Your organization starts to store RDS credentials in AWS Secrets Manager. To be compliant with security regulations, all secrets stored in the Secrets Manager should automatically rotate. If rotation is not enabled for a secret, your team should get an email notification. Which method is the most appropriate?

Answer options:

A.Configure AWS Secrets Manager to enable the rotation for all existing and new secrets.
B.Create a CloudWatch Event rule that matches all events in Secrets Manager. Register an SNS topic as its target to provide notifications.
C.Enable Amazon GuardDuty that monitors services including Secrets Manager.
D.Add the rule “secretsmanager-rotation-enabled-check” in AWS Config to check whether AWS Secrets Manager has enabled the secret rotation.

Correct Answer – D
Option A is incorrect because there is no such configuration to enable rotation for all secrets. The rotation is managed in each secret.
Option B is incorrect because the CloudWatch Event rule needs a Lambda function as its target to check if rotation is enabled. The description of the option is incomplete.
Option C is incorrect because Amazon GuardDuty, as a continuous security monitoring service, does not check the secret rotation for Secrets Manager.
Option D is CORRECT because the AWS Config rule “secretsmanager-rotation-enabled-check” checks whether AWS Secrets Manager secret has rotation enabled. Users need to add the rule in AWS Config and set up a notification.
Reference:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/aws-config-rules.html.
https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html.