AWS Certified Developer – Associate / Question #1106 of 557

Question #1106

A developer is designing a serverless application using AWS Lambda functions that require access to an Amazon Aurora database. The database credentials must be securely managed and automatically rotated every 30 days. The Lambda functions must immediately use the new credentials upon rotation without any manual intervention, code changes, or redeployment.

Which solution meets these requirements?

A

Store the credentials as a secret in AWS Secrets Manager with automatic rotation enabled. Retrieve the secret dynamically at runtime within the Lambda functions using Secrets Manager API calls.

B

Store the credentials as a secret in AWS Secrets Manager with automatic rotation enabled. Configure the Lambda environment variables to reference the secret ARN using the secretsManagerField property in the function configuration.

C

Store the credentials as a SecureString parameter in AWS Systems Manager Parameter Store with a rotation policy. Use an Amazon EventBridge rule to trigger a Lambda function that updates all Lambda environment variables when rotation occurs.

D

Store the credentials as a SecureString parameter in AWS Systems Manager Parameter Store with a rotation policy. Reference the parameter directly in the Lambda function code using the ssm:GetParameter API call at runtime.

Explanation

Option A is correct because AWS Secrets Manager provides automatic rotation of credentials, and retrieving the secret via API calls at runtime ensures the Lambda function always uses the most recent credentials. This approach avoids caching issues and meets the requirement of immediate credential updates without code changes or redeployment.

Option B is incorrect because referencing Secrets Manager secrets in Lambda environment variables caches the secret value at cold start. Rotated credentials may not be immediately available until the next cold start, violating the requirement.

Option C is incorrect because updating Lambda environment variables during rotation changes the function configuration, which is effectively a redeployment; the question explicitly prohibits this.

Option D is incorrect because AWS Systems Manager Parameter Store lacks native automatic rotation capabilities, and retrieving parameters without explicitly requesting the latest version may return cached values, risking outdated credentials.
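The runtime-retrieval approach from option A, written out as an added example (not code from the exam page or from AWS): the Lambda handler fetches the Aurora credentials from Secrets Manager through the real `get_secret_value(SecretId=...)` call, keeps them only for a short TTL so warm invocations do not hit the API on every request, and forces a refetch if the database rejects the cached password, which is exactly what happens in the window right after a rotation. The TTL cache and the auth-failure retry go beyond what the question describes; the `RuntimeSecret` and `connect_with_rotation` names, and the `connect`/`is_auth_error` callables, are assumptions.

```python
import json
import time
from typing import Any, Callable, Dict, Optional

Credentials = Dict[str, Any]


def secrets_manager_fetcher(client: Any, secret_id: str) -> Callable[[], Credentials]:
    """Wrap the real boto3 call. Secrets Manager stores Aurora/RDS secrets as a
    JSON SecretString with keys such as "username" and "password"."""
    def fetch() -> Credentials:
        return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])
    return fetch


class RuntimeSecret:
    """Fetch the secret at runtime (option A). The short TTL is an added
    optimisation for warm Lambda containers; force_refresh bypasses it after a
    rotation is detected. Hypothetical helper, not an AWS SDK class."""

    def __init__(self, fetch: Callable[[], Credentials], ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._value: Optional[Credentials] = None
        self._expires_at = 0.0
        self.api_calls = 0  # observability: how often Secrets Manager was called

    def get(self, force_refresh: bool = False) -> Credentials:
        now = self._clock()
        if force_refresh or self._value is None or now >= self._expires_at:
            self._value = self._fetch()
            self._expires_at = now + self._ttl
            self.api_calls += 1
        return self._value


def connect_with_rotation(secret: RuntimeSecret, connect: Callable[[Credentials], Any],
                          is_auth_error: Callable[[Exception], bool]) -> Any:
    """Open a database connection with the current credentials. An authentication
    failure is treated as the signature of a rotation the cache missed: refetch
    the secret once and retry. Any other error is re-raised unchanged."""
    try:
        return connect(secret.get())
    except Exception as exc:
        if not is_auth_error(exc):
            raise
        return connect(secret.get(force_refresh=True))
```

In a real handler, `connect` would be the Aurora driver's connect call built from the secret's fields, and `is_auth_error` would recognise the driver's authentication exception.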

Key Points:
- Secrets Manager handles automatic rotation natively.
- Runtime API calls ensure immediate use of updated credentials.
- Environment variable references cache secrets, causing delays in updates.
- Systems Manager Parameter Store requires custom rotation logic and may not refresh credentials dynamically.

Answer

The correct answer is: A