AWS Certified Developer – Associate / Question #558 of 557

Question #558

A company is deploying a serverless application using AWS Lambda. The application requires access to a legacy database that uses a password for authentication. The password must be encrypted at rest and in transit, and must be accessible to Lambda functions in multiple AWS accounts. A developer needs to implement a secure storage solution with the LEAST operational overhead.

Which solution meets these requirements?

A

Store the password as an AWS Systems Manager Parameter Store SecureString parameter encrypted with an AWS KMS AWS-managed key. Create an IAM policy allowing cross-account access to the parameter. Configure Lambda execution roles with permissions to access Parameter Store. Retrieve the parameter with decryption enabled during Lambda execution.

B

Store the password using AWS Secrets Manager with an AWS KMS customer-managed key. Attach a resource-based policy to the secret granting access to the target AWS accounts. Configure Lambda execution roles with permissions to retrieve the secret. Access the secret directly from Secrets Manager during Lambda execution.

C

Encrypt the password using an AWS KMS customer-managed key. Store the encrypted password in an Amazon S3 bucket. Create a bucket policy allowing cross-account access. Configure Lambda execution roles with S3 read permissions and KMS decrypt permissions. Retrieve and decrypt the password during Lambda execution.

D

Store the password in Amazon DynamoDB with encryption enabled using an AWS KMS AWS-managed key. Create an IAM policy allowing cross-account access to the DynamoDB table. Configure Lambda execution roles with DynamoDB read permissions. Retrieve and decrypt the password during Lambda execution.

Explanation

Option B is correct because AWS Secrets Manager is purpose-built for securely storing and managing secrets like database passwords. Using a customer-managed KMS key ensures encryption at rest, while Secrets Manager's TLS encryption secures data in transit. Resource-based policies allow direct cross-account access without complex IAM role configurations, reducing operational overhead. Lambda execution roles only need permissions to retrieve the secret, simplifying access management. Other options involve more steps: Option A uses Parameter Store, which lacks native cross-account resource policies; Option C adds S3/KMS management complexity; Option D uses DynamoDB, which isn't optimized for secrets. Secrets Manager also supports automatic rotation, enhancing security without additional effort.
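The pieces option B describes, as an added example that is not part of the original question page: the resource-based policy attached to the secret, the key-policy statement the customer-managed KMS key needs so the other accounts can decrypt through Secrets Manager (an AWS-managed key cannot be shared this way, which is the practical reason option B specifies a customer-managed key), the consumer-side Lambda execution-role policy, and a retrieval helper with in-memory caching across warm invocations. All ARNs and account IDs are placeholders, and `FakeSecretsManager` is a constructed stand-in for `boto3.client("secretsmanager")` so the code runs offline.

```python
"""Cross-account secret access pattern for option B.

Added example, not from the exam page. The ARNs, account IDs and the
FakeSecretsManager client are constructed placeholders; in a real Lambda
function pass boto3.client("secretsmanager") to get_db_credentials().
"""
import json
import time

# Placeholder identifiers (not real resources).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:legacy-db-password-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
CONSUMER_ACCOUNTS = ["222222222222", "333333333333"]
REGION = "us-east-1"


def build_secret_resource_policy(secret_arn, account_ids):
    """Resource-based policy attached to the secret in the owning account.
    Grants read-only retrieval to the consumer accounts; the consumer's
    own IAM policy must also allow the action (both sides must permit it)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def build_kms_key_policy_statement(account_ids, region):
    """Statement to add to the customer-managed key's policy. Without it the
    consumer account can read the secret metadata but GetSecretValue fails
    on decryption. kms:ViaService restricts use of the key to Secrets Manager."""
    return {
        "Sid": "AllowConsumerAccountsDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def build_lambda_execution_policy(secret_arn, kms_key_arn):
    """Identity-based policy for the Lambda execution role in a consumer account,
    scoped to the one secret and the one key (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


# Module-level cache survives across warm Lambda invocations, cutting API calls
# and keeping retrieval cheap while still picking up rotated values after the TTL.
CACHE_TTL_SECONDS = 300
_cache = {}


def get_db_credentials(client, secret_arn, now=None):
    """Fetch and parse a JSON secret {"username": ..., "password": ...}.
    `client` is any object with get_secret_value(SecretId=...) (boto3 or a fake)."""
    now = time.time() if now is None else now
    hit = _cache.get(secret_arn)
    if hit is not None and hit[0] > now:
        return hit[1]
    resp = client.get_secret_value(SecretId=secret_arn)
    if "SecretString" not in resp:
        raise ValueError("expected a SecretString secret, got a binary secret")
    creds = json.loads(resp["SecretString"])
    for key in ("username", "password"):
        if key not in creds:
            raise ValueError(f"secret is missing required field {key!r}")
    _cache[secret_arn] = (now + CACHE_TTL_SECONDS, creds)
    return creds


class FakeSecretsManager:
    """Constructed offline stand-in for the boto3 Secrets Manager client."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self.secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"ARN": SecretId, "SecretString": json.dumps(self.secrets[SecretId])}


if __name__ == "__main__":
    fake = FakeSecretsManager({SECRET_ARN: {"username": "app", "password": "constructed-value"}})
    creds = get_db_credentials(fake, SECRET_ARN)
    print("username:", creds["username"], "| api calls so far:", fake.calls)
    print(json.dumps(build_secret_resource_policy(SECRET_ARN, CONSUMER_ACCOUNTS), indent=2))
```

The cache is what keeps "retrieve the secret during Lambda execution" from becoming one Secrets Manager call per invocation; the TTL bounds how long a rotated password stays stale. Note that the two policies on the owning side (secret resource policy and KMS key policy) and the one on the consuming side (execution role) must all allow the access, which is still far less to manage than the S3-plus-KMS or DynamoDB constructions in options C and D.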

Answer

The correct answer is: B