Question #737
A company operates a serverless application using AWS Lambda functions triggered by Amazon API Gateway. Each Lambda function must access an Amazon RDS PostgreSQL database. To comply with security policies, all Lambda functions must use a single securely encrypted database connection string.
Which solution will meet these requirements?
A. Use IAM database authentication for RDS PostgreSQL to enable secure database connections for all Lambda functions.
B. Store the credentials in an encrypted Amazon ElastiCache cluster and retrieve them during Lambda execution.
C. Store the credentials in AWS Systems Manager Parameter Store as a secure string parameter.
D. Use Lambda environment variables encrypted with a customer-managed AWS Key Management Service (AWS KMS) key.
Explanation
Option C is correct because AWS Systems Manager Parameter Store is designed to securely store configuration data, including encrypted secrets like database connection strings. When the connection string is stored as a secure string parameter, it is encrypted using AWS KMS. All Lambda functions can retrieve this single parameter at runtime, maintaining consistency and reducing the risk of mismanagement.
Option A (IAM DB authentication) does not store a connection string but uses temporary credentials, which does not meet the requirement. Option B (ElastiCache) is unsuitable as it is a caching service, not intended for secure credential storage. Option D (Lambda environment variables) lacks centralized management, requiring updates across all functions if the connection string changes, which is inefficient and error-prone.
Answer
The correct answer is: C