AWS Certified Developer – Associate / Question #710 of 557

Question #710

A company uses a custom intermediate certificate authority (Intermediate CA Cert) that is 8 KB in size to sign SSL certificates for its internal API endpoints. The company’s serverless application consists of numerous AWS Lambda functions that communicate with these endpoints. A developer included the Intermediate CA Cert as a file in the Lambda deployment package and configured the Lambda's trust store during initialization.

After 6 months, the Intermediate CA Cert expires and needs renewal. The developer seeks a solution to update the certificate across all deployed Lambda functions efficiently without redeploying them. The solution must apply uniformly across development, staging, and production environments, each in separate AWS accounts.

Which combination of steps should the developer take to meet these requirements MOST cost-effectively? (Choose two.)

A

Store the Intermediate CA Cert as a secret in AWS Secrets Manager. Create a resource-based policy. Add IAM users to allow access to the secret.

B

Store the Intermediate CA Cert as a Secure String parameter in AWS Systems Manager Parameter Store. Create a resource-based policy. Add IAM users to allow access to the policy.

C

Store the Intermediate CA Cert in an Amazon S3 bucket. Create a resource-based policy to allow access to the bucket.

D

Refactor the Lambda code to load the Intermediate CA Cert from its location. Modify the runtime trust store inside the Lambda function handler.

E

Refactor the Lambda code to load the Intermediate CA Cert from its location. Modify the runtime trust store outside the Lambda function handler.

Explanation

Answer A is correct because AWS Secrets Manager supports storing certificates larger than 4 KB (unlike the Systems Manager Parameter Store option in B) and allows cross-account access via resource-based policies, which covers the separate development, staging, and production accounts. Answer E is correct because modifying the trust store outside the Lambda handler ensures the certificate is loaded once during initialization (cold start) and reused by every subsequent invocation of that execution environment, improving efficiency.

B is incorrect due to the 4 KB size limit in Parameter Store, which the 8 KB certificate exceeds. C is suboptimal because S3 requires additional permissions and is less secure than a purpose-built secrets store. D is inefficient because modifying the trust store inside the handler would fetch and reload the certificate on every invocation. Key points: use Secrets Manager for large secrets; optimize Lambda initialization by loading external resources once, outside the handler.
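As an added example (not part of the question or of any AWS documentation), a resource-based policy attached to the Secrets Manager secret that holds the Intermediate CA Cert, granting read access to the Lambda execution roles of the three environment accounts; the account IDs and role names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaRolesInEachEnvironmentAccountToReadCaCert",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/dev-api-lambda-role",
          "arn:aws:iam::222222222222:role/staging-api-lambda-role",
          "arn:aws:iam::333333333333:role/prod-api-lambda-role"
        ]
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the secret is read from other accounts, it must be encrypted with a customer managed KMS key whose key policy also grants kms:Decrypt to those roles; the default aws/secretsmanager key cannot be used across accounts.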

Answer

The correct answer is: AE