AWS Certified Developer – Associate / Question #1084 of 557

Question #1084

A developer is configuring an AWS Lambda function that interacts with a payment gateway. The payment gateway's API secret needs to be securely stored and updated periodically without redeploying the Lambda code. What is the BEST solution?

A. Store the API secret in AWS Secrets Manager.

B. Store the API secret in an IAM role's policy.

C. Encrypt the API secret using AWS KMS and store it in the Lambda environment variables.

D. Include the API secret in a Lambda layer.

Explanation

The correct answer is A because AWS Secrets Manager is designed to securely store and manage secrets such as API keys. It supports automatic rotation, so the secret can be updated periodically without redeploying the Lambda function. The Lambda code retrieves the secret dynamically at runtime through the Secrets Manager API, which removes the need to hardcode the value or to redeploy (or edit environment variables) whenever it changes.
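As an added example (not part of the question page), the runtime retrieval the explanation describes, written as a Python Lambda handler: the secret is read from Secrets Manager with a short TTL cache so a rotated value is picked up without redeployment, and the cache can be dropped if the gateway rejects the key mid-TTL. The secret name, the PAYMENT_SECRET_ID variable, the api_key JSON field and the FakeSecretsClient stand-in are assumptions; the function's execution role needs secretsmanager:GetSecretValue on that secret.

```python
import json
import os
import time

# Assumed names (not from the question): the environment variable holds only the
# secret *name*, never the secret value itself.
SECRET_ID = os.environ.get("PAYMENT_SECRET_ID", "prod/payment-gateway/api-key")
CACHE_TTL_SECONDS = 300  # re-read at most every 5 minutes so a rotated value is picked up

# Module-level cache survives warm invocations of the same execution environment.
_cache = {"value": None, "expires_at": 0.0}

def _default_client():
    import boto3  # lazy import: the real client is only needed inside Lambda
    return boto3.client("secretsmanager")

def invalidate_cache():
    """Call this when the gateway rejects the key: rotation may have happened mid-TTL."""
    _cache["value"], _cache["expires_at"] = None, 0.0

def get_api_secret(client=None, now=None):
    """Return the current API secret, re-reading Secrets Manager once the TTL lapses.
    `client` must offer get_secret_value(SecretId=...) like boto3's secretsmanager client."""
    now = time.time() if now is None else now
    if _cache["value"] is not None and now < _cache["expires_at"]:
        return _cache["value"]
    resp = (client or _default_client()).get_secret_value(SecretId=SECRET_ID)
    # The service returns SecretString or SecretBinary; a JSON object is the usual layout.
    raw = resp.get("SecretString") or resp["SecretBinary"].decode("utf-8")
    try:
        secret = json.loads(raw)["api_key"]
    except (ValueError, KeyError, TypeError):
        secret = raw  # plain-text secret
    _cache["value"], _cache["expires_at"] = secret, now + CACHE_TTL_SECONDS
    return secret

def lambda_handler(event, context, client=None):
    """Lambda entry point: builds the gateway auth header; never logs or returns the key."""
    headers = {"Authorization": f"Bearer {get_api_secret(client)}"}
    # ... call the payment gateway with `headers` here ...
    return {"statusCode": 200, "body": json.dumps({"authorized": "Authorization" in headers})}

class FakeSecretsClient:
    """Constructed stand-in for local runs: mimics get_secret_value and counts API calls."""
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}
```

Secrets Manager calls are billed per request and rate-limited, so the TTL cache (or the AWS-provided Lambda Secrets extension) matters as much as the retrieval itself.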

Why other options are incorrect:
- B: IAM roles manage permissions, not application secrets. Storing API secrets in IAM policies is not secure or scalable.
- C: While encrypting with KMS adds security, storing the secret in environment variables still requires redeployment to update the value.
- D: Lambda layers are for code/dependencies, not secrets. Updating a secret in a layer would still require redeployment.

Key Points:
- Use Secrets Manager for dynamic secrets management with rotation.
- Avoid storing sensitive data in Lambda configurations (environment variables, layers, or code).
- Secrets Manager integrates seamlessly with Lambda for runtime retrieval.

Answer

The correct answer is: A