Question #943
A company uses an AWS Lambda function to interact with an external API that requires an API key. The Lambda function stores the API key in its environment variables. The company wants to ensure the API key is encrypted securely.
Which solution will meet these requirements?
A. Remove the API key from the Lambda environment. Use IAM roles for API authentication.
B. Move the API key from Lambda environment variables to AWS Systems Manager Parameter Store.
C. Move the API key from Lambda environment variables to AWS Key Management Service (AWS KMS).
D. Move the API key from the Lambda environment to an encrypted .txt file. Store the file in an S3 bucket.
Explanation
Answer B is correct because AWS Systems Manager (SSM) Parameter Store supports SecureString parameters, which encrypt the API key using AWS KMS. This method ensures the key is securely stored and accessed by the Lambda function at runtime, avoiding plaintext exposure in environment variables.
Option A is incorrect because IAM roles cannot authenticate with external APIs requiring an API key. Option C is incorrect because AWS KMS is designed for managing encryption keys, not storing secrets like API keys. Option D is suboptimal because storing the key in an S3 bucket adds unnecessary complexity and latency compared to SSM Parameter Store, which is purpose-built for secure parameter storage.
Answer
The correct answer is: B