Question #1989
A company is developing a new internal API gateway in the AWS Cloud that requires secure storage and retrieval of multiple API keys from an AWS managed service. Which solution will meet these requirements with the LEAST operational overhead?
A. Store the API keys in AWS Systems Manager Parameter Store. Use AWS CloudFormation and the GetSecretValue API to retrieve the API keys from Parameter Store.
B. Store the API keys in AWS Secrets Manager. Use AWS CloudFormation and AWS Lambda with the GetSecretValue API to retrieve the API keys from Secrets Manager.
C. Store the API keys in AWS Systems Manager Parameter Store. Use AWS CloudFormation and AWS Lambda with the GetSecretValue API to retrieve the API keys from Parameter Store.
D. Store the API keys in AWS Secrets Manager. Use AWS CloudFormation and the GetSecretValue API to retrieve the API keys from Secrets Manager.
Explanation
The correct answer is D. AWS Secrets Manager is purpose-built for securely storing and managing secrets (e.g., API keys, passwords) and offers native integration with AWS CloudFormation via dynamic references (e.g., {{resolve:secretsmanager:secret-id}}). This allows CloudFormation to retrieve secrets directly without custom Lambda code, reducing operational overhead.
Options A and C incorrectly use Parameter Store, which is less suited for secrets management (no native rotation, requires manual handling of encryption). Options B and C involve Lambda, adding unnecessary complexity. Secrets Manager (D) provides a fully managed solution with secure retrieval via CloudFormation, aligning with the requirement of least operational overhead.
Key Points:
1. Secrets Manager is optimized for secrets; Parameter Store is for general parameters.
2. CloudFormation dynamic references avoid Lambda, reducing overhead.
3. GetSecretValue is a Secrets Manager API, not used directly here—dynamic references handle retrieval.
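As an added illustration of the Secrets Manager plus CloudFormation pattern described in the explanation (this template is not part of the original question; the secret, API key and policy names are hypothetical):

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - API keys kept in Secrets Manager and resolved by CloudFormation

Resources:
  # One secret holds all gateway API keys as fields of a JSON document.
  # The value is generated by Secrets Manager, so no plaintext key ever
  # appears in the template or in the stack's change history.
  GatewayKeysSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: internal-api-gateway/keys          # hypothetical name
      Description: API keys used by the internal API gateway
      GenerateSecretString:
        SecretStringTemplate: '{}'             # further keys go in as extra JSON fields
        GenerateStringKey: partnerKey
        PasswordLength: 32
        ExcludePunctuation: true

  # Dynamic reference: CloudFormation calls Secrets Manager at deploy time
  # and injects the single JSON field, so no Lambda or custom code is needed.
  # Form: {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>}}
  PartnerApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: partner-key                        # hypothetical name
      Enabled: true
      Value: !Sub '{{resolve:secretsmanager:${GatewayKeysSecret}:SecretString:partnerKey}}'

  # Least privilege for any service that must read the keys at runtime:
  # only GetSecretValue, and only on this one secret ARN.
  GatewayReadKeysPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Ref GatewayKeysSecret

Outputs:
  SecretArn:
    Description: ARN of the secret (safe to output; the key value itself is not)
    Value: !Ref GatewayKeysSecret
```

A secretsmanager dynamic reference is resolved into the resource property at deploy time, so use it only where that property is meant to hold the secret, never in Outputs or tags where the value would become visible.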
Answer
The correct answer is: D