Question #1761
A company is developing a serverless application on AWS that requires dynamic configuration updates and secure handling of API keys. The solution must minimize operational complexity while ensuring sensitive data is managed securely.
Which approach meets these requirements with the LEAST administrative effort?
Use AWS AppConfig to manage dynamic configuration changes. Use AWS Secrets Manager to securely store and rotate API keys.
Use AWS Systems Manager Parameter Store (Standard) for configuration data. Use AWS Secrets Manager to handle API keys without rotation capabilities.
Store configuration settings in an encrypted Amazon S3 bucket. Use AWS KMS to encrypt API keys stored in a DynamoDB table.
Use AWS CloudFormation templates for configuration management. Store API keys in environment variables within AWS Lambda functions.
Explanation
Option A is correct because:
- AWS AppConfig is purpose-built for dynamic configuration updates, enabling real-time changes without redeploying code, reducing operational complexity.
- AWS Secrets Manager securely stores API keys, provides automatic rotation, and integrates seamlessly with serverless services (e.g., Lambda), ensuring compliance and reducing manual efforts.
Other options fail because:
- B: SSM Parameter Store (Standard) lacks advanced configuration features like controlled rollouts, and disabling rotation in Secrets Manager increases security risks.
- C: Storing configs in S3 requires manual updates and lacks dynamic capabilities. DynamoDB with KMS lacks built-in rotation, increasing operational overhead.
- D: CloudFormation isn't designed for dynamic updates, and storing API keys in environment variables is insecure.
Key Points: Use managed services (AppConfig, Secrets Manager) for dynamic configs and secrets to minimize effort while ensuring security.
Answer
The correct answer is: A