
Answer-first summary for fast verification
Answer: Create and retrieve an AWS Secrets Manager secret for the OpenSearch domain's MasterUserOptions, granting Lambda an IAM role with secretsmanager:GetSecretValue permission for runtime secret resolution.
The most secure way to pass master user credentials to the Lambda function is by using AWS Secrets Manager. Option D involves creating a secret in AWS Secrets Manager and referencing it dynamically within the CloudFormation template. It ensures that the credentials are never hard-coded and are securely stored and managed. The Lambda function retrieves the secret at runtime through an IAM role with the necessary permissions. This approach leverages Secrets Manager’s features like automatic rotation and fine-grained access control, making it the safest and most reliable method among the provided options.
Author: LeetQuiz Editorial Team
In an audit monitoring system using Amazon OpenSearch Service, how should a developer securely pass OpenSearch Service domain master user credentials to an associated AWS Lambda function through a CloudFormation custom resource?
A. Deploy credentials via CloudFormation parameters to both the OpenSearch domain's MasterUserOptions and Lambda's environment variable, applying the NoEcho attribute.
B. Deploy credentials to the OpenSearch domain's MasterUserOptions using CloudFormation parameters and store them in AWS Systems Manager Parameter Store, assigning an IAM role with ssm:GetParameter permission to Lambda for runtime resolution.
C. Deploy credentials to the OpenSearch domain's MasterUserOptions and Lambda's environment variable using encrypted CloudFormation parameters with AWS KMS.
D. Create and retrieve an AWS Secrets Manager secret for the OpenSearch domain's MasterUserOptions, granting Lambda an IAM role with secretsmanager:GetSecretValue permission for runtime secret resolution.