A company is adopting a serverless architecture using AWS Lambda to interact with a Microsoft SQL Server database on Amazon RDS. They maintain distinct development and production environments, including database clones. Developers have access to the development database credentials, but production database credentials must be encrypted with a key accessible only to the IT security team's IAM group. This key requires regular rotation. What is the optimal strategy for a solutions architect to secure the production database credentials?

Exam-Like

Utilize AWS Systems Manager Parameter Store with a SecureString parameter encrypted by an AWS KMS customer managed key to store the database credentials. Assign a role to each Lambda function granting access to the SecureString parameter. Limit access to the SecureString parameter and the customer managed key to the IT security team.

25.0%

Encrypt the database credentials using the AWS KMS default Lambda key and store them in the Lambda function's environment variables. Load credentials from these variables in the Lambda code. Restrict access to the KMS key to the IT security team.

0.0%

Store the database credentials in the Lambda function's environment variables and encrypt these variables using an AWS KMS customer managed key. Limit access to the customer managed key to the IT security team.

0.0%

Store the database credentials in AWS Secrets Manager as a secret associated with an AWS KMS customer managed key. Attach a role to each Lambda function to access the secret. Restrict access to the secret and the customer managed key to the IT security team.

75.0%

AWS Certified Solutions Architect - Professional

Get started today

Comments