
Answer-first summary for fast verification
Answer: Store the database credentials in AWS Secrets Manager as a secret associated with an AWS KMS customer managed key. Attach a role to each Lambda function to access the secret. Restrict access to the secret and the customer managed key to the IT security team.
The correct answer is D. AWS Secrets Manager is designed specifically for managing and rotating secrets, such as database credentials. It includes built-in integration with AWS KMS for encryption. This solution fulfills the requirement of encrypting the credentials with a key accessible only to the IT security team and provides built-in key rotation capabilities. In contrast, while AWS Systems Manager Parameter Store (Answer A) can also store secrets, it does not offer the same level of built-in rotation capabilities as AWS Secrets Manager. Options B and C involve storing secrets in Lambda environment variables, which is less secure and more complex to manage compared to using AWS Secrets Manager.
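To make the access split in answer D concrete, here is an added example (not from the quiz page) that builds the two identity-based policy documents the design needs: one for the IT security team's group and one for each Lambda execution role. Account id, region, key ARN and secret ARN are constructed placeholders; it relies on the facts that an IAM group cannot be named as a principal in a KMS key policy or secret resource policy, and that `kms:ViaService` lets the Lambda role decrypt only through Secrets Manager.

```python
"""Least-privilege policies for the Secrets Manager + KMS CMK design (added example).

ACCOUNT, REGION and the ARNs are constructed placeholders. The IT security team's
rights go on an identity-based policy attached to their IAM group (groups cannot be
resource-policy principals); each Lambda role only reads the one secret and may use
the CMK solely when Secrets Manager calls KMS on the function's behalf.
"""
import json

ACCOUNT = "111122223333"  # constructed placeholder
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/sqlserver-PLACEHOLDER"
KEY_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                     "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                     "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
READ_ONLY_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "kms:Decrypt"}


def security_team_policy(key_arn=KEY_ARN, secret_arn=SECRET_ARN):
    """Identity-based policy for the IT security team's IAM group: administer this
    one key (including enabling rotation) and this one secret, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AdministerProdDbKey", "Effect": "Allow", "Action": KEY_ADMIN_ACTIONS, "Resource": key_arn},
        {"Sid": "AdministerProdDbSecret", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": secret_arn},
    ]}


def lambda_role_policy(key_arn=KEY_ARN, secret_arn=SECRET_ARN, region=REGION):
    """Identity-based policy for each Lambda execution role. kms:Decrypt is scoped
    with kms:ViaService, so the role cannot call KMS directly with the CMK."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadProdDbSecret", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], "Resource": secret_arn},
        {"Sid": "DecryptOnlyViaSecretsManager", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn,
         "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
    ]}


def is_consumer_safe(policy):
    """Guardrail for a consumer (Lambda) policy: every Allow statement grants only
    read/decrypt actions and names a specific resource rather than '*'."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and (not set(actions) <= READ_ONLY_ACTIONS or st["Resource"] == "*"):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(lambda_role_policy(), indent=2))
```

Developers keep their own credentials for the development clone; only Lambda roles carrying the second policy can read the production secret, and only the group carrying the first can manage the key or the secret.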
Author: LeetQuiz Editorial Team
A company is adopting a serverless architecture using AWS Lambda to interact with a Microsoft SQL Server database on Amazon RDS. They maintain distinct development and production environments, including database clones. Developers have access to the development database credentials, but production database credentials must be encrypted with a key accessible only to the IT security team's IAM group. This key requires regular rotation. What is the optimal strategy for a solutions architect to secure the production database credentials?
A. Utilize AWS Systems Manager Parameter Store with a SecureString parameter encrypted by an AWS KMS customer managed key to store the database credentials. Assign a role to each Lambda function granting access to the SecureString parameter. Limit access to the SecureString parameter and the customer managed key to the IT security team.
B. Encrypt the database credentials using the AWS KMS default Lambda key and store them in the Lambda function's environment variables. Load credentials from these variables in the Lambda code. Restrict access to the KMS key to the IT security team.
C. Store the database credentials in the Lambda function's environment variables and encrypt these variables using an AWS KMS customer managed key. Limit access to the customer managed key to the IT security team.
D. Store the database credentials in AWS Secrets Manager as a secret associated with an AWS KMS customer managed key. Attach a role to each Lambda function to access the secret. Restrict access to the secret and the customer managed key to the IT security team.