AWS Certified Developer – Associate (DVA-C02) — Question 144
A developer is building an application that gives users the ability to view bank accounts from multiple sources in a single dashboard. The developer has automated the process to retrieve API credentials for these sources. The process invokes an AWS Lambda function that is associated with an AWS CloudFormation custom resource.
The developer wants a solution that will store the API credentials with minimal operational overhead.
Which solution will meet these requirements in the MOST secure way?
Answer options
- A. Add an AWS Secrets Manager GenerateSecretString resource to the CloudFormation template. Set the value to reference new credentials for the CloudFormation resource.
- B. Use the AWS SDK ssm:PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString.
- C. Add an AWS Systems Manager Parameter Store resource to the CloudFormation template. Set the CloudFormation resource value to reference the new credentials. Set the resource NoEcho attribute to true.
- D. Use the AWS SDK ssm:PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter NoEcho attribute to true.
Correct answer: B
Explanation
Option B is the most secure solution because it uses the AWS Systems Manager Parameter Store SecureString parameter type, which encrypts the credentials at rest and controls who may read them. The other options may store the credentials, but they either do not provide the same level of encryption (option C) or do not use the SecureString type (option D). Option A uses Secrets Manager but does not specify SecureString, which is crucial for sensitive data.
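The following is an added illustration of option B and is not code from the exam or from AWS: a Lambda custom-resource handler that writes the retrieved credentials with `ssm:PutParameter` as a `SecureString` and, just as importantly, keeps the secret out of the custom-resource response it sends back to CloudFormation (response `Data` ends up in stack events and can be referenced by `Fn::GetAtt`, so only the parameter name and version are returned). The `ParameterName` and `KmsKeyId` resource properties, the `fetch_api_credentials` placeholder and the fake SSM client used to run it offline are all assumptions of this example.

```python
import json
import urllib.request

# Assumption: the CloudFormation custom resource passes these ResourceProperties.
# The exam question does not define them; they are placeholders for this example.
#   ParameterName - where the credential is stored in Parameter Store
#   KmsKeyId      - optional customer-managed KMS key for the SecureString


def fetch_api_credentials(source):
    """Placeholder for the page's automated credential retrieval (not shown on the page)."""
    raise NotImplementedError("replace with the real retrieval process")


def store_credentials(ssm, name, secret, kms_key_id=None):
    """Store the secret as a SecureString; returns the parameter version, never the value."""
    params = {"Name": name, "Value": secret, "Type": "SecureString", "Overwrite": True}
    if kms_key_id:
        params["KeyId"] = kms_key_id  # default otherwise: the account's AWS-managed aws/ssm key
    resp = ssm.put_parameter(**params)
    return resp["Version"]


def handle_request(event, ssm, secret):
    """Handle Create/Update/Delete and build the custom-resource result.

    The secret itself is deliberately absent from the returned Data: anything
    placed there is visible in CloudFormation stack events and via Fn::GetAtt.
    """
    props = event["ResourceProperties"]
    name = props["ParameterName"]
    try:
        if event["RequestType"] == "Delete":
            ssm.delete_parameter(Name=name)
            return {"Status": "SUCCESS", "PhysicalResourceId": name, "Data": {}}
        version = store_credentials(ssm, name, secret, props.get("KmsKeyId"))
        return {
            "Status": "SUCCESS",
            "PhysicalResourceId": name,
            "Data": {"ParameterName": name, "Version": version},
        }
    except Exception as exc:  # report failure so the stack does not hang until timeout
        return {"Status": "FAILED", "PhysicalResourceId": name, "Reason": str(exc), "Data": {}}


def send_response(event, result):
    """PUT the result to the pre-signed ResponseURL that CloudFormation provides."""
    body = dict(result, StackId=event["StackId"], RequestId=event["RequestId"],
                LogicalResourceId=event["LogicalResourceId"])
    data = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=data, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    """Real entry point: boto3 is imported here so the module also runs offline."""
    import boto3
    secret = fetch_api_credentials(event["ResourceProperties"].get("Source"))
    send_response(event, handle_request(event, boto3.client("ssm"), secret))


class FakeSSM:
    """Constructed stand-in for boto3's SSM client, used only to run this example offline."""

    def __init__(self):
        self.calls = []

    def put_parameter(self, **kwargs):
        self.calls.append(("put_parameter", kwargs))
        return {"Version": 1, "Tier": "Standard"}

    def delete_parameter(self, **kwargs):
        self.calls.append(("delete_parameter", kwargs))
        return {}


# Constructed sample event, shaped like a CloudFormation custom-resource Create request.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned",  # placeholder URL
    "StackId": "arn:aws:cloudformation:us-east-1:000000000000:stack/example/placeholder",
    "RequestId": "placeholder-request-id",
    "LogicalResourceId": "BankApiCredentials",
    "ResourceProperties": {"ParameterName": "/dashboard/bank-a/api-key"},
}


def demo(secret="constructed-sample-secret"):
    """Run the handler against the fake client; returns (result, recorded calls)."""
    ssm = FakeSSM()
    return handle_request(SAMPLE_EVENT, ssm, secret), ssm.calls


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The point to take from the example is twofold: `Type="SecureString"` is what turns the write into an encrypted parameter (the `NoEcho` attribute in options C and D belongs to CloudFormation template parameters and has no effect on a Parameter Store value), and the Lambda function should return only a reference to the parameter, so the credential never appears in stack events or outputs.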