AWS Certified Developer – Associate (DVA-C02) — Question 148

A company uses a custom root certificate authority certificate chain (Root CA Cert) that is 10 KB in size to generate SSL certificates for its on-premises HTTPS endpoints. One of the company’s cloud-based applications has hundreds of AWS Lambda functions that pull data from these endpoints. A developer updated the trust store of the Lambda execution environment to use the Root CA Cert when the Lambda execution environment is initialized. The developer bundled the Root CA Cert as a text file in the Lambda deployment bundle.

After 3 months of development, the Root CA Cert is no longer valid and must be updated. The developer needs a more efficient solution to update the Root CA Cert for all deployed Lambda functions. The solution must not include rebuilding or updating all Lambda functions that use the Root CA Cert. The solution must also work for all development, testing, and production environments. Each environment is managed in a separate AWS account.

Which combination of steps should the developer take to meet these requirements MOST cost-effectively? (Choose two.)

Answer options

Correct answer: A, E

Explanation

Option A is correct because AWS Secrets Manager allows for easy management and access control of sensitive information such as the Root CA Cert. Option E is also correct because modifying the runtime trust store outside the Lambda function handler allows for centralized management of the Root CA Cert without deploying changes to each Lambda function. Options B and C are not the best fit because of the additional overhead of managing parameters or S3 buckets. Option D requires modifying the function handler, which goes against the requirement of not updating each Lambda function.