AWS Certified Developer – Associate (DVA-C02) — Question 193
A company built a new application in the AWS Cloud. The company automated the bootstrapping of new resources with an Auto Scaling group by using AWS CloudFormation templates. The bootstrap scripts contain sensitive data.
The company needs a solution that is integrated with CloudFormation to manage the sensitive data in the bootstrap scripts.
Which solution will meet these requirements in the MOST secure way?
Answer options
- A. Put the sensitive data into a CloudFormation parameter. Encrypt the CloudFormation templates by using an AWS Key Management Service (AWS KMS) key.
- B. Put the sensitive data into an Amazon S3 bucket. Update the CloudFormation templates to download the object from Amazon S3 during bootstrap.
- C. Put the sensitive data into AWS Systems Manager Parameter Store as a secure string parameter. Update the CloudFormation templates to use dynamic references to specify template values.
- D. Put the sensitive data into Amazon Elastic File System (Amazon EFS). Enforce EFS encryption after file system creation. Update the CloudFormation templates to retrieve data from Amazon EFS.
Correct answer: C
Explanation
The correct answer is C because AWS Systems Manager Parameter Store stores the sensitive data as an encrypted secure string parameter, and CloudFormation dynamic references let the template reference that parameter directly, so the secret is never written into the template or the bootstrap script itself. Option A places the sensitive data in a CloudFormation parameter, where it is visible in the stack definition, and encrypting the template with an AWS KMS key is not a supported CloudFormation integration. Option B stores the data in Amazon S3 and has the instances fetch it at bootstrap, which requires the company to build and secure the retrieval itself rather than using a native CloudFormation integration. Option D offers encryption at rest for Amazon EFS but is likewise not integrated with CloudFormation for supplying template values, so Parameter Store with dynamic references is the most secure choice that meets the integration requirement.