AWS Certified Developer – Associate (DVA-C02) — Question 342
A company is building a serverless application. The application uses an API key to authenticate with a third-party application. The company wants to store the external API key as a part of an AWS Lambda configuration. The company needs to have full control over the AWS Key Management Service (AWS KMS) keys that will encrypt the API key and should be visible only to authorized entities.
Which solution will meet these requirements?
Answer options
- A. Store the API key in AWS Systems Manager Parameter Store as a string parameter. Use the default AWS KMS key that AWS provides to encrypt the API key.
- B. Store the API key in AWS Lambda environment variables. Create an AWS KMS customer managed key to encrypt the API key.
- C. Store the API key in the code repository. Use an AWS managed key to encrypt the code repository.
- D. Store the API key as an Amazon DynamoDB table record. Use an AWS managed key to encrypt the API key.
Correct answer: B
Explanation
Storing the API key as an AWS Lambda environment variable meets the requirement of keeping it within the Lambda configuration. Using an AWS KMS customer managed key gives the organization full control over key policies and rotation, unlike AWS managed keys or default KMS keys. The other options either store the key outside the Lambda configuration or do not provide full administrative control over the encryption keys.