AWS Certified Developer – Associate (DVA-C02) — Question 389

A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company's SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and password. The company uses Lambda environment variables to store these credentials.

A developer needs to implement encrypted username and password credentials.

Which solution will meet these requirements?

Answer options

• A. Remove the user credentials from the Lambda environment. Implement IAM database authentication.
• B. Move the user credentials from Lambda environment variables to AWS Systems Manager Parameter Store.
• C. Move the user credentials from Lambda environment variables to AWS Key Management Service (AWS KMS).
• D. Move the user credentials from the Lambda environment to an encrypted .txt file. Store the file in an S3 bucket.

Correct answer: B

Explanation

AWS Systems Manager Parameter Store is a secure, centralized storage service for configuration data and secrets, allowing credentials to be stored as encrypted SecureString parameters. AWS KMS manages encryption keys but is not designed to directly store and retrieve user credentials like username/password pairs. Storing credentials in an S3 bucket or attempting to use IAM database authentication for an SFTP server are incorrect and less secure architectures.