AWS Certified Developer – Associate (DVA-C02) — Question 535
A developer is building an application that consists of many AWS Lambda functions. The Lambda functions connect to a single Amazon RDS database.
The developer needs to implement a solution to store the database credentials securely. When the credentials are updated, the Lambda functions must be able to use the new credentials without requiring a code update or a configuration update.
Which solution will meet these requirements?
Answer options
- A. Store the credentials as a secret in AWS Secrets Manager. Access the secret at runtime from within the Lambda functions.
- B. Store the credentials as a secret in AWS Secrets Manager. Access the credentials in environment variables by using the containerDefinitions and valueFrom elements in reference to the secret value.
- C. Store the credentials as a SecureString parameter in AWS Systems Manager Parameter Store. Add a trigger to pass the credentials to the Lambda functions when the Lambda functions run.
- D. Store the credentials as a SecureString parameter in AWS Systems Manager Parameter Store. Add a reference to the parameter in an environment variable in the Lambda functions.
Correct answer: A
Explanation
AWS Secrets Manager allows AWS Lambda functions to retrieve the latest database credentials dynamically at runtime, so credential rotation does not require code or configuration updates. Option B is incorrect because 'containerDefinitions' is used for Amazon ECS, not AWS Lambda. Options C and D are incorrect because using environment variables to store or reference parameters would require a configuration update to the Lambda function to reflect any changes to the credentials.