AWS Certified Developer – Associate — Question 120
A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function.
The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials.
Which solution will meet these requirements?
Answer options
- A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.
- B. Include the database credentials as part of the Lambda function code. Update the credentials periodically and deploy the new Lambda function.
- C. Use Lambda environment variables. Update the environment variables when new credentials are available.
- D. Store the database credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Systems Manager Parameter Store.
Correct answer: A
Explanation
The correct answer is A because AWS Secrets Manager is designed for securely storing and automatically rotating database credentials, and a Lambda function that retrieves the secret at run time gets the current credentials no matter which version of the function is running. Option B is not suitable: hardcoding credentials in the function code is insecure and requires redeployment, and a published Lambda version is immutable, so previously deployed versions would keep the old credentials. Option C is less ideal because environment variables do not support automatic rotation, updating them every 2 weeks is cumbersome, and the environment variables of a published version cannot be changed. Option D can store the credentials, but Parameter Store does not offer the managed automatic rotation that Secrets Manager provides.