AWS Certified Developer – Associate — Question 244

A company's developer is creating an AWS Lambda function that will read data from an Amazon RDS database. The company's security policies require the database credentials to be encrypted at rest by AWS Key Management Service (AWS KMS) keys. The database credentials must also be automatically rotated. The Lambda function needs to be able to read the database credentials securely.

Which solution will meet these requirements?

Answer options

• A. Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret's Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key's ARN.
• B. Create an Amazon S3 bucket for the database credentials. Encrypt the database credentials with server-side encryption with KMS keys (SSE-KMS). Modify the Lambda function to retrieve the database credentials from the S3 bucket. Attach a custom IAM policy to the Lambda function execution role to allow access to S3:GetObject from the S3 bucket's Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key's ARN.
• C. Create SecureString parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter's Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key's ARN.
• D. Create String parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter's Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key's ARN.

Correct answer: A

Explanation

Option A is correct because AWS Secrets Manager is specifically designed for securely storing and managing secrets, including automatic rotation of credentials. The other options either do not support automatic rotation (B and D) or do not align with the best practices for storing sensitive information securely (C).