AWS Certified Developer – Associate — Question 273
A developer is building a serverless application that uses the AWS Cloud Development Kit (AWS CDK) to deploy application infrastructure. The developer is creating an AWS Lambda function that queries an HTTP API. The API needs all requests to include an access token for authentication and authorization. The developer needs to store the access token securely and to give the Lambda function access to the token.
Which solution will meet these requirements?
Answer options
- A. Update the deployment environment to inject the access token as an environment variable. Update the AWS CDK stack to capture the access token. Set the access token as an environment variable of the Lambda function. Update the Lambda function's code to reference the environment variable.
- B. Update the deployment environment to inject the access token as an environment variable. Update the AWS CDK stack to create an AWS Systems Manager Parameter Store String parameter. Set the value of the parameter from the environment variable. Update the Lambda function's execution role to allow the GetParameter action on the parameter. Update the Lambda function's code to use the AWS SDK to retrieve the access token from Parameter Store.
- C. Update the AWS CDK stack to create an AWS Systems Manager Parameter Store String parameter. Update the Lambda function's execution role to allow the GetParameter action on the parameter. Manually set the access token in Parameter Store. Update the Lambda function's code to use the AWS SDK to retrieve the access token from Parameter Store.
- D. Update the AWS CDK stack to create an AWS Secrets Manager secret. Configure the permissions for the secret and the Lambda function to allow the function to access the secret. Update the CloudFormation stack policy inside the AWS CDK stack to prevent updates to the secret. Manually set the access token in Secrets Manager. Update the Lambda function's code to use the AWS SDK to retrieve the access token from Secrets Manager.
Correct answer: D
Explanation
AWS Secrets Manager is the purpose-built service for securely storing sensitive data such as API access tokens, and setting the secret value manually keeps it out of the AWS CDK code and the deployment pipeline. Applying a CloudFormation stack policy ensures that subsequent CDK deployments do not overwrite the manually entered secret value. The other options are insecure because they either expose the token in plaintext through Lambda environment variables (option A) or store it in an unencrypted Systems Manager Parameter Store String parameter (options B and C).