AWS Certified Developer – Associate — Question 331

A company uses a custom root certificate authority certificate chain (Root CA Cert) that is 10 KB in size to generate SSL certificates for its on-premises HTTPS endpoints. One of the company’s cloud-based applications has hundreds of AWS Lambda functions that pull data from these endpoints. A developer updated the trust store of the Lambda execution environment to use the Root CA Cert when the Lambda execution environment is initialized. The developer bundled the Root CA Cert as a text file in the Lambda deployment bundle.

After 3 months of development, the Root CA Cert is no longer valid and must be updated. The developer needs a more efficient solution to update the Root CA Cert for all deployed Lambda functions. The solution must not include rebuilding or updating all Lambda functions that use the Root CA Cert. The solution must also work for all development, testing, and production environments. Each environment is managed in a separate AWS account.

Which combination of steps should the developer take to meet these requirements MOST cost-effectively? (Choose two.)

Answer options

Correct answer: C, E

Explanation

Storing the Root CA Cert in Amazon S3 is the most cost-effective storage option for cross-account access, as AWS Secrets Manager charges a monthly fee per secret per account. Furthermore, retrieving the certificate and updating the trust store outside the Lambda handler ensures this operation runs only during initialization (cold starts) rather than on every invocation, which reduces latency, API calls, and costs.
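The init-phase pattern described in the explanation, as an added example that is not part of the original question: the function code reads the PEM bundle from S3 at module scope and builds one TLS context that every invocation reuses. The environment variable names `CA_BUCKET` and `CA_KEY`, the `/tmp` file name, and the `event["url"]` field are assumptions made for illustration.

```python
"""Added example: load a shared Root CA from S3 once per execution environment."""
import os
import ssl
import tempfile
import urllib.request

# Assumed configuration names (not from the question), set as Lambda env vars.
BUCKET = os.environ.get("CA_BUCKET")
KEY = os.environ.get("CA_KEY", "root-ca.pem")
CA_PATH = os.path.join(tempfile.gettempdir(), "root-ca.pem")  # /tmp on Lambda


def fetch_from_s3(bucket, key):
    """Download the PEM bundle; boto3 ships with the Lambda Python runtime."""
    import boto3  # imported lazily so the module also loads without the AWS SDK
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


def init_trust_store(fetch=fetch_from_s3, bucket=BUCKET, key=KEY, path=CA_PATH):
    """Fetch the CA bundle, sanity-check it, and write it to local disk."""
    pem = fetch(bucket, key)
    count = pem.count(b"-----BEGIN CERTIFICATE-----")
    if count == 0 or count != pem.count(b"-----END CERTIFICATE-----"):
        raise ValueError(f"s3://{bucket}/{key} is not a PEM certificate bundle")
    with open(path, "wb") as fh:
        fh.write(pem)
    return path, count


def build_context(ca_path):
    """Default system trust plus the custom Root CA chain."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=ca_path)
    return ctx


# Module scope runs in the init phase (cold start), not on each invocation.
SSL_CONTEXT = build_context(init_trust_store()[0]) if BUCKET else None


def handler(event, context):
    # Reuses the context built at init; no S3 call happens here.
    with urllib.request.urlopen(event["url"], context=SSL_CONTEXT, timeout=5) as resp:
        return {"status": resp.status}
```

Because the object's contents become the trust anchor for every function that reads it, write access to that S3 key should be limited to the principals that rotate the certificate, with the other accounts' Lambda execution roles granted read access only.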