AWS Certified Security – Specialty (SCS-C02) — Question 196
An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
- B. Configure a token-based Lambda authorizer in API Gateway.
- C. Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
- D. Use AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.
Correct answer: C
Explanation
The correct answer is C: storing the client token as a SecureString parameter in AWS Systems Manager Parameter Store provides secure storage and access while being cost-effective. Option A is also secure, but it incurs the additional costs associated with AWS Secrets Manager. Option B does not address the encryption or secure storage of the client token. Option D involves additional complexity and potential costs associated with KMS and environment variables.