AWS Certified Security – Specialty — Question 294

A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.

What is the MOST cost-effective way to address this security issue?

Answer options

• A. Set up IAM policies from the Lambda console to hide access to the environment variables.
• B. Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
• C. Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
• D. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

Correct answer: D

Explanation

AWS Systems Manager Parameter Store with SecureString parameters is the most cost-effective option because standard parameters are offered at no additional charge, making it highly economical for thousands of functions. While AWS Secrets Manager also secures sensitive data, it charges a monthly fee per secret, which would be significantly more expensive in this scenario. Restricting visibility directly in the Lambda console via IAM policies is not possible, and AWS Step Functions is not designed to function as a secure configuration store.