AWS Certified Solutions Architect – Associate (SAA-C02) — Question 589
A developer is creating an AWS Lambda function to perform dynamic updates to a database when an item is added to an Amazon Simple Queue Service
(Amazon SQS) queue. A solutions architect must recommend a solution that tracks any usage of database credentials in AWS CloudTrail. The solution also must provide auditing capabilities.
Which solution will meet these requirements?
Answer options
- A. Store the encrypted credentials in a Lambda environment variable
- B. Create an Amazon DynamoDB table to store the credentials. Encrypt the table
- C. Store the credentials as a secure string in AWS Systems Manager Parameter Store
- D. Use an AWS Key Management Service (AWS KMS) key store to store the credentials
Correct answer: C
Explanation
AWS Systems Manager Parameter Store stores credentials as a SecureString parameter, which is encrypted with an AWS KMS key. Every read of the parameter (GetParameter, GetParameters, GetParametersByPath) is an SSM API call recorded in AWS CloudTrail, and a read with decryption also produces a KMS Decrypt event whose encryption context carries the parameter ARN, so both the who and the when of each credential use are auditable out of the box. A Lambda environment variable is handed to the function at initialization without a per-use API call, and reading a DynamoDB item is a data-plane call that CloudTrail does not record unless data events are explicitly enabled, so neither option gives credential-level auditing by default. AWS KMS manages cryptographic keys; a KMS key store holds key material, not application credentials, so option D does not address the requirement.