Q15 — AWS DVA-C02 Ch.2

A company has built a new application in the AWS Cloud. The company uses AWS CloudFormation templates to automate the provisioning of Auto Scaling resources. The provisioning scripts contain sensitive data. The company requires a solution integrated with CloudFormation to manage sensitive data in the provisioning scripts. Which solution satisfies these requirements in the most secure manner?

Correct Answer: C. Store sensitive data in AWS Systems Manager Parameter Store as SecureString parameters. Update the CloudFormation template to use dynamic references to specify template values.

Explanation

Option C recommends storing sensitive data as SecureString parameters in AWS Systems Manager Parameter Store. Parameter Store provides centralized, secure storage and retrieval of sensitive data, and dynamic references allow referencing those parameters in CloudFormation templates without exposing plaintext values. Option A, while secure via KMS encryption, lacks the operational convenience and fine-grained access control offered by Parameter Store. Option B introduces management challenges around S3 object permissions, versioning, and availability during bootstrapping. Option D adds architectural complexity and does not integrate as natively or securely with CloudFormation as Parameter Store does.