Q15 — AWS DVA-C02 Ch.2
A company has built a new application in the AWS Cloud. The company uses AWS CloudFormation templates to automate the provisioning of Auto Scaling resources. The provisioning scripts contain sensitive data. The company requires a solution integrated with CloudFormation to manage sensitive data in the provisioning scripts. Which solution satisfies these requirements in the most secure manner?
- A. Store sensitive data in CloudFormation parameters. Encrypt the CloudFormation template using an AWS Key Management Service (AWS KMS) key.
- B. Store sensitive data in an Amazon S3 bucket. Update the CloudFormation template to download the object from Amazon S3 during instance bootstrapping.
- C. Store sensitive data in AWS Systems Manager Parameter Store as SecureString parameters. Update the CloudFormation template to use dynamic references to specify template values. ✓
- D. Store sensitive data in Amazon Elastic File System (Amazon EFS). Enforce EFS encryption after file system creation. Update the CloudFormation template to retrieve data from Amazon EFS.
Correct Answer: C. Store sensitive data in AWS Systems Manager Parameter Store as SecureString parameters. Update the CloudFormation template to use dynamic references to specify template values.
Explanation
Option C is correct. Storing the sensitive values as SecureString parameters in AWS Systems Manager Parameter Store keeps them encrypted at rest under a KMS key (the AWS managed key aws/ssm or a customer managed key), and access is governed by IAM policies on the individual parameter ARNs plus the key policy. A dynamic reference of the form {{resolve:ssm-secure:parameter-name:version}} lets the template consume a value without ever containing it: CloudFormation resolves the reference at stack create or update time and hands the plaintext only to the target resource, so it does not appear in the template, in the stack parameters, or in DescribeStacks output. Two caveats matter in practice. First, ssm-secure references are accepted only in resource properties that AWS has enabled for them (for example MasterUserPassword on AWS::RDS::DBInstance), not in arbitrary strings such as EC2 user data, so an instance launched by the Auto Scaling group should fetch the value at boot through its instance role (ssm:GetParameter with decryption, plus kms:Decrypt when a customer managed key is used) rather than have it baked into user data. Second, pin the parameter version so a rotated value is rolled out deliberately instead of on the next unrelated stack update.

Option A is not secure: CloudFormation parameter values are returned by DescribeStacks and shown in the console unless the parameter is declared with NoEcho, and CloudFormation has no facility for consuming a KMS-encrypted template, so the sensitive data would still have to be supplied in plaintext. Option B moves the secret into an object that then has to be protected with bucket policies, server-side encryption and versioning, creates an availability dependency on S3 during bootstrapping, and still risks the value landing in user data or bootstrap logs; it is workable but neither the most secure nor the most integrated choice. Option D is unworkable as written: EFS encryption at rest can only be enabled when the file system is created, not afterwards, and mounting a file system to read a few values adds mount targets, security groups and network dependencies with no native CloudFormation integration.
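As an added illustration (not part of the exam page or of any AWS reference template), the following CloudFormation template assumes a SecureString parameter named /example/app/db-password has already been created out of band, references it with an ssm-secure dynamic reference where CloudFormation supports that, and has the Auto Scaling instances resolve the same parameter at boot through an instance role. The parameter name, the AMI and subnet IDs, and all resource names are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the exam page. Sensitive values live in SSM Parameter Store
  as SecureString parameters; the template references them without carrying plaintext.
  Precondition (assumed, run once out of band):
  aws ssm put-parameter --name /example/app/db-password --type SecureString --value '<secret>'

Parameters:
  DbPasswordParameterName:
    Type: String
    Default: /example/app/db-password   # assumed parameter name
  DbPasswordVersion:
    Type: String
    Default: '1'   # pinned so a rotated value is rolled out on purpose

Resources:
  # ssm-secure dynamic references are resolved by CloudFormation only for properties that
  # support them; RDS MasterUserPassword is one. The plaintext never appears in the
  # template, the stack parameters, or DescribeStacks output.
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: appadmin
      MasterUserPassword: !Sub '{{resolve:ssm-secure:${DbPasswordParameterName}:${DbPasswordVersion}}}'

  # EC2 user data does not support ssm-secure references, and user data is readable by
  # anyone with ec2:DescribeInstanceAttribute, so instances fetch the value at boot instead.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadDbPassword
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: read access to this one parameter only.
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DbPasswordParameterName}'
              # If the SecureString uses a customer managed key instead of aws/ssm,
              # add a kms:Decrypt statement scoped to that key's ARN here.

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0123456789abcdef0   # assumed; use an AMI that ships the AWS CLI
        InstanceType: t3.micro
        IamInstanceProfile:
          Arn: !GetAtt InstanceProfile.Arn
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            set -euo pipefail
            # Resolve the secret at boot with the instance role; only the parameter
            # name and region are substituted into user data, never the value.
            DB_PASSWORD=$(aws ssm get-parameter \
              --region "${AWS::Region}" \
              --name "${DbPasswordParameterName}" \
              --with-decryption \
              --query Parameter.Value --output text)
            mkdir -p /etc/app
            install -m 0600 /dev/null /etc/app/db.env
            printf 'DB_PASSWORD=%s\n' "$DB_PASSWORD" > /etc/app/db.env

  AppAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '1'
      MaxSize: '2'
      LaunchTemplate:
        LaunchTemplateId: !Ref AppLaunchTemplate
        Version: !GetAtt AppLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - subnet-0123456789abcdef0   # assumed subnet in the same VPC as the database
```

Deploying this with `aws cloudformation deploy --template-file template.yaml --stack-name app --capabilities CAPABILITY_IAM` never sends the secret through CloudFormation's parameter API: the database password reaches RDS via the resolved dynamic reference, and the instances read it through an IAM role whose only grant is ssm:GetParameter on that single parameter ARN. Rotating the value means writing a new parameter version and then updating DbPasswordVersion, which makes the rollout an explicit change set rather than a side effect.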