Q64 — AWS DVA-C02 Ch.2

Question 64 of 100 | Chapter 2

A company is implementing an audit monitoring system using Amazon OpenSearch Service. A developer needs to create a custom AWS CloudFormation resource associated with an AWS Lambda function to configure the OpenSearch Service domain. The Lambda function must use the OpenSearch Service master user credentials to access the OpenSearch Service domain. What is the most secure way to pass these credentials to the Lambda function?

Correct Answer: D. Use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret's value for the OpenSearch Service domain's MasterUserOptions. Create an IAM role with secretsmanager:GetSecretValue permission and assign it to the Lambda function. Store the secret name as an environment variable in the Lambda function and resolve the secret value at runtime.

Explanation

Option D keeps the credential out of every place a human, a template reviewer or a stack description could read it. The template creates the secret (typically with GenerateSecretString, so nobody ever types the password) and feeds it to the domain's MasterUserOptions through a dynamic reference of the form `{{resolve:secretsmanager:secret-id:SecretString:json-key}}`. CloudFormation resolves that reference during the stack operation and does not persist the plaintext value in the template, in stack parameters or in outputs. The Lambda function never receives the value at deploy time: it gets only the secret's name or ARN as an environment variable, its execution role is granted secretsmanager:GetSecretValue, and the function fetches the value at runtime through the SDK, where every read is logged in CloudTrail and rotation needs no change to the function's configuration.

Checks a practitioner should still make: scope the GetSecretValue statement to the secret's ARN rather than `*`; keep the secret value itself out of Lambda environment variables, since anyone with lambda:GetFunctionConfiguration can read them in plaintext; and never return the credentials in the custom resource's response Data or Reason, because both are visible through Fn::GetAtt and stack events.

Options A, B and C pass the credentials through CloudFormation parameters, which leaves plaintext credentials in the template or in stack parameter values readable by anyone who can describe the stack. Option D is therefore both the more secure and the more manageable choice.
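The runtime half of option D, as an added example that is not part of the exam page or of any AWS sample: a custom-resource Lambda handler that reads only the secret's ARN from the MASTER_SECRET_ARN environment variable, calls GetSecretValue at invocation time, uses the master credentials for one HTTPS call, and signals CloudFormation without ever placing the password in the response. Assumed, and not from the question: the secret is the JSON {"username": ..., "password": ...} that GenerateSecretString produces, the domain endpoint arrives in DOMAIN_ENDPOINT, and the "configuration" performed is a role mapping through the OpenSearch Security plugin's `_plugins/_security/api/rolesmapping/<role>` API, chosen because it needs no further secrets in the template. The injectable `secrets_client`, `http_put` and `signal` arguments exist only so the logic can run offline; Lambda calls `handler(event, context)`.

```python
"""Custom-resource Lambda: configure an OpenSearch Service domain using the
master-user credentials resolved from Secrets Manager at runtime.

Added example, not code from the exam page. Assumptions: secret value is
{"username": ..., "password": ...}; MASTER_SECRET_ARN and DOMAIN_ENDPOINT
are Lambda environment variables; the configuration step is a Security
plugin role mapping (no extra secrets needed).
"""
import base64
import json
import os
import urllib.request


def get_master_credentials(secrets_client, secret_id):
    """Fetch and validate the master credentials. Only the secret's name or
    ARN lives in configuration; the value exists only inside this call."""
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        raise ValueError(f"secret {secret_id} has no SecretString")
    creds = json.loads(resp["SecretString"])
    missing = sorted({"username", "password"} - set(creds))
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return creds["username"], creds["password"]


def basic_auth_header(username, password):
    """HTTP Basic header accepted by fine-grained access control."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def build_cfn_response(event, status, reason, data=None):
    """Body sent to the pre-signed ResponseURL. Data is readable through
    Fn::GetAtt and stack events, so credentials must never be placed here."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def configure_domain(endpoint, props, auth_header, http_put):
    """Map an IAM role (backend role) onto an OpenSearch security role.
    http_put(url, headers, body_dict) -> HTTP status code."""
    role = props["OpenSearchRole"]
    url = f"https://{endpoint}/_plugins/_security/api/rolesmapping/{role}"
    headers = {"Authorization": auth_header,
               "Content-Type": "application/json"}
    return http_put(url, headers, {"backend_roles": [props["BackendRoleArn"]]})


def _https_put(url, headers, body):
    """Real transport used inside Lambda; tests inject a fake instead."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def _signal_cloudformation(response_url, body):
    """CloudFormation expects a PUT to the pre-signed S3 URL with an empty
    Content-Type (the same shape the cfn-response module sends)."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(
        response_url, data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req, timeout=30).close()


def handler(event, context, secrets_client=None, http_put=None, signal=None):
    """Lambda entry point. Keyword arguments are test seams only."""
    if secrets_client is None:
        import boto3  # imported lazily so the module loads without the SDK
        secrets_client = boto3.client("secretsmanager")
    http_put = http_put or _https_put
    signal = signal or _signal_cloudformation
    try:
        if event["RequestType"] == "Delete":
            # Domain (and its mappings) is torn down by its own resource.
            result = build_cfn_response(event, "SUCCESS", "nothing to remove")
        else:
            user, pw = get_master_credentials(
                secrets_client, os.environ["MASTER_SECRET_ARN"])
            auth = basic_auth_header(user, pw)
            del pw  # keep the plaintext alive no longer than needed
            status = configure_domain(os.environ["DOMAIN_ENDPOINT"],
                                      event["ResourceProperties"], auth, http_put)
            if status not in (200, 201):
                raise RuntimeError(f"OpenSearch returned HTTP {status}")
            result = build_cfn_response(
                event, "SUCCESS", "role mapping applied",
                {"OpenSearchRole": event["ResourceProperties"]["OpenSearchRole"]})
    except Exception as exc:  # Reason lands in stack events: no secrets in it
        result = build_cfn_response(event, "FAILED", str(exc)[:250])
    signal(event["ResponseURL"], result)
    return result
```

The execution role that pairs with this function needs only `secretsmanager:GetSecretValue` on the one secret ARN (plus the basic Lambda logging permissions); the environment carries the ARN and the endpoint, never the value. If the function is deployed with the VPC or a custom KMS key on the secret, add `kms:Decrypt` on that key to the same role.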