Q46 — AWS DVA-C02 Ch.3


A developer is building an application that allows users to view bank account data from multiple sources on a single dashboard. The developer has already automated retrieval of API credentials for these sources. This automation invokes an AWS Lambda function associated with a custom AWS CloudFormation resource. The developer wants to store the API credentials with the lowest possible operational cost while ensuring security. Which solution best meets these requirements?

Correct Answer: B. In the Lambda function, use the AWS SDK ssm:PutParameter operation to store the credential as a parameter, setting the parameter value to reference the new credential and the parameter type to SecureString.

Explanation

Storing credentials as SecureString parameters in AWS Systems Manager Parameter Store encrypts them at rest using AWS KMS and provides fine-grained access control — meeting security requirements. Using ssm:PutParameter in the Lambda function (Option B) enables dynamic, programmatic credential creation and storage without requiring CloudFormation template modifications for each credential. While Secrets Manager (Option A) is also secure, it incurs higher cost and complexity for simple static credential storage; Parameter Store SecureString is lower-cost and fully sufficient here. Options C and D incorrectly rely on NoEcho alone, which only masks values in CloudFormation outputs and does not provide encryption or security guarantees.