Q6 — AWS DVA-C02 Ch.3
A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to its SFTP service. The Lambda function connects to the SFTP service using credentials such as username and password. The company stores these credentials in Lambda environment variables. The developer needs to implement encrypted username and password credentials. Which solution meets these requirements?
- A. Remove the user credentials from Lambda environment variables and implement IAM database authentication.
- B. Move the user credentials from Lambda environment variables to AWS Systems Manager Parameter Store. ✓
- C. Move the user credentials from Lambda environment variables to AWS Key Management Service (AWS KMS).
- D. Move the user credentials from Lambda environment variables to an encrypted .txt file stored in an S3 bucket.
Correct Answer: B. Move the user credentials from Lambda environment variables to AWS Systems Manager Parameter Store.
Explanation
- Option A: Removing credentials from Lambda environment variables and implementing IAM database authentication is inappropriate because IAM database authentication applies to databases, not to SFTP servers requiring username/password authentication.
- Option B: Moving credentials from Lambda environment variables to AWS Systems Manager Parameter Store is appropriate. Parameter Store securely stores and manages configuration and sensitive data; access can be controlled via IAM roles and policies, and encryption can be enabled.
- Option C: Moving credentials to AWS KMS is unsuitable because AWS KMS manages encryption keys, not the credentials themselves.
- Option D: Storing credentials in an encrypted .txt file in S3 introduces unnecessary complexity, requiring separate management of S3 access controls and encryption configurations.