Q69 — AWS SAP-C02 Ch.3
Q294. A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis. What should a solutions architect do in the production environment to meet these requirements?
- A. Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.
- B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.
- C. Store the database credentials in the environment variables of each Lambda function. Encrypt the environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. Restrict access to the customer managed key so that only the IT security team can access the key.
- D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key. ✓
Correct Answer: D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.
Explanation
The scenario has three hard requirements: the production credentials must be encrypted under a key that only the IT security team's IAM group controls, that key must be rotated regularly, and the Lambda functions must still be able to reach the production database without developers handling the credentials. Option D satisfies all three.

Option D stores the credentials in AWS Secrets Manager as a secret encrypted with a KMS customer managed key. Because it is a customer managed key, the security team owns its key policy (and the IAM policies that grant use of it) and can enable automatic key rotation. Each Lambda function's execution role is granted secretsmanager:GetSecretValue on the secret and kms:Decrypt on the key, so the functions fetch the credentials at run time and the plaintext never appears in function configuration or source code. Secrets Manager also supports automatic rotation of the database credentials themselves for Amazon RDS, including SQL Server, which is the natural next step once the key is under the security team's control.

Option A is workable but weaker. A SecureString parameter is encrypted with KMS, and it can use a customer managed key, so the encryption and key-rotation requirements can be met. What Parameter Store lacks is built-in rotation of the stored credential and native RDS integration; for database credentials, Secrets Manager is the purpose-built service the exam expects.

Option B is incorrect because the AWS managed key for Lambda (aws/lambda) cannot have its key policy edited, so its use cannot be limited to the IT security team, and its rotation schedule is fixed by AWS rather than configured by the customer.

Option C is incorrect because environment variables are part of the function configuration: anyone with lambda:GetFunctionConfiguration can read them, and the function's execution role must be able to decrypt with the customer managed key, so access to the key cannot be restricted to the security team. Changing the credential also means redeploying every function, whereas a secret can be rotated in one place.
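The following is an added example, not code from the question or from AWS, showing how option D fits together in Python: the KMS key policy that lets the Lambda execution role decrypt only through Secrets Manager, the identity policy for the security team's group (a KMS key policy cannot name an IAM group as a principal, so the group must be granted through IAM), and a Lambda-side credential fetch with a warm-start cache that is refreshed when a login fails after rotation. The account ID, region, role name, secret name and the sample secret are constructed for the example; the boto3 client is injectable so the logic runs offline.

```python
"""Added example for option D: a Lambda function reading production SQL Server
credentials from a Secrets Manager secret encrypted with a KMS customer managed
key. Account ID, region, role and secret names, and the sample secret used in
testing are constructed for this example; none of this is the page's own code."""
import json
import os
import time
try:
    import boto3  # present in the Lambda runtime; optional so the module imports offline
except ImportError:
    boto3 = None

SECRET_ID = os.environ.get("DB_SECRET_ID", "prod/sqlserver/app")  # hypothetical secret name
CACHE_TTL_SECONDS = 300
CREDENTIAL_CACHE = {}  # survives warm starts: one GetSecretValue per container, not per invoke


def build_key_policy(account_id, region, lambda_role_name):
    """Key policy for the customer managed key that protects the secret.
    A KMS key policy cannot name an IAM group as a principal, so the IT security
    team's group gets its rights through an identity policy (below). The key
    policy only delegates to IAM policies in the account and lets the Lambda
    execution role decrypt, and only when Secrets Manager makes the KMS call."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMPoliciesInThisAccount", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "LambdaRoleDecryptsOnlyViaSecretsManager", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{lambda_role_name}"},
             "Action": "kms:Decrypt", "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def build_security_team_policy(key_arn, secret_arn):
    """Identity policy for the IT security team's IAM group: full control of the
    key (including kms:EnableKeyRotation) and of the secret; nobody else gets it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": key_arn},
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": secret_arn}]}


def get_db_credentials(secret_id=SECRET_ID, client=None, now=None):
    """Return the parsed secret, served from the warm-start cache while fresh.
    `client` and `now` are injectable so this runs without AWS access."""
    now = time.time() if now is None else now
    cached = CREDENTIAL_CACHE.get(secret_id)
    if cached and now - cached["fetched_at"] < CACHE_TTL_SECONDS:
        return cached["value"]
    if client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required outside the Lambda runtime")
        client = boto3.client("secretsmanager")
    # Needs secretsmanager:GetSecretValue on the secret and kms:Decrypt on the key;
    # without either, the call fails closed with AccessDeniedException.
    secret = json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])
    missing = {"host", "port", "username", "password"} - secret.keys()
    if missing:  # the RDS rotation function writes these keys; refuse anything else
        raise ValueError(f"secret {secret_id} is missing fields: {sorted(missing)}")
    creds = {"host": secret["host"], "port": int(secret["port"]),
             "username": secret["username"], "password": secret["password"],
             "dbname": secret.get("dbname", "master")}
    CREDENTIAL_CACHE[secret_id] = {"value": creds, "fetched_at": now}
    return creds


def invalidate_cached_credentials(secret_id=SECRET_ID):
    """Drop the cached copy, e.g. after a login failure caused by rotation."""
    CREDENTIAL_CACHE.pop(secret_id, None)


def connection_string(creds, driver="ODBC Driver 18 for SQL Server"):
    """pyodbc-style connection string for SQL Server; never log its PWD part."""
    return (f"DRIVER={{{driver}}};SERVER={creds['host']},{creds['port']};"
            f"DATABASE={creds['dbname']};UID={creds['username']};"
            f"PWD={creds['password']};Encrypt=yes")


def connect_with_rotation_retry(connect, secret_id=SECRET_ID, client=None,
                                login_error=Exception, now=None):
    """Open a connection; on one login failure assume the secret was just rotated
    (the cached password is stale), refetch it and retry exactly once."""
    try:
        return connect(connection_string(get_db_credentials(secret_id, client, now)))
    except login_error:
        invalidate_cached_credentials(secret_id)
        return connect(connection_string(get_db_credentials(secret_id, client, now)))


def lambda_handler(event, context):
    import pyodbc  # ships in the deployment package; not needed to import this module
    return connect_with_rotation_retry(pyodbc.connect, login_error=pyodbc.Error) is not None
```

The kms:ViaService condition is the detail worth copying: it means the execution role's kms:Decrypt right is only usable when Secrets Manager calls KMS on its behalf, so the role cannot decrypt arbitrary ciphertext under the production key. The retry-once-after-invalidation path is what keeps warm containers working across a credential rotation without turning every invocation into a Secrets Manager call.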