Q69 — AWS SAP-C02 Ch.3

Q294. A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis. What should a solutions architect do in the production environment to meet these requirements?

Correct Answer: D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.

Explanation

To meet the requirement that the production database credentials be encrypted with a key that only members of the IT security team's IAM user group can access, the solution should use AWS Secrets Manager together with an AWS KMS customer managed key. The correct answer is therefore D.

Option D stores the database credentials in AWS Secrets Manager as a secret associated with an AWS KMS customer managed key for encryption. The solutions architect then attaches a role to each Lambda function to provide access to the secret, and restricts access to both the secret and the customer managed key so that only the IT security team can access them.

Option A is incorrect because storing the credentials in AWS Systems Manager Parameter Store does not provide native encryption of the sensitive data by default and therefore requires additional configuration to encrypt the data using AWS KMS. Option B is also incorrect because using the AWS KMS default Lambda key does not support rotation of the key on a regular basis, which is required in this scenario. Option C is incorrect because encrypting environment variables with an AWS KMS customer managed key requires additional code changes and implementation effort, while AWS Secrets Manager provides native integration with AWS KMS for encryption and key management.
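As an added example (not part of the original question bank, and not AWS's own sample code), the following Python module shows one way to wire up option D: a key policy for the customer managed key, a resource policy on the secret, the identity policy for the IT security group, the provisioning calls that enable automatic key rotation, and the cached lookup a Lambda function would perform. Every account ID, role ARN and secret name is a constructed placeholder. One caveat the question glosses over: an IAM user group cannot be named as a principal in a KMS key policy or a Secrets Manager resource policy, so the group is granted the right to assume a dedicated IT security role, and that role is what the resource policies name.

```python
"""Production secret wiring: a Secrets Manager secret encrypted with a KMS
customer managed key, readable only by the Lambda execution roles and
manageable only by the IT security team. All ARNs are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                                                  # placeholder
REGION = "us-east-1"                                                         # placeholder
SECURITY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/it-security-key-admin"   # placeholder
LAMBDA_ROLE_ARNS = [f"arn:aws:iam::{ACCOUNT_ID}:role/prod-orders-lambda"]    # placeholder
SECRET_NAME = "prod/sqlserver/app"                                           # placeholder


def build_key_policy(account_id, region, security_role_arn, lambda_role_arns):
    """Key policy for the production customer managed key.

    - the account root may only administer the key (no Decrypt), so the key cannot
      become unmanageable, but no identity policy in the account can grant
      developers cryptographic use of it;
    - the IT security role (assumed by members of the IT security group) gets full use;
    - the Lambda execution roles may Decrypt, and only when Secrets Manager makes
      the call on their behalf (kms:ViaService)."""
    admin_actions = [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RootKeyAdministrationOnly", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": admin_actions, "Resource": "*"},
        {"Sid": "ITSecurityFullUse", "Effect": "Allow",
         "Principal": {"AWS": security_role_arn}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "LambdaDecryptViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": lambda_role_arns}, "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
    ]}


def build_secret_policy(security_role_arn, lambda_role_arns):
    """Resource policy on the secret: Lambda roles read the value, the IT security
    role manages it, and every other principal is explicitly denied so that a stray
    identity policy cannot hand developers the production credentials."""
    allowed = [security_role_arn, *lambda_role_arns]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LambdaReadOnly", "Effect": "Allow", "Principal": {"AWS": lambda_role_arns},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "ITSecurityManage", "Effect": "Allow", "Principal": {"AWS": security_role_arn},
         "Action": "secretsmanager:*", "Resource": "*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "secretsmanager:*", "Resource": "*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed}}},
    ]}


def build_security_group_policy(security_role_arn):
    """Identity policy attached to the IT security IAM user group: members reach the
    key and the secret only by assuming the role the resource policies name."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": security_role_arn}]}


def provision_production_secret(db_credentials, session=None):
    """Create the key with automatic rotation, the secret, and its resource policy.
    Requires boto3 and credentials for the IT security role; not run in tests."""
    import boto3  # imported lazily so the policy builders work without AWS access
    session = session or boto3.Session(region_name=REGION)
    kms, sm = session.client("kms"), session.client("secretsmanager")
    key = kms.create_key(Description="prod SQL Server credentials", Policy=json.dumps(
        build_key_policy(ACCOUNT_ID, REGION, SECURITY_ROLE_ARN, LAMBDA_ROLE_ARNS)))["KeyMetadata"]
    kms.enable_key_rotation(KeyId=key["KeyId"])  # regular automatic key rotation
    sm.create_secret(Name=SECRET_NAME, KmsKeyId=key["Arn"], SecretString=json.dumps(db_credentials))
    sm.put_resource_policy(SecretId=SECRET_NAME, BlockPublicPolicy=True,
                           ResourcePolicy=json.dumps(build_secret_policy(SECURITY_ROLE_ARN, LAMBDA_ROLE_ARNS)))
    return key["Arn"]


_cached_credentials = None


def load_db_credentials(secret_name=SECRET_NAME, client=None):
    """Fetch and cache the secret inside the Lambda execution environment, so the
    function decrypts once per container rather than once per invocation."""
    global _cached_credentials
    if _cached_credentials is None:
        if client is None:
            import boto3
            client = boto3.client("secretsmanager", region_name=REGION)
        raw = client.get_secret_value(SecretId=secret_name)["SecretString"]
        _cached_credentials = json.loads(raw)
    return _cached_credentials
```

The Lambda function only ever needs `load_db_credentials()`; the execution role attached to it is granted through the secret's resource policy and the key policy, so no KMS permissions have to appear in the role's own identity policy. The explicit Deny on the secret locks out the account root as well, which is the point of the exercise, but it means the IT security role must exist and be trusted before the policy is applied.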