Which solution will meet these requirements?

By:
In: DVA-C02
Tagged:
With: 2 Comments
A company’s developer is building a static website to be deployed in Amazon S3 for a production environment.The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function.The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function.The company must rotate the database credentials every 2 weeks.Lambda functions that the company deployed previously must be able to use the most recent credentials.

Which solution will meet these requirements?

Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.

Include the database credentials as part of the Lambda function code. Update the credentials periodically and deploy the new Lambda function.

Use Lambda environment variables. Update the environment variables when new credentials are available.

Store the database credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Systems Manager Parameter Store.

Explanations:

AWS Secrets Manager is designed for storing and managing sensitive information like database credentials. It supports automatic rotation of secrets, and Lambda functions can easily retrieve the most recent credentials securely. This meets the requirement of rotating credentials every 2 weeks and ensures that all deployed Lambda functions can access the latest credentials.

Including database credentials in the Lambda function code is not a secure practice. It requires redeploying the Lambda function every time the credentials change, which does not align with the requirement of seamless access to the most recent credentials by all functions. This method also increases the risk of exposing sensitive information.

Using Lambda environment variables to store database credentials can work but is not recommended for sensitive information due to security concerns. Environment variables can be accessed by anyone with permission to view the Lambda configuration, and updating them still requires redeploying the function, which does not fulfill the need for automatic credential rotation.

AWS Systems Manager Parameter Store can store sensitive information and is capable of updating credentials. However, it does not provide built-in support for automatic rotation of credentials, which is a requirement in this scenario. The Lambda function would still need to implement a custom solution for rotation.

2026-03-26

2 Comments

  1. Teresa
    Author

    I think the answer is:
    Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.

  2. Joseph
    Author

    It appears that the answer is:
    Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 + seven =