What should a solutions architect do in the production environment to meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS.The company has separate environments for development and production, including a clone of the database system.The company’s developers are allowed to access the credentials for the development database.However, the credentials for the production database must be encrypted with a key that only members of the IT security team’s IAM user group can access.This key must be rotated on a regular basis.

What should a solutions architect do in the production environment to meet these requirements?

Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.

Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.

Store the database credentials in the environment variables of each Lambda function. Encrypt the environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. Restrict access to the customer managed key so that only the IT security team can access the key.

Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.

Explanations:

Although using AWS Systems Manager Parameter Store with a SecureString parameter and a KMS customer managed key provides encryption, AWS Secrets Manager is generally recommended for managing and rotating database credentials securely. Secrets Manager offers built-in rotation, which meets rotation requirements.

Storing credentials in Lambda environment variables encrypted with the default KMS key is not ideal for production database credentials. The default Lambda key does not support regular key rotation and limits control over key access, so it does not meet the key rotation or security requirements.

Encrypting Lambda environment variables with a KMS customer managed key restricts access, but this method lacks Secrets Manager’s features like automatic credential rotation, which is explicitly required for the production database credentials.

AWS Secrets Manager with a KMS customer managed key is the optimal solution, as it provides secure storage, fine-grained access control, and automated credential rotation. Restricting access to the secret and the key to only the IT security team meets all requirements.

2025-10-04

1 Comment

  1. Cynthia
    Author

    I believe the answer is:
    Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.

Leave a Reply to Cynthia Cancel reply

Your email address will not be published. Required fields are marked *

13 − 13 =