Which solution will meet these requirements?
Store the API key in AWS Systems Manager Parameter Store as a string parameter. Use the default AWS KMS key that AWS provides to encrypt the API key.
Store the API key in AWS Lambda environment variables. Create an AWS KMS customer managed key to encrypt the API key.
Store the API key in the code repository. Use an AWS managed key to encrypt the code repository.
Store the API key as an Amazon DynamoDB table record. Use an AWS managed key to encrypt the API key.
Explanations:
While storing the API key in AWS Systems Manager Parameter Store is a good practice, using the default AWS KMS key does not provide the company with full control over the KMS keys. The default key is managed by AWS and cannot be customized.
Storing the API key in AWS Lambda environment variables allows for easy access within the Lambda function, and creating an AWS KMS customer managed key provides the company with full control over the encryption and access policies for the API key. This meets all the requirements for security and control.
Storing the API key in the code repository is not a secure practice, as it can expose sensitive information. Additionally, using an AWS managed key for a code repository does not ensure that the company has full control over the encryption keys, as AWS manages those keys.
Storing the API key in an Amazon DynamoDB table is a feasible option, but using an AWS managed key does not grant the company full control over the encryption process. The managed key is controlled by AWS, which does not align with the requirement for full control over AWS KMS keys.