Which solution will meet these requirements?
Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.
Create an Amazon S3 bucket for the database credentials. Encrypt the database credentials with server-side encryption with KMS keys (SSE-KMS). Modify the Lambda function to retrieve the database credentials from the S3 bucket. Attach a custom IAM policy to the Lambda function execution role to allow access to S3:GetObject from the S3 bucket’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.
Create SecureString parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.
Create String parameters in AWS Systems Manager Parameter Store for the database credentials encrypted with a KMS key. Pass the parameter values by using Lambda environment variables. Attach a custom IAM policy to the Lambda function execution role to allow access to ssm:GetParameter from the parameter’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.
Explanations:
AWS Secrets Manager is designed for securely storing and managing sensitive information such as database credentials. It encrypts every secret with a KMS key (the AWS managed key by default, or a customer managed key if you choose one), supports automatic rotation, and lets the Lambda function fetch the secret at invocation time rather than baking it into the deployment. The required IAM permissions (secretsmanager:GetSecretValue on the secret's ARN and kms:Decrypt on the key's ARN) are correctly scoped to single resources, which is the least-privilege shape you want on an execution role.
Storing database credentials in S3 is not ideal for this use case. While S3 can encrypt data with SSE-KMS, it does not provide automatic rotation of secrets like Secrets Manager does. This option also requires more manual handling of credentials and is not tailored to secrets management.
Systems Manager Parameter Store can hold credentials as SecureString parameters encrypted with a KMS key, so the parameter type in this option is right. The problem is the delivery path: passing the decrypted values through Lambda environment variables copies the credentials into the function configuration, where anyone with lambda:GetFunctionConfiguration can read them, and the ssm:GetParameter and kms:Decrypt permissions on the execution role are then not what actually delivers the secret at runtime. The function should call GetParameter with WithDecryption at invocation time instead, so this option does not meet the requirements.
Using String parameters in Systems Manager Parameter Store is not secure for database credentials: a String parameter is not KMS-encrypted (only SecureString parameters are), so the value is stored and returned in plaintext, and this option also pushes it through Lambda environment variables. SecureString parameters should be used instead, and read by the function at runtime.
If I’m correct, the answer is:
Create an AWS Secrets Manager secret for the database credentials encrypted with a KMS key. Modify the Lambda function to retrieve the secret from Secrets Manager. Attach a custom IAM policy to the Lambda function execution role to allow access to secretsmanager:GetSecretValue from the secret’s Amazon Resource Name (ARN) and to allow access to kms:Decrypt from the KMS key’s ARN.
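To make the chosen option concrete, here is an added example (written for this page, not taken from the question or from any AWS documentation) of the two pieces it calls for: the least-privilege execution-role policy scoped to the secret ARN and the KMS key ARN, and a Lambda handler that fetches the secret at invocation time and caches it per container. The ARNs, the secret contents, the FakeSecretsManager client and the FakeClock are all constructed so the code runs offline; in a real function you would drop the fake client and let the lazy boto3 import create the real one. The kms:ViaService condition is an optional tightening that assumes the secret and the key live in the same region.

```python
"""Lambda reading database credentials from Secrets Manager under a least-privilege role."""
import json
import os
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Constructed sample ARNs and secret payload for the offline demo (assumptions, not from the page).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_SECRET_STRING = json.dumps(
    {"username": "app", "password": "s3cr3t", "host": "db.internal", "port": 5432}
)


def build_execution_role_policy(secret_arn: str, kms_key_arn: str) -> Dict[str, Any]:
    """Policy document for the execution role: one secret, one key, nothing wildcarded.
    The kms:ViaService condition means the role can only use the key through Secrets
    Manager in the key's region (assumes secret and key share a region)."""
    region = kms_key_arn.split(":")[3]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadDatabaseSecret", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            {"Sid": "DecryptWithSecretKey", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": kms_key_arn,
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


class FakeClock:
    """Constructed clock so cache expiry can be driven deterministically."""
    def __init__(self) -> None:
        self.now = 1000.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class SecretCache:
    """Fetches a JSON SecretString and caches it for ttl_seconds per warm container,
    so rotation is picked up without calling Secrets Manager on every invocation."""
    def __init__(self, client: Any, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries: Dict[str, Tuple[float, Dict[str, Any]]] = {}

    def get(self, secret_id: str) -> Dict[str, Any]:
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and now - entry[0] < self._ttl:
            return entry[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" not in resp:
            raise ValueError("expected a JSON SecretString, got a binary secret")
        creds = json.loads(resp["SecretString"])
        missing = [k for k in ("username", "password") if k not in creds]
        if missing:
            raise ValueError(f"secret is missing required keys: {missing}")
        self._entries[secret_id] = (now, creds)
        return creds


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (same call shape, no network)."""
    def __init__(self, secret_string: Optional[str]) -> None:
        self._secret_string, self.calls = secret_string, 0
    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        if self._secret_string is None:
            return {"ARN": SecretId, "SecretBinary": b"\x00"}
        return {"ARN": SecretId, "SecretString": self._secret_string}


_CACHE: Optional[SecretCache] = None


def lambda_handler(event: Dict[str, Any], context: Any,
                   cache: Optional[SecretCache] = None) -> Dict[str, Any]:
    """Entry point. In Lambda, cache is None and a real boto3 client is built once per container."""
    global _CACHE
    if cache is None:
        if _CACHE is None:
            import boto3  # imported lazily so the offline demo does not need boto3 installed
            _CACHE = SecretCache(boto3.client("secretsmanager"))
        cache = _CACHE
    secret_id = event.get("secret_arn") or os.environ.get("DB_SECRET_ARN", SECRET_ARN)
    creds = cache.get(secret_id)
    # Use creds to open the DB connection here; never return or log the password.
    return {"connected_as": creds["username"], "host": creds["host"]}


if __name__ == "__main__":
    demo_cache = SecretCache(FakeSecretsManager(SAMPLE_SECRET_STRING), clock=FakeClock())
    print(json.dumps(build_execution_role_policy(SECRET_ARN, KMS_KEY_ARN), indent=2))
    print(lambda_handler({}, None, cache=demo_cache))
```

The handler returns only the username and host so that a logged or echoed response can never leak the password; the cache TTL is the knob that trades Secrets Manager API calls against how quickly a rotated password is picked up.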