DVA-C02 · Question #136
A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda fun
The correct answer is A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the. AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.
Question
A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function. The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials. Which solution will meet these requirements?
Options
- AStore the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the
- BInclude the database credentials as part of the Lambda function code. Update the credentials
- CUse Lambda environment variables. Update the environment variables when new credentials are
- DStore the database credentials in AWS Systems Manager Parameter Store. Turn on rotation.
How the community answered
(56 responses)- A77% (43)
- B5% (3)
- C4% (2)
- D14% (8)
Why each option
AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.
Storing credentials in AWS Secrets Manager with rotation enabled and fetching them at runtime via the Secrets Manager API means every Lambda invocation retrieves the current valid credentials; because the secret ARN (not the value) is referenced in code, previously deployed function versions automatically use the rotated credentials without redeployment.
Hardcoding credentials in the function code requires redeployment of every function version each rotation cycle, violates security best practices, and leaves credentials exposed in source code and deployment packages.
Lambda environment variables are bound to a specific function version at publish time; updating them does not propagate to previously published versions pointed to by aliases, so old versions would still use stale credentials.
AWS Systems Manager Parameter Store can store credentials but its native rotation capability is more limited than Secrets Manager, which provides built-in automated rotation with Lambda integration specifically designed for database credentials.
Concept tested: AWS Secrets Manager automatic rotation for Lambda credential management
Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
Community Discussion
No community discussion yet for this question.