DVA-C02 · Question #400
A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company's SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and
The correct answer is B. Move the user credentials from Lambda environment variables to AWS Systems Manager. Storing SFTP credentials securely requires moving them out of Lambda environment variables into a dedicated secrets management service. AWS Systems Manager Parameter Store (with SecureString) or Secrets Manager are the correct destinations.
Question
A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company's SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and password. The company uses Lambda environment variables to store these credentials. A developer needs to implement encrypted username and password credentials. Which solution will meet these requirements?
Options
- ARemove the user credentials from the Lambda environment. Implement IAM database
- BMove the user credentials from Lambda environment variables to AWS Systems Manager
- CMove the user credentials from Lambda environment variables to AWS Key Management Service
- DMove the user credentials from the Lambda environment to an encrypted .txt file. Store the file in
How the community answered
(40 responses)- A10% (4)
- B83% (33)
- C5% (2)
- D3% (1)
Why each option
Storing SFTP credentials securely requires moving them out of Lambda environment variables into a dedicated secrets management service. AWS Systems Manager Parameter Store (with SecureString) or Secrets Manager are the correct destinations.
IAM database authentication applies to RDS/Aurora databases, not SFTP servers, so it cannot replace username/password credentials for an external SFTP endpoint.
AWS Systems Manager Parameter Store supports SecureString parameters that are encrypted at rest using AWS KMS. The Lambda function can retrieve the credentials at runtime via the SSM API without storing them in plaintext, satisfying the encryption requirement with minimal refactoring.
AWS KMS is a key management service used to create and control encryption keys; it does not store arbitrary secrets like usernames and passwords.
Storing credentials in an encrypted .txt file in S3 requires managing encryption keys separately and adds operational complexity without a native secret rotation or audit mechanism.
Concept tested: Secure credential storage with SSM Parameter Store
Source: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
Community Discussion
No community discussion yet for this question.