nerdexam
Amazon

DVA-C02 · Question #400

A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company's SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and

The correct answer is B. Move the user credentials from Lambda environment variables to AWS Systems Manager. Storing SFTP credentials securely requires moving them out of Lambda environment variables into a dedicated secrets management service. AWS Systems Manager Parameter Store (with SecureString) or Secrets Manager are the correct destinations.

Submitted by yaw92· Mar 5, 2026Security

Question

A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company's SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and password. The company uses Lambda environment variables to store these credentials. A developer needs to implement encrypted username and password credentials. Which solution will meet these requirements?

Options

  • ARemove the user credentials from the Lambda environment. Implement IAM database
  • BMove the user credentials from Lambda environment variables to AWS Systems Manager
  • CMove the user credentials from Lambda environment variables to AWS Key Management Service
  • DMove the user credentials from the Lambda environment to an encrypted .txt file. Store the file in

How the community answered

(40 responses)
  • A
    10% (4)
  • B
    83% (33)
  • C
    5% (2)
  • D
    3% (1)

Why each option

Storing SFTP credentials securely requires moving them out of Lambda environment variables into a dedicated secrets management service. AWS Systems Manager Parameter Store (with SecureString) or Secrets Manager are the correct destinations.

ARemove the user credentials from the Lambda environment. Implement IAM database

IAM database authentication applies to RDS/Aurora databases, not SFTP servers, so it cannot replace username/password credentials for an external SFTP endpoint.

BMove the user credentials from Lambda environment variables to AWS Systems ManagerCorrect

AWS Systems Manager Parameter Store supports SecureString parameters that are encrypted at rest using AWS KMS. The Lambda function can retrieve the credentials at runtime via the SSM API without storing them in plaintext, satisfying the encryption requirement with minimal refactoring.

CMove the user credentials from Lambda environment variables to AWS Key Management Service

AWS KMS is a key management service used to create and control encryption keys; it does not store arbitrary secrets like usernames and passwords.

DMove the user credentials from the Lambda environment to an encrypted .txt file. Store the file in

Storing credentials in an encrypted .txt file in S3 requires managing encryption keys separately and adds operational complexity without a native secret rotation or audit mechanism.

Concept tested: Secure credential storage with SSM Parameter Store

Source: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice