Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 180 discussion

C. AWS Systems Manager Parameter Store offers a more centralized way to manage encrypted secrets across multiple services than Lambda environment variables, making it a better fit for this scenario.

C. Option A (IAM database authentication) may provide secure authentication, but it doesn't directly address the storage and retrieval of the connection string. Option B (storing credentials in an encrypted RDS DB instance) might introduce unnecessary complexity and potential security risks. Option D (Lambda environment variables with a shared AWS KMS key) is a viable option, but using Parameter Store is generally considered a more centralized and managed approach for storing and retrieving sensitive data in AWS. Therefore, option C is the most appropriate choice for securely managing the database connection string in this scenario.

C is the best choice. For those that chose A: simply enabling the DB IAM auth does not address the need to use a single secure string. It would require more steps to make this work regarding lambda execution role, iam policies and etc.

This appear at 17 Jun exam

C is the correct answer.

https://aws.amazon.com/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

The developer can create an IAM role with permission to connect to Aurora DB instance and attach it to each Lambda function. The developer can also configure Aurora DB instance to use IAM database authentication and enable encryption in transit using SSL certificates. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html

The answer is A. https://aws.amazon.com/ru/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

C. Store the credentials in AWS Systems Manager Parameter Store as a secure string parameter: This is a strong option. Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets. It can store data such as passwords and database connection strings securely, and it integrates with AWS Key Management Service (AWS KMS) for encryption. Lambda functions can then retrieve the connection string securely at runtime. D. Use Lambda environment variables with a shared AWS Key Management Service (AWS KMS) key for encryption: While Lambda environment variables can be encrypted with AWS KMS and used to store sensitive information like database connection strings, they are not as centrally manageable as Parameter Store. Each Lambda function's environment variables would need to be updated individually if the connection string changes, which is less efficient and more prone to error.

https://aws.amazon.com/blogs/database/iam-role-based-authentication-to-amazon-aurora-from-serverless-applications/

The correct answer is (D). Solution (D) is the best option because it uses Lambda environment variables with an AWS Key Management Service (AWS KMS) shared key for encryption.