Download Full Version DVA-C02 Amazon Web Services Exam

Sensitive environment variables in Lambda should be protected using encryption helpers integrated with AWS KMS. Lambda environment variables are encrypted at rest, and when using a customer managed KMS key, teams can control the key policy, access, and rotation for their own microservices—matching the policy requirement that each team has “full control” over key rotation. AWS managed keys do not provide the same level of customer control over lifecycle and rotation decisions.

Therefore, the correct approach is to create customer managed KMS keys (one per team/service boundary or per microservice, depending on governance) and configure each Lambda function to use the relevant CMK for encrypting its environment variables. The Lambda execution role must have permission to use the key for decryption at runtime, typically requiring kms:Decrypt (and sometimes kms:DescribeKey depending on tooling). This is captured by Option B.

Option A and D use AWS managed keys, which do not satisfy the requirement for each team to control rotation. Rotation control (and policy ownership) is a key differentiator of customer managed keys.

Option C is not correct because the Lambda execution role does not need kms:CreateGrant and kms:Encrypt for decrypting environment variables at runtime. Over-permissioning increases risk. The Lambda service handles encryption of environment variables; the function runtime principally needs the ability to decrypt.

The most secure solution is A because AWS Secrets Manager is purpose-built for storing, retrieving, and managing secrets such as database credentials, API keys, and tokens. In AWS guidance, Secrets Manager is recommended when applications need secure secret storage with controlled access, encryption, and integration with runtime retrieval patterns. By storing the credentials as a secret and passing only the secret ARN through an environment variable, the Lambda function avoids exposing the actual username and password in plaintext configuration.

The AWS Parameters and Secrets Lambda Extension is specifically designed to let Lambda functions retrieve secrets securely at invocation time. This reduces the risk of accidental exposure in code, deployment artifacts, or function configuration. Secrets Manager also supports automatic rotation , which is a major security advantage for database credentials and is one of the main reasons AWS recommends it over hardcoded or manually managed values.

Option B is incorrect because base64 is only encoding, not encryption, and embedding credentials in source code is insecure. Option C is less appropriate because a string type parameter in Systems Manager Parameter Store is not the secure choice for sensitive credentials; secure storage there would require SecureString , but even then Secrets Manager is the stronger AWS-recommended service for database secrets. Option D only masks values in CloudFormation outputs and logs with NoEcho ; it does not provide secure runtime secret retrieval or secret lifecycle management.

Therefore, A is the best and most secure answer according to AWS security best practices for Lambda applications handling database credentials.

Amazon EFS: A network file system (NFS) providing shared, scalable storage across multiple Lambda functions and other AWS resources.

Lambda Mounting: EFS file systems can be mounted within Lambda functions to access a shared storage space.

Log Appending: EFS supports appending data to existing files, making it ideal for the log file scenario.

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn ' t provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies