Question

You're developing an application that is going to be hosted in AWS Lambda. The function will make calls to a database.

A requirement is that all database connection strings should be kept secure.

Which of the following is the MOST secure way to implement this?

A. Put the connection strings values in a CloudFormation template.

B. Put the database connection string in the app.json file and store it in a Git repository.

C. Lambda needs to reference the AWS Systems Manager Parameter Store for the encrypted database connection string.

D. Place the database connection string in the AWS Lambda function itself since all Lambda functions are encrypted at rest.

Answer 1

Answer - C.

The AWS Documentation mentions the following.

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management.

You can store data such as passwords, database strings, and license codes as parameter values.

You can store values as plain text or encrypted data.

You can then reference values by using the unique name that you specified when you created the parameter.

Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud.

Parameter Store is offered at no additional charge.

Option A is incorrect because the connection strings values are exposed in the CloudFormation template.

Option B is incorrect because the string is stored in the code repository and is unsecure.

Option D is incorrect because the string is stored together with the Lambda function code, which is not secure.

For more information on the Systems Manager Parameter Store, please refer to the below URL-

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html

The most secure way to implement database connection strings in AWS Lambda is option C, which involves using the AWS Systems Manager Parameter Store to store and retrieve the encrypted database connection string.

Explanation of each option:

A. Putting the connection strings values in a CloudFormation template is not the most secure way to store sensitive data because CloudFormation templates are stored in plain text and can be accessed by anyone who has access to the AWS Management Console.

B. Putting the database connection string in the app.json file and storing it in a Git repository is not secure because Git repositories can be accessed by anyone who has access to the repository, and the database connection string will be stored in plain text.

C. Lambda needs to reference the AWS Systems Manager Parameter Store for the encrypted database connection string. The Parameter Store provides a centralized location for storing and managing secure information such as database connection strings. When using the Parameter Store, the connection string is encrypted using an AWS KMS key, and only authorized AWS Identity and Access Management (IAM) users and roles can access the Parameter Store.

D. Placing the database connection string in the AWS Lambda function itself is not secure because the Lambda function code is stored in plaintext and can be accessed by anyone who has access to the AWS Management Console. It is not recommended to store sensitive data in the Lambda function code.

In summary, option C, using the AWS Systems Manager Parameter Store, is the most secure way to implement database connection strings in AWS Lambda.