Question

You're developing an application that is going to be hosted in AWS Lambda. The function will make calls to a database. A requirement is that all database connection strings should be kept secure.

Which of the following is the MOST secure way to implement this?

A. Put the connection strings values in a CloudFormation template.

B. Put the database connection string in the app.json file and store it in a Git repository.

C. Lambda needs to reference the AWS Systems Manager Parameter Store for the encrypted database connection string.

D. Place the database connection string in the AWS Lambda function itself since all Lambda functions are encrypted at rest.

Answer 1

Answer - C.

The AWS Documentation mentions the following.

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management.

You can store data such as passwords, database strings, and license codes as parameter values.

You can store values as plain text or encrypted data.

You can then reference values by using the unique name that you specified when you created the parameter.

Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud.

Parameter Store is offered at no additional charge.

Option A is incorrect because the connection strings values are exposed in the CloudFormation template.

Option B is incorrect because the string is stored in the code repository and is unsecure.

Option D is incorrect because the string is stored together with the Lambda function code, which is not secure.

For more information on the Systems Manager Parameter Store, please refer to the below URL-

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html

The most secure way to store and access database connection strings in an AWS Lambda function is to use the AWS Systems Manager Parameter Store. This option is provided by option C.

Option A is not the most secure way to implement this because CloudFormation templates are typically stored in plain text, which can be a security risk. This means that anyone with access to the CloudFormation template can view the database connection string.

Option B is also not the most secure way to implement this because storing the database connection string in a Git repository is not secure. Git repositories are typically public or shared with a team of developers, which means that anyone with access to the repository can view the database connection string.

Option D is also not the most secure way to implement this because storing the database connection string in the AWS Lambda function itself is not secure. While Lambda functions are encrypted at rest, anyone with access to the function can view the database connection string.

Option C is the most secure way to implement this because the AWS Systems Manager Parameter Store allows you to store encrypted strings, including database connection strings, as parameters. The parameters can be accessed by the Lambda function securely, and you can control who has access to the encrypted strings using AWS Identity and Access Management (IAM). By using the AWS Systems Manager Parameter Store, you can ensure that your database connection strings are encrypted and secure.