Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 147 discussion

Answer is B A is not correct as the requirement asked to store API credentials, GenerateSecretString will create a random string as password. C the API credential will be retrieved by the Lambda function, it is un-available to the template. D no echo is a attribute of cloud formation template.

The correct answer is (D). Solution (D) is the most secure because it stores the API credentials in AWS Secrets Manager, which is a managed service that provides secure, policy-controlled storage for secrets. The parameter's NoEcho attribute prevents the parameter value from being displayed in the console or request history.

SecureString parameters are encrypted both when stored in the Parameter Store (at rest) and while being transmitted (in transit) using AWS KMS (Key Management Service). This means that even if someone were to gain unauthorized access to the Parameter Store's underlying storage, they wouldn't be able to easily read the parameter's value.

https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html

B is the correct answer.

I choose C, not choose A due to minimal cost I dont understand why most of you choose B

its B only https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html#:~:text=You%20can%20also%20use%20SecureString%20parameters%20with%20other%20AWS%20services.%20In%20the%20following%20example%2C%20the%20Lambda%20function%20retrieves%20a%20SecureString%20parameter%20by%20using%20the%20GetParameters%20API.

I will got with A. Becausehttps://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html nullifying the B&D. Justifying A https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

The solution that will meet the requirements is to use the AWS SDK ssm PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString. This way, the developer can store the API credentials with minimal operational overhead, as AWS Systems Manager Parameter Store provides secure and scalable storage for configuration data. The SecureString parameter type encrypts the parameter value with AWS Key Management Service (AWS KMS). The other options either involve adding additional resources to the CloudFormation template, which increases complexity and cost, or do not encrypt the parameter value, which reduces security.

B. Use the AWS SDK ssm:PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString: This is a secure and operationally efficient solution. AWS Systems Manager Parameter Store can securely store parameters as SecureString, which encrypts the parameter value. The ssm:PutParameter operation can be used within the Lambda function to store the credentials directly after retrieval, minimizing operational overhead.

Answer is B

noecho is CF feature, not ssm param store

Agree with B - D will be stored in plain text, this is credentials so should be secure string

ANS: D NoEcho https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/82#issuecomment-517704282

ANS: D NoEcho https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/82#issuecomment-517704282

Is B the correct answer? SecureString isn't currently supported for AWS CloudFormation templates. https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html

Answer is A AWS Secrets Manager is specifically designed for securely storing sensitive information like API credentials, database passwords, and other secrets