Exam AWS Certified Security - Specialty topic 1 question 370 discussion

Param store - SecureString is FREE

The most cost-effective solution to meet these requirements would be to store the client token as a SecureString parameter in AWS Systems Manager Parameter Store and use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.C

C for cost effectiveness, systems manager parameter store trumps secrets manager

A unique client token is generated in the SaaS platform to grant access to the Lambda function (0) most cost effective solution to (1) encrypt the access token at rest and (2) pass the token to the Lambda function at runtime Unless I am mistaken a Lamda authorizer is Lambda side auth before execution of a Lambda function, not auth of Lambda to the SaaS application. If so, this eliminates B. A Secrets Manager & C Parameter Store seem to both be possible. Parameter Store is free, Secrets Manager is not so between these C is better but both incur some cost by using the AWS SDK. D seems possible but has a cost per key https://medium.com/@kush.saraiya/encrypting-environment-variables-in-aws-lambda-function-e09cdde9fef1 Hard to evaluate the costs on this but I think the 'MOST cost-effectively' is a hint to choose Parameter Store so I think C is the best answer. (disclaimer I have never worked with any of this and am just reading documentation)

A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

Why B isn't a valid option? Is it because request need to come from 3rd party SAAS solution?

C , most cost-effectively

Agree with C, cost-effectively

Agree with C

C -90% https://aws.amazon.com/systems-manager/pricing/