DVA-C02 Exam - Question 147


A developer is building an application that gives users the ability to view bank accounts from multiple sources in a single dashboard. The developer has automated the process to retrieve API credentials for these sources. The process invokes an AWS Lambda function that is associated with an AWS CloudFormation custom resource.

The developer wants a solution that will store the API credentials with minimal operational overhead.

Which solution will meet these requirements in the MOST secure way?

Correct Answer: B

The most secure and appropriate solution for storing API credentials with minimal operational overhead is to use the AWS SDK ssm:PutParameter operation in the Lambda function to store the credentials as a SecureString parameter. AWS Systems Manager Parameter Store lets developers securely store and manage secret data such as API credentials, and setting the parameter type to SecureString encrypts the data using AWS Key Management Service (KMS). This approach meets the requirement of minimal operational overhead while maintaining a high level of security for the API credentials.
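The approach in answer B, as an added example (not code from the original page or from AWS): a Python Lambda handler for the custom resource that writes the retrieved credentials with `put_parameter` as a `SecureString` and keeps the secret out of the CloudFormation response. The `ParameterName` resource property and the `fetch` hook standing in for the credential-retrieval step are assumptions.

```python
import json
import urllib.request

def store_credentials(ssm, name, secret):
    """Store the secret encrypted at rest; return the new parameter version."""
    resp = ssm.put_parameter(
        Name=name,
        Value=secret,
        Type="SecureString",  # KMS-encrypted; default key unless KeyId is passed
        Overwrite=True,       # lets a stack update replace the stored value
    )
    return resp["Version"]

def cfn_response(event, status, physical_id, data=None, reason=""):
    """Build the response body CloudFormation expects from a custom resource."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,       # mask Data when read through Fn::GetAtt
        "Data": data or {},
    }

def put_to_cloudformation(url, body):
    """Default sender: PUT the JSON body to the pre-signed ResponseURL."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)

def handler(event, context, ssm=None, fetch=None, send=put_to_cloudformation):
    """fetch(event) -> str is a hypothetical hook for the retrieval step."""
    if ssm is None:
        import boto3          # only needed when running inside Lambda
        ssm = boto3.client("ssm")
    name = event["ResourceProperties"]["ParameterName"]  # assumed property
    try:
        if event["RequestType"] == "Delete":
            ssm.delete_parameter(Name=name)
            data = {}
        else:
            version = store_credentials(ssm, name, fetch(event))
            data = {"ParameterName": name, "Version": str(version)}
        body = cfn_response(event, "SUCCESS", name, data)
    except Exception as exc:  # report the exception type only, never the secret
        body = cfn_response(event, "FAILED", name, reason=type(exc).__name__)
    send(event["ResponseURL"], body)
    return body
```

The function's execution role needs `ssm:PutParameter` and `ssm:DeleteParameter` on the parameter's ARN; consumers read the value with `GetParameter` and `WithDecryption=True`.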

Discussion

17 comments
Jing2023
Oct 12, 2023

Answer is B. A is not correct, as the requirement asked to store API credentials; GenerateSecretString will create a random string as a password. C: the API credential will be retrieved by the Lambda function; it is unavailable to the template. D: NoEcho is an attribute of the CloudFormation template.

Digo30sp (Option: D)
Oct 6, 2023

The correct answer is (D). Solution (D) is the most secure because it stores the API credentials in AWS Secrets Manager, which is a managed service that provides secure, policy-controlled storage for secrets. The parameter's NoEcho attribute prevents the parameter value from being displayed in the console or request history.

Bolu_Jay
Oct 23, 2023

Answer is A. AWS Secrets Manager is specifically designed for securely storing sensitive information like API credentials, database passwords, and other secrets.

kaes (Option: D)
Nov 25, 2023

ANS: D NoEcho https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/82#issuecomment-517704282

Nagasoracle (Option: B)
Oct 18, 2023

I agree with Jing2023's answer.

ut18
Oct 25, 2023

Is B the correct answer? SecureString isn't currently supported for AWS CloudFormation templates. https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html

Certified101 (Option: B)
Dec 12, 2023

Agree with B - D will be stored in plain text; these are credentials, so it should be a SecureString.

KillThemWithKindness (Option: B)
Feb 19, 2024

The solution that will meet the requirements is to use the AWS SDK ssm PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString. This way, the developer can store the API credentials with minimal operational overhead, as AWS Systems Manager Parameter Store provides secure and scalable storage for configuration data. The SecureString parameter type encrypts the parameter value with AWS Key Management Service (AWS KMS). The other options either involve adding additional resources to the CloudFormation template, which increases complexity and cost, or do not encrypt the parameter value, which reduces security.

KarBiswa
Mar 17, 2024

It's B only. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html#:~:text=You%20can%20also%20use%20SecureString%20parameters%20with%20other%20AWS%20services.%20In%20the%20following%20example%2C%20the%20Lambda%20function%20retrieves%20a%20SecureString%20parameter%20by%20using%20the%20GetParameters%20API.

Melisa202401 (Option: C)
Apr 7, 2024

I choose C; I did not choose A due to minimal cost. I don't understand why most of you choose B.

rrshah83 (Option: B)
Jan 1, 2024

NoEcho is a CF feature, not SSM Parameter Store.

Snape (Option: B)
Jan 7, 2024

Answer is B

SerialiDr (Option: B)
Jan 18, 2024

B. Use the AWS SDK ssm:PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString: This is a secure and operationally efficient solution. AWS Systems Manager Parameter Store can securely store parameters as SecureString, which encrypts the parameter value. The ssm:PutParameter operation can be used within the Lambda function to store the credentials directly after retrieval, minimizing operational overhead.

KarBiswa (Option: A)
Feb 25, 2024

I will go with A. Because https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html nullifying the B&D. Justifying A https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

KarBiswa
Mar 17, 2024

Reverting the Option to B

65703c1 (Option: B)
May 23, 2024

B is the correct answer.

Anandesh (Option: D)
Jul 17, 2024

https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html