Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, a common pitfall is confusing where and how to securely store sensitive application credentials used by Lambda. The exam tests nuanced understanding of AWS SDK integration and secure secrets management within serverless architectures. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
DataSync Innovations runs a serverless pipeline where an AWS Lambda function moves data files from an Amazon S3 bucket to a partner company’s SFTP server daily. The Lambda function authenticates to the SFTP server using basic credentials (a username and password) currently stored as plaintext environment variables. The development team must improve security by encrypting these credentials while maintaining seamless access within the Lambda function code.
The Requirement: #
Implement a solution to securely store and retrieve the encrypted SFTP username and password credentials for the Lambda function without exposing secrets in plaintext in the environment variables.
The Options #
- A) Remove the user credentials from Lambda environment variables and implement IAM database authentication for the SFTP server.
- B) Move the user credentials from Lambda environment variables to AWS Systems Manager Parameter Store.
- C) Move the user credentials from Lambda environment variables to AWS Key Management Service (AWS KMS).
- D) Move the user credentials from Lambda environment variables to an encrypted file stored in an S3 bucket.
Correct Answer #
B
Quick Insight: The Developer Imperative #
For Lambda credentials, the best practice is to store sensitive data in AWS Systems Manager Parameter Store as encrypted SecureString parameters. The Lambda function then retrieves the decrypted values at runtime through its IAM execution role. Keeping secrets directly in environment variables, even encrypted ones, or calling KMS directly to manage secrets is discouraged because it complicates access control and key management. Parameter Store fits the AWS SDK integration patterns the exam expects and supports least-privilege access to each parameter.
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
AWS Systems Manager Parameter Store supports storing secure string parameters encrypted with AWS KMS keys. Lambda functions with appropriate IAM permissions can retrieve and decrypt these credentials at runtime via the AWS SDK without embedding them in environment variables. This pattern improves security by removing sensitive plaintext secrets from the deployment environment and centralizing secrets management with fine-grained access control.
The Trap (Distractor Analysis): #
- Why not A? IAM database authentication applies to AWS RDS databases only; it doesn’t secure third-party SFTP credentials.
- Why not C? AWS KMS is a key management system, not a secret store; you cannot directly “store” credentials in KMS. Typically, KMS encrypts/decrypts data but doesn’t hold it for you. Developers would need to implement their own secrets storage, increasing complexity and risk.
- Why not D? Storing an encrypted file in S3 adds complexity in managing decryption keys and retrieval. It also lacks the seamless SDK integration provided by Parameter Store or Secrets Manager, making access more error-prone and operationally heavy.
The Technical Blueprint #
```bash
# Check from the AWS CLI that the SecureString parameters decrypt for the calling identity
# (the Lambda execution role will need the same read/decrypt permissions)
aws ssm get-parameter --name "/prod/sftp/username" --with-decryption
aws ssm get-parameter --name "/prod/sftp/password" --with-decryption
```
Lambda code snippet using AWS SDK for JavaScript v2 (Node.js):

```javascript
// AWS SDK for JavaScript v2. Lambda's Node.js 18+ runtimes bundle only SDK v3
// (@aws-sdk/client-ssm), so on those runtimes v2 must be packaged with the function.
const AWS = require('aws-sdk');
const ssm = new AWS.SSM();

// WithDecryption: true asks Parameter Store to return the SecureString plaintext.
// The execution role needs ssm:GetParameter on these parameters (and kms:Decrypt
// on the key when a customer managed key encrypts them).
async function getSftpCredentials() {
  const usernameParam = await ssm.getParameter({ Name: '/prod/sftp/username', WithDecryption: true }).promise();
  const passwordParam = await ssm.getParameter({ Name: '/prod/sftp/password', WithDecryption: true }).promise();
  return {
    username: usernameParam.Parameter.Value,
    password: passwordParam.Parameter.Value,
  };
}
```
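The snippet above fetches and decrypts both parameters on every invocation and trusts whatever comes back. The following is an added example, not code from the original note, of how a senior developer would harden that retrieval: one batched GetParameters call, a cache that lives in the module closure so warm execution environments skip the SSM/KMS round trip, a fail-closed check that each parameter exists and is actually a SecureString, and an injectable client so the loader can run offline. It assumes the AWS SDK for JavaScript v3 aggregated client (`SSM` from `@aws-sdk/client-ssm`, whose `getParameters(input)` returns a promise) and the two parameter names; the fake client and its values are constructed for the example.

```javascript
// Added example, not the original note's code. Assumes the AWS SDK v3
// aggregated SSM client (getParameters returns a promise) and these names.
const PARAM_NAMES = ['/prod/sftp/username', '/prod/sftp/password'];

// How long a decrypted value may be reused by a warm execution environment
// before Parameter Store is consulted again (bounds staleness after rotation).
const CACHE_TTL_MS = 5 * 60 * 1000;

// Builds a loader that fetches both SecureString values in one GetParameters
// call and caches them in the closure. Create it once at module load: Lambda
// reuses the module between invocations, so most events skip the SSM/KMS trip.
function makeCredentialLoader(ssm, now = Date.now) {
  let cache = null;
  return async function getSftpCredentials() {
    if (cache && now() - cache.fetchedAt < CACHE_TTL_MS) {
      return cache.value;
    }
    const resp = await ssm.getParameters({ Names: PARAM_NAMES, WithDecryption: true });

    // Fail closed: a missing name must not turn into an undefined password.
    if (resp.InvalidParameters && resp.InvalidParameters.length > 0) {
      throw new Error(`missing SSM parameters: ${resp.InvalidParameters.join(', ')}`);
    }
    const byName = new Map(resp.Parameters.map((p) => [p.Name, p]));
    for (const name of PARAM_NAMES) {
      const p = byName.get(name);
      // A secret accidentally created as a plain String is stored unencrypted;
      // the name alone does not reveal that, so check the returned type.
      if (!p || p.Type !== 'SecureString') {
        throw new Error(`parameter ${name} is not a SecureString`);
      }
    }
    const value = {
      username: byName.get(PARAM_NAMES[0]).Value,
      password: byName.get(PARAM_NAMES[1]).Value,
    };
    cache = { value, fetchedAt: now() };
    return value; // never log this object
  };
}

// Production wiring: the SDK require is deferred into this function so the
// file also runs where @aws-sdk/client-ssm is not installed.
function makeProductionLoader() {
  const { SSM } = require('@aws-sdk/client-ssm');
  return makeCredentialLoader(new SSM({}));
}

// Constructed stand-in for the SSM client so the loader can run offline.
// `store` maps parameter name -> { Type, Value }; the call counter lets the
// caching behaviour be observed. Values are made up for the example.
function makeFakeSsm(store) {
  const fake = { calls: 0 };
  fake.getParameters = async ({ Names, WithDecryption }) => {
    fake.calls += 1;
    const Parameters = [];
    const InvalidParameters = [];
    for (const name of Names) {
      const entry = store[name];
      if (!entry) {
        InvalidParameters.push(name);
        continue;
      }
      // The real service returns ciphertext for a SecureString unless
      // WithDecryption is set; mimic that so the flag's role is visible.
      const Value = entry.Type === 'SecureString' && !WithDecryption ? '<ciphertext>' : entry.Value;
      Parameters.push({ Name: name, Type: entry.Type, Value });
    }
    return { Parameters, InvalidParameters };
  };
  return fake;
}

// Offline walk-through with constructed values: two loads, one SSM call.
async function demo() {
  const fake = makeFakeSsm({
    '/prod/sftp/username': { Type: 'SecureString', Value: 'datasync-user' },
    '/prod/sftp/password': { Type: 'SecureString', Value: 'constructed-password' },
  });
  const load = makeCredentialLoader(fake);
  await load();
  await load(); // served from the closure cache
  return fake.calls; // 1
}
```

In the real function, call `makeProductionLoader()` once at module scope and invoke the returned loader inside the handler. The execution role then needs only `ssm:GetParameters` on the two parameter ARNs (plus `kms:Decrypt` on the key if a customer managed key encrypts them), which is the least-privilege shape the question is steering towards.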
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Not applicable (RDS only) | N/A | IAM Database Auth doesn’t fit SFTP use case |
| B | Moderate (SSM getParameter) | Low latency | Managed encrypted parameter retrieval for secrets |
| C | High (manual encryption) | Moderate (extra steps) | Raw key management, no native secret store |
| D | High (file management) | Potentially higher latency | Encrypted file retrieval adds operational overhead |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWS Systems Manager Parameter Store or Secrets Manager when the question asks for secure, encrypted secret storage to replace Lambda environment variables, especially when seamless SDK integration is required.
Real World #
In production, companies often choose Secrets Manager for rotation capabilities. But for exam scope and simplicity, Parameter Store with encryption suffices and costs less.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.