
AWS DVA-C02 Drill: Securing Sensitive Data - Encryption in Transit for Lambda Configurations

Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For DVA-C02 candidates, the confusion usually lies in how to store sensitive parameters so that they are protected both at rest and while a Lambda function reads them. Every call a function makes through the AWS SDK already travels over TLS, so in production the real question is which service is purpose-built for secrets: encryption at rest under a customer managed KMS key, access scoped to the execution role, rotation, and a retrieval path that fits naturally into Lambda code and configuration. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

TechNova is building a serverless application where AWS Lambda functions process customer data. The development team needs to ensure all sensitive configuration data—such as API credentials—is encrypted not only at rest but also during transit between the Lambda functions and wherever these secrets are stored.

The developers have already created a customer managed AWS KMS key to use for encrypting sensitive information. The challenge now is to choose the correct approach to meet the requirement that sensitive configuration data be encrypted in transit when accessed by the Lambda functions.

The Requirement:

Implement encryption in transit for all sensitive configuration data used by Lambda, leveraging the existing customer managed key.

The Options

  • A) Store sensitive data as String parameters in AWS Systems Manager Parameter Store, specifying the KMS key ID for encryption. Reference these parameters in Lambda environment variables and retrieve them via the GetParameter API at runtime.
  • B) Store secrets in AWS Secrets Manager encrypted with the customer managed KMS key. Create a new Lambda function layer that fetches these secrets from Secrets Manager when invoked.
  • C) Upload objects containing sensitive data to Amazon S3 encrypted with the customer managed KMS key. Configure Lambda to fetch these objects from S3 during invocation.
  • D) Encrypt Lambda environment variables using the customer managed KMS key and enable encryption helpers in the Lambda environment to secure variables in transit. Grant the Lambda execution role permissions on the KMS key.


Correct Answer

B

Quick Insight: The Developer Imperative

  • All four options fetch data through AWS APIs over HTTPS, so TLS already protects the bytes in flight; what the question really tests is which service treats the value as a secret end to end (KMS encryption at rest, access scoped to the execution role, rotation).
  • Secrets Manager encrypts every secret at rest with the customer managed KMS key, returns it only over TLS through GetSecretValue, and has built-in rotation, which makes it the purpose-built choice for credentials that Lambda reads at runtime.
  • A Lambda layer dedicated to fetching secrets centralizes the retrieval (and caching) logic, so every function picks up a rotated value in the same, reviewable way.


The Expert’s Analysis

Correct Answer

Option B

The Winning Logic

  • AWS Secrets Manager is designed specifically to manage secrets: each value is encrypted at rest with the customer managed key you choose, and the GetSecretValue API serves it only over TLS.
  • When a Lambda function retrieves a secret through the AWS SDK, the request and response go over HTTPS to the regional Secrets Manager endpoint (or a VPC interface endpoint), so the value is encrypted in transit without any extra code.
  • Access is doubly gated: the execution role needs secretsmanager:GetSecretValue on the secret ARN and kms:Decrypt on the key, and both the secret and the key can carry resource policies that restrict use to that role.
  • Using a Lambda layer to encapsulate secret retrieval allows code reuse and simplifies secret access management; the same layer is the natural place for caching, so a warm function does not call the API on every invocation.
  • Secrets Manager supports built-in automatic rotation workflows (a rotation function plus versioning with the AWSCURRENT and AWSPREVIOUS staging labels), which is the best practice for API keys and database credentials.
  • In contrast, Option A stores the values as String parameters. Only SecureString parameters are encrypted with a KMS key, so a String parameter is plaintext at rest whatever key ID is specified, and Parameter Store has no native rotation.
  • Lambda environment variables are encrypted at rest with a KMS key, but the values are decrypted into the function configuration and sit in plaintext in memory; there is no rotation, the total size is capped at 4 KB, and GetFunctionConfiguration returns the plaintext to any principal allowed to read the configuration (with a customer managed key, any such principal that also holds kms:Decrypt on the key).
  • Storing secrets as S3 objects gives SSE-KMS at rest and TLS in transit, but S3 is an object store, not a secrets store: no rotation, no secret-versioning semantics, and a bucket-policy mistake exposes the credentials. It adds operational overhead for no gain.

The Trap (Distractor Analysis):

  • Why not A? Only SecureString parameters are encrypted with a KMS key. The option says String parameters, so the credentials would sit in plaintext at rest no matter which key ID is supplied. Even with SecureString (retrieved with WithDecryption=true over TLS), Parameter Store offers no automatic rotation, so it is the weaker fit for API credentials.
  • Why not C? S3 is not a secrets manager. SSE-KMS and TLS protect the object, but you inherit bucket-policy risk, no rotation, and a GetObject-per-invocation pattern; you would have to add signing or an extra envelope-encryption layer to approach the controls Secrets Manager provides out of the box.
  • Why not D? Lambda environment variables are encrypted at rest, and the console’s encryption helpers only encrypt individual values client-side with the customer managed key, so the function must call kms:Decrypt itself at runtime; the helpers are not a transit-encryption feature. Once decrypted, the values are plaintext in memory and in the function configuration, with no rotation and a 4 KB cap.

The Technical Blueprint

B) Developer Relevant: Lambda Secrets Manager SDK Access Example

import os
import boto3
from botocore.exceptions import ClientError

# One client per execution environment: boto3 reuses the TLS connection across
# warm invocations. Lambda sets AWS_REGION automatically.
secrets_client = boto3.client('secretsmanager', region_name=os.environ['AWS_REGION'])

def get_secret(secret_name):
    """Fetch the AWSCURRENT version of a secret over TLS."""
    try:
        response = secrets_client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        # Typical codes: ResourceNotFoundException, AccessDeniedException,
        # DecryptionFailure (execution role lacks kms:Decrypt on the key).
        print(f"Secrets Manager error: {e.response['Error']['Code']}")
        raise

    # Secrets Manager decrypts the value server-side with the customer managed
    # key and returns the plaintext; never log it.
    if 'SecretString' in response:
        return response['SecretString']
    # boto3 already base64-decodes blob fields, so SecretBinary is the raw bytes
    return response['SecretBinary']

This Lambda code snippet retrieves secrets securely from Secrets Manager: the SDK negotiates TLS (encryption in transit) automatically, and Secrets Manager calls KMS with the customer managed key to decrypt the value before returning it, which is why the execution role needs both secretsmanager:GetSecretValue on the secret and kms:Decrypt on the key.
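The snippet above calls the API on every invocation. The handler below is an added example, not code from the original page or from AWS, showing the caching pattern a layer would carry: a module-level cache with a TTL so a warm function calls GetSecretValue once per TTL instead of once per request, JSON parsing of the secret, and an injectable client so the logic can be exercised without AWS access. The secret name, its JSON shape, and the 300-second TTL are assumptions.

```python
"""Lambda secret loader with a module-level cache (added example).

Assumptions (not from the original page): the secret is a JSON object such as
{"api_key": "...", "api_secret": "..."}, the secret name arrives via the
SECRET_NAME environment variable, and the cache TTL is 300 seconds.
"""
import json
import os
import time

DEFAULT_TTL_SECONDS = 300

# Module scope survives across warm invocations of the same execution
# environment, so one GetSecretValue call serves many requests.
_CACHE = {}  # secret_id -> (expires_at, parsed_value)


def _default_client():
    # boto3 is imported lazily so the module can be unit-tested with a fake
    # client and no AWS SDK installed. The Lambda runtime ships boto3, and the
    # SDK speaks TLS to the regional Secrets Manager endpoint.
    import boto3
    return boto3.client("secretsmanager")


def _parse(response):
    """Turn a GetSecretValue response into a Python value."""
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        # boto3 returns blob fields as bytes; assume UTF-8 text for this example
        raw = response["SecretBinary"].decode("utf-8")
    try:
        return json.loads(raw)
    except ValueError:
        return raw  # plain-text secret, return it unchanged


def get_secret(secret_id, client=None, ttl=DEFAULT_TTL_SECONDS, now=time.time):
    """Return the secret, calling Secrets Manager at most once per TTL.

    A TTL (rather than caching forever) is what lets a warm function pick up a
    rotated value without a redeploy; keep it shorter than the rotation window.
    """
    current = now()
    hit = _CACHE.get(secret_id)
    if hit and hit[0] > current:
        return hit[1]
    client = client or _default_client()
    response = client.get_secret_value(SecretId=secret_id)
    value = _parse(response)
    _CACHE[secret_id] = (current + ttl, value)
    return value


def clear_cache():
    """Drop cached values (useful in tests and after a forced rotation)."""
    _CACHE.clear()


def handler(event, context):
    """Example Lambda entry point: load the cached secret and use one field."""
    secret = get_secret(os.environ["SECRET_NAME"])
    # Never log the secret itself; report only that it was loaded.
    return {"statusCode": 200,
            "body": json.dumps({"api_key_loaded": "api_key" in secret})}
```

The `now` and `client` parameters exist only so the cache behaviour can be verified with a fake clock and a fake client; in the deployed function both default to real time and a real boto3 client.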


The Comparative Analysis (Developer-Focused)
Option  API complexity                   Performance        Use case
A       Moderate (GetParameter API)      Good               Only SecureString parameters are KMS-encrypted; no native rotation
B       Moderate (GetSecretValue API)    Good with caching  Best for sensitive secrets: KMS at rest, TLS in transit, rotation
C       Higher (S3 GetObject)            Slightly slower    Not recommended for secrets management
D       Low (environment variables)      Instant access     Fine for non-secret configuration; plaintext in configuration and memory, no rotation, 4 KB cap

Real-World Application (Practitioner Insight)
#

Exam Rule

For the exam, when you see “encryption in transit” together with sensitive configuration for Lambda and a customer managed key, pick AWS Secrets Manager. Keep in mind that TLS is a property of every AWS API endpoint, so the distinguishing signals are rotation, the secret-specific access model, and (in Option A) the String-versus-SecureString parameter type.

Real World

In practice, companies often use Systems Manager Parameter Store (SecureString parameters, retrieved with WithDecryption=true) for less sensitive parameters because standard parameters are free. But where API keys or database credentials are involved, Secrets Manager’s rotation workflows, per-secret resource policies, and cross-account access make it the right home, and the AWS Parameters and Secrets Lambda Extension can cache either store locally to cut API calls and cost.
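As an added example (not the page’s own code) of the Parameter Store pattern just described, and of the String-versus-SecureString trap in Option A, the loader below pages through GetParametersByPath with WithDecryption=True and refuses any parameter under the secrets path that is not a SecureString, because a plain String parameter was never encrypted with the customer managed key. The /technova/prod/ path and the fake client used to exercise it are assumptions.

```python
"""Parameter Store loader that refuses non-encrypted parameters (added example).

Assumptions (not from the original page): parameters live under a path such as
/technova/prod/, and everything under that path is expected to be a
SecureString encrypted with the team's customer managed key.
"""


class PlaintextParameterError(ValueError):
    """Raised when a parameter under a secrets path is not a SecureString."""


def _default_client():
    # Lazy import: the Lambda runtime provides boto3; tests inject a fake client.
    import boto3
    return boto3.client("ssm")


def load_secure_parameters(path, client=None):
    """Return {short_name: value} for every SecureString under `path`.

    WithDecryption=True makes Parameter Store call KMS on the caller's behalf,
    so the execution role needs ssm:GetParametersByPath on the path and
    kms:Decrypt on the customer managed key. The call itself is plain HTTPS
    through the SDK. Plain String parameters are never KMS-encrypted, so
    finding one under a secrets path is treated as a configuration error
    rather than silently returned.
    """
    client = client or _default_client()
    found = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        page = client.get_parameters_by_path(**kwargs)
        for param in page.get("Parameters", []):
            if param["Type"] != "SecureString":
                raise PlaintextParameterError(
                    f"{param['Name']} is type {param['Type']}; "
                    "re-create it as SecureString with the customer managed key"
                )
            # Strip the path prefix so callers get short keys like "api_key".
            key = param["Name"][len(path):].lstrip("/")
            found[key] = param["Value"]
        # GetParametersByPath returns at most 10 results per call; follow NextToken.
        token = page.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token
```

Failing closed on a String parameter is deliberate: a function that quietly read a plaintext credential would pass every integration test while leaving the secret unencrypted at rest.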


Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.