Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in properly securing sensitive configuration data—like API keys—while maintaining full ownership and control of encryption keys. In production, this is about knowing exactly how Lambda environment variables, Systems Manager Parameter Store, and KMS customer-managed keys interplay to safeguard secrets while minimizing operational risk and avoiding exposure.
The Certification Drill (Simulated Question) #
Scenario #
A fintech startup named FinTechNova is developing a fully serverless payment processing app hosted on AWS Lambda. The app needs to authenticate to a critical external financial data provider using a third-party API key. FinTechNova insists on fully managing the encryption keys used to protect this API key within AWS. They want the key to be securely stored as part of their Lambda function’s configuration, with decryption accessible only to authorized AWS entities. How should FinTechNova architect this to meet their strict security and key control requirements?
The Requirement: #
Securely store a third-party API key for use by an AWS Lambda function so that:
- The API key is encrypted at rest with customer-managed AWS KMS keys.
- Access to decrypt the key is limited to authorized AWS principals.
- The secret is accessible via Lambda configuration.
The Options #
- A) Store the API key in AWS Systems Manager Parameter Store as a string parameter. Use the default AWS KMS key provided by AWS for encryption.
- B) Store the API key in AWS Lambda environment variables. Create and use an AWS KMS customer-managed key (CMK) to encrypt the API key.
- C) Store the API key directly in the application code repository. Use an AWS managed key to encrypt the repository.
- D) Store the API key as an item in an Amazon DynamoDB table. Use an AWS managed key to encrypt the API key in the table.
Correct Answer #
B
Quick Insight: The Developer Imperative #
For DVA-C02, the key takeaway is that Lambda environment variables are always encrypted at rest, and you can replace the default AWS managed key with your own customer-managed CMK to get full ownership of the key policy, rotation and audit trail. Parameter Store's default SecureString encryption uses the AWS managed key (aws/ssm), whose policy you cannot control, and a plain String parameter is not KMS-encrypted at all. Stashing secrets in code, or in DynamoDB protected only by AWS managed keys, breaks security best practices.
The Expert’s Analysis #
Correct Answer #
Option B
The Winning Logic #
Storing secrets in Lambda environment variables encrypted at rest by a customer-managed AWS KMS key lets FinTechNova retain full control over the key policy, usage auditing via CloudTrail, and key lifecycle (rotation, disabling, deletion), all of which matter for compliance in financial services. The variable is part of the function configuration, and the Lambda service decrypts it transparently when the execution environment is initialized, provided the key policy (or an IAM policy) grants the function's execution role kms:Decrypt on that key; the principal that sets the variable also needs permission to encrypt with it. Using a customer-managed key rather than Lambda's default AWS managed key (aws/lambda) is what satisfies the requirement of "full control" over the KMS keys.
The Trap (Distractor Analysis): #
- Why not Option A? As written it stores a String parameter, which Parameter Store does not encrypt with KMS at all. Even as a SecureString, the default encryption uses the AWS managed key aws/ssm, whose policy and lifecycle FinTechNova cannot administer. To meet the key control requirement in Parameter Store you must create a SecureString and explicitly specify a customer-managed key, which the option does not do.
- Why not Option C? Committing secrets to the code repository is a poor practice regardless of how the repository is encrypted: the value persists in version-control history, rotation requires a code change, and an AWS managed key protecting the repository at rest does nothing once the secret ships in plaintext inside the deployment package.
- Why not Option D? DynamoDB encrypts data at rest, but with AWS managed keys FinTechNova still has no control over the key policy. It also adds a read round trip and a separate IAM surface on every cold start, and the secret is no longer part of the Lambda configuration as the requirement states.
The Technical Blueprint #
B) For Developer / SysOps (Code/CLI Snippet):
# Example: protect a Lambda environment variable at rest with a customer-managed KMS key
# 1) Create the CMK (skip if one exists) and note the KeyId returned in KeyMetadata
aws kms create-key --description "KMS CMK for Lambda API key encryption" \
  --tags TagKey=Project,TagValue=FinTechNova
# Assume the returned key ID is "1234abcd-12ab-34cd-56ef-1234567890ab"
# 2) Set the variable and attach the CMK. Lambda encrypts the value with this key at
#    rest and decrypts it when the execution environment starts, so no separate
#    "aws kms encrypt" step is needed; the function reads API_KEY as plaintext.
#    Before this works, the key policy (or an IAM policy on the key) must allow the
#    function's execution role kms:Decrypt, and the calling principal must be
#    allowed to use the key for encryption. EXTERNAL_API_KEY_VALUE is a placeholder;
#    supply the real value from a file or secure prompt so it stays out of shell history.
aws lambda update-function-configuration --function-name PaymentProcessor \
  --environment Variables="{API_KEY=EXTERNAL_API_KEY_VALUE}" \
  --kms-key-arn arn:aws:kms:region:account-id:key/1234abcd-12ab-34cd-56ef-1234567890ab
# 3) Confirm the CMK is attached (prints the key ARN; null means the default key is in use)
aws lambda get-function-configuration --function-name PaymentProcessor --query KMSKeyArn
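The CLI calls above only succeed once the key policy allows the right principals to use the CMK: the principal configuring the function needs to encrypt with it, and the function's execution role is the only principal that should be able to decrypt. The block below is an added example, not code from the original page or from AWS; it builds such a least-privilege key policy and a small audit helper that reports which principals can decrypt, suitable as a pre-deploy check. The account ID, region, role names and the use of a `kms:ViaService` condition scoped to the Lambda service endpoint are assumptions for illustration, and the deployer action list reflects what Lambda needs when a CMK is configured and should be verified against your own deployment.

```python
"""Added example (not from the original page): a least-privilege KMS key policy for the
CMK that protects PaymentProcessor's environment variables, plus an audit helper that
checks which principals the policy lets decrypt. All identifiers are constructed."""
import json

# Constructed placeholders, not real AWS identifiers.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
DEPLOYER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/FinTechNovaDeployer"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PaymentProcessorRole"


def build_key_policy(account_id, region, deployer_role_arn, lambda_role_arn):
    """Build the key policy for the CMK.

    - Account root keeps administrative rights (the usual KMS default, so the key
      cannot become unmanageable).
    - The deployer role may use the key for encryption, but only through the Lambda
      service in this region (kms:ViaService), i.e. when setting env vars.
    - The function's execution role is the ONLY principal granted kms:Decrypt, again
      only via Lambda, which is what lets the service decrypt the variables at init.
    """
    via_lambda = {"StringEquals": {"kms:ViaService": f"lambda.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccountAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowDeployerToEncryptEnvVars",
                "Effect": "Allow",
                "Principal": {"AWS": deployer_role_arn},
                # Actions Lambda uses on the deployer's behalf when a CMK is configured
                # (assumed from the Lambda docs; verify against your own deployment).
                "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:CreateGrant"],
                "Resource": "*",
                "Condition": via_lambda,
            },
            {
                "Sid": "AllowExecutionRoleToDecryptEnvVars",
                "Effect": "Allow",
                "Principal": {"AWS": lambda_role_arn},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": via_lambda,
            },
        ],
    }


def principals_allowed(policy, action):
    """Return the set of non-root principals whose Allow statements cover `action`.

    Pre-deploy check: the result for "kms:Decrypt" must contain nothing but the
    execution role, otherwise the "authorized principals only" requirement fails.
    Account root is skipped because KMS treats it as the key administrator.
    """
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in (action, "kms:*") for a in actions):
            continue
        principal = stmt["Principal"]["AWS"]
        if principal.endswith(":root"):
            continue
        allowed.add(principal)
    return allowed


def render_policy_for_cli(policy):
    """Serialise the policy for `aws kms create-key --policy file://key-policy.json`
    or `aws kms put-key-policy --key-id <id> --policy-name default --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, REGION, DEPLOYER_ROLE_ARN, LAMBDA_ROLE_ARN)
    # Fail loudly if anything other than the execution role could decrypt.
    assert principals_allowed(policy, "kms:Decrypt") == {LAMBDA_ROLE_ARN}
    print(render_policy_for_cli(policy))
```

Run the script, save its output as `key-policy.json`, and pass it to `aws kms create-key --policy file://key-policy.json` (or `put-key-policy` on an existing key) before the `update-function-configuration` call above. The `principals_allowed` check is the part worth keeping in CI: a later edit that adds a broad `kms:*` grant to another role shows up immediately as an extra principal in the `kms:Decrypt` set.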
The Comparative Analysis #
| Option | Integration | Runtime behaviour | Verdict |
|---|---|---|---|
| A | SSM GetParameter call via the SDK at runtime | Extra API call and IAM permission per fetch; default key (aws/ssm) gives no key control; a String parameter is not KMS-encrypted | Acceptable only as a SecureString with an explicit customer-managed key; as written it fails the key control requirement |
| B | Lambda env vars encrypted at rest with a CMK | Decrypted by the service at environment init, no per-invocation latency | Best fit: secret in Lambda configuration with full key ownership |
| C | Secret committed to the code repository | Deploy-time only; plaintext in the deployment package, no runtime protection | Not secure; exposure in SCM history and hard to rotate |
| D | DynamoDB GetItem via the SDK | Extra read latency and a second access-control surface to manage | Overcomplicated for a static configuration secret |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always pick Lambda environment variables encrypted with customer-managed keys when the scenario states ‘full control over KMS keys’ and ‘secrets in Lambda config.’”
Real World #
“In production, you may also consider AWS Secrets Manager for rotation and secret versioning, but for exam focus, understanding Lambda env vars + CMK is critical.”
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.