You’re developing an application that is going to be hosted in AWS Lambda. The function will make calls to a database. A requirement is that all database connection strings should be kept secure. Which of the following is the MOST secure way to implement this?

Answer options:

A.Put the connection strings values in a CloudFormation template.
B.Put the database connection string in the app.json file and store it in a Git repository.
C.Lambda needs to reference the AWS Systems Manager Parameter Store for the encrypted database connection string.
D.Place the database connection string in the AWS Lambda function itself since all Lambda functions are encrypted at rest.

Answer – C
The AWS Documentation mentions the following.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter. Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud. Parameter Store is offered at no additional charge.
Option A is incorrect because the connection strings values are exposed in the CloudFormation template.
Option B is incorrect because the string is stored in the code repository and is unsecure.
Option D is incorrect because the string is stored together with the Lambda function code, which is not secure.
For more information on the Systems Manager Parameter Store, please refer to the below URL-
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html