Your team is developing a Lambda function. The function would need to interact with a database. The Lambda function and the database will be deployed in different environments respectively. Which of the following is the most secure approach for the Lambda function to get the database credentials for multiple environments?

Answer options:

A.Hardcode the database credentials in GitHub for different environments of the Lambda function.
B.Create a lambda function for each environment and ensure each has a different programming language.
C.Store the database credentials in AWS Secrets Manager.
D.Store the database credentials in a Lambda function tag.

Answer – C
Secrets Manager supports many types of secrets. However, Secrets Manager can natively rotate credentials for supported AWS databases without any additional programming. However, rotating the secrets for other databases or services requires creating a custom Lambda function to define how Secrets Manager interacts with the database or service.
Option A is incorrect since this has a security issue since the database credentials are hardcoded in GitHub.
Option B is incorrect since using different programming languages makes no sense.
Option C is correct because AWS Secrets Manager can store the database credentials in a secure way for the Lambda function to get the credentials. AWS Secrets Manager helps users to protect and manage credentials.
Option D is incorrect since, you can tag Lambda functions to organize them by owner, project, or department. Tag keys and tag values are supported across AWS services for use in filtering resources and adding detail to billing reports. It is not used to store such connection strings.
Please refer to the below references:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/