Security
⏱ ~3-min readAceMark GuideWhat this topic is really about
AWS Secrets Manager stores secrets encrypted and supports automatic rotation (e.g., for RDS credentials). Parameter Store Standard stores parameters but lacks native managed rotation, S3 is object storage, and AWS Config tracks resource configuration.
Secrets Manager provides encrypted storage, automatic rotation, and IAM-based access control. DynamoDB and S3 can store secrets but lack built-in rotation. Plain Lambda env vars are encrypted at rest but cannot rotate, and they appear in the console.
See the mechanism
Lambda execution roles use STS to provide temporary credentials automatically. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
A Lambda function needs read-only access to a specific S3 bucket. Most secure approach?
- Identify what the question tests: A Lambda function needs read-only access to a specific S3 bucket..
- Lambda execution roles use STS to provide temporary credentials automatically.
- Pair the role with a bucket-scoped least-privilege policy.
- Long-lived access keys in env vars are a credential-leak risk.
- Making the bucket public exposes data globally.
Traps the examiner sets
- Read each option carefully — distractors on Security are designed to look plausible.
- Re-check the exact wording of the question stem before committing to an answer.
- Watch the qualifiers ("always", "only", "except") that flip a correct-looking option.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Security and see it stick.
Practice more of this topic →