Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › A Lambda function reads database credentials at …
A Lambda function reads database credentials at cold start from AWS Secrets Manager and caches them for the lifetime of the execution environment. What's the security trade-off vs. fetching on every invocation?
ACaching is forbidden by AWS — every invocation must re-fetch
BCaching disables IAM entirely
CCached secrets reduce latency and Secrets Manager API costs but require rotation logic to refresh credentials in long-lived containers — otherwise a rotated secret will start failing
DCaching makes the secret world-readable
Answer & Solution
Correct answer: C. Cached secrets reduce latency and Secrets Manager API costs but require rotation logic to refresh credentials in long-lived containers — otherwise a rotated secret will start failing
Caching at init is the recommended pattern but introduces staleness after rotation; either reduce env reuse time, restart on signal, or proactively refresh. The other options are false or absolute.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-An API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w