Practice free →
HomeAWS Developer Associatecloudcomputingawsdevsecurity › A Lambda function reads database credentials at …

A Lambda function reads database credentials at cold start from AWS Secrets Manager and caches them for the lifetime of the execution environment. What's the security trade-off vs. fetching on every invocation?

ACaching is forbidden by AWS — every invocation must re-fetch
BCaching disables IAM entirely
CCached secrets reduce latency and Secrets Manager API costs but require rotation logic to refresh credentials in long-lived containers — otherwise a rotated secret will start failing
DCaching makes the secret world-readable
Answer & Solution
Correct answer: C. Cached secrets reduce latency and Secrets Manager API costs but require rotation logic to refresh credentials in long-lived containers — otherwise a rotated secret will start failing
Caching at init is the recommended pattern but introduces staleness after rotation; either reduce env reuse time, restart on signal, or proactively refresh. The other options are false or absolute.
Solve this in the app — AWS Developer Associate practice & 24k+ MCQs →
Related questions