Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › Which approach correctly handles environment-spe…
Which approach correctly handles environment-specific configuration (DB endpoints, feature flags) for Lambda functions deployed via SAM/CloudFormation?
AHard-code production endpoints into source code and use git branches per environment
BStore config in AWS Systems Manager Parameter Store (or Secrets Manager) and read it at runtime by IAM-permitted Lambda execution roles
CPass plain-text DB passwords in CloudFormation template files committed to a public repo
DEdit the Lambda console UI manually per environment after every deploy
Answer & Solution
Correct answer: B. Store config in AWS Systems Manager Parameter Store (or Secrets Manager) and read it at runtime by IAM-permitted Lambda execution roles
Parameter Store / Secrets Manager + IAM is the canonical pattern. Hard-coded values in code, plain-text in templates, or manual UI edits all break repeatability or leak secrets.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w