A developer is building an AWS Lambda function that needs to retrieve a database password securely. The password is stored in AWS Secrets Manager and is rotated every 30 days. The function must minimize the number of API calls to Secrets Manager. Which approach should the developer use?
Caching the secret in a global (module-scope) variable lets every warm invocation in the same execution environment reuse it, so Secrets Manager is called once per cold start rather than once per invocation. When the secret is rotated, the cached value eventually fails to authenticate; that failure is the trigger to fetch the new value and refresh the cache.
Why this answer
Option C is correct because it retrieves the secret once, outside the handler, during the Lambda cold start, stores it in a global variable, and refreshes the cache only when the cached value stops working (for example, after a rotation). This keeps Secrets Manager calls to one per execution environment in the steady state while still handling rotation: the cached secret stays valid until a rotation invalidates it, at which point the first failed authentication costs one extra Secrets Manager call and the cache is current again. Note that the cache lives only in that execution environment's memory; a new environment simply pays its own cold-start fetch.
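The pattern described above, written out as an added example (not code from the original page or from AWS): the credentials are cached at module scope, the first connection attempt uses the cache, and an authentication failure forces exactly one refresh from Secrets Manager before retrying. The secret name, the `AuthenticationError` type, and the `FakeSecretsManager`/`FakeDatabase` stand-ins are constructed here so the example runs offline; in a real function the injected client would be `boto3.client("secretsmanager")`, whose `get_secret_value(SecretId=...)` call is the only SDK method modelled.

```python
"""Lambda-style secret caching: fetch once per execution environment, refresh on auth failure.

Added example. SECRET_ID, AuthenticationError, FakeSecretsManager and FakeDatabase are
assumptions constructed for illustration; only get_secret_value(SecretId=...) mirrors boto3.
"""
import json

SECRET_ID = "prod/app/db"  # assumed secret name

# Module (global) scope survives across warm invocations of one execution
# environment, so the Secrets Manager call is paid once per cold start.
_cached_credentials = None
_client = None


class AuthenticationError(Exception):
    """Raised by the database client when the password is rejected."""


def _secrets_client():
    """Lazily build the real boto3 client only when no client was injected."""
    global _client
    if _client is None:
        import boto3  # imported here so the example runs without boto3 installed
        _client = boto3.client("secretsmanager")
    return _client


def load_credentials(client=None, force_refresh=False):
    """Return {'username': ..., 'password': ...}; Secrets Manager is called only on a
    cold start (cache empty) or when force_refresh is set after a rotation."""
    global _cached_credentials
    if _cached_credentials is None or force_refresh:
        client = client or _secrets_client()
        resp = client.get_secret_value(SecretId=SECRET_ID)
        _cached_credentials = json.loads(resp["SecretString"])
    return _cached_credentials


def connect_with_cached_secret(connect, client=None):
    """Try the cached credentials; if they are rejected (typically because the secret
    was rotated after this environment started), refresh once and retry.
    A second rejection propagates so a real outage is not masked by endless refreshes."""
    creds = load_credentials(client)
    try:
        return connect(creds["username"], creds["password"])
    except AuthenticationError:
        creds = load_credentials(client, force_refresh=True)
        return connect(creds["username"], creds["password"])


def reset_cache():
    """Simulate a fresh execution environment (cold start)."""
    global _cached_credentials
    _cached_credentials = None


# --- constructed fakes so the example runs offline ---------------------------
class FakeSecretsManager:
    """Stands in for boto3's secretsmanager client; counts API calls."""
    def __init__(self, password):
        self.password = password
        self.calls = 0

    def rotate(self, new_password):
        self.password = new_password

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}


class FakeDatabase:
    """Accepts exactly one password, like a DB after a single-user rotation."""
    def __init__(self, password):
        self.password = password

    def connect(self, username, password):
        if password != self.password:
            raise AuthenticationError("password rejected")
        return f"connection({username})"


def simulate_rotation():
    """Three invocations on one warm environment: cold fetch, cached reuse, then a
    rotation that invalidates the cache and costs exactly one more API call."""
    reset_cache()
    sm = FakeSecretsManager("pw-v1")
    db = FakeDatabase("pw-v1")
    connect_with_cached_secret(db.connect, sm)   # cold start: 1 API call
    connect_with_cached_secret(db.connect, sm)   # warm invocation: 0 API calls
    sm.rotate("pw-v2")                           # rotation happens out of band
    db.password = "pw-v2"
    connect_with_cached_secret(db.connect, sm)   # old password rejected -> refresh -> 1 call
    return sm.calls


if __name__ == "__main__":
    print("Secrets Manager calls across three invocations with one rotation:", simulate_rotation())
```

The refresh-on-failure path assumes the database rejects the old password once rotation completes, which is what a single-user rotation does; with a two-user (alternating) rotation the old credentials keep working until the next rotation, so the cache may simply remain valid longer.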
Exam trap
The trap is reading 'minimize API calls' as 'never call Secrets Manager again'. The correct approach still makes one call per cold start, plus one refresh whenever the cached secret fails after a rotation; zero calls forever would leave the function holding a stale password.
How to eliminate wrong answers
Option A is wrong because a password stored as an encrypted environment variable is static: it is fixed at deployment time and does not follow the 30-day rotation, so the function would break at the first rotation unless it is redeployed. Option B is wrong because calling Secrets Manager on every invocation maximizes API calls, adds cost and latency, and directly contradicts the requirement to minimize calls. Option D is wrong because moving the password to Systems Manager Parameter Store does not by itself reduce API calls (the same caching strategy would still be needed), Parameter Store has no built-in secret rotation, and the question is explicitly about a secret held in Secrets Manager, not about replacing the service.