A cloud application uses AWS Lambda functions in a serverless architecture. The security team wants to enforce least privilege access for these functions. Which THREE practices should be implemented?
External secrets management reduces exposure.
Why this answer
AWS Systems Manager Parameter Store or AWS Secrets Manager are correct because they provide secure, auditable storage for sensitive data such as database credentials and API keys. A Lambda function retrieves these values at runtime through the AWS SDK, so no secret is hard-coded in the source or placed in environment variables. This aligns with the principle of least privilege: the function's IAM execution role is granted only the specific permission needed to read that secret, rather than holding the secret value itself in plaintext.
Exam trap
ISC2 often tests the misconception that encrypting environment variables with KMS is a sufficient substitute for a dedicated secrets management service. The trap is that the environment variables are still visible in plaintext to anyone with console access, or with access to CloudTrail logs of the function configuration.