A company operates a web-based loan processing application.

The correct answer is A . For a Lambda-based application that must use third-party API keys while ensuring secrets never appear in client code, request URLs, headers, or logs, storing the keys as encrypted Lambda environment variables protected by AWS KMS is the most secure choice among the options given. AWS supports encryption at rest for Lambda environment variables, and the function’s execution role can be granted permission to decrypt those values at runtime. This keeps the secrets entirely on the server side and out of the browser and request path.

Option B is insecure because query string parameters are a poor location for secrets. Even when HTTPS is used, query parameters can still be exposed through logs, monitoring systems, browser history, proxies, or debugging tools. Option C is clearly unacceptable because embedding secrets in client-side JavaScript exposes them to users. Obfuscation or minification does not provide security. Option D is also not appropriate because AWS resource tags are not a secrets-management mechanism and are not intended for storing confidential credentials.

From AWS security best practices, secrets should never be embedded in client applications and should be stored in protected server-side configuration with strong access controls. Although AWS Secrets Manager would often be the stronger real-world recommendation for rotating and retrieving secrets, it is not listed here. Among the available choices, KMS-encrypted Lambda environment variables best satisfy the requirements for confidentiality, controlled access, and avoiding accidental exposure in application logs or HTTP request elements.

Therefore, A is the most secure answer.