Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 138 discussion

A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key.

A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Update the default KMS key for Secrets Manager to allow only the Lambda function’s execution role to decrypt
  • B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. Update Secrets Manager to use the new customer managed key
  • C. Create a KMS customer managed key that trusts Secrets Manager and allows the account's root principal to decrypt. Update Secrets Manager to use the new customer managed key
  • D. Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret
  • E. Remove all KMS permissions from the Lambda function’s execution role
Suggested Answer: BD
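The end state that options B and D describe, as an added runnable illustration (this is not code from the exam item, the discussion, or AWS): a customer managed key policy that trusts Secrets Manager only as the calling service and names the one Lambda execution role as the decrypting principal, beside an execution-role identity policy scoped to one secret and one key. The account id 111122223333 and the us-west-2 region are reused from the discussion; the key id, role names and secret name are constructed placeholders. The small evaluator is a deliberately simplified model of IAM statement matching (Effect, Principal, Action/Resource wildcards, StringEquals), enough to show why the root principal and the key administrator cannot decrypt and why a direct kms:Decrypt call outside Secrets Manager is refused.

```python
"""Least-privilege encryption path for a Secrets Manager secret read by one
Lambda execution role (the end state of options B and D).

Added illustration, not the page's or AWS's code.  The account id and region
come from the discussion; key id, role names and secret name are placeholders.
"""
import fnmatch

ACCOUNT = "111122223333"
REGION = "us-west-2"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:external-api-keys-PLACEHOLDER"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ApiCallerLambdaRole"       # constructed
SECRET_WRITER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DevOpsSecretWriter"  # constructed
KEY_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KmsKeyAdminRole"         # constructed
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
VIA_SECRETS_MANAGER = f"secretsmanager.{REGION}.amazonaws.com"

# Option B: the customer managed key's own policy.  It trusts Secrets Manager
# only as the calling service (kms:ViaService), grants Decrypt to the single
# Lambda role, and has no "kms:* to account root" statement, so IAM policies
# elsewhere in the account cannot widen access to this key (where option C
# fails).  Key management without Decrypt goes to a separate admin role so the
# key does not become unmanageable.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdministrationOnly", "Effect": "Allow",
         "Principal": {"AWS": KEY_ADMIN_ROLE},
         "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Enable*", "kms:Disable*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "SecretWriterEncryptsViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": SECRET_WRITER_ROLE},
         "Action": ["kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": VIA_SECRETS_MANAGER}}},
        {"Sid": "LambdaRoleDecryptsViaSecretsManager", "Effect": "Allow",
         "Principal": {"AWS": LAMBDA_ROLE},
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": VIA_SECRETS_MANAGER}}},
    ],
}

# Option D: the execution role's identity policy, scoped to one secret and one
# key instead of "Resource": "*".
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneSecret", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
        {"Sid": "DecryptWithOneKey", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": KEY_ARN,
         "Condition": {"StringEquals": {"kms:ViaService": VIA_SECRETS_MANAGER}}},
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*', '?') against one pattern or a list of them."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, principal=None, context=None):
    """Simplified evaluation: explicit Deny wins, else Allow if any statement
    matches, else implicit Deny.  Models Effect, an AWS Principal (key-policy
    statements), Action/Resource wildcards and StringEquals conditions only."""
    context = context or {}
    decision = "Deny"
    for st in policy["Statement"]:
        if "Principal" in st and not _matches(st["Principal"]["AWS"], principal or ""):
            continue
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != want for key, want in conditions.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def key_decision(principal, via_secrets_manager=True):
    """What the key policy says when `principal` asks KMS to decrypt."""
    ctx = {"kms:ViaService": VIA_SECRETS_MANAGER} if via_secrets_manager else {}
    return evaluate(KEY_POLICY, "kms:Decrypt", KEY_ARN, principal, ctx)


def lambda_can_read_secret():
    """True only when the key policy and the role policy both permit the path."""
    ctx = {"kms:ViaService": VIA_SECRETS_MANAGER}
    return (key_decision(LAMBDA_ROLE) == "Allow"
            and evaluate(LAMBDA_ROLE_POLICY, "secretsmanager:GetSecretValue", SECRET_ARN) == "Allow"
            and evaluate(LAMBDA_ROLE_POLICY, "kms:Decrypt", KEY_ARN, context=ctx) == "Allow")


def decrypters(candidates):
    """Review helper: which candidates the key policy lets decrypt via Secrets Manager."""
    return [p for p in candidates if key_decision(p) == "Allow"]


if __name__ == "__main__":
    print("Lambda role can read the secret:", lambda_can_read_secret())
    print("Can decrypt via Secrets Manager:",
          decrypters([LAMBDA_ROLE, SECRET_WRITER_ROLE, KEY_ADMIN_ROLE, ROOT]))
    print("Lambda role calling kms:Decrypt directly:",
          key_decision(LAMBDA_ROLE, via_secrets_manager=False))
```

Running it lists only the Lambda role as a decrypter, and the same role is refused when it calls KMS directly rather than through Secrets Manager. The contrast with option A is that the AWS managed key for Secrets Manager has no editable key policy, so a statement like LambdaRoleDecryptsViaSecretsManager can only exist on a customer managed key.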

Comments

thanhnv142
Highly Voted 1 year, 2 months ago
Selected Answer: BD
B and D are correct: <update the infrastructure to ensure that only the Lambda function's execution role> means we need to ensure that the Lambda's IAM role has sufficient permissions and the KMS policy allows the Lambda's IAM role.
A: cannot update the default key.
C: <allows the account's root principal to decrypt> is against the principle of least privilege.
E: irrelevant.
upvoted 5 times
heff_bezos
Most Recent 7 months, 1 week ago
Selected Answer: BD
If default keys are the same as the AWS managed keys, then the answer is B. You cannot modify the "default" key's policy to allow access only from the Lambda execution role.
upvoted 1 times
jamesf
9 months, 1 week ago
Selected Answer: BD
I go for BD
upvoted 2 times
4555894
1 year, 1 month ago
Selected Answer: BD
The requirement is to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege, which means granting the minimum permissions necessary to perform a task.
upvoted 2 times
hotblooded
1 year, 2 months ago
Selected Answer: AD
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:role/KeyCreatorRole"]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "<here: ARN of the Secrets Manager secret>"
    }
  ]
}
I think A is the correct answer; why create a CMK when the customer is using the default KMS key?
upvoted 1 times
zolthar_z
1 year, 5 months ago
Selected Answer: BD
I think B:D
upvoted 4 times
radev
1 year, 5 months ago
Selected Answer: BD
B, D.
A is incorrect because updating the default KMS key for Secrets Manager to allow only the Lambda function's execution role to decrypt would grant access to all other resources using the default key, which violates the principle of least privilege.
C is incorrect because allowing the account's root principal to decrypt the secret would grant unnecessary access to the secret, which violates the principle of least privilege.
E is incorrect because removing all KMS permissions from the Lambda function's execution role would prevent the Lambda function from decrypting the secret, which is required for it to function properly.
upvoted 4 times
hotblooded
1 year, 2 months ago
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-2",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:role/KeyCreatorRole"]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "<here: ARN of the Secrets Manager secret>"
    }
  ]
}
I think A is the correct answer; why create a CMK when the customer is using the default KMS key?
upvoted 1 times
hotblooded
1 year, 2 months ago
Or we can add the below condition also:
"Condition": {
  "StringEquals": {
    "kms:CallerAccount": "111122223333",
    "kms:ViaService": "secretsmanager.us-west-2.amazonaws.com"
  }
}
upvoted 1 times
vandergun
1 year, 5 months ago
Selected Answer: BD
I vote B,D
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other