Exam AWS Certified Solutions Architect - Professional topic 1 question 586 discussion

During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing them to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability.
Which solution will ensure that the credentials are appropriately secured automatically?

  • A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
  • B. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
  • C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
  • D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Suggested Answer: D 🗳️
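To make option D concrete, here is an added example (not part of the question or any comment) of the Lambda-side logic: parse the CodeCommit trigger event, scan the committed file contents for access key IDs, and set any long-lived AKIA key to Inactive with the real IAM calls `get_access_key_last_used` and `update_access_key`. The event, repository name, commit id and file contents are constructed; the key pair is the well-known AWS documentation example pair; fetching the changed blobs from CodeCommit is left out.

```python
import re
from typing import Dict, List

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character secret assigned to an aws_secret_access_key-style variable.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed trigger event in the shape CodeCommit sends to Lambda (repo name and commit are made up).
SAMPLE_EVENT = {"Records": [{
    "eventSourceARN": "arn:aws:codecommit:us-east-1:123456789012:payments-api",
    "codecommit": {"references": [{"commit": "a1b2c3d4e5f6", "ref": "refs/heads/main"}]}}]}
# Constructed file contents; the key pair is the AWS documentation example pair, not a live credential.
SAMPLE_FILES = {
    "config.py": 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
                 'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "README.md": "Credentials are read from the environment, never committed.\n",
}

def parse_trigger_event(event: dict) -> List[dict]:
    """Return one {repo, commit, ref} entry per pushed reference in the trigger event."""
    pushes = []
    for record in event.get("Records", []):
        repo = record["eventSourceARN"].split(":")[-1]
        for ref in record["codecommit"]["references"]:
            pushes.append({"repo": repo, "commit": ref["commit"], "ref": ref.get("ref", "")})
    return pushes

def scan_files(files: Dict[str, str]) -> List[dict]:
    """Return one finding per access key ID, noting whether a secret sits in the same file."""
    findings = []
    for path, text in files.items():
        secret_present = SECRET_RE.search(text) is not None
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ACCESS_KEY_RE.finditer(line):
                findings.append({"path": path, "line": lineno, "access_key_id": m.group(0),
                                 "secret_present": secret_present})
    return findings

def deactivate_keys(findings: List[dict], iam_client=None) -> List[tuple]:
    """Set each leaked AKIA key to Inactive via IAM; ASIA keys are STS-issued and expire on their own."""
    if iam_client is None:
        import boto3  # imported lazily so the scanner can be exercised offline with a stub client
        iam_client = boto3.client("iam")
    disabled = []
    for key_id in sorted({f["access_key_id"] for f in findings if f["access_key_id"].startswith("AKIA")}):
        owner = iam_client.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
        iam_client.update_access_key(UserName=owner, AccessKeyId=key_id, Status="Inactive")
        disabled.append((owner, key_id))
    return disabled
```

Deactivating rather than deleting keeps the key id available for the notification to the user and for the audit trail, while rotation happens out of band.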

Comments

Nemer
Highly Voted 3 years, 7 months ago
D. CodeCommit trigger with Lambda. https://docs.aws.amazon.com/lambda/latest/dg/services-codecommit.html
upvoted 28 times
rcher
3 years, 6 months ago
Sample code here https://github.com/aws-samples/discover-sensitive-data-in-aws-codecommit-with-aws-lambda/tree/main/src/handlers Running regex after all hehe
upvoted 3 times
MMARTINEZ85
Highly Voted 3 years, 7 months ago
C. Macie can be used with CodeCommit. https://docs.aws.amazon.com/codecommit/latest/userguide/data-protection.html
upvoted 10 times
misterfaust
3 years, 7 months ago
"Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3."
upvoted 1 times
Gmail78
3 years, 7 months ago
which excludes C from my understanding... D is then the answer
upvoted 1 times
bbnbnuyh
3 years, 7 months ago
Macie can only scan S3 buckets. D is the answer
upvoted 3 times
ymengxing
3 years, 6 months ago
That's right! AWS CodeCommit stores your repositories in Amazon S3 and Amazon DynamoDB. So use Macie. See https://aws.amazon.com/codecommit/features/ High Availability and Durability.
upvoted 5 times
kirrim
3 years, 5 months ago
CodeCommit may use S3 on the back end (and it also uses DynamoDB on the back end) but I don't think they're stored in buckets that you can see or point Macie to. In fact, there are even solutions out there describing how to copy your repo from CodeCommit into S3 to back it up: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-event-driven-backups-from-codecommit-to-amazon-s3-using-codebuild-and-cloudwatch-events.html D: AWS has an exact architecture for doing this: https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/
upvoted 4 times
Simon523
Most Recent 1 year, 8 months ago
https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-notify-lambda.html
upvoted 1 times
Santo99
2 years, 8 months ago
Selected Answer: D
Macie is only for S3
upvoted 3 times
cannottellname
3 years, 3 months ago
Amazon Macie is only used for S3. Hence, D seems good :):)
upvoted 2 times
tkanmani76
3 years, 3 months ago
D - https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/
upvoted 1 times
AzureDP900
3 years, 5 months ago
D is the right answer, I think this question is in Neal Davis practice tests
upvoted 1 times
ryu10_09
3 years, 5 months ago
Selected Answer: D
https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/
upvoted 1 times
nodogoshi
3 years, 6 months ago
D. Amazon Macie is for S3 Service, not for CodeCommit. https://docs.aws.amazon.com/codecommit/latest/userguide/data-protection.html "Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3." [stored in Amazon S3.]
upvoted 1 times
TomPaschenda
3 years, 6 months ago
For D, there is a blog post describing that exact solution: https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/ For C: I don't think Macie works directly with CodeCommit
upvoted 4 times
student22
3 years, 6 months ago
Good link, thanks. Answer is D
upvoted 1 times
Suresh108
3 years, 6 months ago
I am choosing DDDDDD. https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/
upvoted 2 times
student22
3 years, 6 months ago
D, not C - Macie is for S3
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with D
upvoted 1 times
Kopa
3 years, 6 months ago
Only D is a prompt and immediate solution regarding security.
upvoted 1 times
blackgamer
3 years, 6 months ago
D is the answer. C is not relevant, it is to scan S3.
upvoted 1 times
Waiweng
3 years, 6 months ago
it's D
upvoted 2 times
PredaOvde
3 years, 6 months ago
Cannot be D. It will check only for newly committed code, not for old code, which is required. I pick A.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other