Exam AWS Certified Security - Specialty topic 1 question 319 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 319
Topic #: 1

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.
How should the security team securely store the API key?

  • A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
  • B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
  • C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
  • D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.
Suggested Answer: C
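The following is an added worked example of the pattern in answer C; it is not part of the original question or any commenter's post. It shows the three pieces that let a Lambda function in the DevOps account read a secret that lives in the security account: a resource policy on the secret, a statement on a customer-managed KMS key (the AWS-managed aws/secretsmanager key cannot be shared across accounts), an identity policy on the Lambda execution role, and handler code that fetches the secret by its full ARN and caches it across warm invocations. All account IDs, ARNs, role and secret names are placeholders chosen for the example; the FakeSecretsManager class is a constructed stand-in for the boto3 client so the file runs offline.

```python
"""Added example: cross-account Secrets Manager access for a Lambda function.
All identifiers are placeholders, not values from the original question."""
import json
import time

REGION = "us-east-1"
SECURITY_ACCOUNT_ID = "111111111111"   # placeholder: security team's account
DEVOPS_ACCOUNT_ID = "222222222222"     # placeholder: account running the Lambda
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{SECURITY_ACCOUNT_ID}"
              ":secret:prod/payments/api-key-AbCdEf")           # placeholder
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{SECURITY_ACCOUNT_ID}"
               ":key/11111111-2222-3333-4444-555555555555")      # placeholder
LAMBDA_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:role/payments-lambda-role"


def secret_resource_policy(role_arn: str, secret_arn: str) -> dict:
    """Resource policy attached to the secret itself, in the security account.
    Only the one Lambda execution role may read this one secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDevOpsLambdaRead",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn}]}


def kms_key_policy_statement(role_arn: str, region: str) -> dict:
    """Statement to add to the customer-managed key's policy. kms:ViaService
    limits the grant to decrypt calls made on the role's behalf by Secrets
    Manager, so the role cannot use the key directly."""
    return {
        "Sid": "AllowDevOpsLambdaDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}


def lambda_role_policy(secret_arn: str, kms_key_arn: str) -> dict:
    """Identity policy for the Lambda execution role in the DevOps account,
    scoped to exactly one secret and one key (no wildcards)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn}]}


class SecretCache:
    """Fetches a secret by full ARN (required cross-account; a bare name only
    resolves in the caller's own account) and caches it for ttl_seconds so a
    warm container does not call Secrets Manager on every invocation."""

    def __init__(self, client, ttl_seconds: int = 300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # secret ARN -> (expires_at, parsed JSON value)

    def get(self, secret_arn: str) -> dict:
        now = self._clock()
        hit = self._cache.get(secret_arn)
        if hit and hit[0] > now:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_arn)
        if "SecretString" not in resp:
            raise ValueError("binary secrets are not handled by this example")
        value = json.loads(resp["SecretString"])  # e.g. {"api_key": "..."}
        self._cache[secret_arn] = (now + self._ttl, value)
        return value


def lambda_handler(event, context, cache=None):
    """Lambda entry point. boto3 is imported lazily so this module imports
    offline; the key never touches an environment variable, log line or
    the response body."""
    if cache is None:
        import boto3  # present in the Lambda Python runtime
        cache = SecretCache(boto3.client("secretsmanager", region_name=REGION))
    api_key = cache.get(SECRET_ARN)["api_key"]
    # ... call the third-party API with api_key here; do not log or return it
    return {"statusCode": 200, "body": "ok"}


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (offline only)."""

    def __init__(self, secret_string: str):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        if not SecretId.startswith("arn:aws:secretsmanager:"):
            raise ValueError("cross-account reads must use the full secret ARN")
        return {"ARN": SecretId, "SecretString": self.secret_string}
```

The cache is module-level state in a real deployment (construct one SecretCache outside the handler) and the TTL bounds how long a rotated key keeps being used; the `kms:ViaService` condition and the per-resource ARNs are what keep the grant at least privilege rather than "this role can decrypt anything with this key".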

Comments

LaLune
Highly Voted 3 years, 5 months ago
One of the purposes of AWS Secrets Manager is to store secrets in secure string format. Only C provides that opportunity here. Hardcoding a key is a very insecure practice. And C, among the options, is the only way not to find the key in plaintext along the way.
upvoted 9 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
Correct answer is C. Secrets Manager to store the API key securely using a KMS key. Grant access to the KMS key to the Lambda exec role.
upvoted 1 times
Toptip
2 years ago
Selected Answer: C
C is the most secure solution in this situation.
upvoted 1 times
awsec2
2 years, 5 months ago
C This solution meets the requirement of storing the API key in a centralized security account and encrypting it using AWS KMS. It also separates the key from the source code and avoids storing it directly with the code in the CodeCommit repository. Additionally, it allows the security team to manage the key in the security account and grant access to the IAM role used by the Lambda function, which minimizes the overhead of managing the key.
upvoted 1 times
sapien45
2 years, 9 months ago
Selected Answer: C
AWS Secrets Manager to store sensitive API keys. The service has basically been created for that.
upvoted 1 times
CollinsWolf
3 years ago
Selected Answer: C
Secrets manager stores keys in secure strings and that is its main purpose.
upvoted 1 times
mx677
3 years, 3 months ago
Selected Answer: C
Secrets Manager
upvoted 1 times
Radhaghosh
3 years, 4 months ago
Answer is C
upvoted 1 times
argol
3 years, 5 months ago
"C"........
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other