DOP-C02 Question #481: Real Exam Question with Answer & Explanation

The correct answer is C: Store the API credentials in AWS Secrets Manager. Update the key policy for the CodeBuild IAM. To securely manage and rotate API credentials for CodeBuild and encrypt build outputs, store the credentials in AWS Secrets Manager and update the KMS key policy so that the CodeBuild IAM service role has the KMS permissions it needs.

Submitted by rohit_dlh · Mar 6, 2026 · Security & Compliance

Question

A company in a highly regulated industry is building an artifact by using AWS CodeBuild and AWS CodePipeline. The company must connect to an external authenticated API during the building process. The company's DevOps engineer needs to encrypt the build outputs by using an AWS Key Management Service (AWS KMS) key. The external API credentials must be reset each month. The DevOps engineer has created a new key in AWS KMS. Which solution will meet these requirements?

Options

  • A. Store the API credentials in AWS Systems Manager Parameter Store. Update the key policy for
  • B. Store the API credentials in AWS Systems Manager Parameter Store. Update the key policy for
  • C. Store the API credentials in AWS Secrets Manager. Update the key policy for the CodeBuild IAM
  • D. Store the API credentials in AWS Secrets Manager. Update the key policy for the CodePipeline

Explanation

To securely manage and rotate API credentials for CodeBuild and encrypt build outputs, store the credentials in AWS Secrets Manager and update the KMS key policy so that the CodeBuild IAM service role has the KMS permissions it needs.

Common mistakes.

  • A. AWS Systems Manager Parameter Store can store secrets, but AWS Secrets Manager offers native, automated rotation capabilities, which is a more suitable and lower-overhead solution for credentials that must be reset monthly.
  • B. AWS Systems Manager Parameter Store lacks the native automated rotation features of AWS Secrets Manager, making it less ideal for the monthly credential reset requirement.
  • D. While AWS Secrets Manager is the correct choice for credential storage, the permissions to access these credentials and encrypt build outputs are needed by the AWS CodeBuild IAM service role, as CodeBuild is the service actively performing the build and accessing the external API, not CodePipeline.

Concept tested. Secure credential management and KMS encryption in CodeBuild

Reference. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Topics

#AWS Secrets Manager #AWS CodeBuild #AWS KMS #IAM Policies
