© 2026 TinyHive Labs. Company number 16262776.

    AWS Solutions Architect Professional (SAP-C02) Practice Exam 1, Question 67
    Medium · 1 mark · Multiple Choice
    Tags: Security, CI/CD, Secrets Manager, IAM

    AWS SAP-C02 · Question 67 · Domain 2.3: Security Controls

    An architect is designing a secure CI/CD pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy. The pipeline needs to deploy an application to an Auto Scaling group of EC2 instances. The EC2 instances must retrieve highly sensitive database credentials during the deployment process. Which THREE security practices should be implemented? (Select THREE)

    Answer options:

    A. Store the database credentials in AWS Secrets Manager.

    B. Assign an IAM instance profile to the EC2 instances with permissions to read the specific secret.

    C. Encrypt the secret in Secrets Manager using a Customer Managed KMS Key (CMK).

    D. Store the credentials as plaintext environment variables in the CodeBuild buildspec.yml file.

    E. Create an IAM user for the application, generate access keys, and store them on the EC2 instances.

    F. Pass the credentials as parameters in the CodeDeploy appspec.yml file.

    How to approach this question

    Identify the secure storage service (Secrets Manager), the secure access method (IAM Roles), and the encryption method (KMS).

    Full Answer

    Sensitive credentials should be stored in AWS Secrets Manager and encrypted with a KMS CMK. EC2 instances should use an IAM Instance Profile (role) to securely authenticate and retrieve the secret at runtime, avoiding hardcoded credentials.

    Common mistakes

    Storing secrets in buildspec or appspec files.
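
The "permissions to read the specific secret" from option B, combined with the CMK from option C, come down to a two-statement policy on the instance role. The following is an added example, not part of the original question or any AWS-published code: it builds that policy and audits a policy document for grants wider than the one secret and one key. The account ID, Region, secret name, key ID and the `instance_role_policy` and `audit` helpers are constructed for illustration.

```python
import json

# Constructed placeholders: account ID, Region, secret name and key ID are not from the page.
REGION = "us-east-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:111122223333:secret:prod/app/db-AbCdEf"
KEY_ARN = f"arn:aws:kms:{REGION}:111122223333:key/00000000-0000-0000-0000-000000000000"


def instance_role_policy(secret_arn=SECRET_ARN, key_arn=KEY_ARN, region=REGION):
    """Identity policy for the instance profile's role: one secret, one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadDbSecret", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            # With a customer managed key the caller also needs kms:Decrypt on it;
            # kms:ViaService limits key use to requests made through Secrets Manager.
            {"Sid": "DecryptViaSecretsManager", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": key_arn,
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(policy, secret_arn=SECRET_ARN, key_arn=KEY_ARN):
    """List every Allow grant that goes beyond reading the one secret with the one key."""
    expected = {"secretsmanager:getsecretvalue": secret_arn, "kms:decrypt": key_arn}
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
            continue
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                # Action names are case-insensitive in IAM; ARNs are compared exactly.
                if expected.get(action.lower()) != resource:
                    findings.append(f"{sid}: {action} on {resource}")
    return findings


if __name__ == "__main__":
    print(json.dumps(instance_role_policy(), indent=2))
    print(audit(instance_role_policy()))
```

The key policy on the CMK must also allow the instance role to use the key; the identity policy above covers only the role's side of that grant.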