A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambd…

Question

A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key. A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege. Which combination of steps will meet these requirements? (Choose two.)

Accepted Answer

Correct answer: B, D. B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. Update Secrets Manager to use the new customer managed key — D. Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret — Option B is correct because creating a KMS customer managed key specifically for the Lambda function’s execution role ensures that only this role can decrypt the secrets, thus applying the principle of least privilege. Option D is also correct as it ensures that the execution role has the necessary permissions scoped only to the required resources. Options A and C are incorrect as they do not sufficiently limit access to only the Lambda function's execution role. Option E is incorrect because removing all KMS permissions from the Lambda function's execution role would prevent it from accessing the secrets altogether.

AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 132

Answer options

Correct answer: B, D

Explanation