AWS Certified Security – Specialty (SCS-C02) — Question 78

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.

How should the security team securely store the API key?

Answer options

• A. Create a CodeCommit repository in the security account using AWS Key Management Service (AWS KMS) for encryption. Require the development team to migrate the Lambda source code to this repository.
• B. Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key. Create a presigned URL for the S3 key, and specify the URL in a Lambda environmental variable in the AWS CloudFormation template. Update the Lambda function code to retrieve the key using the URL and call the API.
• C. Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API.
• D. Create an encrypted environment variable for the Lambda function to store the API key using AWS Key Management Service (AWS KMS) for encryption. Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime.

Correct answer: C

Explanation

The correct answer is C because AWS Secrets Manager is specifically designed for securely storing sensitive information like API keys, and it allows for easy access management through IAM roles. Option A, while secure, requires unnecessary migration of code and does not directly address the key storage issue. Option B introduces complexity with presigned URLs and S3, which isn't as secure or straightforward as using Secrets Manager. Option D suggests using an environment variable, which can expose the key if not handled correctly, making it less secure than storing it in Secrets Manager.