AWS Certified Security – Specialty — Question 298
A company is running batch workloads that use containers on Amazon Elastic Container Service (Amazon ECS). The company needs a secure solution for storing API keys that are required for integration with external services. The company's security policy states that API keys must not be stored or transmitted in plaintext. The company's IT team currently rotates the API keys manually.
A security engineer must recommend a solution that meets the security requirements and automates the rotation of the API keys.
Which solution should the security engineer recommend?
Answer options
- A. Use a secure string parameter in AWS Systems Manager Parameter Store. Activate the feature for automatic rotation.
- B. Use Amazon EC2 user data for storing the API keys. Set up a scheduled AWS Lambda function to automatically rotate the API keys.
- C. Use AWS Fargate to store the API keys. Set up a scheduled AWS Lambda function to automatically rotate the API keys.
- D. Use AWS Secrets Manager to store the API keys. Reference the API keys in the container definition.
Correct answer: D
Explanation
AWS Secrets Manager stores the API keys encrypted with AWS KMS, and an ECS task definition can reference a secret by ARN in the `secrets` field of the container definition. The ECS agent retrieves the value at task start over TLS using the task execution role and injects it into the container as an environment variable, so the key is never written in plaintext in the task definition or in an image. Secrets Manager also provides scheduled automatic rotation: for third-party API keys there is no managed rotation template, so the team supplies a rotation Lambda function that Secrets Manager invokes on the configured schedule, replacing the manual rotation the IT team performs today. Because the value is resolved when a task launches, tasks started after a rotation pick up the new key while already-running tasks keep the old one; this fits run-to-completion batch workloads well.

In contrast, AWS Systems Manager Parameter Store encrypts SecureString parameters but has no built-in rotation feature, so option A describes a capability that does not exist. EC2 user data (option B) is not encrypted and is readable by any process on the instance through the instance metadata service, which violates the plaintext requirement, and it does not apply cleanly to containerized workloads. AWS Fargate (option C) is a serverless compute engine for containers, not a secret store; placing keys in a task definition or image is still plaintext storage.
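The following ECS task definition fragment is an added example and is not part of the original question or of any AWS documentation. It shows how option D is wired up: the container receives the API key through `secrets`/`valueFrom` rather than through a plaintext `environment` entry, and the task execution role (not the task role) is the identity that must be allowed to read the secret. The account ID `123456789012`, the region, the secret name `prod/batch/external-api-key`, and the role and image names are placeholder assumptions.

```json
{
  "family": "batch-integration",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "512",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::123456789012:role/batchTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::123456789012:role/batchTaskRole",
  "containerDefinitions": [
    {
      "name": "integration-worker",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/batch-worker:1.4.2",
      "essential": true,
      "environment": [
        { "name": "EXTERNAL_API_URL", "value": "https://api.example.com/v1" }
      ],
      "secrets": [
        {
          "name": "EXTERNAL_API_KEY",
          "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/batch/external-api-key-AbCdEf"
        },
        {
          "name": "EXTERNAL_API_KEY_ID",
          "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/batch/external-api-key-AbCdEf:keyId::"
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/batch-integration",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "worker"
        }
      }
    }
  ]
}
```

The second `valueFrom` uses the `arn:json-key:version-stage:version-id` suffix form to inject one field of a JSON secret; the empty stage and version select the current `AWSCURRENT` value, which is what a rotation function promotes when it finishes. The execution role needs `secretsmanager:GetSecretValue` on that secret ARN (plus `kms:Decrypt` on the key if the secret is encrypted with a customer managed KMS key); do not grant it `secretsmanager:*`. Keep the plaintext `environment` list for non-sensitive values only, and check task definitions in CI for any entry whose name suggests a credential.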