AWS Certified Security – Specialty — Question 301

A company uses AWS Signer with all of the company’s AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no longer be deployed to the Lambda functions.

Which solution will meet this requirement?

Answer options

• A. Revoke all versions of the signing profile assigned to the developer.
• B. Examine the developer’s IAM roles. Remove all permissions that grant access to Signer.
• C. Re-encrypt all source code with a new AWS Key Management Service (AWS KMS) key.
• D. Use Amazon CodeGuru to profile all the code that the Lambda functions use.

Correct answer: A

Explanation

Revoking the signing profile versions associated with the developer invalidates existing signatures generated by that profile, which blocks AWS Lambda from deploying any code signed by them. Removing IAM permissions only stops the developer from signing new code but does not invalidate previously signed packages. Neither re-encrypting with AWS KMS nor utilizing Amazon CodeGuru will prevent the deployment of already signed packages.