AWS Certified Security – Specialty — Question 397
A company’s policies require that code be validated to ensure that the code has not been altered before invocation. A security engineer needs to update code in an AWS Lambda function. The developer has finalized the code and has stored the code in an Amazon S3 bucket.
Which combination of steps should the security engineer take to meet these requirements? (Choose two.)
Answer options
- A. Deploy the new code in a zip file to the S3 bucket.
- B. Invoke a signing job by using AWS Signer. Deploy the new signed code to the Lambda function.
- C. Use AWS Key Management Service (AWS KMS) to encrypt the code.
- D. Analyze the code with Amazon CodeGuru.
- E. Store all passwords in AWS Secrets Manager.
Correct answer: A, B
Explanation
To ensure code integrity and verify that AWS Lambda code has not been altered before execution, AWS Signer should be used to digitally sign the code package. The process requires packaging the code as a zip file in an Amazon S3 bucket (Option A) and then running an AWS Signer signing job on that package before deploying the signed code to the Lambda function (Option B). Options C, D, and E address encryption, code analysis, and secrets management respectively; none of them verifies that the code is unaltered before it is invoked.