AWS Certified DevOps Engineer – Professional — Question 82

A devops team uses AWS CloudFormation to build their infrastructure. The security team is concerned about sensitive parameters, such as passwords, being exposed.

Which combination of steps will enhance the security of AWS CloudFormation? (Choose three.)

Answer options

• A. Create a secure string with AWS KMS and choose a KMS encryption key. Reference the ARN of the secure string, and give AWS CloudFormation permission to the KMS key for decryption.
• B. Create secrets using the AWS Secrets Manager AWS::SecretsManager::Secret resource type. Reference the secret resource return attributes in resources that need a password, such as an Amazon RDS database.
• C. Store sensitive static data as secure strings in the AWS Systems Manager Parameter Store. Use dynamic references in the resources that need access to the data.
• D. Store sensitive static data in the AWS Systems Manager Parameter Store as strings. Reference the stored value using types of Systems Manager parameters.
• E. Use AWS KMS to encrypt the CloudFormation template.
• F. Use the CloudFormation NoEcho parameter property to mask the parameter value.

Correct answer: B, C, F

Explanation

The correct answers, B, C, and F, effectively protect sensitive data by utilizing AWS Secrets Manager, AWS Systems Manager Parameter Store, and the NoEcho property to ensure that sensitive parameters are not exposed in logs or outputs. Options A and D do not provide the same level of security, as they do not leverage the dynamic referencing and masking capabilities necessary for sensitive data management.