Q41 — AWS DOP-C02 Ch.1
A company needs to scan code changes for security issues before deployment and prevent deployment of noncompliant code. The company uses an AWS CodePipeline pipeline that triggers on code changes, which occur multiple times per day. The company's security team supports a third-party scanning application and provides command-line integration steps for the scan. The code scanning step requires credentials. Which solution meets these requirements in the most secure manner?
- A. Create a new AWS CodeBuild project. Configure the username and password in environment variables. Run the command-line integration steps using the username and password. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
- B. Create a new AWS CodeBuild project. Store the username and password as secrets in AWS Secrets Manager. Read the secrets from Secrets Manager. Run the command-line integration steps using the username and password. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
- C. Create a new AWS CodeBuild project. Store the username and password as strings in AWS Systems Manager Parameter Store. Read the strings from Parameter Store. Run the command-line integration steps using the username and password. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
- D. Upload an encrypted JSON file containing the username and password to an Amazon S3 bucket with a specific policy that allows only administrators to read the file. Create a new AWS CodeBuild project. Use the username and password from the file in Amazon S3 to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.
Correct Answer: B
Explanation
B is correct. Secrets Manager is built for exactly this case: the username and password are encrypted at rest with KMS, read access is granted per secret to the CodeBuild project's service role (no human and no other workload in the account needs to see them), every retrieval is logged in CloudTrail, and the credentials can be rotated without editing the pipeline or the project. CodeBuild can also pull them directly through the buildspec's `env.secrets-manager` section, so the values never appear in the project definition or the console.

Why the other options are weaker:
- A. Plaintext CodeBuild environment variables are returned by `codebuild:BatchGetProjects`, shown in the console, and end up in whatever CloudFormation or Terraform state defines the project. AWS explicitly discourages storing sensitive values this way.
- C. Parameter Store can hold secrets, but only as `SecureString`; the option says "strings", and a `String` parameter is stored unencrypted. Even with `SecureString` there is no built-in rotation.
- D. A bucket policy that lets only administrators read the file means the CodeBuild service role either cannot read it (the scan fails) or has to be given administrator-level access, the opposite of least privilege. The key used to encrypt the JSON file also has to be distributed somewhere, and there is no rotation or per-secret audit trail.

Practitioner caveats: however the secret reaches the build, never `echo` it, and avoid passing it as a command-line argument where it can land in the build log or the process list; and scope the service role's `secretsmanager:GetSecretValue` to that one secret's ARN rather than `*`.
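As an added illustration (not part of the question and not AWS's own sample code), here is a CloudFormation fragment that deploys option B the way a practitioner would: a service role that can read exactly one secret, and a CodeBuild project whose inline buildspec pulls the username and password from Secrets Manager at build start. The secret name `prod/scanner/creds`, its JSON keys `username`/`password`, the `scan-tool` CLI and its flags, and the `ArtifactBucketName` parameter are assumed placeholders.

```yaml
# Added example: CodeBuild scan project reading credentials from Secrets Manager.
# Secret name, JSON keys, the scan-tool CLI and its flags are assumed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ArtifactBucketName:
    Type: String
    Description: Name of the existing CodePipeline artifact bucket (assumed).
Resources:
  ScanProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: codebuild.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: scan-project-least-privilege
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read access to this one secret only (Secrets Manager ARNs end in
              # a random suffix, hence the trailing wildcard on the name).
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:prod/scanner/creds-*
              # Pipeline artifacts in and out of the build container.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:PutObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${ArtifactBucketName}/*
              # Build logs for this project only.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/security-scan*
  SecurityScanProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: security-scan
      ServiceRole: !GetAtt ScanProjectRole.Arn
      Artifacts: { Type: CODEPIPELINE }
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      Source:
        Type: CODEPIPELINE
        BuildSpec: |
          version: 0.2
          env:
            shell: bash
            secrets-manager:
              # "<secret-id>:<json-key>": resolved by CodeBuild when the build
              # starts, so the values are never stored in the project definition.
              SCAN_USER: "prod/scanner/creds:username"
              SCAN_PASS: "prod/scanner/creds:password"
          phases:
            build:
              commands:
                # Hypothetical scanner CLI: the password goes in on stdin so it
                # does not show up in `ps` output or in the build log.
                - ./scan-tool login --user "$SCAN_USER" --password-stdin <<< "$SCAN_PASS"
                # Non-zero exit fails the CodeBuild action, which stops the pipeline.
                - ./scan-tool scan --fail-on high .
```

Wire the project into the pipeline as a Test action (provider CodeBuild, configuration `ProjectName: security-scan`) in a new stage placed between Source and Deploy; a failed scan fails the action and the pipeline never reaches the deploy stage. If `prod/scanner/creds` is encrypted with a customer managed KMS key rather than the AWS managed key, the role also needs `kms:Decrypt` on that key.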