Q79 — AWS DOP-C02 Ch.1
A company uses AWS CodeBuild to deploy container-based applications. The security team requires vulnerability scanning of containers before deployment to protected endpoints. All sensitive information must be securely stored.
- A. Encrypt secrets using AWS KMS. Store the encrypted secrets as environment variables in the buildspec.yml file under variable mappings. Reference the environment variables to initiate the scan.
- B. Import secrets into AWS CloudHSM keys. Reference the CloudHSM key as an environment variable under variable mappings in the buildspec.yml file. Reference the environment variable to initiate the scan.
- C. Store secrets as SecureString parameters in AWS Systems Manager Parameter Store. Add the Parameter Store key as an environment variable under parameter store mappings in the buildspec.yml file. Reference the environment variable to initiate the scan. ✓
- D. Encrypt secrets using the AWS Encryption SDK and embed them as variables under secrets mappings in the buildspec.yml file. Attach a policy to the CodeBuild project to grant access to the required decryption key.
Correct Answer: C. Store secrets as SecureString parameters in AWS Systems Manager Parameter Store. Add the Parameter Store key as an environment variable under parameter store mappings in the buildspec.yml file. Reference the environment variable to initiate the scan.
Explanation
Option C is correct. AWS Systems Manager Parameter Store holds secrets as SecureString parameters, encrypted at rest with AWS KMS and guarded by IAM policies scoped to individual parameter ARNs. The buildspec.yml `env.parameter-store` mapping references a parameter by name only; when the build starts, CodeBuild calls `ssm:GetParameters` with decryption on behalf of the project's service role and injects the plaintext as an environment variable for the scan step. The secret itself never appears in source control, in the buildspec, or in the project definition, and rotating it is a change to the parameter rather than a commit. The service role needs `ssm:GetParameters` on the parameter ARNs and `kms:Decrypt` on the key if the parameters were encrypted with a customer managed key.

Option A leaves KMS ciphertext in the buildspec under `env.variables`, which CodeBuild treats as plain environment variables. The ciphertext becomes a long-lived artifact in the repository, the build must decrypt it itself, anyone with read access to the repository plus `kms:Decrypt` on the key recovers the value, and rotation requires a new commit. Option B does not work: CloudHSM is a single-tenant HSM cluster for key material, not a secret store, and buildspec.yml has no way to reference a CloudHSM key as an environment variable. Option D likewise relies on a mapping that does not exist; the only secret-aware buildspec mappings are `parameter-store` and `secrets-manager`, both of which take a reference by name rather than embedded ciphertext. Encrypting with the AWS Encryption SDK and pasting the result into the buildspec reintroduces the same stored-ciphertext and rotation problems as Option A with extra moving parts. Parameter Store (or Secrets Manager through the `secrets-manager` mapping, had it been offered) is the standard, secure, and operationally simple choice.
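The buildspec that Option C describes, written out as an added example (this is not from the question or from AWS documentation). The parameter names under `/ci/`, the registry host `registry.example.com`, the image name, and the `scan-cli` scanner invocation are all assumptions chosen for illustration; the structure of the `env` section and the `CODEBUILD_RESOLVED_SOURCE_VERSION` variable are standard CodeBuild.

```yaml
# buildspec.yml for the CodeBuild project. Added example: parameter names,
# registry host, image name and the "scan-cli" scanner are assumptions.
version: 0.2

env:
  variables:
    # Plain variables are stored and shown in clear text. Use them only for
    # non-sensitive configuration such as an image name.
    IMAGE_NAME: "app-api"
  parameter-store:
    # The right-hand side is the NAME of a SecureString parameter, never its
    # value. At build start CodeBuild calls ssm:GetParameters with decryption
    # using the project's service role and exports the plaintext under the
    # left-hand name. The secret is therefore never committed to the repo.
    SCANNER_TOKEN: /ci/scanner/api-token
    REGISTRY_PASSWORD: /ci/registry/password
  # Service role permissions required for the mapping above:
  #   ssm:GetParameters on arn:aws:ssm:<region>:<account-id>:parameter/ci/*
  #   kms:Decrypt on the key, if the parameters use a customer managed key

phases:
  pre_build:
    commands:
      # Do not echo the injected variables: CodeBuild does not redact them
      # from the CloudWatch Logs build log.
      - echo "Logging in to the registry"
      - echo "$REGISTRY_PASSWORD" | docker login --username ci --password-stdin registry.example.com
  build:
    commands:
      - docker build -t "registry.example.com/${IMAGE_NAME}:${CODEBUILD_RESOLVED_SOURCE_VERSION}" .
  post_build:
    commands:
      # Hypothetical scanner CLI: a non-zero exit on a high or critical
      # finding fails the build, so the image is never pushed or deployed.
      - scan-cli image --token "$SCANNER_TOKEN" --fail-on high "registry.example.com/${IMAGE_NAME}:${CODEBUILD_RESOLVED_SOURCE_VERSION}"
      - docker push "registry.example.com/${IMAGE_NAME}:${CODEBUILD_RESOLVED_SOURCE_VERSION}"
```

Two things to check in practice: the IAM policy on the service role should name the specific parameter ARNs rather than `parameter/*`, and the scan must run before the push so that a failed scan leaves nothing for a downstream deploy stage to pick up. If the secret needs automatic rotation, the same layout works with a `secrets-manager` mapping pointing at a Secrets Manager secret instead of a parameter name.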