Q79 — AWS DOP-C02 Ch.1


A company uses AWS CodeBuild to deploy container-based applications. The security team requires vulnerability scanning of containers before deployment to protected endpoints. All sensitive information must be securely stored.

Correct Answer: C. Store secrets as SecureString parameters in AWS Systems Manager Parameter Store. Add the Parameter Store key as an environment variable under parameter store mappings in the buildspec.yml file. Reference the environment variable to initiate the scan.

Explanation

Option C is correct. AWS Systems Manager Parameter Store is purpose-built for securely storing and managing secrets and configuration data: SecureString parameters are encrypted at rest with AWS KMS, and access is governed by fine-grained IAM policies. Referencing secrets through parameter-store mappings in buildspec.yml lets CodeBuild retrieve the values and inject them into the build environment at runtime, so neither plaintext nor ciphertext ever appears in source control (the CodeBuild service role must be allowed to read the parameter and decrypt with the associated KMS key). Option A risks credential exposure if buildspec.yml is version-controlled. Option B overcomplicates the use case with CloudHSM, which is intended for highly regulated workloads requiring FIPS-validated HSMs. Option D embeds encrypted secrets directly in buildspec.yml, violating security best practices by introducing unnecessary complexity and potential misconfiguration risk. Parameter Store is the standard, secure, and operationally simple choice.