Q87 — AWS DOP-C02 Ch.1
A company developed a serverless web application hosted on AWS. The application consists of Amazon S3, Amazon API Gateway, multiple AWS Lambda functions, and an Amazon RDS for MySQL database. The company uses AWS CodeCommit to store source code. The source code comprises an AWS Serverless Application Model (AWS SAM) template and Python code. Security audits and penetration tests revealed that database credentials are hardcoded in the CodeCommit repository. A DevOps engineer wants to implement a solution to automatically detect and prevent hardcoded secrets. What is the most secure solution that meets these requirements?
- A. Enable Amazon CodeGuru Profiler. Decorate handler functions with @with_lambda_profiler(). Manually review recommendation reports. Store credentials as secure strings in AWS Systems Manager Parameter Store. Update the SAM template and Python code to retrieve secrets from Parameter Store.
- B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually inspect code reviews for any recommendations. Select the protect secrets option. Update the SAM template and Python code to retrieve credentials from AWS Secrets Manager. ✓
- C. Enable Amazon CodeGuru Profiler. Decorate handler functions with @with_lambda_profiler(). Manually review recommendation reports. Select the protect secrets option. Update the SAM template and Python code to retrieve credentials from AWS Secrets Manager.
- D. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually inspect code reviews for any recommendations. Store credentials as strings in AWS Systems Manager Parameter Store. Update the SAM template and Python code to retrieve secrets from Parameter Store.
Correct Answer: B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually inspect code reviews for any recommendations. Select the protect secrets option. Update the SAM template and Python code to retrieve credentials from AWS Secrets Manager.
Explanation
The core requirement is automated detection and prevention of hardcoded secrets. Amazon CodeGuru Reviewer is a code review service that automatically scans source code for vulnerabilities, including hardcoded secrets, and provides actionable recommendations. Associating the CodeCommit repository with CodeGuru Reviewer enables continuous, automated scanning of every commit. When a finding is raised, developers review it manually and select the 'protect secrets' option, which guides remediation using AWS Secrets Manager, a purpose-built secret management service that is auditable and supports automatic rotation. Updating the SAM template and Python code to retrieve the credentials from Secrets Manager removes them from the repository. Option B therefore satisfies every requirement: automated detection via CodeGuru Reviewer, manual validation of findings, secure storage in Secrets Manager, and proper integration with the application. Options A and C misuse CodeGuru Profiler, which profiles runtime performance and does not perform static code analysis. Option D uses Parameter Store, which lacks native secret rotation and audit logging compared to Secrets Manager.