Q84 — AWS DOP-C02 Ch.2
Question 84 of 100
A company developed a serverless web application hosted on AWS. The application consists of Amazon S3, Amazon API Gateway, two AWS Lambda functions, and an Amazon RDS database running MySQL. The company uses AWS CodeCommit to store source code, which includes AWS Serverless Application Model (AWS SAM) templates and Python code. Security audits and penetration tests revealed that database credentials were hardcoded in the CodeCommit repository. A DevOps engineer must implement a solution to automatically detect and prevent hardcoded secrets.
- A. Enable Amazon CodeGuru Profiler. Decorate handler functions with @with_lambda_profiler(). Manually review recommendation reports. Store passwords as secure strings in AWS Systems Manager Parameter Store. Update the SAM template and Python code to retrieve secrets from Parameter Store.
- B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually review code reviews for recommendations. Select the 'protect secrets' option. Update the SAM template and Python code to retrieve secrets from AWS Secrets Manager. ✓
- C. Enable Amazon CodeGuru Profiler. Decorate handler functions with @with_lambda_profiler(). Manually review recommendation reports. Select the 'protect secrets' option. Update the SAM template and Python code to retrieve secrets from AWS Secrets Manager.
- D. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually review code reviews for recommendations. Store passwords as plaintext strings in AWS Systems Manager Parameter Store. Update the SAM template and Python code to retrieve secrets from Parameter Store.
Correct Answer: B. Associate the CodeCommit repository with Amazon CodeGuru Reviewer. Manually review code reviews for recommendations. Select the 'protect secrets' option. Update the SAM template and Python code to retrieve secrets from AWS Secrets Manager.
Explanation
Securing a serverless application against hardcoded secrets needs two things: automated detection of credentials in the source, and a secure store that the code reads from at runtime instead of carrying a literal. Amazon CodeGuru Reviewer performs static analysis of repository code and its secrets detector flags hardcoded credentials such as database passwords. Associating the CodeCommit repository with CodeGuru Reviewer makes it scan every pull request (full-repository scans can also be run), and the findings are posted as code review comments that engineers then triage; a hardcoded-secret finding carries the 'protect secrets' option, which moves the detected value into AWS Secrets Manager. Secrets Manager stores the value encrypted with AWS KMS and supports automatic rotation, including built-in rotation for Amazon RDS for MySQL credentials. The SAM template then grants the Lambda functions permission to call secretsmanager:GetSecretValue on that secret (and passes its ARN, typically as an environment variable), and the Python code retrieves the credentials at runtime. Option B therefore covers both halves of the requirement, detection and protection. Option D detects correctly with CodeGuru Reviewer but stores the passwords as plaintext strings in Systems Manager Parameter Store, which leaves them unencrypted; even a SecureString parameter, which is KMS-encrypted, has no built-in rotation. Options A and C misuse Amazon CodeGuru Profiler, a runtime performance profiling tool: the @with_lambda_profiler() decorator adds CPU profiling to a Lambda handler and does not analyse source code for security issues.
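The last step of option B, updating the Python code to read the credentials from Secrets Manager, is shown below as an added example; it is not code from the exam page or from AWS. It assumes the secret holds the JSON shape Secrets Manager uses for RDS credentials (username, password, host, port, dbname), that the SAM template passes the secret ARN as the DB_SECRET_ARN environment variable and grants read access with the AWSSecretsManagerGetSecretValuePolicy SAM policy template, and it uses a constructed stand-in client so it runs offline. The 'before' state from the audit finding is kept as a comment next to the hardened version.

```python
"""Moving an RDS MySQL password out of Lambda source into AWS Secrets Manager.

Assumed SAM template fragment for the function (not on the original page):

    Environment:
      Variables:
        DB_SECRET_ARN: !Ref DbSecret
    Policies:
      - AWSSecretsManagerGetSecretValuePolicy:
          SecretArn: !Ref DbSecret
"""
import json
import os
import time

# --- BEFORE (what the audit found): the credential is a literal in source ---
# DB_PASSWORD = "Sup3rS3cret!"   # committed to CodeCommit; anyone with repo read has it

# --- AFTER: fetch at runtime, cache across warm invocations ------------------
CREDENTIAL_CACHE = {}       # secret_id -> (expires_at_epoch, credentials dict)
CACHE_TTL_SECONDS = 300     # re-read after 5 min so a rotated password is picked up
REQUIRED_KEYS = {"username", "password", "host", "port", "dbname"}


def get_db_credentials(secrets_client, secret_id, now=None):
    """Return the RDS credentials dict stored under secret_id.

    secrets_client is anything exposing get_secret_value(SecretId=...) that
    returns a dict with a SecretString, i.e. a boto3 Secrets Manager client
    or the offline stand-in below. A short TTL cache keeps warm invocations
    from calling Secrets Manager on every request while still picking up a
    rotated password within CACHE_TTL_SECONDS.
    """
    now = time.time() if now is None else now
    cached = CREDENTIAL_CACHE.get(secret_id)
    if cached and cached[0] > now:
        return cached[1]
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    creds = json.loads(resp["SecretString"])
    missing = REQUIRED_KEYS - creds.keys()
    if missing:
        raise ValueError(f"secret {secret_id} is missing keys: {sorted(missing)}")
    creds["port"] = int(creds["port"])  # Secrets Manager stores port as a string
    CREDENTIAL_CACHE[secret_id] = (now + CACHE_TTL_SECONDS, creds)
    return creds


def mysql_connect_kwargs(creds):
    """Map the secret's fields onto PyMySQL / mysql-connector keyword arguments."""
    return {
        "host": creds["host"],
        "port": creds["port"],
        "user": creds["username"],
        "password": creds["password"],
        "database": creds["dbname"],
    }


def lambda_handler(event, context, secrets_client=None):
    """Lambda entry point. The boto3 client is created lazily so the module
    imports, and the functions above are testable, without AWS credentials."""
    if secrets_client is None:
        import boto3  # assumption: boto3 is available in the Lambda runtime
        secrets_client = boto3.client("secretsmanager")
    creds = get_db_credentials(secrets_client, os.environ["DB_SECRET_ARN"])
    kwargs = mysql_connect_kwargs(creds)
    # connection = pymysql.connect(**kwargs)   # real database access goes here
    return {"statusCode": 200, "body": json.dumps({"db": kwargs["database"]})}


class FakeSecretsClient:
    """Constructed offline stand-in for boto3's Secrets Manager client."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"ARN": SecretId, "SecretString": self.secret_string}


# Constructed sample secret in the JSON shape Secrets Manager uses for RDS.
SAMPLE_SECRET = json.dumps({
    "username": "appuser", "password": "example-only-not-real", "engine": "mysql",
    "host": "db.example.internal", "port": "3306", "dbname": "orders",
})


def demo():
    """Show caching: two reads inside the TTL cost one API call, a third after
    the TTL expires refreshes. Returns (api_calls, port, refreshed)."""
    CREDENTIAL_CACHE.clear()
    client = FakeSecretsClient(SAMPLE_SECRET)
    first = get_db_credentials(client, "arn:demo", now=1000.0)
    second = get_db_credentials(client, "arn:demo", now=1100.0)          # cache hit
    third = get_db_credentials(client, "arn:demo", now=1000.0 + CACHE_TTL_SECONDS + 1)
    return client.calls, first["port"], (second is first) and (third is not first)


if __name__ == "__main__":
    print(demo())
```

The cache lives at module scope, so a warm Lambda container reuses it; the TTL bounds how long a stale password survives after Secrets Manager rotates the secret. The validation of REQUIRED_KEYS fails fast on a mis-shaped secret rather than handing an incomplete dict to the MySQL driver.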