Q51 — AWS SAP-C02 Ch.2

Q201. During an audit, a Security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The Security team wants to automatically find and remediate instances of this security vulnerability. Which solution will ensure that the credentials are appropriately secured automatically?

Correct Answer: D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.

Explanation

Option A (a nightly script run through AWS Systems Manager Run Command that searches the development instances for credentials) looks in the wrong place, on the instances rather than in the repository, and runs only once a day, so a committed key can sit in CodeCommit for up to 24 hours before it is found; it also stops at detection and does nothing to secure the key.
Option B (a scheduled Lambda function that downloads and scans the application code from CodeCommit) can detect and remediate, but it polls on a schedule rather than reacting to a push, so the same delay between commit and detection applies.
Option C (Amazon Macie) performs sensitive-data discovery on Amazon S3 buckets, not on CodeCommit repositories, and it only reports findings; it does not disable the key in IAM or notify the user.
Option D is the best solution: a CodeCommit trigger fires on every push and invokes a Lambda function that scans the new commits for credentials, deactivates any matching access key in IAM and notifies the user, so the window between commit and remediation is seconds rather than hours.
One caveat worth remembering in practice: deactivating the key contains the exposure but does not remove the key from the repository history. The key should be treated as compromised and replaced with a freshly issued one, and the committed secret scrubbed from the history.
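The following is an added example of the option D pipeline (CodeCommit trigger, Lambda scan, IAM deactivation, notification). It is not code from the original question or from AWS. It assumes the standard CodeCommit trigger event shape (Records[].codecommit.references[].commit), a Lambda role with codecommit:Get*, iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and sns:Publish, and a hypothetical environment variable TOPIC_ARN naming the SNS topic used to notify the developer. The regexes and the sample commit content are constructed for the example; AKIAIOSFODNN7EXAMPLE and its secret are the placeholder values from the AWS documentation, not live keys.

```python
"""CodeCommit trigger -> Lambda credential scanner with IAM remediation (added example)."""
import os
import re

try:  # boto3 is present in the Lambda runtime; the pure scanning logic runs without it
    import boto3
except ImportError:  # pragma: no cover
    boto3 = None

# IAM user access key IDs are "AKIA" + 16 upper-case alphanumerics; "ASIA" marks STS temporary keys.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 chars of [A-Za-z0-9/+] and looks like any random string, so it is only
# flagged when it sits next to a label such as AWS_SECRET_ACCESS_KEY (heuristic, assumed).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key[^A-Za-z0-9/+]{0,6}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample of a committed config file (documentation placeholder keys, not real ones).
SAMPLE_COMMITTED_FILE = (
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    "region = us-east-1\n"
)


def find_credentials(text):
    """Return {'access_key_ids': [...], 'secret_keys': [...]} found in text, de-duplicated in order."""
    return {
        "access_key_ids": list(dict.fromkeys(ACCESS_KEY_RE.findall(text))),
        "secret_keys": list(dict.fromkeys(SECRET_KEY_RE.findall(text))),
    }


def scan_commit(codecommit, repo, commit_id):
    """Yield (path, findings) for each file added or modified by commit_id that contains credentials."""
    parents = codecommit.get_commit(repositoryName=repo, commitId=commit_id)["commit"]["parents"]
    args = {"repositoryName": repo, "afterCommitSpecifier": commit_id}
    if parents:  # a root commit has nothing to diff against; scan everything it introduces
        args["beforeCommitSpecifier"] = parents[0]
    for page in codecommit.get_paginator("get_differences").paginate(**args):
        for diff in page["differences"]:
            after = diff.get("afterBlob")
            if not after:  # a deletion introduces no new content
                continue
            blob = codecommit.get_blob(repositoryName=repo, blobId=after["blobId"])["content"]
            found = find_credentials(blob.decode("utf-8", errors="replace"))
            if found["access_key_ids"] or found["secret_keys"]:
                yield after["path"], found


def disable_key(iam, access_key_id):
    """Deactivate (not delete) the key so its owner can rotate cleanly; return the owner or None."""
    try:
        owner = iam.get_access_key_last_used(AccessKeyId=access_key_id).get("UserName")
        if owner:
            iam.update_access_key(UserName=owner, AccessKeyId=access_key_id, Status="Inactive")
        return owner
    except iam.exceptions.NoSuchEntityException:  # matched the pattern but is not a key here
        return None


def lambda_handler(event, context):
    """Entry point invoked by the CodeCommit trigger on every push."""
    codecommit, iam, sns = (boto3.client(s) for s in ("codecommit", "iam", "sns"))
    report = []
    for record in event.get("Records", []):
        repo = record["eventSourceARN"].split(":")[5]  # arn:aws:codecommit:region:acct:RepoName
        for ref in record["codecommit"]["references"]:
            if ref.get("deleted") or not ref.get("commit"):
                continue
            short = ref["commit"][:8]
            for path, found in scan_commit(codecommit, repo, ref["commit"]):
                for key_id in found["access_key_ids"]:
                    owner = disable_key(iam, key_id)
                    report.append(f"{repo}@{short} {path}: {key_id} owner={owner} "
                                  f"deactivated={owner is not None}")
                for _ in found["secret_keys"]:
                    # A bare secret cannot be looked up in IAM; the owner must rotate the matching key.
                    report.append(f"{repo}@{short} {path}: secret access key committed, rotate it")
    if report:
        sns.publish(TopicArn=os.environ["TOPIC_ARN"],
                    Subject="Credentials committed to CodeCommit", Message="\n".join(report))
    return {"findings": len(report)}


if __name__ == "__main__":
    print(find_credentials(SAMPLE_COMMITTED_FILE))
```

The key is set to Inactive rather than deleted so the developer can issue a replacement and fix the code without being locked out; the notification carries the repository, commit and path so the secret can also be purged from history.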