Q97 — AWS SCS-C02 Ch.1


A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer must replace the parameter while maintaining the ability to reference the value in the template. Which solution will meet these requirements in the MOST secure way?

Correct Answer: B. Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with {{resolve:secretsmanager:MySecretId:SecretString}}.

Explanation

AWS Secrets Manager is a service designed specifically for storing and managing sensitive information such as API keys; it provides automatic secret rotation, fine-grained access control, and encrypted storage. A CloudFormation template can reference a secret held in Secrets Manager directly using the dynamic reference syntax {{resolve:secretsmanager:MySecretId:SecretString}}, which removes the plaintext exposure while preserving the flexibility and maintainability of referencing the value throughout the template.