Q43 — AWS SOA-C02 Ch.1

Question 43 of 100 (Chapter 1)

A company deploys a new application to Amazon EC2 instances. The application code is stored in an AWS CodeCommit repository. The company uses an AWS CodePipeline pipeline to deploy the code to the EC2 instances through a continuous integration and continuous delivery (CI/CD) process. A SysOps administrator needs to ensure that sensitive database information is configured properly on the EC2 instances to prevent accidental leakage of credentials. Which solutions will store and retrieve the sensitive information in the MOST secure manner? (Choose two.)

Correct Answer: A and B

A. Store the values in AWS Secrets Manager. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.

B. Store the values in AWS Systems Manager Parameter Store as secret strings. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.

Explanation

AWS Secrets Manager and Systems Manager Parameter Store are both services designed for storing sensitive data securely. Both encrypt values at rest with AWS KMS, support fine-grained access control, and integrate with IAM, so a credential is decrypted only when an authorized principal requests it (for Parameter Store this means a SecureString parameter, the "secret string" in option B, read with WithDecryption set to true). Secrets Manager additionally supports automatic secret rotation. Retrieving the values at application start and injecting them as environment variables keeps the credentials out of the source code and therefore out of the CodeCommit repository and the pipeline artifacts, which is the accidental-leakage path the question is concerned with; environment variables are still readable by other processes running as the same user and are inherited by child processes, so the application should not echo them into logs or pass them on unnecessarily. Routing the retrieval through a Lambda function adds an extra call step and another principal that must be authorized, which can increase the attack surface. Storing the values in a local file or in S3 creates a persistent copy that is only as safe as the file or bucket permissions, and managing those permissions is more complex. AWS documentation explicitly recommends Secrets Manager or Parameter Store for managing secrets (AWS Security Best Practices). Options A and B use these managed services directly, fit the principle of least privilege (the instance role is granted access to the specific secret or parameter ARNs only), and are therefore the most secure choices offered.
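The startup retrieval that options A and B describe, written out as an added example (this is not code from the page or from AWS; it uses the boto3 GetSecretValue and GetParameters call shapes). The secret name `prod/myapp/db`, the parameter paths under `/myapp/prod/db/`, the sample values and the `FakeAwsClient` stand-in are all constructed so the example runs offline; `live_clients()` shows where real boto3 clients would be plugged in on the instance. The Parameter Store path also enforces the check a practitioner wants: a requested parameter that is missing or stored as a plain `String` rather than `SecureString` aborts startup instead of silently using an unencrypted value.

```python
"""Fetch database credentials at application start and expose them as
environment variables, from Secrets Manager (option A) or Parameter Store
SecureString parameters (option B). Added example; names and values are constructed."""
import json
import os


def load_from_secrets_manager(client, secret_id):
    """Return the secret as a dict using GetSecretValue.

    RDS-managed secrets keep a JSON document in SecretString; a non-JSON
    string is returned under the key "value". Binary secrets are rejected.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    raw = resp.get("SecretString")
    if raw is None:
        raise RuntimeError(f"{secret_id} has no SecretString (binary secret?)")
    try:
        data = json.loads(raw)
    except ValueError:
        return {"value": raw}
    return data if isinstance(data, dict) else {"value": raw}


def load_from_parameter_store(client, names):
    """Return {short_name: value} using GetParameters with WithDecryption=True.

    Aborts if any name is missing or is not a SecureString: a plain String
    parameter would mean the credential sits in Parameter Store unencrypted.
    """
    resp = client.get_parameters(Names=list(names), WithDecryption=True)
    missing = resp.get("InvalidParameters") or []
    if missing:
        raise RuntimeError(f"missing parameters: {missing}")
    values = {}
    for p in resp["Parameters"]:
        if p.get("Type") != "SecureString":
            raise RuntimeError(f"{p['Name']} is {p.get('Type')}, expected SecureString")
        values[p["Name"].rsplit("/", 1)[-1]] = p["Value"]  # "/a/b/password" -> "password"
    return values


def export_as_env(values, prefix="DB_", environ=None):
    """Set PREFIX<KEY> in the process environment; returns what was exported."""
    environ = os.environ if environ is None else environ
    exported = {}
    for key, value in values.items():
        name = prefix + key.upper()
        environ[name] = str(value)
        exported[name] = str(value)
    return exported


class FakeAwsClient:
    """Constructed stand-in that answers like the two real APIs (offline demo only)."""

    def __init__(self, secrets, parameters):
        self._secrets = secrets        # secret_id -> SecretString
        self._params = parameters      # name -> (Type, Value)

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}

    def get_parameters(self, Names, WithDecryption=False):
        found, invalid = [], []
        for n in Names:
            if n not in self._params:
                invalid.append(n)
                continue
            ptype, val = self._params[n]
            if ptype == "SecureString" and not WithDecryption:
                val = "<KMS ciphertext>"  # what the real API returns without WithDecryption
            found.append({"Name": n, "Type": ptype, "Value": val})
        return {"Parameters": found, "InvalidParameters": invalid}


# Constructed sample data: one JSON secret (option A) and three parameters (option B),
# where the host is deliberately a plain String so the SecureString check has something to catch.
SAMPLE_SECRET = json.dumps({"username": "app", "password": "s3cr3t-example",
                            "host": "db.example.internal", "port": 5432})
SAMPLE_PARAMS = {
    "/myapp/prod/db/username": ("SecureString", "app"),
    "/myapp/prod/db/password": ("SecureString", "s3cr3t-example"),
    "/myapp/prod/db/host": ("String", "db.example.internal"),
}


def demo_secrets_manager(environ=None):
    client = FakeAwsClient({"prod/myapp/db": SAMPLE_SECRET}, {})
    return export_as_env(load_from_secrets_manager(client, "prod/myapp/db"), environ=environ)


def demo_parameter_store(names, environ=None):
    client = FakeAwsClient({}, SAMPLE_PARAMS)
    return export_as_env(load_from_parameter_store(client, names), environ=environ)


def live_clients(region="us-east-1"):
    """On the EC2 instance: real boto3 clients using the instance role's credentials."""
    import boto3  # imported here so the offline demo does not need boto3 installed
    return boto3.client("secretsmanager", region_name=region), boto3.client("ssm", region_name=region)


if __name__ == "__main__":
    print(demo_secrets_manager({}))
    print(demo_parameter_store(["/myapp/prod/db/username", "/myapp/prod/db/password"], {}))
```

The instance role behind `live_clients()` should be granted only `secretsmanager:GetSecretValue` on the specific secret ARN, or `ssm:GetParameters` on the specific parameter ARNs, plus `kms:Decrypt` on the key if a customer-managed KMS key encrypts them; no credential needs to appear in the CodeCommit repository or in a CodePipeline artifact.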