Question #693
A developer is configuring a CI/CD pipeline using AWS CodePipeline. The pipeline includes a build stage that needs access to an API requiring an API key for integration tests. The developer is using a buildspec.yml file to set up the API key. Company policy mandates that all API keys must be rotated automatically every 30 days.
Which solution ensures the API key is handled MOST securely?
Store the API key directly in the buildspec.yml file as a plaintext variable. Use an AWS Step Function to trigger rotation monthly.
Store the API key in AWS Systems Manager Parameter Store as a SecureString and reference it via environment variables. Enable rotation using a custom Lambda function.
Store the API key in AWS Secrets Manager and reference it via environment variables. Configure Secrets Manager to rotate the key automatically every 30 days.
Encrypt the API key using AWS KMS and store it in an environment variable. Set up an Amazon CloudWatch Events rule to handle rotation.
Explanation
Option C is correct because AWS Secrets Manager is designed to handle secrets securely and offers built-in automatic rotation, which aligns with the company's requirement. Secrets Manager encrypts the API key, allows secure retrieval via environment variables, and automates rotation without custom code.
Other options are less secure or inefficient:
- A: Storing the API key in plaintext violates security best practices.
- B: While Parameter Store's SecureString encrypts the key, rotation requires a custom Lambda function, making it less maintainable.
- D: KMS encryption is secure, but rotation via CloudWatch Events still requires manual implementation.
Key Points:
1. Never store secrets in plaintext (eliminates A).
2. Use AWS Secrets Manager for automated rotation (C) over manual/custom solutions (B, D).
3. Secrets Manager integrates natively with CodePipeline for secure environment variable injection.
Answer
The correct answer is: C