AWS Certified Solutions Architect - Professional / Question #771 of 529

Question #771

During a security review, it was found that developers accidentally included IAM role session tokens in their code pushed to an AWS CodeCommit repository. The security team needs an automated solution to detect and remediate such exposures.

Which solution ensures the credentials are secured automatically?

A

Use AWS Systems Manager Automation to periodically scan the CodeCommit repositories. If tokens are found, use IAM to revoke the sessions.

B

Set up an Amazon EventBridge rule that triggers on CodeCommit pushes. Invoke a Lambda function to scan new commits. If tokens are found, use AWS STS to revoke the session and alert the team.

C

Configure Amazon Macie to continuously monitor the repository. Upon detection, trigger a Lambda function to invalidate the sessions via IAM and notify the user.

D

Implement a CodeCommit repository trigger that invokes a Lambda function for each new commit. The Lambda scans for session tokens, revokes them using IAM, and notifies the user.

Explanation

Option D is correct because:
1. Immediate Trigger: CodeCommit repository triggers invoke a Lambda function for every new commit, ensuring real-time detection.
2. Accurate Remediation: The Lambda function uses IAM to revoke session tokens (e.g., via UpdateAssumeRolePolicy), which is the correct method to invalidate active sessions.
3. Automation: The solution fully automates detection and remediation without delays.

Other options are incorrect because:
- A: Periodic scans (SSM Automation) may miss new commits, causing delays.
- B: Using AWS STS to revoke sessions is incorrect; STS issues tokens but cannot revoke them. IAM is required.
- C: Amazon Macie is designed for PII detection, not IAM tokens, and may not integrate as seamlessly with CodeCommit.

Key Points: Use event-driven triggers (e.g., CodeCommit hooks) for real-time scanning, and leverage IAM APIs to revoke exposed credentials.
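A sketch of the option D pipeline as an added example (not code from the exam or from AWS): a Lambda handler for a CodeCommit repository trigger that pulls each pushed commit's changed blobs, scans them for temporary-credential material, and on a hit revokes the role's existing sessions. Assumptions: the role name `HYPOTHETICAL-exposed-role` is a placeholder, the sample config text is constructed, pagination of `get_differences` is omitted, and the revocation step uses the inline deny policy conditioned on `aws:TokenIssueTime` (the mechanism behind the IAM console's "Revoke active sessions" action) rather than the `UpdateAssumeRolePolicy` call the explanation mentions.

```python
import json
import re
from datetime import datetime, timezone

# Temporary (STS-issued) access key IDs start with "ASIA"; the matching session
# token usually shows up as an aws_session_token assignment in a config file.
TOKEN_PATTERNS = {
    "access_key_id": re.compile(r"\bASIA[0-9A-Z]{16}\b"),
    "session_token": re.compile(r"aws_session_token\s*[=:]\s*['\"]?([A-Za-z0-9+/=]{20,})", re.I),
}

# Constructed sample of what a leaked credentials file looks like (not real keys).
SAMPLE_CONFIG = ("[default]\n"
                 "aws_access_key_id = ASIAEXAMPLE123456789\n"
                 "aws_session_token = FwoGZXIvYXdzEBYaDExampleTokenBody1234=\n")

def scan_blob(path, text):
    """Return (path, kind, line_no) findings for one file's content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, kind, line_no))
    return findings

def revoke_policy(issued_before):
    """Policy document denying all actions to sessions issued before the timestamp."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}

def lambda_handler(event, context, role_name="HYPOTHETICAL-exposed-role"):
    """CodeCommit trigger entry point: diff each pushed commit against its parent,
    scan the new blob contents, and revoke sessions of the affected role on a hit."""
    import boto3  # imported here so the pure functions above stay testable offline
    cc, iam = boto3.client("codecommit"), boto3.client("iam")
    findings = []
    for record in event["Records"]:
        repo = record["eventSourceARN"].split(":")[-1]  # repository name is the ARN suffix
        for ref in record["codecommit"]["references"]:
            commit = cc.get_commit(repositoryName=repo, commitId=ref["commit"])["commit"]
            for parent in commit.get("parents") or [None]:
                kwargs = {"beforeCommitSpecifier": parent} if parent else {}
                for d in cc.get_differences(repositoryName=repo, afterCommitSpecifier=ref["commit"], **kwargs)["differences"]:
                    blob = d.get("afterBlob")  # None for deletions
                    if blob:
                        text = cc.get_blob(repositoryName=repo, blobId=blob["blobId"])["content"].decode("utf-8", "replace")
                        findings += scan_blob(blob["path"], text)
    if findings:
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                            PolicyDocument=json.dumps(revoke_policy(now)))
    return {"findings": findings}
```

Alerting the team (for example via an SNS publish) would go next to the `put_role_policy` call; the scan and policy-building functions are pure so they can be unit-tested without AWS access.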

Answer

The correct answer is: D