Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 242 discussion

A - AWS Secrets Manager can't rotate the credentials if they are part of the code B - You don't store creds in KMS, that's the job of Secrets Manager C - Macie can do S3 only. CodeCommit backend is also S3 but it's transparent for us, so you can't use Macie. D - Correct. See this use case https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/

D https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/

Using lambda to trigger a scan is retrospectively ineffective as Azure can do so with DevOps Organization advanced security (which does code scanning) and provide you an option to remediate if targets are found.

D is right option.

Macie only does S3 -> C is out Scheduled or nightly script will only detect the problem after a while so damage might has already done --> A, B is out Plus KMS doesnt do secrets D looks valid technically

Correct C. Macie can scan for credentials in CodeCommit repositories. According to the AWS documentation, Macie supports scanning for credentials in CodeCommit repositories and triggering actions based on the findings. You can use Macie to discover sensitive data such as AWS access keys, AWS secret access keys, private keys, and more in your CodeCommit repositories. You can also configure Macie to send notifications, invoke Lambda functions, or publish findings to AWS Security Hub when it detects sensitive data in CodeCommit repositories. For more information, see Data protection in AWS CodeCommithttps://docs.aws.amazon.com/macie/latest/user/what-is-macie.html and Amazon Macie | AWS Bloghttps://aws.amazon.com/blogs/aws/category/amazon-macie/.https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html: https://docs.aws.amazon.com/codecommit/latest/userguide/data-protection.htmlhttps://aws.amazon.com/blogs/aws/category/amazon-macie/: https://aws.amazon.com/blogs/aws/category/amazon-macie/

D - https://aws.amazon.com/blogs/compute/discovering-sensitive-data-in-aws-codecommit-with-aws-lambda-2/

D can resolve the code that already commit to codecommit

Macie sounds good but not is use case is only scans S3. Then D is more apropiate in this case , similar question in this exam practice on Tutoriales Dojo

Macie would be a great choice but at the moment it only scans S3. And even if CodeCommit ends in S3 (according to the AWS documentation) it is not visible for us and therefore I don't believe we an configure Macie to scan. At the moment Lambda remains the best choice

Need auto-disable and D does it

D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user. Explanation: This solution leverages a CodeCommit trigger to automatically invoke an AWS Lambda function whenever new code is submitted to the repository. The Lambda function can scan the code for credentials and if found, take appropriate actions such as disabling those credentials in AWS IAM and notifying the user. This approach ensures that the security vulnerability is automatically identified and remediated as part of the development process, providing a proactive security measure.

I would go with D. reason is ABC are all post event action, meaning the creditential are already leaked AFTER the code submition. only D would prevent it from happeninng by doing a check BEFORE it get submitted.

option D is the correct one of course

C - https://docs.aws.amazon.com/macie/latest/user/managed-data-identifiers.html#managed-data-identifiers-credentials