Which solution will ensure that the credentials are appropriately secured automatically?
Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials
Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Explanations:
Running a nightly script only finds credentials that have already sat in the code base, and on the development instances, for up to a day, so it is not real-time remediation; it also searches the instances rather than the repository, so it only sees what has been deployed. AWS Secrets Manager rotates secrets that it stores and has no built-in rotation for IAM user access keys; it does nothing about keys embedded in source code, which stay valid until someone deactivates them in IAM. The solution is reactive rather than proactive.
Scanning application code for credentials is the right idea, but AWS KMS manages cryptographic keys and is not a store for application secrets, so "storing found credentials in KMS" is not a meaningful step. More importantly, generating new credentials without disabling the leaked ones leaves the old keys usable, the secret still sits in the repository history, and a scheduled scan leaves a window of exposure until it next runs.
Amazon Macie discovers and classifies sensitive data in Amazon S3; CodeCommit is not a supported data source, so Macie cannot scan the repositories at all. Disabling the credentials and notifying the user would be the right response, but this option never gets that far because nothing in it can detect credentials in CodeCommit.
A CodeCommit trigger fires on every push to the configured branches, so the Lambda function scans each new commit as it lands rather than on a schedule. When it finds an access key it can immediately set that key to Inactive in IAM and notify the developer, which closes the window in which the leaked credential can be used. Two caveats a practitioner should keep in mind: the key is still present in the repository history after deactivation, so it should be deleted and reissued rather than re-enabled later, and the trigger runs after the push, so a client-side pre-commit check (for example git-secrets) is a useful complementary control that stops the secret from being committed at all.
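The trigger-driven flow in the correct option, as an added example (this code is not from the original question or from AWS): a Lambda handler reads the CodeCommit trigger event, fetches the files each pushed commit added or modified, scans them for AWS access key IDs and labelled secret keys, sets any long-term key owned by this account to Inactive in IAM, and publishes a summary to an SNS topic. The topic ARN is assumed to arrive in an `ALERT_TOPIC_ARN` environment variable, and the AWS clients are injected into `scan_and_remediate` so the logic can be run offline against constructed fakes. Function names, the regexes, and the sample repository contents are assumptions made for the example.

```python
"""Added example: CodeCommit trigger -> Lambda scan -> disable leaked IAM key -> notify."""
import os
import re
from typing import Dict, List, Tuple

# Documented AWS formats: long-term keys start with AKIA (temporary STS keys with ASIA),
# followed by 16 upper-case alphanumerics. Secret keys are 40 base64-alphabet characters;
# on their own they are too generic, so the secret pattern requires a nearby "secret" label.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")


def find_aws_credentials(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated access key IDs and labelled secret keys found in text."""
    return {
        "access_key_ids": sorted(set(ACCESS_KEY_RE.findall(text))),
        "secret_keys": sorted(set(SECRET_KEY_RE.findall(text))),
    }


def changed_files(codecommit, repo: str, commit_id: str) -> List[Tuple[str, str]]:
    """Fetch (path, content) for every file added or modified by one commit."""
    parents = codecommit.get_commit(repositoryName=repo, commitId=commit_id)["commit"]["parents"]
    kwargs = {"repositoryName": repo, "afterCommitSpecifier": commit_id}
    if parents:  # a root commit has no parent; without a "before" every file is reported
        kwargs["beforeCommitSpecifier"] = parents[0]
    files = []
    while True:  # GetDifferences is paginated via NextToken
        page = codecommit.get_differences(**kwargs)
        for diff in page["differences"]:
            if diff["changeType"] == "D":  # deletions carry no afterBlob
                continue
            blob = diff["afterBlob"]
            raw = codecommit.get_blob(repositoryName=repo, blobId=blob["blobId"])["content"]
            files.append((blob["path"], raw.decode("utf-8", errors="replace")))
        if "NextToken" not in page:
            return files
        kwargs["NextToken"] = page["NextToken"]


def disable_key(iam, key_id: str) -> str:
    """Set a long-term key to Inactive. Returns the owning user, or '' if nothing was disabled."""
    if not key_id.startswith("AKIA"):
        return ""  # ASIA = temporary STS credential; not an IAM user key, so report only
    try:
        owner = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
    except iam.exceptions.NoSuchEntityException:
        return ""  # key belongs to another account, or was already deleted
    iam.update_access_key(UserName=owner, AccessKeyId=key_id, Status="Inactive")
    return owner


def scan_and_remediate(event: dict, codecommit, iam, sns, topic_arn: str) -> List[dict]:
    """Core logic of the CodeCommit-triggered Lambda; clients are injected for offline testing."""
    findings = []
    for record in event["Records"]:
        repo = record["eventSourceARN"].split(":")[-1]  # arn:aws:codecommit:region:acct:RepoName
        for ref in record["codecommit"]["references"]:
            if ref.get("deleted"):  # branch deletion: nothing new to scan
                continue
            for path, content in changed_files(codecommit, repo, ref["commit"]):
                hits = find_aws_credentials(content)
                for key_id in hits["access_key_ids"]:
                    findings.append({"repo": repo, "commit": ref["commit"], "path": path,
                                     "access_key_id": key_id,
                                     "disabled_user": disable_key(iam, key_id)})
                for _ in hits["secret_keys"]:  # a bare secret cannot be mapped to a user
                    findings.append({"repo": repo, "commit": ref["commit"], "path": path,
                                     "access_key_id": None, "disabled_user": ""})
    if findings:
        lines = [f"{f['repo']}@{f['commit'][:8]} {f['path']}: "
                 f"{f['access_key_id'] or 'secret key'} "
                 f"({'disabled for ' + f['disabled_user'] if f['disabled_user'] else 'not disabled'})"
                 for f in findings]
        sns.publish(TopicArn=topic_arn, Subject="Hard-coded AWS credential committed",
                    Message="\n".join(lines))
    return findings


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; the scanner above has no AWS dependency
    return scan_and_remediate(event, boto3.client("codecommit"), boto3.client("iam"),
                              boto3.client("sns"), os.environ["ALERT_TOPIC_ARN"])
```

The Lambda execution role needs `codecommit:GetCommit`, `codecommit:GetDifferences`, `codecommit:GetBlob`, `iam:GetAccessKeyLastUsed`, `iam:UpdateAccessKey` and `sns:Publish`, and nothing broader. Deactivating rather than deleting the key keeps evidence for the investigation while making it unusable; the follow-up is to delete it, issue a new one and purge the commit from history.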