Which solution will meet these requirements in the MOST secure way?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A company needs to scan code changes for security issues before deployment and must prevent noncompliant code from being deployed.The company uses an AWS CodePipeline pipeline that starts when code changes occur.The code changes occur many times each day.The company’s security team supports a third-party application for code scans and has provided command-line integration steps to submit code scans.The code scan step requires a user name and password.

Which solution will meet these requirements in the MOST secure way?

Create a new AWS CodeBuild project. Configure the user name and password in an environment variable. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

Create a new AWS CodeBuild project. Store the user name and password as a string in AWS Systems Manager Parameter Store. Read the string from Parameter Store. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

Upload the user name and password in an encrypted JSON file to an Amazon S3 bucket that has a specific policy to allow only administrators to read the file. Create a new AWS CodeBuild project. Use the user name and password from the file in Amazon S3 to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

Explanations:

Storing the user name and password as environment variables in CodeBuild is insecure, as environment variables can be easily exposed in logs and are not designed for secure management of sensitive data.

Storing the user name and password in AWS Secrets Manager is the most secure solution. Secrets Manager provides encrypted storage and access control, ensuring sensitive data is protected and can be retrieved securely.

AWS Systems Manager Parameter Store is less secure than Secrets Manager for storing sensitive data. While it can store secrets, it lacks the same level of advanced features and encryption controls provided by Secrets Manager.

Storing sensitive information (user name and password) in an S3 bucket, even with encryption, is less secure than using a specialized service like Secrets Manager. S3 access control can be complex, and misconfigurations could expose the credentials.

2025-09-30

1 Comment

  1. Aaron
    Author

    I systematize that the answer is:
    Create a new AWS CodeBuild project. Store the user name and password as a secret in AWS Secrets Manager Read the secret from Secrets Manager. Use the user name and password to run the command-line integration steps. Update the CodePipeline pipeline to include a new scan stage. In the new scan stage, include a test action that uses the newly created CodeBuild project.

Leave a Reply

Your email address will not be published. Required fields are marked *

12 − twelve =