Which solution will ensure that the credentials are appropriately secured automatically?
Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Explanations:
Running a script nightly may identify existing issues, but it does not provide real-time detection and remediation for newly committed code. Additionally, rotating credentials after detection does not address the initial exposure of sensitive information in the repository.
While a scheduled Lambda function can scan the application code, generating new credentials and storing them in AWS KMS does not prevent the original credentials from being exposed. The lack of immediate action on code commits means vulnerabilities could remain for extended periods.
Amazon Macie is designed for data classification and sensitive data discovery in S3, but it is not specifically tailored for scanning CodeCommit repositories. Triggering a Lambda function to disable credentials does not provide a proactive approach for new code submissions.
Configuring a CodeCommit trigger to invoke a Lambda function allows for immediate scanning of new code submissions. If credentials are found, the Lambda function can disable them in IAM and notify the user, effectively providing real-time detection and remediation of the vulnerability.
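The trigger-driven flow in that explanation, as an added example that is not part of the original question set: a Lambda-style handler receives a CodeCommit trigger event, pulls the files changed by the pushed commit, scans them for access-key-shaped strings, sets any key ID it finds to Inactive in IAM, and publishes a notification. The AWS clients are injected so the logic runs offline against the constructed stand-ins at the bottom; the key values, repository name, topic ARN and user name are all made up placeholders, and the regexes are heuristics, not a complete secret scanner.

```python
import re
from dataclasses import dataclass

# Well-known shape of an IAM user access key ID ("AKIA" + 16 uppercase/digits); not a real key.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-char secret sitting next to a "secret key"-style identifier (heuristic, limits noise).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret(?:_access)?_key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # matched text; only access key IDs are ever acted on

def scan_text(path, text) -> list:
    """Scan one file's contents line by line and return every credential-looking match."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        findings += [Finding(path, no, "access_key_id", m.group(1)) for m in ACCESS_KEY_RE.finditer(line)]
        findings += [Finding(path, no, "secret_access_key", m.group(1)) for m in SECRET_KEY_RE.finditer(line)]
    return findings

def changed_files(codecommit, repo, commit_id) -> dict:
    """Map path -> decoded content for every file added or modified by commit_id,
    via get_commit / get_differences / get_blob (pagination omitted for brevity)."""
    commit = codecommit.get_commit(repositoryName=repo, commitId=commit_id)["commit"]
    kwargs = {"repositoryName": repo, "afterCommitSpecifier": commit_id}
    if commit.get("parents"):  # a root commit is diffed against nothing
        kwargs["beforeCommitSpecifier"] = commit["parents"][0]
    files = {}
    for diff in codecommit.get_differences(**kwargs)["differences"]:
        after = diff.get("afterBlob")
        if not after:  # deletion: nothing new was exposed
            continue
        blob = codecommit.get_blob(repositoryName=repo, blobId=after["blobId"])
        files[after["path"]] = blob["content"].decode("utf-8", errors="replace")
    return files

def handler(event, context=None, *, codecommit=None, iam=None, sns=None,
            topic_arn="arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER_TOPIC"):
    """Lambda entry point for a CodeCommit trigger event. Clients fall back to boto3
    when not injected; the offline demo below injects the stand-ins."""
    if codecommit is None or iam is None or sns is None:
        import boto3
        codecommit, iam, sns = (codecommit or boto3.client("codecommit"),
                                iam or boto3.client("iam"), sns or boto3.client("sns"))
    report = {"findings": [], "disabled": []}
    for record in event.get("Records", []):
        repo = record["eventSourceARN"].split(":")[-1]
        for ref in record["codecommit"]["references"]:
            for path, text in changed_files(codecommit, repo, ref["commit"]).items():
                report["findings"].extend(scan_text(path, text))
    for f in report["findings"]:
        if f.kind != "access_key_id" or f.value in report["disabled"]:
            continue
        # Resolve the owning user, then set the key Inactive rather than deleting it, so the
        # owner can investigate; rotation and deletion follow once the exposure is handled.
        user = iam.get_access_key_last_used(AccessKeyId=f.value)["UserName"]
        iam.update_access_key(UserName=user, AccessKeyId=f.value, Status="Inactive")
        report["disabled"].append(f.value)
    if report["findings"]:
        sns.publish(TopicArn=topic_arn, Subject="Credential committed to CodeCommit",
                    Message="\n".join(f"{f.path}:{f.line} {f.kind}" for f in report["findings"]))
    return report

# ---- constructed stand-ins for the three AWS clients (offline demo only) ----
class FakeCodeCommit:
    def __init__(self, files): self.files = files
    def get_commit(self, repositoryName, commitId):
        return {"commit": {"commitId": commitId, "parents": ["parent0"]}}
    def get_differences(self, repositoryName, afterCommitSpecifier, beforeCommitSpecifier=None):
        return {"differences": [{"afterBlob": {"blobId": p, "path": p}} for p in self.files]}
    def get_blob(self, repositoryName, blobId):
        return {"content": self.files[blobId].encode()}

class FakeIam:
    def __init__(self): self.calls = []
    def get_access_key_last_used(self, AccessKeyId): return {"UserName": "dev-user"}
    def update_access_key(self, **kw): self.calls.append(kw)

class FakeSns:
    def __init__(self): self.messages = []
    def publish(self, **kw): self.messages.append(kw)

SAMPLE_FILES = {  # constructed commit contents; the key values are fabricated and follow the format only
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"\n'
                 'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "README.md": "No secrets here.\n",
}
SAMPLE_EVENT = {"Records": [{"eventSourceARN": "arn:aws:codecommit:us-east-1:123456789012:demo-repo",
                             "codecommit": {"references": [{"commit": "abc123", "ref": "refs/heads/main"}]}}]}

def demo():
    iam, sns = FakeIam(), FakeSns()
    report = handler(SAMPLE_EVENT, codecommit=FakeCodeCommit(SAMPLE_FILES), iam=iam, sns=sns)
    return report, iam, sns

if __name__ == "__main__":
    report, iam, sns = demo()
    print(report["disabled"], iam.calls, sns.messages[0]["Message"])
```

The Lambda's execution role needs only codecommit:GetCommit, GetDifferences and GetBlob on the repository, iam:GetAccessKeyLastUsed and iam:UpdateAccessKey scoped to the developer users, and sns:Publish on the topic; deactivating rather than deleting keeps the audit trail intact and lets the owner confirm what the key was used for before it is rotated.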