Which solution will meet these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company had a third-party audit of its AWS environment.The auditor identified secrets in developer documentation and found secrets that were hardcoded into AWS CloudFormation templates throughout the environment.The auditor also identified security groups that allowed inbound traffic from the internet and outbound traffic to all destinations on the internet.A solutions architect must design a solution that will encrypt all secrets and rotate the secrets every 90 days.Additionally, the solutions architect must configure the security groups to prevent resources from being accessible from the internet.

Which solution will meet these requirements?

Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.

Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Access these items by using the AWS CLI or AWS APIs. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.

Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.

Use AWS Systems Manager Parameter Store to create, store, and access secrets. Create new Parameter Store items in AWS CloudFormation by using the AWS::SSM::Parameter resource type. Reference the items in other templates by using Systems Manager dynamic references. Configure automatic rotation in Parameter Store to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that enforces a requirement for all security groups to explicitly deny inbound and outbound communications for all protocols to 0.0.0.0/0.

Explanations:

AWS Secrets Manager provides secure secret storage with automatic rotation, which meets the requirement for secret encryption and rotation every 90 days. Using Secrets Manager dynamic references in CloudFormation templates ensures secrets are securely managed. AWS Firewall Manager can enforce policies to prevent security group violations related to inbound or outbound traffic to 0.0.0.0/0, fulfilling the security group configuration requirement.

AWS Systems Manager Parameter Store can store secrets, but it lacks the advanced secret rotation features provided by Secrets Manager, making it unsuitable for the required automatic rotation of secrets every 90 days. Also, although Firewall Manager can be used to control security groups, Parameter Store does not support dynamic references in CloudFormation templates as well as Secrets Manager.

While AWS Secrets Manager offers the required secret rotation and encryption, AWS Firewall Manager policy enforcing a requirement to “explicitly deny” inbound and outbound traffic to 0.0.0.0/0 is not necessary. The goal is to block the unrestricted access, not to enforce an explicit deny. The policy in A is more appropriate.

While Parameter Store can store secrets, it does not offer the same robust automatic rotation features as AWS Secrets Manager. The inclusion of explicit deny in the Firewall Manager policy is also a misconfiguration, as the goal is to identify violations and remove noncompliant rules, not enforce an explicit deny.

2025-09-28

1 Comment

  1. Maria
    Author

    I surmise that the answer is:
    Use AWS Secrets Manager to create, store, and access secrets. Create new secrets in AWS CloudFormation by using the AWS::SecretsManager::Secret resource type. Reference the secrets in other templates by using Secrets Manager dynamic references. Configure automatic rotation in Secrets Manager to rotate the secrets every 90 days. Use AWS Firewall Manager to create a policy that identifies all security groups that allow inbound or outbound communications for any protocols to 0.0.0.0/0. Whenever the policy flags a security group in violation, remove the noncompliant rule from security groups.

Leave a Reply to Maria Cancel reply

Your email address will not be published. Required fields are marked *

five × 3 =