Which solution will meet these requirements MOST securely?
A. Use AWS Key Management Service (AWS KMS) to encrypt the configuration file. Decrypt the configuration file when users make API calls to the SaaS vendor. Enable rotation.
B. Retrieve temporary credentials from AWS Security Token Service (AWS STS) every 15 minutes. Use the temporary credentials when users make API calls to the SaaS vendor.
C. Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access.
D. Store the credentials in AWS Systems Manager Parameter Store and enable rotation. Retrieve the credentials when users make API calls to the SaaS vendor.
Explanations:
A. While AWS KMS can encrypt data at rest and enable key rotation, it does not inherently support automatic rotation of the credentials stored in the configuration file. Manual decryption would still be required each time the credentials are accessed, which is less secure than using a dedicated secrets management service.
B. AWS STS provides temporary security credentials, but this option does not address the need to securely store and automatically rotate the API credentials. Temporary credentials are not ideal for accessing external SaaS services that require consistent credentials over time. Additionally, STS credentials are not a direct solution for managing long-lived API keys.
C. Storing the credentials in AWS Secrets Manager provides a secure way to manage sensitive information. Secrets Manager allows for automatic rotation of credentials, enhancing security by ensuring that credentials are updated regularly without manual intervention. This option meets both the requirement for securing the credentials and enforcing automatic rotation.
D. AWS Systems Manager Parameter Store can store parameters securely, but it lacks built-in support for automatic credential rotation. While it is a viable option for managing secrets, it does not provide the same level of automated security management as AWS Secrets Manager, making it less suitable for the requirement of automatic rotation.