Which solutions will store and retrieve the sensitive information in the MOST secure manner?
(Choose two.)
Store the values in AWS Secrets Manager. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
Store the values in AWS Systems Manager Parameter Store as secret strings. Update the code to retrieve these values when the application starts. Store the values as environmental variables that the application can use.
Store the values in an AWS Lambda function. Update the code to invoke the Lambda function when the application starts. Configure the Lambda function to inject the values as environmental variables that the application can use.
Store the configuration information in a file on the EC2 instances. Ensure that the underlying drives are encrypted by AWS Key Management Service (AWS KMS). Update the application to read the file when the application starts. Store the values as environmental variables.
Store the values in a text file in an Amazon S3 bucket. In the CI/CD pipeline, copy the file to the EC2 instance in an appropriate location on a disk that the application can read.
Explanations:
AWS Secrets Manager is designed to securely store and manage sensitive information such as database credentials. It supports automatic encryption at rest, and retrieving values from it programmatically is a secure practice. Storing the values as environmental variables ensures that they are readily available to the application in a secure manner.
AWS Systems Manager Parameter Store allows secure storage of sensitive information using encryption, including the option to store secret strings. Retrieving the values programmatically and using them as environmental variables is a secure way to pass sensitive information to the application.
Storing sensitive information in AWS Lambda is not ideal as Lambda functions are designed for processing logic rather than storing secrets. While Lambda can retrieve and inject credentials, it adds unnecessary complexity and is not the most secure or scalable option compared to using Secrets Manager or Parameter Store.
Storing sensitive information in a file on EC2 instances and relying on KMS encryption is not recommended, as it introduces risks of accidental exposure due to improper access controls. Managing credentials through AWS managed services like Secrets Manager or Parameter Store is more secure and scalable.
Storing sensitive information in a text file on S3 and copying it to EC2 introduces security risks. S3 bucket access must be carefully managed, and relying on file-based configuration management is prone to mistakes, especially in CI/CD environments. Secrets should be managed with more secure options like Secrets Manager or Parameter Store.
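The following is an added example, not part of the original question or of any AWS documentation. It shows the start-up retrieval pattern that the two correct answers describe: the application calls Secrets Manager (`get_secret_value`) or Parameter Store (`get_parameter` with `WithDecryption=True`) through the boto3 client API and places the results in its own process environment, never on disk. The two `Fake*` clients, the secret name `prod/app/db`, the parameter `/prod/app/db_host` and every credential value are constructed so the example runs offline; in production, pass `boto3.client("secretsmanager")` and `boto3.client("ssm")` instead.

```python
"""Load credentials at application start from AWS Secrets Manager or
Systems Manager Parameter Store and expose them as environment variables.

Written against the boto3 client calls get_secret_value / get_parameter.
The Fake* clients are constructed stand-ins (example only) that return the
same response shapes; swap in real boto3 clients for production use.
"""
import base64
import json
import os


def load_secret_from_secrets_manager(client, secret_id):
    """Return a key/value secret as a dict. Secrets Manager returns either
    SecretString (JSON text for key/value secrets) or SecretBinary."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        raw = resp["SecretString"]
    else:
        raw = base64.b64decode(resp["SecretBinary"]).decode("utf-8")
    return json.loads(raw)


def load_parameter_from_parameter_store(client, name):
    """Return the decrypted value of a SecureString parameter.
    WithDecryption=True asks SSM to decrypt with the parameter's KMS key;
    refuse plain String parameters so a misconfigured name cannot pass."""
    resp = client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is not a SecureString parameter")
    return param["Value"]


def export_to_environment(values, prefix="DB_"):
    """Put each value in the process environment and return the names set.
    The application reads os.environ afterwards; nothing touches disk."""
    names = []
    for key, value in values.items():
        env_name = prefix + key.upper()
        os.environ[env_name] = str(value)
        names.append(env_name)
    return sorted(names)


def environment_value(name):
    """Read back an exported value (used by the application and the test)."""
    return os.environ.get(name)


# --- Constructed fakes mimicking boto3 response shapes (example only) ---
class FakeSecretsManagerClient:
    def __init__(self, secrets):
        self._secrets = secrets  # secret id -> JSON string

    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


class FakeSsmClient:
    def __init__(self, params):
        self._params = params  # name -> (Type, plaintext value)

    def get_parameter(self, Name, WithDecryption=False):
        ptype, value = self._params[Name]
        if ptype == "SecureString" and not WithDecryption:
            value = "<kms-ciphertext-not-decrypted>"  # placeholder for the encrypted blob
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


def example_clients():
    """Constructed sample data: a DB credential secret and a host parameter."""
    sm = FakeSecretsManagerClient({
        "prod/app/db": json.dumps({"username": "appuser", "password": "example-not-a-real-password"}),
    })
    ssm = FakeSsmClient({"/prod/app/db_host": ("SecureString", "db.internal.example")})
    return sm, ssm


def bootstrap(secrets_client, ssm_client):
    """Start-up routine: fetch credentials, export them, return the names set."""
    creds = load_secret_from_secrets_manager(secrets_client, "prod/app/db")
    creds["host"] = load_parameter_from_parameter_store(ssm_client, "/prod/app/db_host")
    return export_to_environment(creds)


if __name__ == "__main__":
    print(bootstrap(*example_clients()))  # prints the exported variable names, never the values
```

The retrieval happens inside the application process, which is what separates the two correct options from the file-based ones: no copy of the credential is written to the instance disk or an S3 bucket, and access is governed by the instance role's IAM permissions on the secret or parameter. Environment variables are inherited by child processes, so the exporter is kept narrow (a fixed prefix, only the keys needed) and the start-up code prints names rather than values.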