A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key. A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege. Which combination of steps will meet these requirements? (Choose two.)

Topic #: - All AWS Certified DevOps Engineer - Professional DOP-C02 Questions

A. Update the default KMS key for Secrets Manager to allow only the Lambda function’s execution role to decrypt
B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function’s execution role to decrypt. Update Secrets Manager to use the new customer managed key
C. Create a KMS customer managed key that trusts Secrets Manager and allows the account’s root principal to decrypt. Update Secrets Manager to use the new customer managed key
D. Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret
E. Remove all KMS permissions from the Lambda function’s execution role

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Share this post

Join the Discussion