Discover how to automatically detect and remediate IAM user secret access keys committed to AWS CodeCommit repositories using CodeCommit triggers and AWS Lambda functions.
Table of Contents
Question
During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability.
Which solution will ensure that the credentials are appropriately secured automatically?
A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials
B. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Answer
D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Explanation
This solution leverages AWS CodeCommit triggers and AWS Lambda to automatically detect and remediate instances of IAM user secret access keys being committed to the CodeCommit repository. Here’s how it works:
- CodeCommit Trigger: AWS CodeCommit supports configuring triggers that can invoke an AWS Lambda function whenever a specific event occurs, such as a new code commit.
- Lambda Function: A Lambda function can be created to scan the newly committed code for patterns that match IAM user secret access keys. This can be done using regular expressions or other pattern matching techniques.
- Disable Credentials in IAM: If the Lambda function detects IAM user secret access keys in the committed code, it can automatically disable those credentials in AWS IAM. This ensures that the compromised credentials cannot be used for unauthorized access.
- Notify User: The Lambda function can also send a notification to the user who committed the code, informing them about the detected security vulnerability and the action taken (disabling the credentials).
By configuring this solution, the security team can automatically detect and remediate instances of IAM user secret access keys being committed to the CodeCommit repository without manual intervention. This proactive approach helps to secure credentials and mitigate potential security risks.
Additionally, since the solution is triggered by new code commits, it provides real-time protection and ensures that any new instances of this security vulnerability are promptly addressed.
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.