
A company utilizes AWS Secrets Manager to securely store sensitive API keys required by an AWS Lambda function for making API calls to an external service. The Lambda function retrieves these keys upon invocation. Currently, the Secrets Manager secret is encrypted using the default AWS Key Management Service (AWS KMS) key. A DevOps engineer is tasked with updating the infrastructure to ensure that access to the secrets in Secrets Manager is restricted solely to the Lambda function's execution role, adhering to the principle of least privilege. What steps should the DevOps engineer take to achieve this?
A. Update the default KMS key for Secrets Manager to allow only the Lambda function's execution role to decrypt.
B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. Update Secrets Manager to use the new customer managed key.
C. Create a KMS customer managed key that trusts Secrets Manager and allows the account's root principal to decrypt. Update Secrets Manager to use the new customer managed key.
D. Ensure that the Lambda function's execution role has the KMS permissions scoped at the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.
E. Remove all KMS permissions from the Lambda function's execution role.