Question 34
Domain 6: Security and Compliance
A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda function uses. When the Lambda function is invoked, the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key. A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege. Which combination of steps will meet these requirements? (Choose two.)
Correct answer: C
Explanation
AWS Secrets Manager access is controlled by IAM and, when encrypted with the default AWS KMS key, by KMS permissions as well. To apply least privilege, grant the Lambda execution role permission to call Secrets Manager for that specific secret and allow the role to use the KMS key for decrypting that secret, while denying access to other principals.
Why each option is right or wrong
A. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function's execution role to decrypt. Update Secrets Manager to use the new customer managed key
Using a customer managed key alone does not grant read access to the secret; IAM permission on the secret itself is also needed.
B. Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret
Encrypt permission on the KMS key is not what a Lambda function needs in order to read a secret; decrypt permission on the key and access to the secret are what matter.
C. All of the above
Each of the listed options is a valid answer; all are needed.