AWS DevOps Engineer Professional Practice Test

How can you pass a sensitive value to a CodeBuild project securely?

• A. Configure the value in environment variables
• B. Store the value in a text file in the repository
• C. Configure the value in SSM Parameter Store or Secrets Manager
• D. Hardcode the value in the buildspec file

The correct answer is: Configure the value in SSM Parameter Store or Secrets Manager

Using SSM Parameter Store or Secrets Manager to pass a sensitive value to a CodeBuild project securely is the most appropriate and secure method. Both of these services are specifically designed to store sensitive information such as passwords, API keys, and configuration settings in a secure manner. SSM Parameter Store allows you to securely store and manage parameters, while Secrets Manager provides more advance features for managing secrets, including automatic rotation and cryptographic storage. By integrating these services with your CodeBuild project, you can reference these secure values in your build environment without exposing them in your source code or build configurations. This significantly reduces the risk of accidental leakage or exposure of sensitive information. The alternatives provided can expose sensitive information: Configuring the value in environment variables may seem like a straightforward approach, but it can lead to potential exposure in build logs, making it less secure for sensitive data. Storing the value in a text file in the repository poses a security risk, as it can be accessed by anyone with access to the repository. Hardcoding the value in the buildspec file is not advisable for sensitive values, as it makes them visible in the source code, potentially compromising them.