A company uses AWS Secrets Manager to store a set of sensitive API keys that an AWS Lambda
function uses. When the Lambda function is invoked, the Lambda function retrieves the API keys and makes an API call to an external service. The Secrets Manager secret is encrypted with the default AWS Key Management Service (AWS KMS) key.
A DevOps engineer needs to update the infrastructure to ensure that only the Lambda function’s execution role can access the values in Secrets Manager. The solution must apply the principle of least privilege.
Which combination of steps will meet these requirements? (Select TWO.)
A . Update the default KMS key for Secrets Manager to allow only the Lambda function’s execution role to decrypt.
B . Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda function’s execution role to decrypt. Update Secrets Manager to use the new customer managed key.
C . Create a KMS customer managed key that trusts Secrets Manager and allows the account’s :root principal to decrypt. Update Secrets Manager to use the new customer managed key.
D . Ensure that the Lambda function’s execution role has the KMS permissions scoped on the resource level. Configure the permissions so that the KMS key can encrypt the Secrets Manager secret.
E . Remove all KMS permissions from the Lambda function’s execution role.
Answer: B, D
Latest DOP-C02 Dumps Valid Version with 75 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund