Amazon Exam SCS-C02 Topic 5 Question 52 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 52
Topic #: 5

[Identity and Access Management]

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company'ssecurity team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account

How should the security learn securely store the API key?

ACreate a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

BStore the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

CCreate a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

DCreate an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Show Suggested Answer

Suggested Answer: C

To securely store the API key, the security team should do the following:

Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. This allows the security team to encrypt and manage the API key centrally, and to configure automatic rotation schedules for it.

Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API. This allows the security team to avoid storing the API key with the source code, and to use IAM policies to control access to the secret.

by Dannie at Nov 02, 2025, 12:50 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Paz

2 hours ago

This is a tricky one. I'm leaning towards option B, using an S3 bucket with server-side encryption. That seems like a straightforward way to store the key separately. But I'm also intrigued by the Secrets Manager option - I'll need to weigh the pros and cons of each approach.

upvoted 0 times

...

Keith

6 days ago

Okay, I've got a plan. I think option C is the way to go - storing the API key in Secrets Manager with KMS encryption, and granting the Lambda function access to retrieve it. That keeps the key completely separate from the source code, and Secrets Manager is designed for securely storing sensitive information.

upvoted 0 times

...

Theron

11 days ago

Hmm, I'm a bit confused by all the different options here. I'll need to carefully read through each one and think about the pros and cons of each approach. Storing the key securely is the priority, but I want to make sure I choose the most efficient and secure method.

upvoted 0 times

...

Dalene

17 days ago

This looks like a pretty straightforward IAM and security question. I think I can handle this one - the key is to keep the API key secure and separate from the source code.

upvoted 0 times

...