
Amazon SCS-C02 Exam - Topic 5 Question 52 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 52
Topic #: 5

[Identity and Access Management]

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda function in an AWS CodeCommit repository in the DevOps account.

How should the security team securely store the API key?

Suggested Answer: C

To securely store the API key, the security team should do the following:

Create a secret in AWS Secrets Manager in the security account to store the API key using AWS Key Management Service (AWS KMS) for encryption. This allows the security team to encrypt and manage the API key centrally, and to configure automatic rotation schedules for it.

Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API. This allows the security team to avoid storing the API key with the source code, and to use IAM policies to control access to the secret.
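
The cross-account arrangement described in the suggested answer, as an added example that is not part of the original page: the three policy documents that let a Lambda role in the DevOps account read a secret held in the security account, plus a check for the two common misconfigurations. Account IDs, ARNs, and role and secret names are constructed placeholders; the example assumes the secret is encrypted with a customer managed KMS key, because the AWS managed key aws/secretsmanager cannot be used from another account.

```python
import json

# Constructed placeholder identifiers (assumptions, not values from the page).
SECURITY_ACCOUNT, DEVOPS_ACCOUNT, REGION = "111111111111", "222222222222", "us-east-1"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/example-lambda-role"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{SECURITY_ACCOUNT}:secret:example/api-key-AbCdEf"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{SECURITY_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

def secret_resource_policy(role_arn):
    """Resource policy on the secret (security account): only this role may read it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": role_arn},
        "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}

def kms_key_policy_statement(role_arn, region):
    """Statement for the customer managed key's policy: decrypt only through Secrets Manager."""
    return {"Effect": "Allow", "Principal": {"AWS": role_arn},
            "Action": "kms:Decrypt", "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}

def lambda_role_policy(secret_arn, key_arn):
    """Identity policy on the Lambda execution role (DevOps account)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}

def check_cross_account(kms_key_id, secret_policy, role_arn):
    """Return the problems that would block or over-expose cross-account reads."""
    problems = []
    # A missing KmsKeyId means the secret uses the AWS managed key, which other
    # accounts cannot be granted permission to use.
    if kms_key_id in (None, "alias/aws/secretsmanager"):
        problems.append("aws-managed-key")
    for stmt in secret_policy["Statement"]:
        principal = stmt.get("Principal", {})
        allowed = principal.get("AWS") if isinstance(principal, dict) else principal
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if stmt["Effect"] == "Allow" and allowed != [role_arn]:
            problems.append("principal-not-limited-to-role")
    return problems

if __name__ == "__main__":
    for doc in (secret_resource_policy(LAMBDA_ROLE_ARN),
                kms_key_policy_statement(LAMBDA_ROLE_ARN, REGION),
                lambda_role_policy(SECRET_ARN, KMS_KEY_ARN)):
        print(json.dumps(doc, indent=2))
    print(check_cross_account(KMS_KEY_ARN, secret_resource_policy(LAMBDA_ROLE_ARN), LAMBDA_ROLE_ARN))
```

All three documents are required: the resource policy and key policy are applied in the security account, and the identity policy in the DevOps account.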


Tuyet
5 hours ago
Option B sounds good too. S3 with encryption is solid, but a bit more complex.
upvoted 0 times
...
Derick
5 days ago
Agreed! It keeps the API key secure and easy to manage.
upvoted 0 times
...
Ariel
11 days ago
Wait, can environment variables really be trusted?
upvoted 0 times
...
Billye
16 days ago
Definitely agree with C, it’s more secure.
upvoted 0 times
...
Gayla
21 days ago
Isn't using S3 for this risky?
upvoted 0 times
...
Thurman
26 days ago
I think option C is the way to go!
upvoted 0 times
...
Rodolfo
1 month ago
Option D seems a bit risky to me. Storing the key in an env var, even if encrypted, is not as secure as a dedicated service like Secrets Manager.
upvoted 0 times
...
Glenn
1 month ago
Haha, I bet the developer who stored the API key in the repo thought they were being "clever". Rookie mistake!
upvoted 0 times
...
Leonardo
1 month ago
I agree, C is the best choice. Secrets Manager provides a centralized and secure way to store sensitive data like API keys.
upvoted 0 times
...
Meaghan
2 months ago
I feel like using encrypted environment variables is a common practice, but I wonder if option D is enough for compliance. Maybe C is better for security?
upvoted 0 times
...
Shanda
2 months ago
I practiced a similar question where we had to choose between environment variables and Secrets Manager. I think option C is more secure than D since it centralizes key management.
upvoted 0 times
...
Floyd
2 months ago
I'm not entirely sure, but I think storing the key in an S3 bucket could expose it if not handled correctly. Option B might not be the safest.
upvoted 0 times
...
Shawnda
2 months ago
Storing API keys in Secrets Manager is a best practice.
upvoted 0 times
...
Roslyn
2 months ago
I think option C is the best. Secrets Manager is designed for this.
upvoted 0 times
...
Lawana
2 months ago
C) is the correct answer. Storing the API key in Secrets Manager with KMS encryption is the most secure option.
upvoted 0 times
...
Paz
3 months ago
I prefer option D. Environment variables are straightforward and secure enough.
upvoted 0 times
...
Jules
3 months ago
I remember we discussed the importance of using Secrets Manager for sensitive data like API keys. It seems like option C might be the best choice here.
upvoted 0 times
...
Brandon
3 months ago
I feel pretty confident about this one. The key is to keep the API key completely separate from the source code, so I think option C with Secrets Manager is the way to go. It provides the highest level of security and control over the sensitive information.
upvoted 0 times
...
Paz
4 months ago
This is a tricky one. I'm leaning towards option B, using an S3 bucket with server-side encryption. That seems like a straightforward way to store the key separately. But I'm also intrigued by the Secrets Manager option - I'll need to weigh the pros and cons of each approach.
upvoted 0 times
...
Keith
4 months ago
Okay, I've got a plan. I think option C is the way to go - storing the API key in Secrets Manager with KMS encryption, and granting the Lambda function access to retrieve it. That keeps the key completely separate from the source code, and Secrets Manager is designed for securely storing sensitive information.
upvoted 0 times
...
Theron
4 months ago
Hmm, I'm a bit confused by all the different options here. I'll need to carefully read through each one and think about the pros and cons of each approach. Storing the key securely is the priority, but I want to make sure I choose the most efficient and secure method.
upvoted 0 times
...
Dalene
4 months ago
This looks like a pretty straightforward IAM and security question. I think I can handle this one - the key is to keep the API key secure and separate from the source code.
upvoted 0 times
Charlene
3 months ago
Secrets Manager is a solid choice for sensitive data.
upvoted 0 times
...
...
