AWS CodeBuild: Securely Storing Database Password for Build Process

Securely Storing Database Password for AWS CodeBuild


Question

Your team is planning to use the AWS CodeBuild service to test out the build of the application.

The application needs to connect to a database.

How should you securely store the database password so that it is available during the build process?


Answer - B.

The AWS Documentation mentions the following.

We strongly discourage using environment variables to store sensitive values, especially AWS access key IDs and secret access keys.

Environment variables can be displayed in plain text using tools such as the AWS CodeBuild console and the AWS CLI.

For sensitive values, we recommend you store them in the Amazon EC2 Systems Manager Parameter Store and then retrieve them from your build spec.

All other options are invalid because they are all insecure ways to access passwords in applications from AWS CodeBuild.

For more information on referencing environment variables, refer to the URL below:

https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html

The recommended way to securely store the database password in AWS CodeBuild is by using AWS Systems Manager Parameter Store, so the correct answer is B.

Explanation:

AWS CodeBuild is a fully managed continuous integration and continuous delivery service that compiles source code, runs tests, and produces software packages that are ready to deploy. It can be used to build applications written in different programming languages and run on different platforms.

When building an application that requires a database, it is important to store the database password securely to prevent unauthorized access. Here are the reasons why storing the password in the other options is not recommended:

A. Store the password as an environment variable on the build server.

Storing the password as an environment variable on the build server is not recommended because environment variables can be accessed by anyone who has access to the build server, including other users or applications running on the same server. Therefore, this option does not provide adequate security.

C. Store the password in a config file on the build server.

Storing the password in a config file on the build server is also not recommended because the config file can be accessed by anyone who has access to the build server. This option is only slightly better than storing the password as an environment variable, but it still does not provide adequate security.

D. Store the password in a config file in the application.

Storing the password in a config file in the application is not recommended because the config file can be accessed by anyone who has access to the application code. This option is not secure because the password is stored in plain text in the config file and is vulnerable to attacks that could compromise the password.

B. Store the password in AWS Systems Manager Parameter Store.

AWS Systems Manager Parameter Store is a secure, scalable, and flexible storage service that allows you to store and manage parameters and secrets such as passwords, keys, and certificates. By storing the database password in Parameter Store, you can easily access it during the build process without exposing it to anyone who does not have the necessary permissions. Additionally, Parameter Store provides a versioning capability and allows you to audit who has accessed the parameter and when.

In conclusion, storing the database password in AWS Systems Manager Parameter Store is the recommended way to securely store the password in AWS CodeBuild.
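
The AWS documentation quoted above notes that environment variables can be displayed in plain text through the console and the AWS CLI. The following added example (not from the original page or from AWS) scans output shaped like `aws codebuild batch-get-projects` and reports secret-looking variables stored as `PLAINTEXT` instead of as a `PARAMETER_STORE` reference. The project names, the parameter path and the name heuristic are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like `aws codebuild batch-get-projects` output.
SAMPLE = json.loads("""
{"projects": [
  {"name": "app-build-legacy",
   "environment": {"environmentVariables": [
     {"name": "DB_PASSWORD", "value": "example-not-a-real-password", "type": "PLAINTEXT"},
     {"name": "BUILD_STAGE", "value": "test", "type": "PLAINTEXT"}]}},
  {"name": "app-build",
   "environment": {"environmentVariables": [
     {"name": "DB_PASSWORD", "value": "/app/test/db-password", "type": "PARAMETER_STORE"},
     {"name": "DB_HOST", "value": "db.example.internal"}]}}
]}
""")

# Heuristic (assumption): variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_KEY)", re.I)
# Types whose value is a reference resolved at build time, not the secret itself.
REFERENCE_TYPES = {"PARAMETER_STORE", "SECRETS_MANAGER"}


def find_plaintext_secrets(response):
    """Return (project, variable) pairs whose secret-looking value is plain text."""
    findings = []
    for project in response.get("projects", []):
        variables = project.get("environment", {}).get("environmentVariables", [])
        for var in variables:
            # CodeBuild treats a missing type as PLAINTEXT.
            var_type = var.get("type", "PLAINTEXT")
            if var_type not in REFERENCE_TYPES and SECRET_NAME.search(var["name"]):
                findings.append((project["name"], var["name"]))
    return findings


if __name__ == "__main__":
    for project, name in find_plaintext_secrets(SAMPLE):
        print(f"{project}: {name} is PLAINTEXT; store it in Parameter Store "
              f"and reference it with type PARAMETER_STORE")
```

To audit real projects, replace `SAMPLE` with the parsed JSON returned by the CLI command for the project names you want to check.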