Secure CI/CD Process with AWS CodePipeline and Customer-Managed Keys

Ensure Compliance with Company Policy: AWS CodePipeline and Customer-Managed Keys

Question

A company is planning on using AWS CodePipeline for their underlying CI/CD process.

The code will be picked up from an S3 bucket.

The company policy mandates that all data should be encrypted at rest and that the keys are managed by the customer.

Which of the following measures would you take to ensure that the CI/CD process conforms to this policy? Choose 2 possible actions from the options given below.

Explanations

Answer - A and D.

This is also mentioned in the AWS Documentation.

There are two ways to configure server-side encryption for Amazon S3 artifacts.

AWS CodePipeline creates an Amazon S3 artifact bucket and default AWS-managed SSE-KMS encryption keys when creating a pipeline using the Create Pipeline wizard.

The master key is encrypted along with object data and managed by AWS.

You can create and manage your own customer-managed SSE-KMS keys.

Options B and C are incorrect, since encryption at rest for the pipeline artifacts has to be configured at the S3 bucket level.

For more information on encryption of S3 artifacts with CodePipeline, please refer to the link below:

https://docs.aws.amazon.com/codepipeline/latest/userguide/S3-artifact-encryption.html

Please also refer to page 252 of the following document:

https://docs.aws.amazon.com/codebuild/latest/userguide/codebuild-user.pdf

To ensure that the CI/CD process conforms to the company policy of encrypting all data at rest with customer-managed keys, the following two measures should be taken:

  1. Ensure that server-side encryption is enabled on the S3 bucket and that data is encrypted at rest in the CodeBuild environment using a customer-managed CMK. Enabling server-side encryption on the S3 bucket ensures that every object uploaded to the bucket is automatically encrypted at rest. To keep the encryption keys under the customer's control, a customer-managed CMK (Customer Master Key, now called a customer-managed KMS key) should be used to encrypt the data in the CodeBuild environment.

  2. Configure AWS KMS with customer-managed keys and use them for S3 bucket encryption. AWS KMS (Key Management Service) is a fully managed service for creating and controlling the encryption keys used to encrypt data. By creating customer-managed keys in AWS KMS, the customer retains full control over the keys (key policy, rotation, disabling and deletion). Using one of these keys as the bucket's default encryption key ensures that all data uploaded to the bucket is automatically encrypted at rest and that the encryption keys are managed by the customer rather than by AWS.

Therefore, the two possible actions to ensure that the CI/CD process conforms to the company policy are A and D.
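The following is an added compliance check for the two measures above; it is example code, not from the question bank or from AWS. It inspects the same structures the AWS APIs return (`artifactStore` from `get_pipeline`, the `ServerSideEncryptionConfiguration` from `get_bucket_encryption`, and `KeyMetadata.KeyManager` from `describe_key`), but all inputs here are constructed so it runs offline; key ARNs and account IDs are placeholders.

```python
"""Verify that a CodePipeline's S3 artifact store and the artifact bucket's
default encryption both use a customer-managed KMS key (example, constructed data)."""

# Constructed stand-in for kms.describe_key()["KeyMetadata"], keyed by key ARN.
# KeyManager is "CUSTOMER" for customer-managed keys and "AWS" for AWS-managed ones.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/aws-s3-placeholder": {"KeyManager": "AWS", "KeyState": "Enabled"},
}

def is_customer_managed(key_id):
    """True only for an enabled key whose lifecycle is managed by the customer."""
    meta = KEY_METADATA.get(key_id)
    return bool(meta) and meta["KeyManager"] == "CUSTOMER" and meta["KeyState"] == "Enabled"

def check_artifact_store(artifact_store):
    """Pipeline side: artifactStore.encryptionKey must reference a customer-managed KMS key.
    When encryptionKey is absent, CodePipeline falls back to the AWS-managed S3 key."""
    key = artifact_store.get("encryptionKey")
    if not key or key.get("type") != "KMS":
        return False, "artifact store has no KMS encryptionKey (AWS-managed default key in use)"
    if not is_customer_managed(key.get("id", "")):
        return False, "artifact store key is not a customer-managed key"
    return True, "artifact store uses a customer-managed KMS key"

def check_bucket_encryption(sse_config):
    """Bucket side: default encryption must be aws:kms with a customer-managed key."""
    for rule in sse_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            return False, "bucket default SSE algorithm is %s, not aws:kms" % default.get("SSEAlgorithm")
        if not is_customer_managed(default.get("KMSMasterKeyID", "")):
            return False, "bucket default SSE key is not a customer-managed key"
        return True, "bucket default encryption uses a customer-managed KMS key"
    return False, "bucket has no default encryption rule"

def pipeline_is_compliant(artifact_store, sse_config):
    """Both measures must hold for the policy (encrypted at rest, customer-managed keys)."""
    return check_artifact_store(artifact_store)[0] and check_bucket_encryption(sse_config)[0]

# Constructed sample inputs: a compliant pair and a non-compliant pair.
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder"
GOOD_STORE = {"type": "S3", "location": "example-artifact-bucket", "encryptionKey": {"id": CMK, "type": "KMS"}}
GOOD_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]}
BAD_STORE = {"type": "S3", "location": "example-artifact-bucket"}  # no encryptionKey: AWS-managed default
BAD_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}  # SSE-S3, AWS-managed

if __name__ == "__main__":
    print("compliant pair:", pipeline_is_compliant(GOOD_STORE, GOOD_SSE))
    print("non-compliant pair:", pipeline_is_compliant(BAD_STORE, BAD_SSE))
```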