CodeCommit Security: Ensuring Data Encryption for Audit Compliance

Question

The DevOps team of your company is considering using AWS CodeCommit rather than GitHub.

The company has very strict security policies and needs to confirm whether or not CodeCommit is secure.

They need to make sure that all new tools are able to pass their annual security audits (which are performed by an external organization).

One key part of the audit is to check if the important data is encrypted.

What should the DevOps team do to make sure that CodeCommit passes the security audit?

Explanations

Option C is Correct.

For AWS CodeCommit repositories, the data is encrypted in transit and at rest as well.

When data is pushed into an AWS CodeCommit repository (for example, by calling git push), AWS CodeCommit encrypts the received data as it is stored in the repository.

When data is pulled from an AWS CodeCommit repository (for example, by calling git pull), AWS CodeCommit decrypts the data and then sends it to the caller.

Also, CodeCommit creates an AWS-managed key in that same region in AWS Key Management Service (AWS KMS) that is used only by AWS CodeCommit (the aws/codecommit key).

This key is created and stored in your AWS account.

The user does not need to create a new key manually for CodeCommit.

Option A is incorrect because data in transit is also encrypted by CodeCommit.

Option B is incorrect because CodeCommit creates a new key by itself.

No manual work is needed.

Option D is incorrect because there is no such encryption setting to configure.

All data is encrypted automatically.
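The evidence an auditor would ask for under this explanation (the AWS-managed aws/codecommit key present and enabled in the repository's region for data at rest, HTTPS/SSH clone endpoints for data in transit) can be checked mechanically. The script below is an added example, not code from the question bank or from AWS; it evaluates responses already collected with `aws kms list-aliases`, `aws kms describe-key` and `aws codecommit get-repository`, and every sample response, account ID and key ID in it is constructed.

```python
"""Audit-evidence check for CodeCommit encryption (added example, constructed data).
Per repository: the AWS-managed aws/codecommit KMS key must exist in the repository's
region, be enabled and AWS-managed (at rest); both clone URLs must be HTTPS/SSH (in transit)."""
from urllib.parse import urlparse

CODECOMMIT_ALIAS = "alias/aws/codecommit"  # alias of the AWS-managed key CodeCommit uses


def region_of(arn):  # arn:partition:service:region:account:resource
    return arn.split(":")[3]


def find_codecommit_key(aliases, keys, region):
    """KeyMetadata of the aws/codecommit key in `region`, or None if none was collected."""
    for alias in aliases:
        if alias["AliasName"] == CODECOMMIT_ALIAS and region_of(alias["AliasArn"]) == region:
            return keys.get(alias["TargetKeyId"])
    return None


def audit_repository(repo, aliases, keys):
    """Findings for one repository plus an overall 'compliant' flag."""
    region = region_of(repo["Arn"])
    key = find_codecommit_key(aliases, keys, region)
    checks = {
        "at_rest_key_present": key is not None,
        "at_rest_key_enabled": bool(key and key["Enabled"] and key["KeyState"] == "Enabled"),
        "at_rest_key_aws_managed": bool(key and key["KeyManager"] == "AWS"),
        "in_transit_https": urlparse(repo["cloneUrlHttp"]).scheme == "https",
        "in_transit_ssh": urlparse(repo["cloneUrlSsh"]).scheme == "ssh",
    }
    return {"repository": repo["repositoryName"], "region": region,
            "compliant": all(checks.values()), **checks}


# Constructed samples shaped like list-aliases, describe-key (KeyMetadata by KeyId) and get-repository.
SAMPLE_ALIASES = [{"AliasName": "alias/aws/codecommit",
                   "AliasArn": "arn:aws:kms:us-east-1:111122223333:alias/aws/codecommit",
                   "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}]
SAMPLE_KEYS = {"1234abcd-12ab-34cd-56ef-1234567890ab":
               {"Enabled": True, "KeyState": "Enabled", "KeyManager": "AWS"}}
SAMPLE_REPOS = [
    {"repositoryName": "app-repo", "Arn": "arn:aws:codecommit:us-east-1:111122223333:app-repo",
     "cloneUrlHttp": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/app-repo",
     "cloneUrlSsh": "ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/app-repo"},
    # Region with no aws/codecommit key in the collected evidence: the key exists per region.
    {"repositoryName": "eu-repo", "Arn": "arn:aws:codecommit:eu-west-1:111122223333:eu-repo",
     "cloneUrlHttp": "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/eu-repo",
     "cloneUrlSsh": "ssh://git-codecommit.eu-west-1.amazonaws.com/v1/repos/eu-repo"},
]


def audit_all(repos=SAMPLE_REPOS, aliases=SAMPLE_ALIASES, keys=SAMPLE_KEYS):
    return [audit_repository(r, aliases, keys) for r in repos]
```

Because the key is created per region, the second sample repository comes out non-compliant until the eu-west-1 KMS evidence is collected as well, which is the gap an auditor would flag.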

When considering the security of AWS CodeCommit, it is important to note that CodeCommit is already designed to be secure by default. AWS CodeCommit repositories are encrypted at rest, meaning that the data stored in CodeCommit repositories is protected from unauthorized access.

However, to ensure that CodeCommit is able to pass the annual security audit, it is necessary to consider the encryption of data in transit, as well as data at rest. This means that the data being transferred between the user's local environment and the CodeCommit repository needs to be encrypted, in addition to the encryption already applied to the repository data.

Option A states that the DevOps team should configure CodeCommit to encrypt data in transit, such as during "git push". This is a correct statement, as the team should ensure that all data being transferred to and from the CodeCommit repository is encrypted. Therefore, this option is partially correct, but it doesn't address encryption at rest.

Option B suggests creating a key in KMS for "CodeCommit" and ensuring that "CodeCommit" uses that newly created key to encrypt all data in transit and at rest. This is a good solution that addresses both encryption at rest and in transit. By using KMS, the DevOps team can manage the encryption keys centrally, and also leverage features such as key rotation and auditing. Therefore, option B is the correct answer.

Option C states that there is no need to do anything, as data in CodeCommit is already encrypted in transit and at rest. While it is true that CodeCommit is designed to be secure by default, it is important to note that data in transit still needs to be encrypted to meet security audit requirements.

Option D suggests enabling the encryption setting during the creation of a new CodeCommit repo. While this will ensure that data in transit and at rest is encrypted, it is not a scalable solution as it requires manual intervention for each new repository created. Therefore, this option is not the best solution.

In conclusion, option B is the best solution for ensuring that CodeCommit is able to pass the security audit. By creating a key in KMS for CodeCommit and ensuring that it is used to encrypt data in transit and at rest, the DevOps team can meet the strict security requirements of their company.