You are using the AWS CodeBuild service to handle the build task in a CI/CD pipeline. In the pre-build phase of buildspec.yml, there is a docker login command such as “docker login –u $USER_NAME –p $LOGIN_PASSWORD”. And its user name and password are provided as variables in the env phase in the same buildspec.yml file.

Answer options:

A.In the env phase of the buildspec.yml file, use parameter-store to specify the user name and password. The values are stored in the Systems Manager parameter store.
B.Store the buildspec.yml file in AWS CodeCommit rather than GitHub as IAM rules can be configured in CodeCommit to ensure the security.
C.Add a strong IAM rule in AWS CodeBuild to make sure that only limited users can access the buildspec.yml file.
D.Store the credentials in a file and put the file in an S3 bucket. Encrypt the S3 bucket via SSE-S3. Modify the buildspec.yml file to use the encrypted file in the S3 bucket.

Correct Answer – A
The security issue for this case is that the credentials are exposed in the buildspec.yml file. Approaches should be taken to prevent this. Check on
https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
for the specifications of the buildspec.yml file.
Option A is CORRECT: Because Systems Manager parameter store is an ideal place to store sensitive data. In buildspec.yml, parameter store is used as below:
env:
variables:
key: "value"
key: "value"
parameter-store:
key: "value"
key: "value"
Option B is incorrect: Because AWS CodeCommit still has the same issue as GitHub. And credentials should not be put in buildspec.yml.
Option C is incorrect: This can be regarded as a prevention action. However, it does not fix the problem essentially.
Option D is incorrect: Because for the env phase of buildspec.yml, it cannot use the file in an S3 bucket.