Challenge - 5 Problems

🎖️

Secret Management Mastery

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ service_behavior

intermediate

2:00remaining

How does AWS Secrets Manager handle secret rotation?

A developer configures AWS Secrets Manager to rotate a database password automatically every 30 days. What happens during the rotation process?

ASecrets Manager only updates the secret value in the console but does not change the database password.

BSecrets Manager deletes the old secret and creates a completely new secret with a new name.

CSecrets Manager creates a new secret version, updates the database with the new password, and marks the new version as current.

DSecrets Manager sends an email notification to the admin but does not change the secret or database password.

Attempts:

2 left

❓ Configuration

intermediate

2:00remaining

Terraform: Correct Vault provider configuration for AWS authentication

Which Terraform configuration snippet correctly sets up the Vault provider to authenticate using AWS IAM role?

provider "vault" {
  auth_login {
    path = "auth/aws/login"
    parameters = {
      role = "my-role"
    }
  }
}

provider "vault" {
  auth_method = "aws"
  role = "my-role"
}

provider "vault" {
  auth {
    method = "aws"
    role = "my-role"
  }
}

provider "vault" {
  aws_auth {
    role = "my-role"
  }
}

Attempts:

2 left

❓ Architecture

advanced

2:00remaining

Designing secure secret access for microservices using Vault

You have multiple microservices running in Kubernetes that need to access different secrets stored in Vault. Which architecture ensures least privilege and automatic secret renewal?

AEmbed Vault root token in each microservice container environment variables for easy access.

BAssign each microservice a unique Vault Kubernetes service account role with policies scoped to only required secrets, and use Vault Agent sidecar for automatic token renewal.

CStore secrets in Kubernetes ConfigMaps and let microservices read them directly without Vault integration.

DUse a single Vault token shared by all microservices with full access to all secrets, and manually update tokens when expired.

Attempts:

2 left

❓ security

advanced

2:00remaining

Identifying security risk in secret management configuration

Which Terraform snippet introduces a security risk when managing AWS Secrets Manager secrets?

resource "aws_secretsmanager_secret" "db_password" {
  name = "db_password"
}

resource "aws_secretsmanager_secret_version" "db_password_version" {
  secret_id     = aws_secretsmanager_secret.db_password.id
  secret_string = var.db_password
}

ANot specifying a KMS key for encryption, so AWS uses default encryption.

BUsing <code>secret_string</code> instead of <code>secret_binary</code> for the secret value.

CNot tagging the secret resource with environment metadata.

DStoring the secret value directly in Terraform variable <code>var.db_password</code> which may be logged or stored in state files.

Attempts:

2 left

✅ Best Practice

expert

2:00remaining

Choosing the best secret injection method for serverless functions

You deploy AWS Lambda functions that require database credentials stored in AWS Secrets Manager. Which approach follows best practices for secret injection and minimizes cold start latency?

AConfigure Lambda environment variables with the secret ARN and fetch secrets at runtime using AWS SDK with caching inside the function.

BHardcode the database credentials inside the Lambda function code for faster access.

CFetch the secret from Secrets Manager on every function invocation without caching.

DStore the secret in an S3 bucket and read it from Lambda at runtime.

Attempts:

2 left