
A company is planning on using AWS CodePipeline for their underlying CI/CD process. The code will be picked up from an S3 bucket. The company policy mandates that all data should be encrypted at rest and that the keys are managed by the customer. Which of the following measures would you take to ensure that the CI/CD process conforms to this policy? Choose 2 possible actions from the options given below.

A. Ensure that server-side encryption is enabled on the S3 bucket and data is encrypted at-rest on the CodeBuild environment using customer-managed CMK.

B. Ensure that server-side encryption is enabled on the CodePipeline stage.

C. Configure the code pickup stage in CodePipeline to use AWS KMS.

D. Configure AWS KMS with customer managed keys and use it for S3 bucket encryption.

1 Answer


Answer - A and D.

This is also mentioned in the AWS Documentation.

There are two ways to configure server-side encryption for Amazon S3 artifacts.

AWS CodePipeline creates an Amazon S3 artifact bucket and default AWS-managed SSE-KMS encryption keys when creating a pipeline using the Create Pipeline wizard.

The master key is encrypted along with object data and managed by AWS.

You can create and manage your own customer-managed SSE-KMS keys.

Options B and C are incorrect since this needs to be configured at the S3 bucket level.
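As an added example (not part of the original answer or of AWS documentation), the Python below audits constructed samples shaped like the JSON from `aws s3api get-bucket-encryption` and `aws codebuild batch-get-projects`, flagging an artifact bucket or CodeBuild project that is not encrypted with a customer-managed KMS key. It assumes keys are referenced by full ARN and that each key's `KeyManager` value was collected beforehand with `aws kms describe-key`; all ARNs and names are placeholders.

```python
# Added example. Inputs are constructed and shaped like AWS CLI JSON output;
# every ARN, account ID and project name below is a placeholder.
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-customer-managed"
AWS_S3_KEY = "arn:aws:kms:us-east-1:111122223333:alias/aws/s3"
# KeyMetadata.KeyManager per key, as `aws kms describe-key` would report it.
KEY_MANAGERS = {CMK: "CUSTOMER", AWS_S3_KEY: "AWS"}
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def bucket_findings(bucket_encryption, key_managers):
    """Audit `aws s3api get-bucket-encryption` output for the artifact bucket."""
    config = bucket_encryption.get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    if not rules:
        return ["bucket: no default server-side encryption rule"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")  # absent means the AWS managed key
        if algorithm not in KMS_ALGORITHMS:
            findings.append(f"bucket: SSEAlgorithm {algorithm} is not SSE-KMS")
        elif key_managers.get(key_id) != "CUSTOMER":
            findings.append("bucket: SSE-KMS key is not customer managed")
    return findings


def codebuild_findings(project, key_managers):
    """Audit one project entry from `aws codebuild batch-get-projects`."""
    if key_managers.get(project.get("encryptionKey")) != "CUSTOMER":
        return [f"codebuild {project.get('name')}: encryptionKey is not customer managed"]
    return []


def audit(bucket_encryption, projects, key_managers=KEY_MANAGERS):
    """Return all findings for the artifact bucket and its CodeBuild projects."""
    findings = bucket_findings(bucket_encryption, key_managers)
    for project in projects:
        findings += codebuild_findings(project, key_managers)
    return findings


def sse(algorithm, key_id=None):
    """Build a constructed get-bucket-encryption response."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}
```

An empty list from `audit` means both the bucket default encryption and every listed CodeBuild project point at a key whose manager is `CUSTOMER`.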
