Correct answers:
"Store the secret as SecureString in SSM Parameter Store" - With AWS Systems Manager Parameter
Store, you can create SecureString parameters, which are parameters that have a plaintext
parameter name and an encrypted parameter value. Parameter Store uses AWS KMS to encrypt and
decrypt the parameter values of SecureString parameters. Also, if you are using customer managed
CMKs, you can use IAM policies and key policies to manage encrypt and decrypt permissions. To
retrieve the decrypted value, you only need to make one API call.
"Audit using CloudTrail" - CloudTrail will allow you to see all API calls made to SSM and KMS.
Incorrect answers:
"Encrypt first with KMS then store in SSM Parameter store" - This could work, but it will require
two API calls to get the decrypted value instead of one.
"Store the secret as PlainText in SSM Parameter Store" - Plaintext parameters are not secure and
should not be used to store secrets.
"Audit using SSM Audit Trail" - This feature does not exist.
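
An added example (not part of the original answer key) of the CloudTrail audit described above: it filters CloudTrail records for SSM reads that request decryption and for KMS Decrypt calls tied to a parameter through the PARAMETER_ARN encryption context that Parameter Store sets. The records, account ID, principals and parameter names are constructed placeholders, and the function name is hypothetical.

```python
# Constructed CloudTrail records (not real logs); the account ID, principals
# and parameter names are placeholders. Field names follow CloudTrail's layout.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-01-01T10:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"encryptionContext": {"PARAMETER_ARN":
         "arn:aws:ssm:us-east-1:111122223333:parameter/prod/db/password"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"name": "/prod/app/log-level", "withDecryption": False}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": None},  # a Decrypt unrelated to Parameter Store
]

SSM_READS = {"GetParameter", "GetParameters", "GetParametersByPath"}

def secret_reads(events):
    """Return (time, principal, api, parameter) for each decrypting access."""
    hits = []
    for ev in events:
        src, api = ev.get("eventSource"), ev.get("eventName")
        req = ev.get("requestParameters") or {}   # CloudTrail may log null here
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if src == "ssm.amazonaws.com" and api in SSM_READS and req.get("withDecryption"):
            # One SSM call returns the decrypted SecureString value.
            target = req.get("name") or req.get("path") or ",".join(req.get("names") or [])
        elif src == "kms.amazonaws.com" and api == "Decrypt":
            # Parameter Store binds the ciphertext to the parameter's ARN.
            target = (req.get("encryptionContext") or {}).get("PARAMETER_ARN")
            if not target:
                continue
        else:
            continue
        hits.append((ev.get("eventTime"), who, f"{src.split('.')[0]}:{api}", target))
    return hits

if __name__ == "__main__":
    for hit in secret_reads(SAMPLE_EVENTS):
        print(*hit)
```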
For more information visit