Store credentials in AWS Secrets Manager and resolve them in the template using CloudFormation dynamic references and Configure NoEcho on sensitive CloudFormation parameters to hide their values in stack outputs and events are correct because they prevent secret values from being recorded or displayed during CloudFormation deployments.

Store credentials in AWS Secrets Manager and resolve them in the template using CloudFormation dynamic references keeps secrets out of templates and stack metadata by resolving values at deploy time so the plaintext is not stored in stack parameters or shown by Describe calls or stack events. Using dynamic references causes CloudFormation to substitute secrets during provisioning without persisting the secret value in the stack.

Configure NoEcho on sensitive CloudFormation parameters to hide their values in stack outputs and events masks parameter values so the console and API responses show asterisks instead of the secret. NoEcho prevents accidental disclosure in stack events and Describe responses but you should still avoid logging plaintext or passing secrets to other services in clear text.

Turn on default encryption for the Amazon S3 bucket that stores the CloudFormation template is incorrect because encryption at rest protects the template file in the bucket but does not stop secrets from appearing in CloudFormation stack events or Describe APIs during deployment.

Use AWS Systems Manager Parameter Store secure strings and reference them by tag keys in the template is incorrect because CloudFormation does not support resolving parameters by tag keys. Parameter Store secure strings can be used via dynamic references by name or version but tags are not a supported resolution mechanism.

Enable AWS CloudTrail data event logging for S3 to audit template access is incorrect because CloudTrail adds auditing and visibility but it does not prevent sensitive values from surfacing in CloudFormation events or outputs during deployments.

Full AWS Practitioner Certification Question