The problem has two distinct requirements: securely managing rotating external API credentials and encrypting CodeBuild artifacts with a specific KMS key.

For credentials that must be reset each month and are sensitive, AWS Secrets Manager is the appropriate service, not Parameter Store. Secrets Manager provides built-in support for secret rotation, versioning, access control, and auditability. The external API credentials can be updated monthly either manually or via an automated rotation Lambda. CodeBuild can read the secret at build time by assuming an IAM role that allows secretsmanager:GetSecretValue.

To encrypt CodeBuild outputs, the correct pattern is to set the CODEBUILD_KMS_KEY_ID environment variable (or CodeBuild project setting) to the desired KMS key. The CodeBuild IAM service role must be granted kms:Encrypt, kms:Decrypt, and related actions on that KMS key via the key policy or IAM policy. This ensures build artifacts and logs are encrypted using the specified customer managed key.

Option C captures both requirements precisely: store credentials in Secrets Manager and update the KMS key policy for the CodeBuild role, not the CodePipeline role. Options A and B misuse Parameter Store and/or the wrong IAM principal. Option D updates the wrong role and does not connect the KMS key to CodeBuild’s artifact encryption.