Amazon DVA-C02 Exam - Topic 2 Question 57 Discussion

Actual exam question for Amazon's DVA-C02 exam
Question #: 57
Topic #: 2

A healthcare company is developing a multi-tier web application to manage patient records that are in an Amazon Aurora PostgreSQL database cluster. The company stores the application code in a Git repository and deploys the code to Amazon EC2 instances.

The application must comply with security policies and follow the principle of least privilege. The company must securely manage database credentials and API keys within the application code. The company must have the ability to rotate encryption keys on demand.

Which solution will meet these requirements?

Suggested Answer: A

Requirement Summary:

- Multi-tier app on EC2 + Aurora PostgreSQL
- Must comply with least privilege and security policies
- Need to manage credentials and API keys securely
- Must support key rotation on demand

Evaluate Options:

A. Secrets Manager + AWS managed KMS keys

- Best practice for secure secret storage
- Supports auto rotation
- Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)
- AWS managed keys are rotated automatically and easier to manage

B. Secrets Manager + customer managed keys

- Also valid, but adds complexity
- Since the question asks for LEAST development effort, AWS-managed keys are preferred

C. Store secrets in code

- Violates all security best practices

D. Use SSM Parameter Store + AWS managed keys

- Possible, but Secrets Manager is preferred when rotation is needed
- Parameter Store does not natively rotate secrets

Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Automatic key rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Best practices for secret management: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html


Audry
5 hours ago
Option D sounds good too. Parameter Store is reliable for secrets.
upvoted 0 times
...
Kirk
5 days ago
Option C is risky. Hardcoding credentials is a bad practice.
upvoted 0 times
...
Freeman
11 days ago
I prefer option B. Customer managed keys give more control.
upvoted 0 times
...
Cassi
16 days ago
I think option A is the best. Secrets Manager is secure.
upvoted 0 times
...
Bernardo
21 days ago
A and D both look good, but A has that automatic key rotation!
upvoted 0 times
...
Arlene
26 days ago
Surprised that D is even an option, feels less secure.
upvoted 0 times
...
Deonna
1 month ago
I think B is better for more control over KMS keys.
upvoted 0 times
...
Albert
1 month ago
Secrets Manager is the way to go. Rotating keys automatically is a game-changer.
upvoted 0 times
...
Izetta
1 month ago
Option D looks good, but using AWS managed keys is not as flexible as customer-managed keys.
upvoted 0 times
...
Jesusita
2 months ago
Haha, Option C? Storing credentials in the code? That's a big no-no!
upvoted 0 times
...
Merilyn
2 months ago
I vaguely remember that AWS Systems Manager Parameter Store can also be used for storing secrets, but I'm not clear on how it compares to Secrets Manager in terms of security features.
upvoted 0 times
...
Brigette
2 months ago
I feel like option C is definitely not the right choice since storing credentials in application code goes against best practices, but I can't recall why exactly.
upvoted 0 times
...
Andra
2 months ago
Option A seems solid, using Secrets Manager is a good move.
upvoted 0 times
...
Erick
2 months ago
I agree, Option B is the way to go. Separating credentials by environment is a security risk.
upvoted 0 times
...
Fletcher
2 months ago
I think option A sounds familiar because it mentions using the AWS SDK to retrieve secrets, which we practiced in a similar question about securing API keys.
upvoted 0 times
...
Lemuel
3 months ago
Option B seems like the most secure solution. Rotating encryption keys is a must-have.
upvoted 0 times
...
Glen
3 months ago
Storing creds in code? That's a big no-no! (C is risky)
upvoted 0 times
...
Jacklyn
3 months ago
I remember we discussed the importance of using AWS Secrets Manager for managing sensitive information, but I'm not sure if we covered the differences between managed and customer managed KMS keys.
upvoted 0 times
...
Evangelina
3 months ago
The principle of least privilege is key here. I like how options A and B use the AWS SDK to retrieve secrets securely.
upvoted 0 times
...
Eileen
4 months ago
I'm a bit confused about the difference between managed and customer-managed keys. I'll need to research that more before deciding.
upvoted 0 times
...
Simona
4 months ago
Automatic key rotation is a must-have for compliance. I think option A or B would be the best approach here.
upvoted 0 times
...
Craig
4 months ago
Hmm, storing credentials in the code doesn't seem very secure. I'm leaning towards one of the AWS services like Secrets Manager or Parameter Store.
upvoted 0 times
...
Jutta
4 months ago
This looks like a tricky security question. I'll need to carefully consider the requirements and the options presented.
upvoted 0 times
...
