Amazon Exam DVA-C02 Topic 2 Question 57 Discussion

Actual exam question for Amazon's DVA-C02 exam
Question #: 57
Topic #: 2

A healthcare company is developing a multi-tier web application to manage patient records that are in an Amazon Aurora PostgreSQL database cluster. The company stores the application code in a Git repository and deploys the code to Amazon EC2 instances.

The application must comply with security policies and follow the principle of least privilege. The company must securely manage database credentials and API keys within the application code. The company must have the ability to rotate encryption keys on demand.

Which solution will meet these requirements?

Suggested Answer: A

Requirement Summary:

- Multi-tier app on EC2 + Aurora PostgreSQL
- Must comply with least privilege and security policies
- Need to manage credentials and API keys securely
- Must support key rotation on demand

Evaluate Options:

A. Secrets Manager + AWS managed KMS keys

- Best practice for secure secret storage
- Supports auto rotation
- Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)
- AWS managed keys are rotated automatically and easier to manage

B. Secrets Manager + customer managed keys

- Also valid, but adds complexity
- Since the question asks for LEAST development effort, AWS-managed keys are preferred

C. Store secrets in code

- Violates all security best practices

D. Use SSM Parameter Store + AWS managed keys

- Possible, but Secrets Manager is preferred when rotation is needed
- Parameter Store does not natively rotate secrets

Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Automatic key rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Best practices for secret management: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html
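
The "fetch at runtime" point above, as an added example that is not part of the original page: a small cache around the Secrets Manager `get_secret_value` call that refetches once when a rotated secret makes the cached credentials fail. The names `SecretCache`, `connect_with_rotation_retry` and `make_default_cache`, the TTL value, and the use of `PermissionError` as the stand-in for a database authentication error are assumptions made for illustration.

```python
import json
import time


class SecretCache:
    """Fetch a JSON secret from Secrets Manager at runtime and cache it briefly."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client = client        # boto3 Secrets Manager client, or a stub in tests
        self._secret_id = secret_id  # secret name or ARN; never the secret value itself
        self._ttl = ttl_seconds      # assumed TTL; bounds how long a rotated value lingers
        self._clock = clock
        self._value = None
        self._expires = 0.0

    def get(self, force_refresh=False):
        """Return the secret as a dict, calling the API only when the cache is stale."""
        if force_refresh or self._value is None or self._clock() >= self._expires:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._value = json.loads(resp["SecretString"])
            self._expires = self._clock() + self._ttl
        return self._value


def connect_with_rotation_retry(cache, connect, auth_error=PermissionError):
    """Call connect(creds); if the cached credentials were rotated away, refetch once."""
    try:
        return connect(cache.get())
    except auth_error:
        # A rotation happened inside the TTL window: bypass the cache and retry.
        return connect(cache.get(force_refresh=True))


def make_default_cache(secret_id, region):
    """Build a cache backed by the real service, using the EC2 instance role."""
    import boto3  # imported lazily so the code above works without the SDK installed
    return SecretCache(boto3.client("secretsmanager", region_name=region), secret_id)
```

Under least privilege, the instance role behind `make_default_cache` needs `secretsmanager:GetSecretValue` on that one secret only, so nothing sensitive lives in the Git repository.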


Contribute your Thoughts:

Eileen
2 hours ago
I'm a bit confused about the difference between managed and customer-managed keys. I'll need to research that more before deciding.
upvoted 0 times
...
Simona
6 days ago
Automatic key rotation is a must-have for compliance. I think option A or B would be the best approach here.
upvoted 0 times
...
Craig
11 days ago
Hmm, storing credentials in the code doesn't seem very secure. I'm leaning towards one of the AWS services like Secrets Manager or Parameter Store.
upvoted 0 times
...
Jutta
17 days ago
This looks like a tricky security question. I'll need to carefully consider the requirements and the options presented.
upvoted 0 times
...
