Exam DVA-C02 Topic 3 Question 10 Discussion
Actual exam question for Amazon's DVA-C02 exam
Question #: 10
Topic #: 3
Question #: 10
Topic #: 3
A developer is modifying an AWS Lambda function that accesses an Amazon RDS for MySQL database. The developer discovers that the Lambda function has the database credentials stored as plaintext in the Lambda function code.
The developer must implement a solution to make the credentials more secure. The solution must include automated credential rotation every 30 days.
Which solution will meet these requirements?
The developer must implement a solution to make the credentials more secure. The solution must include automated credential rotation every 30 days.
Which solution will meet these requirements?
Suggested Answer: A Vote an answer
Requirement Summary:
* Lambda function accesses RDS for MySQL
* Credentials are currentlyhardcoded in code(insecure)
* Must enableautomated credential rotation every 30 days
Option A: Use AWS Secrets Manager + automatic rotation
* #Best and secure option
* Secrets Manager allows:
* Secure storage of secrets
* Integration withRDS for automatic rotation
* Scheduled rotation every X days (e.g., 30 days)
* Lambda canfetch credentialsvia SDK (GetSecretValue)
Option B: Use SSM Parameter Store + rotation
* #SSMdoes not support automatic rotationof secrets.
* You'd need to build custom rotation logic = higher operational overhead.
Option C: Encrypted S3 + Object Lambda rotation
* #Not intended for credential storage.
* S3 is not asecrets management system, and Object Lambda does not perform rotation.
Option D: SSM + EventBridge rotation
* #No native integration between Parameter Store and EventBridge for secret rotation.
* You'd need to build custom Lambda functions = higher maintenance.
* Secrets Manager rotation for RDS:https://docs.aws.amazon.com/secretsmanager/latest/userguide
/rotating-secrets.html
* Secure retrieval in Lambda:https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving- secrets_lambda.html
* Integration with RDS MySQL:https://docs.aws.amazon.com/secretsmanager/latest/userguide
/integrating_rds_config.html
* Lambda function accesses RDS for MySQL
* Credentials are currentlyhardcoded in code(insecure)
* Must enableautomated credential rotation every 30 days
Option A: Use AWS Secrets Manager + automatic rotation
* #Best and secure option
* Secrets Manager allows:
* Secure storage of secrets
* Integration withRDS for automatic rotation
* Scheduled rotation every X days (e.g., 30 days)
* Lambda canfetch credentialsvia SDK (GetSecretValue)
Option B: Use SSM Parameter Store + rotation
* #SSMdoes not support automatic rotationof secrets.
* You'd need to build custom rotation logic = higher operational overhead.
Option C: Encrypted S3 + Object Lambda rotation
* #Not intended for credential storage.
* S3 is not asecrets management system, and Object Lambda does not perform rotation.
Option D: SSM + EventBridge rotation
* #No native integration between Parameter Store and EventBridge for secret rotation.
* You'd need to build custom Lambda functions = higher maintenance.
* Secrets Manager rotation for RDS:https://docs.aws.amazon.com/secretsmanager/latest/userguide
/rotating-secrets.html
* Secure retrieval in Lambda:https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving- secrets_lambda.html
* Integration with RDS MySQL:https://docs.aws.amazon.com/secretsmanager/latest/userguide
/integrating_rds_config.html
by Irma at Dec 27, 2025, 06:24 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).