nerdexam
ExamsDVA-C02Questions#136
AmazonAmazon

DVA-C02 · Question #136

DVA-C02 Question #136: Real Exam Question with Answer & Explanation

The correct answer is A: Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the. AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.

Submitted by manish99· Mar 5, 2026Security

Question

A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function. The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials. Which solution will meet these requirements?

Options

  • AStore the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the
  • BInclude the database credentials as part of the Lambda function code. Update the credentials
  • CUse Lambda environment variables. Update the environment variables when new credentials are
  • DStore the database credentials in AWS Systems Manager Parameter Store. Turn on rotation.

Explanation

AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.

Common mistakes.

  • B. Hardcoding credentials in the function code requires redeployment of every function version each rotation cycle, violates security best practices, and leaves credentials exposed in source code and deployment packages.
  • C. Lambda environment variables are bound to a specific function version at publish time; updating them does not propagate to previously published versions pointed to by aliases, so old versions would still use stale credentials.
  • D. AWS Systems Manager Parameter Store can store credentials but its native rotation capability is more limited than Secrets Manager, which provides built-in automated rotation with Lambda integration specifically designed for database credentials.

Concept tested. AWS Secrets Manager automatic rotation for Lambda credential management

Reference. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full DVA-C02 PracticeBrowse All DVA-C02 Questions