nerdexam
Amazon

DVA-C02 · Question #136

A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda fun

The correct answer is A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the. AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.

Submitted by manish99· Mar 5, 2026Security

Question

A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function. The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials. Which solution will meet these requirements?

Options

  • AStore the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the
  • BInclude the database credentials as part of the Lambda function code. Update the credentials
  • CUse Lambda environment variables. Update the environment variables when new credentials are
  • DStore the database credentials in AWS Systems Manager Parameter Store. Turn on rotation.

How the community answered

(56 responses)
  • A
    77% (43)
  • B
    5% (3)
  • C
    4% (2)
  • D
    14% (8)

Why each option

AWS Secrets Manager with automatic rotation ensures Lambda functions always retrieve the latest credentials at runtime, decoupling credential lifecycle from function deployment.

AStore the database credentials in AWS Secrets Manager. Turn on rotation. Write code in theCorrect

Storing credentials in AWS Secrets Manager with rotation enabled and fetching them at runtime via the Secrets Manager API means every Lambda invocation retrieves the current valid credentials; because the secret ARN (not the value) is referenced in code, previously deployed function versions automatically use the rotated credentials without redeployment.

BInclude the database credentials as part of the Lambda function code. Update the credentials

Hardcoding credentials in the function code requires redeployment of every function version each rotation cycle, violates security best practices, and leaves credentials exposed in source code and deployment packages.

CUse Lambda environment variables. Update the environment variables when new credentials are

Lambda environment variables are bound to a specific function version at publish time; updating them does not propagate to previously published versions pointed to by aliases, so old versions would still use stale credentials.

DStore the database credentials in AWS Systems Manager Parameter Store. Turn on rotation.

AWS Systems Manager Parameter Store can store credentials but its native rotation capability is more limited than Secrets Manager, which provides built-in automated rotation with Lambda integration specifically designed for database credentials.

Concept tested: AWS Secrets Manager automatic rotation for Lambda credential management

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice