DVA-C02 Question #275: Real Exam Question with Answer & Explanation

The correct answer is B: Store the credentials as secrets in AWS Secrets Manager. Create an AWS Lambda function to. AWS Secrets Manager is purpose-built for storing, managing, and automatically rotating database credentials, and natively integrates with Amazon RDS to rotate credentials without requiring custom code or storing credentials in the application.

Submitted by rachelw · Mar 5, 2026 · Security

Question

A company runs an application on Amazon EC2 instances. The EC2 instances open connections to an Amazon RDS for SQL Server database. A developer needs to store and access the credentials and wants to automatically rotate the credentials. The developer does not want to store the credentials for the database in the code. Which solution will meet these requirements in the MOST secure way?

Options

  • A. Create an IAM role that has permissions to access the database. Attach the IAM role to the EC2
  • B. Store the credentials as secrets in AWS Secrets Manager. Create an AWS Lambda function to
  • C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2
  • D. Store the credentials in an Amazon DynamoDB table. Configure an Amazon CloudWatch Events

Explanation

AWS Secrets Manager is purpose-built for storing, managing, and automatically rotating database credentials, and natively integrates with Amazon RDS to rotate credentials without requiring custom code or storing credentials in the application.

Common mistakes.

  • A. IAM roles enable EC2 instances to authenticate to AWS services using IAM-based authentication, but RDS for SQL Server requires database-level username/password credentials; IAM database authentication is only supported on RDS MySQL and PostgreSQL, not SQL Server.
  • C. Storing credentials in an S3 file, even encrypted, does not provide automatic rotation; the developer would need to build a custom rotation mechanism and the credentials remain static until manually updated.
  • D. DynamoDB is a general-purpose database with no built-in credential rotation capability; using CloudWatch Events to trigger rotation would require significant custom Lambda code to implement what Secrets Manager provides natively.

Concept tested. AWS Secrets Manager automatic credential rotation for RDS

Reference. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
