nerdexam
Amazon

DVA-C02 · Question #305

A data visualization company wants to strengthen the security of its core applications. The applications are deployed on AWS across its development, staging, pre-production, and production environment

The correct answer is D. Configure AWS Secrets Manager to create a new secret for each environment type. Store the. Option D is correct because AWS Secrets Manager is purpose-built for storing, encrypting, and automatically rotating secrets - and creating a separate secret per environment (dev, staging, pre-prod, prod) is the cleanest architectural pattern, allowing independent rotation schedu

Submitted by carlos_mx· Mar 5, 2026Security

Question

A data visualization company wants to strengthen the security of its core applications. The applications are deployed on AWS across its development, staging, pre-production, and production environments. The company needs to encrypt all of its stored sensitive credentials. The sensitive credentials need to be automatically rotated. A version of the sensitive credentials need to be stored for each environment. Which solution will meet these requirements in the MOST operationally efficient way?

Options

  • AConfigure AWS Secrets Manager versions to store different copies of the same credentials
  • BCreate a new parameter version in AWS Systems Manager Parameter Store for each
  • CConfigure the environment variables in the application code. Use different names for each
  • DConfigure AWS Secrets Manager to create a new secret for each environment type. Store the

How the community answered

(32 responses)
  • A
    16% (5)
  • B
    6% (2)
  • C
    3% (1)
  • D
    75% (24)

Explanation

Option D is correct because AWS Secrets Manager is purpose-built for storing, encrypting, and automatically rotating secrets - and creating a separate secret per environment (dev, staging, pre-prod, prod) is the cleanest architectural pattern, allowing independent rotation schedules, fine-grained IAM policies, and clear separation of concerns with minimal operational overhead.

Option A is wrong because Secrets Manager versions track the rotation history of a single secret (via staging labels like AWSCURRENT/AWSPREVIOUS) - they are not designed to represent separate environment copies of the same credential.

Option B is wrong because AWS Systems Manager Parameter Store (even with SecureString) does not natively support automatic credential rotation - you'd need to build custom rotation logic, making it far less operationally efficient than Secrets Manager.

Option C is wrong because hardcoding or configuring credentials in application environment variables is a security anti-pattern: they are not encrypted at rest, not rotated automatically, and are easily exposed through logs or process inspection.

Memory tip: Think of Secrets Manager as "Secrets + Rotation = One Secret per environment." If the question mentions automatic rotation of encrypted credentials, Secrets Manager is almost always the answer - and one secret per environment keeps isolation clean.

Topics

#AWS Secrets Manager#Secret Rotation#Credential Management#Security Best Practices

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice