DVA-C02 · Question #305
A data visualization company wants to strengthen the security of its core applications. The applications are deployed on AWS across its development, staging, pre-production, and production environment
The correct answer is D. Configure AWS Secrets Manager to create a new secret for each environment type. Store the. Option D is correct because AWS Secrets Manager is purpose-built for storing, encrypting, and automatically rotating secrets - and creating a separate secret per environment (dev, staging, pre-prod, prod) is the cleanest architectural pattern, allowing independent rotation schedu
Question
A data visualization company wants to strengthen the security of its core applications. The applications are deployed on AWS across its development, staging, pre-production, and production environments. The company needs to encrypt all of its stored sensitive credentials. The sensitive credentials need to be automatically rotated. A version of the sensitive credentials need to be stored for each environment. Which solution will meet these requirements in the MOST operationally efficient way?
Options
- AConfigure AWS Secrets Manager versions to store different copies of the same credentials
- BCreate a new parameter version in AWS Systems Manager Parameter Store for each
- CConfigure the environment variables in the application code. Use different names for each
- DConfigure AWS Secrets Manager to create a new secret for each environment type. Store the
How the community answered
(32 responses)- A16% (5)
- B6% (2)
- C3% (1)
- D75% (24)
Explanation
Option D is correct because AWS Secrets Manager is purpose-built for storing, encrypting, and automatically rotating secrets - and creating a separate secret per environment (dev, staging, pre-prod, prod) is the cleanest architectural pattern, allowing independent rotation schedules, fine-grained IAM policies, and clear separation of concerns with minimal operational overhead.
Option A is wrong because Secrets Manager versions track the rotation history of a single secret (via staging labels like AWSCURRENT/AWSPREVIOUS) - they are not designed to represent separate environment copies of the same credential.
Option B is wrong because AWS Systems Manager Parameter Store (even with SecureString) does not natively support automatic credential rotation - you'd need to build custom rotation logic, making it far less operationally efficient than Secrets Manager.
Option C is wrong because hardcoding or configuring credentials in application environment variables is a security anti-pattern: they are not encrypted at rest, not rotated automatically, and are easily exposed through logs or process inspection.
Memory tip: Think of Secrets Manager as "Secrets + Rotation = One Secret per environment." If the question mentions automatic rotation of encrypted credentials, Secrets Manager is almost always the answer - and one secret per environment keeps isolation clean.
Topics
Community Discussion
No community discussion yet for this question.