nerdexam
Amazon

DVA-C02 · Question #541

A developer is writing an application in AWS Lambda. To simplify testing and deployments, the developer needs the database connection string to be easily changed without modifying the Lambda code. How

The correct answer is A. Store the connection string as a secret in AWS Secrets Manager.. AWS Secrets Manager is the correct service to store database connection strings, enabling Lambda to retrieve them at runtime without embedding them in code.

Submitted by anna_se· Mar 5, 2026Development with AWS Services

Question

A developer is writing an application in AWS Lambda. To simplify testing and deployments, the developer needs the database connection string to be easily changed without modifying the Lambda code. How can this requirement be met?

Options

  • AStore the connection string as a secret in AWS Secrets Manager.
  • BStore the connection string in an IAM user account.
  • CStore the connection string in AWS KMS.
  • DStore the connection string as a Lambda layer.

How the community answered

(32 responses)
  • A
    91% (29)
  • B
    3% (1)
  • C
    6% (2)

Why each option

AWS Secrets Manager is the correct service to store database connection strings, enabling Lambda to retrieve them at runtime without embedding them in code.

AStore the connection string as a secret in AWS Secrets Manager.Correct

AWS Secrets Manager stores, rotates, and manages access to secrets such as database credentials and connection strings. Lambda functions can retrieve the secret value at runtime via the Secrets Manager API using the function's IAM role, keeping sensitive configuration out of the code and enabling changes without redeployment or code modification.

BStore the connection string in an IAM user account.

IAM user accounts are for authentication and authorization principals, not for storing configuration data or secrets; there is no mechanism to store a connection string in an IAM user account.

CStore the connection string in AWS KMS.

AWS KMS is a key management service used for cryptographic operations and key storage; it is not designed to store arbitrary configuration values or connection strings.

DStore the connection string as a Lambda layer.

Lambda layers package and share code libraries or dependencies across functions; they are deployed as immutable ZIP archives and are not suitable for storing dynamic configuration values that need to change without code redeployment.

Concept tested: AWS Secrets Manager for Lambda configuration management

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_how-services-use-secrets_lambda.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice