nerdexam
Amazon

DVA-C02 · Question #645

A healthcare company is developing a multi-tier web application to manage patient records that are in an Amazon Aurora PostgreSQL database cluster. The company stores the application code in a Git rep

The correct answer is B. Store the database credentials and API keys in AWS Secrets Manager. Use customer managed. AWS Secrets Manager provides secure storage and built-in credential rotation for your database passwords and API keys. By using a customer-managed KMS key, you retain full control over that key’s lifecycle, including on-demand rotation, and you can grant your application IAM perm

Submitted by satoshi_tk· Mar 5, 2026Security

Question

A healthcare company is developing a multi-tier web application to manage patient records that are in an Amazon Aurora PostgreSQL database cluster. The company stores the application code in a Git repository and deploys the code to Amazon EC2 instances. The application must comply with security policies and follow the principle of least privilege. The company must securely manage database credentials and API keys within the application code. The company must have the ability to rotate encryption keys on demand. Which solution will meet these requirements?

Options

  • AStore database credentials and API keys in AWS Secrets Manager. Use AWS managed AWS
  • BStore the database credentials and API keys in AWS Secrets Manager. Use customer managed
  • CStore the database credentials in the application code. Separate credentials by using
  • DStore the database credentials and API keys as parameters in AWS Systems Manager

How the community answered

(39 responses)
  • A
    5% (2)
  • B
    82% (32)
  • C
    10% (4)
  • D
    3% (1)

Explanation

AWS Secrets Manager provides secure storage and built-in credential rotation for your database passwords and API keys. By using a customer-managed KMS key, you retain full control over that key’s lifecycle, including on-demand rotation, and you can grant your application IAM permission to decrypt only the secrets it needs. Storing secrets in Secrets Manager, configuring automatic rotation, and securing them with your own CMK satisfies least-privilege, secure secret management, and on-demand key rotation requirements.

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice