SAP-C02 · Question #474
SAP-C02 Question #474: Real Exam Question with Answer & Explanation
The correct answer is D: store the database credentials in AWS Secrets Manager. Secrets Manager encrypts each secret with an AWS KMS key, so a customer managed key whose use is restricted to the IT security team satisfies the access requirement, and Secrets Manager can rotate the SQL Server credentials on a schedule.
Question
A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis. What should a solutions architect do in the production environment to meet these requirements?
Options
- A. Store the database credentials in AWS Systems Manager Parameter Store by using a
- B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS)
- C. Store the database credentials in the environment variables of each Lambda function. Encrypt the
- D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an
Explanation
The production requirements are three: the credentials must be encrypted, only members of the IT security team's IAM user group may access the key, and the key must be rotated regularly. Storing the credentials in AWS Secrets Manager meets all three. Secrets Manager encrypts the secret with a KMS key; using a customer managed key lets the key policy and the IAM policies attached to the IT security group decide who can administer the key, while the Lambda execution role is granted only what it needs to read the secret. Secrets Manager rotates the credential itself with a rotation Lambda function, and AWS provides a rotation function for RDS SQL Server, so the password changes on a schedule without code changes in the application functions. KMS automatic key rotation covers the key material separately. The development database keeps its own secret and key, so developers retain access there without gaining access to the production key.
Common mistakes.
- A. A Systems Manager Parameter Store SecureString parameter is encrypted with a KMS key, and that key can be restricted to the IT security team in the same way. What Parameter Store lacks is built-in rotation: nothing changes the database password on a schedule unless the company writes and operates that automation itself.
- B. Encrypting the credentials with a KMS key addresses encryption at rest, but KMS key rotation only rotates the key material. The database password itself is never changed, so the rotation requirement is not met, and the encrypted blob still has to be stored and managed somewhere.
- C. Lambda environment variables are encrypted at rest, but their plaintext is returned to anyone who can call the function configuration API or view the function in the console, and they can leak through logging. They also have no rotation mechanism, so every password change is a redeployment of every function.
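The access-control half of answer D, and the one operational edge the explanation glosses over (a warm Lambda environment keeps a cached password that stops working the moment Secrets Manager rotates it), as an added example that is not part of the exam page or any AWS sample. The account ID, region, role ARN, key ARN and secret name are placeholders, and the Secrets Manager client is a constructed stand-in so the code runs offline; in Lambda you would pass `boto3.client("secretsmanager")` instead. One caveat the question wording hides: an IAM user group cannot be a principal in a KMS key policy, so the IT security group's access is granted through an IAM policy attached to the group, which the key policy's root statement makes effective.

```python
"""Added example (not from the exam page): key policy for the customer managed
key behind the production secret, the group policy for the IT security team,
a review check for over-broad principals, and Lambda-side handling of a
rotated secret. All identifiers below are assumed placeholders."""
import json
from typing import Callable, Dict, List

ACCOUNT_ID = "123456789012"  # placeholder
REGION = "us-east-1"  # placeholder
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/prod-sqlserver-lambda-role"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
SECRET_ID = "prod/sqlserver/app"  # placeholder secret name


def key_policy(account_id: str, lambda_role_arn: str, region: str) -> dict:
    """Key policy for the customer managed key protecting the production secret.
    The root statement enables IAM policies (how the IT security group gets
    access); the Lambda role gets Decrypt only, and only via Secrets Manager
    (kms:ViaService), so it cannot decrypt arbitrary ciphertext with the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMPolicies", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "LambdaDecryptViaSecretsManager", "Effect": "Allow",
             "Principal": {"AWS": lambda_role_arn},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def it_security_group_policy(key_arn: str) -> dict:
    """IAM policy to attach to the IT security user group: full use and
    administration of this one key and nothing else."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": key_arn}]}


def wildcard_principals(policy: dict) -> List[str]:
    """Review check: Sids of Allow statements that open the key to any AWS
    principal, which would defeat the 'IT security team only' requirement."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def connection_params(secret_string: str) -> Dict[str, object]:
    """Map the JSON that Secrets Manager's SQL Server rotation maintains
    (engine, host, port, username, password, dbname) to driver parameters."""
    s = json.loads(secret_string)
    if s.get("engine") != "sqlserver":
        raise ValueError("unexpected engine %r" % s.get("engine"))
    for field in ("host", "username", "password"):
        if not s.get(field):
            raise ValueError("secret is missing %r" % field)
    return {"server": "%s,%s" % (s["host"], s.get("port", 1433)),
            "database": s.get("dbname", "master"),
            "user": s["username"], "password": s["password"]}


_cache: Dict[str, str] = {}  # persists across warm invocations of one Lambda environment


def fetch_secret(client, secret_id: str, force: bool = False) -> str:
    """Return SecretString from the injected client; force=True bypasses the cache."""
    if force or secret_id not in _cache:
        _cache[secret_id] = client.get_secret_value(SecretId=secret_id)["SecretString"]
    return _cache[secret_id]


def connect_with_rotation_retry(client, secret_id: str, connect: Callable):
    """Connect with cached credentials; on failure assume the secret was rotated
    after it was cached, refresh once and retry. In production narrow the
    except clause to the driver's login-failure exception."""
    try:
        return connect(connection_params(fetch_secret(client, secret_id)))
    except Exception:
        return connect(connection_params(fetch_secret(client, secret_id, force=True)))


class FakeSecretsClient:
    """Constructed stand-in for boto3's Secrets Manager client (offline demo)."""
    def __init__(self, password: str):
        self.password = password

    def get_secret_value(self, SecretId: str) -> dict:
        return {"SecretString": json.dumps({
            "engine": "sqlserver", "host": "prod-db.example.internal", "port": 1433,
            "dbname": "app", "username": "app_user", "password": self.password})}


def rotation_demo():
    """Cache the first password, rotate behind the function's back, and show the
    retry picking up the new one. Returns the passwords that succeeded."""
    client = FakeSecretsClient("old-pass")
    _cache.clear()

    def connect(params):  # constructed: only the current password logs in
        if params["password"] != client.password:
            raise RuntimeError("Login failed for user 'app_user'")
        return params["password"]

    first = connect_with_rotation_retry(client, SECRET_ID, connect)
    client.password = "new-pass"  # Secrets Manager rotation happened
    second = connect_with_rotation_retry(client, SECRET_ID, connect)
    return first, second
```

The `kms:ViaService` condition is the detail worth copying: it ties the Lambda role's Decrypt permission to Secrets Manager, so compromising the function's role does not yield a general-purpose decrypt oracle on the production key. Pair the secret rotation with `EnableKeyRotation` on the key itself, since the two rotate different things.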
Concept tested. Secure secret management and rotation with AWS Secrets Manager
Reference. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html