AWS Certified Developer – Associate (DVA-C02) — Question 131
A developer is setting up a deployment pipeline. The pipeline includes an AWS CodeBuild build stage that requires access to a database to run integration tests. The developer is using a buildspec.yml file to configure the database connection. Company policy requires automatic rotation of all database credentials.
Which solution will handle the database credentials MOST securely?
Answer options
- A. Retrieve the credentials from variables that are hardcoded in the buildspec.yml file. Configure an AWS Lambda function to rotate the credentials.
- B. Retrieve the credentials from an environment variable that is linked to a SecureString parameter in AWS Systems Manager Parameter Store. Configure Parameter Store for automatic rotation.
- C. Retrieve the credentials from an environment variable that is linked to an AWS Secrets Manager secret. Configure Secrets Manager for automatic rotation.
- D. Retrieve the credentials from an environment variable that contains the connection string in plaintext. Configure an Amazon EventBridge event to rotate the credentials.
Correct answer: C
Explanation
Option C is the most secure choice because AWS Secrets Manager is designed for managing sensitive information and supports automatic credential rotation natively. Option A is insecure because the credentials are hardcoded in the buildspec.yml file. Option B is better than hardcoding, but Parameter Store has no built-in rotation, and Secrets Manager offers enhanced security features. Option D is also insecure because storing the connection string in plaintext exposes it to potential threats.
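An added example (not part of the original question) of what option C looks like in a buildspec.yml file, with the hardcoded pattern from options A and D shown commented out for contrast. The secret name `integration-tests/db`, its JSON keys and the test script are hypothetical.

```yaml
# buildspec.yml (added example; secret name, JSON keys and script are hypothetical)
version: 0.2

env:
  # Insecure pattern (options A and D): the value lives in plaintext in the
  # repository and in the build configuration, and rotation cannot update it.
  # variables:
  #   DB_PASSWORD: "example-plaintext-password"   # constructed placeholder

  # Option C: CodeBuild resolves each variable from Secrets Manager when the
  # build starts, so a rotated credential is picked up on the next build.
  # Reference format: <secret-id>:<json-key>[:<version-stage>[:<version-id>]]
  # With no version stage given, the current version (AWSCURRENT) is used.
  secrets-manager:
    DB_HOST: "integration-tests/db:host"
    DB_USER: "integration-tests/db:username"
    DB_PASSWORD: "integration-tests/db:password"

phases:
  build:
    commands:
      # The test runner reads DB_HOST, DB_USER and DB_PASSWORD from the
      # environment; nothing in this file contains the credential itself.
      - ./run-integration-tests.sh
```

The CodeBuild service role needs `secretsmanager:GetSecretValue` on that secret, scoped to its ARN rather than to all secrets.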