AWS Certified Developer – Associate (DVA-C02) — Question 151
A developer maintains applications that store several secrets in AWS Secrets Manager. The applications use secrets that have changed over time. The developer needs to identify required secrets that are still in use. The developer does not want to cause any application downtime.
What should the developer do to meet these requirements?
Answer options
- A. Configure an AWS CloudTrail log file delivery to an Amazon S3 bucket. Create an Amazon CloudWatch alarm for the GetSecretValue Secrets Manager API operation requests.
- B. Create a secretsmanager-secret-unused AWS Config managed rule. Create an Amazon EventBridge rule to initiate notifications when the AWS Config managed rule is met.
- C. Deactivate the applications' secrets and monitor the applications' error logs temporarily.
- D. Configure AWS X-Ray for the applications. Create a sampling rule to match the GetSecretValue Secrets Manager API operation requests.
Correct answer: B
Explanation
The correct answer is B because the secretsmanager-secret-unused AWS Config managed rule evaluates secrets that have not been accessed within a configurable number of days, so the developer can identify unused secrets automatically, and pairing it with an EventBridge rule delivers notifications when the rule reports a finding, all without touching the running applications. Option A only records and counts GetSecretValue calls; it does not by itself tell the developer which secrets are never retrieved. Option C deactivates secrets that may still be needed, which could cause application errors and downtime. Option D focuses on request tracing and does not provide a direct way to identify unused secrets.