AWS Certified Developer – Associate (DVA-C02) — Question 214

A company has an existing application that has hardcoded database credentials. A developer needs to modify the existing application. The application is deployed in two AWS Regions with an active-passive failover configuration to meet company’s disaster recovery strategy.

The developer needs a solution to store the credentials outside the code. The solution must comply with the company’s disaster recovery strategy.

Which solution will meet these requirements in the MOST secure way?

Answer options

• A. Store the credentials in AWS Secrets Manager in the primary Region. Enable secret replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.
• B. Store credentials in AWS Systems Manager Parameter Store in the primary Region. Enable parameter replication to the secondary Region. Update the application to use the Amazon Resource Name (ARN) based on the Region.
• C. Store credentials in a config file. Upload the config file to an S3 bucket in the primary Region. Enable Cross-Region Replication (CRR) to an S3 bucket in the secondary region. Update the application to access the config file from the S3 bucket, based on the Region.
• D. Store credentials in a config file. Upload the config file to an Amazon Elastic File System (Amazon EFS) file system. Update the application to use the Amazon EFS file system Regional endpoints to access the config file in the primary and secondary Regions.

Correct answer: A

Explanation

Option A is the most secure method as AWS Secrets Manager is designed for managing sensitive information and allows for automated secret replication across regions, ensuring compliance with disaster recovery strategies. Option B, while also secure, is not as specialized for secret management. Options C and D use less secure methods by storing credentials in config files, which can expose sensitive data if not properly secured.