AWS Certified Developer – Associate (DVA-C02) — Question 288

A company notices that credentials that the company uses to connect to an external software as a service (SaaS) vendor are stored in a configuration file as plaintext.

The developer needs to secure the API credentials and enforce automatic credentials rotation on a quarterly basis.

Which solution will meet these requirements MOST securely?

Answer options

• A. Use AWS Key Management Service (AWS KMS) to encrypt the configuration file. Decrypt the configuration file when users make API calls to the SaaS vendor. Enable rotation.
• B. Retrieve temporary credentials from AWS Security Token Service (AWS STS) every 15 minutes. Use the temporary credentials when users make API calls to the SaaS vendor.
• C. Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access.
• D. Store the credentials in AWS Systems Manager Parameter Store and enable rotation. Retrieve the credentials when users make API calls to the SaaS vendor.

Correct answer: C

Explanation

AWS Secrets Manager is the ideal service for this scenario as it securely stores API keys and supports built-in automatic rotation schedules, which can be configured for a quarterly basis. AWS Systems Manager Parameter Store does not provide native automatic rotation for external credentials, and AWS KMS is designed for key management rather than storing and rotating secret payloads. AWS STS is used for generating temporary AWS credentials and cannot be used for third-party SaaS vendor credentials.