AWS Certified Developer – Associate (DVA-C02) — Question 308
A data visualization company wants to strengthen the security of its core applications. The applications are deployed on AWS across its development, staging, pre-production, and production environments. The company needs to encrypt all of its stored sensitive credentials. The sensitive credentials need to be automatically rotated. A version of the sensitive credentials needs to be stored for each environment.
Which solution will meet these requirements in the MOST operationally efficient way?
Answer options
- A. Configure AWS Secrets Manager versions to store different copies of the same credentials across multiple environments.
- B. Create a new parameter version in AWS Systems Manager Parameter Store for each environment. Store the environment-specific credentials in the parameter version.
- C. Configure the environment variables in the application code. Use different names for each environment type.
- D. Configure AWS Secrets Manager to create a new secret for each environment type. Store the environment-specific credentials in the secret.
Correct answer: D
Explanation
AWS Secrets Manager natively supports both encryption at rest and automatic rotation of sensitive data, making it the most operationally efficient choice. Creating a distinct secret for each environment (Option D) is correct because Secrets Manager versions (Option A) are designed to track rotation history (the current and previous values of one secret) rather than to segregate different environments. AWS Systems Manager Parameter Store (Option B) does not support automatic rotation natively, and hardcoding credentials as environment variables in application code (Option C) is highly insecure and does not support rotation.
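As an added illustration of Option D (not part of the original question or AWS's documentation), the CloudFormation template below creates one distinct, automatically rotated secret per environment; it is deployed once per environment with a different Environment parameter. The secret name, the MySQL single-user rotation type, the DbHost and DbUser parameters, and the 30-day schedule are assumptions chosen for the example.

```yaml
# Added example: one stack per environment, each owning its own secret.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23   # required when using HostedRotationLambda
Description: One distinct, auto-rotated application credential secret per environment

Parameters:
  Environment:
    Type: String
    AllowedValues: [development, staging, preprod, production]
  DbHost:
    Type: String            # assumption: endpoint of the MySQL database this credential belongs to
  DbUser:
    Type: String
    Default: appuser        # assumption: database user whose password is rotated

Resources:
  AppDbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      # A separate secret per environment (Option D); secret versions are left to rotation history.
      Name: !Sub '${Environment}/data-viz/app/db-credentials'
      Description: !Sub 'Application DB credentials for the ${Environment} environment'
      # Stored encrypted with the account's default Secrets Manager KMS key; set KmsKeyId to use a customer key.
      GenerateSecretString:
        # The rotation function expects engine/host/port/username in the secret JSON.
        SecretStringTemplate: !Sub '{"engine": "mysql", "host": "${DbHost}", "port": 3306, "username": "${DbUser}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
      Tags:
        - Key: Environment
          Value: !Ref Environment

  AppDbCredentialsRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref AppDbCredentials
      # AWS-managed rotation function; assumes a MySQL database reachable by the function.
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        RotationLambdaName: !Sub '${Environment}-app-db-rotation'
      RotationRules:
        AutomaticallyAfterDays: 30   # rotation schedule: new password every 30 days
```

Deploying this template four times (once per Environment value) yields four independent secrets, and within each secret the AWSCURRENT and AWSPREVIOUS staging labels track rotation history, which is what secret versions (Option A) are for.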