AWS Certified Developer – Associate (DVA-C02) — Question 435

A company is developing a serverless application that requires storage of sensitive API keys as environment variables for various services. The application requires the automatic rotation of the encryption keys every year.

Which solution will meet these requirements with no development effort?

Answer options

• A. Encrypt the environment variables by using AWS Secrets Manager. Set up automatic rotation in Secrets Manager.
• B. Encrypt the environment variables by using AWS Key Management Service (AWS KMS) customer managed keys. Enable automatic key rotation.
• C. Encrypt the environment variables by using AWS Key Management Service (AWS KMS) AWS managed keys. Configure a custom AWS Lambda function to automate key rotation.
• D. Encrypt the environment variables by using AWS Systems Manager Parameter Store. Set up automatic rotation in Parameter Store.

Correct answer: B

Explanation

AWS KMS customer managed keys allow you to enable automatic key rotation with a simple configuration switch, which automatically rotates the backing key every year with zero development effort. AWS managed keys are rotated automatically every three years, which does not meet the annual requirement, and altering this behavior would require custom development. AWS Secrets Manager and Systems Manager Parameter Store do not natively manage the rotation of the environment variables' underlying encryption keys without additional development or configuration.