AWS Certified Developer – Associate (DVA-C02) — Question 95
A company's developer is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function.
The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials.
Which solution will meet these requirements?
Answer options
- A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.
- B. Include the database credentials as part of the Lambda function code. Update the credentials periodically and deploy the new Lambda function.
- C. Use Lambda environment variables. Update the environment variables when new credentials are available.
- D. Store the database credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Systems Manager Parameter Store.
Correct answer: A
Explanation
Option A is correct because AWS Secrets Manager supports automatic rotation of credentials, ensuring that the latest credentials are always available to the Lambda functions. Option B is not secure because it hard-codes the credentials in the function code and requires a redeployment for every update. Option C does not provide a mechanism for automatic rotation. Option D, while viable, does not integrate with credential rotation as seamlessly as Secrets Manager does.