
AWS DVA-C02 Drill: Secure Configuration Management - Least Operational Overhead with Secrets & Parameters

Author: Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

“Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.”

“For AWS DVA-C02 candidates, the confusion often lies in balancing secure credential storage with minimal code changes and operational overhead. In production, this is about knowing exactly which AWS services manage secrets securely and natively handle rotation, while other config values should leverage simpler encrypted parameter storage. Let’s drill down.”

The Certification Drill (Simulated Question)

Scenario

A fintech startup, NimbusPay, is enhancing its core payment backend implemented as AWS Lambda functions. Upon reviewing the code, their development team finds that database credentials for their Amazon RDS for SQL Server instance—such as username, password, DB name, host, and port—are hardcoded, along with resource identifiers for a DynamoDB table, an S3 bucket, and an SNS topic.

NimbusPay’s lead developer wants to securely externalize all these configuration values from the code in encrypted storage, enable automatic rotation for the database credentials, and allow other applications to reuse these parameters. Updates to these values should not require code modifications or manual deployments. The team also prefers the solution with the lowest operational overhead.

The Requirement

Securely store and reuse database credentials and other configuration parameters outside the codebase, with automatic credentials rotation and minimal operational burden.

The Options

  • A) Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic.
  • B) Create an RDS database secret in AWS Secrets Manager. Set the user name, password, database, host, and port. Turn on secret rotation. Create SecureString parameters in AWS Systems Manager Parameter Store for the DynamoDB table, S3 bucket, and SNS topic.
  • C) Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic. Create a Lambda function and set the logic for the credentials rotation task. Schedule the credentials rotation task in Amazon EventBridge.
  • D) Create RDS database parameters in AWS Systems Manager Parameter Store for the user name, password, database, host, and port. Store the DynamoDB table, S3 bucket, and SNS topic in Amazon S3. Create a Lambda function and set the logic for the credentials rotation. Invoke the Lambda function on a schedule.

Correct Answer

B

Quick Insight: The Developer Imperative

  • For DVA-C02: Using AWS Secrets Manager for database credentials is critical because it natively supports automatic rotation of secrets without extra coding.
  • Sensitive but static resource names (DynamoDB, S3, SNS) fit well into SSM Parameter Store’s SecureString, which is simpler and cost-effective.
  • Encrypted Lambda environment variables are baked into the function configuration, so every value change means a redeployment, which adds operational overhead.
  • Custom rotation code and scheduling add complexity and risk compared to built-in Secrets Manager rotation.

The Expert’s Analysis

Correct Answer

Option B

The Winning Logic

AWS Secrets Manager is purpose-built for managing database credentials:

  • It securely stores the RDS username, password, host, port, and database name in an encrypted secret.
  • It supports built-in, automated secret rotation that can be enabled with minimal custom logic, dramatically reducing operational overhead.
  • For RDS for SQL Server, rotation uses the AWS-provided rotation function, so the team does not write or maintain bespoke rotation code.

For static configuration items like DynamoDB tables, S3 buckets, and SNS topics, AWS Systems Manager Parameter Store’s SecureString is appropriate:

  • Parameters can be encrypted with KMS keys.
  • They can be updated without redeploying code, since the Lambda function can read parameters at runtime (and cache them for the life of the execution environment) instead of baking them into its configuration.
  • This avoids the risk, complexity, and cost of storing every parameter as a secret in Secrets Manager.

Using encrypted Lambda environment variables for these parameters (Options A and C) is less ideal because those environment variables require redeployments to update values and do not support rotation.

Implementing credential rotation manually with custom Lambda + EventBridge tasks (Options C and D) increases operational overhead and creates more failure points compared to the native rotation in Secrets Manager.

The Trap (Distractor Analysis)

  • Why not A? Encrypted Lambda environment variables for static config mean code redeployment on each update, increasing ops overhead.
  • Why not C? The developer must write and maintain custom rotation logic and scheduling for secrets, which Secrets Manager automates.
  • Why not D? Storing resource identifiers in S3 is less secure and less manageable than Parameter Store; custom rotation logic adds complexity.

The Technical Blueprint

# Create a secret in AWS Secrets Manager. The key names (engine, host, port, username, password,
# dbname) are the ones the AWS-provided SQL Server rotation function reads, so keep them as-is.
# Pass the JSON from a file rather than inline so the password does not land in shell history.
cat > rds-secret.json <<'EOF'
{"engine":"sqlserver","host":"db.nimbuspay.com","port":1433,"username":"dbuser","password":"Passw0rd!","dbname":"payments"}
EOF
aws secretsmanager create-secret --name NimbusPay/RDS/SQLServer --secret-string file://rds-secret.json
rm -f rds-secret.json

# Turn on automatic rotation: point at the rotation Lambda (the AWS-provided template) and set the schedule.
aws secretsmanager rotate-secret --secret-id NimbusPay/RDS/SQLServer \
  --rotation-lambda-arn arn:aws:lambda:region:account:function:SecretsManagerRotationLambda \
  --rotation-rules AutomaticallyAfterDays=30

# Store static config in Parameter Store as SecureString (alias/aws/ssm is the default AWS managed key):
aws ssm put-parameter --name /NimbusPay/DynamoDB/TableName --value "NimbusPayTransactionTable" --type SecureString --key-id alias/aws/ssm
aws ssm put-parameter --name /NimbusPay/S3/BucketName --value "nimbuspay-archive-bucket" --type SecureString --key-id alias/aws/ssm
aws ssm put-parameter --name /NimbusPay/SNS/TopicArn --value "arn:aws:sns:region:account:PaymentNotifications" --type SecureString --key-id alias/aws/ssm

# Verify the parameters decrypt with the caller's KMS permissions before wiring them into the function:
aws ssm get-parameters --names /NimbusPay/DynamoDB/TableName /NimbusPay/S3/BucketName /NimbusPay/SNS/TopicArn --with-decryption
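As an added example (not from the original page or NimbusPay's code), this is the Lambda-side counterpart to the blueprint above and to the runtime-read point in the winning logic: a loader that fetches the secret and the three SecureString parameters with a TTL cache, fails loudly if a parameter is missing, and re-reads the secret once when a database login fails because rotation has replaced the cached password. `ConfigLoader`, `connect_with_retry` and the two `Fake*` clients are assumed names; in Lambda you would pass `boto3.client("secretsmanager")` and `boto3.client("ssm")` instead of the constructed stubs.

```python
import json
import time

# Names come from the blueprint above; the AWS clients are injected (boto3 clients in Lambda, stubs below).
SECRET_ID = "NimbusPay/RDS/SQLServer"
PARAM_NAMES = ["/NimbusPay/DynamoDB/TableName", "/NimbusPay/S3/BucketName", "/NimbusPay/SNS/TopicArn"]

class ConfigLoader:
    def __init__(self, secrets_client, ssm_client, ttl=300, clock=time.time):
        self._sm, self._ssm, self._ttl, self._clock = secrets_client, ssm_client, ttl, clock
        self._cache = {}  # key -> (fetched_at, value); survives warm invocations, expires after ttl
    def _cached(self, key, fetch, force=False):
        now = self._clock()
        if force or key not in self._cache or now - self._cache[key][0] > self._ttl:
            self._cache[key] = (now, fetch())
        return self._cache[key][1]
    def db_credentials(self, force=False):
        """force=True bypasses the cache: the retry path after rotation invalidated the old password."""
        return self._cached("creds", lambda: json.loads(
            self._sm.get_secret_value(SecretId=SECRET_ID)["SecretString"]), force)
    def static_config(self):
        def fetch():
            resp = self._ssm.get_parameters(Names=PARAM_NAMES, WithDecryption=True)
            if resp.get("InvalidParameters"):  # a missing name is a deployment bug: fail loudly
                raise KeyError(f"missing SSM parameters: {resp['InvalidParameters']}")
            return {p["Name"]: p["Value"] for p in resp["Parameters"]}
        return self._cached("params", fetch)

def connect_with_retry(loader, connect):
    """connect(creds) opens a DB session; PermissionError means a stale cached password, so refetch once."""
    try:
        return connect(loader.db_credentials())
    except PermissionError:
        return connect(loader.db_credentials(force=True))

# Constructed in-memory stand-ins for the two AWS clients (response shape mimics boto3).
class FakeSecrets:
    def __init__(self):
        self.password, self.calls = "v1", 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps({"engine": "sqlserver", "host": "db.nimbuspay.com",
                 "port": 1433, "username": "dbuser", "password": self.password, "dbname": "payments"})}

class FakeSSM:
    def __init__(self, store):
        self.store = store
    def get_parameters(self, Names, WithDecryption):
        return {"Parameters": [{"Name": n, "Value": self.store[n]} for n in Names if n in self.store],
                "InvalidParameters": [n for n in Names if n not in self.store]}
```

AWS also ships the Parameters and Secrets Lambda Extension, which does the same local caching behind a localhost HTTP endpoint; the refetch-on-login-failure step is still needed with it, because a cache can always be one rotation behind.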

The Comparative Analysis

| Option | Complexity | Update Flexibility / Security | Use Case / Operational Overhead |
|---|---|---|---|
| A | Medium (Secrets Manager + env vars) | Low update flexibility | Uses rotation for DB creds, but env vars are static and need a redeploy for updates. |
| B | Low (native Secrets Manager + SSM) | High flexibility and security | Best balance: Secrets Manager for DB creds + SSM for static params, with no redeploy. |
| C | High (SSM + custom rotation Lambda) | More complex deployment | Custom rotation Lambda adds overhead and risk; Lambda env vars require redeployment. |
| D | Very high (SSM + S3 + custom rotation) | Complex and fragile | Storing config in S3 is less secure; custom rotation increases the error surface. |

Real-World Application (Practitioner Insight)

Exam Rule

“For the exam, always pick Secrets Manager when you see database credentials that require rotation.”

Real World

“In production, many teams combine Secrets Manager for dynamic secrets with Parameter Store for static config to optimize cost and operational cadence.”

Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.
