Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in recognizing which AWS service handles secret rotation out-of-the-box and when custom code is needed. In production, this is about knowing exactly how secrets are stored, encrypted, and rotated transparently without blowing up your deployment pipeline. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechNova Solutions is building a new serverless application that integrates multiple third-party services requiring API keys. These sensitive keys must be stored securely as environment variables accessible by AWS Lambda functions. TechNova wants the encryption keys protecting these secrets to rotate automatically on a yearly basis with no additional development effort or maintenance overhead.
The Requirement: #
Identify the best solution for storing and rotating sensitive environment variables with zero development effort for key rotation automation.
The Options #
- A) Encrypt the environment variables by using AWS Secrets Manager. Set up automatic rotation in Secrets Manager.
- B) Encrypt the environment variables by using AWS Key Management Service (AWS KMS) customer managed keys. Enable automatic key rotation.
- C) Encrypt the environment variables by using AWS Key Management Service (AWS KMS) AWS managed keys. Configure a custom AWS Lambda function to automate key rotation.
- D) Encrypt the environment variables by using AWS Systems Manager Parameter Store. Set up automatic rotation in Parameter Store.
Correct Answer #
A
Quick Insight: The Developer Imperative #
- Secrets Manager natively manages secrets rotation with built-in Lambda rotation functions — no additional development needed.
- KMS automatic key rotation rotates only the KMS key material; it does not rotate the secret value itself and does not update the environment variables that hold it.
- Parameter Store doesn’t support secret rotation natively.
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
AWS Secrets Manager is purpose-built for secret management, including automatic rotation of secrets with zero custom code required. You simply enable rotation and Secrets Manager provisions a Lambda function for you. It also integrates cleanly with Lambda environment variables or direct API calls, making it the best option for storing sensitive keys requiring automated rotation.
- Secrets Manager encrypts the secret values at rest using KMS under the hood.
- The built-in rotation feature handles periodic credential updates and versioning.
- No custom Lambda or manual pipeline updates are needed for rotation.
- It’s the most developer-friendly for managing secrets lifecycle automatically.
The Trap (Distractor Analysis): #
- Why not B? KMS customer managed keys can rotate automatically, but this rotates the key material only. It does not automatically re-encrypt or update environment variables or secret values; additional logic would be needed to re-encrypt and propagate the changes.
- Why not C? AWS managed keys are rotated by AWS, but there is no built-in secret rotation; a custom Lambda rotation function would still have to be developed, which violates the “no development effort” requirement.
- Why not D? Parameter Store can store encrypted parameters but does not support automatic secret rotation. Rotation would require a manual process or a custom solution.
The Technical Blueprint #
```bash
# Example: enable rotation for a secret in AWS Secrets Manager via the CLI.
# The rotation Lambda referenced here must implement the four rotation steps
# (createSecret, setSecret, testSecret, finishSecret). "region" and
# "account-id" are placeholders for your own values. Note that rotate-secret
# also triggers an immediate rotation by default, not only the schedule.
aws secretsmanager rotate-secret \
  --secret-id MyApp/APIKeys \
  --rotation-lambda-arn arn:aws:lambda:region:account-id:function:SecretsManagerRotationLambda \
  --rotation-rules AutomaticallyAfterDays=365
```
The Comparative Analysis #
| Option | API Complexity | Automation of Rotation | Use Case Fit |
|---|---|---|---|
| A | Low | Fully automatic | Best for managing secrets lifecycle with rotation out-of-the-box |
| B | Medium | Key rotation only | Good for encryption keys, but no secret value rotation |
| C | High | Manual via Lambda | Requires custom code; not zero-effort |
| D | Low | None | Stores encrypted params but no automatic rotation |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always pick Secrets Manager when you see automatic secret rotation with sensitive credentials.”
Real World #
“In real projects, we might combine Secrets Manager with parameter substitutions in Lambda environment variables or API calls, relying on Secrets Manager’s native rotation rather than building custom rotation logic.”
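As an added example (not code from the original note), the consumer side of the pattern described above: a Lambda that keeps only the secret's name in an environment variable and reads the AWSCURRENT value from Secrets Manager through a short TTL cache, so a rotated key is picked up without a redeploy. The secret name MyApp/APIKeys, the key_id/api_key JSON layout and the FakeSecretsManager stand-in are assumptions made for this example.

```python
import json
import os
import time

# Only the secret's name is read from the environment; the API keys themselves
# stay in Secrets Manager. "MyApp/APIKeys" is a constructed default.
SECRET_ID = os.environ.get("API_KEY_SECRET_ID", "MyApp/APIKeys")
CACHE_TTL_SECONDS = 300  # re-read from Secrets Manager at most every 5 minutes

_cache = {}  # secret_id -> (parsed value, time fetched)


def get_api_keys(client, secret_id=SECRET_ID, ttl=CACHE_TTL_SECONDS, now=None):
    """Return the AWSCURRENT version of the secret as a dict, caching it for
    `ttl` seconds so a rotated value is picked up without a redeploy."""
    now = time.time() if now is None else now
    hit = _cache.get(secret_id)
    if hit and now - hit[1] < ttl:
        return hit[0]
    resp = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    value = json.loads(resp["SecretString"])
    _cache[secret_id] = (value, now)
    return value


def handler(event, context):
    """Lambda entry point (assumed shape): call a third-party API with whatever
    key Secrets Manager currently holds; rotation needs no code change here."""
    import boto3  # imported lazily so the module also loads without the SDK

    keys = get_api_keys(boto3.client("secretsmanager"))
    return {"statusCode": 200, "body": f"using key id {keys['key_id']}"}


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client, used to exercise the cache
    offline: rotate() simulates Secrets Manager moving the AWSCURRENT label."""

    def __init__(self, key_id, api_key):
        self.current = {"key_id": key_id, "api_key": api_key}
        self.calls = 0  # how many real reads the cache let through

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"SecretString": json.dumps(self.current)}

    def rotate(self, key_id, api_key):
        self.current = {"key_id": key_id, "api_key": api_key}
```

Within the TTL a rotated value is still served from cache, so size the TTL against how long the old key stays valid after rotation.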
Disclaimer #
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.