Skip to main content

AWS DVA-C02 Drill: Secrets Management - Native Rotation vs. Custom Implementation

·1648 words·8 mins·
Certification Drills AWS DVA-C02 AWS Secrets Manager Lambda RDS Credential Rotation KMS
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Jeff’s Note
#

“Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.”

“For DVA-C02 candidates, the confusion often lies in choosing between Secrets Manager and Parameter Store for database credentials. In production, this is about knowing exactly which AWS service provides native RDS integration with zero-code rotation. Let’s drill down.”

The Certification Drill (Simulated Question)
#

Scenario
#

TechFlow Analytics is migrating their data pipeline application to serverless architecture. Their backend Lambda function needs to connect to a PostgreSQL database running on Amazon RDS. Currently, the database credentials are hardcoded in an S3 bucket as a JSON file, which the Lambda function downloads during cold starts.

The Lead Developer has been tasked with implementing a more secure solution that addresses two critical requirements: credentials must rotate automatically every 30 days, and the Lambda function should retrieve the latest credentials with minimal code changes.

The Requirement:
#

Implement a credential storage and rotation solution that provides native RDS integration, automatic credential updates, and seamless Lambda function access with the LEAST management overhead.

The Options
#

  • A) Store the credentials in AWS Systems Manager Parameter Store. Select the database that the parameter will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the parameter. Enable automatic rotation for the parameter. Use the parameter from Parameter Store on the Lambda function to connect to the database.

  • B) Encrypt the credentials with the default AWS Key Management Service (AWS KMS) key. Store the credentials as environment variables for the Lambda function. Create a second Lambda function to generate new credentials and rotate the credentials by updating the environment variables of the first Lambda function. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the database to use the new credentials. On the first Lambda function, retrieve the credentials from the environment variables. Decrypt the credentials by using AWS KMS. Connect to the database.

  • C) Store the credentials in AWS Secrets Manager. Set the secret type to Credentials for Amazon RDS database. Select the database that the secret will access. Use the default AWS Key Management Service (AWS KMS) key to encrypt the secret. Enable automatic rotation for the secret. Use the secret from Secrets Manager on the Lambda function to connect to the database.

  • D) Encrypt the credentials by using AWS Key Management Service (AWS KMS). Store the credentials in an Amazon DynamoDB table. Create a second Lambda function to rotate the credentials. Invoke the second Lambda function by using an Amazon EventBridge rule that runs on a schedule. Update the DynamoDB table. Update the database to use the generated credentials. Retrieve the credentials from DynamoDB with the first Lambda function. Connect to the database.

Correct Answer
#

Option C.

Quick Insight: The Native Integration Imperative
#

For DVA-C02: The exam tests your knowledge of AWS service-specific SDK methods. Secrets Manager provides the GetSecretValue API with built-in credential caching via the AWS Secrets Manager SDK, while Parameter Store requires manual rotation logic implementation. The key differentiator is native RDS rotation without writing Lambda rotation functions.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option C: AWS Secrets Manager with RDS-specific secret type

The Winning Logic
#

Secrets Manager is purpose-built for this exact use case. Here’s why it’s the optimal solution:

1. Native RDS Integration: When you select “Credentials for Amazon RDS database” as the secret type, Secrets Manager automatically:

  • Stores the connection string metadata (endpoint, port, database name)
  • Creates the rotation Lambda function template for your specific database engine
  • Configures IAM permissions for the rotation function
  • Updates both the secret AND the database master password atomically

2. Zero-Code Rotation: The rotation happens via a managed Lambda function that Secrets Manager deploys. You never write rotation logic. The function:

# This is what AWS manages for you automatically
def lambda_handler(event, context):
    service_client = boto3.client('secretsmanager')
    arn = event['SecretId']
    token = event['ClientRequestToken']
    step = event['Step']
    
    # AWS handles: createSecret, setSecret, testSecret, finishSecret
    # Rotation includes: RDS password update + secret version update

3. SDK Simplicity: Your Lambda function only needs:

import boto3
import json

secrets_client = boto3.client('secretsmanager')

def lambda_handler(event, context):
    secret_value = secrets_client.get_secret_value(
        SecretId='prod/rds/techflow-db'
    )
    
    credentials = json.loads(secret_value['SecretString'])
    # credentials contains: username, password, host, port, dbname
    
    connection = psycopg2.connect(
        host=credentials['host'],
        user=credentials['username'],
        password=credentials['password'],
        database=credentials['dbname']
    )

4. Version Staging: Secrets Manager uses staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) to enable zero-downtime rotation. Your application always fetches AWSCURRENT, while rotation happens on AWSPENDING.

The Trap (Distractor Analysis)
#

Why not Option A (Parameter Store)?

  • Missing Feature: Parameter Store does NOT have native automatic rotation functionality for RDS credentials
  • API Reality: There is no “Enable automatic rotation for the parameter” option in Parameter Store
  • Manual Implementation Required: You’d need to build the entire rotation mechanism yourself (Lambda function + EventBridge + RDS password update logic)
  • Use Case: Parameter Store is excellent for configuration data and non-rotating secrets, but not for database credentials that require rotation

Why not Option B (Environment Variables)?

  • Deployment Overhead: Updating Lambda environment variables requires redeploying the function configuration, causing a brief interruption
  • Race Condition Risk: The rotation Lambda must update the database password AND the environment variable atomically, which is complex
  • Poor Security Practice: While encrypted at rest, environment variables are visible in the Lambda console to anyone with read permissions
  • Operational Complexity: You’re building a custom rotation system instead of using AWS-managed rotation

Why not Option D (DynamoDB Custom Solution)?

  • Maximum Management Overhead: You’re implementing the entire secrets management system from scratch
  • No Built-in Encryption: DynamoDB encryption is separate from KMS-based secrets encryption
  • Custom Rotation Logic: You must write and maintain the rotation Lambda, error handling, and rollback mechanisms
  • Cost Inefficiency: DynamoDB read/write costs plus Lambda invocations for every database connection
  • Development Anti-Pattern: Reinventing AWS Secrets Manager

The Technical Blueprint
#

Developer Implementation Pattern:

# Lambda function code for RDS connection using Secrets Manager
import boto3
import json
import psycopg2
from botocore.exceptions import ClientError

def get_secret(secret_name, region_name="us-east-1"):
    """
    Retrieve database credentials from Secrets Manager
    This function includes caching logic in production
    """
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )
    
    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        # Handle specific error codes
        if e.response['Error']['Code'] == 'ResourceNotFoundException':
            raise Exception(f"Secret {secret_name} not found")
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            raise Exception(f"Invalid request for secret {secret_name}")
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            raise Exception(f"Invalid parameter for secret {secret_name}")
        else:
            raise e
    
    # Parse the secret string
    secret = json.loads(get_secret_value_response['SecretString'])
    return secret

def lambda_handler(event, context):
    # Retrieve credentials
    db_credentials = get_secret('prod/rds/techflow-db')
    
    # Connect to RDS
    conn = psycopg2.connect(
        host=db_credentials['host'],
        port=db_credentials['port'],
        user=db_credentials['username'],
        password=db_credentials['password'],
        database=db_credentials['dbname']
    )
    
    cursor = conn.cursor()
    cursor.execute("SELECT version();")
    result = cursor.fetchone()
    
    cursor.close()
    conn.close()
    
    return {
        'statusCode': 200,
        'body': json.dumps({'database_version': result[0]})
    }

Required IAM Policy for Lambda Execution Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/rds/techflow-db-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}

CLI Command to Create the Secret:

aws secretsmanager create-secret \
    --name prod/rds/techflow-db \
    --description "RDS PostgreSQL credentials for TechFlow Analytics" \
    --secret-string '{
        "username": "admin",
        "password": "INITIAL_PASSWORD_HERE",
        "engine": "postgres",
        "host": "techflow-db.c9xkjy1z2k3f.us-east-1.rds.amazonaws.com",
        "port": 5432,
        "dbname": "analytics"
    }' \
    --kms-key-id alias/aws/secretsmanager

# Enable automatic rotation (30-day interval)
aws secretsmanager rotate-secret \
    --secret-id prod/rds/techflow-db \
    --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRDSPostgreSQLRotation \
    --rotation-rules AutomaticallyAfterDays=30

The Comparative Analysis
#

Option API Complexity Rotation Implementation Management Overhead Production Readiness
A) Parameter Store Low (get_parameter API) Manual - Must write Lambda function, EventBridge rule, RDS password update logic High - Build and maintain custom rotation system ❌ Not suitable for rotating credentials
B) Environment Variables Very Low (built-in env vars) Custom - Second Lambda + EventBridge + Function update Very High - Deployment coupling, race conditions ❌ Poor security posture, deployment overhead
C) Secrets Manager (RDS) Low (get_secret_value API) Fully Managed - AWS-provided rotation Lambda, zero custom code Minimal - One-time setup, AWS handles rotation Enterprise-grade, zero-downtime rotation
D) DynamoDB Custom Medium (DynamoDB + KMS APIs) Fully Custom - Build entire system from scratch Maximum - Custom implementation of all components ❌ Reinventing the wheel, high maintenance cost

Developer Efficiency Metrics:

Solution Lines of Code Required Services to Monitor MTTR for Rotation Failures
Parameter Store ~150 (rotation function) 3 (SSM, Lambda, EventBridge) Hours (manual debugging)
Environment Variables ~200 (rotation + updates) 4 (Lambda x2, EventBridge, RDS) Hours (complex rollback)
Secrets Manager ~30 (connection only) 1 (Secrets Manager) Minutes (AWS support)
DynamoDB Custom ~300+ (full implementation) 5+ (DynamoDB, Lambda, EventBridge, KMS, RDS) Days (custom debugging)

Real-World Application (Developer Insight)
#

Exam Rule
#

“For the DVA-C02 exam, when you see RDS credentials + automatic rotation + Lambda integration, always choose Secrets Manager with RDS-specific secret type. The keywords ‘LEAST management overhead’ signal that AWS wants the managed service, not custom code.”

Real World
#

“In production at scale, we implement additional optimizations:

  1. Caching Layer: Use the AWS Secrets Manager Caching Library to avoid API calls on every invocation:
from aws_secretsmanager_caching import SecretCache

cache = SecretCache()
secret = cache.get_secret_value('prod/rds/techflow-db')

  1. Connection Pooling: Combine Secrets Manager with RDS Proxy to maintain persistent database connections and handle credential rotation transparently.

  2. Multi-Region Strategy: Replicate secrets across regions for disaster recovery:

aws secretsmanager replicate-secret-to-regions \
    --secret-id prod/rds/techflow-db \
    --add-replica-regions Region=us-west-2
  1. Monitoring: Set up CloudWatch alarms for failed rotation attempts:
aws cloudwatch put-metric-alarm \
    --alarm-name secrets-rotation-failure \
    --metric-name RotationFailed \
    --namespace AWS/SecretsManager \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanThreshold

The exam tests your knowledge of AWS-managed features. Production adds operational excellence layers on top.”

Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam. Always refer to the official AWS documentation and hands-on practice for the most current service capabilities.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.