Q99 — AWS DVA-C02 Ch.1
A company runs an application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances run in an Auto Scaling group across multiple Availability Zones. The application requires retrieving application secrets during startup and exporting them as environment variables. These secrets must be encrypted at rest and rotated monthly. Which solution meets these requirements with the least development effort?
- A. Store secrets in a text file and store the file in Amazon S3. Provide a custom managed key. Use that key to encrypt the secrets in Amazon S3. Read the file contents and export them as environment variables. Configure S3 Object Lambda to rotate the text file monthly.
- B. Store secrets as strings in AWS Systems Manager Parameter Store using the default AWS Key Management Service (AWS KMS) key. Configure an Amazon EC2 user data script to retrieve the secrets during launch and export them as environment variables. Configure an AWS Lambda function to rotate the secrets in Parameter Store monthly.
- C. Store secrets as Base64-encoded environment variables in the application properties. Retrieve the secrets during application startup. Reference these secrets in the application code. Write a script to rotate the environment-variable-stored secrets.
- D. Store secrets in AWS Secrets Manager. Provide a new customer master key. Use that key to encrypt the secrets. Enable automatic rotation. Configure an Amazon EC2 user data script to programmatically retrieve the secrets during launch and export them as environment variables. ✓
Correct Answer: D. Store secrets in AWS Secrets Manager. Provide a new customer master key. Use that key to encrypt the secrets. Enable automatic rotation. Configure an Amazon EC2 user data script to programmatically retrieve the secrets during launch and export them as environment variables.
Explanation
Option D meets all three requirements with the least custom work. AWS Secrets Manager always encrypts secret values at rest with AWS KMS, either the AWS managed key or the customer managed key you specify (the option's "customer master key" is the older name for a customer managed key). Rotation is a built-in feature: for supported database credentials (Amazon RDS, Amazon Redshift, Amazon DocumentDB) Secrets Manager provides managed rotation with no code, and for other secret types it invokes a rotation Lambda function that you create from the AWS-supplied templates, so the monthly schedule is configured rather than scripted. An Amazon EC2 user data script that calls GetSecretValue through the instance profile's IAM role and exports the values as environment variables is a few lines of code, and each instance the Auto Scaling group launches picks up the current secret version automatically.

The other options all push rotation back onto the team. Option A requires custom code to read and decrypt the file, and S3 Object Lambda transforms objects on retrieval; it is not a rotation mechanism. Option B is close, but Parameter Store has no native rotation, so the team must write and maintain the rotation Lambda function (and only SecureString parameters are encrypted with KMS; plain String parameters are not). Option C is the weakest: Base64 is an encoding, not encryption, so the secrets are not encrypted at rest, and rotation is a hand-written script.

Two practical caveats for the user data step in option D: grant the instance role secretsmanager:GetSecretValue on the specific secret ARN (plus kms:Decrypt on the key if it is customer managed), and do not echo the retrieved values, because user data output is written to the instance's cloud-init log. Note also that user data runs once at first boot by default, so an instance that is already running does not see a rotated value until the application re-fetches it or the instance is replaced (for example with an Auto Scaling instance refresh).
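The retrieval step in option D, as an added example that is not part of the exam page or of any AWS sample. It assumes a hypothetical secret named prod/app/config whose SecretString is a flat JSON object, an instance profile that allows GetSecretValue on it, and the AWS CLI v2 being installed (it is on Amazon Linux AMIs). Rather than exporting variables in the user data shell itself, which vanish when that shell exits, it writes a mode-0600 env file that the application's systemd unit can load with EnvironmentFile=, and it shell-quotes every value so a password containing quotes, spaces or $ cannot break the assignment.

```python
#!/usr/bin/env python3
"""EC2 user data helper: fetch a Secrets Manager secret at launch and
expose it to the application as environment variables.

Added example, not from the exam page. Hypothetical assumptions:
secret id 'prod/app/config' with a flat JSON SecretString, an instance
role with secretsmanager:GetSecretValue on that secret (and kms:Decrypt
on its key if customer managed), and AWS CLI v2 on the instance.
"""
import json
import os
import re
import shlex
import subprocess

SECRET_ID = "prod/app/config"       # assumption: the secret's name or ARN
ENV_FILE = "/etc/app/secrets.env"   # assumption: read via EnvironmentFile= in the unit

# POSIX environment variable names: letters, digits, underscore, no leading digit.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def fetch_secret_string(secret_id):
    """Return the SecretString via the AWS CLI (needs network and IAM).

    Output is captured, not echoed, so the value never reaches the
    cloud-init log. '--query SecretString --output text' prints the raw
    string exactly as stored.
    """
    result = subprocess.run(
        ["aws", "secretsmanager", "get-secret-value",
         "--secret-id", secret_id,
         "--query", "SecretString", "--output", "text"],
        check=True, capture_output=True, text=True)
    return result.stdout.strip()


def secret_to_env_lines(secret_string, prefix=""):
    """Convert a flat JSON SecretString into 'export NAME=value' lines.

    Keys are upper-cased and validated as environment variable names;
    non-string JSON values are re-serialised; every value is passed
    through shlex.quote so it is a single shell word when sourced.
    Raises ValueError on a non-object document or an unusable key.
    """
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object")
    lines = []
    for key, value in sorted(data.items()):
        name = (prefix + key).upper()
        if not ENV_NAME.match(name):
            raise ValueError(f"secret key {key!r} is not a valid env var name")
        if not isinstance(value, str):
            value = json.dumps(value)
        lines.append(f"export {name}={shlex.quote(value)}")
    return lines


def write_env_file(lines, path=ENV_FILE):
    """Create the env file with mode 0600 before any secret byte is written."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Run once at launch; the application unit loads ENV_FILE afterwards.
    write_env_file(secret_to_env_lines(fetch_secret_string(SECRET_ID)))
```

Because the env file is written before the application starts, a restart of the service (or a replacement instance from the Auto Scaling group) is what picks up a rotated value; the script itself does not poll Secrets Manager.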