Q36 — AWS DVA-C02 Ch.2


A developer manages an application that uses AWS Secrets Manager to store secrets. The application uses rotating secrets. The developer needs to identify which secrets are still in active use and wants to avoid any application downtime. What should the developer do to meet these requirements?

Correct Answer: B. Create a secretsmanager-secret-unused AWS Config managed rule. Create an Amazon EventBridge rule to trigger notifications when the AWS Config managed rule evaluates to true.

Explanation

Option B uses the secretsmanager-secret-unused AWS Config managed rule (managed-rule identifier SECRETSMANAGER_SECRET_UNUSED). The rule marks a secret NON_COMPLIANT when it has not been accessed for longer than its unusedForDays parameter (default 90 days). It evaluates the secret's LastAccessedDate metadata, which Secrets Manager records per Region whenever the secret value is retrieved, so no CloudTrail querying or application instrumentation is needed. An Amazon EventBridge rule that matches Config's "Config Rules Compliance Change" events with a NON_COMPLIANT result then notifies the developer. Because the finding is a notification rather than an automatic deletion, the developer can confirm a secret is truly idle before removing it, and should delete it with the standard recovery window (DeleteSecret with RecoveryWindowInDays, 7 to 30 days) rather than ForceDeleteWithoutRecovery, so a secret an application still needs can be restored without downtime. Options A, C, and D either lack precision (A, D), introduce risk (C), or require instrumentation overhead, which makes B the safest and most automated approach.
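The following is an added worked example, not code from the exam page or from AWS. It builds the two API request bodies the answer describes (the Config managed rule for config.put_config_rule and the EventBridge event pattern for events.put_rule), re-implements the rule's "unused for N days" evaluation locally over constructed list_secrets-style records, and checks that a sample compliance-change event matches the pattern. The rule name, the sample secrets, the sample event and the handling of secrets that have never been read (measured from CreatedDate) are assumptions made for the example; it runs offline and makes no AWS calls.

```python
"""Added example (not from the exam page or AWS): deploying the
SECRETSMANAGER_SECRET_UNUSED Config rule, routing its NON_COMPLIANT
results through EventBridge, and evaluating the same check locally.
All sample data below is constructed; nothing here calls AWS."""
import json
from datetime import datetime, timedelta, timezone

CONFIG_RULE_NAME = "secretsmanager-secret-unused"  # assumed name; any name works


def build_config_rule(unused_for_days: int = 90) -> dict:
    """Body for config.put_config_rule(ConfigRule=...).  SECRETSMANAGER_SECRET_UNUSED
    is the managed-rule identifier; unusedForDays is its parameter (default 90)."""
    return {
        "ConfigRuleName": CONFIG_RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "SECRETSMANAGER_SECRET_UNUSED"},
        "InputParameters": json.dumps({"unusedForDays": str(unused_for_days)}),
    }


def build_event_pattern(rule_name: str = CONFIG_RULE_NAME) -> dict:
    """Pattern for events.put_rule(EventPattern=json.dumps(...)).  Config publishes
    'Config Rules Compliance Change' events on source 'aws.config'; we only want
    the ones where this rule recorded a NON_COMPLIANT (unused) result."""
    return {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "configRuleName": [rule_name],
            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        },
    }


def event_matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge matcher for exact-value patterns: each pattern key must
    exist in the event, nested dicts recurse, and a leaf value must be one of
    the listed literals.  Enough to validate build_event_pattern offline."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def unused_secrets(secrets, now, unused_for_days=90):
    """Local equivalent of the rule's check: a secret is unused when its
    LastAccessedDate (as returned by secretsmanager.list_secrets) is older than
    the threshold.  Assumption for this example: a secret that has never been
    read (no LastAccessedDate) is measured from its CreatedDate instead."""
    cutoff = now - timedelta(days=unused_for_days)
    return [s["Name"] for s in secrets
            if (s.get("LastAccessedDate") or s["CreatedDate"]) < cutoff]


# --- constructed sample data, not real account output -----------------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "CreatedDate": NOW - timedelta(days=400),
     "LastAccessedDate": NOW - timedelta(days=1)},    # read yesterday: in use
    {"Name": "legacy/api-key", "CreatedDate": NOW - timedelta(days=400),
     "LastAccessedDate": NOW - timedelta(days=120)},  # idle 120 days: unused
    {"Name": "new/service-token", "CreatedDate": NOW - timedelta(days=5)},  # never read, but new
]

# Trimmed shape of the event Config emits when a resource flips to NON_COMPLIANT
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceType": "AWS::SecretsManager::Secret",
        "resourceId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:legacy/api-key-AbCdEf",
        "configRuleName": CONFIG_RULE_NAME,
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_config_rule(), indent=2))
    print("unused:", unused_secrets(SAMPLE_SECRETS, NOW))                  # ['legacy/api-key']
    print("matches:", event_matches(build_event_pattern(), SAMPLE_EVENT))  # True
```

The notification is the point: the EventBridge target (an SNS topic, for instance) tells a human which secret went idle, and deletion stays a deliberate step that should use DeleteSecret's recovery window so a mistaken removal can be undone without an outage.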