Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

The most secure solution is A because AWS Secrets Manager is purpose-built for storing, retrieving, and managing secrets such as database credentials, API keys, and tokens. In AWS guidance, Secrets Manager is recommended when applications need secure secret storage with controlled access, encryption, and integration with runtime retrieval patterns. By storing the credentials as a secret and passing only the secret ARN through an environment variable, the Lambda function avoids exposing the actual username and password in plaintext configuration.

The AWS Parameters and Secrets Lambda Extension is specifically designed to let Lambda functions retrieve secrets securely at invocation time. This reduces the risk of accidental exposure in code, deployment artifacts, or function configuration. Secrets Manager also supports automatic rotation , which is a major security advantage for database credentials and is one of the main reasons AWS recommends it over hardcoded or manually managed values.

Option B is incorrect because base64 is only encoding, not encryption, and embedding credentials in source code is insecure. Option C is less appropriate because a string type parameter in Systems Manager Parameter Store is not the secure choice for sensitive credentials; secure storage there would require SecureString , but even then Secrets Manager is the stronger AWS-recommended service for database secrets. Option D only masks values in CloudFormation outputs and logs with NoEcho ; it does not provide secure runtime secret retrieval or secret lifecycle management.

Therefore, A is the best and most secure answer according to AWS security best practices for Lambda applications handling database credentials.

Amazon API Gateway supports canary deployments , which are designed specifically for controlled production rollouts. Canary deployments allow a developer to direct a configurable percentage of traffic to a new deployment while the remainder continues to use the existing deployment.

AWS documentation states that canary releases help minimize customer impact by exposing only a subset of users to potential issues. Because the routing is request-based , individual users are less likely to encounter inconsistent behavior across multiple requests.

Route 53 weighted routing (Option B) operates at the DNS level and can result in users being routed unpredictably due to DNS caching. An Application Load Balancer (Option C) is not supported as a direct frontend for API Gateway stages and adds unnecessary complexity. Option A lacks traffic control guarantees.

Therefore, configuring a canary deployment on the production stage is the AWS-recommended and lowest-risk approach.

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.