Ace Your DVA-C02 AWS Certified Associate Exam

Requirement Summary:

Lambda function accesses RDS for MySQL

Credentials are currently hardcoded in code (insecure)

Must enable automated credential rotation every 30 days

Option A: Use AWS Secrets Manager + automatic rotation

Best and secure option

Secrets Manager allows:

Secure storage of secrets

Integration with RDS for automatic rotation

Scheduled rotation every X days (e.g., 30 days)

Lambda can fetch credentials via SDK (GetSecretValue)

Option B: Use SSM Parameter Store + rotation

SSM does not support automatic rotation of secrets.

You ' d need to build custom rotation logic = higher operational overhead.

Option C: Encrypted S3 + Object Lambda rotation

Not intended for credential storage.

S3 is not a secrets management system, and Object Lambda does not perform rotation.

Option D: SSM + EventBridge rotation

No native integration between Parameter Store and EventBridge for secret rotation.

You’d need to build custom Lambda functions = higher maintenance.

Secrets Manager rotation for RDS:

Secure retrieval in Lambda:

Integration with RDS MySQL:

API Gateway Stages: Stages in API Gateway represent distinct environments (like PROD and DEV) allowing different configurations.

Stage Variables: Stage variables store environment-specific information, including Lambda function aliases.

Ease of Management: This solution offers a straightforward way to manage different Lambda function versions across environments.

Step Functions Retriers: Retriers provide a built-in way to gracefully handle transient errors within State Machines. Here ' s how to use them:

Directly attach a retrier to the problematic ' GetResource ' task.

Configure the retrier:

ErrorEquals: Set this to [ ' TooManyRequestsException ' ] to target the specific error.

IntervalSeconds: Set to 10 for the desired retry delay.

MaxAttempts: Set to 1, as you want only one retry attempt.

Error Handling:

Upon ' TooManyRequestsException ' , the retrier triggers the task again after 10 seconds.

On a second failure, Step Functions moves to the next state or fails the workflow, as per your design.

' IllegalArgumentException ' causes error propagation as intended.

Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption , ensuring that only authorized application components that possess the private key can decrypt the data.

This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.

Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.

Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available. Option D only secures transport and access control and does not encrypt individual data fields.

Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.