DVA-C02 Exam Dumps : AWS Certified Developer - Associate

DynamoDB already supports encryption at rest by default (with AWS owned keys or AWS managed/customer managed KMS keys). However, the requirement here is stronger and explicit: patient data must be encrypted before it is stored in DynamoDB, meaning the encryption must occur client-side / application-side so that the data remains encrypted as it traverses the stack and is still encrypted when written to the table. This is often required for highly sensitive PII/PHI where administrators or downstream systems should not see plaintext.

Option A meets this requirement by encrypting the payload inside the Lambda function before making the PutItem call to DynamoDB, using KMS-backed envelope encryption via the AWS Encryption SDK (the option names it “Database Encryption SDK,” but the intent is client-side encryption). The encrypted fields remain ciphertext in transit to DynamoDB and at rest inside DynamoDB, satisfying both “in transit” and “at rest” with encryption happening prior to storage.

Option B only ensures DynamoDB encryption at rest at the service level, but the data would still be plaintext in the item attributes as seen by the application and anyone with DynamoDB read permissions (even though stored encrypted on disk). It does not guarantee “encrypted before stored.”

Option C encrypting after the write via streams is too late: plaintext would already be stored (and potentially accessed) before post-processing.

Option D adds unnecessary workflow complexity. Encrypting in a queue still requires encryption before DynamoDB, but it does not inherently simplify compared to encrypting directly in the Lambda that writes to DynamoDB.

Therefore, client-side encryption in Lambda using KMS-backed encryption is the correct solution.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

AWS CodeBuild integrates natively with AWS Secrets Manager , allowing secrets to be securely injected into build environments without being exposed in logs. When referenced using the secrets-manager mapping in the env section of buildspec.yml, CodeBuild automatically retrieves and decrypts the secret at runtime.

AWS documentation states that Secrets Manager provides encryption at rest using AWS KMS, fine-grained IAM access control, and automatic rotation support. Secrets retrieved this way are masked in build logs by default, satisfying the requirement that secrets do not appear in logs.

Parameter Store (Option C) can store encrypted values, but Secrets Manager is AWS’s preferred service for managing secrets, especially when rotation and auditing are required. Options B and D introduce unnecessary steps and higher operational overhead.

Therefore, Secrets Manager with CodeBuild environment variables is the most secure and operationally efficient solution.