DVA-C02 Exam Dumps : AWS Certified Developer - Associate

AWS Secrets Manager is purpose-built for securely storing and managing sensitive information such as API keys, tokens, and credentials. It provides automatic secret rotation , fine-grained IAM access control, encryption at rest using AWS KMS, and audit logging through AWS CloudTrail. This makes it the most secure and scalable option for managing short-lived authentication keys.

AWS Lambda extensions enable efficient secret retrieval by caching secrets locally within the execution environment. This reduces repeated calls to Secrets Manager on every invocation, improving performance and lowering costs while maintaining up-to-date credentials. AWS documentation explicitly recommends using Lambda extensions or caching logic for secrets that are frequently accessed.

Storing secrets in S3 (Option B) or environment variables (Option C) lacks built-in rotation and increases exposure risk. Parameter Store (Option D) supports encryption but does not provide native rotation for secrets without custom automation, making it less suitable for this use case.

Therefore, Secrets Manager with Lambda extensions provides the most secure, automated, and operationally efficient solution.

The simplest and most efficient way to avoid hardcoding configuration such as a DynamoDB table name is to use Lambda environment variables. Environment variables are designed for runtime configuration and allow changing values without updating application code logic. The developer can store the table name in an environment variable (for example, TABLE_NAME) and read it from the runtime environment using the standard language method (such as os.environ in Python, process.env in Node.js, etc.).

This approach has very low operational overhead: updating the table name becomes a configuration change (in the Lambda console, IaC templates, or CI/CD pipeline) rather than a code change. It also keeps deployment packages stable and avoids unnecessary dependencies.

Option B is not suitable because /tmp is ephemeral storage that can be cleared between invocations and is not intended for configuration management.

Option C is heavier than necessary. Lambda layers are great for shared libraries and dependencies, but using a layer to store a single changing table name is awkward and forces a layer update and function reconfiguration when the value changes.

Option D does not solve the problem because a global variable is still set in the code. If the table name changes, the code must still be modified and redeployed.

Therefore, storing the table name in a Lambda environment variable is the most efficient solution.

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn ' t provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies