Examice

Exam DVA-C02 All QuestionsBrowse all questions from this exam

Question 1

A company is implementing an application on Amazon EC2 instances. The application needs to process incoming transactions. When the application detects a transaction that is not valid, the application must send a chat message to the company's support team. To send the message, the application needs to retrieve the access token to authenticate by using the chat API.

A developer needs to implement a solution to store the access token. The access token must be encrypted at rest and in transit. The access token must also be accessible from other AWS accounts.

Which solution will meet these requirements with the LEAST management overhead?

Use an AWS Systems Manager Parameter Store SecureString parameter that uses an AWS Key Management Service (AWS KMS) AWS managed key to store the access token. Add a resource-based policy to the parameter to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Parameter Store. Retrieve the token from Parameter Store with the decrypt flag enabled. Use the decrypted access token to send the message to the chat.

Encrypt the access token by using an AWS Key Management Service (AWS KMS) customer managed key. Store the access token in an Amazon DynamoDB table. Update the IAM role of the EC2 instances with permissions to access DynamoDB and AWS KMS. Retrieve the token from DynamoDDecrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.

Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.

Encrypt the access token by using an AWS Key Management Service (AWS KMS) AWS managed key. Store the access token in an Amazon S3 bucket. Add a bucket policy to the S3 bucket to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Amazon S3 and AWS KMS. Retrieve the token from the S3 bucket. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the massage to the chat.

Correct Answer: C

The access token must be stored securely, both at rest and in transit, and it must be accessible from other AWS accounts with minimal management overhead. AWS Secrets Manager is designed specifically for managing secrets like access tokens and provides built-in encryption using AWS KMS. It also supports resource-based policies that allow access from other accounts, which aligns perfectly with the requirement. Additionally, Secrets Manager automates many aspects of secret management, including rotation, which reduces management overhead compared to other services. This makes AWS Secrets Manager the most appropriate choice.

Discussion

UntamablesOption: C

The correct answer is C. https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/ https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html Option A is wrong. It seems to be a good solution. However, AWS managed keys cannot be used for cross account accessing.

CyberBaby803

Based on this AWS managed keys can be used for cross account accessing. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

AgboolaKun

I am not sure if the documentation you provided specifically say that AWS managed keys can be used for cross account accessing. However, @Untamables explanation is on point. Please see this Stack Overflow thread - https://stackoverflow.com/questions/63420732/sharing-an-aws-managed-kms-key-with-another-account

jipark

cross account, rotate is key for 'Security Manager'

watson1780Option: C

C is correct answer ( ibit.ly/AWSCertifiedDeveloperAssociate )

karixi2

I am very happy as I just got my AWS Certified Developer - Associate - Specialty DVA-C02 Exam results today and I passed it with a great score of 90%.

ramzez4815

Is this dump still valid?

certplan

- Option A involves using AWS Systems Manager Parameter Store, which can work but requires additional configuration and doesn't offer some of the benefits tailored for secrets management like automatic rotation. - Option B involves storing the access token in DynamoDB, which is not specifically designed for secrets management, and managing encryption and decryption manually using AWS KMS. - Option D involves using S3, which again is not designed for secrets management, and adds complexity in managing access policies and permissions. Additionally, accessing the token would involve reading from S3, decrypting it, and then using it, which is less straightforward compared to using a service like Secrets Manager.

tsdsmth

The answer would be C if an AWS-managed key was used, as Secrets Manager and KMS are good for situations like this. However, the use of a customer-managed key increases management overhead. So the best answer is D, not C.

Amazon_Dumps_comOption: C

C is Valid ( CCCCCC )

AnandeshOption: C

https://docs.aws.amazon.com/secretsmanager/latest/userguide/data-protection.html https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html

Web_AmazonExamsOption: C

The questions came in my exam.Correct answer is C.

tomchandler077

AWS Secrets Manager (Option C) is designed for exactly this kind of use case, providing built-in functionality for secure storage and retrieval of secrets with minimal management overhead, especially for managing access tokens and cross-account access. Amazon S3 with KMS (Option D), while familiar and powerful, requires more manual work to set up and manage the security aspects, which can lead to increased overhead in comparison to Secrets Manager. Given that the goal is to have the least management overhead, Option C is the best fit because it is purpose-built for managing secrets and automates much of the complexity involved in secure storage and retrieval.

nkroker

C is the correct answer as the Secrets Manager supports resource-based policies, allowing you to grant access to other AWS accounts easily.

NagaoShingoOption: C

C is correct answer.

65703c1Option: C

C is the correct answer.

heshankd

Did the exam, thanks to my experience in AWS I passed the exam, Most of the questions are new, only few questions were from here.

shabeebcoderOption: C

This is the correct answer for lease overhead to manage the secret key

ibratoevOption: C

It is C

SD_CSOption: A

I think this would be A as this is cheaper than C. Any reason why A can not be the answer?

TheFivePips

From what I can find, You can apply resource-based policies at the Parameter Store level to control access to the entire Parameter Store service. However, you cannot apply resource-based policies directly to individual parameters within the Parameter Store. That is seemingly the only reason I would choose C over A. But were also not looking for whats cheapest, were looking for whats easiest to manage

gilleep_17

You cannot use a resource-based policy with a parameter in the Parameter Store. The stephen answser Option C is correct Practise paper3