Amazon Web Services Updated DVA-C02 Exam Questions and Answers by blanka

“Encryption in transit” means the connection between the client (EC2 instances) and Amazon S3 must use TLS/HTTPS , not plain HTTP. The most direct way to enforce this at the bucket level is an S3 bucket policy that denies any request that is not using secure transport. AWS provides the global condition key aws:SecureTransport , which evaluates to true when a request is made over HTTPS and false when made over HTTP.

By adding an explicit Deny statement conditioned on aws:SecureTransport = false, the bucket rejects any insecure requests regardless of who makes them. This ensures that even if an application is misconfigured (or a user tries to access the bucket over HTTP), S3 will refuse the request. This is a strong enforcement mechanism because explicit denies in IAM policies override allows.

Option C (SSE-KMS) provides encryption at rest , not in transit. It protects objects while stored in S3 but does not force clients to use TLS for transport. Option B (VPC endpoint) can keep traffic on the AWS network path and can be combined with endpoint policies, but it does not inherently guarantee TLS usage unless you also enforce HTTPS. Option A (installing certificates) is not the mechanism for controlling whether the application uses HTTPS to S3; the S3 client uses AWS-managed TLS endpoints, and enforcement should happen through policy.

Therefore, the correct solution is D : create an S3 bucket policy that denies requests when aws:SecureTransport is false, ensuring all access uses encrypted transport (HTTPS/TLS).

Requirement Summary:

Lambda function accesses RDS for MySQL

Credentials are currently hardcoded in code (insecure)

Must enable automated credential rotation every 30 days

Option A: Use AWS Secrets Manager + automatic rotation

Best and secure option

Secrets Manager allows:

Secure storage of secrets

Integration with RDS for automatic rotation

Scheduled rotation every X days (e.g., 30 days)

Lambda can fetch credentials via SDK (GetSecretValue)

Option B: Use SSM Parameter Store + rotation

SSM does not support automatic rotation of secrets.

You ' d need to build custom rotation logic = higher operational overhead.

Option C: Encrypted S3 + Object Lambda rotation

Not intended for credential storage.

S3 is not a secrets management system, and Object Lambda does not perform rotation.

Option D: SSM + EventBridge rotation

No native integration between Parameter Store and EventBridge for secret rotation.

You’d need to build custom Lambda functions = higher maintenance.

Secrets Manager rotation for RDS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Secure retrieval in Lambda: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

Integration with RDS MySQL: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_rds_config.html

This solution meets the requirements in the most secure way because it uses a service that is integrated with CloudFormation to manage sensitive data in encrypted form. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store sensitive data as secure string parameters, which are encrypted using an AWS Key Management Service (AWS KMS) key of your choice. You can also use dynamic references in your CloudFormation templates to specify template values that are stored in Parameter Store or Secrets Manager without having to include them in your templates. Dynamic references are resolved only during stack creation or update operations, which reduces exposure risks for sensitive data. Putting sensitive data into a CloudFormation parameter will not encrypt them or protect them from unauthorized access. Putting sensitive data into an Amazon S3 bucket or Amazon Elastic File System (Amazon EFS) will require additional configuration and integration with CloudFormation and may not provide fine-grained access control or encryption for sensitive data.