Question 118 of 1,616
SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is a policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint. This is the only option that satisfies the principle of least privilege for AWS Secrets Manager Lambda VPC access because it limits the action to exactly what the function needs—reading a single secret—while using the aws:SourceVpce condition key to ensure the request originates only from the VPC endpoint the Lambda function uses, not from any other network path. On the AWS Certified Developer Associate DVA-C02 exam, this scenario tests your understanding of combining resource-level ARN scoping with VPC endpoint conditions to enforce network-boundary security, a common trap being that many candidates forget the condition key and just grant wildcard access. Remember the mnemonic: “Get the secret, lock the endpoint”—always pair GetSecretValue with SourceVpce for VPC-based Lambda functions.

DVA-C02 Security Practice Question

This DVA-C02 practice question tests your understanding of security. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "minimum / minimize"

    Why it matters: Asks for the least resource use — fewest addresses, smallest subnet, lowest overhead. Eliminate over-provisioned options even if they would technically work.

Question 1hardmultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint

Option A is correct because it grants the minimum required permission (secretsmanager:GetSecretValue) scoped to the specific secret ARN, and uses the aws:SourceVpce condition key to restrict access to the VPC endpoint used by the Lambda function. This ensures that only requests originating from the specified VPC endpoint can retrieve the secret, aligning with the principle of least privilege and the requirement that the Lambda function runs in a VPC.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint

    Why this is correct

    Correct. This provides least privilege and restricts access to requests coming through the VPC endpoint.

    Clue confirmation

    The clue word "minimum / minimize" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A policy that grants secretsmanager:GetSecretValue for all secrets in the account

    Why it's wrong here

    This violates least privilege by granting access to all secrets.

  • A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for aws:SourceIp

    Why it's wrong here

    The source IP for a Lambda function in a VPC is a private IP, which is not effective for restricting access via condition keys.

  • A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for ec2:Vpc

    Why it's wrong here

    The ec2:Vpc condition key is not defined for Secrets Manager; the correct condition key for VPC endpoints is aws:SourceVpce.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse aws:SourceIp with VPC-based access control, not realizing that Lambda functions in a VPC use private IPs and require VPC endpoint conditions (aws:SourceVpce or aws:SourceVpc) instead of IP-based conditions.

Detailed technical explanation

How to think about this question

When a Lambda function runs in a VPC, it accesses Secrets Manager through a VPC endpoint (powered by AWS PrivateLink). The aws:SourceVpce condition key checks the VPC endpoint ID from which the request originates, ensuring that only traffic through that specific endpoint can retrieve the secret. This is more secure than using aws:SourceIp because Lambda functions in a VPC use private IPs that are not visible to Secrets Manager; the VPC endpoint acts as a proxy, so the source IP is the endpoint's private IP, which is not a reliable identifier for the Lambda function itself.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DVA-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DVA-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DVA-C02 question test?

Security — This question tests Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint — Option A is correct because it grants the minimum required permission (secretsmanager:GetSecretValue) scoped to the specific secret ARN, and uses the aws:SourceVpce condition key to restrict access to the VPC endpoint used by the Lambda function. This ensures that only requests originating from the specified VPC endpoint can retrieve the secret, aligning with the principle of least privilege and the requirement that the Lambda function runs in a VPC.

What should I do if I get this DVA-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "minimum / minimize". Asks for the least resource use — fewest addresses, smallest subnet, lowest overhead. Eliminate over-provisioned options even if they would technically work.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on DVA-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?

easy
  • A.AWS Secrets Manager
  • B.AWS CloudFormation
  • C.Amazon DynamoDB with encryption at rest
  • D.AWS Systems Manager Parameter Store

Why A: AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as API keys, database credentials, and OAuth tokens at runtime. It integrates natively with AWS Lambda via the AWS SDK, allowing developers to fetch secrets with minimal latency and without hardcoding sensitive values in code. Secrets Manager also supports automatic rotation of secrets using built-in or custom Lambda functions, which is critical for maintaining security compliance.

Variation 2. A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?

hard
  • A.A public NAT gateway only
  • B.An internet gateway attached to the Lambda subnet
  • C.A VPC peering connection to every AWS region
  • D.An interface VPC endpoint for Secrets Manager with appropriate security groups

Why D: An interface VPC endpoint (AWS PrivateLink) for Secrets Manager allows Lambda functions within a VPC to securely retrieve secrets using private IP addresses, without traversing the public internet. This is achieved by creating an elastic network interface in the VPC subnet with a security group that controls access, ensuring traffic stays within the AWS network.

Keep practising

More DVA-C02 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DVA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DVA-C02 exam.