Question 317 of 1,040
Design Secure ArchitecturesmediumMultiple ChoiceObjective-mapped

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of design secure architectures. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A team runs an application on Amazon EC2 that connects to an Aurora database. The database password must rotate automatically every 30 days, and the application should retrieve the current secret at runtime using an IAM role. Which AWS service is the best fit?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

AWS Secrets Manager with rotation enabled.

AWS Secrets Manager is the best fit because it natively supports automatic rotation of database credentials on a schedule (e.g., every 30 days) and integrates directly with Amazon RDS/Aurora to update the password. The application can retrieve the current secret at runtime using an IAM role attached to the EC2 instance, without hardcoding credentials. Secrets Manager also provides built-in secret rotation with Lambda, ensuring zero downtime during password changes.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • AWS Systems Manager Parameter Store standard parameters.

    Why it's wrong here

    Parameter Store is useful for configuration values, but it does not provide built-in secret rotation in the same way.

    When this WOULD be correct

    If the question required storing configuration data (e.g., database endpoint, port) without rotation, or if the application needed to retrieve parameters at runtime without automatic rotation, Parameter Store would be appropriate.

  • AWS Secrets Manager with rotation enabled.

    Why this is correct

    Secrets Manager is designed for secure secret storage with built-in rotation support and fine-grained access through IAM. In this case, the application can retrieve the current database credentials at runtime with its EC2 role, while the secret is rotated on a schedule without embedding passwords in code. This reduces operational risk, improves auditability, and avoids manual password changes that often cause outages.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • AWS KMS, because KMS stores credentials and rotates them automatically.

    Why it's wrong here

    KMS protects encryption keys, but it is not a general secret store for application database credentials.

    When this WOULD be correct

    A question asks which service should be used to encrypt data at rest for an application that stores sensitive files in Amazon S3, with requirements for automatic key rotation and centralized key management. AWS KMS would be the correct answer.

  • Amazon S3 with server-side encryption and versioning.

    Why it's wrong here

    S3 can store files securely, but it is not the right service for application secret retrieval and automatic rotation.

    When this WOULD be correct

    An application needs to store and retrieve large configuration files (e.g., database connection strings) with versioning and encryption, but does not require automatic rotation or IAM-based access; S3 with SSE and versioning would be appropriate.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The SAA-C03 exam frequently reuses these exact scenarios with slightly different constraints.

AWS Secrets Manager with rotation enabled.Correct answer

Why this is correct

Secrets Manager is designed for secure secret storage with built-in rotation support and fine-grained access through IAM. In this case, the application can retrieve the current database credentials at runtime with its EC2 role, while the secret is rotated on a schedule without embedding passwords in code. This reduces operational risk, improves auditability, and avoids manual password changes that often cause outages.

AWS Systems Manager Parameter Store standard parameters.Wrong answer — click to see why

Why this is wrong here

Systems Manager Parameter Store standard parameters do not support automatic rotation of secrets; they require manual updates or custom automation, whereas the question mandates automatic rotation every 30 days.

★ When this WOULD be the correct answer

If the question required storing configuration data (e.g., database endpoint, port) without rotation, or if the application needed to retrieve parameters at runtime without automatic rotation, Parameter Store would be appropriate.

Why candidates choose this

Candidates may confuse Parameter Store with Secrets Manager because both can store secrets securely, but they overlook that Parameter Store lacks built-in rotation capabilities.

AWS KMS, because KMS stores credentials and rotates them automatically.Wrong answer — click to see why

Why this is wrong here

AWS KMS is a key management service for encryption keys, not a service for storing or rotating database passwords. It does not provide automatic rotation of secrets or direct retrieval by applications via IAM roles.

★ When this WOULD be the correct answer

A question asks which service should be used to encrypt data at rest for an application that stores sensitive files in Amazon S3, with requirements for automatic key rotation and centralized key management. AWS KMS would be the correct answer.

Why candidates choose this

Candidates may confuse KMS's key rotation capability with secret rotation, or mistakenly think KMS can store credentials because it manages encryption keys that protect secrets.

Amazon S3 with server-side encryption and versioning.Wrong answer — click to see why

Why this is wrong here

Amazon S3 with server-side encryption and versioning does not provide automatic password rotation or native integration with IAM roles for runtime secret retrieval; it is designed for object storage, not dynamic secrets management.

★ When this WOULD be the correct answer

An application needs to store and retrieve large configuration files (e.g., database connection strings) with versioning and encryption, but does not require automatic rotation or IAM-based access; S3 with SSE and versioning would be appropriate.

Why candidates choose this

Candidates may think S3 can store any data securely and versioning provides a form of rotation, overlooking that Secrets Manager is purpose-built for managing secrets with rotation and IAM integration.

Analysis generated from the official SAA-C03blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, or incorrectly assume KMS can store and rotate credentials because it handles encryption keys.

Detailed technical explanation

How to think about this question

Secrets Manager uses an AWS Lambda function (provided or custom) to perform the actual rotation, which updates the password in both the Aurora database and the secret store atomically. The rotation process follows a four-phase state machine (create secret, set secret, test secret, finish secret) to ensure the application always has a valid credential during the transition. The IAM role attached to the EC2 instance must have a policy granting `secretsmanager:GetSecretValue` for the specific secret ARN, and the secret's resource-based policy must allow the role to access it.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Quick reference

Cloud Service Model Comparison

ModelYou ManageProvider ManagesExamples
IaaSOS, runtime, apps, dataHardware, hypervisor, networkingEC2, Azure VMs, GCP Compute Engine
PaaSApps and dataOS, runtime, middleware, hardwareElastic Beanstalk, Azure App Service
SaaSData and settings onlyEverything elseMicrosoft 365, Salesforce, Workday
FaaS / ServerlessFunction code onlyInfra, scaling, runtimeLambda, Azure Functions, Cloud Run
CaaSContainers and appsKubernetes, OS, hardwareEKS, AKS, GKE

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SAA-C03 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SAA-C03 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Design Secure Architectures — This question tests Design Secure Architectures — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: AWS Secrets Manager with rotation enabled. — AWS Secrets Manager is the best fit because it natively supports automatic rotation of database credentials on a schedule (e.g., every 30 days) and integrates directly with Amazon RDS/Aurora to update the password. The application can retrieve the current secret at runtime using an IAM role attached to the EC2 instance, without hardcoding credentials. Secrets Manager also provides built-in secret rotation with Lambda, ensuring zero downtime during password changes.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More SAA-C03 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.