Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 154 discussion

A developer maintains applications that store several secrets in AWS Secrets Manager. The applications use secrets that have changed over time. The developer needs to identify required secrets that are still in use. The developer does not want to cause any application downtime.

What should the developer do to meet these requirements?

  • A. Configure an AWS CloudTrail log file delivery to an Amazon S3 bucket. Create an Amazon CloudWatch alarm for the GetSecretValue Secrets Manager API operation requests.
  • B. Create a secretsmanager-secret-unused AWS Config managed rule. Create an Amazon EventBridge rule to initiate notifications when the AWS Config managed rule is met.
  • C. Deactivate the applications' secrets and monitor the applications' error logs temporarily.
  • D. Configure AWS X-Ray for the applications. Create a sampling rule to match the GetSecretValue Secrets Manager API operation requests.
Suggested Answer: B

Comments

chris_777
Highly Voted 1 year, 5 months ago
Selected Answer: B
I think B is correct: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-unused.html
A. could work but requires additional work to identify unused secrets.
C. is too risky and could cause downtime.
D. not the right use case
upvoted 7 times
...
9d8dd9c
Most Recent 6 months ago
With option A, if you want to know what secrets are not used anymore for the past 90 days, then you need to wait 90 days, get a list of the ones that are used then minus this from the total list... but option B returns the unused list for the last 90 days directly
upvoted 1 times
...
MasoudK
6 months, 3 weeks ago
source copilot: Why Option A is Better:
1. Real-Time Monitoring: By using CloudTrail and CloudWatch, you can monitor GetSecretValue API calls in real-time, providing immediate insights into which secrets are being accessed.
2. Detailed Logging: CloudTrail logs provide detailed information about each API call, including the source IP, user, and timestamp, which can help identify the specific applications or instances accessing the secrets.
3. Customizable Alerts: CloudWatch alarms can be configured to trigger notifications based on specific patterns or thresholds, offering more flexibility and control over monitoring.
upvoted 1 times
...
MasoudK
6 months, 3 weeks ago
Why Option B Might Not Be the Best Choice:
1. Rule Limitation: The secretsmanager-secret-unused AWS Config managed rule checks if a secret has not been retrieved for a specified period. However, it might not provide real-time insights into which secrets are currently in use.
2. Delayed Detection: This rule might only detect secrets that have not been used for a while, potentially missing secrets that are infrequently accessed but still required.
3. Lack of Granularity: The rule might not provide detailed information about the specific applications or instances accessing the secrets, making it harder to pinpoint which secrets are actively used.
upvoted 1 times
...
65703c1
11 months, 1 week ago
Selected Answer: B
B is the correct answer.
upvoted 1 times
...
KarBiswa
1 year, 2 months ago
Selected Answer: B
We need "secrets that are still in use". "B" secretsmanager-secret-unused returns unused. So we can easily determine the used secrets if it is not falling under this scanner
upvoted 2 times
...
rimaSamir
1 year, 2 months ago
My choice is "A". We need "secrets that are still in use". "B" secretsmanager-secret-unused returns unused.
upvoted 1 times
...
SerialiDr
1 year, 3 months ago
Selected Answer: A
A. Use an AWS Step Functions state machine to monitor API failures. Use the Wait state to delay calling the Lambda function: This is a viable and efficient solution. AWS Step Functions can orchestrate the Lambda function invocations and manage the workflow, including handling API call rate limits. The Wait state can be used to introduce delays between API calls to ensure compliance with the rate limits. This approach also allows for handling errors and retries effectively. B. Use an Amazon Simple Queue Service (Amazon SQS) queue to hold the API calls. Configure the Lambda function to poll the queue within the API threshold limits: While using SQS to queue API call requests is a good way to manage workload, it adds complexity to the solution. The Lambda function would need to be modified to manage the queue and ensure API calls are made within the threshold limits. This approach might not be as straightforward and efficient as using Step Functions.
upvoted 2 times
...
tqiu654
1 year, 4 months ago
Selected Answer: A
ChatGPT:A
upvoted 1 times
...
kaes
1 year, 5 months ago
It's easier to use a built-in solution in AWS Config (check chris_777 answer)
upvoted 1 times
...
kaes
1 year, 5 months ago
Selected Answer: B
It's easier to use a default built-in solution in AWS Config (check chris_777 answer)
upvoted 1 times
...
CrescentShared
1 year, 5 months ago
Selected Answer: A
I think A is a more direct way, while B needs an inference after receiving the notification for 'unused'.
upvoted 1 times
...
LemonGremlin
1 year, 6 months ago
Selected Answer: B
B is correct for this one.
upvoted 1 times
...
dilleman
1 year, 6 months ago
Selected Answer: A
A is correct. AWS CloudTrail can track API calls, including the GetSecretValue call for AWS Secrets Manager. By setting up CloudTrail log delivery to an S3 bucket, the developer can analyze which secrets are being accessed. Using CloudWatch to create an alarm for the GetSecretValue API call provides insight into which secrets are actively being retrieved, thus indicating which secrets are in use.
upvoted 2 times
dilleman
1 year, 6 months ago
I think I change my mind to B. B must be correct.
upvoted 3 times
CrescentShared
1 year, 5 months ago
Why did you change your mind, please? A looks super correct to me.
upvoted 1 times
...
...
...
Digo30sp
1 year, 6 months ago
Selected Answer: B
The correct answer is (B). Solution (B) is the best option to meet the developer's requirements. It allows the developer to identify necessary secrets that are still in use without causing any application downtime.
upvoted 3 times
...
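The two approaches weighed in this thread, as an added example (not part of any comment and not AWS's own code): the first function asks option B's question, "not retrieved in N days", using the LastAccessedDate field that Secrets Manager ListSecrets returns, and the second derives per-secret callers from CloudTrail GetSecretValue records as in option A. All secret names, role names, ARNs and records are constructed, and the 90-day window is an assumption taken from the comments.

```python
from datetime import datetime, timedelta, timezone

UNUSED_FOR_DAYS = 90  # assumption: the 90-day window mentioned in the comments
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

# Constructed sample shaped like entries of a Secrets Manager ListSecrets response.
SECRETS = [
    {"Name": "prod/db/password", "LastAccessedDate": datetime(2024, 5, 30, tzinfo=timezone.utc)},
    {"Name": "prod/legacy/api-key", "LastAccessedDate": datetime(2023, 11, 2, tzinfo=timezone.utc)},
    {"Name": "staging/never-read"},  # field absent: the value was never retrieved
]

def _event(name, time, secret, role):
    """Build a constructed CloudTrail-style record (only the fields used below)."""
    return {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
            "eventTime": time, "requestParameters": {"secretId": secret},
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"}}

EVENTS = [
    _event("GetSecretValue", "2024-05-30T08:15:00Z", "prod/db/password", "orders-app"),
    _event("DescribeSecret", "2024-05-31T10:00:00Z", "prod/legacy/api-key", "audit-tool"),
    _event("GetSecretValue", "2023-11-02T09:00:00Z", "prod/legacy/api-key", "old-batch"),
]

def split_by_last_access(secrets, now=NOW, days=UNUSED_FOR_DAYS):
    """Option B's question: which secrets were not retrieved in the last `days`?"""
    cutoff = now - timedelta(days=days)
    used, unused = [], []
    for s in secrets:
        last = s.get("LastAccessedDate")
        (used if last and last >= cutoff else unused).append(s["Name"])
    return used, unused

def readers_from_cloudtrail(events, now=NOW, days=UNUSED_FOR_DAYS):
    """Option A's view: who called GetSecretValue on each secret inside the window."""
    cutoff = now - timedelta(days=days)
    readers = {}
    for e in events:
        if (e["eventSource"], e["eventName"]) != ("secretsmanager.amazonaws.com", "GetSecretValue"):
            continue  # metadata calls such as DescribeSecret do not prove the value is used
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when >= cutoff:
            readers.setdefault(e["requestParameters"]["secretId"], set()).add(e["userIdentity"]["arn"])
    return readers

if __name__ == "__main__":
    used, unused = split_by_last_access(SECRETS)
    print("still in use:", used, "| candidates for review:", unused)
    print("callers:", readers_from_cloudtrail(EVENTS))
```

Both views agree on which secrets are in use; the CloudTrail view additionally names the calling role, but it only covers the period for which trail data has been retained.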
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted