🗝️ AWS Secrets Manager - SAA-C03 Practice Questions

Secrets Manager manages database credentials, API keys, and secrets. Study automatic rotation, cross-account access, and integration with RDS and Lambda.

6 Questions Available
1 Exam Domain

How Secrets Manager Is Really Tested in SAA-C03

Secrets Manager questions center on secure credential lifecycle management. The exam tests whether secrets are stored, rotated, and accessed in a way that minimizes exposure risk.

SAA-C03 often compares static configuration secrets to managed secret retrieval patterns. Correct answers avoid hardcoded credentials and manual rotation workflows.

Best-practice solutions combine rotation automation, fine-grained access policies, and runtime retrieval by authorized workloads.

Secrets management decisions that frequently drive correct answers

| Decision Point | Option A | Option B | Exam Takeaway |
| --- | --- | --- | --- |
| Credential rotation approach | Automated rotation using Secrets Manager integration patterns | Manual credential updates on long fixed intervals | High-security or compliance scenarios usually expect automated rotation workflows. |
| Application secret access | Runtime retrieval with IAM role-based least-privilege access | Embed secrets in source code, AMIs, or environment files | Hardcoded secrets are typically an immediate red flag in exam options. |
| Cross-account sharing model | Controlled resource policy and IAM permissions for explicit secret consumers | Broad wildcard access for convenience | Sensitive data scenarios reward tightly scoped access paths. |

Database credential governance for multiple workloads

Multiple services need database credentials with periodic rotation and auditable access in a regulated environment.

  • Store credentials in Secrets Manager, not in code or static files.
  • Grant read access only to workload roles that require each secret.
  • Enable automated rotation and test consumer compatibility after rotation.
  • Monitor secret access and policy changes for anomaly detection.

Common Exam Trap: Using one shared credential with no rotation for all services is a common insecure distractor pattern.
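
The checklist above can be turned into an automated check. The following is an added example, not part of the original page: it audits constructed records shaped like Secrets Manager `DescribeSecret` output (with each secret's resource policy attached under a hypothetical `Policy` key) for disabled rotation, long rotation intervals, and wildcard access. The 30-day limit, the secret names, and the role ARN are assumptions.

```python
# Constructed sample records: the fields mirror Secrets Manager DescribeSecret
# output; "Policy" (a name chosen for this example) holds the resource policy.
# In a secret's resource policy, Resource "*" refers to that secret only.
ROLE = "arn:aws:iam::111122223333:role/orders-service"  # placeholder ARN
SECRETS = [
    {"Name": "orders/db", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                               "Action": "secretsmanager:GetSecretValue",
                               "Resource": "*"}]}},
    {"Name": "shared/db", "RotationEnabled": False,
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "secretsmanager:*",
                               "Resource": "*"}]}},
    {"Name": "billing/api-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 365}, "Policy": None},
]


def as_list(value):
    """IAM policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Flag Allow statements that open the secret wider than named consumers."""
    findings = []
    for stmt in as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws) and not stmt.get("Condition"):
            findings.append("wildcard principal without condition")
        if any(a in ("*", "secretsmanager:*") for a in as_list(stmt.get("Action", []))):
            findings.append("wildcard action")
    return findings


def audit(secret, max_days=30):
    """Return governance findings for one secret (max_days is an assumption)."""
    findings = []
    if not secret.get("RotationEnabled"):
        findings.append("rotation disabled")
    elif secret.get("RotationRules", {}).get("AutomaticallyAfterDays", 0) > max_days:
        findings.append("rotation interval too long")
    return findings + policy_findings(secret.get("Policy"))


def report(secrets=SECRETS):
    """Map each secret name to its list of findings."""
    return {s["Name"]: audit(s) for s in secrets}
```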

SAA-C03 Secrets Manager Question Bank (6 Questions)

Browse all 6 practice questions covering AWS Secrets Manager for the SAA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Design Secure Architectures)

    A web application requires database credentials that must rotate automatically every 30 days. The solution must integrate natively with RDS for seamless rotation. Which service provides the best fit?

    A. AWS Systems Manager Parameter Store with custom Lambda rotation.
    B. AWS Secrets Manager with built-in RDS rotation support.
    C. Store encrypted credentials in S3 with Lambda-triggered rotation.
    D. Use IAM Database Authentication to eliminate credential storage.

  2. Question 2 (Design Secure Architectures)

    An application running on EC2 instances retrieves database credentials from AWS Secrets Manager. A new security mandate requires that these credentials be rotated every 30 days automatically, without any manual intervention or application downtime. How can this be achieved?

    A. Write a custom script that runs on a cron schedule on an EC2 instance to change the password in the database and update the secret in Secrets Manager.
    B. Manually update the password in the database and in Secrets Manager every 30 days.
    C. Configure a rotation schedule directly within AWS Secrets Manager using a Lambda function template provided by AWS.
    D. Store the credentials in the application's source code and redeploy the application every 30 days with a new password.

  3. Question 3 (Design Secure Architectures)

    A Lambda function needs to access a database credential stored in Secrets Manager. The security team insists the function cannot decrypt the secret without an explicit permission check that includes the function's deployment tag value. How can you enforce this?

    A. Put the secret ARN in the Lambda environment variable and allow Lambda to call `GetSecretValue` without any additional checks.
    B. Use a KMS key with a key policy that restricts decrypt to principals with a specific tag value, and attach a condition to the Lambda's IAM role that includes `aws:ResourceTag` on the Lambda function. Also enable a Secrets Manager resource policy that requires the source principal tag in the request condition.
    C. Store the secret in plain text in S3 behind an IAM role.
    D. Use an IAM user for the Lambda and rotate credentials manually.

  4. Question 4 (Design Secure Architectures)

    A web application deployed on EC2 instances requires database credentials to access an Amazon Aurora database. A security audit flagged that the credentials are hardcoded in the application source code. The solution must rotate the credentials automatically every 30 days. What should the solutions architect recommend?

    A. Store credentials in AWS Systems Manager Parameter Store as a SecureString. Use a CloudWatch Event to trigger a Lambda function to rotate the password.
    B. Store credentials in AWS Secrets Manager. Configure automatic rotation using the built-in support for Amazon Aurora.
    C. Enable IAM Database Authentication for Aurora. Modify the application to use an IAM role attached to the EC2 instance.
    D. Save the credentials in an encrypted S3 bucket. Update the application to read the file at startup.

  5. Question 5 (Mixed)

    Developers must store API credentials that are required at runtime by AWS Lambda functions. The solution must support automatic rotation without code changes. What should the solutions architect recommend?

    A. Store the credentials in AWS Systems Manager Parameter Store Standard parameters with SDK caching.
    B. Use AWS Secrets Manager with rotation enabled through an AWS Lambda rotation function.
    C. Store the credentials in an encrypted Amazon S3 object and rotate the object manually.
    D. Encrypt the credentials with AWS Key Management Service (AWS KMS) and store them in Lambda environment variables.

  6. Question 6 (Mixed)

    You are storing secrets for an application in AWS Secrets Manager. An EC2 instance needs to retrieve these secrets at launch. How should you grant the instance the necessary permissions?

    A. Store an IAM user's access keys in the EC2 instance's user data.
    B. Attach an IAM role to the EC2 instance with a policy allowing secretsmanager:GetSecretValue.
    C. Create an IAM policy that allows all actions on Secrets Manager and attach it to the instance.
    D. Use the Key Management Service (KMS) to encrypt the secrets.

Key Secrets Manager Concepts for SAA-C03

secrets manager, secret, rotation, credential, api key

SAA-C03 Secrets Manager Exam Tips

AWS Secrets Manager questions in SAA-C03 are typically scenario-based. Focus on architecture trade-offs, resilience, and secure-by-default design choices. Priority concepts: secrets manager, secret, rotation, credential, api key.

What SAA-C03 Expects

  • Anchor your answer in choosing the most reliable and cost-aware architecture pattern, not just a feature match.
  • Secrets Manager scenarios for SAA-C03 are frequently mapped to Domain 1 (30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Secrets Manager interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Secrets Manager Concepts

  • Know the core Secrets Manager building blocks cold: secrets manager, secret, rotation, credential.
  • Review the edge-case features and limits for api key; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Secrets Manager pairs with KMS, IAM, RDS, Parameter Store in real deployment patterns.
  • For SAA-C03, explain why the chosen Secrets Manager design meets reliability, security, and cost expectations better than the alternatives.

Common SAA-C03 Traps

  • Watch for answers that solve today's issue but do not scale across multiple AZs.
  • Questions in Design Secure Architectures often include distractors that look correct for Secrets Manager but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Secrets Manager implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Secure Architectures (30%) outcomes for SAA-C03?
  • Can you explain security and access boundaries for Secrets Manager without relying on default-open assumptions?
  • Can you describe how Secrets Manager integrates with KMS and IAM during failure, scaling, and monitoring events?
