Questions & Answers

Practice exam questions with detailed explanations for AWS Secrets Manager

Question 1

What is the maximum size of a secret in AWS Secrets Manager?

A) 32KB
B) 64KB ✓
C) 128KB
D) 256KB

Correct Answer: B) 64KB

AWS Secrets Manager supports secrets up to 64KB in size. This limit applies to the entire secret value including any JSON structure.

Question 2

Which AWS service is used for automatic secret rotation in Secrets Manager?

A) AWS Lambda ✓
B) AWS Step Functions
C) AWS CodeBuild
D) AWS Batch

Correct Answer: A) AWS Lambda

Lambda functions handle the rotation logic for secrets. AWS provides pre-built rotation functions for RDS, DocumentDB, and Redshift, or you can create custom functions.

Question 3

How many versions of a secret can be stored in Secrets Manager?

A) 50
B) 100 ✓
C) 200
D) Unlimited

Correct Answer: B) 100

Secrets Manager can store up to 100 versions of a secret. Older versions are automatically deprecated but retained for recovery purposes.

Question 4

Which encryption service is used by Secrets Manager to encrypt secrets at rest?

A) AWS KMS ✓
B) AWS CloudHSM
C) AWS Certificate Manager
D) AWS Systems Manager

Correct Answer: A) AWS KMS

All secrets are encrypted using AWS Key Management Service (KMS). You can use AWS-managed keys or customer-managed keys for encryption.

Question 5

What are the four phases of secret rotation in Secrets Manager?

A) Start, Update, Verify, Complete
B) Create, Set, Test, Finish ✓
C) Generate, Apply, Validate, Activate
D) Init, Config, Check, Deploy

Correct Answer: B) Create, Set, Test, Finish

The four standard rotation phases are: createSecret (generate new credentials), setSecret (update the service), testSecret (validate new credentials), and finishSecret (mark as current).

Question 6

Which API call is used to retrieve a secret value from Secrets Manager?

A) GetSecret
B) GetSecretValue ✓
C) RetrieveSecret
D) DescribeSecret

Correct Answer: B) GetSecretValue

GetSecretValue retrieves the actual secret value. DescribeSecret only returns metadata without the secret value itself.

Question 7

What is the maximum number of secrets per region in Secrets Manager?

A) 100,000
B) 250,000
C) 500,000 ✓
D) 1,000,000

Correct Answer: C) 500,000

You can store up to 500,000 secrets per region. This is a service quota that can be increased by contacting AWS Support.

Question 8

Which feature allows cross-account access to secrets in Secrets Manager?

A) IAM roles only
B) Resource-based policies ✓
C) VPC endpoints
D) Cross-region replication

Correct Answer: B) Resource-based policies

Resource-based policies attached to secrets enable cross-account access. Both the resource policy and IAM permissions in the accessing account are required.

Exam Strategy Tip

For Secrets Manager questions, remember: automatic rotation is only available for RDS, DocumentDB, and Redshift. All secrets are encrypted with KMS, and the maximum secret size is 64KB. Cross-account access requires resource-based policies.
