Study DVA-C02 Secrets, Sensitive Data, Masking and Multi-Tenant Access: key concepts, common traps, and exam decision cues.
This lesson is about the mistakes developers create when sensitive data handling is treated as an afterthought. DVA-C02 wants you to know where secrets belong, how to avoid leaking sensitive information into logs or code, and how tenant-aware access patterns differ from simple authenticated reads.
Secret management service: Managed store for credentials, tokens, or other sensitive configuration that should not live directly in source code or plain-text config.
Data masking: Technique that hides or transforms sensitive values so they are not fully exposed to users, logs, or downstream systems.
AWS wants you to recognize:
| Requirement | Strong lane | Why |
|---|---|---|
| database password or API token in app code | move to managed secret storage | Secrets should not live in source control or plain runtime config. |
| sensitive values should not appear in logs or responses | sanitization and masking | The requirement is controlled exposure, not just encryption. |
| one tenant must never retrieve another tenant’s records | tenant-scoped data access pattern | This is a record-access design problem. |
| environment variable contains sensitive data | encrypt and restrict access | Runtime config can still expose secrets if handled weakly. |
| personal or regulated data needs different handling rules | classify data and apply matching controls | Classification drives masking, exposure, and storage decisions. |
flowchart TD
A["Sensitive value or data"] --> B{"What kind of problem is it?"}
B -->|"Credential or token storage"| C["Use managed secret retrieval"]
B -->|"Visible in output or logs"| D["Mask or sanitize the value"]
B -->|"Wrong tenant can see it"| E["Enforce tenant-scoped authorization and filtering"]
B -->|"Runtime setting contains secret"| F["Encrypt and control access to env config"]
Strong answers usually separate:
If the question says users are authenticated but can still reach the wrong tenant’s data, the stronger answer is usually not “rotate the key” or “add TLS.” The real problem is that the application has not enforced tenant-aware authorization or filtered access paths correctly.
| Trap | Better thinking |
|---|---|
| encrypted secret in code is good enough | The first problem is still secret placement and retrieval discipline. |
| authenticated user can read any record returned by the backend | Authentication does not replace tenant-aware authorization. |
| masking is only for logs | Sensitive data may need masking in responses, dashboards, exports, and support views too. |
| one secret store choice solves every sensitive-data problem | Secret storage, masking, classification, and tenant access are related but distinct controls. |