Practice Free DVA-C02 Exam Online Questions
A company is planning to deploy an application on AWS behind an Elastic Load Balancing (ELB) load balancer. The application uses an HTTP/HTTPS listener and must access the client IP addresses.
Which load-balancing solution meets these requirements?
- A . Use an Application Load Balancer and the X-Forwarded-For headers.
- B . Use a Network Load Balancer (NLB). Enable proxy protocol support on the NLB and the target application.
- C . Use an Application Load Balancer. Register the targets by the instance ID.
- D . Use a Network Load Balancer and the X-Forwarded-For headers.
A company’s website runs on an Amazon EC2 instance and uses Auto Scaling to scale the environment during peak times. Website users across the world are experiencing high latency due to static content on the EC2 instance, even during non-peak hours.
Which combination of steps will resolve the latency issue? (Select TWO)
- A . Double the Auto Scaling group’s maximum number of servers
- B . Host the application code on AWS Lambda
- C . Scale vertically by resizing the EC2 instances
- D . Create an Amazon CloudFront distribution to cache the static content
- E . Store the application’s static content in Amazon S3
D, E
Explanation:
The combination of steps that will resolve the latency issue is to create an Amazon CloudFront distribution to cache the static content and store the application’s static content in Amazon S3. This way, the company can use CloudFront to deliver the static content from edge locations that are closer to the website users, reducing latency and improving performance. The company can also use S3 to store the static content reliably and cost-effectively, and integrate it with CloudFront easily. The other options either do not address the latency issue, or are not necessary or feasible for the given scenario.
Reference: Using Amazon S3 Origins and Custom Origins for Web Distributions
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
- A . The EC2 instance will only be able to list the S3 buckets.
- B . The EC2 instance will only be able to list the contents of one S3 bucket at a time.
- C . The EC2 instance will be able to perform all actions on any S3 bucket.
- D . The EC2 instance will not be able to perform any S3 action on any S3 bucket.
A company has an application that receives batches of orders from partners every day. The application uses an AWS Lambda function to process the batches.
If a batch contains no orders, the Lambda function must publish to an Amazon SNS topic as soon as possible.
Which combination of steps will meet this requirement with the LEAST implementation effort? (Select TWO.)
- A . Update the existing Lambda function’s code to send an Amazon CloudWatch custom metric for the number of orders in a batch for each partner.
- B . Create a new Lambda function as an Amazon Kinesis data stream consumer. Configure the new Lambda function to track orders and to publish to the SNS topic when a batch contains no orders.
- C . Set up an Amazon CloudWatch alarm that will send a notification to the SNS topic when the value of the custom metric is 0.
- D . Schedule a new Lambda function to analyze Amazon CloudWatch metrics every 24 hours to identify batches that contain no orders. Configure the Lambda function to publish to the SNS topic.
- E . Modify the existing Lambda function to log orders to an Amazon Kinesis data stream.
A, C
Explanation:
The least implementation effort is to publish a custom CloudWatch metric from the existing Lambda function that records the number of orders in each batch, then create a CloudWatch alarm that sends a notification to the SNS topic when the metric value is 0. This avoids building a separate stream-processing pipeline or scheduled analytics job. A new Kinesis consumer and Lambda function would add unnecessary services and operational complexity. A 24-hour scheduled function is also slower than required because the notification must happen as soon as possible. Logging to Kinesis only creates more data movement and still requires separate analysis logic. CloudWatch supports custom metrics, and CloudWatch alarms can send notifications through Amazon SNS when metric thresholds are breached. (AWS Documentation)
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application the ability to read the S3 bucket.
Which solution will meet this requirement with the LEAST application disruption?
- A . Add the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
- B . Add the permission to the role so that the change will take effect automatically.
- C . Add the permission to the role. Hibernate and restart the existing EC2 instance.
- D . Add the permission to the S3 bucket. Restart the EC2 instance.
B
Explanation:
The correct answer is B because when an IAM role is attached to an Amazon EC2 instance through an instance profile, changes to the permissions policy for that role propagate automatically to applications that use the instance role credentials. This is the least disruptive approach because the developer does not need to restart, hibernate, terminate, or replace the EC2 instance.
AWS documentation explains that applications running on EC2 can obtain temporary security credentials from the instance metadata service for the attached IAM role. When the IAM policy attached to that role is updated to allow Amazon S3 read access, new temporary credentials issued for the role will reflect the updated permissions. This makes it possible to correct the access issue without changing the application deployment model or interrupting the running instance.
Option A is unnecessary because terminating and relaunching the instance causes avoidable disruption.
Option C is also unnecessary because hibernation and restart are not required for IAM policy changes to take effect.
Option D is not the best answer because although bucket policies can grant access, the issue identified is specifically that the instance role lacks S3 read permission, and restarting the instance is still unnecessary.
The AWS best-practice approach is to grant the required permission directly to the IAM role used by the EC2 instance. This keeps authorization centralized and lets the running application continue using temporary role credentials with minimal operational impact.
Therefore, the solution with the least application disruption is to add the S3 read permission to the IAM role, making B the correct answer.
A web application is using Amazon Kinesis Data Streams for clickstream data that may not be consumed for up to 12 hours.
How can the developer implement encryption at rest for data within the Kinesis Data Streams?
- A . Enable SSL connections to Kinesis.
- B . Use Amazon Kinesis Consumer Library.
- C . Encrypt the data once it is at rest with a Lambda function.
- D . Enable server-side encryption in Kinesis Data Streams.
An AWS Lambda function requires read access to an Amazon S3 bucket and requires read/write access to an Amazon DynamoDB table. The correct IAM policy already exists.
What is the MOST secure way to grant the Lambda function access to the S3 bucket and the DynamoDB table?
- A . Attach the existing IAM policy to the Lambda function.
- B . Create an IAM role for the Lambda function. Attach the existing IAM policy to the role. Attach the role to the Lambda function.
- C . Create an IAM user with programmatic access. Attach the existing IAM policy to the user. Add the user access key ID and secret access key as environment variables in the Lambda function.
- D . Add the AWS account root user access key ID and secret access key as encrypted environment variables in the Lambda function.
B
Explanation:
The most secure and AWS-recommended way for a Lambda function to access other AWS services is to use an IAM execution role. Lambda assumes this role at runtime and receives temporary credentials that are automatically rotated by AWS. The developer attaches the necessary permissions (the existing IAM policy) to that role, and then configures the Lambda function to use the role.
Option B follows least privilege and avoids long-term credentials. It also integrates with AWS security tooling: IAM Access Analyzer, CloudTrail, and policy boundaries can all be applied cleanly. Because the policy already exists, this requires minimal extra work: create/choose the execution role, attach the policy, and assign the role to the function.
Option A is not correct because IAM policies are attached to IAM identities (users, groups, roles), not directly to Lambda functions as standalone entities. Lambda permissions are granted through the function’s execution role.
Option C is insecure because it uses long-term IAM user access keys embedded in environment variables. Even if encrypted, this expands the blast radius, complicates rotation, and contradicts AWS best practices for avoiding static credentials inside code/runtime.
Option D is extremely insecure and noncompliant. Root user access keys should not be used for applications and should generally not exist.
Therefore, create a Lambda execution IAM role, attach the existing policy to it, and assign that role to the function.
A developer created reusable code that several AWS Lambda functions need to use. The developer bundled the code into a .zip archive. The developer needs to deploy the code to AWS and update the Lambda functions to use the code.
Which solution will meet this requirement in the MOST operationally efficient way?
- A . Upload the .zip archive to Amazon S3. Configure an import path on the Lambda functions to point to the .zip archive.
- B . Create a new Lambda function that contains and runs the shared code. Update the existing Lambda functions to invoke the new Lambda function synchronously.
- C . Create a Lambda layer that contains the .zip archive. Attach the Lambda layer to the Lambda functions.
- D . Create a Lambda container image that includes the shared code. Use the container image as a Lambda base image for all the functions.
C
Explanation:
A Lambda layer is the correct operationally efficient solution because layers are specifically designed to package reusable code, libraries, custom runtimes, or configuration files separately from function code. The developer can publish the shared .zip archive as a layer version and attach that layer to multiple Lambda functions. This avoids copying the same dependency into every deployment package and centralizes dependency management. Amazon S3 alone does not create an importable runtime dependency path for Lambda. A separate Lambda function would add synchronous invocation latency and coupling. A container image could work for container-based functions, but it is heavier and unnecessary when the code is already packaged as a .zip dependency. AWS documentation states that layers are used to separate reusable dependencies from function code and add them to functions. (AWS Documentation)
