Practice Free DVA-C02 Exam Online Questions
A developer needs to use Amazon DynamoDB to store customer orders. The developer’s company requires all customer data to be encrypted at rest with a key that the company generates.
What should the developer do to meet these requirements?
- A . Create the DynamoDB table with encryption set to None. Code the application to use the key to decrypt the data when the application reads from the table. Code the application to use the key to encrypt the data when the application writes to the table.
- B . Store the key by using AWS KMS. Choose an AWS KMS customer managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
- C . Store the key by using AWS KMS. Create the DynamoDB table with default encryption. Include the kms:Encrypt parameter with the Amazon Resource Name (ARN) of the AWS KMS key when using the DynamoDB SDK.
- D . Store the key by using AWS KMS. Choose an AWS KMS AWS managed key during creation of the DynamoDB table. Provide the Amazon Resource Name (ARN) of the AWS KMS key.
B
Explanation:
Requirement Summary:
Store customer orders in DynamoDB
Must encrypt data at rest
Company wants to use a key it generates (i.e., customer managed key)
Evaluate Options:
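As an added illustration of option B (this is example code, not from the exam page or from AWS), the snippet below builds the create_table call that binds a DynamoDB table to a specific KMS key through SSESpecification, and adds an audit check over a describe_table response that confirms the table is encrypted with the expected customer managed key rather than the default aws/dynamodb managed key. The key ARN is a placeholder and the sample describe_table output is constructed.

```python
"""Create a DynamoDB table encrypted with a customer managed KMS key and
verify the result. Added example using boto3; not from the exam page.
The key ARN below is a placeholder and the table name is hypothetical."""

# Placeholder: replace with the company's own customer managed key ARN.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def build_create_table_params(table_name: str, kms_key_id: str) -> dict:
    """Parameters for dynamodb.create_table with server-side encryption bound
    to a specific KMS key. SSEType 'KMS' plus KMSMasterKeyId selects that key;
    omitting KMSMasterKeyId falls back to the AWS managed key aws/dynamodb."""
    if not kms_key_id:
        raise ValueError("a KMS key ARN, key ID or alias is required")
    return {
        "TableName": table_name,
        "AttributeDefinitions": [
            {"AttributeName": "customerId", "AttributeType": "S"},
            {"AttributeName": "orderId", "AttributeType": "S"},
        ],
        "KeySchema": [
            {"AttributeName": "customerId", "KeyType": "HASH"},
            {"AttributeName": "orderId", "KeyType": "RANGE"},
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": {
            "Enabled": True,
            "SSEType": "KMS",
            "KMSMasterKeyId": kms_key_id,
        },
    }


def uses_customer_managed_key(describe_table_response: dict, expected_key_arn: str) -> bool:
    """Audit check over a describe_table response: True only when SSE is
    enabled, of type KMS, and bound to the expected key ARN. A table using the
    AWS owned key has no SSEDescription at all, so that case also returns False."""
    sse = describe_table_response.get("Table", {}).get("SSEDescription", {})
    return (
        sse.get("Status") == "ENABLED"
        and sse.get("SSEType") == "KMS"
        and sse.get("KMSMasterKeyArn") == expected_key_arn
    )


def create_orders_table(table_name: str, kms_key_id: str = CMK_ARN) -> dict:
    """Create the table, wait until it is ACTIVE and return its description.
    Needs AWS credentials; boto3 is imported here so the helpers above run offline."""
    import boto3

    ddb = boto3.client("dynamodb")
    ddb.create_table(**build_create_table_params(table_name, kms_key_id))
    ddb.get_waiter("table_exists").wait(TableName=table_name)
    return ddb.describe_table(TableName=table_name)


# Constructed describe_table output, shaped like the real API response.
SAMPLE_DESCRIBE = {
    "Table": {
        "TableName": "CustomerOrders",
        "SSEDescription": {
            "Status": "ENABLED",
            "SSEType": "KMS",
            "KMSMasterKeyArn": CMK_ARN,
        },
    }
}

if __name__ == "__main__":
    print(uses_customer_managed_key(SAMPLE_DESCRIBE, CMK_ARN))  # True
```

The audit function is the part worth keeping around: run it over describe_table for every table in an account and any table whose KMSMasterKeyArn is not one of the company's own keys (or that has no SSEDescription) is not meeting the "key that the company generates" requirement.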
A developer is building an application that stores objects in an Amazon S3 bucket. The bucket does not have versioning enabled. The objects are accessed rarely after 1 week. However, the objects must be immediately available at all times.
The developer wants to optimize storage costs for the S3 bucket.
Which solution will meet this requirement?
- A . Create an S3 Lifecycle rule to expire objects after 7 days.
- B . Create an S3 Lifecycle rule to transition objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 7 days.
- C . Create an S3 Lifecycle rule to transition objects to S3 Glacier Flexible Retrieval after 7 days.
- D . Create an S3 Lifecycle rule to delete objects that have delete markers.
B
Explanation:
The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.
With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.
Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”
Option A expires objects, which deletes them after 7 days and contradicts the requirement to keep objects available.
Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.
Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.
A developer is planning to migrate on-premises company data to Amazon S3. The data must be encrypted, and the encryption keys must support automated annual rotation. The company must use AWS Key Management Service (AWS KMS) to encrypt the data.
Which type of keys should the developer use to meet these requirements?
- A . Amazon S3 managed keys
- B . Symmetric customer managed keys with key material that is generated by AWS
- C . Asymmetric customer managed keys with key material that is generated by AWS
- D . Symmetric customer managed keys with imported key material
B
Explanation:
The type of keys that the developer should use to meet the requirements is symmetric customer managed keys with key material that is generated by AWS. This way, the developer can use AWS Key Management Service (AWS KMS) to encrypt the data with a symmetric key that is managed by the developer. The developer can also enable automatic annual rotation for the key, which creates new key material for the key every year. The other options either involve using Amazon S3 managed keys, which do not support automatic annual rotation, or using asymmetric keys or imported key material, which are not supported by S3 encryption.
Reference: Using AWS KMS keys to encrypt S3 objects
A developer is writing an application to analyze the traffic to a fleet of Amazon EC2 instances. The EC2 instances run behind a public Application Load Balancer (ALB). An HTTP server runs on each of the EC2 instances, logging all requests to a log file.
The developer wants to capture the client public IP addresses. The developer analyzes the log files and notices only the IP address of the ALB.
What must the developer do to capture the client public IP addresses in the log file?
- A . Add a Host header to the HTTP server log configuration file.
- B . Install the Amazon CloudWatch Logs agent on each EC2 instance. Configure the agent to write to the log file.
- C . Install the AWS X-Ray daemon on each EC2 instance. Configure the daemon to write to the log file.
- D . Add an X-Forwarded-For header to the HTTP server log configuration file.
A developer needs to set up an API to provide access to an application and its resources. The developer has a TLS certificate. The developer must have the ability to change the default base URL of the API to a custom domain name. The API users are distributed globally. The solution must minimize API latency.
- A . Create an Amazon CloudFront distribution that uses an AWS Lambda@Edge function to process API requests. Import the TLS certificate into AWS Certificate Manager and CloudFront. Add the custom domain name as an alias resource record set that is for the CloudFront distribution.
- B . Create an Amazon API Gateway REST API. Use the private endpoint type. Import the TLS certificate into AWS Certificate Manager. Create a custom domain name for the REST API. Route traffic to the custom domain name. Disable the default endpoint for the REST API.
- C . Create an Amazon API Gateway REST API. Use the edge-optimized endpoint type. Import the TLS certificate into AWS Certificate Manager. Create a custom domain name for the REST API. Route traffic to the custom domain name. Disable the default endpoint for the REST API.
- D . Create an Amazon CloudFront distribution that uses CloudFront Functions to process API requests. Import the TLS certificate into AWS Certificate Manager and CloudFront. Add the custom domain name as an alias resource record set that is for the CloudFront distribution.
C
Explanation:
Option C: Edge-Optimized API Gateway with Custom Domain Name:
Edge-Optimized API Gateway: This endpoint type automatically leverages the Amazon CloudFront global distribution network, minimizing latency for API users distributed globally.
Custom Domain Name: API Gateway supports custom domain names for APIs. Importing the TLS certificate into AWS Certificate Manager (ACM) and associating it with the custom domain name ensures secure connections.
Disabling the Default Endpoint: Prevents direct access via the default API Gateway URL, enforcing the use of the custom domain name.
Why Other Options Are Incorrect:
Option A: While CloudFront can distribute API requests globally, API Gateway with edge-optimized endpoints already provides this functionality natively without requiring Lambda@Edge.
Option B: Private endpoint types are used for internal access via VPC, which does not meet the global distribution and low-latency requirement.
Option D: CloudFront Functions are not needed because API Gateway’s edge-optimized endpoints handle global distribution efficiently.
Reference: Amazon API Gateway Custom Domain Names
Amazon API Gateway Endpoint Types
A company has an application that runs as a series of AWS Lambda functions. Each Lambda function receives data from an Amazon Simple Notification Service (Amazon SNS) topic and writes the data to an Amazon Aurora DB instance.
To comply with an information security policy, the company must ensure that the Lambda functions all use a single securely encrypted database connection string to access Aurora.
Which solution will meet these requirements?
- A . Use IAM database authentication for Aurora to enable secure database connections for all the Lambda functions.
- B . Store the credentials and read the credentials from an encrypted Amazon RDS DB instance.
- C . Store the credentials in AWS Systems Manager Parameter Store as a secure string parameter.
- D . Use Lambda environment variables with a shared AWS Key Management Service (AWS KMS) key for encryption.
A
Explanation:
This solution will meet the requirements by using IAM database authentication for Aurora, which enables using IAM roles or users to authenticate with Aurora databases instead of using passwords or other secrets. The developer can use IAM database authentication for Aurora to enable secure database connections for all the Lambda functions that access Aurora DB instance. The developer can create an IAM role with permission to connect to Aurora DB instance and attach it to each Lambda function. The developer can also configure Aurora DB instance to use IAM database authentication and enable encryption in transit using SSL certificates. This way, the Lambda functions can use a single securely encrypted database connection string to access Aurora without needing any secrets or passwords.
Option B is not optimal because it will store the credentials and read them from an encrypted Amazon RDS DB instance, which may introduce additional costs and complexity for managing and accessing another RDS DB instance.
Option C is not optimal because it will store the credentials in AWS Systems Manager Parameter Store as a secure string parameter, which may require additional steps or permissions to retrieve and decrypt the credentials from Parameter Store.
Option D is not optimal because it will use Lambda environment variables with a shared AWS Key Management Service (AWS KMS) key for encryption, which may not be secure or scalable as environment variables are stored as plain text unless encrypted with AWS KMS.
Reference: [IAM Database Authentication for MySQL and PostgreSQL], [Using SSL/TLS to Encrypt a Connection to a DB Instance]
A company is building a new application that runs on AWS and uses Amazon API Gateway to expose APIs. Teams of developers are working on separate components of the application in parallel. The company wants to publish an API without an integrated backend so that teams that depend on the application backend can continue the development work before the API backend development is complete.
Which solution will meet these requirements?
- A . Create API Gateway resources and set the integration type value to MOCK. Configure the method integration request and integration response to associate a response with an HTTP status code. Create an API Gateway stage and deploy the API.
- B . Create an AWS Lambda function that returns mocked responses and various HTTP status codes. Create API Gateway resources and set the integration type value to AWS_PROXY. Deploy the API.
- C . Create an EC2 application that returns mocked HTTP responses. Create API Gateway resources and set the integration type value to AWS. Create an API Gateway stage and deploy the API.
- D . Create API Gateway resources and set the integration type value to HTTP_PROXY. Add mapping templates and deploy the API. Create an AWS Lambda layer that returns various HTTP status codes. Associate the Lambda layer with the API deployment.
A
Explanation:
API Gateway Mocking: This feature is built for decoupling development dependencies.
Here’s the process:
Create resources and methods in your API Gateway.
Set the integration type to ‘MOCK’.
Define Integration Responses, mapping HTTP status codes to desired mocked responses (JSON, etc.).
Deployment and Use:
Create a deployment stage for the API.
Frontend teams can call this API and get the mocked responses without a real backend.
Reference: Mocking API Gateway APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html
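The process above, carried through in boto3 as an added example (not code from the exam page or from AWS): one GET method wired to a MOCK integration whose request template returns a statusCode, a matching method response, and an integration response carrying the canned JSON body, followed by a stage deployment. The API name, path and payload are hypothetical; `mock_integration_calls` returns the ordered operations so they can be inspected without credentials, and `deploy_mock_api` executes them.

```python
"""Publish an API Gateway REST API method backed by a MOCK integration so
dependent teams can build against it before the backend exists.
Added example using boto3; not from the exam page. The API name, path
and response body are hypothetical."""
import json


def mock_integration_calls(rest_api_id: str, resource_id: str,
                           status_code: int, body: dict) -> list:
    """Ordered (operation, kwargs) pairs that wire one GET method to a MOCK
    integration. The request template must evaluate to {"statusCode": N};
    API Gateway uses N to select the integration response to return."""
    common = {"restApiId": rest_api_id, "resourceId": resource_id, "httpMethod": "GET"}
    return [
        ("put_method", {**common, "authorizationType": "NONE"}),
        ("put_integration", {**common, "type": "MOCK",
                             "requestTemplates": {
                                 "application/json": json.dumps({"statusCode": status_code})}}),
        ("put_method_response", {**common, "statusCode": str(status_code),
                                 "responseModels": {"application/json": "Empty"}}),
        ("put_integration_response", {**common, "statusCode": str(status_code),
                                      "responseTemplates": {
                                          "application/json": json.dumps(body)}}),
    ]


def deploy_mock_api(api_name: str, path_part: str, status_code: int,
                    body: dict, stage: str = "dev") -> str:
    """Create the API, the resource, the mocked method and a stage deployment.
    Returns the invoke URL. Needs AWS credentials; boto3 is imported here so
    mock_integration_calls() stays usable offline."""
    import boto3

    apigw = boto3.client("apigateway")
    api_id = apigw.create_rest_api(name=api_name)["id"]
    root_id = next(r["id"] for r in apigw.get_resources(restApiId=api_id)["items"]
                   if r["path"] == "/")
    res_id = apigw.create_resource(restApiId=api_id, parentId=root_id,
                                   pathPart=path_part)["id"]
    for op, kwargs in mock_integration_calls(api_id, res_id, status_code, body):
        getattr(apigw, op)(**kwargs)
    apigw.create_deployment(restApiId=api_id, stageName=stage)
    region = apigw.meta.region_name
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}/{path_part}"


if __name__ == "__main__":
    # Hypothetical resource returning a canned order list to the frontend team.
    for op, kwargs in mock_integration_calls("abc123", "r1", 200, {"orders": []}):
        print(op, kwargs)
```

The "Empty" model referenced in put_method_response is one of the two models API Gateway creates by default in a new REST API. To mock several status codes, add one put_method_response and put_integration_response pair per code and branch the request template (for example on a query parameter) so it emits the statusCode you want selected.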
A developer is managing an application that uploads user files to an Amazon S3 bucket named companybucket. The company wants to maintain copies of all the files uploaded by users for compliance purposes, while ensuring users still have access to the data through the application.
Which IAM permissions should be applied to users to ensure they can create but not remove files from the bucket?
- A . {"Version": "2012-10-17","Statement": [{"Sid": "statement1","Effect": "Allow","Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],"Resource": ["arn:aws:s3:::companybucket"]}]}
- B . {"Version": "2012-10-17","Statement": [{"Sid": "statement1","Effect": "Allow","Action": ["s3:CreateBucket", "s3:GetBucketLocation"],"Resource": "arn:aws:s3:::companybucket"}]}
- C . {"Version": "2012-10-17","Statement": [{"Sid": "statement1","Effect": "Allow","Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectRetention"],"Resource": "arn:aws:s3:::companybucket"}]}
- D . {"Version": "2012-10-17","Statement": [{"Sid": "statement1","Effect": "Allow","Action": ["s3:GetObject", "s3:PutObject"],"Resource": ["arn:aws:s3:::companybucket"]}]}
D
Explanation:
To meet the requirement:
Users must be able to upload (PutObject) and read (GetObject) files but not delete them.
Option D ensures users cannot delete files by omitting the s3:DeleteObject action while allowing s3:GetObject and s3:PutObject.
Option A: Includes s3:DeleteObject, which allows users to delete files and does not meet the requirement.
Option B: Contains unrelated actions like CreateBucket, which is not relevant here.
Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict DeleteObject.
Reference: AWS S3 Permissions Documentation
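To make the allow/deny reasoning concrete, here is a small evaluator (added example, not from the exam page and not AWS's policy engine: it handles only Effect, Action and Resource, ignoring conditions, resource policies and SCPs) run over option D. It also shows one caveat a practitioner will hit when applying these statements as written: s3:GetObject and s3:PutObject are evaluated against the object ARN (`arn:aws:s3:::companybucket/*`), so the bucket ARN used in the options matches no object; the second policy below is an added variant with the object-level resource. The object key is constructed.

```python
"""Minimal evaluator for the Allow/Deny logic of an IAM identity policy,
used to check which S3 actions a policy grants on a given resource.
Added example; not from the exam page and not AWS's evaluation engine
(no Condition, resource policy or SCP handling). Object key is constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, fold_case: bool) -> bool:
    """IAM wildcards '*' and '?'; action names match case-insensitively,
    resource ARNs are compared as written."""
    for p in _as_list(patterns):
        if fold_case and fnmatchcase(candidate.lower(), p.lower()):
            return True
        if not fold_case and fnmatchcase(candidate, p):
            return True
    return False


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action, fold_case=True)
                and _matches(stmt.get("Resource", []), resource, fold_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Option D from the question: read and write, no s3:DeleteObject.
OPTION_D = {"Version": "2012-10-17", "Statement": [
    {"Sid": "statement1", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::companybucket"]}]}

# Added variant: same intent, with the object-level resource that
# s3:GetObject / s3:PutObject are actually evaluated against.
OPTION_D_OBJECT_ARN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "statement1", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::companybucket/*"]}]}

OBJECT = "arn:aws:s3:::companybucket/uploads/invoice-42.pdf"  # constructed key


def permitted_actions(policy: dict, resource: str) -> list:
    """Which of the three object operations the policy grants on `resource`."""
    return [a for a in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")
            if is_allowed(policy, a, resource)]


if __name__ == "__main__":
    print(permitted_actions(OPTION_D, OBJECT))             # []
    print(permitted_actions(OPTION_D_OBJECT_ARN, OBJECT))  # ['s3:GetObject', 's3:PutObject']
```

Either way, s3:DeleteObject is never granted, which is the point of option D. For a real deployment, pair the identity policy with S3 Object Lock or versioning plus a bucket policy so that a compliance copy survives even if a future policy change adds delete rights.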
A developer is trying to make API calls using the AWS SDK. The IAM user credentials used by the application require multi-factor authentication for all API calls.
Which method should the developer use to access the multi-factor authentication-protected API?
- A . GetFederationToken
- B . GetCallerIdentity
- C . GetSessionToken
- D . DecodeAuthorizationMessage
C
Explanation:
When IAM user credentials require MFA for API access, the correct approach is to obtain temporary security credentials from AWS Security Token Service (STS) that are validated with an MFA code. AWS documentation describes using STS to issue temporary credentials that applications can use instead of long-term access keys, especially when MFA is required.
The specific STS API operation used for an IAM user to obtain temporary credentials is GetSessionToken. This call supports MFA by accepting the user’s MFA device serial number and a time-based one-time password (TOTP) code. STS then returns a set of temporary credentials: AccessKeyId, SecretAccessKey, and SessionToken, which the SDK can use to sign subsequent API requests. This is the standard method for enabling MFA-protected API access for IAM users.
Why the other options are wrong:
GetFederationToken is used to obtain temporary credentials for a federated user, often for scenarios where you want to grant access to resources for users who do not have IAM users. It’s not the typical method for IAM-user MFA enforcement for all calls.
GetCallerIdentity simply returns identity details for the current credentials; it does not generate credentials.
DecodeAuthorizationMessage is used to decode encoded authorization failure messages returned by AWS, not to authenticate.
Therefore, to access an API protected by MFA requirements for an IAM user, the developer should call GetSessionToken and then use the returned temporary credentials in the AWS SDK.
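The GetSessionToken flow, as an added example in boto3 (not code from the exam page or from AWS): validate the inputs the way STS will (six-digit TokenCode, DurationSeconds within the 900 to 129600 second range that applies to IAM users), call STS with the long-term keys plus the MFA code, and hand only the returned temporary credentials to a new boto3.Session. The MFA device ARN is a placeholder and the sample response is constructed.

```python
"""Obtain MFA-validated temporary credentials with sts:GetSessionToken and
turn them into a boto3 session for subsequent API calls.
Added example using boto3; not from the exam page. The MFA device ARN is a
placeholder and SAMPLE_RESPONSE is constructed, not real credentials."""
import re

# Placeholder: the virtual MFA device attached to the IAM user.
MFA_SERIAL = "arn:aws:iam::111122223333:mfa/app-user"


def get_session_token_params(mfa_serial: str, token_code: str,
                             duration_seconds: int = 3600) -> dict:
    """Build the GetSessionToken request, rejecting values STS would reject:
    TokenCode is exactly six digits; DurationSeconds for an IAM user is
    900 (15 minutes) to 129600 (36 hours)."""
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("TokenCode must be exactly six digits")
    if not 900 <= duration_seconds <= 129600:
        raise ValueError("DurationSeconds must be between 900 and 129600")
    return {"SerialNumber": mfa_serial, "TokenCode": token_code,
            "DurationSeconds": duration_seconds}


def session_kwargs(credentials: dict) -> dict:
    """Map the STS Credentials block onto boto3.Session keyword arguments.
    All three parts are needed: requests signed without the SessionToken fail."""
    return {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }


def mfa_session(token_code: str, mfa_serial: str = MFA_SERIAL,
                duration_seconds: int = 3600):
    """Call STS using the user's long-term keys plus the MFA code, and return a
    boto3.Session that holds only the temporary credentials. Needs credentials
    and network; boto3 is imported here so the helpers above run offline."""
    import boto3

    sts = boto3.client("sts")
    resp = sts.get_session_token(
        **get_session_token_params(mfa_serial, token_code, duration_seconds))
    return boto3.Session(**session_kwargs(resp["Credentials"]))


# Constructed GetSessionToken response; values are placeholders, not secrets.
SAMPLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret12",
    "SessionToken": "EXAMPLEsessiontoken",
    "Expiration": "2030-01-01T00:00:00+00:00"}}

if __name__ == "__main__":
    print(get_session_token_params(MFA_SERIAL, "123456"))
    print(session_kwargs(SAMPLE_RESPONSE["Credentials"]))
```

Every client created from the returned Session (for example `mfa_session("123456").client("s3")`) signs with the temporary credentials, so an IAM policy whose Condition requires aws:MultiFactorAuthPresent will accept those calls while still rejecting calls made with the bare long-term keys. Cache the credentials until Expiration rather than prompting for a new code per request.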
