Practice Free DVA-C02 Exam Online Questions
A developer wants to expand an application to run in multiple AWS Regions. The developer wants to copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in the destination Region. According to company requirements, all AMIs must be encrypted in all Regions. However, not all the AMIs that the company uses are encrypted.
How can the developer expand the application to run in the destination Region while meeting the encryption requirement?
- A . Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.
- B . Use AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
- C . Use AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
- D . Copy the unencrypted AMIs to the destination Region. Enable encryption by default in the destination Region.
A
Explanation:
Amazon Machine Images (AMIs) are snapshot-backed images of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters, then copy the encrypted AMIs to the destination Region and use them to create a new application stack. The unencrypted AMIs can be deleted once the encryption process is complete. This solution meets the encryption requirement and lets the developer expand the application into the destination Region.
Reference: [Amazon Machine Images (AMI) – Amazon Elastic Compute Cloud]
[Encrypting an Amazon EBS Snapshot – Amazon Elastic Compute Cloud]
[Copying an AMI – Amazon Elastic Compute Cloud]
A company has an application that is hosted on Amazon EC2 instances. The application stores objects in an Amazon S3 bucket and allows users to download objects from the S3 bucket. A developer turns on S3 Block Public Access for the S3 bucket. After this change, users report errors when they attempt to download objects. The developer needs to implement a solution so that only users who are signed in to the application can access objects in the S3 bucket.
Which combination of steps will meet these requirements in the MOST secure way? (Select TWO.)
- A . Create an EC2 instance profile and role with an appropriate policy. Associate the role with the EC2 instances.
- B . Create an IAM user with an appropriate policy. Store the access key ID and secret access key on the EC2 instances.
- C . Modify the application to use the S3 GeneratePresignedUrl API call.
- D . Modify the application to use the S3 GetObject API call and to return the object handle to the user.
- E . Modify the application to delegate requests to the S3 bucket.
A,C
Explanation:
IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.
Create a role with a policy allowing s3:GetObject on the specific bucket.
Attach the role to an instance profile and associate that profile with your instances.
Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.
Modify the app to use the AWS SDK to call GeneratePresignedUrl.
Embed these URLs when a user is properly logged in, allowing download access.
Reference: IAM Roles for EC2: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
Generating Presigned URLs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.htm
A company is developing a weather forecast application that displays forecasts for cities within a single country. Weather data is stored in an Amazon DynamoDB table named Forecasts with attributes CityId, Temperature, and ForecastDate.
The application is read heavy. Most read requests target the current day’s forecast for a small number of very large cities. The company must design a partition key strategy that ensures the most even distribution of read traffic.
Which solution will meet these requirements?
- A . Use CityId with a calculated suffix as the partition key and ForecastDate as the sort key.
- B . Use a numeric index as the partition key and ForecastDate as the sort key.
- C . Use ForecastDate as the partition key and CityId as the sort key.
- D . Use ForecastDate with a calculated suffix as the partition key and CityId as the sort key.
A
Explanation:
Amazon DynamoDB performance depends heavily on partition key design. AWS documentation warns against access patterns that repeatedly target the same partition key, as this causes hot partitions, even in on-demand mode.
In this scenario, most reads focus on the current day’s forecast for a small number of large cities. Using CityId alone as the partition key would cause hot partitions for those cities. Adding a calculated suffix (such as a hash or modulo value) to CityId spreads read requests across multiple partitions while still allowing efficient querying.
Using ForecastDate as the partition key (Options C and D) would concentrate traffic on a single value (today’s date), creating severe hot partition issues.
Option B lacks a meaningful access pattern and complicates queries.
AWS documentation explicitly recommends key-suffix techniques for workloads with skewed access patterns to distribute traffic evenly. Therefore, using CityId with a calculated suffix as the partition key is the correct design.
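The calculated-suffix scheme described above, as an added example that is not part of the original question bank. It assumes each forecast item is stored once per suffix (so any shard can answer a read) and that the number of shards, the `CityId#suffix` format and the helper names are the author's choices here, not AWS APIs.

```python
"""Calculated-suffix partition keys for the Forecasts table (CityId, ForecastDate)."""
import hashlib
from collections import defaultdict

NUM_SHARDS = 8  # assumption: suffixes per CityId; tune to the hottest city's read rate


def calculated_suffix(value: str, shards: int = NUM_SHARDS) -> int:
    """Hash-then-modulo suffix: the same input always maps to the same shard,
    so a caller that knows the input can recompute the key without scanning."""
    digest = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(digest[:4], "big") % shards


def partition_key(city_id: str, suffix: int) -> str:
    return f"{city_id}#{suffix}"


def key_for(city_id: str, forecast_date: str, suffix: int) -> dict:
    """DynamoDB key map for one copy of a forecast item."""
    return {"CityId": partition_key(city_id, suffix), "ForecastDate": forecast_date}


def write_keys(city_id: str, forecast_date: str, shards: int = NUM_SHARDS) -> list:
    """Keys a writer uses: one copy of today's forecast per shard, so that
    every shard can serve the hot read for that city."""
    return [key_for(city_id, forecast_date, s) for s in range(shards)]


def read_key(city_id: str, forecast_date: str, request_id: str,
             shards: int = NUM_SHARDS) -> dict:
    """Key a single read uses. The suffix is calculated from the request id,
    so a burst of reads for one large city fans out across all shards
    instead of hammering the partition that holds CityId alone."""
    return key_for(city_id, forecast_date, calculated_suffix(request_id, shards))


def simulate_read_spread(city_id: str, forecast_date: str, n_requests: int,
                         shards: int = NUM_SHARDS) -> dict:
    """Count reads per partition key for n_requests constructed request ids."""
    counts = defaultdict(int)
    for i in range(n_requests):
        counts[read_key(city_id, forecast_date, f"req-{i}", shards)["CityId"]] += 1
    return dict(counts)
```

Querying a single city's history still works per shard (query `CityId#s` with the ForecastDate sort key) and merging the `NUM_SHARDS` result sets client-side.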
A social media application stores millions of video clips in Amazon S3 and serves them to users worldwide. Traffic is highly variable and can spike to more than 10,000 PUT and GET requests per second. Users report poor video streaming quality.
Which solution will provide the LARGEST improvement in performance?
- A . Configure an Amazon Route 53 geolocation routing policy.
- B . Use Amazon S3 Cross-Region Replication.
- C . Use S3 Intelligent-Tiering.
- D . Create an Amazon CloudFront distribution with Amazon S3 as the origin.
D
Explanation:
Amazon CloudFront is a global content delivery network (CDN) designed to deliver static and streaming content with low latency and high throughput. AWS documentation explicitly recommends CloudFront for media streaming and high-request-rate workloads.
By placing CloudFront in front of Amazon S3, video content is cached at edge locations close to end users. This dramatically reduces latency, minimizes buffering, and offloads request volume from the S3 bucket. CloudFront is built to handle sudden traffic spikes and supports tens of thousands of requests per second per edge location.
Route 53 routing policies (Option A) control DNS resolution but do not cache content. Cross-Region Replication (Option B) improves regional availability but does not provide edge caching or streaming optimization. S3 Intelligent-Tiering (Option C) optimizes storage cost, not performance.
Therefore, using CloudFront with S3 as the origin provides the largest and most immediate performance improvement.
A developer is building an application that uses an AWS Lambda function to process data. The application requires minimum latency. The Lambda function must have predictable function start times. All setup activities for the execution environment must happen before invocation of the Lambda function.
Which solution will meet these requirements?
- A . Increase the memory of the Lambda function to the maximum amount. Configure an Amazon EventBridge rule to schedule invocations of the Lambda function every minute to keep the execution environment active.
- B . Optimize the static initialization code that runs when a new execution environment is prepared for the first time. Decrease and compress the size of the Lambda function package and the imported libraries and dependencies.
- C . Increase the reserved concurrency of the Lambda function to the maximum value for unreserved account concurrency. Run any setup activities manually before the initial invocation of the Lambda function.
- D . Publish a new version of the Lambda function. Configure provisioned concurrency for the Lambda function with the required minimum number of execution environments.
A company runs an application in a third-party cloud. The company wants to use the application to update data in AWS by using API calls to AWS services. The API calls require credentials.
The company’s security policy requires the company to limit the scope and duration of any credentials used to make API calls to AWS services.
Which solution will meet these requirements in the MOST secure way?
- A . Create an IAM user for the application. Configure the application to load the IAM user’s credentials as environment variables. Use the IAM user’s credentials to interact with AWS services.
- B . Create an IAM user for the application. Populate an AWS Secrets Manager secret with the IAM user’s AWS credentials. Use the secret to interact with AWS services.
- C . Create an IAM role for the application. Configure the application to call the AWS STS GetFederationToken API. Use the STS credentials to interact with AWS services.
- D . Create an IAM role for the application. Configure the application to call the AWS STS AssumeRole API. Use the STS credentials to interact with AWS services.
D
Explanation:
The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.
With STS AssumeRole, the application requests temporary credentials for a specific IAM role. The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.
Options A and B rely on long-term IAM user credentials. Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.
Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole.
Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.
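The AssumeRole pattern from this explanation, as an added example that is not part of the original question bank: credentials are requested with a short DurationSeconds, an ExternalId and a session policy that scopes the role's permissions down further, and are re-requested shortly before they expire. The role ARN, table ARN, external ID and the `FakeSts` stand-in are constructed for the example; with a real `boto3.client("sts")` the same calls go to AWS.

```python
"""Short-lived, scoped-down AWS credentials via STS AssumeRole with refresh-before-expiry."""
import json
from datetime import datetime, timedelta, timezone

# Session policy (assumption): restricts this session to the one table the app updates.
# Effective permissions are the intersection of this policy and the role's own policy.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
                   "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}],
}


class ScopedCredentials:
    """Caches AssumeRole credentials and re-assumes the role shortly before expiry."""

    def __init__(self, sts, role_arn, external_id, duration=900, refresh_margin=60):
        self.sts, self.role_arn, self.external_id = sts, role_arn, external_id
        self.duration, self.margin = duration, timedelta(seconds=refresh_margin)
        self._creds = None

    def assume_role_kwargs(self) -> dict:
        """Request parameters for sts.assume_role (all are real STS parameters)."""
        return {
            "RoleArn": self.role_arn,
            "RoleSessionName": "third-party-cloud-app",
            "DurationSeconds": self.duration,   # 900 s is the shortest STS allows
            "ExternalId": self.external_id,     # confused-deputy guard in the trust policy
            "Policy": json.dumps(SESSION_POLICY),
        }

    def get(self, now=None) -> dict:
        """Return current temporary credentials, refreshing within the margin of expiry."""
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds["Expiration"] - self.margin <= now:
            self._creds = self.sts.assume_role(**self.assume_role_kwargs())["Credentials"]
        return self._creds


class FakeSts:
    """Constructed stand-in for the boto3 STS client so the example runs offline."""
    def __init__(self, now):
        self.calls, self.now = 0, now

    def assume_role(self, **kw):
        self.calls += 1
        return {"Credentials": {"AccessKeyId": f"ASIACONSTRUCTED{self.calls}",
                                "SecretAccessKey": "constructed", "SessionToken": "constructed",
                                "Expiration": self.now + timedelta(seconds=kw["DurationSeconds"])}}
```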
A developer is building a serverless application by using AWS Serverless Application Model (AWS SAM) on multiple AWS Lambda functions.
When the application is deployed, the developer wants to shift 10% of the traffic to the new deployment of the application for the first 10 minutes after deployment. If there are no issues, all traffic must switch over to the new version.
Which change to the AWS SAM template will meet these requirements?
- A . Set the Deployment Preference Type to Canary10Percent10Minutes. Set the AutoPublishAlias property to the Lambda alias.
- B . Set the Deployment Preference Type to Linear10PercentEvery10Minutes. Set the AutoPublishAlias property to the Lambda alias.
- C . Set the Deployment Preference Type to Canary10Percent10Minutes. Set the PreTraffic and PostTraffic properties to the Lambda alias.
- D . Set the Deployment Preference Type to Linear10PercentEvery10Minutes. Set the PreTraffic and PostTraffic properties to the Lambda alias.
A
Explanation:
The AWS Serverless Application Model (AWS SAM) has built-in integration with AWS CodeDeploy to provide gradual AWS Lambda deployments. The DeploymentPreference property in AWS SAM allows you to specify the type of deployment that you want. The Canary10Percent10Minutes option means that 10 percent of your customer traffic is immediately shifted to your new version; after 10 minutes, all traffic is shifted to the new version. The AutoPublishAlias property in AWS SAM allows AWS SAM to automatically create an alias that points to the updated version of the Lambda function. Therefore, option A is correct.
A company is building a serverless application on AWS. The application uses an AWS Lambda function to process customer orders 24 hours a day, 7 days a week. The Lambda function calls an external vendor’s HTTP API to process payments.
During load tests, a developer discovers that the external vendor payment processing API occasionally times out and returns errors. The company expects that some payment processing API calls will return errors.
The company wants the support team to receive notifications in near real time only when the payment processing external API error rate exceeds 5% of the total number of transactions in an hour. Developers need to use an existing Amazon Simple Notification Service (Amazon SNS) topic that is configured to notify the support team.
Which solution will meet these requirements?
- A . Write the results of payment processing API calls to Amazon CloudWatch. Use Amazon CloudWatch Logs Insights to query the CloudWatch logs. Schedule the Lambda function to check the CloudWatch logs and notify the existing SNS topic.
- B . Publish custom metrics to CloudWatch that record the failures of the external payment processing API calls. Configure a CloudWatch alarm to notify the existing SNS topic when error rate exceeds the specified rate.
- C . Publish the results of the external payment processing API calls to a new Amazon SNS topic. Subscribe the support team members to the new SNS topic.
- D . Write the results of the external payment processing API calls to Amazon S3. Schedule an Amazon Athena query to run at regular intervals. Configure Athena to send notifications to the existing SNS topic when the error rate exceeds the specified rate.
B
Explanation:
Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can publish custom metrics to CloudWatch that record the failures of the external payment processing API calls. The developer can configure a CloudWatch alarm to notify the existing SNS topic when the error rate exceeds 5% of the total number of transactions in an hour. This solution will meet the requirements in a near real-time and scalable way.
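How option B looks in practice, as an added example that is not part of the original question bank: the Lambda function emits a success and a failure count for every vendor call, and the alarm uses CloudWatch metric math over a 3600-second period so it fires on the hourly error rate rather than on a raw failure count. The namespace, metric names, alarm name and SNS topic ARN are assumptions; the functions build the request parameters, and the `__main__` block sends them with boto3.

```python
"""Custom metrics plus a metric-math alarm for a 5% hourly error rate on the payment API."""
from datetime import datetime, timezone

NAMESPACE = "PaymentsApp"             # assumption
SUCCESS_METRIC = "PaymentApiSuccess"  # assumption
FAILURE_METRIC = "PaymentApiFailure"  # assumption


def metric_data_for_call(succeeded: bool, now=None) -> dict:
    """Kwargs for cloudwatch.put_metric_data recording one vendor API call.
    Both metrics are always emitted (1 or 0) so the hourly total is defined
    even in hours with no failures at all."""
    ts = now or datetime.now(timezone.utc)
    return {
        "Namespace": NAMESPACE,
        "MetricData": [
            {"MetricName": SUCCESS_METRIC, "Timestamp": ts, "Unit": "Count",
             "Value": 1 if succeeded else 0},
            {"MetricName": FAILURE_METRIC, "Timestamp": ts, "Unit": "Count",
             "Value": 0 if succeeded else 1},
        ],
    }


def error_rate_alarm(topic_arn: str, threshold_pct: float = 5.0) -> dict:
    """Kwargs for cloudwatch.put_metric_alarm. The two Sum series are hidden
    (ReturnData False) and only the computed rate is evaluated against the threshold."""
    def hourly_sum(metric_id, metric_name):
        return {"Id": metric_id, "ReturnData": False,
                "MetricStat": {"Metric": {"Namespace": NAMESPACE, "MetricName": metric_name},
                               "Period": 3600, "Stat": "Sum"}}
    return {
        "AlarmName": "PaymentApiErrorRateOver5Percent",
        "Metrics": [
            hourly_sum("failures", FAILURE_METRIC),
            hourly_sum("successes", SUCCESS_METRIC),
            {"Id": "error_rate", "ReturnData": True,
             "Expression": "100 * failures / (failures + successes)",
             "Label": "Payment API error rate (%)"},
        ],
        "ComparisonOperator": "GreaterThanThreshold",
        "Threshold": threshold_pct,
        "EvaluationPeriods": 1,
        "TreatMissingData": "notBreaching",  # an hour with zero calls is not an outage
        "AlarmActions": [topic_arn],
    }


if __name__ == "__main__":
    import boto3  # needed only to send the requests to AWS
    cw = boto3.client("cloudwatch")
    cw.put_metric_data(**metric_data_for_call(succeeded=False))
    cw.put_metric_alarm(**error_rate_alarm("arn:aws:sns:us-east-1:123456789012:support-team"))
```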
Reference: [What Is Amazon CloudWatch? – Amazon CloudWatch]
[Publishing Custom Metrics – Amazon CloudWatch]
[Creating Amazon CloudWatch Alarms – Amazon CloudWatch]
An application uses AWS X-Ray to generate a large amount of trace data on an hourly basis. A developer wants to use filter expressions to limit the returned results through user-specified custom attributes.
How should the developer use filter expressions to filter the results in X-Ray?
- A . Add custom attributes as annotations in the segment document.
- B . Add custom attributes as metadata in the segment document.
- C . Add custom attributes as new segment fields in the segment document.
- D . Create new sampling rules that are based on custom attributes.
A
Explanation:
In AWS X-Ray, filter expressions can filter trace data based on indexed fields that X-Ray can query efficiently. Custom data can be added to segments in two main ways: annotations and metadata. The critical difference is that annotations are indexed and can be used for filtering, while metadata is not indexed and is intended for additional diagnostic context that you do not typically query on.
Therefore, if the developer wants user-specified custom attributes to be usable in X-Ray filter expressions, the developer should record those attributes as annotations in the segment document. Once recorded as annotations, the developer can write filter expressions that match annotation keys/values and return only the relevant traces.
Option B is incorrect because metadata is not indexed and cannot be used in filter expressions for trace search the same way annotations can.
Option C is incorrect because segment documents have a defined schema; adding arbitrary “new segment fields” is not the intended method for searchable custom attributes.
Option D is unrelated: sampling rules control which requests get traced in the first place. They are not used to filter returned results by custom attributes after traces are recorded.
An application reads data from an Amazon Aurora global database with clusters in two AWS Regions. Database credentials are stored in AWS Secrets Manager in the primary Region and are rotated regularly.
The application must be able to run in both Regions and remain highly available.
Which combination of actions will meet these requirements? (Select TWO.)
- A . Configure the application to retrieve database credentials from the secret in the primary Region.
- B . Replicate the secret to the secondary Region and configure the application to retrieve credentials from the replica secret.
- C . Replicate the secret and promote the replica to a standalone secret.
- D . Store the database endpoint and credentials as a secret and connect to the secret.
- E . Store credentials in environment variables in the secondary Region.
A, B
Explanation:
AWS Secrets Manager supports cross-Region secret replication, which allows secrets to be automatically copied to other Regions and kept in sync during rotation. AWS documentation recommends secret replication for multi-Region applications to ensure local access and reduce dependency on cross-Region calls.
In this scenario, the primary Region continues to retrieve credentials from the original secret (Option A). The secondary Region retrieves credentials from the replica secret (Option B), ensuring low latency and resilience during Regional failures.
Promoting the replica to a standalone secret (Option C) breaks automatic rotation synchronization and increases operational overhead. Environment variables (Option E) are not suitable for rotating credentials.
Option D is vague and does not address multi-Region availability.
Thus, using the primary secret and a replicated secret is the correct approach.
