Practice Free DVA-C02 Exam Online Questions
Question #111
A social media application stores millions of video clips in Amazon S3 and serves them to users across the world. The traffic to the application varies, but access often increases suddenly to more than 10,000 PUT requests and GET requests each second. As the application has grown in popularity, users report poor quality of video streaming.
Which solution will provide the LARGEST improvement in performance?
- A . Create an Amazon Route 53 geolocation routing policy.
- B . Duplicate content in multiple AWS Regions by using S3 Cross-Region Replication.
- C . Use S3 Intelligent-Tiering to move data based on access patterns.
- D . Create an Amazon CloudFront distribution with Amazon S3 as an origin.
Correct Answer: D
D
Explanation:
The correct answer is D because Amazon CloudFront is the AWS content delivery network (CDN) designed to improve performance for users who access content globally. In this scenario, the application serves millions of video clips from Amazon S3 to users around the world, and the main problem is poor streaming quality as traffic scales. CloudFront addresses this by caching content at edge locations that are geographically closer to users, reducing latency and improving throughput.
AWS documentation emphasizes that CloudFront works especially well with Amazon S3 as an origin for static and streaming content. Instead of every viewer retrieving video data directly from the S3 bucket’s Region, CloudFront serves cached objects from nearby edge locations. This provides a major performance boost for global audiences and helps absorb large traffic spikes more efficiently.
Option A is incorrect because Route 53 geolocation routing directs DNS queries based on location, but it does not cache or accelerate video delivery.
Option B can improve regional redundancy, but simply replicating objects across Regions does not automatically provide fast global delivery or edge caching.
Option C is about storage cost optimization, not delivery performance.
CloudFront is also well suited for sudden spikes in traffic because AWS’s edge network is built for high-scale distribution. For video streaming workloads, the reduction in latency and the ability to serve content from nearby cached locations usually provide the largest performance improvement compared to the other options.
Therefore, the best solution is to create an Amazon CloudFront distribution with Amazon S3 as the origin, making D the correct answer.
D
Explanation:
The correct answer is D because Amazon CloudFront is the AWS content delivery network (CDN) designed to improve performance for users who access content globally. In this scenario, the application serves millions of video clips from Amazon S3 to users around the world, and the main problem is poor streaming quality as traffic scales. CloudFront addresses this by caching content at edge locations that are geographically closer to users, reducing latency and improving throughput.
AWS documentation emphasizes that CloudFront works especially well with Amazon S3 as an origin for static and streaming content. Instead of every viewer retrieving video data directly from the S3 bucket’s Region, CloudFront serves cached objects from nearby edge locations. This provides a major performance boost for global audiences and helps absorb large traffic spikes more efficiently.
Option A is incorrect because Route 53 geolocation routing directs DNS queries based on location, but it does not cache or accelerate video delivery.
Option B can improve regional redundancy, but simply replicating objects across Regions does not automatically provide fast global delivery or edge caching.
Option C is about storage cost optimization, not delivery performance.
CloudFront is also well suited for sudden spikes in traffic because AWS’s edge network is built for high-scale distribution. For video streaming workloads, the reduction in latency and the ability to serve content from nearby cached locations usually provide the largest performance improvement compared to the other options.
Therefore, the best solution is to create an Amazon CloudFront distribution with Amazon S3 as the origin, making D the correct answer.
Question #112
A company is using Amazon API Gateway to develop an API for its application on AWS. A developer needs to test and generate API responses. Other teams are required to test the API immediately.
What should the developer do to meet these requirements?
- A . Set up a mock integration request in API Gateway. Configure the method’s integration request and integration response to associate a response with a given status code.
- B . Set up the request validators in the API’s OpenAPI definition file. Import the OpenAPI definitions into API Gateway to test the API.
- C . Set up a gateway response for the API in API Gateway. Configure response headers with hardcoded HTTP status codes and responses.
- D . Set up a request parameter-based Lambda authorizer to control access to the API. Configure the Lambda function with the necessary mapping template.
Correct Answer: A
A
Explanation:
API Gateway mock integration is designed for exactly this situation: generating API responses directly from API Gateway without requiring a working backend. This lets dependent teams test immediately while the real backend is still being developed. The developer can configure the integration request and integration response mapping to return specific payloads and status codes. Request validators check incoming requests but do not generate backend responses. Gateway responses customize API Gateway-generated error responses, not normal business responses for application testing. A Lambda authorizer controls access and would require a Lambda function, which adds unnecessary implementation work. AWS documentation confirms that mock integrations let API developers generate responses directly from API Gateway and unblock teams before backend development is complete. (AWS Documentation)
A
Explanation:
API Gateway mock integration is designed for exactly this situation: generating API responses directly from API Gateway without requiring a working backend. This lets dependent teams test immediately while the real backend is still being developed. The developer can configure the integration request and integration response mapping to return specific payloads and status codes. Request validators check incoming requests but do not generate backend responses. Gateway responses customize API Gateway-generated error responses, not normal business responses for application testing. A Lambda authorizer controls access and would require a Lambda function, which adds unnecessary implementation work. AWS documentation confirms that mock integrations let API developers generate responses directly from API Gateway and unblock teams before backend development is complete. (AWS Documentation)
Question #113
A developer is building an application that stores sensitive user data. The application includes an Amazon CloudFront distribution and multiple AWS Lambda functions that handle user requests.
User requests contain more than 20 data fields. Each application transaction includes sensitive data
that must be encrypted. Only specific parts of the application must be able to decrypt the data.
Which solution will meet these requirements?
- A . Associate the CloudFront distribution with a Lambda@Edge function. Configure the function to perform field-level asymmetric encryption by using a user-defined RSA public key stored in AWS KMS.
- B . Integrate AWS WAF with CloudFront and use a Lambda function with self-managed keys to encrypt and decrypt the data.
- C . Configure the CloudFront distribution to use field-level encryption. Create an asymmetric AWS KMS key and configure CloudFront to use the key.
- D . Configure CloudFront to require HTTPS and require users to access content by using signed URLs or signed cookies.
Correct Answer: C
C
Explanation:
Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption, ensuring that only authorized application components that possess the private key can decrypt the data.
This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.
Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.
Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available.
Option D only secures transport and access control and does not encrypt individual data fields.
Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.
C
Explanation:
Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption, ensuring that only authorized application components that possess the private key can decrypt the data.
This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.
Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.
Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available.
Option D only secures transport and access control and does not encrypt individual data fields.
Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.
Question #114
A developer is setting up a deployment pipeline. The pipeline includes an AWS CodeBuild build stage that requires access to a database to run integration tests. The developer is using a buildspec.yml file to configure the database connection. Company policy requires automatic rotation of all database credentials.
Which solution will handle the database credentials MOST securely?
- A . Retrieve the credentials from variables that are hardcoded in the buildspec.yml file. Configure an AWS Lambda function to rotate the credentials.
- B . Retrieve the credentials from an environment variable that is linked to a SecureString parameter in AWS Systems Manager Parameter Store. Configure Parameter Store for automatic rotation.
- C . Retrieve the credentials from an environment variable that is linked to an AWS Secrets Manager secret. Configure Secrets Manager for automaticrotation.
- D . Retrieve the credentials from an environment variable that contains the connection string in plaintext. Configure an Amazon EventBridge event to rotate the credentials.
Correct Answer: B
Question #115
A developer is integrating Amazon ElastiCache in an application. The cache will store data from a database. The cached data must populate real-time dashboards.
Which caching strategy will meet these requirements?
- A . A read-through cache
- B . A write-behind cache
- C . A lazy-loading cache
- D . A write-through cache
Correct Answer: D
Question #116
A developer is building a financial application on AWS that processes sensitive cardholder data and personally identifiable information (PII). The developer needs a solution to encrypt all application data in transit and data at rest. The solution must ensure that the developer can manage encryption keys.
Which solution will meet these requirements?
- A . Use AWS KMS to implement envelope encryption by using the AWS Encryption SDK.
- B . Store encryption keys as a SecureString parameter in AWS Systems Manager Parameter Store.
Fetch the keys at application startup. Use standard HTTPS for calls. - C . Store encryption keys directly in AWS Secrets Manager. Create an AWS Lambda function to automatically handle encryption.
- D . Upload sensitive data directly from the application to an Amazon S3 bucket. Configure the S3 bucket to use server-side encryption with Amazon S3 managed keys (SSE-S3) as the default encryption.
Correct Answer: A
A
Explanation:
The correct answer is A because the requirement is to encrypt data in transit and data at rest while ensuring that the developer can manage encryption keys. AWS Key Management Service (AWS KMS) is the AWS-managed service specifically designed for creating, controlling, and auditing cryptographic keys. When used with the AWS Encryption SDK, it supports envelope encryption, a recommended pattern for protecting sensitive application data.
In this model, the application uses data keys to encrypt the actual sensitive data, while AWS KMS protects and manages the master keys that encrypt those data keys. This provides strong security and centralized key management, including access control through IAM, key rotation options, and auditability through AWS logging integrations. For data in transit, the application should also use TLS/HTTPS, which is standard AWS guidance for secure communications.
Option B is incorrect because Parameter Store is not the correct mechanism for directly managing application encryption keys in this way. SecureString protects stored values, but it is not a substitute for using KMS as the primary managed key service for encryption architecture.
Option C is incorrect because Secrets Manager is intended for storing secrets such as passwords and tokens, not as the main key management system for application encryption design.
Option D is incorrect because SSE-S3 uses Amazon S3-managed keys, not customer-managed KMS keys, so it does not satisfy the requirement that the developer be able to manage encryption keys.
Therefore, AWS KMS with envelope encryption through the AWS Encryption SDK is the most appropriate and secure solution.
A
Explanation:
The correct answer is A because the requirement is to encrypt data in transit and data at rest while ensuring that the developer can manage encryption keys. AWS Key Management Service (AWS KMS) is the AWS-managed service specifically designed for creating, controlling, and auditing cryptographic keys. When used with the AWS Encryption SDK, it supports envelope encryption, a recommended pattern for protecting sensitive application data.
In this model, the application uses data keys to encrypt the actual sensitive data, while AWS KMS protects and manages the master keys that encrypt those data keys. This provides strong security and centralized key management, including access control through IAM, key rotation options, and auditability through AWS logging integrations. For data in transit, the application should also use TLS/HTTPS, which is standard AWS guidance for secure communications.
Option B is incorrect because Parameter Store is not the correct mechanism for directly managing application encryption keys in this way. SecureString protects stored values, but it is not a substitute for using KMS as the primary managed key service for encryption architecture.
Option C is incorrect because Secrets Manager is intended for storing secrets such as passwords and tokens, not as the main key management system for application encryption design.
Option D is incorrect because SSE-S3 uses Amazon S3-managed keys, not customer-managed KMS keys, so it does not satisfy the requirement that the developer be able to manage encryption keys.
Therefore, AWS KMS with envelope encryption through the AWS Encryption SDK is the most appropriate and secure solution.
Question #117
A company runs an application that currently uploads content to an unencrypted Amazon S3 bucket. The S3 bucket contains millions of objects that total more than 2 TB in size. A new company policy requires all data to be encrypted. The company creates an AWS KMS key to use for encryption.
Which solution will meet this requirement MOST cost-effectively?
- A . Modify the properties of the S3 bucket. Enable default encryption, select SSE-KMS, and specify the Amazon Resource Name (ARN) of the provided KMS key.
- B . Create an S3 bucket policy that denies any PutObject requests that do not include the x-amz-server-side-encryption header that specifies the Amazon Resource Name (ARN) of the provided KMS key. Apply this policy to the bucket.
- C . Configure an Amazon S3 Batch Operations job. Choose the source bucket that contains the unencrypted objects. Select the COPY operation. Specify the source bucket as the destination. In the copy operation parameters, specify the Amazon Resource Name (ARN) of the provided KMS key.
- D . Develop a script by using the AWS SDK. Configure the script to iterate through all objects in the bucket and download each object locally. Ensure that the script then re-uploads each object to the same object key name and specifies server-side encryption with the KMS key during the re-upload.
Correct Answer: C
C
Explanation:
Option C is correct because the requirement applies to existing unencrypted objects, not only future uploads. Enabling default bucket encryption affects new objects going forward, but it does not automatically re-encrypt millions of existing objects already stored in the bucket. An S3 bucket policy can prevent future unencrypted uploads, but it also does not remediate existing data. Amazon S3 Batch Operations is designed for large-scale operations across many objects. AWS documentation states that Batch Operations can use the Copy operation to copy existing unencrypted objects back to the same bucket and write them as encrypted objects. This avoids building and operating a custom script and is more cost-effective and operationally efficient for millions of objects totaling more than 2 TB.
C
Explanation:
Option C is correct because the requirement applies to existing unencrypted objects, not only future uploads. Enabling default bucket encryption affects new objects going forward, but it does not automatically re-encrypt millions of existing objects already stored in the bucket. An S3 bucket policy can prevent future unencrypted uploads, but it also does not remediate existing data. Amazon S3 Batch Operations is designed for large-scale operations across many objects. AWS documentation states that Batch Operations can use the Copy operation to copy existing unencrypted objects back to the same bucket and write them as encrypted objects. This avoids building and operating a custom script and is more cost-effective and operationally efficient for millions of objects totaling more than 2 TB.
Question #118
A developer is working on a serverless application that needs to process any changes to an Amazon DynamoDB table with an AWS Lambda function.
How should the developer configure the Lambda function to detect changes to the DynamoDB table?
- A . Create an Amazon Kinesis data stream, and attach it to the DynamoDB table. Create a trigger to connect the data stream to the Lambda function.
- B . Create an Amazon EventBridge rule to invoke the Lambda function on a regular schedule. Conned to the DynamoDB table from the Lambda function to detect changes.
- C . Enable DynamoDB Streams on the table. Create a trigger to connect the DynamoDB stream to the Lambda function.
- D . Create an Amazon Kinesis Data Firehose delivery stream, and attach it to the DynamoDB table.
Configure the delivery stream destination as the Lambda function.
Correct Answer: C
C
Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.
Reference: [Amazon DynamoDB]
[DynamoDB Streams – Amazon DynamoDB]
[Using AWS Lambda with Amazon DynamoDB – AWS Lambda]
C
Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.
Reference: [Amazon DynamoDB]
[DynamoDB Streams – Amazon DynamoDB]
[Using AWS Lambda with Amazon DynamoDB – AWS Lambda]
Question #119
A developer is writing a serverless application that requires an AWS Lambda function to be invoked every 10 minutes.
What is an automated and serverless way to invoke the function?
- A . Deploy an Amazon EC2 instance based on Linux, and edit its /etc/confab file by adding a command to periodically invoke the lambda function
- B . Configure an environment variable named PERIOD for the Lambda function. Set the value to 600.
- C . Create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function.
- D . Create an Amazon Simple Notification Service (Amazon SNS) topic that has a subscription to the Lambda function with a 600-second timer.
Correct Answer: C
C
Explanation:
The solution that will meet the requirements is to create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function. This way, the developer can use an automated and serverless way to invoke the function every 10 minutes. The developer can also use a cron expression or a rate expression to specify the schedule for the rule. The other options either involve using an Amazon EC2 instance, which is not serverless, or using environment variables or query parameters, which do not trigger the function.
Reference: Schedule AWS Lambda functions using EventBridge
C
Explanation:
The solution that will meet the requirements is to create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function. This way, the developer can use an automated and serverless way to invoke the function every 10 minutes. The developer can also use a cron expression or a rate expression to specify the schedule for the rule. The other options either involve using an Amazon EC2 instance, which is not serverless, or using environment variables or query parameters, which do not trigger the function.
Reference: Schedule AWS Lambda functions using EventBridge
Question #120
A company’s application runs on a fleet of Amazon EC2 instances in a VPC within private subnets that do not have public internet access. The company uses Amazon CloudWatch to monitor the application.
A developer is troubleshooting an issue with the application. Some performance metrics are not being published to CloudWatch. The developer uses EC2 Instance Connect to access an EC2 instance. The developer verifies that a CloudWatch agent is pre-installed and running.
The developer needs to ensure that the performance metrics are published to CloudWatch.
Which solution will meet this requirement in the MOST secure way?
- A . Attach the CloudWatchAgentAdminPolicy managed IAM policy to the IAM role that is associated with the EC2 instance profile. Provision a NAT gateway in a public subnet.
- B . Add a user data script to install and start up the CloudWatch agent automatically when the EC2 instances are first booted up.
- C . Attach the CloudWatchAgentServerPolicy managed IAM policy to the IAM role that is associated with the EC2 instance profile. Provision a VPC interface endpoint for CloudWatch.
- D . Attach the CloudWatchReadOnlyAccess managed IAM policy to the IAM role that is associated with the EC2 instance profile. Provision a VPC interface endpoint for CloudWatch.
Correct Answer: C
C
Explanation:
The EC2 instances are in private subnets with no public internet access, yet the CloudWatch agent must publish metrics to Amazon CloudWatch. To send metrics, the instances need: (1) network connectivity to CloudWatch APIs, and (2) IAM permissions that allow the agent to publish metrics
and logs.
The most secure approach is to avoid opening outbound internet access via a NAT gateway (which increases the network attack surface) and instead use AWS PrivateLink through a VPC interface endpoint for CloudWatch. An interface endpoint provides private connectivity from the VPC to CloudWatch without traversing the public internet.
On the permissions side, AWS provides the managed IAM policy CloudWatchAgentServerPolicy, which is intended for the CloudWatch agent running on servers to publish metrics/logs. Attaching this policy to the EC2 instance profile role provides the needed permissions while keeping scope appropriate (unlike an admin policy).
Why the other options are not best:
A uses CloudWatchAgentAdminPolicy (broader permissions than needed) and a NAT gateway (public internet path). That is not “most secure.”
B is irrelevant here because the agent is already installed and running; the issue is publishing connectivity/permissions.
D grants read-only access, which cannot publish metrics, so it cannot fix the issue.
Therefore, attach CloudWatchAgentServerPolicy to the instance role and create a VPC interface endpoint for CloudWatch.
C
Explanation:
The EC2 instances are in private subnets with no public internet access, yet the CloudWatch agent must publish metrics to Amazon CloudWatch. To send metrics, the instances need: (1) network connectivity to CloudWatch APIs, and (2) IAM permissions that allow the agent to publish metrics
and logs.
The most secure approach is to avoid opening outbound internet access via a NAT gateway (which increases the network attack surface) and instead use AWS PrivateLink through a VPC interface endpoint for CloudWatch. An interface endpoint provides private connectivity from the VPC to CloudWatch without traversing the public internet.
On the permissions side, AWS provides the managed IAM policy CloudWatchAgentServerPolicy, which is intended for the CloudWatch agent running on servers to publish metrics/logs. Attaching this policy to the EC2 instance profile role provides the needed permissions while keeping scope appropriate (unlike an admin policy).
Why the other options are not best:
A uses CloudWatchAgentAdminPolicy (broader permissions than needed) and a NAT gateway (public internet path). That is not “most secure.”
B is irrelevant here because the agent is already installed and running; the issue is publishing connectivity/permissions.
D grants read-only access, which cannot publish metrics, so it cannot fix the issue.
Therefore, attach CloudWatchAgentServerPolicy to the instance role and create a VPC interface endpoint for CloudWatch.