Practice Free DVA-C02 Exam Online Questions
A developer maintains applications that store several secrets in AWS Secrets Manager. The applications use secrets that have changed over time. The developer needs to identify required secrets that are still in use. The developer does not want to cause any application downtime.
What should the developer do to meet these requirements?
- A . Configure an AWS CloudTrail log file delivery to an Amazon S3 bucket. Create an Amazon CloudWatch alarm for the GetSecretValue Secrets Manager API operation requests.
- B . Create a secretsmanager-secret-unused AWS Config managed rule. Create an Amazon EventBridge rule to initiate a notification when the AWS Config managed rule is met.
- C . Deactivate the applications' secrets and monitor the applications' error logs temporarily.
- D . Configure AWS X-Ray for the applications. Create a sampling rule to match the GetSecretValue Secrets Manager API operation requests.
B
Explanation:
This solution will meet the requirements by using AWS Config to monitor and evaluate whether Secrets Manager secrets are unused or have been deleted, based on specified time periods. The secretsmanager-secret-unused managed rule is a predefined rule that checks whether Secrets Manager secrets have been rotated within a specified number of days or have been deleted within a specified number of days after the last accessed date. The Amazon EventBridge rule will trigger a notification when the AWS Config managed rule is met, alerting the developer about unused secrets that can be removed without causing application downtime.
Option A is not optimal because it will use AWS CloudTrail log file delivery to an Amazon S3 bucket, which will incur additional costs and complexity for storing and analyzing log files that may not contain relevant information about secret usage.
Option C is not optimal because it will deactivate the application secrets and monitor the application error logs temporarily, which will cause application downtime and potential data loss.
Option D is not optimal because it will use AWS X-Ray to trace secret usage, which will introduce additional overhead and latency for instrumenting and sampling requests that may not be related to secret usage.
Reference: [AWS Config Managed Rules], [Amazon EventBridge]
A developer is building an application that stores sensitive data files in an Amazon S3 bucket. Company security policies require that files be encrypted by using AWS KMS keys. An application in a second AWS account must access the files.
Which combination of solutions will meet these requirements? (Select THREE.)
- A . Encrypt the files using server-side encryption with AWS KMS (SSE-KMS) and an AWS-managed KMS key.
- B . Create an S3 bucket policy that allows access from the second AWS account.
- C . Update the AWS KMS key policy to allow access from the second AWS account.
- D . Create an IAM role that trusts the Amazon S3 service principal.
- E . Encrypt the files using server-side encryption with AWS KMS and a customer-managed KMS key.
- F . Configure default bucket encryption with SSE-S3.
B, C, E
Explanation:
When sharing SSE-KMS-encrypted S3 objects across AWS accounts, AWS documentation states that three elements are required:
A customer-managed KMS key (Option E), because AWS-managed keys cannot be shared across accounts.
An S3 bucket policy (Option B) that grants the second account permission to access the objects.
A KMS key policy (Option C) that explicitly allows the second account to use the KMS key for decrypt operations.
Option A is incorrect because AWS-managed KMS keys cannot be shared.
Option F uses SSE-S3, which does not use KMS and violates the encryption requirement.
Option D is irrelevant because cross-account access does not require an S3 service role.
Therefore, the correct combination is B, C, and E.
A company runs an ecommerce application on AWS. The application stores data in an Amazon Aurora database.
A developer is adding a caching layer to the application. The caching strategy must ensure that the application always uses the most recent value for each data item.
Which caching strategy will meet these requirements?
- A . Implement a TTL strategy for every item that is saved in the cache.
- B . Implement a write-through strategy for every item that is created and updated.
- C . Implement a lazy loading strategy for every item that is loaded.
- D . Implement a read-through strategy for every item that is loaded.
An application writes transactions to an Amazon DynamoDB table by using the PutItem operation. Each transaction has a unique transactionId. Sometimes duplicate transactions are received. The developer wants to ensure that a duplicate PutItem does not overwrite an existing item. Duplicate transactions are rare.
What is the MOST cost-effective solution?
- A . Call GetItem before calling PutItem.
- B . Enable TTL on the table.
- C . Use a conditional put with attribute_exists(transactionId).
- D . Use a conditional put with attribute_not_exists(transactionId).
D
Explanation:
Amazon DynamoDB supports conditional writes, which allow developers to enforce data integrity rules directly at the database layer. AWS documentation states that conditional expressions are the recommended way to prevent accidental overwrites and ensure idempotent writes.
Using a PutItem operation with the condition expression attribute_not_exists(transactionId) ensures that the write succeeds only if the item does not already exist. If a duplicate transaction is received, DynamoDB rejects the request without modifying the existing record.
This approach is highly cost-effective because it avoids additional read operations.
Option A doubles request cost by performing a read before every write. TTL (Option B) is unrelated to overwrite prevention.
Option C does the opposite of the requirement by ensuring the attribute exists.
AWS explicitly recommends conditional writes for handling duplicates and enforcing uniqueness with minimal cost and latency.
Therefore, implementing a conditional put with attribute_not_exists(transactionId) is the correct solution.
A company is building an ecommerce application. The company stores the application’s static content in an Amazon S3 bucket. The application stores data that includes personally identifiable information (PII). The application makes dynamic requests in JSON format through an Amazon CloudFront distribution to an Amazon API Gateway REST API. The REST API invokes an AWS Lambda function that stores and queries data in Amazon DynamoDB.
The company must ensure that all PII data is encrypted at rest in DynamoDB. The company must also protect specific data fields more granularly. The company must ensure that the specified fields are encrypted at the edge. The specified fields must remain encrypted throughout the full stack of the application.
Which solution will meet these requirements?
- A . Configure a Lambda@Edge function to identify and encrypt the sensitive fields. Associate the function with the CloudFront distribution.
- B . Create an RSA key pair. Configure the CloudFront distribution to use field-level encryption directly.
- C . Create an AWS KMS key. Update the Lambda function to encrypt the data before inserting the data into DynamoDB. Configure the function to decrypt the data after retrieval.
- D . Create a new resource on the existing REST API and add a new POST method to the new resource. Configure the POST method to invoke the Lambda function and an AWS KMS key to encrypt the sensitive data fields.
B
Explanation:
The requirement is specific: certain JSON fields must be encrypted at the edge (before traversing the origin path) and must remain encrypted end-to-end through CloudFront → API Gateway → Lambda → DynamoDB. The AWS feature designed for encrypting specific fields at the edge is CloudFront field-level encryption. With field-level encryption, CloudFront encrypts designated fields in an HTTPS request before forwarding the request to the origin. The origin (API Gateway/Lambda) receives the encrypted values, and only trusted components that have the private key can decrypt them, ensuring the fields remain protected throughout the stack.
Option B matches this exactly: field-level encryption uses an asymmetric key pair (public key used by CloudFront to encrypt; private key held securely by the application for decryption). This satisfies “encrypted at the edge” and “remain encrypted throughout the full stack.”
The “PII encrypted at rest in DynamoDB” requirement is also satisfied because DynamoDB supports encryption at rest by default (and can use AWS owned or customer managed KMS keys). Field-level encryption adds granular protection for only the most sensitive attributes beyond standard at-rest encryption.
Option A (Lambda@Edge encryption) could encrypt at the edge, but it requires more custom code, has higher operational complexity, and is not as direct or standard as CloudFront field-level encryption for encrypting request fields.
Option C encrypts in Lambda, not at the edge; the data would already have traversed CloudFront and API Gateway in plaintext form before Lambda encrypts it, violating the “encrypted at the edge” requirement.
Option D is not a defined mechanism for edge encryption; API Gateway methods do not provide edge field encryption with KMS in this way.
Therefore, CloudFront field-level encryption is the correct solution.
A developer is creating a serverless application that uses an AWS Lambda function. The developer will use AWS CloudFormation to deploy the application. The application will write logs to Amazon CloudWatch Logs. The developer has created a log group in a CloudFormation template for the application to use. The developer needs to modify the CloudFormation template to make the name of the log group available to the application at runtime.
Which solution will meet this requirement?
- A . Use the AWS::Include transform in CloudFormation to provide the log group’s name to the application.
- B . Pass the log group’s name to the application in the user data section of the CloudFormation template.
- C . Use the CloudFormation template’s Mappings section to specify the log group’s name for the application.
- D . Pass the log group’s Amazon Resource Name (ARN) as an environment variable to the Lambda function.
D
Explanation:
CloudFormation and Lambda Environment Variables:
CloudFormation is an excellent tool to manage infrastructure as code, including the log group resource.
Lambda functions can access environment variables at runtime, making them a suitable way to pass configuration information like the log group ARN.
CloudFormation Template Modification:
In your CloudFormation template, define the log group resource.
In the Lambda function resource, add an Environment section:
```yaml
Environment:
  Variables:
    # Ref on an AWS::Logs::LogGroup resource resolves to the log group name;
    # !GetAtt LogGroupResourceName.Arn resolves to the log group's ARN.
    LOG_GROUP_ARN: !Ref LogGroupResourceName
```
The !Ref intrinsic function retrieves the log group’s ARN, which CloudFormation generates during stack creation.
Using the ARN in Your Lambda Function:
Within your Lambda code, access the LOG_GROUP_ARN environment variable.
Configure your logging library (e.g., Python’s logging module) to send logs to the specified log group.
Reference: AWS Lambda Environment Variables: https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
CloudFormation !Ref Intrinsic Function: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
A company has an Amazon S3 bucket containing premier content that it intends to make available to only paid subscribers of its website. The S3 bucket currently has default permissions of all objects being private to prevent inadvertent exposure of the premier content to non-paying website visitors.
How can the company limit the ability to download a premier content file in the S3 bucket to paid subscribers only?
- A . Apply a bucket policy that allows anonymous users to download the content from the S3 bucket.
- B . Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download.
- C . Add a bucket policy that requires multi-factor authentication for requests to access the S3 bucket objects.
- D . Enable server-side encryption on the S3 bucket for data protection against the non-paying website visitors.
B
Explanation:
This solution will limit the ability to download a premier content file in the S3 bucket to paid subscribers only because it uses a pre-signed object URL that grants temporary access to an S3 object for a specified duration. The pre-signed object URL can be generated by the company’s website when a paid subscriber requests a download, and can be verified by Amazon S3 using the signature in the URL.
Option A is not optimal because it will allow anyone to download the content from the S3 bucket without verifying their subscription status.
Option C is not optimal because it will require additional steps and costs to configure multi-factor authentication for accessing the S3 bucket objects, which may not be feasible or user-friendly for paid subscribers.
Option D is not optimal because it will not prevent non-paying website visitors from accessing the S3 bucket objects, but only encrypt them at rest.
Reference: Share an Object with Others, [Using Amazon S3 Pre-Signed URLs]
A company has a two-tier application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in an Auto Scaling group. The Auto Scaling group is configured with a lifecycle hook that uses the default health checks for the EC2 instances.
During a recent change deployment, the ALB reported HTTP 502 errors. When a developer checked the target group, some of the EC2 instances were marked as unhealthy. However, the Auto Scaling group was not replacing the unhealthy EC2 instances.
Which configuration change should the developer make to replace the unhealthy EC2 instances?
- A . Increase the cooldown period of the Auto Scaling group from its default value.
- B . Update the lifecycle hook to wait for the application to install.
- C . Update the Auto Scaling group’s health check from Amazon EC2 to Elastic Load Balancing (ELB).
- D . Set the health check grace period for the Auto Scaling group.
C
Explanation:
By default, an Auto Scaling group uses EC2 status checks to determine instance health. EC2 status checks confirm that an instance is running and reachable at the infrastructure level, but they do not validate that the application is healthy behind the load balancer. In this scenario, the ALB is returning HTTP 502 errors and the target group shows instances as unhealthy, meaning the application is failing health checks (or not responding correctly). However, because the Auto Scaling group is using the default EC2 health check type, it does not consider these instances unhealthy for replacement.
AWS recommends configuring the Auto Scaling group to use ELB health checks when instances serve traffic behind an ALB or NLB. With ELB health checks enabled, Auto Scaling evaluates target health as reported by the load balancer target group. If the ALB marks an instance unhealthy, the Auto Scaling group will treat that instance as unhealthy and terminate and replace it automatically, restoring capacity with healthy targets.
Why the other options are insufficient:
Cooldown period (A) affects scaling timing, not health replacement logic.
Lifecycle hook changes (B) can help with initialization timing, but they do not cause Auto Scaling to replace instances based on ALB target health unless ELB health checks are enabled.
Health check grace period (D) delays health evaluation after launch, which can reduce premature replacement, but it still won’t replace instances based on ALB target group status unless the health check type is ELB.
Therefore, switching the Auto Scaling group health check type to Elastic Load Balancing (ELB) is the correct fix.
A company receives food orders from multiple partners. The company has a microservices application that uses Amazon API Gateway APIs with AWS Lambda integration. Each partner sends orders by calling a customized API that is exposed through API Gateway. The API call invokes a shared Lambda function to process the orders.
Partners need to be notified after the Lambda function processes the orders. Each partner must receive updates for only the partner’s own orders. The company wants to add new partners in the future with the fewest code changes possible.
Which solution will meet these requirements in the MOST scalable way?
- A . Create a different Amazon Simple Notification Service (Amazon SNS) topic for each partner. Configure the Lambda function to publish messages for each partner to the partner’s SNS topic.
- B . Create a different Lambda function for each partner. Configure the Lambda function to notify each partner’s service endpoint directly.
- C . Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure the Lambda function to publish messages with specific attributes to the SNS topic. Subscribe each partner to the SNS topic. Apply the appropriate filter policy to the topic subscriptions.
- D . Create one Amazon Simple Notification Service (Amazon SNS) topic. Subscribe all partners to the SNS topic.
C
Explanation:
Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.
Reference: [Amazon Simple Notification Service (SNS)]
[Filtering Messages with Attributes – Amazon Simple Notification Service]
A developer created an AWS Lambda function to process data in an application. The function pulls large objects from an Amazon S3 bucket, processes the data, and loads the processed data into a second S3 bucket. Application users have reported slow response times. The developer checks the logs and finds that Lambda function invocations run much slower than expected. The function itself is simple and has a small deployment package. The function initializes quickly. The developer needs to improve the performance of the application.
Which solution will meet this requirement with the LEAST operational overhead?
- A . Store the data in an Amazon EFS file system. Mount the file system to a local directory in the function.
- B . Create an Amazon EventBridge rule to schedule invocations of the function every minute.
- C . Configure the function to use ephemeral storage. Upload the objects and process data in the /tmp directory.
- D . Create a Lambda layer to package the function dependencies. Add the layer to the function.
C
Explanation:
Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.
Why Option C is Correct:
Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.
Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.
Low Overhead: This approach requires only minimal changes to the function’s configuration.
Why Not Other Options:
Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.
Option B: Scheduling the function does not address the root cause of slow performance.
Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.
Reference: Using Ephemeral Storage in AWS Lambda, Best Practices for S3 and Lambda Performance
