Practice Free DVA-C02 Exam Online Questions
A developer is building two microservices that use an Amazon SQS queue to communicate. The messages that the microservices send to one another contain sensitive information. The developer must ensure the messages are stored and are encrypted at rest.
Which solution will meet these requirements?
- A . Add a policy to the SQS queue that sets the aws:SecureTransport condition.
- B . Configure the microservices to use the server-side encryption (SSE) option within the messages to send messages to the SQS queue.
- C . Enable the server-side encryption (SSE) option on the SQS queue. Ensure the microservices contain the sensitive information within the body of the messages.
- D . Transmit sensitive information as part of the attributes of the messages that the microservices send.
C
Explanation:
The requirement is specifically encryption at rest for messages stored in Amazon SQS. The AWS-native way to accomplish this is to enable server-side encryption (SSE) on the SQS queue. When SSE is enabled, SQS encrypts messages as they are stored and decrypts them when they are retrieved, using keys from AWS Key Management Service (AWS KMS) (either an AWS managed key for SQS or a customer managed KMS key). This provides transparent encryption at rest without requiring application-level cryptography changes.
Option C correctly states to enable SSE on the queue. Once enabled, any message content placed in the message body will be protected at rest in SQS. (Message attributes are also stored by SQS; however, the key requirement is to ensure the messages are encrypted at rest, and enabling SSE at the queue level is the control that enforces this.)
Option A (aws:SecureTransport) enforces encryption in transit by requiring HTTPS/TLS, not encryption at rest. It is a good security control, but it does not satisfy the at-rest requirement by itself.
Option B is incorrect because SSE is not something the sender “sets within the message”; SSE is configured on the queue, not per-message by the microservices.
Option D suggests putting sensitive data in attributes, which does not add security; it can actually increase exposure because attributes are often used for routing/filters and may be logged or surfaced in monitoring. The right pattern is to keep sensitive data where intended and rely on queue-level SSE to encrypt stored messages.
Therefore, enabling SQS SSE on the queue (C) meets the requirement to ensure messages are encrypted at rest while stored in SQS.
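As an added example (not part of the exam page), a small audit over GetQueueAttributes output that checks both controls the explanation contrasts: SSE for data at rest and an aws:SecureTransport deny for data in transit. The queue names, account id and attribute values are constructed sample data.

```python
import json

# Constructed sample of what GetQueueAttributes returns for two queues (not live data).
QUEUES = {
    "orders-encrypted": {
        "SqsManagedSseEnabled": "false",
        "KmsMasterKeyId": "alias/aws/sqs",          # SSE-KMS with the AWS managed key
        "KmsDataKeyReusePeriodSeconds": "300",
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Deny", "Principal": "*", "Action": "sqs:*",
                "Resource": "arn:aws:sqs:us-east-1:111122223333:orders-encrypted",
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }],
        }),
    },
    "orders-plain": {"SqsManagedSseEnabled": "false"},
}


def encrypted_at_rest(attrs):
    """SSE is on when the queue uses a KMS key (SSE-KMS) or SQS-owned keys (SSE-SQS)."""
    return bool(attrs.get("KmsMasterKeyId")) or attrs.get("SqsManagedSseEnabled") == "true"


def enforces_tls(attrs):
    """True if the queue policy denies any access made without TLS (in-transit control)."""
    if "Policy" not in attrs:
        return False
    for stmt in json.loads(attrs["Policy"]).get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def sse_attributes(kms_key_id=None):
    """SetQueueAttributes payload that turns SSE on: SSE-KMS if a key is given, else SSE-SQS."""
    return {"KmsMasterKeyId": kms_key_id} if kms_key_id else {"SqsManagedSseEnabled": "true"}


def audit(queues):
    """Return per-queue findings listing which of the two controls is missing."""
    findings = {}
    for name, attrs in queues.items():
        missing = []
        if not encrypted_at_rest(attrs):
            missing.append("no SSE: stored messages are not encrypted at rest")
        if not enforces_tls(attrs):
            missing.append("no aws:SecureTransport deny: plaintext transport is allowed")
        findings[name] = missing
    return findings
```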
A developer is testing an AWS Lambda function that processes messages from an Amazon SQS queue. Some messages reappear in the queue while they are still being processed.
What should the developer do to correct this behavior?
- A . Increase the Lambda timeout.
- B . Increase the visibility timeout of the SQS queue.
- C . Increase the Lambda memory allocation.
- D . Increase the batch size in the event source mapping.
B
Explanation:
Amazon SQS uses a visibility timeout to prevent other consumers from processing a message while it is being handled. If a Lambda function does not complete processing before the visibility timeout expires, the message becomes visible again and can be processed a second time.
AWS documentation states that the SQS visibility timeout should be greater than the maximum Lambda execution time. If not, messages may be delivered multiple times, even though processing is still in progress.
Increasing the Lambda timeout or memory does not directly affect message visibility. Increasing batch size can worsen the problem by increasing processing time.
Therefore, increasing the SQS visibility timeout is the correct and AWS-recommended solution.
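The following added example (not from the page) models the failure mode: how many times one message is received when processing outruns the visibility timeout, and the visibility timeout AWS recommends for a Lambda event source mapping (at least six times the function timeout plus the batching window). All numbers are constructed.

```python
import math


def receive_count(visibility_timeout, processing_time):
    """How many times a single message is received before the first consumer deletes it.

    The message is received at t=0 and deleted when processing finishes. Every time the
    visibility timeout elapses before that delete, the message reappears and another
    poller receives it again. Assumes a delete landing exactly on a boundary wins.
    """
    if processing_time <= 0:
        return 1
    return max(1, math.ceil(processing_time / visibility_timeout))


def recommended_visibility_timeout(function_timeout, batching_window=0):
    """AWS guidance for SQS event source mappings: at least 6x the Lambda function
    timeout plus MaximumBatchingWindowInSeconds, so retries after throttling fit."""
    return 6 * function_timeout + batching_window


def check_mapping(visibility_timeout, function_timeout, batching_window=0):
    """Return (ok, recommended) for a queue/function pair; SQS's default visibility
    timeout is 30 s, so a 60 s function timeout already fails this check."""
    rec = recommended_visibility_timeout(function_timeout, batching_window)
    return visibility_timeout >= rec, rec
```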
Given the source code for an AWS Lambda function in the local file store.py containing a handler function called getstore and the following AWS CloudFormation template:
Transform: AWS::Serverless-2016-10-31
Resources:
  StoreFunc:
    Type: AWS::Serverless::Function
    Properties:
      Handler: store.getstore
      Runtime: python3.13
What should be done to prepare the template so that it can be deployed using the AWS CLI command aws cloudformation deploy?
- A . Use aws cloudformation compile to base64 encode and embed the source file into a modified CloudFormation template.
- B . Use aws cloudformation package to upload the source code to an Amazon S3 bucket and produce a modified CloudFormation template.
- C . Use aws lambda zip to package the source file together with the CloudFormation template and deploy the resulting .zip archive.
- D . Use aws serverless create-package to embed the source file directly into the existing CloudFormation template.
B
Explanation:
For CloudFormation or AWS SAM templates that reference local artifacts, the source code must be uploaded to Amazon S3 before CloudFormation can deploy it. The aws cloudformation package command scans the template for local artifacts, uploads those artifacts to an S3 bucket, and outputs a modified template that references the S3 object locations. That packaged template can then be deployed with aws cloudformation deploy. There is no standard aws cloudformation compile, aws lambda zip, or aws serverless create-package command for this workflow. The Transform: AWS::Serverless-2016-10-31 declaration means SAM resources are being transformed through CloudFormation, but local code artifacts still need packaging. AWS documentation describes aws cloudformation package as the command for uploading local artifacts referenced by a CloudFormation template to S3. (AWS Documentation)
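To show what aws cloudformation package does to this template, here is an added Python model (not the AWS CLI's own code) that zips constructed source files, rewrites the function's local CodeUri to an s3:// URI named by the artifact's hash, and leaves already-packaged s3:// references alone. The template is the question's YAML as a dict; the bucket name, file contents and SHA-256 naming are assumptions of the example (the real command uses MD5 names).

```python
import hashlib
import io
import zipfile
from copy import deepcopy

# The question's template as a dict. With no CodeUri, SAM packages the directory the
# template lives in; this example models that directory with the `files` argument.
TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "StoreFunc": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "store.getstore", "Runtime": "python3.13"},
        }
    },
}


def zip_sources(files):
    """Deterministically zip {path: bytes} in memory (fixed timestamps keep hashes stable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files):
            info = zipfile.ZipInfo(path, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[path])
    return buf.getvalue()


def zip_names(blob):
    """Sorted member names of a zip artifact (used to inspect what was packaged)."""
    return sorted(zipfile.ZipFile(io.BytesIO(blob)).namelist())


def is_local(code_uri):
    """A string CodeUri that is not already an s3:// URI refers to a local path."""
    return isinstance(code_uri, str) and not code_uri.startswith("s3://")


def package(template, bucket, files, prefix=""):
    """Return (packaged_template, {s3_key: zip_bytes}) without mutating the input.

    Mirrors `aws cloudformation package --s3-bucket <bucket> --s3-prefix <prefix>`:
    every serverless function whose CodeUri is local gets its artifact uploaded and the
    CodeUri replaced by the S3 location; the key is the artifact's SHA-256 (assumption).
    """
    out = deepcopy(template)
    uploads = {}
    for res in out.get("Resources", {}).values():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        props = res.setdefault("Properties", {})
        code_uri = props.get("CodeUri", ".")  # SAM default: the template's own directory
        if not is_local(code_uri):
            continue
        blob = zip_sources(files)
        key = prefix + hashlib.sha256(blob).hexdigest()
        uploads[key] = blob
        props["CodeUri"] = f"s3://{bucket}/{key}"
    return out, uploads
```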
A company is expanding the compatibility of its photo-sharing mobile app to hundreds of additional devices with unique screen dimensions and resolutions. Photos are stored in Amazon S3 in their original format and resolution. The company uses an Amazon CloudFront distribution to serve the photos. The app includes the dimension and resolution of the display as GET parameters with every request.
A developer needs to implement a solution that optimizes the photos that are served to each device to reduce load time and increase photo quality.
Which solution will meet these requirements MOST cost-effectively?
- A . Use S3 Batch Operations to invoke an AWS Lambda function to create new variants of the photos with the required dimensions and resolutions. Create a dynamic CloudFront origin that automatically maps the request of each device to the corresponding photo variant.
- B . Use S3 Batch Operations to invoke an AWS Lambda function to create new variants of the photos with the required dimensions and resolutions. Create a Lambda@Edge function to route requests to the corresponding photo variant by using request headers.
- C . Create a Lambda@Edge function that optimizes the photos upon request and returns the photos as a response. Change the CloudFront TTL cache policy to the maximum value possible.
- D . Create a Lambda@Edge function that optimizes the photos upon request and returns the photos as a response. In the same function store a copy of the processed photos on Amazon S3 for subsequent requests.
D
Explanation:
This solution meets the requirements most cost-effectively because it optimizes the photos on demand and caches them for future requests. Lambda@Edge allows the developer to run Lambda functions at AWS locations closer to viewers, which can reduce latency and improve photo quality. The developer can create a Lambda@Edge function that uses the GET parameters from each request to optimize the photos with the required dimensions and resolutions and returns them as a response. The function can also store a copy of the processed photos on Amazon S3 for subsequent requests, which can reduce processing time and costs. Using S3 Batch Operations to create new variants of the photos will incur additional storage costs and may not cover all possible dimensions and resolutions. Creating a dynamic CloudFront origin or a Lambda@Edge function to route requests to corresponding photo variants will require maintaining a mapping of device types and photo variants, which can be complex and error-prone.
Reference: [Lambda@Edge Overview], [Resizing Images with Amazon CloudFront & Lambda@Edge]
A developer is setting up infrastructure by using AWS Cloud Formation. If an error occurs when the resources described in the CloudFormation template are provisioned, successfully provisioned resources must be preserved. The developer must provision and update the CloudFormation stack by using the AWS CLI.
Which solution will meet these requirements?
- A . Add an --enable-termination-protection command line option to the create-stack command and the update-stack command.
- B . Add a --disable-rollback command line option to the create-stack command and the update-stack command.
- C . Add a --parameters ParameterKey=PreserveResources,ParameterValue=True command line option to the create-stack command and the update-stack command.
- D . Add a --tags Key=PreserveResources,Value=True command line option to the create-stack command and the update-stack command.
A developer is building an application on a fleet of Amazon EC2 Linux instances that run Apache web server. The application needs to send API calls that contain sensitive customer data to a second Linux fleet that also runs Apache within a peered VPC in the same AWS account and AWS Region as the original cluster. All sensitive data must be encrypted in transit. Instances in both fleets have Amazon EBS volumes attached.
Which solution will meet these requirements in the MOST operationally efficient way?
- A . Create a security group in each VPC that allows traffic only from the other fleet’s security group. Assign each security group to the corresponding instances.
- B . Create an AWS Site-to-Site VPN connection between the two peered VPCs. Pass the sensitive data in the API calls through the Site-to-Site VPN connection.
- C . Create a customer managed key in AWS KMS to encrypt all EBS volumes. Create an IAM instance profile that has permission to use the customer managed key and attach the key to all instances in both fleets.
- D . Request a valid certificate through AWS Certificate Manager (ACM) and redeploy both fleets as AWS Nitro Enclaves. Use the ACM for Nitro Enclaves Amazon Machine Image (AMI) and specify the requested certificate for all instances.
A
Explanation:
The requirement is encryption in transit for sensitive data sent in API calls between two Apache-based EC2 fleets in peered VPCs. The most operationally efficient approach is to restrict network access and rely on standard TLS at the application layer. Among the provided options, the only operationally simple and directly relevant network control is security group referencing across VPC peering within the same account and Region.
By creating security groups that allow inbound traffic only from the other fleet’s security group, the developer ensures that only the intended instances can communicate over the required ports (for example, 443 for HTTPS). This is operationally efficient because it avoids managing IP allowlists that change with Auto Scaling and keeps the trust boundary tied to instance membership rather than addresses. It also supports least privilege by limiting which sources can reach the service.
Why the other options are not the best fit:
B (Site-to-Site VPN) is unnecessary for VPC peering in the same account/Region and adds significant operational overhead. It also does not replace the need for TLS at the application layer to guarantee encryption to the endpoint.
C (EBS encryption) addresses encryption at rest on volumes, not encryption in transit between fleets.
D (Nitro Enclaves) is heavy and unrelated to the core requirement; enclaves protect data-in-use and do not replace standard TLS for network encryption.
Important nuance: Security groups alone do not encrypt traffic; encryption is achieved by using HTTPS/TLS between the Apache services. However, option A is the most operationally efficient control offered here to implement secure connectivity between the fleets (paired with using HTTPS on Apache, which is the standard for encrypting API calls).
Therefore, A best meets the requirement with the least operational complexity.
A company has an application that runs across multiple AWS Regions. The application is experiencing performance issues at irregular intervals. A developer must use AWS X-Ray to implement distributed tracing for the application to troubleshoot the root cause of the performance issues.
What should the developer do to meet this requirement?
- A . Use the X-Ray console to add annotations for AWS services and user-defined services.
- B . Use the Region annotation that X-Ray adds automatically for AWS services. Add a Region annotation for user-defined services.
- C . Use the X-Ray daemon to add annotations for AWS services and user-defined services.
- D . Use the Region annotation that X-Ray adds automatically for user-defined services. Configure X-Ray to add a Region annotation for AWS services.
B
Explanation:
Distributed Tracing with X-Ray: X-Ray helps visualize request paths and identify bottlenecks in applications distributed across Regions.
Region Annotations (Automatic for AWS Services): X-Ray automatically adds a Region annotation to segments representing calls to AWS services. This aids in tracing cross-Region traffic.
Region Annotations (Manual for User-Defined): For segments representing calls to user-defined services in different Regions, the developer needs to add the Region annotation manually to enable comprehensive tracing.
Reference: AWS X-Ray: https://aws.amazon.com/xray/
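As an added illustration (not from the page or the X-Ray SDK), this builds X-Ray segment documents by hand: the subsegment for a call to a user-defined service carries the manually added Region annotation, the builder enforces X-Ray's annotation key and value rules, and a filter mirrors the console expression annotation.Region = "<region>". Service names, Regions and timestamps are constructed.

```python
import re
import secrets
import time

# X-Ray indexes annotations for filter expressions only if keys are alphanumeric or
# underscore; values must be strings, numbers or booleans; at most 50 per trace.
ANNOTATION_KEY = re.compile(r"^[A-Za-z0-9_]+$")
MAX_ANNOTATIONS = 50


def trace_id(now=None):
    """X-Ray trace id: version 1, 8 hex digits of epoch seconds, 96 random bits."""
    epoch = int(now if now is not None else time.time())
    return f"1-{epoch:08x}-{secrets.token_hex(12)}"


def add_annotation(doc, key, value):
    """Attach an indexed annotation to a segment or subsegment document, validating it."""
    if not ANNOTATION_KEY.match(key):
        raise ValueError(f"invalid annotation key: {key!r}")
    if not isinstance(value, (str, int, float, bool)):
        raise TypeError("annotation values must be string, number or boolean")
    ann = doc.setdefault("annotations", {})
    if len(ann) >= MAX_ANNOTATIONS and key not in ann:
        raise ValueError("X-Ray allows at most 50 annotations per trace")
    ann[key] = value
    return doc


def remote_call_subsegment(name, region, start, end):
    """Subsegment for a call to a user-defined service in another Region.

    X-Ray fills in the Region for AWS service calls on its own, but has no way to
    know where a custom HTTP service runs, so the developer annotates it here.
    """
    sub = {"id": secrets.token_hex(8), "name": name, "namespace": "remote",
           "start_time": start, "end_time": end}
    return add_annotation(sub, "Region", region)


def segment_document(service, region, subsegments, start, end, now=None):
    """Top-level segment for one request handled by `service`, with its own Region."""
    doc = {"name": service, "id": secrets.token_hex(8), "trace_id": trace_id(now),
           "start_time": start, "end_time": end, "subsegments": subsegments}
    return add_annotation(doc, "Region", region)


def filter_region(docs, region):
    """Emulate the console filter expression annotation.Region = "<region>"."""
    return [d for d in docs if d.get("annotations", {}).get("Region") == region]
```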
A developer needs to write an AWS CloudFormation template on a local machine and deploy a CloudFormation stack to AWS.
What must the developer do to complete these tasks?
- A . Install the AWS CLI. Configure the AWS CLI by using an IAM user name and password.
- B . Install the AWS CLI. Configure the AWS CLI by using an SSH key.
- C . Install the AWS CLI. Configure the AWS CLI by using an IAM user access key and secret key.
- D . Install an AWS software development kit (SDK). Configure the SDK by using an X.509 certificate.
A company uses AWS CloudFormation to deploy an application that includes an Amazon API Gateway REST API integrated with AWS Lambda and Amazon DynamoDB. The application has three stages: development, testing, and production, each with its own DynamoDB table.
The company wants to deploy a new production release and route 20% of traffic to the new version while keeping 80% of traffic on the existing production version. The solution must minimize the number of errors that any single customer experiences.
Which approach should the developer take?
- A . Deploy incremental portions of the changes to production in multiple steps.
- B . Use Amazon Route 53 weighted routing between the production and testing stages.
- C . Deploy an Application Load Balancer in front of the API Gateway stages and weight traffic.
- D . Configure canary deployment settings for the production API stage and route 20% of traffic to the canary.
D
Explanation:
Amazon API Gateway supports canary deployments, which are designed specifically for controlled production rollouts. Canary deployments allow a developer to direct a configurable percentage of traffic to a new deployment while the remainder continues to use the existing deployment.
AWS documentation states that canary releases help minimize customer impact by exposing only a subset of users to potential issues. Because the routing is request-based, individual users are less likely to encounter inconsistent behavior across multiple requests.
Route 53 weighted routing (Option B) operates at the DNS level and can result in users being routed unpredictably due to DNS caching. An Application Load Balancer (Option C) is not supported as a direct frontend for API Gateway stages and adds unnecessary complexity.
Option A lacks traffic control guarantees.
Therefore, configuring a canary deployment on the production stage is the AWS-recommended and lowest-risk approach.
A company’s developer has deployed an application in AWS by using AWS CloudFormation. The CloudFormation stack includes parameters in AWS Systems Manager Parameter Store that the application uses as configuration settings. The application can modify the parameter values.
When the developer updated the stack to create additional resources with tags, the developer noted that the parameter values were reset and that the values ignored the latest changes made by the application. The developer needs to change the way the company deploys the CloudFormation stack. The developer also needs to avoid resetting the parameter values outside the stack.
Which solution will meet these requirements with the LEAST development effort?
- A . Modify the CloudFormation stack to set the deletion policy to Retain for the Parameter Store parameters.
- B . Create an Amazon DynamoDB table as a resource in the CloudFormation stack to hold configuration data for the application. Migrate the parameters that the application is modifying from Parameter Store to the DynamoDB table.
- C . Create an Amazon RDS DB instance as a resource in the CloudFormation stack. Create a table in the database for parameter configuration. Migrate the parameters that the application is modifying from Parameter Store to the configuration table.
- D . Modify the CloudFormation stack policy to deny updates on Parameter Store parameters.
D
Explanation:
The issue occurs because the SSM Parameter Store parameters are managed by CloudFormation as stack resources. When CloudFormation performs a stack update, it will attempt to ensure the deployed resources match the template. If the template includes a parameter value, CloudFormation can overwrite the current value during updates, which explains why the application’s runtime modifications are lost.
The developer’s requirement is to continue deploying the stack (including adding resources/tags) without resetting parameter values that are modified outside CloudFormation. The lowest-effort way to do this is to prevent CloudFormation from updating those specific Parameter Store resources during stack updates.
A CloudFormation stack policy can explicitly deny update actions on selected resources (in this case, the SSM parameters). Stack policies are designed to protect critical resources from being unintentionally modified during stack updates. With an update-deny policy applied to the SSM parameter resources, CloudFormation can still update other resources (such as adding tags or creating new components), but it will not overwrite the parameter values that the application has changed.
Option A (DeletionPolicy: Retain) only affects what happens when a resource is deleted or replaced, not whether CloudFormation updates the resource in place. It will not reliably prevent stack updates from resetting values.
Options B and C are larger architecture changes and require migrating configuration storage to DynamoDB or RDS, which means much more development effort and operational overhead.
Therefore, applying a stack policy to deny updates on Parameter Store parameters is the best and least-effort solution.
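An added example (not from the page) of the stack policy the explanation describes, together with a small evaluator applying stack-policy semantics (an explicit Deny always wins, and once a policy is set anything not explicitly allowed is protected) to a constructed set of planned changes. Logical ids and resource types are constructed.

```python
import fnmatch

# Constructed stack policy: allow updates everywhere, but never let a stack update touch
# SSM parameters, whose values the application changes at runtime.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "*",
         "Condition": {"StringEquals": {"ResourceType": ["AWS::SSM::Parameter"]}}},
    ]
}

# Constructed change set: (logical id, resource type, update action) the update would do.
PLANNED_CHANGES = [
    ("AppConfigParam", "AWS::SSM::Parameter", "Update:Modify"),
    ("ApiFunction", "AWS::Lambda::Function", "Update:Modify"),
    ("NewTable", "AWS::DynamoDB::Table", "Update:Replace"),
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt, logical_id, resource_type, action):
    """Does this statement apply to the given resource and update action?"""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    target = f"LogicalResourceId/{logical_id}"
    if not any(r == "*" or fnmatch.fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
        return False
    cond = stmt.get("Condition", {})
    wanted = (cond.get("StringEquals", {}).get("ResourceType")
              or cond.get("StringLike", {}).get("ResourceType"))
    if wanted is not None and not any(fnmatch.fnmatchcase(resource_type, t) for t in _as_list(wanted)):
        return False
    return True


def is_update_allowed(policy, logical_id, resource_type, action):
    """Explicit Deny wins; with a policy present a resource is protected unless allowed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, logical_id, resource_type, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate(policy, changes):
    """Map each planned change's logical id to whether the stack update may perform it."""
    return {lid: is_update_allowed(policy, lid, rtype, act) for lid, rtype, act in changes}
```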
