Practice Free DVA-C02 Exam Online Questions
A company uses an AWS Lambda function to transfer files from an Amazon S3 bucket to the company’s SFTP server. The Lambda function connects to the SFTP server by using credentials such as username and password. The company uses Lambda environment variables to store these credentials.
A developer needs to implement encrypted username and password credentials.
Which solution will meet these requirements?
- A . Remove the user credentials from the Lambda environment. Implement IAM database authentication.
- B . Move the user credentials from Lambda environment variables to AWS Systems Manager Parameter Store.
- C . Move the user credentials from Lambda environment variables to AWS Key Management Service (AWS KMS).
- D . Move the user credentials from the Lambda environment to an encrypted .txt file. Store the file in an S3 bucket.
A developer is creating an AWS CloudFormation template to deploy Amazon EC2 instances across multiple AWS accounts. The developer must choose the EC2 instances from a list of approved instance types.
How can the developer incorporate the list of approved instance types in the CloudFormation template?
- A . Create a separate CloudFormation template for each EC2 instance type in the list.
- B . In the Resources section of the CloudFormation template, create resources for each EC2 instance type in the list.
- C . In the CloudFormation template, create a separate parameter for each EC2 instance type in the list.
- D . In the CloudFormation template, create a parameter with the list of EC2 instance types as AllowedValues.
D
Explanation:
In the CloudFormation template, the developer should create a parameter with the list of approved EC2 instance types as AllowedValues. This way, users can select the instance type they want to use when launching the CloudFormation stack, but only from the approved list.
A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The application will store information in an Amazon S3 bucket. The company needs to follow security best practices when deploying the application on AWS.
Which approach should the company take to allow the application to interact with Amazon S3?
- A . Create an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.
- B . Create an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.
- C . Create an IAM role that has the necessary access to Amazon S3. Attach the role to the EC2 instance.
- D . Create an IAM user. Attach a policy that provides the necessary access to Amazon S3. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.
A developer is creating a new batch application that will run on an Amazon EC2 instance. The application requires read access to an Amazon S3 bucket. The developer needs to follow security best practices to grant S3 read access to the application.
Which solution meets these requirements?
- A . Add the permissions to an IAM policy. Attach the policy to a role. Attach the role to the EC2 instance profile.
- B . Add the permissions inline to an IAM group. Attach the group to the EC2 instance profile.
- C . Add the permissions to an IAM policy. Attach the policy to a user. Attach the user to the EC2 instance profile.
- D . Add the permissions to an IAM policy. Use IAM web identity federation to access the S3 bucket with the policy.
A
Explanation:
Step 1: Understanding the Requirements
- Security best practices:
  - Minimize the use of hardcoded credentials or long-lived access keys.
  - Use IAM roles for EC2 instances to securely grant permissions to applications running on the instance.
- Access scope: the application needs read-only access to an S3 bucket.
Step 2: Solution Analysis
- Option A:
  - Define an IAM policy with the required s3:GetObject permissions.
  - Attach this policy to an IAM role.
  - Assign the role to the EC2 instance profile.
  - This approach follows security best practices by eliminating the need for static credentials and using temporary, scoped credentials provided by the instance profile.
  - Correct option.
- Option B:
  - IAM groups are used for organizing users, not for EC2 instances or instance profiles.
  - Not suitable.
- Option C:
  - IAM users are associated with specific individuals or applications and require static credentials.
  - This violates security best practices for temporary credentials and roles.
  - Not suitable.
- Option D:
  - IAM web identity federation is used for applications that authenticate users via third-party identity providers.
  - This is unnecessary for EC2 instances and does not align with the requirements.
  - Not suitable.
Step 3: Implementation Steps
- Create an IAM policy that grants read-only access to the S3 bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```

- Attach the policy to an IAM role: create an IAM role and attach the policy to the role.
- Associate the role with the EC2 instance: attach the role to the instance profile used by the EC2 instance.
AWS Developer Reference:
- IAM Roles for Amazon EC2
- Amazon S3 Permissions Reference
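The role-plus-instance-profile pattern that both EC2 questions above (the migrated application and the batch application) point to, written out as an added CloudFormation example; this is not from the original page, and `BucketName`, `AmiId` and the resource names are placeholders you supply at deploy time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BucketName:
    Type: String
    Description: Placeholder; the bucket the batch job reads from
  AmiId:
    Type: AWS::EC2::Image::Id
    Description: Placeholder; AMI for the batch instance
Resources:
  # Trust policy lets only the EC2 service assume the role; no static access keys are ever created
  BatchAppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3ReadOnlyForBatch
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # ListBucket applies to the bucket ARN, GetObject to the objects inside it
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${BucketName}
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${BucketName}/*

  # The instance profile is the container that carries the role onto the instance
  BatchAppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref BatchAppRole

  BatchAppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref BatchAppInstanceProfile
      # IMDSv2 only: the role's temporary credentials cannot be read with a single unauthenticated GET
      MetadataOptions:
        HttpTokens: required
```

The SDK on the instance picks up the role credentials automatically, so the application code contains no keys at all, which is exactly what options B and D of the first question get wrong.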
A developer is refactoring an AWS Lambda function that uses static parameters that are defined in environment variables. The developer needs to integrate the Lambda function with an AWS AppConfig application. The developer has already configured IAM roles for the AWS AppConfig application and the Lambda function.
Which solution will meet this requirement with the LEAST amount of changes to the code?
- A . Add the AWS AppConfig agent Lambda extension layer. Use the agent endpoint from within the function code.
- B . Create an AWS AppConfig extension. Add the ON_DEPLOYMENT_COMPLETE action point and add the Lambda function URI as the target.
- C . Use the AWS AppConfig client to create a Lambda layer. Add the layer to the function.
- D . Modify the function code to add the StartConfigurationSession API action and the GetLatestConfiguration API action.
A
Explanation:
The AWS AppConfig Agent Lambda extension is designed to simplify integration. It runs as a sidecar process that manages the fetching and local caching of configurations. Instead of adding complex AWS SDK code for session management (Option D), the developer simply calls a local HTTP endpoint (provided by the agent) to retrieve the config. This results in the least code change and better performance due to the agent’s built-in caching.
A company has a monolithic desktop-based application that processes images. A developer is converting the application into an AWS Lambda function by using Python. Currently, the desktop application runs every 5 minutes to process the latest image from an Amazon S3 bucket. The desktop application completes the image processing task within 1 minute.
During testing on AWS, the developer notices that the Lambda function runs at the specified 5-minute interval. However, the Lambda function takes more than 2 minutes to complete the image processing task. The developer needs a solution that will improve the Lambda function’s performance.
Which solution will meet this requirement?
- A . Update the instance type of the Lambda function to a compute optimized instance with at least eight virtual CPUs (vCPUs).
- B . Update the configuration of the Lambda function to use the latest Python runtime.
- C . Increase the memory that is allocated to the Lambda function.
- D . Configure reserved concurrency on the Lambda function.
C
Explanation:
Lambda does not allow the developer to select an EC2 instance type, so option A is invalid. For Lambda, CPU allocation scales proportionally with memory. If the image-processing workload is CPU-bound or memory-constrained, increasing the configured memory can also increase available CPU power and reduce execution duration. Updating the Python runtime may provide minor improvements but is not the primary Lambda performance control. Reserved concurrency controls how many concurrent executions are reserved for the function; it does not make one invocation process faster. The issue is that each run takes too long, not that the function lacks concurrency. AWS Lambda documentation confirms that increasing function memory also increases CPU allocation, and memory can be tuned to improve performance. (AWS Documentation)
A company is building a compute-intensive application that will run on a fleet of Amazon EC2 instances. The application uses attached Amazon Elastic Block Store (Amazon EBS) volumes for storing data. The Amazon EBS volumes will be created at time of initial deployment. The application will process sensitive information. All of the data must be encrypted. The solution should not impact the application’s performance.
Which solution will meet these requirements?
- A . Configure the fleet of EC2 instances to use encrypted EBS volumes to store data.
- B . Configure the application to write all data to an encrypted Amazon S3 bucket.
- C . Configure a custom encryption algorithm for the application that will encrypt and decrypt all data.
- D . Configure an Amazon Machine Image (AMI) that has an encrypted root volume and store the data to ephemeral disks.
A
Explanation:
Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS encryption offers a straightforward encryption solution for the EBS resources associated with your EC2 instances. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: data at rest inside the volume, all data moving between the volume and the instance, all snapshots created from the volume, and all volumes created from those snapshots.
Therefore, option A is correct.
A developer is creating a new application that will be accessed by users through an API created using Amazon API Gateway. The users need to be authenticated by a third-party Security Assertion Markup Language (SAML) identity provider. Once authenticated, users will need access to other AWS services, such as Amazon S3 and Amazon DynamoDB.
How can these requirements be met?
- A . Use an Amazon Cognito user pool with SAML as the resource server.
- B . Use Amazon Cognito identity pools with a SAML identity provider as one of the authentication providers.
- C . Use the AWS IAM service to provide the sign-up and sign-in functionality.
- D . Use Amazon CloudFront signed URLs to connect with the SAML identity provider.
B
Explanation:
The requirement has two parts: (1) authenticate users with a third-party SAML IdP, and (2) after authentication, allow those users to access AWS services like Amazon S3 and DynamoDB. The AWS pattern for this is to federate the external identity into AWS and then exchange that identity for temporary AWS credentials.
Amazon Cognito identity pools are designed to provide AWS credentials to authenticated users (via AWS STS) so the users can call AWS services directly or through an application backend. Identity pools support federation with external identity providers, including SAML 2.0. When a user authenticates with the third-party SAML IdP, the identity pool can accept the SAML assertion, map the user to an IAM role, and return temporary, scoped credentials (AccessKeyId/SecretAccessKey/SessionToken) associated with that role. Those credentials can be restricted using IAM policies to only the required S3 buckets, DynamoDB tables, and actions, satisfying least privilege.
Option A is incorrect because a Cognito user pool is primarily a user directory and OIDC/OAuth provider for application authentication; while user pools can integrate with SAML IdPs for federation, user pools alone do not directly issue AWS service credentials. The key requirement here is access to S3/DynamoDB, which is the role of an identity pool.
Option C is not appropriate because IAM is not intended to provide end-user sign-up/sign-in for external users; it is for AWS identities and permissions.
Option D is unrelated: CloudFront signed URLs control access to CloudFront-distributed content and do not authenticate users with SAML or provide AWS credentials.
Therefore, B meets both requirements: federate SAML authentication through a Cognito identity pool and provide temporary AWS credentials for accessing S3 and DynamoDB.
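The identity-pool pattern the explanation describes, as an added CloudFormation example that is not part of the original page: the pool accepts a SAML provider, and the role it hands out is trusted only for authenticated identities of this pool and limited to the S3 and DynamoDB actions the API needs. The three parameters are placeholders for your own SAML provider, table and bucket.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SamlProviderArn: { Type: String }  # placeholder: IAM SAML provider created from the IdP metadata
  DataTableArn: { Type: String }     # placeholder: ARN of the DynamoDB table the API reads
  DataBucketName: { Type: String }   # placeholder: bucket authenticated users may read objects from
Resources:
  AppIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: saml-api-users
      # No guest access: only callers presenting a valid SAML assertion receive credentials
      AllowUnauthenticatedIdentities: false
      SamlProviderARNs:
        - !Ref SamlProviderArn
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # Bind the role to this pool and to authenticated identities only
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref AppIdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: LeastPrivilegeDataAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${DataBucketName}/*
              - Effect: Allow
                Action: [dynamodb:GetItem, dynamodb:Query]
                Resource: !Ref DataTableArn
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref AppIdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

Without the `aud` and `amr` conditions any identity pool in the account could hand out this role, so treat those two conditions as the check to look for when reviewing a federation setup.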
A developer is working on an ecommerce website. The developer wants to review server logs without logging in to each of the application servers individually. The website runs on multiple Amazon EC2 instances, is written in Python, and needs to be highly available.
How can the developer update the application to meet these requirements with MINIMUM changes?
- A . Rewrite the application to be cloud native and to run on AWS Lambda, where the logs can be reviewed in Amazon CloudWatch.
- B . Set up centralized logging by using Amazon OpenSearch Service, Logstash, and OpenSearch Dashboards.
- C . Scale down the application to one larger EC2 instance where only one instance is recording logs.
- D . Install the unified Amazon CloudWatch agent on the EC2 instances. Configure the agent to push the application logs to CloudWatch.
D
Explanation:
Centralized Logging Benefits: Centralized logging is essential for operational visibility in scalable systems, especially those using multiple EC2 instances like our e-commerce website. CloudWatch provides this capability, along with other monitoring features.
CloudWatch Agent: This is the best way to send custom application logs from EC2 instances to CloudWatch. The process is:
- Install the CloudWatch agent on each EC2 instance.
- Configure the agent with a configuration file, specifying:
  - which log files to collect;
  - the format in which to send logs to CloudWatch (e.g., JSON);
  - the specific CloudWatch Logs log group and log stream for these logs.
Viewing and Analyzing Logs: Once the agent is pushing logs, use the CloudWatch Logs console or API to:
- view and search the logs across all instances;
- set up alarms based on log events;
- use CloudWatch Logs Insights for sophisticated queries and analysis.
Reference:
- Amazon CloudWatch Logs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html
- Unified CloudWatch Agent: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html
- CloudWatch Logs Insights: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html
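An added CloudFormation example (not from the original page) of the agent configuration the steps above describe, distributed to the whole fleet through one SSM parameter so every instance collects the same file into the same log group with its own instance ID as the stream name. The log path, parameter name and log group name are constructed for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # One parameter; every web instance fetches the same config, so all of them log to one group
  AgentConfigParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: AmazonCloudWatch-ecommerce-web
      Type: String
      Value: |
        {
          "logs": {
            "logs_collected": {
              "files": {
                "collect_list": [
                  {
                    "file_path": "/var/log/ecommerce/app.log",
                    "log_group_name": "/ecommerce/web/app",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%Y-%m-%d %H:%M:%S",
                    "retention_in_days": 30
                  }
                ]
              }
            }
          }
        }
  # Role for the web instances: the AWS managed policy grants log writes and reads of AmazonCloudWatch-* parameters
  WebInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
  WebInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref WebInstanceRole]
```

On each instance the agent loads it with `amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:AmazonCloudWatch-ecommerce-web`, which is the only per-instance step and can run from user data.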
A developer is building an application that needs to access the values of secrets that are in AWS Secrets Manager. The secret IDs are passed to the application code through environment variables. The secrets are encrypted by a customer managed AWS KMS key.
Which combination of permissions is required to retrieve the values of these secrets? (Select TWO.)
- A . secretsmanager:GetSecretValue
- B . secretsmanager:DescribeSecret
- C . secretsmanager:ListSecrets
- D . kms:Decrypt
- E . kms:Encrypt
A, D
Explanation:
To retrieve a secret’s value from AWS Secrets Manager, the calling principal must be authorized to call secretsmanager:GetSecretValue on the specified secret. This API returns the secret material (for example, SecretString or SecretBinary). Passing secret IDs through environment variables only tells the application which secret to request; it does not grant permission to access it.
Because the secret is encrypted with a customer managed AWS KMS key, the caller must also be allowed to use that key for decryption. Secrets Manager stores secret values encrypted at rest, and when a caller requests the secret value, KMS is used to decrypt the stored ciphertext under the configured CMK. Therefore, the principal needs kms:Decrypt permission on the CMK (and the CMK key policy must allow the principal, directly or via grants/conditions). Without kms:Decrypt, the GetSecretValue call will fail because Secrets Manager cannot return plaintext secret material.
secretsmanager:DescribeSecret (B) can be useful for reading metadata such as rotation configuration or tags, but it is not required to retrieve the secret value itself. secretsmanager:ListSecrets (C) is for discovery/enumeration and is not required when the application already knows the secret ID. kms:Encrypt (E) is not needed for reading a secret value; encryption permissions are relevant for write/update operations or client-side encryption flows, not for decrypting stored secrets.
Therefore, the required combination is A (secretsmanager:GetSecretValue) and D (kms:Decrypt) to successfully retrieve secret values encrypted with a customer managed KMS key.
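The two permissions from the answer, written as an added CloudFormation example (not from the original page) of the managed policy you would attach to the application's role. `SecretArn` and `SecretsKmsKeyArn` are placeholders; the `kms:ViaService` condition is an addition that keeps the decrypt grant usable only through Secrets Manager.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SecretArn:
    Type: String
    Description: Placeholder; ARN of the secret whose ID the app receives in an environment variable
  SecretsKmsKeyArn:
    Type: String
    Description: Placeholder; ARN of the customer managed KMS key the secret is encrypted with
Resources:
  ReadAppSecretPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # A: read the secret value, scoped to the one secret rather than secretsmanager:*
          - Sid: GetSecretValueOnly
            Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Ref SecretArn
          # D: let Secrets Manager decrypt on the caller's behalf. kms:ViaService means the same
          # role cannot call kms:Decrypt directly against arbitrary ciphertext under this key.
          - Sid: DecryptViaSecretsManagerOnly
            Effect: Allow
            Action: kms:Decrypt
            Resource: !Ref SecretsKmsKeyArn
            Condition:
              StringEquals:
                "kms:ViaService": !Sub secretsmanager.${AWS::Region}.amazonaws.com
```

This identity-based policy is only half of the authorization: the key policy on the CMK must also allow the role (or the account) to use the key, otherwise GetSecretValue fails with an access-denied error from KMS even though the Secrets Manager statement is correct.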
