Practice Free DVA-C02 Exam Online Questions
A developer is building an application that needs to access the values of secrets that are in AWS Secrets Manager. The secret IDs are passed to the application code through environment variables. The secrets are encrypted by a customer managed AWS KMS key.
Which combination of permissions is required to retrieve the values of these secrets? (Select TWO.)
- A . secretsmanager:GetSecretValue
- B . secretsmanager:DescribeSecret
- C . secretsmanager:ListSecrets
- D . kms:Decrypt
- E . kms:Encrypt
A, D
Explanation:
To retrieve a secret’s value from AWS Secrets Manager, the calling principal must be authorized to call secretsmanager:GetSecretValue on the specified secret. This API returns the secret material (for example, SecretString or SecretBinary). Passing secret IDs through environment variables only tells the application which secret to request; it does not grant permission to access it.
Because the secret is encrypted with a customer managed AWS KMS key, the caller must also be allowed to use that key for decryption. Secrets Manager stores secret values encrypted at rest, and when a caller requests the secret value, KMS is used to decrypt the stored ciphertext under the configured CMK. Therefore, the principal needs kms:Decrypt permission on the CMK (and the CMK key policy must allow the principal, directly or via grants/conditions). Without kms:Decrypt, the GetSecretValue call will fail because Secrets Manager cannot return plaintext secret material.
secretsmanager:DescribeSecret (B) can be useful for reading metadata such as rotation configuration or tags, but it is not required to retrieve the secret value itself. secretsmanager:ListSecrets (C) is for discovery/enumeration and is not required when the application already knows the secret ID. kms:Encrypt (E) is not needed for reading a secret value; encryption permissions are relevant for write/update operations or client-side encryption flows, not for decrypting stored secrets.
Therefore, the required combination is A (secretsmanager:GetSecretValue) and D (kms:Decrypt) to successfully retrieve secret values encrypted with a customer managed KMS key.
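The two-statement policy the explanation describes, as an added example (not part of the original question set). It scopes secretsmanager:GetSecretValue to one secret and kms:Decrypt to one key, and adds a kms:ViaService condition so the key can only be used through Secrets Manager; the audit helper checks an existing identity policy for the two required actions. The ARNs are constructed placeholders, and the helper evaluates only Allow statements in an identity policy (Deny statements, the KMS key policy and grants are out of scope).

```python
"""Least-privilege identity policy for reading a Secrets Manager secret that is
encrypted with a customer managed KMS key, plus a small audit helper.
Added example; ARNs are constructed placeholders, not values from the question."""
import fnmatch
import json

# Constructed placeholder ARNs (not from the question).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-creds-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

REQUIRED_ACTIONS = ("secretsmanager:GetSecretValue", "kms:Decrypt")


def least_privilege_policy(secret_arn: str, key_arn: str, region: str) -> dict:
    """Two statements: read the one secret, and decrypt with the one key, but
    only when KMS is called on the caller's behalf by Secrets Manager
    (kms:ViaService), so the key cannot be used for arbitrary Decrypt calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadSecret",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            },
            {
                "Sid": "DecryptViaSecretsManager",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": key_arn,
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"
                    }
                },
            },
        ],
    }


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def missing_permissions(policy: dict, secret_arn: str, key_arn: str) -> list:
    """Return the required actions that no Allow statement covers for the
    given secret and key. Wildcards in Action/Resource are honoured with
    fnmatch; Deny statements, key policies and grants are not evaluated."""
    needed = [("secretsmanager:GetSecretValue", secret_arn), ("kms:Decrypt", key_arn)]
    missing = []
    for action, resource in needed:
        covered = False
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
                fnmatch.fnmatchcase(resource, r) for r in resources
            ):
                covered = True
                break
        if not covered:
            missing.append(action)
    return missing


if __name__ == "__main__":
    policy = least_privilege_policy(SECRET_ARN, KEY_ARN, "us-east-1")
    print(json.dumps(policy, indent=2))
    print("missing:", missing_permissions(policy, SECRET_ARN, KEY_ARN))
```

Running the audit against a policy that grants only secretsmanager:GetSecretValue reports kms:Decrypt as missing, which is exactly the failure mode the explanation describes: the GetSecretValue call is authorized, but Secrets Manager cannot decrypt the stored ciphertext on the caller's behalf.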
A developer is writing a new serverless application for a company. Several other developers must collaborate on the code for this application, and the company expects frequent changes to the code. The developer needs to deploy the code from source control to AWS Lambda with the fewest number of manual steps.
Which strategy for the build and deployment should the developer use to meet these requirements?
- A . Build the code locally, and then upload the code into the source control system. When a release is needed, run AWS CodePipeline to extract the uploaded build and deploy the resources.
- B . Use the AWS SAM CLI to build and deploy the application from the developer’s local machine with the latest version checked out locally.
- C . Use AWS CodeBuild and AWS CodePipeline to invoke builds and corresponding deployments when configured source-controlled branches have pull requests merged into them.
- D . Use the Lambda console to upload a .zip file of the application that is created by the AWS SAM CLI build command.
C
Explanation:
The requirement emphasizes collaboration, frequent code changes, and deploying from source control with the fewest manual steps. This aligns with a CI/CD pipeline approach where commits or merges automatically trigger builds and deployments. Using AWS CodePipeline orchestrates the stages (source, build, deploy), and AWS CodeBuild performs the build/package steps for the Lambda/serverless application. When integrated with a repository (such as CodeCommit, GitHub, or another supported provider), CodePipeline can automatically start when changes are merged into specific branches, enabling consistent, repeatable deployments.
Option C provides the least operational overhead for teams: developers push code and merge pull requests; the pipeline automatically builds artifacts, runs tests (if configured), packages dependencies, and deploys updates to Lambda (often via AWS SAM/CloudFormation under the hood). This removes manual “build on my laptop” drift, prevents inconsistent deployments between developers, and supports frequent iteration safely.
Option B (SAM CLI from a local machine) requires a developer to manually run build/deploy commands and assumes each developer’s environment is configured correctly. That increases manual steps and the risk of differences across machines.
Option D (uploading zip in the console) is highly manual and not suitable for frequent changes or team collaboration.
Option A is also suboptimal because storing built artifacts in source control is an anti-pattern; builds should be reproducible and produced by CI, not committed binaries.
Therefore, C is the best choice: set up CodePipeline + CodeBuild so merges to controlled branches automatically trigger builds and deployments to AWS Lambda with minimal manual intervention.
A healthcare company discovers that one of the company’s AWS Lambda functions is improperly sending customer personal health information (PHI) and personally identifiable information (PII) to an Amazon CloudWatch Logs log group.
The company needs a solution to automatically mask PHI and PII across all log events in the log group. The company must ensure that masked values cannot be accidentally revealed through CloudWatch Logs Insights queries or subscription filters. The solution must allow only specific security engineers to view the original unmasked values when required for investigations.
Which solution will meet these requirements?
- A . Create a CloudWatch Logs data protection policy for the log group. Add managed data identifiers for PHI and PII. Grant the logs:Unmask IAM permission only to security engineers.
- B . Update the Lambda function to replace PHI and PII with placeholder characters before the function writes logs to the log group.
- C . Use AWS KMS to encrypt the log group. Give the security engineers KMS decrypt permissions.
- D . Use Amazon Data Firehose to stream the logs to an Amazon S3 bucket. Use Amazon Athena to query the logs. Use Athena views to filter out PHI and PII.
A
Explanation:
CloudWatch Logs data protection policies are designed to detect and mask sensitive data in log events. Managed data identifiers can detect common categories of sensitive information, including PII-related data types, and masking applies across log viewing and query workflows. The logs:Unmask permission controls who can view original unmasked data, so only approved security engineers should receive that permission. Updating the Lambda function is good hygiene but does not protect historical logs and depends on application correctness. KMS encryption protects logs at rest, but authorized log readers would still see plaintext after decryption. Firehose and Athena add unnecessary pipeline complexity and do not enforce masking inside CloudWatch Logs Insights or subscription filters. AWS documentation confirms data protection policies mask sensitive log data and logs:Unmask is required to view unmasked data. (AWS Documentation)
A developer has created a data collection application that uses Amazon API Gateway, AWS Lambda, and Amazon S3. The application’s users periodically upload data files and wait for the validation status to be reflected on a processing dashboard. The validation process is complex and time-consuming for large files.
Some users are uploading dozens of large files and have to wait and refresh the processing dashboard to see if the files have been validated. The developer must refactor the application to immediately update the validation result on the user’s dashboard without reloading the full dashboard.
What is the MOST operationally efficient solution that meets these requirements?
- A . Integrate the client with an API Gateway WebSocket API. Save the user-uploaded files with the WebSocket connection ID. Push the validation status to the connection ID when the processing is complete to initiate an update of the UI.
- B . Launch an Amazon EC2 micro instance, and set up a WebSocket server. Send the user-uploaded file and user detail to the EC2 instance after the user uploads the file. Use the WebSocket server to send updates to the UI when the uploaded file is processed.
- C . Save the user’s email address along with the user-uploaded file. When the validation process is complete, send an email notification through Amazon SNS to the user who uploaded the file.
- D . Save the user-uploaded file and user detail to Amazon DynamoDB. Use Amazon DynamoDB Streams with Amazon SNS push notifications to send updates to the browser to update the UI.
A
Explanation:
The requirement is real-time UI updates “immediately” without refreshing the dashboard. The most operationally efficient AWS-native method is to use API Gateway WebSocket APIs to push updates from the backend to the browser.
With option A, the client establishes a WebSocket connection and receives a connection ID. The application can associate uploads (or job IDs) with that connection ID (commonly storing the mapping in DynamoDB or another datastore). When the long-running validation finishes, the backend uses the WebSocket management API to post a message to the specific connection ID, and the browser updates the UI dynamically. This eliminates polling/refresh and scales well without managing servers.
Option B requires running and maintaining an EC2-hosted WebSocket server (patching, scaling, uptime), which is more operational overhead.
Option C uses email, which is not immediate UI updating and doesn’t update the dashboard without user action.
Option D is not appropriate: SNS does not directly push notifications to a web browser in a standard way, and it adds unnecessary complexity.
Therefore, using API Gateway WebSocket to push validation results to connected clients is the most operationally efficient solution.
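The connection-ID pattern from the explanation, as an added example (not part of the original question set): the $connect route records the connection ID, each upload is tied to the connection that should receive its result, and the completion handler posts to exactly that connection. An in-memory dictionary stands in for the DynamoDB mapping and a stub class stands in for boto3's apigatewaymanagementapi client, so the code runs offline; the stub mirrors the real client's post_to_connection call and its GoneException (HTTP 410 for a client that has disconnected), which is the case a production handler has to clean up after.

```python
"""Pushing a validation result to the API Gateway WebSocket connection that
uploaded the file. Added example: the stores are in-memory dicts standing in
for DynamoDB, and StubManagementApi stands in for
boto3.client("apigatewaymanagementapi") so that the flow runs offline."""
import json

# Constructed in-memory tables (a real deployment would use DynamoDB).
CONNECTIONS = {}   # connection_id -> user_id; written on $connect, removed on $disconnect
UPLOADS = {}       # upload_id -> connection_id; written when a file is uploaded


class GoneException(Exception):
    """Mirror of client.exceptions.GoneException: the client has disconnected."""


class StubManagementApi:
    """Stand-in for the apigatewaymanagementapi client. Records each post and
    raises GoneException for a connection ID that is no longer open."""

    def __init__(self):
        self.sent = []

    def post_to_connection(self, ConnectionId, Data):
        if ConnectionId not in CONNECTIONS:
            raise GoneException(ConnectionId)
        self.sent.append((ConnectionId, Data))


def on_connect(connection_id: str, user_id: str) -> None:
    """$connect route handler: remember which user owns this socket."""
    CONNECTIONS[connection_id] = user_id


def on_disconnect(connection_id: str) -> None:
    """$disconnect route handler: forget the socket."""
    CONNECTIONS.pop(connection_id, None)


def on_upload(upload_id: str, connection_id: str) -> None:
    """Upload handler: tie the upload to the socket that should get its result."""
    UPLOADS[upload_id] = connection_id


def on_validation_complete(upload_id: str, status: str, client) -> str:
    """Completion handler for the long-running validation. Pushes the result to
    the one connection that uploaded the file and returns 'delivered',
    'stale' (client gone; mapping cleaned up) or 'unknown' (no such upload)."""
    connection_id = UPLOADS.get(upload_id)
    if connection_id is None:
        return "unknown"
    payload = json.dumps({"uploadId": upload_id, "status": status}).encode()
    try:
        client.post_to_connection(ConnectionId=connection_id, Data=payload)
    except GoneException:
        # The browser closed the socket before validation finished; drop the
        # mapping so later pushes do not keep hitting a dead connection.
        on_disconnect(connection_id)
        UPLOADS.pop(upload_id, None)
        return "stale"
    UPLOADS.pop(upload_id, None)
    return "delivered"


if __name__ == "__main__":
    api = StubManagementApi()
    on_connect("conn-1", "user-a")
    on_upload("upload-42", "conn-1")
    print(on_validation_complete("upload-42", "VALID", api))   # delivered
    on_disconnect("conn-1")
    on_upload("upload-43", "conn-1")
    print(on_validation_complete("upload-43", "INVALID", api))  # stale
```

In a real deployment the management-API client is created with the WebSocket API's callback URL as endpoint_url, and the Lambda that calls post_to_connection needs execute-api:ManageConnections on that API; the GoneException branch is what keeps the connection table from accumulating dead sockets.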
A company is building a content authoring application. The application has multiple user groups, such as content creator, reviewer, approver, and administrator. The company needs to assign users fine-grained permissions for specific parts of the application.
The company needs a solution to configure, maintain, and analyze user permissions. The company wants a solution that can be easily adapted to work with newer applications in the future. The company must use a third-party OpenID Connect (OIDC) identity provider (IdP) to authenticate users.
- A . Configure an Amazon Cognito identity pool for the application. Use the identity pool identities within the application to manage user permissions.
- B . Configure the application to check user permissions upon request. Configure the application logic to manage user permissions.
- C . Use Amazon Verified Permissions to set up user permissions. Integrate Verified Permissions with a third-party IdP. Configure the application to request authorization decisions from Verified Permissions.
- D . Set up an IAM role for each user group. Assign users appropriate IAM roles. Configure the application to determine appropriate permissions for each user based on the user’s IAM role.
C
Explanation:
Why Option C is Correct: Amazon Verified Permissions provides fine-grained access control capabilities, making it ideal for managing complex user permissions. It integrates with OIDC IdPs for authentication and allows applications to request authorization decisions dynamically. It is also easily adaptable to newer applications.
Why Other Options are Incorrect:
Option A: Cognito identity pools do not natively support fine-grained permission analysis or management.
Option B: Managing permissions in application logic adds significant operational overhead.
Option D: IAM roles are not designed for application-specific fine-grained access control and are more suitable for resource-level permissions.
AWS Documentation Reference: Amazon Verified Permissions
A developer has deployed an AWS Lambda function that is subscribed to an Amazon Simple Notification Service (Amazon SNS) topic. The developer must implement a solution to add a record of each Lambda function invocation to an Amazon Simple Queue Service (Amazon SQS) queue.
Which solution will meet this requirement?
- A . Configure the SQS queue as a dead-letter queue for the Lambda function.
- B . Create code that uses the AWS SDK to call the SQS SendMessage operation to add the invocation details to the SQS queue. Add the code to the end of the Lambda function.
- C . Add two asynchronous invocation destinations to the Lambda function: one destination for successful invocations and one destination for failed invocations. Configure the SQS queue as the destination for each type. Create an Amazon CloudWatch alarm based on the DestinationDeliveryFailures metric to catch any message that cannot be delivered.
- D . Add a single asynchronous invocation destination to the Lambda function to capture successful invocations. Configure the SQS queue as the destination. Create an Amazon CloudWatch alarm based on the DestinationDeliveryFailures metric to catch any message that cannot be delivered.
