Practice Free DVA-C02 Exam Online Questions
A company regularly receives route status updates from its delivery trucks as events in Amazon EventBridge. The company is building an API-based application in a VPC that will consume and process the events to create a delivery status dashboard. The API application must not be available by using public IP addresses because of security and compliance requirements.
How should the company send events from EventBridge to the API application?
- A . Create an AWS Lambda function that runs in the same VPC as the API application. Configure the function as an EventBridge target. Use the function to send events to the API.
- B . Create an internet-facing Application Load Balancer (ALB) in front of the API application. Associate a security group with rules that block access from all external sources except for EventBridge. Configure the ALB as an EventBridge target.
- C . Create an internet-facing Network Load Balancer (NLB) in front of the API application. Associate a security group with rules that block access from all external sources except for EventBridge. Configure the NLB as an EventBridge target.
- D . Use the application API endpoint in the VPC as a target for EventBridge. Send events directly to the application API endpoint from EventBridge.
A
Explanation:
Why Option A is Correct: Running an AWS Lambda function within the same VPC ensures secure communication without exposing the API application to public IP addresses. The Lambda function can serve as a secure EventBridge target to send events to the API.
Why Other Options are Incorrect:
Option B & C: Internet-facing load balancers expose public IP addresses, which violates compliance requirements.
Option D: EventBridge cannot directly target an endpoint within a private VPC without intermediary services like Lambda.
AWS Documentation
Reference: EventBridge Targets
A company is developing a new ecommerce platform on AWS. The company wants to implement an event-driven architecture for the company’s order processing system.
The system must perform the following steps when a customer places an order:
Update inventory in the company’s warehouse management system
Send a confirmation email message to the customer
Notify the company’s shipping department to prepare the customer’s package
Update the customer’s order history
A developer wants to ensure loose coupling between services so that the company can easily add new steps in the future.
Which solution will meet these requirements?
- A . Use Amazon SQS to create a queue for orders. Configure an AWS Lambda function to process the queue and to directly call the APIs for each order processing step.
- B . Configure the order processing system to publish an event for each order that is placed to an Amazon EventBridge event bus. Set up separate rules and targets for each order processing step.
- C . Use Amazon SNS to publish order events. Create a separate subscription for each order processing step. Configure an AWS Lambda function to process each subscription.
- D . Use AWS Step Functions to orchestrate the workflow. Configure an AWS Lambda function for each step in the process to directly invoke the API for each order processing step.
B
Explanation:
The correct answer is B because Amazon EventBridge is designed for building loosely coupled event-driven architectures. In this scenario, when an order is placed, the order processing system can publish a single event to an EventBridge event bus. Then, multiple independent consumers can react to that event through separate rules and targets. This matches the requirement to update inventory, send email, notify shipping, and update order history without tightly coupling those actions together.
EventBridge is especially well suited when the company wants to add new processing steps later. A new consumer can be added simply by creating another rule and target for the existing order event, without changing the original order submission code or the existing consumers. This supports extensibility and separation of concerns, which are key goals of event-driven design.
Option A is less appropriate because a single Lambda function that directly calls every downstream system becomes tightly coupled and harder to extend.
Option C supports fan-out, but EventBridge provides richer routing, filtering, and event bus semantics for enterprise event-driven workflows.
Option D is useful for workflow orchestration, but it creates a more centrally orchestrated pattern rather than the looser publish-and-subscribe model requested in the question.
AWS guidance for modern event-driven architectures emphasizes publishing events and allowing interested services to subscribe independently. EventBridge provides native routing and integration with many AWS services, making it easy to evolve the architecture over time.
Therefore, B is the best answer for achieving loose coupling and future extensibility.
A company wants to launch a REST API across multiple environments. The company needs to configure staging, testing, and production environments. The configuration must provide built-in support for version control. The team must be able to promote the test environment to the production environment when required.
Which solution will meet these requirements in the MOST operationally efficient way?
- A . Use Amazon API Gateway to create a REST API. Set up an API method for each environment.
Deploy the REST API. Associate the REST API deployment with the appropriate method. - B . Create a REST API for each environment in Amazon API Gateway. Deploy the APIs and distribute the URL of the API to the corresponding users.
- C . Identify the API methods required for the configuration. Create an AWS Lambda function for each required API method. Use Lambda canary deployments with a weighted alias for new releases and version control.
- D . Use Amazon API Gateway to create a REST API. Set up an API method for each environment.
Deploy the REST API and associate the deployment with the appropriate stage.
D
Explanation:
Amazon API Gateway Stages (staging, testing, production) are the standard way to handle different
environments for a single REST API. Each stage is a reference to a specific deployment snapshot of the API. This provides a built-in promotion path: once a deployment is tested in the "test" stage, it can be deployed to the "production" stage. This is the most operationally efficient method as it uses the native features of the service.
A developer is building an application and wants to quickly test the effectiveness of a function before committing the code.
Which solution will meet this requirement with the LEAST effort?
- A . Add a report group that has test case information to the buildspec file of an AWS CodeBuild project.
- B . Highlight the function within the application code. Use the Amazon Q Developer agent to generate a unit test.
- C . Add a report group that has test case information to the appspec file of an AWS CodeBuild project.
- D . Use Amazon Q Developer to review the code. Use the results of the review as context in a follow-up prompt to generate a unit test.
B
Explanation:
Amazon Q Developer (formerly part of CodeWhisperer) is an AI-powered assistant integrated into IDEs (like VS Code or JetBrains). It can generate unit tests, explain code, and suggest improvements. Highlighting a specific function and asking the agent to generate a unit test is the fastest, lowest-effort way for a developer to test a function before committing code, as it happens directly within the development workflow.
A company is providing read access to objects in an Amazon S3 bucket for different customers. The company uses 1AM permissions to restrict access to the S3 bucket. The customers can access only their own files.
Due to a regulation requirement, the company needs to enforce encryption in transit for interactions with Amazon S3.
Which solution will meet these requirements?
- A . Add a bucket policy to the S3 bucket to deny S3 actions when the aws: SecureTransport condition is
equal to false. - B . Add a bucket policy to the S3 bucket to deny S3 actions when the s3: x-amz-acl condition is equal to public-read.
- C . Add an 1AM policy to the 1AM users to enforce the usage of the AWS SDK.
- D . Add an 1AM policy to the 1AM users that allows S3 actions when the s3: x-amz-acl condition is equal to bucket-owner-read.
A company has many microservices that are comprised of AWS Lambda functions. Multiple teams within the company split ownership of the microservices.
An application reads configuration values from environment variables that are contained in the Lambda functions. During a security audit, the company discovers that some of the environment variables contain sensitive information.
The company’s security policy requires each team to have full control over the rotation of AWS KMS keys that the team uses for its respective microservices.
- A . Create AWS managed keys for all Lambda functions. Use the new AWS managed keys to encrypt the environment variables. Add kms: Decrypt permissions to the Lambda function execution roles.
- B . Create customer managed keys for all Lambda functions. Use the new customer managed keys to encrypt the environment variables. Add kms: Decrypt permission to the Lambda function execution roles.
- C . Create customer managed keys for all Lambda functions. Use the new customer managed keys to encrypt the environment variables. Add kms: CreateGrant permission and kms: Encrypt permission to the Lambda function execution roles.
- D . Create AWS managed keys for all Lambda functions. Use the new AWS managed keys to encrypt the environment variables. Add kms: CreateGrant permission and kms: Encrypt permission to the Lambda function execution roles.
B
Explanation:
Comprehensive and Detailed Step-by-Step
Customer Managed Keys (CMK) for Granular Control (Option B):
Customer-managed KMS keys are required to meet the security policy requirement of team-specific control over KMS key rotation. Each team can manage the lifecycle of its own key.
The kms: Decrypt permission allows the Lambda function execution roles to decrypt the environment variables during runtime.
This solution adheres to the principle of least privilege and satisfies the need for team-specific key control.
Why Other Options Are Incorrect:
Option A: AWS-managed keys cannot provide team-specific control or support the custom rotation policy required by the teams.
Option C: Adding kms: CreateGrant and kms: Encrypt permissions to Lambda roles is unnecessary for this scenario. The key usage is limited to decryption at runtime.
Option D: AWS-managed keys still lack team-specific control, and adding kms: CreateGrant and kms: Encrypt is redundant.
Reference: AWS Lambda Environment Variables
AWS Key Management Service Documentation
A developer has created an AWS Lambda function that is written in Python. The Lambda function reads data from objects in Amazon S3 and writes data to an Amazon DynamoDB table.
The function is successfully invoked from an S3 event notification when an object is created.
However, the function fails when it attempts to write to the DynamoDB table.
What is the MOST likely cause of this issue?
- A . The Lambda function’s concurrency limit has been exceeded.
- B . The DynamoDB table requires a global secondary index (GSI) to support writes.
- C . The Lambda function does not have IAM permissions to write to DynamoDB.
- D . The DynamoDB table is not running in the same Availability Zone as the Lambda function.
C
Explanation:
Because the Lambda function is successfully triggered by the S3 event notification, the invocation path (S3 → Lambda) is working correctly. The failure occurs specifically when the function tries to write to DynamoDB, which strongly indicates an authorization problem rather than an invocation, scaling, or infrastructure issue.
In AWS, a Lambda function interacts with other services by using its execution role (an IAM role). AWS documentation explains that a Lambda function must have explicit IAM permissions to call downstream services such as DynamoDB. To write items, the role typically needs actions like dynamodb: PutItem (and sometimes dynamodb: UpdateItem, dynamodb: BatchWriteItem, depending on code behavior) on the target table resource ARN. If these permissions are missing or scoped incorrectly, DynamoDB returns an AccessDeniedException (or similar) and the function fails at the write step.
Option A is unlikely because exceeding concurrency would typically prevent invocation or cause throttling at the Lambda service level, not selectively fail only at DynamoDB write time after the function begins executing.
Option B is incorrect: DynamoDB does not require a GSI to support writes. GSIs are for alternate query access patterns, not mandatory for write operations.
Option D is incorrect because DynamoDB is a regional service, not tied to a single Availability Zone, and Lambda does not need to be “in the same AZ” to access it.
Therefore, the most likely cause is that the Lambda execution role lacks the necessary IAM permissions to perform DynamoDB write operations.
A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically.
How can a developer meet these requirements?
- A . Create an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API Gateway, and use the temporary credentials generated by the identity pool.
- B . Create and maintain a database record for each user with a corresponding token and use an AWS Lambda authorizer in API Gateway.
- C . Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.
- D . Create an 1AM user for each API user, attach an invoke permissions policy to the API. and use an I AM authorizer in API Gateway.
A developer is creating an application that must transfer expired items from Amazon DynamoDB to Amazon S3. The developer sets up the DynamoDB table to automatically delete items after a specific TTL. The application must process the items in DynamoDB and then must store the expired items in Amazon S3. The entire process, including item processing and storage in Amazon S3, will take 5 minutes.
Which solution will meet these requirements with the LEAST operational overhead?
- A . Configure DynamoDB Accelerator (DAX) lo query for expired items based on the TTL Save the results to Amazon S3.
- B . Configure DynamoDB Streams to invoke an AWS Lambda function. Program the Lambda function to process the items and to store the expired items in Amazon S3.
- C . Deploy a custom application on an Amazon Elastic Container Service (Amazon ECS) cluster on Amazon EC2 instances. Program the custom application to process the items and to store the expired items in Amazon S3.
- D . Create an Amazon EventBridge rule to invoke an AWS Lambda function. Program the Lambda function to process The items and to store the expired items in Amazon S3.
A company operates a web-based loan processing application. The application’s UI was implemented in JavaScript. The frontend transmits application data securely by using HTTPS to Amazon API Gateway, which initiates an AWS Lambda function in private subnets. The Lambda function interacts with third-party credit check APIs that require persistent API keys. The company enforces strict policies to ensure that personally identifiable information (PII) and sensitive credentials are never exposed in client code, request paths, headers, or logs. The company needs a solution to manage the API keys that the Lambda function needs to use.
Which solution will meet this requirement in the MOST secure way?
- A . Store the API keys as encrypted environment variables by using an AWS KMS key. Configure the execution role of the Lambda function to have permissions to securely decrypt the environment variables at runtime.
- B . Pass the API keys to the Lambda function by including the keys as URL query parameters in each HTTPS request.
- C . Bundle the API keys inside the minified client-side JavaScript.
- D . Store the API keys as resource metadata tags on the Lambda function. Configure the Lambda function to read its own tags at startup by using the AWS SDK.
A
Explanation:
Storing secrets in environment variables encrypted with AWS KMS is a standard secure practice for Lambda. By using a Customer Managed Key (CMK), you can audit every decryption request via CloudTrail. This ensures the keys are never in plaintext in the management console or code.
Options B and C are highly insecure as they expose keys in URLs or client-side code. Tags (Option D) are not meant for sensitive secrets and are not encrypted.