DVA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

AWS X-Ray SDK: The primary way to enable X-Ray tracing within applications. The SDK sends data about requests and subsegments to the X-Ray daemon for service map generation.

Instrumenting All Services: To visualize a complete microservice architecture on the service map, each relevant service must include the X-Ray SDK.

Why Option B is Correct:Amazon ECS does not natively process docker-compose.yml files. Instead, the configurations from docker-compose.yml must be converted into ECS-compatible configurations within a task definition. Task definitions are the primary way to specify container configurations in ECS, including service dependencies like databases, caches, and volumes.

Steps to Resolve the Error:

Extract the configurations from the docker-compose.yml file.

Map the dependencies and settings to the appropriate ECS task definition fields.

Deploy the task definition to the ECS cluster.

Why Other Options are Incorrect:

Option A: Docker labels do not directly impact ECS task execution or integrate with ECS service configurations.

Option C: ECS namespaces do not exist as a feature.

Option D: Changing the service type to REPLICA does not resolve the issue of missing service dependency configurations.

AWS Documentation References:

Amazon ECS Task Definitions

Migrating Docker Compose Workloads to ECS

To measure how long an application spends calling downstream AWS services (for example, DynamoDB, S3, SNS, etc.) in a distributed system, the most effective AWS-native approach is AWS X-Ray with appropriate instrumentation. X-Ray provides distributed tracing by capturing end-to-end request paths and breaking each request into segments and subsegments with precise timing information. When the application is instrumented with the X-Ray SDK, client handlers/interceptors automatically create subsegments for calls to AWS services, recording latency, response status, and error/throttle indicators.

This directly satisfies the requirement: determine the length of time of calls to various downstream services. In the X-Ray trace map and trace details, the developer can see per-service timing, identify which dependency is slow, and distinguish application processing time from downstream call time. This is specifically designed for performance bottleneck analysis and root cause investigation across distributed components.

Option A (VPC Flow Logs) captures network flow metadata (source/destination, ports, bytes, accept/reject), not application-level request timing to AWS service APIs, and it won’t show the latency breakdown per downstream service call.

Option B can work only if the application is already logging detailed timing for each call, but this is manual, inconsistent across services, and does not give a unified distributed trace view. It is also higher effort than using standard tracing instrumentation.

Option C increases CloudWatch metric granularity for EC2 but does not show per-request downstream service call durations.

Therefore, implementing AWS X-Ray with client handlers is the correct solution.

For API Gateway REST APIs, configuration changes (new resources/methods) do not automatically become callable from a stage until a new API Gateway Deployment is created and associated with the stage. In CloudFormation, an AWS::ApiGateway::Deployment resource is immutable and effectively represents a snapshot of the API configuration at a point in time. If the Deployment resource does not change (for example, its logical ID or a property that forces replacement), CloudFormation may not create a new deployment even though the stack update succeeds—resulting in the stage still pointing to the old deployment. The symptom is exactly what’s described: new methods return 404 because they are not part of the deployed snapshot.

A common operational fix is to create a new deployment explicitly during CI/CD. Option C does this by running aws apigateway create-deployment, which creates a fresh deployment that includes the new resources/methods and makes them available on the stage.

Option D is unrelated (CloudFront invalidation).

Options A and B do not affect API Gateway deployment snapshots.

???? In pure CloudFormation, another common pattern is to force a new deployment by changing the Deployment logical ID or embedding a timestamp/hash in the deployment description. But among the options given, running create-deployment is the direct fix.

Therefore, add a pipeline step to run aws apigateway create-deployment.

This solution will meet the requirements by using the Time to Live (TTL) feature of DynamoDB, which enables automatically deleting items from a table after a certain time period. The developer can add a new attribute of type Number that has a timestamp that is set to 48 hours after the blog post creation time, which represents the expiration time of the item. The developer can configure the DynamoDB table with a TTL that references the new attribute, which instructs DynamoDB to delete the item when the current time is greater than or equal to the expiration time. This solution is also cost-effective as it does not incur any additional charges for deleting expired items. Option A is not optimal because it will create a script to find and remove old posts with a table scan and a batch write item API operation, which may consume more read and write capacity units and incur more costs. Option B is not optimal because it will use Amazon Elastic Container Service (Amazon ECS) and AWS Fargate to run the script, which may introduce additional costs and complexity for managing and scaling containers. Option C is not optimal because it will create a global secondary index (GSI) that uses the expiration time as a sort key, which may consume more storage space and incur more costs.

Option D is correct because this is exactly the problem the circuit breaker pattern solves. When a downstream service repeatedly fails or times out, a circuit breaker stops further calls after a failure threshold is reached. This prevents the Lambda function from repeatedly calling an unavailable third-party payment platform, reducing wasted API calls and Lambda compute cost. AWS Prescriptive Guidance states that the circuit breaker pattern can prevent a caller service from retrying calls to another service after repeated failures and can also detect when the downstream service becomes functional again. A DLQ does not help because the API Gateway invocation is synchronous and the waste happens before failure. Increasing timeout or memory makes the issue worse. Exponential backoff helps reduce retry pressure but does not stop invocations during an outage.

Using a dead-letter queue (DLQ) with Amazon SQS is the most operationally efficient solution for handling unprocessable messages.

Amazon SQS Dead-Letter Queue:

A DLQ is used to capture messages that fail processing after a specified number of attempts.

Allows the application to continue processing other messages without being blocked.

Messages in the DLQ can be analyzed later for debugging and resolution.

Why DLQ is the Best Option:

Operational Efficiency: Automatically defers messages with errors, ensuring the queue is not blocked.

Analysis Ready: Messages in the DLQ can be inspected to identify recurring issues.

Scalable: Works seamlessly with Lambda and SQS at scale.

Why Not Other Options:

Option A: Logs the messages but does not resolve the queue blockage issue.

Option C: FIFO queues and 0-second retention do not provide error handling or analysis capabilities.

Option D: Alerts administrators but does not handle or store the unprocessable messages.

Steps to Implement:

Create a new SQS queue to serve as the DLQ.

Attach the DLQ to the primary queue and configure the Maximum Receives setting.

Using Amazon SQS Dead-Letter Queues

Best Practices for Using Amazon SQS with AWS Lambda

Sensitive environment variables in Lambda should be protected using encryption helpers integrated with AWS KMS. Lambda environment variables are encrypted at rest, and when using a customer managed KMS key, teams can control the key policy, access, and rotation for their own microservices—matching the policy requirement that each team has “full control” over key rotation. AWS managed keys do not provide the same level of customer control over lifecycle and rotation decisions.

Therefore, the correct approach is to create customer managed KMS keys (one per team/service boundary or per microservice, depending on governance) and configure each Lambda function to use the relevant CMK for encrypting its environment variables. The Lambda execution role must have permission to use the key for decryption at runtime, typically requiring kms:Decrypt (and sometimes kms:DescribeKey depending on tooling). This is captured by Option B.

Option A and D use AWS managed keys, which do not satisfy the requirement for each team to control rotation. Rotation control (and policy ownership) is a key differentiator of customer managed keys.

Option C is not correct because the Lambda execution role does not need kms:CreateGrant and kms:Encrypt for decrypting environment variables at runtime. Over-permissioning increases risk. The Lambda service handles encryption of environment variables; the function runtime principally needs the ability to decrypt.

This solution will meet the requirements by using a rolling with additional batch deployment method, which deploys the new version of the application to a separate group of instances and then shifts traffic to those instances in batches. This way, the application maintains full capacity and avoids service interruption during deployment, as well as minimizes the cost of additional resources that support the deployment. Option A is not optimal because it will use an all at once deployment method, which deploys the new version of the application to all instances simultaneously, which may cause service interruption or downtime during deployment. Option C is not optimal because it will use a blue/green deployment method, which deploys the new version of the application to a separate environment and then swaps URLs with the original environment, which may incur more costs for additional resources that support the deployment. Option D is not optimal because it will use an immutable deployment method, which deploys the new version of the application to a fresh group of instances and then redirects traffic to those instances, which may also incur more costs for additional resources that support the deployment.

This solution meets the requirements because it provides a caching layer that can store and retrieve encrypted data from multiple nodes. Amazon ElastiCache for Redis supports encryption at rest and in transit, and can scale horizontally to increase the cache capacity and availability. Amazon ElastiCache for Memcached does not support encryption, Amazon CloudFront is a content delivery network that is not suitable for caching database queries, and Amazon DynamoDB Accelerator (DAX) is a caching service that only works with DynamoDB tables.

Amazon S3 supports resource-based policies, which are JSON documents that specify the permissions for accessing S3 resources. A resource-based policy can be used to enforce encryption in transit by denying access to requests that do not use HTTPS. The condition key aws:SecureTransport can be used to check if the request was sent using SSL. If the value of this key is false, the request is denied; otherwise, the request is allowed. Reference: How do I use an S3 bucket policy to require requests to use Secure Socket Layer (SSL)?

The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.

With STS AssumeRole , the application requests temporary credentials for a specific IAM role . The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.

Options A and B rely on long-term IAM user credentials . Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.

Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole .

Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.

To rotate database credentials without downtime, Secrets Manager recommends the alternating users (dual user) rotation strategy. With a single-user strategy, Secrets Manager changes the password for the same database user that the application is actively using. If the application continues using cached/old credentials during rotation, authentication failures and downtime can occur.

With the alternating users strategy, two database users exist (often named something like appuser and appuser_clone). Secrets Manager alternates which user is “active” in the secret. During rotation, Secrets Manager updates the inactive user’s password, verifies it, updates the secret to point to the newly updated user, and then (optionally) retires the old credentials. This approach minimizes disruption because there is always one known-good credential set while the other is being updated.

The question specifically requires regular rotation using Secrets Manager. That is achieved by enabling automatic rotation on the secret with a schedule (for example, every 30/60/90 days). Automatic rotation invokes the rotation Lambda (AWS-provided or configured) and performs the workflow without manual intervention.

Option D combines both requirements: automatic rotation plus the alternating users strategy for high availability and no downtime.

Option B mentions alternating users but “managed rotation” is not the standard term used in these choices as the primary differentiator—automatic rotation is the necessary capability to rotate regularly without manual effort.

Options A and C (single user) are more likely to cause downtime during rotation.

Therefore, configure automatic rotation with the alternating users rotation strategy.

To meet the requirement for encryption " at rest, " you must enable Server-Side Encryption (SSE) on the SNS topic (Option A). To ensure encryption " in transit, " you must enforce HTTPS. The aws:SecureTransport global condition key checks if the request was made over SSL/TLS. Adding a Deny statement where aws:SecureTransport is false (Option E) effectively mandates that only encrypted connections are allowed to publish to the topic.