DVA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

The requirement is to keep profile pictures private in S3 while allowing the browser to display them each time an employee logs in. The standard AWS pattern is to store objects in a private bucket and provide time-limited access through S3 presigned URLs . A presigned URL grants temporary permission to perform a specific operation (such as GET) on a specific object, and it expires automatically after a configured duration. This prevents public access while still allowing simple browser retrieval.

Option D is the viable long-term solution because it stores only the S3 object key (a stable identifier) in DynamoDB and generates a fresh presigned URL at login time . This is important because presigned URLs expire; storing a presigned URL (option A) would eventually store an expired URL and force extra complexity to refresh records. Generating a new presigned URL when needed ensures the link is always valid and keeps the expiration window tight, which improves security.

Option B is not appropriate for employee browsers in general: a VPC endpoint is for traffic from resources inside a VPC (EC2, Lambda in VPC, etc.). Employee browsers on the public internet cannot use a private VPC endpoint to reach S3. Option C is not viable for “no size limit” images: DynamoDB has strict item size limits, base64 inflates data size, and storing large binary blobs in DynamoDB is inefficient and expensive compared to S3.

Therefore, D best meets the requirement: keep images private in S3, store the S3 key in DynamoDB, and generate a presigned URL on each login to provide secure, temporary access for display.

When sharing SSE-KMS–encrypted S3 objects across AWS accounts , AWS documentation states that three elements are required:

A customer-managed KMS key (Option E), because AWS-managed keys cannot be shared across accounts.

An S3 bucket policy (Option B) that grants the second account permission to access the objects.

A KMS key policy (Option C) that explicitly allows the second account to use the KMS key for decrypt operations.

Option A is incorrect because AWS-managed KMS keys cannot be shared. Option F uses SSE-S3, which does not use KMS and violates the encryption requirement. Option D is irrelevant because cross-account access does not require an S3 service role.

Therefore, the correct combination is B, C, and E .

Because the Lambda function is successfully triggered by the S3 event notification, the invocation path (S3 → Lambda) is working correctly. The failure occurs specifically when the function tries to write to DynamoDB, which strongly indicates an authorization problem rather than an invocation, scaling, or infrastructure issue.

In AWS, a Lambda function interacts with other services by using its execution role (an IAM role). AWS documentation explains that a Lambda function must have explicit IAM permissions to call downstream services such as DynamoDB. To write items, the role typically needs actions like dynamodb:PutItem (and sometimes dynamodb:UpdateItem, dynamodb:BatchWriteItem, depending on code behavior) on the target table resource ARN. If these permissions are missing or scoped incorrectly, DynamoDB returns an AccessDeniedException (or similar) and the function fails at the write step.

Option A is unlikely because exceeding concurrency would typically prevent invocation or cause throttling at the Lambda service level, not selectively fail only at DynamoDB write time after the function begins executing.

Option B is incorrect: DynamoDB does not require a GSI to support writes. GSIs are for alternate query access patterns, not mandatory for write operations.

Option D is incorrect because DynamoDB is a regional service, not tied to a single Availability Zone, and Lambda does not need to be “in the same AZ” to access it.

Therefore, the most likely cause is that the Lambda execution role lacks the necessary IAM permissions to perform DynamoDB write operations.

The correct answer is D because the error is occurring when the Lambda function calls the third-party fulfillment service , and the log message clearly states “Rate limit exceeded from fulfillment service.” This indicates the downstream system is throttling requests. In AWS best practices for integrating with external services, developers should use retries with exponential backoff to handle transient throttling and service rate-limit responses gracefully.

API Gateway showing 5XX errors instead of 4XX errors also makes sense in this design. The client request reaches API Gateway successfully, and API Gateway invokes Lambda. The failure happens inside the backend processing path when Lambda calls the external fulfillment API. Because the backend integration fails, API Gateway surfaces a server-side error rather than a client-side error.

Option A is incorrect because increasing API Gateway throttling limits would allow even more requests to reach Lambda, which could worsen the rate-limit issue against the external fulfillment service. Option B is incorrect because provisioned concurrency helps with cold starts and startup latency, not downstream rate limiting. Option C is incorrect because increasing Lambda memory might improve CPU performance, but it does not solve an external API returning rate-limit responses.

By implementing exponential backoff and retry logic , the Lambda function can reduce the frequency of immediate repeated requests to the third-party service, give the service time to recover, and improve overall request success. This approach aligns with AWS guidance for fault tolerance and resilient service integration patterns when working with throttled downstream dependencies.

A Lambda layer is the correct operationally efficient solution because layers are specifically designed to package reusable code, libraries, custom runtimes, or configuration files separately from function code. The developer can publish the shared .zip archive as a layer version and attach that layer to multiple Lambda functions. This avoids copying the same dependency into every deployment package and centralizes dependency management. Amazon S3 alone does not create an importable runtime dependency path for Lambda. A separate Lambda function would add synchronous invocation latency and coupling. A container image could work for container-based functions, but it is heavier and unnecessary when the code is already packaged as a .zip dependency. AWS documentation states that layers are used to separate reusable dependencies from function code and add them to functions. ( AWS Documentation )

===============

This solution will meet the requirements by using Amazon RDS Proxy, which is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. The developer can create a proxy in Amazon RDS Proxy, which sits between the application and the DB instance and handles connection management, pooling, and routing. The developer can query the proxy instead of the DB instance, which reduces the number of open connections to the DB instance and avoids errors for too many connections. Option A is not optimal because it will create a read replica for the DB instance, which may not solve the problem of too many connections as read replicas also have connection limits and may incur additional costs. Option B is not optimal because it will migrate the data to an Amazon DynamoDB database, which may introduce additional complexity and overhead for migrating and accessing data from a different database service. Option C is not optimal because it will configure the Amazon Aurora MySQL DB instance for Multi-AZ deployment, which may improve availability and durability of the DB instance but not reduce the number of connections.

This solution will meet the requirements by allowing the developer to control what data is sent to X-Ray and CloudWatch from the application code. The developer can filter out any PII from the trace messages before sending them to X-Ray and CloudWatch, ensuring that no PII goes outside of the EC2 instances. Option B is not optimal because it will automatically instrument all incoming and outgoing requests from the application, which may include PII in the trace messages. Option C is not optimal because it will require additional services and costs to use Amazon Macie and AWS Lambda, which may not be able to detect and hide all PII from the trace messages. Option D is not optimal because it will use Open Telemetry instead of X-Ray, which may not be compatible with CloudWatch and other AWS services.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

The destination bucket is in the development account, so the destination encryption key should also be in the development account. A customer managed KMS key is required because its key policy can be edited to allow the production account to use it for encryption during the copy operation. AWS managed keys cannot have their key policies modified to grant cross-account access in the same way. Replicating or copying a KMS key from production is not the correct model for this requirement; KMS keys are regional resources and access is controlled through key policies and IAM permissions. The best design is therefore a new customer managed key in the development account with a key policy that permits the production account to use the key for the copy.

===============