DVA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)

When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.

According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.

AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:

kms:GenerateDataKey

(Implicitly) access allowed by the KMS key policy

Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.

Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.

Option B is unnecessary because the IAM user already has s3:PutObject.

Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.

Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.

Why Option C is Correct:

Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.

Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.

Low Overhead: This approach requires only minimal changes to the function's configuration.

Why Not Other Options:

Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.

Option B: Scheduling the function does not address the root cause of slow performance.

Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.

Using Ephemeral Storage in AWS Lambda

Best Practices for S3 and Lambda Performance

To reduce the time it takes for new Auto Scaling instances to become ready, the most effective optimization is to bake the time-consuming installation and configuration steps into a custom AMI. By creating a prebuilt AMI that already contains the application binaries, dependencies, and baseline configuration, new instances start from an image that is already near “ready to serve.” This minimizes lengthy bootstrapping and significantly shortens the time required to pass ALB health checks and enter service. Therefore, creating a prebuilt AMI (B) is a primary performance optimization for faster scaling events and lower deployment variability.

After creating the AMI, the Auto Scaling group must actually use it. Because the infrastructure is managed with AWS CloudFormation, the developer should update the launch template resource (or launch configuration equivalent) in the CloudFormation template to reference the new AMI ID. This ensures that all newly launched instances use the optimized image consistently and that the change is tracked and repeatable as part of infrastructure as code. That is option C.

The other options are less optimal for the stated goal. Installing and configuring the app at launch time via Systems Manager Run Command (D) or CloudFormation helper scripts (E) still performs the expensive work during instance initialization, which prolongs launch time and can create variance (for example, dependency download time, repo availability, or transient network slowness). Option A (Marketplace AMI) could help only if a suitable prebuilt image exists for the exact custom application—which is unlikely for a proprietary application—and it also reduces control over the build and hardening process compared to maintaining an internal golden AMI.

Therefore, the best combination is B (bake the app into a custom AMI) and C (update the CloudFormation-managed launch template to use that AMI).

Why Option B is Correct:Amazon ECS does not natively process docker-compose.yml files. Instead, the configurations from docker-compose.yml must be converted into ECS-compatible configurations within a task definition. Task definitions are the primary way to specify container configurations in ECS, including service dependencies like databases, caches, and volumes.

Steps to Resolve the Error:

Extract the configurations from the docker-compose.yml file.

Map the dependencies and settings to the appropriate ECS task definition fields.

Deploy the task definition to the ECS cluster.

Why Other Options are Incorrect:

Option A: Docker labels do not directly impact ECS task execution or integrate with ECS service configurations.

Option C: ECS namespaces do not exist as a feature.

Option D: Changing the service type to REPLICA does not resolve the issue of missing service dependency configurations.

AWS Documentation References:

Amazon ECS Task Definitions

Migrating Docker Compose Workloads to ECS

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.

Comprehensive and Detailed Step-by-Step Explanation:

Issue Analysis:

The stream uses service name as the partition key. This can cause "hot partition" issues when a few service names generate significantly more logs compared to others, causing uneven distribution of data across shards.

Metrics show that the write capacity used is below provisioned capacity, which confirms that the throughput errors are due to shard-level limits and not overall capacity.

Option C: Change Partition Key to Creation Timestamp:

By changing the partition key to the creation timestamp (or a composite key including timestamp), the distribution of data across shards can be randomized, ensuring an even spread of records.

This resolves the shard overutilization issue and eliminates ProvisionedThroughputExceededException.

Why Other Options Are Incorrect:

Option A: Switching to on-demand capacity mode might temporarily alleviate the issue, but the root cause (hot partitioning) remains unresolved.

Option B: Adding shards increases capacity but does not fix the skewed data distribution caused by using the service name as the partition key.

Option D: Creating separate streams for each service adds unnecessary complexity and does not scale well as the number of services grows.

AWS Lambda combined with Amazon S3 event notifications provides the most cost-effective and lowest-latency solution for processing objects uploaded to S3. AWS documentation states that S3 event notifications can invoke Lambda functions immediately after object creation, eliminating delays associated with polling or scheduled execution.

Because the data arrives only about 10 times per day and processing completes quickly, Lambda is ideal due to its pay-per-invocation pricing model. There is no need to maintain always-on infrastructure, which significantly reduces cost compared to running EC2 instances. The developer pays only for execution time and requests.

Using CloudWatch alarms (Option A) or scheduled events (Option C) introduces unnecessary latency and complexity. These approaches either delay processing or require periodic checks rather than reacting instantly to object uploads. Polling from EC2 (Option D) is the most expensive and least efficient option because it requires continuously running compute resources.

AWS best practices for event-driven architectures explicitly recommend S3 event notifications → Lambda for near-real-time processing of uploaded data. This approach minimizes operational overhead, achieves near-zero idle cost, and provides the fastest possible response to new data.

Therefore, invoking a Lambda function directly through an S3 event notification is the optimal solution.

This solution will ensure that all orders and updates are stored to Amazon S3 with the least development effort because it uses DynamoDB Streams to capture changes in the DynamoDB table and trigger a Lambda function to write those changes to the S3 bucket. This way, the original Lambda function and API Gateway API endpoint do not need to be modified, and no additional services are required. Option A is not optimal because it will require more development effort to create a new Lambda function and a new API Gateway API endpoint, and to modify the original Lambda function to post updates to the new API endpoint. Option B is not optimal because it will introduce additional costs and complexity to use Amazon Kinesis Data Streams to create a new data stream, and to modify the Lambda function to publish orders to the data stream. Option D is not optimal because it will require more development effort to modify the Lambda function to publish to a new Amazon SNS topic, and to create and subscribe a new Lambda function to the topic.

Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption, ensuring that only authorized application components that possess the private key can decrypt the data.

This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.

Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.

Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available. Option D only secures transport and access control and does not encrypt individual data fields.

Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.

HTTP 429 errors indicate throttling (“Too Many Requests”). In this architecture, throttling can occur at multiple layers (API Gateway rate limits, downstream AWS service API throttles, or dependency throttling). Regardless of which service is throttling, the correct resilience pattern is to implement retries with exponential backoff and jitter for retryable failures. AWS SDKs and AWS best practices recommend backoff to reduce contention and allow the system to recover, while ensuring requests eventually succeed.

Option C directly addresses the problem and the requirement “ensure that all of the application ingests all files.” With a retry + backoff pattern, transient throttling is handled gracefully: failed operations are retried after increasing delays, avoiding immediate retry storms that worsen throttling. This increases successful completion rate without requiring major architectural changes.

Option A (Transfer Acceleration) can improve upload latency from geographically distributed clients, but it does not resolve request throttling (429) caused by API limits.

Option B (multipart upload) helps with large object uploads and can improve throughput/reliability for big files, but it does not inherently prevent 429 throttling at API Gateway or other throttled calls.

Option D (Intelligent-Tiering) affects storage cost optimization, not ingestion throttling.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

The goal is to identify performance bottlenecks across a Lambda function that calls a database (DocumentDB). The most operationally efficient way to pinpoint where time is being spent—without building custom logging/metrics pipelines—is to use distributed tracing. AWS X-Ray provides end-to-end request traces, timing breakdowns, and service maps that help identify whether latency is dominated by Lambda initialization, downstream calls, or database queries.

By enabling X-Ray tracing on the Lambda function, the developer can capture traces for report-generation requests and examine segments that show duration spent inside the function and in downstream dependencies. To specifically diagnose database time, the developer can add custom subsegments around DocumentDB operations (query execution, connection acquisition, cursor iteration). This produces precise timing data for each step, making it straightforward to identify slow queries, excessive connection setup time, or serialization overhead. Because X-Ray aggregates and visualizes traces, the developer can quickly compare “fast” and “slow” traces and isolate the bottleneck.

Option B focuses on errors and generic metrics dashboards; it’s useful for monitoring, but it won’t precisely attribute the extra 22+ seconds to a particular downstream call path. Option C proposes performance improvements (pooling/async), but the question asks to identify bottlenecks first, and it also requires code changes and validation without confirming the root cause. Option D requires adding detailed logging statements and then querying logs; this is more development effort and more ongoing log volume/cost than turning on X-Ray and using trace analysis, especially when the intent is bottleneck identification rather than permanent instrumentation.

Therefore, A is the best choice: enable AWS X-Ray for the Lambda function and trace DocumentDB interactions with custom subsegments to quickly and efficiently identify the specific source(s) of increased latency.

The HTTP header that the developer should use for this analysis is the X-Forwarded-For header. This header contains the IP address of the client that made the request to the Application Load Balancer. The developer can use this header to analyze patterns for the client IP addresses that use the application. The other headers either contain information about the protocol, host, or port of the request, which are not relevant for the analysis.