DVA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

When IAM user credentials require MFA for API access, the correct approach is to obtain temporary security credentials from AWS Security Token Service (STS) that are validated with an MFA code. AWS documentation describes using STS to issue temporary credentials that applications can use instead of long-term access keys, especially when MFA is required.

The specific STS API operation used for an IAM user to obtain temporary credentials is GetSessionToken. This call supports MFA by accepting the user’s MFA device serial number and a time-based one-time password (TOTP) code. STS then returns a set of temporary credentials: AccessKeyId, SecretAccessKey, and SessionToken, which the SDK can use to sign subsequent API requests. This is the standard method for enabling MFA-protected API access for IAM users.

Why the other options are wrong:

GetFederationToken is used to obtain temporary credentials for a federated user, often for scenarios where you want to grant access to resources for users who do not have IAM users. It’s not the typical method for IAM-user MFA enforcement for all calls.

GetCallerIdentity simply returns identity details for the current credentials; it does not generate credentials.

DecodeAuthorizationMessage is used to decode encoded authorization failure messages returned by AWS, not to authenticate.

Therefore, to access an API protected by MFA requirements for an IAM user, the developer should call GetSessionToken and then use the returned temporary credentials in the AWS SDK.

This is a feature flag / dynamic configuration requirement: enable a new feature for a subset of users (premium customers), toggle it on/off quickly based on feedback/performance, and deploy configuration changes safely with validation and without disruption. AWS AppConfig (part of AWS Systems Manager) is designed for exactly this use case.

AWS AppConfig helps create, manage, and deploy application configurations, including feature flags, in a controlled way. It supports configuration validators (such as JSON schema or Lambda validators) to catch errors before deployment. It also supports controlled rollouts with deployment strategies to reduce blast radius (for example, gradual deployments). This allows rapid changes without redeploying code and minimizes disruption.

Option A aligns perfectly: use AppConfig feature flags to target premium users and toggle the feature quickly.

Option B is incorrect because Secrets Manager is for sensitive secrets (passwords, API keys), not feature flag management and progressive configuration deployments.

Option C is incorrect because AWS Config evaluates resource compliance and records configuration changes of AWS resources; it does not serve runtime feature flag delivery.

Option D (Parameter Store) can store configuration values, but it does not provide the same feature-flag-focused capabilities, validation/deployment strategies, and safe rollout controls that AppConfig provides. Also, “lifecycle rules” is not how Parameter Store toggles features.

AWS SAM provides built-in tooling to generate realistic event payloads that match the structure of events produced by AWS services (such as S3, SNS, SQS, API Gateway, EventBridge, and others). The command designed specifically for this purpose is sam local generate-event. It produces sample event JSON that mirrors the format AWS services deliver to Lambda, which meets the requirement that payload structures match real service events.

This approach also requires the least development effort because the developer does not need to manually craft and maintain JSON payload files. Instead, the developer can generate the appropriate event type with SAM, optionally tweak values (bucket name, object key, request parameters), and then run sam local invoke using the generated payload. This significantly reduces mistakes and saves time, especially when testing multiple event sources.

Why other options are less suitable:

A (shareable test events) is vague and typically still requires manual creation/maintenance.

B requires manually creating payloads, which is error-prone and higher effort.

C adds unnecessary operational overhead (S3 storage) and still relies on manual payload creation.

Therefore, using sam local generate-event is the quickest and lowest-effort way to generate accurate AWS-service-like test payloads for local Lambda testing.

Using Amazon ElastiCache for Memcached to store and manage the session data will reduce the memory load and improve the performance of the web server. Using Amazon RDS for MySQL DB instance to store the application data will provide a scalable, reliable, and managed database service. Option A is not optimal because it does not address the memory issue of the web server. Option C is not optimal because it does not provide a persistent storage for the application data. Option D is not optimal because it does not provide a high availability and durability for the session data.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

AWS CloudFormation is a service that allows developers to model and provision AWS resources using templates. A CloudFormation template can define the load test resources, such as EC2 instances, load balancers, and Auto Scaling groups. A CloudFormation stack set is a collection of stacks that can be created and managed from a single template in multiple Regions and accounts. The AWS CLI create-stack-set command can be used to create a stack set from a template and specify the Regions where the stacks should be created. Reference: Working with AWS CloudFormation stack sets

Amazon SQS provides server-side encryption (SSE) to protect messages at rest by using AWS Key Management Service (AWS KMS). When SSE is enabled on an SQS queue, all messages are encrypted automatically before they are stored and decrypted only when they are retrieved by authorized consumers.

AWS documentation states that SSE for SQS transparently encrypts the entire message payload , including the message body and message attributes. This ensures that sensitive data is protected without requiring changes to application code or custom encryption logic.

Option A enforces encryption in transit , not at rest. Option B is invalid because SSE is configured at the queue level, not inside message payloads. Option D does not improve security because message attributes are also stored as part of the message and require SSE to be protected.

Enabling SSE on the queue is the simplest, most secure, and AWS-recommended solution. It ensures compliance with encryption requirements while minimizing operational overhead.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

The AWS Serverless Application Model (SAM) includes features for local testing and debugging of AWS Lambda functions. One of the most efficient ways to generate test payloads that match actual AWS event structures is by using the sam local generate-event command.

sam local generate-event: This command allows developers to create pre-configured test event payloads for various AWS services (e.g., S3, API Gateway, SNS). These generated events accurately reflect the format that the service would use in a live environment, reducing the manual work required to create these events from scratch.

Operational Overhead: This approach reduces overhead since the developer does not need to manually create or maintain test events. It ensures that the structure is correct and up-to-date with the latest AWS standards.

Alternatives:

Option A suggests using shareable test events, but manually creating or sharing these events introduces more overhead.

Option B and C both involve manually storing and maintaining test events, which adds unnecessary complexity compared to using sam local generate-event.

AWS SAM CLI documentation

The X-Ray daemon is a software that collects trace data from the X-Ray SDK and relays it to the X-Ray service. The X-Ray daemon can run on any platform that supports Go, including Linux, Windows, and macOS. The developer can install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service with minimal configuration. The X-Ray SDK is used to instrument the application code, not to capture and relay data. The Lambda function solutions are more complex and require additional configuration.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.

Tracing Distributed Systems: AWS X-Ray is designed to trace requests across services, helping identify bottlenecks in distributed applications like this one.

No Code Changes: Enabling X-Ray tracing often requires minimal code changes, meeting the requirement.

Identifying Bottlenecks: Analyzing X-Ray traces and logs will reveal latency in communications between different AWS services, leading to the high duration time.

The most secure approach on Amazon EC2 is to avoid long-term static credentials entirely and rely on IAM roles for Amazon EC2 (instance profiles). When an EC2 instance is associated with an instance profile, AWS automatically provides temporary security credentials to the instance through the instance metadata service (IMDS) . The AWS SDK and CLI can retrieve and rotate these credentials automatically, eliminating the need to store an access key and secret key on disk. This reduces the risk of credential leakage and removes the operational burden of key rotation.

In this scenario, the EC2 instance is already configured with an IAM instance profile in the same account as the S3 bucket. Because the bucket is in the same account and the instance profile can be granted the required permissions, there is no security benefit to keeping a separate stored access key/secret key or performing an additional STS AssumeRole hop. The simplest and most secure design is to attach an IAM policy to the instance profile role that allows the required s3:PutObject (and any related actions such as s3:PutObjectAcl if needed) on the specific bucket/prefix. The application code can then call S3 directly using the AWS SDK, which will automatically use the instance profile credentials.

Option A continues to use long-lived static credentials stored on the server, which is less secure than instance profiles. Option D is the same problem with different keys: still long-lived credentials that must be protected and rotated. Option B removes stored keys but keeps an AssumeRole call; although AssumeRole uses temporary credentials, it adds complexity and is unnecessary here because the instance already has an IAM role and the S3 bucket is in the same account.

Therefore, the most secure solution is C : remove static keys and the AssumeRole code and use the instance profile role with least-privilege S3 permissions.

The core requirement is to perform a one-time deployment for testing without impacting the existing pre-production stack that other team members rely on. The safest way to avoid disruption is to deploy into an isolated AWS account (a dedicated development/testing account) instead of modifying the shared pre-production environment.

Option C achieves this with the least effort: use the AWS SAM CLI to package and deploy the same SAM application into a new AWS account designated for development. This creates an isolated copy of the stack (Lambda + SNS topics) where the developer can validate changes without affecting the shared pre-production deployment or the release pipeline.

Option A still deploys into pre-production, which directly violates the requirement to avoid impacting the existing application. A “debug parameter” does not prevent resource updates or side effects.

Option B is inconsistent: a CloudFormation change set is created against a specific account/stack. You cannot create a change set in one account and “execute it” in a different account as stated. Cross-account execution would require different credentials and a separate deployment process.

Option D introduces additional pipeline/stage complexity and is not necessary for a one-time test; it also implies changing the existing stack/pipeline, which can itself cause disruption.

Amazon API Gateway supports canary deployments , which are designed specifically for controlled production rollouts. Canary deployments allow a developer to direct a configurable percentage of traffic to a new deployment while the remainder continues to use the existing deployment.

AWS documentation states that canary releases help minimize customer impact by exposing only a subset of users to potential issues. Because the routing is request-based , individual users are less likely to encounter inconsistent behavior across multiple requests.

Route 53 weighted routing (Option B) operates at the DNS level and can result in users being routed unpredictably due to DNS caching. An Application Load Balancer (Option C) is not supported as a direct frontend for API Gateway stages and adds unnecessary complexity. Option A lacks traffic control guarantees.

Therefore, configuring a canary deployment on the production stage is the AWS-recommended and lowest-risk approach.