DVA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications3. The sam local generate-event command of AWS SAM CLI generates sample events for automated tests3. The sam local invoke command is used to invoke Lambda functions3. Therefore, option C is correct.

The requirement has two parts: (1) authenticate users with a third-party SAML IdP , and (2) after authentication, allow those users to access AWS services like Amazon S3 and DynamoDB. The AWS pattern for this is to federate the external identity into AWS and then exchange that identity for temporary AWS credentials .

Amazon Cognito identity pools are designed to provide AWS credentials to authenticated users (via AWS STS) so the users can call AWS services directly or through an application backend. Identity pools support federation with external identity providers, including SAML 2.0 . When a user authenticates with the third-party SAML IdP, the identity pool can accept the SAML assertion, map the user to an IAM role, and return temporary, scoped credentials (AccessKeyId/SecretAccessKey/SessionToken) associated with that role. Those credentials can be restricted using IAM policies to only the required S3 buckets, DynamoDB tables, and actions, satisfying least privilege.

Option A is incorrect because a Cognito user pool is primarily a user directory and OIDC/OAuth provider for application authentication; while user pools can integrate with SAML IdPs for federation, user pools alone do not directly issue AWS service credentials. The key requirement here is access to S3/DynamoDB, which is the role of an identity pool . Option C is not appropriate because IAM is not intended to provide end-user sign-up/sign-in for external users; it is for AWS identities and permissions. Option D is unrelated: CloudFront signed URLs control access to CloudFront-distributed content and do not authenticate users with SAML or provide AWS credentials.

Therefore, B meets both requirements: federate SAML authentication through a Cognito identity pool and provide temporary AWS credentials for accessing S3 and DynamoDB.

Why Option B is Correct:

Amazon S3 Standard provides immediate access to files and is cost-effective for files that need to be accessed within 5 minutes.

By adding the S3 location to the SQS queue, you avoid transferring large files directly, which is both more efficient and scalable.

Why Other Options are Incorrect:

Option A: S3 Glacier Deep Archive is designed for archival storage with retrieval times ranging from minutes to hours, which does not meet the 5-minute requirement.

Option C: Amazon EBS is designed for block storage attached to EC2 instances, which adds unnecessary complexity and cost.

Option D: SQS is not designed to handle large file content directly and has message size limits (256 KB).

AWS Documentation References:

Amazon S3 Overview

Amazon SQS Best Practices

AWS Lambda allocates CPU, network throughput, and other resources proportionally to the function’s configured memory . If a Lambda function is CPU-bound (common for image manipulation such as resizing and thumbnail generation) or limited by I/O throughput, increasing the configured memory often improves performance because it also increases the amount of CPU available to the function. This is a standard Lambda optimization technique: tune memory to reduce runtime and achieve a lower latency target.

In this scenario, the thumbnail generation is taking more than 2 minutes, but the requirement is to process each image in under 30 seconds. Without changing the code, the most direct lever is to increase the function’s memory setting and retest. As memory increases, Lambda provides more compute power, which can significantly speed up CPU-intensive libraries (for example, image decoding, resizing, encoding) and reduce overall execution time. Many workloads show near-linear improvements until other bottlenecks (such as downstream service latency) dominate.

Options A and B are not applicable to Lambda in this way. Lambda does not let you directly select a fixed number of vCPUs or choose an EC2 instance type such as m6a.4xlarge for a function; those are EC2 concepts, not Lambda configuration parameters. Option D (“burstable performance”) is also not a Lambda configuration model; burstable performance applies to certain EC2 instance families, not Lambda’s managed execution environment.

Therefore, the correct action is C : increase the Lambda function’s memory allocation (which also increases available CPU and throughput). This is the AWS-supported way to improve performance for compute-intensive Lambda functions and is the most likely to bring processing time down toward the 30-second requirement without code changes.

Amazon API Gateway has a hard integration timeout that determines how long it waits for a backend response. If the backend (Lambda) does not respond within this time, API Gateway returns an HTTP 504 error to the client.

In this scenario, the Lambda function timeout is longer (20 seconds) than the API Gateway integration timeout (15 seconds). AWS documentation states that API Gateway will terminate the request once its timeout is exceeded, even if Lambda continues executing successfully. This explains why there are no Lambda errors despite 504 responses.

Increasing the Lambda timeout (Option B) does not help because API Gateway times out first. Reserved concurrency (Option A) and throttling limits (Option D) are unrelated to request duration.

The correct solution is to increase the API Gateway integration timeout so that it exceeds the maximum expected Lambda execution time. This ensures API Gateway waits long enough for the Lambda response.

Therefore, increasing the API Gateway timeout prevents HTTP 504 errors.

Comprehensive and Detailed Explanation (250–300 words):

For in-place deployments , AWS CodeDeploy updates instances directly rather than using blue/green infrastructure. AWS documentation states that when automatic rollback is enabled and a deployment fails (for example, due to failed health checks or validation scripts), CodeDeploy initiates a rollback deployment .

In an in-place rollback, CodeDeploy redeploys the last known successful application revision to the affected instances. This rollback is treated as a new deployment , complete with its own deployment ID and lifecycle events. CodeDeploy does not use snapshots, Route 53 switching, or external promotion logic for in-place deployments.

Options A and B describe mechanisms that are used in other services or blue/green strategies, not in-place deployments. Option D is incorrect because CodePipeline orchestrates stages but does not perform rollback logic for CodeDeploy.

Therefore, redeploying the previous stable version as a new deployment is the correct behavior.

Problem: Directory access without file names fails.

S3 Static Website Hosting:

Configuring S3 as a static website enables automatic serving of index.html for directory requests.

Bucket policies ensure correct access permissions.

Updating the CloudFront origin simplifies routing.

Avoiding Public Exposure: The S3 website endpoint allows CloudFront to access content without making the bucket public.

The requirement is to rotate database credentials at least weekly . The AWS service that is purpose-built for storing and automatically rotating secrets is AWS Secrets Manager . Secrets Manager supports rotation schedules (including daily, weekly, or custom intervals) and integrates with supported databases through rotation Lambda functions. With rotation enabled, Secrets Manager can periodically generate a new password, update the secret value, and apply the new credential to the database user, while allowing applications to retrieve the current credential securely at runtime.

Option C matches this best practice: create a database user, store the username/password in a Secrets Manager secret, and enable rotation (daily rotation more than satisfies a weekly requirement). Applications on EC2 can retrieve the secret at startup or on a refresh interval using the AWS SDK, and can cache it according to best practices to reduce API calls, while still supporting rotation.

Option A (Parameter Store secure string) encrypts parameters, but Parameter Store does not provide the same managed secret rotation workflow for database credentials; rotating the KMS key is not the same as rotating the database password. Option B is not applicable as stated for RDS for Microsoft SQL Server: IAM database authentication is supported for specific engines (commonly MySQL and PostgreSQL) and is not the standard mechanism for SQL Server password rotation. Option D is insecure and operationally fragile: embedding long-lived credentials in user data and environment variables makes rotation difficult and increases exposure risk.

Therefore, the most secure and compliant configuration is C : store DB credentials in AWS Secrets Manager and enable automated rotation on an interval that meets or exceeds the weekly rotation requirement.

Concurrent users is an application-level metric, not a default infrastructure metric. CloudWatch provides standard metrics such as CPU utilization, network input, and request counts for many AWS services, but it will not automatically know how many active users the application currently has unless the application publishes that value. The correct design is to publish concurrent user count as a custom CloudWatch metric and use that metric in the scaling policy. SNS is a notification service, not a metric source. CloudFront can improve content delivery, but it does not directly define application auto scaling based on concurrent users. NetworkIn might correlate with load but is not the metric chosen by the architect. CloudWatch supports custom metrics and alarms for threshold-based actions. ( AWS Documentation )

===============

Why Option A is Correct:Converting a Lambda function to use a container image involves packaging the function code into a container image, storing the image in Amazon Elastic Container Registry (ECR), and updating the function to use the ECR repository URI.

Why Other Options are Incorrect:

Option B: SAM templates support container-based Lambda deployment, but storing the image in S3 is not applicable.

Option C: CloudFormation does not natively support specifying Lambda container images in S3.

Option D: While partially correct, it omits the need to specify the image tag for the deployment.

AWS Documentation References:

Lambda Container Images

For client-side encryption with AWS KMS, the documented pattern is envelope encryption : you use KMS to generate and protect a data encryption key (DEK) , and you use that DEK locally to encrypt the actual data. This is the correct approach for large payloads (such as 10 MB documents), because the KMS Encrypt API is intended for encrypting small amounts of data (KMS is not designed to directly encrypt multi-megabyte application payloads).

With envelope encryption, the application calls GenerateDataKey on AWS KMS, specifying the KMS key (customer managed key) to use. KMS returns two versions of the DEK in the response:

a plaintext DEK (usable immediately by the application for local cryptographic operations), and

a ciphertext (encrypted) DEK that is encrypted under the specified KMS key.

The application then uses the plaintext DEK to encrypt the 10 MB document on the client side (for example, using an authenticated encryption mode such as AES-GCM via a standard crypto library). After encryption completes, the application must not persist the plaintext DEK; instead, it stores the encrypted document alongside the ciphertext DEK . Later, to decrypt, the application sends the ciphertext DEK to KMS using Decrypt to recover the plaintext DEK, and then decrypts the document locally.

Therefore, option D is correct because it explicitly uses GenerateDataKey and the plaintext DEK to encrypt the data, which is the required envelope-encryption flow. Options A, B, and C do not follow the correct KMS envelope-encryption process for large client-side payloads.

The immutable deployment method is the best option for this scenario, because it meets the requirements of maintaining full capacity, avoiding service interruption, and minimizing the cost of additional resources.

The immutable deployment method creates a new set of instances in a separate Auto Scaling group and deploys the new version of the application to them. Then, it swaps the new instances with the old ones and terminates the old instances. This way, the application maintains full capacity during the deployment and avoids any downtime. The cost of additional resources is also minimized, because the new instances are only created for a short time and then replaced by the old ones.

The other deployment methods do not meet all the requirements:

The all at once method deploys the new version to all instances simultaneously, which causes a short period of downtime and reduced capacity.

The rolling with additional batch method deploys the new version in batches, but for the first batch it creates new instances instead of using the existing ones. This increases the cost of additional resources and reduces the capacity of the original environment.

The blue/green method creates a new environment with a new set of instances and deploys the new version to them. Then, it swaps the URLs between the old and new environments. This method maintains full capacity and avoids service interruption, but it also increases the cost of additional resources significantly, because it duplicates the entire environment.

The solution that will meet the requirements with the most operational efficiency is to create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings. This way, the container image is analyzed earlier in the CI/CD pipeline and any vulnerabilities are detected and reported before deploying to the EKS cluster. The other options either delay the analysis until after deployment, which increases the risk of exposing insecure images, or perform analysis on the source code instead of the container image, which may not capture all the dependencies and configurations that affect the security posture of the image.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to-live (TTL) period. This can improve the responsiveness of the APIs by reducing the number of calls made to the backend service.

Step 1: Understanding the Problem

Processing in Batches: The application must process records in groups.

Sequential Processing: Each record in the batch must be processed before writing to Aurora.

Solution Goals: Use services that support ordered, batched processing and integrate with Aurora.

Step 2: Solution Analysis

Option A:

Amazon Kinesis Data Streams supports ordered data processing.

AWS Lambda can process batches of records via event source mapping with MaximumBatchingWindowInSeconds for timing control.

Configuring the batching window ensures efficient processing and compliance with the workflow.

Correct Option.

Option B:

Amazon SQS is not designed for streaming; it provides reliable, unordered message delivery.

Setting MaximumBatchingWindowInSeconds to 0 disables batching, which is contrary to the requirement.

Not suitable.

Option C:

Amazon MSK provides Kafka-based streaming but requires custom EC2-based processing.

This increases system complexity and operational overhead.

Not ideal for serverless requirements.

Option D:

DynamoDB Streams is event-driven but lacks strong native integration for batch ordering.

Using ECS adds unnecessary complexity.

Not suitable.

Step 3: Implementation Steps for Option A

Set up Kinesis Data Stream:

Configure shards based on the expected throughput.

Configure Lambda with Event Source Mapping:

Enable Kinesis as the event source for Lambda.

Set MaximumBatchingWindowInSeconds to 300 to accumulate data for processing.

Example:

{

" EventSourceArn " : " arn:aws:kinesis:region:account-id:stream/stream-name " ,

" BatchSize " : 100,

" MaximumBatchingWindowInSeconds " : 300

}

Write Processed Data to Aurora:

Use AWS RDS Data API for efficient database operations from Lambda.

AWS Developer References:

Amazon Kinesis Data Streams Developer Guide

AWS Lambda Event Source Mapping

Batch Processing with Lambda