Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with Dumpstech

The goal is minimal downtime during deployment and fast rollback if problems occur. In Elastic Beanstalk, the approach that best satisfies both is a blue/green deployment.

With blue/green, the developer deploys the new application version to a separate environment (green) while the current production environment (blue) continues serving traffic. Once validation is complete (health checks, smoke tests), the developer performs a controlled CNAME swap (or routing switch) so traffic shifts from blue to green with near-zero downtime. This reduces risk because the existing environment remains intact and can immediately resume traffic if issues are detected.

Rollback time is also minimized because reverting is simply switching traffic back to the original environment (swap back), rather than rolling back changes across the same environment.

Why the other options are weaker:

All-at-once (C) introduces the highest downtime and risk because it replaces all instances at once, potentially taking the application fully offline and making rollback slower.

Rolling (A) reduces downtime compared to all-at-once, but instances are still updated in-place; if issues appear mid-deployment, rollback is more complex and slower than swapping environments.

Rolling with additional batches (B) can further reduce capacity impact by adding extra instances during deployment, but rollback still involves reversing updates in the same environment and is typically slower than blue/green.

Therefore, deploying to a new environment and using blue/green provides the least downtime and the fastest rollback.

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: AWS AppConfig with CloudWatch Application Signals

AWS AppConfig is designed for managing and deploying application configurations dynamically, without redeployment.

CloudWatch Application Signals provide automatic rollback mechanisms in case of an unhealthy application state due to bad configuration changes.

This solution meets the requirements with minimal operational overhead by ensuring both dynamic updates and rollback functionality.

Why Other Options Are Incorrect:

Option A and B: AWS Secrets Manager is designed for secrets management, not dynamic application configuration. Custom Config rules add unnecessary complexity.

Option C: While CloudWatch alarms can monitor application changes, using alarms for rollback requires manual setup and lacks the automatic rollback provided by Application Signals.

CloudFormation and Dynamic References: The DefinitionSubstitutions property in CloudFormation allows you to pass values into Step Functions state machines at runtime.

Cost-Effectiveness: This solution is cost-effective as it leverages CloudFormation's built-in capabilities, avoiding the need for additional services like Secrets Manager or AppConfig.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

DynamoDB access control operates at the table and item level, not at individual attribute deny rules in IAM or resource-based policies. Therefore, Option A is not supported. Encrypting the entire table with KMS (Option B) protects data at rest but does not prevent the Lambda function from reading sensitive attributes once access is granted.

To ensure the Lambda function cannot access PII, AWS documentation recommends controlling which attributes are returned from queries and scans. Using a projection expression (Option E) ensures that only non-PII attributes are returned to the function, even if PII exists in the item. This is a standard DynamoDB best practice for limiting data exposure.

For additional protection, client-side or application-level encryption should be used for sensitive fields. Option C uses envelope encryption with AWS KMS to encrypt only PII attributes. Even if the function retrieves the encrypted attribute, it cannot decrypt the data without KMS permissions. This ensures strong isolation of sensitive data.

ABAC (Option D) controls access to resources, not attributes, and therefore does not satisfy the requirement.

Thus, combining attribute-level encryption with projection expressions meets the security requirement.

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as the sort key.

CloudFormation and Lambda Environment Variables:

CloudFormation is an excellent tool to manage infrastructure as code, including the log group resource.

Lambda functions can access environment variables at runtime, making them a suitable way to pass configuration information like the log group ARN.

CloudFormation Template Modification:

In your CloudFormation template, define the log group resource.

In the Lambda function resource, add an Environment section:

YAML

Environment:

Variables:

LOG_GROUP_ARN: !Ref LogGroupResourceName

Use code with caution.

content_copy

The !Ref intrinsic function retrieves the log group's ARN, which CloudFormation generates during stack creation.

Using the ARN in Your Lambda Function:

Within your Lambda code, access the LOG_GROUP_ARN environment variable.

Configure your logging library (e.g., Python's logging module) to send logs to the specified log group.

The company already has SSM Agent deployed on all servers, which enables centralized, scalable fleet operations without logging in to each instance. The most operationally efficient solution is to automate key distribution using Systems Manager Run Command, executing a script across the entire fleet (or a targeted subset) in one action.

Option B uses S3 as a simple distribution source and Run Command to perform the update at scale. The developer can store the required key material in a controlled S3 location and write a script that places the key in the correct filesystem path (with correct permissions/ownership), updates authorized_keys if needed, and restarts any services if required. Run Command can target instances by tags, resource groups, or instance IDs and provides execution logging and status.

Option A is not operationally efficient because it requires logging into each server manually.

Option C and D push the distribution burden to humans (“grant team members permissions to download”), which is error-prone, slow, and not scalable. Also, distributing private keys broadly to individuals increases risk.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

AWS Secrets Manager: Built for managing secrets, providing encryption, automatic rotation, and access control.

Customer Master Key (CMK): Provides an extra layer of control over encryption through AWS KMS.

Automatic Rotation: Enhances security by regularly changing the secret.

User Data Script: Allows secrets retrieval at instance startup and sets them as environment variables for seamless use within the application.

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

AWS CodeBuild supports parallel test execution through batch builds and multiple compute environments. This feature allows a single CodeBuild project to divide test workloads across multiple isolated environments that run concurrently. Each environment executes a subset of the test suite, significantly reducing total build time.

AWS documentation emphasizes using native CodeBuild capabilities to minimize operational complexity. Parallel execution eliminates the need to manually manage infrastructure, test orchestration logic, or EC2 fleets. CodeBuild automatically provisions and terminates build environments, scales as needed, and integrates seamlessly with CI/CD pipelines.

Options A and D require manual coordination and infrastructure management, increasing operational overhead. Option C does not address the performance problem.

Therefore, using CodeBuild’s parallel compute environments is the most efficient and AWS-recommended approach.

The solution that will solve this problem is to create and inspect the Lambda dead-letter queue. Troubleshoot the failed functions. Reprocess the events. This way, the developer can identify and fix any issues that caused the Lambda function to fail when invoked asynchronously by API Gateway. The developer can also reprocess any orders that were not processed due to failures. The other options either do not address the root cause of the problem, or do not help recover from failures.