Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with Dumpstech

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications2. The sam local start-api subcommand of AWS SAM CLI is used to simulate a REST API by starting a new local endpoint3. Therefore, option D is correct.

AWS Lambda supports versions and aliases to manage deployments safely. An alias is a named pointer to a specific function version (for example, prod → version 5). Importantly, Lambda aliases can be configured with routing configuration to split incoming invocation traffic between two versions. This enables canary or linear deployments where most traffic goes to the stable version and a small percentage goes to the new version for testing. If issues occur, the developer can quickly shift traffic back by updating the alias.

Option B is the native, simplest, and recommended solution for Lambda traffic shifting.

Option A is not correct because Route 53 weighted routing can split DNS queries between endpoints, but it does not natively target Lambda versions directly for most invocation patterns, and it’s not the standard mechanism for Lambda version traffic shifting.

Option C is unnecessary and adds operational overhead. ALB can invoke Lambda targets, but splitting between Lambda versions is more naturally handled by aliases without provisioning and managing an ALB.

Option D misunderstands layers: layers are for dependencies/shared code, not for deploying new versions or traffic splitting.

Therefore, using a Lambda alias with weighted routing between versions meets the requirement.

Amazon CloudWatch Logs data protection policies allow sensitive data such as credit card numbers to be automatically detected and masked at ingestion time. By default, masked data cannot be viewed by any user.

AWS documentation states that to allow specific principals to view masked data, two conditions must be met:

The data protection policy must include an UnmaskConfig that specifies which IAM roles are permitted to view the unmasked data.

The IAM role must have the logs:Unmask permission.

Option A configures the policy to allow the fraud detection role to unmask sensitive fields. Option B grants the necessary permission to that role. Together, these steps ensure that only the fraud detection account can view credit card numbers.

Attaching the policy to the log group (Option D) is necessary for masking but does not grant unmask access on its own. IAM roles cannot contain data protection policies (Option E), and policies are not attached in the consuming account (Option C).

Therefore, the correct combination is A and B, ensuring strict access control while maintaining compliance with security requirements.

S3 Object Lambda allows you to add your own code to process data retrieved from S3 before returning it to an application. You can use an AWS Lambda function to modify the data, such as removing PII, redacting confidential information, or resizing images. You can create an S3 Object Lambda access point and associate it with your Lambda function. Then, you can use the access point to request objects from S3 and get the modified data back. This way, you can maintain only one copy of the original document in S3 and apply different transformations depending on who accesses it. Reference: Using AWS Lambda with Amazon S3

Increasing the number of shards of the Kinesis data stream will increase the throughput and parallelism of the data processing. Increasing the memory that is allocated to the Lambda function will also increase the CPU and network performance of the function, which will reduce the run duration and improve the processing speed. Option B is not correct because decreasing the timeout of the Lambda function will not affect the processing speed, but may cause some records to fail if they exceed the timeout limit. Option D is not correct because decreasing the number of shards of the Kinesis data stream will decrease the throughput and parallelism of the data processing, which will slow down the processing speed. Option E is not correct because increasing the timeout of the Lambda function will not affect the processing speed, but may increase the cost of running the function.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.

AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.

This solution will meet the requirements by using AWS Encryption SDK, which is a client-side encryption library that enables developers to encrypt and decrypt data using data encryption keys that are protected by AWS Key Management Service (AWS KMS). The SDK encrypts the data encryption key with a customer master key (CMK) that is managed by AWS KMS, and stores it (encrypted) as part of the returned ciphertext. The developer does not need to keep track of the data encryption keys used to encrypt data, as they are stored with the encrypted data and can be retrieved and decrypted by using AWS KMS when needed. Option A is not optimal because it will require manual tracking of the data encryption keys used for each data object, which is error-prone and inefficient. Option C is not optimal because it will store the data encryption keys automatically in Amazon S3, which is unnecessary and insecure as Amazon S3 is not designed for storing encryption keys. Option D is not optimal because it will store the data encryption key in the user data for the EC2 instance, which is also unnecessary and insecure as user data is not encrypted by default.

This solution will meet the requirements by using IAM database authentication for Aurora, which enables using IAM roles or users to authenticate with Aurora databases instead of using passwords or other secrets. The developer can use IAM database authentication for Aurora to enable secure database connections for all the Lambda functions that access Aurora DB instance. The developer can create an IAM role with permission to connect to Aurora DB instance and attach it to each Lambda function. The developer can also configure Aurora DB instance to use IAM database authentication and enable encryption in transit using SSL certificates. This way, the Lambda functions can use a single securely encrypted database connection string to access Aurora without needing any secrets or passwords. Option B is not optimal because it will store the credentials and read them from an encrypted Amazon RDS DB instance, which may introduce additional costs and complexity for managing and accessing another RDS DB instance. Option C is not optimal because it will store the credentials in AWS Systems Manager Parameter Store as a secure string parameter, which may require additional steps or permissions to retrieve and decrypt the credentials from Parameter Store. Option D is not optimal because it will use Lambda environment variables with a shared AWS Key Management Service (AWS KMS) key for encryption, which may not be secure or scalable as environment variables are stored as plain text unless encrypted with AWS KMS.

This solution meets the requirements most cost-effectively because it optimizes the photos on demand and caches them for future requests. Lambda@Edge allows the developer to run Lambda functions at AWS locations closer to viewers, which can reduce latency and improve photo quality. The developer can create a Lambda@Edge function that uses the GET parameters from each request to optimize the photos with the required dimensions and resolutions and returns them as a response. The function can also store a copy of the processed photos on Amazon S3 for subsequent requests, which can reduce processing time and costs. Using S3 Batch Operations to create new variants of the photos will incur additional storage costs and may not cover all possible dimensions and resolutions. Creating a dynamic CloudFront origin or a Lambda@Edge function to route requests to corresponding photo variants will require maintaining a mapping of device types and photo variants, which can be complex and error-prone.

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key1. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM42. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS1.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.

Why Option A is Correct:Converting a Lambda function to use a container image involves packaging the function code into a container image, storing the image in Amazon Elastic Container Registry (ECR), and updating the function to use the ECR repository URI.

Why Other Options are Incorrect:

Option B: SAM templates support container-based Lambda deployment, but storing the image in S3 is not applicable.

Option C: CloudFormation does not natively support specifying Lambda container images in S3.

Option D: While partially correct, it omits the need to specify the image tag for the deployment.

AWS Documentation References:

Lambda Container Images