Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with Dumpstech

Why Option A is Correct:DynamoDB supports incremental exports to Amazon S3 natively, making data analytics-ready with minimal operational overhead.

Why Other Options are Incorrect:

Option B: DynamoDB Streams require additional processing logic to write to S3, increasing complexity.

Option C & D: Using EMR for data movement adds unnecessary operational overhead compared to native exports.

AWS Documentation References:

DynamoDB Exports to S3

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudWatch is a service that monitors AWS resources and applications. API Gateway provides several CloudWatch metrics to help developers troubleshoot issues with their APIs. Two of the metrics that can help the developer troubleshoot the issue of API Gateway timing out are:

IntegrationLatency: This metric measures the time between when API Gateway relays a request to the backend and when it receives a response from the backend. A high value for this metric indicates that the backend is taking too long to respond and may cause API Gateway to time out.

Latency: This metric measures the time between when API Gateway receives a request from a client and when it returns a response to the client. A high value for this metric indicates that either the integration latency is high or API Gateway is taking too long to process the request or response.

Requirement Summary:

NLP Lambda function with a large pre-trained model

Lambda layer became 8.7 GB → Exceeds AWS limits

Function returns RequestEntityTooLargeException

Need: High-performing, portable, low initialization time

Important AWS Limits:

Lambda Layers size limit (combined across all layers): 250 MB (unzipped)

Deployment package size (unzipped): 250 MB

Lambda container image support allows up to 10 GB image size

Evaluate Options:

A: Store model in S3 and load during execution

Leads to cold start latency every time

Model loading from S3 is slower and not suitable for real-time NLP

Not optimal for performance

B: Use EFS mounted to Lambda

⚠️ Valid for large models, but adds latency during cold start as model loads from EFS

Requires EFS setup, VPC, and has added network I/O overhead

Still slower than bundling in container image

C: Split into five Lambda layers

Still violates the total layer size limit of 250 MB (unzipped)

You cannot exceed that even with multiple layers

D: Use Docker container image

Allows bundling up to 10 GB of dependencies and models

High portability and performance

Avoids latency of downloading models at runtime

Ideal for scientific/NLP models

Lambda container image support: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

Lambda limits: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html

Using large models with Lambda: https://aws.amazon.com/blogs/machine-learning/deploying-large-machine-learning-models-on-aws-lambda-with-container-images/

This solution will solve the deployment issue by deploying the new version of the application to one new EC2 instance at a time, while keeping the old version running on the existing instances. This way, there will always be at least four instances serving traffic during the deployment, and no downtime or performance degradation will occur. Option A is not optimal because it will increase the cost of running the Elastic Beanstalk environment without solving the deployment issue. Option B is not optimal because it will split the traffic between two versions of the application, which may cause inconsistency and confusion for the customers. Option D is not optimal because it will deploy the new version of the application to two existing instances at a time, which may reduce the capacity below four instances during the deployment.

This solution will meet the requirements by using AWS X-Ray to enable tracing of application requests to debug performance issues in the code. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can install the AWS X-Ray daemon on the EC2 instances, which is a software that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the X-Ray API. The developer can also install and configure the AWS X-Ray SDK for Python in the application, which is a library that enables instrumenting Python code to generate and send trace data to the X-Ray daemon. Option A is not optimal because it will install the Amazon CloudWatch agent on the EC2 instances, which is a software that collects metrics and logs from EC2 instances and on-premises servers, not application performance data. Option C is not optimal because it will configure the application to write JSON-formatted logs to /var/log/cloudwatch, which is not a valid path or destination for CloudWatch logs. Option D is not optimal because it will configure the application to write trace data to /var/log/xray, which is also not a valid path or destination for X-Ray trace data.

Default SSE in DynamoDB: DynamoDB tables are encrypted at rest by default using an AWS owned key (SSE-S3).

No Additional Action Needed: Creating a table without explicitly specifying a KMS key will use this default encryption.

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn't provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies

The requirement is specific: certain JSON fields must be encrypted at the edge (before traversing the origin path) and must remain encrypted end-to-end through CloudFront → API Gateway → Lambda → DynamoDB. The AWS feature designed for encrypting specific fields at the edge is CloudFront field-level encryption. With field-level encryption, CloudFront encrypts designated fields in an HTTPS request before forwarding the request to the origin. The origin (API Gateway/Lambda) receives the encrypted values, and only trusted components that have the private key can decrypt them—ensuring the fields remain protected throughout the stack.

Option B matches this exactly: field-level encryption uses an asymmetric key pair (public key used by CloudFront to encrypt; private key held securely by the application for decryption). This satisfies “encrypted at the edge” and “remain encrypted throughout the full stack.”

The “PII encrypted at rest in DynamoDB” requirement is also satisfied because DynamoDB supports encryption at rest by default (and can use AWS owned or customer managed KMS keys). Field-level encryption adds granular protection for only the most sensitive attributes beyond standard at-rest encryption.

Option A (Lambda@Edge encryption) could encrypt at edge, but it is more custom code, higher operational complexity, and is not as direct/standard as CloudFront field-level encryption for encrypting request fields.

Option C encrypts in Lambda, not at the edge—data would already have traversed CloudFront and API Gateway in plaintext form before Lambda encrypts it, violating the “encrypted at the edge” requirement.

Option D is not a defined mechanism for edge encryption; API Gateway methods do not provide edge field encryption with KMS in this way.

Therefore, CloudFront field-level encryption is the correct solution.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Use Amazon S3 for Shared Test Events:

Storing JSON test event files in an S3 bucket provides a centralized, cost-effective, and highly available solution.

Granular IAM policies can restrict access to specific developers or roles, ensuring security while maintaining consistency for shared test events.

This solution has minimal operational overhead and integrates easily with existing workflows.

Why Other Options Are Incorrect:

Option B: Using DynamoDB and a Lambda function introduces unnecessary complexity for a relatively simple requirement. S3 provides a simpler and more cost-efficient solution.

Option C: AWS Lambda test events are not inherently shareable across developers, making this option invalid.

Option D: Using a Git repository adds operational overhead and requires developers to clone/update repositories for access, which is more cumbersome compared to S3.

AWS Secrets Manager is a service that helps securely store, rotate, and manage secrets such as API keys, passwords, and tokens. The developer can store the API credentials in AWS Secrets Manager and retrieve them at runtime by using the AWS SDK. This solution will meet the requirements of security, code management, and performance. Storing the API credentials in a local code variable or an S3 object is not secure, as it exposes the credentials to unauthorized access or leakage. Storing the API credentials in a DynamoDB table is also not secure, as it requires additional encryption and access control measures. Moreover, retrieving the credentials from S3 or DynamoDB may affect application performance due to network latency.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To ensure that only a specific AWS Step Functions state machine (myStateMachine) can assume the service role, you must configure the correct trust policy in AWS IAM.

Trust Policies: Trust policies determine which entities (services or users) are allowed to assume the role. In this case, we want to restrict the trust policy to only allow the specific state machine (myStateMachine) to assume the role.

Using ArnLike: The condition "ArnLike" is used to specify that the SourceArn (which refers to the ARN of the entity assuming the role) must match a specific ARN. Option A specifies the exact ARN of the myStateMachine state machine, ensuring that only this state machine can assume the role.

Option B: This option is incorrect because it uses a wildcard (*) for the account ID, which would allow any state machine in the ap-south-1 region to assume the role, not just the specific one.

AWS Step Functions IAM Policies

IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.

Create a role with a policy allowing s3:GetObject on the specific bucket.

Attach the role to an instance profile and associate that profile with your instances.

Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.

Modify the app to use the AWS SDK to call GeneratePresignedUrl.

Embed these URLs when a user is properly logged in, allowing download access.

Amazon ElastiCache is a service that offers fully managed in-memory data stores that are compatible with Redis or Memcached. The developer can create an ElastiCache for Redis instance and enable encryption of data in transit and at rest. This will ensure that the PHI is encrypted at all times. The developer can store frequently accessed data in the cache and use Redis features such as sorting and ranking to enhance the performance of the application.