Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.

With STS AssumeRole, the application requests temporary credentials for a specific IAM role. The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.

Options A and B rely on long-term IAM user credentials. Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.

Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole.

Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.

For asynchronous Lambda invocations, AWS provides Lambda Destinations, which can route the result of every invocation to different targets based on outcome. Destinations support separate configuration for on-success and on-failure, and they send a structured payload that includes metadata and the function response (or error information). This payload is delivered as a JSON document, satisfying the requirement to record function responses in JSON format while also capturing every invocation record.

Option B matches this pattern directly: configure an on-failure destination (S3) and an on-success destination (SNS). With this configuration, each async invocation that succeeds results in a JSON record being delivered to the SNS topic, enabling downstream processing, notifications, or fan-out to other services. Each async invocation that fails results in a JSON record being delivered to S3, which provides durable, cost-effective storage for later analysis or replay workflows. This design requires minimal code changes because the routing is handled by Lambda’s destination configuration rather than custom logic in the function.

Option C relies on a DLQ for failures but then requires custom code to store success records in DynamoDB, increasing development effort and operational complexity. Option A is not aligned: canary deployments and log groups do not provide “multiple destinations per invocation outcome,” and CloudWatch Logs do not natively separate success/failure records as destinations with structured invocation payloads. Option D proposes OpenSearch as a success destination, but Lambda Destinations do not use OpenSearch directly as a destination target; the supported destination types are typically SQS, SNS, EventBridge, and Lambda, and you can store records in S3 through other integrations. Therefore, the best match that uses built-in destinations and records JSON invocation results is B.

Because the developer cannot change the legacy application code, the solution must apply controls at the logging layer. CloudWatch Logs provides data protection policies that can automatically detect sensitive data using managed data identifiers (including credit card data) and apply masking (de-identification) as log events are ingested. This ensures that sensitive values such as card numbers and verification codes are not displayed in plaintext to general viewers of the log group.

With option A, enabling a data protection policy on the log group and configuring it to mask the relevant credit card data ensures that when support staff query or view logs, the sensitive fields appear redacted. CloudWatch Logs also supports controlled access to view the original unmasked values through an explicit permission: users who have the appropriate IAM authorization (such as logs:Unmask) can retrieve or view the sensitive data, while everyone else sees only the masked version. Granting logs:Unmask to application administrators satisfies the requirement that administrators can access the sensitive data, while withholding it from support staff enforces the restriction.

Option B (KMS encryption) provides encryption at rest for the log group but does not prevent authorized readers from seeing sensitive data once decrypted. Support staff who can read logs would still see plaintext card data. Option C is not a standard or operationally efficient pattern for CloudWatch Logs redaction; Macie is primarily for discovering sensitive data in S3 and does not serve as the native masking mechanism for CloudWatch Logs ingestion. Option D is not applicable: AWS WAF inspects HTTP requests/responses at the edge or load balancer/API layer, not application log streams already being emitted to CloudWatch.

Therefore, A is the correct solution: use CloudWatch Logs data protection to mask sensitive data by default and grant logs:Unmask only to administrators.

Why Option C is Correct:SQL Server Always On availability groups require a shared storage solution. Amazon FSx for Windows File Server provides the shared storage necessary to implement Always On availability groups in a highly available configuration.

Why Other Options are Incorrect:

Option A: A single EBS volume cannot provide shared storage for Always On availability groups.

Option B: RDS does not support SQL Server Always On availability groups.

Option D: S3 is not a suitable storage tier for SQL Server database operations.

AWS Documentation References:

Amazon FSx for Windows File Server

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications3. The sam local generate-event command of AWS SAM CLI generates sample events for automated tests3. The sam local invoke command is used to invoke Lambda functions3. Therefore, option C is correct.

For a serverless web application that needs user registration and authentication with minimal configuration, the standard AWS solution is Amazon Cognito User Pools. User Pools provide managed user directories, sign-up/sign-in flows, MFA options, password reset, and token-based authentication (OAuth2/OIDC/JWT). This integrates naturally with API Gateway (Cognito authorizers) and Lambda.

Option A is best because it uses Cognito User Pools plus an app client and the Hosted UI, which provides ready-made sign-up/sign-in pages. Hosted UI minimizes custom UI and backend authentication code while still allowing branding customization and secure token issuance. The SPA can authenticate via Cognito, receive JWT tokens, and call API Gateway endpoints securely.

Option B (identity pool) is primarily for granting temporary AWS credentials to access AWS services directly (federation). It does not replace User Pools for user registration/login flows; typically identity pools are used in addition to user pools, not instead, and require more configuration.

Option C adds unnecessary infrastructure (EC2) and defeats the “minimize configuration” goal.

Option D is not appropriate for end-user authentication. IAM users/groups are for workforce/admin access, not for customer-facing apps.

Therefore, Cognito User Pool + Hosted UI is the minimal-configuration secure solution.

AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access. This is correct. This solution will meet the requirements most securely, because it uses a service that is designed to store and manage secrets such as API credentials. AWS Secrets Manager helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle1. You can store secrets such as passwords, database strings, API keys, and license codes as encrypted values2. You can also configure automatic rotation of your secrets on a schedule that you specify3. You can use the AWS SDK or CLI to retrieve secrets from Secrets Manager when you need them4. This way, you can avoid storing credentials in plaintext files or hardcoding them in your code.

The solution that will meet the requirements is to use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime. This way, the developer can pass the credentials to the Lambda function in a secure way, as AWS Secrets Manager encrypts and manages the secrets. The developer can also use a dynamic reference to avoid exposing the secret’s value in plain text in the CloudFormation template. The other options either involve passing the credentials as plain text parameters, which is not secure, or encrypting them with AWS KMS, which is less convenient than using AWS Secrets Manager.

When using AWS SAM local (sam local invoke, sam local start-api), the Lambda code runs in a local container on the developer’s machine. If that code uses the AWS SDK to call AWS services, it needs AWS credentials available in the local environment. The recommended way is to rely on the AWS SDK’s standard credential provider chain, which includes credentials stored by the AWS CLI in ~/.aws/credentials and selected via a named profile.

By running aws configure --profile , the developer creates a dedicated set of access keys (and optionally a session token/region) for the test account. Then, running SAM with sam local invoke --profile causes SAM to supply those credentials to the local container so the function can authenticate to AWS and make real API calls in the intended test account. This approach is clean, repeatable, and avoids hardcoding secrets into templates or source code.

Option A is insecure and not the intended use of SAM templates; templates are infrastructure definitions, not secret stores. Option C sets the Lambda execution role for deployed functions in AWS, but it does not automatically grant credentials to code running locally on a laptop. Option D misuses --parameter-overrides, which is meant for overriding template parameters at deployment/build time, not for securely injecting AWS access keys into local execution.

Therefore, the correct approach is B: configure an AWS CLI profile and run SAM local with the --profile option so the Lambda code can call AWS APIs in the test account using standard credential handling.

The core requirement is to perform a one-time deployment for testing without impacting the existing pre-production stack that other team members rely on. The safest way to avoid disruption is to deploy into an isolated AWS account (a dedicated development/testing account) instead of modifying the shared pre-production environment.

Option C achieves this with the least effort: use the AWS SAM CLI to package and deploy the same SAM application into a new AWS account designated for development. This creates an isolated copy of the stack (Lambda + SNS topics) where the developer can validate changes without affecting the shared pre-production deployment or the release pipeline.

Option A still deploys into pre-production, which directly violates the requirement to avoid impacting the existing application. A “debug parameter” does not prevent resource updates or side effects.

Option B is inconsistent: a CloudFormation change set is created against a specific account/stack. You cannot create a change set in one account and “execute it” in a different account as stated. Cross-account execution would require different credentials and a separate deployment process.

Option D introduces additional pipeline/stage complexity and is not necessary for a one-time test; it also implies changing the existing stack/pipeline, which can itself cause disruption.