Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

Amazon DynamoDB is a fully managed NoSQL database service that can store and retrieve any amount of data with high availability and performance. DynamoDB can handle concurrent requests from multiple IoT devices without throttling or data loss. To prevent duplicate requests from causing inconsistencies or data loss, the Lambda function can use DynamoDB conditional writes to check if the unique identifier for each request already exists in the table before processing the request. If the identifier exists, the function can skip or abort the request; otherwise, it can process the request and store the identifier in the table. Reference: Using conditional writes

Amazon Simple Queue Service (Amazon SQS) is a fully managed queue service that allows you to de-couple and scale for applications1. Amazon SQS offers two types of queues: Standard and FIFO (First In First Out) queues1. The FIFO queue uses the messageDeduplicationId property to treat messages with the same value as duplicate2. Therefore, changing the Amazon SQS standard queue to an Amazon SQS FIFO queue using the Amazon SQS message deduplication ID can help resolve the issue of the Lambda function processing some messages multiple times. Therefore, option A is correct.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudWatch is a service that monitors AWS resources and applications. API Gateway provides several CloudWatch metrics to help developers troubleshoot issues with their APIs. Two of the metrics that can help the developer troubleshoot the issue of API Gateway timing out are:

IntegrationLatency: This metric measures the time between when API Gateway relays a request to the backend and when it receives a response from the backend. A high value for this metric indicates that the backend is taking too long to respond and may cause API Gateway to time out.

Latency: This metric measures the time between when API Gateway receives a request from a client and when it returns a response to the client. A high value for this metric indicates that either the integration latency is high or API Gateway is taking too long to process the request or response.

Problem: CloudFormation updates reset Parameter Store parameters, disrupting application behavior.

Deletion Policy: CloudFormation has a deletion policy that controls resource behavior when a stack is deleted or updated. The ' Retain ' policy instructs CloudFormation to preserve a resource ' s current state.

Least Development Effort: This solution involves a simple CloudFormation template modification, requiring minimal code changes.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.

This solution will meet the requirements by allowing the Lambda functions to access the DB cluster securely within the same VPC without crossing the public internet. The developer can configure a VPC endpoint for RDS in a private subnet and assign it to the Lambda functions. The developer can also configure a security group for the Lambda functions that allows inbound traffic from the DB cluster on port 3306 (MySQL). Option A is not optimal because it will expose the DB cluster to public access, which may compromise its security and data integrity. Option B is not optimal because it will introduce additional latency and complexity to use an RDS database proxy for accessing the DB cluster from Lambda functions within the same VPC. Option C is not optimal because it will require additional costs and configuration to use a NAT gateway for accessing resources in private subnets from Lambda functions.

CloudFront is a content delivery network that caches objects at edge locations to reduce latency and origin load. When the developer updates static artifacts in the origin S3 bucket, CloudFront may continue serving cached versions until the objects expire based on cache-control headers or the distribution’s TTL settings. That is why the developer sees the updated files in S3 but not on the site.

The standard fix is to perform a CloudFront cache invalidation for the updated object paths (for example, /app.js, /styles.css, or /* if needed). An invalidation forces CloudFront edge locations to remove the cached objects so the next viewer request fetches the latest version from the S3 origin.

Option C directly addresses this behavior and is the correct operational practice when cache TTLs would otherwise delay updates.

Option A (Object Lock) is for WORM retention/compliance and has nothing to do with CloudFront cache refresh.

Option B might change what exists in S3 but does not guarantee CloudFront will stop serving cached content; the cache can still serve objects even if deleted from the origin (until it revalidates/refreshes).

Option D is unnecessary; the origin does not need to change to fetch updated content.

Therefore, invalidate the CloudFront cache after deployment to ensure the new artifacts are served.

Amazon Cognito User Pools: A managed user directory service, simplifying user registration and login.

Social Identity Providers: Cognito supports integration with external providers (e.g., Google, Facebook), reducing development effort.

IAM Roles for Authorization: Cognito-managed IAM roles grant fine-grained access to AWS resources (like Lambda functions).

Operational Overhead: Cognito minimizes the need to manage user identities and credentials independently.

This solution allows the developer to create and delete branches in AWS CodeCommit by granting the codecommit:CreateBranch and codecommit:DeleteBranch permissions. These are the minimum permissions required for this task, following the principle of least privilege. Option B grants too many permissions, such as codecommit:Put*, which allows the developer to create, update, or delete any resource in CodeCommit. Option C grants too few permissions, such as codecommit:Update*, which does not allow the developer to create or delete branches. Option D grants all permissions, such as codecommit:*, which is not secure or recommended.

AWS best practice is to store sensitive values like database passwords, OAuth tokens, and API keys in a dedicated secrets service rather than in source code or configuration files. AWS Secrets Manager is specifically designed for this use case: secure storage, retrieval through APIs/SDKs, fine-grained IAM access control, encryption at rest, auditing through CloudTrail, and—critically—built-in secret rotation.

AWS documentation describes Secrets Manager rotation as an automated process that uses a rotation schedule and typically invokes a Lambda function to update the secret in both Secrets Manager and the target system (for example, a database). The rotation schedule can be configured to a custom interval, including every 6 months, satisfying the requirement.

Option A is incorrect because AWS KMS manages encryption keys, not application secrets. KMS key rotation rotates KMS keys, not database credentials or API tokens.

Option B is incorrect because ACM manages TLS certificates, not arbitrary secrets like API keys and OAuth tokens.

Option C is incorrect because EventBridge can schedule events, but it is not a secrets storage service and does not provide secure secret lifecycle management and integrated rotation workflows by itself.

Therefore, storing secrets in AWS Secrets Manager and enabling automatic rotation with a 6-month schedule is the correct solution.

AWS CodeCommit is a service that provides fully managed source control for hosting secure and scalable private Git repositories. The development team can use CodeCommit to store the program code and prepare for the CI/CD pipeline. CodeCommit integrates with other AWS services such as CodePipeline, CodeBuild, and CodeDeploy to automate the code build and deployment process.

Amazon Machine Images (AMIs) are encrypted snapshots of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters. The developer can copy the encrypted AMIs to the destination Region and use them to create a new application stack. The developer can delete the unencrypted AMIs after the encryption process is complete. This solution will meet the encryption requirement and allow the developer to expand the application to run in the destination Region.

The AWS Serverless Application Model (AWS SAM) comes built-in with CodeDeploy to provide gradual AWS Lambda deployments1. The DeploymentPreference property in AWS SAM allows you to specify the type of deployment that you want. The Canary10Percent10Minutes option means that 10 percent of your customer traffic is immediately shifted to your new version. After 10 minutes, all traffic is shifted to the new version1. The AutoPublishAlias property in AWS SAM allows AWS SAM to automatically create an alias that points to the updated version of the Lambda function1. Therefore, option A is correct.

AWS Lambda is a service that lets you run code without provisioning or managing servers. Lambda functions can be configured to access resources in a VPC, such as an Aurora database, by specifying one or more subnets and security groups in the VPC settings of the function. A security group acts as a virtual firewall that controls inbound and outbound traffic for the resources in a VPC. To allow a Lambda function to communicate with an Aurora database, both resources need to be associated with the same security group, and the security group rules need to allow TCP traffic on Port 3306, which is the default port for MySQL databases. Reference: [Configuring a Lambda function to access resources in a VPC]