Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

The solution that will meet the requirements is to add a new stage to the pipeline. Use AWS CodeBuild as the provider. Add the new stage before the stage that deploys code revisions to the test environment. Write a buildspec that fails the CodeBuild stage if any test does not pass. Use the test reports feature of CodeBuild to integrate the report with the CodeBuild console. View the test results in CodeBuild. Resolve any issues. This way, the developer can run the unit tests automatically during the CI/CD process and catch any bugs before deploying to the test environment. The developer can also use the test reports feature of CodeBuild to view and analyze the test results in a graphical interface. The other options either involve running the tests manually, running them after deployment, or using a different provider that requires additional configuration and integration.

The solution that will meet the requirements is to create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function. This way, the developer can use an automated and serverless way to invoke the function every 10 minutes. The developer can also use a cron expression or a rate expression to specify the schedule for the rule. The other options either involve using an Amazon EC2 instance, which is not serverless, or using environment variables or query parameters, which do not trigger the function.

Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access. This is correct. This solution will meet the requirements most securely, because it uses a service that is designed to store and manage secrets such as API credentials. AWS Secrets Manager helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle1. You can store secrets such as passwords, database strings, API keys, and license codes as encrypted values2. You can also configure automatic rotation of your secrets on a schedule that you specify3. You can use the AWS SDK or CLI to retrieve secrets from Secrets Manager when you need them4. This way, you can avoid storing credentials in plaintext files or hardcoding them in your code.

Why Option C is Correct:Amazon Verified Permissions provides fine-grained access control capabilities, making it ideal for managing complex user permissions. It integrates with OIDC IdPs for authentication and allows applications to request authorization decisions dynamically. It is also easily adaptable to newer applications.

Why Other Options are Incorrect:

Option A: Cognito identity pools do not natively support fine-grained permission analysis or management.

Option B: Managing permissions in application logic adds significant operational overhead.

Option D: IAM roles are not designed for application-specific fine-grained access control and are more suitable for resource-level permissions.

AWS Documentation References:

Amazon Verified Permissions

Option B: The target group port in the ALB must match the port specified in the ECS task definition. If there is a mismatch, the ALB health check will fail since it cannot correctly route traffic to the container.

Option E: The ALB listener must have a default action that forwards requests to the correct target group associated with the ECS service. If this configuration is missing, the health check will fail as no traffic is routed to the service.

Option A is irrelevant to resolving health check issues since capacity providers relate to provisioning compute capacity.

Option C (hosted zone) is not directly related to ALB health checks.

Option D (redirecting traffic) is not related to ECS health check configurations.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn ' t provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies

A common performance issue for Lambda functions that access relational databases is the overhead of establishing a new database connection on every invocation . In the provided pseudocode, each call to lambda_handler opens a connection, executes one statement, and closes the connection. When the function runs hundreds of times per hour , repeatedly creating and tearing down connections adds latency (TCP handshake, TLS negotiation if used, authentication, database session setup), and can also increase load on the database connection manager.

AWS guidance for Lambda execution environments explains that the runtime environment may be reused across multiple invocations of the same function (a “warm” execution environment). Code that is initialized outside the handler runs once per execution environment lifecycle and can be reused on subsequent invocations in that environment. By moving database.connect() into the global scope (module-level initialization), the function can reuse an existing connection when the execution environment is warm, reducing per-invocation latency and improving overall throughput.

This change directly targets the slow part of the flow (connection setup) without changing the database engine, resizing the database, or adding unrelated concurrency settings. Increasing reserved concurrency (A) controls scaling limits but does not reduce the per-invocation connection overhead; it can even amplify connection storms. Resizing the database (B) might help capacity, but it does not address the repeated connection establishment cost and is not the first optimization. Replacing RDS with DynamoDB (D) is a major redesign and unnecessary for the stated issue.

So the best improvement, with minimal code change and aligned with Lambda best practices, is option C : create the connection outside the handler and reuse it when possible, while still handling retries and reconnect logic if the connection becomes stale.

Reserved concurrency guarantees a specific number of concurrent executions for a critical Lambda function. This ensures that the critical function always has sufficient resources to execute, even if other functions are consuming concurrency.

Why Option A:

Ensures Function Availability: Reserved concurrency isolates the critical Lambda function from other functions.

Low Overhead: Configuring reserved concurrency is straightforward and requires minimal setup.

Why Not Other Options:

Option B: Provisioned concurrency is ideal for reducing cold starts, not for managing execution limits.

Option C & D: Alarms and re-invocation mechanisms add complexity without resolving the root cause.

Managing Concurrency for AWS Lambda

EventBridge (formerly CloudWatch Events) is the ideal service for real-time event monitoring.

CloudTrail logs IAM role creation.

EventBridge rules can filter CloudTrail events and trigger SNS notifications instantly.

Why Option A is Correct:Creating a CloudWatch metric filter with " ERROR " as the search term ensures that occurrences of the word " ERROR " in logs are counted. An alarm can then be set to notify the SNS topic when the count exceeds 1. This is the standard approach to monitor specific patterns in CloudWatch Logs.

Why Other Options are Incorrect:

Option B: CloudWatch Logs Insights is used for querying logs manually and does not integrate directly with alarms for automated notifications.

Option C: SNS subscription filters are not a feature for filtering log patterns in CloudWatch Logs.

Option D: CloudWatch alarms do not directly include log filter patterns; a metric filter is needed to create the metric first.

AWS Documentation References:

Creating CloudWatch Metric Filters

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

The correct answer is C because the API Gateway integration timeout is set to 15 seconds , while the Lambda function timeout is 20 seconds . If the Lambda function takes longer than 15 seconds to return a response, API Gateway will stop waiting and return an HTTP 504 Gateway Timeout to the client, even if the Lambda function itself has not yet timed out. This exactly matches the symptom described in the question.

The fact that there are no errors in the Lambda logs is also an important clue. If Lambda were failing internally, timing out at its own limit, or throwing exceptions, those events would typically appear in Lambda logs. Instead, the likely problem is that API Gateway is timing out first, before Lambda reaches its own timeout threshold or produces an error.

Option A is incorrect because reserved concurrency affects the number of concurrent executions available to Lambda, not the integration response wait time. Option B is incorrect because increasing the Lambda timeout beyond 20 seconds would not help if API Gateway is still configured to stop waiting after 15 seconds. Option D is incorrect because per-client throttling limits control request rates, not backend timeout behavior.

The proper fix is to increase the API Gateway integration timeout so that API Gateway can wait long enough for the Lambda function to complete. This ensures that requests that legitimately need more than 15 seconds can still return successful responses instead of 504 errors.