Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

The IAM policy shown in the image is a resource-based policy that grants or denies access to an S3 bucket based on certain conditions. The first statement allows access to any S3 action on any object in the “DOC-EXAMPLE-BUCKET” bucket when the request is made over HTTPS (the value of aws:SecureTransport is true). The second statement denies access to the s3:GetObject and s3:PutObject actions on any object in the “DOC-EXAMPLE-BUCKET/secrets” prefix when the request is made over HTTP (the value of aws:SecureTransport is false). Therefore, the policy allows access on all objects in the “DOC-EXAMPLE-BUCKET” bucket except on objects that start with “secrets”. Reference: Using IAM policies for Amazon S3

AWS IAM role permissions are evaluated dynamically . According to AWS documentation, when an IAM role attached to an EC2 instance is updated, the updated permissions are available to applications running on that instance without requiring a restart . The EC2 instance retrieves temporary credentials through the instance metadata service, and those credentials are refreshed automatically.

In this scenario, the least disruptive approach is to update the IAM role policy to include the required s3:GetObject permission. Once the permission is added, the application can immediately retry access to the S3 bucket without restarting, stopping, or terminating the EC2 instance.

Terminating or restarting the instance (Options A and C) introduces unnecessary downtime and operational overhead. Modifying the S3 bucket policy (Option D) is unnecessary because the problem lies with missing role permissions, not bucket access configuration.

AWS best practices strongly recommend using IAM roles for EC2 and updating permissions dynamically to avoid service interruption. Therefore, simply adding the required permission to the role is the correct and most efficient solution.

Why Option B is Correct:The RetainExceptOnCreate deletion policy ensures that the IAM user is retained after successful stack creation but is deleted if the stack creation fails or rolls back. This meets both requirements.

Why Other Options are Incorrect:

Option A: The Retain policy retains the resource regardless of stack status and does not delete the IAM user upon rollback.

Option C: Updating the service role for termination protection does not address the specific deletion behavior for the IAM user.

Option D: Stack policy controls updates, not resource deletion behavior during rollbacks.

AWS Documentation References:

CloudFormation DeletionPolicy Attribute

This solution allows the environment variables to be passed to the container when it is launched by AWS Fargate using Amazon ECS. The task definition is a text file that describes one or more containers that form an application. It contains various parameters for configuring the containers, such as CPU and memory requirements, network mode, and environment variables. The environment parameter is an array of key-value pairs that specify environment variables to pass to a container. Defining an array that includes the environment variables under the entryPoint parameter within the task definition will not pass them to the container, but use them as command-line arguments for overriding the default entry point of a container. Defining an array that includes the environment variables under the environment or entryPoint parameter within the service definition will not pass them to the container, but cause an error because these parameters are not valid for a service definition.

The correct answer is B because when an IAM role is attached to an Amazon EC2 instance through an instance profile, changes to the permissions policy for that role propagate automatically to applications that use the instance role credentials. This is the least disruptive approach because the developer does not need to restart, hibernate, terminate, or replace the EC2 instance.

AWS documentation explains that applications running on EC2 can obtain temporary security credentials from the instance metadata service for the attached IAM role. When the IAM policy attached to that role is updated to allow Amazon S3 read access , new temporary credentials issued for the role will reflect the updated permissions. This makes it possible to correct the access issue without changing the application deployment model or interrupting the running instance.

Option A is unnecessary because terminating and relaunching the instance causes avoidable disruption. Option C is also unnecessary because hibernation and restart are not required for IAM policy changes to take effect. Option D is not the best answer because although bucket policies can grant access, the issue identified is specifically that the instance role lacks S3 read permission , and restarting the instance is still unnecessary.

The AWS best-practice approach is to grant the required permission directly to the IAM role used by the EC2 instance. This keeps authorization centralized and lets the running application continue using temporary role credentials with minimal operational impact.

Therefore, the solution with the least application disruption is to add the S3 read permission to the IAM role , making B the correct answer.

AWS Lambda has a maximum execution time of 15 minutes , which makes batch-style processing unsuitable as workloads scale. AWS best practices recommend using event-driven architectures to process individual objects independently and in parallel.

Amazon S3 event notifications invoke Lambda automatically whenever a new object is uploaded. This allows each file to be processed in its own execution, eliminating long-running batch jobs and enabling horizontal scaling. AWS Lambda automatically scales concurrency based on event volume, ensuring faster processing as uploads increase.

To prevent duplicate processing, AWS documentation recommends using an idempotency mechanism . Storing processed file identifiers or transaction IDs in Amazon DynamoDB provides a highly available, low-latency way to track processed files. DynamoDB’s conditional writes can enforce exactly-once processing semantics.

Options B, C, and D either increase operational overhead, reintroduce batching issues, or rely on unreliable polling mechanisms that can miss or reprocess files.

Thus, using S3 events with DynamoDB tracking is the correct and scalable solution.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

The requirement is to rotate database credentials at least weekly . The AWS service that is purpose-built for storing and automatically rotating secrets is AWS Secrets Manager . Secrets Manager supports rotation schedules (including daily, weekly, or custom intervals) and integrates with supported databases through rotation Lambda functions. With rotation enabled, Secrets Manager can periodically generate a new password, update the secret value, and apply the new credential to the database user, while allowing applications to retrieve the current credential securely at runtime.

Option C matches this best practice: create a database user, store the username/password in a Secrets Manager secret, and enable rotation (daily rotation more than satisfies a weekly requirement). Applications on EC2 can retrieve the secret at startup or on a refresh interval using the AWS SDK, and can cache it according to best practices to reduce API calls, while still supporting rotation.

Option A (Parameter Store secure string) encrypts parameters, but Parameter Store does not provide the same managed secret rotation workflow for database credentials; rotating the KMS key is not the same as rotating the database password. Option B is not applicable as stated for RDS for Microsoft SQL Server: IAM database authentication is supported for specific engines (commonly MySQL and PostgreSQL) and is not the standard mechanism for SQL Server password rotation. Option D is insecure and operationally fragile: embedding long-lived credentials in user data and environment variables makes rotation difficult and increases exposure risk.

Therefore, the most secure and compliant configuration is C : store DB credentials in AWS Secrets Manager and enable automated rotation on an interval that meets or exceeds the weekly rotation requirement.

Step 1: Understanding the Requirements

Best Practices for Security:

Minimize the use of hardcoded credentials or long-lived access keys.

Use IAM roles for EC2 instances to securely grant permissions to applications running on the instance.

Access Scope: The application needs read-only access to an S3 bucket.

Step 2: Solution Analysis

Option A:

Define an IAM policy with the required s3:GetObject permissions.

Attach this policy to an IAM role.

Assign the role to the EC2 instance profile.

This approach follows security best practices by eliminating the need for static credentials and using temporary, scoped credentials provided by the instance profile.

Correct option.

Option B:

IAM groups are used for organizing users, not for EC2 instances or instance profiles.

Not suitable.

Option C:

IAM users are associated with specific individuals or applications and require static credentials.

This violates security best practices for temporary credentials and roles.

Not suitable.

Option D:

IAM web identity federation is used for applications that authenticate users via third-party identity providers.

This is unnecessary for EC2 instances and does not align with the requirements.

Not suitable.

Step 3: Implementation Steps

Create an IAM Policy:

Grant read-only access to the S3 bucket:

json

Copy code

{

" Version " : " 2012-10-17 " ,

" Statement " : [

{

" Effect " : " Allow " ,

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::your-bucket-name/* "

}

]

}

Attach the Policy to an IAM Role:

Create an IAM role and attach the policy to the role.

Associate the Role with the EC2 Instance:

Attach the role to the instance profile used by the EC2 instance.

AWS Developer References:

IAM Roles for Amazon EC2

Amazon S3 Permissions Reference

AWS Secrets Manager is purpose-built for storing, retrieving, and rotating secrets such as database credentials. For supported databases, Secrets Manager can rotate credentials automatically and update both the stored secret and the database credentials. That directly addresses the risk: credentials are stored securely, access is controlled by IAM, and rotation is automated. Systems Manager Parameter Store can securely store parameters, but it does not provide the same managed database credential rotation workflow. Rotating a KMS key is not the same as rotating database credentials; it only changes encryption key material behavior, not the database password. S3 is not the right service for active secrets management. AWS documentation recommends moving hardcoded database credentials to Secrets Manager and rotating them. ( AWS Documentation )

===============

Comprehensive and Detailed Explanation (250–300 words):

AWS Secrets Manager supports cross-Region secret replication , which allows secrets to be automatically copied to other Regions and kept in sync during rotation. AWS documentation recommends secret replication for multi-Region applications to ensure local access and reduce dependency on cross-Region calls.

In this scenario, the primary Region continues to retrieve credentials from the original secret (Option A). The secondary Region retrieves credentials from the replica secret (Option B), ensuring low latency and resilience during Regional failures.

Promoting the replica to a standalone secret (Option C) breaks automatic rotation synchronization and increases operational overhead. Environment variables (Option E) are not suitable for rotating credentials. Option D is vague and does not address multi-Region availability.

Thus, using the primary secret and a replicated secret is the correct approach.

CloudWatch for Log Analysis: CloudWatch is the best fit here because logs are already centralized. Here ' s the process:

Metric Filter: Create a metric filter on the CloudWatch Logs log group. Design a pattern to specifically identify application error messages.

Custom Metric: This filter generates a new custom CloudWatch metric (e.g., ApplicationErrors). This metric tracks the error count.

CloudWatch Alarm: Create an alarm on the ApplicationErrors metric. Configure the alarm with your desired threshold and a 5-minute evaluation period.

SNS Action: Set the alarm to trigger an SNS notification when it enters the alarm state.

Feature flags are a classic configuration-management use case: values change over time, multiple applications share them, and clients should retrieve updates efficiently with local caching. AWS AppConfig (part of AWS Systems Manager) is purpose-built to deploy and manage application configuration and feature flags. It provides controlled rollout, validation, and centralized configuration management. For operational efficiency, AWS offers the AWS AppConfig Agent for compute environments such as EC2.

With option C, the AppConfig Agent runs on each EC2 instance and polls AppConfig on a configured interval for updates. The agent maintains a local cache and exposes the current configuration through a localhost HTTP endpoint . The application then reads the feature flag values from the local endpoint, which is fast and reduces direct calls to AWS APIs. This meets both requirements: periodic polling for new values and caching once retrieved, while minimizing application changes and centralizing operational control in AppConfig.

Option D (Parameter Store + in-memory cache) can work, but it pushes more responsibility into each application: polling logic, caching behavior, error handling, and consistency. Option A misuses Secrets Manager (intended for secrets, not dynamic flags) and adds ElastiCache operational overhead. Option B similarly adds DAX and DynamoDB infrastructure and is not a standard feature-flag pattern; it also requires the app to implement polling and caching logic, reducing operational efficiency.

Therefore, C is the most operationally efficient solution: store flags in AWS AppConfig , run the AppConfig Agent on EC2 to handle polling and caching, and have the application read flags from the agent’s localhost endpoint.