Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudWatch is a service that monitors AWS resources and applications. API Gateway provides several CloudWatch metrics to help developers troubleshoot issues with their APIs. Two of the metrics that can help the developer troubleshoot the issue of API Gateway timing out are:

IntegrationLatency: This metric measures the time between when API Gateway relays a request to the backend and when it receives a response from the backend. A high value for this metric indicates that the backend is taking too long to respond and may cause API Gateway to time out.

Latency: This metric measures the time between when API Gateway receives a request from a client and when it returns a response to the client. A high value for this metric indicates that either the integration latency is high or API Gateway is taking too long to process the request or response.

CloudFormation and Dynamic References: The DefinitionSubstitutions property in CloudFormation allows you to pass values into Step Functions state machines at runtime.

Cost-Effectiveness: This solution is cost-effective as it leverages CloudFormation's built-in capabilities, avoiding the need for additional services like Secrets Manager or AppConfig.

IAM instance profiles are containers for IAM roles that can be associated with EC2 instances. An IAM role is a set of permissions that grant access to AWS resources. An IAM role can be used to allow an EC2 instance to access an S3 bucket by including the appropriate permissions in the role’s policy. The S3:ListBucket permission allows listing the objects in an S3 bucket. By updating the IAM instance profile with this permission, the application on the EC2 instance can retrieve the objects from the S3 bucket and display them to the user. Reference: Using an IAM role to grant permissions to applications running on Amazon EC2 instances

This solution allows the developer to overcome the limit for the combined maximum of characters for environment variables in AWS CodeBuild. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. The developer can store large numbers of environment variables as parameters in Parameter Store and reference them in the buildspec file using parameter references. Adding export LC_ALL=“en_US.utf8” command to the pre_build section will not affect the environment variables limit. Using Amazon Cognito or an Amazon S3 bucket to store key-value pairs for environment variables will require additional configuration and integration.

https://aws.amazon.com/blogs/devops/automated-code-review-on-pull-requests-using-aws-codecommit-and-aws-codebuild/

These solutions will mitigate the error most cost-effectively because they do not require increasing the provisioned throughput of the DynamoDB table or creating additional resources. Exponential backoff is a retry strategy that increases the waiting time between retries to reduce the number of requests sent to DynamoDB. The AWS SDKs for DynamoDB implement exponential backoff by default and also provide other features such as automatic pagination and encryption. Increasing the read and write throughput of the DynamoDB table, creating a DynamoDB Accelerator (DAX) cluster, or creating a second DynamoDB table will incur additional costs and complexity.

This solution allows easy and secure control of access to the downloads at the lowest cost because it uses a content delivery network (CDN) that can cache and distribute firmware updates to customers around the world, and uses a mechanism that can restrict access to specific files or versions. Amazon CloudFront is a CDN that can improve performance, availability, and security of web applications by delivering content from edge locations closer to customers. Amazon S3 is a storage service that can store firmware updates in buckets and objects. Signed URLs are URLs that include additional information, such as an expiration date and time, that give users temporary access to specific objects in S3 buckets. The developer can use CloudFront to serve firmware updates from S3 buckets and use signed URLs to control who can download them and for how long. Creating a dedicated CloudFront distribution for each customer will incur unnecessary costs and complexity. Using Amazon CloudFront with AWS Lambda@Edge will require additional programming overhead to implement custom logic at the edge locations. Using Amazon API Gateway and AWS Lambda to control access to an S3 bucket will also require additional programming overhead and may not provide optimal performance or availability.

Requirement Summary:

Lambda function accesses RDS for MySQL

Credentials are currentlyhardcoded in code(insecure)

Must enableautomated credential rotation every 30 days

Option A: Use AWS Secrets Manager + automatic rotation

✅Best and secure option

Secrets Manager allows:

Secure storage of secrets

Integration withRDS for automatic rotation

Scheduled rotation every X days (e.g., 30 days)

Lambda canfetch credentialsvia SDK (GetSecretValue)

Option B: Use SSM Parameter Store + rotation

❌SSMdoes not support automatic rotationof secrets.

You'd need to build custom rotation logic = higher operational overhead.

Option C: Encrypted S3 + Object Lambda rotation

❌Not intended for credential storage.

S3 is not asecrets management system, and Object Lambda does not perform rotation.

Option D: SSM + EventBridge rotation

❌No native integration between Parameter Store and EventBridge for secret rotation.

You’d need to build custom Lambda functions = higher maintenance.

Secrets Manager rotation for RDS:https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Secure retrieval in Lambda:https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

Integration with RDS MySQL:https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_rds_config.html