Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

Step-by-Step Breakdown:

Requirement Summary:

In-transit encryption (when data is moving between client and S3)

Encryptionat rest using AWS KMS keys(which arerotatableon-demand)

Option A: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary

❌Incorrect: Permissions boundaries are for IAM policy control, not S3 bucket policies.

Also, encryption enforcement in-transit is not achieved through permissions boundaries.

Option B: Configure an S3 bucket policy to enable client-side encryption

❌Incorrect: AWS doesnotenforce client-side encryption via S3 bucket policies.

Client-side encryption must be handled entirely by the application.

Also, KMS is forserver-side encryption, not client-side.

Option C: Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects

✅Correct: This fulfills the requirement of encrypting objectsat restusing aKMS CMK, which can be rotated.

You can specify the KMS key using the SSE-KMS option when putting an object.

Option D: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition

✅Correct: This enforcesin-transit encryption, which ensures that only HTTPS connections are allowed.

This is the AWS-recommended way to enforce encryption in transit via bucket policy.

Option E: Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS

❌Incorrect: Block Public Access is used to prevent public exposure of the bucket.

It hasnothing to do with encryption enforcement, whether in transit or at rest.

Using SSE-KMS:https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

aws:SecureTransport condition in bucket policies:https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html

Server-side encryption with AWS KMS:https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

The solution that will meet the requirements most efficiently is to create a Lambda environment variable to store the table name. Use the standard method for the programming language to retrieve the variable. This way, the developer can avoid hard-coding the table name in the Lambda function code and easily change the table name by updating the environment variable. The other options either involve storing the table name in a file, which is less efficient and secure than using an environment variable, or creating a global variable, which is not recommended as it can cause concurrency issues.

Requirement Summary:

Customercredit card datamay be exposed

Data is stored inAmazon S3

Developer mustidentify all exposure risks

Tool to Use:

✅Amazon Macieis designed to:

Automatically scan S3for sensitive data

Detectfinancial information, PII, credentials, etc.

Finding Type Mapping:

Credit card datamaps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

❌Athena is a query engine; it doesn’tdetect sensitive dataautomatically

✅B. Macie + Financial finding type

✅Correct

Designed for this use case

C. Macie + Personal finding type

❌Personal maps to names, addresses, etc., notcredit cards

D. Athena + Financial

❌Again, Athena can’t classify data – it only queries structured data

Macie Overview:https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types:https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

This solution will meet the requirements by allowing the Lambda functions to access the DB cluster securely within the same VPC without crossing the public internet. The developer can configure a VPC endpoint for RDS in a private subnet and assign it to the Lambda functions. The developer can also configure a security group forthe Lambda functions that allows inbound traffic from the DB cluster on port 3306 (MySQL). Option A is not optimal because it will expose the DB cluster to public access, which may compromise its security and data integrity. Option B is not optimal because it will introduce additional latency and complexity to use an RDS database proxy for accessing the DB cluster from Lambda functions within the same VPC. Option C is not optimal because it will require additional costs and configuration to use a NAT gateway for accessing resources in private subnets from Lambda functions.

This is a frequent trouble. Web applications cannot access the resources in other domains by default, except some exceptions. You must configure CORS on the resources to be accessed.https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html

This solution allows the Lambda function to be invoked by the DynamoDB stream whenever updates are made to items in the DynamoDB table. Event source mapping is a feature of Lambda that enables a function to be triggered by an event source, such as a DynamoDB stream, an Amazon Kinesis stream, or an Amazon Simple Queue Service (SQS) queue. The developer can configure event source mapping for the Lambda function using the AWS Management Console, the AWS CLI, or the AWS SDKs. Changing the StreamViewType parameter value to NEW_AND_OLD_IMAGES for the DynamoDB table will not affect the invocation of the Lambda function, but only change the information that is written to the stream record. Mapping an Amazon Simple Notification Service (Amazon SNS) topic to the DynamoDB stream will not invoke the Lambda function directly, but require an additional subscription from the Lambda function to the SNS topic. Increasing the maximum runtime (timeout) setting of the Lambda function will not affect the invocation of the Lambda function, but only change how long the function can run before it is terminated.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimalbecause it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.