Pass the Amazon Web Services AWS Certified Associate DVA-C02 Questions and answers with CertsForce

Requirement Summary:

WebSocket-based messaging app using API Gateway WebSocket APIs

Need to:

Identify clients repeatedly connecting/disconnecting

Be able to remove problematic clients

Evaluate Options:

A. Switch to HTTP APIs

HTTP APIs don’t support WebSocket connections

B. Switch to REST APIs

REST APIs are not compatible with WebSockets

C. Use the callback URL to disconnect clients

⚠️ Possible, but not a direct option

Callback URLs are used for sending messages to connected clients, not for disconnecting

D. Track client status in ElastiCache

Good solution: Store and update connection state (connected, disconnected, timestamps)

Helps track abuse or reconnections

E. Implement $connect and $disconnect routes

Required to capture connection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-selection.html

Managing WebSocket connections: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html

The correct answer is D because Amazon CloudFront is the AWS content delivery network (CDN) designed to improve performance for users who access content globally. In this scenario, the application serves millions of video clips from Amazon S3 to users around the world, and the main problem is poor streaming quality as traffic scales. CloudFront addresses this by caching content at edge locations that are geographically closer to users, reducing latency and improving throughput.

AWS documentation emphasizes that CloudFront works especially well with Amazon S3 as an origin for static and streaming content. Instead of every viewer retrieving video data directly from the S3 bucket’s Region, CloudFront serves cached objects from nearby edge locations. This provides a major performance boost for global audiences and helps absorb large traffic spikes more efficiently.

Option A is incorrect because Route 53 geolocation routing directs DNS queries based on location, but it does not cache or accelerate video delivery. Option B can improve regional redundancy, but simply replicating objects across Regions does not automatically provide fast global delivery or edge caching. Option C is about storage cost optimization, not delivery performance.

CloudFront is also well suited for sudden spikes in traffic because AWS’s edge network is built for high-scale distribution. For video streaming workloads, the reduction in latency and the ability to serve content from nearby cached locations usually provide the largest performance improvement compared to the other options.

Therefore, the best solution is to create an Amazon CloudFront distribution with Amazon S3 as the origin , making D the correct answer.

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

The best solution for this requirement is option A. Creating an Amazon EventBridge rule that has a rate expression that will run the rule every 15 minutes and adding the Lambda function as the target of the EventBridge rule is the most efficient way to invoke the Lambda function periodically. This solution does not require any additional resources or development effort, and it leverages the built-in scheduling capabilities of EventBridge1.

To begin using AWS X-Ray, the team must (1) instrument the application to emit trace segments/subsegments and (2) ensure there is a component that can send trace data to the X-Ray service.

Instrumenting code is typically done with the AWS X-Ray SDK (language-specific). This adds tracing to inbound requests and downstream calls, creates segments/subsegments, and attaches annotations/metadata. That corresponds to Option C.

For many compute environments (especially EC2, ECS on EC2, and on-prem servers), the application sends trace data via the X-Ray daemon/agent running locally. The daemon batches segments and forwards them to the X-Ray service endpoint. That corresponds to Option D.

Option B is helpful after traces exist (using the X-Ray console or CloudWatch ServiceLens), but it is not a prerequisite to “begin using” X-Ray.

Option A is unrelated. X-Ray does not require SQS for instrumentation output.

Option E is incorrect because X-Ray stores trace data in its managed backend; you do not create a DynamoDB table for trace logs.

Therefore, the team needs to instrument the code with the X-Ray SDK and install/run the X-Ray agent/daemon on the servers where the application runs.

The most secure way to handle database credentials for a CodeBuild stage—especially with a company requirement for automatic rotation—is to store credentials in AWS Secrets Manager and reference the secret securely from the CodeBuild environment. Secrets Manager is purpose-built to store, retrieve, and rotate secrets such as database credentials, API keys, and tokens. It encrypts secrets at rest (using AWS KMS), supports fine-grained IAM access control, and integrates with services like CodeBuild through environment variables and runtime retrieval.

With CodeBuild, the developer can configure environment variables to reference a Secrets Manager secret (rather than embedding credentials in buildspec.yml). This ensures that the build process retrieves the latest rotated credentials at runtime, reducing exposure risk and eliminating manual credential updates.

Option B is weaker because Systems Manager Parameter Store (SecureString) is a secure storage mechanism, but automatic rotation is not a native Parameter Store feature in the same way it is in Secrets Manager for database credentials. Secrets Manager provides managed rotation workflows (often via Lambda rotation functions) and scheduling that directly matches the requirement.

Options A and D violate secure handling practices by hardcoding credentials or storing plaintext connection strings. Both approaches significantly increase risk of exposure through source control, build logs, or environment inspection. Additionally, bolting on rotation via Lambda or EventBridge does not address the primary weakness of hardcoded/plaintext secret distribution.

Therefore, AWS Secrets Manager with automatic rotation, referenced securely from CodeBuild environment variables, is the most secure solution.

This solution will ensure that all orders and updates are stored to Amazon S3 with the least development effort because it uses DynamoDB Streams to capture changes in the DynamoDB table and trigger a Lambda function to write those changes to the S3 bucket. This way, the original Lambda function and API Gateway API endpoint do not need to be modified, and no additional services are required. Option A is not optimal because it will require more development effort to create a new Lambda function and a new API Gateway API endpoint, and to modify the original Lambda function to post updates to the new API endpoint. Option B is not optimal because it will introduce additional costs and complexity to use Amazon Kinesis Data Streams to create a new data stream, and to modify the Lambda function to publish orders to the data stream. Option D is not optimal because it will require more development effort to modify the Lambda function to publish to a new Amazon SNS topic, and to create and subscribe a new Lambda function to the topic.

AWS CodeBuild supports parallel test execution through batch builds and multiple compute environments. This feature allows a single CodeBuild project to divide test workloads across multiple isolated environments that run concurrently. Each environment executes a subset of the test suite, significantly reducing total build time.

AWS documentation emphasizes using native CodeBuild capabilities to minimize operational complexity. Parallel execution eliminates the need to manually manage infrastructure, test orchestration logic, or EC2 fleets. CodeBuild automatically provisions and terminates build environments, scales as needed, and integrates seamlessly with CI/CD pipelines.

Options A and D require manual coordination and infrastructure management, increasing operational overhead. Option C does not address the performance problem.

Therefore, using CodeBuild’s parallel compute environments is the most efficient and AWS-recommended approach.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

Lambda throttling occurs when the number of concurrent executions exceeds the available concurrency. This can happen due to account-level concurrency limits, function-level reserved concurrency limits, or sudden traffic spikes.

The most operationally efficient ways to reduce throttling are to increase available concurrency:

Option C: Increasing the function’s reserved concurrency can reduce throttling when the function is being constrained by a too-low reserved concurrency value. Reserved concurrency guarantees a fixed amount of concurrency for the function (and also caps it). If the cap is currently too low, raising it allows more parallel executions and reduces throttles.

Option E: If throttling is due to the account concurrency quota being reached (or burst scaling limits in some patterns), the correct fix is to request a service quota increase. This increases the total available concurrency capacity for the account (and/or specific dimensions), allowing more simultaneous executions across functions.

Why the others are not correct:

A (migrate to EKS) is high effort and not operationally efficient for solving Lambda throttling.

B (maximum age of events) applies to asynchronous event retries/queues; it does not reduce throttling—it only changes how long events remain eligible for processing.

D is irrelevant: adding lambda:GetFunctionConcurrency to the execution role only allows reading settings and does not change throttling behavior.

Therefore, the best operational fixes are to increase reserved concurrency and request a concurrency quota increase.

The requirement is to search for partial matches of email_address but scoped to a specific customer_type. In DynamoDB, efficient partial matching is performed with a Query on a sort key using the begins_with() condition. However, Query requires that the partition key be specified exactly, so we need an index where customer_type can be used as the partition key, and email_address can be used as the sort key for prefix matching.

A Global Secondary Index (GSI) can be added to an existing table without recreating it, and it can use a different partition key and sort key from the base table. Option A correctly proposes a GSI with:

Partition key: customer_type

Sort key: email_address

Then the Lambda can run a Query on the GSI like: customer_type = :ct AND begins_with(email_address, :prefix) which returns emails that start with the typed prefix for that customer type.

Option B is wrong because it keeps email_address as the partition key. That would require an exact email value (not a prefix) to Query, and you cannot do begins_with on a partition key; begins_with is for sort keys.

Options C and D are invalid because Local Secondary Indexes (LSIs) must share the same partition key as the base table (here, email_address). You cannot create an LSI with customer_type or job_title as the partition key when the table partition key is email_address.

Therefore, adding a GSI (customer_type PK, email_address SK) and querying it with begins_with is the correct solution.

For asynchronous Lambda invocations , AWS provides built-in failure handling options that require minimal code and minimal operational work. When an async invocation fails (after Lambda’s internal retry behavior), the event can be sent to a dead-letter queue (DLQ) so it is not lost. A DLQ is the standard mechanism for capturing events that could not be processed successfully, preserving the original payload for later inspection and reprocessing.

Using a DLQ (typically Amazon SQS or Amazon SNS ) gives durable storage of failed events and decouples failure recovery from the main execution path. The developer can later re-drive the messages by building a simple replay process, such as moving messages from the DLQ back to the original event source or invoking the function again with the stored payloads. This aligns with the requirement: “store messages that resulted in failed invocations so the application can retry later.”

Among the options, C is the only one that uses Lambda’s native async failure capture mechanism. Options A and B introduce unnecessary complexity and do not reliably store the original failed invocation payloads as a first-class workflow (CloudWatch Logs is not a message queue, and EventBridge→SNS doesn’t automatically capture only failed events from Lambda async invocations). Option D changes the architecture to an SQS pull model for the Lambda function; while valid, it is more than needed and adds design/operational considerations (polling, batching, visibility timeouts, DLQ configuration on the queue, etc.) compared with simply enabling DLQ support for async invokes.

Therefore, the least operational overhead solution is C : configure a dead-letter queue for the Lambda function’s asynchronous invocations so failed events are stored for later retry.