Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

https://docs.aws.amazon.com/lambda/latest/dg/nodejs-context.html https://docs.aws.amazon.com/lambda/latest/dg/nodejs-logging.html

There is no explicit information for the runtime, the code is written in Node.js.

AWS Lambda is a service that lets developers run code without provisioning or managing servers. The developer can use the AWS request ID field in the context object to obtain a unique identifier for each function invocation. The developer can configure the application to write logs to standard output, which will be captured by Amazon CloudWatch Logs. This solution will meet the requirement of logging key events with a unique identifier.

Requirement Summary:

DynamoDB Provisioned Mode

ProvisionedThroughputExceededException error occurring

App hosted on a small burstable EC2 instance

Option A: Move to a larger EC2 instance

May improve local performance, but does not solve DynamoDB provisioned throughput limits.

Option B: Increase DynamoDB RCUs

Valid: This directly increases the read throughput capacity of the table.

Helps handle more traffic and reduce throughput exceptions.

Option C: Reduce frequency via exponential backoff

Best practice: Using exponential backoff and jitter reduces request pressure and spreads retries out to avoid spiking.

Option D: Increase frequency of retries by reducing delay

Opposite of best practice. Increases load, worsening the issue.

Option E: Change to on-demand mode

Also valid in general, but question is scoped around provisioned capacity.

Since minimizing cost or workload type isn ' t mentioned, and scaling the existing model is the focus, prefer B and C.

ProvisionedThroughputExceededException: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HandlingErrors.html

Exponential backoff: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html

Capacity modes: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html

Amazon Simple Queue Service (Amazon SQS) is a fully managed queue service that allows you to de-couple and scale for applications1. Amazon SQS offers two types of queues: Standard and FIFO (First In First Out) queues1. The FIFO queue uses the messageDeduplicationId property to treat messages with the same value as duplicate2. Therefore, changing the Amazon SQS standard queue to an Amazon SQS FIFO queue using the Amazon SQS message deduplication ID can help resolve the issue of the Lambda function processing some messages multiple times. Therefore, option A is correct.

Step-by-Step Breakdown:

Requirement Summary:

Use AWS SAM to deploy:

1 Lambda Function

1 S3 Bucket

Lambda needs read-only access to the S3 bucket

Solution must be expressed via AWS SAM template

Option A: Reference a second Lambda authorizer function

Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.

Option B: Add a custom S3 bucket policy to the Lambda function

Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.

The permission must be granted to the Lambda’s IAM execution role.

Option C: Create an Amazon SQS topic for only S3 object reads

Incorrect: SQS cannot read objects from S3 and is not relevant to this scenario.

Option D: Add the S3ReadPolicy template to the Lambda function ' s execution role

Correct: AWS SAM provides managed policy templates like AmazonS3ReadOnlyAccess and shortcuts like S3ReadPolicy.

You can apply these to the Lambda’s execution role using the Policies: section in your SAM template.

Example SAM YAML:

yaml

CopyEdit

Resources:

MyFunction:

Type: AWS::Serverless::Function

Properties:

CodeUri: my-code/

Handler: app.handler

Runtime: python3.11

Policies:

- S3ReadPolicy:

BucketName: !Ref MyBucket

MyBucket:

Type: AWS::S3::Bucket

Properties:

BucketName: my-personal-bucket-name

SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy

The correct answer is C because reserved concurrency guarantees that a specific AWS Lambda function has access to a defined number of concurrent executions. In this scenario, the function normally runs correctly but occasionally receives a surge of up to 500 S3 object-created events per minute . Since each invocation runs for about 30 seconds , the function may need substantial concurrency during those bursts. Configuring reserved concurrency ensures that this function has dedicated execution capacity available during peak periods and is not affected by concurrency consumption from other functions in the account.

AWS documentation explains that reserved concurrency both sets the maximum concurrency for a function and reserves that capacity exclusively for the function. This is especially helpful when one function must continue operating reliably under burst traffic. Even though other functions are currently running as expected, reserved concurrency is the direct AWS mechanism to protect the processing function from account-level concurrency contention during spikes.

Option A is incorrect because the function already completes in about 30 seconds; changing timeout does not solve high-volume invocation scaling. Option B is not the best answer because adding a Lambda layer does not guarantee improved throughput or concurrency handling. Option D is incorrect because decreasing memory usually reduces available CPU and can make performance worse, which would increase the chance of delays or failures.

Therefore, the most effective approach is to configure reserved concurrency for the processing function so it can continue to run reliably during high-volume object upload periods.

The application relies on shared file storage that behaves like NFS and must be accessible concurrently by multiple containers across Kubernetes nodes. AWS documentation clearly identifies Amazon EFS as the AWS-native, fully managed, NFS-compatible file system designed for this purpose.

Amazon EFS provides elastic scaling , high availability across multiple Availability Zones, and native integration with container orchestration platforms. It is the most direct replacement for on-premises NFS, requiring minimal architectural change.

To run Kubernetes workloads on AWS with high availability, AWS recommends Amazon EKS , a managed Kubernetes service that automatically handles control plane availability and upgrades. EKS integrates natively with EFS using the Amazon EFS CSI driver, allowing pods across multiple nodes to mount the same file system concurrently.

Amazon EBS (Options A, C, and D) is block storage that can be attached to only one EC2 instance at a time (except in limited Multi-Attach scenarios) and is therefore unsuitable for shared NFS-style access across a Kubernetes cluster.

Uploading container images to Amazon ECR ensures secure, scalable storage for container images and seamless integration with EKS.

Therefore, migrating the NFS data to Amazon EFS and running the workloads on Amazon EKS is the fastest, most scalable, and AWS-recommended solution.

The goal is near-real-time propagation of changes from one DynamoDB table (Accounts) to another service’s datastore (Payments) while keeping services decoupled. The simplest and most reliable DynamoDB-native change feed is Amazon DynamoDB Streams.

DynamoDB Streams captures item-level modifications (inserts, updates, deletes) in time order and makes them available as a stream of change records. A consumer (commonly an AWS Lambda function) can process stream records and apply the necessary updates to the Payments database/table (or publish events for downstream processing). This provides near-real-time updates with minimal operational overhead, strong integration, and a decoupled architecture because the Accounts service simply emits changes and does not need to call Payments synchronously.

Option A (Glue ETL) is batch-oriented and adds heavy operational complexity; it’s not the simplest nor near-real-time.

Option B introduces a cache as a synchronization mechanism, which complicates consistency and durability; caches are not ideal as the primary propagation channel.

Option C (Firehose) is designed for delivering streaming data to destinations like S3, Redshift, OpenSearch, etc., and is not the standard approach for DynamoDB-to-DynamoDB change replication.

Therefore, DynamoDB Streams is the best fit for near-real-time, decoupled updates between DynamoDB-backed microservices.

Lambda Concurrency: The ' maximum concurrency ' setting in event source mappings controls the maximum number of simultaneous invocations Lambda allows for that specific source.

Prioritizing Queues: Setting a lower maximum concurrency for the ' high priority queue ' ensures it ' s processed first while allowing more concurrent invocations from the ' low priority queue ' .

Batching: Batch size settings affect the number of messages Lambda retrieves from a queue per invocation, which is less relevant to the prioritization requirement.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to-live (TTL) period. This can improve the responsiveness of the APIs by reducing the number of calls made to the backend service.

AWS CloudFormation parameters allow templates to be reused across multiple environments by injecting environment-specific values at deployment time. AWS documentation recommends parameters for environment names such as dev, test, and prod.

To ensure unique resource names, CloudFormation intrinsic functions can dynamically construct names. Fn::Sub allows string interpolation, and !Ref retrieves the parameter value. Together, they enable resource names like myapp-dev-bucket or myapp-prod-role.

Conditions (Option B) control whether resources are created but do not generate unique names. Rules (Option C) validate parameters but do not affect naming. Fn::GetAtt (Option E) retrieves resource attributes and is not used to build names.

Therefore, defining an environment name parameter and using Fn::Sub with !Ref is the correct and AWS-recommended approach.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

Why Option A is Correct:Running an AWS Lambda function within the same VPC ensures secure communication without exposing the API application to public IP addresses. The Lambda function can serve as a secure EventBridge target to send events to the API.

Why Other Options are Incorrect:

Option B & C: Internet-facing load balancers expose public IP addresses, which violates compliance requirements.

Option D: EventBridge cannot directly target an endpoint within a private VPC without intermediary services like Lambda.

AWS Documentation References:

EventBridge Targets

Requirement Summary:

Multi-tier app on EC2 + Aurora PostgreSQL

Must comply with least privilege and security policies

Need to manage credentials and API keys securely

Must support key rotation on demand

Evaluate Options:

A. Secrets Manager + AWS managed KMS keys

Best practice for secure secret storage

Supports auto rotation

Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)

AWS managed keys are rotated automatically and easier to manage

B. Secrets Manager + customer managed keys

Also valid, but adds complexity

Since the question asks for LEAST development effort, AWS-managed keys are preferred

C. Store secrets in code

Violates all security best practices

D. Use SSM Parameter Store + AWS managed keys

Possible, but Secrets Manager is preferred when rotation is needed

Parameter Store does not natively rotate secrets

Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Automatic key rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Best practices for secret management: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html