Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

AWS Amplify is a set of tools and services that enables developers to build and deploy full-stack web and mobile applications that are powered by AWS. AWS Amplify supports hosting static websites on Amazon S3 and Amazon CloudFront, with HTTPS enabled by default. AWS Amplify also integrates with various version control systems, such as AWS CodeCommit, Bitbucket, and GitHub, and allows developers to connect different branches to different environments. AWS Amplify automatically builds and deploys the website whenever code changes are merged to a connected branch, enabling phased releases with minimal operational overhead. Reference: AWS Amplify Console

The correct answer is A because AWS Lambda requires permissions in the function’s execution role to create log groups, create log streams, and put log events into Amazon CloudWatch Logs . If the Lambda function is throwing errors but there are no CloudWatch log entries, the most likely cause is that the execution role does not include the necessary logging permissions. AWS documentation states that Lambda automatically sends logs from function code and the execution environment to CloudWatch Logs, but this behavior depends on the function’s IAM role having permissions such as logs:CreateLogGroup , logs:CreateLogStream , and logs:PutLogEvents .

This aligns with the scenario because the source code already attempts to write logs before saving data to DynamoDB. If the function is invoked and errors are visible in CloudWatch metrics, but logs never appear, then logging is failing before or during delivery to CloudWatch Logs. Assigning the proper IAM permissions resolves that problem directly.

Option B is incorrect because CloudWatch Lambda Insights provides enhanced monitoring and performance telemetry, but it does not replace the basic permissions required for CloudWatch Logs delivery. Option C is incorrect because AWS X-Ray helps trace requests and diagnose latency or service interactions, but it does not solve missing log stream permissions. Option D is incorrect because CloudWatch does not need to be added as a trusted principal to the Lambda execution role; the trusted entity for that role is the Lambda service .

Therefore, the developer should update the Lambda execution role to include the required CloudWatch Logs permissions.

Option D is correct because Amazon SNS supports message filtering by message attributes , including numeric filtering. The transaction price can be published as an SNS message attribute, and the subscription filter policy can match only messages where the price is above the required threshold. This gives the company direct notifications only for qualifying transactions without adding Lambda processing, SQS redrive logic, CloudWatch alarms, or custom filtering code. AWS documentation confirms that SNS subscription filter policies can match message attributes and that numeric value range matching supports operators such as greater than and less than. The DLQ-based options are wrong because DLQs are for failed message delivery or processing, not business-rule filtering. The Lambda/SQS option works but adds unnecessary operational overhead.

===============

The requirement describes a linear deployment for Lambda: shift 10% of traffic, wait 10 minutes, then shift another 10%, repeating until all traffic uses the new version. That maps exactly to CodeDeployDefault.LambdaLinear10PercentEvery10Minutes. A canary deployment would shift an initial percentage, wait, and then shift the remaining traffic all at once, so LambdaCanary10Percent10Minutes is not correct. OneAtATime applies to instance-based deployments and does not describe Lambda traffic shifting. The ECS option is for Amazon ECS deployments, not Lambda. AWS CodeDeploy documentation lists predefined Lambda deployment configurations and states that CodeDeployDefault.LambdaLinear10PercentEvery10Minutes shifts 10% of traffic every 10 minutes until all traffic is shifted. ( AWS Documentation )

===============

The correct answer is D because the current DynamoDB table design is causing a hot partition problem. The table uses order_date as the partition key, which means that during peak ordering periods, a very large number of writes are likely targeting the same partition key value for the current date. In DynamoDB, write throttling often occurs when traffic is not evenly distributed across partition keys, even when the table uses on-demand mode . On-demand capacity can automatically scale, but it still depends on proper key distribution to avoid concentrated activity on a small number of partitions.

By changing the partition key to customer_id and using order_id as the sort key, writes will be spread across many customers instead of being concentrated on a small number of date values. This creates a more balanced write pattern and better aligns with DynamoDB best practices for high-scale workloads. DynamoDB documentation emphasizes choosing partition keys with high cardinality and even request distribution to avoid throttling and improve performance.

Option A is not a good design because a sequential partition key can still create uneven access patterns and usually does not support meaningful access requirements. Option B is not the best answer because simply increasing capacity does not fix a poor partition key design; hot partitions can still throttle. Option C is unnecessary because the issue is not that DynamoDB is the wrong service, but that the table schema needs redesign.

Therefore, the best solution is to refactor the key schema so that writes distribute more evenly across partitions, which is exactly what D achieves.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

Amazon SQS standard queues provide at-least-once delivery, which means messages can be delivered more than once. When Lambda is triggered by an SQS standard queue, duplicate delivery can occur due to retries, visibility timeouts, or transient errors. Therefore, “processed multiple times” is expected behavior unless the system implements deduplication or idempotency.

The most cost-effective way within the provided options to reduce duplicate processing is to use an SQS FIFO queue with deduplication. FIFO queues support exactly-once processing semantics within the constraints of the service (by preventing duplicate message delivery within the deduplication interval when a MessageDeduplicationId is used or content-based deduplication is enabled). This directly mitigates duplicate processing without requiring large architectural changes.

Option B (DLQ) is important for handling poison messages, but it does not prevent duplicates in normal processing; it only captures messages that fail repeatedly.

Option C (concurrency = 1) reduces parallelism but does not eliminate duplicates; the same message can still be delivered again if the visibility timeout expires or retries occur.

Option D is a major redesign and not cost-effective for simply addressing duplicate SQS message processing.

💡 Note: In real production systems, the best practice is to make processing idempotent (so duplicates do no harm). But among the choices, FIFO + deduplication is the most direct and cost-effective fix.

Therefore, switch to an SQS FIFO queue and use deduplication.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html

To ensure a Lambda function URL is reachable only through CloudFront, the solution must (1) make CloudFront the only authorized caller, and (2) prevent direct public access to the function URL endpoint. The AWS-native way to do this is to use a resource-based policy on the Lambda function that permits invocation only from the specific CloudFront distribution, combined with CloudFront’s Origin Access Control (OAC) to sign origin requests.

A Lambda function URL can be configured for IAM-based authorization, and Lambda supports resource-based permissions (via lambda:AddPermission) that restrict who can invoke it. By scoping the permission so that only the CloudFront distribution (identified by a source ARN / distribution identifier) is allowed, direct requests that do not come through CloudFront will be rejected. This enforces the requirement that the function URL cannot be accessed directly.

CloudFront OAC is the modern mechanism to securely access origins by having CloudFront sign the requests it sends to the origin. When CloudFront signs requests and the origin (here, the Lambda function URL) is configured to accept only authorized requests per its resource policy, CloudFront becomes the only viable access path.

Option A is incorrect because CloudFront does not use a “resource-based policy” to grant access to an origin in this way; the enforcement must happen at the origin. Option C is not how CloudFront accesses origins; CloudFront does not assume a customer IAM role to fetch origin content. Option D is fragile and not recommended: CloudFront IP ranges can change and are not intended to be used as a static allowlist for origin protection; additionally, IP-based controls do not provide the same strong identity-based authorization that OAC + resource policy provides.

Therefore, B is the correct solution: restrict the Lambda function URL with a Lambda resource-based policy and configure CloudFront with OAC so only CloudFront-originated requests are accepted.

This solution will solve the deployment issue by deploying the new version of the application to one new EC2 instance at a time, while keeping the old version running on the existing instances. This way, there will always be at least four instances serving traffic during the deployment, and no downtime or performance degradation will occur. Option A is not optimal because it will increase the cost of running the Elastic Beanstalk environment without solving the deployment issue. Option B is not optimal because it will split the traffic between two versions of the application, which may cause inconsistency and confusion for the customers. Option D is not optimal because it will deploy the new version of the application to two existing instances at a time, which may reduce the capacity below four instances during the deployment.