Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

Step 1: Understanding the Requirements

Gradual Traffic Shift: Test the new version by routing only 10% of production traffic to it.

Lambda Deployment: Use versioning and aliases to manage Lambda function updates.

Step 2: Solution Analysis

Option A:

Publishing a new version creates an immutable version of the Lambda function with the updated code.

This is a prerequisite for deploying changes using weighted aliases.

Correct option.

Option B:

API Gateway stages are not used for weighted routing; they represent environments like "dev" or "prod."

Weighted routing is implemented using Lambda aliases, not API Gateway stages.

Not suitable.

Option C:

Lambda aliases allow traffic to be split between versions using weighted routing.

Assign a 90% weight to the old version and 10% to the new version to implement the gradual rollout.

Correct option.

Option D:

Network Load Balancers are not suitable for managing Lambda function traffic directly.

Not applicable.

Option E:

Route 53 routing policies apply at the DNS level and are not designed for Lambda version management.

Not suitable.

Step 3: Implementation Steps

Publish a New Version:

Publish the updated Lambda function code as a new version.

Create an Alias and Configure Weighted Routing:

Create an alias (e.g., prod) and associate it with both the old and new versions.

Set weights for traffic distribution:

aws lambda update-alias --function-name my-function \

--name prod --routing-config '{"AdditionalVersionWeights": {"2": 0.1}}'

AWS Developer References:

Lambda Function Aliases

Weighted Traffic Routing with Lambda

The correct policy condition ensures that:

The LeadingKeys condition restricts operations to the authenticated user's user_id.

The Attributes condition limits the updatable attributes to user_name.

Explanation of Choices:

Option A: Correctly enforces both the key restriction (dynamodb:LeadingKeys) and ensures only the user_name attribute can be updated.

Option B, C, D: Use incorrect conditions, such as referencing user_name in the LeadingKeys or including other attributes like user_id in updatable fields.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The company wants to gradually release a new feature to 15% of users to perform testing. AWS AppConfig is designed to manage and deploy configurations, including feature flags, allowing controlled rollouts.

2. Key AWS AppConfig Features:

Feature Flags: Enable or disable features dynamically without redeploying code.

Variants: Define different configurations for subsets of users.

Targeting Rules: Specify rules for which users receive a particular variant.

3. Explanation of the Options:

Option A:"Set up a custom script within the application to randomly select 15% of users. Assign a flag for the new feature to the selected users."While possible, this approach requires significant operational effort to manage user selection and ensure randomness. It does not leverage AWS AppConfig's built-in capabilities, which increases overhead.

Option B:"Create separate AWS AppConfig feature flags for both groups of users. Configure the flags to target 15% of users."Creating multiple feature flags for different user groups complicates configuration management and does not optimize the use of AWS AppConfig.

Option C:"Create an AWS AppConfig feature flag. Define a variant for the new feature, and create a rule to target 15% of users."This is the correct solution. Using AWS AppConfig feature flags with variants and targeting rules is the most efficient approach. It minimizes operational overhead by leveraging AWS AppConfig's built-in targeting and rollout capabilities.

Option D:"Use AWS AppConfig to create a feature flag without variants. Implement a custom traffic splitting mechanism in the application code."This approach requires custom implementation within the application code, increasing complexity and operational effort.

4. Implementation Steps for Option C:

Set Up AWS AppConfig:

Open the AWS Systems Manager Console.

Navigate to AppConfig.

Create a Feature Flag:

Define a new configuration for the feature flag.

Add variants (e.g., "enabled" for the new feature and "disabled" for no change).

Define a Targeting Rule:

Use percentage-based targeting to define a rule that applies the "enabled" variant to 15% of users.

Targeting rules can use attributes like user IDs or geographic locations.

Deploy the Configuration:

Deploy the configuration using a controlled rollout to ensure gradual exposure.

CloudFront is a content delivery network that caches objects at edge locations to reduce latency and origin load. When the developer updates static artifacts in the origin S3 bucket, CloudFront may continue serving cached versions until the objects expire based on cache-control headers or the distribution’s TTL settings. That is why the developer sees the updated files in S3 but not on the site.

The standard fix is to perform a CloudFront cache invalidation for the updated object paths (for example, /app.js, /styles.css, or /* if needed). An invalidation forces CloudFront edge locations to remove the cached objects so the next viewer request fetches the latest version from the S3 origin.

Option C directly addresses this behavior and is the correct operational practice when cache TTLs would otherwise delay updates.

Option A (Object Lock) is for WORM retention/compliance and has nothing to do with CloudFront cache refresh.

Option B might change what exists in S3 but does not guarantee CloudFront will stop serving cached content; the cache can still serve objects even if deleted from the origin (until it revalidates/refreshes).

Option D is unnecessary; the origin does not need to change to fetch updated content.

Therefore, invalidate the CloudFront cache after deployment to ensure the new artifacts are served.

The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.

With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.

Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”

Option A expires objects, which deletes them after 7 days—this contradicts the requirement to keep objects available.

Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.

Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.

“Encryption in transit” for S3 means requiring requests to use HTTPS (TLS) rather than HTTP. AWS provides a standard policy condition key, aws:SecureTransport, that evaluates to true when the request is made over SSL/TLS and false when it is not. To enforce TLS for all cross-account GetObject requests, the most reliable control point is the S3 bucket resource-based policy, because the bucket is the resource being accessed and the bucket owner can enforce conditions regardless of which external account is calling.

Option A is the established pattern: add an explicit Deny statement in the bucket policy that denies all S3 actions (or at least s3:GetObject) when aws:SecureTransport is false. An explicit deny overrides any allows, ensuring that even if another account’s IAM policy allows access, the request will still be blocked if it is not using HTTPS.

Option B is backwards because it would allow insecure transport rather than deny it.

Option C is weaker because you cannot reliably enforce policies in other accounts (and principals could change roles or permissions). The bucket owner should enforce transport security at the bucket level.

Option D is not the right layer: the KMS key policy controls key usage, but the S3 GetObject transport requirement is best enforced by the S3 bucket policy. Also, S3 access can be denied before KMS is even involved.

Therefore, enforce HTTPS by adding a bucket policy Deny when aws:SecureTransport is false.

Tracing Distributed Systems: AWS X-Ray is designed to trace requests across services, helping identify bottlenecks in distributed applications like this one.

No Code Changes: Enabling X-Ray tracing often requires minimal code changes, meeting the requirement.

Identifying Bottlenecks: Analyzing X-Ray traces and logs will reveal latency in communications between different AWS services, leading to the high duration time.