Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

The solution that will meet the requirements is to add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior’s settings unchanged. This way, the login page can be accessed without authentication, while all other content remains secure and requires signed cookies. The other options either do not allow unauthenticated access to the login page, or expose private content to unauthorized users.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To redact PII from S3 objects before they are accessed by the analytics service, the most efficient solution is to use S3 Object Lambda. S3 Object Lambda allows you to add your own code (Lambda function) to process and transform data when it is retrieved from Amazon S3. You can attach a Lambda function to an S3 Object Lambda Access Point, which in this case would run a redaction API to remove PII from the reports.

Operational Efficiency: S3 Object Lambda handles data processing on the fly, without requiring the data to be permanently transformed or moved to another service (like Amazon Redshift).

Alternatives:

Option A: Loading the data into Amazon Redshift would require refactoring the analytics service and maintaining an additional data pipeline, increasing complexity.

Option C: Using AWS KMS for encryption protects data at rest and in transit, but it does not address PII redaction.

Option D: SNS is a messaging service and does not support direct data transformation.

This solution will meet the requirements by using Amazon CloudWatch Logs to capture and analyze the logs from API Gateway. Amazon CloudWatch Logs is a service that monitors, stores, and accesses log files from AWS resources. The developer can turn on execution logging and access logging in Amazon CloudWatch Logs for the API stage, which enables logging information about API execution and client access to the API. The developer can create a CloudWatch Logs log group, which is a collection of log streams that share the same retention, monitoring, and access control settings. The developer can specify the Amazon Resource Name (ARN) of the log group for the API stage, which instructs API Gateway to send the logs to the specified log group. The developer can then examine the logs to determine the cause of the HTTP 400 response errors. Option A is not optimal because it will create an Amazon Kinesis Data Firehose delivery stream to receive API call logs from API Gateway, which may introduce additional costs and complexity for delivering and processing streaming data. Option B is not optimal because it will turn on AWS CloudTrail Insights and create a trail, which is a feature that helps identify and troubleshoot unusual API activity or operational issues, not HTTP response errors. Option C is not optimal because it will turn on AWS X-Ray for the API stage, which is a service that helps analyze and debug distributed applications, not HTTP response errors.

The requirements are: (1) store an API key that a Lambda function will use, (2) ensure the secret is encrypted at rest using AWS KMS , and (3) the company must control key rotation , which implies using a customer managed KMS key (CMK) rather than an AWS managed key.

Option C meets the requirements by storing the API key in AWS Systems Manager Parameter Store as a SecureString parameter encrypted with a customer managed KMS key . SecureString is designed for sensitive configuration data and integrates with KMS so the organization can choose the CMK, manage its lifecycle, and control rotation policies. The Lambda function can retrieve the parameter at runtime using the AWS SDK, and IAM policies can tightly control access to the parameter and to the KMS key.

Option E also meets the requirements by storing the API key in a Lambda environment variable encrypted with a customer managed KMS key . Lambda encrypts environment variables at rest and allows you to specify a customer managed KMS key for encryption. This gives the company control over key rotation and key policy, satisfying the “must control key rotation” requirement. The function reads the value from the environment at runtime without additional network calls.

Why the other options fail:

A uses an AWS managed KMS key, which does not satisfy the requirement for the company to control rotation (you cannot manage rotation of AWS managed keys in the same way).

B is a plain String parameter, which is not encrypted as a secret and does not meet the at-rest encryption requirement.

D uses an AWS managed KMS key, again failing the company-controlled rotation requirement.

Therefore, the two valid solutions are C (Parameter Store SecureString with a customer managed CMK) and E (Lambda environment variable encrypted with a customer managed CMK).

This solution is the most efficient method to grant users access to AWS resources without requiring them to log in. Amazon Cognito is a service that provides user sign-up, sign-in, and access control for web and mobile applications. Amazon Cognito identity pools support both authenticated and unauthenticated users. Unauthenticated users receive access to your AWS resources even if they aren’t logged in with any of your identity providers (IdPs). You can use Amazon Cognito to associate unauthenticated users with an IAM role that has limited access to resources, such as Amazon S3 buckets or DynamoDB tables. This degree of access is useful to display content to users before they log in or to allow them to perform certain actions without signing up. Using an identity provider to securely authenticate with the application will require users to log in, which does not meet the requirement. Creating an AWS Lambda function to create an IAM user when a user accesses the application will incur unnecessary costs and complexity, and may pose security risks if not implemented properly. Creating credentials using AWS KMS and applying them to users when using the application will also incur unnecessary costs and complexity, and may not provide fine-grained access control for resources.

This solution will meet the requirements by using the Time to Live (TTL) feature of DynamoDB, which enables automatically deleting items from a table after a certain time period. The developer can add a new attribute of type Number that has a timestamp that is set to 48 hours after the blog post creation time, which represents the expiration time of the item. The developer can configure the DynamoDB table with a TTL that references the new attribute, which instructs DynamoDB to delete the item when the current time is greater than or equal to the expiration time. This solution is also cost-effective as it does not incur any additional charges for deleting expired items. Option A is not optimal because it will create a script to find and remove old posts with a table scan and a batch write item API operation, which may consume more read and write capacity units and incur more costs. Option B is not optimal because it will use Amazon Elastic Container Service (Amazon ECS) and AWS Fargate to run the script, which may introduce additional costs and complexity for managing and scaling containers. Option C is not optimal because it will create a global secondary index (GSI) that uses the expiration time as a sort key, which may consume more storage space and incur more costs.

Feature flags are a classic configuration-management use case: values change over time, multiple applications share them, and clients should retrieve updates efficiently with local caching. AWS AppConfig (part of AWS Systems Manager) is purpose-built to deploy and manage application configuration and feature flags. It provides controlled rollout, validation, and centralized configuration management. For operational efficiency, AWS offers the AWS AppConfig Agent for compute environments such as EC2.

With option C, the AppConfig Agent runs on each EC2 instance and polls AppConfig on a configured interval for updates. The agent maintains a local cache and exposes the current configuration through a localhost HTTP endpoint . The application then reads the feature flag values from the local endpoint, which is fast and reduces direct calls to AWS APIs. This meets both requirements: periodic polling for new values and caching once retrieved, while minimizing application changes and centralizing operational control in AppConfig.

Option D (Parameter Store + in-memory cache) can work, but it pushes more responsibility into each application: polling logic, caching behavior, error handling, and consistency. Option A misuses Secrets Manager (intended for secrets, not dynamic flags) and adds ElastiCache operational overhead. Option B similarly adds DAX and DynamoDB infrastructure and is not a standard feature-flag pattern; it also requires the app to implement polling and caching logic, reducing operational efficiency.

Therefore, C is the most operationally efficient solution: store flags in AWS AppConfig , run the AppConfig Agent on EC2 to handle polling and caching, and have the application read flags from the agent’s localhost endpoint.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Use Amazon S3 for Shared Test Events:

Storing JSON test event files in an S3 bucket provides a centralized, cost-effective, and highly available solution.

Granular IAM policies can restrict access to specific developers or roles, ensuring security while maintaining consistency for shared test events.

This solution has minimal operational overhead and integrates easily with existing workflows.

Why Other Options Are Incorrect:

Option B: Using DynamoDB and a Lambda function introduces unnecessary complexity for a relatively simple requirement. S3 provides a simpler and more cost-efficient solution.

Option C: AWS Lambda test events are not inherently shareable across developers, making this option invalid.

Option D: Using a Git repository adds operational overhead and requires developers to clone/update repositories for access, which is more cumbersome compared to S3.

AWS IAM role permissions are evaluated dynamically . According to AWS documentation, when an IAM role attached to an EC2 instance is updated, the updated permissions are available to applications running on that instance without requiring a restart . The EC2 instance retrieves temporary credentials through the instance metadata service, and those credentials are refreshed automatically.

In this scenario, the least disruptive approach is to update the IAM role policy to include the required s3:GetObject permission. Once the permission is added, the application can immediately retry access to the S3 bucket without restarting, stopping, or terminating the EC2 instance.

Terminating or restarting the instance (Options A and C) introduces unnecessary downtime and operational overhead. Modifying the S3 bucket policy (Option D) is unnecessary because the problem lies with missing role permissions, not bucket access configuration.

AWS best practices strongly recommend using IAM roles for EC2 and updating permissions dynamically to avoid service interruption. Therefore, simply adding the required permission to the role is the correct and most efficient solution.

Amazon S3 event notifications can invoke AWS Lambda functions at very high rates during traffic spikes. In this scenario, up to 500 objects per minute can result in hundreds of concurrent Lambda invocations. By default, Lambda functions share the account’s unreserved concurrency pool , which can cause throttling if the pool is exhausted by sudden bursts.

AWS Lambda reserved concurrency guarantees a specific number of concurrent executions for a function. By configuring reserved concurrency, the developer ensures that sufficient execution capacity is always available for this specific function, regardless of other Lambda workloads in the account. This prevents throttling during high-volume S3 event bursts.

Increasing the timeout (Option A) does not address concurrency limits. Adding a layer (Option B) does not solve invocation throttling. Decreasing memory (Option D) can actually worsen performance and increase execution time.

AWS documentation explicitly recommends reserved concurrency when workloads experience unpredictable or bursty invocation patterns and must run reliably. Therefore, reserving concurrency is the correct and AWS-recommended solution.

Comprehensive and Detailed Step-by-Step Explanation:

Customer Managed Keys (CMK) for Granular Control (Option B):

Customer-managed KMS keys are required to meet the security policy requirement of team-specific control over KMS key rotation. Each team can manage the lifecycle of its own key.

The kms:Decrypt permission allows the Lambda function execution roles to decrypt the environment variables during runtime.

This solution adheres to the principle of least privilege and satisfies the need for team-specific key control.

Why Other Options Are Incorrect:

Option A: AWS-managed keys cannot provide team-specific control or support the custom rotation policy required by the teams.

Option C: Adding kms:CreateGrant and kms:Encrypt permissions to Lambda roles is unnecessary for this scenario. The key usage is limited to decryption at runtime.

Option D: AWS-managed keys still lack team-specific control, and adding kms:CreateGrant and kms:Encrypt is redundant.

Amazon API Gateway supports multiple stages , allowing developers to deploy and test different versions of an API independently. By creating a new test stage , the developer can route traffic to an updated Lambda function without impacting production users.

AWS documentation recommends using stage variables to dynamically reference different Lambda function versions or aliases. This approach enables safe testing while reusing the same API configuration.

Canary deployments (Option A) expose a portion of production users to the new code, which violates the requirement. Changing the endpoint type (Option B) disrupts production. Duplicating the entire stack (Option D) introduces unnecessary complexity and overhead.

Using a separate test stage is the most efficient, low-risk, and AWS-recommended solution.

A CloudFormation change set is the correct tool when a developer needs to preview the impact of template updates before applying them. Change sets show which resources CloudFormation will add, modify, replace, or delete. This allows the developer to review stack changes and avoid unintended updates. Stack sets are for deploying stacks across multiple accounts or Regions, not for previewing a single stack update. AWS X-Ray traces application requests and does not inspect infrastructure updates. CloudFormation hooks can enforce rules during provisioning, but they are not the standard mechanism for reviewing planned stack changes. AWS documentation states that change sets let users preview how proposed changes might affect running resources before executing the update. ( AWS Documentation )

===============