Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

For a serverless web application that needs user registration and authentication with minimal configuration, the standard AWS solution is Amazon Cognito User Pools. User Pools provide managed user directories, sign-up/sign-in flows, MFA options, password reset, and token-based authentication (OAuth2/OIDC/JWT). This integrates naturally with API Gateway (Cognito authorizers) and Lambda.

Option A is best because it uses Cognito User Pools plus an app client and the Hosted UI, which provides ready-made sign-up/sign-in pages. Hosted UI minimizes custom UI and backend authentication code while still allowing branding customization and secure token issuance. The SPA can authenticate via Cognito, receive JWT tokens, and call API Gateway endpoints securely.

Option B (identity pool) is primarily for granting temporary AWS credentials to access AWS services directly (federation). It does not replace User Pools for user registration/login flows; typically identity pools are used in addition to user pools, not instead, and require more configuration.

Option C adds unnecessary infrastructure (EC2) and defeats the “minimize configuration” goal.

Option D is not appropriate for end-user authentication. IAM users/groups are for workforce/admin access, not for customer-facing apps.

Therefore, Cognito User Pool + Hosted UI is the minimal-configuration secure solution.

Step 1: Understanding the Requirements

Best Practices for Security:

Minimize the use of hardcoded credentials or long-lived access keys.

Use IAM roles for EC2 instances to securely grant permissions to applications running on the instance.

Access Scope: The application needs read-only access to an S3 bucket.

Step 2: Solution Analysis

Option A:

Define an IAM policy with the required s3:GetObject permissions.

Attach this policy to an IAM role.

Assign the role to the EC2 instance profile.

This approach follows security best practices by eliminating the need for static credentials and using temporary, scoped credentials provided by the instance profile.

Correct option.

Option B:

IAM groups are used for organizing users, not for EC2 instances or instance profiles.

Not suitable.

Option C:

IAM users are associated with specific individuals or applications and require static credentials.

This violates security best practices for temporary credentials and roles.

Not suitable.

Option D:

IAM web identity federation is used for applications that authenticate users via third-party identity providers.

This is unnecessary for EC2 instances and does not align with the requirements.

Not suitable.

Step 3: Implementation Steps

Create an IAM Policy:

Grant read-only access to the S3 bucket:

json

Copy code

{

" Version " : " 2012-10-17 " ,

" Statement " : [

{

" Effect " : " Allow " ,

" Action " : " s3:GetObject " ,

" Resource " : " arn:aws:s3:::your-bucket-name/* "

}

]

}

Attach the Policy to an IAM Role:

Create an IAM role and attach the policy to the role.

Associate the Role with the EC2 Instance:

Attach the role to the instance profile used by the EC2 instance.

AWS Developer References:

IAM Roles for Amazon EC2

Amazon S3 Permissions Reference

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = " MobileApp "

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where OrderSource = " MobileApp " .

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-query-scan.html

This is a cross-account access pattern using STS AssumeRole. Account A owns the DynamoDB table and has created an IAM role (AccessPII) with permissions to access the table. Account A also configured a trust policy that allows principals from Account B to assume the role. That trust policy alone is not enough; the caller in Account B must also be allowed to call sts:AssumeRole.

Therefore, in Account B, the EC2 instance profile role (the role attached to the EC2 instances running the app) must have permission to assume the role in Account A. That is Option A.

Next, the application must actually obtain temporary credentials for the Account A role. The standard way is to call STS AssumeRole in the application logic (or use an SDK credential provider that assumes a role). This yields temporary credentials that have the permissions of the AccessPII role, allowing DynamoDB access in Account A. That is Option D.

Option B is not correct because granting direct DynamoDB table permissions in Account B does not grant access to a table owned by Account A unless Account A also grants access via a resource policy (DynamoDB resource policies exist but the scenario already sets up role assumption; the intended solution is AssumeRole).

Option C is incomplete/wrong: getting temporary credentials from the EC2 role alone gives permissions of the EC2 role in Account B, not the permissions in Account A. You must assume the cross-account role.

Option E is for IAM user MFA session tokens, not cross-account role assumption for an EC2 role.

Therefore, grant sts:AssumeRole to the EC2 role and call AssumeRole in code.

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn ' t provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies

In DynamoDB, queries can only be performed on the Partition Key and Sort Key. If you need to perform high-performance queries on a non-key attribute, you must create a Global Secondary Index (GSI). A GSI allows you to define a new partition key (and optional sort key) for the existing data, enabling efficient queries on those attributes. Scans (Option C) are inefficient and get slower as data grows, regardless of parallelism.

The solution that will meet the requirements most cost-effectively is to store the smart meter readings in an Amazon DynamoDB table. Create a composite key by using the location ID and timestamp columns. Use the columns to filter on the customers’ data. This way, the company can leverage the scalability, performance, and low latency of DynamoDB to store and retrieve the smart meter readings. The company can also use the composite key to query the data by location ID and timestamp efficiently. The other options either involve more expensive or less scalable services, or do not provide low-latency access to the current usage.

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.

Lambda throttling occurs when the number of concurrent executions exceeds the available concurrency. This can happen due to account-level concurrency limits, function-level reserved concurrency limits, or sudden traffic spikes.

The most operationally efficient ways to reduce throttling are to increase available concurrency:

Option C: Increasing the function’s reserved concurrency can reduce throttling when the function is being constrained by a too-low reserved concurrency value. Reserved concurrency guarantees a fixed amount of concurrency for the function (and also caps it). If the cap is currently too low, raising it allows more parallel executions and reduces throttles.

Option E: If throttling is due to the account concurrency quota being reached (or burst scaling limits in some patterns), the correct fix is to request a service quota increase. This increases the total available concurrency capacity for the account (and/or specific dimensions), allowing more simultaneous executions across functions.

Why the others are not correct:

A (migrate to EKS) is high effort and not operationally efficient for solving Lambda throttling.

B (maximum age of events) applies to asynchronous event retries/queues; it does not reduce throttling—it only changes how long events remain eligible for processing.

D is irrelevant: adding lambda:GetFunctionConcurrency to the execution role only allows reading settings and does not change throttling behavior.

Therefore, the best operational fixes are to increase reserved concurrency and request a concurrency quota increase.

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

Comprehensive and Detailed Explanation (250–300 words):

For in-place deployments , AWS CodeDeploy updates instances directly rather than using blue/green infrastructure. AWS documentation states that when automatic rollback is enabled and a deployment fails (for example, due to failed health checks or validation scripts), CodeDeploy initiates a rollback deployment .

In an in-place rollback, CodeDeploy redeploys the last known successful application revision to the affected instances. This rollback is treated as a new deployment , complete with its own deployment ID and lifecycle events. CodeDeploy does not use snapshots, Route 53 switching, or external promotion logic for in-place deployments.

Options A and B describe mechanisms that are used in other services or blue/green strategies, not in-place deployments. Option D is incorrect because CodePipeline orchestrates stages but does not perform rollback logic for CodeDeploy.

Therefore, redeploying the previous stable version as a new deployment is the correct behavior.

Comprehensive and Detailed Explanation (250–300 words):

Amazon SQS uses a visibility timeout to prevent other consumers from processing a message while it is being handled. If a Lambda function does not complete processing before the visibility timeout expires, the message becomes visible again and can be processed a second time.

AWS documentation states that the SQS visibility timeout should be greater than the maximum Lambda execution time . If not, messages may be delivered multiple times, even though processing is still in progress.

Increasing the Lambda timeout or memory does not directly affect message visibility. Increasing batch size can worsen the problem by increasing processing time.

Therefore, increasing the SQS visibility timeout is the correct and AWS-recommended solution.