Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

Requirement Summary:

Developer usesAWS IAM Identity Center (SSO)withAWS CLI / SDKs

Initially working fine

Now receiving AccessDenied errors

No changes to config or scripts

Key Understanding:

IAM Identity Center credentials aretemporary and time-limited. When you use SSO-based access via the AWS CLI (aws sso login), it obtainstemporary credentialsstored in the local cache.

By default,these expire in 1 hour(can be extended).

Evaluate Options:

A. Permissions to CLI binary changed

❌Unlikely – this would produce execution errors, not AccessDenied from AWS API

B. Permission set lacks required permissions

❌Then the error would have occurred from the beginning, not after time

✅C. IAM Identity Center credentials expired

✅Most likely– user hasn't refreshed credentials using aws sso login again

After expiration, API calls fail with AccessDenied

D. Developer is calling the wrong AWS account

❌Would likely show different types of errors (AccountNotFound, etc.)

SSO and AWS CLI:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Troubleshooting SSO CLI:https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. TheTraffic-splittingdeployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn't provide traffic splitting during the evaluation phase.

Why Option D is Correct:When using a container-based AWS Lambda function, you are responsible for updating the base image for runtime patches. Rebuilding the container with the latest Node.js patch version ensures the function is updated with the required security patches. Publishing a new version of the Lambda function makes the updated image available for use.

Why Other Options are Incorrect:

Option A:The runtime update mode applies to functions using AWS-managed runtimes, not container-based runtimes.

Option B:Redeploying the same version of the Lambda function does not apply the security patch.

Option C:Rebuilding with the AWS OS base image does not guarantee that the latest Node.js patch version is included.

AWS Documentation References:

Lambda Function Container Images

Node.js Updates in AWS Lambda

Comprehensive and Detailed Step-by-Step Explanation:

Option C: Edge-Optimized API Gateway with Custom Domain Name:

Edge-Optimized API Gateway:This endpoint type automatically leverages the Amazon CloudFront global distribution network, minimizing latency for API users distributed globally.

Custom Domain Name:API Gateway supports custom domain names for APIs. Importing the TLS certificate into AWS Certificate Manager (ACM) and associating it with the custom domain name ensures secure connections.

Disabling the Default Endpoint:Prevents direct access via the default API Gateway URL, enforcing the use of the custom domain name.

Why Other Options Are Incorrect:

Option A:While CloudFront can distribute API requests globally, API Gateway with edge-optimized endpoints already provides this functionality natively without requiring Lambda@Edge.

Option B:Private endpoint types are used for internal access via VPC, which does not meet the global distribution and low-latency requirement.

Option D:CloudFront Functions are not needed because API Gateway’s edge-optimized endpoints handle global distribution efficiently.

This solution meets the requirements in the most secure way because it uses a service that is integrated with CloudFormation to manage sensitive data in encrypted form.AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store sensitive data as secure string parameters, which are encrypted using an AWS Key Management Service (AWS KMS) key of your choice. You can also use dynamic references in your CloudFormation templates to specify template values that are stored in Parameter Store or Secrets Manager without having to include them in your templates. Dynamic references are resolved only during stack creation or update operations, which reduces exposure risks for sensitive data. Putting sensitive data into a CloudFormation parameter will not encrypt them or protect them from unauthorized access. Putting sensitive data into an Amazon S3 bucket or Amazon Elastic File System (Amazon EFS) will require additional configuration and integration with CloudFormation and may not provide fine-grained access control or encryption for sensitive data.

The solution that will meet the requirements with the most operational efficiency is to create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings. This way, the container image is analyzed earlier in the CI/CD pipeline and any vulnerabilities are detected and reported before deploying to the EKS cluster. The other options either delay the analysis until after deployment, which increases the risk of exposing insecure images, or perform analysis on the source code instead of the container image, which may not capture all the dependencies and configurations that affect the security posture of the image.

Amazon EC2 instances can send the state-change notification events to Amazon EventBridge. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html Amazon EventBridge can send and receive events between event buses in AWS accounts. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html

The UnprocessedKeys element indicates that the BatchGetItem operation did not process all of the requested items in the current response. This can happen if the response size limit is exceeded or if the table’s provisioned throughput is exceeded. To handle this situation, the developer should retry the batch operation with exponential backoff and randomized delay to avoid throttling errors and reduce the load on the table. The developer should also use an AWS SDK to make the requests, as the SDKs automatically retry requests that return UnprocessedKeys.

CodeDeploy Predefined Configurations: CodeDeploy offers built-in deployment configurations for common scenarios.

Canary Deployment: Canary deployments gradually shift traffic to a new version, ideal for controlled rollouts like this requirement.

CodeDeployDefault.ECSCanary10Percent15Minutes: This configuration matches the company's requirements, shifting 10% of traffic initially and then completing the rollout after 15 minutes.