Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

For API Gateway REST APIs, configuration changes (new resources/methods) do not automatically become callable from a stage until a new API Gateway Deployment is created and associated with the stage. In CloudFormation, an AWS::ApiGateway::Deployment resource is immutable and effectively represents a snapshot of the API configuration at a point in time. If the Deployment resource does not change (for example, its logical ID or a property that forces replacement), CloudFormation may not create a new deployment even though the stack update succeeds—resulting in the stage still pointing to the old deployment. The symptom is exactly what’s described: new methods return 404 because they are not part of the deployed snapshot.

A common operational fix is to create a new deployment explicitly during CI/CD. Option C does this by running aws apigateway create-deployment, which creates a fresh deployment that includes the new resources/methods and makes them available on the stage.

Option D is unrelated (CloudFront invalidation).

Options A and B do not affect API Gateway deployment snapshots.

💡 In pure CloudFormation, another common pattern is to force a new deployment by changing the Deployment logical ID or embedding a timestamp/hash in the deployment description. But among the options given, running create-deployment is the direct fix.

Therefore, add a pipeline step to run aws apigateway create-deployment.

The correct answer is C because reserved concurrency guarantees that a specific AWS Lambda function has access to a defined number of concurrent executions. In this scenario, the function normally runs correctly but occasionally receives a surge of up to 500 S3 object-created events per minute . Since each invocation runs for about 30 seconds , the function may need substantial concurrency during those bursts. Configuring reserved concurrency ensures that this function has dedicated execution capacity available during peak periods and is not affected by concurrency consumption from other functions in the account.

AWS documentation explains that reserved concurrency both sets the maximum concurrency for a function and reserves that capacity exclusively for the function. This is especially helpful when one function must continue operating reliably under burst traffic. Even though other functions are currently running as expected, reserved concurrency is the direct AWS mechanism to protect the processing function from account-level concurrency contention during spikes.

Option A is incorrect because the function already completes in about 30 seconds; changing timeout does not solve high-volume invocation scaling. Option B is not the best answer because adding a Lambda layer does not guarantee improved throughput or concurrency handling. Option D is incorrect because decreasing memory usually reduces available CPU and can make performance worse, which would increase the chance of delays or failures.

Therefore, the most effective approach is to configure reserved concurrency for the processing function so it can continue to run reliably during high-volume object upload periods.

For in-place deployments, AWS CodeDeploy uses a set of predefined hooks that run in a specific order during each deployment lifecycle event. The hooks are ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart, and ValidateService. The run order of the hooks for in-place deployments is as follows:

ApplicationStop: This hook runs first on all instances and stops the current application that is running on the instances.

BeforeInstall: This hook runs after ApplicationStop on all instances and performs any tasks required before installing the new application revision.

AfterInstall: This hook runs after BeforeInstall on all instances and performs any tasks required after installing the new application revision.

ApplicationStart: This hook runs after AfterInstall on all instances and starts the new application that has been installed on the instances.

ValidateService: This hook runs last on all instances and verifies that the new application is running properly on the instances.

Why Option D is Correct:When using a container-based AWS Lambda function, you are responsible for updating the base image for runtime patches. Rebuilding the container with the latest Node.js patch version ensures the function is updated with the required security patches. Publishing a new version of the Lambda function makes the updated image available for use.

Why Other Options are Incorrect:

Option A: The runtime update mode applies to functions using AWS-managed runtimes, not container-based runtimes.

Option B: Redeploying the same version of the Lambda function does not apply the security patch.

Option C: Rebuilding with the AWS OS base image does not guarantee that the latest Node.js patch version is included.

AWS Documentation References:

Lambda Function Container Images

Node.js Updates in AWS Lambda

The requirement is to run a single analysis job once per day at a specific time , after branch offices have uploaded their daily reports. The most cost-effective and straightforward way to trigger a Lambda function on a fixed schedule is to use Amazon EventBridge scheduled rules (cron or rate expressions). With a scheduled rule, EventBridge invokes the Lambda function at the exact predefined time each day without requiring any continuously running resources, polling logic, or additional orchestration unless it is needed.

Option D fits perfectly: an EventBridge schedule is purpose-built for time-based triggers, and you pay only for the invocations and any EventBridge rule evaluations according to AWS pricing, with minimal operational overhead. The Lambda function will run exactly once each day and can then read all relevant objects from the S3 bucket and process them in a single pass as designed.

Option A (S3 event notifications) triggers the Lambda function per upload , which is not aligned with “single pass once per day.” It could cause multiple invocations and additional cost and complexity (coordination, waiting for all branches, handling partial arrival). Option B (Step Functions) can schedule via EventBridge as well, but Step Functions introduces additional state machine costs and is unnecessary if the requirement is simply a scheduled single Lambda invocation. Option C is the least cost-effective: running continuously to “wait” until a time wastes compute time and increases cost, and it is not an event-driven design.

Therefore, D is the most cost-effective solution: use an EventBridge scheduled rule to invoke the Lambda function once daily at the predefined time.

Why Option A is Correct:

The ArnLike condition with the specific ARN for myStateMachine ensures that only this state machine can assume the role. The format urn:aws:states is correct for specifying Step Functions resources.

Why Other Options are Incorrect:

Option B: Wildcards (*) in the ARN allow more resources to assume the role, which violates the requirement.

Option C: This condition restricts the account but not the specific state machine.

Option D: A StringNotEquals condition is used to deny specific values, which does not ensure exclusivity for the desired state machine.

AWS Documentation References:

IAM Trust Policies for Step Functions

CloudFront is a content delivery network that caches objects at edge locations to reduce latency and origin load. When the developer updates static artifacts in the origin S3 bucket, CloudFront may continue serving cached versions until the objects expire based on cache-control headers or the distribution’s TTL settings. That is why the developer sees the updated files in S3 but not on the site.

The standard fix is to perform a CloudFront cache invalidation for the updated object paths (for example, /app.js, /styles.css, or /* if needed). An invalidation forces CloudFront edge locations to remove the cached objects so the next viewer request fetches the latest version from the S3 origin.

Option C directly addresses this behavior and is the correct operational practice when cache TTLs would otherwise delay updates.

Option A (Object Lock) is for WORM retention/compliance and has nothing to do with CloudFront cache refresh.

Option B might change what exists in S3 but does not guarantee CloudFront will stop serving cached content; the cache can still serve objects even if deleted from the origin (until it revalidates/refreshes).

Option D is unnecessary; the origin does not need to change to fetch updated content.

Therefore, invalidate the CloudFront cache after deployment to ensure the new artifacts are served.

This solution allows the developer to troubleshoot the failure by capturing unprocessed events in a queue for further analysis. Dead Letter Queues (DLQs) are queues that store messages that could not be processed by a service, such as Lambda, for various reasons, such as configuration errors, throttling limits, or permissions issues. The developer can configure DLQs for Lambda functions by sending events to either an Amazon Simple Queue Service (SQS) queue or an Amazon Simple Notification Service (SNS) topic. The developer can then inspect the messages in the queue or topic to identify and fix the root cause of the failure. Configuring AWS CloudTrail logging will not capture invocation failures for asynchronous Lambda invocations, but only record API calls made by or on behalf of Lambda. Configuring Amazon Simple Workflow Service (SWF) or AWS Config will not process any direct unprocessed events, but require additional integration and configuration.

The correct answer is A because AWS CodeBuild natively integrates with AWS Secrets Manager for securely injecting secrets into build environments. In the env section of buildspec.yml , CodeBuild supports a secrets-manager mapping that references a secret directly. This approach keeps the secret encrypted at rest in Secrets Manager, makes it available to the build only when needed, and minimizes custom retrieval logic and operational complexity.

This solution also aligns with the requirement that the secret must not appear in the build logs. AWS CodeBuild is designed to handle environment variables sourced from supported secret stores in a way that avoids exposing plaintext secret values during normal build output. By granting the minimum necessary IAM permissions to the CodeBuild service role, access to the secret is tightly controlled according to least-privilege principles.

Option B is not the best answer because storing secrets in S3 and downloading them during the build adds unnecessary operational overhead and increases the chance of accidental exposure. NoEcho is associated with CloudFormation parameters, not with securely masking S3-downloaded secrets in CodeBuild logs. Option C can also work because Parameter Store integrates with CodeBuild, but for secrets specifically, Secrets Manager is the more direct AWS-managed secret storage service and is generally preferred for this use case. Option D is less efficient because custom CLI retrieval in pre-build steps adds more code and more operational work than native integration.

Therefore, the solution with the least operational overhead and strong security is to use Secrets Manager with the buildspec.yml secrets-manager mapping , making A the correct answer.

This solution allows the developer to keep the dependencies of the Lambda functions up to date with the least additional complexity because it eliminates the need to update each function individually. A Lambda layer is a ZIP archive that contains libraries, custom runtimes, or other dependencies. The developer can create a layer that contains all of the shared dependencies and attach it to multiple Lambda functions. When the developer updates the layer, all of the functions that use the layer will have access to the latest version of the dependencies.

The application relies on shared file storage that behaves like NFS and must be accessible concurrently by multiple containers across Kubernetes nodes. AWS documentation clearly identifies Amazon EFS as the AWS-native, fully managed, NFS-compatible file system designed for this purpose.

Amazon EFS provides elastic scaling , high availability across multiple Availability Zones, and native integration with container orchestration platforms. It is the most direct replacement for on-premises NFS, requiring minimal architectural change.

To run Kubernetes workloads on AWS with high availability, AWS recommends Amazon EKS , a managed Kubernetes service that automatically handles control plane availability and upgrades. EKS integrates natively with EFS using the Amazon EFS CSI driver, allowing pods across multiple nodes to mount the same file system concurrently.

Amazon EBS (Options A, C, and D) is block storage that can be attached to only one EC2 instance at a time (except in limited Multi-Attach scenarios) and is therefore unsuitable for shared NFS-style access across a Kubernetes cluster.

Uploading container images to Amazon ECR ensures secure, scalable storage for container images and seamless integration with EKS.

Therefore, migrating the NFS data to Amazon EFS and running the workloads on Amazon EKS is the fastest, most scalable, and AWS-recommended solution.

Problem: Directory access without file names fails.

S3 Static Website Hosting:

Configuring S3 as a static website enables automatic serving of index.html for directory requests.

Bucket policies ensure correct access permissions.

Updating the CloudFront origin simplifies routing.

Avoiding Public Exposure: The S3 website endpoint allows CloudFront to access content without making the bucket public.

The key constraint is no changes to the Lambda code, while still fanning out notifications so that each department receives only its relevant file locations in its existing SQS queue. The cleanest “plumbing-only” pattern is S3 → SNS → SQS with SNS subscription filter policies.

Amazon S3 event notifications can publish events to an SNS topic. SNS then delivers messages to multiple subscribers, including SQS queues. By subscribing each department’s SQS queue to the SNS topic, the system can fan out the event to all queues. To ensure each department receives only its relevant events, the developer can configure SNS subscription filter policies (for example, based on object key prefixes like /deptA/, /deptB/). This routes messages without requiring any change to the Lambda function.

Option D is not ideal because S3 event notifications do not provide the same flexible filtering/routing to multiple SQS queues as SNS filter policies do (and configuring many direct notifications becomes harder to manage).

Options B and C require Lambda code changes, which violates the requirement.

Therefore, use S3 event notifications to SNS, subscribe each department SQS queue, and use filter policies for routing.