Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

Amazon S3 Glacier Instant Retrieval is an archive storage class that delivers the lowest-cost storage for long-lived data that is rarely accessed and requires retrieval in milliseconds. With S3 Glacier Instant Retrieval, you can save up to 68% on storage costs compared to using the S3 Standard-Infrequent Access (S3 Standard-IA) storage class, when your data is accessed once per quarter. https://aws.amazon.com/s3/storage-classes/glacier/instant-retrieval/

Understanding Storage Requirements:

Files are large and infrequently accessed, but need to be available within minutes when requested in the first year.

Long-term (7-year) retention is required.

Cost-effectiveness is a top priority.

Why S3 Glacier Instant Retrieval:

Matches the retrieval requirements (access within minutes).

More cost-effective than S3 Standard for infrequently accessed data.

Simpler to use than traditional Glacier where retrievals take hours.

Why S3 Glacier Deep Archive:

Most cost-effective S3 storage class for long term archival.

Meets the 7-year retention requirement.

S3 Lifecycle Policy:

Automate the transition from Glacier Instant Retrieval to Glacier Deep Archive after one year.

Optimize costs by matching storage classes to access patterns.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The company wants to gradually release a new feature to 15% of users to perform testing. AWS AppConfig is designed to manage and deploy configurations, including feature flags, allowing controlled rollouts.

2. Key AWS AppConfig Features:

Feature Flags: Enable or disable features dynamically without redeploying code.

Variants: Define different configurations for subsets of users.

Targeting Rules: Specify rules for which users receive a particular variant.

3. Explanation of the Options:

Option A: " Set up a custom script within the application to randomly select 15% of users. Assign a flag for the new feature to the selected users. " While possible, this approach requires significant operational effort to manage user selection and ensure randomness. It does not leverage AWS AppConfig ' s built-in capabilities, which increases overhead.

Option B: " Create separate AWS AppConfig feature flags for both groups of users. Configure the flags to target 15% of users. " Creating multiple feature flags for different user groups complicates configuration management and does not optimize the use of AWS AppConfig.

Option C: " Create an AWS AppConfig feature flag. Define a variant for the new feature, and create a rule to target 15% of users. " This is the correct solution. Using AWS AppConfig feature flags with variants and targeting rules is the most efficient approach. It minimizes operational overhead by leveraging AWS AppConfig ' s built-in targeting and rollout capabilities.

Option D: " Use AWS AppConfig to create a feature flag without variants. Implement a custom traffic splitting mechanism in the application code. " This approach requires custom implementation within the application code, increasing complexity and operational effort.

4. Implementation Steps for Option C:

Set Up AWS AppConfig:

Open the AWS Systems Manager Console.

Navigate to AppConfig.

Create a Feature Flag:

Define a new configuration for the feature flag.

Add variants (e.g., " enabled " for the new feature and " disabled " for no change).

Define a Targeting Rule:

Use percentage-based targeting to define a rule that applies the " enabled " variant to 15% of users.

Targeting rules can use attributes like user IDs or geographic locations.

Deploy the Configuration:

Deploy the configuration using a controlled rollout to ensure gradual exposure.

To determine who deleted an Amazon RDS DB instance, the correct source of truth is AWS CloudTrail, which records API activity and includes the identity (IAM user, role, assumed role session) that made the call. Deleting an RDS instance is performed through the RDS API action DeleteDBInstance, and CloudTrail logs an event for this action that contains key fields such as userIdentity, eventTime, eventName, sourceIPAddress, and request parameters identifying the DB instance (for example, dBInstanceIdentifier).

Because the DB instance was deleted within the past 90 days, CloudTrail Event History is commonly sufficient (Event History typically retains 90 days of management events). If the company has a CloudTrail trail configured to deliver logs to S3/CloudWatch Logs, those logs can also be queried for the same event.

Option A directly matches this: retrieve CloudTrail events for DeleteDBInstance related to mysql-db and inspect the userIdentity section to identify the IAM principal that performed the deletion.

Option B is not reliable because RDS log groups (when enabled) capture database engine logs (slow query log, error log, general log) and do not record control-plane actions like who deleted the instance.

Option C is incorrect because X-Ray traces application-level request flows; it does not audit administrative actions like RDS deletion.

Option D is not applicable: Systems Manager inventory does not provide authoritative records of RDS deletions or the IAM principal responsible.

Therefore, CloudTrail lookup for DeleteDBInstance events is the correct solution.

Problem: CloudFormation can ' t find the custom AMI in the target region (us-west-1) because AMIs are region-specific.

Copying AMIs:

AMIs can be copied across regions, maintaining their configuration.

This approach minimizes operational overhead as the existing CloudFormation template can be reused with a minor update.

Updating the Template:

Modify the CloudFormation template in us-west-1 to reference the newly copied AMI ' s ID in that region.

The correct answer is C because Amazon SNS subscription filter policies are the native AWS feature for ensuring that only messages with matching attributes are delivered to a specific subscription. In this scenario, the Lambda function should process only refund messages from an SNS topic that contains multiple payment activity message types. By applying a subscription filter policy to the Lambda subscription, SNS delivers only the refund-related notifications to the function.

This is the most operationally efficient solution because filtering happens before invocation of the Lambda function. That means the Lambda function is not triggered for irrelevant payment events, which reduces unnecessary invocations, lowers compute cost, and simplifies the function code. AWS documentation recommends using subscription filter policies with SNS when subscribers should receive only a subset of messages based on message attributes.

Option A is incorrect because Lambda event filtering is available for some event sources, but for SNS-to-Lambda integration , the AWS-native filtering point is the SNS subscription itself. Option B is less efficient because it still invokes the Lambda function for every message and then discards non-refund messages in code. That increases operational overhead and cost. Option D is unrelated to the requirement because batching changes invocation behavior but does not filter by message type.

Therefore, the best design is to publish all payment activity events to SNS with appropriate message attributes and configure an SNS subscription filter policy so that only refund messages invoke the Lambda function. This approach is simple, scalable, and aligns with AWS event-driven architecture best practices.

Why Option A is Correct:Creating a CloudWatch metric filter with " ERROR " as the search term ensures that occurrences of the word " ERROR " in logs are counted. An alarm can then be set to notify the SNS topic when the count exceeds 1. This is the standard approach to monitor specific patterns in CloudWatch Logs.

Why Other Options are Incorrect:

Option B: CloudWatch Logs Insights is used for querying logs manually and does not integrate directly with alarms for automated notifications.

Option C: SNS subscription filters are not a feature for filtering log patterns in CloudWatch Logs.

Option D: CloudWatch alarms do not directly include log filter patterns; a metric filter is needed to create the metric first.

AWS Documentation References:

Creating CloudWatch Metric Filters

When IAM user credentials require MFA for API access, the correct approach is to obtain temporary security credentials from AWS Security Token Service (STS) that are validated with an MFA code. AWS documentation describes using STS to issue temporary credentials that applications can use instead of long-term access keys, especially when MFA is required.

The specific STS API operation used for an IAM user to obtain temporary credentials is GetSessionToken. This call supports MFA by accepting the user’s MFA device serial number and a time-based one-time password (TOTP) code. STS then returns a set of temporary credentials: AccessKeyId, SecretAccessKey, and SessionToken, which the SDK can use to sign subsequent API requests. This is the standard method for enabling MFA-protected API access for IAM users.

Why the other options are wrong:

GetFederationToken is used to obtain temporary credentials for a federated user, often for scenarios where you want to grant access to resources for users who do not have IAM users. It’s not the typical method for IAM-user MFA enforcement for all calls.

GetCallerIdentity simply returns identity details for the current credentials; it does not generate credentials.

DecodeAuthorizationMessage is used to decode encoded authorization failure messages returned by AWS, not to authenticate.

Therefore, to access an API protected by MFA requirements for an IAM user, the developer should call GetSessionToken and then use the returned temporary credentials in the AWS SDK.

The requirement here is to ensure that Lambda functions are executed in a specific order. AWS Step Functions is a low-code workflow orchestration service that enables you to sequence AWS services, such as AWS Lambda, into workflows. It is purpose-built for situations like this, where different steps need to be executed in a strict sequence.

AWS Step Functions: Step Functions allows developers to design workflows as state machines, where each state corresponds to a particular function. In this case, the developer can create a Step Functions state machine where each step (order processing, inventory management, etc.) is represented by a Lambda function.

Operational Overhead: Step Functions have very low operational overhead because it natively handles retries, error handling, and function sequencing.

Alternatives:

Amazon SQS (Option A): While SQS can manage message ordering, it requires more manual handling of each step and the logic to sequentially invoke the Lambda functions.

Amazon SNS (Option B): SNS is a pub/sub service and is not designed to handle sequences of Lambda executions.

EventBridge (Option D): EventBridge Scheduler allows you to invoke Lambda functions based on scheduled times, but it doesn’t directly support sequencing based on workflow logic.Therefore, AWS Step Functions is the most appropriate solution due to its native orchestration capabilities and minimal operational complexity.

AWS Step Functions documentation

Why Option C is Correct:Implementing a connection pool in the Redis client reduces connection overhead and avoids frequent connection establishment, which helps to reduce latency and connection failures.

Why Other Options are Incorrect:

Option A: Exponential backoff retry strategies help with transient failures but do not resolve latency caused by frequent connection establishment.

Option B: Storing scores in application memory adds complexity and risks inconsistency.

Option D: Adding more nodes is unnecessary unless the cluster is under heavy load. Latency due to connection failures is better addressed at the application level.

AWS Documentation References:

Amazon ElastiCache Best Practices

To meet the requirement:

Users must be able to upload (PutObject) and read (GetObject) files but not delete them.

Option D ensures users cannot delete files by omitting the s3:DeleteObject action while allowing s3:GetObject and s3:PutObject.

Option A: Includes s3:DeleteObject, which allows users to delete files and does not meet the requirement.

Option B: Contains unrelated actions like CreateBucket, which is not relevant here.

Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict DeleteObject.

This solution meets the requirements with the least amount of configuration because it uses a feature of AWS CDK that allows custom logic to be executed during stack deployment or deletion. The AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you to define cloud infrastructure as code and provision it through CloudFormation. An AWS CDK custom resource is a construct that enables you to create resources that are not natively supported by CloudFormation or perform tasks that are not supported by CloudFormation during stack deployment or deletion. The developer can write a handler function in the code that uses AWS SDK calls to check for and delete unused resources, and create an AWS CDK custom resource that attaches the function code to a Lambda function and invokes it when the deployment stack runs. This way, the developer can automate the cleanup process without requiring additional configuration or integration. Creating a CloudFormation template from a JSON file will require additional configuration and integration with the central AWS CDK application. Creating an API in AWS Amplify will require additional configuration and integration with the central AWS CDK application and may not provide optimal performance or availability. Writing a handler function in the AWS Lambda console will require additional configuration and integration with the central AWS CDK application.

Option B: The target group port in the ALB must match the port specified in the ECS task definition. If there is a mismatch, the ALB health check will fail since it cannot correctly route traffic to the container.

Option E: The ALB listener must have a default action that forwards requests to the correct target group associated with the ECS service. If this configuration is missing, the health check will fail as no traffic is routed to the service.

Option A is irrelevant to resolving health check issues since capacity providers relate to provisioning compute capacity.

Option C (hosted zone) is not directly related to ALB health checks.

Option D (redirecting traffic) is not related to ECS health check configurations.