Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

Step 1: Problem Understanding

Asymmetric Encryption Requirement:Users encrypt data with apublic key, and only the company can decrypt it using aprivate key.

Data Encryption at Rest and In Transit:The data must be encrypted during upload (in transit) and when stored in Amazon S3 (at rest).

Step 2: Solution Analysis

Option A:Server-side encryption with Amazon S3 managed keys (SSE-S3).

Amazon S3 manages the encryption and decryption keys.

This does not meet the requirement for asymmetric encryption, where the company uses a private key.

Not suitable.

Option B:Server-side encryption with customer-provided keys (SSE-C).

Requires the user to supply encryption keys during the upload process.

Does not align with the asymmetric encryption requirement.

Not suitable.

Option C:Client-side encryption with a data key.

Data key encryption is symmetric, not asymmetric.

Does not satisfy the requirement for a public-private key pair.

Not suitable.

Option D:Client-side encryption with a customer-managed encryption key.

Data is encrypted on the client side using thepublic key.

Only the company can decrypt the data using the correspondingprivate key.

Data remains encrypted during upload (in transit) and in S3 (at rest).

Correct option.

Step 3: Implementation Steps for Option D

Generate Key Pair:

The company generates an RSA key pair (public/private) for encryption and decryption.

Encrypt Data on Client Side:

Use the public key to encrypt the data before uploading to S3.

S3 Upload:

Upload the encrypted data to S3 over an HTTPS connection.

Decrypt Data on the Server:

Use the private key to decrypt data when needed.

AWS Developer References:

Amazon S3 Encryption Options

Asymmetric Key Cryptography in AWS

The solution that will meet the requirements is to write data to Amazon ElastiCache. This way, the application can write session data to a fast, scalable, and reliable in-memory data store that can be served reliably across multiple requests. The other options either involve writing data to persistent storage, which is slower and more expensive than in-memory storage, or writing data to the root filesystem, which is not shared among multiple EC2 instances.

Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.

Why Option C is Correct:

Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.

Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.

Low Overhead: This approach requires only minimal changes to the function's configuration.

Why Not Other Options:

Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.

Option B: Scheduling the function does not address the root cause of slow performance.

Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.

Visibility Timeout:When an SQS message is processed by a consumer (here, the Lambda function), it's temporarily hidden from other consumers. Visibility timeout controls this duration.

How It Helps:

Increase the visibility timeout beyond the maximum processing time your Lambda might typically take for long videos.

This prevents the message from reappearing in the queue while Lambda is still working, avoiding premature timeouts.

Why Option B is Correct:Amazon ECS does not natively process docker-compose.yml files. Instead, the configurations from docker-compose.yml must be converted into ECS-compatible configurations within a task definition. Task definitions are the primary way to specify container configurations in ECS, including service dependencies like databases, caches, and volumes.

Steps to Resolve the Error:

Extract the configurations from the docker-compose.yml file.

Map the dependencies and settings to the appropriate ECS task definition fields.

Deploy the task definition to the ECS cluster.

Why Other Options are Incorrect:

Option A:Docker labels do not directly impact ECS task execution or integrate with ECS service configurations.

Option C:ECS namespaces do not exist as a feature.

Option D:Changing the service type to REPLICA does not resolve the issue of missing service dependency configurations.

AWS Documentation References:

Amazon ECS Task Definitions

Migrating Docker Compose Workloads to ECS

Why Option A is Correct:

The ArnLike condition with the specific ARN for myStateMachine ensures that only this state machine can assume the role. The format urn:aws:states is correct for specifying Step Functions resources.

Why Other Options are Incorrect:

Option B:Wildcards (*) in the ARN allow more resources to assume the role, which violates the requirement.

Option C:This condition restricts the account but not the specific state machine.

Option D:A StringNotEquals condition is used to deny specific values, which does not ensure exclusivity for the desired state machine.

AWS Documentation References:

IAM Trust Policies for Step Functions

The Secrets Manager Agent provides an out-of-the-box solution for securely caching secrets locally, reducing latency and operational overhead.

Why Option B is Correct:

Caching: The agent securely caches secrets locally, minimizing Secrets Manager API calls.

Security: Secrets remain secure during retrieval and storage.

Low Operational Overhead: Managed solution eliminates the need for custom logic.

Why Not Other Options:

Option A: Custom scripts introduce complexity and require ongoing maintenance.

Option C: Using Redis requires managing an additional service, increasing overhead.

Option D: Storing secrets in S3 lacks the fine-grained security controls of Secrets Manager.

Requirement Summary:

WebSocket-based messaging app usingAPI Gateway WebSocket APIs

Need to:

Identify clients repeatedlyconnecting/disconnecting

Be able toremoveproblematic clients

Evaluate Options:

A. Switch to HTTP APIs

❌HTTP APIs don’t supportWebSocketconnections

B. Switch to REST APIs

❌REST APIs arenot compatiblewith WebSockets

✅C. Use the callback URL to disconnect clients

⚠️Possible, butnot a direct option

Callback URLs are used forsending messages to connected clients, not for disconnecting

✅D. Track client status in ElastiCache

✅Good solution: Store and update connection state (connected, disconnected, timestamps)

Helpstrack abuse or reconnections

✅E. Implement $connect and $disconnect routes

✅Required to captureconnection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway:https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-selection.html

Managing WebSocket connections:https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html