Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

The correct policy condition ensures that:

The LeadingKeys condition restricts operations to the authenticated user ' s user_id.

The Attributes condition limits the updatable attributes to user_name.

Explanation of Choices:

Option A: Correctly enforces both the key restriction (dynamodb:LeadingKeys) and ensures only the user_name attribute can be updated.

Option B, C, D: Use incorrect conditions, such as referencing user_name in the LeadingKeys or including other attributes like user_id in updatable fields.

AWS CloudFormation is a service that allows developers to model and provision AWS resources using templates. A CloudFormation template can define the load test resources, such as EC2 instances, load balancers, and Auto Scaling groups. A CloudFormation stack set is a collection of stacks that can be created and managed from a single template in multiple Regions and accounts. The AWS CLI create-stack-set command can be used to create a stack set from a template and specify the Regions where the stacks should be created. Reference: Working with AWS CloudFormation stack sets

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

The response from the API call indicates that the ProvisionedThroughputExceededException exception has occurred. This exception means that the rate of incoming requests exceeds the throughput limit for one or more shards in a stream. To mitigate this exception, the developer can use one or more of the following techniques:

Implement retries with exponential backoff. This will introduce randomness in the retry intervals and avoid overwhelming the shards with retries.

Reduce the frequency and/or size of the requests. This will reduce the load on the shards and avoid throttling errors.

Increase the number of shards in the stream. This will increase the throughput capacity of the stream and accommodate higher request rates.

Use a PutRecord API instead of PutRecords. This will reduce the number of records per request and avoid exceeding the payload limit.

The solution that will meet the requirements is to add a test phase to the amplify.yml build settings for the application. This way, the developer can run end-to-end tests on every code commit and catch any bugs before deploying to production. The other options either do not support end-to-end testing, or do not run tests automatically.

To monitor memory usage in Amazon Elastic Beanstalk environments, it ' s important to understand that default Elastic Beanstalk monitoring capabilities in Amazon CloudWatch do not track memory usage, as memory metrics are not collected by default. Instead, the Amazon CloudWatch agent must be configured to collect memory usage metrics.

Why Option C is Correct:

The Amazon CloudWatch agent can be installed and configured to monitor system-level metrics such as memory and disk utilization.

To enable memory tracking, developers need to install the CloudWatch agent on the Amazon Elastic Compute Cloud (EC2) instances associated with the Elastic Beanstalk environment.

After installation, the agent can be configured to collect memory metrics, which can then be sent to CloudWatch for further analysis.

How to Implement This Solution:

Install the CloudWatch Agent:Use .ebextensions or AWS Systems Manager to install and configure the CloudWatch agent on the EC2 instances running in the Elastic Beanstalk environment.

Modify CloudWatch Agent Configuration:Create a config.json file that specifies memory usage tracking and other desired metrics.

Enable Metrics Reporting:The CloudWatch agent can push the metrics to CloudWatch, where they can be monitored.

Why Other Options are Incorrect:

Option A: Configuring the agent to push logs is not sufficient to track memory metrics. This option addresses logging but not system-level metrics like memory usage.

Option B: The .ebextensions directory is used to customize Elastic Beanstalk environments but does not directly track memory metrics without additional configuration of the CloudWatch agent.

Option D: Configuring a CloudWatch dashboard will only visualize the metrics that are already being collected. It will not enable memory usage tracking.

AWS Documentation References:

Amazon CloudWatch Agent Overview

Elastic Beanstalk Customization Using .ebextensions

Monitoring Custom Metrics

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.

API Gateway mock integration is designed for exactly this situation: generating API responses directly from API Gateway without requiring a working backend. This lets dependent teams test immediately while the real backend is still being developed. The developer can configure the integration request and integration response mapping to return specific payloads and status codes. Request validators check incoming requests but do not generate backend responses. Gateway responses customize API Gateway-generated error responses, not normal business responses for application testing. A Lambda authorizer controls access and would require a Lambda function, which adds unnecessary implementation work. AWS documentation confirms that mock integrations let API developers generate responses directly from API Gateway and unblock teams before backend development is complete. ( AWS Documentation )

===============

This solution will meet the requirements by creating a Lambda function execution role, which is an IAM role that grants permissions to a Lambda function to access AWS resources such as Amazon S3 objects. The developer can attach a policy to the role that grants access to specific objects in the S3 bucket that are required by the application, following the principle of least privilege. Option A is not optimal because it will hardcode the credentials that are required to access S3 objects in the application code, which is insecure and difficult to maintain. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will store the secret access key and access key ID as environment variables in Lambda, which is also insecure and difficult to maintain.

For this workload, the access pattern is centered on each user’s activity history over time (the company is planning a marketing campaign based on each user’s activity). In DynamoDB, the most effective way to store and query time-ordered events per entity is to use a composite primary key where the entity identifier is the partition key and a time attribute is the sort key . Therefore, using user ID as the partition key groups all events for a given user together, and using timestamp as the sort key allows efficient retrieval in chronological order and supports range queries (for example, “activities in the last 7 days” or “between two dates”).

This design also helps maximize provisioned throughput efficiency and reduce throttling risk because it distributes data across partitions based on the partition key values (user IDs). With many users, writes and reads naturally spread across multiple partition key values rather than concentrating on a small set. The sort key further enables multiple activity records per user without overwriting items and supports precise queries without scanning.

Option B (product ID as partition key) does not align with the stated marketing need (per-user activity). It would cluster all users’ actions for a popular product into the same partition key, increasing the chance of hot partitions and throttling. Option C also risks hot partitions for popular product IDs; auto scaling helps capacity management but does not fix poor key distribution or hot-key access patterns. Option D (monotonic counter as partition key) is particularly problematic: sequential keys can create uneven distribution and a throughput bottleneck pattern, and it does not support user-centric queries efficiently.

Thus, A best matches the data model (user events over time), supports efficient queries, and reduces throttling risk by distributing workload across user IDs.

The requirements call for (1) standardized templates to define serverless infrastructure, (2) the ability to test locally before deployment, and (3) integrating deployment and infrastructure changes into an existing AWS CodePipeline workflow. AWS Serverless Application Model (AWS SAM) is designed specifically for serverless applications and extends CloudFormation with serverless-specific resources (such as AWS::Serverless::Function, APIs, event sources). SAM also provides the SAM CLI , which includes local testing capabilities (for example, sam local invoke and sam local start-api) that emulate Lambda and API Gateway behavior for rapid iteration before deployment.

Option A fits all requirements: create an AWS SAM template as the infrastructure definition and add pipeline stages that execute the necessary SAM CLI commands (commonly sam build and sam deploy, and optionally test commands) as part of the CI/CD process. This makes deployments repeatable and automated, ensures infrastructure changes are deployed in lockstep with application changes, and keeps everything governed by the existing CodePipeline.

Option D uses SAM but relies on a standalone script outside the pipeline, which conflicts with the requirement to incorporate infrastructure changes into the existing pipeline. Option C (plain CloudFormation) can define infrastructure, but it does not inherently provide the same streamlined local testing workflow that SAM CLI provides for serverless event sources and APIs. Option B is unrelated: Step Functions is an orchestration service and its definition language is not a general infrastructure templating and local-testing solution for serverless deployments.

Therefore, A is the correct strategy: use AWS SAM templates and integrate SAM CLI build/deploy steps into CodePipeline to automate deployments and support local testing while managing infrastructure as code.

This solution allows the fastest response for the query because it enables the query to use a single partition key value (the Product ID) and a range of sort key values (the Product Rating) to find the matching items. A global secondary index (GSI) is an index that has a partition key and an optional sort key that are different from those on the base table. A GSI can be created at any time and can be queried or scanned independently of the base table. A local secondary index (LSI) is an index that has the same partition key as the base table, but a different sort key. An LSI can only be created when the base table is created and must be queried together with the base table partition key. Using a GSI with Product ID as the partition key and Review ID as the sort key will not allow the query to use a range of sort key values to find the highest ratings. Using an LSI with Product ID as the partition key and Product Rating as the sort key will not work because Product ID is not the partition key of the base table. Using an LSI with Review ID as the partition key and Product ID as the sort key will not allow the query to use a single partition key value to find the matching items.

The solution that will meet the requirements is to write data to Amazon ElastiCache. This way, the application can write session data to a fast, scalable, and reliable in-memory data store that can be served reliably across multiple requests. The other options either involve writing data to persistent storage, which is slower and more expensive than in-memory storage, or writing data to the root filesystem, which is not shared among multiple EC2 instances.

This solution will meet the requirements by using AWS Encryption SDK, which is a client-side encryption library that enables developers to encrypt and decrypt data using data encryption keys that are protected by AWS Key Management Service (AWS KMS). The SDK encrypts the data encryption key with a customer master key (CMK) that is managed by AWS KMS, and stores it (encrypted) as part of the returned ciphertext. The developer does not need to keep track of the data encryption keys used to encrypt data, as they are stored with the encrypted data and can be retrieved and decrypted by using AWS KMS when needed. Option A is not optimal because it will require manual tracking of the data encryption keys used for each data object, which is error-prone and inefficient. Option C is not optimal because it will store the data encryption keys automatically in Amazon S3, which is unnecessary and insecure as Amazon S3 is not designed for storing encryption keys. Option D is not optimal because it will store the data encryption key in the user data for the EC2 instance, which is also unnecessary and insecure as user data is not encrypted by default.