Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption . Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.

Amazon Simple Queue Service (Amazon SQS) is a fully managed queue service that allows you to de-couple and scale for applications1. Amazon SQS offers two types of queues: Standard and FIFO (First In First Out) queues1. The FIFO queue uses the messageDeduplicationId property to treat messages with the same value as duplicate2. Therefore, changing the Amazon SQS standard queue to an Amazon SQS FIFO queue using the Amazon SQS message deduplication ID can help resolve the issue of the Lambda function processing some messages multiple times. Therefore, option A is correct.

The requirement is real-time UI updates “immediately” without refreshing the dashboard. The most operationally efficient AWS-native method is to use API Gateway WebSocket APIs to push updates from the backend to the browser.

With option A, the client establishes a WebSocket connection and receives a connection ID. The application can associate uploads (or job IDs) with that connection ID (commonly storing the mapping in DynamoDB or another datastore). When the long-running validation finishes, the backend uses the WebSocket management API to post a message to the specific connection ID, and the browser updates the UI dynamically. This eliminates polling/refresh and scales well without managing servers.

Option B requires running and maintaining an EC2-hosted WebSocket server (patching, scaling, uptime), which is more operational overhead.

Option C uses email, which is not immediate UI updating and doesn’t update the dashboard without user action.

Option D is not appropriate: SNS does not directly push notifications to a web browser in a standard way, and it adds unnecessary complexity.

Therefore, using API Gateway WebSocket to push validation results to connected clients is the most operationally efficient solution.

API Gateway Mocking: This feature is built for decoupling development dependencies. Here ' s the process:

Create resources and methods in your API Gateway.

Set the integration type to ' MOCK ' .

Define Integration Responses, mapping HTTP status codes to desired mocked responses (JSON, etc.).

Deployment and Use:

Create a deployment stage for the API.

Frontend teams can call this API and get the mocked responses without a real backend.

Storing secrets in environment variables encrypted with AWS KMS is a standard secure practice for Lambda. By using a Customer Managed Key (CMK), you can audit every decryption request via CloudTrail. This ensures the keys are never in plaintext in the management console or code. Options B and C are highly insecure as they expose keys in URLs or client-side code. Tags (Option D) are not meant for sensitive secrets and are not encrypted.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

When you need to provide an AWS Lambda function access to private resources in a VPC, the most common and straightforward approach is to attach the Lambda function to a VPC via private subnets. Once the Lambda function is associated with the VPC, you need to configure appropriate security groups to control the access to the private resources.

Lambda with VPC Access: Lambda functions can be attached to private subnets in a VPC, allowing them to access resources like RDS, EC2, or internal services within that VPC.

Security Groups: A security group acts as a virtual firewall for the Lambda function, ensuring that it can access only the necessary resources and ports in the VPC.

Alternatives:

Option B involves routing traffic through a VPN, which adds unnecessary complexity and operational overhead compared to simply attaching the Lambda to the VPC.

Option C requires configuring a VPC endpoint and a NAT gateway, which can be complex and costly.

Option D refers to AWS PrivateLink, which is used to access services over private connections, but it ' s unnecessary in this scenario unless you need a cross-VPC connection.

Lambda functions in a VPC

Comprehensive and Detailed Explanation (250–300 words) From Exact Extract of AWS Developer Documents:

AWS Secrets Manager is designed to securely store, rotate, and manage sensitive information such as API keys, database credentials, and tokens. A core feature of Secrets Manager is secret versioning , which enables recovery from failed or partial rotation events. Each secret version is associated with staging labels , most notably AWSCURRENT and AWSPREVIOUS .

According to AWS documentation, during a successful rotation, Secrets Manager creates a new secret version and assigns it the AWSCURRENT label, while the previous version is retained with the AWSPREVIOUS label. Applications that retrieve secrets typically reference the secret using the AWSCURRENT label. If a rotation fails after updating the secret value but before synchronizing the change with the external system, authentication failures can occur.

AWS explicitly states that in such scenarios, customers can restore service quickly by moving the AWSCURRENT label back to the previous version . This rollback capability allows applications to immediately resume using the last known valid credentials without modifying application code, redeploying resources, or interacting with external systems.

This approach represents the least operational overhead because it is a metadata-only operation within Secrets Manager. No new secrets are created, no Lambda functions are invoked, and no manual updates are required in the external REST services. Additionally, AWS recommends postponing troubleshooting until service availability is restored, which aligns precisely with the requirement in this scenario.

Other options introduce unnecessary complexity, increased risk of human error, and longer recovery times. Therefore, rolling back to the last working secret version is the fastest, safest, and AWS-recommended solution.

AWS Secrets Manager is purpose-built for storing, retrieving, and rotating secrets such as database credentials. For supported databases, Secrets Manager can rotate credentials automatically and update both the stored secret and the database credentials. That directly addresses the risk: credentials are stored securely, access is controlled by IAM, and rotation is automated. Systems Manager Parameter Store can securely store parameters, but it does not provide the same managed database credential rotation workflow. Rotating a KMS key is not the same as rotating database credentials; it only changes encryption key material behavior, not the database password. S3 is not the right service for active secrets management. AWS documentation recommends moving hardcoded database credentials to Secrets Manager and rotating them. ( AWS Documentation )

===============

Step-by-Step Breakdown:

Requirement Summary:

Use AWS SAM to deploy:

1 Lambda Function

1 S3 Bucket

Lambda needs read-only access to the S3 bucket

Solution must be expressed via AWS SAM template

Option A: Reference a second Lambda authorizer function

Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.

Option B: Add a custom S3 bucket policy to the Lambda function

Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.

The permission must be granted to the Lambda’s IAM execution role.

Option C: Create an Amazon SQS topic for only S3 object reads

Incorrect: SQS cannot read objects from S3 and is not relevant to this scenario.

Option D: Add the S3ReadPolicy template to the Lambda function ' s execution role

Correct: AWS SAM provides managed policy templates like AmazonS3ReadOnlyAccess and shortcuts like S3ReadPolicy.

You can apply these to the Lambda’s execution role using the Policies: section in your SAM template.

Example SAM YAML:

yaml

CopyEdit

Resources:

MyFunction:

Type: AWS::Serverless::Function

Properties:

CodeUri: my-code/

Handler: app.handler

Runtime: python3.11

Policies:

- S3ReadPolicy:

BucketName: !Ref MyBucket

MyBucket:

Type: AWS::S3::Bucket

Properties:

BucketName: my-personal-bucket-name

SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy

AWS Lambda automatically integrates with Amazon CloudWatch Logs, but logging only works if the function’s execution role has the correct IAM permissions . AWS documentation states that Lambda functions require permissions for logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents to successfully publish log entries.

In this scenario, CloudWatch metrics show errors, which confirms that the function is executing. The absence of logs despite logging statements in the code strongly indicates a missing IAM permission issue , not a runtime or tracing issue.

CloudWatch Lambda Insights (Option B) provides performance metrics but does not enable basic logging. AWS X-Ray (Option C) provides distributed tracing but does not replace CloudWatch Logs. Option D is invalid because CloudWatch does not assume roles to collect logs.

AWS documentation explicitly identifies missing log permissions as the most common cause of absent Lambda logs. Therefore, granting the Lambda execution role the appropriate CloudWatch Logs permissions resolves the issue.

Why Option B is Correct:Setting the visibility timeout ensures that once a message is being processed, it is temporarily hidden from other consumers. The Lambda function must delete processed messages to avoid re-processing when the visibility timeout expires.

Why Other Options are Incorrect:

Option A: Message retention affects how long messages stay in the queue, not how they are processed.

Option C: Receive message wait time optimizes long polling but does not prevent re-processing.

Option D: Delivery delay introduces latency for new messages and does not address message re-processing.

AWS Documentation References:

Using SQS Visibility Timeout

https://aws.amazon.com/blogs/devops/automated-code-review-on-pull-requests-using-aws-codecommit-and-aws-codebuild/

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.

S3 Glacier Instant Retrieval is designed for long-lived data that is rarely accessed but requires millisecond retrieval when needed (meeting the " instant access " requirement for the first 90 days). After 90 days, moving to S3 Glacier Flexible Retrieval (formerly Standard) is more cost-effective because it has lower storage costs, though it has retrieval times of minutes to hours (meeting the " more than 10 minutes " requirement).