Amazon Web Services DVA-C02 - AWS Certified Developer - Associate

AWS Lambda SnapStart is designed specifically to reduce cold start latency for Java and .NET runtimes. SnapStart works by initializing the function once, taking a snapshot of the execution environment, and then reusing that snapshot for future cold starts. This dramatically reduces startup time, often from several seconds to milliseconds.

SnapStart requires the function to be published as a version , and an alias must reference that version. AWS documentation clearly states that SnapStart is the recommended solution for latency-sensitive Lambda workloads with infrequent invocations.

Reserved concurrency (Option B) limits scaling but does not eliminate cold starts. Lambda layers (Option C) improve code organization but have minimal impact on cold start latency. Adding the function to a VPC (Option D) typically increases cold start time due to network interface initialization.

Therefore, enabling SnapStart on a published .NET Lambda function is the correct and AWS-endorsed solution.

Step Functions Retriers: Retriers provide a built-in way to gracefully handle transient errors within State Machines. Here ' s how to use them:

Directly attach a retrier to the problematic ' GetResource ' task.

Configure the retrier:

ErrorEquals: Set this to [ ' TooManyRequestsException ' ] to target the specific error.

IntervalSeconds: Set to 10 for the desired retry delay.

MaxAttempts: Set to 1, as you want only one retry attempt.

Error Handling:

Upon ' TooManyRequestsException ' , the retrier triggers the task again after 10 seconds.

On a second failure, Step Functions moves to the next state or fails the workflow, as per your design.

' IllegalArgumentException ' causes error propagation as intended.

DynamoDB distributes throughput across partitions based on the hash key. A hot partition (caused by high usage of a specific hash key) can result in a ProvisionedThroughputExceededException, even if overall usage is below the provisioned capacity.

Why Option B is Correct:

Partition-Level Limits: Each partition has a limit of 3,000 read capacity units or 1,000 write capacity units per second.

Hot Partition: Excessive use of a single hash key can overwhelm its partition.

Why Not Other Options:

Option A: DynamoDB storage size does not affect throughput.

Option C: Provisioned scaling operations are unrelated to throughput errors.

Option D: Sort keys do not impact partition-level throughput.

DynamoDB Partition Key Design Best Practices

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.

Why Option B is Correct:RDS Proxy manages database connections efficiently, reducing overhead on the RDS instance and mitigating " too many connections " errors.

Why Other Options are Incorrect:

Option A: DAX is for DynamoDB, not RDS.

Option C: Migration to PostgreSQL does not address the current issue.

Option D: ElastiCache is useful for caching but does not solve connection pool issues.

AWS Documentation References:

Amazon RDS Proxy

Why Option A is Correct:Auto-scaling with a target utilization ensures the DynamoDB table dynamically adjusts capacity based on workload, maintaining high performance while optimizing cost. Setting a reasonable target utilization minimizes overprovisioning and throttling risks.

Why Other Options are Incorrect:

Option B: On-demand capacity is costlier than provisioned throughput for predictable workloads.

Option C: Using manual CloudWatch alarms and Lambda for scaling is less efficient and adds operational overhead.

Option D: DAX accelerates read performance but does not improve write performance.

AWS Documentation References:

DynamoDB Auto Scaling

AWS Secrets Manager is purpose-built for securely storing and managing sensitive information such as API keys, tokens, and credentials. It provides automatic secret rotation , fine-grained IAM access control, encryption at rest using AWS KMS, and audit logging through AWS CloudTrail. This makes it the most secure and scalable option for managing short-lived authentication keys.

AWS Lambda extensions enable efficient secret retrieval by caching secrets locally within the execution environment. This reduces repeated calls to Secrets Manager on every invocation, improving performance and lowering costs while maintaining up-to-date credentials. AWS documentation explicitly recommends using Lambda extensions or caching logic for secrets that are frequently accessed.

Storing secrets in S3 (Option B) or environment variables (Option C) lacks built-in rotation and increases exposure risk. Parameter Store (Option D) supports encryption but does not provide native rotation for secrets without custom automation, making it less suitable for this use case.

Therefore, Secrets Manager with Lambda extensions provides the most secure, automated, and operationally efficient solution.

The correct answers are D and E .

The requirement states that the company does not want to manage the underlying hosts . That means the containerized application should run on AWS Fargate , which is the serverless compute engine for Amazon ECS. With Fargate, AWS manages the underlying infrastructure, so the company does not need to provision, patch, or scale EC2 instances. To run a task on Fargate, the task definition must specify FARGATE in the requiresCompatibilities field. That is why D is correct.

The developer also needs to monitor CPU and memory utilization in the Amazon CloudWatch console . For ECS tasks on Fargate, the task definition must specify valid CPU and memory values. These values define the task’s resource allocation and enable ECS and CloudWatch to report utilization metrics against those configured resources. Therefore, E is also required.

Option A applies to ECS on EC2, where the company would manage cluster instances, which violates the requirement. Option B is unnecessary because ECS and CloudWatch already provide the needed service metrics without requiring a custom script. Option C is incorrect because the task does not need cloudwatch:GetMetricData permission merely for CloudWatch to display CPU and memory utilization metrics.

This design follows AWS best practices for running containers without host management while still gaining built-in observability. By selecting Fargate and defining the CPU and memory values in the task definition, the application can run serverlessly on ECS and expose the required utilization metrics in CloudWatch.

Therefore, the correct combination is D and E .

This solution meets the requirements most cost-effectively because it optimizes the photos on demand and caches them for future requests. Lambda@Edge allows the developer to run Lambda functions at AWS locations closer to viewers, which can reduce latency and improve photo quality. The developer can create a Lambda@Edge function that uses the GET parameters from each request to optimize the photos with the required dimensions and resolutions and returns them as a response. The function can also store a copy of the processed photos on Amazon S3 for subsequent requests, which can reduce processing time and costs. Using S3 Batch Operations to create new variants of the photos will incur additional storage costs and may not cover all possible dimensions and resolutions. Creating a dynamic CloudFront origin or a Lambda@Edge function to route requests to corresponding photo variants will require maintaining a mapping of device types and photo variants, which can be complex and error-prone.

The solution that will meet the requirements is to use the AWS SDK ssm PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString. This way, the developer can store the API credentials with minimal operational overhead, as AWS Systems Manager Parameter Store provides secure and scalable storage for configuration data. The SecureString parameter type encrypts the parameter value with AWS Key Management Service (AWS KMS). The other options either involve adding additional resources to the CloudFormation template, which increases complexity and cost, or do not encrypt the parameter value, which reduces security.

These solutions will mitigate the error most cost-effectively because they do not require increasing the provisioned throughput of the DynamoDB table or creating additional resources. Exponential backoff is a retry strategy that increases the waiting time between retries to reduce the number of requests sent to DynamoDB. The AWS SDKs for DynamoDB implement exponential backoff by default and also provide other features such as automatic pagination and encryption. Increasing the read and write throughput of the DynamoDB table, creating a DynamoDB Accelerator (DAX) cluster, or creating a second DynamoDB table will incur additional costs and complexity.

This solution allows the Lambda function to be invoked by the DynamoDB stream whenever updates are made to items in the DynamoDB table. Event source mapping is a feature of Lambda that enables a function to be triggered by an event source, such as a DynamoDB stream, an Amazon Kinesis stream, or an Amazon Simple Queue Service (SQS) queue. The developer can configure event source mapping for the Lambda function using the AWS Management Console, the AWS CLI, or the AWS SDKs. Changing the StreamViewType parameter value to NEW_AND_OLD_IMAGES for the DynamoDB table will not affect the invocation of the Lambda function, but only change the information that is written to the stream record. Mapping an Amazon Simple Notification Service (Amazon SNS) topic to the DynamoDB stream will not invoke the Lambda function directly, but require an additional subscription from the Lambda function to the SNS topic. Increasing the maximum runtime (timeout) setting of the Lambda function will not affect the invocation of the Lambda function, but only change how long the function can run before it is terminated.

Because the developer cannot change the legacy application code, the solution must apply controls at the logging layer . CloudWatch Logs provides data protection policies that can automatically detect sensitive data using managed data identifiers (including credit card data) and apply masking (de-identification) as log events are ingested. This ensures that sensitive values such as card numbers and verification codes are not displayed in plaintext to general viewers of the log group.

With option A, enabling a data protection policy on the log group and configuring it to mask the relevant credit card data ensures that when support staff query or view logs, the sensitive fields appear redacted. CloudWatch Logs also supports controlled access to view the original unmasked values through an explicit permission: users who have the appropriate IAM authorization (such as logs:Unmask) can retrieve or view the sensitive data, while everyone else sees only the masked version. Granting logs:Unmask to application administrators satisfies the requirement that administrators can access the sensitive data, while withholding it from support staff enforces the restriction.

Option B (KMS encryption) provides encryption at rest for the log group but does not prevent authorized readers from seeing sensitive data once decrypted. Support staff who can read logs would still see plaintext card data. Option C is not a standard or operationally efficient pattern for CloudWatch Logs redaction; Macie is primarily for discovering sensitive data in S3 and does not serve as the native masking mechanism for CloudWatch Logs ingestion. Option D is not applicable: AWS WAF inspects HTTP requests/responses at the edge or load balancer/API layer, not application log streams already being emitted to CloudWatch.

Therefore, A is the correct solution: use CloudWatch Logs data protection to mask sensitive data by default and grant logs:Unmask only to administrators.

AWS AppConfig Feature Flags are designed to release features safely with minimal code changes. The lowest operational overhead approach is to use a single feature flag and configure it to deliver the feature to a percentage of users through built-in targeting rules and variants.

With option C, the developer creates one AppConfig feature flag and defines a variant that represents the new feature behavior (for example, enabled=true or a “newExperience” variant). Then the developer creates a rule in AppConfig to target 15% of users. AppConfig feature flags support rules that can evaluate attributes (such as user IDs or other contextual attributes supplied by the application) and apply percentage-based rollout. This avoids building and maintaining custom rollout logic in the application.

Option A and D both require implementing and maintaining custom traffic splitting in code, which increases complexity and operational burden, and risks inconsistent behavior across clients/services.

Option B adds extra configuration overhead and complexity by managing multiple feature flags for “groups” instead of using a single flag with a variant and rule. A single flag with variants is the clean, scalable pattern.

Therefore, create one AppConfig feature flag, define a variant, and configure a rule to target 15% of users.