Free Practice Questions for Amazon Web Services DVA-C02 Exam

For a serverless web application that needs user registration and authentication with minimal configuration, the standard AWS solution is Amazon Cognito User Pools. User Pools provide managed user directories, sign-up/sign-in flows, MFA options, password reset, and token-based authentication (OAuth2/OIDC/JWT). This integrates naturally with API Gateway (Cognito authorizers) and Lambda.

Option A is best because it uses Cognito User Pools plus an app client and the Hosted UI, which provides ready-made sign-up/sign-in pages. Hosted UI minimizes custom UI and backend authentication code while still allowing branding customization and secure token issuance. The SPA can authenticate via Cognito, receive JWT tokens, and call API Gateway endpoints securely.

Option B (identity pool) is primarily for granting temporary AWS credentials to access AWS services directly (federation). It does not replace User Pools for user registration/login flows; typically identity pools are used in addition to user pools, not instead, and require more configuration.

Option C adds unnecessary infrastructure (EC2) and defeats the “minimize configuration” goal.

Option D is not appropriate for end-user authentication. IAM users/groups are for workforce/admin access, not for customer-facing apps.

Therefore, Cognito User Pool + Hosted UI is the minimal-configuration secure solution.

Amazon Kinesis Data Firehose is a service that delivers real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon OpenSearch Service, and Amazon Kinesis Data Analytics. The developer can implement Kinesis Data Firehose data transformation as an AWS Lambda function. The function can remove pattern-based customer identifiers from the data and return the modified data to Kinesis Data Firehose. The developer can set an Amazon S3 bucket as the destination of the delivery stream.

In AWS Lambda, CPU power scales proportionally with the memory configuration. Lambda does not let you directly set “CPU cores” as a standalone setting in the general case; instead, increasing the function’s configured memory increases the CPU allocation (and other resources such as network throughput) available to the function. Therefore, to reduce latency caused by insufficient CPU, the developer should increase the function’s memory setting.

Option B directly addresses the CPU limitation in the supported Lambda configuration model. This is a common performance tuning approach: raise memory, benchmark, and find the optimal cost/performance point.

Option A is not the right lever for most Lambda functions because Lambda compute is configured via memory (and architecture), not by directly raising a “vCPU quota” per function in a typical tuning workflow.

Option C increases /tmp storage capacity and helps when dealing with large temporary files, not CPU availability.

Option D increases the maximum runtime allowed per invocation, but it does not give the function more CPU and will not reduce latency caused by CPU starvation.

Therefore, increasing the allocated memory is the correct way to increase CPU for a Lambda function.

The requirement is application-level encryption (client-side) in addition to RDS encryption at rest, specifically to prevent database administrators from viewing PHI. Also, some PHI objects are large, so the solution must encrypt locally without size limitations.

AWS best practice for large data encryption with KMS is envelope encryption. With envelope encryption, the application generates a data encryption key (DEK) (typically obtained from KMS using GenerateDataKey). The application uses the plaintext DEK locally with a symmetric algorithm (such as AES-GCM) to encrypt the large PHI payload efficiently. The DEK itself is then protected by encrypting it with a KMS customer managed key (CMK), producing an encrypted data key that can be safely stored alongside the ciphertext. Only principals with permission to use the CMK can decrypt the DEK and then decrypt the PHI data. This ensures that even database administrators who can access the RDS data cannot read PHI without KMS authorization.

Option A is not suitable because the KMS Encrypt operation is intended for small payloads (KMS has size limits for direct encryption), making it inappropriate for large PHI files.

Option B is insecure because embedding encryption keys in source code violates key management best practices and makes rotation and compromise containment difficult.

Option C provides only storage-level encryption for the database volume; it does not ensure that PHI remains unreadable to administrators who can access the database content.

Therefore, using envelope encryption with a KMS customer managed key and storing the encrypted data key with the record is the most secure solution.

This solution allows the API to invoke the Lambda function asynchronously, which means that the API will return an immediate response without waiting for the function to complete. The X-Amz-Invocation-Type header specifies the invocation type of the Lambda function, and setting it to ‘Event’ means that the function will be invoked asynchronously. The function can then use Amazon Simple Email Service (SES) to send an email message when the report processing is complete.

Step-by-Step Breakdown:

Requirement Summary:

Use AWS SAM to deploy:

1 Lambda Function

1 S3 Bucket

Lambda needs read-only access to the S3 bucket

Solution must be expressed via AWS SAM template

Option A: Reference a second Lambda authorizer function

Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.

Option B: Add a custom S3 bucket policy to the Lambda function

Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.

The permission must be granted to the Lambda’s IAM execution role.

Option C: Create an Amazon SQS topic for only S3 object reads

Incorrect: SQS cannot read objects from S3 and is not relevant to this scenario.

Option D: Add the S3ReadPolicy template to the Lambda function's execution role

Correct: AWS SAM provides managed policy templates like AmazonS3ReadOnlyAccess and shortcuts like S3ReadPolicy.

You can apply these to the Lambda’s execution role using the Policies: section in your SAM template.

Example SAM YAML:

yaml

CopyEdit

Resources:

MyFunction:

Type: AWS::Serverless::Function

Properties:

CodeUri: my-code/

Handler: app.handler

Runtime: python3.11

Policies:

- S3ReadPolicy:

BucketName: !Ref MyBucket

MyBucket:

Type: AWS::S3::Bucket

Properties:

BucketName: my-personal-bucket-name

SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy

A feature branch is a branch that is created from the main branch to work on a specific feature or task1. Feature branches allow developers to isolate their work from the main branch and avoid conflicts with other changes1. Feature branches can be merged back to the main branch when the feature or task is completed and tested1.

In this scenario, the developer needs to maintain two parallel streams of work: one for fixing and updating the current version of the application that is deployed in production, and another for developing the new version of the application. The developer can use feature branches to achieve this goal.

The developer can create a feature branch from the main branch for production bug fixes. This branch will contain the code that is currently deployed in production, and any fixes or updates that need to be applied to it. The developer can push this branch to the CodeCommit repository and use it to deploy changes to the production environment.

The developer can also create a second feature branch from the main branch for development of the new version of the application. This branch will contain the code that is under development for the new version, and any changes or enhancements that are part of it. The developer can push this branch to the CodeCommit repository and use it to test and deploy the new version of the application in a separate environment.

By using feature branches, the developer can keep the main branch stable and clean, and avoid mixing code from different versions of the application. The developer can also easily switch between branches and merge them when needed.