Free Practice Questions for Amazon Web Services DVA-C02 Exam

Why Option C is Correct:Ensuring that pipeline artifacts are encrypted with a customer-managed AWS KMS key involves configuring the S3 bucket policy to require encryption. This policy ensures all objects uploaded to the bucket are encrypted with the specified KMS key.

Why Other Options are Incorrect:

Option A: A gateway endpoint improves S3 access efficiency but does not enforce encryption.

Option B: Encrypting CloudWatch Logs is unrelated to securing pipeline artifacts.

Option D: Configuring SNS for encryption does not affect the artifacts stored in the S3 bucket.

AWS Documentation References:

Using Server-Side Encryption with S3 Bucket Policies

Amazon S3 automatically scales to handle high request rates, but request parallelism is optimized when objects are distributed across multiple prefixes. AWS documentation explains that S3 internally partitions data by key name, and distributing objects across multiple prefixes allows requests to be spread across multiple partitions.

When many GET requests target objects within the same prefix, they may contend for the same internal partition, limiting throughput. By designing object keys with multiple prefixes—such as including hashed or randomized components—applications can significantly increase parallel request handling.

Options A and D do not address S3 request partitioning. Global Accelerator improves network latency for supported endpoints but does not increase S3 request parallelism. Direct Connect improves network consistency but does not change how S3 scales requests internally. Option B worsens the problem by concentrating traffic into a single prefix.

Therefore, partitioning objects by prefixes is the correct and AWS-recommended solution.

Comprehensive and Detailed Explanation (250–300 words):

For in-place deployments , AWS CodeDeploy updates instances directly rather than using blue/green infrastructure. AWS documentation states that when automatic rollback is enabled and a deployment fails (for example, due to failed health checks or validation scripts), CodeDeploy initiates a rollback deployment .

In an in-place rollback, CodeDeploy redeploys the last known successful application revision to the affected instances. This rollback is treated as a new deployment , complete with its own deployment ID and lifecycle events. CodeDeploy does not use snapshots, Route 53 switching, or external promotion logic for in-place deployments.

Options A and B describe mechanisms that are used in other services or blue/green strategies, not in-place deployments. Option D is incorrect because CodePipeline orchestrates stages but does not perform rollback logic for CodeDeploy.

Therefore, redeploying the previous stable version as a new deployment is the correct behavior.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To ensure that only a specific AWS Step Functions state machine (myStateMachine) can assume the service role, you must configure the correct trust policy in AWS IAM.

Trust Policies: Trust policies determine which entities (services or users) are allowed to assume the role. In this case, we want to restrict the trust policy to only allow the specific state machine (myStateMachine) to assume the role.

Using ArnLike: The condition " ArnLike " is used to specify that the SourceArn (which refers to the ARN of the entity assuming the role) must match a specific ARN. Option A specifies the exact ARN of the myStateMachine state machine, ensuring that only this state machine can assume the role.

Option B: This option is incorrect because it uses a wildcard (*) for the account ID, which would allow any state machine in the ap-south-1 region to assume the role, not just the specific one.

AWS Step Functions IAM Policies

Amazon DynamoDB performance depends heavily on partition key design . AWS documentation warns against access patterns that repeatedly target the same partition key, as this causes hot partitions , even in on-demand mode.

In this scenario, most reads focus on the current day’s forecast for a small number of large cities. Using CityId alone as the partition key would cause hot partitions for those cities. Adding a calculated suffix (such as a hash or modulo value) to CityId spreads read requests across multiple partitions while still allowing efficient querying.

Using ForecastDate as the partition key (Options C and D) would concentrate traffic on a single value (today’s date), creating severe hot partition issues. Option B lacks a meaningful access pattern and complicates queries.

AWS documentation explicitly recommends key-suffix techniques for workloads with skewed access patterns to distribute traffic evenly. Therefore, using CityId with a calculated suffix as the partition key is the correct design.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To redact PII from S3 objects before they are accessed by the analytics service, the most efficient solution is to use S3 Object Lambda. S3 Object Lambda allows you to add your own code (Lambda function) to process and transform data when it is retrieved from Amazon S3. You can attach a Lambda function to an S3 Object Lambda Access Point, which in this case would run a redaction API to remove PII from the reports.

Operational Efficiency: S3 Object Lambda handles data processing on the fly, without requiring the data to be permanently transformed or moved to another service (like Amazon Redshift).

Alternatives:

Option A: Loading the data into Amazon Redshift would require refactoring the analytics service and maintaining an additional data pipeline, increasing complexity.

Option C: Using AWS KMS for encryption protects data at rest and in transit, but it does not address PII redaction.

Option D: SNS is a messaging service and does not support direct data transformation.

This solution will ensure that the repository package’s unit tests run in the new deployment environment with the least overhead because it uses AWS CodeBuild to build and test the code in a fully managed service, and AWS CodePipeline to orchestrate the deployment stages and actions. Option A is not optimal because it will use AWS CodeCommit instead of AWS CodeBuild, which is a source control service, not a build and test service. Option C is not optimal because it will use AWS CodeDeploy instead of AWS CodeBuild, which is a deployment service, not a build and test service. Option D is not optimal because it will add an action to the source stage instead of creating a new stage, which will not follow the best practice of separating different deployment phases.

AWS CloudFormation parameters allow templates to be reused across multiple environments by injecting environment-specific values at deployment time. AWS documentation recommends parameters for environment names such as dev, test, and prod.

To ensure unique resource names, CloudFormation intrinsic functions can dynamically construct names. Fn::Sub allows string interpolation, and !Ref retrieves the parameter value. Together, they enable resource names like myapp-dev-bucket or myapp-prod-role.

Conditions (Option B) control whether resources are created but do not generate unique names. Rules (Option C) validate parameters but do not affect naming. Fn::GetAtt (Option E) retrieves resource attributes and is not used to build names.

Therefore, defining an environment name parameter and using Fn::Sub with !Ref is the correct and AWS-recommended approach.

In DynamoDB, a ConditionalCheckFailedException occurs when an UpdateItem, PutItem, or DeleteItem operation includes a ConditionExpression that evaluates to false for the target item at the time of the write. This is expected behavior: DynamoDB uses conditional expressions for optimistic concurrency control and for enforcing business rules atomically at write time.

In this scenario, the developer wants to update only items whose status is Inactive by adding an email address. The most correct way to prevent conditional failures is to ensure the update request’s condition matches the intended target state. By adding (or correcting) a condition expression such as #st = :inactive (with expression attribute names/values), the update will proceed only when the item’s status is actually " Inactive " . Items that are " Active " will be skipped by design rather than causing unexpected failures in the workflow.

Option B checks whether the email attribute exists, but that does not enforce the key business rule (“only inactive items”) and may still fail depending on whether the attribute is present or absent across items. Option C (retry on ConditionalCheckFailedException) is not appropriate: the failure is not transient like throttling; it indicates the condition was not met, and retrying will likely fail again unless the item changes state. Option D is unrelated because email format validation is not what triggers DynamoDB conditional failures; the exception is about the conditional expression not matching item state.

Therefore, the correct fix is A : update the request’s conditional expression to explicitly check that status equals " Inactive " before applying the update. This ensures only the intended items are modified and eliminates unnecessary conditional failures.

Amazon Q Developer Pro is an AWS-native, generative AI–powered development assistant designed to help developers write, test, and review code directly within supported IDEs such as Visual Studio Code and JetBrains. AWS documentation highlights Amazon Q Developer Pro as a productivity tool that accelerates development without requiring additional infrastructure .

Amazon Q Developer Pro can automatically generate unit tests , suggest improvements, identify potential bugs, and provide context-aware code reviews . Because it integrates directly into the IDE, developers receive immediate feedback during development, which shortens feedback loops and improves overall code quality.

Options A, B, and C require additional tooling, scripting, or manual processes. While CodeBuild and CodeGuru Reviewer are valuable services, they introduce pipeline complexity and do not provide real-time, IDE-integrated assistance for writing tests and reviewing code.

Amazon Q Developer Pro uniquely satisfies all stated requirements:

No infrastructure to manage

Native IDE integration

Automated unit test generation

AI-assisted code reviews

Therefore, using Amazon Q Developer Pro is the most efficient and modern AWS-recommended solution.

Default SSE in DynamoDB: DynamoDB tables are encrypted at rest by default using an AWS owned key (SSE-S3).

No Additional Action Needed: Creating a table without explicitly specifying a KMS key will use this default encryption.

The requirement is to analyze existing Lambda logs using a request ID that appears in both functions, and to do so with the least development effort . Amazon CloudWatch Logs Insights is purpose-built for interactive log analysis: it lets you run ad-hoc queries over CloudWatch log groups using a query language that supports filtering, parsing, sorting, and aggregation. This means you can quickly search across the relevant Lambda log groups and filter results to only entries that contain a specific request ID.

With Logs Insights, the developer can select both Lambda log groups, set a time range around the failure, and run a query such as filtering on the request ID field or matching the request ID string in the message. This provides a fast way to reconstruct the end-to-end flow and identify where the failure occurred—without writing any custom code, building data pipelines, or exporting logs.

Option A (using an AWS SDK) requires writing and maintaining code to call CloudWatch Logs APIs, handle pagination, time windows, filtering, and correlation across groups—more effort than necessary. Option B (export to S3 + Athena) adds significant setup (export tasks, S3 storage, Athena tables/partitions) and is better suited to large-scale analytics or long-term archival, not quick troubleshooting. Option D (Live Tail) is primarily for real-time streaming of new log events; it is less suitable for retrospective investigation of an incident that already happened, and it doesn’t provide the same structured querying and cross-log-group correlation capabilities as Logs Insights.

Therefore, CloudWatch Logs Insights (C) is the most direct, AWS-native, low-effort solution to query both Lambda log groups and filter by request IDs to troubleshoot the failing process flow.

Lambda Destinations on Failure: Allow routing asynchronous function invocations to specified resources (like another Lambda function) upon failure.

Error Handling: The error-handling Lambda receives details about the failure, enabling logging and custom actions.

Direct Integration: This solution leverages native Lambda functionality for a simpler implementation.