Free Practice Questions for Amazon Web Services DVA-C02 Exam

Problem: CloudFormation updates reset Parameter Store parameters, disrupting application behavior.

Deletion Policy: CloudFormation has a deletion policy that controls resource behavior when a stack is deleted or updated. The ' Retain ' policy instructs CloudFormation to preserve a resource ' s current state.

Least Development Effort: This solution involves a simple CloudFormation template modification, requiring minimal code changes.

The correct answer is C because Amazon SNS subscription filter policies are the native AWS feature for ensuring that only messages with matching attributes are delivered to a specific subscription. In this scenario, the Lambda function should process only refund messages from an SNS topic that contains multiple payment activity message types. By applying a subscription filter policy to the Lambda subscription, SNS delivers only the refund-related notifications to the function.

This is the most operationally efficient solution because filtering happens before invocation of the Lambda function. That means the Lambda function is not triggered for irrelevant payment events, which reduces unnecessary invocations, lowers compute cost, and simplifies the function code. AWS documentation recommends using subscription filter policies with SNS when subscribers should receive only a subset of messages based on message attributes.

Option A is incorrect because Lambda event filtering is available for some event sources, but for SNS-to-Lambda integration , the AWS-native filtering point is the SNS subscription itself. Option B is less efficient because it still invokes the Lambda function for every message and then discards non-refund messages in code. That increases operational overhead and cost. Option D is unrelated to the requirement because batching changes invocation behavior but does not filter by message type.

Therefore, the best design is to publish all payment activity events to SNS with appropriate message attributes and configure an SNS subscription filter policy so that only refund messages invoke the Lambda function. This approach is simple, scalable, and aligns with AWS event-driven architecture best practices.

AWS Secrets Manager is a service that allows you to store and manage secrets, such as database credentials, API keys, and passwords, in a secure and centralized way. It also provides features such as automatic secret rotation, auditing, and monitoring1. By using AWS Secrets Manager, you can avoid hardcoding credentials in your code, which is a bad security practice and makes it difficult to update them. You can also replicate your secrets to another Region, which is useful for disaster recovery purposes2. To access your secrets from your application, you can use the ARN of the secret, which is a unique identifier that includes the Region name. This way, your application can use the appropriate secret based on the Region where it is deployed3.

AWS Secrets Manager

Replicating and sharing secrets

Using your own encryption keys

AWS AppConfig , a capability of AWS Systems Manager, is specifically designed to manage feature flags , configuration changes, and application toggles safely and dynamically. AWS documentation highlights AppConfig as the recommended service for enabling and disabling application features without redeploying code.

Feature flags in AppConfig allow developers to control visibility, rollout strategies, and gradual releases across environments. AppConfig supports validation, monitoring, and rollback to prevent misconfigurations from impacting users.

Option A is incorrect because AWS AppSync is a GraphQL service and does not manage feature flags. Options B and D misuse data storage and synchronization services for configuration management, introducing unnecessary complexity and risk.

Using AWS AppConfig enables developers to hide features , activate them instantly when ready, and manage them centrally with minimal operational overhead.

Therefore, AWS AppConfig feature flags are the correct and AWS-recommended solution.

The requirement here is to ensure that Lambda functions are executed in a specific order. AWS Step Functions is a low-code workflow orchestration service that enables you to sequence AWS services, such as AWS Lambda, into workflows. It is purpose-built for situations like this, where different steps need to be executed in a strict sequence.

AWS Step Functions: Step Functions allows developers to design workflows as state machines, where each state corresponds to a particular function. In this case, the developer can create a Step Functions state machine where each step (order processing, inventory management, etc.) is represented by a Lambda function.

Operational Overhead: Step Functions have very low operational overhead because it natively handles retries, error handling, and function sequencing.

Alternatives:

Amazon SQS (Option A): While SQS can manage message ordering, it requires more manual handling of each step and the logic to sequentially invoke the Lambda functions.

Amazon SNS (Option B): SNS is a pub/sub service and is not designed to handle sequences of Lambda executions.

EventBridge (Option D): EventBridge Scheduler allows you to invoke Lambda functions based on scheduled times, but it doesn’t directly support sequencing based on workflow logic.Therefore, AWS Step Functions is the most appropriate solution due to its native orchestration capabilities and minimal operational complexity.

AWS Step Functions documentation

IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.

Create a role with a policy allowing s3:GetObject on the specific bucket.

Attach the role to an instance profile and associate that profile with your instances.

Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.

Modify the app to use the AWS SDK to call GeneratePresignedUrl.

Embed these URLs when a user is properly logged in, allowing download access.

AWS Lambda supports versions and aliases to manage deployments safely. An alias is a named pointer to a specific function version (for example, prod → version 5). Importantly, Lambda aliases can be configured with routing configuration to split incoming invocation traffic between two versions. This enables canary or linear deployments where most traffic goes to the stable version and a small percentage goes to the new version for testing. If issues occur, the developer can quickly shift traffic back by updating the alias.

Option B is the native, simplest, and recommended solution for Lambda traffic shifting.

Option A is not correct because Route 53 weighted routing can split DNS queries between endpoints, but it does not natively target Lambda versions directly for most invocation patterns, and it’s not the standard mechanism for Lambda version traffic shifting.

Option C is unnecessary and adds operational overhead. ALB can invoke Lambda targets, but splitting between Lambda versions is more naturally handled by aliases without provisioning and managing an ALB.

Option D misunderstands layers: layers are for dependencies/shared code, not for deploying new versions or traffic splitting.

Therefore, using a Lambda alias with weighted routing between versions meets the requirement.

Step-by-Step Breakdown:

Requirement Summary:

Get notified when EC2 CPU Utilization > 80%

Option A: CloudWatch Alarm with SNS

Correct and standard AWS practice

CloudWatch automatically collects EC2 metrics, including CPUUtilization.

You can set a CloudWatch Alarm with a threshold (80% in this case).

Then, trigger an SNS notification to email, SMS, Lambda, etc.

Option B: AWS CloudTrail alarm

Incorrect: CloudTrail logs API activity, not performance metrics.

It doesn’t track metrics like CPU utilization.

Option C: Cron job on EC2 running --describe-instance-information

Incorrect: This doesn’t give CPU usage.

Also inefficient, and polling is bad practice when CloudWatch already monitors this natively.

Option D: Lambda function querying CloudTrail for CPU usage

Incorrect and conceptually flawed.

CloudTrail does not store performance metrics; CloudWatch does.

CloudWatch Alarms for EC2: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

EC2 Metrics in CloudWatch: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

Amazon SNS Notification Setup: https://docs.aws.amazon.com/sns/latest/dg/sns-email-notifications.html

To ensure a Lambda function URL is reachable only through CloudFront, the solution must (1) make CloudFront the only authorized caller, and (2) prevent direct public access to the function URL endpoint. The AWS-native way to do this is to use a resource-based policy on the Lambda function that permits invocation only from the specific CloudFront distribution, combined with CloudFront’s Origin Access Control (OAC) to sign origin requests.

A Lambda function URL can be configured for IAM-based authorization, and Lambda supports resource-based permissions (via lambda:AddPermission) that restrict who can invoke it. By scoping the permission so that only the CloudFront distribution (identified by a source ARN / distribution identifier) is allowed, direct requests that do not come through CloudFront will be rejected. This enforces the requirement that the function URL cannot be accessed directly.

CloudFront OAC is the modern mechanism to securely access origins by having CloudFront sign the requests it sends to the origin. When CloudFront signs requests and the origin (here, the Lambda function URL) is configured to accept only authorized requests per its resource policy, CloudFront becomes the only viable access path.

Option A is incorrect because CloudFront does not use a “resource-based policy” to grant access to an origin in this way; the enforcement must happen at the origin. Option C is not how CloudFront accesses origins; CloudFront does not assume a customer IAM role to fetch origin content. Option D is fragile and not recommended: CloudFront IP ranges can change and are not intended to be used as a static allowlist for origin protection; additionally, IP-based controls do not provide the same strong identity-based authorization that OAC + resource policy provides.

Therefore, B is the correct solution: restrict the Lambda function URL with a Lambda resource-based policy and configure CloudFront with OAC so only CloudFront-originated requests are accepted.

This solution allows easy and secure control of access to the downloads at the lowest cost because it uses a content delivery network (CDN) that can cache and distribute firmware updates to customers around the world, and uses a mechanism that can restrict access to specific files or versions. Amazon CloudFront is a CDN that can improve performance, availability, and security of web applications by delivering content from edge locations closer to customers. Amazon S3 is a storage service that can store firmware updates in buckets and objects. Signed URLs are URLs that include additional information, such as an expiration date and time, that give users temporary access to specific objects in S3 buckets. The developer can use CloudFront to serve firmware updates from S3 buckets and use signed URLs to control who can download them and for how long. Creating a dedicated CloudFront distribution for each customer will incur unnecessary costs and complexity. Using Amazon CloudFront with AWS Lambda@Edge will require additional programming overhead to implement custom logic at the edge locations. Using Amazon API Gateway and AWS Lambda to control access to an S3 bucket will also require additional programming overhead and may not provide optimal performance or availability.

DynamoDB TTL (Time-to-Live): A native feature that automatically deletes items after a specified expiration time.

Efficiency: Eliminates the need for scheduled deletion jobs, optimizing write throughput by avoiding potential throttling conflicts.

Seamless Integration: TTL works directly within DynamoDB, requiring minimal development overhead.

Amazon DynamoDB supports conditional writes , which allow developers to enforce data integrity rules directly at the database layer. AWS documentation states that conditional expressions are the recommended way to prevent accidental overwrites and ensure idempotent writes.

Using a PutItem operation with the condition expression

attribute_not_exists(transactionId) ensures that the write succeeds only if the item does not already exist . If a duplicate transaction is received, DynamoDB rejects the request without modifying the existing record.

This approach is highly cost-effective because it avoids additional read operations. Option A doubles request cost by performing a read before every write. TTL (Option B) is unrelated to overwrite prevention. Option C does the opposite of the requirement by ensuring the attribute exists.

AWS explicitly recommends conditional writes for handling duplicates and enforcing uniqueness with minimal cost and latency.

Therefore, implementing a conditional put with attribute_not_exists(transactionId) is the correct solution.