Free Practice Questions for Amazon Web Services DVA-C02 Exam

Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can publish custom metrics to CloudWatch that record the failures of the external payment processing API calls. The developer can configure a CloudWatch alarm to notify the existing SNS topic when the error rate exceeds 5% of the total number of transactions in an hour. This solution will meet the requirements in a near real-time and scalable way.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

Step 1: Problem Understanding

Asymmetric Encryption Requirement: Users encrypt data with a public key, and only the company can decrypt it using a private key.

Data Encryption at Rest and In Transit: The data must be encrypted during upload (in transit) and when stored in Amazon S3 (at rest).

Step 2: Solution Analysis

Option A: Server-side encryption with Amazon S3 managed keys (SSE-S3).

Amazon S3 manages the encryption and decryption keys.

This does not meet the requirement for asymmetric encryption, where the company uses a private key.

Not suitable.

Option B: Server-side encryption with customer-provided keys (SSE-C).

Requires the user to supply encryption keys during the upload process.

Does not align with the asymmetric encryption requirement.

Not suitable.

Option C: Client-side encryption with a data key.

Data key encryption is symmetric, not asymmetric.

Does not satisfy the requirement for a public-private key pair.

Not suitable.

Option D: Client-side encryption with a customer-managed encryption key.

Data is encrypted on the client side using the public key.

Only the company can decrypt the data using the corresponding private key.

Data remains encrypted during upload (in transit) and in S3 (at rest).

Correct option.

Step 3: Implementation Steps for Option D

Generate Key Pair:

The company generates an RSA key pair (public/private) for encryption and decryption.

Encrypt Data on Client Side:

Use the public key to encrypt the data before uploading to S3.

S3 Upload:

Upload the encrypted data to S3 over an HTTPS connection.

Decrypt Data on the Server:

Use the private key to decrypt data when needed.

AWS Developer References:

Amazon S3 Encryption Options

Asymmetric Key Cryptography in AWS

Lambda throttling occurs when the number of concurrent executions exceeds the available concurrency. This can happen due to account-level concurrency limits, function-level reserved concurrency limits, or sudden traffic spikes.

The most operationally efficient ways to reduce throttling are to increase available concurrency:

Option C: Increasing the function’s reserved concurrency can reduce throttling when the function is being constrained by a too-low reserved concurrency value. Reserved concurrency guarantees a fixed amount of concurrency for the function (and also caps it). If the cap is currently too low, raising it allows more parallel executions and reduces throttles.

Option E: If throttling is due to the account concurrency quota being reached (or burst scaling limits in some patterns), the correct fix is to request a service quota increase. This increases the total available concurrency capacity for the account (and/or specific dimensions), allowing more simultaneous executions across functions.

Why the others are not correct:

A (migrate to EKS) is high effort and not operationally efficient for solving Lambda throttling.

B (maximum age of events) applies to asynchronous event retries/queues; it does not reduce throttling—it only changes how long events remain eligible for processing.

D is irrelevant: adding lambda:GetFunctionConcurrency to the execution role only allows reading settings and does not change throttling behavior.

Therefore, the best operational fixes are to increase reserved concurrency and request a concurrency quota increase.

AWS CodeBuild integrates natively with AWS Secrets Manager, allowing secrets to be securely injected into build environments without being exposed in logs. When referenced using the secrets-manager mapping in the env section of buildspec.yml, CodeBuild automatically retrieves and decrypts the secret at runtime.

AWS documentation states that Secrets Manager provides encryption at rest using AWS KMS, fine-grained IAM access control, and automatic rotation support. Secrets retrieved this way are masked in build logs by default, satisfying the requirement that secrets do not appear in logs.

Parameter Store (Option C) can store encrypted values, but Secrets Manager is AWS’s preferred service for managing secrets, especially when rotation and auditing are required. Options B and D introduce unnecessary steps and higher operational overhead.

Therefore, Secrets Manager with CodeBuild environment variables is the most secure and operationally efficient solution.

Because the Lambda function is successfully triggered by the S3 event notification, the invocation path (S3 → Lambda) is working correctly. The failure occurs specifically when the function tries to write to DynamoDB, which strongly indicates an authorization problem rather than an invocation, scaling, or infrastructure issue.

In AWS, a Lambda function interacts with other services by using its execution role (an IAM role). AWS documentation explains that a Lambda function must have explicit IAM permissions to call downstream services such as DynamoDB. To write items, the role typically needs actions like dynamodb:PutItem (and sometimes dynamodb:UpdateItem, dynamodb:BatchWriteItem, depending on code behavior) on the target table resource ARN. If these permissions are missing or scoped incorrectly, DynamoDB returns an AccessDeniedException (or similar) and the function fails at the write step.

Option A is unlikely because exceeding concurrency would typically prevent invocation or cause throttling at the Lambda service level, not selectively fail only at DynamoDB write time after the function begins executing.

Option B is incorrect: DynamoDB does not require a GSI to support writes. GSIs are for alternate query access patterns, not mandatory for write operations.

Option D is incorrect because DynamoDB is a regional service, not tied to a single Availability Zone, and Lambda does not need to be “in the same AZ” to access it.

Therefore, the most likely cause is that the Lambda execution role lacks the necessary IAM permissions to perform DynamoDB write operations.

API Gateway Stages: Stages in API Gateway represent distinct environments (like PROD and DEV) allowing different configurations.

Stage Variables: Stage variables store environment-specific information, including Lambda function aliases.

Ease of Management: This solution offers a straightforward way to manage different Lambda function versions across environments.

An Application Load Balancer can invoke Lambda functions as targets, but ALB must be explicitly granted permission to invoke the function. This is done by adding a resource-based permission to the Lambda function policy that allows the Elastic Load Balancing service principal to call lambda:InvokeFunction, typically scoped to the specific target group ARN.

If the developer registers the function as a target but does not add the required permission, the ALB will not be able to invoke the function when requests arrive. This is a common integration oversight: the target registration succeeds, but invocation fails because Lambda denies the call.

Option A is incorrect because ALB does support Lambda targets.

Option B is incorrect because Lambda targets can be configured through the console, CLI, or APIs.

Option D is unrelated: cross-zone load balancing affects distribution of traffic across AZs for instance/IP targets, not whether Lambda invocation is authorized.

Why Option A is Correct:Creating a CloudWatch metric filter with "ERROR" as the search term ensures that occurrences of the word "ERROR" in logs are counted. An alarm can then be set to notify the SNS topic when the count exceeds 1. This is the standard approach to monitor specific patterns in CloudWatch Logs.

Why Other Options are Incorrect:

Option B: CloudWatch Logs Insights is used for querying logs manually and does not integrate directly with alarms for automated notifications.

Option C: SNS subscription filters are not a feature for filtering log patterns in CloudWatch Logs.

Option D: CloudWatch alarms do not directly include log filter patterns; a metric filter is needed to create the metric first.

AWS Documentation References:

Creating CloudWatch Metric Filters

To measure how long an application spends calling downstream AWS services (for example, DynamoDB, S3, SNS, etc.) in a distributed system, the most effective AWS-native approach is AWS X-Ray with appropriate instrumentation. X-Ray provides distributed tracing by capturing end-to-end request paths and breaking each request into segments and subsegments with precise timing information. When the application is instrumented with the X-Ray SDK, client handlers/interceptors automatically create subsegments for calls to AWS services, recording latency, response status, and error/throttle indicators.

This directly satisfies the requirement: determine the length of time of calls to various downstream services. In the X-Ray trace map and trace details, the developer can see per-service timing, identify which dependency is slow, and distinguish application processing time from downstream call time. This is specifically designed for performance bottleneck analysis and root cause investigation across distributed components.

Option A (VPC Flow Logs) captures network flow metadata (source/destination, ports, bytes, accept/reject), not application-level request timing to AWS service APIs, and it won’t show the latency breakdown per downstream service call.

Option B can work only if the application is already logging detailed timing for each call, but this is manual, inconsistent across services, and does not give a unified distributed trace view. It is also higher effort than using standard tracing instrumentation.

Option C increases CloudWatch metric granularity for EC2 but does not show per-request downstream service call durations.

Therefore, implementing AWS X-Ray with client handlers is the correct solution.