Free Practice Questions for Amazon Web Services DVA-C02 Exam

This is a feature flag / dynamic configuration requirement: enable a new feature for a subset of users (premium customers), toggle it on/off quickly based on feedback/performance, and deploy configuration changes safely with validation and without disruption. AWS AppConfig (part of AWS Systems Manager) is designed for exactly this use case.

AWS AppConfig helps create, manage, and deploy application configurations, including feature flags, in a controlled way. It supports configuration validators (such as JSON schema or Lambda validators) to catch errors before deployment. It also supports controlled rollouts with deployment strategies to reduce blast radius (for example, gradual deployments). This allows rapid changes without redeploying code and minimizes disruption.

Option A aligns perfectly: use AppConfig feature flags to target premium users and toggle the feature quickly.

Option B is incorrect because Secrets Manager is for sensitive secrets (passwords, API keys), not feature flag management and progressive configuration deployments.

Option C is incorrect because AWS Config evaluates resource compliance and records configuration changes of AWS resources; it does not serve runtime feature flag delivery.

Option D (Parameter Store) can store configuration values, but it does not provide the same feature-flag-focused capabilities, validation/deployment strategies, and safe rollout controls that AppConfig provides. Also, “lifecycle rules” is not how Parameter Store toggles features.

Why Option A is Correct:Running an AWS Lambda function within the same VPC ensures secure communication without exposing the API application to public IP addresses. The Lambda function can serve as a secure EventBridge target to send events to the API.

Why Other Options are Incorrect:

Option B & C: Internet-facing load balancers expose public IP addresses, which violates compliance requirements.

Option D: EventBridge cannot directly target an endpoint within a private VPC without intermediary services like Lambda.

AWS Documentation References:

EventBridge Targets

The workload is explicitly very I/O intensive and requires reading the same file multiple times. Reading repeatedly from S3 across the network will introduce latency and repeated network I/O. For best performance, the function should download the file once to fast local storage and perform all repeated reads locally.

AWS Lambda provides ephemeral storage mounted at /tmp. AWS allows increasing this ephemeral storage beyond the default size. Because the files are at most 2 GB, the developer can configure the Lambda function’s ephemeral storage to 2 GB and copy each S3 object into /tmp before processing. This converts repeated network reads into repeated local filesystem reads, which is significantly faster and more consistent for I/O-heavy workloads.

Option D (read directly from S3) is the least optimized because each pass over the file requires additional network I/O and S3 GET requests.

Option A is not feasible: Lambda cannot directly attach and manage an EBS volume like an EC2 instance can.

Option B is not applicable: ENA is an EC2 networking feature; Lambda networking is managed by the service and does not allow attaching ENAs for performance tuning in that way.

Because the files are disposable after processing, using ephemeral /tmp storage is also cost-effective and operationally simple, and it is aligned with the “process once per file” pattern.

Therefore, increase Lambda ephemeral storage and copy the video into /tmp for repeated reads.

The solution that will meet the requirements is to add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior’s settings unchanged. This way, the login page can be accessed without authentication, while all other content remains secure and requires signed cookies. The other options either do not allow unauthenticated access to the login page, or expose private content to unauthorized users.

The issue occurs because the SSM Parameter Store parameters are managed by CloudFormation as stack resources. When CloudFormation performs a stack update, it will attempt to ensure the deployed resources match the template. If the template includes a parameter value, CloudFormation can overwrite the current value during updates, which explains why the application’s runtime modifications are lost.

The developer’s requirement is to continue deploying the stack (including adding resources/tags) without resetting parameter values that are modified outside CloudFormation. The lowest-effort way to do this is to prevent CloudFormation from updating those specific Parameter Store resources during stack updates.

A CloudFormation stack policy can explicitly deny update actions on selected resources (in this case, the SSM parameters). Stack policies are designed to protect critical resources from being unintentionally modified during stack updates. With an update-deny policy applied to the SSM parameter resources, CloudFormation can still update other resources (such as adding tags or creating new components), but it will not overwrite the parameter values that the application has changed.

Option A (DeletionPolicy: Retain) only affects what happens when a resource is deleted or replaced, not whether CloudFormation updates the resource in place. It will not reliably prevent stack updates from resetting values.

Options B and C are larger architecture changes and require migrating configuration storage to DynamoDB or RDS—much more development effort and operational overhead.

Therefore, applying a stack policy to deny updates on Parameter Store parameters is the best and least-effort solution.

CodeDeploy Predefined Configurations: CodeDeploy offers built-in deployment configurations for common scenarios.

Canary Deployment: Canary deployments gradually shift traffic to a new version, ideal for controlled rollouts like this requirement.

CodeDeployDefault.ECSCanary10Percent15Minutes: This configuration matches the company's requirements, shifting 10% of traffic initially and then completing the rollout after 15 minutes.

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

Requirement Summary:

NLP Lambda function with a large pre-trained model

Lambda layer became 8.7 GB → Exceeds AWS limits

Function returns RequestEntityTooLargeException

Need: High-performing, portable, low initialization time

Important AWS Limits:

Lambda Layers size limit (combined across all layers): 250 MB (unzipped)

Deployment package size (unzipped): 250 MB

Lambda container image support allows up to 10 GB image size

Evaluate Options:

A: Store model in S3 and load during execution

Leads to cold start latency every time

Model loading from S3 is slower and not suitable for real-time NLP

Not optimal for performance

B: Use EFS mounted to Lambda

⚠️ Valid for large models, but adds latency during cold start as model loads from EFS

Requires EFS setup, VPC, and has added network I/O overhead

Still slower than bundling in container image

C: Split into five Lambda layers

Still violates the total layer size limit of 250 MB (unzipped)

You cannot exceed that even with multiple layers

D: Use Docker container image

Allows bundling up to 10 GB of dependencies and models

High portability and performance

Avoids latency of downloading models at runtime

Ideal for scientific/NLP models

Lambda container image support: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

Lambda limits: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html

Using large models with Lambda: https://aws.amazon.com/blogs/machine-learning/deploying-large-machine-learning-models-on-aws-lambda-with-container-images/

Tracing Distributed Systems: AWS X-Ray is designed to trace requests across services, helping identify bottlenecks in distributed applications like this one.

No Code Changes: Enabling X-Ray tracing often requires minimal code changes, meeting the requirement.

Identifying Bottlenecks: Analyzing X-Ray traces and logs will reveal latency in communications between different AWS services, leading to the high duration time.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To ensure that only a specific AWS Step Functions state machine (myStateMachine) can assume the service role, you must configure the correct trust policy in AWS IAM.

Trust Policies: Trust policies determine which entities (services or users) are allowed to assume the role. In this case, we want to restrict the trust policy to only allow the specific state machine (myStateMachine) to assume the role.

Using ArnLike: The condition "ArnLike" is used to specify that the SourceArn (which refers to the ARN of the entity assuming the role) must match a specific ARN. Option A specifies the exact ARN of the myStateMachine state machine, ensuring that only this state machine can assume the role.

Option B: This option is incorrect because it uses a wildcard (*) for the account ID, which would allow any state machine in the ap-south-1 region to assume the role, not just the specific one.

AWS Step Functions IAM Policies