DVA-C02 Amazon Web Services AWS Certified Developer - Associate Free Practice Exam Questions (2026 Updated)

Requirement Summary:

Store customer orders in DynamoDB

Must encrypt data at rest

Company wants to use a key it generates (i.e., customer managed key)

Evaluate Options:

A. Set encryption to None, manually encrypt/decrypt in code

Overhead and error-prone

Also non-compliant with AWS encryption best practices

B. Use customer managed KMS key

Exactly meets the requirement: customer generates and controls the key

During table creation, you can specify a KMS CMK ARN

C. Default encryption + kms:Encrypt in SDK

Misunderstanding: DynamoDB handles encryption automatically

You don’t need to call kms:Encrypt manually in SDK

D. Use AWS managed key

Does not meet the requirement of using custom company-generated key

DynamoDB encryption: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

KMS customer managed keys: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

Principle of Least Privilege: Granting specific permissions through an IAM role is more secure than directly attaching policies to a function or using root user credentials.

IAM Roles for Lambda: Designed to provide temporary credentials to Lambda functions, enhancing security.

Reusability: The existing IAM policy ensures the correct S3 and DynamoDB access is granted.

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = " MobileApp "

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where OrderSource = " MobileApp " .

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-query-scan.html

Amazon CloudWatch is the service that collects and stores logs from AWS Lambda functions. The developer can use CloudWatch Logs Insights to query and analyze the logs for errors and metrics. Option A is not correct because Amazon S3 is a storage service that does not store Lambda function logs. Option B is not correct because AWS CloudTrail is a service that records API calls and events for AWS services, not Lambda function logs. Option D is not correct because Amazon DynamoDB is a database service that does not store Lambda function logs.

To add a caching layer for frequently requested data (such as “most viewed products”), the AWS-native choice is Amazon ElastiCache, commonly using Redis for low-latency key/value caching, counters, sorted sets, and leaderboard-like patterns. Redis is particularly well-suited for ecommerce “top N” or popularity queries because it supports atomic increments and sorted sets, enabling efficient ranking updates.

Option B correctly introduces an ElastiCache (Redis OSS) cluster and updates the application to read from Redis first (cache-aside or write-through patterns) instead of hitting the RDS MySQL cluster for every request. This offloads read pressure from the database, reduces latency, and improves overall throughput.

Option A is not a valid RDS feature: you do not add a “cache node” to an RDS MySQL cluster as part of RDS itself.

Option C is incorrect because DAX is a caching layer specifically for DynamoDB, not for RDS MySQL.

Option D improves availability via Multi-AZ standby, but the standby is not for read scaling in standard RDS Multi-AZ (it’s primarily for failover). It does not provide a cache and does not solve the performance needs for hot reads.

The most secure and AWS-recommended way for a Lambda function to access other AWS services is to use an IAM execution role. Lambda assumes this role at runtime and receives temporary credentials that are automatically rotated by AWS. The developer attaches the necessary permissions (the existing IAM policy) to that role, and then configures the Lambda function to use the role.

Option B follows least privilege and avoids long-term credentials. It also integrates with AWS security tooling: IAM Access Analyzer, CloudTrail, and policy boundaries can all be applied cleanly. Because the policy already exists, this requires minimal extra work: create/choose the execution role, attach the policy, and assign the role to the function.

Option A is not correct because IAM policies are attached to IAM identities (users, groups, roles) — not directly to Lambda functions as standalone entities. Lambda permissions are granted through the function’s execution role.

Option C is insecure because it uses long-term IAM user access keys embedded in environment variables. Even if encrypted, this expands the blast radius, complicates rotation, and contradicts AWS best practices for avoiding static credentials inside code/runtime.

Option D is extremely insecure and noncompliant. Root user access keys should not be used for applications and should generally not exist.

Therefore, create and attach the existing policy to a Lambda execution IAM role and assign that role to the function.

Requirement Summary:

NLP Lambda function with a large pre-trained model

Lambda layer became 8.7 GB → Exceeds AWS limits

Function returns RequestEntityTooLargeException

Need: High-performing, portable, low initialization time

Important AWS Limits:

Lambda Layers size limit (combined across all layers): 250 MB (unzipped)

Deployment package size (unzipped): 250 MB

Lambda container image support allows up to 10 GB image size

Evaluate Options:

A: Store model in S3 and load during execution

Leads to cold start latency every time

Model loading from S3 is slower and not suitable for real-time NLP

Not optimal for performance

B: Use EFS mounted to Lambda

⚠️ Valid for large models, but adds latency during cold start as model loads from EFS

Requires EFS setup, VPC, and has added network I/O overhead

Still slower than bundling in container image

C: Split into five Lambda layers

Still violates the total layer size limit of 250 MB (unzipped)

You cannot exceed that even with multiple layers

D: Use Docker container image

Allows bundling up to 10 GB of dependencies and models

High portability and performance

Avoids latency of downloading models at runtime

Ideal for scientific/NLP models

Lambda container image support: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

Lambda limits: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html

Using large models with Lambda: https://aws.amazon.com/blogs/machine-learning/deploying-large-machine-learning-models-on-aws-lambda-with-container-images/

For service-to-service calls inside AWS, the simplest and most secure way to authenticate a caller (Lambda) to an API Gateway HTTP API is to use IAM authorization . When IAM auth is enabled on a route, API Gateway requires requests to be signed with AWS Signature Version 4 (SigV4) . The calling Lambda function can sign the request using the AWS SDK (or SigV4 utilities) and its execution role credentials .

With this approach, you grant the Lambda function’s execution role explicit permission to invoke the API by allowing the execute-api:Invoke action on the API’s ARN. API Gateway then evaluates the SigV4-signed request against IAM to decide whether to authorize the call. This creates a clean, auditable permission model and avoids embedding static secrets.

Option A is incorrect and overly complex: JWT authorizers are typically used for end-user or workload identities from an OIDC/JWT provider; creating an IAM IdP is not how you enable JWT authorizers for HTTP APIs, and it does not directly solve Lambda-to-API authentication. Option C (API keys) is not considered an authentication mechanism for HTTP APIs in the same way; API keys are primarily for usage plans/throttling (and are more common with REST APIs). Storing an API key in environment variables is also weaker than IAM-based, short-lived credentials. Option D is backwards: a Lambda resource-based policy controls who can invoke the Lambda function, not who can call an API Gateway endpoint.

Therefore, B is the correct solution: enable IAM authorization on the HTTP API route and grant the Lambda function’s IAM role permission to invoke the API (and sign requests with SigV4).

The correct answer is B because messages in an Amazon SQS queue become temporarily hidden from other consumers only for the duration of the queue’s visibility timeout . If the Lambda function is still processing a message when that visibility timeout expires, the message becomes visible again and can be received another time, which looks like the message is reappearing during processing.

AWS documentation explains that when Lambda polls SQS, the queue’s visibility timeout must be configured long enough to allow the function to finish processing and for Lambda to delete the message successfully. If the visibility timeout is too short, duplicate processing can occur even when the function is working correctly.

Option A is not the best answer because increasing the Lambda timeout alone does not prevent the message from reappearing if the SQS visibility timeout remains shorter than the processing duration. Option C could improve performance in some cases, but it does not directly address the root cause of message visibility. Option D changes how many messages are processed together, but it does not solve the issue of messages becoming visible again before processing is complete.

The key operational principle is that the SQS visibility timeout should exceed the Lambda processing time , with enough buffer for retries and deletion. This ensures that while Lambda is processing the message, other consumers do not see it again. Therefore, the correct fix is to increase the visibility timeout of the SQS queue , making B the correct answer.

SQS Delivery Behavior: Standard SQS queues guarantee at-least-once delivery, meaning messages may be processed more than once. This can lead to duplicate emails in this scenario.

Visibility Timeout: If the visibility timeout on the SQS queue is too short, a message might become visible for another consumer before the first Lambda function finishes processing it. This can also lead to duplicates.

AWS AppConfig , a capability of AWS Systems Manager, is specifically designed to manage feature flags , configuration changes, and application toggles safely and dynamically. AWS documentation highlights AppConfig as the recommended service for enabling and disabling application features without redeploying code.

Feature flags in AppConfig allow developers to control visibility, rollout strategies, and gradual releases across environments. AppConfig supports validation, monitoring, and rollback to prevent misconfigurations from impacting users.

Option A is incorrect because AWS AppSync is a GraphQL service and does not manage feature flags. Options B and D misuse data storage and synchronization services for configuration management, introducing unnecessary complexity and risk.

Using AWS AppConfig enables developers to hide features , activate them instantly when ready, and manage them centrally with minimal operational overhead.

Therefore, AWS AppConfig feature flags are the correct and AWS-recommended solution.

AWS CloudFormation parameters allow templates to be reused across multiple environments by injecting environment-specific values at deployment time. AWS documentation recommends parameters for environment names such as dev, test, and prod.

To ensure unique resource names, CloudFormation intrinsic functions can dynamically construct names. Fn::Sub allows string interpolation, and !Ref retrieves the parameter value. Together, they enable resource names like myapp-dev-bucket or myapp-prod-role.

Conditions (Option B) control whether resources are created but do not generate unique names. Rules (Option C) validate parameters but do not affect naming. Fn::GetAtt (Option E) retrieves resource attributes and is not used to build names.

Therefore, defining an environment name parameter and using Fn::Sub with !Ref is the correct and AWS-recommended approach.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The API needs to:

Generate responses without backend integrations: This indicates the use of mock responses for testing.

Be used by multiple internal teams during development.

Minimize operational overhead.

2. Key Features of Amazon API Gateway:

REST APIs: Fully managed API Gateway option that supports advanced capabilities like mock integrations, request/response transformation, and more.

HTTP APIs: Lightweight option for building APIs quickly. It supports fewer features but has lower operational complexity and cost.

Mock Integration: Allows API Gateway to return pre-defined responses without requiring backend integration.

3. Explanation of the Options:

Option A: " Create an Amazon API Gateway REST API. Set up a proxy resource that has the HTTP proxy integration type. " A proxy integration requires a backend service for handling requests. This does not meet the requirement of " no backend integrations. "

Option B: " Create an Amazon API Gateway HTTP API. Provision a VPC link, and set up a private integration on the API to connect to a VPC. " This requires setting up a VPC and provisioning resources, which increases operational overhead and is unnecessary for this use case.

Option C: " Create an Amazon API Gateway HTTP API. Enable mock integration on the method of the API resource. " While HTTP APIs can enable mock integrations, they have limited support for advanced features compared to REST APIs, such as detailed request/response customization. REST APIs are better suited for development environments requiring mock responses.

Option D: " Create an Amazon API Gateway REST API. Enable mock integration on the method of the API resource. " This is the correct answer. REST APIs with mock integration allow defining pre-configured responses directly within API Gateway, making them ideal for scenarios where backend services are unavailable. It provides flexibility for testing while minimizing operational overhead.

4. Implementation Steps:

To enable mock integration with REST API:

Create a REST API in API Gateway:

Open the API Gateway Console.

Choose Create API > REST API.

Define the API Resource and Methods:

Add a resource and method (e.g., GET or POST).

Set Up Mock Integration:

Select the method, and in the Integration Type, choose Mock Integration.

Configure the Mock Response:

Define a 200 OK response with the desired response body and headers.

Deploy the API:

Deploy the API to a stage (e.g., dev) to make it accessible.

5. Why REST API Over HTTP API?

REST APIs support detailed request/response transformations and robust mock integration features, which are ideal for development and testing scenarios.

While HTTP APIs offer lower cost and simplicity, they lack some advanced features required for fine-tuned mock integrations.

AWS Lambda combined with Amazon S3 event notifications provides the most cost-effective and lowest-latency solution for processing objects uploaded to S3. AWS documentation states that S3 event notifications can invoke Lambda functions immediately after object creation, eliminating delays associated with polling or scheduled execution.

Because the data arrives only about 10 times per day and processing completes quickly, Lambda is ideal due to its pay-per-invocation pricing model . There is no need to maintain always-on infrastructure, which significantly reduces cost compared to running EC2 instances. The developer pays only for execution time and requests.

Using CloudWatch alarms (Option A) or scheduled events (Option C) introduces unnecessary latency and complexity. These approaches either delay processing or require periodic checks rather than reacting instantly to object uploads. Polling from EC2 (Option D) is the most expensive and least efficient option because it requires continuously running compute resources.

AWS best practices for event-driven architectures explicitly recommend S3 event notifications → Lambda for near-real-time processing of uploaded data. This approach minimizes operational overhead, achieves near-zero idle cost, and provides the fastest possible response to new data.

Therefore, invoking a Lambda function directly through an S3 event notification is the optimal solution.

Step-by-Step Breakdown:

Requirement Summary:

Get notified when EC2 CPU Utilization > 80%

Option A: CloudWatch Alarm with SNS

Correct and standard AWS practice

CloudWatch automatically collects EC2 metrics, including CPUUtilization.

You can set a CloudWatch Alarm with a threshold (80% in this case).

Then, trigger an SNS notification to email, SMS, Lambda, etc.

Option B: AWS CloudTrail alarm

Incorrect: CloudTrail logs API activity, not performance metrics.

It doesn’t track metrics like CPU utilization.

Option C: Cron job on EC2 running --describe-instance-information

Incorrect: This doesn’t give CPU usage.

Also inefficient, and polling is bad practice when CloudWatch already monitors this natively.

Option D: Lambda function querying CloudTrail for CPU usage

Incorrect and conceptually flawed.

CloudTrail does not store performance metrics; CloudWatch does.

CloudWatch Alarms for EC2: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

EC2 Metrics in CloudWatch: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

Amazon SNS Notification Setup: https://docs.aws.amazon.com/sns/latest/dg/sns-email-notifications.html

Amazon API Gateway supports canary deployments , which are designed specifically for controlled production rollouts. Canary deployments allow a developer to direct a configurable percentage of traffic to a new deployment while the remainder continues to use the existing deployment.

AWS documentation states that canary releases help minimize customer impact by exposing only a subset of users to potential issues. Because the routing is request-based , individual users are less likely to encounter inconsistent behavior across multiple requests.

Route 53 weighted routing (Option B) operates at the DNS level and can result in users being routed unpredictably due to DNS caching. An Application Load Balancer (Option C) is not supported as a direct frontend for API Gateway stages and adds unnecessary complexity. Option A lacks traffic control guarantees.

Therefore, configuring a canary deployment on the production stage is the AWS-recommended and lowest-risk approach.

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. The developer can create an S3 bucket to host the repository and migrate the existing .xml files to the S3 bucket. The developer can update the application code to use the AWS SDK to read and write configuration files from S3. This solution will meet the requirement of high availability for the repository in a cost-effective way.

This workload is overwhelmingly read-heavy and repeatedly queries the same relatively static reference data (postal codes mapped to coordinates). The best way to reduce latency and offload Amazon RDS is to introduce an application-side cache using a lazy loading (cache-aside) pattern and choose a TTL that reflects how often the underlying data changes.

With lazy loading , the application first checks the cache for the postal code. If the value is present (a cache hit), the application returns the coordinates immediately with low latency and without querying the database. If the value is absent (a cache miss), the application reads from RDS, returns the result, and then populates the cache for subsequent requests. This pattern is operationally simple and widely used because the application controls what is cached and when.

A large TTL is appropriate here because postal-code-to-coordinate mappings typically do not change frequently. A longer TTL maximizes cache hit ratio, which is critical because each postal code is requested thousands of times per day. High cache hit rates reduce database read load, decrease query contention, and substantially improve response times. In contrast, a small TTL would cause frequent expirations and repeated database lookups, reducing the performance benefit and increasing database load.

Write-through and write-behind caching (options C and B) are designed to coordinate caching with writes . They are useful when write consistency and write performance are central concerns. Here, writes are rare; the performance issue is repeated reads. Write-behind can also introduce consistency delays, which is unnecessary for this scenario.

Therefore, the best change is D : implement a lazy loading (cache-aside) caching strategy with a large TTL to keep hot, rarely changing postal code lookups in cache and dramatically reduce read latency and database load.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

To create a central logging solution for microservices, using Amazon CloudWatch Logs is a recommended and effective approach. Here ' s why:

Amazon CloudWatch Logs Streams allow you to centralize logs from different services, which is crucial as the number of microservices increases.

Each microservice can have its own dedicated log stream within Amazon CloudWatch Logs, providing clear segregation of logs while still allowing centralized management.

This setup enables developers to monitor, search, and analyze logs efficiently using tools like CloudWatch Insights.

Other options like CloudTrail (B) are designed for API activity monitoring, not application logs. VPC Flow Logs (C) focus on network traffic rather than application behavior. AWS Cloud Map (D) is for service discovery and routing, not logging.

The requirement here is to ensure that Lambda functions are executed in a specific order. AWS Step Functions is a low-code workflow orchestration service that enables you to sequence AWS services, such as AWS Lambda, into workflows. It is purpose-built for situations like this, where different steps need to be executed in a strict sequence.

AWS Step Functions: Step Functions allows developers to design workflows as state machines, where each state corresponds to a particular function. In this case, the developer can create a Step Functions state machine where each step (order processing, inventory management, etc.) is represented by a Lambda function.

Operational Overhead: Step Functions have very low operational overhead because it natively handles retries, error handling, and function sequencing.

Alternatives:

Amazon SQS (Option A): While SQS can manage message ordering, it requires more manual handling of each step and the logic to sequentially invoke the Lambda functions.

Amazon SNS (Option B): SNS is a pub/sub service and is not designed to handle sequences of Lambda executions.

EventBridge (Option D): EventBridge Scheduler allows you to invoke Lambda functions based on scheduled times, but it doesn’t directly support sequencing based on workflow logic.Therefore, AWS Step Functions is the most appropriate solution due to its native orchestration capabilities and minimal operational complexity.

AWS Step Functions documentation

The correct answer is B because AWS AppConfig is designed specifically for application configuration, feature flags, controlled rollouts, configuration validation, and safe deployment practices . The scenario requires rollout in staging first, then gradual exposure to 10% of production users , audience targeting by user attributes , validation before deployment, and the ability to perform instant rollback without redeploying code . AWS AppConfig feature flags provide all of these capabilities.

AWS documentation describes AppConfig as a service for creating, managing, and deploying dynamic application configurations. With feature flags, a company can separate release from deployment and safely enable or disable features for selected audiences. AppConfig supports environment-scoped configurations , so staging and production can have different flag states. It also supports deployment strategies for gradual rollouts and includes validators to check configuration before deployment. In addition, AppConfig supports immediate rollback if a problem occurs, which is a major advantage over approaches that depend on application redeployment.

Option A is incorrect because environment variables typically require a deployment change and do not provide audience targeting, staged rollout controls, or fast rollback. Option C is better suited for storing configuration values, but it does not provide the same rich feature flag targeting and rollout management capabilities as AppConfig. Option D is possible in theory, but it requires building and maintaining a custom service, which is more complex and less reliable than using the managed AWS service built for this purpose.

Therefore, AWS AppConfig feature flags are the best fit for the stated requirements.

Lambda Destinations on Failure: Allow routing asynchronous function invocations to specified resources (like another Lambda function) upon failure.

Error Handling: The error-handling Lambda receives details about the failure, enabling logging and custom actions.

Direct Integration: This solution leverages native Lambda functionality for a simpler implementation.

The base table’s primary key is UserID, which means efficient Query operations on the table natively require specifying UserID (partition key equality). The required access pattern, however, is to retrieve many users for a given Location and then filter/sort by RegistrationDate (users who registered after a given date). Because Location is not part of the table’s primary key, the efficient DynamoDB approach is to create an index that supports this access pattern.

A global secondary index (GSI) can have a different partition key and sort key than the base table. By creating a GSI with Location as the partition key and RegistrationDate as the sort key, the application can use the Query operation to fetch all users in a specific location (Location = :loc) and apply a sort key condition such as RegistrationDate > :date (or BETWEEN), which is efficient and avoids a full-table scan. This design is the canonical pattern for optimizing DynamoDB queries: model the table and indexes around known access patterns so the application can use Query instead of Scan.

Option C (LSI) is not valid for this requirement because an LSI must use the same partition key as the base table (UserID). Since the access pattern is by Location, an LSI cannot make Location the partition key. Option B (Scan + filter) is inefficient at scale because Scan reads every item (or every item in the scanned segments) and then filters results, consuming read capacity and increasing latency. Option D (BatchGetItem) requires the caller to already know the primary keys of the items to retrieve; it cannot discover “all users in a location after a date” and does not support filtering in the way Query on an index does.

Therefore, A is the correct and most efficient solution: a GSI on (Location, RegistrationDate) and Query with a date range condition.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

This solution will meet the requirements by creating a Lambda function execution role, which is an IAM role that grants permissions to a Lambda function to access AWS resources such as Amazon S3 objects. The developer can attach a policy to the role that grants access to specific objects in the S3 bucket that are required by the application, following the principle of least privilege. Option A is not optimal because it will hardcode the credentials that are required to access S3 objects in the application code, which is insecure and difficult to maintain. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will store the secret access key and access key ID as environment variables in Lambda, which is also insecure and difficult to maintain.

The goal is to reduce a given item’s price by 100 only when the resulting value would not fall below 500 . That means the update should occur only when the current Price is at least 600 (because Price - 100 > = 500 ⇒ Price > = 600). The requirement also says to do this with the least number of calls to DynamoDB. The most efficient approach is to use a single UpdateItem call with a ConditionExpression so DynamoDB enforces the rule atomically.

Option B does exactly that: issue one UpdateItem request that updates Price = Price - :delta (using an update expression) while including a condition like Price > = :minPriceBeforeReduction (where :minPriceBeforeReduction is 600). If the condition is true, DynamoDB performs the update; if it’s false, DynamoDB rejects the write with ConditionalCheckFailedException. This avoids a separate read/query call and prevents race conditions where the price could change between a read and a subsequent write.

Option A requires two calls (Query then UpdateItem) and is vulnerable to time-of-check/time-of-use issues unless additional conditional logic is added to the update anyway. Option C adds an extra condition on category, but the requirement is “reduce all inventory prices” subject to the minimum resulting price; filtering by category is unnecessary and can cause eligible items in other categories to be skipped. Option D expresses the rule in a mathematical form; while conceptually correct, DynamoDB condition expressions do not generally support arbitrary arithmetic in the condition the same way as a simple comparison, so the standard implementation is to compare against 600 directly.

Therefore, B is the correct choice: one UpdateItem call with a condition expression Price > = 600 minimizes DynamoDB calls and enforces the pricing rule safely and atomically.