DVA-C02 Amazon Web Services AWS Certified Developer - Associate Free Practice Exam Questions (2025 Updated)

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as the sort key.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to-live (TTL) period. This can improve the responsiveness of the APIs by reducing the number of calls made to the backend service.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

When you need to provide an AWS Lambda function access to private resources in a VPC, the most common and straightforward approach is to attach the Lambda function to a VPC via private subnets. Once the Lambda function is associated with the VPC, you need to configure appropriate security groups to control the access to the private resources.

Lambda with VPC Access: Lambda functions can be attached to private subnets in a VPC, allowing them to access resources like RDS, EC2, or internal services within that VPC.

Security Groups: A security group acts as a virtual firewall for the Lambda function, ensuring that it can access only the necessary resources and ports in the VPC.

Alternatives:

Option Binvolves routing traffic through a VPN, which adds unnecessary complexity and operational overhead compared to simply attaching the Lambda to the VPC.

Option Crequires configuring a VPC endpoint and a NAT gateway, which can be complex and costly.

Option Drefers to AWS PrivateLink, which is used to access services over private connections, but it's unnecessary in this scenario unless you need a cross-VPC connection.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To ensure that only a specific AWS Step Functions state machine (myStateMachine) can assume the service role, you must configure the correct trust policy in AWS IAM.

Trust Policies: Trust policies determine which entities (services or users) are allowed to assume the role. In this case, we want to restrict the trust policy to only allow the specific state machine (myStateMachine) to assume the role.

Using ArnLike: The condition "ArnLike" is used to specify that the SourceArn (which refers to the ARN of the entity assuming the role) must match a specific ARN. OptionAspecifies the exact ARN of the myStateMachine state machine, ensuring that only this state machine can assume the role.

Option B: This option is incorrect because it uses a wildcard (*) for the account ID, which would allow any state machine in the ap-south-1 region to assume the role, not just the specific one.

This step should be completed prior to deploying the application because it prepares the application artifacts for deployment. The AWS Serverless Application Model (AWS SAM) is a framework that simplifies building and deploying serverless applications on AWS. The AWS SAM CLI is a command-line tool that helps you create, test, and deploy serverless applications using AWS SAM templates. The sam package command bundles the application artifacts, such as Lambda function code and API definitions, and uploads them to an Amazon S3 bucket. The command also returns a CloudFormation template that is ready to be deployed with the sam deploy command. Compressing the application to a zip file and uploading it to AWS Lambda will not work because it does not use AWS SAM templates or CloudFormation. Testing the new Lambda function by first tracing it in AWS X-Ray will not prepare the application for deployment, but only monitor its performance and errors. Creating the application environment using the eb create my-env command will not work because it is a command for AWS Elastic Beanstalk, not AWS SAM.

This solution will meet the requirements by creating a single S3 bucket policy that denies access to the S3 bucket unless the request comes from one of the specified VPC endpoints. The aws:SourceVpce condition key is used to match the ID of the VPC endpoint that is used to access the S3 bucket. The StringNotEquals condition operator is used to negate the condition, so that only requests from the listed VPC endpoints are allowed. Option A is not optimal because it will create multiple S3 bucket policies, which is not possible as only one bucket policy can be attached to an S3 bucket. Option B is not optimal because it will use the aws:SourceVpc condition key, which matches the ID of the VPC that is used to access the S3 bucket, not the VPC endpoint. Option C is not optimal because it will use the StringNotEquals condition operator with a single value, which will deny access to the S3 bucket from all VPC endpoints except one.

This solution will limit the ability to download a premier content file in the S3 bucket to paid subscribers only because it uses a pre-signed object URL that grants temporary access to an S3 object for a specified duration. The pre-signed object URL can be generated by the company’s website when a paid subscriber requests a download, and can be verified by Amazon S3 using the signature in the URL. Option A is not optimal because it will allow anyone to download the content from the S3 bucket without verifying their subscription status. Option C is not optimal because it will require additional steps and costs to configure multi-factor authentication for accessing the S3 bucket objects, which may not be feasible or user-friendly for paid subscribers. Option D is not optimal because it will not prevent non-paying website visitors from accessing the S3 bucket objects, but only encrypt them at rest.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-overview.html#access-control-resource-ownership

TheImmutabledeployment method is the best choice when a company requires minimal downtime and automatic rollback in case of a failure. Here's why:

InImmutable deployments, a new set of instances is launched with the updated version. These instances are tested and validated before they replace the old instances. This ensures zero downtime and immediate rollback if the deployment fails.

All at once (A)causes downtime because the update replaces all instances simultaneously.

Rolling deployments (B)update a few instances at a time, but if a failure occurs midway, downtime or partial unavailability can happen.

Snapshots (C)are not a deployment strategy in Elastic Beanstalk.

Comprehensive and Detailed Step-by-Step Explanation:

Issue Analysis:

The stream uses service name as the partition key. This can cause "hot partition" issues when a few service names generate significantly more logs compared to others, causing uneven distribution of data across shards.

Metrics show that the write capacity used is below provisioned capacity, which confirms that the throughput errors are due to shard-level limits and not overall capacity.

Option C: Change Partition Key to Creation Timestamp:

By changing the partition key to the creation timestamp (or a composite key including timestamp), the distribution of data across shards can be randomized, ensuring an even spread of records.

This resolves the shard overutilization issue and eliminates ProvisionedThroughputExceededException.

Why Other Options Are Incorrect:

Option A:Switching to on-demand capacity mode might temporarily alleviate the issue, but the root cause (hot partitioning) remains unresolved.

Option B:Adding shards increases capacity but does not fix the skewed data distribution caused by using the service name as the partition key.

Option D:Creating separate streams for each service adds unnecessary complexity and does not scale well as the number of services grows.

Distributed Tracing with X-Ray: X-Ray helps visualize request paths and identify bottlenecks in applications distributed across Regions.

Region Annotations (Automatic for AWS Services): X-Ray automatically adds a Region annotation to segments representing calls to AWS services. This aids in tracing cross-Region traffic.

Region Annotations (Manual for User-Defined): For segments representing calls to user-defined services in different Regions, the developer needs to add the Region annotation manually to enable comprehensive tracing.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can define a development stage on the API Gateway API and instruct the other developers to point the endpoints to the development stage. This way, the developer can provide beta access to the new version of the API without affecting customers who use the production stage. This solution will meet the requirements with the least operational overhead.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

This solution will meet the requirements by using AWS X-Ray to analyze and debug the performance issues with the distributed Lambda applications. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can use AWS X-Ray to identify the root cause of the performance issues by examining the segments and errors that show the details of each request and the components that make up the applications. Option A is not optimal because it will use logging statements and Amazon CloudWatch, which may not provide enough information or visibility into the distributed applications. Option B is not optimal because it will use AWS CloudTrail, which is a service that records API calls and events for AWS services, not application performance data. Option D is not optimal because it will use Amazon Inspector, which is a service that helps improve the security and compliance of applications on Amazon EC2 instances, not Lambda functions.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects usingKMS keys

Cross-account read accessto another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

✅Correct: Customer managed keys allow full control ofkey policy.

You can add a statement to allowcross-account accessusing the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

❌Incorrect: AWS-managed KMS keys (aws/s3)cannot be modifiedto add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

❌Incorrect: SCPs are used torestrict or allow permissions across AWS Organizations, not togrant S3 or KMS accessdirectly.

Option D: Create a bucket policy granting s3:GetObject to second account

✅Correct: Bucket policies can grantcross-account accessto specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

❌Incorrect: Gateway endpoints only applywithin the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS:https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy:https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access:https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

Using a dead-letter queue (DLQ) with Amazon SQS is the most operationally efficient solution for handling unprocessable messages.

Amazon SQS Dead-Letter Queue:

A DLQ is used to capture messages that fail processing after a specified number of attempts.

Allows the application to continue processing other messages without being blocked.

Messages in the DLQ can be analyzed later for debugging and resolution.

Why DLQ is the Best Option:

Operational Efficiency: Automatically defers messages with errors, ensuring the queue is not blocked.

Analysis Ready: Messages in the DLQ can be inspected to identify recurring issues.

Scalable: Works seamlessly with Lambda and SQS at scale.

Why Not Other Options:

Option A: Logs the messages but does not resolve the queue blockage issue.

Option C: FIFO queues and 0-second retention do not provide error handling or analysis capabilities.

Option D: Alerts administrators but does not handle or store the unprocessable messages.

Steps to Implement:

Create a new SQS queue to serve as the DLQ.

Attach the DLQ to the primary queue and configure the Maximum Receives setting.

S3 Object Lambda allows you to add your own code to process data retrieved from S3 before returning it to an application. You can use an AWS Lambda function to modify the data, such as removing PII, redacting confidential information, or resizing images. You can create an S3 Object Lambda access point and associate it with your Lambda function. Then, you can use the access point to request objects from S3 and get the modified data back. This way, you can maintain only one copy of the original document in S3 and apply different transformations depending on who accesses it. Reference: Using AWS Lambda with Amazon S3