Free Amazon Web Services DVA-C02 Practice Exam with Questions & Answers | Set: 11

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.

Step 1: Understanding the Requirements

Gradual Traffic Shift: Test the new version by routing only 10% of production traffic to it.

Lambda Deployment: Use versioning and aliases to manage Lambda function updates.

Step 2: Solution Analysis

Option A:

Publishing a new version creates an immutable version of the Lambda function with the updated code.

This is a prerequisite for deploying changes using weighted aliases.

Correct option.

Option B:

API Gateway stages are not used for weighted routing; they represent environments like " dev " or " prod. "

Weighted routing is implemented using Lambda aliases, not API Gateway stages.

Not suitable.

Option C:

Lambda aliases allow traffic to be split between versions using weighted routing.

Assign a 90% weight to the old version and 10% to the new version to implement the gradual rollout.

Correct option.

Option D:

Network Load Balancers are not suitable for managing Lambda function traffic directly.

Not applicable.

Option E:

Route 53 routing policies apply at the DNS level and are not designed for Lambda version management.

Not suitable.

Step 3: Implementation Steps

Publish a New Version:

Publish the updated Lambda function code as a new version.

Create an Alias and Configure Weighted Routing:

Create an alias (e.g., prod) and associate it with both the old and new versions.

Set weights for traffic distribution:

aws lambda update-alias --function-name my-function \

--name prod --routing-config ' { " AdditionalVersionWeights " : { " 2 " : 0.1}} '

AWS Developer References:

Lambda Function Aliases

Weighted Traffic Routing with Lambda

The requirement is to automatically delete objects for basic users after 90 days with the least development effort. Amazon S3 provides a built-in, fully managed feature for this: S3 Lifecycle configuration rules . Lifecycle rules can filter objects by prefix (and/or tags) and then perform actions such as expiring (deleting) objects after a specified number of days since creation. Because the bucket does not have versioning enabled, the relevant action is to expire the current object after the retention period.

Option C matches this exactly: create an S3 Lifecycle rule that applies only to objects under the basic/ prefix and configure the rule to expire current versions after 90 days . S3 then automatically and continuously enforces the policy without any code, scheduling, or operational maintenance. This is typically the lowest-effort and most reliable approach because it is handled by S3 itself.

Option A requires writing and operating a Lambda function plus a scheduler, handling pagination, permissions, error handling, retries, and potential costs and throttling when scanning large buckets. That is more development and operational effort than a lifecycle rule. Option B is incorrect because it targets the premium/ prefix, but premium objects must be retained indefinitely. Option D refers to delete markers and unfinished multipart uploads; delete markers are relevant primarily for versioned buckets , and cleaning up multipart uploads does not implement the required “delete basic objects after 90 days” behavior.

Therefore, the correct solution is C : use an S3 Lifecycle rule scoped to the basic/ prefix to expire objects after 90 days, achieving automated retention with minimal development effort.

AWS Lambda versions and aliases are designed specifically to support safe deployments, testing, and rollback. A Lambda version is immutable, meaning its code and configuration cannot change once published. Aliases act as pointers to specific versions and can be updated instantly.

AWS documentation recommends using aliases to manage environments such as dev , test , and prod . Each environment can reference a specific Lambda version, allowing the same function codebase to be promoted across accounts with confidence. If a defect is detected in production, the alias can be quickly repointed to a previously known good version, enabling an immediate rollback without redeployment.

Options B, C, and D introduce higher operational overhead or do not provide safe rollback. Deploying separately increases risk and management effort. Lambda layers are not intended for environment promotion. Environment variables do not protect against faulty code deployments.

Therefore, using Lambda versions and aliases is the most efficient and AWS-recommended solution.

To run a containerized job hourly in ECS with minimal infrastructure management, the best choice is AWS Fargate. Fargate is a serverless compute engine for containers that runs ECS tasks without the developer needing to provision, patch, or scale EC2 instances.

With option C, the developer defines an ECS task definition using the Fargate launch type and schedules it (commonly via Amazon EventBridge Scheduler / EventBridge rule triggering RunTask). ECS handles the placement, networking, and execution of the task on managed infrastructure. This is the least operational overhead approach because there are no instances to manage and no capacity planning required, which fits an hourly job with small CPU/RAM needs.

Option A (capacity providers) is primarily for managing EC2 capacity for ECS and still requires underlying instances, which increases operational burden.

Option B runs the app on an EC2 instance, which requires instance lifecycle management, OS patching, scaling considerations, and failure handling.

Option D refers to managed node groups (an EKS concept) and does not apply cleanly to ECS. Even in a Kubernetes context, nodes still need management compared to Fargate.

Therefore, defining a Fargate task is the simplest and lowest-management solution.

To create a central logging solution for microservices, using Amazon CloudWatch Logs is a recommended and effective approach. Here ' s why:

Amazon CloudWatch Logs Streams allow you to centralize logs from different services, which is crucial as the number of microservices increases.

Each microservice can have its own dedicated log stream within Amazon CloudWatch Logs, providing clear segregation of logs while still allowing centralized management.

This setup enables developers to monitor, search, and analyze logs efficiently using tools like CloudWatch Insights.

Other options like CloudTrail (B) are designed for API activity monitoring, not application logs. VPC Flow Logs (C) focus on network traffic rather than application behavior. AWS Cloud Map (D) is for service discovery and routing, not logging.

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.

Amazon API Gateway supports canary deployments , which are designed specifically for controlled production rollouts. Canary deployments allow a developer to direct a configurable percentage of traffic to a new deployment while the remainder continues to use the existing deployment.

AWS documentation states that canary releases help minimize customer impact by exposing only a subset of users to potential issues. Because the routing is request-based , individual users are less likely to encounter inconsistent behavior across multiple requests.

Route 53 weighted routing (Option B) operates at the DNS level and can result in users being routed unpredictably due to DNS caching. An Application Load Balancer (Option C) is not supported as a direct frontend for API Gateway stages and adds unnecessary complexity. Option A lacks traffic control guarantees.

Therefore, configuring a canary deployment on the production stage is the AWS-recommended and lowest-risk approach.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

The application relies on shared file storage that behaves like NFS and must be accessible concurrently by multiple containers across Kubernetes nodes. AWS documentation clearly identifies Amazon EFS as the AWS-native, fully managed, NFS-compatible file system designed for this purpose.

Amazon EFS provides elastic scaling , high availability across multiple Availability Zones, and native integration with container orchestration platforms. It is the most direct replacement for on-premises NFS, requiring minimal architectural change.

To run Kubernetes workloads on AWS with high availability, AWS recommends Amazon EKS , a managed Kubernetes service that automatically handles control plane availability and upgrades. EKS integrates natively with EFS using the Amazon EFS CSI driver, allowing pods across multiple nodes to mount the same file system concurrently.

Amazon EBS (Options A, C, and D) is block storage that can be attached to only one EC2 instance at a time (except in limited Multi-Attach scenarios) and is therefore unsuitable for shared NFS-style access across a Kubernetes cluster.

Uploading container images to Amazon ECR ensures secure, scalable storage for container images and seamless integration with EKS.

Therefore, migrating the NFS data to Amazon EFS and running the workloads on Amazon EKS is the fastest, most scalable, and AWS-recommended solution.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-overview.html#access-control-resource-ownership

Maximum concurrency for SQS as an event source allows customers to control the maximum concurrent invokes by the SQS event source1. When multiple SQS event sources are configured to a function, customers can control the maximum concurrent invokes of individual SQS event source1.

In this scenario, the developer needs to resolve the issue of the third-party API frequently returning an HTTP 429 Too Many Requests error message, which prevents a significant number of messages from being processed successfully. To achieve this, the developer can follow these steps:

Find out the documented rate limits of the third-party API, which specify how many requests can be made in a given time period.

Configure maximum concurrency on the SQS event source based on the rate limits of the third-party API. This will limit the number of concurrent invokes by the SQS event source and prevent exceeding the rate limits of the third-party API.

Test and monitor the application performance and adjust the maximum concurrency value as needed.

By using this solution, the developer can reduce the frequency of HTTP 429 errors and improve the message processing success rate. The developer can also avoid throttling or blocking by the third-party API.

Problem: CloudFormation can ' t find the custom AMI in the target region (us-west-1) because AMIs are region-specific.

Copying AMIs:

AMIs can be copied across regions, maintaining their configuration.

This approach minimizes operational overhead as the existing CloudFormation template can be reused with a minor update.

Updating the Template:

Modify the CloudFormation template in us-west-1 to reference the newly copied AMI ' s ID in that region.

The correct answer is C because AWS AppConfig provides built-in support for feature flags , allowing developers to enable or disable features dynamically without redeploying application code. This is exactly what the question requires: keeping features hidden from end users until the features are ready for release, and then selectively activating them when appropriate.

AWS documentation describes AppConfig as a service for managing application configuration in a safe and controlled way. Feature flags in AppConfig let teams separate deployment from release , which is a core best practice in modern application development. A developer can deploy code that contains unfinished or hidden functionality, while the actual visibility and activation of that functionality is controlled through feature flag values stored in an AppConfig configuration profile. When the feature is ready, the flag can be turned on without changing the application package.

Option A is incorrect because AWS AppSync is a managed GraphQL service and is not the AWS feature flag service for application configuration management. Option B is incorrect because DynamoDB Streams are used for capturing item-level changes and reacting to table updates, not for controlled feature activation. Option D is incorrect because Amplify DataStore is intended for client-side data synchronization and offline access patterns, not centralized production feature flag management.

Using AppConfig also provides operational benefits such as deployment strategies, configuration validation, and rollback support, which make it safer than building a custom feature toggle mechanism. For these reasons, AWS AppConfig feature flags are the most appropriate and AWS-recommended solution for hiding prerelease features and selectively enabling them later.

Therefore, C is the correct answer.