Free Amazon Web Services DVA-C02 Practice Exam with Questions & Answers | Set: 6

To rotate database credentials without downtime, Secrets Manager recommends the alternating users (dual user) rotation strategy. With a single-user strategy, Secrets Manager changes the password for the same database user that the application is actively using. If the application continues using cached/old credentials during rotation, authentication failures and downtime can occur.

With the alternating users strategy, two database users exist (often named something like appuser and appuser_clone). Secrets Manager alternates which user is “active” in the secret. During rotation, Secrets Manager updates the inactive user’s password, verifies it, updates the secret to point to the newly updated user, and then (optionally) retires the old credentials. This approach minimizes disruption because there is always one known-good credential set while the other is being updated.

The question specifically requires regular rotation using Secrets Manager. That is achieved by enabling automatic rotation on the secret with a schedule (for example, every 30/60/90 days). Automatic rotation invokes the rotation Lambda (AWS-provided or configured) and performs the workflow without manual intervention.

Option D combines both requirements: automatic rotation plus the alternating users strategy for high availability and no downtime.

Option B mentions alternating users but “managed rotation” is not the standard term used in these choices as the primary differentiator—automatic rotation is the necessary capability to rotate regularly without manual effort.

Options A and C (single user) are more likely to cause downtime during rotation.

Therefore, configure automatic rotation with the alternating users rotation strategy.

In CodePipeline, the service designed to run builds, execute unit/integration tests, and produce build artifacts (including test reports) is AWS CodeBuild. CodeBuild runs commands specified in a buildspec.yml file and supports reporting outputs such as test results (for example, JUnit XML), code coverage, and other build metadata.

Option A is correct because the developer can configure the CodeBuild project to run the test suite during the build phase and configure the buildspec to publish test report files. This integrates naturally into CodePipeline as a build stage, and the reports are generated consistently on each pipeline execution.

Option B is incorrect: CodeDeploy is for deploying applications (in-place/blue-green) and lifecycle hooks, not for standard build/test report generation.

Option C increases operational overhead by managing an EC2 build server, which is unnecessary when CodeBuild provides managed build environments.

Option D is unrelated: CodeArtifact is a package repository, not a test reporting solution.

Therefore, use CodeBuild and configure test reports via the buildspec.

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications3. The sam local generate-event command of AWS SAM CLI generates sample events for automated tests3. The sam local invoke command is used to invoke Lambda functions3. Therefore, option C is correct.

DynamoDB already supports encryption at rest by default (with AWS owned keys or AWS managed/customer managed KMS keys). However, the requirement here is stronger and explicit: patient data must be encrypted before it is stored in DynamoDB, meaning the encryption must occur client-side / application-side so that the data remains encrypted as it traverses the stack and is still encrypted when written to the table. This is often required for highly sensitive PII/PHI where administrators or downstream systems should not see plaintext.

Option A meets this requirement by encrypting the payload inside the Lambda function before making the PutItem call to DynamoDB, using KMS-backed envelope encryption via the AWS Encryption SDK (the option names it “Database Encryption SDK,” but the intent is client-side encryption). The encrypted fields remain ciphertext in transit to DynamoDB and at rest inside DynamoDB, satisfying both “in transit” and “at rest” with encryption happening prior to storage.

Option B only ensures DynamoDB encryption at rest at the service level, but the data would still be plaintext in the item attributes as seen by the application and anyone with DynamoDB read permissions (even though stored encrypted on disk). It does not guarantee “encrypted before stored.”

Option C encrypting after the write via streams is too late: plaintext would already be stored (and potentially accessed) before post-processing.

Option D adds unnecessary workflow complexity. Encrypting in a queue still requires encryption before DynamoDB, but it does not inherently simplify compared to encrypting directly in the Lambda that writes to DynamoDB.

Therefore, client-side encryption in Lambda using KMS-backed encryption is the correct solution.

A function alias is a pointer to a specific Lambda function version. You can use aliases to create different environments for your function, such as development, testing, and production. You can also use aliases to perform blue/green deployments by shifting traffic between two versions of your function gradually. This way, you can easily roll back to a previous version if something goes wrong, without having to redeploy your code or change your configuration. Reference: AWS Lambda function aliases

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

Problem: Directory access without file names fails.

S3 Static Website Hosting:

Configuring S3 as a static website enables automatic serving of index.html for directory requests.

Bucket policies ensure correct access permissions.

Updating the CloudFront origin simplifies routing.

Avoiding Public Exposure: The S3 website endpoint allows CloudFront to access content without making the bucket public.

For client-side encryption with AWS KMS, the documented pattern is envelope encryption: you use KMS to generate and protect a data encryption key (DEK), and you use that DEK locally to encrypt the actual data. This is the correct approach for large payloads (such as 10 MB documents), because the KMS Encrypt API is intended for encrypting small amounts of data (KMS is not designed to directly encrypt multi-megabyte application payloads).

With envelope encryption, the application calls GenerateDataKey on AWS KMS, specifying the KMS key (customer managed key) to use. KMS returns two versions of the DEK in the response:

a plaintext DEK (usable immediately by the application for local cryptographic operations), and

a ciphertext (encrypted) DEK that is encrypted under the specified KMS key.

The application then uses the plaintext DEK to encrypt the 10 MB document on the client side (for example, using an authenticated encryption mode such as AES-GCM via a standard crypto library). After encryption completes, the application must not persist the plaintext DEK; instead, it stores the encrypted document alongside the ciphertext DEK. Later, to decrypt, the application sends the ciphertext DEK to KMS using Decrypt to recover the plaintext DEK, and then decrypts the document locally.

Therefore, option D is correct because it explicitly uses GenerateDataKey and the plaintext DEK to encrypt the data, which is the required envelope-encryption flow. Options A, B, and C do not follow the correct KMS envelope-encryption process for large client-side payloads.

Tracing Distributed Systems: AWS X-Ray is designed to trace requests across services, helping identify bottlenecks in distributed applications like this one.

No Code Changes: Enabling X-Ray tracing often requires minimal code changes, meeting the requirement.

Identifying Bottlenecks: Analyzing X-Ray traces and logs will reveal latency in communications between different AWS services, leading to the high duration time.

The base table’s primary key is UserID, which means efficient Query operations on the table natively require specifying UserID (partition key equality). The required access pattern, however, is to retrieve many users for a given Location and then filter/sort by RegistrationDate (users who registered after a given date). Because Location is not part of the table’s primary key, the efficient DynamoDB approach is to create an index that supports this access pattern.

A global secondary index (GSI) can have a different partition key and sort key than the base table. By creating a GSI with Location as the partition key and RegistrationDate as the sort key, the application can use the Query operation to fetch all users in a specific location (Location = :loc) and apply a sort key condition such as RegistrationDate > :date (or BETWEEN), which is efficient and avoids a full-table scan. This design is the canonical pattern for optimizing DynamoDB queries: model the table and indexes around known access patterns so the application can use Query instead of Scan.

Option C (LSI) is not valid for this requirement because an LSI must use the same partition key as the base table (UserID). Since the access pattern is by Location, an LSI cannot make Location the partition key. Option B (Scan + filter) is inefficient at scale because Scan reads every item (or every item in the scanned segments) and then filters results, consuming read capacity and increasing latency. Option D (BatchGetItem) requires the caller to already know the primary keys of the items to retrieve; it cannot discover “all users in a location after a date” and does not support filtering in the way Query on an index does.

Therefore, A is the correct and most efficient solution: a GSI on (Location, RegistrationDate) and Query with a date range condition.

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption. Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

AWS Amplify’s most direct support for GraphQL APIs is through AWS AppSync, and the Amplify CLI can generate and configure an AppSync GraphQL API directly from a schema with minimal setup. The requirement says the API already has an existing GraphQL schema, and the goal is to migrate it with the least configuration effort.

Option D is the simplest: run amplify add api, choose GraphQL, and provide the existing schema. Amplify then provisions the AppSync API, sets up the schema, creates the backend resources (depending on chosen data sources), and wires the configuration into the Amplify project so the SPA can consume the API.

Option A is incorrect because it selects REST and does not align with an existing GraphQL schema.

Option B is incorrect because API Gateway is not the native GraphQL service and would require additional mapping/proxy logic—more configuration.

Option C can be valid if an AppSync API already exists and you want to import it, but the question asks to “migrate the API along with the application” with least configuration. Creating it directly in Amplify is typically less configuration than creating separately and importing.

Therefore, using Amplify CLI to add a GraphQL API and supply the existing schema is the least-config approach.