Free Amazon Web Services DVA-C02 Practice Exam with Questions & Answers | Set: 7

Why Option B is Correct:The RetainExceptOnCreate deletion policy ensures that the IAM user is retained after successful stack creation but is deleted if the stack creation fails or rolls back. This meets both requirements.

Why Other Options are Incorrect:

Option A: The Retain policy retains the resource regardless of stack status and does not delete the IAM user upon rollback.

Option C: Updating the service role for termination protection does not address the specific deletion behavior for the IAM user.

Option D: Stack policy controls updates, not resource deletion behavior during rollbacks.

AWS Documentation References:

CloudFormation DeletionPolicy Attribute

Amazon Q Developer Pro is an AWS-native, generative AI–powered development assistant designed to help developers write, test, and review code directly within supported IDEs such as Visual Studio Code and JetBrains. AWS documentation highlights Amazon Q Developer Pro as a productivity tool that accelerates development without requiring additional infrastructure .

Amazon Q Developer Pro can automatically generate unit tests , suggest improvements, identify potential bugs, and provide context-aware code reviews . Because it integrates directly into the IDE, developers receive immediate feedback during development, which shortens feedback loops and improves overall code quality.

Options A, B, and C require additional tooling, scripting, or manual processes. While CodeBuild and CodeGuru Reviewer are valuable services, they introduce pipeline complexity and do not provide real-time, IDE-integrated assistance for writing tests and reviewing code.

Amazon Q Developer Pro uniquely satisfies all stated requirements:

No infrastructure to manage

Native IDE integration

Automated unit test generation

AI-assisted code reviews

Therefore, using Amazon Q Developer Pro is the most efficient and modern AWS-recommended solution.

To meet the requirement:

Users must be able to upload (PutObject) and read (GetObject) files but not delete them.

Option D ensures users cannot delete files by omitting the s3:DeleteObject action while allowing s3:GetObject and s3:PutObject.

Option A: Includes s3:DeleteObject, which allows users to delete files and does not meet the requirement.

Option B: Contains unrelated actions like CreateBucket, which is not relevant here.

Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict DeleteObject.

This solution will meet the requirements by creating a Lambda function execution role, which is an IAM role that grants permissions to a Lambda function to access AWS resources such as Amazon S3 objects. The developer can attach a policy to the role that grants access to specific objects in the S3 bucket that are required by the application, following the principle of least privilege. Option A is not optimal because it will hardcode the credentials that are required to access S3 objects in the application code, which is insecure and difficult to maintain. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will store the secret access key and access key ID as environment variables in Lambda, which is also insecure and difficult to maintain.

The requirement is to search for partial matches of email_address but scoped to a specific customer_type. In DynamoDB, efficient partial matching is performed with a Query on a sort key using the begins_with() condition. However, Query requires that the partition key be specified exactly, so we need an index where customer_type can be used as the partition key, and email_address can be used as the sort key for prefix matching.

A Global Secondary Index (GSI) can be added to an existing table without recreating it, and it can use a different partition key and sort key from the base table. Option A correctly proposes a GSI with:

Partition key: customer_type

Sort key: email_address

Then the Lambda can run a Query on the GSI like: customer_type = :ct AND begins_with(email_address, :prefix) which returns emails that start with the typed prefix for that customer type.

Option B is wrong because it keeps email_address as the partition key. That would require an exact email value (not a prefix) to Query, and you cannot do begins_with on a partition key; begins_with is for sort keys.

Options C and D are invalid because Local Secondary Indexes (LSIs) must share the same partition key as the base table (here, email_address). You cannot create an LSI with customer_type or job_title as the partition key when the table partition key is email_address.

Therefore, adding a GSI (customer_type PK, email_address SK) and querying it with begins_with is the correct solution.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to-live (TTL) period. This can improve the responsiveness of the APIs by reducing the number of calls made to the backend service.

The most secure and AWS-recommended way for a Lambda function to access other AWS services is to use an IAM execution role. Lambda assumes this role at runtime and receives temporary credentials that are automatically rotated by AWS. The developer attaches the necessary permissions (the existing IAM policy) to that role, and then configures the Lambda function to use the role.

Option B follows least privilege and avoids long-term credentials. It also integrates with AWS security tooling: IAM Access Analyzer, CloudTrail, and policy boundaries can all be applied cleanly. Because the policy already exists, this requires minimal extra work: create/choose the execution role, attach the policy, and assign the role to the function.

Option A is not correct because IAM policies are attached to IAM identities (users, groups, roles) — not directly to Lambda functions as standalone entities. Lambda permissions are granted through the function’s execution role.

Option C is insecure because it uses long-term IAM user access keys embedded in environment variables. Even if encrypted, this expands the blast radius, complicates rotation, and contradicts AWS best practices for avoiding static credentials inside code/runtime.

Option D is extremely insecure and noncompliant. Root user access keys should not be used for applications and should generally not exist.

Therefore, create and attach the existing policy to a Lambda execution IAM role and assign that role to the function.

Amazon Cognito User Pools: A managed user directory service, simplifying user registration and login.

Social Identity Providers: Cognito supports integration with external providers (e.g., Google, Facebook), reducing development effort.

IAM Roles for Authorization: Cognito-managed IAM roles grant fine-grained access to AWS resources (like Lambda functions).

Operational Overhead: Cognito minimizes the need to manage user identities and credentials independently.

Amazon API Gateway supports multiple stages , allowing developers to deploy and test different versions of an API independently. By creating a new test stage , the developer can route traffic to an updated Lambda function without impacting production users.

AWS documentation recommends using stage variables to dynamically reference different Lambda function versions or aliases. This approach enables safe testing while reusing the same API configuration.

Canary deployments (Option A) expose a portion of production users to the new code, which violates the requirement. Changing the endpoint type (Option B) disrupts production. Duplicating the entire stack (Option D) introduces unnecessary complexity and overhead.

Using a separate test stage is the most efficient, low-risk, and AWS-recommended solution.

DynamoDB TTL (Time-to-Live): A native feature that automatically deletes items after a specified expiration time.

Efficiency: Eliminates the need for scheduled deletion jobs, optimizing write throughput by avoiding potential throttling conflicts.

Seamless Integration: TTL works directly within DynamoDB, requiring minimal development overhead.

The solution that will meet the requirements with the most operational efficiency is to create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings. This way, the container image is analyzed earlier in the CI/CD pipeline and any vulnerabilities are detected and reported before deploying to the EKS cluster. The other options either delay the analysis until after deployment, which increases the risk of exposing insecure images, or perform analysis on the source code instead of the container image, which may not capture all the dependencies and configurations that affect the security posture of the image.

Secrets Management: AWS Secrets Manager is designed specifically for storing and managing sensitive credentials.

Built-in Rotation: Secrets Manager provides automatic secret rotation functionality, enhancing security posture significantly.

IAM Integration: IAM policies and roles grant fine-grained access to ECS Fargate, ensuring the principle of least privilege.

Reduced Overhead: This solution centralizes secrets management and automates rotation, reducing operational overhead compared to the other options.

The correct answer is C because Amazon SNS FIFO topics are designed for applications that require both message ordering and deduplication , and high throughput mode extends the throughput capability to support large-scale workloads such as sending thousands of notifications per second . This directly matches the requirement for ordered notification delivery at very high scale.

The requirement to filter out some notifications before sending them to the HTTP endpoint is also handled natively by SNS subscription filter policies . With a filter policy, only messages with matching message attributes are delivered to the subscribed endpoint. This means the application can publish all notification events to the SNS topic, while SNS ensures that only relevant notifications are forwarded to the HTTP subscriber. This avoids unnecessary downstream traffic and reduces custom logic.

Option A is incorrect because Amazon Data Firehose is intended primarily for streaming data delivery to analytics and storage destinations, not for ordered notification delivery to HTTP endpoints with filtering requirements. Option B is incorrect because Amazon SQS standard queues do not preserve strict ordering . Also, this design adds Lambda processing complexity and does not align as cleanly with native FIFO and filtering capabilities. Option D is not the best choice because EventBridge supports filtering and API destinations, but it does not provide the same straightforward FIFO ordered delivery guarantee required here.

Therefore, Amazon SNS FIFO in high throughput mode with an HTTP subscription and subscription filter policy is the AWS service combination that best satisfies all the stated requirements.