Sample questions
AWS Certified Developer Associate DVA-C02 practice questions
A developer is troubleshooting an AWS Lambda function that is triggered by an S3 event. The function occasionally fails with a timeout error. CloudWatch logs show that the timeout occurs during the processing of large files. The function has a memory setting of 128 MB and a timeout of 3 seconds. The developer wants to process large files without modifying the code. Which parameter should the developer adjust first?
Trap 1: Increase the function's timeout
Raising the timeout only hides the slowness and increases the cost of every slow invocation; with 128 MB the function has a very small CPU share, so memory is the lever to pull first.
Trap 2: Increase the function's reserved concurrency
Concurrency controls the number of simultaneous invocations, not the execution time of a single invocation.
Trap 3: Increase the S3 event notification batch size
S3 event notifications do not have a batch size; each event triggers a separate invocation.
- A
Increase the function's memory
Lambda allocates CPU (and network throughput) in proportion to configured memory, so raising memory above 128 MB speeds up processing and can bring large files under the timeout without any code change.
- B
Increase the function's timeout
Why wrong: Raising the timeout only hides the slowness and increases the cost of every slow invocation; with 128 MB the function has a very small CPU share, so memory is the lever to pull first.
- C
Increase the function's reserved concurrency
Why wrong: Concurrency controls the number of simultaneous invocations, not the execution time of a single invocation.
- D
Increase the S3 event notification batch size
Why wrong: S3 event notifications do not have a batch size; each event triggers a separate invocation.
A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?
Trap 1: Static credentials committed to Git
Long-lived keys in source control are a common leak path, cannot be rotated without a code change, and are never read by the SDK's default credential chain.
Trap 2: A credentials file copied into the AMI
Keys baked into an image are shared by every instance launched from it, are readable by anyone who can read the AMI, and can only be rotated by rebuilding the image.
Trap 3: The root account access key
Root credentials cannot be restricted by IAM policy; AWS recommends deleting root access keys entirely and never using them for API calls.
- A
Static credentials committed to Git
Why wrong: Long-lived keys in source control are a common leak path, cannot be rotated without a code change, and are never read by the SDK's default credential chain.
- B
A credentials file copied into the AMI
Why wrong: Keys baked into an image are shared by every instance launched from it, are readable by anyone who can read the AMI, and can only be rotated by rebuilding the image.
- C
The root account access key
Why wrong: Root credentials cannot be restricted by IAM policy; AWS recommends deleting root access keys entirely and never using them for API calls.
- D
Temporary credentials from the instance profile role
Correct. The SDK default credential provider chain (environment variables, shared config, then the instance metadata service) ends at the instance profile, which serves short-lived credentials for the attached role and rotates them automatically.
A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?
Trap 1: An S3 bucket policy granting access to the external account
The bucket policy can grant direct access to the external user without assuming a role, but the question specifies using a role.
Trap 2: An IAM user policy in the external account allowing sts:AssumeRole
This policy is needed in the external account, not in the developer's account.
Trap 3: An AWS Organizations service control policy allowing cross-account…
SCPs are used to restrict permissions within an organization, not to grant trust relationships.
- A
An IAM role with a trust policy that allows the external account's root user or specific IAM users/roles to assume the role
Correct. The trust policy on the role specifies which principals from other accounts can assume it.
- B
An S3 bucket policy granting access to the external account
Why wrong: The bucket policy can grant direct access to the external user without assuming a role, but the question specifies using a role.
- C
An IAM user policy in the external account allowing sts:AssumeRole
Why wrong: This policy is needed in the external account, not in the developer's account.
- D
An AWS Organizations service control policy allowing cross-account access
Why wrong: SCPs are used to restrict permissions within an organization, not to grant trust relationships.
A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?
Trap 1: The bucket policy in Account A grants s3:GetObject to the role, and…
The question specifies a customer managed key, whose key policy must grant the external role. The AWS managed key (aws/s3) has a fixed key policy that only admits principals in the owning account, so it cannot be used cross-account.
Trap 2: The bucket policy in Account A grants s3:GetObject to the role, and…
IAM roles require IAM policies to authorize actions, even if resource-based policies grant access. The role must have an IAM policy allowing s3:GetObject and kms:Decrypt.
Trap 3: Only the bucket policy in Account A needs to grant s3:GetObject to…
SSE-KMS with a customer managed key requires an explicit kms:Decrypt grant in the key policy. The AWS managed key (aws/s3) cannot be used for cross-account access because its key policy cannot be edited.
- A
The bucket policy in Account A grants s3:GetObject to the role, the KMS key policy grants kms:Decrypt to the role, and the role in Account B has an IAM policy allowing s3:GetObject and kms:Decrypt
All three policies are required: bucket policy and key policy in Account A grant the necessary permissions, and the IAM role in Account B must have the corresponding IAM policy to authorize the use of those grants.
- B
The bucket policy in Account A grants s3:GetObject to the role, and the role in Account B has an IAM policy allowing s3:GetObject. No KMS permissions are needed because SSE-KMS uses AWS managed keys by default.
Why wrong: The question specifies a customer managed key, whose key policy must grant the external role. The AWS managed key (aws/s3) has a fixed key policy that only admits principals in the owning account, so it cannot be used cross-account.
- C
The bucket policy in Account A grants s3:GetObject to the role, and the KMS key policy grants kms:Decrypt to the role. The role in Account B does not need additional IAM policies because the bucket and key policies provide sufficient permissions.
Why wrong: IAM roles require IAM policies to authorize actions, even if resource-based policies grant access. The role must have an IAM policy allowing s3:GetObject and kms:Decrypt.
- D
Only the bucket policy in Account A needs to grant s3:GetObject to the role. KMS is not involved because the bucket is encrypted with SSE-KMS but the role can decrypt using the default KMS key.
Why wrong: SSE-KMS with a customer managed key requires an explicit kms:Decrypt grant in the key policy. The AWS managed key (aws/s3) cannot be used for cross-account access because its key policy cannot be edited.
An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?
Trap 1: IAM authorizer
An IAM authorizer requires callers to sign requests with SigV4 using AWS credentials; users of an external OIDC provider hold ID/access tokens, not AWS credentials.
Trap 2: API key authorizer
API keys identify a client application for usage plans and throttling; they are not user authentication, and HTTP APIs do not support API keys or usage plans at all.
Trap 3: S3 bucket policy
An S3 bucket policy controls access to S3 objects; it has no relationship to API Gateway authorization.
- A
IAM authorizer
Why wrong: An IAM authorizer requires callers to sign requests with SigV4 using AWS credentials; users of an external OIDC provider hold ID/access tokens, not AWS credentials.
- B
API key authorizer
Why wrong: API keys identify a client application for usage plans and throttling; they are not user authentication, and HTTP APIs do not support API keys or usage plans at all.
- C
JWT authorizer configured for the issuer and audience
Correct. An HTTP API JWT authorizer fetches the issuer's JWKS, verifies the token signature, and checks the iss and aud claims (and expiry) natively, with no custom code to maintain.
- D
S3 bucket policy
Why wrong: An S3 bucket policy controls access to S3 objects; it has no relationship to API Gateway authorization.
A developer monitors an AWS Lambda function that processes messages from an Amazon SQS queue. CloudWatch logs show that the function's execution time has increased significantly over the past week, and it now frequently times out at the 5-minute timeout. The function's code has not been changed recently. The function makes calls to an Amazon DynamoDB table. What is the most likely cause of the increased execution time?
Trap 1: The SQS queue's visibility timeout is too short, causing duplicate…
A short visibility timeout makes in-flight messages reappear and be picked up by another invocation; it causes duplicate processing but does not lengthen any single invocation.
Trap 2: The Lambda function's memory is too low, causing CPU throttling.
The memory setting is static and has not changed, so it cannot explain a trend over a week. Too little memory slows a function uniformly or produces out-of-memory errors; it does not gradually push invocations toward the 5-minute timeout.
Trap 3: The DynamoDB table's indexes are missing, causing full table scans.
DynamoDB never falls back to a Scan because an index is absent: a Query or GetItem against a missing index fails rather than scanning. Nothing in the code or schema changed, so a static schema cannot explain a gradual increase.
- A
The DynamoDB table's read capacity units are underprovisioned, causing throttling.
Throttled reads (ProvisionedThroughputExceededException) make the SDK back off and retry, lengthening each invocation. As traffic grows week over week the same capacity throttles more often, which matches a trend with no code change; the table's ReadThrottleEvents metric confirms it.
- B
The SQS queue's visibility timeout is too short, causing duplicate processing.
Why wrong: A short visibility timeout makes in-flight messages reappear and be picked up by another invocation; it causes duplicate processing but does not lengthen any single invocation.
- C
The Lambda function's memory is too low, causing CPU throttling.
Why wrong: The memory setting is static and has not changed, so it cannot explain a trend over a week. Too little memory slows a function uniformly or produces out-of-memory errors; it does not gradually push invocations toward the 5-minute timeout.
- D
The DynamoDB table's indexes are missing, causing full table scans.
Why wrong: DynamoDB never falls back to a Scan because an index is absent: a Query or GetItem against a missing index fails rather than scanning. Nothing in the code or schema changed, so a static schema cannot explain a gradual increase.
A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?
Trap 1: Generate an IAM user access key and store it in the application…
Storing keys in config is insecure.
Trap 2: Hardcode the AWS credentials in the application code.
Hardcoding is a security risk.
Trap 3: Add the DynamoDB table ARN to the EC2 instance's security group.
Security groups do not grant DynamoDB access.
- A
Create an IAM role with the required permissions and attach it to the EC2 instance.
The instance profile delivers short-lived, automatically rotated credentials through the instance metadata service; scope the role's policy to the read actions (dynamodb:GetItem, dynamodb:Query) on the table's ARN.
- B
Generate an IAM user access key and store it in the application configuration.
Why wrong: Storing keys in config is insecure.
- C
Hardcode the AWS credentials in the application code.
Why wrong: Hardcoding is a security risk.
- D
Add the DynamoDB table ARN to the EC2 instance's security group.
Why wrong: Security groups do not grant DynamoDB access.
A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?
Trap 1: AWS IAM
IAM identity providers (SAML/OIDC) federate workforce or workload identities into AWS credentials; IAM is not a sign-in service for an application's end users.
Trap 2: AWS Security Token Service (STS)
STS issues temporary AWS credentials to principals that have already been authenticated; it does not authenticate end users against an IdP.
Trap 3: AWS Secrets Manager
Manages secrets, not authentication.
- A
Amazon Cognito User Pools
Can federate with third-party IdPs.
- B
AWS IAM
Why wrong: IAM identity providers (SAML/OIDC) federate workforce or workload identities into AWS credentials; IAM is not a sign-in service for an application's end users.
- C
AWS Lambda custom authorizer
Can validate tokens from third-party IdPs.
- D
AWS Security Token Service (STS)
Why wrong: STS issues temporary AWS credentials to principals that have already been authenticated; it does not authenticate end users against an IdP.
- E
AWS Secrets Manager
Why wrong: Manages secrets, not authentication.
A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?
Trap 1: The bucket policy does not have a principal of '*' to allow…
The bucket policy can grant access to a specific user ARN; a wildcard principal is not required for cross-account access.
Trap 2: The bucket is in a different region than the user's account
Bucket names are globally unique and a bucket can be addressed from any Region; S3 permissions are not Region-scoped, so a Region mismatch never produces AccessDenied.
Trap 3: The user is using the wrong S3 endpoint (e.g., path-style vs…
Using the wrong endpoint type may result in errors like 301 or 400, but not an explicit access denied (403) response.
- A
The user's IAM user policy does not explicitly allow the required S3 action
In cross-account access, both the bucket policy and the user's IAM policy must grant permission. The user's policy must include an Allow for the action (e.g., s3:GetObject).
- B
The bucket policy does not have a principal of '*' to allow external accounts
Why wrong: The bucket policy can grant access to a specific user ARN; a wildcard principal is not required for cross-account access.
- C
The bucket is in a different region than the user's account
Why wrong: Bucket names are globally unique and a bucket can be addressed from any Region; S3 permissions are not Region-scoped, so a Region mismatch never produces AccessDenied.
- D
The user is using the wrong S3 endpoint (e.g., path-style vs virtual-hosted)
Why wrong: Using the wrong endpoint type may result in errors like 301 or 400, but not an explicit access denied (403) response.
Based on the CloudTrail log entry, which security concern should be investigated?
Exhibit
Refer to the exhibit.
CloudTrail log entry:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/MySession",
"accountId": "123456789012",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"arn": "arn:aws:iam::123456789012:role/AdminRole"
},
"attributes": {
"creationDate": "2024-01-15T10:00:00Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-01-15T10:05:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "RunInstances",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.5",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"instancesSet": {
"items": [
{
"imageId": "ami-0abcdef1234567890"
}
]
}
}
}
Trap 1: The role used has too many permissions.
AdminRole is broad, but a single CloudTrail entry does not show what the role is permitted to do; what the entry does show is mfaAuthenticated set to false.
Trap 2: The instance was launched in an unauthorized region.
No indication of unauthorized region.
Trap 3: The source IP address is from a suspicious location.
Not enough info to determine suspicious.
- A
The role used has too many permissions.
Why wrong: AdminRole is broad, but a single CloudTrail entry does not show what the role is permitted to do; what the entry does show is mfaAuthenticated set to false.
- B
The instance was launched in an unauthorized region.
Why wrong: No indication of unauthorized region.
- C
Multi-factor authentication (MFA) was not used when assuming the role.
userIdentity.sessionContext.attributes.mfaAuthenticated is "false": the credentials used to assume AdminRole were obtained without MFA. A privileged role should carry an aws:MultiFactorAuthPresent condition in its trust policy so such sessions cannot be created.
- D
The source IP address is from a suspicious location.
Why wrong: Not enough info to determine suspicious.
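The exhibit shows where the MFA flag lives in a CloudTrail record. The following is an added example, not part of the original question set, of the detection logic a practitioner would run over CloudTrail records to surface exactly this case: a sensitive API call made from a session whose mfaAuthenticated attribute is "false". The watch list of actions, the exempted service-role names, and the sample records are all constructed for the example; the first sample record mirrors the exhibit.

```python
from typing import Optional

# Watch list of actions that should never happen from a session without MFA.
# Constructed for this example; extend it for your own environment.
SENSITIVE_ACTIONS = {
    "ec2.amazonaws.com": {"RunInstances", "AuthorizeSecurityGroupIngress"},
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachRolePolicy"},
    "kms.amazonaws.com": {"ScheduleKeyDeletion", "DisableKey"},
}

# Roles assumed only by services (instance profiles, Lambda execution roles).
# Their sessions always carry mfaAuthenticated=false, so they are exempted to
# keep the rule from alerting on every automated call. Constructed names.
SERVICE_ROLES = {"LambdaExecutionRole", "EC2WebServerRole"}


def mfa_authenticated(record: dict) -> Optional[bool]:
    """Read userIdentity.sessionContext.attributes.mfaAuthenticated.

    Returns True/False, or None when the record has no session attributes
    (for example calls made by an AWS service on the customer's behalf)."""
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    flag = attrs.get("mfaAuthenticated")
    return None if flag is None else str(flag).lower() == "true"


def principal_name(record: dict) -> str:
    """The role behind an assumed-role session, the user name for IAMUser,
    or 'root'."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole":
        arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", arn)
    return arn.rsplit("/", 1)[-1]


def assess(record: dict) -> Optional[dict]:
    """Return a finding when a watch-listed action was taken without MFA."""
    source, action = record.get("eventSource"), record.get("eventName")
    if action not in SENSITIVE_ACTIONS.get(source, set()):
        return None
    name = principal_name(record)
    if record.get("userIdentity", {}).get("type") == "AssumedRole" and name in SERVICE_ROLES:
        return None
    if mfa_authenticated(record) is not False:
        return None  # MFA present, or no session attributes: not this rule's case
    return {
        "principal": name,
        "identityType": record["userIdentity"].get("type"),
        "action": f"{source}:{action}",
        "sourceIPAddress": record.get("sourceIPAddress"),
        "eventTime": record.get("eventTime"),
    }


def scan(records) -> list:
    return [f for f in (assess(r) for r in records) if f]


def _record(identity_type, arn, mfa, source, action, issuer=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    identity = {"type": identity_type, "arn": arn, "accountId": "123456789012"}
    if mfa is not None:
        identity["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
        if issuer:
            identity["sessionContext"]["sessionIssuer"] = {"type": "Role", "arn": issuer}
    return {"eventVersion": "1.08", "userIdentity": identity,
            "eventTime": "2024-01-15T10:05:00Z", "eventSource": source,
            "eventName": action, "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.5", "userAgent": "console.amazonaws.com"}


ACCT = "123456789012"
SAMPLE_EVENTS = [
    # The exhibit: AdminRole session, no MFA, launching an instance -> finding
    _record("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/MySession", "false",
            "ec2.amazonaws.com", "RunInstances", issuer=f"arn:aws:iam::{ACCT}:role/AdminRole"),
    # Same role and action, MFA presented at AssumeRole time -> clean
    _record("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/MfaSession", "true",
            "ec2.amazonaws.com", "RunInstances", issuer=f"arn:aws:iam::{ACCT}:role/AdminRole"),
    # Lambda execution role: never has MFA, so exempted
    _record("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/LambdaExecutionRole/fn", "false",
            "iam.amazonaws.com", "CreateAccessKey", issuer=f"arn:aws:iam::{ACCT}:role/LambdaExecutionRole"),
    # IAM user without MFA making a read-only call -> not on the watch list
    _record("IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "false",
            "ec2.amazonaws.com", "DescribeInstances"),
    # IAM user without MFA minting an access key -> finding
    _record("IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "false",
            "iam.amazonaws.com", "CreateAccessKey"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for a real deployment: API calls made with long-lived access keys carry no sessionContext at all, so they return None from mfa_authenticated and need a separate rule (flag access-key use by humans outright), and the SERVICE_ROLES exemption should be driven from an inventory rather than a hard-coded set.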
A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?
Trap 1: AWS Systems Manager Parameter Store
Parameter Store SecureString parameters can hold secrets, but Parameter Store has no built-in rotation; Secrets Manager provides managed rotation for database credentials.
Trap 2: Amazon S3 with server-side encryption
S3 is not ideal for storing secrets due to access management complexity.
Trap 3: Amazon DynamoDB
DynamoDB is not designed for secret storage.
- A
AWS Secrets Manager
Secrets Manager is purpose-built for secrets management.
- B
AWS Systems Manager Parameter Store
Why wrong: Parameter Store SecureString parameters can hold secrets, but Parameter Store has no built-in rotation; Secrets Manager provides managed rotation for database credentials.
- C
Amazon S3 with server-side encryption
Why wrong: S3 is not ideal for storing secrets due to access management complexity.
- D
Amazon DynamoDB
Why wrong: DynamoDB is not designed for secret storage.
A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?
Trap 1: The bucket policy does not have a condition checking aws:SourceVpce
If the IAM policy already restricts to the VPC endpoint, the bucket policy may not need the condition. The denial is likely from the endpoint policy, not the absence of a condition.
Trap 2: The route table does not have a route to the S3 endpoint
Missing route would cause network connectivity failure (e.g., timeout), not an IAM authorization denial.
Trap 3: The security group does not allow outbound HTTPS traffic
Security groups control network traffic. If HTTPS is blocked, the request would time out, not return an access denied error.
- A
The VPC endpoint policy does not allow the required S3 action for the principal
VPC endpoint policies can restrict what actions are allowed through the endpoint. If the policy denies 's3:GetObject' for the role or user, access will be denied even if IAM and bucket policies allow it.
- B
The bucket policy does not have a condition checking aws:SourceVpce
Why wrong: If the IAM policy already restricts to the VPC endpoint, the bucket policy may not need the condition. The denial is likely from the endpoint policy, not the absence of a condition.
- C
The route table does not have a route to the S3 endpoint
Why wrong: Missing route would cause network connectivity failure (e.g., timeout), not an IAM authorization denial.
- D
The security group does not allow outbound HTTPS traffic
Why wrong: Security groups control network traffic. If HTTPS is blocked, the request would time out, not return an access denied error.
A company is using AWS CodeCommit and wants to ensure that all commits are signed with GPG keys. Which approach should be used to enforce this?
Trap 1: Use AWS Organizations service control policies (SCPs) to deny…
SCPs set the maximum permissions for accounts in an organization; no IAM condition key exposes commit signatures, so an SCP cannot distinguish a signed push from an unsigned one.
Trap 2: Enable 'Require signed commits' in the CodeCommit repository…
CodeCommit has no repository setting that requires signed commits.
Trap 3: Use an AWS Lambda function as a pre-commit hook in the repository.
Git pre-commit hooks run on the developer's machine and cannot be enforced centrally, and CodeCommit does not run server-side pre-receive hooks. Repository triggers invoke Lambda only after a push has already been accepted.
- A
Use AWS Organizations service control policies (SCPs) to deny unsigned commits.
Why wrong: SCPs set the maximum permissions for accounts in an organization; no IAM condition key exposes commit signatures, so an SCP cannot distinguish a signed push from an unsigned one.
- B
Enable 'Require signed commits' in the CodeCommit repository settings.
Why wrong: CodeCommit has no repository setting that requires signed commits.
- C
Create an IAM policy that denies codecommit:GitPush unless the commit is signed.
Marked as the intended answer, with an important caveat: the CodeCommit condition keys (for example codecommit:References, which limits pushes to named branches) cannot inspect commit contents or GPG signatures, so an IAM policy cannot deny only unsigned pushes. In practice, CodeCommit has no native enforcement of signed commits; verification has to happen out of band, for example a repository trigger that invokes a Lambda function after each push to run git verify-commit and alert on or revert unsigned commits.
- D
Use an AWS Lambda function as a pre-commit hook in the repository.
Why wrong: Git pre-commit hooks run on the developer's machine and cannot be enforced centrally, and CodeCommit does not run server-side pre-receive hooks. Repository triggers invoke Lambda only after a push has already been accepted.
An application uses IAM roles to grant EC2 instances access to S3. The developer notices that the application works correctly in one account but fails with access denied in another account. What is the most likely cause?
Trap 1: The IAM role is not attached to the EC2 instance
If the role were missing, the SDK would find no credentials and fail before sending the request (a NoCredentialProviders-style error), not with AccessDenied from S3.
Trap 2: The EC2 instance does not have internet access
Access denied suggests a permission issue, not network connectivity.
Trap 3: The KMS key policy does not allow decryption
This would only apply if S3 server-side encryption with KMS is used.
- A
The IAM role is not attached to the EC2 instance
Why wrong: If the role were missing, the SDK would find no credentials and fail before sending the request (a NoCredentialProviders-style error), not with AccessDenied from S3.
- B
The EC2 instance does not have internet access
Why wrong: Access denied suggests a permission issue, not network connectivity.
- C
The S3 bucket policy does not grant access to the IAM role
In the role's own account its identity policy is sufficient, which is why the application works there. When the bucket belongs to a different account, the bucket policy must also allow the role explicitly (and, for SSE-KMS objects, the key policy must grant kms:Decrypt).
- D
The KMS key policy does not allow decryption
Why wrong: This would only apply if S3 server-side encryption with KMS is used.
A developer is creating an IAM policy to allow a Lambda function to write logs to CloudWatch. Which policy should be attached to the Lambda execution role?
Trap 1: AdministratorAccess
Too permissive, violates least privilege.
Trap 2: AmazonDynamoDBFullAccess
This is for DynamoDB, not CloudWatch.
Trap 3: AmazonS3FullAccess
This is for S3, not CloudWatch.
- A
AWSLambdaBasicExecutionRole
This AWS managed policy grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, which is all the function needs to write to CloudWatch Logs; a tighter custom policy can scope the Resource to the function's own log group.
- B
AdministratorAccess
Why wrong: Too permissive, violates least privilege.
- C
AmazonDynamoDBFullAccess
Why wrong: This is for DynamoDB, not CloudWatch.
- D
AmazonS3FullAccess
Why wrong: This is for S3, not CloudWatch.
A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated every 90 days. Which key type should the company use to meet this requirement with minimal operational overhead?
Trap 1: Customer managed KMS key with manual rotation
Manual rotation would require operational overhead, not minimal.
Trap 2: AWS managed KMS key
AWS managed keys are automatically rotated every 365 days, not 90 days.
Trap 3: AWS owned KMS key
AWS owned keys are not visible to customers and cannot be configured for rotation.
- A
Customer managed KMS key with manual rotation
Why wrong: Manual rotation would require operational overhead, not minimal.
- B
Customer managed KMS key with automatic rotation enabled
Automatic rotation for a customer managed key defaults to every 365 days, and the rotation period can be set to any value between 90 and 2560 days, so a 90-day period is met with no manual work. Rotation keeps the old key material for decrypting existing ciphertext, so S3 objects do not need to be re-encrypted.
- C
AWS managed KMS key
Why wrong: AWS managed keys are automatically rotated every 365 days, not 90 days.
- D
AWS owned KMS key
Why wrong: AWS owned keys are not visible to customers and cannot be configured for rotation.
A developer applied the above bucket policy to an S3 bucket. What is the outcome?
Exhibit
Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonHttps",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
Trap 1: Anonymous users are allowed to read objects.
The policy contains no Allow statement at all; it only denies requests that were not made over TLS.
Trap 2: Only write requests are denied if not using HTTPS.
The action is s3:* (all actions).
Trap 3: The policy has no effect because it uses Deny.
An explicit Deny always overrides any Allow; a policy consisting only of Deny statements is valid and enforced.
- A
Anonymous users are allowed to read objects.
Why wrong: The policy contains no Allow statement at all; it only denies requests that were not made over TLS.
- B
Only write requests are denied if not using HTTPS.
Why wrong: The action is s3:* (all actions).
- C
All requests to the bucket must use HTTPS; otherwise, they are denied.
Requests made over plain HTTP carry aws:SecureTransport=false and match the Deny on both the bucket and object ARNs; requests over HTTPS fall through to whatever Allow applies elsewhere (this policy grants nothing by itself).
- D
The policy has no effect because it uses Deny.
Why wrong: An explicit Deny always overrides any Allow; a policy consisting only of Deny statements is valid and enforced.
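The policy in the exhibit is the standard TLS-only pattern, and reviewers regularly meet weakened variants of it. The following is an added example, not part of the original question set, of a check that decides whether a bucket policy actually enforces TLS the way the exhibit does: a Deny, for every principal, on all S3 actions, on both the bucket ARN and the object ARN, conditioned on aws:SecureTransport being false. The exhibit's policy is reproduced as the input, and the weak variants are constructed for the example.

```python
import copy

# The exhibit's policy, reproduced as input for the check below.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonHttps",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    """IAM accepts a scalar or an array in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_all_actions(actions) -> bool:
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _secure_transport_false(condition) -> bool:
    values = _as_list(condition.get("Bool", {}).get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def _covers_bucket_and_objects(resources, bucket: str) -> bool:
    res = set(_as_list(resources))
    if "*" in res or "arn:aws:s3:::*" in res:
        return True
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"} <= res


def enforces_tls(policy: dict, bucket: str) -> bool:
    """True if at least one statement denies every S3 action, to every
    principal, on both the bucket and its objects, whenever the request
    was not made over TLS (aws:SecureTransport == false)."""
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Deny":
            continue
        if not _any_principal(statement.get("Principal")):
            continue
        if not _denies_all_actions(statement.get("Action")):
            continue
        if not _secure_transport_false(statement.get("Condition", {})):
            continue
        if not _covers_bucket_and_objects(statement.get("Resource"), bucket):
            continue
        return True
    return False


def _variant(**changes) -> dict:
    """Copy of the exhibit policy with fields of its single statement replaced
    (constructed negative cases)."""
    policy = copy.deepcopy(TLS_ONLY_POLICY)
    policy["Statement"][0].update(changes)
    return policy


# Weak variants that turn up in reviews:
OBJECTS_ONLY = _variant(Resource="arn:aws:s3:::my-bucket/*")   # ListBucket still works over HTTP
WRITES_ONLY = _variant(Action="s3:PutObject")                  # reads still work over HTTP
INVERTED = _variant(Condition={"Bool": {"aws:SecureTransport": "true"}})  # denies the HTTPS requests

if __name__ == "__main__":
    for name, pol in [("exhibit", TLS_ONLY_POLICY), ("objects only", OBJECTS_ONLY),
                      ("writes only", WRITES_ONLY), ("inverted", INVERTED)]:
        print(f"{name:12s} enforces TLS: {enforces_tls(pol, 'my-bucket')}")
```

This is the same property the AWS Config managed rule s3-bucket-ssl-requests-only evaluates; the local check is useful in a CI step that lints policy documents before they are deployed.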
A developer is creating an IAM policy for an EC2 instance to allow it to read from an S3 bucket. Which of the following are required? (Choose TWO.)
Trap 1: Use KMS to encrypt the S3 objects
Encryption is not required for access.
Trap 2: Configure an S3 bucket policy allowing the role
Within one account an identity policy on the role is sufficient; a bucket policy is only required when the caller is in another account (or to add conditions such as TLS-only access).
Trap 3: Create an instance profile and assign a key pair
Instance profile is automatically created with role; key pair is for SSH, not permissions.
- A
Create an IAM role with s3:GetObject permissions
The IAM role provides the permissions.
- B
Use KMS to encrypt the S3 objects
Why wrong: Encryption is not required for access.
- C
Configure an S3 bucket policy allowing the role
Why wrong: Within one account an identity policy on the role is sufficient; a bucket policy is only required when the caller is in another account (or to add conditions such as TLS-only access).
- D
Attach the IAM role to the EC2 instance
The role must be attached to grant permissions.
- E
Create an instance profile and assign a key pair
Why wrong: Instance profile is automatically created with role; key pair is for SSH, not permissions.
A developer is building a serverless application using AWS Lambda and API Gateway. The Lambda function needs to access a DynamoDB table that stores sensitive customer data. The developer wants to follow the principle of least privilege. Which IAM role configuration should be used?
Trap 1: Configure a resource-based policy on the Lambda function to allow…
A Lambda function's resource-based policy controls who may invoke the function (for example API Gateway or another account); it does not give the function permissions on other services, which come only from the execution role.
Trap 2: Attach the AmazonDynamoDBFullAccess managed policy to the Lambda…
This grants full access to all DynamoDB tables, violating least privilege.
Trap 3: Use an S3 bucket policy to grant the Lambda function access to the…
S3 bucket policies are for S3 access, not DynamoDB.
- A
Configure a resource-based policy on the Lambda function to allow DynamoDB access.
Why wrong: A Lambda function's resource-based policy controls who may invoke the function (for example API Gateway or another account); it does not give the function permissions on other services, which come only from the execution role.
- B
Attach the AmazonDynamoDBFullAccess managed policy to the Lambda execution role.
Why wrong: This grants full access to all DynamoDB tables, violating least privilege.
- C
Use an S3 bucket policy to grant the Lambda function access to the DynamoDB table.
Why wrong: S3 bucket policies are for S3 access, not DynamoDB.
- D
Create a custom IAM policy with specific DynamoDB actions (e.g., GetItem, PutItem) on the specific table and attach it to the Lambda execution role.
This follows the principle of least privilege by granting only necessary actions on the specific table.
A company wants to allow cross-account access to an S3 bucket in Account A from a role in Account B. The S3 bucket policy in Account A allows the role's ARN. However, access is denied. What is the most likely missing step?
Trap 1: Add a bucket policy that denies access to all principals.
This would block access, not fix it.
Trap 2: Disable block public access settings on the bucket.
The access is not public; it's cross-account via a role, so block public access is irrelevant.
Trap 3: Enable ACLs on the S3 bucket.
ACLs are a legacy mechanism, disabled by default on new buckets (Object Ownership set to bucket owner enforced), and are not needed for cross-account access granted through a bucket policy.
- A
Add a bucket policy that denies access to all principals.
Why wrong: This would block access, not fix it.
- B
The role in Account B must have an IAM policy that allows the S3 actions.
Cross-account access requires both the resource-based policy (bucket policy) and the identity-based policy (IAM role) to grant permissions.
- C
Disable block public access settings on the bucket.
Why wrong: The access is not public; it's cross-account via a role, so block public access is irrelevant.
- D
Enable ACLs on the S3 bucket.
Why wrong: ACLs are a legacy mechanism, disabled by default on new buckets (Object Ownership set to bucket owner enforced), and are not needed for cross-account access granted through a bucket policy.
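Three questions on this page turn on the same evaluation rule: same-account access needs an Allow in either the identity policy or the resource policy, while cross-account access needs an Allow in both, and an SSE-KMS object adds a second pair of checks for kms:Decrypt on the key. The following is an added example, not part of the original question set, of a deliberately small policy evaluator that encodes that rule and runs the SSE-KMS cross-account scenario, the "bucket policy present but role policy missing" failure, and the same-account shortcut. Account IDs, the role name, the bucket and the key ARN are constructed; the evaluator handles Action/Resource wildcards and the Principal element but not NotAction, NotResource or Condition, and it treats KMS key policies as always required, which is exact for cross-account use and for the default key policy that delegates to IAM.

```python
from fnmatch import fnmatchcase

ACCOUNT_A = "111122223333"   # owns the bucket and the KMS key (constructed)
ACCOUNT_B = "444455556666"   # owns the reading role (constructed)
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/ReaderRole"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/LocalReader"
BUCKET = "shared-data"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def _principal_matches(principal, principal_arn: str) -> bool:
    """Resource-policy Principal: '*', an explicit ARN, or an account
    ('arn:aws:iam::ACCOUNT:root' or bare ID) that delegates to that
    account's IAM policies."""
    if principal == "*":
        return True
    for entry in _as_list((principal or {}).get("AWS")):
        if entry in ("*", principal_arn):
            return True
        account = entry.split(":")[4] if entry.endswith(":root") else entry
        if account == _account_of(principal_arn):
            return True
    return False


def _decision(policy: dict, principal_arn: str, action: str, resource: str) -> str:
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise 'Implicit'."""
    outcome = "Implicit"
    for st in _as_list(policy.get("Statement")):
        if "Principal" in st and not _principal_matches(st["Principal"], principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def authorized(principal_arn, action, resource, resource_owner,
               identity_policy, resource_policy, both_required=False) -> bool:
    """Same account: either policy may allow. Cross account (or KMS):
    both must allow. Any explicit Deny wins."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    res = _decision(resource_policy, principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    if both_required or _account_of(principal_arn) != resource_owner:
        return ident == "Allow" and res == "Allow"
    return "Allow" in (ident, res)


def can_read_sse_kms_object(identity_policy, bucket_policy, key_policy,
                            principal_arn=ROLE_B, object_arn=OBJECT_ARN, key_arn=KEY_ARN):
    """The two authorisation checks a GetObject on an SSE-KMS object goes through."""
    if not authorized(principal_arn, "s3:GetObject", object_arn, ACCOUNT_A,
                      identity_policy, bucket_policy):
        return False, "s3:GetObject: bucket policy and role policy must both allow"
    if not authorized(principal_arn, "kms:Decrypt", key_arn, _account_of(key_arn),
                      identity_policy, key_policy, both_required=True):
        return False, "kms:Decrypt: key policy and role policy must both allow"
    return True, "allowed"


# Constructed policies for the scenario in the SSE-KMS question.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowReaderRole", "Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowReaderRoleDecrypt", "Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
EMPTY = {"Version": "2012-10-17", "Statement": []}
KEY_POLICY_NO_ROLE = {"Version": "2012-10-17", "Statement": KEY_POLICY["Statement"][:1]}

if __name__ == "__main__":
    print(can_read_sse_kms_object(ROLE_POLICY, BUCKET_POLICY, KEY_POLICY))
    print(can_read_sse_kms_object(EMPTY, BUCKET_POLICY, KEY_POLICY))          # role policy missing
    print(can_read_sse_kms_object(ROLE_POLICY, BUCKET_POLICY, KEY_POLICY_NO_ROLE))  # key policy missing
```

Running the three scenarios reproduces the answers above: all three policies allow, a bucket policy alone fails at s3:GetObject for a cross-account role, and a key policy that only delegates to Account A's IAM fails at kms:Decrypt for a role in Account B.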
A company wants to encrypt data at rest in Amazon RDS for MySQL. Which TWO actions should be taken?
Trap 1: Encrypt individual tables using MySQL native encryption.
RDS encryption at rest encrypts the entire storage, not per-table.
Trap 2: Enable encryption at rest after the DB instance is created.
Encryption cannot be switched on for an existing DB instance. To encrypt one, take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.
Trap 3: Use client-side encryption to encrypt data before sending to RDS.
Client-side encryption is separate from RDS encryption at rest.
- A
Enable encryption at rest when creating the DB instance.
RDS encryption at rest is chosen at creation time and covers the underlying storage, automated backups, read replicas and snapshots; an existing unencrypted instance is migrated via an encrypted snapshot copy.
- B
Encrypt individual tables using MySQL native encryption.
Why wrong: RDS encryption at rest encrypts the entire storage, not per-table.
- C
Enable encryption at rest after the DB instance is created.
Why wrong: Encryption cannot be switched on for an existing DB instance. To encrypt one, take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.
- D
Use AWS KMS to manage the encryption keys.
RDS uses KMS to generate and manage keys for encryption.
- E
Use client-side encryption to encrypt data before sending to RDS.
Why wrong: Client-side encryption is separate from RDS encryption at rest.
A developer wants to encrypt data in transit between an API Gateway REST API and its clients. Which configuration should be used?
Trap 1: Use a custom domain name with a certificate from ACM.
A custom domain is optional; the default execute-api endpoint is HTTPS-only already. A custom domain is where you would set the TLS security policy (minimum TLS 1.2) if that were required.
Trap 2: Implement client-side encryption using a JavaScript library.
Client-side encryption does not ensure encryption in transit between client and server.
Trap 3: Attach an AWS WAF web ACL to the API Gateway.
WAF provides security filtering, not encryption in transit.
- A
Use a custom domain name with a certificate from ACM.
Why wrong: A custom domain is optional; the default execute-api endpoint is HTTPS-only already. A custom domain is where you would set the TLS security policy (minimum TLS 1.2) if that were required.
- B
Implement client-side encryption using a JavaScript library.
Why wrong: Client-side encryption does not ensure encryption in transit between client and server.
- C
Use the default HTTPS endpoint provided by API Gateway.
API Gateway automatically provides HTTPS for REST APIs, encrypting data in transit.
- D
Attach an AWS WAF web ACL to the API Gateway.
Why wrong: WAF provides security filtering, not encryption in transit.
A developer needs to securely store database credentials used by an application running on EC2. Which AWS service should be used?
Trap 1: AWS Systems Manager Parameter Store
Parameter Store can store secrets but lacks automatic rotation; Secrets Manager is better for database credentials.
Trap 2: Amazon S3
S3 is not designed for secret management and would require additional encryption and access control.
Trap 3: AWS Certificate Manager (ACM)
ACM manages SSL/TLS certificates, not database credentials.
- A
AWS Secrets Manager
Secrets Manager is designed for secure storage and automatic rotation of secrets like database credentials.
- B
AWS Systems Manager Parameter Store
Why wrong: Parameter Store can store secrets but lacks automatic rotation; Secrets Manager is better for database credentials.
- C
Amazon S3
Why wrong: S3 is not designed for secret management and would require additional encryption and access control.
- D
AWS Certificate Manager (ACM)
Why wrong: ACM manages SSL/TLS certificates, not database credentials.
A developer is designing a serverless application using API Gateway, Lambda, and DynamoDB. The API must authenticate users using a JWT token. Which API Gateway feature should the developer use to validate the JWT before invoking the Lambda function?
Trap 1: Use an IAM authorizer with a resource policy.
An IAM authorizer requires SigV4-signed requests made with AWS credentials; it does not inspect bearer JWTs.
Trap 2: Use an Amazon Cognito user pool authorizer.
A Cognito user pool authorizer validates only tokens issued by the configured user pool(s); tokens from a third-party issuer need a Lambda authorizer (on a REST API) or a JWT authorizer (on an HTTP API).
Trap 3: Use an API Gateway resource policy to allow only authenticated IPs.
Resource policies do not authenticate users.
- A
Use an IAM authorizer with a resource policy.
Why wrong: An IAM authorizer requires SigV4-signed requests made with AWS credentials; it does not inspect bearer JWTs.
- B
Use an Amazon Cognito user pool authorizer.
Why wrong: A Cognito user pool authorizer validates only tokens issued by the configured user pool(s); tokens from a third-party issuer need a Lambda authorizer (on a REST API) or a JWT authorizer (on an HTTP API).
- C
Use a Lambda authorizer (custom authorizer).
A Lambda authorizer runs your own code before the backend is invoked, so it can verify the JWT signature against the issuer's keys, check iss, aud and exp, and return an IAM policy allowing or denying execute-api:Invoke. On a REST API this is the only option for a non-Cognito JWT; HTTP APIs offer a built-in JWT authorizer that performs the same checks without custom code.
- D
Use an API Gateway resource policy to allow only authenticated IPs.
Why wrong: Resource policies do not authenticate users.
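Both the HTTP API JWT authorizer question earlier on this page and the Lambda authorizer question here come down to the same checks on a bearer token: signature first, then issuer, audience and expiry. The following is an added example, not part of the original question set, of those checks in the shape of a REST API TOKEN-type Lambda authorizer. A real OIDC provider signs with RS256 and publishes its keys at the issuer's JWKS endpoint, which the authorizer would fetch and cache; to keep the block self-contained and offline, it uses HS256 with a constructed shared secret, and the issuer and audience values are constructed too.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example.
ISSUER = "https://idp.example.com/"
AUDIENCE = "orders-api"
DEMO_KEY = b"demo-shared-secret-not-for-production"   # stands in for the IdP's RSA key


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT; plays the IdP's role for the test data."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_jwt(token: str, key: bytes, issuer: str, audience: str, now: float = None):
    """Return (claims, None) if the token is acceptable, else (None, reason).
    The signature is verified before any claim is trusted, and the algorithm
    is pinned rather than taken from the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    if audience not in _as_list(claims.get("aud")):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    if now < claims.get("nbf", 0):
        return None, "not yet valid"
    return claims, None


def lambda_handler(event: dict, context=None) -> dict:
    """REST API TOKEN authorizer: API Gateway passes the Authorization header
    as authorizationToken and the invoked method as methodArn; the response is
    an IAM policy for execute-api:Invoke. A Deny here yields HTTP 403."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    claims, reason = validate_jwt(token, DEMO_KEY, ISSUER, AUDIENCE)
    return {
        "principalId": (claims or {}).get("sub", "anonymous"),
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if claims else "Deny",
                "Resource": event.get("methodArn", "*"),
            }],
        },
        "context": {"reason": reason or "ok"},   # surfaced to the backend via $context.authorizer
    }


if __name__ == "__main__":
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123",
                       "exp": int(time.time()) + 300})
    event = {"authorizationToken": f"Bearer {good}",
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"}
    print(json.dumps(lambda_handler(event), indent=2))
```

The HTTP API JWT authorizer performs exactly the validate_jwt checks as a managed feature; the custom handler only earns its keep when the issuer is not supported natively or when authorization needs claims logic beyond issuer and audience.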