AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 976-1050

1616 questions total · 22 pages · All types, answers revealed


Page 14 of 22

976
MCQ · hard

A developer is designing a microservice that processes orders. The service must ensure that each order is processed exactly once. The developer uses an SQS queue to decouple the order submission from processing. Which SQS feature should be used to prevent duplicate processing?

A. Standard queue with visibility timeout
B. FIFO queue with content-based deduplication
C. FIFO queue with a dead-letter queue
D. Standard queue with message retention period
Answer: B

FIFO queues provide exactly-once processing.

Why this answer

Option B is correct because SQS FIFO queues support exactly-once processing through deduplication on the message deduplication ID (with content-based deduplication, a SHA-256 hash of the message body). Option A is wrong because standard queues guarantee at-least-once delivery; the visibility timeout only stops other consumers from receiving a message while it is in flight and does not prevent duplicates if the message is delivered again. Option C is wrong because a dead-letter queue stores messages that could not be processed; it does not prevent duplicates. Option D is wrong because the message retention period only controls how long unconsumed messages are kept.

977
MCQ · hard

Refer to the exhibit. An IAM policy attached to a user includes the above statement. The user uploads an object to the S3 bucket without specifying any encryption header. What is the outcome?

A. The upload succeeds and the object is encrypted with SSE-KMS.
B. The upload succeeds and the object is not encrypted.
C. The upload succeeds and the object is encrypted with SSE-S3.
D. The upload fails with an Access Denied error.
Answer: D

The condition is not satisfied, so the Allow does not apply, and there is no other Allow statement.

Why this answer

Option D is correct because the condition requires the encryption header to be AES256. If no header is provided, the condition is not met, the Allow does not apply, and the action is denied. Option A is wrong because the condition specifically requires AES256 (SSE-S3), not SSE-KMS, and the Allow does not apply in any case. Options B and C are wrong because the upload is denied, so no object is stored, encrypted or otherwise.

978
MCQ · easy

A developer is creating a CI/CD pipeline using AWS CodeBuild and AWS CodeDeploy for a Java application that runs on EC2 instances. The build process must compile the code, run unit tests, and package the application into a WAR file. The deployment should use the blue/green deployment strategy. What is the correct sequence of actions?

A. Use CodeCommit to store the source code, CodeBuild to build, and CodePipeline to orchestrate the deployment.
B. Use CodeDeploy to build the application and then use CodePipeline to deploy it.
C. Use Elastic Beanstalk to build and deploy the application.
D. Use CodeBuild to compile and package the application, and then use CodeDeploy to perform the blue/green deployment.
Answer: A, D

This is a common pipeline. The question asks specifically for the sequence of build and deployment actions, while CodePipeline orchestrates the entire process.

Why this answer

Option D is correct: CodeBuild compiles and packages the application, then CodeDeploy performs the blue/green deployment. Option B is wrong because CodeDeploy does not build. Option A is wrong because CodeCommit is for source control, not building. Option C is wrong because Elastic Beanstalk is a platform-as-a-service, not a CI/CD service.

979
MCQ · hard

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to deploy updates to the production environment gradually and automatically roll back if health checks fail. Which AWS service and deployment configuration should the engineer use?

A. Use AWS CloudFormation with a blue/green deployment and a CloudWatch alarm to trigger rollback.
B. Use AWS Elastic Beanstalk with a rolling update and a CloudWatch alarm to trigger rollback.
C. Use AWS CodeDeploy with a canary deployment and a CloudWatch alarm to trigger automatic rollback.
D. Use AWS CodePipeline with a manual approval step and a CloudWatch alarm to trigger rollback.
Answer: C

CodeDeploy canary shifts traffic in increments and automatically rolls back if the alarm triggers.

Why this answer

Option C is correct because AWS CodeDeploy with a canary deployment allows gradual traffic shifting and automatic rollback when a CloudWatch alarm fires. Option A is incorrect because CloudFormation with a blue/green deployment requires manual rollback. Option B is incorrect because Elastic Beanstalk with rolling updates does not support canary-based traffic shifting.

Option D is incorrect because CodePipeline alone does not handle deployment strategies or health check-based rollbacks.

980
MCQ · easy

A developer wants to debug an AWS Lambda function by viewing real-time logs. Which AWS service should the developer use?

A. Amazon CloudWatch Logs
B. AWS X-Ray
C. Amazon S3
D. AWS CloudTrail
Answer: A

Lambda automatically sends logs to CloudWatch Logs.

Why this answer

Option A is correct because CloudWatch Logs captures Lambda logs. Option B is wrong because X-Ray is for tracing. Option D is wrong because CloudTrail records API calls.

Option C is wrong because S3 can store logs but not in real time.

981
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The developer wants the deployment to automatically roll back if any of the new instances fail a health check within the first 10 minutes after deployment. Which configuration should the developer set in the CodeDeploy deployment group?

A. Configure a CloudWatch alarm and enable alarm-based automatic rollback in the AutoRollbackConfiguration.
B. Set the DeploymentStyle to 'BLUE_GREEN' and configure the 'LoadBalancerInfo' with the target group.
C. Create a lifecycle hook for the Auto Scaling group to trigger a rollback script.
D. Set a TriggerConfiguration in the deployment group to send notifications on deployment failure.
Answer: A

The AutoRollbackConfiguration in the deployment group allows you to specify events that trigger an automatic rollback, including alarm (CloudWatch alarm). The developer can set an alarm that monitors health check metrics and configure the deployment group to roll back if that alarm is in the ALARM state.

Why this answer

Option A is correct because CodeDeploy's AutoRollbackConfiguration allows you to specify CloudWatch alarms as triggers for automatic rollback. By creating a CloudWatch alarm that monitors the EC2 Auto Scaling group's health check failures and setting the alarm's evaluation period to 10 minutes, the deployment will automatically roll back if any new instance fails a health check within that window. This directly meets the requirement without custom scripting or manual intervention.

Exam trap

The trap here is that candidates confuse event-based notifications (TriggerConfiguration) with automated rollback actions (AutoRollbackConfiguration), or mistakenly think lifecycle hooks or deployment style settings inherently provide health-check-based rollback.

How to eliminate wrong answers

Option B is wrong because setting DeploymentStyle to 'BLUE_GREEN' and configuring LoadBalancerInfo with a target group only defines the deployment strategy and traffic routing; it does not enable automatic rollback based on health check failures. Option C is wrong because Auto Scaling lifecycle hooks are designed to pause instance launch or termination to run custom actions (e.g., install software), not to trigger rollback logic in CodeDeploy; they cannot directly initiate a deployment rollback. Option D is wrong because TriggerConfiguration in a deployment group is used to send Amazon SNS notifications on deployment events (e.g., success, failure), not to automatically roll back a deployment based on health checks.

982
Multi-Select · medium

A company is using AWS CloudFormation to deploy and manage infrastructure. The developer wants to implement a CI/CD pipeline that automatically deploys CloudFormation stacks. The pipeline should be able to create, update, and delete stacks. Which THREE AWS services should the developer use together?

Select 3 answers
A. AWS CodeBuild
B. AWS CodeDeploy
C. AWS Lambda
D. AWS CloudFormation
E. AWS CodePipeline
Answers: A, D, E

CodeBuild can run template validation and packaging.

Why this answer

Options A, D, and E are correct because CodePipeline orchestrates the pipeline, CodeBuild can run scripts or validate templates, and CloudFormation performs the stack operations. Option B is wrong because CodeDeploy is for application deployment, not CloudFormation. Option C is wrong because Lambda can be used but is not required.

983
MCQ · medium

A company has an S3 bucket that stores log files. The bucket policy grants the AWSServiceRoleForSSO service role write access. However, the logs are not being written. What is the MOST likely reason?

A. The bucket has S3 Block Public Access enabled, which blocks all service role access.
B. The bucket policy uses a service role ARN that is not a valid principal for S3 bucket policies.
C. The bucket ACL is set to private, which prevents service role writes.
D. The bucket has default encryption enabled using SSE-S3, which prevents writes from service roles.
Answer: B

Service roles are not valid principals in S3 bucket policies; use the service's principal instead.

Why this answer

Option B is correct because S3 bucket policies must grant access to a valid principal, and the service role is not a valid principal for S3 bucket policies. Option D is wrong because SSE-S3 does not block writes. Option A is wrong because Block Public Access does not affect service roles.

Option C is wrong because ACLs are disabled by default, and service roles are granted access through bucket policies.

984
MCQ · hard

A developer attached the IAM policy above to an IAM user. The user reports being unable to list objects in the bucket 'my-bucket' using the AWS CLI command 'aws s3 ls s3://my-bucket/'. What is the most likely reason?

A. The IAM policy does not allow the s3:GetObject action on the bucket.
B. The IAM policy resource for s3:ListBucket should include the bucket and objects.
C. The IAM policy is missing the s3:ListAllMyBuckets action.
D. The IAM policy does not include the s3:GetBucketLocation action.
Answer: D

The CLI needs GetBucketLocation to determine the bucket's region.

Why this answer

The `aws s3 ls s3://my-bucket/` command requires the `s3:GetBucketLocation` permission to determine the bucket's region before listing its contents. Without this action, the CLI fails with an error like 'An error occurred (AccessDenied) when calling the GetBucketLocation operation', even if `s3:ListBucket` is granted. Option D correctly identifies this missing permission as the root cause.

Exam trap

The trap here is that candidates often focus on the `ListBucket` permission and overlook the prerequisite `GetBucketLocation` call, assuming the CLI only needs the list action for the `ls` command.

How to eliminate wrong answers

Option A is wrong because `s3:GetObject` is not required for listing objects; it is needed for downloading objects, not for the `ls` command. Option B is wrong because the resource for `s3:ListBucket` should be the bucket ARN (`arn:aws:s3:::my-bucket`), not the bucket and objects; specifying objects in the resource would incorrectly restrict the action. Option C is wrong because `s3:ListAllMyBuckets` is only needed for the `aws s3 ls` command without a bucket argument (listing all buckets), not for listing objects in a specific bucket.

985
MCQ · hard

A developer is troubleshooting performance issues in an application that uses Amazon ElastiCache for Redis. The application experiences periodic latency spikes during peak hours. The developer checks CloudWatch metrics and sees that the 'Evictions' metric is consistently high and the 'CacheHitRate' metric is low. The cluster uses a single cache.t3.small node. Which action will most likely improve the cache hit rate and reduce latency?

A. Increase the number of replicas
B. Enable cluster mode and add more shards
C. Increase the TTL of cached items
D. Use a larger instance type
Answer: D

Upgrading to a larger instance type (e.g., cache.t3.medium) increases available memory, reducing evictions and improving cache hit rate. This is a simple, non-disruptive change that directly addresses insufficient memory.

Why this answer

The correct answer is D because the symptoms—high evictions and low cache hit rate—indicate that the single cache.t3.small node is running out of memory. Using a larger instance type increases the available memory, allowing more data to be cached, reducing evictions, and improving the cache hit rate. This directly addresses the root cause of memory pressure without changing the cluster architecture or data expiration behavior.

Exam trap

The trap here is that candidates often confuse scaling out (adding replicas or shards) with scaling up (increasing instance size), but for a single-node cluster suffering from memory exhaustion, the most direct and effective solution is to increase memory capacity, not to add replicas or change the cluster mode.

How to eliminate wrong answers

Option A is wrong because increasing the number of replicas does not increase the total memory capacity of the cluster; replicas are read-only copies that improve read scalability and fault tolerance, but they share the same memory limit as the primary node, so evictions and cache hit rate remain unchanged. Option B is wrong because enabling cluster mode and adding more shards distributes data across multiple nodes, which can increase total memory, but it requires application changes to support sharding and is more complex than simply scaling up the instance size; the immediate, simplest fix for a single-node cluster under memory pressure is to increase memory. Option C is wrong because increasing the TTL of cached items only delays their expiration, but if the cache is already full and evicting items due to memory pressure, longer TTLs will not prevent evictions—they may even worsen the problem by keeping stale data in memory longer.

986
MCQ · easy

A company wants to ensure that all data in transit between a web application and its users is encrypted. Which AWS service can provide SSL/TLS termination?

A. Amazon CloudFront
B. Application Load Balancer (ALB)
C. Amazon Route 53
D. Amazon EC2 instance
Answer: B

ALB can terminate SSL/TLS.

Why this answer

Option B is correct because an ALB can terminate SSL/TLS and decrypt traffic. Option A is wrong only in the sense that CloudFront can also terminate SSL, but the question asks which service provides termination for the web application, and ALB is the common choice. Option D is wrong because EC2 instances can handle SSL themselves, but that is not a managed termination service.

Option C is wrong because Route 53 is DNS and does not terminate SSL.

987
MCQ · easy

A developer is using AWS CodeDeploy to deploy a revision to an EC2/On-Premises deployment group. The deployment fails because the specified deployment configuration requires a minimum of 1 healthy host, but the deployment group has 0 instances. What is the most likely cause?

A. The deployment group is not associated with any Auto Scaling group.
B. The deployment configuration requires too many healthy hosts.
C. The CodeDeploy agent is not installed on the instances.
D. The deployment group does not have any Amazon EC2 instances registered.
Answer: D

No instances means no healthy hosts.

Why this answer

Option D is correct because if the deployment group has no instances, there are no healthy hosts to meet the minimum. Option A is wrong because a deployment group can exist without an Auto Scaling group; the deployment still fails only because no instances are registered. Option B is wrong because the deployment configuration settings are correct.

Option C is wrong because a CodeDeploy agent that is not running would cause an instance-level failure, not a group with zero instances.

988
MCQ · hard

A developer is using AWS Secrets Manager to rotate database credentials automatically. The rotation fails with the error 'The secret value is not valid JSON.' What is the most likely cause?

A. The secret is in a different AWS region than the Lambda rotation function.
B. The secret value was stored as a plain string instead of a JSON object.
C. The secret name is not base64-encoded.
D. The secret does not have the correct version label.
Answer: B

Secrets Manager requires JSON format for automatic rotation to parse username, password, etc.

Why this answer

AWS Secrets Manager requires secret values to be stored as valid JSON objects when automatic rotation is configured. If the secret is stored as a plain string (e.g., a single password string without key-value pairs), the rotation function cannot parse it, resulting in the 'The secret value is not valid JSON' error. This is because the Lambda rotation function expects to read and write a JSON structure to manage the credentials during rotation.

Exam trap

The trap here is that candidates may confuse the JSON validation error with other rotation failures, such as network issues or permission errors, but the specific error message 'The secret value is not valid JSON' directly points to the secret's format being incorrect.

How to eliminate wrong answers

Option A is wrong because the Lambda rotation function and the secret must be in the same AWS region; cross-region rotation is not supported, but this would cause a different error (e.g., 'AccessDenied' or 'ResourceNotFoundException'), not a JSON parsing error. Option C is wrong because secret names are not required to be base64-encoded; they are plain text strings that identify the secret, and base64 encoding is irrelevant to JSON validity. Option D is wrong because version labels (e.g., AWSCURRENT, AWSPREVIOUS) are managed automatically by Secrets Manager during rotation; an incorrect version label would cause a versioning error, not a JSON parsing failure.

989
MCQ · hard

A developer is using AWS Step Functions to orchestrate a workflow that includes a Lambda function for data transformation. The Lambda function occasionally times out after 15 seconds. The Step Function execution fails with a 'States.Timeout' error. The developer wants to retry the Lambda task up to 3 times with exponential backoff. Which configuration should the developer add to the state definition in the Amazon States Language (ASL)?

A. "Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 3 } ]
B. "Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 2, "BackoffRate": 3, "MaxAttempts": 5 } ]
C. "Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 2 } ]
D. "Retry": [ { "ErrorEquals": ["Lambda.ServiceException"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 3 } ]
Answer: A

Correctly catches States.Timeout, exponential backoff with 3 attempts.

Why this answer

Option A is correct because it defines a Retry on 'States.Timeout' with a 1-second interval, a backoff rate of 2, and a maximum of 3 attempts. Option D is wrong because its 'ErrorEquals' matches 'Lambda.ServiceException', which is not the timeout error; the error is 'States.Timeout'. Option B is wrong because it has 'MaxAttempts' of 5, not 3.

Option C is wrong because it allows only 2 attempts.

990
MCQ · medium

A developer is deploying a containerized application to Amazon ECS with the Fargate launch type using AWS CodeDeploy for blue/green deployments. The application is behind an Application Load Balancer (ALB). What is the minimum number of ALB target groups required for a blue/green deployment?

A. 1
B. 2
C. 3
D. 4
Answer: B

Two target groups are needed—one for the running task set and one for the new task set. CodeDeploy shifts traffic between them.

Why this answer

In a blue/green deployment with Amazon ECS (Fargate) and AWS CodeDeploy, the deployment process requires two distinct target groups: one for the 'blue' (current) environment and one for the 'green' (new) environment. CodeDeploy shifts traffic from the blue target group to the green target group during the deployment, allowing for instant rollback by switching back. A single target group cannot differentiate between the two environments, and three or more are unnecessary because the blue/green model only needs two active target groups at any time.

Exam trap

The trap here is that candidates often assume a single target group is sufficient because they think of the ALB as handling traffic routing on its own, but they miss that blue/green deployments require two separate target groups to isolate the old and new environments for traffic shifting and rollback.

How to eliminate wrong answers

Option A is wrong because a single target group cannot support blue/green deployments; it would force an in-place update, which defeats the purpose of having separate environments for traffic shifting and rollback. Option C is wrong because three target groups are not required; the blue/green model only needs one for the current version and one for the new version, with no third group needed for routing or testing. Option D is wrong because four target groups are excessive and would add unnecessary complexity; the standard blue/green deployment with ECS and CodeDeploy uses exactly two target groups.

991
MCQ · medium

A Lambda function must retrieve feature flags at runtime with low latency and controlled rollout. Which AWS service is most appropriate?

A. AWS CloudFormation Parameters
B. AWS IAM Access Analyzer
C. Amazon Inspector
D. AWS AppConfig
Answer: D

Correct for the stated requirement.

Why this answer

AWS AppConfig is the correct choice because it is purpose-built for managing application configuration at runtime, including feature flags, with support for controlled rollouts (e.g., percentage-based deployments, canary releases) and low-latency retrieval via the AppConfig agent or direct API calls. It integrates with AWS Lambda to fetch configuration values on-demand without requiring a full deployment, enabling dynamic feature toggling.

Exam trap

The trap here is that candidates may confuse AWS AppConfig with AWS Systems Manager Parameter Store or AWS Secrets Manager, but AppConfig is the only service that combines runtime configuration retrieval with controlled rollout and validation, which is explicitly required for feature flags.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation Parameters are used to pass values into CloudFormation templates at stack creation or update time, not for runtime retrieval of feature flags with low latency and controlled rollout. Option B is wrong because AWS IAM Access Analyzer is a security tool that analyzes resource policies to identify unintended access, not a service for managing feature flags or application configuration. Option C is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and network exposure, not a runtime configuration or feature flag service.

992
MCQ · hard

A developer deploys a Lambda function that transforms incoming JSON payloads and writes results to DynamoDB. After a recent code update, the function frequently times out with 5-second durations. The function has a 15-second timeout and 512 MB memory. CloudWatch Logs show no errors. The DynamoDB table has autoscaling enabled. What is the MOST likely cause of the increased duration?

A. DynamoDB write capacity is insufficient, causing throttling and retries.
B. The function is reading the input payload from S3 instead of API Gateway, causing network latency.
C. A new dependency in the deployment package increased the function's initialization time beyond the duration of the function's reserved concurrency warm start window.
D. The function code throws an unhandled exception that is not logged.
Answer: C

This is a common cause of timeout after adding dependencies.

Why this answer

Option C is correct because a new dependency introduced in the update may increase initialization time, leading to timeouts if the function is not provisioned with enough concurrency or if the new library is large. Option B is wrong because Lambda can read from S3 without issue. Option A is wrong because DynamoDB autoscaling handles capacity.

Option D is wrong because CloudWatch Logs would show errors if the code threw exceptions.

993
MCQ · easy

A developer runs an application on Amazon EC2 that needs to securely store database credentials (username and password). The security team requires that the credentials be automatically rotated every 30 days. Which AWS service should the developer use to store and automatically rotate the credentials?

A. AWS Systems Manager Parameter Store with a SecureString parameter.
B. AWS Secrets Manager with automatic rotation enabled.
C. AWS Identity and Access Management (IAM) roles for EC2.
D. AWS Key Management Service (KMS) to store the credentials as encrypted data.
Answer: B

Secrets Manager is designed for managing secrets and supports automatic rotation for many database services. It can rotate the credentials on a schedule as required.

Why this answer

AWS Secrets Manager is designed specifically for managing secrets such as database credentials, with built-in capabilities for automatic rotation according to a schedule (e.g., every 30 days). It integrates natively with supported databases (e.g., Amazon RDS, Redshift, DocumentDB) to rotate credentials without custom code, and it encrypts secrets at rest using AWS KMS. This makes it the correct choice for the developer's requirement of secure storage and automated rotation.

Exam trap

The trap here is that candidates often confuse Parameter Store's SecureString (which can store encrypted secrets but lacks built-in rotation) with Secrets Manager, overlooking the explicit requirement for automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with a SecureString parameter can store encrypted credentials but does not support automatic rotation of the secret value; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because IAM roles for EC2 provide temporary credentials for AWS API access, not for storing or rotating database credentials (username/password); they cannot be used to store secrets. Option D is wrong because AWS KMS is a key management service for encryption keys, not a secret storage service; it cannot store credentials or perform rotation.

994
MCQ · hard

A developer is troubleshooting access to an Amazon S3 bucket. The bucket policy allows access to the developer's IAM role, but the developer receives an Access Denied error when trying to upload objects. The developer is using an IAM user with access keys for API calls. What is the most likely cause?

A. The developer's IAM user does not have s3:PutObject permission
B. The bucket policy does not include a Principal element
C. The S3 bucket is in a different region from the developer's API endpoint
D. The bucket policy allows the role ARN, but the developer is using user credentials
Answer: D

The bucket policy references the role ARN, but the developer is using IAM user credentials; thus access is denied.

Why this answer

When using IAM user credentials, the bucket policy must grant access to the IAM user ARN, not the role ARN. The developer is using user credentials, so the bucket policy should reference the user, not the role.

995
MCQ · medium

A developer is using the AWS CLI to upload a large file to S3. The file is 2 GB. The developer uses the following command: aws s3 cp largefile.zip s3://mybucket/. The upload is taking longer than expected. Which change would MOST improve the upload speed?

A. Disable multipart upload by setting --no-multipart.
B. Increase the multipart upload part size using the --multipart-upload-part-size option.
C. Enable S3 Transfer Acceleration on the bucket and use the --endpoint-url parameter.
D. Use the aws s3api put-object command instead.
Answer: B

Increasing part size reduces the number of parts, improving speed.

Why this answer

For large files, the aws s3 cp command automatically uses multipart upload, but increasing the part size can reduce the number of parts and improve throughput. Using aws s3api put-object is single-part and not suitable for large files. Disabling multipart upload would slow it down.

S3 Transfer Acceleration reduces latency over long distances, but does not necessarily improve throughput for a single upload.

996
MCQ · medium

An independent software vendor (ISV) is building a serverless application that processes incoming HTTP requests. The incoming requests must be validated against an OpenAPI schema before being passed to the Lambda function. Which AWS service should the ISV use to perform this validation?

A. Amazon API Gateway (with request validation)
B. AWS WAF
C. Amazon Cognito
D. AWS AppSync
Answer: A

Correct. API Gateway can validate requests against an OpenAPI schema before forwarding them to the Lambda function, reducing unnecessary invocations and improving security.

Why this answer

Amazon API Gateway's request validation feature can validate incoming HTTP requests against an OpenAPI (Swagger) schema before the request reaches the Lambda function. This offloads validation from the Lambda code, reducing cost and latency by rejecting invalid requests early. The ISV can define the schema in the API Gateway REST API or HTTP API, and API Gateway will automatically check headers, query strings, and request bodies against the schema.

Exam trap

The trap here is confusing AWS WAF's ability to inspect HTTP requests (e.g., body size, headers) with API Gateway's schema-based validation, leading candidates to choose WAF for payload validation instead of API Gateway's built-in request validation.

How to eliminate wrong answers

Option B (AWS WAF) is wrong because WAF is a web application firewall that filters traffic based on IP addresses, SQL injection patterns, or cross-site scripting, not for validating request payloads against an OpenAPI schema. Option C (Amazon Cognito) is wrong because Cognito provides authentication, authorization, and user management, not request schema validation. Option D (AWS AppSync) is wrong because AppSync is a managed GraphQL service for real-time data synchronization and offline access, not for validating RESTful HTTP requests against an OpenAPI schema.

997
MCQ · medium

A company's application uses Amazon DynamoDB as its database. The application reads the same item multiple times per second and occasionally sees stale data. The DynamoDB table uses the default eventually consistent reads. What should the developer change to ensure strongly consistent reads?

A. Increase the read capacity units of the table.
B. Use DynamoDB Accelerator (DAX) to cache the item.
C. Set the ConsistentRead parameter to true in the GetItem call.
D. Use DynamoDB transactions for all read operations.
Answer: C

Strongly consistent reads are available by setting ConsistentRead=true.

Why this answer

Option C is correct because DynamoDB's default read consistency model is eventually consistent, which can return stale data if an item is updated shortly before the read. By setting the `ConsistentRead` parameter to `true` in the `GetItem` call, the developer forces a strongly consistent read, ensuring the response reflects the most recent write. This directly addresses the stale data issue without changing throughput or adding caching.

Exam trap

The trap here is that candidates often confuse throughput scaling (Option A) or caching (Option B) with consistency guarantees, or mistakenly think transactions (Option D) are required for strong consistency, when in fact a simple parameter change on the read operation is the correct and minimal fix.

How to eliminate wrong answers

Option A is wrong because increasing read capacity units (RCUs) only affects throughput and cost, not the consistency model; eventually consistent reads still return stale data regardless of RCU count. Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance but does not guarantee strong consistency; it can serve stale data from its cache. Option D is wrong because DynamoDB transactions are designed for atomic, isolated multi-item operations (using `TransactGetItems` or `TransactWriteItems`), not for ensuring single-item strong consistency; using transactions for simple reads adds unnecessary overhead and cost.

998
MCQmedium

A company uses AWS CodePipeline with a source stage from Amazon S3. The pipeline triggers on changes to the S3 bucket. However, the pipeline does not trigger when a new object is uploaded. What is the MOST likely cause?

A.The S3 bucket policy denies access to CodePipeline.
B.The S3 bucket does not have an event notification configured for the pipeline.
C.The pipeline is not configured with a webhook.
D.The object is encrypted and CodePipeline cannot read it.
AnswerB

Event notifications are needed to trigger the pipeline.

Why this answer

Option B is correct because S3 event notifications must be configured to invoke the pipeline. Option A is wrong because the bucket policy is not related. Option C is wrong because the pipeline is not triggered by S3 events directly.

Option D is wrong because encryption does not affect triggering.

999
Multi-Selectmedium

A developer is designing a system that requires processing of streaming data from IoT devices in real time. The processed data will be stored in an S3 bucket for analytics. Which AWS services should the developer use together to build this solution? (Choose TWO.)

Select 2 answers
A.Amazon Kinesis Data Firehose
B.Amazon Kinesis Data Streams
C.AWS Lambda
D.Amazon S3
E.Amazon SQS
AnswersA, B

Firehose can load streaming data into S3 for analytics.

Why this answer

The correct answers are A and B. Amazon Kinesis Data Streams ingests streaming data, and Amazon Kinesis Data Firehose delivers that data to S3. Option C is wrong because Lambda is not a streaming ingestion service.

Option E is wrong because SQS is for message queues, not real-time streaming. Option D is wrong because S3 is the destination, not the processing service.

1000
Multi-Selecthard

A developer is troubleshooting an EC2 instance that is unreachable via SSH. The instance is in a public subnet with a security group that allows inbound SSH from 0.0.0.0/0. Which THREE are possible causes? (Choose 3.)

Select 3 answers
A.The network ACL associated with the subnet is blocking inbound SSH.
B.The SSH key pair used to launch the instance is incorrect.
C.The instance is in the 'stopped' state.
D.The instance does not have an IAM role with the necessary permissions.
E.The instance does not have a public IPv4 address.
AnswersA, C, E

Network ACLs are stateless and must allow both inbound and outbound traffic.

Why this answer

Network ACLs can block traffic even if the security group allows it (Option A). The instance may be stopped (Option C). The instance may not have a public IP (Option E).

The key pair is used for authentication, not connectivity (Option B). The IAM role does not affect SSH access (Option D).

1001
MCQeasy

A developer is troubleshooting an AWS Lambda function that processes files uploaded to an Amazon S3 bucket. The function sometimes times out when processing large files. CloudWatch Logs show that the function's execution time correlates with file size. The function is configured with 128 MB memory and a timeout of 30 seconds. Which action should the developer take to resolve the timeout for large files without refactoring the code?

A.Increase the Lambda function's memory
B.Increase the Lambda function's timeout
C.Increase the S3 event notification batch size
D.Enable Lambda function reserved concurrency
AnswerB

The timeout error occurs because the function exceeds the configured 30-second limit. Increasing the timeout allows large files more time to complete processing, directly resolving the error without code changes.

Why this answer

The Lambda function times out because processing large files exceeds the 30-second timeout. Since the execution time correlates with file size and the code cannot be refactored, the only way to resolve the timeout is to increase the function's timeout setting. This directly extends the maximum allowed execution duration, allowing large files to complete processing without code changes.

Exam trap

The trap here is that candidates often assume increasing memory will always solve performance issues, but when the root cause is a hard timeout limit, only increasing the timeout setting directly addresses the timeout error without code changes.

How to eliminate wrong answers

Option A is wrong because increasing memory also increases CPU and network throughput proportionally, which can reduce execution time, but the question explicitly states 'without refactoring the code' and the issue is a hard timeout—memory increase does not change the maximum allowed execution duration. Option C is wrong because S3 event notification batch size controls how many events are sent per invocation, not the timeout or execution time for a single file; it would not resolve a timeout caused by processing a single large file. Option D is wrong because reserved concurrency guarantees a set number of concurrent executions but does not affect the timeout duration or execution time per invocation.

1002
MCQmedium

A developer is building a serverless application using API Gateway and Lambda. The API must be accessible only from a specific VPC. How can the developer achieve this?

A.Use security groups to restrict access to the API Gateway.
B.Create the API Gateway inside the VPC.
C.Use CloudFront with an origin access identity to restrict access.
D.Create a VPC endpoint for API Gateway and attach a resource policy to the API that allows access only from the VPC endpoint.
AnswerD

This restricts API access to the VPC.

Why this answer

Option D is correct because resource policies on API Gateway can restrict access to a VPC or VPC endpoint. Option B is incorrect because API Gateway is a regional service and cannot be placed inside a VPC. Option A is incorrect because security groups are for EC2, not API Gateway.

Option C is incorrect because CloudFront does not restrict access to a specific VPC.

1003
Multi-Selecthard

A developer is designing a microservices architecture where each service communicates over HTTPS. They need to ensure that only authorized services can invoke each other. Which TWO services can be used to manage authentication and authorization between services?

Select 2 answers
A.AWS App Mesh
B.AWS Resource Access Manager
C.AWS VPC Lattice
D.AWS Direct Connect
E.Amazon API Gateway
AnswersA, E

Supports mTLS for service authentication.

Why this answer

Options A and E are correct. AWS App Mesh provides service-to-service authentication using mTLS, and Amazon API Gateway can use IAM authorization or Lambda authorizers. AWS Resource Access Manager (RAM) is not correct.

VPC Lattice provides service-to-service authentication. AWS Direct Connect is for dedicated network connections.

1004
MCQeasy

A developer is creating an ECS task definition using the JSON shown in the exhibit. The task fails to run with an error about insufficient memory. What is the issue?

A.The container port is not mapped to a host port.
B.The task definition does not specify a network mode.
C.The task memory and cpu values are specified as strings instead of integers.
D.The container memory is less than the task memory.
AnswerC

Memory and cpu must be integers, not strings.

Why this answer

Option C is correct because the exhibit shows 'memory': '512' and 'cpu': '256' as strings. In an ECS task definition, the task memory and cpu values must be integers, not strings, so the task fails to run.

Option A is wrong because the container port mapping is valid. Option B is wrong because although no network mode is specified, the default (bridge) is fine.

Option D is wrong because the container memory (256) is less than the task memory (512), which is acceptable.

1005
MCQeasy

A developer needs to grant an IAM user the ability to create and manage EC2 instances, but only in the us-east-1 region. Which IAM policy statement should be used?

A.{"Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}
B.{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
C.{"Effect": "Allow", "Action": "ec2:*", "Resource": "arn:aws:ec2:us-east-1:*:*"}
D.{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
AnswerA

Condition restricts region.

Why this answer

Option A is correct because the Condition element with ec2:Region restricts actions to a specific region. Option C is wrong because a Resource ARN cannot specify the region for EC2 instances that way. Option D is wrong because without a condition it allows all regions.

Option B is wrong because the Action is not properly scoped.

1006
MCQeasy

A developer is deploying an application using AWS Elastic Beanstalk. The application requires a custom Amazon Machine Image (AMI) that includes specific software packages not available in the standard Elastic Beanstalk platform. Which approach should the developer use to ensure the custom AMI is used for all EC2 instances in the environment?

A.Create a custom platform using the Packer tool and specify it in the environment configuration.
B.Use the Elastic Beanstalk console to change the AMI ID in the environment configuration after creation.
C.Modify the .ebextensions configuration file to specify the custom AMI ID.
D.Launch a new environment with a different platform version that includes the required software.
AnswerA

This is the correct method to use a custom AMI in Elastic Beanstalk by defining a custom platform.

Why this answer

Option A is correct because AWS Elastic Beanstalk allows you to create a custom platform using Packer, which can include a custom AMI with specific software packages. You then specify this custom platform in the environment configuration, ensuring all EC2 instances in the environment use that AMI. This approach is the only supported method for using a custom AMI that is not part of the standard Elastic Beanstalk platform.

Exam trap

The trap here is that candidates often think .ebextensions can override the AMI, but .ebextensions only configures the instance after launch, not the base image itself.

How to eliminate wrong answers

Option B is wrong because you cannot change the AMI ID in the Elastic Beanstalk console after environment creation; the AMI is tied to the platform version and cannot be directly modified. Option C is wrong because .ebextensions configuration files cannot specify a custom AMI ID; they are used for additional configuration like packages, files, and services, not for overriding the base AMI. Option D is wrong because launching a new environment with a different platform version that includes the required software is not feasible if the software is not available in any standard platform; custom platforms are required for such cases.

1007
Drag & Dropmedium

Drag and drop the steps to configure an S3 bucket for static website hosting in the correct order.


Why this order

First create the bucket, then enable static website hosting, configure index and error documents, set appropriate permissions, and finally upload content.

1008
Multi-Selecteasy

A developer is tasked with encrypting data at rest for an Amazon RDS for MySQL database. The developer wants to use AWS KMS for key management. Which TWO configurations are valid? (Choose TWO.)

Select 2 answers
A.Create a customer managed KMS key and specify it when creating the DB instance.
B.Enable encryption after the DB instance is created by modifying the DB instance.
C.Enable encryption using the default AWS managed key for RDS.
D.Use S3 server-side encryption (SSE-S3) with the RDS instance.
E.Use an AWS owned KMS key for encryption.
AnswersA, C

Customer managed keys are supported.

Why this answer

Option A is correct because you can create a customer managed KMS key and specify it when creating the DB instance. Amazon RDS for MySQL supports encryption at rest using AWS KMS, and you can choose a customer managed key at launch time. This key is used to encrypt the DB instance's storage, automated backups, read replicas, and snapshots.

Exam trap

The trap here is that candidates may think encryption can be toggled on after creation (Option B) or that AWS owned keys are a valid choice for RDS (Option E), but AWS explicitly requires encryption to be set at launch and only supports AWS managed or customer managed keys for RDS.

1009
Multi-Selectmedium

A company is deploying a critical application using AWS CodeDeploy. To minimize downtime, they want to perform a blue/green deployment. Which TWO strategies should they implement?

Select 2 answers
A.Create an Elastic Load Balancer to route traffic between the blue and green environments.
B.Use an Amazon Route 53 weighted routing policy to gradually shift traffic.
C.Configure an AWS Lambda function to perform A/B testing during deployment.
D.Use an Amazon CloudFront distribution with multiple origins.
E.Ensure the new instances are registered with the target group before switching traffic.
AnswersA, E

ELB is required for traffic shifting.

Why this answer

Option A (create an Elastic Load Balancer) is correct because blue/green deployments require traffic switching between environments. Option E (register the new instances with the target group) is correct because the new instance group must be registered to receive traffic. A 'swap' is not a standard approach.

Option B is wrong because DNS changes are not typically used with CodeDeploy. Option C is wrong because CodeDeploy does not support A/B testing natively.

1010
MCQeasy

A company uses AWS CodePipeline to automate releases. The pipeline includes a source stage from CodeCommit, a build stage with CodeBuild, and a deploy stage with CodeDeploy. The build stage fails intermittently due to insufficient memory. What should the developer do to resolve this?

A.Increase the compute type of the CodeBuild project.
B.Change the deployment configuration to CodeDeploy.Default.AllAtOnce.
C.Switch the source to an S3 bucket.
D.Modify the buildspec.yml to use less memory.
AnswerA

Larger compute type provides more memory.

Why this answer

The correct answer is A. CodeBuild allows you to increase the compute type to provide more memory. Option D (modify the buildspec) does not change the available memory.

Option C (change the source) is irrelevant. Option B (change the deployment configuration) applies to the deploy stage.

1011
MCQeasy

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The deployment must ensure zero downtime. Which ECS deployment configuration should be used?

A.Rolling update with a minimum healthy percent of 50% and maximum percent of 200%
B.Set the task placement strategy to REPLICA
C.Use the DAEMON scheduling strategy with a deployment circuit breaker
D.Blue/green deployment using AWS CodeDeploy
AnswerD

Blue/green deployment with CodeDeploy allows you to test new version before shifting traffic, ensuring zero downtime.

Why this answer

Option D is correct. Blue/green deployment with CodeDeploy allows you to shift traffic gradually and automatically roll back if issues arise, ensuring zero downtime. Option A is wrong because a rolling update can cause downtime if it is not configured properly; it can achieve zero downtime with enough spare capacity, but the question asks for the configuration that ensures zero downtime, and blue/green is more reliable.

Option C is wrong because the 'DAEMON' scheduling strategy runs one task per instance; it is not a zero-downtime deployment mechanism. Option B is wrong because 'REPLICA' is a task placement strategy, not a deployment type.

1012
MCQeasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer wants to ensure that the Lambda function's environment variables are encrypted at rest. What is the most straightforward way to achieve this?

A.No action needed; SAM automatically encrypts environment variables at rest using a default KMS key.
B.Enable encryption in the SAM template using the 'Encrypt' property.
C.Modify the Lambda function's code to encrypt environment variables before deployment.
D.Create a customer managed KMS key and specify it in the SAM template.
AnswerA

SAM uses AWS managed keys to encrypt environment variables by default.

Why this answer

Option A is correct because SAM automatically enables encryption at rest for environment variables using AWS KMS. Option B is wrong because the encryption is done by default. Option D is wrong because manual KMS key creation is not required for default encryption.

Option C is wrong because the function's code does not affect encryption at rest.

1013
MCQmedium

A developer is deploying an application using AWS CodeDeploy with an in-place deployment configuration. The application runs on an EC2 instance behind an Application Load Balancer. The deployment fails because the health check fails after the new version is installed. What should the developer do to prevent the deployment from failing due to health checks?

A.Deregister the instance from the target group before deployment and register it after.
B.Switch to a blue/green deployment strategy.
C.Configure a longer health check grace period in the CodeDeploy application specification.
D.Increase the health check interval on the load balancer.
AnswerC

The grace period allows the application to initialize before health checks are performed, preventing premature failure.

Why this answer

The correct answer is C. Configuring a longer health check grace period allows the application to start and stabilize before the load balancer checks its health. Option A is wrong because deregistering the instance during deployment is not a standard practice and may cause traffic loss.

Option B is wrong because a blue/green deployment is a different strategy, not a fix for an in-place deployment. Option D is wrong because increasing the interval alone does not provide a grace period.

1014
Multi-Selecteasy

Which TWO services can be used to store and retrieve application configuration data in AWS? (Choose 2)

Select 2 answers
A.AWS CloudTrail
B.Amazon Simple Queue Service (SQS)
C.AWS Systems Manager Parameter Store
D.Amazon DynamoDB
E.AWS AppConfig
AnswersC, E

Parameter Store is a service for storing configuration data and secrets.

Why this answer

AWS Systems Manager Parameter Store (Option C) is a managed service specifically designed to store and retrieve application configuration data, such as database connection strings, passwords, and license keys. It integrates with AWS KMS for encryption and supports hierarchical parameter paths, making it ideal for configuration management without custom code.

Exam trap

The trap here is that candidates often select DynamoDB (Option D) because it can store key-value data, but the question asks for services 'used to store and retrieve application configuration data'—DynamoDB is a general-purpose database, not a dedicated configuration service, and AWS offers purpose-built services (Parameter Store and AppConfig) that are the correct answers.

1015
MCQhard

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to write logs to CloudWatch Logs. Which of the following is required to allow this?

A.Attach an IAM policy to the Lambda execution role with CloudWatch Logs permissions
B.Add a resource-based policy to the Lambda function
C.Configure the S3 bucket to trigger Lambda, and Lambda automatically logs to CloudWatch
D.Create an IAM role for CloudWatch Logs and assign it to the Lambda function
AnswerA

The execution role's policy must allow CloudWatch Logs actions.

Why this answer

The Lambda function's execution role must include a policy that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. This is the standard approach for Lambda logging.

1016
MCQmedium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every year. Which solution meets this requirement with the LEAST operational overhead?

A.Use an AWS managed key (aws/s3) for S3 encryption.
B.Use a customer managed key and enable automatic rotation.
C.Create a customer managed key and rotate it manually every year.
D.Use an asymmetric KMS key and rotate it automatically.
AnswerA

AWS managed keys are automatically rotated every year.

Why this answer

Option A is correct because AWS managed keys (aws/s3) are automatically rotated annually with no effort. Option C requires manual rotation. Option B uses a customer managed key and requires enabling automatic rotation.

Option D is for asymmetric keys, which are not used for S3 encryption.

1017
MCQmedium

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a build stage that compiles the website and a deploy stage that syncs the build output to an S3 bucket. After a recent change, the pipeline succeeds but the website does not show the updated content. What is the most likely cause?

A.Amazon CloudFront is caching the old content and needs an invalidation.
B.The build output is empty because the build failed silently.
C.The deploy action is configured to skip if the source content has not changed.
D.The S3 bucket policy does not allow public read access.
AnswerA

CloudFront caches content; invalidation forces update.

Why this answer

Option A is correct because S3 static websites often use CloudFront for caching; an invalidation is needed after updates. Option D is wrong because if the bucket policy blocked uploads, the deploy stage would fail. Option B is wrong because if the build output were empty, the deploy would still sync (possibly changing nothing).

Option C is wrong because CodePipeline would have failed if the deploy action had failed.

1018
MCQmedium

A company is using AWS CloudTrail to monitor API activity. A developer notices that some actions are not logged. What is a possible reason?

A.Some services are not integrated with CloudTrail.
B.CloudTrail only logs read events.
C.CloudTrail has a 24-hour delay.
D.The CloudTrail trail is not enabled in the correct region.
AnswerA

Not all services log to CloudTrail.

Why this answer

CloudTrail does not log all AWS services by default; some services must be enabled separately.

1019
Multi-Selectmedium

A developer is designing a serverless application that uses AWS Lambda and Amazon DynamoDB. The application needs to handle high traffic spikes without data loss. Which TWO actions should the developer take?

Select 2 answers
A.Enable DynamoDB Auto Scaling
B.Use Provisioned IOPS for DynamoDB
C.Enable DynamoDB Streams
D.Use Amazon SQS to buffer requests to Lambda
E.Increase the Lambda concurrency limit to the maximum
AnswersA, D

Auto scaling adjusts read/write capacity to handle traffic spikes.

Why this answer

Option D is correct because SQS decouples processing and provides a buffer. Option A is correct because DynamoDB auto scaling handles capacity. Option E is wrong because the Lambda concurrency limit would still throttle.

Option C is not directly related. Option B is wrong because Provisioned IOPS is for EBS.

1020
Multi-Selectmedium

Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls?

Select 2 answers
A.Condition: { "Null": { "aws:MultiFactorAuthPresent": "false" } }
B.Condition: { "StringLike": { "iam:MFADeviceType": "Virtual" } }
C.Condition: { "ForAllValues:StringEquals": { "aws:SourceIdentity": "admin" } }
D.Condition: { "StringEquals": { "iam:ResourcePath": "/" } }
E.Condition: { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
AnswersA, E

This denies access if the MFA key is absent (null), effectively requiring MFA.

Why this answer

Options A and E are correct. The 'Bool' condition with 'aws:MultiFactorAuthPresent' checks whether MFA was used. The 'Null' condition can check whether the MFA key is absent. Option D is wrong because it checks the user's path. Option B is wrong because it checks the MFA device type.

Option C is wrong because it checks the caller identity.

1021
MCQhard

A developer is working on a serverless application that uses Amazon DynamoDB as the database. The application reads and writes data to a DynamoDB table named 'Orders'. The table has a partition key 'OrderID' and a sort key 'OrderDate'. The application experiences high read latency during peak hours. The developer checks the CloudWatch metrics and notices high ReadThrottleEvents for the table. The table's read capacity is set to on-demand mode. The developer also notices that the application performs many queries that scan the entire table to find orders by customer ID, which is not a key attribute. What should the developer do to reduce read throttling?

A.Enable DynamoDB Accelerator (DAX) to cache the read results.
B.Switch the table to provisioned capacity mode and increase the read capacity units.
C.Create a Global Secondary Index (GSI) on the CustomerID attribute and query the index instead of scanning the table.
D.Keep the table in on-demand mode but increase the maximum read capacity limit.
AnswerC

A GSI allows efficient querying by CustomerID, avoiding full table scans.

Why this answer

Option C is correct because creating a Global Secondary Index (GSI) on CustomerID allows efficient queries without scanning. Option B is wrong because increasing read capacity units does not apply to on-demand mode. Option D is wrong because on-demand mode already handles spikes, but throttling can still occur if a partition's throughput is exceeded.

Option A is wrong because DAX is an in-memory cache that can reduce read load, but it does not fix the inefficient query pattern.

1022
MCQmedium

A company is using AWS CodePipeline to deploy a web application. The pipeline must securely store and use database credentials. Which AWS service should the developer use to store the credentials and retrieve them during deployment?

A.IAM role attached to the CodePipeline service role.
B.AWS Secrets Manager.
C.AWS Systems Manager Parameter Store with a SecureString parameter.
D.Amazon DynamoDB with server-side encryption.
AnswerB

Secrets Manager is the recommended service for storing and rotating database credentials securely.

Why this answer

Option B is correct because AWS Secrets Manager is designed to store secrets like database passwords and supports automatic rotation. It integrates with CodePipeline via Lambda functions. Option C is wrong because SSM Parameter Store can store secrets but lacks native rotation for RDS.

Option D is wrong because DynamoDB is not a secrets store. Option A is wrong because IAM roles are for AWS service access, not for storing database credentials.

1023
MCQhard

A developer is deploying a serverless application using AWS SAM. The developer wants to run integration tests against the deployed API Gateway endpoints before promoting the deployment to production. The developer uses AWS CodePipeline with a canary deployment strategy. How can the developer implement testing in the pipeline?

A.Use AWS CloudFormation stack outputs to get the endpoint URL and manually test.
B.Add a Lambda function as a test action in CodePipeline that runs after the deploy stage and before the final promote.
C.Use API Gateway stage variables to route a percentage of traffic to the new version and monitor.
D.Configure CodeBuild to run tests after deployment.
AnswerB

Lambda can run integration tests against the canary.

Why this answer

Option B is correct because CodePipeline can invoke a Lambda function as a test action after the canary deployment. This allows running tests against the canary before full rollout. Option A is wrong because it requires a manual step.

Option D is wrong because CodeBuild is for building, not testing after deployment. Option C is wrong because API Gateway stage variables are not designed for canary testing in this context.

1024
MCQeasy

A company wants to encrypt data at rest in an S3 bucket using server-side encryption. Which option provides the MOST control over the encryption key?

A.SSE-KMS (AWS KMS keys)
B.SSE-C (customer-provided keys)
C.Client-side encryption
D.SSE-S3 (S3-managed keys)
AnswerB

The customer provides and manages the encryption keys.

Why this answer

SSE-C (customer-provided keys) gives you the most control because you manage the encryption key yourself—you provide the key in each request, and AWS discards it after use. This means you have full lifecycle control over the key material, including rotation, deletion, and access policies, without AWS ever storing the key. In contrast, SSE-KMS and SSE-S3 rely on AWS-managed or AWS-controlled key stores, reducing your direct control.

Exam trap

The trap here is that candidates confuse 'most control' with 'easiest management' and pick SSE-KMS, but the question explicitly asks for the option that provides the MOST control over the encryption key, which is SSE-C because you own and manage the key entirely.

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses AWS KMS keys, where AWS manages the key store and you share control with AWS via key policies and grants, so you do not have the most control. Option C is wrong because client-side encryption encrypts data before sending it to S3, which gives you full control over the key, but the question specifically asks about server-side encryption, so this is out of scope. Option D is wrong because SSE-S3 uses S3-managed keys (AES-256) where AWS fully manages the key lifecycle, giving you the least control over the encryption key.

1025
MCQeasy

A developer is using Amazon S3 to host a static website. The developer updates the files, but users still see the old version. What is the most likely cause?

A.The S3 bucket has server-side caching enabled.
B.The browser is caching the old files.
C.The files are being served from a CloudFront distribution with TTL.
D.The files are stored in a different S3 bucket.
AnswerB

Browser caching is the most common cause.

Why this answer

S3 static website hosting serves objects directly. If users see old content, it is most likely due to browser caching, so Option B is correct.

Option A is wrong because S3 does not cache content at the bucket level. Option C is wrong because CloudFront is not mentioned. Option D is wrong because S3 static hosting serves files from the bucket.

1026
MCQmedium

A developer is deploying an application with AWS CodeDeploy. The application needs to access a database password. Which service should be used to securely store and retrieve the password?

A.AWS Systems Manager Parameter Store
B.AWS CloudFormation template parameters
C.Amazon DynamoDB with encryption at rest
D.AWS Secrets Manager
AnswerD

Secrets Manager is purpose-built for storing secrets and supports automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to store secrets and automatically rotate them. Option A is wrong because Parameter Store can store secrets but lacks automatic rotation. Option C is wrong because DynamoDB is a database, not a secrets store.

Option B is wrong because CloudFormation is for infrastructure as code, not secret management.

1027
Multi-Selectmedium

Users receive AccessDenied when downloading SSE-KMS encrypted S3 objects cross-account. Which two policies may need changes?

Select 2 answers
A.CloudFront cache policy
B.S3 bucket/object access policy or IAM policy
C.KMS key policy allowing decrypt to the caller
D.Route 53 resolver rule policy
AnswersB, C

Correct for the stated requirement.

Why this answer

When accessing SSE-KMS encrypted S3 objects cross-account, the S3 bucket policy or the IAM policy must explicitly grant the s3:GetObject permission to the caller. Additionally, the KMS key policy must allow the kms:Decrypt action for the caller's AWS account or IAM role, because SSE-KMS uses a customer master key (CMK) to encrypt the object, and decryption requires KMS permissions. If the KMS key policy does not grant decrypt, the request fails with AccessDenied even when the S3 permissions are correct.

Exam trap

The trap here is that candidates often assume only the S3 bucket policy needs updating, forgetting that SSE-KMS adds a second authorization layer via KMS key policies, which must explicitly allow the decrypt action for the cross-account caller.

1028
MCQhard

A developer is designing a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. Which security group configuration meets these requirements?

A.Web tier SG allows inbound from application tier SG.
B.Web tier SG allows inbound 0.0.0.0/0 on port 80; Application tier SG allows inbound from web tier SG on port 8080.
C.Both SGs allow inbound 0.0.0.0/0 on necessary ports.
D.Web tier SG allows inbound 0.0.0.0/0 on port 80; Application tier SG allows inbound from 0.0.0.0/0 on port 443.
AnswerB

Web tier is internet-facing, app tier only from web tier.

Why this answer

Application tier security group should allow inbound traffic only from the web tier security group, not from the internet or CIDR ranges.

1029
MCQhard

A developer uses the AWS SDK to list thousands of DynamoDB items from a query. Only the first page is processed. What should be implemented?

A.Pagination using LastEvaluatedKey until no further key is returned
B.A larger Lambda memory setting only
C.A global secondary index with the same key
D.Strongly consistent reads on every request
AnswerA

Correct for the stated requirement.

Why this answer

The DynamoDB Query API returns paginated results, with a maximum of 1 MB of data per page. The `LastEvaluatedKey` in the response indicates that more items exist. To retrieve all items, the application must check for `LastEvaluatedKey` and, if present, issue a subsequent Query request with the `ExclusiveStartKey` parameter set to that value, repeating until `LastEvaluatedKey` is no longer returned.

This is the standard pagination pattern for DynamoDB.

Exam trap

The trap here is that candidates may assume DynamoDB returns all matching items in a single response, overlooking the 1 MB pagination limit and the necessity of handling `LastEvaluatedKey` in a loop.

How to eliminate wrong answers

Option B is wrong because increasing Lambda memory only increases CPU and network bandwidth, but does not change the DynamoDB API's 1 MB page size limit or the need to handle pagination; the query would still return only the first page. Option C is wrong because a global secondary index (GSI) with the same key would not solve the pagination issue; it would simply provide an alternative query path that also returns paginated results. Option D is wrong because strongly consistent reads ensure the most up-to-date data but do not affect the number of items returned per page or the pagination mechanism; they are unrelated to the pagination problem.
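The pagination loop described above, as an added example that is not part of the question bank. It follows `LastEvaluatedKey` into `ExclusiveStartKey` until no key is returned, and adds a guard against a repeated key. To keep it runnable offline, the DynamoDB Query API is replaced by a constructed in-memory stand-in (`FakeDynamoQuery`) that returns the same response shape; `query_all` accepts a real `boto3` client's `query` method in its place. The `Orders` table, the `pk`/`sk` key names and the sample items are all constructed for the example.

```python
"""Added example (not from the question bank): the DynamoDB Query pagination
loop from question 1029, driven by a constructed in-memory stand-in for the
Query API so that it runs offline."""

from typing import Any, Callable, Dict, Iterator, List, Optional

QueryFn = Callable[..., Dict[str, Any]]


def query_all(query: QueryFn, **params: Any) -> Iterator[Dict[str, Any]]:
    """Yield every item matched by `query`, following LastEvaluatedKey until
    the service stops returning one.

    `query` may be a real boto3 call (boto3.client("dynamodb").query) or, as
    below, a constructed fake with the same response shape.
    """
    start_key: Optional[Dict[str, Any]] = None
    seen_keys: List[Dict[str, Any]] = []
    while True:
        request = dict(params)
        if start_key is not None:
            # Resume exactly where the previous page stopped.
            request["ExclusiveStartKey"] = start_key
        page = query(**request)
        for item in page.get("Items", []):
            yield item
        start_key = page.get("LastEvaluatedKey")
        if not start_key:
            return  # no further key: every page has been read
        # Defensive check: a key that repeats would loop forever.
        if start_key in seen_keys:
            raise RuntimeError("LastEvaluatedKey repeated; aborting pagination")
        seen_keys.append(start_key)


class FakeDynamoQuery:
    """Constructed stand-in for the Query API (not boto3): serves a sorted
    item list in fixed-size pages and returns LastEvaluatedKey while items
    remain. Real DynamoDB pages at 1 MB (or the Limit parameter) instead of
    a fixed item count, but the response shape is the same."""

    def __init__(self, items: List[Dict[str, Any]], page_size: int = 3) -> None:
        self.items = sorted(items, key=lambda it: it["sk"])
        self.page_size = page_size
        self.calls = 0  # how many Query requests the caller issued

    def __call__(self, TableName: str, ExclusiveStartKey: Optional[Dict[str, Any]] = None,
                 **_: Any) -> Dict[str, Any]:
        self.calls += 1
        start = 0
        if ExclusiveStartKey is not None:
            # Continue after the item whose key was returned as LastEvaluatedKey.
            last_sk = ExclusiveStartKey["sk"]
            start = next(i for i, it in enumerate(self.items) if it["sk"] == last_sk) + 1
        page = self.items[start:start + self.page_size]
        response: Dict[str, Any] = {"Items": page, "Count": len(page)}
        if start + self.page_size < len(self.items):
            response["LastEvaluatedKey"] = {"pk": page[-1]["pk"], "sk": page[-1]["sk"]}
        return response


def fetch_orders(query: QueryFn) -> List[Dict[str, Any]]:
    """Collect every order for one constructed customer key."""
    return list(query_all(query, TableName="Orders",
                          KeyConditionExpression="pk = :pk",
                          ExpressionAttributeValues={":pk": {"S": "customer#1"}}))


# Constructed sample data: seven orders, served three per page.
SAMPLE_ORDERS = [{"pk": "customer#1", "sk": f"order#{i:03d}", "amount": 10 * i}
                 for i in range(7)]

if __name__ == "__main__":
    fake = FakeDynamoQuery(SAMPLE_ORDERS, page_size=3)
    first_page = fake(TableName="Orders")
    print("single call returns", first_page["Count"], "items;",
          "LastEvaluatedKey" in first_page and "more remain")
    fake = FakeDynamoQuery(SAMPLE_ORDERS, page_size=3)
    print("query_all returns", len(fetch_orders(fake)), "items in", fake.calls, "calls")
```

A single `query` call against the fake returns only the first three items together with a `LastEvaluatedKey`, which is the symptom in the question; `query_all` issues three requests and returns all seven.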

1030
MCQmedium

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CloudFormation. The deploy stage often fails because CloudFormation change sets are not being created. What is the most likely cause?

A.The CodeBuild project is not producing the expected output artifacts.
B.The CloudFormation deploy action is configured to use the 'CREATE_AND_EXECUTE' change set mode, but the stack does not exist yet.
C.The CloudFormation service role is missing.
D.The source stage is not configured to detect changes in the S3 bucket.
AnswerB

If the stack does not exist, the action should be configured to create a stack directly.

Why this answer

Option B is correct because when a CloudFormation deploy action in CodePipeline is configured with the 'CREATE_AND_EXECUTE' change set mode, it requires the stack to already exist. If the stack does not exist, CloudFormation cannot create a change set (since change sets compare changes against an existing stack), causing the deploy stage to fail. This is a common misconfiguration when deploying a new stack for the first time via CodePipeline.

Exam trap

The trap here is that candidates often assume 'CREATE_AND_EXECUTE' works for both new and existing stacks, but it only works for existing stacks because change sets require a current stack to diff against.

How to eliminate wrong answers

Option A is wrong because if the CodeBuild project were not producing expected output artifacts, the pipeline would likely fail at the build stage or the deploy stage would fail due to missing input artifacts, not specifically because change sets are not being created. Option C is wrong because a missing CloudFormation service role would cause a different error (e.g., 'Access Denied' or 'Unable to assume role') when CloudFormation attempts to perform stack operations, not a failure specific to change set creation. Option D is wrong because the source stage not detecting changes would mean the pipeline does not trigger at all, but the question states the deploy stage fails during execution, implying the pipeline has already triggered and progressed to the deploy stage.

1031
MCQhard

A developer is troubleshooting an IAM policy that is not working as expected. The policy has an Allow effect for s3:PutObject but the user gets AccessDenied. The user also has a Deny policy attached. What is the most likely reason?

A.The resource-based policy on S3 denies access
B.The Allow policy is evaluated before the Deny policy
C.An explicit Deny in an IAM policy overrides the Allow
D.An SCP denies the action
AnswerC

Explicit Deny takes precedence over any Allow.

Why this answer

Option C is correct because AWS IAM evaluates all policies (identity-based, resource-based, and SCPs) and an explicit Deny always overrides any Allow, regardless of the order in which the policies are written. In this scenario, even though the user has an Allow effect for s3:PutObject, the attached Deny policy explicitly denies the action, resulting in an AccessDenied error. This is a fundamental rule of AWS authorization logic: an explicit Deny cannot be overridden by any Allow.

Exam trap

The trap here is that candidates often assume the order of policy evaluation (Allow before Deny) matters, but AWS explicitly states that an explicit Deny overrides any Allow, making the order irrelevant.

How to eliminate wrong answers

Option A is wrong because a resource-based policy on S3 that denies access would also cause AccessDenied, but the question states the user has a Deny policy attached, making the explicit Deny in the IAM policy the most likely reason. Option B is wrong because AWS evaluates all policies in a single pass, and the order of evaluation (Allow before Deny) does not matter; the explicit Deny always takes precedence. Option D is wrong because while an SCP could deny the action, the question specifically mentions the user has a Deny policy attached, and SCPs apply at the account or OU level, not directly to the user; the most direct cause is the attached Deny policy.

1032
MCQeasy

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) intermittently returns 503 errors. The ALB health checks are failing for some instances intermittently. The developer checks the instance system logs and finds no application errors. What is the most likely cause of the health check failures?

A.The application on the instances is experiencing resource exhaustion (e.g., memory or CPU) which causes it to stop responding to health checks temporarily
B.The security group for the instances does not allow inbound traffic from the ALB on the health check port
C.The health check path is not configured correctly and the default path returns a 404 status
D.The target group is not configured with the correct protocol
AnswerA

Intermittent failures suggest transient issues like high resource utilization. The application may become unresponsive during spikes, causing health checks to fail until resources are freed.

Why this answer

Intermittent 503 errors from the ALB combined with intermittent health check failures and no application errors in the system logs strongly point to transient resource exhaustion (CPU or memory) on the EC2 instances. When an instance runs out of memory or CPU, the application process may become unresponsive or be killed by the OS (e.g., OOM killer), causing it to fail health checks temporarily. Once resources are freed (e.g., after a spike subsides), the application resumes responding, which explains the intermittent nature of the failures.

Exam trap

The trap here is that candidates often assume health check failures are always due to misconfiguration (security groups, paths, or protocols) and overlook transient resource exhaustion, which is a common cause of intermittent failures in production.

How to eliminate wrong answers

Option B is wrong because if the security group did not allow inbound traffic from the ALB on the health check port, health checks would fail consistently, not intermittently. Option C is wrong because a misconfigured health check path returning a 404 would cause persistent health check failures, not intermittent ones. Option D is wrong because an incorrect target group protocol (e.g., HTTP vs HTTPS) would cause all health checks to fail consistently, not intermittently.

1033
MCQmedium

A developer is using AWS CodeBuild to build a Java application. The build fails with 'OutOfMemoryError'. Which configuration change would most likely resolve this issue?

A.Use a custom AMI with more memory.
B.Enable detailed CloudWatch logs for the build.
C.Increase the compute type to a larger instance size.
D.Split the build into multiple CodeBuild projects.
AnswerC

Larger compute types provide more memory for the build.

Why this answer

CodeBuild allows specifying compute type (e.g., BUILD_GENERAL1_MEDIUM) and memory. Increasing the compute type provides more memory. Option D is wrong because splitting into multiple projects adds complexity and may not resolve memory issues.

Option B is wrong because enabling detailed logs does not increase memory. Option A is wrong because CodeBuild does not support custom AMIs.

1034
MCQmedium

A developer is deploying a Lambda function that processes images uploaded to an S3 bucket. The function is triggered by S3 events. After deployment, the function does not execute when new images are uploaded. What is the MOST likely cause?

A.The S3 bucket does not have an event notification configured for the Lambda function.
B.The Lambda function memory is set too low.
C.The Lambda function does not have permission to read from the S3 bucket.
D.The Lambda function is not in the same region as the S3 bucket.
AnswerA

Notification is needed to trigger Lambda.

Why this answer

The most likely cause is that the S3 bucket does not have an event notification configured to invoke the Lambda function. S3 event notifications must be explicitly set on the bucket to trigger a Lambda function when objects are created; without this configuration, S3 will not send any invocation request to Lambda, regardless of the function's permissions or settings.

Exam trap

The trap here is that candidates often confuse the trigger configuration (S3 event notification) with the function's permissions (IAM execution role), assuming that if the function has read access to S3, it will automatically be triggered, when in fact the event notification is a separate, mandatory setup step.

How to eliminate wrong answers

Option B is wrong because low memory affects execution performance (e.g., duration, CPU allocation) but does not prevent the function from being triggered; the trigger mechanism is independent of memory settings. Option C is wrong because the Lambda function does not need permission to read from the S3 bucket to be triggered; the S3 event notification invokes the function via a resource-based policy, and the function only needs read permissions if it explicitly calls S3 GetObject in its code. Option D is wrong because S3 event notifications can invoke Lambda functions across regions; cross-region triggers are supported as long as the Lambda function's resource-based policy allows the S3 bucket's account to invoke it.

1035
MCQmedium

Refer to the exhibit. A developer applies this IAM policy to an IAM user. What is the effective result when the user attempts to download an object from the 'confidential' folder in the 'my-company-data' bucket?

A.The user cannot download objects from the confidential folder due to the explicit Deny.
B.The user can download objects from the confidential folder but cannot upload to it.
C.The user cannot download objects from any folder because the policy is invalid.
D.The user can download objects from the confidential folder because the Allow statement grants access.
AnswerA

Explicit Deny takes precedence over Allow.

Why this answer

The correct answer is A because IAM policies follow an explicit deny override, meaning that even if an Allow statement grants access, an explicit Deny statement for the same action will take precedence. In this policy, the Deny statement explicitly denies s3:GetObject for the 'confidential' folder (using a condition with StringLike on the ARN), so the user cannot download objects from that folder regardless of the Allow statement.

Exam trap

The trap here is that candidates often assume an Allow statement alone grants access, forgetting that an explicit Deny always takes precedence, even if the Allow appears broader or more permissive.

How to eliminate wrong answers

Option B is wrong because the explicit Deny prevents downloading, not just uploading, so the user cannot download objects from the confidential folder. Option C is wrong because the policy is valid; it contains both an Allow and a Deny statement, and IAM policies can have multiple statements as long as they are syntactically correct. Option D is wrong because while the Allow statement grants general access to the bucket, the explicit Deny for the 'confidential' folder overrides it, making the Allow ineffective for that specific path.

1036
MCQeasy

A developer is using AWS Certificate Manager (ACM) to provision an SSL/TLS certificate for a website hosted on CloudFront. The certificate must be renewed automatically. What is the correct action?

A.The developer must configure a Lambda function to renew the certificate.
B.The certificate cannot be used with CloudFront; ACM certificates are only for ALB.
C.ACM automatically renews the certificate if it uses DNS validation.
D.The developer must manually request a new certificate before expiration.
AnswerC

ACM attempts to renew certificates 60 days before expiration using DNS validation.

Why this answer

ACM automatically renews certificates that use DNS validation, provided the required DNS CNAME record remains in place. CloudFront supports ACM certificates in us-east-1, and ACM handles renewal without any manual intervention or additional infrastructure like Lambda functions.

Exam trap

The trap here is that candidates assume ACM requires manual renewal or additional automation (like Lambda), but ACM's automatic renewal for DNS-validated certificates is a key managed feature tested in the DVA-C02 exam.

How to eliminate wrong answers

Option A is wrong because ACM automatically manages renewal for DNS-validated certificates; a Lambda function is unnecessary and not part of the renewal process. Option B is wrong because ACM certificates are fully supported with CloudFront (when issued in us-east-1), not limited to ALB. Option D is wrong because ACM handles automatic renewal for eligible certificates; manual re-request is only needed if validation fails or the certificate is not eligible.

1037
MCQeasy

A developer needs to grant cross-account access to an Amazon S3 bucket. The developer's AWS account (Account A) owns the bucket, and a user in another account (Account B) needs to write objects to it. The developer has already added a bucket policy that grants the user in Account B permissions. What additional step is required?

A.No additional steps are needed; the bucket policy alone is sufficient.
B.The administrator of Account B must attach an IAM policy to the user that allows the required S3 actions.
C.Create a new IAM role in Account B and have the user assume the role.
D.Enable S3 ACLs on the bucket and grant write access to the Account B user.
AnswerB

The user in Account B needs an IAM policy that explicitly grants permissions to write to the bucket. Cross-account access requires both resource-based and identity-based policies.

Why this answer

Option B is correct because cross-account access to S3 requires both a resource-based policy (the bucket policy in Account A) and a user-based policy (an IAM identity-based policy in Account B). The bucket policy grants permissions to the Account B user, but that user cannot perform actions unless their own account explicitly allows those actions via an IAM policy. Without this, the request is denied by the user's own account's implicit deny, even if the bucket policy permits it.

Exam trap

The trap here is that candidates often assume a bucket policy alone is enough for cross-account access, forgetting that the requesting user's account must also explicitly authorize the action via an IAM policy.

How to eliminate wrong answers

Option A is wrong because a bucket policy alone is insufficient for cross-account access; the user in Account B must also have an IAM policy that allows the S3 actions, as the user's account must explicitly authorize the request. Option C is wrong because creating an IAM role in Account B and having the user assume it is an alternative approach, but it is not required; the question asks for the additional step given that a bucket policy is already in place, and the simplest correct step is to attach an IAM policy to the user, not to create a role. Option D is wrong because S3 ACLs are legacy and not recommended; more importantly, ACLs grant access to AWS accounts or canonical user IDs, not to specific IAM users, and enabling ACLs does not replace the need for an IAM policy in Account B.

1038
MCQhard

A company uses AWS KMS with customer managed keys to encrypt S3 objects. The security team requires automatic key rotation. What must the developer do to enable rotation?

A.Use AWS managed keys instead of customer managed keys
B.Rotation is enabled by default for all KMS keys
C.Enable automatic key rotation in the KMS key settings
D.Create a new key and update the alias to point to the new key annually
AnswerC

Automatic rotation can be enabled for customer managed keys.

Why this answer

For customer managed KMS keys, automatic rotation can be enabled in the key management console or via the AWS CLI. Option B is incorrect because rotation is not enabled by default for customer managed keys; it must be enabled. Option D is incorrect because rotation does not require creating a new key.

Option A is incorrect because AWS managed keys rotate automatically, but customer managed keys require enabling rotation.

1039
Multi-Selectmedium

A developer is implementing a solution to encrypt data in transit for a web application running on an Application Load Balancer (ALB). Which TWO actions should the developer take?

Select 2 answers
A.Use client-side encryption in the application code.
B.Configure the ALB listener to use HTTPS protocol.
C.Enable S3 server-side encryption for application logs.
D.Add a security group rule to allow only HTTPS traffic.
E.Install an SSL/TLS certificate on the ALB.
AnswersB, E

HTTPS listener ensures traffic is encrypted using the certificate.

Why this answer

To encrypt data in transit, you need an SSL/TLS certificate on the ALB (E) and you must configure the listener to use HTTPS (B). The other options are not required: (C) is about server-side encryption at rest, (A) is about client-side encryption, and (D) is a security group rule for inbound traffic, not encryption.

1040
Multi-Selectmedium

A company is designing a microservices architecture using AWS Lambda. Each microservice has its own DynamoDB table. The Lambda functions need to perform CRUD operations on their respective tables. Which TWO IAM best practices should be applied? (Choose TWO.)

Select 2 answers
A.Grant access to all DynamoDB tables using a wildcard in the resource ARN.
B.Use a single IAM role shared by all Lambda functions.
C.Attach the IAM policy to the AWS account instead of the role.
D.Scope the IAM policy resource to the specific DynamoDB table ARN.
E.Create a separate IAM role for each Lambda function.
AnswersD, E

Limits access to required resources.

Why this answer

Options D and E are correct. E: Using separate IAM roles for each function enforces least privilege. D: Scoping IAM policies to specific DynamoDB tables using the ARN ensures functions can only access their own table.

Option B is wrong because using a single IAM role violates least privilege. Option A is wrong because using a wildcard for all tables grants too much access. Option C is wrong because attaching policies at the account level is too broad.

1041
Multi-Selecthard

A developer is designing a system that uses AWS KMS to encrypt data. Which of the following are valid ways to grant a user permission to decrypt data using a KMS key? (Select TWO.)

Select 2 answers
A.Use a resource-based policy on the KMS key that grants access to the user.
B.Create a KMS grant that allows the user to decrypt the key.
C.Attach an IAM policy to the user that allows kms:Decrypt, and ensure the key policy allows the user's account.
D.Add a statement in the S3 bucket policy that allows kms:Decrypt for the user.
E.Add a statement in the key policy that allows the IAM role to perform kms:Decrypt.
AnswersC, E

IAM policies can grant KMS actions if the key policy allows.

Why this answer

Options C and E are correct. A key policy can grant decrypt permission to an IAM role (E), and an IAM policy with kms:Decrypt can grant access if the key policy allows (C). Option D is wrong because S3 bucket policies do not grant KMS decrypt.

Option A is wrong because KMS does not have resource-based policies besides key policies. Option B is wrong because KMS grants are for cross-account, not for IAM roles in the same account.

1042
Multi-Selecthard

A CloudFormation stack update fails and rolls back. Which two practices help diagnose and reduce future deployment risk?

Select 2 answers
A.Review stack events and resource status reasons
B.Delete the stack immediately without checking events
C.Create and inspect change sets before high-risk updates
D.Disable rollback for all production deployments permanently
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because reviewing stack events and resource status reasons in CloudFormation provides detailed error messages for each resource that failed during the update. This allows you to pinpoint the exact cause of the failure, such as insufficient IAM permissions, a resource limit exceeded, or a dependency conflict. Analyzing these events is essential for diagnosing issues and preventing similar failures in future deployments.

Exam trap

The trap here is that candidates may think disabling rollback is a valid troubleshooting step for production, but the exam emphasizes that rollback is a safety feature that should not be permanently disabled, as it prevents partial updates that could leave infrastructure in an inconsistent state.

1043
MCQeasy

A developer needs to allow a user to deploy AWS CloudFormation stacks but restrict the user from creating or modifying IAM resources. Which IAM policy should the developer attach to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"cloudformation:*","Resource":"*"},{"Effect":"Deny","Action":"iam:*","Resource":"*"}]}
B.{"Effect":"Allow","Action":"iam:*","Resource":"*"}
C.{"Effect":"Allow","Action":"cloudformation:*","Resource":"*"}
D.{"Effect":"Deny","Action":"cloudformation:*","Resource":"*"}
AnswerA

Allows CloudFormation but denies IAM.

Why this answer

Option A is correct because it allows CloudFormation actions but denies IAM actions. Option C is wrong because it allows all CloudFormation actions but places no restriction on IAM. Option D is wrong because it denies all CloudFormation actions.

Option B is wrong because it allows IAM actions.
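The decision rule behind questions 1031, 1035 and 1043 (an explicit Deny always wins, an Allow grants only when no Deny matches, and everything else is the implicit deny), as an added example that is not part of the question bank. It is a deliberately small evaluator: only identity-based policies with string or wildcard `Action`/`Resource` fields are modelled, `Condition`, `NotAction`, resource-based policies, SCPs and permission boundaries are not, and wildcard matching is approximated with `fnmatch`. The policy for question 1043 is the one printed in option A; the `s3:PutObject` policy pair for question 1031 and the `my-company-data` policy for question 1035 (whose exhibit is not on the page, so its ARN condition is expressed here as a wildcard `Resource`) are constructed for the example, as are the account id and bucket names.

```python
"""Added example (not the question bank's own code): a minimal evaluator for
the IAM rule "explicit Deny > Allow > implicit Deny" used by questions 1031,
1035 and 1043. Models identity-based policies only, without Condition,
NotAction, resource policies, SCPs or permission boundaries."""

from fnmatch import fnmatchcase
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]
Decision = str  # "ExplicitDeny", "Allow" or "ImplicitDeny"


def _as_list(value: Union[str, dict, list]) -> list:
    """IAM allows a single string/object or a list in most fields."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(stmt: Dict[str, Any], action: str) -> bool:
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))


def _resource_matches(stmt: Dict[str, Any], resource: str) -> bool:
    # Resource ARNs are case-sensitive; a missing Resource is treated as "*".
    return any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))


def evaluate(policies: List[Policy], action: str, resource: str) -> Decision:
    """Decide one request across every attached policy.

    Order of the policies is irrelevant: a matching Deny short-circuits to
    ExplicitDeny even if an Allow was already seen, which is the point of
    question 1031.
    """
    decision: Decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # nothing can override this
            decision = "Allow"
    return decision


# Question 1043, option A, copied from the page.
CFN_BUT_NOT_IAM: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

# Constructed pair for question 1031: an Allow and a separately attached Deny
# for the same action.
ALLOW_PUT: Policy = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-uploads/*"}}
DENY_PUT: Policy = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-uploads/*"}}

# Constructed approximation of the exhibit in question 1035: the page says the
# Deny uses a StringLike condition on the ARN; here the same prefix is a
# wildcard Resource.
CONFIDENTIAL_FOLDER: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-company-data/*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-company-data/confidential/*"}]}

if __name__ == "__main__":
    print(evaluate([CFN_BUT_NOT_IAM], "cloudformation:CreateStack", "*"))
    print(evaluate([CFN_BUT_NOT_IAM], "iam:CreateRole", "arn:aws:iam::123456789012:role/x"))
    print(evaluate([ALLOW_PUT, DENY_PUT], "s3:PutObject", "arn:aws:s3:::app-uploads/a.txt"))
    print(evaluate([CONFIDENTIAL_FOLDER], "s3:GetObject",
                   "arn:aws:s3:::my-company-data/confidential/plan.pdf"))
```

Running the block prints `Allow`, `ExplicitDeny`, `ExplicitDeny` and `ExplicitDeny`; swapping the order of `ALLOW_PUT` and `DENY_PUT` gives the same result, and an action neither policy mentions (for example `s3:GetObject` against `CFN_BUT_NOT_IAM`) falls through to `ImplicitDeny`.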

1044
MCQeasy

A developer is using AWS CodeDeploy to deploy an application to an EC2 instance. The deployment fails with the error 'The overall deployment failed because the deployment group did not have enough instances to successfully deploy.' What is the most likely cause?

A.The revision has an incorrect file format.
B.The deployment group contains zero instances.
C.The CodeDeploy agent on the instance is not running.
D.The appspec file contains an invalid lifecycle hook.
AnswerB

CodeDeploy requires at least one instance in the group.

Why this answer

Option B is correct because the deployment group must have at least one instance. Option C is wrong because CodeDeploy agent issues cause instance-level failures. Option D is wrong because lifecycle hook failures cause different errors.

Option A is wrong because revision errors cause different errors.

1045
MCQmedium

A company deploys a serverless application using AWS SAM. The application includes an API Gateway REST API and multiple Lambda functions. The developer wants to deploy a new version of the API with a canary release strategy, sending 10% of traffic to the new version initially. Which SAM template configuration should the developer use?

A.Set Type: Canary in the DeploymentPreference of the Lambda function and add CanarySetting: { Percent: 10 } under DeploymentPreference.
B.Set CanarySetting: { Percent: 10 } in the API Gateway resource's properties.
C.Set Type: Canary and TrafficShiftType: Canary in the DeploymentPreference of the Lambda function.
D.Set Type: Canary in the DeploymentPreference of the Lambda function and add a Percentage: 10 property.
AnswerA

This is the correct syntax for a canary deployment in SAM.

Why this answer

Option A is correct because AWS SAM's `DeploymentPreference` with `Type: Canary` on the Lambda function enables canary traffic shifting for the API Gateway integration. The `CanarySetting` property with `Percent: 10` specifies that 10% of traffic is initially routed to the new Lambda version, while the remaining 90% goes to the previous version. This configuration leverages SAM's built-in CodeDeploy integration to manage the canary release automatically.

Exam trap

The trap here is that candidates mistakenly apply canary settings directly to the API Gateway resource or use incorrect property names like `Percentage` or `TrafficShiftType`, instead of recognizing that SAM delegates canary traffic management to the Lambda function's `DeploymentPreference` with the correct `CanarySetting` structure.

How to eliminate wrong answers

Option B is wrong because `CanarySetting` is not a valid property of an API Gateway resource in SAM; canary deployments for API Gateway are configured via the Lambda function's `DeploymentPreference`, not directly on the API resource. Option C is wrong because `TrafficShiftType` is not a valid property in SAM's `DeploymentPreference`; the correct property to specify the shift type is `Type` (e.g., Canary, Linear, AllAtOnce), and there is no separate `TrafficShiftType` field. Option D is wrong because the correct property name for the traffic percentage is `CanarySetting` with a nested `Percent` key, not a top-level `Percentage` property.

1046
MCQmedium

A company uses AWS Lambda to process user-uploaded images stored in an S3 bucket. Recently, the Lambda function started timing out, and CloudWatch Logs show 'Error: Unable to locate credentials' in the function logs. What is the most likely cause?

A.The function's environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are missing.
B.The Lambda function is configured with a different runtime that does not support the AWS SDK.
C.The Lambda execution role does not have the necessary IAM policy to access the S3 bucket.
D.The function's code is explicitly setting AWS credentials using the AWS SDK.
AnswerC

Without the correct IAM policy, the function cannot assume the role to get credentials for S3 access.

Why this answer

Option C is correct because the Lambda function's execution role must have permissions to access S3. If the role lacks the necessary IAM policy, the SDK cannot retrieve credentials to make the S3 API call. Option A is wrong because Lambda functions use a temporary credentials provider via the execution role, not the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Option D is wrong because Lambda's execution environment sets its own credentials; setting them manually is not recommended. Option B is wrong because the error is about credentials, not the function's runtime.

1047
Multi-Selectmedium

A team wants to prevent secrets from being committed to source control and reduce blast radius if a secret is exposed. Which two practices help?

Select 2 answers
A.Store production secrets in README files
B.Use Secrets Manager or Parameter Store SecureString instead of source code
C.Give all developers AdministratorAccess
D.Rotate secrets and use least-privilege IAM policies
AnswersB, D

Correct for the stated requirement.

Why this answer

Option B is correct because AWS Secrets Manager and Systems Manager Parameter Store SecureString are purpose-built services for securely storing and managing secrets like database credentials and API keys. By using these services, secrets are never hardcoded in source code, eliminating the risk of accidental exposure through version control. This practice directly addresses the requirement to prevent secrets from being committed to source control.

Exam trap

The trap here is that candidates may think storing secrets in README files is acceptable for documentation purposes, or that broad IAM permissions like AdministratorAccess simplify management, but the DVA-C02 exam specifically tests the understanding that secrets must never be in source code and that least-privilege IAM policies reduce blast radius.

1048
MCQeasy

An application running on Amazon ECS with Fargate is unable to connect to the internet. The task definition does not have any network configuration specified. What is the MOST likely cause?

A.The security group associated with the task does not allow outbound traffic.
B.The task is not assigned a public IP address and is in a private subnet.
C.The ECS service discovery is not configured.
D.The VPC does not have an internet gateway attached.
AnswerB

Without a public IP and internet gateway, the task needs a NAT gateway for internet access.

Why this answer

Option B is correct because Fargate tasks running in awsvpc network mode need a route to the internet via a NAT gateway if they are in private subnets. Option D is wrong because tasks can access the internet without an internet gateway if they have a public IP and are in a public subnet. Option A is wrong because security groups control inbound/outbound traffic, but they do not provide internet connectivity.

Option C is wrong because ECS service discovery is for service-to-service communication within the VPC.

1049
MCQeasy

A developer needs to allow an EC2 instance to access an S3 bucket securely without storing long-term credentials on the instance. Which AWS service should be used to provide temporary credentials?

A.Create an IAM user with S3 access and store the access key on the EC2 instance.
B.Configure a security group allowing outbound traffic to S3.
C.Attach an IAM role to the EC2 instance profile with S3 permissions.
D.Use an EC2 key pair to encrypt access to S3.
AnswerC

IAM roles provide temporary credentials via STS.

Why this answer

Option C is correct because IAM roles for EC2 allow the instance to assume a role and obtain temporary credentials from STS. Option A is wrong because IAM users have long-term credentials. Option D is wrong because EC2 key pairs are for SSH access, not API credentials.

Option B is wrong because security groups are network firewalls.

1050
MCQeasy

A developer is using the AWS SDK for Python (Boto3) to upload objects to an S3 bucket. The developer wants to encrypt the objects at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Which parameter should the developer include in the put_object call?

A.SSEAlgorithm: 'AES256'
B.SSEKMSKeyId: 'alias/aws/s3'
C.ServerSideEncryption: 'aws:kms'
D.ServerSideEncryption: 'AES256'
AnswerC

This specifies SSE-KMS encryption.

Why this answer

Option C is correct because the ServerSideEncryption parameter set to 'aws:kms' tells S3 to use SSE-KMS. Option A is wrong because SSEAlgorithm is not a valid parameter. Option D is wrong because 'AES256' selects SSE-S3, not SSE-KMS.

Option B is wrong because the key ID is not required if using the default KMS key.
