Amazon DVA-C02 Online Practice Questions and Exam Preparation

Amazon DVA-C02 Online Questions & Answers

• Question 241:

  An AWS Lambda function is invoked asynchronously to process events. Occasionally, the Lambda function falls to process events. A developer needs to collect and analyze these failed events to fix the issue. What should the developer do to meet these requirements with the LEAST development effort?

  A. Add logging statements for all events in the Lambda function. Filter AWS CloudTrail logs for errors.
  B. Configure the Lambda function to start an AWS Step Functions workflow with retries for failed events.
  C. Add a dead-letter queue to send messages to an Amazon Simple Queue Service (Amazon SQS) standard queue.
  D. Add a dead-letter queue to send messages to an Amazon Simple Notification Service (Amazon SNS) FIFO topic.
  C. Add a dead-letter queue to send messages to an Amazon Simple Queue Service (Amazon SQS) standard queue.

  ---

  Explanation

• Question 242:

  A developer is using an AWS CloudFormation template to create a pipeline in AWS CodePipeline. The template creates an Amazon S3 bucket that the pipeline references in a source stage. The template also creates an AWS CodeBuild project for a build stage. The pipeline sends notifications to an Amazon SNS topic. Logs for the CodeBuild project are stored in Amazon CloudWatch Logs.

  The company needs to ensure that the pipeline's artifacts are encrypted with an existing customer-managed AWS KMS key. The developer has granted the pipeline permissions to use the KMS key.

  Which additional step will meet these requirements?

  A. Create an Amazon S3 gateway endpoint that the pipeline can access.
  B. In the CloudFormation template, use the KMS key to encrypt the logs in CloudWatch Logs.
  C. Apply an S3 bucket policy that ensures the pipeline sends only encrypted objects to the S3 bucket.
  D. Configure the notification topic to use the existing KMS key to enable encryption with the existing KMS key.
  C. Apply an S3 bucket policy that ensures the pipeline sends only encrypted objects to the S3 bucket.

  ---

  Explanation

  Why Option C is Correct:Ensuring that pipeline artifacts are encrypted with a customer-managed AWS KMS key involves configuring the S3 bucket policy to require encryption. This policy ensures all objects uploaded to the bucket are

  encrypted with the specified KMS key.

  Why Other Options are Incorrect:

  Option A: A gateway endpoint improves S3 access efficiency but does not enforce encryption.

  Option B: Encrypting CloudWatch Logs is unrelated to securing pipeline artifacts.

  Option D: Configuring SNS for encryption does not affect the artifacts stored in the S3 bucket.

  AWS Documentation

  References:

  Using Server-Side Encryption with S3 Bucket Policies

• Question 243:

  A company is using AWS Elastic Beanstalk to manage web applications that are running on Amazon EC2 instances. A developer needs to make configuration changes. The developer must deploy the changes to new instances only.

  Which types of deployment can the developer use to meet this requirement? (Choose two.)

  A. All at once
  B. Immutable
  C. Rolling
  D. Blue/green
  E. Rolling with additional batch
  B. Immutable
  D. Blue/green

  ---

  Explanation

• Question 244:

  A company has built an AWS Lambda function to convert large image files into output files that can be used in a third-party viewer application The company recently added a new module to the function to improve the output of the generated files However, the new module has increased the bundle size and has increased the time that is needed to deploy changes to the function code.

  How can a developer increase the speed of the Lambda function deployment?

  A. Use AWS CodeDeploy to deploy the function code
  B. Use Lambda layers to package and load dependencies.
  C. Increase the memory size of the function.
  D. Use Amazon S3 to host the function dependencies
  B. Use Lambda layers to package and load dependencies.

  ---

  Explanation

  Using Lambda layers is a way to reduce the size of the deployment package and speed up the deployment process. Lambda layers are reusable components that can contain libraries, custom runtimes, or other dependencies. By using layers, the developer can separate the core function logic from the dependencies, and avoid uploading them every time the function code changes. Layers can also be shared across multiple functions or accounts, which can improve consistency and maintainability. References Working with AWS Lambda layers AWS Lambda Layers Best Practices Best practices for working with AWS Lambda functions

• Question 245:

  A company processes incoming documents from an Amazon S3 bucket. Users upload documents to an S3 bucket using a web user interface. Upon receiving files in S3, an AWS Lambda function is invoked to process the files, but the Lambda function times out intermittently.

  If the Lambda function is configured with the default settings, what will happen to the S3 event when there is a timeout exception?

  A. Notification of a failed S3 event is sent as an email through Amazon SNS.
  B. The S3 event is sent to the default Dead Letter Queue.
  C. The S3 event is processed until it is successful.
  D. The S3 event is discarded after the event is retried twice.
  D. The S3 event is discarded after the event is retried twice.

  ---

  Explanation

• Question 246:

  A developer wants to debug an application by searching and filtering log data. The application logs are stored in Amazon CloudWatch Logs. The developer creates a new metric filter to count exceptions in the application logs. However, no results are returned from the logs.

  What is the reason that no filtered results are being returned?

  A. A setup of the Amazon CloudWatch interface VPC endpoint is required for filtering the CloudWatch Logs in the VPC.
  B. CloudWatch Logs only publishes metric data for events that happen after the filter is created.
  C. The log group for CloudWatch Logs should be first streamed to Amazon OpenSearch Service before metric filtering returns the results.
  D. Metric data points for logs groups can be filtered only after they are exported to an Amazon S3 bucket.
  B. CloudWatch Logs only publishes metric data for events that happen after the filter is created.

  ---

  Explanation

• Question 247:

  A company has an application that uses an Amazon API Gateway API to invoke an AWS Lambda function. The application is latency sensitive.

  A developer needs to configure the Lambda function to reduce the cold start time that is associated with default scaling.

  What should the developer do to meet these requirements?

  A. Publish a new version of the Lambda function. Configure provisioned concurrency. Set the provisioned concurrency limit to meet the company requirements.
  B. Increase the Lambda function's memory to the maximum amount. Increase the Lambda function's reserved concurrency limit.
  C. Increase the reserved concurrency of the Lambda function to a number that matches the current production load.
  D. Use Service Quotas to request an increase in the Lambda function's concurrency limit for the AWS account where the function is deployed.
  A. Publish a new version of the Lambda function. Configure provisioned concurrency. Set the provisioned concurrency limit to meet the company requirements.

  ---

  Explanation

• Question 248:

  A company hosts its application on AWS. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The cluster runs behind an Application Load Balancer. The application stores data in an Amazon Aurora database. A developer encrypts and manages database credentials inside the application.

  The company wants to use a more secure credential storage method and implement periodic credential rotation.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Migrate the secret credentials to Amazon RDS parameter groups. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant AWS KMS permissions to access Amazon RDS.
  B. Migrate the credentials to AWS Systems Manager Parameter Store. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager.
  C. Migrate the credentials to ECS Fargate environment variables. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager.
  D. Migrate the credentials to AWS Secrets Manager. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager by using keys.
  D. Migrate the credentials to AWS Secrets Manager. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access to AWS Secrets Manager by using keys.

  ---

  Explanation

  AWS Secrets Manager is a service that helps you store, distribute, and rotate secrets securely. You can use Secrets Manager to migrate your credentials from your application code to a secure and encrypted storage. You can also enable automatic rotation of your secrets by using AWS Lambda functions or custom logic. You can use IAM policies and roles to grant your Amazon ECS Fargate tasks permissions to access your secrets from Secrets Manager. This solution minimizes the operational overhead of managing your credentials and enhances the security of your application. References AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely | AWS News Blog Why You Should Audit and Rotate Your AWS Credentials Periodically - Cloud Academy Top 5 AWS root account best practices - TheServerSide

• Question 249:

  A developer needs to build an AWS CloudFormation template that self-populates the AWS Region variable that deploys the CloudFormation template. What is the MOST operationally efficient way to determine the Region in which the template is being deployed?

  A. Use the AWS::Region pseudo parameter.
  B. Require the Region as a CloudFormation parameter.
  C. Find the Region from the AWS::StackId pseudo parameter by using the Fn::Split intrinsic function.
  D. Dynamically import the Region by referencing the relevant parameter in AWS Systems Manager Parameter Store.
  A. Use the AWS::Region pseudo parameter.

  ---

  Explanation

• Question 250:

  A company has an Amazon S3 bucket that contains sensitive data. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket.

  How can the developer enforce that all requests to retrieve the data provide encryption in transit?

  A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition "aws:SecureTransport": "false".
  B. Define a resource-based policy on the S3 bucket to allow access when a request meets the condition "aws:SecureTransport": "false".
  C. Define a role-based policy on the other accounts' roles to deny access when a request meets the condition of "aws:SecureTransport": "false".
  D. Define a resource-based policy on the KMS key to deny access when a request meets the condition of "aws:SecureTransport": "false".
  A. Define a resource-based policy on the S3 bucket to deny access when a request meets the condition "aws:SecureTransport": "false".

  ---

  Explanation