AWS Certified Developer - Associate DVA-C02 - Practice Exam - 01

1 / 50
A developer is building a distributed application that writes logs to CloudWatch Logs. The operations team needs to analyze and alert on specific log patterns in near real time. Which solution should the developer implement?
- Use CloudWatch Logs Insights with scheduled queries
- Use a Lambda function triggered by log subscriptions with pattern filters
- Export logs to S3 and process with Glue and Athena
- Stream logs to Elasticsearch (OpenSearch) for indexing

2 / 50
A developer is creating a new API using Amazon API Gateway. The API must support CORS for a JavaScript client running in a browser and must handle authentication using Cognito. What must the developer do to satisfy both requirements?
- Add CORS headers to the Lambda function and enable Cognito authorizer
- Enable CORS in API Gateway settings and set up a Lambda authorizer
- Create a CloudFront distribution to handle CORS separately
- Configure CORS on each resource/method in API Gateway and enable Cognito user pool authorizer

3 / 50
A developer is building an application that uploads large files (up to 5 GB) to S3 from a web client. The developer needs to optimize the experience to reduce upload failures and ensure resumability. Which solution should the developer implement?
- Use pre-signed URLs for PUT operations
- Use S3 Transfer Acceleration with single-part uploads
- Use multipart upload via the S3 SDK and pre-signed part URLs
- Upload files through a Lambda proxy that stores them to S3

4 / 50
A Lambda function processes messages from an SQS queue. Occasionally, messages reappear in the queue after successful execution. Upon investigation, the developer sees that Lambda execution logs are incomplete. What is the MOST likely reason?
- The function is hitting the concurrency limit
- The function does not delete the message explicitly
- The function is timing out before completing
- The visibility timeout is set too high

5 / 50
A developer is using CloudFormation to deploy a Lambda function and an API Gateway endpoint. After the deployment, calling the API returns a 403 error. What is the MOST likely cause?
- The Lambda execution role lacks permission to execute the function
- The API Gateway resource policy denies public access
- The Lambda function is not associated with a VPC
- The API Gateway stage is not deployed

6 / 50
A company is transitioning from a monolithic application to microservices using AWS Lambda and API Gateway. One microservice must call another synchronously and log the entire request-response lifecycle for debugging. What is the BEST way to implement this?
- Use direct Lambda invocation with X-Ray tracing enabled
- Use API Gateway to expose both microservices and call via HTTPS with custom headers
- Send messages via SQS and use DLQ for logging
- Use CloudWatch Logs to manually correlate logs via timestamps

7 / 50
A developer needs to enforce client-side encryption for an S3 bucket used to store customer documents. The application uses a web client to upload files directly to S3 using pre-signed URLs. How can the developer enforce client-side encryption?
- Add metadata headers to the pre-signed URL request specifying encryption
- Use a Lambda@Edge function to enforce encryption at the CloudFront layer
- Require an encryption context in the bucket policy
- Use a signed URL that enforces x-amz-server-side-encryption headers

8 / 50
A developer needs to test a new Lambda function that interacts with DynamoDB and is triggered by an SQS queue. The developer wants to simulate the full workflow locally before deploying. What is the MOST effective way to achieve this?
- Use AWS Cloud9 with localstack to simulate the environment
- Deploy the resources in a sandbox AWS account and use unit tests
- Use SAM CLI with sam local start-lambda and Docker
- Use CodeBuild to run integration tests

9 / 50
A developer is using Step Functions to orchestrate a workflow that includes multiple Lambda functions. Occasionally, one function fails due to input validation issues. The developer wants to skip invalid inputs and continue with the next step. What is the BEST way to handle this scenario?
- Use a Catch block in the state definition and direct to a Pass state
- Enable retries in the Lambda function
- Use a parallel state and ignore failures
- Wrap the function in a try/catch block and return a custom success message

10 / 50
A developer deploys a containerized application to Amazon ECS (Fargate) that needs access to secrets stored in AWS Secrets Manager. The application fails to retrieve the secrets. What is the MOST likely cause?
- The container’s security group is blocking HTTPS access
- The task execution role is missing secretsmanager:GetSecretValue permission
- The container image doesn’t include the AWS SDK
- The secret’s version is marked as pending and not current

11 / 50
A developer wants to create a Lambda function to process messages from an Amazon SQS FIFO queue. The function needs to preserve the order of message processing per message group. Which approach satisfies the requirement?
- Use Kinesis Data Streams and replace the FIFO queue
- Use Step Functions with Lambda tasks to preserve ordering
- Use Lambda with event source mapping and set maximumConcurrency=1
- Use standard SQS with deduplication and visibility timeout

12 / 50
A developer is building a multi-tenant SaaS application using Cognito user pools and wants to enforce row-level security in DynamoDB so users can only access their own data. What is the MOST efficient way to enforce this access control?
- Manually check the user ID in the application code before every DynamoDB call
- Use IAM policy variables with cognito-identity.amazonaws.com:sub in the policy condition
- Store user access keys in a separate ACL table
- Use a Lambda authorizer to authorize every access to DynamoDB

13 / 50
A developer is designing an order processing system using Amazon DynamoDB. The system must support conditional updates for inventory to prevent race conditions where multiple users may attempt to purchase the same item simultaneously. What should the developer implement?
- Use optimistic locking with a condition expression based on a version number
- Enable transactional writes for the inventory table
- Use strong consistency and retry logic
- Implement pessimistic locking using a lock table

14 / 50
An organization uses AWS Lambda functions in a multi-account setup. The Lambda functions in each account need access to a shared S3 bucket in a central logging account. The solution must be secure and auditable. Which approach should the developer use?
- Add cross-account IAM roles to each Lambda function
- Use S3 bucket policies to allow access from specified Lambda execution roles
- Use Lambda layers to share access logic between accounts
- Copy logs using AWS DataSync between buckets

15 / 50
A developer is writing a Lambda function that will interact with an external payment gateway API that requires an API key. The Lambda function should not store the API key in code or environment variables. What is the MOST secure and maintainable way to handle this requirement?
- Store the API key in AWS Secrets Manager and access it using Lambda’s execution role
- Add the API key to an encrypted JSON file in the Lambda package
- Save the API key in a public Parameter Store SecureString
- Use an S3 bucket with an ACL set to private and read the key during runtime

16 / 50
A developer is designing an image-processing application. Users upload images to an S3 bucket.
A Lambda function, triggered by S3 events, extracts metadata and stores it in DynamoDB. Occasionally, some entries are missing in the database even though the image is present in the bucket. What is the MOST reliable way to ensure that all images trigger metadata processing exactly once?
- Use S3 event notifications with a retry-enabled Lambda trigger
- Move to EventBridge and add a DLQ to capture failed events
- Add S3 replication with events enabled in both buckets
- Use Amazon SQS as an intermediary event source for Lambda with deduplication logic

17 / 50
A developer is building an event-driven reporting system. Reports are uploaded to S3 by sales teams globally. Each report must be processed into a summary format within 3 seconds of upload and stored in DynamoDB. The system must scale with usage and maintain availability. What should the developer implement?
- Schedule a Lambda function every minute to scan S3 for new files
- Use Kinesis Data Firehose to capture upload metadata and process reports
- Use S3 event notifications to invoke a Lambda function for processing
- Upload reports to S3 Glacier Instant Retrieval and trigger a batch job

18 / 50
A developer is working on a CI/CD pipeline. The team wants to ensure that secrets used during testing and deployment are not exposed in logs or stored in plain text in the buildspec. What is the MOST secure way to provide secrets to the pipeline?
- Store secrets as environment variables in the CodeBuild project
- Use Parameter Store with SecureString and reference them in the buildspec
- Encrypt the secrets in a config file and check it into the source repo
- Store secrets in AWS Secrets Manager and retrieve them dynamically using CodeBuild’s service role

19 / 50
A developer is writing an AWS Lambda function that needs to process events from two separate DynamoDB streams. The function must handle high-throughput updates and preserve event ordering per stream. What is the best design?
- Use a single Lambda function with event source mappings for both streams
- Create separate Lambda functions for each stream and manage ordering via Kinesis
- Use one Lambda function with a Step Function to orchestrate stream processing
- Use EventBridge to collect stream events and invoke Lambda asynchronously

20 / 50
A developer must refactor an existing application that processes financial transactions. The application is containerized and deployed on Amazon ECS (Fargate). All database credentials are currently stored as environment variables in the task definition. The security team has mandated a move to encrypted secrets storage. What is the MOST secure and scalable approach to store and access these secrets?
- Use AWS Secrets Manager with dynamic rotation and reference the secret in the task definition
- Store secrets in an encrypted EFS volume mounted into the container
- Move secrets into a config file stored in a private S3 bucket with SSE-S3 enabled
- Store credentials in Parameter Store with default encryption and access them using EC2 instance roles

21 / 50
A developer is designing an architecture that must ingest user comments through an API, transform them with custom sentiment logic, and store the results in DynamoDB. The processing must scale automatically and maintain input-output ordering per user session. Which architecture best meets these needs?
- API Gateway → Lambda → Step Functions → DynamoDB
- API Gateway → Kinesis Data Streams → Lambda → DynamoDB
- API Gateway → SQS FIFO → Lambda → DynamoDB
- ALB → ECS (Fargate) → DynamoDB with IAM user roles

22 / 50
An analytics application aggregates user clickstream data. The backend uses a Lambda function triggered by Kinesis Data Streams. Occasionally, some records are missing from the processed output. The developer verifies that the records exist in Kinesis and the function is not throwing errors. What is the MOST likely cause?
- The Lambda function's timeout is too short to process all records
- The event source mapping batch window is not optimized
- The function’s iterator age is exceeding the retention window
- Records are being dropped due to partial batch failures and no retry logic implemented

23 / 50
A media company uses Amazon ECS (Fargate) for microservices. A developer needs to update application configuration across all environments — dev, staging, and prod — without modifying container images. Each environment requires different values for the same configuration keys. What is the most scalable way to achieve this?
- Store configurations as environment variables in ECS task definitions
- Use a shared S3 configuration file and load it at runtime
- Store config in Parameter Store using a path structure per environment and retrieve them dynamically in the container
- Hardcode environment-specific configurations in each container image

24 / 50
A company’s developer team is managing CI/CD pipelines using AWS CodePipeline and AWS CodeBuild. They want to build in automated rollback when a deployment fails, while also storing logs and build artifacts for compliance for at least 12 months. Which solution meets these requirements?
- Store build artifacts in S3 with versioning enabled; use CloudWatch Alarms and a Lambda rollback trigger
- Use CodePipeline rollback action hooks; configure S3 buckets for build artifacts with Object Lock in Governance Mode and 365-day retention
- Archive artifacts in S3 Glacier Deep Archive and use a Step Function to detect failed builds and rollback
- Write a post-deployment Lambda to validate success and revert code in CodeCommit if failure occurs

25 / 50
A developer wants to improve the security of an existing web application deployed on AWS that uses Lambda and API Gateway. Currently, the application uses an API key for authentication. Security auditors have requested token-based authentication, temporary credentials, and user-based access control.
What is the MOST effective way to meet these requirements?
- Replace API Gateway with a self-hosted nginx proxy that uses JWT tokens
- Integrate API Gateway with Cognito user pools and enable token-based access control
- Use SAML federation and a custom token verification Lambda authorizer
- Replace the API key with an OAuth 2.0 token manually verified in Lambda code

26 / 50
A developer is designing a new application that requires event-driven processing of real-time data from hundreds of sensors. Each sensor sends JSON-formatted data every second. The application must process each event, enrich it with metadata from DynamoDB, and store it for further analysis. The developer wants to avoid polling or running infrastructure continuously. Which solution should the developer implement?
- Use AWS IoT Core to ingest sensor data and route events to Lambda using rules; perform enrichment and store in Amazon S3
- Use Amazon Kinesis Data Streams to ingest data and Lambda with event source mapping for processing
- Use Step Functions with DynamoDB streams and a Lambda workflow for real-time enrichment
- Configure sensors to upload files to S3 and use Glue ETL to batch process periodically

27 / 50
A team is building a mobile application that uses Cognito identity pools for authentication and stores user data in S3. They want to allow users to share specific files with other authenticated users temporarily, without exposing their entire folder or requiring server-side authorization logic. How should the team implement this functionality securely?
- Use S3 pre-signed URLs with short expiration times and store them in a shared DynamoDB table
- Use Lambda authorizers to generate shared access URLs after validating requesters' roles
- Assign each user a unique IAM role that grants write access to a shared S3 bucket
- Use S3 event notifications to trigger a Lambda function that sends files to shared users

28 / 50
A developer is implementing an audit logging feature for a serverless app built using Amazon API Gateway and Lambda. All sensitive API calls must generate tamper-proof logs and store them in a system where logs cannot be modified or deleted after being written. The solution should have minimal operational overhead and must scale with traffic. Which approach should the developer choose?
- Use Lambda to log API requests to an S3 bucket with versioning enabled
- Use API Gateway access logging with CloudWatch Logs and apply retention policies
- Send logs to Amazon QLDB using a Lambda function with cryptographic hashing enabled
- Use a Firehose delivery stream from Lambda to store logs in an S3 bucket with Object Lock and compliance retention mode

29 / 50
A company is building a serverless customer support application. The application allows agents to view chat messages submitted by users and stored in Amazon DynamoDB. The application must meet the following security and architectural requirements:
- Only authenticated agents can access messages
- Agents should only be able to view messages assigned to them
- The solution must scale to thousands of concurrent agents
- Sensitive chat content must be encrypted and not visible to unauthorized agents
- Minimal custom authorization logic should be implemented
What is the MOST efficient way to design this access control?
- Use Cognito user pools and identity pools with fine-grained IAM roles mapped to users; use DynamoDB row-level permissions based on identity
- Store agent IDs and assigned message IDs in a separate mapping table and perform authorization in the application code
- Encrypt each message with a unique KMS key, grant access through KMS grants, and verify authorization through the key policy
- Store chat messages in Amazon S3 and use pre-signed URLs with access conditions for each message

30 / 50
A developer is building a data processing workflow where user-submitted CSV files are uploaded to an S3 bucket. Each file is processed line by line using a Lambda function triggered by S3 event notifications. As the number of files grows, the developer notices some functions are timing out and partial data is being processed. The developer wants to redesign the solution to scale reliably, process large files efficiently, and minimize reprocessing in case of partial failures. The solution should be cost-effective and easy to maintain. Which approach should the developer take?
- Enable S3 batch operations and process each file using AWS Glue ETL
- Trigger a Lambda function from S3, which splits the file into chunks, stores each chunk in S3, and pushes chunk metadata into SQS. Another Lambda function polls SQS and processes each chunk
- Use an S3 event to trigger a Lambda function that invokes Step Functions to orchestrate processing in parallel for each line
- Upload files to S3 Glacier Instant Retrieval and use S3 Select from Lambda to process content on demand

31 / 50
A developer is building a CI/CD workflow using AWS CodePipeline and wants to ensure each build artifact is automatically tested before deployment. What should the developer do?
- Use a post-deployment Lambda trigger
- Add a CodeBuild test phase after the build stage
- Create a CloudFormation test stack
- Manually approve changes after each commit

32 / 50
A developer uses AWS SAM to deploy a Lambda function and an API Gateway.
After changes, CloudFormation shows a rollback. What is the MOST likely cause?
- IAM role for SAM lacks necessary permissions
- SAM template syntax error
- Deletion policy set to Retain
- An API Gateway stage name conflict

33 / 50
A developer is creating an S3-backed static website. They want to redirect users to /index.html when they access the root URL. What should the developer configure?
- Add index.html as the default root object in the bucket's static website hosting settings
- Add a CloudFront function to rewrite root URL
- Configure Route 53 alias record to point to /index.html
- Use S3 pre-signed URLs to redirect traffic

34 / 50
A Lambda function is processing images and uploading thumbnails to an S3 bucket. The bucket has versioning and event notifications enabled. The thumbnails are being reprocessed recursively. How can this behavior be prevented?
- Add a metadata tag and check it before processing
- Use a different bucket for thumbnails
- Use S3 object locking
- Disable versioning and event notifications

35 / 50
A developer is building a real-time leaderboard API using DynamoDB. The leaderboard must be sorted by score and updated frequently. Which design provides the most efficient performance?
- Use a partition key for user ID and scan to sort scores
- Use a composite primary key with score as sort key and GSI for updates
- Store scores in a single partition and retrieve with pagination
- Use a GSI with score as partition key and user ID as sort key

36 / 50
A Lambda function processing user requests is integrated with an S3 bucket and fails with a 403 error. The function's IAM role has s3:GetObject permissions. What is the MOST likely cause?
- S3 bucket policy explicitly denies access from Lambda
- Object ACLs do not allow public access
- Lambda is not in the same Region as the S3 bucket
- The IAM role does not include s3:ListBucket permission

37 / 50
A serverless app uses Amazon SQS and AWS Lambda.
The team notices that during peak hours, the Lambda function doesn't scale up to process all messages on time. What should the developer do?
- Configure a Lambda reserved concurrency
- Increase the batch size in the SQS event source mapping
- Move to FIFO queue for better performance
- Use a Kinesis stream instead of SQS

38 / 50
A developer receives the following error from DynamoDB: ProvisionedThroughputExceededException. This occurs during application peak hours. What should the developer do FIRST to resolve this?
- Add a global secondary index
- Retry failed requests using exponential backoff
- Enable Auto Scaling on the table
- Switch to DynamoDB On-Demand mode

39 / 50
A company is developing a web app using API Gateway and Lambda. They want to enforce rate limits and restrict access to certain endpoints based on user plans (free vs premium). Which API Gateway feature should the developer use?
- API Keys and Usage Plans
- Custom Authorizer with IAM roles
- Resource policies with throttle limits
- AWS WAF with token-based filters

40 / 50
A developer uses AWS CodePipeline to deploy an application. The build fails with permissions errors when accessing Amazon S3 during the build phase. What is the MOST secure and scalable solution?
- Add S3 credentials to a .env file in the source repo
- Attach an inline policy to the CodePipeline execution role with access to S3
- Use a service role for CodeBuild with appropriate S3 permissions
- Store credentials in Parameter Store and retrieve them in the buildspec

41 / 50
A web application deployed on AWS uses Amazon Cognito for user management. The client app stores the JWT token after login. However, the client receives a 403 error after an hour of inactivity. What is the BEST solution to prevent the client from being logged out?
- Extend the expiration time of the access token in Cognito
- Store the access token in a secure cookie with a long TTL
- Use the refresh token to obtain a new access token automatically
- Store the access token in DynamoDB and refresh it on every request

42 / 50
A developer wants to use AWS X-Ray to trace requests from an API Gateway to a Lambda function and into DynamoDB. Which steps should the developer take?
- Enable X-Ray in API Gateway and instrument the Lambda code with the X-Ray SDK
- Enable logging in API Gateway and write logs manually to X-Ray from Lambda
- Use CloudTrail to capture the API and connect it with X-Ray for Lambda
- Enable logging in DynamoDB and Lambda with the same trace ID

43 / 50
A team has a containerized application deployed to Amazon ECS using the Fargate launch type. They need to update environment variables during deployment without changing the container image. What is the MOST efficient approach?
- Redeploy a new task definition with updated environment variables
- Store environment variables in S3 and mount them in the container
- Use AWS Secrets Manager with dynamic variable injection
- Use Parameter Store and reference parameters directly from ECS

44 / 50
A developer stores configuration settings in AWS Systems Manager Parameter Store. During deployment, application logs show errors retrieving the parameters. What is the MOST likely cause?
- Parameters are stored in a wrong path and cannot be queried
- The values are encrypted with a key not accessible by Lambda
- The parameters exceeded the character limit for a single string
- IAM role does not have ssm:GetParameter permission

45 / 50
A developer is building a serverless application that ingests IoT sensor data using AWS IoT Core and stores it in Amazon DynamoDB. The schema may evolve over time with new fields. Which DynamoDB design best supports this requirement?
- Use a strict schema with GSIs for every new field
- Store JSON blobs in a single column and index the entire object
- Use a flexible schema with a partition key and unstructured attributes
- Use Time-to-Live (TTL) and scan entire tables for updates

46 / 50
A developer is working on a Lambda function that runs for long durations during file conversions. The function occasionally fails with a timeout error. What is the MOST scalable and reliable solution?
- Increase the function timeout to the maximum and retry failed executions
- Break the task into smaller pieces using Step Functions with Lambda tasks
- Use SQS and poll for new files in a loop inside Lambda
- Switch to an EC2 instance and use CloudWatch Events to trigger retries

47 / 50
A company uses an Amazon Cognito user pool for authentication. The front-end app uses OAuth 2.0 to authenticate users. The app must get a new access token without forcing the user to log in again when the token expires. What should the developer implement?
- Store access tokens in S3 and retrieve them on session expiration
- Use the refresh token grant flow to obtain a new access token
- Use AWS STS to issue a temporary session token
- Use the password grant type to reauthenticate

48 / 50
A company has an application that uses AWS Lambda and Amazon DynamoDB. The Lambda function processes user data from an API Gateway event and stores it in DynamoDB. During traffic spikes, some writes are throttled. What should a developer do to resolve the throttling?
- Enable DynamoDB On-Demand mode
- Configure a Lambda reserved concurrency limit
- Enable DynamoDB Auto Scaling for write capacity
- Use a Step Function to buffer incoming requests

49 / 50
A developer is writing an application that uses Amazon SQS to decouple components. Occasionally, the messages are being processed multiple times, leading to inconsistent application behavior. What should the developer do to avoid this issue?
- Use FIFO queues and enable deduplication
- Use long polling and set a visibility timeout greater than processing time
- Increase the batch size of message retrieval to reduce duplication
- Manually delete messages from the queue only after they are sent to Dead Letter Queue

50 / 50
A developer is building an application that uploads user profile images to an S3 bucket. The application uses pre-signed URLs for upload. However, some users are bypassing the application and uploading non-image files directly using the URL. What is the MOST secure way to ensure only valid image files are uploaded?
- Validate file MIME type and extension in the client before generating the pre-signed URL
- Configure an S3 event to trigger a Lambda function that deletes non-image files after upload
- Use Amazon S3 Object Lambda to inspect file content before upload
- Use pre-signed URLs with content-type and content-length conditions, and enforce a Lambda post-upload validation