DVA-C02 AWS Certified Developer - Associate Questions and Answers

Problem: CloudFormation updates reset Parameter Store parameters, disrupting application behavior.

Deletion Policy: CloudFormation has a deletion policy that controls resource behavior when a stack is deleted or updated. The 'Retain' policy instructs CloudFormation to preserve a resource's current state.

Least Development Effort: This solution involves a simple CloudFormation template modification, requiring minimal code changes.

In CodePipeline, the service designed to run builds, execute unit/integration tests, and produce build artifacts (including test reports) is AWS CodeBuild. CodeBuild runs commands specified in a buildspec.yml file and supports reporting outputs such as test results (for example, JUnit XML), code coverage, and other build metadata.

Option A is correct because the developer can configure the CodeBuild project to run the test suite during the build phase and configure the buildspec to publish test report files. This integrates naturally into CodePipeline as a build stage, and the reports are generated consistently on each pipeline execution.

Option B is incorrect: CodeDeploy is for deploying applications (in-place/blue-green) and lifecycle hooks, not for standard build/test report generation.

Option C increases operational overhead by managing an EC2 build server, which is unnecessary when CodeBuild provides managed build environments.

Option D is unrelated: CodeArtifact is a package repository, not a test reporting solution.

Therefore, use CodeBuild and configure test reports via the buildspec.

The most secure way to handle database credentials for a CodeBuild stage—especially with a company requirement for automatic rotation—is to store credentials in AWS Secrets Manager and reference the secret securely from the CodeBuild environment. Secrets Manager is purpose-built to store, retrieve, and rotate secrets such as database credentials, API keys, and tokens. It encrypts secrets at rest (using AWS KMS), supports fine-grained IAM access control, and integrates with services like CodeBuild through environment variables and runtime retrieval.

With CodeBuild, the developer can configure environment variables to reference a Secrets Manager secret (rather than embedding credentials in buildspec.yml). This ensures that the build process retrieves the latest rotated credentials at runtime, reducing exposure risk and eliminating manual credential updates.

Option B is weaker because Systems Manager Parameter Store (SecureString) is a secure storage mechanism, but automatic rotation is not a native Parameter Store feature in the same way it is in Secrets Manager for database credentials. Secrets Manager provides managed rotation workflows (often via Lambda rotation functions) and scheduling that directly matches the requirement.

Options A and D violate secure handling practices by hardcoding credentials or storing plaintext connection strings. Both approaches significantly increase risk of exposure through source control, build logs, or environment inspection. Additionally, bolting on rotation via Lambda or EventBridge does not address the primary weakness of hardcoded/plaintext secret distribution.

Therefore, AWS Secrets Manager with automatic rotation, referenced securely from CodeBuild environment variables, is the most secure solution.

Default SSE in DynamoDB: DynamoDB tables are encrypted at rest by default using an AWS owned key (SSE-S3).

No Additional Action Needed: Creating a table without explicitly specifying a KMS key will use this default encryption.

Comprehensive and Detailed 250 to 300 words of Explanation From AWS Developer Documents:

The key requirement in this scenario is that the data must be encrypted before it is uploaded to Amazon S3, and the data is generated outside of AWS. This explicitly points to a client-side encryption requirement.

AWS documentation distinguishes clearly between server-side encryption and client-side encryption. Server-side encryption options for Amazon S3—including enabling default bucket encryption or specifying the x-amz-server-side-encryption request header—encrypt the data after it is received by Amazon S3. Therefore, options B and D do not satisfy the requirement because the plaintext data is transmitted to AWS before encryption occurs.

Option A, using the AWS KMS encrypt command, is not suitable for large binary objects. AWS KMS is designed to encrypt small pieces of data (up to 4 KB). AWS documentation explicitly states that for large payloads, customers should use envelope encryption instead of directly encrypting data with AWS KMS.

The AWS Encryption SDK is specifically designed for client-side encryption of large data objects. It implements envelope encryption, where a data encryption key (DEK) is generated locally to encrypt the data, and the DEK is then encrypted with an AWS KMS key. This approach allows efficient encryption of large binary files while maintaining strong key management and security controls.

AWS documentation recommends the AWS Encryption SDK for applications that need to encrypt data before sending it to AWS services, including Amazon S3. It supports multiple programming languages, handles key management automatically, and ensures data confidentiality even before transmission.

Therefore, using the AWS Encryption SDK for client-side encryption is the only solution that fully satisfies all requirements.

This solution will meet the requirements by using IAM database authentication for Aurora, which enables using IAM roles or users to authenticate with Aurora databases instead of using passwords or other secrets. The developer can use IAM database authentication for Aurora to enable secure database connections for all the Lambda functions that access Aurora DB instance. The developer can create an IAM role with permission to connect to Aurora DB instance and attach it to each Lambda function. The developer can also configure Aurora DB instance to use IAM database authentication and enable encryption in transit using SSL certificates. This way, the Lambda functions can use a single securely encrypted database connection string to access Aurora without needing any secrets or passwords. Option B is not optimal because it will store the credentials and read them from an encrypted Amazon RDS DB instance, which may introduce additional costs and complexity for managing and accessing another RDS DB instance. Option C is not optimal because it will store the credentials in AWS Systems Manager Parameter Store as a secure string parameter, which may require additional steps or permissions to retrieve and decrypt the credentials from Parameter Store. Option D is not optimal because it will use Lambda environment variables with a shared AWS Key Management Service (AWS KMS) key for encryption, which may not be secure or scalable as environment variables are stored as plain text unless encrypted with AWS KMS.

Distributed Tracing with X-Ray: X-Ray helps visualize request paths and identify bottlenecks in applications distributed across Regions.

Region Annotations (Automatic for AWS Services): X-Ray automatically adds a Region annotation to segments representing calls to AWS services. This aids in tracing cross-Region traffic.

Region Annotations (Manual for User-Defined): For segments representing calls to user-defined services in different Regions, the developer needs to add the Region annotation manually to enable comprehensive tracing.

This solution allows the developer to troubleshoot the failure by capturing unprocessed events in a queue for further analysis. Dead Letter Queues (DLQs) are queues that store messages that could not be processed by a service, such as Lambda, for various reasons, such as configuration errors, throttling limits, or permissions issues. The developer can configure DLQs for Lambda functions by sending events to either an Amazon Simple Queue Service (SQS) queue or an Amazon Simple Notification Service (SNS) topic. The developer can then inspect the messages in the queue or topic to identify and fix the root cause of the failure. Configuring AWS CloudTrail logging will not capture invocation failures for asynchronous Lambda invocations, but only record API calls made by or on behalf of Lambda. Configuring Amazon Simple Workflow Service (SWF) or AWS Config will not process any direct unprocessed events, but require additional integration and configuration.

Amazon Machine Images (AMIs) are encrypted snapshots of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters. The developer can copy the encrypted AMIs to the destination Region and use them to create a new application stack. The developer can delete the unencrypted AMIs after the encryption process is complete. This solution will meet the encryption requirement and allow the developer to expand the application to run in the destination Region.

Step 1: Understanding the Requirements

Best Practices for Security:

Minimize the use of hardcoded credentials or long-lived access keys.

Use IAM roles for EC2 instances to securely grant permissions to applications running on the instance.

Access Scope: The application needs read-only access to an S3 bucket.

Step 2: Solution Analysis

Option A:

Define an IAM policy with the required s3:GetObject permissions.

Attach this policy to an IAM role.

Assign the role to the EC2 instance profile.

This approach follows security best practices by eliminating the need for static credentials and using temporary, scoped credentials provided by the instance profile.

Correct option.

Option B:

IAM groups are used for organizing users, not for EC2 instances or instance profiles.

Not suitable.

Option C:

IAM users are associated with specific individuals or applications and require static credentials.

This violates security best practices for temporary credentials and roles.

Not suitable.

Option D:

IAM web identity federation is used for applications that authenticate users via third-party identity providers.

This is unnecessary for EC2 instances and does not align with the requirements.

Not suitable.

Step 3: Implementation Steps

Create an IAM Policy:

Grant read-only access to the S3 bucket:

json

Copy code

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::your-bucket-name/*"

}

]

}

Attach the Policy to an IAM Role:

Create an IAM role and attach the policy to the role.

Associate the Role with the EC2 Instance:

Attach the role to the instance profile used by the EC2 instance.

AWS Developer References:

IAM Roles for Amazon EC2

Amazon S3 Permissions Reference

AWS Secrets Manager is a service that allows you to store and manage secrets, such as database credentials, API keys, and passwords, in a secure and centralized way. It also provides features such as automatic secret rotation, auditing, and monitoring1. By using AWS Secrets Manager, you can avoid hardcoding credentials in your code, which is a bad security practice and makes it difficult to update them. You can also replicate your secrets to another Region, which is useful for disaster recovery purposes2. To access your secrets from your application, you can use the ARN of the secret, which is a unique identifier that includes the Region name. This way, your application can use the appropriate secret based on the Region where it is deployed3.

AWS Secrets Manager

Replicating and sharing secrets

Using your own encryption keys

Why Option A is Correct:Encrypting PII at rest and in transit before storing it in DynamoDB ensures end-to-end security. Using the AWS Database Encryption SDK with KMS keys allows the Lambda function to encrypt data before transmission, meeting security and compliance requirements.

Why Other Options are Incorrect:

Option B: While AWS-managed KMS keys encrypt DynamoDB data at rest, they do not encrypt data in transit.

Option C: DynamoDB streams process updates after the data is written to the table, failing to encrypt PII in transit.

Option D: Step Functions and SQS add unnecessary complexity and still require encryption logic for both transit and at rest.

AWS Documentation References:

Encrypting Data in DynamoDB

AWS Database Encryption SDK

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = "MobileApp"

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where OrderSource = "MobileApp".

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-query-scan.html

Comprehensive and Detailed Explanation (250–300 words):

For in-place deployments, AWS CodeDeploy updates instances directly rather than using blue/green infrastructure. AWS documentation states that when automatic rollback is enabled and a deployment fails (for example, due to failed health checks or validation scripts), CodeDeploy initiates a rollback deployment.

In an in-place rollback, CodeDeploy redeploys the last known successful application revision to the affected instances. This rollback is treated as a new deployment, complete with its own deployment ID and lifecycle events. CodeDeploy does not use snapshots, Route 53 switching, or external promotion logic for in-place deployments.

Options A and B describe mechanisms that are used in other services or blue/green strategies, not in-place deployments. Option D is incorrect because CodePipeline orchestrates stages but does not perform rollback logic for CodeDeploy.

Therefore, redeploying the previous stable version as a new deployment is the correct behavior.

This solution will meet the requirements by using Amazon CloudFront, which is a content delivery network (CDN) service that speeds up the delivery of web content and APIs to end users. The developer can configure the CloudFront cache, which is a set of edge locations that store copies of popular or recently accessed content close to the viewers. The developer can also update the application to return cached content based upon the default request headers, which are a set of HTTP headers that CloudFront automatically forwards to the origin server and uses to determine whether an object in an edge location is still valid. By caching the POST requests, the developer can optimize the API resources and reduce the latency for repeated queries. Option B is not optimal because it will override the cache method in the selected stage of API Gateway, which is not possible or effective as API Gateway does not support caching for POST methods by default. Option C is not optimal because it will save the latest request response in Lambda /tmp directory, which is a local storage space that is available for each Lambda function invocation, not a cache that can be shared across multiple invocations or requests. Option D is not optimal because it will save the latest request in AWS Systems Manager Parameter Store, which is a service that provides secure and scalable storage for configuration data and secrets, not a cache for API responses.

The requirement is to test a new Lambda version without impacting the production API, and to do so with the least operational overhead. In API Gateway (REST API), the simplest pattern is to create a separate stage (for example, test) and use a stage variable to control which Lambda function version (or alias) the integration invokes.

With option B, the developer creates a new stage and defines a stage variable (commonly something like lambdaAlias or lambdaVersion). The API method integration URI can reference this stage variable so that each stage points to a different Lambda alias/version. The production stage (for example, prod) continues to call the stable version, while the test stage calls the new version. This cleanly isolates testing traffic and prevents any effect on the production REST API because stages have distinct invoke URLs and deployments.

This approach is operationally efficient because it avoids duplicating the API definition (new REST API) and avoids creating extra resources/methods that must be maintained. It also provides a repeatable process: future versions can be tested by updating only stage variables or alias routing rather than restructuring the API.

Why not the others:

A adds additional resources/methods and increases API surface area and maintenance.

C duplicates the entire API, increasing overhead and configuration drift risk.

D would impact production because it changes the integration used by the existing method.

Therefore, using a new stage + stage variables to route to the updated Lambda version meets the requirements with minimal overhead.

This solution will meet the requirements by ensuring that all traffic between users and CloudFront, and all traffic between CloudFront and the web application, are encrypted using HTTPS protocol. The Origin Protocol Policy determines how CloudFront communicates with the origin server (the web application), and setting it to “HTTPS Only” will force CloudFront to use HTTPS for every request to the origin server. The Viewer Protocol Policy determines how CloudFront responds to HTTP or HTTPS requests from users, and setting it to “HTTPS Only” or “Redirect HTTP to HTTPS” will force CloudFront to use HTTPS for every response to users. Option A is not optimal because it will use AWS KMS to encrypt traffic between CloudFront and the web application, which is not necessary or supported by CloudFront. Option C is not optimal because it will set the origin’s HTTP port to 443, which is incorrect as port 443 is used for HTTPS protocol, not HTTP protocol. Option E is not optimal because it will enable the CloudFront option Restrict Viewer Access, which is used for controlling access to private content using signed URLs or signed cookies, not for encrypting traffic.

Amazon ElastiCache is a service that offers fully managed in-memory data stores that are compatible with Redis or Memcached. The developer can create an ElastiCache for Redis instance and enable encryption of data in transit and at rest. This will ensure that the PHI is encrypted at all times. The developer can store frequently accessed data in the cache and use Redis features such as sorting and ranking to enhance the performance of the application.

Containerization: Packaging the application as a container image promotes portability and standardization. Docker is the standard tool for containerization.

Amazon ECR: ECR is a managed container registry designed to work seamlessly with AWS container services.

Fargate: ECS Fargate provides serverless container orchestration, minimizing operational overhead for this proof-of-concept.

Amazon DynamoDB performance depends heavily on partition key design. AWS documentation warns against access patterns that repeatedly target the same partition key, as this causes hot partitions, even in on-demand mode.

In this scenario, most reads focus on the current day’s forecast for a small number of large cities. Using CityId alone as the partition key would cause hot partitions for those cities. Adding a calculated suffix (such as a hash or modulo value) to CityId spreads read requests across multiple partitions while still allowing efficient querying.

Using ForecastDate as the partition key (Options C and D) would concentrate traffic on a single value (today’s date), creating severe hot partition issues. Option B lacks a meaningful access pattern and complicates queries.

AWS documentation explicitly recommends key-suffix techniques for workloads with skewed access patterns to distribute traffic evenly. Therefore, using CityId with a calculated suffix as the partition key is the correct design.

Maximum concurrency for SQS as an event source allows customers to control the maximum concurrent invokes by the SQS event source1. When multiple SQS event sources are configured to a function, customers can control the maximum concurrent invokes of individual SQS event source1.

In this scenario, the developer needs to resolve the issue of the third-party API frequently returning an HTTP 429 Too Many Requests error message, which prevents a significant number of messages from being processed successfully. To achieve this, the developer can follow these steps:

Find out the documented rate limits of the third-party API, which specify how many requests can be made in a given time period.

Configure maximum concurrency on the SQS event source based on the rate limits of the third-party API. This will limit the number of concurrent invokes by the SQS event source and prevent exceeding the rate limits of the third-party API.

Test and monitor the application performance and adjust the maximum concurrency value as needed.

By using this solution, the developer can reduce the frequency of HTTP 429 errors and improve the message processing success rate. The developer can also avoid throttling or blocking by the third-party API.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can create an AWS Lambda function by using the SecretsManagerRotationTemplate template in the AWS Secrets Manager console, which provides a sample code for rotating secrets for RDS DB instances, Amazon DocumentDB clusters, and Amazon Aurora DB instances. The developer can also create secrets for the database credentials in Secrets Manager, which encrypts them at rest and provides secure access to them. The developer can set up secrets rotation on a schedule, which changes the database credentials periodically according to a specified interval or event. Option A is not optimal because it will set up IAM database authentication for token-based access, which may not be compatible with all database engines and may require additional configuration and management of IAM roles or users. Option B is not optimal because it will create parameters for the database credentials in AWS Systems Manager Parameter Store, which does not support automatic rotation of secrets. Option C is not optimal because it will store the database access credentials as an encrypted Amazon S3 object in an S3 bucket, which may introduce additional costs and complexity for accessing and securing the data.

The type of keys that the developer should use to meet the requirements is symmetric customer managed keys with key material that is generated by AWS. This way, the developer can use AWS Key Management Service (AWS KMS) to encrypt the data with a symmetric key that is managed by the developer. The developer can also enable automatic annual rotation for the key, which creates new key material for the key every year. The other options either involve using Amazon S3 managed keys, which do not support automatic annual rotation, or using asymmetric keys or imported key material, which are not supported by S3 encryption.

The workload is explicitly very I/O intensive and requires reading the same file multiple times. Reading repeatedly from S3 across the network will introduce latency and repeated network I/O. For best performance, the function should download the file once to fast local storage and perform all repeated reads locally.

AWS Lambda provides ephemeral storage mounted at /tmp. AWS allows increasing this ephemeral storage beyond the default size. Because the files are at most 2 GB, the developer can configure the Lambda function’s ephemeral storage to 2 GB and copy each S3 object into /tmp before processing. This converts repeated network reads into repeated local filesystem reads, which is significantly faster and more consistent for I/O-heavy workloads.

Option D (read directly from S3) is the least optimized because each pass over the file requires additional network I/O and S3 GET requests.

Option A is not feasible: Lambda cannot directly attach and manage an EBS volume like an EC2 instance can.

Option B is not applicable: ENA is an EC2 networking feature; Lambda networking is managed by the service and does not allow attaching ENAs for performance tuning in that way.

Because the files are disposable after processing, using ephemeral /tmp storage is also cost-effective and operationally simple, and it is aligned with the “process once per file” pattern.

Therefore, increase Lambda ephemeral storage and copy the video into /tmp for repeated reads.

Requirement Summary:

Prevent unauthorized code changes in AWS Lambda

Ensure only trusted code is deployed

AWS Lambda supports Code Signing:

You can configure code signing in Lambda using AWS Signer

Packages must be digitally signed and verified against the signing profile

Rejects unauthorized/modified packages automatically

Evaluate Options:

A. Trusted code option in CodeDeploy

No such feature exists for Lambda

CodeDeploy is more for EC2/On-Prem/Containers, not Lambda code signing

B. Define code signing config + use AWS Signer

This is exactly how AWS enforces trusted code deployment

Attach a code signing configuration to the Lambda function

Use AWS Signer to digitally sign deployment packages

C. Link to KMS to sign code

KMS is not used to sign Lambda packages

KMS is for data encryption, not application code integrity

D. Set KmsKeyArn

This configures data encryption, not code signing

Lambda code signing: https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html

AWS Signer overview: https://docs.aws.amazon.com/signer/latest/developerguide/what-is-signer.html

This solution will meet the requirements with the least operational overhead because it uses Amazon S3 as a scalable, secure, and durable storage service for the reports. The presigned URL will allow customers to access their reports for a limited time (8 hours) without requiring additional authentication. The S3 Lifecycle configuration rules will automatically delete the reports that are older than 2 days, reducing storage costs and complying with the data retention policy. Option A is not optimal because it will incur additional costs and complexity to store the reports as DynamoDB items, which have a size limit of 400 KB. Option B is not optimal because it will not provide customers with access to their reports within one hour, as Amazon SNS email delivery is not guaranteed. Option D is not optimal because it will require more operational overhead to manage an RDS database and a Lambda function for storing and deleting the reports.

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as the sort key.

Amazon CloudWatch Logs Insights is a purpose-built log analytics tool that allows developers to run interactive queries directly against CloudWatch Logs. AWS documentation highlights Logs Insights as the fastest and most efficient way to search, filter, and analyze log data without exporting it.

Logs Insights queries can filter error messages, extract timestamps, and aggregate failure counts over specific time windows. This directly satisfies the requirement to identify when intermittent failures occurred and what errors caused them.

Manual browsing (Option A) and local downloads (Option C) are time-consuming and do not scale. Exporting logs to S3 and querying with Athena (Option D) introduces unnecessary infrastructure and operational overhead.

Therefore, CloudWatch Logs Insights is the most operationally efficient solution.

Amazon DynamoDB supports conditional writes, which allow developers to enforce data integrity rules directly at the database layer. AWS documentation states that conditional expressions are the recommended way to prevent accidental overwrites and ensure idempotent writes.

Using a PutItem operation with the condition expression

attribute_not_exists(transactionId) ensures that the write succeeds only if the item does not already exist. If a duplicate transaction is received, DynamoDB rejects the request without modifying the existing record.

This approach is highly cost-effective because it avoids additional read operations. Option A doubles request cost by performing a read before every write. TTL (Option B) is unrelated to overwrite prevention. Option C does the opposite of the requirement by ensuring the attribute exists.

AWS explicitly recommends conditional writes for handling duplicates and enforcing uniqueness with minimal cost and latency.

Therefore, implementing a conditional put with attribute_not_exists(transactionId) is the correct solution.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

Why Option C is Correct:Implementing a connection pool in the Redis client reduces connection overhead and avoids frequent connection establishment, which helps to reduce latency and connection failures.

Why Other Options are Incorrect:

Option A: Exponential backoff retry strategies help with transient failures but do not resolve latency caused by frequent connection establishment.

Option B: Storing scores in application memory adds complexity and risks inconsistency.

Option D: Adding more nodes is unnecessary unless the cluster is under heavy load. Latency due to connection failures is better addressed at the application level.

AWS Documentation References:

Amazon ElastiCache Best Practices

Amazon Cognito user pools support Lambda triggers, which are custom functions that can be executed at various stages of the user pool workflow. A post authentication Lambda trigger can be used to perform custom actions after a user is authenticated, such as sending an email notification. Amazon SES is a cloud-based email sending service that can be used to send transactional or marketing emails. A Lambda function can use the Amazon SES API to send an email to the user’s email address after the user logs in successfully. Reference: Post authentication Lambda trigger

Why Option C is Correct:Amazon Verified Permissions provides fine-grained access control capabilities, making it ideal for managing complex user permissions. It integrates with OIDC IdPs for authentication and allows applications to request authorization decisions dynamically. It is also easily adaptable to newer applications.

Why Other Options are Incorrect:

Option A: Cognito identity pools do not natively support fine-grained permission analysis or management.

Option B: Managing permissions in application logic adds significant operational overhead.

Option D: IAM roles are not designed for application-specific fine-grained access control and are more suitable for resource-level permissions.

AWS Documentation References:

Amazon Verified Permissions

Amazon S3 supports server-side encryption, which encrypts data at rest on the server that stores the data. One of the encryption options is SSE-S3, which uses keys managed by S3. To use SSE-S3, the x-amz-server-side-encryption header must be set to AES256 when invoking the PutObject API operation. This instructs S3 to encrypt the object data with SSE-S3 before saving it on disks in its data centers and decrypt it when it is downloaded. Reference: Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

Amazon S3 supports resource-based policies, which are JSON documents that specify the permissions for accessing S3 resources. A resource-based policy can be used to enforce encryption in transit by denying access to requests that do not use HTTPS. The condition key aws:SecureTransport can be used to check if the request was sent using SSL. If the value of this key is false, the request is denied; otherwise, the request is allowed. Reference: How do I use an S3 bucket policy to require requests to use Secure Socket Layer (SSL)?

Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)

When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.

According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.

AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:

kms:GenerateDataKey

(Implicitly) access allowed by the KMS key policy

Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.

Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.

Option B is unnecessary because the IAM user already has s3:PutObject.

Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.

Requirement Summary:

Users experience buffering/delay when starting video stream

Architecture:

CloudFront → API Gateway → Lambda → DynamoDB

Need to identify root cause of performance issues

Evaluate Options:

A: Enable AWS X-Ray tracing

Ideal for end-to-end tracing

Visualizes latency across services (API Gateway, Lambda, DynamoDB)

Creates a service map for easy identification of bottlenecks or errors

Designed specifically for distributed tracing and performance monitoring

B: CloudWatch Logs Insights

⚠️ Helpful for querying logs

But lacks the visual trace linkage across services like X-Ray

Does not identify where latency accumulates

C: AWS Config

Tracks configuration changes, not runtime performance

D: CloudTrail + CloudWatch Logs

More useful for audit/logging, not tracing performance or latency issues

X-Ray overview: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html

Service map: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-service-map.html

Tracing API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html

When multiple Lambda functions must execute in a defined sequence as part of a workflow (order processing → payment → inventory → fulfillment, etc.), the AWS service designed to coordinate and orchestrate serverless workflows is AWS Step Functions.

Option C is the least operational overhead because Step Functions provides a managed state machine that invokes Lambda functions in an explicit order with built-in support for retries, timeouts, error handling, branching, and state passing between steps. The developer defines the workflow declaratively (Amazon States Language) and Step Functions ensures the sequence is enforced consistently.

Option A (SQS) is not a workflow orchestrator. Ensuring strict sequencing would require custom coordination logic, state tracking, and careful handling of retries and ordering—more code and complexity (and standard SQS does not guarantee strict order).

Option B (SNS) fans out events and is not designed for sequential orchestration.

Option D (EventBridge Scheduler) can schedule invocations at times, but it does not coordinate multi-step workflows with dependencies and conditional transitions.

Amazon CloudWatch is the service that collects and stores logs from AWS Lambda functions. The developer can use CloudWatch Logs Insights to query and analyze the logs for errors and metrics. Option A is not correct because Amazon S3 is a storage service that does not store Lambda function logs. Option B is not correct because AWS CloudTrail is a service that records API calls and events for AWS services, not Lambda function logs. Option D is not correct because Amazon DynamoDB is a database service that does not store Lambda function logs.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

Amazon CloudWatch Logs data protection policies allow sensitive data such as credit card numbers to be automatically detected and masked at ingestion time. By default, masked data cannot be viewed by any user.

AWS documentation states that to allow specific principals to view masked data, two conditions must be met:

The data protection policy must include an UnmaskConfig that specifies which IAM roles are permitted to view the unmasked data.

The IAM role must have the logs:Unmask permission.

Option A configures the policy to allow the fraud detection role to unmask sensitive fields. Option B grants the necessary permission to that role. Together, these steps ensure that only the fraud detection account can view credit card numbers.

Attaching the policy to the log group (Option D) is necessary for masking but does not grant unmask access on its own. IAM roles cannot contain data protection policies (Option E), and policies are not attached in the consuming account (Option C).

Therefore, the correct combination is A and B, ensuring strict access control while maintaining compliance with security requirements.

Amazon DynamoDB is a fully managed NoSQL database service that can store and retrieve any amount of data with high availability and performance. DynamoDB can handle concurrent requests from multiple IoT devices without throttling or data loss. To prevent duplicate requests from causing inconsistencies or data loss, the Lambda function can use DynamoDB conditional writes to check if the unique identifier for each request already exists in the table before processing the request. If the identifier exists, the function can skip or abort the request; otherwise, it can process the request and store the identifier in the table. Reference: Using conditional writes

S3Bucket and S3Key: These properties in a CloudFormation AWS::Lambda::Function resource specify the location of the function's code in S3.

Least Development Effort: This solution minimizes code changes, relying on CloudFormation to reference the existing S3 deployment package.

The solution that will meet the requirements is to write data to Amazon ElastiCache. This way, the application can write session data to a fast, scalable, and reliable in-memory data store that can be served reliably across multiple requests. The other options either involve writing data to persistent storage, which is slower and more expensive than in-memory storage, or writing data to the root filesystem, which is not shared among multiple EC2 instances.

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. The developer can update the application to retrieve the variables from Parameter Store by using the AWS SDK or the AWS CLI. The developer can use unique paths in Parameter Store for each variable in each environment, such as /dev/api-url, /test/api-url, and /prod/api-url. The developer can also store the credentials in AWS Secrets Manager, which is integrated with Parameter Store and provides additional features such as automatic rotation and encryption.

Requirement Summary:

EKS containers send logs to CloudWatch Logs

Need to process logs in real time

Trigger logic based on a specific error in logs

Evaluate Options:

Option A: SNS topic with filter policy

SNS filter policies work on message attributes, not on CloudWatch Logs subscription filters

Option B: Subscription filter on log group

This enables real-time log processing

You can create a subscription filter with a pattern matching specific error strings

Sends matched logs to a Lambda function or Kinesis

Option C: CloudWatch agent operator for trace collection

Irrelevant for log processing

Used for monitoring and tracing, not real-time log filtering

Option D: Lambda function to process logs

Once logs match the pattern, Lambda can process and act (e.g., alert, store, analyze)

Option E: EventBridge rule on a schedule

Not real-time

Scheduled EventBridge rules are for cron-like tasks, not log stream processing

Subscription filters: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

Real-time log processing with Lambda: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#LambdaExample

Logs in EKS to CloudWatch: https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html

API Gateway Stage Variables: These are designed for configuring dynamic values for your APIs in different deployment stages (dev, test, prod). Here's how to use them for third-party endpoints:

In the API Gateway console, access the "Stages" section of your API.

For each stage, create a stage variable named something like thirdPartyEndpoint.

Set the value of this variable to the actual endpoint URL for that specific environment.

When configuring API requests within your API Gateway method, reference this endpoint using ${stageVariables.thirdPartyEndpoint}.

Why Stage Variables Excel Here:

Environment Isolation: This approach keeps the endpoint configuration specific to each deployment stage, ensuring the right endpoints are used during development, testing, and production cycles.

Ease of Management: You manage the endpoints directly through the API Gateway console without additional infrastructure.

The company already has SSM Agent deployed on all servers, which enables centralized, scalable fleet operations without logging in to each instance. The most operationally efficient solution is to automate key distribution using Systems Manager Run Command, executing a script across the entire fleet (or a targeted subset) in one action.

Option B uses S3 as a simple distribution source and Run Command to perform the update at scale. The developer can store the required key material in a controlled S3 location and write a script that places the key in the correct filesystem path (with correct permissions/ownership), updates authorized_keys if needed, and restarts any services if required. Run Command can target instances by tags, resource groups, or instance IDs and provides execution logging and status.

Option A is not operationally efficient because it requires logging into each server manually.

Option C and D push the distribution burden to humans (“grant team members permissions to download”), which is error-prone, slow, and not scalable. Also, distributing private keys broadly to individuals increases risk.

The correct answer is C. The developer did not update the Docker image tag to a new version.

C. The developer did not update the Docker image tag to a new version. This is correct. When deploying an application to Amazon EKS, the developer needs to specify the Docker image tag that contains the application code and configuration. If the developer does not update the Docker image tag to a new version after making changes to the application, the EKS cluster will continue to use the old Docker image tag that references the original backend resources. To fix this issue, the developer should update the Docker image tag to a new version and redeploy the application to the EKS cluster.

A. The developer did not successfully create the new AWS account. This is incorrect. The creation of a new AWS account is not related to the application’s connection to the backend resources. The developer can use any AWS account to host the EKS cluster and the backend resources, as long as they have the proper permissions and configurations.

B. The developer added a new tag to the Docker image. This is incorrect. Adding a new tag to the Docker image is not enough to deploy the changes to the application. The developer also needs to update the Docker image tag in the EKS cluster configuration, so that the EKS cluster can pull and run the new Docker image.

D. The developer pushed the changes to a new Docker image tag. This is incorrect. Pushing the changes to a new Docker image tag is not enough to deploy the changes to the application. The developer also needs to update the Docker image tag in the EKS cluster configuration, so that the EKS cluster can pull and run the new Docker image.

Requirement Summary:

Developer uses AWS IAM Identity Center (SSO) with AWS CLI / SDKs

Initially working fine

Now receiving AccessDenied errors

No changes to config or scripts

Key Understanding:

IAM Identity Center credentials are temporary and time-limited. When you use SSO-based access via the AWS CLI (aws sso login), it obtains temporary credentials stored in the local cache.

By default, these expire in 1 hour (can be extended).

Evaluate Options:

A. Permissions to CLI binary changed

Unlikely – this would produce execution errors, not AccessDenied from AWS API

B. Permission set lacks required permissions

Then the error would have occurred from the beginning, not after time

C. IAM Identity Center credentials expired

Most likely – user hasn't refreshed credentials using aws sso login again

After expiration, API calls fail with AccessDenied

D. Developer is calling the wrong AWS account

Would likely show different types of errors (AccountNotFound, etc.)

SSO and AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Troubleshooting SSO CLI: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

Secrets Management: AWS Secrets Manager is designed specifically for storing and managing sensitive credentials.

Built-in Rotation: Secrets Manager provides automatic secret rotation functionality, enhancing security posture significantly.

IAM Integration: IAM policies and roles grant fine-grained access to ECS Fargate, ensuring the principle of least privilege.

Reduced Overhead: This solution centralizes secrets management and automates rotation, reducing operational overhead compared to the other options.

“Encryption in transit” for S3 means requiring requests to use HTTPS (TLS) rather than HTTP. AWS provides a standard policy condition key, aws:SecureTransport, that evaluates to true when the request is made over SSL/TLS and false when it is not. To enforce TLS for all cross-account GetObject requests, the most reliable control point is the S3 bucket resource-based policy, because the bucket is the resource being accessed and the bucket owner can enforce conditions regardless of which external account is calling.

Option A is the established pattern: add an explicit Deny statement in the bucket policy that denies all S3 actions (or at least s3:GetObject) when aws:SecureTransport is false. An explicit deny overrides any allows, ensuring that even if another account’s IAM policy allows access, the request will still be blocked if it is not using HTTPS.

Option B is backwards because it would allow insecure transport rather than deny it.

Option C is weaker because you cannot reliably enforce policies in other accounts (and principals could change roles or permissions). The bucket owner should enforce transport security at the bucket level.

Option D is not the right layer: the KMS key policy controls key usage, but the S3 GetObject transport requirement is best enforced by the S3 bucket policy. Also, S3 access can be denied before KMS is even involved.

Therefore, enforce HTTPS by adding a bucket policy Deny when aws:SecureTransport is false.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

The solution that will meet the requirements is to use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime. This way, the developer can pass the credentials to the Lambda function in a secure way, as AWS Secrets Manager encrypts and manages the secrets. The developer can also use a dynamic reference to avoid exposing the secret’s value in plain text in the CloudFormation template. The other options either involve passing the credentials as plain text parameters, which is not secure, or encrypting them with AWS KMS, which is less convenient than using AWS Secrets Manager.

Centralized logging for microservices means collecting application logs from many services into a single managed logging backend where logs can be searched, retained, and monitored. For containerized microservices on AWS, the standard approach is to send each service’s stdout/stderr logs to Amazon CloudWatch Logs.

Option A is the appropriate solution: create separate CloudWatch Logs streams (and typically log groups) per microservice. This scales naturally as microservices increase, supports retention policies, metric filters, alarms, and integrations with tools like CloudWatch Logs Insights for querying across services. Container orchestrators (ECS/EKS) can be configured to use the CloudWatch Logs log driver so logs are shipped automatically without custom log shipping agents.

Option B (CloudTrail) logs AWS API activity, not application logs.

Option C (VPC Flow Logs) captures network flow metadata, not application-level logs.

Option D (Cloud Map) is service discovery, not logging.

Therefore, using CloudWatch Logs streams per microservice is the correct central logging approach.

Amazon Cognito user pools is a service that provides a secure user directory that scales to hundreds of millions of users. The developer can use Amazon Cognito user pools to manage user accounts and create an Amazon Cognito user pool authorizer in API Gateway to control access to the API. The developer can use the Lambda function to store the photos in Amazon S3, which is a highly scalable, durable, and secure object storage service. The developer can store the object’s S3 key as part of the photo details in the DynamoDB table, which is a fast and flexible NoSQL database service. The developer can retrieve previously uploaded photos by querying DynamoDB for the S3 key and fetching the photos from S3. This solution will meet the requirements with the least operational overhead.

The solution that will solve this problem is to create and inspect the Lambda dead-letter queue. Troubleshoot the failed functions. Reprocess the events. This way, the developer can identify and fix any issues that caused the Lambda function to fail when invoked asynchronously by API Gateway. The developer can also reprocess any orders that were not processed due to failures. The other options either do not address the root cause of the problem, or do not help recover from failures.

Mocking API Responses: API Gateway's Mock integration type enables simulating API behavior without invoking backend services.

Testing with Sample Data: Using captured responses from the real third-party API ensures realistic testing of the integration code.

Focus on Integration Logic: This solution allows the developer to isolate and test the application's interaction with the payment APIs, even without a test environment from the third-party providers.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudFront is a content delivery network (CDN) service that can improve the performance and security of web applications. The developer can use CloudFront and a custom domain name for the API Gateway REST API. To do so, the developer needs to import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the us-east-1 Region. This is because CloudFront requires certificates from ACM to be in this Region. The developer also needs to create a DNS CNAME record for the custom domain that points to the CloudFront distribution.

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key1. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM42. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS1.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.

Comprehensive and Detailed Step-by-Step Explanation:

Option C: Edge-Optimized API Gateway with Custom Domain Name:

Edge-Optimized API Gateway: This endpoint type automatically leverages the Amazon CloudFront global distribution network, minimizing latency for API users distributed globally.

Custom Domain Name: API Gateway supports custom domain names for APIs. Importing the TLS certificate into AWS Certificate Manager (ACM) and associating it with the custom domain name ensures secure connections.

Disabling the Default Endpoint: Prevents direct access via the default API Gateway URL, enforcing the use of the custom domain name.

Why Other Options Are Incorrect:

Option A: While CloudFront can distribute API requests globally, API Gateway with edge-optimized endpoints already provides this functionality natively without requiring Lambda@Edge.

Option B: Private endpoint types are used for internal access via VPC, which does not meet the global distribution and low-latency requirement.

Option D: CloudFront Functions are not needed because API Gateway’s edge-optimized endpoints handle global distribution efficiently.

Comprehensive and Detailed Explanation (250–300 words):

Amazon SQS uses a visibility timeout to prevent other consumers from processing a message while it is being handled. If a Lambda function does not complete processing before the visibility timeout expires, the message becomes visible again and can be processed a second time.

AWS documentation states that the SQS visibility timeout should be greater than the maximum Lambda execution time. If not, messages may be delivered multiple times, even though processing is still in progress.

Increasing the Lambda timeout or memory does not directly affect message visibility. Increasing batch size can worsen the problem by increasing processing time.

Therefore, increasing the SQS visibility timeout is the correct and AWS-recommended solution.

Requirement Summary:

WebSocket-based messaging app using API Gateway WebSocket APIs

Need to:

Identify clients repeatedly connecting/disconnecting

Be able to remove problematic clients

Evaluate Options:

A. Switch to HTTP APIs

HTTP APIs don’t support WebSocket connections

B. Switch to REST APIs

REST APIs are not compatible with WebSockets

C. Use the callback URL to disconnect clients

⚠️ Possible, but not a direct option

Callback URLs are used for sending messages to connected clients, not for disconnecting

D. Track client status in ElastiCache

Good solution: Store and update connection state (connected, disconnected, timestamps)

Helps track abuse or reconnections

E. Implement $connect and $disconnect routes

Required to capture connection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-selection.html

Managing WebSocket connections: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

Instance Metadata Service: EC2 instances have access to an internal metadata service. It provides instance-specific information like instance ID, security groups, and public IP address.

Accessing Metadata:

Make an HTTP GET request to the base URL: http://169.254.169.254/latest/meta-data/

You'll get a list of available categories. The public IPv4 address is under public-ipv4.

Why Option A is Correct:Auto-scaling with a target utilization ensures the DynamoDB table dynamically adjusts capacity based on workload, maintaining high performance while optimizing cost. Setting a reasonable target utilization minimizes overprovisioning and throttling risks.

Why Other Options are Incorrect:

Option B: On-demand capacity is costlier than provisioned throughput for predictable workloads.

Option C: Using manual CloudWatch alarms and Lambda for scaling is less efficient and adds operational overhead.

Option D: DAX accelerates read performance but does not improve write performance.

AWS Documentation References:

DynamoDB Auto Scaling

Why Option D is Correct:When using a container-based AWS Lambda function, you are responsible for updating the base image for runtime patches. Rebuilding the container with the latest Node.js patch version ensures the function is updated with the required security patches. Publishing a new version of the Lambda function makes the updated image available for use.

Why Other Options are Incorrect:

Option A: The runtime update mode applies to functions using AWS-managed runtimes, not container-based runtimes.

Option B: Redeploying the same version of the Lambda function does not apply the security patch.

Option C: Rebuilding with the AWS OS base image does not guarantee that the latest Node.js patch version is included.

AWS Documentation References:

Lambda Function Container Images

Node.js Updates in AWS Lambda

This solution will meet the requirements by creating an advanced parameter in AWS Systems Manager Parameter Store, which is a secure and scalable service for storing and managing configuration data and secrets. The advanced parameter allows setting expiration and expiration notification policy types, which enable specifying an expiration date and time for the configuration and receiving notifications before the configuration expires. The Lambda code will be refactored to load the Root CA Cert from the parameter store and modify the runtime trust store outside the Lambda function handler, which will improve performance and reduce latency by avoiding repeated calls to Parameter Store and trust store modifications for each invocation of the Lambda function. Option A is not optimal because it will create a standard parameter in AWS Systems Manager Parameter Store, which does not support expiration and expiration notification policy types. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will create a Docker container from Node.js base image to invoke Lambda functions, which will incur additional costs and overhead for creating and running Docker containers.

Comprehensive and Detailed Step-by-Step Explanation:

Issue Analysis:

The stream uses service name as the partition key. This can cause "hot partition" issues when a few service names generate significantly more logs compared to others, causing uneven distribution of data across shards.

Metrics show that the write capacity used is below provisioned capacity, which confirms that the throughput errors are due to shard-level limits and not overall capacity.

Option C: Change Partition Key to Creation Timestamp:

By changing the partition key to the creation timestamp (or a composite key including timestamp), the distribution of data across shards can be randomized, ensuring an even spread of records.

This resolves the shard overutilization issue and eliminates ProvisionedThroughputExceededException.

Why Other Options Are Incorrect:

Option A: Switching to on-demand capacity mode might temporarily alleviate the issue, but the root cause (hot partitioning) remains unresolved.

Option B: Adding shards increases capacity but does not fix the skewed data distribution caused by using the service name as the partition key.

Option D: Creating separate streams for each service adds unnecessary complexity and does not scale well as the number of services grows.

The correct answer is A. Add a configuration file in TOML format to group configuration entries to every environment. Add a table for each testing and staging environment. Deploy updates to the environments by using the sam deploy command and the --config-env flag that corresponds to the each environment.

A. Add a configuration file in TOML format to group configuration entries to every environment. Add a table for each testing and staging environment. Deploy updates to the environments by using the sam deploy command and the --config-env flag that corresponds to the each environment. This is correct. This solution will meet the requirements with the least development effort, because it uses a feature of the AWS SAM CLI that supports a project-level configuration file that can be used to configure AWS SAM CLI command parameter values1. The configuration file can have multiple environments, each with its own set of parameter values, such as stack name, region, capabilities, and more2. The developer can use the --config-env option to specify which environment to use when deploying the application3. This way, the developer can avoid creating multiple templates or scripts, or manually overriding parameters for each environment.

B. Create additional AWS SAM templates for each testing and staging environment. Write a custom shell script that uses the sam deploy command and the --template-file flag to deploy updates to the environments. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires creating and maintaining multiple templates and scripts for each environment. This can introduce duplication, inconsistency, and complexity in the deployment process.

C. Create one AWS SAM configuration file that has default parameters. Perform updates to the testing and staging environments by using the —parameter-overrides flag in the AWS SAM CLI and the parameters that the updates will override. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires manually specifying and overriding parameters for each environment every time the developer deploys the application. This can be error-prone, tedious, and inefficient.

D. Use the existing AWS SAM template. Add additional parameters to configure specific attributes for the serverless function and database table resources that are in each environment. Deploy updates to the testing and staging environments by using the sam deploy command. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires modifying the existing template and adding complexity to the resource definitions for each environment. This can also make it difficult to manage and track changes across different environments.

Why Option B is Correct:Amazon ECS does not natively process docker-compose.yml files. Instead, the configurations from docker-compose.yml must be converted into ECS-compatible configurations within a task definition. Task definitions are the primary way to specify container configurations in ECS, including service dependencies like databases, caches, and volumes.

Steps to Resolve the Error:

Extract the configurations from the docker-compose.yml file.

Map the dependencies and settings to the appropriate ECS task definition fields.

Deploy the task definition to the ECS cluster.

Why Other Options are Incorrect:

Option A: Docker labels do not directly impact ECS task execution or integrate with ECS service configurations.

Option C: ECS namespaces do not exist as a feature.

Option D: Changing the service type to REPLICA does not resolve the issue of missing service dependency configurations.

AWS Documentation References:

Amazon ECS Task Definitions

Migrating Docker Compose Workloads to ECS

For in-place deployments, AWS CodeDeploy uses a set of predefined hooks that run in a specific order during each deployment lifecycle event. The hooks are ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart, and ValidateService. The run order of the hooks for in-place deployments is as follows:

ApplicationStop: This hook runs first on all instances and stops the current application that is running on the instances.

BeforeInstall: This hook runs after ApplicationStop on all instances and performs any tasks required before installing the new application revision.

AfterInstall: This hook runs after BeforeInstall on all instances and performs any tasks required after installing the new application revision.

ApplicationStart: This hook runs after AfterInstall on all instances and starts the new application that has been installed on the instances.

ValidateService: This hook runs last on all instances and verifies that the new application is running properly on the instances.

This solution will meet the requirements by allowing the developer to control what data is sent to X-Ray and CloudWatch from the application code. The developer can filter out any PII from the trace messages before sending them to X-Ray and CloudWatch, ensuring that no PII goes outside of the EC2 instances. Option B is not optimal because it will automatically instrument all incoming and outgoing requests from the application, which may include PII in the trace messages. Option C is not optimal because it will require additional services and costs to use Amazon Macie and AWS Lambda, which may not be able to detect and hide all PII from the trace messages. Option D is not optimal because it will use Open Telemetry instead of X-Ray, which may not be compatible with CloudWatch and other AWS services.

CloudWatch for Log Analysis: CloudWatch is the best fit here because logs are already centralized. Here's the process:

Metric Filter: Create a metric filter on the CloudWatch Logs log group. Design a pattern to specifically identify application error messages.

Custom Metric: This filter generates a new custom CloudWatch metric (e.g., ApplicationErrors). This metric tracks the error count.

CloudWatch Alarm: Create an alarm on the ApplicationErrors metric. Configure the alarm with your desired threshold and a 5-minute evaluation period.

SNS Action: Set the alarm to trigger an SNS notification when it enters the alarm state.

Amazon ElastiCache for Redis: An in-memory data store known for extremely low latency, ideal for caching frequently accessed, complex data.

Write-Through Caching: Ensures that data is always consistent between the cache and the database. Writes go to both Redis and RDS.

Performance Gains: Redis handles reads with minimal latency, offloading the RDS database and improving the application's responsiveness.

CloudFront is a content delivery network that caches objects at edge locations to reduce latency and origin load. When the developer updates static artifacts in the origin S3 bucket, CloudFront may continue serving cached versions until the objects expire based on cache-control headers or the distribution’s TTL settings. That is why the developer sees the updated files in S3 but not on the site.

The standard fix is to perform a CloudFront cache invalidation for the updated object paths (for example, /app.js, /styles.css, or /* if needed). An invalidation forces CloudFront edge locations to remove the cached objects so the next viewer request fetches the latest version from the S3 origin.

Option C directly addresses this behavior and is the correct operational practice when cache TTLs would otherwise delay updates.

Option A (Object Lock) is for WORM retention/compliance and has nothing to do with CloudFront cache refresh.

Option B might change what exists in S3 but does not guarantee CloudFront will stop serving cached content; the cache can still serve objects even if deleted from the origin (until it revalidates/refreshes).

Option D is unnecessary; the origin does not need to change to fetch updated content.

Therefore, invalidate the CloudFront cache after deployment to ensure the new artifacts are served.

In AWS X-Ray, filter expressions can filter trace data based on indexed fields that X-Ray can query efficiently. Custom data can be added to segments in two main ways: annotations and metadata. The critical difference is that annotations are indexed and can be used for filtering, while metadata is not indexed and is intended for additional diagnostic context that you do not typically query on.

Therefore, if the developer wants user-specified custom attributes to be usable in X-Ray filter expressions, the developer should record those attributes as annotations in the segment document. Once recorded as annotations, the developer can write filter expressions that match annotation keys/values and return only the relevant traces.

Option B is incorrect because metadata is not indexed and cannot be used in filter expressions for trace search the same way annotations can.

Option C is incorrect because segment documents have a defined schema; adding arbitrary “new segment fields” is not the intended method for searchable custom attributes.

Option D is unrelated: sampling rules control which requests get traced in the first place. They are not used to filter returned results by custom attributes after traces are recorded.

Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.

Why Option C is Correct:

Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.

Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.

Low Overhead: This approach requires only minimal changes to the function's configuration.

Why Not Other Options:

Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.

Option B: Scheduling the function does not address the root cause of slow performance.

Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.

Using Ephemeral Storage in AWS Lambda

Best Practices for S3 and Lambda Performance

Amazon S3 Lifecycle rules are specifically designed to manage object versions over time. When versioning is enabled, lifecycle rules can be configured to expire noncurrent versions, retaining only a defined number of recent versions.

AWS documentation states that lifecycle rules can be used to “retain a specific number of newer noncurrent versions.” By configuring a lifecycle rule to keep one noncurrent version, Amazon S3 automatically deletes older versions while retaining the current and immediately previous versions.

Bucket policies (Option A) control access, not retention. S3 Object Lock (Option C) is designed for regulatory compliance and write-once-read-many (WORM) use cases and is not suitable for routine version cleanup. Suspending versioning (Option D) does not remove existing versions and increases application complexity.

Therefore, an S3 Lifecycle rule is the correct and AWS-recommended solution.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: AWS AppConfig with CloudWatch Application Signals

AWS AppConfig is designed for managing and deploying application configurations dynamically, without redeployment.

CloudWatch Application Signals provide automatic rollback mechanisms in case of an unhealthy application state due to bad configuration changes.

This solution meets the requirements with minimal operational overhead by ensuring both dynamic updates and rollback functionality.

Why Other Options Are Incorrect:

Option A and B: AWS Secrets Manager is designed for secrets management, not dynamic application configuration. Custom Config rules add unnecessary complexity.

Option C: While CloudWatch alarms can monitor application changes, using alarms for rollback requires manual setup and lacks the automatic rollback provided by Application Signals.

The bottleneck in this architecture is typically the relational database (RDS MySQL), which has limited concurrent connections and write throughput compared with bursty API traffic. Because transaction volume spikes during the day and drops to near zero at night, the system needs a way to absorb bursts without over-provisioning the database (which would be costly and underutilized at night).

A cost-effective way to add elasticity is to introduce Amazon SQS as a buffer between API ingestion and database writes. With SQS, devices (or the API/Lambda) enqueue transactions quickly, and Lambda consumers process the queue at a controlled rate. The key is to prevent Lambda from overwhelming RDS with too many concurrent writes or connections. Setting reserved concurrency on the Lambda function limits the maximum number of concurrent executions, which effectively caps database connection pressure and smooths write load. This prevents overload events that cause errors/timeouts while still allowing the system to scale up to the reserved concurrency limit during peaks.

Option D captures this correct control mechanism: SQS for buffering + Lambda reserved concurrency matched to the DB’s connection capacity.

Option C is incorrect because “enhanced fanout” is a Kinesis Data Streams feature, not an SQS feature.

Options A and B focus on scaling Aurora read replicas, which helps read scaling, not write-heavy transaction ingestion. POS transaction processing is typically write-intensive; scaling read replicas does not solve the core elasticity problem. Also, migrating databases is higher effort and cost than adding a queue and tuning Lambda concurrency.

Therefore, adding SQS and setting Lambda reserved concurrency to protect RDS connections is the most cost-effective elasticity improvement.

Amazon S3 event notifications can invoke AWS Lambda functions at very high rates during traffic spikes. In this scenario, up to 500 objects per minute can result in hundreds of concurrent Lambda invocations. By default, Lambda functions share the account’s unreserved concurrency pool, which can cause throttling if the pool is exhausted by sudden bursts.

AWS Lambda reserved concurrency guarantees a specific number of concurrent executions for a function. By configuring reserved concurrency, the developer ensures that sufficient execution capacity is always available for this specific function, regardless of other Lambda workloads in the account. This prevents throttling during high-volume S3 event bursts.

Increasing the timeout (Option A) does not address concurrency limits. Adding a layer (Option B) does not solve invocation throttling. Decreasing memory (Option D) can actually worsen performance and increase execution time.

AWS documentation explicitly recommends reserved concurrency when workloads experience unpredictable or bursty invocation patterns and must run reliably. Therefore, reserving concurrency is the correct and AWS-recommended solution.

Global Secondary Index (GSI): GSIs enable alternative query patterns on a DynamoDB table by using different partition and sort keys.

Addressing Query Bottleneck: By making the slow-query attribute the GSI's partition key, you optimize queries on that attribute.

Scalability: GSIs automatically scale to handle increasing data volumes.

The requirement is specifically to have ECS automatically restore the last known good deployment when a new deployment fails, while the service is using the rolling update deployment type. Amazon ECS supports this through the deployment circuit breaker with the option to rollback on failures.

When enabled, the deployment circuit breaker monitors the deployment and detects failure conditions such as tasks repeatedly failing health checks, not reaching steady state, or being unable to start successfully. With rollback enabled, ECS automatically stops the failing deployment and reverts the service to the most recently completed (stable) task definition, restoring service stability without manual intervention.

Option D matches exactly: keep the rolling deployment type and enable circuit breaker + rollback. This is minimal change and directly addresses the behavior observed.

Options A and B are unrelated: service autoscaling adjusts desired count based on metrics and does not roll back failed deployments.

Option C could also achieve rollback behavior, but switching to blue/green introduces additional components (AWS CodeDeploy integration, target groups, and traffic shifting), which is unnecessary when the requirement can be met within rolling deployments.

Therefore, enabling the ECS deployment circuit breaker with rollback on failures for a rolling deployment is the correct solution.

Requirement Summary:

DynamoDB Provisioned Mode

ProvisionedThroughputExceededException error occurring

App hosted on a small burstable EC2 instance

Option A: Move to a larger EC2 instance

May improve local performance, but does not solve DynamoDB provisioned throughput limits.

Option B: Increase DynamoDB RCUs

Valid: This directly increases the read throughput capacity of the table.

Helps handle more traffic and reduce throughput exceptions.

Option C: Reduce frequency via exponential backoff

Best practice: Using exponential backoff and jitter reduces request pressure and spreads retries out to avoid spiking.

Option D: Increase frequency of retries by reducing delay

Opposite of best practice. Increases load, worsening the issue.

Option E: Change to on-demand mode

Also valid in general, but question is scoped around provisioned capacity.

Since minimizing cost or workload type isn't mentioned, and scaling the existing model is the focus, prefer B and C.

ProvisionedThroughputExceededException: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HandlingErrors.html

Exponential backoff: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html

Capacity modes: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html

Requirement Summary:

Simple REST endpoint for weather data

Light backend usage (POC, testing)

Wants caching support to reduce backend calls

Must be cost-effective

Evaluate Options:

B: Lambda + API Gateway + SAM

Serverless = No idle costs

API Gateway can enable caching (response caching at endpoint level)

SAM makes deployment simple and repeatable

Perfect for low-traffic testing

A: EKS + API Gateway

High overhead

Not cost-effective for POC/testing

C: ECS + API Gateway

Similar to A: Container orchestration not needed for light REST endpoint

D: Elastic Beanstalk + ALB + Lambda

Overly complex and does not directly expose Lambda

Beanstalk better suited for full apps, not small REST functions

 AWS SAM: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html

 API Gateway caching: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

 Serverless Best Practices: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html

AWS STS AssumeRole: The central operation for assuming temporary security credentials, commonly used for cross-account access.

MFA Integration: The AssumeRole call can include MFA information to enforce multi-factor authentication.

Credentials for S3 Access: The returned temporary credentials would provide the necessary permissions to access the S3 bucket in the other account.

Why Option A is Correct:

The ArnLike condition with the specific ARN for myStateMachine ensures that only this state machine can assume the role. The format urn:aws:states is correct for specifying Step Functions resources.

Why Other Options are Incorrect:

Option B: Wildcards (*) in the ARN allow more resources to assume the role, which violates the requirement.

Option C: This condition restricts the account but not the specific state machine.

Option D: A StringNotEquals condition is used to deny specific values, which does not ensure exclusivity for the desired state machine.

AWS Documentation References:

IAM Trust Policies for Step Functions

API Gateway’s canary deployments allow gradual traffic shifting to a new version of a function, minimizing disruption while testing.

Why Option A is Correct:

Gradual Rollout: Reduces risk by incrementally increasing traffic.

Rollback Support: Canary deployments make it easy to revert to the previous version.

Why Not Other Options:

Option B: Redeploying the stage disrupts all users.

Option C & D: Managing new stages and weighted routing introduces unnecessary complexity.

Canary Deployments in API Gateway

The correct answer is C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event.

C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event. This is correct. AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging1. Amazon EventBridge is a serverless event bus service that enables you to connect your applications with data from a variety of sources2. EventBridge can create rules that run on a schedule, either at regular intervals or at specific times and dates, and invoke targets such as Lambda functions3. This solution meets the requirements of creating a small application that makes the same API call once each day at a designated time, without requiring any infrastructure in the AWS Cloud or any operational overhead.

A. Use a Kubernetes cron job that runs on Amazon Elastic Kubernetes Service (Amazon EKS). This is incorrect. Amazon EKS is a fully managed Kubernetes service that allows you to run containerized applications on AWS4. Kubernetes cron jobs are tasks that run periodically on a given schedule5. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EKS cluster, which would incur additional costs and complexity.

B. Use an Amazon Linux crontab scheduled job that runs on Amazon EC2. This is incorrect. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud6. Crontab is a Linux utility that allows you to schedule commands or scripts to run automatically at a specified time or date7. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EC2 instance, which would incur additional costs and complexity.

D. Use an AWS Batch job that is submitted to an AWS Batch job queue. This is incorrect. AWS Batch enables you to run batch computing workloads on the AWS Cloud8. Batch jobs are units of work that can be submitted to job queues, where they are executed in parallel or sequentially on compute environments9. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to configure and manage an AWS Batch environment, which would incur additional costs and complexity.

The EC2 instances are in private subnets with no public internet access, yet the CloudWatch agent must publish metrics to Amazon CloudWatch. To send metrics, the instances need: (1) network connectivity to CloudWatch APIs, and (2) IAM permissions that allow the agent to publish metrics and logs.

The most secure approach is to avoid opening outbound internet access via a NAT gateway (which increases the network attack surface) and instead use AWS PrivateLink through a VPC interface endpoint for CloudWatch. An interface endpoint provides private connectivity from the VPC to CloudWatch without traversing the public internet.

On the permissions side, AWS provides the managed IAM policy CloudWatchAgentServerPolicy, which is intended for the CloudWatch agent running on servers to publish metrics/logs. Attaching this policy to the EC2 instance profile role provides the needed permissions while keeping scope appropriate (unlike an admin policy).

Why the other options are not best:

A uses CloudWatchAgentAdminPolicy (broader permissions than needed) and a NAT gateway (public internet path). That is not “most secure.”

B is irrelevant here because the agent is already installed and running; the issue is publishing connectivity/permissions.

D grants read-only access, which cannot publish metrics, so it cannot fix the issue.

Therefore, attach CloudWatchAgentServerPolicy to the instance role and create a VPC interface endpoint for CloudWatch.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The company wants to gradually release a new feature to 15% of users to perform testing. AWS AppConfig is designed to manage and deploy configurations, including feature flags, allowing controlled rollouts.

2. Key AWS AppConfig Features:

Feature Flags: Enable or disable features dynamically without redeploying code.

Variants: Define different configurations for subsets of users.

Targeting Rules: Specify rules for which users receive a particular variant.

3. Explanation of the Options:

Option A:"Set up a custom script within the application to randomly select 15% of users. Assign a flag for the new feature to the selected users."While possible, this approach requires significant operational effort to manage user selection and ensure randomness. It does not leverage AWS AppConfig's built-in capabilities, which increases overhead.

Option B:"Create separate AWS AppConfig feature flags for both groups of users. Configure the flags to target 15% of users."Creating multiple feature flags for different user groups complicates configuration management and does not optimize the use of AWS AppConfig.

Option C:"Create an AWS AppConfig feature flag. Define a variant for the new feature, and create a rule to target 15% of users."This is the correct solution. Using AWS AppConfig feature flags with variants and targeting rules is the most efficient approach. It minimizes operational overhead by leveraging AWS AppConfig's built-in targeting and rollout capabilities.

Option D:"Use AWS AppConfig to create a feature flag without variants. Implement a custom traffic splitting mechanism in the application code."This approach requires custom implementation within the application code, increasing complexity and operational effort.

4. Implementation Steps for Option C:

Set Up AWS AppConfig:

Open the AWS Systems Manager Console.

Navigate to AppConfig.

Create a Feature Flag:

Define a new configuration for the feature flag.

Add variants (e.g., "enabled" for the new feature and "disabled" for no change).

Define a Targeting Rule:

Use percentage-based targeting to define a rule that applies the "enabled" variant to 15% of users.

Targeting rules can use attributes like user IDs or geographic locations.

Deploy the Configuration:

Deploy the configuration using a controlled rollout to ensure gradual exposure.

Why Option A is Correct:Converting a Lambda function to use a container image involves packaging the function code into a container image, storing the image in Amazon Elastic Container Registry (ECR), and updating the function to use the ECR repository URI.

Why Other Options are Incorrect:

Option B: SAM templates support container-based Lambda deployment, but storing the image in S3 is not applicable.

Option C: CloudFormation does not natively support specifying Lambda container images in S3.

Option D: While partially correct, it omits the need to specify the image tag for the deployment.

AWS Documentation References:

Lambda Container Images

The key constraint is no changes to the Lambda code, while still fanning out notifications so that each department receives only its relevant file locations in its existing SQS queue. The cleanest “plumbing-only” pattern is S3 → SNS → SQS with SNS subscription filter policies.

Amazon S3 event notifications can publish events to an SNS topic. SNS then delivers messages to multiple subscribers, including SQS queues. By subscribing each department’s SQS queue to the SNS topic, the system can fan out the event to all queues. To ensure each department receives only its relevant events, the developer can configure SNS subscription filter policies (for example, based on object key prefixes like /deptA/, /deptB/). This routes messages without requiring any change to the Lambda function.

Option D is not ideal because S3 event notifications do not provide the same flexible filtering/routing to multiple SQS queues as SNS filter policies do (and configuring many direct notifications becomes harder to manage).

Options B and C require Lambda code changes, which violates the requirement.

Therefore, use S3 event notifications to SNS, subscribe each department SQS queue, and use filter policies for routing.

When IAM user credentials require MFA for API access, the correct approach is to obtain temporary security credentials from AWS Security Token Service (STS) that are validated with an MFA code. AWS documentation describes using STS to issue temporary credentials that applications can use instead of long-term access keys, especially when MFA is required.

The specific STS API operation used for an IAM user to obtain temporary credentials is GetSessionToken. This call supports MFA by accepting the user’s MFA device serial number and a time-based one-time password (TOTP) code. STS then returns a set of temporary credentials: AccessKeyId, SecretAccessKey, and SessionToken, which the SDK can use to sign subsequent API requests. This is the standard method for enabling MFA-protected API access for IAM users.

Why the other options are wrong:

GetFederationToken is used to obtain temporary credentials for a federated user, often for scenarios where you want to grant access to resources for users who do not have IAM users. It’s not the typical method for IAM-user MFA enforcement for all calls.

GetCallerIdentity simply returns identity details for the current credentials; it does not generate credentials.

DecodeAuthorizationMessage is used to decode encoded authorization failure messages returned by AWS, not to authenticate.

Therefore, to access an API protected by MFA requirements for an IAM user, the developer should call GetSessionToken and then use the returned temporary credentials in the AWS SDK.

AWS Amplify is a set of tools and services that enables developers to build and deploy full-stack web and mobile applications that are powered by AWS. AWS Amplify supports hosting static websites on Amazon S3 and Amazon CloudFront, with HTTPS enabled by default. AWS Amplify also integrates with various version control systems, such as AWS CodeCommit, Bitbucket, and GitHub, and allows developers to connect different branches to different environments. AWS Amplify automatically builds and deploys the website whenever code changes are merged to a connected branch, enabling phased releases with minimal operational overhead. Reference: AWS Amplify Console

The response from the API call indicates that the ProvisionedThroughputExceededException exception has occurred. This exception means that the rate of incoming requests exceeds the throughput limit for one or more shards in a stream. To mitigate this exception, the developer can use one or more of the following techniques:

Implement retries with exponential backoff. This will introduce randomness in the retry intervals and avoid overwhelming the shards with retries.

Reduce the frequency and/or size of the requests. This will reduce the load on the shards and avoid throttling errors.

Increase the number of shards in the stream. This will increase the throughput capacity of the stream and accommodate higher request rates.

Use a PutRecord API instead of PutRecords. This will reduce the number of records per request and avoid exceeding the payload limit.

AWS Secrets Manager: Built for managing secrets, providing encryption, automatic rotation, and access control.

Customer Master Key (CMK): Provides an extra layer of control over encryption through AWS KMS.

Automatic Rotation: Enhances security by regularly changing the secret.

User Data Script: Allows secrets retrieval at instance startup and sets them as environment variables for seamless use within the application.

This solution will meet the requirements by using Amazon RDS Proxy, which is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. The developer can create a proxy in Amazon RDS Proxy, which sits between the application and the DB instance and handles connection management, pooling, and routing. The developer can query the proxy instead of the DB instance, which reduces the number of open connections to the DB instance and avoids errors for too many connections. Option A is not optimal because it will create a read replica for the DB instance, which may not solve the problem of too many connections as read replicas also have connection limits and may incur additional costs. Option B is not optimal because it will migrate the data to an Amazon DynamoDB database, which may introduce additional complexity and overhead for migrating and accessing data from a different database service. Option C is not optimal because it will configure the Amazon Aurora MySQL DB instance for Multi-AZ deployment, which may improve availability and durability of the DB instance but not reduce the number of connections.

IAM Roles for EC2: IAM roles are the recommended way to provide AWS credentials to applications running on EC2 instances. Here's how this works:

You create an IAM role with the necessary permissions to access the target S3 bucket.

You create an instance profile and associate the IAM role with this profile.

When launching the EC2 instance, you attach this instance profile.

Temporary Security Credentials: When the application on the EC2 instance needs to access S3, it doesn't directly use access keys. Instead, the AWS SDK running on the instance retrieves temporary security credentials associated with the role. These are rotated automatically by AWS.

Step-by-Step Breakdown:

Requirement Summary:

Use AWS SAM to deploy:

1 Lambda Function

1 S3 Bucket

Lambda needs read-only access to the S3 bucket

Solution must be expressed via AWS SAM template

Option A: Reference a second Lambda authorizer function

Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.

Option B: Add a custom S3 bucket policy to the Lambda function

Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.

The permission must be granted to the Lambda’s IAM execution role.

Option C: Create an Amazon SQS topic for only S3 object reads

Incorrect: SQS cannot read objects from S3 and is not relevant to this scenario.

Option D: Add the S3ReadPolicy template to the Lambda function's execution role

Correct: AWS SAM provides managed policy templates like AmazonS3ReadOnlyAccess and shortcuts like S3ReadPolicy.

You can apply these to the Lambda’s execution role using the Policies: section in your SAM template.

Example SAM YAML:

yaml

CopyEdit

Resources:

MyFunction:

Type: AWS::Serverless::Function

Properties:

CodeUri: my-code/

Handler: app.handler

Runtime: python3.11

Policies:

- S3ReadPolicy:

BucketName: !Ref MyBucket

MyBucket:

Type: AWS::S3::Bucket

Properties:

BucketName: my-personal-bucket-name

SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. AWS Lambda is a service that lets developers run code without provisioning or managing servers. The developer can configure an S3 event to invoke a Lambda function that inserts records into DynamoDB whenever a new file is added to the S3 bucket. This solution will meet the requirement of inserting a record into DynamoDB as soon as a new file is added to S3.

Amazon SQS standard queues provide at-least-once delivery, which means messages can be delivered more than once. When Lambda is triggered by an SQS standard queue, duplicate delivery can occur due to retries, visibility timeouts, or transient errors. Therefore, “processed multiple times” is expected behavior unless the system implements deduplication or idempotency.

The most cost-effective way within the provided options to reduce duplicate processing is to use an SQS FIFO queue with deduplication. FIFO queues support exactly-once processing semantics within the constraints of the service (by preventing duplicate message delivery within the deduplication interval when a MessageDeduplicationId is used or content-based deduplication is enabled). This directly mitigates duplicate processing without requiring large architectural changes.

Option B (DLQ) is important for handling poison messages, but it does not prevent duplicates in normal processing; it only captures messages that fail repeatedly.

Option C (concurrency = 1) reduces parallelism but does not eliminate duplicates; the same message can still be delivered again if the visibility timeout expires or retries occur.

Option D is a major redesign and not cost-effective for simply addressing duplicate SQS message processing.

???? Note: In real production systems, the best practice is to make processing idempotent (so duplicates do no harm). But among the choices, FIFO + deduplication is the most direct and cost-effective fix.

Therefore, switch to an SQS FIFO queue and use deduplication.

A function alias is a pointer to a specific Lambda function version. You can use aliases to create different environments for your function, such as development, testing, and production. You can also use aliases to perform blue/green deployments by shifting traffic between two versions of your function gradually. This way, you can easily roll back to a previous version if something goes wrong, without having to redeploy your code or change your configuration. Reference: AWS Lambda function aliases