DVA-C02 AWS Certified Developer - Associate Questions and Answers

The requirement is specifically to have ECS automatically restore the last known good deployment when a new deployment fails, while the service is using the rolling update deployment type. Amazon ECS supports this through the deployment circuit breaker with the option to rollback on failures.

When enabled, the deployment circuit breaker monitors the deployment and detects failure conditions such as tasks repeatedly failing health checks, not reaching steady state, or being unable to start successfully. With rollback enabled, ECS automatically stops the failing deployment and reverts the service to the most recently completed (stable) task definition, restoring service stability without manual intervention.

Option D matches exactly: keep the rolling deployment type and enable circuit breaker + rollback. This is minimal change and directly addresses the behavior observed.

Options A and B are unrelated: service autoscaling adjusts desired count based on metrics and does not roll back failed deployments.

Option C could also achieve rollback behavior, but switching to blue/green introduces additional components (AWS CodeDeploy integration, target groups, and traffic shifting), which is unnecessary when the requirement can be met within rolling deployments.

Therefore, enabling the ECS deployment circuit breaker with rollback on failures for a rolling deployment is the correct solution.

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key1. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM42. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS1.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.

For asynchronous Lambda invocations, AWS provides built-in failure handling options that require minimal code and minimal operational work. When an async invocation fails (after Lambda’s internal retry behavior), the event can be sent to a dead-letter queue (DLQ) so it is not lost. A DLQ is the standard mechanism for capturing events that could not be processed successfully, preserving the original payload for later inspection and reprocessing.

Using a DLQ (typically Amazon SQS or Amazon SNS) gives durable storage of failed events and decouples failure recovery from the main execution path. The developer can later re-drive the messages by building a simple replay process, such as moving messages from the DLQ back to the original event source or invoking the function again with the stored payloads. This aligns with the requirement: “store messages that resulted in failed invocations so the application can retry later.”

Among the options, C is the only one that uses Lambda’s native async failure capture mechanism. Options A and B introduce unnecessary complexity and do not reliably store the original failed invocation payloads as a first-class workflow (CloudWatch Logs is not a message queue, and EventBridge→SNS doesn’t automatically capture only failed events from Lambda async invocations). Option D changes the architecture to an SQS pull model for the Lambda function; while valid, it is more than needed and adds design/operational considerations (polling, batching, visibility timeouts, DLQ configuration on the queue, etc.) compared with simply enabling DLQ support for async invokes.

Therefore, the least operational overhead solution is C: configure a dead-letter queue for the Lambda function’s asynchronous invocations so failed events are stored for later retry.

Amazon S3 supports resource-based policies, which are JSON documents that specify the permissions for accessing S3 resources. A resource-based policy can be used to enforce encryption in transit by denying access to requests that do not use HTTPS. The condition key aws:SecureTransport can be used to check if the request was sent using SSL. If the value of this key is false, the request is denied; otherwise, the request is allowed. Reference: How do I use an S3 bucket policy to require requests to use Secure Socket Layer (SSL)?

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

A canary deployment best matches the requirement to test a new feature with a small group of users while the current version remains deployed for everyone else. In a canary approach, a new application revision is released to a limited portion of traffic/users first. This allows the team to collect real user feedback and validate behavior under production-like conditions without exposing the full user base to risk.

AWS deployment guidance for progressive delivery aligns with this concept: you start by directing a small percentage of requests to the new version, monitor results (such as error rates, latency, and business outcomes), and keep the stable version handling the majority of traffic during the evaluation period. This directly satisfies the requirement that the “current software version remains deployed” while testing occurs.

Once the feature is validated, the canary strategy supports promoting the new revision to the remaining population by shifting traffic from the old version to the new version—commonly ending with a transition to 100% of users on the new version. This satisfies the requirement to deploy to “all other users at the same time” after the small-group validation step is complete.

Why the other options are less suitable:

All-at-once exposes all users immediately, so there is no limited-user validation phase.

In-place replaces the existing version on the same infrastructure, typically without maintaining a parallel stable path for a subset of users.

Linear gradually shifts traffic in fixed increments over time, rather than validating with a small group and then moving the remainder in one step.

AWS X-Ray SDK: The primary way to enable X-Ray tracing within applications. The SDK sends data about requests and subsegments to the X-Ray daemon for service map generation.

Instrumenting All Services: To visualize a complete microservice architecture on the service map, each relevant service must include the X-Ray SDK.

This solution allows the developer to overcome the limit for the combined maximum of characters for environment variables in AWS CodeBuild. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. The developer can store large numbers of environment variables as parameters in Parameter Store and reference them in the buildspec file using parameter references. Adding export LC_ALL=“en_US.utf8” command to the pre_build section will not affect the environment variables limit. Using Amazon Cognito or an Amazon S3 bucket to store key-value pairs for environment variables will require additional configuration and integration.

CloudFormation and Dynamic References: The DefinitionSubstitutions property in CloudFormation allows you to pass values into Step Functions state machines at runtime.

Cost-Effectiveness: This solution is cost-effective as it leverages CloudFormation's built-in capabilities, avoiding the need for additional services like Secrets Manager or AppConfig.

S3Bucket and S3Key: These properties in a CloudFormation AWS::Lambda::Function resource specify the location of the function's code in S3.

Least Development Effort: This solution minimizes code changes, relying on CloudFormation to reference the existing S3 deployment package.

This is a cross-account access pattern using STS AssumeRole. Account A owns the DynamoDB table and has created an IAM role (AccessPII) with permissions to access the table. Account A also configured a trust policy that allows principals from Account B to assume the role. That trust policy alone is not enough; the caller in Account B must also be allowed to call sts:AssumeRole.

Therefore, in Account B, the EC2 instance profile role (the role attached to the EC2 instances running the app) must have permission to assume the role in Account A. That is Option A.

Next, the application must actually obtain temporary credentials for the Account A role. The standard way is to call STS AssumeRole in the application logic (or use an SDK credential provider that assumes a role). This yields temporary credentials that have the permissions of the AccessPII role, allowing DynamoDB access in Account A. That is Option D.

Option B is not correct because granting direct DynamoDB table permissions in Account B does not grant access to a table owned by Account A unless Account A also grants access via a resource policy (DynamoDB resource policies exist but the scenario already sets up role assumption; the intended solution is AssumeRole).

Option C is incomplete/wrong: getting temporary credentials from the EC2 role alone gives permissions of the EC2 role in Account B, not the permissions in Account A. You must assume the cross-account role.

Option E is for IAM user MFA session tokens, not cross-account role assumption for an EC2 role.

Therefore, grant sts:AssumeRole to the EC2 role and call AssumeRole in code.

A function alias is a pointer to a specific Lambda function version. You can use aliases to create different environments for your function, such as development, testing, and production. You can also use aliases to perform blue/green deployments by shifting traffic between two versions of your function gradually. This way, you can easily roll back to a previous version if something goes wrong, without having to redeploy your code or change your configuration. Reference: AWS Lambda function aliases

AWS STS AssumeRole: The central operation for assuming temporary security credentials, commonly used for cross-account access.

MFA Integration: The AssumeRole call can include MFA information to enforce multi-factor authentication.

Credentials for S3 Access: The returned temporary credentials would provide the necessary permissions to access the S3 bucket in the other account.

The solution that will meet the requirements is to use an AWS Step Functions state machine to monitor API failures. Use the Wait state to delay calling the Lambda function. This way, the developer can refactor the serverless application to accommodate the change in a way that is automated and scalable. The developer can use Step Functions to orchestrate the Lambda function and handle any errors or retries. The developer can also use the Wait state to pause the execution for a specified duration or until a specified timestamp, which can help avoid exceeding the API limits. The other options either involve using additional services that are not necessary or appropriate for this scenario, or do not address the issue of API failures.

AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.

Comprehensive and Detailed Step-by-Step Explanation:

Customer Managed Keys (CMK) for Granular Control (Option B):

Customer-managed KMS keys are required to meet the security policy requirement of team-specific control over KMS key rotation. Each team can manage the lifecycle of its own key.

The kms:Decrypt permission allows the Lambda function execution roles to decrypt the environment variables during runtime.

This solution adheres to the principle of least privilege and satisfies the need for team-specific key control.

Why Other Options Are Incorrect:

Option A: AWS-managed keys cannot provide team-specific control or support the custom rotation policy required by the teams.

Option C: Adding kms:CreateGrant and kms:Encrypt permissions to Lambda roles is unnecessary for this scenario. The key usage is limited to decryption at runtime.

Option D: AWS-managed keys still lack team-specific control, and adding kms:CreateGrant and kms:Encrypt is redundant.

The requirement is specifically encryption at rest for messages stored in Amazon SQS. The AWS-native way to accomplish this is to enable server-side encryption (SSE) on the SQS queue. When SSE is enabled, SQS encrypts messages as they are stored and decrypts them when they are retrieved, using keys from AWS Key Management Service (AWS KMS) (either an AWS managed key for SQS or a customer managed KMS key). This provides transparent encryption at rest without requiring application-level cryptography changes.

Option C correctly states to enable SSE on the queue. Once enabled, any message content placed in the message body will be protected at rest in SQS. (Message attributes are also stored by SQS; however, the key requirement is to ensure the messages are encrypted at rest, and enabling SSE at the queue level is the control that enforces this.)

Option A (aws:SecureTransport) enforces encryption in transit by requiring HTTPS/TLS, not encryption at rest. It is a good security control, but it does not satisfy the at-rest requirement by itself. Option B is incorrect because SSE is not something the sender “sets within the message”; SSE is configured on the queue, not per-message by the microservices. Option D suggests putting sensitive data in attributes, which does not add security; it can actually increase exposure because attributes are often used for routing/filters and may be logged or surfaced in monitoring. The right pattern is to keep sensitive data where intended and rely on queue-level SSE to encrypt stored messages.

Therefore, enabling SQS SSE on the queue (C) meets the requirement to ensure messages are encrypted at rest while stored in SQS.

The customer must be able to download the generated video for at least 3 hours, which requires durable storage that persists beyond the Lambda execution environment. The best fit is Amazon S3 with a presigned URL.

Lambda’s /tmp storage (Option A) is ephemeral and scoped to the execution environment. It is not intended for durable customer downloads and can be deleted when the execution environment is recycled. A Lambda function URL also does not solve durable file hosting and would require the function to serve the content itself.

Option C uses S3 to store the video object durably and then issues a presigned URL that grants time-limited access to that specific object. Presigned URLs are designed for exactly this scenario: allow unauthenticated users temporary access to a private S3 object without making the bucket public. The developer can set the URL expiration to 3 hours (or longer), meeting the access requirement cleanly.

Option B is incorrect because S3 presigned URLs are for S3 objects, not EFS files. EFS does not natively use S3-style presigned URLs for external downloads.

Option D is not the right model: CloudFront can distribute S3 content and supports signed URLs/cookies, but CloudFront is a distribution layer, not an origin storage solution by itself. You would still need to store the video in S3 (or another origin). For the stated requirement, S3 + presigned URL is simpler and has less overhead.

Therefore, store videos in Amazon S3 and provide presigned URLs with a 3-hour expiration.

Comprehensive and Detailed Step-by-Step Explanation:

Option C: Edge-Optimized API Gateway with Custom Domain Name:

Edge-Optimized API Gateway: This endpoint type automatically leverages the Amazon CloudFront global distribution network, minimizing latency for API users distributed globally.

Custom Domain Name: API Gateway supports custom domain names for APIs. Importing the TLS certificate into AWS Certificate Manager (ACM) and associating it with the custom domain name ensures secure connections.

Disabling the Default Endpoint: Prevents direct access via the default API Gateway URL, enforcing the use of the custom domain name.

Why Other Options Are Incorrect:

Option A: While CloudFront can distribute API requests globally, API Gateway with edge-optimized endpoints already provides this functionality natively without requiring Lambda@Edge.

Option B: Private endpoint types are used for internal access via VPC, which does not meet the global distribution and low-latency requirement.

Option D: CloudFront Functions are not needed because API Gateway’s edge-optimized endpoints handle global distribution efficiently.

AWS Secrets Manager is purpose-built for securely storing and managing sensitive information such as API keys, tokens, and credentials. It provides automatic secret rotation, fine-grained IAM access control, encryption at rest using AWS KMS, and audit logging through AWS CloudTrail. This makes it the most secure and scalable option for managing short-lived authentication keys.

AWS Lambda extensions enable efficient secret retrieval by caching secrets locally within the execution environment. This reduces repeated calls to Secrets Manager on every invocation, improving performance and lowering costs while maintaining up-to-date credentials. AWS documentation explicitly recommends using Lambda extensions or caching logic for secrets that are frequently accessed.

Storing secrets in S3 (Option B) or environment variables (Option C) lacks built-in rotation and increases exposure risk. Parameter Store (Option D) supports encryption but does not provide native rotation for secrets without custom automation, making it less suitable for this use case.

Therefore, Secrets Manager with Lambda extensions provides the most secure, automated, and operationally efficient solution.

Why Option C is Correct:Ensuring that pipeline artifacts are encrypted with a customer-managed AWS KMS key involves configuring the S3 bucket policy to require encryption. This policy ensures all objects uploaded to the bucket are encrypted with the specified KMS key.

Why Other Options are Incorrect:

Option A: A gateway endpoint improves S3 access efficiency but does not enforce encryption.

Option B: Encrypting CloudWatch Logs is unrelated to securing pipeline artifacts.

Option D: Configuring SNS for encryption does not affect the artifacts stored in the S3 bucket.

AWS Documentation References:

Using Server-Side Encryption with S3 Bucket Policies

The hourly scheduled batch model is causing timeouts because the function must process an ever-growing backlog in a single invocation, which can exceed AWS Lambda’s maximum 15-minute runtime. A best-practice serverless refactor is to switch from “periodic polling” to an event-driven approach where work is split into smaller, independent units that can scale horizontally.

Configuring Amazon S3 Event Notifications to invoke Lambda on each object upload turns each file into its own discrete event. Instead of one long-running invocation that scans and processes many files, Lambda executes quickly per upload and automatically scales with incoming volume (subject to concurrency and downstream limits). This directly reduces processing time per run and eliminates the backlog buildup that leads to timeouts.

The remaining requirement is preventing duplicate processing. S3 event delivery is designed to be highly reliable, and applications should be built with idempotency in mind. Recording processed identifiers (such as a transaction ID, object key + version ID, or an application-level unique ID) in Amazon DynamoDB allows the function to check whether an item has already been processed before performing writes or downstream actions. Using DynamoDB with a conditional write (for example, “insert only if not exists”) is a common pattern to ensure exactly-once effect even when events are delivered more than once.

The other options do not meet the requirements as well: running more frequently (C) or continuously polling (D) still wastes time scanning and can still create duplicate work; moving to a single EC2 instance (B) reduces elasticity and increases operational overhead, and it doesn’t inherently solve deduplication or scaling.

Therefore, A provides scalable, event-driven processing and a straightforward deduplication mechanism.

In AWS Lambda, CPU power scales proportionally with the memory configuration. Lambda does not let you directly set “CPU cores” as a standalone setting in the general case; instead, increasing the function’s configured memory increases the CPU allocation (and other resources such as network throughput) available to the function. Therefore, to reduce latency caused by insufficient CPU, the developer should increase the function’s memory setting.

Option B directly addresses the CPU limitation in the supported Lambda configuration model. This is a common performance tuning approach: raise memory, benchmark, and find the optimal cost/performance point.

Option A is not the right lever for most Lambda functions because Lambda compute is configured via memory (and architecture), not by directly raising a “vCPU quota” per function in a typical tuning workflow.

Option C increases /tmp storage capacity and helps when dealing with large temporary files, not CPU availability.

Option D increases the maximum runtime allowed per invocation, but it does not give the function more CPU and will not reduce latency caused by CPU starvation.

Therefore, increasing the allocated memory is the correct way to increase CPU for a Lambda function.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

DynamoDB Accelerator (DAX) provides a managed caching layer specifically optimized for DynamoDB, reducing latency for repeated read requests.

Why Option A is Correct:

Purpose-Built: DAX is designed for DynamoDB, enabling sub-millisecond response times for frequently accessed items.

Operational Efficiency: No need for additional application-level caching logic.

Why Not Other Options:

Option B: Auto Scaling increases capacity but does not address repetitive reads.

Option C: API Gateway caching helps reduce request processing time but does not optimize DynamoDB reads.

Option D: ElastiCache is a general-purpose cache, adding unnecessary complexity for DynamoDB use cases.

DynamoDB Accelerator (DAX)

To run a containerized job hourly in ECS with minimal infrastructure management, the best choice is AWS Fargate. Fargate is a serverless compute engine for containers that runs ECS tasks without the developer needing to provision, patch, or scale EC2 instances.

With option C, the developer defines an ECS task definition using the Fargate launch type and schedules it (commonly via Amazon EventBridge Scheduler / EventBridge rule triggering RunTask). ECS handles the placement, networking, and execution of the task on managed infrastructure. This is the least operational overhead approach because there are no instances to manage and no capacity planning required, which fits an hourly job with small CPU/RAM needs.

Option A (capacity providers) is primarily for managing EC2 capacity for ECS and still requires underlying instances, which increases operational burden.

Option B runs the app on an EC2 instance, which requires instance lifecycle management, OS patching, scaling considerations, and failure handling.

Option D refers to managed node groups (an EKS concept) and does not apply cleanly to ECS. Even in a Kubernetes context, nodes still need management compared to Fargate.

Therefore, defining a Fargate task is the simplest and lowest-management solution.

This solution allows the Lambda function to be invoked by the DynamoDB stream whenever updates are made to items in the DynamoDB table. Event source mapping is a feature of Lambda that enables a function to be triggered by an event source, such as a DynamoDB stream, an Amazon Kinesis stream, or an Amazon Simple Queue Service (SQS) queue. The developer can configure event source mapping for the Lambda function using the AWS Management Console, the AWS CLI, or the AWS SDKs. Changing the StreamViewType parameter value to NEW_AND_OLD_IMAGES for the DynamoDB table will not affect the invocation of the Lambda function, but only change the information that is written to the stream record. Mapping an Amazon Simple Notification Service (Amazon SNS) topic to the DynamoDB stream will not invoke the Lambda function directly, but require an additional subscription from the Lambda function to the SNS topic. Increasing the maximum runtime (timeout) setting of the Lambda function will not affect the invocation of the Lambda function, but only change how long the function can run before it is terminated.

Why Option B is Correct:RDS Proxy manages database connections efficiently, reducing overhead on the RDS instance and mitigating "too many connections" errors.

Why Other Options are Incorrect:

Option A: DAX is for DynamoDB, not RDS.

Option C: Migration to PostgreSQL does not address the current issue.

Option D: ElastiCache is useful for caching but does not solve connection pool issues.

AWS Documentation References:

Amazon RDS Proxy

Amazon SNS supports server-side encryption (SSE) using AWS KMS to protect message content at rest. Enabling SSE on the SNS topic ensures that all messages published to the topic are encrypted using a customer-managed or AWS-managed KMS key. AWS documentation explicitly states that SSE is the mechanism for encrypting SNS messages stored within the service.

For encryption in transit, AWS services rely on HTTPS/TLS. To enforce this at the IAM policy level, AWS recommends using the global condition key aws:SecureTransport. By adding an explicit Deny statement when "aws:SecureTransport": "false", the policy ensures that any request not using HTTPS is rejected. This is a common AWS security best practice and is documented across multiple AWS services.

Option E correctly enforces encryption in transit. Option B is incorrect because denying when SecureTransport is true would block valid HTTPS requests. Option D is invalid because sns:Protocol applies to subscription protocols (such as email or HTTP endpoints), not to Lambda publishing actions. Option C (VPC endpoint) is not required because Lambda-to-SNS traffic is already encrypted over TLS by default.

Therefore, enabling SNS server-side encryption and enforcing HTTPS via an IAM deny condition fully satisfies the encryption-at-rest and encryption-in-transit requirements.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To ensure that only a specific AWS Step Functions state machine (myStateMachine) can assume the service role, you must configure the correct trust policy in AWS IAM.

Trust Policies: Trust policies determine which entities (services or users) are allowed to assume the role. In this case, we want to restrict the trust policy to only allow the specific state machine (myStateMachine) to assume the role.

Using ArnLike: The condition "ArnLike" is used to specify that the SourceArn (which refers to the ARN of the entity assuming the role) must match a specific ARN. Option A specifies the exact ARN of the myStateMachine state machine, ensuring that only this state machine can assume the role.

Option B: This option is incorrect because it uses a wildcard (*) for the account ID, which would allow any state machine in the ap-south-1 region to assume the role, not just the specific one.

AWS Step Functions IAM Policies

This solution will meet the requirements by using AWS SAM CLI tool, which is a command line tool that lets developers locally build, test, debug, and deploy serverless applications defined by AWS SAM templates. The developer can use sam local generate-event command to generate sample events for different event sources such as API Gateway or S3. The developer can create automated test scripts that use sam local invoke command to invoke Lambda functions locally in an environment that closely simulates Lambda environment. The developer can check the response from Lambda functions and document how to run the test scripts for other developers on the team. The developer can also update CI/CD pipeline to run these test scripts before deploying with AWS CDK. Option A is not optimal because it will use cdk local invoke command, which does not exist in AWS CDK CLI tool. Option B is not optimal because it will use a unit testing framework that reproduces Lambda execution environment, which may not be accurate or consistent with Lambda environment. Option D is not optimal because it will create a Docker container from Node.js base image to invoke Lambda functions, which may introduce additional overhead and complexity for creating and running Docker containers.

Using a dead-letter queue (DLQ) with Amazon SQS is the most operationally efficient solution for handling unprocessable messages.

Amazon SQS Dead-Letter Queue:

A DLQ is used to capture messages that fail processing after a specified number of attempts.

Allows the application to continue processing other messages without being blocked.

Messages in the DLQ can be analyzed later for debugging and resolution.

Why DLQ is the Best Option:

Operational Efficiency: Automatically defers messages with errors, ensuring the queue is not blocked.

Analysis Ready: Messages in the DLQ can be inspected to identify recurring issues.

Scalable: Works seamlessly with Lambda and SQS at scale.

Why Not Other Options:

Option A: Logs the messages but does not resolve the queue blockage issue.

Option C: FIFO queues and 0-second retention do not provide error handling or analysis capabilities.

Option D: Alerts administrators but does not handle or store the unprocessable messages.

Steps to Implement:

Create a new SQS queue to serve as the DLQ.

Attach the DLQ to the primary queue and configure the Maximum Receives setting.

Using Amazon SQS Dead-Letter Queues

Best Practices for Using Amazon SQS with AWS Lambda

Increasing the number of shards of the Kinesis data stream will increase the throughput and parallelism of the data processing. Increasing the memory that is allocated to the Lambda function will also increase the CPU and network performance of the function, which will reduce the run duration and improve the processing speed. Option B is not correct because decreasing the timeout of the Lambda function will not affect the processing speed, but may cause some records to fail if they exceed the timeout limit. Option D is not correct because decreasing the number of shards of the Kinesis data stream will decrease the throughput and parallelism of the data processing, which will slow down the processing speed. Option E is not correct because increasing the timeout of the Lambda function will not affect the processing speed, but may increase the cost of running the function.

DynamoDB distributes throughput across partitions based on the hash key. A hot partition (caused by high usage of a specific hash key) can result in a ProvisionedThroughputExceededException, even if overall usage is below the provisioned capacity.

Why Option B is Correct:

Partition-Level Limits: Each partition has a limit of 3,000 read capacity units or 1,000 write capacity units per second.

Hot Partition: Excessive use of a single hash key can overwhelm its partition.

Why Not Other Options:

Option A: DynamoDB storage size does not affect throughput.

Option C: Provisioned scaling operations are unrelated to throughput errors.

Option D: Sort keys do not impact partition-level throughput.

DynamoDB Partition Key Design Best Practices

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data and secrets. Parameter Store supports SecureString parameters, which are encrypted using AWS Key Management Service (AWS KMS) keys. SecureString parameters can be used to store license keys in AWS and retrieve them securely from automation scripts that run in EC2 instances or CloudFormation stacks. Parameter Store is a cost-effective solution because it does not charge for storing parameters or API calls. Reference: Working with Systems Manager parameters

Comprehensive and Detailed Explanation (250–300 words):

AWS best practices for multi-tenant isolation recommend session-based access control using IAM session tags. Session tags allow temporary credentials to be scoped dynamically based on tenant context.

First, the data access role must allow sts:TagSession (Option A) so tenant identifiers can be passed securely at runtime. The Lambda function assumes this role and includes the tenant name as a session tag (Option F).

Next, IAM policies on the data access role restrict access to S3 object prefixes and DynamoDB partition keys by evaluating the session tag (Option C). This ensures that even if a bug occurs, the role cannot access data belonging to another tenant.

Resource-based DynamoDB policies and RCPs are unnecessary here and add complexity.

This approach follows AWS’s recommended attribute-based access control (ABAC) model and provides strong tenant isolation with minimal operational overhead.

This solution will meet the requirements by creating a single S3 bucket policy that denies access to the S3 bucket unless the request comes from one of the specified VPC endpoints. The aws:SourceVpce condition key is used to match the ID of the VPC endpoint that is used to access the S3 bucket. The StringNotEquals condition operator is used to negate the condition, so that only requests from the listed VPC endpoints are allowed. Option A is not optimal because it will create multiple S3 bucket policies, which is not possible as only one bucket policy can be attached to an S3 bucket. Option B is not optimal because it will use the aws:SourceVpc condition key, which matches the ID of the VPC that is used to access the S3 bucket, not the VPC endpoint. Option C is not optimal because it will use the StringNotEquals condition operator with a single value, which will deny access to the S3 bucket from all VPC endpoints except one.

This is a classic cross-account S3 access requirement: EC2 instances in Account A must read from a private S3 bucket in Account B without making the bucket public.

The correct pattern is to grant access using IAM + S3 bucket policy while keeping the bucket private. In Account B, you create an IAM role that has the necessary S3 read permissions (such as s3:GetObject and potentially s3:ListBucket depending on access needs). That is Option A.

However, permissions on the role alone are not sufficient, because the S3 bucket is in a different account and is private by default. AWS requires that the bucket owner explicitly grants access to the external principal. This is done by adding a bucket policy in Account B that allows the principal (either the role in Account A or a role session via STS) to access the bucket objects. That is Option D.

Option B is not correct in the “select two” sense because adding permissions to Account A’s instance profile role does not, by itself, grant access to a bucket owned by Account B. You still need the bucket policy or another resource-based policy from the bucket owner.

Option C violates the requirement (“without exposing the S3 bucket to anyone else”). Making the bucket public is unnecessary and insecure.

Option E is incorrect because a trust policy controls who can assume a role (sts:AssumeRole), not what S3 permissions the role has. Also, trust policies do not grant s3:Get* access.

Therefore, create an IAM role with S3 read permissions in Account B and grant access via the Account B bucket policy.

AWS Serverless Application Model (AWS SAM) is an open-source framework that enables developers to build and deploy serverless applications on AWS. AWS SAM uses a template specification that extends AWS CloudFormation to simplify the definition of serverless resources such as API Gateway, DynamoDB, and Lambda. The developer can use AWS SAM to define serverless resources in YAML and deploy them using the AWS SAM CLI.

Problem: CloudFormation updates reset Parameter Store parameters, disrupting application behavior.

Deletion Policy: CloudFormation has a deletion policy that controls resource behavior when a stack is deleted or updated. The 'Retain' policy instructs CloudFormation to preserve a resource's current state.

Least Development Effort: This solution involves a simple CloudFormation template modification, requiring minimal code changes.

Maximum concurrency for SQS as an event source allows customers to control the maximum concurrent invokes by the SQS event source1. When multiple SQS event sources are configured to a function, customers can control the maximum concurrent invokes of individual SQS event source1.

In this scenario, the developer needs to resolve the issue of the third-party API frequently returning an HTTP 429 Too Many Requests error message, which prevents a significant number of messages from being processed successfully. To achieve this, the developer can follow these steps:

Find out the documented rate limits of the third-party API, which specify how many requests can be made in a given time period.

Configure maximum concurrency on the SQS event source based on the rate limits of the third-party API. This will limit the number of concurrent invokes by the SQS event source and prevent exceeding the rate limits of the third-party API.

Test and monitor the application performance and adjust the maximum concurrency value as needed.

By using this solution, the developer can reduce the frequency of HTTP 429 errors and improve the message processing success rate. The developer can also avoid throttling or blocking by the third-party API.

IAM instance profiles are containers for IAM roles that can be associated with EC2 instances. An IAM role is a set of permissions that grant access to AWS resources. An IAM role can be used to allow an EC2 instance to access an S3 bucket by including the appropriate permissions in the role’s policy. The S3:ListBucket permission allows listing the objects in an S3 bucket. By updating the IAM instance profile with this permission, the application on the EC2 instance can retrieve the objects from the S3 bucket and display them to the user. Reference: Using an IAM role to grant permissions to applications running on Amazon EC2 instances

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The API needs to:

Generate responses without backend integrations: This indicates the use of mock responses for testing.

Be used by multiple internal teams during development.

Minimize operational overhead.

2. Key Features of Amazon API Gateway:

REST APIs: Fully managed API Gateway option that supports advanced capabilities like mock integrations, request/response transformation, and more.

HTTP APIs: Lightweight option for building APIs quickly. It supports fewer features but has lower operational complexity and cost.

Mock Integration: Allows API Gateway to return pre-defined responses without requiring backend integration.

3. Explanation of the Options:

Option A:"Create an Amazon API Gateway REST API. Set up a proxy resource that has the HTTP proxy integration type."A proxy integration requires a backend service for handling requests. This does not meet the requirement of "no backend integrations."

Option B:"Create an Amazon API Gateway HTTP API. Provision a VPC link, and set up a private integration on the API to connect to a VPC."This requires setting up a VPC and provisioning resources, which increases operational overhead and is unnecessary for this use case.

Option C:"Create an Amazon API Gateway HTTP API. Enable mock integration on the method of the API resource."While HTTP APIs can enable mock integrations, they have limited support for advanced features compared to REST APIs, such as detailed request/response customization. REST APIs are better suited for development environments requiring mock responses.

Option D:"Create an Amazon API Gateway REST API. Enable mock integration on the method of the API resource."This is the correct answer. REST APIs with mock integration allow defining pre-configured responses directly within API Gateway, making them ideal for scenarios where backend services are unavailable. It provides flexibility for testing while minimizing operational overhead.

4. Implementation Steps:

To enable mock integration with REST API:

Create a REST API in API Gateway:

Open the API Gateway Console.

Choose Create API > REST API.

Define the API Resource and Methods:

Add a resource and method (e.g., GET or POST).

Set Up Mock Integration:

Select the method, and in the Integration Type, choose Mock Integration.

Configure the Mock Response:

Define a 200 OK response with the desired response body and headers.

Deploy the API:

Deploy the API to a stage (e.g., dev) to make it accessible.

5. Why REST API Over HTTP API?

REST APIs support detailed request/response transformations and robust mock integration features, which are ideal for development and testing scenarios.

While HTTP APIs offer lower cost and simplicity, they lack some advanced features required for fine-tuned mock integrations.

Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.

Why Option C is Correct:

Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.

Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.

Low Overhead: This approach requires only minimal changes to the function's configuration.

Why Not Other Options:

Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.

Option B: Scheduling the function does not address the root cause of slow performance.

Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.

Using Ephemeral Storage in AWS Lambda

Best Practices for S3 and Lambda Performance

To test an updated Lambda integration without impacting production traffic, the key is to isolate test requests from the production stage that real users call. In API Gateway, a stage represents a deployed snapshot of an API configuration, and each stage has its own invoke URL. Creating a separate test stage provides immediate traffic isolation because production users continue using the production stage URL, while the developer tests using the test stage URL.

Using stage variables is a common API Gateway pattern to parameterize integrations per stage. For Lambda backends, stage variables can reference different Lambda function ARNs, aliases, or versions (depending on the integration style), allowing the same API resources and methods to route to different backends per stage. This lets the developer deploy and validate the updated Lambda function only in the test stage while keeping the production stage pointing to the stable Lambda version. The result is operationally efficient: minimal duplicated infrastructure, clear separation, and easy rollback by switching stage variables or redeploying only the stage configuration.

Option A (canary on the existing stage) intentionally shifts a percentage of production traffic to the new version, which violates the requirement that testing must not affect any production users. Option B (private endpoint) changes network accessibility and can break production access; it also does not provide safe version testing. Option D (clone entire stack) can work but has higher operational overhead (duplicate resources, additional deployment management) than using native stage isolation.

Therefore, C best meets the requirements: create a new test stage, use stage variables to point that stage to the updated Lambda function, and test safely using the test stage URL while production remains unaffected.

Amazon API Gateway stages are designed to represent different deployment environments such as development, testing, and production. AWS documentation recommends using separate stages combined with stage variables to reference different backend resources without duplicating API definitions.

In this scenario, the development stage already uses a stage variable to reference the Lambda dev alias. To expose the production alias safely, the developer should deploy the API to a new stage named production and configure a stage variable that points to the Lambda prod alias. This approach allows the same API configuration and methods to be reused while cleanly separating environments.

Stage variables are resolved at runtime and are commonly used to reference Lambda aliases in integration ARNs. This enables controlled promotion of code from development to production without modifying methods or integrations.

Creating new methods (Options A and B) is unnecessary and increases operational complexity. Directly hardcoding the Lambda alias in the integration (Option D) removes flexibility and deviates from AWS best practices for environment separation.

Therefore, deploying a new API stage and using stage variables to reference the prod Lambda alias is the correct and most efficient solution.

Amazon DynamoDB throttling during peak periods is commonly caused by hot partitions. In this scenario, using order_date as the partition key results in a large number of writes targeting the same partition during peak ordering times. Even in on-demand mode, DynamoDB enforces per-partition limits, which leads to throttling when traffic is unevenly distributed.

AWS best practices emphasize designing partition keys that provide high cardinality and uniform access patterns. Using customerId as the partition key distributes write traffic across many partitions because customer IDs naturally vary and scale with the number of users.

Switching to provisioned capacity (Option B) does not solve the root cause and can still result in throttling due to uneven access patterns. Sequential partition keys (Option A) worsen the hot partition problem. Migrating to Aurora (Option C) is unnecessary and does not address DynamoDB design issues.

AWS documentation clearly states that access pattern design is critical, and changing the partition key to better distribute workload is the correct solution. Therefore, using customerId as the partition key resolves throttling and aligns with DynamoDB best practices.

The requirements are: (1) store an API key that a Lambda function will use, (2) ensure the secret is encrypted at rest using AWS KMS, and (3) the company must control key rotation, which implies using a customer managed KMS key (CMK) rather than an AWS managed key.

Option C meets the requirements by storing the API key in AWS Systems Manager Parameter Store as a SecureString parameter encrypted with a customer managed KMS key. SecureString is designed for sensitive configuration data and integrates with KMS so the organization can choose the CMK, manage its lifecycle, and control rotation policies. The Lambda function can retrieve the parameter at runtime using the AWS SDK, and IAM policies can tightly control access to the parameter and to the KMS key.

Option E also meets the requirements by storing the API key in a Lambda environment variable encrypted with a customer managed KMS key. Lambda encrypts environment variables at rest and allows you to specify a customer managed KMS key for encryption. This gives the company control over key rotation and key policy, satisfying the “must control key rotation” requirement. The function reads the value from the environment at runtime without additional network calls.

Why the other options fail:

A uses an AWS managed KMS key, which does not satisfy the requirement for the company to control rotation (you cannot manage rotation of AWS managed keys in the same way).

B is a plain String parameter, which is not encrypted as a secret and does not meet the at-rest encryption requirement.

D uses an AWS managed KMS key, again failing the company-controlled rotation requirement.

Therefore, the two valid solutions are C (Parameter Store SecureString with a customer managed CMK) and E (Lambda environment variable encrypted with a customer managed CMK).

An inline IAM policy is directly attached to a specific IAM user, group, or role and applies only to that principal. AWS documentation states that inline policies are useful when permissions should be tightly scoped and not reused.

In this scenario, the Admin group policy cannot be changed, but one specific user needs permanent delete permissions. Attaching an inline policy directly to that user grants the required permissions without impacting other Admin users.

AWS managed policies (Option A) are reusable and not suitable for user-specific access. IAM trust relationships (Option C) control role assumption, not resource permissions. AWS STS (Option D) provides temporary credentials, not permanent access.

Therefore, an inline policy is the correct solution.

The best solution for this requirement is option A. Creating an Amazon EventBridge rule that has a rate expression that will run the rule every 15 minutes and adding the Lambda function as the target of the EventBridge rule is the most efficient way to invoke the Lambda function periodically. This solution does not require any additional resources or development effort, and it leverages the built-in scheduling capabilities of EventBridge1.

Amazon API Gateway has a hard integration timeout that determines how long it waits for a backend response. If the backend (Lambda) does not respond within this time, API Gateway returns an HTTP 504 error to the client.

In this scenario, the Lambda function timeout is longer (20 seconds) than the API Gateway integration timeout (15 seconds). AWS documentation states that API Gateway will terminate the request once its timeout is exceeded, even if Lambda continues executing successfully. This explains why there are no Lambda errors despite 504 responses.

Increasing the Lambda timeout (Option B) does not help because API Gateway times out first. Reserved concurrency (Option A) and throttling limits (Option D) are unrelated to request duration.

The correct solution is to increase the API Gateway integration timeout so that it exceeds the maximum expected Lambda execution time. This ensures API Gateway waits long enough for the Lambda response.

Therefore, increasing the API Gateway timeout prevents HTTP 504 errors.

The Immutable deployment method is the best choice when a company requires minimal downtime and automatic rollback in case of a failure. Here's why:

In Immutable deployments, a new set of instances is launched with the updated version. These instances are tested and validated before they replace the old instances. This ensures zero downtime and immediate rollback if the deployment fails.

All at once (A) causes downtime because the update replaces all instances simultaneously.

Rolling deployments (B) update a few instances at a time, but if a failure occurs midway, downtime or partial unavailability can happen.

Snapshots (C) are not a deployment strategy in Elastic Beanstalk.

Step-by-Step Breakdown:

Requirement Summary:

AWS AppSync API needs to invoke Lambda functions

Some Lambda functions are long-running

AppSync should return immediately, minimizing operational overhead

**Option A: AppSync + Lambda as data source using Event Mode

Correct: AWS AppSync supports asynchronous (event) invocation of Lambda data sources using Event Mode.

Event Mode means:

AppSync invokes Lambda asynchronously

Immediately returns a response to the client (typically a predefined payload or null)

Ideal for fire-and-forget workloads or when the response is not immediately needed

Option B: Increase Lambda timeout

Incorrect: This keeps AppSync waiting.

Even with increased timeout, synchronous invocations would block AppSync responses.

Option C: SQS queue + polling Lambda

Possible but too complex for this use case.

Requires additional infrastructure: queue + mapping + custom logic.

Higher operational overhead compared to built-in AppSync Event Mode.

Option D: Enable caching in AppSync

Irrelevant: AppSync cache is for optimizing repeated read queries, not for async workflows.

Asynchronous Lambda with AppSync: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference-lambda.html#async-lambda-invocation

Lambda as AppSync Data Source: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html

Event Mode Docs: https://docs.aws.amazon.com/appsync/latest/devguide/lambda-resolvers.html#event-invocation-mode

Amazon API Gateway provides tools for creating and documenting web APIs that route HTTP requests to Lambda functions2. You can secure access to your API with authentication and authorization controls. Your APIs can serve traffic over the internet or can be accessible only within your VPC2. You can override the cache method in the selected stage of API Gateway2. Therefore, option B is correct.

Step 1: Understanding the Problem

Processing in Batches: The application must process records in groups.

Sequential Processing: Each record in the batch must be processed before writing to Aurora.

Solution Goals: Use services that support ordered, batched processing and integrate with Aurora.

Step 2: Solution Analysis

Option A:

Amazon Kinesis Data Streams supports ordered data processing.

AWS Lambda can process batches of records via event source mapping with MaximumBatchingWindowInSeconds for timing control.

Configuring the batching window ensures efficient processing and compliance with the workflow.

Correct Option.

Option B:

Amazon SQS is not designed for streaming; it provides reliable, unordered message delivery.

Setting MaximumBatchingWindowInSeconds to 0 disables batching, which is contrary to the requirement.

Not suitable.

Option C:

Amazon MSK provides Kafka-based streaming but requires custom EC2-based processing.

This increases system complexity and operational overhead.

Not ideal for serverless requirements.

Option D:

DynamoDB Streams is event-driven but lacks strong native integration for batch ordering.

Using ECS adds unnecessary complexity.

Not suitable.

Step 3: Implementation Steps for Option A

Set up Kinesis Data Stream:

Configure shards based on the expected throughput.

Configure Lambda with Event Source Mapping:

Enable Kinesis as the event source for Lambda.

Set MaximumBatchingWindowInSeconds to 300 to accumulate data for processing.

Example:

{

"EventSourceArn": "arn:aws:kinesis:region:account-id:stream/stream-name",

"BatchSize": 100,

"MaximumBatchingWindowInSeconds": 300

}

Write Processed Data to Aurora:

Use AWS RDS Data API for efficient database operations from Lambda.

AWS Developer References:

Amazon Kinesis Data Streams Developer Guide

AWS Lambda Event Source Mapping

Batch Processing with Lambda

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

AWS Elastic Beanstalk supports several deployment policies, and in this case, the requirement is to forward a specific percentage of traffic to the new version without causing downtime. The Traffic-splitting deployment policy is the most appropriate choice.

Traffic-splitting Deployment: This deployment method allows you to gradually shift a specified percentage of incoming traffic from the old environment version to the new one. During the evaluation period, if any issues are detected, the traffic can be redirected back to the old version.

No Downtime: This method ensures no downtime since both versions of the application run concurrently, and traffic is split between them.

Alternatives:

Rolling deployments (Option A): These gradually replace instances but may result in partial downtime if some instances fail during deployment.

In-place deployments (Option C): In-place deployments replace instances without creating new ones, which can lead to downtime.

Immutable deployments (Option D): While this ensures no downtime by creating entirely new instances, it doesn't provide traffic splitting during the evaluation phase.

Elastic Beanstalk Deployment Policies

The requirement is to analyze existing Lambda logs using a request ID that appears in both functions, and to do so with the least development effort. Amazon CloudWatch Logs Insights is purpose-built for interactive log analysis: it lets you run ad-hoc queries over CloudWatch log groups using a query language that supports filtering, parsing, sorting, and aggregation. This means you can quickly search across the relevant Lambda log groups and filter results to only entries that contain a specific request ID.

With Logs Insights, the developer can select both Lambda log groups, set a time range around the failure, and run a query such as filtering on the request ID field or matching the request ID string in the message. This provides a fast way to reconstruct the end-to-end flow and identify where the failure occurred—without writing any custom code, building data pipelines, or exporting logs.

Option A (using an AWS SDK) requires writing and maintaining code to call CloudWatch Logs APIs, handle pagination, time windows, filtering, and correlation across groups—more effort than necessary. Option B (export to S3 + Athena) adds significant setup (export tasks, S3 storage, Athena tables/partitions) and is better suited to large-scale analytics or long-term archival, not quick troubleshooting. Option D (Live Tail) is primarily for real-time streaming of new log events; it is less suitable for retrospective investigation of an incident that already happened, and it doesn’t provide the same structured querying and cross-log-group correlation capabilities as Logs Insights.

Therefore, CloudWatch Logs Insights (C) is the most direct, AWS-native, low-effort solution to query both Lambda log groups and filter by request IDs to troubleshoot the failing process flow.

https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html

AWS CloudFormation is a service that enables developers to model and provision AWS resources using templates. The developer can add a CloudFormation Deletion Policy attribute with the Retain value to the database resource. This will prevent the database from being deleted when the stack is deleted or updated. The developer can also update the CloudFormation stack policy to prevent updates to the database. This will prevent accidental changes to the database configuration or properties.

A feature branch is a branch that is created from the main branch to work on a specific feature or task1. Feature branches allow developers to isolate their work from the main branch and avoid conflicts with other changes1. Feature branches can be merged back to the main branch when the feature or task is completed and tested1.

In this scenario, the developer needs to maintain two parallel streams of work: one for fixing and updating the current version of the application that is deployed in production, and another for developing the new version of the application. The developer can use feature branches to achieve this goal.

The developer can create a feature branch from the main branch for production bug fixes. This branch will contain the code that is currently deployed in production, and any fixes or updates that need to be applied to it. The developer can push this branch to the CodeCommit repository and use it to deploy changes to the production environment.

The developer can also create a second feature branch from the main branch for development of the new version of the application. This branch will contain the code that is under development for the new version, and any changes or enhancements that are part of it. The developer can push this branch to the CodeCommit repository and use it to test and deploy the new version of the application in a separate environment.

By using feature branches, the developer can keep the main branch stable and clean, and avoid mixing code from different versions of the application. The developer can also easily switch between branches and merge them when needed.

The goal is minimal downtime during deployment and fast rollback if problems occur. In Elastic Beanstalk, the approach that best satisfies both is a blue/green deployment.

With blue/green, the developer deploys the new application version to a separate environment (green) while the current production environment (blue) continues serving traffic. Once validation is complete (health checks, smoke tests), the developer performs a controlled CNAME swap (or routing switch) so traffic shifts from blue to green with near-zero downtime. This reduces risk because the existing environment remains intact and can immediately resume traffic if issues are detected.

Rollback time is also minimized because reverting is simply switching traffic back to the original environment (swap back), rather than rolling back changes across the same environment.

Why the other options are weaker:

All-at-once (C) introduces the highest downtime and risk because it replaces all instances at once, potentially taking the application fully offline and making rollback slower.

Rolling (A) reduces downtime compared to all-at-once, but instances are still updated in-place; if issues appear mid-deployment, rollback is more complex and slower than swapping environments.

Rolling with additional batches (B) can further reduce capacity impact by adding extra instances during deployment, but rollback still involves reversing updates in the same environment and is typically slower than blue/green.

Therefore, deploying to a new environment and using blue/green provides the least downtime and the fastest rollback.

The solution that will meet the requirements is to add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior’s settings unchanged. This way, the login page can be accessed without authentication, while all other content remains secure and requires signed cookies. The other options either do not allow unauthenticated access to the login page, or expose private content to unauthorized users.

The type of keys that the developer should use to meet the requirements is symmetric customer managed keys with key material that is generated by AWS. This way, the developer can use AWS Key Management Service (AWS KMS) to encrypt the data with a symmetric key that is managed by the developer. The developer can also enable automatic annual rotation for the key, which creates new key material for the key every year. The other options either involve using Amazon S3 managed keys, which do not support automatic annual rotation, or using asymmetric keys or imported key material, which are not supported by S3 encryption.

For in-place deployments, AWS CodeDeploy uses a set of predefined hooks that run in a specific order during each deployment lifecycle event. The hooks are ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart, and ValidateService. The run order of the hooks for in-place deployments is as follows:

ApplicationStop: This hook runs first on all instances and stops the current application that is running on the instances.

BeforeInstall: This hook runs after ApplicationStop on all instances and performs any tasks required before installing the new application revision.

AfterInstall: This hook runs after BeforeInstall on all instances and performs any tasks required after installing the new application revision.

ApplicationStart: This hook runs after AfterInstall on all instances and starts the new application that has been installed on the instances.

ValidateService: This hook runs last on all instances and verifies that the new application is running properly on the instances.

This benefit occurs when initializing the AWS SDK outside of the Lambda handler function because it allows the SDK instance to be reused across multiple invocations of the same function. This can improve performance and reduce latency by avoiding unnecessary initialization overhead. If the SDK is initialized inside the handler function, it will create a new SDK instance for each invocation, which can increase memory usage and execution time.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

When you need to provide an AWS Lambda function access to private resources in a VPC, the most common and straightforward approach is to attach the Lambda function to a VPC via private subnets. Once the Lambda function is associated with the VPC, you need to configure appropriate security groups to control the access to the private resources.

Lambda with VPC Access: Lambda functions can be attached to private subnets in a VPC, allowing them to access resources like RDS, EC2, or internal services within that VPC.

Security Groups: A security group acts as a virtual firewall for the Lambda function, ensuring that it can access only the necessary resources and ports in the VPC.

Alternatives:

Option B involves routing traffic through a VPN, which adds unnecessary complexity and operational overhead compared to simply attaching the Lambda to the VPC.

Option C requires configuring a VPC endpoint and a NAT gateway, which can be complex and costly.

Option D refers to AWS PrivateLink, which is used to access services over private connections, but it's unnecessary in this scenario unless you need a cross-VPC connection.

Lambda functions in a VPC

Amazon ElastiCache for Redis: An in-memory data store known for extremely low latency, ideal for caching frequently accessed, complex data.

Write-Through Caching: Ensures that data is always consistent between the cache and the database. Writes go to both Redis and RDS.

Performance Gains: Redis handles reads with minimal latency, offloading the RDS database and improving the application's responsiveness.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can create an AWS Lambda function by using the SecretsManagerRotationTemplate template in the AWS Secrets Manager console, which provides a sample code for rotating secrets for RDS DB instances, Amazon DocumentDB clusters, and Amazon Aurora DB instances. The developer can also create secrets for the database credentials in Secrets Manager, which encrypts them at rest and provides secure access to them. The developer can set up secrets rotation on a schedule, which changes the database credentials periodically according to a specified interval or event. Option A is not optimal because it will set up IAM database authentication for token-based access, which may not be compatible with all database engines and may require additional configuration and management of IAM roles or users. Option B is not optimal because it will create parameters for the database credentials in AWS Systems Manager Parameter Store, which does not support automatic rotation of secrets. Option C is not optimal because it will store the database access credentials as an encrypted Amazon S3 object in an S3 bucket, which may introduce additional costs and complexity for accessing and securing the data.

Why Option C is Correct:

Amazon ElastiCache (Memcached) provides low-latency, in-memory caching suitable for session storage. It ensures stateless web tier operations and supports the high throughput of 5000 requests per minute.

Why Other Options are Incorrect:

Option A: RDS has higher latency compared to in-memory caching solutions like ElastiCache.

Option B: Shared file systems introduce additional complexity and are not ideal for low-latency session data storage.

Option D: DynamoDB has low latency but is less performant than ElastiCache for in-memory session management.

AWS Documentation References:

Amazon ElastiCache for Session State Management

https://aws.amazon.com/blogs/devops/automated-code-review-on-pull-requests-using-aws-codecommit-and-aws-codebuild/

This solution meets the requirements with the least amount of configuration because it uses a feature of AWS CDK that allows custom logic to be executed during stack deployment or deletion. The AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you to define cloud infrastructure as code and provision it through CloudFormation. An AWS CDK custom resource is a construct that enables you to create resources that are not natively supported by CloudFormation or perform tasks that are not supported by CloudFormation during stack deployment or deletion. The developer can write a handler function in the code that uses AWS SDK calls to check for and delete unused resources, and create an AWS CDK custom resource that attaches the function code to a Lambda function and invokes it when the deployment stack runs. This way, the developer can automate the cleanup process without requiring additional configuration or integration. Creating a CloudFormation template from a JSON file will require additional configuration and integration with the central AWS CDK application. Creating an API in AWS Amplify will require additional configuration and integration with the central AWS CDK application and may not provide optimal performance or availability. Writing a handler function in the AWS Lambda console will require additional configuration and integration with the central AWS CDK application.

Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access. This is correct. This solution will meet the requirements most securely, because it uses a service that is designed to store and manage secrets such as API credentials. AWS Secrets Manager helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle1. You can store secrets such as passwords, database strings, API keys, and license codes as encrypted values2. You can also configure automatic rotation of your secrets on a schedule that you specify3. You can use the AWS SDK or CLI to retrieve secrets from Secrets Manager when you need them4. This way, you can avoid storing credentials in plaintext files or hardcoding them in your code.

This solution allows the developer to troubleshoot the failure by capturing unprocessed events in a queue for further analysis. Dead Letter Queues (DLQs) are queues that store messages that could not be processed by a service, such as Lambda, for various reasons, such as configuration errors, throttling limits, or permissions issues. The developer can configure DLQs for Lambda functions by sending events to either an Amazon Simple Queue Service (SQS) queue or an Amazon Simple Notification Service (SNS) topic. The developer can then inspect the messages in the queue or topic to identify and fix the root cause of the failure. Configuring AWS CloudTrail logging will not capture invocation failures for asynchronous Lambda invocations, but only record API calls made by or on behalf of Lambda. Configuring Amazon Simple Workflow Service (SWF) or AWS Config will not process any direct unprocessed events, but require additional integration and configuration.

This solution allows the developer to create and delete branches in AWS CodeCommit by granting the codecommit:CreateBranch and codecommit:DeleteBranch permissions. These are the minimum permissions required for this task, following the principle of least privilege. Option B grants too many permissions, such as codecommit:Put*, which allows the developer to create, update, or delete any resource in CodeCommit. Option C grants too few permissions, such as codecommit:Update*, which does not allow the developer to create or delete branches. Option D grants all permissions, such as codecommit:*, which is not secure or recommended.

When multiple Lambda functions must execute in a defined sequence as part of a workflow (order processing → payment → inventory → fulfillment, etc.), the AWS service designed to coordinate and orchestrate serverless workflows is AWS Step Functions.

Option C is the least operational overhead because Step Functions provides a managed state machine that invokes Lambda functions in an explicit order with built-in support for retries, timeouts, error handling, branching, and state passing between steps. The developer defines the workflow declaratively (Amazon States Language) and Step Functions ensures the sequence is enforced consistently.

Option A (SQS) is not a workflow orchestrator. Ensuring strict sequencing would require custom coordination logic, state tracking, and careful handling of retries and ordering—more code and complexity (and standard SQS does not guarantee strict order).

Option B (SNS) fans out events and is not designed for sequential orchestration.

Option D (EventBridge Scheduler) can schedule invocations at times, but it does not coordinate multi-step workflows with dependencies and conditional transitions.

The Secrets Manager Agent provides an out-of-the-box solution for securely caching secrets locally, reducing latency and operational overhead.

Why Option B is Correct:

Caching: The agent securely caches secrets locally, minimizing Secrets Manager API calls.

Security: Secrets remain secure during retrieval and storage.

Low Operational Overhead: Managed solution eliminates the need for custom logic.

Why Not Other Options:

Option A: Custom scripts introduce complexity and require ongoing maintenance.

Option C: Using Redis requires managing an additional service, increasing overhead.

Option D: Storing secrets in S3 lacks the fine-grained security controls of Secrets Manager.

Caching Secrets in AWS Secrets Manager

This solution will meet the requirements by using AWS X-Ray to analyze and debug the performance issues with the distributed Lambda applications. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can use AWS X-Ray to identify the root cause of the performance issues by examining the segments and errors that show the details of each request and the components that make up the applications. Option A is not optimal because it will use logging statements and Amazon CloudWatch, which may not provide enough information or visibility into the distributed applications. Option B is not optimal because it will use AWS CloudTrail, which is a service that records API calls and events for AWS services, not application performance data. Option D is not optimal because it will use Amazon Inspector, which is a service that helps improve the security and compliance of applications on Amazon EC2 instances, not Lambda functions.

Why Option D is Correct:When using a container-based AWS Lambda function, you are responsible for updating the base image for runtime patches. Rebuilding the container with the latest Node.js patch version ensures the function is updated with the required security patches. Publishing a new version of the Lambda function makes the updated image available for use.

Why Other Options are Incorrect:

Option A: The runtime update mode applies to functions using AWS-managed runtimes, not container-based runtimes.

Option B: Redeploying the same version of the Lambda function does not apply the security patch.

Option C: Rebuilding with the AWS OS base image does not guarantee that the latest Node.js patch version is included.

AWS Documentation References:

Lambda Function Container Images

Node.js Updates in AWS Lambda

AWS CloudFormation is a service that allows developers to model and provision AWS resources using templates. A CloudFormation template can define the load test resources, such as EC2 instances, load balancers, and Auto Scaling groups. A CloudFormation stack set is a collection of stacks that can be created and managed from a single template in multiple Regions and accounts. The AWS CLI create-stack-set command can be used to create a stack set from a template and specify the Regions where the stacks should be created. Reference: Working with AWS CloudFormation stack sets

If a bucket policy denies delete operations for all principals, but objects are still being removed, the most likely cause is S3 Lifecycle configuration. Lifecycle expiration is an S3-managed action that deletes objects automatically based on rules (such as “expire after N days”). These deletions occur as part of the S3 service’s lifecycle management and are not “someone calling DeleteObject” in the usual way from an IAM principal. As a result, developers often observe objects disappearing even though bucket policies deny deletes.

Therefore, to prevent additional deletions, the developer should review and remove (or modify) any Lifecycle rules that expire or transition/delete objects. This directly stops S3 from automatically deleting the log files.

Option A would not help if the policy already denies deletes and no explicit allow is causing the issue. Also, a deny overrides allow anyway.

Option C is unrelated: access points do not bypass bucket policies.

Option D is unlikely and not the primary control plane mechanism for automated S3 deletions. EventBridge can trigger workflows, but the direct, common AWS-native mechanism for periodic deletion is Lifecycle expiration.

Therefore, removing S3 Lifecycle expiration rules prevents further deletions.

The requirement is to run a single analysis job once per day at a specific time, after branch offices have uploaded their daily reports. The most cost-effective and straightforward way to trigger a Lambda function on a fixed schedule is to use Amazon EventBridge scheduled rules (cron or rate expressions). With a scheduled rule, EventBridge invokes the Lambda function at the exact predefined time each day without requiring any continuously running resources, polling logic, or additional orchestration unless it is needed.

Option D fits perfectly: an EventBridge schedule is purpose-built for time-based triggers, and you pay only for the invocations and any EventBridge rule evaluations according to AWS pricing, with minimal operational overhead. The Lambda function will run exactly once each day and can then read all relevant objects from the S3 bucket and process them in a single pass as designed.

Option A (S3 event notifications) triggers the Lambda function per upload, which is not aligned with “single pass once per day.” It could cause multiple invocations and additional cost and complexity (coordination, waiting for all branches, handling partial arrival). Option B (Step Functions) can schedule via EventBridge as well, but Step Functions introduces additional state machine costs and is unnecessary if the requirement is simply a scheduled single Lambda invocation. Option C is the least cost-effective: running continuously to “wait” until a time wastes compute time and increases cost, and it is not an event-driven design.

Therefore, D is the most cost-effective solution: use an EventBridge scheduled rule to invoke the Lambda function once daily at the predefined time.

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. The developer can create an S3 bucket to host the repository and migrate the existing .xml files to the S3 bucket. The developer can update the application code to use the AWS SDK to read and write configuration files from S3. This solution will meet the requirement of high availability for the repository in a cost-effective way.

AWS Lambda SnapStart is designed specifically to reduce cold start latency for Java and .NET runtimes. SnapStart works by initializing the function once, taking a snapshot of the execution environment, and then reusing that snapshot for future cold starts. This dramatically reduces startup time, often from several seconds to milliseconds.

SnapStart requires the function to be published as a version, and an alias must reference that version. AWS documentation clearly states that SnapStart is the recommended solution for latency-sensitive Lambda workloads with infrequent invocations.

Reserved concurrency (Option B) limits scaling but does not eliminate cold starts. Lambda layers (Option C) improve code organization but have minimal impact on cold start latency. Adding the function to a VPC (Option D) typically increases cold start time due to network interface initialization.

Therefore, enabling SnapStart on a published .NET Lambda function is the correct and AWS-endorsed solution.

This step should be completed prior to deploying the application because it prepares the application artifacts for deployment. The AWS Serverless Application Model (AWS SAM) is a framework that simplifies building and deploying serverless applications on AWS. The AWS SAM CLI is a command-line tool that helps you create, test, and deploy serverless applications using AWS SAM templates. The sam package command bundles the application artifacts, such as Lambda function code and API definitions, and uploads them to an Amazon S3 bucket. The command also returns a CloudFormation template that is ready to be deployed with the sam deploy command. Compressing the application to a zip file and uploading it to AWS Lambda will not work because it does not use AWS SAM templates or CloudFormation. Testing the new Lambda function by first tracing it in AWS X-Ray will not prepare the application for deployment, but only monitor its performance and errors. Creating the application environment using the eb create my-env command will not work because it is a command for AWS Elastic Beanstalk, not AWS SAM.

The requirement is to test a new Lambda version without impacting the production API, and to do so with the least operational overhead. In API Gateway (REST API), the simplest pattern is to create a separate stage (for example, test) and use a stage variable to control which Lambda function version (or alias) the integration invokes.

With option B, the developer creates a new stage and defines a stage variable (commonly something like lambdaAlias or lambdaVersion). The API method integration URI can reference this stage variable so that each stage points to a different Lambda alias/version. The production stage (for example, prod) continues to call the stable version, while the test stage calls the new version. This cleanly isolates testing traffic and prevents any effect on the production REST API because stages have distinct invoke URLs and deployments.

This approach is operationally efficient because it avoids duplicating the API definition (new REST API) and avoids creating extra resources/methods that must be maintained. It also provides a repeatable process: future versions can be tested by updating only stage variables or alias routing rather than restructuring the API.

Why not the others:

A adds additional resources/methods and increases API surface area and maintenance.

C duplicates the entire API, increasing overhead and configuration drift risk.

D would impact production because it changes the integration used by the existing method.

Therefore, using a new stage + stage variables to route to the updated Lambda version meets the requirements with minimal overhead.

EventBridge (formerly CloudWatch Events) is the ideal service for real-time event monitoring.

CloudTrail logs IAM role creation.

EventBridge rules can filter CloudTrail events and trigger SNS notifications instantly.

Amazon S3 event notifications can invoke AWS Lambda functions at very high rates during traffic spikes. In this scenario, up to 500 objects per minute can result in hundreds of concurrent Lambda invocations. By default, Lambda functions share the account’s unreserved concurrency pool, which can cause throttling if the pool is exhausted by sudden bursts.

AWS Lambda reserved concurrency guarantees a specific number of concurrent executions for a function. By configuring reserved concurrency, the developer ensures that sufficient execution capacity is always available for this specific function, regardless of other Lambda workloads in the account. This prevents throttling during high-volume S3 event bursts.

Increasing the timeout (Option A) does not address concurrency limits. Adding a layer (Option B) does not solve invocation throttling. Decreasing memory (Option D) can actually worsen performance and increase execution time.

AWS documentation explicitly recommends reserved concurrency when workloads experience unpredictable or bursty invocation patterns and must run reliably. Therefore, reserving concurrency is the correct and AWS-recommended solution.

Requirement Summary:

DynamoDB Provisioned Mode

ProvisionedThroughputExceededException error occurring

App hosted on a small burstable EC2 instance

Option A: Move to a larger EC2 instance

May improve local performance, but does not solve DynamoDB provisioned throughput limits.

Option B: Increase DynamoDB RCUs

Valid: This directly increases the read throughput capacity of the table.

Helps handle more traffic and reduce throughput exceptions.

Option C: Reduce frequency via exponential backoff

Best practice: Using exponential backoff and jitter reduces request pressure and spreads retries out to avoid spiking.

Option D: Increase frequency of retries by reducing delay

Opposite of best practice. Increases load, worsening the issue.

Option E: Change to on-demand mode

Also valid in general, but question is scoped around provisioned capacity.

Since minimizing cost or workload type isn't mentioned, and scaling the existing model is the focus, prefer B and C.

ProvisionedThroughputExceededException: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HandlingErrors.html

Exponential backoff: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html

Capacity modes: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html

The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.

With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.

Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”

Option A expires objects, which deletes them after 7 days—this contradicts the requirement to keep objects available.

Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.

Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.

This solution allows the fastest response for the query because it enables the query to use a single partition key value (the Product ID) and a range of sort key values (the Product Rating) to find the matching items. A global secondary index (GSI) is an index that has a partition key and an optional sort key that are different from those on the base table. A GSI can be created at any time and can be queried or scanned independently of the base table. A local secondary index (LSI) is an index that has the same partition key as the base table, but a different sort key. An LSI can only be created when the base table is created and must be queried together with the base table partition key. Using a GSI with Product ID as the partition key and Review ID as the sort key will not allow the query to use a range of sort key values to find the highest ratings. Using an LSI with Product ID as the partition key and Product Rating as the sort key will not work because Product ID is not the partition key of the base table. Using an LSI with Review ID as the partition key and Product ID as the sort key will not allow the query to use a single partition key value to find the matching items.

Amazon API Gateway mock integrations allow developers to return static or templated responses without invoking any backend services. AWS documentation specifically recommends mock integrations for early API development and testing, when backend implementations are unavailable or incomplete.

With mock integrations, API Gateway itself generates responses based on mapping templates. This enables frontend and integration testing teams to validate request formats, response schemas, authentication, and error handling without deploying compute resources or writing application logic.

Options B, C, and D all require additional infrastructure or application logic, increasing engineering effort. Mock integrations require no backend code, no servers, and minimal configuration.

Therefore, using API Gateway mock integrations is the fastest and lowest-effort solution.

This solution will meet the requirements by creating an advanced parameter in AWS Systems Manager Parameter Store, which is a secure and scalable service for storing and managing configuration data and secrets. The advanced parameter allows setting expiration and expiration notification policy types, which enable specifying an expiration date and time for the configuration and receiving notifications before the configuration expires. The Lambda code will be refactored to load the Root CA Cert from the parameter store and modify the runtime trust store outside the Lambda function handler, which will improve performance and reduce latency by avoiding repeated calls to Parameter Store and trust store modifications for each invocation of the Lambda function. Option A is not optimal because it will create a standard parameter in AWS Systems Manager Parameter Store, which does not support expiration and expiration notification policy types. Option B is not optimal because it will create a secret access key and access key ID with permission to access the S3 bucket, which will introduce additional security risks and complexity for storing and managing credentials. Option D is not optimal because it will create a Docker container from Node.js base image to invoke Lambda functions, which will incur additional costs and overhead for creating and running Docker containers.

Requirement Summary:

Users experience buffering/delay when starting video stream

Architecture:

CloudFront → API Gateway → Lambda → DynamoDB

Need to identify root cause of performance issues

Evaluate Options:

A: Enable AWS X-Ray tracing

Ideal for end-to-end tracing

Visualizes latency across services (API Gateway, Lambda, DynamoDB)

Creates a service map for easy identification of bottlenecks or errors

Designed specifically for distributed tracing and performance monitoring

B: CloudWatch Logs Insights

⚠️ Helpful for querying logs

But lacks the visual trace linkage across services like X-Ray

Does not identify where latency accumulates

C: AWS Config

Tracks configuration changes, not runtime performance

D: CloudTrail + CloudWatch Logs

More useful for audit/logging, not tracing performance or latency issues

X-Ray overview: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html

Service map: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-service-map.html

Tracing API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html

API Gateway Stages: Stages in API Gateway represent distinct environments (like PROD and DEV) allowing different configurations.

Stage Variables: Stage variables store environment-specific information, including Lambda function aliases.

Ease of Management: This solution offers a straightforward way to manage different Lambda function versions across environments.

The Deployment Preference Type property specifies how traffic should be shifted between versions of a Lambda function1. The Canary10Percent10Minutes option means that 10% of the traffic is immediately shifted to the new version, and after 10 minutes, the remaining 90% of the traffic is shifted1. This matches the requirement of shifting 10% of the traffic for the first 10 minutes, and then switching all traffic to the new version.

The AutoPublishAlias property enables AWS SAM to automatically create and update a Lambda alias that points to the latest version of the function1. This is required to use the Deployment Preference Type property1. The alias name can be specified by the developer, and it can be used to invoke the function with the latest code.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

The symptoms point to a missing event source mapping between Amazon SQS and the processing Lambda function. The parsing function successfully sends messages to SQS (the queue depth increases), but the processing function is not running for production events—evidenced by no CloudWatch logs during those runs. If Lambda is not being invoked, it will not generate any logs. In an SQS-based architecture, Lambda does not “pull” messages from a queue unless the queue is configured as a Lambda trigger (an event source mapping). The event source mapping tells Lambda to poll the queue, batch messages, and invoke the function with those messages.

In isolated tests, the developer likely invoked the processing function manually with mock events (for example, via the Lambda console or sam local invoke), which would create logs. But in production, because the function is supposed to be driven by SQS, it must have an SQS trigger configured; otherwise, messages will accumulate indefinitely and the function will never execute.

Option C (grant permissions) is necessary in many cases, but it does not explain the absence of logs and growing queue depth by itself if the trigger is missing. With the standard SQS→Lambda integration, Lambda’s service polls the queue using the function’s execution role permissions (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, etc.), but the polling does not occur without the event source mapping. Option D is not the root cause because the function isn’t being invoked; and if it were invoked, AWS-managed logging typically works unless the execution role lacks logging permissions. Option B is incorrect because the parsing function is not supposed to be triggered by SQS; it produces messages to SQS.

Therefore, configuring the SQS queue as a trigger for the processing Lambda function (A) resolves the issue and ensures production S3 events flow through parsing to SQS and then into processing automatically.

The UnprocessedKeys element indicates that the BatchGetItem operation did not process all of the requested items in the current response. This can happen if the response size limit is exceeded or if the table’s provisioned throughput is exceeded. To handle this situation, the developer should retry the batch operation with exponential backoff and randomized delay to avoid throttling errors and reduce the load on the table. The developer should also use an AWS SDK to make the requests, as the SDKs automatically retry requests that return UnprocessedKeys.

Why Option A is Correct:

The ArnLike condition with the specific ARN for myStateMachine ensures that only this state machine can assume the role. The format urn:aws:states is correct for specifying Step Functions resources.

Why Other Options are Incorrect:

Option B: Wildcards (*) in the ARN allow more resources to assume the role, which violates the requirement.

Option C: This condition restricts the account but not the specific state machine.

Option D: A StringNotEquals condition is used to deny specific values, which does not ensure exclusivity for the desired state machine.

AWS Documentation References:

IAM Trust Policies for Step Functions

Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can publish custom metrics to CloudWatch that record the failures of the external payment processing API calls. The developer can configure a CloudWatch alarm to notify the existing SNS topic when the error rate exceeds 5% of the total number of transactions in an hour. This solution will meet the requirements in a near real-time and scalable way.

This solution will meet the requirements by using AWS Config to monitor and evaluate whether Secrets Manager secrets are unused or have been deleted, based on specified time periods. The secrets manager-secret-unused managed rule is a predefined rule that checks whether Secrets Manager secrets have been rotated within a specified number of days or have been deleted within a specified number of days after last accessed date. The Amazon EventBridge rule will trigger a notification when the AWS Config managed rule is met, alerting the developer about unused secrets that can be removed without causing application downtime. Option A is not optimal because it will use AWS CloudTrail log file delivery to an Amazon S3 bucket, which will incur additional costs and complexity for storing and analyzing log files that may not contain relevant information about secret usage. Option C is not optimal because it will deactivate the application secrets and monitor the application error logs temporarily, which will cause application downtime and potential data loss. Option D is not optimal because it will use AWS X-Ray to trace secret usage, which will introduce additional overhead and latency for instrumenting and sampling requests that may not be related to secret usage.

The solution that will meet the requirements is to use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime. This way, the developer can pass the credentials to the Lambda function in a secure way, as AWS Secrets Manager encrypts and manages the secrets. The developer can also use a dynamic reference to avoid exposing the secret’s value in plain text in the CloudFormation template. The other options either involve passing the credentials as plain text parameters, which is not secure, or encrypting them with AWS KMS, which is less convenient than using AWS Secrets Manager.

Amazon API Gateway supports multiple stages, allowing developers to deploy and test different versions of an API independently. By creating a new test stage, the developer can route traffic to an updated Lambda function without impacting production users.

AWS documentation recommends using stage variables to dynamically reference different Lambda function versions or aliases. This approach enables safe testing while reusing the same API configuration.

Canary deployments (Option A) expose a portion of production users to the new code, which violates the requirement. Changing the endpoint type (Option B) disrupts production. Duplicating the entire stack (Option D) introduces unnecessary complexity and overhead.

Using a separate test stage is the most efficient, low-risk, and AWS-recommended solution.

The error message "Task timed out after 3.01 seconds" indicates that the Lambda invocation exceeded the function’s configured timeout setting, which appears to be set to approximately 3 seconds. Larger images (>2 MB) take longer to transfer between services (due to network latency, throughput, and downstream service response time), so the runtime crosses the timeout threshold and Lambda forcibly terminates the execution. This is a configuration problem, not necessarily a code defect.

To resolve the issue without modifying the function code, the developer should increase the Lambda function’s timeout value. Lambda allows configuring the maximum runtime per invocation (up to the service limit). By increasing the timeout to a value that comfortably covers the expected transfer and processing initiation time for larger payloads, the function can complete its work successfully. This directly addresses the failure mode while keeping the existing implementation unchanged.

Option D (provisioned concurrency) reduces cold start latency by keeping execution environments initialized, but it does not extend the allowed runtime for a single invocation. If the function consistently needs more than 3 seconds for larger images, provisioned concurrency will not prevent timeouts. Option C (concurrency quota increase) increases the number of concurrent executions allowed, which can help throughput under load, but again does not affect per-invocation runtime limits. Option B avoids the problem by skipping large images, but it violates the functional need to process them and is not a general solution.

Therefore, the correct solution is A: increase the Lambda timeout so the function has sufficient time to move larger images between AWS services.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.

Amazon RDS for MySQL supports read replicas, which are copies of the primary database instance that can handle read-only queries. Read replicas can improve the read performance of the database by offloading the read workload from the primary instance and distributing it across multiple replicas. To use read replicas, the application code needs to be modified to direct read queries to the URL of the read replicas, while write queries still go to the URL of the primary instance. This solution requires less current and future effort than using a multi-AZ deployment, which does not provide read scaling benefits, or using open source replication software, which requires additional configuration and maintenance. Reference: Working with read replicas

S3 Object Lambda allows you to add your own code to process data retrieved from S3 before returning it to an application. You can use an AWS Lambda function to modify the data, such as removing PII, redacting confidential information, or resizing images. You can create an S3 Object Lambda access point and associate it with your Lambda function. Then, you can use the access point to request objects from S3 and get the modified data back. This way, you can maintain only one copy of the original document in S3 and apply different transformations depending on who accesses it. Reference: Using AWS Lambda with Amazon S3

In the CloudFormation template, the developer should create a parameter with the list of approved EC2 instance types as AllowedValues. This way, users can select the instance type they want to use when launching the CloudFormation stack, but only from the approved list.

The issue occurs because the SSM Parameter Store parameters are managed by CloudFormation as stack resources. When CloudFormation performs a stack update, it will attempt to ensure the deployed resources match the template. If the template includes a parameter value, CloudFormation can overwrite the current value during updates, which explains why the application’s runtime modifications are lost.

The developer’s requirement is to continue deploying the stack (including adding resources/tags) without resetting parameter values that are modified outside CloudFormation. The lowest-effort way to do this is to prevent CloudFormation from updating those specific Parameter Store resources during stack updates.

A CloudFormation stack policy can explicitly deny update actions on selected resources (in this case, the SSM parameters). Stack policies are designed to protect critical resources from being unintentionally modified during stack updates. With an update-deny policy applied to the SSM parameter resources, CloudFormation can still update other resources (such as adding tags or creating new components), but it will not overwrite the parameter values that the application has changed.

Option A (DeletionPolicy: Retain) only affects what happens when a resource is deleted or replaced, not whether CloudFormation updates the resource in place. It will not reliably prevent stack updates from resetting values.

Options B and C are larger architecture changes and require migrating configuration storage to DynamoDB or RDS—much more development effort and operational overhead.

Therefore, applying a stack policy to deny updates on Parameter Store parameters is the best and least-effort solution.

The requirement emphasizes collaboration, frequent code changes, and deploying from source control with the fewest manual steps. This aligns with a CI/CD pipeline approach where commits or merges automatically trigger builds and deployments. Using AWS CodePipeline orchestrates the stages (source, build, deploy), and AWS CodeBuild performs the build/package steps for the Lambda/serverless application. When integrated with a repository (such as CodeCommit, GitHub, or another supported provider), CodePipeline can automatically start when changes are merged into specific branches, enabling consistent, repeatable deployments.

Option C provides the least operational overhead for teams: developers push code and merge pull requests; the pipeline automatically builds artifacts, runs tests (if configured), packages dependencies, and deploys updates to Lambda (often via AWS SAM/CloudFormation under the hood). This removes manual “build on my laptop” drift, prevents inconsistent deployments between developers, and supports frequent iteration safely.

Option B (SAM CLI from a local machine) requires a developer to manually run build/deploy commands and assumes each developer’s environment is configured correctly. That increases manual steps and the risk of differences across machines. Option D (uploading zip in the console) is highly manual and not suitable for frequent changes or team collaboration. Option A is also suboptimal because storing built artifacts in source control is an anti-pattern; builds should be reproducible and produced by CI, not committed binaries.

Therefore, C is the best choice: set up CodePipeline + CodeBuild so merges to controlled branches automatically trigger builds and deployments to AWS Lambda with minimal manual intervention.

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. The developer can update the application to retrieve the variables from Parameter Store by using the AWS SDK or the AWS CLI. The developer can use unique paths in Parameter Store for each variable in each environment, such as /dev/api-url, /test/api-url, and /prod/api-url. The developer can also store the credentials in AWS Secrets Manager, which is integrated with Parameter Store and provides additional features such as automatic rotation and encryption.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

The AWS Serverless Application Model (SAM) includes features for local testing and debugging of AWS Lambda functions. One of the most efficient ways to generate test payloads that match actual AWS event structures is by using the sam local generate-event command.

sam local generate-event: This command allows developers to create pre-configured test event payloads for various AWS services (e.g., S3, API Gateway, SNS). These generated events accurately reflect the format that the service would use in a live environment, reducing the manual work required to create these events from scratch.

Operational Overhead: This approach reduces overhead since the developer does not need to manually create or maintain test events. It ensures that the structure is correct and up-to-date with the latest AWS standards.

Alternatives:

Option A suggests using shareable test events, but manually creating or sharing these events introduces more overhead.

Option B and C both involve manually storing and maintaining test events, which adds unnecessary complexity compared to using sam local generate-event.

AWS SAM CLI documentation

AWS IAM role permissions are evaluated dynamically. According to AWS documentation, when an IAM role attached to an EC2 instance is updated, the updated permissions are available to applications running on that instance without requiring a restart. The EC2 instance retrieves temporary credentials through the instance metadata service, and those credentials are refreshed automatically.

In this scenario, the least disruptive approach is to update the IAM role policy to include the required s3:GetObject permission. Once the permission is added, the application can immediately retry access to the S3 bucket without restarting, stopping, or terminating the EC2 instance.

Terminating or restarting the instance (Options A and C) introduces unnecessary downtime and operational overhead. Modifying the S3 bucket policy (Option D) is unnecessary because the problem lies with missing role permissions, not bucket access configuration.

AWS best practices strongly recommend using IAM roles for EC2 and updating permissions dynamically to avoid service interruption. Therefore, simply adding the required permission to the role is the correct and most efficient solution.

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as the sort key.

This solution will meet the requirements by ensuring that all traffic between users and CloudFront, and all traffic between CloudFront and the web application, are encrypted using HTTPS protocol. The Origin Protocol Policy determines how CloudFront communicates with the origin server (the web application), and setting it to “HTTPS Only” will force CloudFront to use HTTPS for every request to the origin server. The Viewer Protocol Policy determines how CloudFront responds to HTTP or HTTPS requests from users, and setting it to “HTTPS Only” or “Redirect HTTP to HTTPS” will force CloudFront to use HTTPS for every response to users. Option A is not optimal because it will use AWS KMS to encrypt traffic between CloudFront and the web application, which is not necessary or supported by CloudFront. Option C is not optimal because it will set the origin’s HTTP port to 443, which is incorrect as port 443 is used for HTTPS protocol, not HTTP protocol. Option E is not optimal because it will enable the CloudFront option Restrict Viewer Access, which is used for controlling access to private content using signed URLs or signed cookies, not for encrypting traffic.

The issue is write throttling during peak login surges. In DynamoDB provisioned capacity mode, throttling happens when the workload exceeds the table’s configured write capacity units (WCU) (or a partition becomes “hot”). To resolve throttling and reduce latency, the table must have sufficient write capacity available when the surge occurs.

Option B directly addresses this by increasing the table’s provisioned throughput (WCU). With more write capacity, DynamoDB can accept more writes per second without returning throttling errors, which reduces retries and improves end-user latency during peak usage.

Option E is also effective: switching the table to on-demand capacity mode automatically accommodates traffic spikes without the team needing to forecast and pre-provision capacity. On-demand is designed for unpredictable workloads and can scale to handle sudden surges, reducing the risk of throttling caused by under-provisioning. For many teams, this is the fastest operational fix because it removes manual capacity planning and reactive scaling steps.

Why the other options are not the best fit:

A (DAX) improves read performance and reduces read latency, but it does not fix write throttling.

C (retries and exponential backoff) is a best practice for handling throttling gracefully, but it does not “resolve” throttling; it reduces contention and improves success rates at the cost of higher latency, and it does not increase available capacity.

D focuses on control plane operations (schema/index/table management) which are unrelated to data plane write throttling during login surges.

Therefore, the two solutions that meet the requirements to resolve write throttling and reduce latency are B (increase provisioned throughput) and E (switch to on-demand capacity mode for automatic scaling).

AWS Lambda is a service that lets you run code without provisioning or managing servers. Lambda functions can be configured to access resources in a VPC, such as an Aurora database, by specifying one or more subnets and security groups in the VPC settings of the function. A security group acts as a virtual firewall that controls inbound and outbound traffic for the resources in a VPC. To allow a Lambda function to communicate with an Aurora database, both resources need to be associated with the same security group, and the security group rules need to allow TCP traffic on Port 3306, which is the default port for MySQL databases. Reference: [Configuring a Lambda function to access resources in a VPC]

Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can use CloudWatch to monitor and troubleshoot all applications from one place. To do so, the developer needs to download the CloudWatch agent to the on-premises server and configure the agent to use IAM user credentials with permissions for CloudWatch. The agent will collect logs and metrics from the on-premises server and send them to CloudWatch.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Amazon Cognito Identity Pool with Unauthenticated Role

Cognito identity pools can generate temporary AWS credentials for both authenticated and unauthenticated users.

For guest users, Cognito assigns an unauthenticated role with limited permissions, ensuring secure access to only their resources.

This is the most secure and efficient solution for managing AWS credentials dynamically without hardcoding or storing them.

Why Other Options Are Incorrect:

Option B: Hardcoding IAM credentials in the application is insecure and violates best practices.

Option C and D: Temporary keys stored in KMS or Secrets Manager require additional implementation overhead and do not inherently manage user-specific access.

The described behavior is a classic cache stampede (also called the “thundering herd” problem): a large set of hot keys share the same expiration time, so they all expire simultaneously. When that happens, many requests miss the cache at the same moment and fall back to the backend database, creating a sudden spike in database load and causing increased latency and poor user experience.

The most effective fix that preserves freshness is to introduce jitter—a small, randomized variance—into the TTL values so cached objects do not all expire at the same time. With TTL jitter, each item still has a bounded lifetime (so freshness is maintained), but expirations become spread out over time. That smooths cache-miss rates and prevents synchronized regeneration, reducing bursts of database traffic. This is a common best practice in high-load caching systems precisely to avoid mass expiration events.

Option A (increase TTL) might reduce how frequently a stampede occurs, but it does not solve the root cause: keys can still align and expire together, and a longer TTL can also reduce freshness if product data changes. Option B (more replicas, disable cluster mode) changes topology and read scaling, but it does not prevent synchronized expiry or the resulting backend spike; disabling cluster mode could also reduce scale for large keyspaces. Option D (more shards) can improve cache throughput capacity, but it does not address the core issue that backend load spikes occur when items expire simultaneously; lowering replica count could even reduce read availability.

Therefore, C is the correct solution: keep TTL-based freshness, but add a randomized component (for example, TTL = baseTTL + random(0..jitter)) so expirations are distributed and the backend database is protected from sudden bursts.

Amazon API Gateway allows you to create, deploy, and manage a RESTful API to expose backend HTTP endpoints, AWS Lambda functions, or other AWS services1. You can use API Gateway to perform basic validation of an API request before proceeding with the integration request1. When the validation fails, API Gateway immediately fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs1.

To test changes before deploying to a production environment, you can modify the existing API to add request validation and deploy the updated API to a new API Gateway stage1. This allows you to perform tests without affecting the production environment. Once testing is complete and successful, you can then deploy the updated API to the API Gateway production stage1.

This approach has the least operational overhead as it avoids unnecessary creation of new APIs or exporting and importing of APIs. It leverages the existing infrastructure and only requires changes in the configuration of the existing API1.

The solution that will solve this problem is to create and inspect the Lambda dead-letter queue. Troubleshoot the failed functions. Reprocess the events. This way, the developer can identify and fix any issues that caused the Lambda function to fail when invoked asynchronously by API Gateway. The developer can also reprocess any orders that were not processed due to failures. The other options either do not address the root cause of the problem, or do not help recover from failures.

Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)

When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.

According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.

AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:

kms:GenerateDataKey

(Implicitly) access allowed by the KMS key policy

Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.

Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.

Option B is unnecessary because the IAM user already has s3:PutObject.

Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.