Amazon Web Services AWS Certified Developer - Associate DVA-C02 Exam Dumps: Updated Questions & Answers (June 2026)

Amazon EC2 instances can send the state-change notification events to Amazon EventBridge. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html Amazon EventBridge can send and receive events between event buses in AWS accounts. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html

Instance Metadata Service: EC2 instances have access to an internal metadata service. It provides instance-specific information like instance ID, security groups, and public IP address.

Accessing Metadata:

Make an HTTP GET request to the base URL: http://169.254.169.254/latest/meta-data/

You ' ll get a list of available categories. The public IPv4 address is under public-ipv4.

Why Option B is Correct:Amazon ECS does not natively process docker-compose.yml files. Instead, the configurations from docker-compose.yml must be converted into ECS-compatible configurations within a task definition. Task definitions are the primary way to specify container configurations in ECS, including service dependencies like databases, caches, and volumes.

Steps to Resolve the Error:

Extract the configurations from the docker-compose.yml file.

Map the dependencies and settings to the appropriate ECS task definition fields.

Deploy the task definition to the ECS cluster.

Why Other Options are Incorrect:

Option A: Docker labels do not directly impact ECS task execution or integrate with ECS service configurations.

Option C: ECS namespaces do not exist as a feature.

Option D: Changing the service type to REPLICA does not resolve the issue of missing service dependency configurations.

AWS Documentation References:

Amazon ECS Task Definitions

Migrating Docker Compose Workloads to ECS

The correct answer is C because AWS AppConfig feature flags support variants and targeting rules , which allow developers to enable different feature behavior for different audiences with minimal custom code. In this scenario, the requirement is to enable a premium feature only for a specific group of users identified by their user IDs . AppConfig can handle this directly by defining multiple flag variants and applying rules that target the intended users.

This is the solution with the least development effort because the targeting logic is managed in AppConfig instead of being implemented and maintained in the application code. AWS documentation for AppConfig feature flags emphasizes dynamic control of feature rollout, audience targeting, and safe configuration management. By configuring the targeting rules centrally, the developer can change which users receive the premium feature without redeploying the application.

Option A is less desirable because it pushes the user ID evaluation logic into the application, increasing development and maintenance effort. Option B is more cumbersome because creating separate feature flags for every user group does not scale well and adds administrative overhead. Option D is not the intended AppConfig pattern and introduces unnecessary complexity by requiring an external database lookup during flag evaluation.

Using one feature flag with multiple variants and targeting rules is the cleanest and most AWS-native design for selective rollout to a defined user segment. It keeps the configuration centralized, reduces code changes, and supports flexible future updates.

Therefore, the best solution is C .

The correct answer is A because the requirement is to encrypt data in transit and data at rest while ensuring that the developer can manage encryption keys . AWS Key Management Service (AWS KMS) is the AWS-managed service specifically designed for creating, controlling, and auditing cryptographic keys. When used with the AWS Encryption SDK , it supports envelope encryption , a recommended pattern for protecting sensitive application data.

In this model, the application uses data keys to encrypt the actual sensitive data, while AWS KMS protects and manages the master keys that encrypt those data keys. This provides strong security and centralized key management, including access control through IAM, key rotation options, and auditability through AWS logging integrations. For data in transit , the application should also use TLS/HTTPS , which is standard AWS guidance for secure communications.

Option B is incorrect because Parameter Store is not the correct mechanism for directly managing application encryption keys in this way. SecureString protects stored values, but it is not a substitute for using KMS as the primary managed key service for encryption architecture. Option C is incorrect because Secrets Manager is intended for storing secrets such as passwords and tokens, not as the main key management system for application encryption design. Option D is incorrect because SSE-S3 uses Amazon S3-managed keys, not customer-managed KMS keys, so it does not satisfy the requirement that the developer be able to manage encryption keys.

Therefore, AWS KMS with envelope encryption through the AWS Encryption SDK is the most appropriate and secure solution.

AWS CodeArtifact publishes events to Amazon EventBridge when a package is created, modified, or deleted. The most operationally efficient (serverless) way to send an email notification from an EventBridge event is to set an Amazon SNS topic as the target. The team subscribes to the SNS topic. This avoids the need to write and maintain custom Lambda code (Option B) or Step Functions (Option D).

AWS SAM provides built-in tooling to generate realistic event payloads that match the structure of events produced by AWS services (such as S3, SNS, SQS, API Gateway, EventBridge, and others). The command designed specifically for this purpose is sam local generate-event. It produces sample event JSON that mirrors the format AWS services deliver to Lambda, which meets the requirement that payload structures match real service events.

This approach also requires the least development effort because the developer does not need to manually craft and maintain JSON payload files. Instead, the developer can generate the appropriate event type with SAM, optionally tweak values (bucket name, object key, request parameters), and then run sam local invoke using the generated payload. This significantly reduces mistakes and saves time, especially when testing multiple event sources.

Why other options are less suitable:

A (shareable test events) is vague and typically still requires manual creation/maintenance.

B requires manually creating payloads, which is error-prone and higher effort.

C adds unnecessary operational overhead (S3 storage) and still relies on manual payload creation.

Therefore, using sam local generate-event is the quickest and lowest-effort way to generate accurate AWS-service-like test payloads for local Lambda testing.

Configuring the Lambda function to use ephemeral storage and processing data in the /tmp directory improves performance by leveraging local storage during execution.

Why Option C is Correct:

Ephemeral Storage: Lambda provides temporary storage (up to 10 GB) in the /tmp directory for each invocation, which is faster than pulling data directly from S3 multiple times.

Performance Boost: Data can be downloaded to /tmp, processed locally, and uploaded to the destination S3 bucket, minimizing S3 network calls.

Low Overhead: This approach requires only minimal changes to the function ' s configuration.

Why Not Other Options:

Option A: Using Amazon EFS adds complexity and is unnecessary for this use case.

Option B: Scheduling the function does not address the root cause of slow performance.

Option D: Lambda layers improve deployment efficiency, not runtime performance for this scenario.

Using Ephemeral Storage in AWS Lambda

Best Practices for S3 and Lambda Performance

This solution allows the developer to test the changes without affecting the production environment. Cloning an API creates a copy of the API definition that can be modified independently. The developer can then add request validation to the new API and test it using a testing tool. After verifying that the changes work as expected, the developer can apply the same changes to the existing API and deploy it to production.

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications3. The sam local generate-event command of AWS SAM CLI generates sample events for automated tests3. The sam local invoke command is used to invoke Lambda functions3. Therefore, option C is correct.

To meet the requirement:

Users must be able to upload (PutObject) and read (GetObject) files but not delete them.

Option D ensures users cannot delete files by omitting the s3:DeleteObject action while allowing s3:GetObject and s3:PutObject.

Option A: Includes s3:DeleteObject, which allows users to delete files and does not meet the requirement.

Option B: Contains unrelated actions like CreateBucket, which is not relevant here.

Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict DeleteObject.

The requirement is to analyze existing Lambda logs using a request ID that appears in both functions, and to do so with the least development effort . Amazon CloudWatch Logs Insights is purpose-built for interactive log analysis: it lets you run ad-hoc queries over CloudWatch log groups using a query language that supports filtering, parsing, sorting, and aggregation. This means you can quickly search across the relevant Lambda log groups and filter results to only entries that contain a specific request ID.

With Logs Insights, the developer can select both Lambda log groups, set a time range around the failure, and run a query such as filtering on the request ID field or matching the request ID string in the message. This provides a fast way to reconstruct the end-to-end flow and identify where the failure occurred—without writing any custom code, building data pipelines, or exporting logs.

Option A (using an AWS SDK) requires writing and maintaining code to call CloudWatch Logs APIs, handle pagination, time windows, filtering, and correlation across groups—more effort than necessary. Option B (export to S3 + Athena) adds significant setup (export tasks, S3 storage, Athena tables/partitions) and is better suited to large-scale analytics or long-term archival, not quick troubleshooting. Option D (Live Tail) is primarily for real-time streaming of new log events; it is less suitable for retrospective investigation of an incident that already happened, and it doesn’t provide the same structured querying and cross-log-group correlation capabilities as Logs Insights.

Therefore, CloudWatch Logs Insights (C) is the most direct, AWS-native, low-effort solution to query both Lambda log groups and filter by request IDs to troubleshoot the failing process flow.

AWS Secrets Manager is a service that allows you to store and manage secrets, such as database credentials, API keys, and passwords, in a secure and centralized way. It also provides features such as automatic secret rotation, auditing, and monitoring1. By using AWS Secrets Manager, you can avoid hardcoding credentials in your code, which is a bad security practice and makes it difficult to update them. You can also replicate your secrets to another Region, which is useful for disaster recovery purposes2. To access your secrets from your application, you can use the ARN of the secret, which is a unique identifier that includes the Region name. This way, your application can use the appropriate secret based on the Region where it is deployed3.

AWS Secrets Manager

Replicating and sharing secrets

Using your own encryption keys