Amazon Web Services AWS Certified Developer - Associate DVA-C02 Exam Dumps: Updated Questions & Answers (April 2026)

SNS as a Fan-out Mechanism: SNS is perfect for triggering multiple actions from a single event (here, the image upload).

Workflow:

SNS Topic: Create an SNS topic that will be the central notification point.

S3 Event Notification: Configure the S3 bucket to send ' Object Created ' event notifications to the SNS topic.

Lambda Subscription: Subscribe your thumbnail-creating Lambda function to the SNS topic.

Email Subscription: Subscribe an email address to the SNS topic to trigger notifications.

The requirement is to rotate database credentials at least weekly . The AWS service that is purpose-built for storing and automatically rotating secrets is AWS Secrets Manager . Secrets Manager supports rotation schedules (including daily, weekly, or custom intervals) and integrates with supported databases through rotation Lambda functions. With rotation enabled, Secrets Manager can periodically generate a new password, update the secret value, and apply the new credential to the database user, while allowing applications to retrieve the current credential securely at runtime.

Option C matches this best practice: create a database user, store the username/password in a Secrets Manager secret, and enable rotation (daily rotation more than satisfies a weekly requirement). Applications on EC2 can retrieve the secret at startup or on a refresh interval using the AWS SDK, and can cache it according to best practices to reduce API calls, while still supporting rotation.

Option A (Parameter Store secure string) encrypts parameters, but Parameter Store does not provide the same managed secret rotation workflow for database credentials; rotating the KMS key is not the same as rotating the database password. Option B is not applicable as stated for RDS for Microsoft SQL Server: IAM database authentication is supported for specific engines (commonly MySQL and PostgreSQL) and is not the standard mechanism for SQL Server password rotation. Option D is insecure and operationally fragile: embedding long-lived credentials in user data and environment variables makes rotation difficult and increases exposure risk.

Therefore, the most secure and compliant configuration is C : store DB credentials in AWS Secrets Manager and enable automated rotation on an interval that meets or exceeds the weekly rotation requirement.

The requirement is specific: certain JSON fields must be encrypted at the edge (before traversing the origin path) and must remain encrypted end-to-end through CloudFront → API Gateway → Lambda → DynamoDB. The AWS feature designed for encrypting specific fields at the edge is CloudFront field-level encryption. With field-level encryption, CloudFront encrypts designated fields in an HTTPS request before forwarding the request to the origin. The origin (API Gateway/Lambda) receives the encrypted values, and only trusted components that have the private key can decrypt them—ensuring the fields remain protected throughout the stack.

Option B matches this exactly: field-level encryption uses an asymmetric key pair (public key used by CloudFront to encrypt; private key held securely by the application for decryption). This satisfies “encrypted at the edge” and “remain encrypted throughout the full stack.”

The “PII encrypted at rest in DynamoDB” requirement is also satisfied because DynamoDB supports encryption at rest by default (and can use AWS owned or customer managed KMS keys). Field-level encryption adds granular protection for only the most sensitive attributes beyond standard at-rest encryption.

Option A (Lambda@Edge encryption) could encrypt at edge, but it is more custom code, higher operational complexity, and is not as direct/standard as CloudFront field-level encryption for encrypting request fields.

Option C encrypts in Lambda, not at the edge—data would already have traversed CloudFront and API Gateway in plaintext form before Lambda encrypts it, violating the “encrypted at the edge” requirement.

Option D is not a defined mechanism for edge encryption; API Gateway methods do not provide edge field encryption with KMS in this way.

Therefore, CloudFront field-level encryption is the correct solution.

AWS Lambda versions and aliases are designed specifically to support safe deployments, testing, and rollback. A Lambda version is immutable, meaning its code and configuration cannot change once published. Aliases act as pointers to specific versions and can be updated instantly.

AWS documentation recommends using aliases to manage environments such as dev , test , and prod . Each environment can reference a specific Lambda version, allowing the same function codebase to be promoted across accounts with confidence. If a defect is detected in production, the alias can be quickly repointed to a previously known good version, enabling an immediate rollback without redeployment.

Options B, C, and D introduce higher operational overhead or do not provide safe rollback. Deploying separately increases risk and management effort. Lambda layers are not intended for environment promotion. Environment variables do not protect against faulty code deployments.

Therefore, using Lambda versions and aliases is the most efficient and AWS-recommended solution.

Step-by-Step Breakdown:

Requirement Summary:

AWS AppSync API needs to invoke Lambda functions

Some Lambda functions are long-running

AppSync should return immediately, minimizing operational overhead

**Option A: AppSync + Lambda as data source using Event Mode

Correct: AWS AppSync supports asynchronous (event) invocation of Lambda data sources using Event Mode.

Event Mode means:

AppSync invokes Lambda asynchronously

Immediately returns a response to the client (typically a predefined payload or null)

Ideal for fire-and-forget workloads or when the response is not immediately needed

Option B: Increase Lambda timeout

Incorrect: This keeps AppSync waiting.

Even with increased timeout, synchronous invocations would block AppSync responses.

Option C: SQS queue + polling Lambda

Possible but too complex for this use case.

Requires additional infrastructure: queue + mapping + custom logic.

Higher operational overhead compared to built-in AppSync Event Mode.

Option D: Enable caching in AppSync

Irrelevant: AppSync cache is for optimizing repeated read queries, not for async workflows.

Asynchronous Lambda with AppSync: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference-lambda.html#async-lambda-invocation

Lambda as AppSync Data Source: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html

Event Mode Docs: https://docs.aws.amazon.com/appsync/latest/devguide/lambda-resolvers.html#event-invocation-mode

Requirement Summary:

E-commerce app using Amazon RDS for MySQL

Needs caching layer for most-viewed products

Evaluate Options:

A. Add a cache node to RDS

No such feature in RDS for MySQL

Caching must be implemented outside RDS

B. ElastiCache for Redis (OSS)

Purpose-built for caching frequently accessed data

Reduces read pressure on RDS

Fast in-memory access (microseconds)

Seamless integration into app logic

C. DynamoDB DAX

DAX is for accelerating DynamoDB, not RDS

D. RDS standby instance

Read from standby is not allowed

Standby is for failover only, not for load balancing

ElastiCache for Redis: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html

Caching with Redis for RDS: https://aws.amazon.com/blogs/database/caching-strategies-using-amazon-elasticache-for-read-heavy-workloads-on-amazon-rds/

Step 1: Problem Understanding

Asymmetric Encryption Requirement: Users encrypt data with a public key, and only the company can decrypt it using a private key.

Data Encryption at Rest and In Transit: The data must be encrypted during upload (in transit) and when stored in Amazon S3 (at rest).

Step 2: Solution Analysis

Option A: Server-side encryption with Amazon S3 managed keys (SSE-S3).

Amazon S3 manages the encryption and decryption keys.

This does not meet the requirement for asymmetric encryption, where the company uses a private key.

Not suitable.

Option B: Server-side encryption with customer-provided keys (SSE-C).

Requires the user to supply encryption keys during the upload process.

Does not align with the asymmetric encryption requirement.

Not suitable.

Option C: Client-side encryption with a data key.

Data key encryption is symmetric, not asymmetric.

Does not satisfy the requirement for a public-private key pair.

Not suitable.

Option D: Client-side encryption with a customer-managed encryption key.

Data is encrypted on the client side using the public key.

Only the company can decrypt the data using the corresponding private key.

Data remains encrypted during upload (in transit) and in S3 (at rest).

Correct option.

Step 3: Implementation Steps for Option D

Generate Key Pair:

The company generates an RSA key pair (public/private) for encryption and decryption.

Encrypt Data on Client Side:

Use the public key to encrypt the data before uploading to S3.

S3 Upload:

Upload the encrypted data to S3 over an HTTPS connection.

Decrypt Data on the Server:

Use the private key to decrypt data when needed.

AWS Developer References:

Amazon S3 Encryption Options

Asymmetric Key Cryptography in AWS

For API Gateway REST APIs, configuration changes (new resources/methods) do not automatically become callable from a stage until a new API Gateway Deployment is created and associated with the stage. In CloudFormation, an AWS::ApiGateway::Deployment resource is immutable and effectively represents a snapshot of the API configuration at a point in time. If the Deployment resource does not change (for example, its logical ID or a property that forces replacement), CloudFormation may not create a new deployment even though the stack update succeeds—resulting in the stage still pointing to the old deployment. The symptom is exactly what’s described: new methods return 404 because they are not part of the deployed snapshot.

A common operational fix is to create a new deployment explicitly during CI/CD. Option C does this by running aws apigateway create-deployment, which creates a fresh deployment that includes the new resources/methods and makes them available on the stage.

Option D is unrelated (CloudFront invalidation).

Options A and B do not affect API Gateway deployment snapshots.

???? In pure CloudFormation, another common pattern is to force a new deployment by changing the Deployment logical ID or embedding a timestamp/hash in the deployment description. But among the options given, running create-deployment is the direct fix.

Therefore, add a pipeline step to run aws apigateway create-deployment.

The requirement is application-level encryption (client-side) in addition to RDS encryption at rest, specifically to prevent database administrators from viewing PHI. Also, some PHI objects are large, so the solution must encrypt locally without size limitations.

AWS best practice for large data encryption with KMS is envelope encryption. With envelope encryption, the application generates a data encryption key (DEK) (typically obtained from KMS using GenerateDataKey). The application uses the plaintext DEK locally with a symmetric algorithm (such as AES-GCM) to encrypt the large PHI payload efficiently. The DEK itself is then protected by encrypting it with a KMS customer managed key (CMK), producing an encrypted data key that can be safely stored alongside the ciphertext. Only principals with permission to use the CMK can decrypt the DEK and then decrypt the PHI data. This ensures that even database administrators who can access the RDS data cannot read PHI without KMS authorization.

Option A is not suitable because the KMS Encrypt operation is intended for small payloads (KMS has size limits for direct encryption), making it inappropriate for large PHI files.

Option B is insecure because embedding encryption keys in source code violates key management best practices and makes rotation and compromise containment difficult.

Option C provides only storage-level encryption for the database volume; it does not ensure that PHI remains unreadable to administrators who can access the database content.

Therefore, using envelope encryption with a KMS customer managed key and storing the encrypted data key with the record is the most secure solution.

Requirement Summary:

Lambda function:

Retrieves an item from DynamoDB

Updates its attributes or creates it if it does not exist

Has primary key

Needs minimum required IAM permissions

Analysis of Required Permissions:

To get an item and update it or create it if it doesn ' t exist, the Lambda function must use the **PutItem** or **UpdateItem** API, and read with **GetItem**.

Valid API options:

GetItem: Read the item from the table.

UpdateItem: Update existing item attributes or insert if it doesn ' t exist (with UpdateExpression and ConditionExpression).

When UpdateItem is used without a conditional check for existence, it can create a new item if it does not exist (acts like upsert).

DescribeTable: (Optional) Used if you need table metadata (not strictly required here).

Evaluate the Choices:

Option A:

DeleteItem – Not needed

GetItem –

PutItem – (can create/replace but not partial update)

Close, but PutItem overwrites the full item, not update-in-place. Acceptable, but UpdateItem is better suited.

Option B:

UpdateItem – Required to modify attributes or insert new item

GetItem – Required to check existence or read data

DescribeTable – Optional, but not harmful

BEST FIT – Matches the update-or-create logic.

Option C:

GetRecords – This is used for DynamoDB Streams, not standard GetItem

PutItem –

UpdateTable – Used to change table settings, not data manipulation

Incorrect usage context

Option D:

UpdateItem, GetItem, PutItem – all valid

But UpdateItem alone is sufficient; including PutItem might not be necessary Also, image is faded (possibly invalid), and it ' s redundant

UpdateItem API: https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html

PutItem vs UpdateItem: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithItems.html

IAM actions for DynamoDB: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html

Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption , ensuring that only authorized application components that possess the private key can decrypt the data.

This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.

Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.

Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available. Option D only secures transport and access control and does not encrypt individual data fields.

Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.

The correct answers are D and E .

The requirement states that the company does not want to manage the underlying hosts . That means the containerized application should run on AWS Fargate , which is the serverless compute engine for Amazon ECS. With Fargate, AWS manages the underlying infrastructure, so the company does not need to provision, patch, or scale EC2 instances. To run a task on Fargate, the task definition must specify FARGATE in the requiresCompatibilities field. That is why D is correct.

The developer also needs to monitor CPU and memory utilization in the Amazon CloudWatch console . For ECS tasks on Fargate, the task definition must specify valid CPU and memory values. These values define the task’s resource allocation and enable ECS and CloudWatch to report utilization metrics against those configured resources. Therefore, E is also required.

Option A applies to ECS on EC2, where the company would manage cluster instances, which violates the requirement. Option B is unnecessary because ECS and CloudWatch already provide the needed service metrics without requiring a custom script. Option C is incorrect because the task does not need cloudwatch:GetMetricData permission merely for CloudWatch to display CPU and memory utilization metrics.

This design follows AWS best practices for running containers without host management while still gaining built-in observability. By selecting Fargate and defining the CPU and memory values in the task definition, the application can run serverlessly on ECS and expose the required utilization metrics in CloudWatch.

Therefore, the correct combination is D and E .

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.

The requirement is to run a single analysis job once per day at a specific time , after branch offices have uploaded their daily reports. The most cost-effective and straightforward way to trigger a Lambda function on a fixed schedule is to use Amazon EventBridge scheduled rules (cron or rate expressions). With a scheduled rule, EventBridge invokes the Lambda function at the exact predefined time each day without requiring any continuously running resources, polling logic, or additional orchestration unless it is needed.

Option D fits perfectly: an EventBridge schedule is purpose-built for time-based triggers, and you pay only for the invocations and any EventBridge rule evaluations according to AWS pricing, with minimal operational overhead. The Lambda function will run exactly once each day and can then read all relevant objects from the S3 bucket and process them in a single pass as designed.

Option A (S3 event notifications) triggers the Lambda function per upload , which is not aligned with “single pass once per day.” It could cause multiple invocations and additional cost and complexity (coordination, waiting for all branches, handling partial arrival). Option B (Step Functions) can schedule via EventBridge as well, but Step Functions introduces additional state machine costs and is unnecessary if the requirement is simply a scheduled single Lambda invocation. Option C is the least cost-effective: running continuously to “wait” until a time wastes compute time and increases cost, and it is not an event-driven design.

Therefore, D is the most cost-effective solution: use an EventBridge scheduled rule to invoke the Lambda function once daily at the predefined time.

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications3. The sam local generate-event command of AWS SAM CLI generates sample events for automated tests3. The sam local invoke command is used to invoke Lambda functions3. Therefore, option C is correct.