Amazon DVA-C02 Exam Questions Instant Access

Question 1

A developer needs to deploy an application running on AWS Fargate using Amazon ECS The application has environment variables that must be passed to a container for the application to initialize.

How should the environment variables be passed to the container?

ADefine an array that includes the environment variables under the environment parameter within the service definition.

BDefine an array that includes the environment variables under the environment parameter within the task definition.

CDefine an array that includes the environment variables under the entryPoint parameter within the task definition.

DDefine an array that includes the environment variables under the entryPoint parameter within the service definition.

Answer : B

This solution allows the environment variables to be passed to the container when it is launched by AWS Fargate using Amazon ECS. The task definition is a text file that describes one or more containers that form an application. It contains various parameters for configuring the containers, such as CPU and memory requirements, network mode, and environment variables. The environment parameter is an array of key-value pairs that specify environment variables to pass to a container. Defining an array that includes the environment variables under the entryPoint parameter within the task definition will not pass them to the container, but use them as command-line arguments for overriding the default entry point of a container. Defining an array that includes the environment variables under the environment or entryPoint parameter within the service definition will not pass them to the container, but cause an error because these parameters are not valid for a service definition.

Question 2

An Amazon Simple Queue Service (Amazon SQS) queue serves as an event source for an AWS Lambda function In the SQS queue, each item corresponds to a video file that the Lambda function must convert to a smaller resolution The Lambda function is timing out on longer video files, but the Lambda function's timeout is already configured to its maximum value

What should a developer do to avoid the timeouts without additional code changes'?

AIncrease the memory configuration of the Lambda function

BIncrease the visibility timeout on the SQS queue

CIncrease the instance size of the host that runs the Lambda function.

DUse multi-threading for the conversion.

Answer : B

Visibility Timeout: When an SQS message is processed by a consumer (here, the Lambda function), it's temporarily hidden from other consumers. Visibility timeout controls this duration.

How It Helps:

Increase the visibility timeout beyond the maximum processing time your Lambda might typically take for long videos.

This prevents the message from reappearing in the queue while Lambda is still working, avoiding premature timeouts.

SQS Visibility Timeout:https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html

Question 3

A developer is building an image-processing application that includes an AWS Lambda function. The Lambda function moves images from one AWS service to another AWS service for image processing. For images that are larger than 2 MB, the Lambda function returns the following error: "Task timed out after 3.01 seconds."

The developer needs to resolve the error without modifying the Lambda function code.

Which solution will meet these requirements?

AIncrease the Lambda function's timeout value.

BConfigure the Lambda function to not move images that are larger than 2 MB.

CRequest a concurrency quota increase for the Lambda function.

DConfigure provisioned concurrency for the Lambda function.

Answer : A

The error message 'Task timed out after 3.01 seconds' indicates that the Lambda invocation exceeded the function's configured timeout setting, which appears to be set to approximately 3 seconds. Larger images (>2 MB) take longer to transfer between services (due to network latency, throughput, and downstream service response time), so the runtime crosses the timeout threshold and Lambda forcibly terminates the execution. This is a configuration problem, not necessarily a code defect.

To resolve the issue without modifying the function code, the developer should increase the Lambda function's timeout value. Lambda allows configuring the maximum runtime per invocation (up to the service limit). By increasing the timeout to a value that comfortably covers the expected transfer and processing initiation time for larger payloads, the function can complete its work successfully. This directly addresses the failure mode while keeping the existing implementation unchanged.

Option D (provisioned concurrency) reduces cold start latency by keeping execution environments initialized, but it does not extend the allowed runtime for a single invocation. If the function consistently needs more than 3 seconds for larger images, provisioned concurrency will not prevent timeouts. Option C (concurrency quota increase) increases the number of concurrent executions allowed, which can help throughput under load, but again does not affect per-invocation runtime limits. Option B avoids the problem by skipping large images, but it violates the functional need to process them and is not a general solution.

Therefore, the correct solution is A: increase the Lambda timeout so the function has sufficient time to move larger images between AWS services.

Question 4

A company has an application that uses an AWS Lambda function to process customer orders. The company notices that the application processes some orders more than once.

A developer needs to update the application to prevent duplicate processing.

Which solution will meet this requirement with the LEAST implementation effort?

AImplement a de-duplication mechanism that uses Amazon DynamoDB as the control database. Configure the Lambda function to check for the existence of a unique identifier before processing each event.

BCreate a custom Amazon ECS task to perform idempotency checks. Use AWS Step Functions to integrate the ECS task with the Lambda function.

CConfigure the Lambda function to retry failed invocations. Implement a retry mechanism that has a fixed delay between attempts to handle duplicate events.

DUse Amazon Athena to query processed events to identify duplicate records. Add processing logic to the Lambda function to handle the duplication scenarios that the query identifies.

Answer : A

Requirement Summary:

Orders are being processed more than once

Need to prevent duplicate processing

Looking for least implementation effort

Key Concept:

Lambda + Event-driven patterns can occasionally result in duplicate invocations (at-least-once delivery model)

You need idempotency (i.e., prevent repeated processing of same event)

Evaluate Options:

A . Use DynamoDB for de-duplication

Simple and widely used approach

Store a unique orderId as the primary key

Before processing, check if order exists

If yes skip

If no process and store the ID

Minimal code changes required

B . ECS + Step Functions

Overkill for basic de-duplication

Adds significant complexity

C . Retry logic with fixed delay

Doesn't prevent duplication --- makes it worse

Retrying might trigger the same message again

D . Athena to identify duplicates

Reactive solution, not preventative

Not suitable for real-time event de-duplication

Lambda idempotency: https://docs.aws.amazon.com/lambda/latest/dg/invocation-retries.html

Using DynamoDB for idempotent design: https://aws.amazon.com/blogs/compute/how-to-design-idempotent-APIs-on-aws/

Question 5

A developer is building an API that uses an Amazon CloudFront distribution to forward requests to an AWS Lambda function URL. The developer must ensure that the function URL can be accessed only through the CloudFront distribution and not directly.

Which solution will meet this requirement?

ACreate a resource-based policy for the CloudFront distribution. Configure the policy to allow access to the function URL.

BConfigure a resource-based policy for the Lambda function to allow only the CloudFront distribution to access the function URL. Configure the distribution to use an origin access control (OAC) for requests to the function URL.

CCreate an IAM role that has permissions to invoke the function URL. Configure a service role that has a CloudFront trust policy and permissions to make requests to the function URL.

DConfigure a resource-based policy for the Lambda function to allow only the CloudFront distribution's IP address range to access the function.

Answer : B

To ensure a Lambda function URL is reachable only through CloudFront, the solution must (1) make CloudFront the only authorized caller, and (2) prevent direct public access to the function URL endpoint. The AWS-native way to do this is to use a resource-based policy on the Lambda function that permits invocation only from the specific CloudFront distribution, combined with CloudFront's Origin Access Control (OAC) to sign origin requests.

A Lambda function URL can be configured for IAM-based authorization, and Lambda supports resource-based permissions (via lambda:AddPermission) that restrict who can invoke it. By scoping the permission so that only the CloudFront distribution (identified by a source ARN / distribution identifier) is allowed, direct requests that do not come through CloudFront will be rejected. This enforces the requirement that the function URL cannot be accessed directly.

CloudFront OAC is the modern mechanism to securely access origins by having CloudFront sign the requests it sends to the origin. When CloudFront signs requests and the origin (here, the Lambda function URL) is configured to accept only authorized requests per its resource policy, CloudFront becomes the only viable access path.

Option A is incorrect because CloudFront does not use a ''resource-based policy'' to grant access to an origin in this way; the enforcement must happen at the origin. Option C is not how CloudFront accesses origins; CloudFront does not assume a customer IAM role to fetch origin content. Option D is fragile and not recommended: CloudFront IP ranges can change and are not intended to be used as a static allowlist for origin protection; additionally, IP-based controls do not provide the same strong identity-based authorization that OAC + resource policy provides.

Question 6

A company has built an AWS Lambda function to convert large image files into output files that can be used in a third-party viewer application The company recently added a new module to the function to improve the output of the generated files However, the new module has increased the bundle size and has increased the time that is needed to deploy changes to the function code.

How can a developer increase the speed of the Lambda function deployment?

AUse AWS CodeDeploy to deploy the function code

BUse Lambda layers to package and load dependencies.

CIncrease the memory size of the function.

DUse Amazon S3 to host the function dependencies

Answer : B

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

AWS Lambda Layers:https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html

Question 7

A developer uses AWS IAM Identity Center to interact with the AWS CLI and AWS SDKs on a local workstation. API calls to AWS services were working when the SSO access was first configured. However, the developer is now receiving Access Denied errors. The developer has not changed any configuration files or scripts that were previously working on the workstation.

What is the MOST likely cause of the developer's access issue?

AThe access permissions to the developer's AWS CLI binary file have changed.

BThe permission set that is assumed by IAM Identity Center does not have the necessary permissions to complete the API call.

CThe credentials from the IAM Identity Center federated role have expired.

DThe developer is attempting to make API calls to the incorrect AWS account.

Answer : C

Requirement Summary:

Developer uses AWS IAM Identity Center (SSO) with AWS CLI / SDKs

Initially working fine

Now receiving AccessDenied errors

No changes to config or scripts

Key Understanding:

IAM Identity Center credentials are temporary and time-limited. When you use SSO-based access via the AWS CLI (aws sso login), it obtains temporary credentials stored in the local cache.

By default, these expire in 1 hour (can be extended).

Evaluate Options:

A . Permissions to CLI binary changed

Unlikely -- this would produce execution errors, not AccessDenied from AWS API

B . Permission set lacks required permissions

Then the error would have occurred from the beginning, not after time

C . IAM Identity Center credentials expired

Most likely -- user hasn't refreshed credentials using aws sso login again

After expiration, API calls fail with AccessDenied

D . Developer is calling the wrong AWS account

Would likely show different types of errors (AccountNotFound, etc.)

SSO and AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Troubleshooting SSO CLI: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

Amazon AWS Certified Developer - Associate DVA-C02 Exam Questions