Amazon DVA-C02 Exam Practice Test Instant Access

Question 1

An application ingests data from an Amazon Kinesis data stream. The shards in the data stream are set for normal traffic.

During tests for peak traffic, the application ingests data slowly. A developer needs to adjust the data stream to handle the peak traffic.

What should the developer do to meet this requirement MOST cost-effectively?

AInstall the Kinesis Producer Library {KPL) to ingest data into the data stream.

BSwitch to on-demand capacity mode for the data stream. Specify a partition key when writing data to the data stream.

CDecrease the amount of time that data is kept in the data stream by using the DecreaseStreamRetention Period API operation.

DIncrease the shard count in the data stream by using the UpdateShardCount API operation.

Answer : D

Question 2

A company caches session information for a web application in an Amazon DynamoDB table. The company wants an automated way to delete old items from the table.

What is the simplest way to do this?

AWrite a script that deletes old records; schedule the script as a cron job on an Amazon EC2 instance.

BAdd an attribute with the expiration time; enable the Time To Live feature based on that attribute.

CEach day, create a new table to hold session data; delete the previous day's table.

DAdd an attribute with the expiration time; name the attribute ItemExpiration.

Answer : B

Question 3

A developer is planning to migrate on-premises company data to Amazon S3. The data must be encrypted, and the encryption Keys must support automate annual rotation. The company must use AWS Key Management Service (AWS KMS) to encrypt the data.

When type of keys should the developer use to meet these requirements?

AAmazon S3 managed keys

BSymmetric customer managed keys with key material that is generated by AWS

CAsymmetric customer managed keys with key material that generated by AWS

DSymmetric customer managed keys with imported key material

Answer : B

The type of keys that the developer should use to meet the requirements is symmetric customer managed keys with key material that is generated by AWS. This way, the developer can use AWS Key Management Service (AWS KMS) to encrypt the data with a symmetric key that is managed by the developer. The developer can also enable automatic annual rotation for the key, which creates new key material for the key every year. The other options either involve using Amazon S3 managed keys, which do not support automatic annual rotation, or using asymmetric keys or imported key material, which are not supported by S3 encryption.

Question 4

A developer wants to expand an application to run in multiple AWS Regions. The developer wants to copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in the destination Region. According to company requirements, all AMIs must be encrypted in all Regions. However, not all the AMIs that the company uses are encrypted.

How can the developer expand the application to run in the destination Region while meeting the encryption requirement?

ACreate new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.

BUse AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.

CUse AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.

DCopy the unencrypted AMIs to the destination Region. Enable encryption by default in the destination Region.

Answer : A

Amazon Machine Images (AMIs) are encrypted snapshots of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters. The developer can copy the encrypted AMIs to the destination Region and use them to create a new application stack. The developer can delete the unencrypted AMIs after the encryption process is complete. This solution will meet the encryption requirement and allow the developer to expand the application to run in the destination Region.

[Amazon Machine Images (AMI) - Amazon Elastic Compute Cloud]

[Encrypting an Amazon EBS Snapshot - Amazon Elastic Compute Cloud]

[Copying an AMI - Amazon Elastic Compute Cloud]

Question 5

A company maintains a REST service using Amazon API Gateway and the API Gateway native API key validation. The company recently launched a new registration page, which allows users to sign up for the service. The registration page creates a new API key using CreateApiKey and sends the new key to the user. When the user attempts to call the API using this key. the user receives a 403 Forbidden error. Existing users are unaffected and can still call the API.

What code updates will grant these new users access to the API?

AThe createDeploymer.t method must be called so the API can be redeployed to include the newly created API key.

BThe updateAuthorizer method must be called to update the API's authorizer to include the newly created API key

CThe importApiKeys method must be called to import all newly created API keys into the current stage of the API.

DThe createUsagePlanKey method must be called to associate the newly created API key with the correct usage plan.

Answer : D

Question 6

A gaming application stores scores for players in an Amazon DynamoDB table that has four attributes: user_id, user_name, user_score, and user_rank. The users are allowed to update their names only. A user is authenticated by web identity federation. Which set of conditions should be added in the policy attached to the role for the dynamodb:PutItem API call?

"Condition": {

"ForAllValues:StringEquals": {

"dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],

"dynamodb:Attributes": ["user_name"]

}

"Condition": {

"ForAllValues:StringEquals": {

"dynamodb:LeadingKeys": ["${www.amazon.com:user_name}"],

"dynamodb:Attributes": ["user_id"]

}

"Condition": {

"ForAllValues:StringEquals": {

"dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],

"dynamodb:Attributes": ["user_name", "user_id"]

}

"Condition": {

"ForAllValues:StringEquals": {

"dynamodb:LeadingKeys": ["${www.amazon.com:user_name}"],

"dynamodb:Attributes": ["username", "userid"]

}

AOption A

BOption B

COption C

DOption D

Answer : A

The correct policy condition ensures that:

The LeadingKeys condition restricts operations to the authenticated user's user_id.

The Attributes condition limits the updatable attributes to user_name.

Explanation of Choices:

Option A: Correctly enforces both the key restriction (dynamodb:LeadingKeys) and ensures only the user_name attribute can be updated.

Option B, C, D: Use incorrect conditions, such as referencing user_name in the LeadingKeys or including other attributes like user_id in updatable fields.

Reference: AWS DynamoDB Condition Keys Documentation

Question 7

A company is using Amazon OpenSearch Service to implement an audit monitoring system. A developer needs to create an AWS Cloudformation custom resource that is associated with an AWS Lambda function to configure the OpenSearch Service domain. The Lambda function must access the OpenSearch Service domain by using Open Search Service internal master user credentials.

What is the MOST secure way to pass these credentials to the Lambdas function?

AUse a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain's MasterUserOptions and the Lambda function's environment variable. Set the No Echo attenuate to true.

BUse a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain's MasterUserOptions and to create a parameter. In AWS Systems Manager Parameter Store. Set the No Echo attribute to true. Create an 1AM role that has the ssm GetParameter permission. Assign me role to the Lambda function. Store me parameter name as the Lambda function's environment variable. Resolve the parameter's value at runtime.

CUse a CloudFormation parameter to pass the master uses credentials at deployment to the OpenSearch Service domain's MasterUserOptions and the Lambda function's environment varleWe Encrypt the parameters value by using the AWS Key Management Service (AWS KMS) encrypt command.

DUse CloudFoimalion to create an AWS Secrets Manager Secret. Use a CloudFormation dynamic reference to retrieve the secret's value for the OpenSearch Service domain's MasterUserOptions. Create an 1AM role that has the secrets manager. GetSecretvalue permission. Assign the role to the Lambda Function Store the secrets name as the Lambda function's environment variable. Resole the secret's value at runtime.

Answer : D

The solution that will meet the requirements is to use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret's value for the OpenSearch Service domain's MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret's name as the Lambda function's environment variable. Resolve the secret's value at runtime. This way, the developer can pass the credentials to the Lambda function in a secure way, as AWS Secrets Manager encrypts and manages the secrets. The developer can also use a dynamic reference to avoid exposing the secret's value in plain text in the CloudFormation template. The other options either involve passing the credentials as plain text parameters, which is not secure, or encrypting them with AWS KMS, which is less convenient than using AWS Secrets Manager.

Amazon DVA-C02 AWS Certified Developer - Associate Exam Practice Test