Amazon AWS Certified Developer - Associate DVA-C02 Exam Questions

Page: 1 / 14
Total 600 questions

Want more questions? Get Premium Access.
()

Question 1

A company has an application that runs across multiple AWS Regions. The application is experiencing performance issues at irregular intervals. A developer must use AWS X-Ray to implement distributed tracing for the application to troubleshoot the root cause of the performance issues.

What should the developer do to meet this requirement?

AUse the X-Ray console to add annotations for AWS services and user-defined services

BUse Region annotation that X-Ray adds automatically for AWS services Add Region annotation for user-defined services

CUse the X-Ray daemon to add annotations for AWS services and user-defined services

DUse Region annotation that X-Ray adds automatically for user-defined services Configure X-Ray to add Region annotation for AWS services

Answer : B

Distributed Tracing with X-Ray:X-Ray helps visualize request paths and identify bottlenecks in applications distributed across Regions.

Region Annotations (Automatic for AWS Services):X-Ray automatically adds a Region annotation to segments representing calls to AWS services. This aids in tracing cross-Region traffic.

Region Annotations (Manual for User-Defined):For segments representing calls to user-defined services in different Regions, the developer needs to add the Region annotation manually to enable comprehensive tracing.

AWS X-Ray:https://aws.amazon.com/xray/

Question 2

A company uses AWS CloudFormation to deploy an application that uses an Amazon API Gateway REST API with AWS Lambda function integration. The application uses Amazon DynamoDB for data persistence. The application has three stages: development, testing, and production. Each stage uses its own DynamoDB table. The company has encountered unexpected issues when promoting changes to the production stage. A developer needs to route 20% of the traffic to the new production stage API with the next production release. The developer needs to route the remaining 80% of the traffic to the existing production stage. The solution must minimize the number of errors that any single customer experiences. Which approach should the developer take to meet these requirements?

AUpdate 20% of the planned changes to the production stage. Deploy the new production stage. Monitor the results. Repeat this process five times to test all planned changes.

BUpdate the Amazon Route 53 DNS record entry for the production stage API to use a weighted routing policy. Set the weight to 80. Add a second record for the production domain name. Change the second routing policy to a weighted routing policy. Set the weight of the second policy to 20. Change the alias of the second policy to use the testing stage API.

CDeploy an Application Load Balancer (ALB) in front of the REST API. Change the production API Amazon Route 53 record to point traffic to the ALB. Register the production and testing stages as targets of the ALB with weights of 80% and 20%, respectively.

DConfigure canary settings for the production stage API. Change the percentage of traffic directed to canary deployment to 20%. Make the planned updates to the production stage. Deploy the changes.

Answer : D

The correct answer is D because Amazon API Gateway REST APIs support canary deployments for stages, which allow a developer to send a controlled percentage of production traffic to a new API deployment while the rest of the traffic continues to use the current deployment. Setting the canary percentage to 20% directly satisfies the requirement to route 20% of traffic to the new release and 80% to the existing production release.

This is the best approach because API Gateway canary deployments are specifically designed to reduce the blast radius of new releases in production. AWS documentation explains that canary releases enable testing of a new deployment with a subset of client traffic before promoting it fully. Since the canary runs within the same production stage, this minimizes the number of errors experienced by any single customer compared to less controlled alternatives. It is also cleaner than routing users to the testing stage, because a testing stage often has different configuration, data, or dependencies and is not intended to serve production traffic.

Option A is incorrect because partially deploying only some planned changes is not a safe traffic-routing strategy. Option B is incorrect because weighted Route 53 routing between production and testing stages does not provide the same controlled deployment semantics and may send the same customer to inconsistent backends. Option C is incorrect because placing an ALB in front of API Gateway is unnecessary and not the intended deployment pattern for API Gateway stage traffic shifting.

Therefore, API Gateway stage canary settings are the AWS-native solution that best meets the requirement.

Question 3

A company stores data in an Amazon S3 bucket. The data is updated multiple times every day from an application that runs on a server in the company's on-premises data center. The company enables S3 Versioning on the S3 bucket. After some time, the company observes multiple versions of the same objects in the S3 bucket. The company needs the S3 bucket to keep the current version of each object and the version immediately previous to the current version. Which solution will meet these requirements?

AConfigure an S3 bucket policy to retain one newer noncurrent version of the objects.

BConfigure an S3 Lifecycle rule to retain one newer noncurrent version of the objects.

CEnable S3 Object Lock. Configure an S3 Object Lock policy to retain one newer noncurrent version of the objects.

DSuspend S3 Versioning. Modify the application code to check the number of object versions before updating the objects.

Answer : B

The correct answer is B because Amazon S3 Lifecycle rules can manage versioned objects, including noncurrent object versions. In a versioning-enabled bucket, the newest object version is the current version, and older ones become noncurrent versions. The requirement is to keep the current version and only the immediately previous version. S3 Lifecycle is the native feature designed to expire or retain noncurrent versions according to policy.

AWS documentation explains that lifecycle configuration for versioned buckets can specify how many newer noncurrent versions to retain before Amazon S3 permanently removes older noncurrent versions. This directly matches the requirement to preserve only the latest prior version while cleaning up older historical versions automatically.

Option A is incorrect because an S3 bucket policy controls access permissions, not retention behavior for object versions. Option C is incorrect because S3 Object Lock is intended for write-once-read-many retention and legal hold scenarios, not for maintaining only one previous object version. Option D is not appropriate because suspending versioning would stop creation of new full versions going forward, but it would not provide an automated retention policy for existing versions, and modifying the application adds unnecessary complexity.

Using an S3 Lifecycle rule is the most operationally efficient and AWS-native solution. It allows the bucket to continue using versioning for protection against accidental overwrites while automatically limiting retained noncurrent versions to only what the business needs. Therefore, B is the correct answer.

Question 4

A company runs applications on Amazon EKS containers. The company sends application logs from the containers to an Amazon CloudWatch Logs log group. The company needs to process log data in real time based on a specific error in the application logs. Which combination of steps will meet these requirements? (Select TWO.)

ACreate an Amazon SNS topic that has a subscription filter policy.

BCreate a subscription filter on the log group that has a filter pattern.

CSet up an Amazon CloudWatch agent operator to manage the trace collection daemon in Amazon EKS.

DCreate an AWS Lambda function to process the logs.

ECreate an Amazon EventBridge rule to invoke the AWS Lambda function on a schedule.

Answer : B, D

Requirement Summary:

EKS containers send logs to CloudWatch Logs

Need to process logs in real time

Trigger logic based on a specific error in logs

Evaluate Options:

Option A: SNS topic with filter policy

SNS filter policies work on message attributes, not on CloudWatch Logs subscription filters

Option B: Subscription filter on log group

This enables real-time log processing

You can create a subscription filter with a pattern matching specific error strings

Sends matched logs to a Lambda function or Kinesis

Option C: CloudWatch agent operator for trace collection

Irrelevant for log processing

Used for monitoring and tracing, not real-time log filtering

Option D: Lambda function to process logs

Once logs match the pattern, Lambda can process and act (e.g., alert, store, analyze)

Option E: EventBridge rule on a schedule

Not real-time

Scheduled EventBridge rules are for cron-like tasks, not log stream processing

Subscription filters: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html

Real-time log processing with Lambda: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#LambdaExample

Logs in EKS to CloudWatch: https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html

Question 5

A developer is building an application that uses an Amazon RDS for PostgreSQL database. To meet security requirements, the developer needs to ensure that data is encrypted at rest. The developer must be able to rotate the encryption keys on demand.

AUse an AWS KMS managed encryption key to encrypt the database.

BCreate a symmetric customer managed AWS KMS key. Use the key to encrypt the database.

CCreate a 256-bit AES-GCM encryption key. Store the key in AWS Secrets Manager, and enable managed rotation. Use the key to encrypt the database.

DCreate a 256-bit AES-GCM encryption key. Store the key in AWS Secrets Manager. Configure an AWS Lambda function to perform key rotation. Use the key to encrypt the database.

Answer : B

Why Option B is Correct:A customer-managed AWS Key Management Service (KMS) key allows for encryption at rest and provides the ability to rotate the key on demand. This ensures compliance with security requirements for key management and database encryption.

RDS integrates natively with AWS KMS, allowing the use of a customer-managed key for encrypting data at rest.

Key rotation can be managed directly in AWS KMS without needing custom solutions.

Why Other Options are Incorrect:

Option A: AWS KMS managed encryption keys (AWS-owned keys) do not support key rotation on demand.

Option C & D: Storing keys in AWS Secrets Manager with custom rotation is not a recommended approach for database encryption. AWS KMS is designed specifically for secure key management and encryption.

AWS Documentation Reference:

Encrypting Amazon RDS Resources

AWS Key Management Service (KMS)

Question 6

A company wants to migrate its web application to AWS and leverage auto scaling to handle peak workloads. The solutions architect determined that the best metric for an auto scaling event is the number of concurrent users.

Based on this information, what should the developer use to auto scale based on concurrent users?

AAn Amazon SNS topic to be invoked when a concurrent user threshold is met

BAn Amazon CloudWatch NetworkIn metric

CAmazon CloudFront to leverage AWS edge locations

DA custom Amazon CloudWatch metric for concurrent users

Answer : D

Concurrent users is an application-level metric, not a default infrastructure metric. CloudWatch provides standard metrics such as CPU utilization, network input, and request counts for many AWS services, but it will not automatically know how many active users the application currently has unless the application publishes that value. The correct design is to publish concurrent user count as a custom CloudWatch metric and use that metric in the scaling policy. SNS is a notification service, not a metric source. CloudFront can improve content delivery, but it does not directly define application auto scaling based on concurrent users. NetworkIn might correlate with load but is not the metric chosen by the architect. CloudWatch supports custom metrics and alarms for threshold-based actions. (AWS Documentation)

===============

Question 7

A developer is building an application on a fleet of Amazon EC2 Linux instances that run the Apache web server. The application must send API calls that contain sensitive customer data to a second fleet of Linux instances that also run Apache. The two fleets are deployed in peered VPCs within the same AWS account and AWS Region.

All sensitive data must be encrypted in transit.

Which solution will meet these requirements in the MOST operationally efficient way?

ACreate security groups in each VPC that allow traffic only from the other fleet's security group.

BCreate an AWS Site-to-Site VPN connection between the two peered VPCs and route the API traffic through the VPN.

CEncrypt all Amazon EBS volumes with a customer managed AWS KMS key and attach an IAM instance profile that allows access to the key.

DRequest a certificate through AWS Certificate Manager (ACM) and redeploy both fleets by using TLS for Apache with the ACM-issued certificate.

Answer : D

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption. Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.