Practice Free DVA-C02 AWS Certified Developer - Associate Exam Questions Answers With Explanation

Distributed Tracing with X-Ray: X-Ray helps visualize request paths and identify bottlenecks in applications distributed across Regions.

Region Annotations (Automatic for AWS Services): X-Ray automatically adds a Region annotation to segments representing calls to AWS services. This aids in tracing cross-Region traffic.

Region Annotations (Manual for User-Defined): For segments representing calls to user-defined services in different Regions, the developer needs to add the Region annotation manually to enable comprehensive tracing.

The correct answer is D because Amazon CloudFront is the AWS content delivery network (CDN) designed to improve performance for users who access content globally. In this scenario, the application serves millions of video clips from Amazon S3 to users around the world, and the main problem is poor streaming quality as traffic scales. CloudFront addresses this by caching content at edge locations that are geographically closer to users, reducing latency and improving throughput.

AWS documentation emphasizes that CloudFront works especially well with Amazon S3 as an origin for static and streaming content. Instead of every viewer retrieving video data directly from the S3 bucket’s Region, CloudFront serves cached objects from nearby edge locations. This provides a major performance boost for global audiences and helps absorb large traffic spikes more efficiently.

Option A is incorrect because Route 53 geolocation routing directs DNS queries based on location, but it does not cache or accelerate video delivery. Option B can improve regional redundancy, but simply replicating objects across Regions does not automatically provide fast global delivery or edge caching. Option C is about storage cost optimization, not delivery performance.

CloudFront is also well suited for sudden spikes in traffic because AWS’s edge network is built for high-scale distribution. For video streaming workloads, the reduction in latency and the ability to serve content from nearby cached locations usually provide the largest performance improvement compared to the other options.

Therefore, the best solution is to create an Amazon CloudFront distribution with Amazon S3 as the origin , making D the correct answer.

Amazon S3 Lifecycle rules are specifically designed to manage object versions over time. When versioning is enabled, lifecycle rules can be configured to expire noncurrent versions , retaining only a defined number of recent versions.

AWS documentation states that lifecycle rules can be used to “retain a specific number of newer noncurrent versions.” By configuring a lifecycle rule to keep one noncurrent version , Amazon S3 automatically deletes older versions while retaining the current and immediately previous versions.

Bucket policies (Option A) control access, not retention. S3 Object Lock (Option C) is designed for regulatory compliance and write-once-read-many (WORM) use cases and is not suitable for routine version cleanup. Suspending versioning (Option D) does not remove existing versions and increases application complexity.

Therefore, an S3 Lifecycle rule is the correct and AWS-recommended solution.

Amazon S3 supports resource-based policies, which are JSON documents that specify the permissions for accessing S3 resources. A resource-based policy can be used to enforce encryption in transit by denying access to requests that do not use HTTPS. The condition key aws:SecureTransport can be used to check if the request was sent using SSL. If the value of this key is false, the request is denied; otherwise, the request is allowed. Reference: How do I use an S3 bucket policy to require requests to use Secure Socket Layer (SSL)?

For this workload, the access pattern is centered on each user’s activity history over time (the company is planning a marketing campaign based on each user’s activity). In DynamoDB, the most effective way to store and query time-ordered events per entity is to use a composite primary key where the entity identifier is the partition key and a time attribute is the sort key . Therefore, using user ID as the partition key groups all events for a given user together, and using timestamp as the sort key allows efficient retrieval in chronological order and supports range queries (for example, “activities in the last 7 days” or “between two dates”).

This design also helps maximize provisioned throughput efficiency and reduce throttling risk because it distributes data across partitions based on the partition key values (user IDs). With many users, writes and reads naturally spread across multiple partition key values rather than concentrating on a small set. The sort key further enables multiple activity records per user without overwriting items and supports precise queries without scanning.

Option B (product ID as partition key) does not align with the stated marketing need (per-user activity). It would cluster all users’ actions for a popular product into the same partition key, increasing the chance of hot partitions and throttling. Option C also risks hot partitions for popular product IDs; auto scaling helps capacity management but does not fix poor key distribution or hot-key access patterns. Option D (monotonic counter as partition key) is particularly problematic: sequential keys can create uneven distribution and a throughput bottleneck pattern, and it does not support user-centric queries efficiently.

Thus, A best matches the data model (user events over time), supports efficient queries, and reduces throttling risk by distributing workload across user IDs.

Step-by-Step Breakdown:

Requirement Summary:

Get notified when EC2 CPU Utilization > 80%

Option A: CloudWatch Alarm with SNS

Correct and standard AWS practice

CloudWatch automatically collects EC2 metrics, including CPUUtilization.

You can set a CloudWatch Alarm with a threshold (80% in this case).

Then, trigger an SNS notification to email, SMS, Lambda, etc.

Option B: AWS CloudTrail alarm

Incorrect: CloudTrail logs API activity, not performance metrics.

It doesn’t track metrics like CPU utilization.

Option C: Cron job on EC2 running --describe-instance-information

Incorrect: This doesn’t give CPU usage.

Also inefficient, and polling is bad practice when CloudWatch already monitors this natively.

Option D: Lambda function querying CloudTrail for CPU usage

Incorrect and conceptually flawed.

CloudTrail does not store performance metrics; CloudWatch does.

CloudWatch Alarms for EC2: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

EC2 Metrics in CloudWatch: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

Amazon SNS Notification Setup: https://docs.aws.amazon.com/sns/latest/dg/sns-email-notifications.html

The core requirement is to perform a one-time deployment for testing without impacting the existing pre-production stack that other team members rely on. The safest way to avoid disruption is to deploy into an isolated AWS account (a dedicated development/testing account) instead of modifying the shared pre-production environment.

Option C achieves this with the least effort: use the AWS SAM CLI to package and deploy the same SAM application into a new AWS account designated for development. This creates an isolated copy of the stack (Lambda + SNS topics) where the developer can validate changes without affecting the shared pre-production deployment or the release pipeline.

Option A still deploys into pre-production, which directly violates the requirement to avoid impacting the existing application. A “debug parameter” does not prevent resource updates or side effects.

Option B is inconsistent: a CloudFormation change set is created against a specific account/stack. You cannot create a change set in one account and “execute it” in a different account as stated. Cross-account execution would require different credentials and a separate deployment process.

Option D introduces additional pipeline/stage complexity and is not necessary for a one-time test; it also implies changing the existing stack/pipeline, which can itself cause disruption.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

The correct answers are D and E .

The requirement states that the company does not want to manage the underlying hosts . That means the containerized application should run on AWS Fargate , which is the serverless compute engine for Amazon ECS. With Fargate, AWS manages the underlying infrastructure, so the company does not need to provision, patch, or scale EC2 instances. To run a task on Fargate, the task definition must specify FARGATE in the requiresCompatibilities field. That is why D is correct.

The developer also needs to monitor CPU and memory utilization in the Amazon CloudWatch console . For ECS tasks on Fargate, the task definition must specify valid CPU and memory values. These values define the task’s resource allocation and enable ECS and CloudWatch to report utilization metrics against those configured resources. Therefore, E is also required.

Option A applies to ECS on EC2, where the company would manage cluster instances, which violates the requirement. Option B is unnecessary because ECS and CloudWatch already provide the needed service metrics without requiring a custom script. Option C is incorrect because the task does not need cloudwatch:GetMetricData permission merely for CloudWatch to display CPU and memory utilization metrics.

This design follows AWS best practices for running containers without host management while still gaining built-in observability. By selecting Fargate and defining the CPU and memory values in the task definition, the application can run serverlessly on ECS and expose the required utilization metrics in CloudWatch.

Therefore, the correct combination is D and E .

Comprehensive and Detailed Step-by-Step Explanation:

To ensure successful software deployments using AWS CodeDeploy, the application specification file (appspec.yml or appspec.json) must adhere to specific requirements:

File Format Requirement (Option B):

The appspec.yml file is a YAML-formatted file required for defining deployment actions and file locations. This is the modern and recommended format for application specification files.

It can also be a JSON-formatted file named appspec.json, but YAML is most commonly used and accepted.

File Placement Requirement (Option D):

The application specification file must reside in the root directory of the application ' s source code. This is necessary so that AWS CodeDeploy can detect and use the file during deployment.

Incorrect Options:

Option A: While a JSON-formatted file (appspec.json) is valid, this is not a mandatory requirement. YAML is also acceptable, and this option does not account for it.

Option C: The application specification file is not required to be stored in AWS CodeBuild; it must be included in the source code ' s directory structure.

Option E: The application specification file does not need to be stored in Amazon S3. S3 is commonly used for application artifacts, but the appspec.yml or appspec.json file must exist within the deployment package or source code root.

The requirements describe a real-time streaming use case where multiple processing applications must read the same stream in parallel, each must be able to resume processing after interruptions without data loss, and the system should support adding new processors with minimal duplication. Amazon Kinesis Data Streams (KDS) is purpose-built for this pattern.

With Kinesis Data Streams, producers write records to a stream that is split into shards. Multiple consumer applications can independently read from the stream using separate consumer groups (for example, using Kinesis Client Library). Each consumer maintains its own checkpoint (sequence number position), which allows it to resume from the last processed record after a restart or failure. This directly meets the “resume without losing data” requirement.

KDS also supports a configurable retention period (commonly 24 hours by default, extendable), enabling replay and recovery without forcing producers to re-send data or duplicating messages for each processor. Adding new consumers is straightforward: a new processor can begin reading the existing stream (from latest or from a trim horizon), which minimizes duplication compared to fan-out duplication patterns.

Why the others don’t fit:

SQS is a queue, not a stream. Multiple consumers typically compete for messages rather than all consuming the same messages independently, and duplication is required if multiple apps must process the same data.

Kinesis Data Firehose is primarily for delivery to destinations (S3, Redshift, OpenSearch) and not designed for multiple real-time parallel consumers with replay semantics.

EventBridge is event routing with limited replay/resume semantics compared to KDS and is not intended for high-throughput stream processing with per-consumer checkpoints.

Therefore, Amazon Kinesis Data Streams satisfies all requirements.

The requirement is to rotate database credentials at least weekly . The AWS service that is purpose-built for storing and automatically rotating secrets is AWS Secrets Manager . Secrets Manager supports rotation schedules (including daily, weekly, or custom intervals) and integrates with supported databases through rotation Lambda functions. With rotation enabled, Secrets Manager can periodically generate a new password, update the secret value, and apply the new credential to the database user, while allowing applications to retrieve the current credential securely at runtime.

Option C matches this best practice: create a database user, store the username/password in a Secrets Manager secret, and enable rotation (daily rotation more than satisfies a weekly requirement). Applications on EC2 can retrieve the secret at startup or on a refresh interval using the AWS SDK, and can cache it according to best practices to reduce API calls, while still supporting rotation.

Option A (Parameter Store secure string) encrypts parameters, but Parameter Store does not provide the same managed secret rotation workflow for database credentials; rotating the KMS key is not the same as rotating the database password. Option B is not applicable as stated for RDS for Microsoft SQL Server: IAM database authentication is supported for specific engines (commonly MySQL and PostgreSQL) and is not the standard mechanism for SQL Server password rotation. Option D is insecure and operationally fragile: embedding long-lived credentials in user data and environment variables makes rotation difficult and increases exposure risk.

Therefore, the most secure and compliant configuration is C : store DB credentials in AWS Secrets Manager and enable automated rotation on an interval that meets or exceeds the weekly rotation requirement.

Requirement Summary:

WebSocket-based messaging app using API Gateway WebSocket APIs

Need to:

Identify clients repeatedly connecting/disconnecting

Be able to remove problematic clients

Evaluate Options:

A. Switch to HTTP APIs

HTTP APIs don’t support WebSocket connections

B. Switch to REST APIs

REST APIs are not compatible with WebSockets

C. Use the callback URL to disconnect clients

?? Possible, but not a direct option

Callback URLs are used for sending messages to connected clients, not for disconnecting

D. Track client status in ElastiCache

Good solution: Store and update connection state (connected, disconnected, timestamps)

Helps track abuse or reconnections

E. Implement $connect and $disconnect routes

Required to capture connection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-selection.html

Managing WebSocket connections: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html

Why Option A is Correct:

The ArnLike condition with the specific ARN for myStateMachine ensures that only this state machine can assume the role. The format urn:aws:states is correct for specifying Step Functions resources.

Why Other Options are Incorrect:

Option B: Wildcards (*) in the ARN allow more resources to assume the role, which violates the requirement.

Option C: This condition restricts the account but not the specific state machine.

Option D: A StringNotEquals condition is used to deny specific values, which does not ensure exclusivity for the desired state machine.

AWS Documentation References:

IAM Trust Policies for Step Functions

The correct answer is D because the current DynamoDB table design is causing a hot partition problem. The table uses order_date as the partition key, which means that during peak ordering periods, a very large number of writes are likely targeting the same partition key value for the current date. In DynamoDB, write throttling often occurs when traffic is not evenly distributed across partition keys, even when the table uses on-demand mode . On-demand capacity can automatically scale, but it still depends on proper key distribution to avoid concentrated activity on a small number of partitions.

By changing the partition key to customer_id and using order_id as the sort key, writes will be spread across many customers instead of being concentrated on a small number of date values. This creates a more balanced write pattern and better aligns with DynamoDB best practices for high-scale workloads. DynamoDB documentation emphasizes choosing partition keys with high cardinality and even request distribution to avoid throttling and improve performance.

Option A is not a good design because a sequential partition key can still create uneven access patterns and usually does not support meaningful access requirements. Option B is not the best answer because simply increasing capacity does not fix a poor partition key design; hot partitions can still throttle. Option C is unnecessary because the issue is not that DynamoDB is the wrong service, but that the table schema needs redesign.

Therefore, the best solution is to refactor the key schema so that writes distribute more evenly across partitions, which is exactly what D achieves.

This step should be completed prior to deploying the application because it prepares the application artifacts for deployment. The AWS Serverless Application Model (AWS SAM) is a framework that simplifies building and deploying serverless applications on AWS. The AWS SAM CLI is a command-line tool that helps you create, test, and deploy serverless applications using AWS SAM templates. The sam package command bundles the application artifacts, such as Lambda function code and API definitions, and uploads them to an Amazon S3 bucket. The command also returns a CloudFormation template that is ready to be deployed with the sam deploy command. Compressing the application to a zip file and uploading it to AWS Lambda will not work because it does not use AWS SAM templates or CloudFormation. Testing the new Lambda function by first tracing it in AWS X-Ray will not prepare the application for deployment, but only monitor its performance and errors. Creating the application environment using the eb create my-env command will not work because it is a command for AWS Elastic Beanstalk, not AWS SAM.

The correct answer is A. Add a configuration file in TOML format to group configuration entries to every environment. Add a table for each testing and staging environment. Deploy updates to the environments by using the sam deploy command and the --config-env flag that corresponds to the each environment.

A. Add a configuration file in TOML format to group configuration entries to every environment. Add a table for each testing and staging environment. Deploy updates to the environments by using the sam deploy command and the --config-env flag that corresponds to the each environment. This is correct. This solution will meet the requirements with the least development effort, because it uses a feature of the AWS SAM CLI that supports a project-level configuration file that can be used to configure AWS SAM CLI command parameter values1. The configuration file can have multiple environments, each with its own set of parameter values, such as stack name, region, capabilities, and more2. The developer can use the --config-env option to specify which environment to use when deploying the application3. This way, the developer can avoid creating multiple templates or scripts, or manually overriding parameters for each environment.

B. Create additional AWS SAM templates for each testing and staging environment. Write a custom shell script that uses the sam deploy command and the --template-file flag to deploy updates to the environments. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires creating and maintaining multiple templates and scripts for each environment. This can introduce duplication, inconsistency, and complexity in the deployment process.

C. Create one AWS SAM configuration file that has default parameters. Perform updates to the testing and staging environments by using the —parameter-overrides flag in the AWS SAM CLI and the parameters that the updates will override. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires manually specifying and overriding parameters for each environment every time the developer deploys the application. This can be error-prone, tedious, and inefficient.

D. Use the existing AWS SAM template. Add additional parameters to configure specific attributes for the serverless function and database table resources that are in each environment. Deploy updates to the testing and staging environments by using the sam deploy command. This is incorrect. This solution will not meet the requirements with the least development effort, because it requires modifying the existing template and adding complexity to the resource definitions for each environment. This can also make it difficult to manage and track changes across different environments.

To give the frontend team immediate access to stable endpoints without waiting for a real backend implementation, the simplest approach is to use API Gateway MOCK integration . A MOCK integration lets API Gateway generate a response directly, without invoking Lambda or any other backend. This is ideal for early UI development because you can return consistent, predefined payloads and status codes for each method.

With MOCK integration, you configure an integration request (often using a static mapping template) to produce a dummy request payload that triggers a response, and then you configure integration responses to return specific HTTP status codes (such as 200, 400, 500) along with predefined JSON bodies. You can also set response headers (for example, Content-Type: application/json) and use mapping templates to shape the returned JSON. This satisfies the requirement to “return predefined HTTP status codes and JSON responses” while minimizing development effort and avoiding the need to deploy placeholder Lambda functions.

Option A (AWS_PROXY with Lambda) can work, but it requires creating and deploying Lambda functions and IAM permissions just to return static data—more effort than necessary. Option C (HTTP PROXY) depends on an external placeholder service, which adds another system to build and maintain. Option D is incorrect because HTTP status codes are not defined in the method request ; they are defined through method responses and realized through integration responses in API Gateway’s integration configuration.

Therefore, B is the best solution: MOCK integration with integration request/response mappings provides quick, code-free stubs that unblock frontend development.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

This is a feature flag / dynamic configuration requirement: enable a new feature for a subset of users (premium customers), toggle it on/off quickly based on feedback/performance, and deploy configuration changes safely with validation and without disruption. AWS AppConfig (part of AWS Systems Manager) is designed for exactly this use case.

AWS AppConfig helps create, manage, and deploy application configurations, including feature flags, in a controlled way. It supports configuration validators (such as JSON schema or Lambda validators) to catch errors before deployment. It also supports controlled rollouts with deployment strategies to reduce blast radius (for example, gradual deployments). This allows rapid changes without redeploying code and minimizes disruption.

Option A aligns perfectly: use AppConfig feature flags to target premium users and toggle the feature quickly.

Option B is incorrect because Secrets Manager is for sensitive secrets (passwords, API keys), not feature flag management and progressive configuration deployments.

Option C is incorrect because AWS Config evaluates resource compliance and records configuration changes of AWS resources; it does not serve runtime feature flag delivery.

Option D (Parameter Store) can store configuration values, but it does not provide the same feature-flag-focused capabilities, validation/deployment strategies, and safe rollout controls that AppConfig provides. Also, “lifecycle rules” is not how Parameter Store toggles features.

The Immutable deployment method is the best choice when a company requires minimal downtime and automatic rollback in case of a failure. Here ' s why:

In Immutable deployments, a new set of instances is launched with the updated version. These instances are tested and validated before they replace the old instances. This ensures zero downtime and immediate rollback if the deployment fails.

All at once (A) causes downtime because the update replaces all instances simultaneously.

Rolling deployments (B) update a few instances at a time, but if a failure occurs midway, downtime or partial unavailability can happen.

Snapshots (C) are not a deployment strategy in Elastic Beanstalk.

The requirement is for a single secret value to be available in multiple AWS Regions while remaining consistent across those Regions, with the least operational overhead . AWS Secrets Manager provides a managed capability for this use case: secret replication (also referred to as multi-Region secrets). When replication is enabled from a primary Region, Secrets Manager automatically creates and maintains synchronized replicas of the secret in the selected secondary Regions. Updates to the primary secret are propagated to the replicas so the secret value remains consistent across Regions.

This approach (option C) minimizes operational effort because AWS manages the replication workflow, consistency, and the lifecycle of replicas. The application in each Region can retrieve the secret from the local Region endpoint of Secrets Manager by referencing the Region-appropriate secret ARN, improving latency and reducing cross-Region dependency. It also improves resilience: if a Region has issues, workloads in another Region can still read the replicated secret locally.

Option A recreates managed replication with custom glue (Lambda + EventBridge), which adds code, scheduling, error handling, permissions, retries, and monitoring—higher operational overhead and more failure modes. Option B introduces a cross-Region runtime dependency on the primary Region and increases latency; local caching also risks stale secret values during rotations/updates unless carefully managed, and it reduces resilience if the primary Region is impaired. Option D (independent secrets per Region) increases operational overhead and directly risks inconsistency, because keeping values synchronized becomes a manual or custom automated process.

Therefore, C is the best solution: enable Secrets Manager replication in the primary Region and have applications in each Region read from their local replicated secret ARN to achieve consistent, multi-Region availability with minimal operational work.

Why Option B is Correct:Setting the visibility timeout ensures that once a message is being processed, it is temporarily hidden from other consumers. The Lambda function must delete processed messages to avoid re-processing when the visibility timeout expires.

Why Other Options are Incorrect:

Option A: Message retention affects how long messages stay in the queue, not how they are processed.

Option C: Receive message wait time optimizes long polling but does not prevent re-processing.

Option D: Delivery delay introduces latency for new messages and does not address message re-processing.

AWS Documentation References:

Using SQS Visibility Timeout

Amazon EventBridge: A service that reacts to events from various AWS sources, including S3. Rules define which events trigger actions (like invoking Lambda functions).

S3 Object Created Events: EventBridge can detect these, providing seamless integration for automated CSV processing.

S3 Lifecycle Rules: Allow for actions based on object age or prefixes. These can directly trigger Lambda functions for file processing.

The correct answer is C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event.

C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event. This is correct. AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging1. Amazon EventBridge is a serverless event bus service that enables you to connect your applications with data from a variety of sources2. EventBridge can create rules that run on a schedule, either at regular intervals or at specific times and dates, and invoke targets such as Lambda functions3. This solution meets the requirements of creating a small application that makes the same API call once each day at a designated time, without requiring any infrastructure in the AWS Cloud or any operational overhead.

A. Use a Kubernetes cron job that runs on Amazon Elastic Kubernetes Service (Amazon EKS). This is incorrect. Amazon EKS is a fully managed Kubernetes service that allows you to run containerized applications on AWS4. Kubernetes cron jobs are tasks that run periodically on a given schedule5. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EKS cluster, which would incur additional costs and complexity.

B. Use an Amazon Linux crontab scheduled job that runs on Amazon EC2. This is incorrect. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud6. Crontab is a Linux utility that allows you to schedule commands or scripts to run automatically at a specified time or date7. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EC2 instance, which would incur additional costs and complexity.

D. Use an AWS Batch job that is submitted to an AWS Batch job queue. This is incorrect. AWS Batch enables you to run batch computing workloads on the AWS Cloud8. Batch jobs are units of work that can be submitted to job queues, where they are executed in parallel or sequentially on compute environments9. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to configure and manage an AWS Batch environment, which would incur additional costs and complexity.

AWS Lambda is a service that lets you run code without provisioning or managing servers. Lambda functions can be configured to access resources in a VPC, such as an Aurora database, by specifying one or more subnets and security groups in the VPC settings of the function. A security group acts as a virtual firewall that controls inbound and outbound traffic for the resources in a VPC. To allow a Lambda function to communicate with an Aurora database, both resources need to be associated with the same security group, and the security group rules need to allow TCP traffic on Port 3306, which is the default port for MySQL databases. Reference: [Configuring a Lambda function to access resources in a VPC]

The error message " Task timed out after 3.01 seconds " indicates that the Lambda invocation exceeded the function’s configured timeout setting, which appears to be set to approximately 3 seconds . Larger images ( > 2 MB) take longer to transfer between services (due to network latency, throughput, and downstream service response time), so the runtime crosses the timeout threshold and Lambda forcibly terminates the execution. This is a configuration problem, not necessarily a code defect.

To resolve the issue without modifying the function code , the developer should increase the Lambda function’s timeout value . Lambda allows configuring the maximum runtime per invocation (up to the service limit). By increasing the timeout to a value that comfortably covers the expected transfer and processing initiation time for larger payloads, the function can complete its work successfully. This directly addresses the failure mode while keeping the existing implementation unchanged.

Option D (provisioned concurrency) reduces cold start latency by keeping execution environments initialized, but it does not extend the allowed runtime for a single invocation. If the function consistently needs more than 3 seconds for larger images, provisioned concurrency will not prevent timeouts. Option C (concurrency quota increase) increases the number of concurrent executions allowed, which can help throughput under load, but again does not affect per-invocation runtime limits. Option B avoids the problem by skipping large images, but it violates the functional need to process them and is not a general solution.

Therefore, the correct solution is A : increase the Lambda timeout so the function has sufficient time to move larger images between AWS services.

DynamoDB distributes throughput across partitions based on the hash key. A hot partition (caused by high usage of a specific hash key) can result in a ProvisionedThroughputExceededException, even if overall usage is below the provisioned capacity.

Why Option B is Correct:

Partition-Level Limits: Each partition has a limit of 3,000 read capacity units or 1,000 write capacity units per second.

Hot Partition: Excessive use of a single hash key can overwhelm its partition.

Why Not Other Options:

Option A: DynamoDB storage size does not affect throughput.

Option C: Provisioned scaling operations are unrelated to throughput errors.

Option D: Sort keys do not impact partition-level throughput.

DynamoDB Partition Key Design Best Practices

The requirement emphasizes collaboration , frequent code changes , and deploying from source control with the fewest manual steps. This aligns with a CI/CD pipeline approach where commits or merges automatically trigger builds and deployments. Using AWS CodePipeline orchestrates the stages (source, build, deploy), and AWS CodeBuild performs the build/package steps for the Lambda/serverless application. When integrated with a repository (such as CodeCommit, GitHub, or another supported provider), CodePipeline can automatically start when changes are merged into specific branches, enabling consistent, repeatable deployments.

Option C provides the least operational overhead for teams: developers push code and merge pull requests; the pipeline automatically builds artifacts, runs tests (if configured), packages dependencies, and deploys updates to Lambda (often via AWS SAM/CloudFormation under the hood). This removes manual “build on my laptop” drift, prevents inconsistent deployments between developers, and supports frequent iteration safely.

Option B (SAM CLI from a local machine) requires a developer to manually run build/deploy commands and assumes each developer’s environment is configured correctly. That increases manual steps and the risk of differences across machines. Option D (uploading zip in the console) is highly manual and not suitable for frequent changes or team collaboration. Option A is also suboptimal because storing built artifacts in source control is an anti-pattern; builds should be reproducible and produced by CI, not committed binaries.

Therefore, C is the best choice: set up CodePipeline + CodeBuild so merges to controlled branches automatically trigger builds and deployments to AWS Lambda with minimal manual intervention.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-overview.html#access-control-resource-ownership

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can create a DynamoDB table and configure the table with a primary key that consists of the title as the partition key and the release year as the sort key. This will enable querying for a given title and release year efficiently. The developer can also create a global secondary index that uses the genre as the partition key and the title as the sort key. This will enable querying for a given genre efficiently. The developer can store additional properties about the cast and production crew as attributes in the DynamoDB table. These attributes can have different data types and structures, and they do not need to be consistent across items.

In AWS X-Ray, filter expressions can filter trace data based on indexed fields that X-Ray can query efficiently. Custom data can be added to segments in two main ways: annotations and metadata. The critical difference is that annotations are indexed and can be used for filtering, while metadata is not indexed and is intended for additional diagnostic context that you do not typically query on.

Therefore, if the developer wants user-specified custom attributes to be usable in X-Ray filter expressions, the developer should record those attributes as annotations in the segment document. Once recorded as annotations, the developer can write filter expressions that match annotation keys/values and return only the relevant traces.

Option B is incorrect because metadata is not indexed and cannot be used in filter expressions for trace search the same way annotations can.

Option C is incorrect because segment documents have a defined schema; adding arbitrary “new segment fields” is not the intended method for searchable custom attributes.

Option D is unrelated: sampling rules control which requests get traced in the first place. They are not used to filter returned results by custom attributes after traces are recorded.

An Application Load Balancer can invoke Lambda functions as targets, but ALB must be explicitly granted permission to invoke the function. This is done by adding a resource-based permission to the Lambda function policy that allows the Elastic Load Balancing service principal to call lambda:InvokeFunction, typically scoped to the specific target group ARN.

If the developer registers the function as a target but does not add the required permission, the ALB will not be able to invoke the function when requests arrive. This is a common integration oversight: the target registration succeeds, but invocation fails because Lambda denies the call.

Option A is incorrect because ALB does support Lambda targets.

Option B is incorrect because Lambda targets can be configured through the console, CLI, or APIs.

Option D is unrelated: cross-zone load balancing affects distribution of traffic across AZs for instance/IP targets, not whether Lambda invocation is authorized.

This solution meets the requirements because it encrypts data at rest using AWS KMS keys and provides an audit trail of when and by whom they were used. Server-side encryption with AWS KMS managed keys (SSE-KMS) is a feature of Amazon S3 that encrypts data using keys that are managed by AWS KMS. When SSE-KMS is enabled for an S3 bucket or object, S3 requests AWS KMS to generate data keys and encrypts data using these keys. AWS KMS logs every use of its keys in AWS CloudTrail, which records all API calls to AWS KMS as events. These events include information such as who made the request, when it was made, and which key was used. The company policy can use CloudTrail logs to audit critical events related to their data encryption and access. Server-side encryption with Amazon S3 managed keys (SSE-S3) also encrypts data at rest using keys that are managed by S3, but does not provide an audit trail of key usage. Server-side encryption with customer-provided keys (SSE-C) and server-side encryption with self-managed keys also encrypt data at rest using keys that are provided or managed by customers, but do not provide an audit trail of key usage and require additional overhead for key management.

Amazon Machine Images (AMIs) are encrypted snapshots of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters. The developer can copy the encrypted AMIs to the destination Region and use them to create a new application stack. The developer can delete the unencrypted AMIs after the encryption process is complete. This solution will meet the encryption requirement and allow the developer to expand the application to run in the destination Region.

Step-by-Step Breakdown:

Requirement Summary:

AWS AppSync API needs to invoke Lambda functions

Some Lambda functions are long-running

AppSync should return immediately, minimizing operational overhead

**Option A: AppSync + Lambda as data source using Event Mode

Correct: AWS AppSync supports asynchronous (event) invocation of Lambda data sources using Event Mode.

Event Mode means:

AppSync invokes Lambda asynchronously

Immediately returns a response to the client (typically a predefined payload or null)

Ideal for fire-and-forget workloads or when the response is not immediately needed

Option B: Increase Lambda timeout

Incorrect: This keeps AppSync waiting.

Even with increased timeout, synchronous invocations would block AppSync responses.

Option C: SQS queue + polling Lambda

Possible but too complex for this use case.

Requires additional infrastructure: queue + mapping + custom logic.

Higher operational overhead compared to built-in AppSync Event Mode.

Option D: Enable caching in AppSync

Irrelevant: AppSync cache is for optimizing repeated read queries, not for async workflows.

Asynchronous Lambda with AppSync: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference-lambda.html#async-lambda-invocation

Lambda as AppSync Data Source: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html

Event Mode Docs: https://docs.aws.amazon.com/appsync/latest/devguide/lambda-resolvers.html#event-invocation-mode

Understand the Problem: The existing DynamoDB table has email_address as the partition key. Searching by customer_type requires a different data access pattern. We need an efficient way to query for partial matches on email_address based on customer_type.

Why Global Secondary Index (GSI):

GSIs allow you to define a different partition key and sort key from the main table, enabling new query patterns.

In this case, having customer_type as the GSI ' s partition key lets you group all emails with the same customer type together.

Using email_address as the sort key allows ordering within each customer type, facilitating the partial matching.

Querying the GSI:

You ' ll perform a query operation on the GSI, not the original table.

Use the begins_with key condition expression on the GSI ' s sort key (email_address) to find partial matches as the user types in the customer_type field.

Amazon Cognito user pools is a service that provides a secure user directory that scales to hundreds of millions of users. The developer can use Amazon Cognito user pools to manage user accounts and create an Amazon Cognito user pool authorizer in API Gateway to control access to the API. The developer can use the Lambda function to store the photos in Amazon S3, which is a highly scalable, durable, and secure object storage service. The developer can store the object’s S3 key as part of the photo details in the DynamoDB table, which is a fast and flexible NoSQL database service. The developer can retrieve previously uploaded photos by querying DynamoDB for the S3 key and fetching the photos from S3. This solution will meet the requirements with the least operational overhead.

For asynchronous Lambda invocations, AWS provides Lambda Destinations , which can route the result of every invocation to different targets based on outcome. Destinations support separate configuration for on-success and on-failure , and they send a structured payload that includes metadata and the function response (or error information). This payload is delivered as a JSON document , satisfying the requirement to record function responses in JSON format while also capturing every invocation record.

Option B matches this pattern directly: configure an on-failure destination (S3) and an on-success destination (SNS). With this configuration, each async invocation that succeeds results in a JSON record being delivered to the SNS topic, enabling downstream processing, notifications, or fan-out to other services. Each async invocation that fails results in a JSON record being delivered to S3, which provides durable, cost-effective storage for later analysis or replay workflows. This design requires minimal code changes because the routing is handled by Lambda’s destination configuration rather than custom logic in the function.

Option C relies on a DLQ for failures but then requires custom code to store success records in DynamoDB, increasing development effort and operational complexity. Option A is not aligned: canary deployments and log groups do not provide “multiple destinations per invocation outcome,” and CloudWatch Logs do not natively separate success/failure records as destinations with structured invocation payloads. Option D proposes OpenSearch as a success destination, but Lambda Destinations do not use OpenSearch directly as a destination target; the supported destination types are typically SQS, SNS, EventBridge, and Lambda , and you can store records in S3 through other integrations. Therefore, the best match that uses built-in destinations and records JSON invocation results is B .

An Inline Policy is a policy that is embedded directly into an IAM user, group, or role. When you use an inline policy, you maintain a strict one-to-one relationship between the policy and the identity. Since the requirement is to grant a specific " permanent " right to only one specific user within a group without changing the shared group policy, an inline policy attached directly to that individual user is the correct approach.

Concurrent users is an application-level metric, not a default infrastructure metric. CloudWatch provides standard metrics such as CPU utilization, network input, and request counts for many AWS services, but it will not automatically know how many active users the application currently has unless the application publishes that value. The correct design is to publish concurrent user count as a custom CloudWatch metric and use that metric in the scaling policy. SNS is a notification service, not a metric source. CloudFront can improve content delivery, but it does not directly define application auto scaling based on concurrent users. NetworkIn might correlate with load but is not the metric chosen by the architect. CloudWatch supports custom metrics and alarms for threshold-based actions. ( AWS Documentation )

===============

Step 1: Problem Understanding

Asymmetric Encryption Requirement: Users encrypt data with a public key, and only the company can decrypt it using a private key.

Data Encryption at Rest and In Transit: The data must be encrypted during upload (in transit) and when stored in Amazon S3 (at rest).

Step 2: Solution Analysis

Option A: Server-side encryption with Amazon S3 managed keys (SSE-S3).

Amazon S3 manages the encryption and decryption keys.

This does not meet the requirement for asymmetric encryption, where the company uses a private key.

Not suitable.

Option B: Server-side encryption with customer-provided keys (SSE-C).

Requires the user to supply encryption keys during the upload process.

Does not align with the asymmetric encryption requirement.

Not suitable.

Option C: Client-side encryption with a data key.

Data key encryption is symmetric, not asymmetric.

Does not satisfy the requirement for a public-private key pair.

Not suitable.

Option D: Client-side encryption with a customer-managed encryption key.

Data is encrypted on the client side using the public key.

Only the company can decrypt the data using the corresponding private key.

Data remains encrypted during upload (in transit) and in S3 (at rest).

Correct option.

Step 3: Implementation Steps for Option D

Generate Key Pair:

The company generates an RSA key pair (public/private) for encryption and decryption.

Encrypt Data on Client Side:

Use the public key to encrypt the data before uploading to S3.

S3 Upload:

Upload the encrypted data to S3 over an HTTPS connection.

Decrypt Data on the Server:

Use the private key to decrypt data when needed.

AWS Developer References:

Amazon S3 Encryption Options

Asymmetric Key Cryptography in AWS

The bottleneck is the database read path, shown by the sudden increase in the RDS ReadLatency metric. Because the application performs more reads than writes, caching frequently requested query results with Amazon ElastiCache is the most direct way to reduce database load and improve response time. Scaling ECS tasks or instances might increase application capacity, but it can also increase read pressure on the database and worsen latency. RDS for MySQL does not use DynamoDB-style read capacity units, so option C is invalid. Increasing ECS task memory helps only if the application containers are memory constrained, which is not indicated. AWS performance guidance identifies caching as a way to improve read latency, read throughput, and efficiency for read-heavy workloads. ( AWS Documentation )

===============

Amazon S3 supports server-side encryption, which encrypts data at rest on the server that stores the data. One of the encryption options is SSE-S3, which uses keys managed by S3. To use SSE-S3, the x-amz-server-side-encryption header must be set to AES256 when invoking the PutObject API operation. This instructs S3 to encrypt the object data with SSE-S3 before saving it on disks in its data centers and decrypt it when it is downloaded. Reference: Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

The response from the API call indicates that the ProvisionedThroughputExceededException exception has occurred. This exception means that the rate of incoming requests exceeds the throughput limit for one or more shards in a stream. To mitigate this exception, the developer can use one or more of the following techniques:

Implement retries with exponential backoff. This will introduce randomness in the retry intervals and avoid overwhelming the shards with retries.

Reduce the frequency and/or size of the requests. This will reduce the load on the shards and avoid throttling errors.

Increase the number of shards in the stream. This will increase the throughput capacity of the stream and accommodate higher request rates.

Use a PutRecord API instead of PutRecords. This will reduce the number of records per request and avoid exceeding the payload limit.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS-doc-aligned):

The most operationally efficient way to share and patch common dependencies across multiple Lambda functions is to use AWS Lambda layers . A Lambda layer is an independently managed deployment artifact that can contain libraries and other dependencies. Multiple functions can reference the same layer, which avoids packaging identical open source modules into each function bundle.

When a vulnerability or bug is found in a shared module, you patch it once by publishing a new layer version that contains the updated dependencies. Then you update each Lambda function configuration to reference the new layer version. This centralizes dependency management, reduces duplicated artifacts, and makes rollouts and rollbacks cleaner (you can switch layer versions quickly). It also keeps function deployment packages smaller, which often improves deployment speed and can reduce cold-start overhead associated with larger bundles.

The other options introduce unnecessary operational burden:

Downloading modules at cold start (CloudFront/S3) increases latency and adds failure modes at runtime.

Hosting a private registry on EC2 requires patching, scaling, availability management, and security hardening—high operational overhead.

A CloudFormation registry extension and daily scans are not a standard or efficient mechanism for packaging runtime Node.js dependencies into Lambda functions.

Lambda layers are a documented AWS-native feature intended for precisely this use case: sharing common code and libraries across functions while enabling controlled versioning. Therefore, creating a layer for the open source modules and updating the functions to consume the layer is the most efficient and maintainable approach.

Lambda Layers allow you to pull common code and dependencies out of your function ' s deployment package. By putting the open source modules into a layer shared by all three functions, you only need to update the layer once when a bug is found. Then, you update the functions to use the new layer version. This is the most efficient way to manage shared dependencies across multiple functions.

The requirement is real-time UI updates “immediately” without refreshing the dashboard. The most operationally efficient AWS-native method is to use API Gateway WebSocket APIs to push updates from the backend to the browser.

With option A, the client establishes a WebSocket connection and receives a connection ID. The application can associate uploads (or job IDs) with that connection ID (commonly storing the mapping in DynamoDB or another datastore). When the long-running validation finishes, the backend uses the WebSocket management API to post a message to the specific connection ID, and the browser updates the UI dynamically. This eliminates polling/refresh and scales well without managing servers.

Option B requires running and maintaining an EC2-hosted WebSocket server (patching, scaling, uptime), which is more operational overhead.

Option C uses email, which is not immediate UI updating and doesn’t update the dashboard without user action.

Option D is not appropriate: SNS does not directly push notifications to a web browser in a standard way, and it adds unnecessary complexity.

Therefore, using API Gateway WebSocket to push validation results to connected clients is the most operationally efficient solution.

For cross-account access from EC2 in Account A to a Kinesis data stream in Account B , the recommended secure pattern is to use STS AssumeRole into a role in the resource-owning account (Account B). This ensures Account B retains control over what permissions are granted to external principals and allows Account A workloads to obtain temporary credentials scoped to the required actions.

First, create an IAM role in Account B that has the necessary Kinesis read permissions (such as kinesis:GetRecords, kinesis:GetShardIterator, kinesis:DescribeStream, and related read actions as required). That corresponds to option B . This role represents the permission boundary controlled by Account B for accessing its stream.

Second, configure the role’s trust policy in Account B to allow the instance profile role (or another IAM principal) from Account A to assume it. In practice, the trust relationship is defined on the Account B role and specifies the Account A role as the trusted principal, enabling sts:AssumeRole. This corresponds to option C (the intent is “allow the instance profile role to assume the IAM role in Account B”).

Option A alone is insufficient because permissions in Account A do not grant access to resources owned by Account B without an explicit cross-account authorization path. Option D is incorrect because trust policies do not “allow reads from the stream”; they allow principals to assume roles , and permissions policies allow service actions. Option E (resource-based policy) is not the primary mechanism for Kinesis Data Streams cross-account access in this scenario compared with the standard role assumption model; the secure and common approach is to assume a role in the owning account.

Therefore, the correct actions are B (create the role with read permissions in Account B) and C (configure trust to allow Account A’s instance role to assume it).

The correct answer is D because the most cost-effective way to prevent PutItem from overwriting an existing item in Amazon DynamoDB is to use a conditional write with attribute_not_exists(transactionID) . AWS documentation explains that conditional expressions allow write operations to succeed only when specified conditions are true. In this case, the write should occur only if the item does not already exist. That preserves the original processing date for the first received transaction and prevents duplicates from replacing it.

This is the most cost-effective solution because it uses a single write request instead of adding an additional read operation. Since duplicate transactions happen infrequently and most items are unique, using GetItem first, as in option A, would introduce an extra read for every transaction, increasing cost and adding latency. A conditional put avoids that overhead and keeps the logic atomic. It also protects against race conditions where two requests might check for existence at nearly the same time and both attempt to write.

Option B is incorrect because TTL only controls automatic expiration of items and does not prevent overwrites. Option C is incorrect because attribute_exists(transactionID) would allow the write only when the item already exists, which is the opposite of the required behavior.

Therefore, the correct DynamoDB pattern is to use PutItem with a condition expression of attribute_not_exists(transactionID) so that existing records are not updated and the earliest processing date is preserved.

DynamoDB access control operates at the table and item level , not at individual attribute deny rules in IAM or resource-based policies. Therefore, Option A is not supported. Encrypting the entire table with KMS (Option B) protects data at rest but does not prevent the Lambda function from reading sensitive attributes once access is granted.

To ensure the Lambda function cannot access PII, AWS documentation recommends controlling which attributes are returned from queries and scans. Using a projection expression (Option E) ensures that only non-PII attributes are returned to the function, even if PII exists in the item. This is a standard DynamoDB best practice for limiting data exposure.

For additional protection, client-side or application-level encryption should be used for sensitive fields. Option C uses envelope encryption with AWS KMS to encrypt only PII attributes. Even if the function retrieves the encrypted attribute, it cannot decrypt the data without KMS permissions. This ensures strong isolation of sensitive data.

ABAC (Option D) controls access to resources, not attributes, and therefore does not satisfy the requirement.

Thus, combining attribute-level encryption with projection expressions meets the security requirement.

When using AWS SAM local (sam local invoke, sam local start-api), the Lambda code runs in a local container on the developer’s machine. If that code uses the AWS SDK to call AWS services, it needs AWS credentials available in the local environment. The recommended way is to rely on the AWS SDK’s standard credential provider chain, which includes credentials stored by the AWS CLI in ~/.aws/credentials and selected via a named profile .

By running aws configure --profile < profileName > , the developer creates a dedicated set of access keys (and optionally a session token/region) for the test account. Then, running SAM with sam local invoke --profile < profileName > causes SAM to supply those credentials to the local container so the function can authenticate to AWS and make real API calls in the intended test account. This approach is clean, repeatable, and avoids hardcoding secrets into templates or source code.

Option A is insecure and not the intended use of SAM templates; templates are infrastructure definitions, not secret stores. Option C sets the Lambda execution role for deployed functions in AWS, but it does not automatically grant credentials to code running locally on a laptop. Option D misuses --parameter-overrides, which is meant for overriding template parameters at deployment/build time, not for securely injecting AWS access keys into local execution.

Therefore, the correct approach is B : configure an AWS CLI profile and run SAM local with the --profile option so the Lambda code can call AWS APIs in the test account using standard credential handling.

The most secure solution is A because AWS Secrets Manager is purpose-built for storing, retrieving, and managing secrets such as database credentials, API keys, and tokens. In AWS guidance, Secrets Manager is recommended when applications need secure secret storage with controlled access, encryption, and integration with runtime retrieval patterns. By storing the credentials as a secret and passing only the secret ARN through an environment variable, the Lambda function avoids exposing the actual username and password in plaintext configuration.

The AWS Parameters and Secrets Lambda Extension is specifically designed to let Lambda functions retrieve secrets securely at invocation time. This reduces the risk of accidental exposure in code, deployment artifacts, or function configuration. Secrets Manager also supports automatic rotation , which is a major security advantage for database credentials and is one of the main reasons AWS recommends it over hardcoded or manually managed values.

Option B is incorrect because base64 is only encoding, not encryption, and embedding credentials in source code is insecure. Option C is less appropriate because a string type parameter in Systems Manager Parameter Store is not the secure choice for sensitive credentials; secure storage there would require SecureString , but even then Secrets Manager is the stronger AWS-recommended service for database secrets. Option D only masks values in CloudFormation outputs and logs with NoEcho ; it does not provide secure runtime secret retrieval or secret lifecycle management.

Therefore, A is the best and most secure answer according to AWS security best practices for Lambda applications handling database credentials.

Comprehensive and Detailed Step-by-Step Explanation:

Option C: Use AWS CodePipeline for CI/CD Workflow:

AWS CodePipeline automates the entire CI/CD pipeline, including build, deploy, and test stages. This minimizes manual effort and integrates well with AWS services.

API Gateway Stages: Represent different environments, such as dev, test, and prod, allowing isolated deployment and testing.

AWS CloudFormation Templates: Ensure that the infrastructure for Lambda and API Gateway is consistent across environments.

AWS CodeBuild for Automated Tests: Validates the deployments in each stage, ensuring integration and functionality are tested post-deployment.

Why Other Options Are Incorrect:

Option A and B: While using AWS SAM or CloudFormation for infrastructure management is valid, these options lack the fully automated CI/CD pipeline provided by CodePipeline.

Option D: Manually invoking Lambda functions using the AWS CLI introduces operational overhead and lacks the automation provided by CodePipeline.

Browsers enforce the Same-Origin Policy, which restricts web pages from requesting resources (like JavaScript files, fonts, and other assets) from a different domain/origin unless the target explicitly allows it. When the developer moved shared JavaScript and web fonts into a separate “central” S3 bucket, the applications likely began fetching these assets from a different origin than the app’s primary origin (for example, different domain, subdomain, or CloudFront distribution). As a result, the browser blocks those requests unless the response includes the appropriate CORS headers.

AWS documentation for Amazon S3 explains that to allow cross-origin requests from browsers, you must configure Cross-Origin Resource Sharing (CORS) on the S3 bucket that serves the resources. A CORS configuration defines allowed origins, methods (such as GET), and headers. For fonts in particular, browsers are strict and commonly require CORS headers to load fonts across origins.

Option C directly addresses this by adding a CORS policy to the central bucket, allowing the subsidiary application origins to retrieve JS and font files without being blocked.

Option B (bucket policy) controls authorization at the AWS request level, but it does not instruct browsers to allow cross-origin access. Even if the request is authorized, the browser can still block it if CORS headers are missing.

Option A (access points) is also about access management and does not solve browser CORS enforcement.

Option D (Content-MD5) is for integrity checking and is unrelated to cross-origin browser blocking.

Elastic Beanstalk application version lifecycle settings can delete old application versions from Elastic Beanstalk records and can optionally delete the source bundle from the S3 bucket. To retain the source code, the lifecycle policy must be configured not to delete the source bundle from S3. Enabling S3 versioning is not the correct control because Elastic Beanstalk itself can be configured to retain or delete source bundles. Increasing the version quota only changes how many application versions Elastic Beanstalk tracks before lifecycle cleanup occurs; it does not guarantee S3 source bundle retention. Disabling a separate S3 lifecycle policy is not the targeted Elastic Beanstalk setting. AWS documentation states that when Elastic Beanstalk deletes an application version, the source bundle remains in S3 unless the rule is configured to delete it. ( AWS Documentation )

===============

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

Amazon CloudFront field-level encryption is specifically designed to protect sensitive fields in HTTP requests. It allows CloudFront to encrypt specific request fields at the edge using asymmetric encryption , ensuring that only authorized application components that possess the private key can decrypt the data.

This approach ensures that sensitive fields remain encrypted throughout transit and processing, while non-sensitive fields can still be accessed normally. This satisfies the requirement that only specific parts of the application can decrypt the data.

Field-level encryption is a native CloudFront capability and is far more secure and scalable than implementing custom encryption logic in Lambda@Edge or Lambda functions. AWS documentation emphasizes using built-in CloudFront security features to minimize operational overhead and reduce the risk of cryptographic implementation errors.

Options A and B introduce unnecessary complexity and custom cryptographic handling, which AWS generally discourages when managed services are available. Option D only secures transport and access control and does not encrypt individual data fields.

Therefore, CloudFront field-level encryption with asymmetric keys is the AWS-recommended and correct solution.

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

This solution allows the developer to keep the dependencies of the Lambda functions up to date with the least additional complexity because it eliminates the need to update each function individually. A Lambda layer is a ZIP archive that contains libraries, custom runtimes, or other dependencies. The developer can create a layer that contains all of the shared dependencies and attach it to multiple Lambda functions. When the developer updates the layer, all of the functions that use the layer will have access to the latest version of the dependencies.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

The AWS Serverless Application Model (SAM) includes features for local testing and debugging of AWS Lambda functions. One of the most efficient ways to generate test payloads that match actual AWS event structures is by using the sam local generate-event command.

sam local generate-event: This command allows developers to create pre-configured test event payloads for various AWS services (e.g., S3, API Gateway, SNS). These generated events accurately reflect the format that the service would use in a live environment, reducing the manual work required to create these events from scratch.

Operational Overhead: This approach reduces overhead since the developer does not need to manually create or maintain test events. It ensures that the structure is correct and up-to-date with the latest AWS standards.

Alternatives:

Option A suggests using shareable test events, but manually creating or sharing these events introduces more overhead.

Option B and C both involve manually storing and maintaining test events, which adds unnecessary complexity compared to using sam local generate-event.

AWS SAM CLI documentation

S3 Object Lambda allows you to add your own code to process data retrieved from S3 before returning it to an application. You can use an AWS Lambda function to modify the data, such as removing PII, redacting confidential information, or resizing images. You can create an S3 Object Lambda access point and associate it with your Lambda function. Then, you can use the access point to request objects from S3 and get the modified data back. This way, you can maintain only one copy of the original document in S3 and apply different transformations depending on who accesses it. Reference: Using AWS Lambda with Amazon S3

This solution will meet the requirements by using AWS Encryption SDK, which is a client-side encryption library that enables developers to encrypt and decrypt data using data encryption keys that are protected by AWS Key Management Service (AWS KMS). The SDK encrypts the data encryption key with a customer master key (CMK) that is managed by AWS KMS, and stores it (encrypted) as part of the returned ciphertext. The developer does not need to keep track of the data encryption keys used to encrypt data, as they are stored with the encrypted data and can be retrieved and decrypted by using AWS KMS when needed. Option A is not optimal because it will require manual tracking of the data encryption keys used for each data object, which is error-prone and inefficient. Option C is not optimal because it will store the data encryption keys automatically in Amazon S3, which is unnecessary and insecure as Amazon S3 is not designed for storing encryption keys. Option D is not optimal because it will store the data encryption key in the user data for the EC2 instance, which is also unnecessary and insecure as user data is not encrypted by default.

The requirements call for (1) standardized templates to define serverless infrastructure, (2) the ability to test locally before deployment, and (3) integrating deployment and infrastructure changes into an existing AWS CodePipeline workflow. AWS Serverless Application Model (AWS SAM) is designed specifically for serverless applications and extends CloudFormation with serverless-specific resources (such as AWS::Serverless::Function, APIs, event sources). SAM also provides the SAM CLI , which includes local testing capabilities (for example, sam local invoke and sam local start-api) that emulate Lambda and API Gateway behavior for rapid iteration before deployment.

Option A fits all requirements: create an AWS SAM template as the infrastructure definition and add pipeline stages that execute the necessary SAM CLI commands (commonly sam build and sam deploy, and optionally test commands) as part of the CI/CD process. This makes deployments repeatable and automated, ensures infrastructure changes are deployed in lockstep with application changes, and keeps everything governed by the existing CodePipeline.

Option D uses SAM but relies on a standalone script outside the pipeline, which conflicts with the requirement to incorporate infrastructure changes into the existing pipeline. Option C (plain CloudFormation) can define infrastructure, but it does not inherently provide the same streamlined local testing workflow that SAM CLI provides for serverless event sources and APIs. Option B is unrelated: Step Functions is an orchestration service and its definition language is not a general infrastructure templating and local-testing solution for serverless deployments.

Therefore, A is the correct strategy: use AWS SAM templates and integrate SAM CLI build/deploy steps into CodePipeline to automate deployments and support local testing while managing infrastructure as code.

Requirement Summary:

Lambda function:

Retrieves an item from DynamoDB

Updates its attributes or creates it if it does not exist

Has primary key

Needs minimum required IAM permissions

Analysis of Required Permissions:

To get an item and update it or create it if it doesn ' t exist, the Lambda function must use the **PutItem** or **UpdateItem** API, and read with **GetItem**.

Valid API options:

GetItem: Read the item from the table.

UpdateItem: Update existing item attributes or insert if it doesn ' t exist (with UpdateExpression and ConditionExpression).

When UpdateItem is used without a conditional check for existence, it can create a new item if it does not exist (acts like upsert).

DescribeTable: (Optional) Used if you need table metadata (not strictly required here).

Evaluate the Choices:

Option A:

DeleteItem – Not needed

GetItem –

PutItem – (can create/replace but not partial update)

Close, but PutItem overwrites the full item, not update-in-place. Acceptable, but UpdateItem is better suited.

Option B:

UpdateItem – Required to modify attributes or insert new item

GetItem – Required to check existence or read data

DescribeTable – Optional, but not harmful

BEST FIT – Matches the update-or-create logic.

Option C:

GetRecords – This is used for DynamoDB Streams, not standard GetItem

PutItem –

UpdateTable – Used to change table settings, not data manipulation

Incorrect usage context

Option D:

UpdateItem, GetItem, PutItem – all valid

But UpdateItem alone is sufficient; including PutItem might not be necessary Also, image is faded (possibly invalid), and it ' s redundant

UpdateItem API: https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html

PutItem vs UpdateItem: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithItems.html

IAM actions for DynamoDB: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html

Lambda Destinations on Failure: Allow routing asynchronous function invocations to specified resources (like another Lambda function) upon failure.

Error Handling: The error-handling Lambda receives details about the failure, enabling logging and custom actions.

Direct Integration: This solution leverages native Lambda functionality for a simpler implementation.

Option B: The target group port in the ALB must match the port specified in the ECS task definition. If there is a mismatch, the ALB health check will fail since it cannot correctly route traffic to the container.

Option E: The ALB listener must have a default action that forwards requests to the correct target group associated with the ECS service. If this configuration is missing, the health check will fail as no traffic is routed to the service.

Option A is irrelevant to resolving health check issues since capacity providers relate to provisioning compute capacity.

Option C (hosted zone) is not directly related to ALB health checks.

Option D (redirecting traffic) is not related to ECS health check configurations.

AWS Secrets Manager is a service that helps securely store, rotate, and manage secrets such as API keys, passwords, and tokens. The developer can store the API credentials in AWS Secrets Manager and retrieve them at runtime by using the AWS SDK. This solution will meet the requirements of security, code management, and performance. Storing the API credentials in a local code variable or an S3 object is not secure, as it exposes the credentials to unauthorized access or leakage. Storing the API credentials in a DynamoDB table is also not secure, as it requires additional encryption and access control measures. Moreover, retrieving the credentials from S3 or DynamoDB may affect application performance due to network latency.

Why Option C is Correct:

Amazon ElastiCache (Memcached) provides low-latency, in-memory caching suitable for session storage. It ensures stateless web tier operations and supports the high throughput of 5000 requests per minute.

Why Other Options are Incorrect:

Option A: RDS has higher latency compared to in-memory caching solutions like ElastiCache.

Option B: Shared file systems introduce additional complexity and are not ideal for low-latency session data storage.

Option D: DynamoDB has low latency but is less performant than ElastiCache for in-memory session management.

AWS Documentation References:

Amazon ElastiCache for Session State Management

Amazon API Gateway provides tools for creating and documenting web APIs that route HTTP requests to Lambda functions2. You can secure access to your API with authentication and authorization controls. Your APIs can serve traffic over the internet or can be accessible only within your VPC2. You can override the cache method in the selected stage of API Gateway2. Therefore, option B is correct.

AWS Secrets Manager is specifically designed for sensitive information like database credentials. It supports automatic rotation and cross-account access. Using the " AWS Parameters and Secrets Lambda Extension " is the modern, high-performance way to retrieve secrets. It caches the secret locally in the Lambda execution environment, reducing latency and cost (API call volume) while ensuring the credentials are not stored in plaintext in environment variables or source code.

The least implementation effort is to publish a custom CloudWatch metric from the existing Lambda function that records the number of orders in each batch, then create a CloudWatch alarm that sends a notification to the SNS topic when the metric value is 0. This avoids building a separate stream-processing pipeline or scheduled analytics job. A new Kinesis consumer and Lambda function would add unnecessary services and operational complexity. A 24-hour scheduled function is also slower than required because the notification must happen as soon as possible. Logging to Kinesis only creates more data movement and still requires separate analysis logic. CloudWatch supports custom metrics, and CloudWatch alarms can send notifications through Amazon SNS when metric thresholds are breached. ( AWS Documentation )

===============

AWS best practice is to store sensitive values like database passwords, OAuth tokens, and API keys in a dedicated secrets service rather than in source code or configuration files. AWS Secrets Manager is specifically designed for this use case: secure storage, retrieval through APIs/SDKs, fine-grained IAM access control, encryption at rest, auditing through CloudTrail, and—critically—built-in secret rotation.

AWS documentation describes Secrets Manager rotation as an automated process that uses a rotation schedule and typically invokes a Lambda function to update the secret in both Secrets Manager and the target system (for example, a database). The rotation schedule can be configured to a custom interval, including every 6 months, satisfying the requirement.

Option A is incorrect because AWS KMS manages encryption keys, not application secrets. KMS key rotation rotates KMS keys, not database credentials or API tokens.

Option B is incorrect because ACM manages TLS certificates, not arbitrary secrets like API keys and OAuth tokens.

Option C is incorrect because EventBridge can schedule events, but it is not a secrets storage service and does not provide secure secret lifecycle management and integrated rotation workflows by itself.

Therefore, storing secrets in AWS Secrets Manager and enabling automatic rotation with a 6-month schedule is the correct solution.

SQS Delivery Behavior: Standard SQS queues guarantee at-least-once delivery, meaning messages may be processed more than once. This can lead to duplicate emails in this scenario.

Visibility Timeout: If the visibility timeout on the SQS queue is too short, a message might become visible for another consumer before the first Lambda function finishes processing it. This can also lead to duplicates.

For CloudFormation or AWS SAM templates that reference local artifacts, the source code must be uploaded to Amazon S3 before CloudFormation can deploy it. The aws cloudformation package command scans the template for local artifacts, uploads those artifacts to an S3 bucket, and outputs a modified template that references the S3 object locations. That packaged template can then be deployed with aws cloudformation deploy. There is no standard aws cloudformation compile, aws lambda zip, or aws serverless create-package command for this workflow. The Transform: AWS::Serverless-2016-10-31 declaration means SAM resources are being transformed through CloudFormation, but local code artifacts still need packaging. AWS documentation describes aws cloudformation package as the command for uploading local artifacts referenced by a CloudFormation template to S3. ( AWS Documentation )

===============

This solution allows the CloudFormation service role to access the S3 bucket from any account, as long as it has the S3 GetObject permission. The bucket policy grants access to any principal with the GetObject permission, which is the least privilege needed to deploy the Lambda code. This is more secure than granting ListBucket permission, which is not required for deploying Lambda code, or using a service-based link, which is not supported for Lambda functions.

Why Option C is Correct:Ensuring that pipeline artifacts are encrypted with a customer-managed AWS KMS key involves configuring the S3 bucket policy to require encryption. This policy ensures all objects uploaded to the bucket are encrypted with the specified KMS key.

Why Other Options are Incorrect:

Option A: A gateway endpoint improves S3 access efficiency but does not enforce encryption.

Option B: Encrypting CloudWatch Logs is unrelated to securing pipeline artifacts.

Option D: Configuring SNS for encryption does not affect the artifacts stored in the S3 bucket.

AWS Documentation References:

Using Server-Side Encryption with S3 Bucket Policies

Maximum concurrency for SQS as an event source allows customers to control the maximum concurrent invokes by the SQS event source1. When multiple SQS event sources are configured to a function, customers can control the maximum concurrent invokes of individual SQS event source1.

In this scenario, the developer needs to resolve the issue of the third-party API frequently returning an HTTP 429 Too Many Requests error message, which prevents a significant number of messages from being processed successfully. To achieve this, the developer can follow these steps:

Find out the documented rate limits of the third-party API, which specify how many requests can be made in a given time period.

Configure maximum concurrency on the SQS event source based on the rate limits of the third-party API. This will limit the number of concurrent invokes by the SQS event source and prevent exceeding the rate limits of the third-party API.

Test and monitor the application performance and adjust the maximum concurrency value as needed.

By using this solution, the developer can reduce the frequency of HTTP 429 errors and improve the message processing success rate. The developer can also avoid throttling or blocking by the third-party API.

For in-place deployments, AWS CodeDeploy uses a set of predefined hooks that run in a specific order during each deployment lifecycle event. The hooks are ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart, and ValidateService. The run order of the hooks for in-place deployments is as follows:

ApplicationStop: This hook runs first on all instances and stops the current application that is running on the instances.

BeforeInstall: This hook runs after ApplicationStop on all instances and performs any tasks required before installing the new application revision.

AfterInstall: This hook runs after BeforeInstall on all instances and performs any tasks required after installing the new application revision.

ApplicationStart: This hook runs after AfterInstall on all instances and starts the new application that has been installed on the instances.

ValidateService: This hook runs last on all instances and verifies that the new application is running properly on the instances.

Why Option A is Correct:Converting a Lambda function to use a container image involves packaging the function code into a container image, storing the image in Amazon Elastic Container Registry (ECR), and updating the function to use the ECR repository URI.

Why Other Options are Incorrect:

Option B: SAM templates support container-based Lambda deployment, but storing the image in S3 is not applicable.

Option C: CloudFormation does not natively support specifying Lambda container images in S3.

Option D: While partially correct, it omits the need to specify the image tag for the deployment.

AWS Documentation References:

Lambda Container Images

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudFront is a content delivery network (CDN) service that can improve the performance and security of web applications. The developer can use CloudFront and a custom domain name for the API Gateway REST API. To do so, the developer needs to import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the us-east-1 Region. This is because CloudFront requires certificates from ACM to be in this Region. The developer also needs to create a DNS CNAME record for the custom domain that points to the CloudFront distribution.

A global secondary index is the correct way to support a new DynamoDB access pattern that uses a different partition key from the base table. The existing table is keyed by customerId and orderId, but the new Lambda function must query by order_date and orderId. An LSI cannot solve this because an LSI must use the same partition key as the base table and only allows an alternate sort key. A table scan is operationally inefficient and becomes expensive and slow as the table grows. DynamoDB Streams are for change data capture and event-driven processing, not for querying historical records by a new key pattern. A GSI with order_date as the partition key and orderId as the sort key directly supports efficient Query operations.

===============

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.

This solution meets the requirements most cost-effectively because it optimizes the photos on demand and caches them for future requests. Lambda@Edge allows the developer to run Lambda functions at AWS locations closer to viewers, which can reduce latency and improve photo quality. The developer can create a Lambda@Edge function that uses the GET parameters from each request to optimize the photos with the required dimensions and resolutions and returns them as a response. The function can also store a copy of the processed photos on Amazon S3 for subsequent requests, which can reduce processing time and costs. Using S3 Batch Operations to create new variants of the photos will incur additional storage costs and may not cover all possible dimensions and resolutions. Creating a dynamic CloudFront origin or a Lambda@Edge function to route requests to corresponding photo variants will require maintaining a mapping of device types and photo variants, which can be complex and error-prone.

With Lambda’s SQS event source mapping, messages are delivered with at-least-once semantics. When processing messages in batches (up to 10 per invocation), a common source of unnecessary downstream API calls occurs when only some records in the batch fail. Without special handling, a failure can cause the entire batch to be retried, which means records that were already successfully processed can be delivered again, leading to duplicate calls to the third-party API.

To minimize unnecessary API calls while still preserving at-least-once delivery, the best solution is to enable partial batch response (also described as “report batch item failures”). When enabled, the Lambda function returns a response that explicitly identifies which message(s) failed (by messageId). The event source mapping then retries only the failed messages , while successfully processed messages are deleted from the queue. This reduces duplicates and avoids re-sending already successful records to the third-party API, while still ensuring failed items are retried until they succeed or are moved to a DLQ (if configured).

Option A (FIFO + content-based deduplication) helps prevent duplicate enqueue events within the deduplication window, but it does not stop duplicate deliveries caused by retries, visibility timeouts, or partial failures in a batch. Option B (reserved concurrency = 1) reduces parallelism but does not prevent retries or batch-level duplication; it can also hurt throughput. Option D (DLQ) is important for poison-pill handling but does not reduce duplicate API calls during normal retry behavior; it merely captures messages after the maximum receive count.

Therefore, C is the correct choice: enable batch item failure reporting and implement the function to return partial batch responses so only failed messages are retried, minimizing unnecessary third-party API calls while maintaining at-least-once delivery.

The requirement is application-level encryption (client-side) in addition to RDS encryption at rest, specifically to prevent database administrators from viewing PHI. Also, some PHI objects are large, so the solution must encrypt locally without size limitations.

AWS best practice for large data encryption with KMS is envelope encryption. With envelope encryption, the application generates a data encryption key (DEK) (typically obtained from KMS using GenerateDataKey). The application uses the plaintext DEK locally with a symmetric algorithm (such as AES-GCM) to encrypt the large PHI payload efficiently. The DEK itself is then protected by encrypting it with a KMS customer managed key (CMK), producing an encrypted data key that can be safely stored alongside the ciphertext. Only principals with permission to use the CMK can decrypt the DEK and then decrypt the PHI data. This ensures that even database administrators who can access the RDS data cannot read PHI without KMS authorization.

Option A is not suitable because the KMS Encrypt operation is intended for small payloads (KMS has size limits for direct encryption), making it inappropriate for large PHI files.

Option B is insecure because embedding encryption keys in source code violates key management best practices and makes rotation and compromise containment difficult.

Option C provides only storage-level encryption for the database volume; it does not ensure that PHI remains unreadable to administrators who can access the database content.

Therefore, using envelope encryption with a KMS customer managed key and storing the encrypted data key with the record is the most secure solution.

The requirement is encryption in transit for sensitive data sent in API calls between two Apache-based EC2 fleets in peered VPCs . The most operationally efficient approach is to restrict network access and rely on standard TLS at the application layer. Among the provided options, the only operationally simple and directly relevant network control is security group referencing across VPC peering within the same account and Region.

By creating security groups that allow inbound traffic only from the other fleet’s security group , the developer ensures that only the intended instances can communicate over the required ports (for example, 443 for HTTPS). This is operationally efficient because it avoids managing IP allowlists that change with Auto Scaling and keeps the trust boundary tied to instance membership rather than addresses. It also supports least privilege by limiting which sources can reach the service.

Why the other options are not the best fit:

B (Site-to-Site VPN) is unnecessary for VPC peering in the same account/Region and adds significant operational overhead. It also does not replace the need for TLS at the application layer to guarantee encryption to the endpoint.

C (EBS encryption) addresses encryption at rest on volumes, not encryption in transit between fleets.

D (Nitro Enclaves) is heavy and unrelated to the core requirement; enclaves protect data-in-use and do not replace standard TLS for network encryption.

Important nuance: Security groups alone do not encrypt traffic; encryption is achieved by using HTTPS/TLS between the Apache services. However, option A is the most operationally efficient control offered here to implement secure connectivity between the fleets (paired with using HTTPS on Apache, which is the standard for encrypting API calls).

Therefore, A best meets the requirement with the least operational complexity.

CloudFront is a content delivery network that caches objects at edge locations to reduce latency and origin load. When the developer updates static artifacts in the origin S3 bucket, CloudFront may continue serving cached versions until the objects expire based on cache-control headers or the distribution’s TTL settings. That is why the developer sees the updated files in S3 but not on the site.

The standard fix is to perform a CloudFront cache invalidation for the updated object paths (for example, /app.js, /styles.css, or /* if needed). An invalidation forces CloudFront edge locations to remove the cached objects so the next viewer request fetches the latest version from the S3 origin.

Option C directly addresses this behavior and is the correct operational practice when cache TTLs would otherwise delay updates.

Option A (Object Lock) is for WORM retention/compliance and has nothing to do with CloudFront cache refresh.

Option B might change what exists in S3 but does not guarantee CloudFront will stop serving cached content; the cache can still serve objects even if deleted from the origin (until it revalidates/refreshes).

Option D is unnecessary; the origin does not need to change to fetch updated content.

Therefore, invalidate the CloudFront cache after deployment to ensure the new artifacts are served.

Requirement Summary:

Orders are being processed more than once

Need to prevent duplicate processing

Looking for least implementation effort

Key Concept:

Lambda + Event-driven patterns can occasionally result in duplicate invocations (at-least-once delivery model)

You need idempotency (i.e., prevent repeated processing of same event)

Evaluate Options:

A. Use DynamoDB for de-duplication

Simple and widely used approach

Store a unique orderId as the primary key

Before processing, check if order exists

If yes ? skip

If no ? process and store the ID

Minimal code changes required

B. ECS + Step Functions

Overkill for basic de-duplication

Adds significant complexity

C. Retry logic with fixed delay

Doesn ' t prevent duplication — makes it worse

Retrying might trigger the same message again

D. Athena to identify duplicates

Reactive solution, not preventative

Not suitable for real-time event de-duplication

Lambda idempotency: https://docs.aws.amazon.com/lambda/latest/dg/invocation-retries.html

Using DynamoDB for idempotent design: https://aws.amazon.com/blogs/compute/how-to-design-idempotent-APIs-on-aws/

In the CloudFormation template, the developer should create a parameter with the list of approved EC2 instance types as AllowedValues. This way, users can select the instance type they want to use when launching the CloudFormation stack, but only from the approved list.

Amazon Q Developer (formerly part of CodeWhisperer) is an AI-powered assistant integrated into IDEs (like VS Code or JetBrains). It can generate unit tests, explain code, and suggest improvements. Highlighting a specific function and asking the agent to generate a unit test is the fastest, lowest-effort way for a developer to test a function before committing code, as it happens directly within the development workflow.

AWS Amplify is a set of tools and services that enables developers to build and deploy full-stack web and mobile applications that are powered by AWS. AWS Amplify supports hosting static websites on Amazon S3 and Amazon CloudFront, with HTTPS enabled by default. AWS Amplify also integrates with various version control systems, such as AWS CodeCommit, Bitbucket, and GitHub, and allows developers to connect different branches to different environments. AWS Amplify automatically builds and deploys the website whenever code changes are merged to a connected branch, enabling phased releases with minimal operational overhead. Reference: AWS Amplify Console

To meet the requirement for encryption " at rest, " you must enable Server-Side Encryption (SSE) on the SNS topic (Option A). To ensure encryption " in transit, " you must enforce HTTPS. The aws:SecureTransport global condition key checks if the request was made over SSL/TLS. Adding a Deny statement where aws:SecureTransport is false (Option E) effectively mandates that only encrypted connections are allowed to publish to the topic.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

The correct answer is B because Amazon S3 Lifecycle rules can manage versioned objects, including noncurrent object versions . In a versioning-enabled bucket, the newest object version is the current version, and older ones become noncurrent versions. The requirement is to keep the current version and only the immediately previous version. S3 Lifecycle is the native feature designed to expire or retain noncurrent versions according to policy.

AWS documentation explains that lifecycle configuration for versioned buckets can specify how many newer noncurrent versions to retain before Amazon S3 permanently removes older noncurrent versions. This directly matches the requirement to preserve only the latest prior version while cleaning up older historical versions automatically.

Option A is incorrect because an S3 bucket policy controls access permissions, not retention behavior for object versions. Option C is incorrect because S3 Object Lock is intended for write-once-read-many retention and legal hold scenarios, not for maintaining only one previous object version. Option D is not appropriate because suspending versioning would stop creation of new full versions going forward, but it would not provide an automated retention policy for existing versions, and modifying the application adds unnecessary complexity.

Using an S3 Lifecycle rule is the most operationally efficient and AWS-native solution. It allows the bucket to continue using versioning for protection against accidental overwrites while automatically limiting retained noncurrent versions to only what the business needs. Therefore, B is the correct answer.

AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.

Why Option B is Correct:The pilot light strategy keeps a minimal version of the environment in another Region and scales up during a disaster. It achieves an RTO and RPO of hours at a low cost and complexity.

Why Other Options are Incorrect:

Option A: Warm standby is more expensive as it keeps a scaled-down, fully functioning version running in another Region.

Option C: Backup and restore has a longer RTO and RPO than hours.

Option D: Multi-site active-active is costly and more complex than required.

AWS Documentation References:

Disaster Recovery Strategies on AWS

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

?? More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

The UnprocessedKeys element indicates that the BatchGetItem operation did not process all of the requested items in the current response. This can happen if the response size limit is exceeded or if the table’s provisioned throughput is exceeded. To handle this situation, the developer should retry the batch operation with exponential backoff and randomized delay to avoid throttling errors and reduce the load on the table. The developer should also use an AWS SDK to make the requests, as the SDKs automatically retry requests that return UnprocessedKeys.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is to query records by CustomerID, which is not the current partition key (OrderID). To achieve this efficiently:

Option A: Create a GSI with CustomerID as the Partition Key:

A Global Secondary Index (GSI) allows developers to create a different partition key and optional sort key for querying the data.

By creating a GSI with CustomerID as the partition key, the developer can query the table efficiently using CustomerID as the primary lookup key.

This avoids scanning the entire table and matches the requirement.

Why Other Options Are Incorrect:

Option B: Using CustomerID as a sort key for the GSI and performing a scan operation is inefficient. Queries are optimized, but scans are not.

Option C and D: Local Secondary Indexes (LSI) are only valid when the partition key remains the same as the base table. Since OrderID is the base table’s partition key, using CustomerID as the partition key or sort key in an LSI is not valid.

The correct answer is B because Amazon CloudWatch Logs Insights is the AWS-native tool for interactively searching, filtering, and analyzing log data that is already stored in CloudWatch Logs. In this case, the developer needs to investigate intermittent Lambda failures within a specific 1-hour period , identify logs related to failures, and capture the timestamps of those failures. Logs Insights is purpose-built for exactly this kind of operational troubleshooting.

AWS documentation describes Logs Insights as a fully integrated log analytics capability that can query log groups by time range and pattern. The developer can run a query that filters for error-related log messages, extracts timestamp fields, and sorts the results to find exactly when failures occurred. This is highly efficient because it does not require exporting logs, writing custom parsing scripts, or manually browsing through streams.

Option A is possible but not the most operationally efficient. Browsing logs through the CLI is slower and more manual, especially for intermittent failures. Option C is inefficient because downloading logs to a local machine adds unnecessary steps and operational overhead. Option D can work for large-scale analytics, but exporting to S3 and querying with Athena is more complex than needed for logs that are already in CloudWatch Logs.

Therefore, the best solution is to use CloudWatch Logs Insights to query the Lambda log group for failure patterns and timestamps. This provides fast, targeted, and operationally efficient troubleshooting directly within AWS.

Amazon Cognito User Pools: A managed user directory service, simplifying user registration and login.

Social Identity Providers: Cognito supports integration with external providers (e.g., Google, Facebook), reducing development effort.

IAM Roles for Authorization: Cognito-managed IAM roles grant fine-grained access to AWS resources (like Lambda functions).

Operational Overhead: Cognito minimizes the need to manage user identities and credentials independently.

Amazon CloudFront is a global content delivery network (CDN) designed to deliver static and streaming content with low latency and high throughput . AWS documentation explicitly recommends CloudFront for media streaming and high-request-rate workloads.

By placing CloudFront in front of Amazon S3, video content is cached at edge locations close to end users. This dramatically reduces latency, minimizes buffering, and offloads request volume from the S3 bucket. CloudFront is built to handle sudden traffic spikes and supports tens of thousands of requests per second per edge location.

Route 53 routing policies (Option A) control DNS resolution but do not cache content. Cross-Region Replication (Option B) improves regional availability but does not provide edge caching or streaming optimization. S3 Intelligent-Tiering (Option C) optimizes storage cost, not performance.

Therefore, using CloudFront with S3 as the origin provides the largest and most immediate performance improvement.

This solution will solve the deployment issue by deploying the new version of the application to one new EC2 instance at a time, while keeping the old version running on the existing instances. This way, there will always be at least four instances serving traffic during the deployment, and no downtime or performance degradation will occur. Option A is not optimal because it will increase the cost of running the Elastic Beanstalk environment without solving the deployment issue. Option B is not optimal because it will split the traffic between two versions of the application, which may cause inconsistency and confusion for the customers. Option D is not optimal because it will deploy the new version of the application to two existing instances at a time, which may reduce the capacity below four instances during the deployment.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

CloudFormation and Lambda Environment Variables:

CloudFormation is an excellent tool to manage infrastructure as code, including the log group resource.

Lambda functions can access environment variables at runtime, making them a suitable way to pass configuration information like the log group ARN.

CloudFormation Template Modification:

In your CloudFormation template, define the log group resource.

In the Lambda function resource, add an Environment section:

YAML

Environment:

Variables:

LOG_GROUP_ARN: !Ref LogGroupResourceName

Use code with caution.

content_copy

The !Ref intrinsic function retrieves the log group ' s ARN, which CloudFormation generates during stack creation.

Using the ARN in Your Lambda Function:

Within your Lambda code, access the LOG_GROUP_ARN environment variable.

Configure your logging library (e.g., Python ' s logging module) to send logs to the specified log group.

The most operationally efficient way to remove time-bound data from a DynamoDB table is to use Time to Live (TTL) . TTL is a DynamoDB feature that lets you define an attribute (typically a Unix epoch timestamp) that represents an item’s expiration time. After the timestamp has passed, DynamoDB automatically marks the item as expired and later deletes it in the background. This directly satisfies the requirement because the telemetry is only valuable for a limited time, yet it is currently stored indefinitely.

Enabling TTL (option C) improves performance and operational efficiency by preventing the table from growing without bounds. As the item count grows, access patterns that rely on scans, large partitions, or indexes can degrade, and storage-related overhead increases. TTL helps keep the dataset “fresh” by automatically removing stale telemetry, reducing the amount of data the application must work around and decreasing overall storage footprint.

Option A is operationally heavier: scanning and deleting items with a scheduled Lambda introduces ongoing maintenance, costs, and risk of throttling (table scans can be expensive and disruptive). It also requires custom logic, error handling, and retries. Option B addresses cost optimization for archived data but does not fix the DynamoDB table size or the performance degradation caused by keeping old data in the table; archiving is useful, but you still need an efficient deletion mechanism from DynamoDB. Option D (on-demand capacity mode) changes how capacity is managed, not how much data is stored; it does not remove stale items and therefore does not address the core problem.

Therefore, the best and most operationally efficient solution is C : add a TTL attribute to each telemetry item and enable TTL on the DynamoDB table so DynamoDB automatically expires and deletes old telemetry.

Why Option A is Correct:Encrypting PII at rest and in transit before storing it in DynamoDB ensures end-to-end security. Using the AWS Database Encryption SDK with KMS keys allows the Lambda function to encrypt data before transmission, meeting security and compliance requirements.

Why Other Options are Incorrect:

Option B: While AWS-managed KMS keys encrypt DynamoDB data at rest, they do not encrypt data in transit.

Option C: DynamoDB streams process updates after the data is written to the table, failing to encrypt PII in transit.

Option D: Step Functions and SQS add unnecessary complexity and still require encryption logic for both transit and at rest.

AWS Documentation References:

Encrypting Data in DynamoDB

AWS Database Encryption SDK

The key constraint is no changes to the Lambda code, while still fanning out notifications so that each department receives only its relevant file locations in its existing SQS queue. The cleanest “plumbing-only” pattern is S3 ? SNS ? SQS with SNS subscription filter policies.

Amazon S3 event notifications can publish events to an SNS topic. SNS then delivers messages to multiple subscribers, including SQS queues. By subscribing each department’s SQS queue to the SNS topic, the system can fan out the event to all queues. To ensure each department receives only its relevant events, the developer can configure SNS subscription filter policies (for example, based on object key prefixes like /deptA/, /deptB/). This routes messages without requiring any change to the Lambda function.

Option D is not ideal because S3 event notifications do not provide the same flexible filtering/routing to multiple SQS queues as SNS filter policies do (and configuring many direct notifications becomes harder to manage).

Options B and C require Lambda code changes, which violates the requirement.

Therefore, use S3 event notifications to SNS, subscribe each department SQS queue, and use filter policies for routing.

The solution that will meet the requirements with the least development effort is to set the image resize Lambda function as a destination of the avatar generator Lambda function for the events that fail processing. This way, the fallback mechanism is automatically triggered by the Lambda service without requiring any additional components or configuration. The other options involve creating and managing additional resources such as queues, topics, state machines, or rules, which would increase the complexity and cost of the solution.

The access restriction must be applied to the REST API, not merely to the static website bucket. API Gateway resource policies can control who can invoke an API and can restrict access by source IP address ranges or CIDR blocks. That directly satisfies the requirement that only computers from the corporate CIDR range can invoke the API. An S3 bucket policy would restrict access to the static website content, but the API endpoint could still be called directly unless API Gateway is also protected. An IAM service- linked role is not the correct control plane for client source IP filtering. Network ACLs apply at the subnet level inside a VPC and do not control public API Gateway invocation. AWS documentation confirms API Gateway resource policies support specified source IP address ranges. ( AWS Documentation )

===============

Pseudo Parameters: CloudFormation provides pseudo parameters that reference runtime context, including the current AWS Region.

Operational Efficiency: The AWS::Region pseudo parameter offers the most direct and self-contained way to obtain the Region dynamically within the template.

AWS SAM CLI is the correct tool for local Lambda testing with realistic event payloads. The developer can use sam local generate-event s3 put to create a sample S3 PutObject event and then pass that event to sam local invoke to run the Lambda function locally. This avoids deploying to production or manually constructing event JSON. Uploading an object to S3 will invoke a Lambda function configured in AWS, not a local function. The aws lambda invoke command invokes a deployed Lambda function, not a local one. The AWS Management Console also tests deployed functions, not local code. AWS SAM documentation confirms that sam local generate-event creates supported AWS service event payloads and sam local invoke invokes Lambda functions locally. ( AWS Documentation )

===============

Amazon API Gateway stages are designed to represent different deployment environments such as development, testing, and production. AWS documentation recommends using separate stages combined with stage variables to reference different backend resources without duplicating API definitions.

In this scenario, the development stage already uses a stage variable to reference the Lambda dev alias. To expose the production alias safely, the developer should deploy the API to a new stage named production and configure a stage variable that points to the Lambda prod alias. This approach allows the same API configuration and methods to be reused while cleanly separating environments.

Stage variables are resolved at runtime and are commonly used to reference Lambda aliases in integration ARNs. This enables controlled promotion of code from development to production without modifying methods or integrations.

Creating new methods (Options A and B) is unnecessary and increases operational complexity. Directly hardcoding the Lambda alias in the integration (Option D) removes flexibility and deviates from AWS best practices for environment separation.

Therefore, deploying a new API stage and using stage variables to reference the prod Lambda alias is the correct and most efficient solution.

The correct answer is A because AWS CodeBuild natively integrates with AWS Secrets Manager for securely injecting secrets into build environments. In the env section of buildspec.yml , CodeBuild supports a secrets-manager mapping that references a secret directly. This approach keeps the secret encrypted at rest in Secrets Manager, makes it available to the build only when needed, and minimizes custom retrieval logic and operational complexity.

This solution also aligns with the requirement that the secret must not appear in the build logs. AWS CodeBuild is designed to handle environment variables sourced from supported secret stores in a way that avoids exposing plaintext secret values during normal build output. By granting the minimum necessary IAM permissions to the CodeBuild service role, access to the secret is tightly controlled according to least-privilege principles.

Option B is not the best answer because storing secrets in S3 and downloading them during the build adds unnecessary operational overhead and increases the chance of accidental exposure. NoEcho is associated with CloudFormation parameters, not with securely masking S3-downloaded secrets in CodeBuild logs. Option C can also work because Parameter Store integrates with CodeBuild, but for secrets specifically, Secrets Manager is the more direct AWS-managed secret storage service and is generally preferred for this use case. Option D is less efficient because custom CLI retrieval in pre-build steps adds more code and more operational work than native integration.

Therefore, the solution with the least operational overhead and strong security is to use Secrets Manager with the buildspec.yml secrets-manager mapping , making A the correct answer.

The standard best practice for Elastic Beanstalk is to externalize configuration using Environment Variables. By storing sensitive API keys in SSM Parameter Store as a SecureString , you gain encryption and rotation capabilities. You then reference the parameter in the Elastic Beanstalk environment. The application can retrieve the value at runtime, and if the key is updated in Parameter Store, the application can pick up the change without needing a full code redeployment.

S3 Event Notifications provide the lowest latency because the Lambda function is triggered immediately upon the object ' s creation. Because the application runs only 10 times a day for about 1 minute per run, AWS Lambda is significantly cheaper than an EC2 instance, which would incur costs even when idle. Scheduled events (Option C) would introduce latency because the function might not run immediately when data arrives.

Visibility Timeout: When an SQS message is processed by a consumer (here, the Lambda function), it ' s temporarily hidden from other consumers. Visibility timeout controls this duration.

How It Helps:

Increase the visibility timeout beyond the maximum processing time your Lambda might typically take for long videos.

This prevents the message from reappearing in the queue while Lambda is still working, avoiding premature timeouts.

The solution that will meet the requirements is to add a test phase to the amplify.yml build settings for the application. This way, the developer can run end-to-end tests on every code commit and catch any bugs before deploying to production. The other options either do not support end-to-end testing, or do not run tests automatically.

Scenario: Application needs to fetch songs and artists efficiently in a single operation.

BatchGetItem: This DynamoDB operation retrieves multiple items across different tables based on their primary keys in a single request.

Optimized for Request Batching: This approach reduces network traffic compared to performing multiple queries individually.

Data Modeling: The songs table is designed appropriately for this access pattern using artistName as the sort key.

Requirement Summary:

Users experience buffering/delay when starting video stream

Architecture:

CloudFront ? API Gateway ? Lambda ? DynamoDB

Need to identify root cause of performance issues

Evaluate Options:

A: Enable AWS X-Ray tracing

Ideal for end-to-end tracing

Visualizes latency across services (API Gateway, Lambda, DynamoDB)

Creates a service map for easy identification of bottlenecks or errors

Designed specifically for distributed tracing and performance monitoring

B: CloudWatch Logs Insights

?? Helpful for querying logs

But lacks the visual trace linkage across services like X-Ray

Does not identify where latency accumulates

C: AWS Config

Tracks configuration changes, not runtime performance

D: CloudTrail + CloudWatch Logs

More useful for audit/logging, not tracing performance or latency issues

X-Ray overview: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html

Service map: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-service-map.html

Tracing API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-xray.html

Storing secrets in environment variables encrypted with AWS KMS is a standard secure practice for Lambda. By using a Customer Managed Key (CMK), you can audit every decryption request via CloudTrail. This ensures the keys are never in plaintext in the management console or code. Options B and C are highly insecure as they expose keys in URLs or client-side code. Tags (Option D) are not meant for sensitive secrets and are not encrypted.

To determine who deleted an Amazon RDS DB instance, the correct source of truth is AWS CloudTrail, which records API activity and includes the identity (IAM user, role, assumed role session) that made the call. Deleting an RDS instance is performed through the RDS API action DeleteDBInstance, and CloudTrail logs an event for this action that contains key fields such as userIdentity, eventTime, eventName, sourceIPAddress, and request parameters identifying the DB instance (for example, dBInstanceIdentifier).

Because the DB instance was deleted within the past 90 days, CloudTrail Event History is commonly sufficient (Event History typically retains 90 days of management events). If the company has a CloudTrail trail configured to deliver logs to S3/CloudWatch Logs, those logs can also be queried for the same event.

Option A directly matches this: retrieve CloudTrail events for DeleteDBInstance related to mysql-db and inspect the userIdentity section to identify the IAM principal that performed the deletion.

Option B is not reliable because RDS log groups (when enabled) capture database engine logs (slow query log, error log, general log) and do not record control-plane actions like who deleted the instance.

Option C is incorrect because X-Ray traces application-level request flows; it does not audit administrative actions like RDS deletion.

Option D is not applicable: Systems Manager inventory does not provide authoritative records of RDS deletions or the IAM principal responsible.

Therefore, CloudTrail lookup for DeleteDBInstance events is the correct solution.

Why Option A is Correct:Auto-scaling with a target utilization ensures the DynamoDB table dynamically adjusts capacity based on workload, maintaining high performance while optimizing cost. Setting a reasonable target utilization minimizes overprovisioning and throttling risks.

Why Other Options are Incorrect:

Option B: On-demand capacity is costlier than provisioned throughput for predictable workloads.

Option C: Using manual CloudWatch alarms and Lambda for scaling is less efficient and adds operational overhead.

Option D: DAX accelerates read performance but does not improve write performance.

AWS Documentation References:

DynamoDB Auto Scaling

Why Option A is Correct:Creating a CloudWatch metric filter with " ERROR " as the search term ensures that occurrences of the word " ERROR " in logs are counted. An alarm can then be set to notify the SNS topic when the count exceeds 1. This is the standard approach to monitor specific patterns in CloudWatch Logs.

Why Other Options are Incorrect:

Option B: CloudWatch Logs Insights is used for querying logs manually and does not integrate directly with alarms for automated notifications.

Option C: SNS subscription filters are not a feature for filtering log patterns in CloudWatch Logs.

Option D: CloudWatch alarms do not directly include log filter patterns; a metric filter is needed to create the metric first.

AWS Documentation References:

Creating CloudWatch Metric Filters

Using Amazon ElastiCache for Memcached to store and manage the session data will reduce the memory load and improve the performance of the web server. Using Amazon RDS for MySQL DB instance to store the application data will provide a scalable, reliable, and managed database service. Option A is not optimal because it does not address the memory issue of the web server. Option C is not optimal because it does not provide a persistent storage for the application data. Option D is not optimal because it does not provide a high availability and durability for the session data.

The issue occurs because the SSM Parameter Store parameters are managed by CloudFormation as stack resources. When CloudFormation performs a stack update, it will attempt to ensure the deployed resources match the template. If the template includes a parameter value, CloudFormation can overwrite the current value during updates, which explains why the application’s runtime modifications are lost.

The developer’s requirement is to continue deploying the stack (including adding resources/tags) without resetting parameter values that are modified outside CloudFormation. The lowest-effort way to do this is to prevent CloudFormation from updating those specific Parameter Store resources during stack updates.

A CloudFormation stack policy can explicitly deny update actions on selected resources (in this case, the SSM parameters). Stack policies are designed to protect critical resources from being unintentionally modified during stack updates. With an update-deny policy applied to the SSM parameter resources, CloudFormation can still update other resources (such as adding tags or creating new components), but it will not overwrite the parameter values that the application has changed.

Option A (DeletionPolicy: Retain) only affects what happens when a resource is deleted or replaced, not whether CloudFormation updates the resource in place. It will not reliably prevent stack updates from resetting values.

Options B and C are larger architecture changes and require migrating configuration storage to DynamoDB or RDS—much more development effort and operational overhead.

Therefore, applying a stack policy to deny updates on Parameter Store parameters is the best and least-effort solution.

Global Secondary Index (GSI): GSIs enable alternative query patterns on a DynamoDB table by using different partition and sort keys.

Addressing Query Bottleneck: By making the slow-query attribute the GSI ' s partition key, you optimize queries on that attribute.

Scalability: GSIs automatically scale to handle increasing data volumes.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

The requirement is specifically encryption at rest for messages stored in Amazon SQS. The AWS-native way to accomplish this is to enable server-side encryption (SSE) on the SQS queue . When SSE is enabled, SQS encrypts messages as they are stored and decrypts them when they are retrieved, using keys from AWS Key Management Service (AWS KMS) (either an AWS managed key for SQS or a customer managed KMS key). This provides transparent encryption at rest without requiring application-level cryptography changes.

Option C correctly states to enable SSE on the queue. Once enabled, any message content placed in the message body will be protected at rest in SQS. (Message attributes are also stored by SQS; however, the key requirement is to ensure the messages are encrypted at rest, and enabling SSE at the queue level is the control that enforces this.)

Option A (aws:SecureTransport) enforces encryption in transit by requiring HTTPS/TLS, not encryption at rest. It is a good security control, but it does not satisfy the at-rest requirement by itself. Option B is incorrect because SSE is not something the sender “sets within the message”; SSE is configured on the queue, not per-message by the microservices. Option D suggests putting sensitive data in attributes, which does not add security; it can actually increase exposure because attributes are often used for routing/filters and may be logged or surfaced in monitoring. The right pattern is to keep sensitive data where intended and rely on queue-level SSE to encrypt stored messages.

Therefore, enabling SQS SSE on the queue (C) meets the requirement to ensure messages are encrypted at rest while stored in SQS.

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. The developer can create an S3 bucket to host the repository and migrate the existing .xml files to the S3 bucket. The developer can update the application code to use the AWS SDK to read and write configuration files from S3. This solution will meet the requirement of high availability for the repository in a cost-effective way.

DynamoDB Streams: Capture near real-time changes to DynamoDB tables, triggering downstream actions.

Lambda for Processing: Lambda functions provide a serverless way to execute code in response to events like DynamoDB Stream updates.

Minimal Code Changes: This solution requires the least modifications to the existing application.

This solution will ensure that the repository package’s unit tests run in the new deployment environment with the least overhead because it uses AWS CodeBuild to build and test the code in a fully managed service, and AWS CodePipeline to orchestrate the deployment stages and actions. Option A is not optimal because it will use AWS CodeCommit instead of AWS CodeBuild, which is a source control service, not a build and test service. Option C is not optimal because it will use AWS CodeDeploy instead of AWS CodeBuild, which is a deployment service, not a build and test service. Option D is not optimal because it will add an action to the source stage instead of creating a new stage, which will not follow the best practice of separating different deployment phases.

By default, an Auto Scaling group uses EC2 status checks to determine instance health. EC2 status checks confirm that an instance is running and reachable at the infrastructure level, but they do not validate that the application is healthy behind the load balancer. In this scenario, the ALB is returning HTTP 502 errors and the target group shows instances as unhealthy, meaning the application is failing health checks (or not responding correctly). However, because the Auto Scaling group is using the default EC2 health check type, it does not consider these instances unhealthy for replacement.

AWS recommends configuring the Auto Scaling group to use ELB health checks when instances serve traffic behind an ALB or NLB. With ELB health checks enabled, Auto Scaling evaluates target health as reported by the load balancer target group. If the ALB marks an instance unhealthy, the Auto Scaling group will treat that instance as unhealthy and terminate and replace it automatically, restoring capacity with healthy targets.

Why the other options are insufficient:

Cooldown period (A) affects scaling timing, not health replacement logic.

Lifecycle hook changes (B) can help with initialization timing, but they do not cause Auto Scaling to replace instances based on ALB target health unless ELB health checks are enabled.

Health check grace period (D) delays health evaluation after launch, which can reduce premature replacement, but it still won’t replace instances based on ALB target group status unless the health check type is ELB.

Therefore, switching the Auto Scaling group health check type to Elastic Load Balancing (ELB) is the correct fix.

The solution that will meet the requirements is to create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function. This way, the developer can use an automated and serverless way to invoke the function every 10 minutes. The developer can also use a cron expression or a rate expression to specify the schedule for the rule. The other options either involve using an Amazon EC2 instance, which is not serverless, or using environment variables or query parameters, which do not trigger the function.

HTTP Status Codes: Each HTTP status code has a specific meaning in RESTful APIs.

HTTP 405 (Method Not Allowed): Indicates that the request method (e.g., POST) is not supported for the specified resource.

HTTP 401 (Unauthorized): Represents a failure to authenticate, which is the appropriate response for invalid login credentials.

Feature flags are a classic configuration-management use case: values change over time, multiple applications share them, and clients should retrieve updates efficiently with local caching. AWS AppConfig (part of AWS Systems Manager) is purpose-built to deploy and manage application configuration and feature flags. It provides controlled rollout, validation, and centralized configuration management. For operational efficiency, AWS offers the AWS AppConfig Agent for compute environments such as EC2.

With option C, the AppConfig Agent runs on each EC2 instance and polls AppConfig on a configured interval for updates. The agent maintains a local cache and exposes the current configuration through a localhost HTTP endpoint . The application then reads the feature flag values from the local endpoint, which is fast and reduces direct calls to AWS APIs. This meets both requirements: periodic polling for new values and caching once retrieved, while minimizing application changes and centralizing operational control in AppConfig.

Option D (Parameter Store + in-memory cache) can work, but it pushes more responsibility into each application: polling logic, caching behavior, error handling, and consistency. Option A misuses Secrets Manager (intended for secrets, not dynamic flags) and adds ElastiCache operational overhead. Option B similarly adds DAX and DynamoDB infrastructure and is not a standard feature-flag pattern; it also requires the app to implement polling and caching logic, reducing operational efficiency.

Therefore, C is the most operationally efficient solution: store flags in AWS AppConfig , run the AppConfig Agent on EC2 to handle polling and caching, and have the application read flags from the agent’s localhost endpoint.

The requirements are: (1) store an API key that a Lambda function will use, (2) ensure the secret is encrypted at rest using AWS KMS , and (3) the company must control key rotation , which implies using a customer managed KMS key (CMK) rather than an AWS managed key.

Option C meets the requirements by storing the API key in AWS Systems Manager Parameter Store as a SecureString parameter encrypted with a customer managed KMS key . SecureString is designed for sensitive configuration data and integrates with KMS so the organization can choose the CMK, manage its lifecycle, and control rotation policies. The Lambda function can retrieve the parameter at runtime using the AWS SDK, and IAM policies can tightly control access to the parameter and to the KMS key.

Option E also meets the requirements by storing the API key in a Lambda environment variable encrypted with a customer managed KMS key . Lambda encrypts environment variables at rest and allows you to specify a customer managed KMS key for encryption. This gives the company control over key rotation and key policy, satisfying the “must control key rotation” requirement. The function reads the value from the environment at runtime without additional network calls.

Why the other options fail:

A uses an AWS managed KMS key, which does not satisfy the requirement for the company to control rotation (you cannot manage rotation of AWS managed keys in the same way).

B is a plain String parameter, which is not encrypted as a secret and does not meet the at-rest encryption requirement.

D uses an AWS managed KMS key, again failing the company-controlled rotation requirement.

Therefore, the two valid solutions are C (Parameter Store SecureString with a customer managed CMK) and E (Lambda environment variable encrypted with a customer managed CMK).

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

AWS Lambda automatically integrates with Amazon CloudWatch Logs, but logging only works if the function’s execution role has the correct IAM permissions . AWS documentation states that Lambda functions require permissions for logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents to successfully publish log entries.

In this scenario, CloudWatch metrics show errors, which confirms that the function is executing. The absence of logs despite logging statements in the code strongly indicates a missing IAM permission issue , not a runtime or tracing issue.

CloudWatch Lambda Insights (Option B) provides performance metrics but does not enable basic logging. AWS X-Ray (Option C) provides distributed tracing but does not replace CloudWatch Logs. Option D is invalid because CloudWatch does not assume roles to collect logs.

AWS documentation explicitly identifies missing log permissions as the most common cause of absent Lambda logs. Therefore, granting the Lambda execution role the appropriate CloudWatch Logs permissions resolves the issue.

The CloudWatch PutMetricData API is the direct mechanism for publishing custom application metrics. For 1-second granularity, the metric must be published as a high-resolution metric by setting StorageResolution to 1. Dimensions provide name-value pairs that identify and organize metrics, such as service name, tenant, environment, or operation type. X-Ray is used for distributed tracing, not for storing CloudWatch custom metrics. ECS Container Insights provides container-level observability but is not the cleanest way to publish arbitrary custom metrics with 1-second resolution from application code. ECS Exec is for interactive command execution in containers and is not a monitoring pipeline. AWS CloudWatch documentation confirms that custom high-resolution metrics can be stored at 1-second resolution and published through PutMetricData. ( AWS Documentation )

===============

Option A is correct because DynamoDB uses cursor-style pagination through LastEvaluatedKey and ExclusiveStartKey. For an infinite scrolling feed, the application should request an initial page of results, then use the returned LastEvaluatedKey as the ExclusiveStartKey for the next query. AWS documentation explicitly states that the LastEvaluatedKey from a Query response should be used as the ExclusiveStartKey in the next Query request. This is the native DynamoDB pagination pattern and requires the least operational work. Full table scans to calculate offsets are inefficient and expensive at scale. Client-side pagination after retrieving all items is also inefficient and can break with large datasets. Storing page numbers manually recreates relational offset pagination and is fragile when feed data changes.

===============

To retrieve a secret’s value from AWS Secrets Manager, the calling principal must be authorized to call secretsmanager:GetSecretValue on the specified secret. This API returns the secret material (for example, SecretString or SecretBinary). Passing secret IDs through environment variables only tells the application which secret to request; it does not grant permission to access it.

Because the secret is encrypted with a customer managed AWS KMS key , the caller must also be allowed to use that key for decryption. Secrets Manager stores secret values encrypted at rest, and when a caller requests the secret value, KMS is used to decrypt the stored ciphertext under the configured CMK. Therefore, the principal needs kms:Decrypt permission on the CMK (and the CMK key policy must allow the principal, directly or via grants/conditions). Without kms:Decrypt, the GetSecretValue call will fail because Secrets Manager cannot return plaintext secret material.

secretsmanager:DescribeSecret (B) can be useful for reading metadata such as rotation configuration or tags, but it is not required to retrieve the secret value itself. secretsmanager:ListSecrets (C) is for discovery/enumeration and is not required when the application already knows the secret ID. kms:Encrypt (E) is not needed for reading a secret value; encryption permissions are relevant for write/update operations or client-side encryption flows, not for decrypting stored secrets.

Therefore, the required combination is A (secretsmanager:GetSecretValue) and D (kms:Decrypt) to successfully retrieve secret values encrypted with a customer managed KMS key.

Why Option D is Correct:When using a container-based AWS Lambda function, you are responsible for updating the base image for runtime patches. Rebuilding the container with the latest Node.js patch version ensures the function is updated with the required security patches. Publishing a new version of the Lambda function makes the updated image available for use.

Why Other Options are Incorrect:

Option A: The runtime update mode applies to functions using AWS-managed runtimes, not container-based runtimes.

Option B: Redeploying the same version of the Lambda function does not apply the security patch.

Option C: Rebuilding with the AWS OS base image does not guarantee that the latest Node.js patch version is included.

AWS Documentation References:

Lambda Function Container Images

Node.js Updates in AWS Lambda

The company already has SSM Agent deployed on all servers, which enables centralized, scalable fleet operations without logging in to each instance. The most operationally efficient solution is to automate key distribution using Systems Manager Run Command, executing a script across the entire fleet (or a targeted subset) in one action.

Option B uses S3 as a simple distribution source and Run Command to perform the update at scale. The developer can store the required key material in a controlled S3 location and write a script that places the key in the correct filesystem path (with correct permissions/ownership), updates authorized_keys if needed, and restarts any services if required. Run Command can target instances by tags, resource groups, or instance IDs and provides execution logging and status.

Option A is not operationally efficient because it requires logging into each server manually.

Option C and D push the distribution burden to humans (“grant team members permissions to download”), which is error-prone, slow, and not scalable. Also, distributing private keys broadly to individuals increases risk.

The application relies on shared file storage that behaves like NFS and must be accessible concurrently by multiple containers across Kubernetes nodes. AWS documentation clearly identifies Amazon EFS as the AWS-native, fully managed, NFS-compatible file system designed for this purpose.

Amazon EFS provides elastic scaling , high availability across multiple Availability Zones, and native integration with container orchestration platforms. It is the most direct replacement for on-premises NFS, requiring minimal architectural change.

To run Kubernetes workloads on AWS with high availability, AWS recommends Amazon EKS , a managed Kubernetes service that automatically handles control plane availability and upgrades. EKS integrates natively with EFS using the Amazon EFS CSI driver, allowing pods across multiple nodes to mount the same file system concurrently.

Amazon EBS (Options A, C, and D) is block storage that can be attached to only one EC2 instance at a time (except in limited Multi-Attach scenarios) and is therefore unsuitable for shared NFS-style access across a Kubernetes cluster.

Uploading container images to Amazon ECR ensures secure, scalable storage for container images and seamless integration with EKS.

Therefore, migrating the NFS data to Amazon EFS and running the workloads on Amazon EKS is the fastest, most scalable, and AWS-recommended solution.

A Lambda alias is a pointer to a specific Lambda function version or another alias1. A Lambda alias allows you to invoke different versions of a function using the same name1. You can also split traffic between two aliases by assigning weights to them1.

In this scenario, the developer needs to test their changes in production on a small percentage of all traffic without changing the API Gateway URL. To achieve this, the developer can follow these steps:

Define an alias on the $LATEST version of the Lambda function. This will create a new alias that points to the latest code of the function.

Update the API Gateway endpoint to reference the new Lambda function alias. This will make the API Gateway invoke the alias instead of a specific version of the function.

Upload and publish the optimized Lambda function code. This will update the $LATEST version of the function with the new code.

On the production API Gateway stage, define a canary release and set the percentage of traffic to direct to the canary release. This will enable API Gateway to perform a canary deployment on a new API2. A canary deployment is a software development strategy in which a new version of an API is deployed for testing purposes, and the base version remains deployed as a production release for normal operations on the same stage2. The canary release receives a small percentage of API traffic and the production release takes up the rest2.

Update the API Gateway endpoint to use the $LATEST version of the Lambda function. This will make the canary release invoke the latest code of the function, which contains the optimized changes.

Publish to the canary stage. This will deploy the changes to a subset of users for testing.

By using this solution, the developer can test their changes in production on a small percentage of all traffic without changing the API Gateway URL. The developer can also monitor and compare metrics between the canary and production releases, and promote or disable the canary as needed2.

The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.

With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.

Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”

Option A expires objects, which deletes them after 7 days—this contradicts the requirement to keep objects available.

Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.

Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.

Requirement Summary:

Lambda function accesses RDS for MySQL

Credentials are currently hardcoded in code (insecure)

Must enable automated credential rotation every 30 days

Option A: Use AWS Secrets Manager + automatic rotation

Best and secure option

Secrets Manager allows:

Secure storage of secrets

Integration with RDS for automatic rotation

Scheduled rotation every X days (e.g., 30 days)

Lambda can fetch credentials via SDK (GetSecretValue)

Option B: Use SSM Parameter Store + rotation

SSM does not support automatic rotation of secrets.

You ' d need to build custom rotation logic = higher operational overhead.

Option C: Encrypted S3 + Object Lambda rotation

Not intended for credential storage.

S3 is not a secrets management system, and Object Lambda does not perform rotation.

Option D: SSM + EventBridge rotation

No native integration between Parameter Store and EventBridge for secret rotation.

You’d need to build custom Lambda functions = higher maintenance.

Secrets Manager rotation for RDS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Secure retrieval in Lambda: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

Integration with RDS MySQL: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_rds_config.html

The workload is explicitly very I/O intensive and requires reading the same file multiple times. Reading repeatedly from S3 across the network will introduce latency and repeated network I/O. For best performance, the function should download the file once to fast local storage and perform all repeated reads locally.

AWS Lambda provides ephemeral storage mounted at /tmp. AWS allows increasing this ephemeral storage beyond the default size. Because the files are at most 2 GB, the developer can configure the Lambda function’s ephemeral storage to 2 GB and copy each S3 object into /tmp before processing. This converts repeated network reads into repeated local filesystem reads, which is significantly faster and more consistent for I/O-heavy workloads.

Option D (read directly from S3) is the least optimized because each pass over the file requires additional network I/O and S3 GET requests.

Option A is not feasible: Lambda cannot directly attach and manage an EBS volume like an EC2 instance can.

Option B is not applicable: ENA is an EC2 networking feature; Lambda networking is managed by the service and does not allow attaching ENAs for performance tuning in that way.

Because the files are disposable after processing, using ephemeral /tmp storage is also cost-effective and operationally simple, and it is aligned with the “process once per file” pattern.

Therefore, increase Lambda ephemeral storage and copy the video into /tmp for repeated reads.

IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.

Create a role with a policy allowing s3:GetObject on the specific bucket.

Attach the role to an instance profile and associate that profile with your instances.

Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.

Modify the app to use the AWS SDK to call GeneratePresignedUrl.

Embed these URLs when a user is properly logged in, allowing download access.

This benefit occurs when initializing the AWS SDK outside of the Lambda handler function because it allows the SDK instance to be reused across multiple invocations of the same function. This can improve performance and reduce latency by avoiding unnecessary initialization overhead. If the SDK is initialized inside the handler function, it will create a new SDK instance for each invocation, which can increase memory usage and execution time.

Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with Amazon EC2 instances1. Amazon EBS encryption offers a straight-forward encryption solution for your EBS resources associated with your EC2 instances1. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: Data at rest inside the volume, all data moving between the volume and the instance, all snapshots created from the volume, and all volumes created from those snapshots1. Therefore, option A is correct.