DVA-C02 Exam Dumps - AWS Certified Developer - Associate

AWS X-Ray SDK: The primary way to enable X-Ray tracing within applications. The SDK sends data about requests and subsegments to the X-Ray daemon for service map generation.

Instrumenting All Services: To visualize a complete microservice architecture on the service map, each relevant service must include the X-Ray SDK.

For rapid prototyping with the least operational overhead, Lambda function URLs are the best fit. A Lambda function URL provides a built-in HTTPS endpoint directly in front of a Lambda function, allowing the frontend team to invoke each endpoint without requiring additional infrastructure. This is ideal when the overall architecture is not finalized and the team needs a quick way to test.

AWS describes Lambda function URLs as a simple way to “add an HTTPS endpoint to your Lambda function” without requiring API Gateway, load balancers, or custom proxy layers. This substantially reduces setup time and avoids the operational tasks associated with provisioning, configuring, and managing an API layer during early-stage development.

Option B (API Gateway REST API) introduces more operational overhead: creating resources, methods, integrations, deployments, stages, and potentially authorization and throttling configuration. API Gateway is powerful, but it is more than needed for quick endpoint testing.

Option C (AppSync) is designed for GraphQL-based APIs and requires schema design and resolvers. That is unnecessary complexity for simply testing three Lambda-backed endpoints.

Option D (ECS proxy) adds the most operational burden because it requires container orchestration, networking, scaling, and patching—completely misaligned with “least operational overhead.”

Therefore, the fastest and simplest approach is to create a function URL per Lambda endpoint, allowing immediate testing from the frontend with minimal additional AWS configuration.

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

This solution will meet the requirements by storing the Root CA Cert as a Secure String parameter in AWS Systems Manager Parameter Store, which is a secure and scalable service for storing and managing configuration data and secrets. The resource-based policy will allow IAM users in different AWS accounts and environments to access the parameter without requiring cross-account roles or permissions. The Lambda code will be refactored to load the Root CA Cert from the parameter store and modify the runtime trust store outside the Lambda function handler, which will improve performance and reduce latency by avoiding repeated calls to Parameter Store and trust store modifications for each invocation of the Lambda function. Option A is not optimal because it will use AWS Secrets Manager instead of AWS Systems Manager Parameter Store, which will incur additional costs and complexity for storing and managing a non-secret configuration data such as Root CA Cert. Option C is not optimal because it will deactivate the application secrets and monitor the application error logs temporarily, which will cause application downtime and potential data loss. Option D is not optimal because it will modify the runtime trust store inside the Lambda function handler, which will degrade performance and increase latency by repeating unnecessary operations for each invocation of the Lambda function.

To give the frontend team immediate access to stable endpoints without waiting for a real backend implementation, the simplest approach is to use API Gateway MOCK integration . A MOCK integration lets API Gateway generate a response directly, without invoking Lambda or any other backend. This is ideal for early UI development because you can return consistent, predefined payloads and status codes for each method.

With MOCK integration, you configure an integration request (often using a static mapping template) to produce a dummy request payload that triggers a response, and then you configure integration responses to return specific HTTP status codes (such as 200, 400, 500) along with predefined JSON bodies. You can also set response headers (for example, Content-Type: application/json) and use mapping templates to shape the returned JSON. This satisfies the requirement to “return predefined HTTP status codes and JSON responses” while minimizing development effort and avoiding the need to deploy placeholder Lambda functions.

Option A (AWS_PROXY with Lambda) can work, but it requires creating and deploying Lambda functions and IAM permissions just to return static data—more effort than necessary. Option C (HTTP PROXY) depends on an external placeholder service, which adds another system to build and maintain. Option D is incorrect because HTTP status codes are not defined in the method request ; they are defined through method responses and realized through integration responses in API Gateway’s integration configuration.

Therefore, B is the best solution: MOCK integration with integration request/response mappings provides quick, code-free stubs that unblock frontend development.

Comprehensive and Detailed Explanation (250–300 words):

AWS Secrets Manager supports cross-Region secret replication , which allows secrets to be automatically copied to other Regions and kept in sync during rotation. AWS documentation recommends secret replication for multi-Region applications to ensure local access and reduce dependency on cross-Region calls.

In this scenario, the primary Region continues to retrieve credentials from the original secret (Option A). The secondary Region retrieves credentials from the replica secret (Option B), ensuring low latency and resilience during Regional failures.

Promoting the replica to a standalone secret (Option C) breaks automatic rotation synchronization and increases operational overhead. Environment variables (Option E) are not suitable for rotating credentials. Option D is vague and does not address multi-Region availability.

Thus, using the primary secret and a replicated secret is the correct approach.

Requirement Summary:

Simple REST endpoint for weather data

Light backend usage (POC, testing)

Wants caching support to reduce backend calls

Must be cost-effective

Evaluate Options:

B: Lambda + API Gateway + SAM

Serverless = No idle costs

API Gateway can enable caching (response caching at endpoint level)

SAM makes deployment simple and repeatable

Perfect for low-traffic testing

A: EKS + API Gateway

High overhead

Not cost-effective for POC/testing

C: ECS + API Gateway

Similar to A: Container orchestration not needed for light REST endpoint

D: Elastic Beanstalk + ALB + Lambda

Overly complex and does not directly expose Lambda

Beanstalk better suited for full apps, not small REST functions

ï‚· AWS SAM: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html

ï‚· API Gateway caching: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

ï‚· Serverless Best Practices: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html

Requirement Summary:

WebSocket-based messaging app using API Gateway WebSocket APIs

Need to:

Identify clients repeatedly connecting/disconnecting

Be able to remove problematic clients

Evaluate Options:

A. Switch to HTTP APIs

HTTP APIs don’t support WebSocket connections

B. Switch to REST APIs

REST APIs are not compatible with WebSockets

C. Use the callback URL to disconnect clients

⚠️ Possible, but not a direct option

Callback URLs are used for sending messages to connected clients, not for disconnecting

D. Track client status in ElastiCache

Good solution: Store and update connection state (connected, disconnected, timestamps)

Helps track abuse or reconnections

E. Implement $connect and $disconnect routes

Required to capture connection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-route-selection.html

Managing WebSocket connections: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-mapping-template-reference.html