DVA-C02 Exam Dumps - AWS Certified Developer - Associate

The solution that will meet the requirements is to use the AWS SDK ssm PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString. This way, the developer can store the API credentials with minimal operational overhead, as AWS Systems Manager Parameter Store provides secure and scalable storage for configuration data. The SecureString parameter type encrypts the parameter value with AWS Key Management Service (AWS KMS). The other options either involve adding additional resources to the CloudFormation template, which increases complexity and cost, or do not encrypt the parameter value, which reduces security.

To retrieve a secret’s value from AWS Secrets Manager, the calling principal must be authorized to call secretsmanager:GetSecretValue on the specified secret. This API returns the secret material (for example, SecretString or SecretBinary). Passing secret IDs through environment variables only tells the application which secret to request; it does not grant permission to access it.

Because the secret is encrypted with a customer managed AWS KMS key, the caller must also be allowed to use that key for decryption. Secrets Manager stores secret values encrypted at rest, and when a caller requests the secret value, KMS is used to decrypt the stored ciphertext under the configured CMK. Therefore, the principal needs kms:Decrypt permission on the CMK (and the CMK key policy must allow the principal, directly or via grants/conditions). Without kms:Decrypt, the GetSecretValue call will fail because Secrets Manager cannot return plaintext secret material.

secretsmanager:DescribeSecret (B) can be useful for reading metadata such as rotation configuration or tags, but it is not required to retrieve the secret value itself. secretsmanager:ListSecrets (C) is for discovery/enumeration and is not required when the application already knows the secret ID. kms:Encrypt (E) is not needed for reading a secret value; encryption permissions are relevant for write/update operations or client-side encryption flows, not for decrypting stored secrets.

Therefore, the required combination is A (secretsmanager:GetSecretValue) and D (kms:Decrypt) to successfully retrieve secret values encrypted with a customer managed KMS key.

Comprehensive and Detailed Step-by-Step Explanation:

Option C: Use AWS CodePipeline for CI/CD Workflow:

AWS CodePipeline automates the entire CI/CD pipeline, including build, deploy, and test stages. This minimizes manual effort and integrates well with AWS services.

API Gateway Stages: Represent different environments, such as dev, test, and prod, allowing isolated deployment and testing.

AWS CloudFormation Templates: Ensure that the infrastructure for Lambda and API Gateway is consistent across environments.

AWS CodeBuild for Automated Tests: Validates the deployments in each stage, ensuring integration and functionality are tested post-deployment.

Why Other Options Are Incorrect:

Option A and B: While using AWS SAM or CloudFormation for infrastructure management is valid, these options lack the fully automated CI/CD pipeline provided by CodePipeline.

Option D: Manually invoking Lambda functions using the AWS CLI introduces operational overhead and lacks the automation provided by CodePipeline.

Amazon S3 Glacier storage classes are designed for cost-effective archival with varying retrieval times. S3 Glacier Instant Retrieval provides millisecond access, making it suitable for workloads that require immediate access but at a lower cost than S3 Standard.

For the first 90 days, instant access is required, which rules out S3 Glacier Deep Archive and S3 Glacier Flexible Retrieval as primary storage because they have minutes-to-hours retrieval times. After 90 days, the requirement allows retrieval times exceeding 10 minutes, making S3 Glacier Flexible Retrieval appropriate.

Option D uses Instant Retrieval initially and transitions to Flexible Retrieval, optimizing both performance and cost. EFS and EBS (Options A and C) are significantly more expensive for large objects and are not intended for massive archival workloads. Option B reverses the access requirements and is invalid.

AWS documentation explicitly recommends using S3 lifecycle policies to transition objects between Glacier storage classes based on access requirements.

Therefore, Option D is the most cost-effective and AWS-aligned solution.

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.