DVA-C02 Exam Dumps - AWS Certified Developer - Associate

CloudWatch for Log Analysis: CloudWatch is the best fit here because logs are already centralized. Here's the process:

Metric Filter: Create a metric filter on the CloudWatch Logs log group. Design a pattern to specifically identify application error messages.

Custom Metric: This filter generates a new custom CloudWatch metric (e.g., ApplicationErrors). This metric tracks the error count.

CloudWatch Alarm: Create an alarm on the ApplicationErrors metric. Configure the alarm with your desired threshold and a 5-minute evaluation period.

SNS Action: Set the alarm to trigger an SNS notification when it enters the alarm state.

This solution will meet the requirements by allowing the Lambda functions to access the DB cluster securely within the same VPC without crossing the public internet. The developer can configure a VPC endpoint for RDS in a private subnet and assign it to the Lambda functions. The developer can also configure a security group for the Lambda functions that allows inbound traffic from the DB cluster on port 3306 (MySQL). Option A is not optimal because it will expose the DB cluster to public access, which may compromise its security and data integrity. Option B is not optimal because it will introduce additional latency and complexity to use an RDS database proxy for accessing the DB cluster from Lambda functions within the same VPC. Option C is not optimal because it will require additional costs and configuration to use a NAT gateway for accessing resources in private subnets from Lambda functions.

AWS CloudFormation is a service that allows developers to model and provision AWS resources using templates. A CloudFormation template can define the load test resources, such as EC2 instances, load balancers, and Auto Scaling groups. A CloudFormation stack set is a collection of stacks that can be created and managed from a single template in multiple Regions and accounts. The AWS CLI create-stack-set command can be used to create a stack set from a template and specify the Regions where the stacks should be created. Reference: Working with AWS CloudFormation stack sets

“Encryption in transit” for S3 means requiring requests to use HTTPS (TLS) rather than HTTP. AWS provides a standard policy condition key, aws:SecureTransport, that evaluates to true when the request is made over SSL/TLS and false when it is not. To enforce TLS for all cross-account GetObject requests, the most reliable control point is the S3 bucket resource-based policy, because the bucket is the resource being accessed and the bucket owner can enforce conditions regardless of which external account is calling.

Option A is the established pattern: add an explicit Deny statement in the bucket policy that denies all S3 actions (or at least s3:GetObject) when aws:SecureTransport is false. An explicit deny overrides any allows, ensuring that even if another account’s IAM policy allows access, the request will still be blocked if it is not using HTTPS.

Option B is backwards because it would allow insecure transport rather than deny it.

Option C is weaker because you cannot reliably enforce policies in other accounts (and principals could change roles or permissions). The bucket owner should enforce transport security at the bucket level.

Option D is not the right layer: the KMS key policy controls key usage, but the S3 GetObject transport requirement is best enforced by the S3 bucket policy. Also, S3 access can be denied before KMS is even involved.

Therefore, enforce HTTPS by adding a bucket policy Deny when aws:SecureTransport is false.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

Store the credentials in AWS Secrets Manager and enable rotation. Configure the API to have Secrets Manager access. This is correct. This solution will meet the requirements most securely, because it uses a service that is designed to store and manage secrets such as API credentials. AWS Secrets Manager helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle1. You can store secrets such as passwords, database strings, API keys, and license codes as encrypted values2. You can also configure automatic rotation of your secrets on a schedule that you specify3. You can use the AWS SDK or CLI to retrieve secrets from Secrets Manager when you need them4. This way, you can avoid storing credentials in plaintext files or hardcoding them in your code.