DVA-C02 Exam Dumps - AWS Certified Developer - Associate

The goal is near-real-time propagation of changes from one DynamoDB table (Accounts) to another service’s datastore (Payments) while keeping services decoupled. The simplest and most reliable DynamoDB-native change feed is Amazon DynamoDB Streams.

DynamoDB Streams captures item-level modifications (inserts, updates, deletes) in time order and makes them available as a stream of change records. A consumer (commonly an AWS Lambda function) can process stream records and apply the necessary updates to the Payments database/table (or publish events for downstream processing). This provides near-real-time updates with minimal operational overhead, strong integration, and a decoupled architecture because the Accounts service simply emits changes and does not need to call Payments synchronously.

Option A (Glue ETL) is batch-oriented and adds heavy operational complexity; it’s not the simplest nor near-real-time.

Option B introduces a cache as a synchronization mechanism, which complicates consistency and durability; caches are not ideal as the primary propagation channel.

Option C (Firehose) is designed for delivering streaming data to destinations like S3, Redshift, OpenSearch, etc., and is not the standard approach for DynamoDB-to-DynamoDB change replication.

Therefore, DynamoDB Streams is the best fit for near-real-time, decoupled updates between DynamoDB-backed microservices.

IAM instance profiles are containers for IAM roles that can be associated with EC2 instances. An IAM role is a set of permissions that grant access to AWS resources. An IAM role can be used to allow an EC2 instance to access an S3 bucket by including the appropriate permissions in the role’s policy. The S3:ListBucket permission allows listing the objects in an S3 bucket. By updating the IAM instance profile with this permission, the application on the EC2 instance can retrieve the objects from the S3 bucket and display them to the user. Reference: Using an IAM role to grant permissions to applications running on Amazon EC2 instances

This solution will meet the requirements with the least operational overhead because it uses Amazon S3 as a scalable, secure, and durable storage service for the reports. The presigned URL will allow customers to access their reports for a limited time (8 hours) without requiring additional authentication. The S3 Lifecycle configuration rules will automatically delete the reports that are older than 2 days, reducing storage costs and complying with the data retention policy. Option A is not optimal because it will incur additional costs and complexity to store the reports as DynamoDB items, which have a size limit of 400 KB. Option B is not optimal because it will not provide customers with access to their reports within one hour, as Amazon SNS email delivery is not guaranteed. Option D is not optimal because it will require more operational overhead to manage an RDS database and a Lambda function for storing and deleting the reports.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

On Amazon ECS, the fundamental scheduling unit is a task , which is launched from a task definition . A single task definition can include multiple containers that are intended to run together (often called a “sidecar” pattern). When two containers must share data locally —such as an application container writing log files and a separate log/metrics collector container reading those files—the recommended approach is to place both containers in the same task definition and use a shared task volume .

ECS supports defining volumes at the task level (for example, a Docker volume or bind mount depending on the launch type and configuration), and then mounting that volume into multiple containers inside the same task. Because the containers are co-located by ECS scheduling (same task, same underlying host or Fargate environment), they can safely share the mounted directory for file-based handoff. This design keeps the containers tightly coupled for lifecycle management (start/stop together) and avoids cross-task coordination complexity.

Options A and D refer to “pod specifications,” which are Kubernetes concepts, not ECS-native constructs (unless using ECS with EKS/Kubernetes, which is not stated). Option B is not feasible because ECS does not mount a single shared local volume across two separate tasks in the general case; separate tasks can be placed on different hosts, and task-scoped volumes are not shared between tasks by default. If cross-task sharing were required, you would typically use a network filesystem (like EFS) or an external log pipeline (CloudWatch Logs, FireLens, etc.), but the requirement explicitly says each application container needs to share data with another container, which aligns with the sidecar-in-same-task pattern.

Therefore, the correct solution is C : define both containers in one ECS task definition and mount a shared volume into both containers.

The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.

With STS AssumeRole , the application requests temporary credentials for a specific IAM role . The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.

Options A and B rely on long-term IAM user credentials . Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.

Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole .

Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.

This solution will meet the requirements by using AWS X-Ray to enable tracing of application requests to debug performance issues in the code. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can install the AWS X-Ray daemon on the EC2 instances, which is a software that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the X-Ray API. The developer can also install and configure the AWS X-Ray SDK for Python in the application, which is a library that enables instrumenting Python code to generate and send trace data to the X-Ray daemon. Option A is not optimal because it will install the Amazon CloudWatch agent on the EC2 instances, which is a software that collects metrics and logs from EC2 instances and on-premises servers, not application performance data. Option C is not optimal because it will configure the application to write JSON-formatted logs to /var/log/cloudwatch, which is not a valid path or destination for CloudWatch logs. Option D is not optimal because it will configure the application to write trace data to /var/log/xray, which is also not a valid path or destination for X-Ray trace data.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Set up Amazon S3 Caching for CodeBuild:

CodeBuild supports S3 caching to store intermediate build artifacts and dependencies. This reduces the time required to download dependencies during subsequent builds, effectively lowering costs and improving build performance.

By using S3 caching, developers can optimize costs without changing the compute type or adding complexity.

Why Other Options Are Incorrect:

Option A: CodeBuild does not have a " reserved capacity fleet " option.

Option B: AWS Lambda cannot be used as the compute mode for CodeBuild projects. CodeBuild uses its own managed build environments.

Option C: CodeBuild already operates on an on-demand basis, so this does not address the need for optimization or reduced provisioning time.