DVA-C02 Exam Dumps - AWS Certified Developer - Associate

This is a cross-account access pattern using STS AssumeRole. Account A owns the DynamoDB table and has created an IAM role (AccessPII) with permissions to access the table. Account A also configured a trust policy that allows principals from Account B to assume the role. That trust policy alone is not enough; the caller in Account B must also be allowed to call sts:AssumeRole.

Therefore, in Account B, the EC2 instance profile role (the role attached to the EC2 instances running the app) must have permission to assume the role in Account A. That is Option A.

Next, the application must actually obtain temporary credentials for the Account A role. The standard way is to call STS AssumeRole in the application logic (or use an SDK credential provider that assumes a role). This yields temporary credentials that have the permissions of the AccessPII role, allowing DynamoDB access in Account A. That is Option D.

Option B is not correct because granting direct DynamoDB table permissions in Account B does not grant access to a table owned by Account A unless Account A also grants access via a resource policy (DynamoDB resource policies exist but the scenario already sets up role assumption; the intended solution is AssumeRole).

Option C is incomplete/wrong: getting temporary credentials from the EC2 role alone gives permissions of the EC2 role in Account B, not the permissions in Account A. You must assume the cross-account role.

Option E is for IAM user MFA session tokens, not cross-account role assumption for an EC2 role.

Therefore, grant sts:AssumeRole to the EC2 role and call AssumeRole in code.

HTTP Status Codes: Each HTTP status code has a specific meaning in RESTful APIs.

HTTP 405 (Method Not Allowed): Indicates that the request method (e.g., POST) is not supported for the specified resource.

HTTP 401 (Unauthorized): Represents a failure to authenticate, which is the appropriate response for invalid login credentials.

The correct answer is D because the error is occurring when the Lambda function calls the third-party fulfillment service , and the log message clearly states “Rate limit exceeded from fulfillment service.” This indicates the downstream system is throttling requests. In AWS best practices for integrating with external services, developers should use retries with exponential backoff to handle transient throttling and service rate-limit responses gracefully.

API Gateway showing 5XX errors instead of 4XX errors also makes sense in this design. The client request reaches API Gateway successfully, and API Gateway invokes Lambda. The failure happens inside the backend processing path when Lambda calls the external fulfillment API. Because the backend integration fails, API Gateway surfaces a server-side error rather than a client-side error.

Option A is incorrect because increasing API Gateway throttling limits would allow even more requests to reach Lambda, which could worsen the rate-limit issue against the external fulfillment service. Option B is incorrect because provisioned concurrency helps with cold starts and startup latency, not downstream rate limiting. Option C is incorrect because increasing Lambda memory might improve CPU performance, but it does not solve an external API returning rate-limit responses.

By implementing exponential backoff and retry logic , the Lambda function can reduce the frequency of immediate repeated requests to the third-party service, give the service time to recover, and improve overall request success. This approach aligns with AWS guidance for fault tolerance and resilient service integration patterns when working with throttled downstream dependencies.

The correct answer is C because for an in-place deployment on Amazon EC2 instances, AWS CodeDeploy automatic rollback works by redeploying the last known good revision when a deployment fails or when a configured monitoring alarm is triggered. AWS documentation explains that when automatic rollback is enabled, CodeDeploy creates a new deployment that uses the most recent successfully deployed application revision. This rollback deployment receives its own new deployment ID , because it is treated as a separate deployment event rather than a simple undo operation.

Option A is incorrect because CodeDeploy does not restore an Amazon S3 snapshot of the previous deployment state for EC2 in-place deployments. It redeploys the last successful revision instead. Option B describes behavior associated with blue/green deployment patterns , not in-place deployments . Route 53 alias switching and blue/green environment replacement are not how CodeDeploy handles failed validation during an EC2 in-place deployment. Option D is incorrect because CodePipeline orchestrates stages in a delivery pipeline, but it is not the service that performs the rollback behavior described here.

This distinction is important in AWS deployment design. In-place deployments update the same EC2 instances already serving the application. If validation fails, CodeDeploy does not roll traffic back through DNS or infrastructure replacement. Instead, it launches a rollback deployment of the previously successful application revision across those same instances. That behavior directly aligns with AWS CodeDeploy automatic rollback functionality for EC2/On-Premises in-place deployments.

Therefore, the correct result is that CodeDeploy redeploys the last known stable version as a new deployment , which makes C the right answer.

This solution is the most efficient method to grant users access to AWS resources without requiring them to log in. Amazon Cognito is a service that provides user sign-up, sign-in, and access control for web and mobile applications. Amazon Cognito identity pools support both authenticated and unauthenticated users. Unauthenticated users receive access to your AWS resources even if they aren’t logged in with any of your identity providers (IdPs). You can use Amazon Cognito to associate unauthenticated users with an IAM role that has limited access to resources, such as Amazon S3 buckets or DynamoDB tables. This degree of access is useful to display content to users before they log in or to allow them to perform certain actions without signing up. Using an identity provider to securely authenticate with the application will require users to log in, which does not meet the requirement. Creating an AWS Lambda function to create an IAM user when a user accesses the application will incur unnecessary costs and complexity, and may pose security risks if not implemented properly. Creating credentials using AWS KMS and applying them to users when using the application will also incur unnecessary costs and complexity, and may not provide fine-grained access control for resources.

This solution allows the developer to overcome the limit for the combined maximum of characters for environment variables in AWS CodeBuild. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. The developer can store large numbers of environment variables as parameters in Parameter Store and reference them in the buildspec file using parameter references. Adding export LC_ALL=“en_US.utf8” command to the pre_build section will not affect the environment variables limit. Using Amazon Cognito or an Amazon S3 bucket to store key-value pairs for environment variables will require additional configuration and integration.