DVA-C02 Exam Dumps - AWS Certified Developer - Associate

Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)

When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.

According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.

AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:

kms:GenerateDataKey

(Implicitly) access allowed by the KMS key policy

Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.

Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.

Option B is unnecessary because the IAM user already has s3:PutObject.

Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

Why Option A is Correct:DynamoDB supports incremental exports to Amazon S3 natively, making data analytics-ready with minimal operational overhead.

Why Other Options are Incorrect:

Option B: DynamoDB Streams require additional processing logic to write to S3, increasing complexity.

Option C & D: Using EMR for data movement adds unnecessary operational overhead compared to native exports.

AWS Documentation References:

DynamoDB Exports to S3

The GenerateDataKey API returns a data key that is encrypted under a symmetric encryption KMS key that you specify, and a plaintext copy of the same data key1. The data key is a random byte string that can be used with any standard encryption algorithm, such as AES or SM42. The plaintext data key can be used to encrypt or decrypt data outside of AWS KMS, while the encrypted data key can be stored with the encrypted data and later decrypted by AWS KMS1.

In this scenario, the developer needs to use the GenerateDataKey API to encrypt the PDF file so that it can be decrypted later. The developer also needs to use an AWS KMS symmetric customer managed key for encryption. To achieve this, the developer can follow these steps:

Call the GenerateDataKey API with the symmetric customer managed key ID and the desired length or specification of the data key. The API will return an encrypted data key and a plaintext data key.

Write the encrypted data key to disk for later use. This will allow the developer to decrypt the data key and the PDF file later by using AWS KMS.

Use the plaintext data key and a symmetric encryption algorithm to encrypt the PDF file. The developer can use any standard encryption library or tool to perform this operation, such as OpenSSL or AWS Encryption SDK.

Discard the plaintext data key from memory as soon as possible after using it. This will prevent unauthorized access or leakage of the data key.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.