DVA-C02 Exam Dumps - AWS Certified Developer - Associate

The symptoms point to a missing event source mapping between Amazon SQS and the processing Lambda function. The parsing function successfully sends messages to SQS (the queue depth increases), but the processing function is not running for production events—evidenced by no CloudWatch logs during those runs. If Lambda is not being invoked, it will not generate any logs. In an SQS-based architecture, Lambda does not “pull” messages from a queue unless the queue is configured as a Lambda trigger (an event source mapping). The event source mapping tells Lambda to poll the queue, batch messages, and invoke the function with those messages.

In isolated tests, the developer likely invoked the processing function manually with mock events (for example, via the Lambda console or sam local invoke), which would create logs. But in production, because the function is supposed to be driven by SQS, it must have an SQS trigger configured; otherwise, messages will accumulate indefinitely and the function will never execute.

Option C (grant permissions) is necessary in many cases, but it does not explain the absence of logs and growing queue depth by itself if the trigger is missing. With the standard SQS→Lambda integration, Lambda’s service polls the queue using the function’s execution role permissions (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, etc.), but the polling does not occur without the event source mapping. Option D is not the root cause because the function isn’t being invoked; and if it were invoked, AWS-managed logging typically works unless the execution role lacks logging permissions. Option B is incorrect because the parsing function is not supposed to be triggered by SQS; it produces messages to SQS.

Therefore, configuring the SQS queue as a trigger for the processing Lambda function (A) resolves the issue and ensures production S3 events flow through parsing to SQS and then into processing automatically.

To meet the requirement that developers cannot view credit card numbers while the fraud detection account can , the solution must (1) ensure the sensitive data is masked at ingestion/storage in CloudWatch Logs, and (2) allow only an authorized principal to view unmasked values .

First, the developers must attach the data protection policy to the CloudWatch log group that receives the API Gateway HTTP API access logs (and/or the Lambda log group if credit card numbers can appear there). A CloudWatch Logs data protection policy is applied at the log group level and instructs CloudWatch Logs to identify sensitive data using managed data identifiers (for example, CreditCardNumber ) and then apply the configured de-identification action (here, masking). Without attaching the policy to the log group, the masking/redaction behavior will not be enforced for newly ingested log events, and developers could still see raw request parameters.

Second, to permit only the fraud detection account to reveal the masked values when necessary, the IAM role that the fraud detection account assumes must have the specific CloudWatch Logs permission to unmask protected data. Granting logs:Unmask to that role enables authorized access to view the sensitive values while keeping them masked for everyone else who lacks that permission (such as developer accounts assuming other roles).

Options A and E are not required for CloudWatch Logs data protection enforcement; the core controls are log-group policy attachment (to perform masking) and IAM authorization (to permit unmasking only for the fraud role). Therefore, the correct combination is C (apply the policy to the log group that captures the HTTP API logs) and B (grant logs:Unmask to the fraud detection role).

The standard best practice for Elastic Beanstalk is to externalize configuration using Environment Variables. By storing sensitive API keys in SSM Parameter Store as a SecureString , you gain encryption and rotation capabilities. You then reference the parameter in the Elastic Beanstalk environment. The application can retrieve the value at runtime, and if the key is updated in Parameter Store, the application can pick up the change without needing a full code redeployment.

This solution allows the API to invoke the Lambda function asynchronously, which means that the API will return an immediate response without waiting for the function to complete. The X-Amz-Invocation-Type header specifies the invocation type of the Lambda function, and setting it to ‘Event’ means that the function will be invoked asynchronously. The function can then use Amazon Simple Email Service (SES) to send an email message when the report processing is complete.

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. AWS Lambda is a service that lets developers run code without provisioning or managing servers. The developer can configure an S3 event to invoke a Lambda function that inserts records into DynamoDB whenever a new file is added to the S3 bucket. This solution will meet the requirement of inserting a record into DynamoDB as soon as a new file is added to S3.

The correct answer is B because messages in an Amazon SQS queue become temporarily hidden from other consumers only for the duration of the queue’s visibility timeout . If the Lambda function is still processing a message when that visibility timeout expires, the message becomes visible again and can be received another time, which looks like the message is reappearing during processing.

AWS documentation explains that when Lambda polls SQS, the queue’s visibility timeout must be configured long enough to allow the function to finish processing and for Lambda to delete the message successfully. If the visibility timeout is too short, duplicate processing can occur even when the function is working correctly.

Option A is not the best answer because increasing the Lambda timeout alone does not prevent the message from reappearing if the SQS visibility timeout remains shorter than the processing duration. Option C could improve performance in some cases, but it does not directly address the root cause of message visibility. Option D changes how many messages are processed together, but it does not solve the issue of messages becoming visible again before processing is complete.

The key operational principle is that the SQS visibility timeout should exceed the Lambda processing time , with enough buffer for retries and deletion. This ensures that while Lambda is processing the message, other consumers do not see it again. Therefore, the correct fix is to increase the visibility timeout of the SQS queue , making B the correct answer.

API Gateway mock integration is designed for exactly this situation: generating API responses directly from API Gateway without requiring a working backend. This lets dependent teams test immediately while the real backend is still being developed. The developer can configure the integration request and integration response mapping to return specific payloads and status codes. Request validators check incoming requests but do not generate backend responses. Gateway responses customize API Gateway-generated error responses, not normal business responses for application testing. A Lambda authorizer controls access and would require a Lambda function, which adds unnecessary implementation work. AWS documentation confirms that mock integrations let API developers generate responses directly from API Gateway and unblock teams before backend development is complete. ( AWS Documentation )

===============