DVA-C02 AWS Certified Developer - Associate Questions and Answers

In AWS Lambda, CPU power scales proportionally with the memory configuration. Lambda does not let you directly set “CPU cores” as a standalone setting in the general case; instead, increasing the function’s configured memory increases the CPU allocation (and other resources such as network throughput) available to the function. Therefore, to reduce latency caused by insufficient CPU, the developer should increase the function’s memory setting.

Option B directly addresses the CPU limitation in the supported Lambda configuration model. This is a common performance tuning approach: raise memory, benchmark, and find the optimal cost/performance point.

Option A is not the right lever for most Lambda functions because Lambda compute is configured via memory (and architecture), not by directly raising a “vCPU quota” per function in a typical tuning workflow.

Option C increases /tmp storage capacity and helps when dealing with large temporary files, not CPU availability.

Option D increases the maximum runtime allowed per invocation, but it does not give the function more CPU and will not reduce latency caused by CPU starvation.

Therefore, increasing the allocated memory is the correct way to increase CPU for a Lambda function.

The correct answer is A because AWS Lambda requires permissions in the function’s execution role to create log groups, create log streams, and put log events into Amazon CloudWatch Logs . If the Lambda function is throwing errors but there are no CloudWatch log entries, the most likely cause is that the execution role does not include the necessary logging permissions. AWS documentation states that Lambda automatically sends logs from function code and the execution environment to CloudWatch Logs, but this behavior depends on the function’s IAM role having permissions such as logs:CreateLogGroup , logs:CreateLogStream , and logs:PutLogEvents .

This aligns with the scenario because the source code already attempts to write logs before saving data to DynamoDB. If the function is invoked and errors are visible in CloudWatch metrics, but logs never appear, then logging is failing before or during delivery to CloudWatch Logs. Assigning the proper IAM permissions resolves that problem directly.

Option B is incorrect because CloudWatch Lambda Insights provides enhanced monitoring and performance telemetry, but it does not replace the basic permissions required for CloudWatch Logs delivery. Option C is incorrect because AWS X-Ray helps trace requests and diagnose latency or service interactions, but it does not solve missing log stream permissions. Option D is incorrect because CloudWatch does not need to be added as a trusted principal to the Lambda execution role; the trusted entity for that role is the Lambda service .

Therefore, the developer should update the Lambda execution role to include the required CloudWatch Logs permissions.

Requirement Summary:

NLP Lambda function with a large pre-trained model

Lambda layer became 8.7 GB → Exceeds AWS limits

Function returns RequestEntityTooLargeException

Need: High-performing, portable, low initialization time

Important AWS Limits:

Lambda Layers size limit (combined across all layers): 250 MB (unzipped)

Deployment package size (unzipped): 250 MB

Lambda container image support allows up to 10 GB image size

Evaluate Options:

A: Store model in S3 and load during execution

Leads to cold start latency every time

Model loading from S3 is slower and not suitable for real-time NLP

Not optimal for performance

B: Use EFS mounted to Lambda

⚠️ Valid for large models, but adds latency during cold start as model loads from EFS

Requires EFS setup, VPC, and has added network I/O overhead

Still slower than bundling in container image

C: Split into five Lambda layers

Still violates the total layer size limit of 250 MB (unzipped)

You cannot exceed that even with multiple layers

D: Use Docker container image

Allows bundling up to 10 GB of dependencies and models

High portability and performance

Avoids latency of downloading models at runtime

Ideal for scientific/NLP models

Lambda container image support: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

Lambda limits: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html

Using large models with Lambda: https://aws.amazon.com/blogs/machine-learning/deploying-large-machine-learning-models-on-aws-lambda-with-container-images/

This solution will meet the requirements by storing the Root CA Cert as a Secure String parameter in AWS Systems Manager Parameter Store, which is a secure and scalable service for storing and managing configuration data and secrets. The resource-based policy will allow IAM users in different AWS accounts and environments to access the parameter without requiring cross-account roles or permissions. The Lambda code will be refactored to load the Root CA Cert from the parameter store and modify the runtime trust store outside the Lambda function handler, which will improve performance and reduce latency by avoiding repeated calls to Parameter Store and trust store modifications for each invocation of the Lambda function. Option A is not optimal because it will use AWS Secrets Manager instead of AWS Systems Manager Parameter Store, which will incur additional costs and complexity for storing and managing a non-secret configuration data such as Root CA Cert. Option C is not optimal because it will deactivate the application secrets and monitor the application error logs temporarily, which will cause application downtime and potential data loss. Option D is not optimal because it will modify the runtime trust store inside the Lambda function handler, which will degrade performance and increase latency by repeating unnecessary operations for each invocation of the Lambda function.

Using Amazon ElastiCache for Memcached to store and manage the session data will reduce the memory load and improve the performance of the web server. Using Amazon RDS for MySQL DB instance to store the application data will provide a scalable, reliable, and managed database service. Option A is not optimal because it does not address the memory issue of the web server. Option C is not optimal because it does not provide a persistent storage for the application data. Option D is not optimal because it does not provide a high availability and durability for the session data.

This solution will meet the requirements by using AWS X-Ray to analyze and debug the performance issues with the distributed Lambda applications. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can use AWS X-Ray to identify the root cause of the performance issues by examining the segments and errors that show the details of each request and the components that make up the applications. Option A is not optimal because it will use logging statements and Amazon CloudWatch, which may not provide enough information or visibility into the distributed applications. Option B is not optimal because it will use AWS CloudTrail, which is a service that records API calls and events for AWS services, not application performance data. Option D is not optimal because it will use Amazon Inspector, which is a service that helps improve the security and compliance of applications on Amazon EC2 instances, not Lambda functions.

Comprehensive and Detailed 250 to 300 words of Explanation (AWS-doc-aligned):

The most operationally efficient way to share and patch common dependencies across multiple Lambda functions is to use AWS Lambda layers . A Lambda layer is an independently managed deployment artifact that can contain libraries and other dependencies. Multiple functions can reference the same layer, which avoids packaging identical open source modules into each function bundle.

When a vulnerability or bug is found in a shared module, you patch it once by publishing a new layer version that contains the updated dependencies. Then you update each Lambda function configuration to reference the new layer version. This centralizes dependency management, reduces duplicated artifacts, and makes rollouts and rollbacks cleaner (you can switch layer versions quickly). It also keeps function deployment packages smaller, which often improves deployment speed and can reduce cold-start overhead associated with larger bundles.

The other options introduce unnecessary operational burden:

Downloading modules at cold start (CloudFront/S3) increases latency and adds failure modes at runtime.

Hosting a private registry on EC2 requires patching, scaling, availability management, and security hardening—high operational overhead.

A CloudFormation registry extension and daily scans are not a standard or efficient mechanism for packaging runtime Node.js dependencies into Lambda functions.

Lambda layers are a documented AWS-native feature intended for precisely this use case: sharing common code and libraries across functions while enabling controlled versioning. Therefore, creating a layer for the open source modules and updating the functions to consume the layer is the most efficient and maintainable approach.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Amazon Cognito Identity Pool with Unauthenticated Role

Cognito identity pools can generate temporary AWS credentials for both authenticated and unauthenticated users.

For guest users, Cognito assigns an unauthenticated role with limited permissions, ensuring secure access to only their resources.

This is the most secure and efficient solution for managing AWS credentials dynamically without hardcoding or storing them.

Why Other Options Are Incorrect:

Option B: Hardcoding IAM credentials in the application is insecure and violates best practices.

Option C and D: Temporary keys stored in KMS or Secrets Manager require additional implementation overhead and do not inherently manage user-specific access.

An SQS FIFO queue is a type of queue that preserves the order of messages and ensures that each message is delivered and processed only once1. This is suitable for the scenario where the developer wants to ensure that there are no out-of-order updates in the legacy system.

The visibility timeout value is the amount of time that a message is invisible in the queue after a consumer receives it2. This prevents other consumers from processing the same message simultaneously. If the consumer does not delete the message before the visibility timeout expires, the message becomes visible again and another consumer can receive it2.

In this scenario, the developer needs to configure the visibility timeout value to be longer than the maximum processing time of the legacy system, which is 5 minutes. This will ensure that the message remains invisible in the queue until the legacy system finishes processing it and deletes it. This will prevent duplicate or out-of-order processing of messages by the legacy system.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The API needs to:

Generate responses without backend integrations: This indicates the use of mock responses for testing.

Be used by multiple internal teams during development.

Minimize operational overhead.

2. Key Features of Amazon API Gateway:

REST APIs: Fully managed API Gateway option that supports advanced capabilities like mock integrations, request/response transformation, and more.

HTTP APIs: Lightweight option for building APIs quickly. It supports fewer features but has lower operational complexity and cost.

Mock Integration: Allows API Gateway to return pre-defined responses without requiring backend integration.

3. Explanation of the Options:

Option A: " Create an Amazon API Gateway REST API. Set up a proxy resource that has the HTTP proxy integration type. " A proxy integration requires a backend service for handling requests. This does not meet the requirement of " no backend integrations. "

Option B: " Create an Amazon API Gateway HTTP API. Provision a VPC link, and set up a private integration on the API to connect to a VPC. " This requires setting up a VPC and provisioning resources, which increases operational overhead and is unnecessary for this use case.

Option C: " Create an Amazon API Gateway HTTP API. Enable mock integration on the method of the API resource. " While HTTP APIs can enable mock integrations, they have limited support for advanced features compared to REST APIs, such as detailed request/response customization. REST APIs are better suited for development environments requiring mock responses.

Option D: " Create an Amazon API Gateway REST API. Enable mock integration on the method of the API resource. " This is the correct answer. REST APIs with mock integration allow defining pre-configured responses directly within API Gateway, making them ideal for scenarios where backend services are unavailable. It provides flexibility for testing while minimizing operational overhead.

4. Implementation Steps:

To enable mock integration with REST API:

Create a REST API in API Gateway:

Open the API Gateway Console.

Choose Create API > REST API.

Define the API Resource and Methods:

Add a resource and method (e.g., GET or POST).

Set Up Mock Integration:

Select the method, and in the Integration Type, choose Mock Integration.

Configure the Mock Response:

Define a 200 OK response with the desired response body and headers.

Deploy the API:

Deploy the API to a stage (e.g., dev) to make it accessible.

5. Why REST API Over HTTP API?

REST APIs support detailed request/response transformations and robust mock integration features, which are ideal for development and testing scenarios.

While HTTP APIs offer lower cost and simplicity, they lack some advanced features required for fine-tuned mock integrations.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can store each employee’s contact information in a DynamoDB table along with the object keys for the photos stored in Amazon S3. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. The developer can use AWS APIs to search and retrieve the employee details and photos from DynamoDB and S3.

To begin using AWS X-Ray, the team must (1) instrument the application to emit trace segments/subsegments and (2) ensure there is a component that can send trace data to the X-Ray service.

Instrumenting code is typically done with the AWS X-Ray SDK (language-specific). This adds tracing to inbound requests and downstream calls, creates segments/subsegments, and attaches annotations/metadata. That corresponds to Option C.

For many compute environments (especially EC2, ECS on EC2, and on-prem servers), the application sends trace data via the X-Ray daemon/agent running locally. The daemon batches segments and forwards them to the X-Ray service endpoint. That corresponds to Option D.

Option B is helpful after traces exist (using the X-Ray console or CloudWatch ServiceLens), but it is not a prerequisite to “begin using” X-Ray.

Option A is unrelated. X-Ray does not require SQS for instrumentation output.

Option E is incorrect because X-Ray stores trace data in its managed backend; you do not create a DynamoDB table for trace logs.

Therefore, the team needs to instrument the code with the X-Ray SDK and install/run the X-Ray agent/daemon on the servers where the application runs.

This solution allows the Lambda function to be invoked by the DynamoDB stream whenever updates are made to items in the DynamoDB table. Event source mapping is a feature of Lambda that enables a function to be triggered by an event source, such as a DynamoDB stream, an Amazon Kinesis stream, or an Amazon Simple Queue Service (SQS) queue. The developer can configure event source mapping for the Lambda function using the AWS Management Console, the AWS CLI, or the AWS SDKs. Changing the StreamViewType parameter value to NEW_AND_OLD_IMAGES for the DynamoDB table will not affect the invocation of the Lambda function, but only change the information that is written to the stream record. Mapping an Amazon Simple Notification Service (Amazon SNS) topic to the DynamoDB stream will not invoke the Lambda function directly, but require an additional subscription from the Lambda function to the SNS topic. Increasing the maximum runtime (timeout) setting of the Lambda function will not affect the invocation of the Lambda function, but only change how long the function can run before it is terminated.

When using AWS SAM local (sam local invoke, sam local start-api), the Lambda code runs in a local container on the developer’s machine. If that code uses the AWS SDK to call AWS services, it needs AWS credentials available in the local environment. The recommended way is to rely on the AWS SDK’s standard credential provider chain, which includes credentials stored by the AWS CLI in ~/.aws/credentials and selected via a named profile .

By running aws configure --profile < profileName > , the developer creates a dedicated set of access keys (and optionally a session token/region) for the test account. Then, running SAM with sam local invoke --profile < profileName > causes SAM to supply those credentials to the local container so the function can authenticate to AWS and make real API calls in the intended test account. This approach is clean, repeatable, and avoids hardcoding secrets into templates or source code.

Option A is insecure and not the intended use of SAM templates; templates are infrastructure definitions, not secret stores. Option C sets the Lambda execution role for deployed functions in AWS, but it does not automatically grant credentials to code running locally on a laptop. Option D misuses --parameter-overrides, which is meant for overriding template parameters at deployment/build time, not for securely injecting AWS access keys into local execution.

Therefore, the correct approach is B : configure an AWS CLI profile and run SAM local with the --profile option so the Lambda code can call AWS APIs in the test account using standard credential handling.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

Amazon DynamoDB throttling during peak periods is commonly caused by hot partitions . In this scenario, using order_date as the partition key results in a large number of writes targeting the same partition during peak ordering times. Even in on-demand mode, DynamoDB enforces per-partition limits, which leads to throttling when traffic is unevenly distributed.

AWS best practices emphasize designing partition keys that provide high cardinality and uniform access patterns . Using customerId as the partition key distributes write traffic across many partitions because customer IDs naturally vary and scale with the number of users.

Switching to provisioned capacity (Option B) does not solve the root cause and can still result in throttling due to uneven access patterns. Sequential partition keys (Option A) worsen the hot partition problem. Migrating to Aurora (Option C) is unnecessary and does not address DynamoDB design issues.

AWS documentation clearly states that access pattern design is critical , and changing the partition key to better distribute workload is the correct solution. Therefore, using customerId as the partition key resolves throttling and aligns with DynamoDB best practices.

Step-by-Step Breakdown:

Requirement Summary:

AWS AppSync API needs to invoke Lambda functions

Some Lambda functions are long-running

AppSync should return immediately, minimizing operational overhead

**Option A: AppSync + Lambda as data source using Event Mode

Correct: AWS AppSync supports asynchronous (event) invocation of Lambda data sources using Event Mode.

Event Mode means:

AppSync invokes Lambda asynchronously

Immediately returns a response to the client (typically a predefined payload or null)

Ideal for fire-and-forget workloads or when the response is not immediately needed

Option B: Increase Lambda timeout

Incorrect: This keeps AppSync waiting.

Even with increased timeout, synchronous invocations would block AppSync responses.

Option C: SQS queue + polling Lambda

Possible but too complex for this use case.

Requires additional infrastructure: queue + mapping + custom logic.

Higher operational overhead compared to built-in AppSync Event Mode.

Option D: Enable caching in AppSync

Irrelevant: AppSync cache is for optimizing repeated read queries, not for async workflows.

Asynchronous Lambda with AppSync: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference-lambda.html#async-lambda-invocation

Lambda as AppSync Data Source: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html

Event Mode Docs: https://docs.aws.amazon.com/appsync/latest/devguide/lambda-resolvers.html#event-invocation-mode

The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.

With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.

Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”

Option A expires objects, which deletes them after 7 days—this contradicts the requirement to keep objects available.

Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.

Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.

To rotate database credentials without downtime, Secrets Manager recommends the alternating users (dual user) rotation strategy. With a single-user strategy, Secrets Manager changes the password for the same database user that the application is actively using. If the application continues using cached/old credentials during rotation, authentication failures and downtime can occur.

With the alternating users strategy, two database users exist (often named something like appuser and appuser_clone). Secrets Manager alternates which user is “active” in the secret. During rotation, Secrets Manager updates the inactive user’s password, verifies it, updates the secret to point to the newly updated user, and then (optionally) retires the old credentials. This approach minimizes disruption because there is always one known-good credential set while the other is being updated.

The question specifically requires regular rotation using Secrets Manager. That is achieved by enabling automatic rotation on the secret with a schedule (for example, every 30/60/90 days). Automatic rotation invokes the rotation Lambda (AWS-provided or configured) and performs the workflow without manual intervention.

Option D combines both requirements: automatic rotation plus the alternating users strategy for high availability and no downtime.

Option B mentions alternating users but “managed rotation” is not the standard term used in these choices as the primary differentiator—automatic rotation is the necessary capability to rotate regularly without manual effort.

Options A and C (single user) are more likely to cause downtime during rotation.

Therefore, configure automatic rotation with the alternating users rotation strategy.

SNS as a Fan-out Mechanism: SNS is perfect for triggering multiple actions from a single event (here, the image upload).

Workflow:

SNS Topic: Create an SNS topic that will be the central notification point.

S3 Event Notification: Configure the S3 bucket to send ' Object Created ' event notifications to the SNS topic.

Lambda Subscription: Subscribe your thumbnail-creating Lambda function to the SNS topic.

Email Subscription: Subscribe an email address to the SNS topic to trigger notifications.

The correct policy condition ensures that:

The LeadingKeys condition restricts operations to the authenticated user ' s user_id.

The Attributes condition limits the updatable attributes to user_name.

Explanation of Choices:

Option A: Correctly enforces both the key restriction (dynamodb:LeadingKeys) and ensures only the user_name attribute can be updated.

Option B, C, D: Use incorrect conditions, such as referencing user_name in the LeadingKeys or including other attributes like user_id in updatable fields.

The solution that will meet the requirements is to write data to Amazon ElastiCache. This way, the application can write session data to a fast, scalable, and reliable in-memory data store that can be served reliably across multiple requests. The other options either involve writing data to persistent storage, which is slower and more expensive than in-memory storage, or writing data to the root filesystem, which is not shared among multiple EC2 instances.

Problem: Large bundle size increases Lambda deployment time.

Lambda Layers: Layers let you package dependencies separately from your function code. This optimizes the deployment package, making updates faster.

Modularization: Breaking down dependencies into layers improves code organization and reusability.

Why Option B is Correct:A customer-managed AWS Key Management Service (KMS) key allows for encryption at rest and provides the ability to rotate the key on demand. This ensures compliance with security requirements for key management and database encryption.

RDS integrates natively with AWS KMS, allowing the use of a customer-managed key for encrypting data at rest.

Key rotation can be managed directly in AWS KMS without needing custom solutions.

Why Other Options are Incorrect:

Option A: AWS KMS managed encryption keys (AWS-owned keys) do not support key rotation on demand.

Option C & D: Storing keys in AWS Secrets Manager with custom rotation is not a recommended approach for database encryption. AWS KMS is designed specifically for secure key management and encryption.

AWS Documentation References:

Encrypting Amazon RDS Resources

AWS Key Management Service (KMS)

The requirement has two parts: (1) authenticate users with a third-party SAML IdP , and (2) after authentication, allow those users to access AWS services like Amazon S3 and DynamoDB. The AWS pattern for this is to federate the external identity into AWS and then exchange that identity for temporary AWS credentials .

Amazon Cognito identity pools are designed to provide AWS credentials to authenticated users (via AWS STS) so the users can call AWS services directly or through an application backend. Identity pools support federation with external identity providers, including SAML 2.0 . When a user authenticates with the third-party SAML IdP, the identity pool can accept the SAML assertion, map the user to an IAM role, and return temporary, scoped credentials (AccessKeyId/SecretAccessKey/SessionToken) associated with that role. Those credentials can be restricted using IAM policies to only the required S3 buckets, DynamoDB tables, and actions, satisfying least privilege.

Option A is incorrect because a Cognito user pool is primarily a user directory and OIDC/OAuth provider for application authentication; while user pools can integrate with SAML IdPs for federation, user pools alone do not directly issue AWS service credentials. The key requirement here is access to S3/DynamoDB, which is the role of an identity pool . Option C is not appropriate because IAM is not intended to provide end-user sign-up/sign-in for external users; it is for AWS identities and permissions. Option D is unrelated: CloudFront signed URLs control access to CloudFront-distributed content and do not authenticate users with SAML or provide AWS credentials.

Therefore, B meets both requirements: federate SAML authentication through a Cognito identity pool and provide temporary AWS credentials for accessing S3 and DynamoDB.

AWS Secrets Manager supports multi-Region secret replication, which is designed specifically for redundancy, disaster recovery, and multi-Region applications. With this feature, the primary secret resides in one Region (here, us-west-1) and Secrets Manager automatically maintains a replica in another Region (us-east-1). This provides local read access and resilience if one Region is impaired.

Option A accurately describes the standard configuration: enable secret replication and add us-east-1 as the replica Region. Because encryption keys are Region-scoped, the replica secret in us-east-1 should be encrypted with a KMS key in us-east-1 (either the default Secrets Manager key for that Region or a customer managed key), satisfying encryption requirements and proper key locality.

Option B is incorrect because you don’t configure replication “from the destination.” Replication is configured on the primary secret, and the replica uses a KMS key in the replica Region, not in the source Region.

Option C is not how Secrets Manager replication works. Replication is not only during rotation; it maintains replicas continuously. The “replication rule during rotation” framing is not the standard mechanism.

Option D is inappropriate and insecure/operationally complex: exporting secrets to S3 for replication is not the recommended pattern and introduces unnecessary exposure.

Therefore, enable Secrets Manager multi-Region replication and encrypt replicas with a KMS key in the destination Region.

For rapid prototyping with the least operational overhead, Lambda function URLs are the best fit. A Lambda function URL provides a built-in HTTPS endpoint directly in front of a Lambda function, allowing the frontend team to invoke each endpoint without requiring additional infrastructure. This is ideal when the overall architecture is not finalized and the team needs a quick way to test.

AWS describes Lambda function URLs as a simple way to “add an HTTPS endpoint to your Lambda function” without requiring API Gateway, load balancers, or custom proxy layers. This substantially reduces setup time and avoids the operational tasks associated with provisioning, configuring, and managing an API layer during early-stage development.

Option B (API Gateway REST API) introduces more operational overhead: creating resources, methods, integrations, deployments, stages, and potentially authorization and throttling configuration. API Gateway is powerful, but it is more than needed for quick endpoint testing.

Option C (AppSync) is designed for GraphQL-based APIs and requires schema design and resolvers. That is unnecessary complexity for simply testing three Lambda-backed endpoints.

Option D (ECS proxy) adds the most operational burden because it requires container orchestration, networking, scaling, and patching—completely misaligned with “least operational overhead.”

Therefore, the fastest and simplest approach is to create a function URL per Lambda endpoint, allowing immediate testing from the frontend with minimal additional AWS configuration.

The most secure way to handle database credentials for a CodeBuild stage—especially with a company requirement for automatic rotation—is to store credentials in AWS Secrets Manager and reference the secret securely from the CodeBuild environment. Secrets Manager is purpose-built to store, retrieve, and rotate secrets such as database credentials, API keys, and tokens. It encrypts secrets at rest (using AWS KMS), supports fine-grained IAM access control, and integrates with services like CodeBuild through environment variables and runtime retrieval.

With CodeBuild, the developer can configure environment variables to reference a Secrets Manager secret (rather than embedding credentials in buildspec.yml). This ensures that the build process retrieves the latest rotated credentials at runtime, reducing exposure risk and eliminating manual credential updates.

Option B is weaker because Systems Manager Parameter Store (SecureString) is a secure storage mechanism, but automatic rotation is not a native Parameter Store feature in the same way it is in Secrets Manager for database credentials. Secrets Manager provides managed rotation workflows (often via Lambda rotation functions) and scheduling that directly matches the requirement.

Options A and D violate secure handling practices by hardcoding credentials or storing plaintext connection strings. Both approaches significantly increase risk of exposure through source control, build logs, or environment inspection. Additionally, bolting on rotation via Lambda or EventBridge does not address the primary weakness of hardcoded/plaintext secret distribution.

Therefore, AWS Secrets Manager with automatic rotation, referenced securely from CodeBuild environment variables, is the most secure solution.

Increasing the number of shards of the Kinesis data stream will increase the throughput and parallelism of the data processing. Increasing the memory that is allocated to the Lambda function will also increase the CPU and network performance of the function, which will reduce the run duration and improve the processing speed. Option B is not correct because decreasing the timeout of the Lambda function will not affect the processing speed, but may cause some records to fail if they exceed the timeout limit. Option D is not correct because decreasing the number of shards of the Kinesis data stream will decrease the throughput and parallelism of the data processing, which will slow down the processing speed. Option E is not correct because increasing the timeout of the Lambda function will not affect the processing speed, but may increase the cost of running the function.

AWS Lambda layers are specifically designed to share common code and dependencies across multiple Lambda functions. A layer is a ZIP archive that contains libraries, a custom runtime, or other function dependencies. Layers are versioned, so the developer can publish a new layer version when libraries change and then update functions to reference the new version. This directly meets the requirements to centralize libraries, update conveniently, and keep libraries versioned—while requiring minimal development work.

Using a single shared layer significantly reduces duplication across function deployment packages. It also simplifies CI/CD because the developer can build and publish the layer independently and reuse it across many functions.

Option A (CodeArtifact) is useful for dependency management, but it still requires each Lambda deployment to package dependencies or download them during build. It’s more moving parts than a layer for this use case.

Option B (container images) can centralize dependencies but typically requires more effort: building, scanning, versioning container images, and updating function image URIs. It’s heavier operationally than layers for “shared custom libraries.”

Option D (EFS) can be mounted by Lambda, but introduces networking considerations (VPC config), EFS lifecycle/permissions, and is unnecessary for simply sharing libraries. Also, cold start and operational overhead can increase.

Therefore, creating a Lambda layer for the shared libraries is the least-effort, most standard approach.

Amazon ElastiCache for Memcached is a fully managed, multithreaded, and scalable in-memory key-value store that can be used to cache frequently accessed data and improve application performance1. By using Amazon ElastiCache for Memcached, the developer can reduce the load on the main database and handle high traffic surges more efficiently.

To use Amazon ElastiCache for Memcached, the developer needs to create a cache cluster with one or more nodes, and configure the application to store and retrieve data from the cache cluster2. The developer can use any of the supported Memcached clients to interact with the cache cluster3. The developer can also use Auto Discovery to dynamically discover and connect to all cache nodes in a cluster4.

Amazon ElastiCache for Memcached is compatible with the Memcached protocol, which means that the developer can use existing tools and libraries that work with Memcached1. Amazon ElastiCache for Memcached also supports data partitioning, which allows the developer to distribute data among multiple nodes and scale out the cache cluster as needed.

Using Amazon ElastiCache for Memcached is a simple and effective solution that meets the requirements with the least complexity. The developer does not need to change the database schema, migrate data to a different service, or use a different caching model. The developer can leverage the existing Memcached ecosystem and easily integrate it with the application.

IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.

Create a role with a policy allowing s3:GetObject on the specific bucket.

Attach the role to an instance profile and associate that profile with your instances.

Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.

Modify the app to use the AWS SDK to call GeneratePresignedUrl.

Embed these URLs when a user is properly logged in, allowing download access.

Step 1: Problem Understanding

Asymmetric Encryption Requirement: Users encrypt data with a public key, and only the company can decrypt it using a private key.

Data Encryption at Rest and In Transit: The data must be encrypted during upload (in transit) and when stored in Amazon S3 (at rest).

Step 2: Solution Analysis

Option A: Server-side encryption with Amazon S3 managed keys (SSE-S3).

Amazon S3 manages the encryption and decryption keys.

This does not meet the requirement for asymmetric encryption, where the company uses a private key.

Not suitable.

Option B: Server-side encryption with customer-provided keys (SSE-C).

Requires the user to supply encryption keys during the upload process.

Does not align with the asymmetric encryption requirement.

Not suitable.

Option C: Client-side encryption with a data key.

Data key encryption is symmetric, not asymmetric.

Does not satisfy the requirement for a public-private key pair.

Not suitable.

Option D: Client-side encryption with a customer-managed encryption key.

Data is encrypted on the client side using the public key.

Only the company can decrypt the data using the corresponding private key.

Data remains encrypted during upload (in transit) and in S3 (at rest).

Correct option.

Step 3: Implementation Steps for Option D

Generate Key Pair:

The company generates an RSA key pair (public/private) for encryption and decryption.

Encrypt Data on Client Side:

Use the public key to encrypt the data before uploading to S3.

S3 Upload:

Upload the encrypted data to S3 over an HTTPS connection.

Decrypt Data on the Server:

Use the private key to decrypt data when needed.

AWS Developer References:

Amazon S3 Encryption Options

Asymmetric Key Cryptography in AWS

To provide login functionality with branded sign-in pages and minimal custom code, the best solution is Amazon Cognito Hosted UI. Cognito User Pools include a managed authentication service that can handle sign-up/sign-in, MFA options, password resets, and OAuth/OpenID Connect flows. The Hosted UI provides ready-to-use authentication pages and endpoints, which removes the need to build and maintain custom authentication pages and backend logic.

AWS allows customization of the Hosted UI to match company branding (for example, logo, colors, and CSS styling). This directly meets the requirement that “all pages must match branding” while minimizing development effort. The application can integrate with Cognito using standard authorization flows and tokens, which works well with Lambda-based architectures (for example, API Gateway authorizers with Cognito user pools).

Option A (S3 static pages) would still require implementing authentication flows, session handling, token management, and secure integration with the backend—significantly more custom code.

Option B requires writing and maintaining custom sign-in page serving logic plus authentication handlers, which increases code and operational overhead.

Option C (Lambda@Edge) is even more complex, introducing edge execution and additional deployment/versioning considerations, and still requires custom auth logic.

Therefore, using Amazon Cognito User Pools with the Hosted UI and branding customization is the lowest-code, most maintainable solution.

Visibility Timeout: When an SQS message is processed by a consumer (here, the Lambda function), it ' s temporarily hidden from other consumers. Visibility timeout controls this duration.

How It Helps:

Increase the visibility timeout beyond the maximum processing time your Lambda might typically take for long videos.

This prevents the message from reappearing in the queue while Lambda is still working, avoiding premature timeouts.

Lambda Layers: These are designed to package dependencies that you can share across functions.

How to Use:

Create a layer, upload your 100MB library as a zip.

Attach the layer to your function.

In your function code, import the library from the standard layer path.

TTL for Automatic Deletion: DynamoDB ' s Time-to-Live effortlessly deletes expired items without manual intervention.

DynamoDB Stream: Captures changes to the table, including deletions of expired items, triggering downstream actions.

Lambda for Processing: A Lambda function connected to the stream provides custom logic for handling the deleted items.

Code Efficiency: This solution leverages native DynamoDB features and stream-based processing, minimizing the need for custom code.

https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/ https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html

This solution allows the environment variables to be passed to the container when it is launched by AWS Fargate using Amazon ECS. The task definition is a text file that describes one or more containers that form an application. It contains various parameters for configuring the containers, such as CPU and memory requirements, network mode, and environment variables. The environment parameter is an array of key-value pairs that specify environment variables to pass to a container. Defining an array that includes the environment variables under the entryPoint parameter within the task definition will not pass them to the container, but use them as command-line arguments for overriding the default entry point of a container. Defining an array that includes the environment variables under the environment or entryPoint parameter within the service definition will not pass them to the container, but cause an error because these parameters are not valid for a service definition.

Amazon DynamoDB performance depends heavily on partition key design . AWS documentation warns against access patterns that repeatedly target the same partition key, as this causes hot partitions , even in on-demand mode.

In this scenario, most reads focus on the current day’s forecast for a small number of large cities. Using CityId alone as the partition key would cause hot partitions for those cities. Adding a calculated suffix (such as a hash or modulo value) to CityId spreads read requests across multiple partitions while still allowing efficient querying.

Using ForecastDate as the partition key (Options C and D) would concentrate traffic on a single value (today’s date), creating severe hot partition issues. Option B lacks a meaningful access pattern and complicates queries.

AWS documentation explicitly recommends key-suffix techniques for workloads with skewed access patterns to distribute traffic evenly. Therefore, using CityId with a calculated suffix as the partition key is the correct design.

IAM Roles for EC2: IAM roles are the recommended way to provide AWS credentials to applications running on EC2 instances. Here ' s how this works:

You create an IAM role with the necessary permissions to access the target S3 bucket.

You create an instance profile and associate the IAM role with this profile.

When launching the EC2 instance, you attach this instance profile.

Temporary Security Credentials: When the application on the EC2 instance needs to access S3, it doesn ' t directly use access keys. Instead, the AWS SDK running on the instance retrieves temporary security credentials associated with the role. These are rotated automatically by AWS.

A canary deployment best matches the requirement to test a new feature with a small group of users while the current version remains deployed for everyone else. In a canary approach, a new application revision is released to a limited portion of traffic/users first . This allows the team to collect real user feedback and validate behavior under production-like conditions without exposing the full user base to risk.

AWS deployment guidance for progressive delivery aligns with this concept: you start by directing a small percentage of requests to the new version, monitor results (such as error rates, latency, and business outcomes), and keep the stable version handling the majority of traffic during the evaluation period. This directly satisfies the requirement that the “current software version remains deployed” while testing occurs.

Once the feature is validated, the canary strategy supports promoting the new revision to the remaining population by shifting traffic from the old version to the new version—commonly ending with a transition to 100% of users on the new version. This satisfies the requirement to deploy to “all other users at the same time” after the small-group validation step is complete.

Why the other options are less suitable:

All-at-once exposes all users immediately, so there is no limited-user validation phase.

In-place replaces the existing version on the same infrastructure, typically without maintaining a parallel stable path for a subset of users.

Linear gradually shifts traffic in fixed increments over time, rather than validating with a small group and then moving the remainder in one step.

The solution that will meet the requirements with the least development effort is to set the image resize Lambda function as a destination of the avatar generator Lambda function for the events that fail processing. This way, the fallback mechanism is automatically triggered by the Lambda service without requiring any additional components or configuration. The other options involve creating and managing additional resources such as queues, topics, state machines, or rules, which would increase the complexity and cost of the solution.

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

Requirement Summary:

Customer credit card data may be exposed

Data is stored in Amazon S3

Developer must identify all exposure risks

Tool to Use:

Amazon Macie is designed to:

Automatically scan S3 for sensitive data

Detect financial information, PII, credentials, etc.

Finding Type Mapping:

Credit card data maps to: SensitiveData:S3Object/Financial

Evaluate Options:

A. Athena + filtering

Athena is a query engine; it doesn’t detect sensitive data automatically

B. Macie + Financial finding type

Correct

Designed for this use case

C. Macie + Personal finding type

Personal maps to names, addresses, etc., not credit cards

D. Athena + Financial

Again, Athena can’t classify data – it only queries structured data

Macie Overview: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html

Finding Types: https://docs.aws.amazon.com/macie/latest/user/findings-types.html

Financial finding type: SensitiveData:S3Object/Financial

This solution will meet the requirements by using AWS Config to monitor and evaluate whether Secrets Manager secrets are unused or have been deleted, based on specified time periods. The secrets manager-secret-unused managed rule is a predefined rule that checks whether Secrets Manager secrets have been rotated within a specified number of days or have been deleted within a specified number of days after last accessed date. The Amazon EventBridge rule will trigger a notification when the AWS Config managed rule is met, alerting the developer about unused secrets that can be removed without causing application downtime. Option A is not optimal because it will use AWS CloudTrail log file delivery to an Amazon S3 bucket, which will incur additional costs and complexity for storing and analyzing log files that may not contain relevant information about secret usage. Option C is not optimal because it will deactivate the application secrets and monitor the application error logs temporarily, which will cause application downtime and potential data loss. Option D is not optimal because it will use AWS X-Ray to trace secret usage, which will introduce additional overhead and latency for instrumenting and sampling requests that may not be related to secret usage.

Secrets Management: AWS Secrets Manager is designed specifically for storing and managing sensitive credentials.

Environment Isolation: Creating separate secrets for each environment (development, staging, etc.) ensures clear separation and prevents accidental leaks.

Automatic Rotation: Secrets Manager provides built-in rotation capabilities, enhancing security posture.

Versioning: Tracking changes to secrets is essential for auditing and compliance.

Comprehensive and Detailed Explanation (250–300 words):

AWS best practices for multi-tenant isolation recommend session-based access control using IAM session tags . Session tags allow temporary credentials to be scoped dynamically based on tenant context.

First, the data access role must allow sts:TagSession (Option A) so tenant identifiers can be passed securely at runtime. The Lambda function assumes this role and includes the tenant name as a session tag (Option F).

Next, IAM policies on the data access role restrict access to S3 object prefixes and DynamoDB partition keys by evaluating the session tag (Option C). This ensures that even if a bug occurs, the role cannot access data belonging to another tenant.

Resource-based DynamoDB policies and RCPs are unnecessary here and add complexity.

This approach follows AWS’s recommended attribute-based access control (ABAC) model and provides strong tenant isolation with minimal operational overhead.

The immutable deployment method is the best option for this scenario, because it meets the requirements of maintaining full capacity, avoiding service interruption, and minimizing the cost of additional resources.

The immutable deployment method creates a new set of instances in a separate Auto Scaling group and deploys the new version of the application to them. Then, it swaps the new instances with the old ones and terminates the old instances. This way, the application maintains full capacity during the deployment and avoids any downtime. The cost of additional resources is also minimized, because the new instances are only created for a short time and then replaced by the old ones.

The other deployment methods do not meet all the requirements:

The all at once method deploys the new version to all instances simultaneously, which causes a short period of downtime and reduced capacity.

The rolling with additional batch method deploys the new version in batches, but for the first batch it creates new instances instead of using the existing ones. This increases the cost of additional resources and reduces the capacity of the original environment.

The blue/green method creates a new environment with a new set of instances and deploys the new version to them. Then, it swaps the URLs between the old and new environments. This method maintains full capacity and avoids service interruption, but it also increases the cost of additional resources significantly, because it duplicates the entire environment.

Step-by-Step Breakdown:

Requirement Summary:

Get notified when EC2 CPU Utilization > 80%

Option A: CloudWatch Alarm with SNS

Correct and standard AWS practice

CloudWatch automatically collects EC2 metrics, including CPUUtilization.

You can set a CloudWatch Alarm with a threshold (80% in this case).

Then, trigger an SNS notification to email, SMS, Lambda, etc.

Option B: AWS CloudTrail alarm

Incorrect: CloudTrail logs API activity, not performance metrics.

It doesn’t track metrics like CPU utilization.

Option C: Cron job on EC2 running --describe-instance-information

Incorrect: This doesn’t give CPU usage.

Also inefficient, and polling is bad practice when CloudWatch already monitors this natively.

Option D: Lambda function querying CloudTrail for CPU usage

Incorrect and conceptually flawed.

CloudTrail does not store performance metrics; CloudWatch does.

CloudWatch Alarms for EC2: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

EC2 Metrics in CloudWatch: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

Amazon SNS Notification Setup: https://docs.aws.amazon.com/sns/latest/dg/sns-email-notifications.html

Step-by-Step Breakdown:

Requirement Summary:

Use AWS SAM to deploy:

1 Lambda Function

1 S3 Bucket

Lambda needs read-only access to the S3 bucket

Solution must be expressed via AWS SAM template

Option A: Reference a second Lambda authorizer function

Incorrect: Lambda authorizers are used in API Gateway for authentication, not for granting S3 permissions.

Option B: Add a custom S3 bucket policy to the Lambda function

Incorrect: Bucket policies control who can access the bucket, not what the Lambda function can do.

The permission must be granted to the Lambda’s IAM execution role.

Option C: Create an Amazon SQS topic for only S3 object reads

Incorrect: SQS cannot read objects from S3 and is not relevant to this scenario.

Option D: Add the S3ReadPolicy template to the Lambda function ' s execution role

Correct: AWS SAM provides managed policy templates like AmazonS3ReadOnlyAccess and shortcuts like S3ReadPolicy.

You can apply these to the Lambda’s execution role using the Policies: section in your SAM template.

Example SAM YAML:

yaml

CopyEdit

Resources:

MyFunction:

Type: AWS::Serverless::Function

Properties:

CodeUri: my-code/

Handler: app.handler

Runtime: python3.11

Policies:

- S3ReadPolicy:

BucketName: !Ref MyBucket

MyBucket:

Type: AWS::S3::Bucket

Properties:

BucketName: my-personal-bucket-name

SAM Policy Templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html

Example using S3ReadPolicy: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#s3-readpolicy

This solution allows the CloudFormation service role to access the S3 bucket from any account, as long as it has the S3 GetObject permission. The bucket policy grants access to any principal with the GetObject permission, which is the least privilege needed to deploy the Lambda code. This is more secure than granting ListBucket permission, which is not required for deploying Lambda code, or using a service-based link, which is not supported for Lambda functions.

AWS Serverless Application Model (AWS SAM) is an open-source framework that enables developers to build and deploy serverless applications on AWS. AWS SAM uses a template specification that extends AWS CloudFormation to simplify the definition of serverless resources such as API Gateway, DynamoDB, and Lambda. The developer can use AWS SAM to define serverless resources in YAML and deploy them using the AWS SAM CLI.

The correct answer is A because AWS CodeBuild natively integrates with AWS Secrets Manager for securely injecting secrets into build environments. In the env section of buildspec.yml , CodeBuild supports a secrets-manager mapping that references a secret directly. This approach keeps the secret encrypted at rest in Secrets Manager, makes it available to the build only when needed, and minimizes custom retrieval logic and operational complexity.

This solution also aligns with the requirement that the secret must not appear in the build logs. AWS CodeBuild is designed to handle environment variables sourced from supported secret stores in a way that avoids exposing plaintext secret values during normal build output. By granting the minimum necessary IAM permissions to the CodeBuild service role, access to the secret is tightly controlled according to least-privilege principles.

Option B is not the best answer because storing secrets in S3 and downloading them during the build adds unnecessary operational overhead and increases the chance of accidental exposure. NoEcho is associated with CloudFormation parameters, not with securely masking S3-downloaded secrets in CodeBuild logs. Option C can also work because Parameter Store integrates with CodeBuild, but for secrets specifically, Secrets Manager is the more direct AWS-managed secret storage service and is generally preferred for this use case. Option D is less efficient because custom CLI retrieval in pre-build steps adds more code and more operational work than native integration.

Therefore, the solution with the least operational overhead and strong security is to use Secrets Manager with the buildspec.yml secrets-manager mapping , making A the correct answer.

The company already has SSM Agent deployed on all servers, which enables centralized, scalable fleet operations without logging in to each instance. The most operationally efficient solution is to automate key distribution using Systems Manager Run Command, executing a script across the entire fleet (or a targeted subset) in one action.

Option B uses S3 as a simple distribution source and Run Command to perform the update at scale. The developer can store the required key material in a controlled S3 location and write a script that places the key in the correct filesystem path (with correct permissions/ownership), updates authorized_keys if needed, and restarts any services if required. Run Command can target instances by tags, resource groups, or instance IDs and provides execution logging and status.

Option A is not operationally efficient because it requires logging into each server manually.

Option C and D push the distribution burden to humans (“grant team members permissions to download”), which is error-prone, slow, and not scalable. Also, distributing private keys broadly to individuals increases risk.

AWS CodeBuild supports parallel test execution through batch builds and multiple compute environments. This feature allows a single CodeBuild project to divide test workloads across multiple isolated environments that run concurrently. Each environment executes a subset of the test suite, significantly reducing total build time.

AWS documentation emphasizes using native CodeBuild capabilities to minimize operational complexity. Parallel execution eliminates the need to manually manage infrastructure, test orchestration logic, or EC2 fleets. CodeBuild automatically provisions and terminates build environments, scales as needed, and integrates seamlessly with CI/CD pipelines.

Options A and D require manual coordination and infrastructure management, increasing operational overhead. Option C does not address the performance problem.

Therefore, using CodeBuild’s parallel compute environments is the most efficient and AWS-recommended approach.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html

HTTP 429 errors indicate throttling (“Too Many Requests”). In this architecture, throttling can occur at multiple layers (API Gateway rate limits, downstream AWS service API throttles, or dependency throttling). Regardless of which service is throttling, the correct resilience pattern is to implement retries with exponential backoff and jitter for retryable failures. AWS SDKs and AWS best practices recommend backoff to reduce contention and allow the system to recover, while ensuring requests eventually succeed.

Option C directly addresses the problem and the requirement “ensure that all of the application ingests all files.” With a retry + backoff pattern, transient throttling is handled gracefully: failed operations are retried after increasing delays, avoiding immediate retry storms that worsen throttling. This increases successful completion rate without requiring major architectural changes.

Option A (Transfer Acceleration) can improve upload latency from geographically distributed clients, but it does not resolve request throttling (429) caused by API limits.

Option B (multipart upload) helps with large object uploads and can improve throughput/reliability for big files, but it does not inherently prevent 429 throttling at API Gateway or other throttled calls.

Option D (Intelligent-Tiering) affects storage cost optimization, not ingestion throttling.

Requirement Summary:

Simple REST endpoint for weather data

Light backend usage (POC, testing)

Wants caching support to reduce backend calls

Must be cost-effective

Evaluate Options:

B: Lambda + API Gateway + SAM

Serverless = No idle costs

API Gateway can enable caching (response caching at endpoint level)

SAM makes deployment simple and repeatable

Perfect for low-traffic testing

A: EKS + API Gateway

High overhead

Not cost-effective for POC/testing

C: ECS + API Gateway

Similar to A: Container orchestration not needed for light REST endpoint

D: Elastic Beanstalk + ALB + Lambda

Overly complex and does not directly expose Lambda

Beanstalk better suited for full apps, not small REST functions

 AWS SAM: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html

 API Gateway caching: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

 Serverless Best Practices: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html

Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can use CloudWatch to monitor and troubleshoot all applications from one place. To do so, the developer needs to download the CloudWatch agent to the on-premises server and configure the agent to use IAM user credentials with permissions for CloudWatch. The agent will collect logs and metrics from the on-premises server and send them to CloudWatch.

The symptoms point to a missing event source mapping between Amazon SQS and the processing Lambda function. The parsing function successfully sends messages to SQS (the queue depth increases), but the processing function is not running for production events—evidenced by no CloudWatch logs during those runs. If Lambda is not being invoked, it will not generate any logs. In an SQS-based architecture, Lambda does not “pull” messages from a queue unless the queue is configured as a Lambda trigger (an event source mapping). The event source mapping tells Lambda to poll the queue, batch messages, and invoke the function with those messages.

In isolated tests, the developer likely invoked the processing function manually with mock events (for example, via the Lambda console or sam local invoke), which would create logs. But in production, because the function is supposed to be driven by SQS, it must have an SQS trigger configured; otherwise, messages will accumulate indefinitely and the function will never execute.

Option C (grant permissions) is necessary in many cases, but it does not explain the absence of logs and growing queue depth by itself if the trigger is missing. With the standard SQS→Lambda integration, Lambda’s service polls the queue using the function’s execution role permissions (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, etc.), but the polling does not occur without the event source mapping. Option D is not the root cause because the function isn’t being invoked; and if it were invoked, AWS-managed logging typically works unless the execution role lacks logging permissions. Option B is incorrect because the parsing function is not supposed to be triggered by SQS; it produces messages to SQS.

Therefore, configuring the SQS queue as a trigger for the processing Lambda function (A) resolves the issue and ensures production S3 events flow through parsing to SQS and then into processing automatically.

When multiple Lambda functions must execute in a defined sequence as part of a workflow (order processing → payment → inventory → fulfillment, etc.), the AWS service designed to coordinate and orchestrate serverless workflows is AWS Step Functions.

Option C is the least operational overhead because Step Functions provides a managed state machine that invokes Lambda functions in an explicit order with built-in support for retries, timeouts, error handling, branching, and state passing between steps. The developer defines the workflow declaratively (Amazon States Language) and Step Functions ensures the sequence is enforced consistently.

Option A (SQS) is not a workflow orchestrator. Ensuring strict sequencing would require custom coordination logic, state tracking, and careful handling of retries and ordering—more code and complexity (and standard SQS does not guarantee strict order).

Option B (SNS) fans out events and is not designed for sequential orchestration.

Option D (EventBridge Scheduler) can schedule invocations at times, but it does not coordinate multi-step workflows with dependencies and conditional transitions.

AWS AppConfig , a capability of AWS Systems Manager, is specifically designed to manage feature flags , configuration changes, and application toggles safely and dynamically. AWS documentation highlights AppConfig as the recommended service for enabling and disabling application features without redeploying code.

Feature flags in AppConfig allow developers to control visibility, rollout strategies, and gradual releases across environments. AppConfig supports validation, monitoring, and rollback to prevent misconfigurations from impacting users.

Option A is incorrect because AWS AppSync is a GraphQL service and does not manage feature flags. Options B and D misuse data storage and synchronization services for configuration management, introducing unnecessary complexity and risk.

Using AWS AppConfig enables developers to hide features , activate them instantly when ready, and manage them centrally with minimal operational overhead.

Therefore, AWS AppConfig feature flags are the correct and AWS-recommended solution.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

The requirement is to search for partial matches of email_address but scoped to a specific customer_type. In DynamoDB, efficient partial matching is performed with a Query on a sort key using the begins_with() condition. However, Query requires that the partition key be specified exactly, so we need an index where customer_type can be used as the partition key, and email_address can be used as the sort key for prefix matching.

A Global Secondary Index (GSI) can be added to an existing table without recreating it, and it can use a different partition key and sort key from the base table. Option A correctly proposes a GSI with:

Partition key: customer_type

Sort key: email_address

Then the Lambda can run a Query on the GSI like: customer_type = :ct AND begins_with(email_address, :prefix) which returns emails that start with the typed prefix for that customer type.

Option B is wrong because it keeps email_address as the partition key. That would require an exact email value (not a prefix) to Query, and you cannot do begins_with on a partition key; begins_with is for sort keys.

Options C and D are invalid because Local Secondary Indexes (LSIs) must share the same partition key as the base table (here, email_address). You cannot create an LSI with customer_type or job_title as the partition key when the table partition key is email_address.

Therefore, adding a GSI (customer_type PK, email_address SK) and querying it with begins_with is the correct solution.

Amazon API Gateway has a hard integration timeout that determines how long it waits for a backend response. If the backend (Lambda) does not respond within this time, API Gateway returns an HTTP 504 error to the client.

In this scenario, the Lambda function timeout is longer (20 seconds) than the API Gateway integration timeout (15 seconds). AWS documentation states that API Gateway will terminate the request once its timeout is exceeded, even if Lambda continues executing successfully. This explains why there are no Lambda errors despite 504 responses.

Increasing the Lambda timeout (Option B) does not help because API Gateway times out first. Reserved concurrency (Option A) and throttling limits (Option D) are unrelated to request duration.

The correct solution is to increase the API Gateway integration timeout so that it exceeds the maximum expected Lambda execution time. This ensures API Gateway waits long enough for the Lambda response.

Therefore, increasing the API Gateway timeout prevents HTTP 504 errors.

Requirement Summary:

Store customer orders in DynamoDB

Must encrypt data at rest

Company wants to use a key it generates (i.e., customer managed key)

Evaluate Options:

A. Set encryption to None, manually encrypt/decrypt in code

Overhead and error-prone

Also non-compliant with AWS encryption best practices

B. Use customer managed KMS key

Exactly meets the requirement: customer generates and controls the key

During table creation, you can specify a KMS CMK ARN

C. Default encryption + kms:Encrypt in SDK

Misunderstanding: DynamoDB handles encryption automatically

You don’t need to call kms:Encrypt manually in SDK

D. Use AWS managed key

Does not meet the requirement of using custom company-generated key

DynamoDB encryption: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

KMS customer managed keys: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

This solution will meet the requirements by allowing the Lambda functions to access the DB cluster securely within the same VPC without crossing the public internet. The developer can configure a VPC endpoint for RDS in a private subnet and assign it to the Lambda functions. The developer can also configure a security group for the Lambda functions that allows inbound traffic from the DB cluster on port 3306 (MySQL). Option A is not optimal because it will expose the DB cluster to public access, which may compromise its security and data integrity. Option B is not optimal because it will introduce additional latency and complexity to use an RDS database proxy for accessing the DB cluster from Lambda functions within the same VPC. Option C is not optimal because it will require additional costs and configuration to use a NAT gateway for accessing resources in private subnets from Lambda functions.

Mocking API Responses: API Gateway ' s Mock integration type enables simulating API behavior without invoking backend services.

Testing with Sample Data: Using captured responses from the real third-party API ensures realistic testing of the integration code.

Focus on Integration Logic: This solution allows the developer to isolate and test the application ' s interaction with the payment APIs, even without a test environment from the third-party providers.

The correct answer is D because the current DynamoDB table design is causing a hot partition problem. The table uses order_date as the partition key, which means that during peak ordering periods, a very large number of writes are likely targeting the same partition key value for the current date. In DynamoDB, write throttling often occurs when traffic is not evenly distributed across partition keys, even when the table uses on-demand mode . On-demand capacity can automatically scale, but it still depends on proper key distribution to avoid concentrated activity on a small number of partitions.

By changing the partition key to customer_id and using order_id as the sort key, writes will be spread across many customers instead of being concentrated on a small number of date values. This creates a more balanced write pattern and better aligns with DynamoDB best practices for high-scale workloads. DynamoDB documentation emphasizes choosing partition keys with high cardinality and even request distribution to avoid throttling and improve performance.

Option A is not a good design because a sequential partition key can still create uneven access patterns and usually does not support meaningful access requirements. Option B is not the best answer because simply increasing capacity does not fix a poor partition key design; hot partitions can still throttle. Option C is unnecessary because the issue is not that DynamoDB is the wrong service, but that the table schema needs redesign.

Therefore, the best solution is to refactor the key schema so that writes distribute more evenly across partitions, which is exactly what D achieves.

A Lambda alias is a pointer to a specific Lambda function version or another alias1. A Lambda alias allows you to invoke different versions of a function using the same name1. You can also split traffic between two aliases by assigning weights to them1.

In this scenario, the developer needs to test their changes in production on a small percentage of all traffic without changing the API Gateway URL. To achieve this, the developer can follow these steps:

Define an alias on the $LATEST version of the Lambda function. This will create a new alias that points to the latest code of the function.

Update the API Gateway endpoint to reference the new Lambda function alias. This will make the API Gateway invoke the alias instead of a specific version of the function.

Upload and publish the optimized Lambda function code. This will update the $LATEST version of the function with the new code.

On the production API Gateway stage, define a canary release and set the percentage of traffic to direct to the canary release. This will enable API Gateway to perform a canary deployment on a new API2. A canary deployment is a software development strategy in which a new version of an API is deployed for testing purposes, and the base version remains deployed as a production release for normal operations on the same stage2. The canary release receives a small percentage of API traffic and the production release takes up the rest2.

Update the API Gateway endpoint to use the $LATEST version of the Lambda function. This will make the canary release invoke the latest code of the function, which contains the optimized changes.

Publish to the canary stage. This will deploy the changes to a subset of users for testing.

By using this solution, the developer can test their changes in production on a small percentage of all traffic without changing the API Gateway URL. The developer can also monitor and compare metrics between the canary and production releases, and promote or disable the canary as needed2.

The customer must be able to download the generated video for at least 3 hours, which requires durable storage that persists beyond the Lambda execution environment. The best fit is Amazon S3 with a presigned URL.

Lambda’s /tmp storage (Option A) is ephemeral and scoped to the execution environment. It is not intended for durable customer downloads and can be deleted when the execution environment is recycled. A Lambda function URL also does not solve durable file hosting and would require the function to serve the content itself.

Option C uses S3 to store the video object durably and then issues a presigned URL that grants time-limited access to that specific object. Presigned URLs are designed for exactly this scenario: allow unauthenticated users temporary access to a private S3 object without making the bucket public. The developer can set the URL expiration to 3 hours (or longer), meeting the access requirement cleanly.

Option B is incorrect because S3 presigned URLs are for S3 objects, not EFS files. EFS does not natively use S3-style presigned URLs for external downloads.

Option D is not the right model: CloudFront can distribute S3 content and supports signed URLs/cookies, but CloudFront is a distribution layer, not an origin storage solution by itself. You would still need to store the video in S3 (or another origin). For the stated requirement, S3 + presigned URL is simpler and has less overhead.

Therefore, store videos in Amazon S3 and provide presigned URLs with a 3-hour expiration.

For cross-account access from EC2 in Account A to a Kinesis data stream in Account B , the recommended secure pattern is to use STS AssumeRole into a role in the resource-owning account (Account B). This ensures Account B retains control over what permissions are granted to external principals and allows Account A workloads to obtain temporary credentials scoped to the required actions.

First, create an IAM role in Account B that has the necessary Kinesis read permissions (such as kinesis:GetRecords, kinesis:GetShardIterator, kinesis:DescribeStream, and related read actions as required). That corresponds to option B . This role represents the permission boundary controlled by Account B for accessing its stream.

Second, configure the role’s trust policy in Account B to allow the instance profile role (or another IAM principal) from Account A to assume it. In practice, the trust relationship is defined on the Account B role and specifies the Account A role as the trusted principal, enabling sts:AssumeRole. This corresponds to option C (the intent is “allow the instance profile role to assume the IAM role in Account B”).

Option A alone is insufficient because permissions in Account A do not grant access to resources owned by Account B without an explicit cross-account authorization path. Option D is incorrect because trust policies do not “allow reads from the stream”; they allow principals to assume roles , and permissions policies allow service actions. Option E (resource-based policy) is not the primary mechanism for Kinesis Data Streams cross-account access in this scenario compared with the standard role assumption model; the secure and common approach is to assume a role in the owning account.

Therefore, the correct actions are B (create the role with read permissions in Account B) and C (configure trust to allow Account A’s instance role to assume it).

Why Option A is Correct:Converting a Lambda function to use a container image involves packaging the function code into a container image, storing the image in Amazon Elastic Container Registry (ECR), and updating the function to use the ECR repository URI.

Why Other Options are Incorrect:

Option B: SAM templates support container-based Lambda deployment, but storing the image in S3 is not applicable.

Option C: CloudFormation does not natively support specifying Lambda container images in S3.

Option D: While partially correct, it omits the need to specify the image tag for the deployment.

AWS Documentation References:

Lambda Container Images

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The developer needs to export DynamoDB table data into Amazon S3 buckets using the AWS CLI, and some exports are failing. Proper credentials and permissions have already been configured.

2. Key Conditions to Check:

Region Consistency:DynamoDB exports require that the target S3 bucket and the DynamoDB table reside in the same AWS Region. If they are not in the same Region, the export process will fail.

Point-in-Time Recovery (PITR):PITR is not required for exporting data from DynamoDB to S3. Enabling PITR allows recovery of table states at specific points in time but does not directly influence export functionality.

DynamoDB Streams:Streams allow real-time capture of data modifications but are unrelated to the bulk export feature.

DAX (DynamoDB Accelerator):DAX is a caching service that speeds up read operations for DynamoDB but does not affect the export functionality.

3. Explanation of the Options:

Option A: " Ensure that point-in-time recovery is enabled on the DynamoDB tables. " While PITR is useful for disaster recovery and restoring table states, it is not required for exporting data to S3. This option does not address the export failure.

Option B: " Ensure that the target S3 bucket is in the same AWS Region as the DynamoDB table. " This is the correct answer. DynamoDB export functionality requires the target S3 bucket to reside in the same AWS Region as the DynamoDB table. If the S3 bucket is in a different Region, the export will fail.

Option C: " Ensure that DynamoDB streaming is enabled for the tables. " Streams are useful for capturing real-time changes in DynamoDB tables but are unrelated to the export functionality. This option does not resolve the issue.

Option D: " Ensure that DynamoDB Accelerator (DAX) is enabled. " DAX accelerates read operations but does not influence the export functionality. This option is irrelevant to the issue.

4. Resolution Steps:

To ensure successful exports:

Verify the Region of the DynamoDB tables:

Check the Region where each table is located.

Verify the Region of the target S3 buckets:

Confirm that the target S3 bucket for each export is in the same Region as the corresponding DynamoDB table.

If necessary, create new S3 buckets in the appropriate Regions.

Run the export command again with the correct setup:

aws dynamodb export-table-to-point-in-time \

--table-name < TableName > \

--s3-bucket < BucketName > \

--s3-prefix < Prefix > \

--export-time < ExportTime > \

--region < Region >

This solution meets the requirements because it provides a caching layer that can store and retrieve encrypted data from multiple nodes. Amazon ElastiCache for Redis supports encryption at rest and in transit, and can scale horizontally to increase the cache capacity and availability. Amazon ElastiCache for Memcached does not support encryption, Amazon CloudFront is a content delivery network that is not suitable for caching database queries, and Amazon DynamoDB Accelerator (DAX) is a caching service that only works with DynamoDB tables.

Why Option C is Correct:SQL Server Always On availability groups require a shared storage solution. Amazon FSx for Windows File Server provides the shared storage necessary to implement Always On availability groups in a highly available configuration.

Why Other Options are Incorrect:

Option A: A single EBS volume cannot provide shared storage for Always On availability groups.

Option B: RDS does not support SQL Server Always On availability groups.

Option D: S3 is not a suitable storage tier for SQL Server database operations.

AWS Documentation References:

Amazon FSx for Windows File Server

CodeDeploy Predefined Configurations: CodeDeploy offers built-in deployment configurations for common scenarios.

Canary Deployment: Canary deployments gradually shift traffic to a new version, ideal for controlled rollouts like this requirement.

CodeDeployDefault.ECSCanary10Percent15Minutes: This configuration matches the company ' s requirements, shifting 10% of traffic initially and then completing the rollout after 15 minutes.

The correct answer is B because Amazon S3 event notifications can directly invoke an AWS Lambda function whenever a supported event occurs, such as ObjectCreated . This is the simplest and most infrastructure-efficient design for processing files that are uploaded to an S3 bucket. Since the requirement is to invoke the function with the least amount of AWS infrastructure , using the native direct integration between S3 and Lambda is the best choice.

AWS documentation explains that S3 can publish event notifications for object-level operations and send those notifications directly to Lambda. This allows the developer to build an event-driven workflow in which each newly uploaded project status file automatically triggers processing logic. There is no need for polling, scheduled scans, or intermediary messaging services unless there are additional requirements such as buffering, fan-out, or decoupling.

Option A is incorrect because polling the bucket every 5 minutes with EventBridge is less efficient and adds unnecessary delay and complexity. Option C is incorrect because introducing an SNS topic adds another infrastructure component when direct invocation is already supported. Option D is also incorrect because using SQS introduces a queue and polling behavior, which increases operational overhead and infrastructure count.

The direct S3-to-Lambda pattern is a common AWS serverless best practice for file processing workloads. It minimizes moving parts, reduces latency, and simplifies permissions and maintenance. Therefore, the developer should configure an S3 event notification for object creation events to invoke the Lambda function directly.

So, B is the correct answer.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. The developer can enable DynamoDB Streams on the table and create a trigger to connect the DynamoDB stream to the Lambda function. This solution will enable the Lambda function to detect changes to the DynamoDB table in near real time.

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can create an AWS Lambda function by using the SecretsManagerRotationTemplate template in the AWS Secrets Manager console, which provides a sample code for rotating secrets for RDS DB instances, Amazon DocumentDB clusters, and Amazon Aurora DB instances. The developer can also create secrets for the database credentials in Secrets Manager, which encrypts them at rest and provides secure access to them. The developer can set up secrets rotation on a schedule, which changes the database credentials periodically according to a specified interval or event. Option A is not optimal because it will set up IAM database authentication for token-based access, which may not be compatible with all database engines and may require additional configuration and management of IAM roles or users. Option B is not optimal because it will create parameters for the database credentials in AWS Systems Manager Parameter Store, which does not support automatic rotation of secrets. Option C is not optimal because it will store the database access credentials as an encrypted Amazon S3 object in an S3 bucket, which may introduce additional costs and complexity for accessing and securing the data.

AWS STS AssumeRole: The central operation for assuming temporary security credentials, commonly used for cross-account access.

MFA Integration: The AssumeRole call can include MFA information to enforce multi-factor authentication.

Credentials for S3 Access: The returned temporary credentials would provide the necessary permissions to access the S3 bucket in the other account.

CloudFormation and Dynamic References: The DefinitionSubstitutions property in CloudFormation allows you to pass values into Step Functions state machines at runtime.

Cost-Effectiveness: This solution is cost-effective as it leverages CloudFormation ' s built-in capabilities, avoiding the need for additional services like Secrets Manager or AppConfig.

This solution will most likely solve the issues because it will grant the IAM user the necessary permission to access the DynamoDB table using the AWS CLI command. The error message indicates that the IAM user does not have sufficient access rights to perform the scan operation on the table. Option A is not optimal because it will change the command to use put-item instead of scan, which will not achieve the desired result of getting data from the table. Option B is not optimal because it will involve contacting AWS Support, which may not be necessary or efficient for this issue. Option C is not optimal because it will state that DynamoDB cannot be accessed from the AWS CLI, which is incorrect as DynamoDB supports AWS CLI commands.

To give the frontend team immediate access to stable endpoints without waiting for a real backend implementation, the simplest approach is to use API Gateway MOCK integration . A MOCK integration lets API Gateway generate a response directly, without invoking Lambda or any other backend. This is ideal for early UI development because you can return consistent, predefined payloads and status codes for each method.

With MOCK integration, you configure an integration request (often using a static mapping template) to produce a dummy request payload that triggers a response, and then you configure integration responses to return specific HTTP status codes (such as 200, 400, 500) along with predefined JSON bodies. You can also set response headers (for example, Content-Type: application/json) and use mapping templates to shape the returned JSON. This satisfies the requirement to “return predefined HTTP status codes and JSON responses” while minimizing development effort and avoiding the need to deploy placeholder Lambda functions.

Option A (AWS_PROXY with Lambda) can work, but it requires creating and deploying Lambda functions and IAM permissions just to return static data—more effort than necessary. Option C (HTTP PROXY) depends on an external placeholder service, which adds another system to build and maintain. Option D is incorrect because HTTP status codes are not defined in the method request ; they are defined through method responses and realized through integration responses in API Gateway’s integration configuration.

Therefore, B is the best solution: MOCK integration with integration request/response mappings provides quick, code-free stubs that unblock frontend development.

The solution that will solve this problem is to create and inspect the Lambda dead-letter queue. Troubleshoot the failed functions. Reprocess the events. This way, the developer can identify and fix any issues that caused the Lambda function to fail when invoked asynchronously by API Gateway. The developer can also reprocess any orders that were not processed due to failures. The other options either do not address the root cause of the problem, or do not help recover from failures.

The Secrets Manager Agent provides an out-of-the-box solution for securely caching secrets locally, reducing latency and operational overhead.

Why Option B is Correct:

Caching: The agent securely caches secrets locally, minimizing Secrets Manager API calls.

Security: Secrets remain secure during retrieval and storage.

Low Operational Overhead: Managed solution eliminates the need for custom logic.

Why Not Other Options:

Option A: Custom scripts introduce complexity and require ongoing maintenance.

Option C: Using Redis requires managing an additional service, increasing overhead.

Option D: Storing secrets in S3 lacks the fine-grained security controls of Secrets Manager.

Caching Secrets in AWS Secrets Manager

DynamoDB access control operates at the table and item level , not at individual attribute deny rules in IAM or resource-based policies. Therefore, Option A is not supported. Encrypting the entire table with KMS (Option B) protects data at rest but does not prevent the Lambda function from reading sensitive attributes once access is granted.

To ensure the Lambda function cannot access PII, AWS documentation recommends controlling which attributes are returned from queries and scans. Using a projection expression (Option E) ensures that only non-PII attributes are returned to the function, even if PII exists in the item. This is a standard DynamoDB best practice for limiting data exposure.

For additional protection, client-side or application-level encryption should be used for sensitive fields. Option C uses envelope encryption with AWS KMS to encrypt only PII attributes. Even if the function retrieves the encrypted attribute, it cannot decrypt the data without KMS permissions. This ensures strong isolation of sensitive data.

ABAC (Option D) controls access to resources, not attributes, and therefore does not satisfy the requirement.

Thus, combining attribute-level encryption with projection expressions meets the security requirement.

API Gateway Mocking: This feature is built for decoupling development dependencies. Here ' s the process:

Create resources and methods in your API Gateway.

Set the integration type to ' MOCK ' .

Define Integration Responses, mapping HTTP status codes to desired mocked responses (JSON, etc.).

Deployment and Use:

Create a deployment stage for the API.

Frontend teams can call this API and get the mocked responses without a real backend.

The correct answer is A because the requirement is to encrypt data in transit and data at rest while ensuring that the developer can manage encryption keys . AWS Key Management Service (AWS KMS) is the AWS-managed service specifically designed for creating, controlling, and auditing cryptographic keys. When used with the AWS Encryption SDK , it supports envelope encryption , a recommended pattern for protecting sensitive application data.

In this model, the application uses data keys to encrypt the actual sensitive data, while AWS KMS protects and manages the master keys that encrypt those data keys. This provides strong security and centralized key management, including access control through IAM, key rotation options, and auditability through AWS logging integrations. For data in transit , the application should also use TLS/HTTPS , which is standard AWS guidance for secure communications.

Option B is incorrect because Parameter Store is not the correct mechanism for directly managing application encryption keys in this way. SecureString protects stored values, but it is not a substitute for using KMS as the primary managed key service for encryption architecture. Option C is incorrect because Secrets Manager is intended for storing secrets such as passwords and tokens, not as the main key management system for application encryption design. Option D is incorrect because SSE-S3 uses Amazon S3-managed keys, not customer-managed KMS keys, so it does not satisfy the requirement that the developer be able to manage encryption keys.

Therefore, AWS KMS with envelope encryption through the AWS Encryption SDK is the most appropriate and secure solution.

Requirement Summary:

Multi-tier app on EC2 + Aurora PostgreSQL

Must comply with least privilege and security policies

Need to manage credentials and API keys securely

Must support key rotation on demand

Evaluate Options:

A. Secrets Manager + AWS managed KMS keys

Best practice for secure secret storage

Supports auto rotation

Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)

AWS managed keys are rotated automatically and easier to manage

B. Secrets Manager + customer managed keys

Also valid, but adds complexity

Since the question asks for LEAST development effort, AWS-managed keys are preferred

C. Store secrets in code

Violates all security best practices

D. Use SSM Parameter Store + AWS managed keys

Possible, but Secrets Manager is preferred when rotation is needed

Parameter Store does not natively rotate secrets

Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Automatic key rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Best practices for secret management: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html

This workload is overwhelmingly read-heavy and repeatedly queries the same relatively static reference data (postal codes mapped to coordinates). The best way to reduce latency and offload Amazon RDS is to introduce an application-side cache using a lazy loading (cache-aside) pattern and choose a TTL that reflects how often the underlying data changes.

With lazy loading , the application first checks the cache for the postal code. If the value is present (a cache hit), the application returns the coordinates immediately with low latency and without querying the database. If the value is absent (a cache miss), the application reads from RDS, returns the result, and then populates the cache for subsequent requests. This pattern is operationally simple and widely used because the application controls what is cached and when.

A large TTL is appropriate here because postal-code-to-coordinate mappings typically do not change frequently. A longer TTL maximizes cache hit ratio, which is critical because each postal code is requested thousands of times per day. High cache hit rates reduce database read load, decrease query contention, and substantially improve response times. In contrast, a small TTL would cause frequent expirations and repeated database lookups, reducing the performance benefit and increasing database load.

Write-through and write-behind caching (options C and B) are designed to coordinate caching with writes . They are useful when write consistency and write performance are central concerns. Here, writes are rare; the performance issue is repeated reads. Write-behind can also introduce consistency delays, which is unnecessary for this scenario.

Therefore, the best change is D : implement a lazy loading (cache-aside) caching strategy with a large TTL to keep hot, rarely changing postal code lookups in cache and dramatically reduce read latency and database load.

The correct answer is C because for an in-place deployment on Amazon EC2 instances, AWS CodeDeploy automatic rollback works by redeploying the last known good revision when a deployment fails or when a configured monitoring alarm is triggered. AWS documentation explains that when automatic rollback is enabled, CodeDeploy creates a new deployment that uses the most recent successfully deployed application revision. This rollback deployment receives its own new deployment ID , because it is treated as a separate deployment event rather than a simple undo operation.

Option A is incorrect because CodeDeploy does not restore an Amazon S3 snapshot of the previous deployment state for EC2 in-place deployments. It redeploys the last successful revision instead. Option B describes behavior associated with blue/green deployment patterns , not in-place deployments . Route 53 alias switching and blue/green environment replacement are not how CodeDeploy handles failed validation during an EC2 in-place deployment. Option D is incorrect because CodePipeline orchestrates stages in a delivery pipeline, but it is not the service that performs the rollback behavior described here.

This distinction is important in AWS deployment design. In-place deployments update the same EC2 instances already serving the application. If validation fails, CodeDeploy does not roll traffic back through DNS or infrastructure replacement. Instead, it launches a rollback deployment of the previously successful application revision across those same instances. That behavior directly aligns with AWS CodeDeploy automatic rollback functionality for EC2/On-Premises in-place deployments.

Therefore, the correct result is that CodeDeploy redeploys the last known stable version as a new deployment , which makes C the right answer.

This solution meets the requirements because it uses a PostgreSQL-compatible database that can secure and regularly rotate database credentials without requiring additional programming overhead. Amazon Aurora PostgreSQL is a relational database service that is compatible with PostgreSQL and offers high performance, availability, and scalability. AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. You can store database credentials in AWS Secrets Manager and use them to access your Aurora PostgreSQL database. You can also enable automatic rotation of your secrets according to a schedule or an event. AWS Secrets Manager handles the complexity of rotating secrets for you, such as generating new passwords and updating your database with the new credentials. Using Amazon DynamoDB for the database will not meet the requirements because it is a NoSQL database that is not compatible with PostgreSQL. Using AWS Systems Manager Parameter Store for storing and rotating database credentials will require additional programming overhead to integrate with your database.

Browsers enforce the Same-Origin Policy, which restricts web pages from requesting resources (like JavaScript files, fonts, and other assets) from a different domain/origin unless the target explicitly allows it. When the developer moved shared JavaScript and web fonts into a separate “central” S3 bucket, the applications likely began fetching these assets from a different origin than the app’s primary origin (for example, different domain, subdomain, or CloudFront distribution). As a result, the browser blocks those requests unless the response includes the appropriate CORS headers.

AWS documentation for Amazon S3 explains that to allow cross-origin requests from browsers, you must configure Cross-Origin Resource Sharing (CORS) on the S3 bucket that serves the resources. A CORS configuration defines allowed origins, methods (such as GET), and headers. For fonts in particular, browsers are strict and commonly require CORS headers to load fonts across origins.

Option C directly addresses this by adding a CORS policy to the central bucket, allowing the subsidiary application origins to retrieve JS and font files without being blocked.

Option B (bucket policy) controls authorization at the AWS request level, but it does not instruct browsers to allow cross-origin access. Even if the request is authorized, the browser can still block it if CORS headers are missing.

Option A (access points) is also about access management and does not solve browser CORS enforcement.

Option D (Content-MD5) is for integrity checking and is unrelated to cross-origin browser blocking.

Amazon DynamoDB is a fully managed NoSQL database service that can store and retrieve any amount of data with high availability and performance. DynamoDB can handle concurrent requests from multiple IoT devices without throttling or data loss. To prevent duplicate requests from causing inconsistencies or data loss, the Lambda function can use DynamoDB conditional writes to check if the unique identifier for each request already exists in the table before processing the request. If the identifier exists, the function can skip or abort the request; otherwise, it can process the request and store the identifier in the table. Reference: Using conditional writes

Secrets Management: AWS Secrets Manager is designed specifically for storing and managing sensitive credentials.

Built-in Rotation: Secrets Manager provides automatic secret rotation functionality, enhancing security posture significantly.

IAM Integration: IAM policies and roles grant fine-grained access to ECS Fargate, ensuring the principle of least privilege.

Reduced Overhead: This solution centralizes secrets management and automates rotation, reducing operational overhead compared to the other options.

A common performance issue for Lambda functions that access relational databases is the overhead of establishing a new database connection on every invocation . In the provided pseudocode, each call to lambda_handler opens a connection, executes one statement, and closes the connection. When the function runs hundreds of times per hour , repeatedly creating and tearing down connections adds latency (TCP handshake, TLS negotiation if used, authentication, database session setup), and can also increase load on the database connection manager.

AWS guidance for Lambda execution environments explains that the runtime environment may be reused across multiple invocations of the same function (a “warm” execution environment). Code that is initialized outside the handler runs once per execution environment lifecycle and can be reused on subsequent invocations in that environment. By moving database.connect() into the global scope (module-level initialization), the function can reuse an existing connection when the execution environment is warm, reducing per-invocation latency and improving overall throughput.

This change directly targets the slow part of the flow (connection setup) without changing the database engine, resizing the database, or adding unrelated concurrency settings. Increasing reserved concurrency (A) controls scaling limits but does not reduce the per-invocation connection overhead; it can even amplify connection storms. Resizing the database (B) might help capacity, but it does not address the repeated connection establishment cost and is not the first optimization. Replacing RDS with DynamoDB (D) is a major redesign and unnecessary for the stated issue.

So the best improvement, with minimal code change and aligned with Lambda best practices, is option C : create the connection outside the handler and reuse it when possible, while still handling retries and reconnect logic if the connection becomes stale.

Step Functions Retriers: Retriers provide a built-in way to gracefully handle transient errors within State Machines. Here ' s how to use them:

Directly attach a retrier to the problematic ' GetResource ' task.

Configure the retrier:

ErrorEquals: Set this to [ ' TooManyRequestsException ' ] to target the specific error.

IntervalSeconds: Set to 10 for the desired retry delay.

MaxAttempts: Set to 1, as you want only one retry attempt.

Error Handling:

Upon ' TooManyRequestsException ' , the retrier triggers the task again after 10 seconds.

On a second failure, Step Functions moves to the next state or fails the workflow, as per your design.

' IllegalArgumentException ' causes error propagation as intended.

The requirement is encryption in transit for sensitive data sent in API calls between two Apache-based EC2 fleets in peered VPCs . The most operationally efficient approach is to restrict network access and rely on standard TLS at the application layer. Among the provided options, the only operationally simple and directly relevant network control is security group referencing across VPC peering within the same account and Region.

By creating security groups that allow inbound traffic only from the other fleet’s security group , the developer ensures that only the intended instances can communicate over the required ports (for example, 443 for HTTPS). This is operationally efficient because it avoids managing IP allowlists that change with Auto Scaling and keeps the trust boundary tied to instance membership rather than addresses. It also supports least privilege by limiting which sources can reach the service.

Why the other options are not the best fit:

B (Site-to-Site VPN) is unnecessary for VPC peering in the same account/Region and adds significant operational overhead. It also does not replace the need for TLS at the application layer to guarantee encryption to the endpoint.

C (EBS encryption) addresses encryption at rest on volumes, not encryption in transit between fleets.

D (Nitro Enclaves) is heavy and unrelated to the core requirement; enclaves protect data-in-use and do not replace standard TLS for network encryption.

Important nuance: Security groups alone do not encrypt traffic; encryption is achieved by using HTTPS/TLS between the Apache services. However, option A is the most operationally efficient control offered here to implement secure connectivity between the fleets (paired with using HTTPS on Apache, which is the standard for encrypting API calls).

Therefore, A best meets the requirement with the least operational complexity.

This solution will meet the requirements by using Amazon CloudFront, which is a content delivery network (CDN) service that speeds up the delivery of web content and APIs to end users. The developer can configure the CloudFront cache, which is a set of edge locations that store copies of popular or recently accessed content close to the viewers. The developer can also update the application to return cached content based upon the default request headers, which are a set of HTTP headers that CloudFront automatically forwards to the origin server and uses to determine whether an object in an edge location is still valid. By caching the POST requests, the developer can optimize the API resources and reduce the latency for repeated queries. Option B is not optimal because it will override the cache method in the selected stage of API Gateway, which is not possible or effective as API Gateway does not support caching for POST methods by default. Option C is not optimal because it will save the latest request response in Lambda /tmp directory, which is a local storage space that is available for each Lambda function invocation, not a cache that can be shared across multiple invocations or requests. Option D is not optimal because it will save the latest request in AWS Systems Manager Parameter Store, which is a service that provides secure and scalable storage for configuration data and secrets, not a cache for API responses.

For asynchronous Lambda invocations, AWS provides Lambda Destinations , which can route the result of every invocation to different targets based on outcome. Destinations support separate configuration for on-success and on-failure , and they send a structured payload that includes metadata and the function response (or error information). This payload is delivered as a JSON document , satisfying the requirement to record function responses in JSON format while also capturing every invocation record.

Option B matches this pattern directly: configure an on-failure destination (S3) and an on-success destination (SNS). With this configuration, each async invocation that succeeds results in a JSON record being delivered to the SNS topic, enabling downstream processing, notifications, or fan-out to other services. Each async invocation that fails results in a JSON record being delivered to S3, which provides durable, cost-effective storage for later analysis or replay workflows. This design requires minimal code changes because the routing is handled by Lambda’s destination configuration rather than custom logic in the function.

Option C relies on a DLQ for failures but then requires custom code to store success records in DynamoDB, increasing development effort and operational complexity. Option A is not aligned: canary deployments and log groups do not provide “multiple destinations per invocation outcome,” and CloudWatch Logs do not natively separate success/failure records as destinations with structured invocation payloads. Option D proposes OpenSearch as a success destination, but Lambda Destinations do not use OpenSearch directly as a destination target; the supported destination types are typically SQS, SNS, EventBridge, and Lambda , and you can store records in S3 through other integrations. Therefore, the best match that uses built-in destinations and records JSON invocation results is B .

Lambda Destinations on Failure: Allow routing asynchronous function invocations to specified resources (like another Lambda function) upon failure.

Error Handling: The error-handling Lambda receives details about the failure, enabling logging and custom actions.

Direct Integration: This solution leverages native Lambda functionality for a simpler implementation.

AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. Secrets Manager enables you to store, retrieve, and rotate secrets such as database credentials, API keys, and passwords. Secrets Manager supports a secret type for RDS databases, which allows you to select an existing RDS database instance and generate credentials for it. Secrets Manager encrypts the secret using AWS Key Management Service (AWS KMS) keys and enables automatic rotation of the secret at a specified interval. A Lambda function can use the AWS SDK or CLI to retrieve the secret from Secrets Manager and use it to connect to the database. Reference: Rotating your AWS Secrets Manager secrets

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Set up Amazon S3 Caching for CodeBuild:

CodeBuild supports S3 caching to store intermediate build artifacts and dependencies. This reduces the time required to download dependencies during subsequent builds, effectively lowering costs and improving build performance.

By using S3 caching, developers can optimize costs without changing the compute type or adding complexity.

Why Other Options Are Incorrect:

Option A: CodeBuild does not have a " reserved capacity fleet " option.

Option B: AWS Lambda cannot be used as the compute mode for CodeBuild projects. CodeBuild uses its own managed build environments.

Option C: CodeBuild already operates on an on-demand basis, so this does not address the need for optimization or reduced provisioning time.

The key constraint is no changes to the Lambda code, while still fanning out notifications so that each department receives only its relevant file locations in its existing SQS queue. The cleanest “plumbing-only” pattern is S3 → SNS → SQS with SNS subscription filter policies.

Amazon S3 event notifications can publish events to an SNS topic. SNS then delivers messages to multiple subscribers, including SQS queues. By subscribing each department’s SQS queue to the SNS topic, the system can fan out the event to all queues. To ensure each department receives only its relevant events, the developer can configure SNS subscription filter policies (for example, based on object key prefixes like /deptA/, /deptB/). This routes messages without requiring any change to the Lambda function.

Option D is not ideal because S3 event notifications do not provide the same flexible filtering/routing to multiple SQS queues as SNS filter policies do (and configuring many direct notifications becomes harder to manage).

Options B and C require Lambda code changes, which violates the requirement.

Therefore, use S3 event notifications to SNS, subscribe each department SQS queue, and use filter policies for routing.

This solution will meet the requirements by using a rolling with additional batch deployment method, which deploys the new version of the application to a separate group of instances and then shifts traffic to those instances in batches. This way, the application maintains full capacity and avoids service interruption during deployment, as well as minimizes the cost of additional resources that support the deployment. Option A is not optimal because it will use an all at once deployment method, which deploys the new version of the application to all instances simultaneously, which may cause service interruption or downtime during deployment. Option C is not optimal because it will use a blue/green deployment method, which deploys the new version of the application to a separate environment and then swaps URLs with the original environment, which may incur more costs for additional resources that support the deployment. Option D is not optimal because it will use an immutable deployment method, which deploys the new version of the application to a fresh group of instances and then redirects traffic to those instances, which may also incur more costs for additional resources that support the deployment.

By default, an Auto Scaling group uses EC2 status checks to determine instance health. EC2 status checks confirm that an instance is running and reachable at the infrastructure level, but they do not validate that the application is healthy behind the load balancer. In this scenario, the ALB is returning HTTP 502 errors and the target group shows instances as unhealthy, meaning the application is failing health checks (or not responding correctly). However, because the Auto Scaling group is using the default EC2 health check type, it does not consider these instances unhealthy for replacement.

AWS recommends configuring the Auto Scaling group to use ELB health checks when instances serve traffic behind an ALB or NLB. With ELB health checks enabled, Auto Scaling evaluates target health as reported by the load balancer target group. If the ALB marks an instance unhealthy, the Auto Scaling group will treat that instance as unhealthy and terminate and replace it automatically, restoring capacity with healthy targets.

Why the other options are insufficient:

Cooldown period (A) affects scaling timing, not health replacement logic.

Lifecycle hook changes (B) can help with initialization timing, but they do not cause Auto Scaling to replace instances based on ALB target health unless ELB health checks are enabled.

Health check grace period (D) delays health evaluation after launch, which can reduce premature replacement, but it still won’t replace instances based on ALB target group status unless the health check type is ELB.

Therefore, switching the Auto Scaling group health check type to Elastic Load Balancing (ELB) is the correct fix.

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

AWS X-Ray SDK: The primary way to enable X-Ray tracing within applications. The SDK sends data about requests and subsegments to the X-Ray daemon for service map generation.

Instrumenting All Services: To visualize a complete microservice architecture on the service map, each relevant service must include the X-Ray SDK.

AWS best practice is to store sensitive values like database passwords, OAuth tokens, and API keys in a dedicated secrets service rather than in source code or configuration files. AWS Secrets Manager is specifically designed for this use case: secure storage, retrieval through APIs/SDKs, fine-grained IAM access control, encryption at rest, auditing through CloudTrail, and—critically—built-in secret rotation.

AWS documentation describes Secrets Manager rotation as an automated process that uses a rotation schedule and typically invokes a Lambda function to update the secret in both Secrets Manager and the target system (for example, a database). The rotation schedule can be configured to a custom interval, including every 6 months, satisfying the requirement.

Option A is incorrect because AWS KMS manages encryption keys, not application secrets. KMS key rotation rotates KMS keys, not database credentials or API tokens.

Option B is incorrect because ACM manages TLS certificates, not arbitrary secrets like API keys and OAuth tokens.

Option C is incorrect because EventBridge can schedule events, but it is not a secrets storage service and does not provide secure secret lifecycle management and integrated rotation workflows by itself.

Therefore, storing secrets in AWS Secrets Manager and enabling automatic rotation with a 6-month schedule is the correct solution.

The application relies on shared file storage that behaves like NFS and must be accessible concurrently by multiple containers across Kubernetes nodes. AWS documentation clearly identifies Amazon EFS as the AWS-native, fully managed, NFS-compatible file system designed for this purpose.

Amazon EFS provides elastic scaling , high availability across multiple Availability Zones, and native integration with container orchestration platforms. It is the most direct replacement for on-premises NFS, requiring minimal architectural change.

To run Kubernetes workloads on AWS with high availability, AWS recommends Amazon EKS , a managed Kubernetes service that automatically handles control plane availability and upgrades. EKS integrates natively with EFS using the Amazon EFS CSI driver, allowing pods across multiple nodes to mount the same file system concurrently.

Amazon EBS (Options A, C, and D) is block storage that can be attached to only one EC2 instance at a time (except in limited Multi-Attach scenarios) and is therefore unsuitable for shared NFS-style access across a Kubernetes cluster.

Uploading container images to Amazon ECR ensures secure, scalable storage for container images and seamless integration with EKS.

Therefore, migrating the NFS data to Amazon EFS and running the workloads on Amazon EKS is the fastest, most scalable, and AWS-recommended solution.

Amazon DynamoDB supports conditional writes , which allow developers to enforce data integrity rules directly at the database layer. AWS documentation states that conditional expressions are the recommended way to prevent accidental overwrites and ensure idempotent writes.

Using a PutItem operation with the condition expression

attribute_not_exists(transactionId) ensures that the write succeeds only if the item does not already exist . If a duplicate transaction is received, DynamoDB rejects the request without modifying the existing record.

This approach is highly cost-effective because it avoids additional read operations. Option A doubles request cost by performing a read before every write. TTL (Option B) is unrelated to overwrite prevention. Option C does the opposite of the requirement by ensuring the attribute exists.

AWS explicitly recommends conditional writes for handling duplicates and enforcing uniqueness with minimal cost and latency.

Therefore, implementing a conditional put with attribute_not_exists(transactionId) is the correct solution.

The best solution for this requirement is option A. Creating an Amazon EventBridge rule that has a rate expression that will run the rule every 15 minutes and adding the Lambda function as the target of the EventBridge rule is the most efficient way to invoke the Lambda function periodically. This solution does not require any additional resources or development effort, and it leverages the built-in scheduling capabilities of EventBridge1.

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. The developer can update the application to retrieve the variables from Parameter Store by using the AWS SDK or the AWS CLI. The developer can use unique paths in Parameter Store for each variable in each environment, such as /dev/api-url, /test/api-url, and /prod/api-url. The developer can also store the credentials in AWS Secrets Manager, which is integrated with Parameter Store and provides additional features such as automatic rotation and encryption.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is to query records by CustomerID, which is not the current partition key (OrderID). To achieve this efficiently:

Option A: Create a GSI with CustomerID as the Partition Key:

A Global Secondary Index (GSI) allows developers to create a different partition key and optional sort key for querying the data.

By creating a GSI with CustomerID as the partition key, the developer can query the table efficiently using CustomerID as the primary lookup key.

This avoids scanning the entire table and matches the requirement.

Why Other Options Are Incorrect:

Option B: Using CustomerID as a sort key for the GSI and performing a scan operation is inefficient. Queries are optimized, but scans are not.

Option C and D: Local Secondary Indexes (LSI) are only valid when the partition key remains the same as the base table. Since OrderID is the base table’s partition key, using CustomerID as the partition key or sort key in an LSI is not valid.

The goal is to identify performance bottlenecks across a Lambda function that calls a database (DocumentDB). The most operationally efficient way to pinpoint where time is being spent—without building custom logging/metrics pipelines—is to use distributed tracing . AWS X-Ray provides end-to-end request traces, timing breakdowns, and service maps that help identify whether latency is dominated by Lambda initialization, downstream calls, or database queries.

By enabling X-Ray tracing on the Lambda function, the developer can capture traces for report-generation requests and examine segments that show duration spent inside the function and in downstream dependencies. To specifically diagnose database time, the developer can add custom subsegments around DocumentDB operations (query execution, connection acquisition, cursor iteration). This produces precise timing data for each step, making it straightforward to identify slow queries, excessive connection setup time, or serialization overhead. Because X-Ray aggregates and visualizes traces, the developer can quickly compare “fast” and “slow” traces and isolate the bottleneck.

Option B focuses on errors and generic metrics dashboards; it’s useful for monitoring, but it won’t precisely attribute the extra 22+ seconds to a particular downstream call path. Option C proposes performance improvements (pooling/async), but the question asks to identify bottlenecks first, and it also requires code changes and validation without confirming the root cause. Option D requires adding detailed logging statements and then querying logs; this is more development effort and more ongoing log volume/cost than turning on X-Ray and using trace analysis, especially when the intent is bottleneck identification rather than permanent instrumentation.

Therefore, A is the best choice: enable AWS X-Ray for the Lambda function and trace DocumentDB interactions with custom subsegments to quickly and efficiently identify the specific source(s) of increased latency.

The requirement emphasizes collaboration , frequent code changes , and deploying from source control with the fewest manual steps. This aligns with a CI/CD pipeline approach where commits or merges automatically trigger builds and deployments. Using AWS CodePipeline orchestrates the stages (source, build, deploy), and AWS CodeBuild performs the build/package steps for the Lambda/serverless application. When integrated with a repository (such as CodeCommit, GitHub, or another supported provider), CodePipeline can automatically start when changes are merged into specific branches, enabling consistent, repeatable deployments.

Option C provides the least operational overhead for teams: developers push code and merge pull requests; the pipeline automatically builds artifacts, runs tests (if configured), packages dependencies, and deploys updates to Lambda (often via AWS SAM/CloudFormation under the hood). This removes manual “build on my laptop” drift, prevents inconsistent deployments between developers, and supports frequent iteration safely.

Option B (SAM CLI from a local machine) requires a developer to manually run build/deploy commands and assumes each developer’s environment is configured correctly. That increases manual steps and the risk of differences across machines. Option D (uploading zip in the console) is highly manual and not suitable for frequent changes or team collaboration. Option A is also suboptimal because storing built artifacts in source control is an anti-pattern; builds should be reproducible and produced by CI, not committed binaries.

Therefore, C is the best choice: set up CodePipeline + CodeBuild so merges to controlled branches automatically trigger builds and deployments to AWS Lambda with minimal manual intervention.

The correct answer is D because Amazon CloudFront is the AWS content delivery network (CDN) designed to improve performance for users who access content globally. In this scenario, the application serves millions of video clips from Amazon S3 to users around the world, and the main problem is poor streaming quality as traffic scales. CloudFront addresses this by caching content at edge locations that are geographically closer to users, reducing latency and improving throughput.

AWS documentation emphasizes that CloudFront works especially well with Amazon S3 as an origin for static and streaming content. Instead of every viewer retrieving video data directly from the S3 bucket’s Region, CloudFront serves cached objects from nearby edge locations. This provides a major performance boost for global audiences and helps absorb large traffic spikes more efficiently.

Option A is incorrect because Route 53 geolocation routing directs DNS queries based on location, but it does not cache or accelerate video delivery. Option B can improve regional redundancy, but simply replicating objects across Regions does not automatically provide fast global delivery or edge caching. Option C is about storage cost optimization, not delivery performance.

CloudFront is also well suited for sudden spikes in traffic because AWS’s edge network is built for high-scale distribution. For video streaming workloads, the reduction in latency and the ability to serve content from nearby cached locations usually provide the largest performance improvement compared to the other options.

Therefore, the best solution is to create an Amazon CloudFront distribution with Amazon S3 as the origin , making D the correct answer.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

AWS Lambda is a service that lets developers run code without provisioning or managing servers. Lambda provides a local file system that can be used to store temporary files during invocation. The local file system is mounted under the /tmp directory and has a limit of 512 MB. The temporary files are accessible only by the Lambda function that created them and are deleted after the function execution ends. The developer can store temporary files that are less than 10 MB in the /tmp directory and access and modify them multiple times during invocation.

The issue is write throttling during peak login surges. In DynamoDB provisioned capacity mode, throttling happens when the workload exceeds the table’s configured write capacity units (WCU) (or a partition becomes “hot”). To resolve throttling and reduce latency, the table must have sufficient write capacity available when the surge occurs.

Option B directly addresses this by increasing the table’s provisioned throughput (WCU). With more write capacity, DynamoDB can accept more writes per second without returning throttling errors, which reduces retries and improves end-user latency during peak usage.

Option E is also effective: switching the table to on-demand capacity mode automatically accommodates traffic spikes without the team needing to forecast and pre-provision capacity. On-demand is designed for unpredictable workloads and can scale to handle sudden surges, reducing the risk of throttling caused by under-provisioning. For many teams, this is the fastest operational fix because it removes manual capacity planning and reactive scaling steps.

Why the other options are not the best fit:

A (DAX) improves read performance and reduces read latency, but it does not fix write throttling .

C (retries and exponential backoff) is a best practice for handling throttling gracefully, but it does not “resolve” throttling; it reduces contention and improves success rates at the cost of higher latency, and it does not increase available capacity.

D focuses on control plane operations (schema/index/table management) which are unrelated to data plane write throttling during login surges.

Therefore, the two solutions that meet the requirements to resolve write throttling and reduce latency are B (increase provisioned throughput) and E (switch to on-demand capacity mode for automatic scaling).

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications2. The sam local start-api subcommand of AWS SAM CLI is used to simulate a REST API by starting a new local endpoint3. Therefore, option D is correct.

The requirement is for a single secret value to be available in multiple AWS Regions while remaining consistent across those Regions, with the least operational overhead . AWS Secrets Manager provides a managed capability for this use case: secret replication (also referred to as multi-Region secrets). When replication is enabled from a primary Region, Secrets Manager automatically creates and maintains synchronized replicas of the secret in the selected secondary Regions. Updates to the primary secret are propagated to the replicas so the secret value remains consistent across Regions.

This approach (option C) minimizes operational effort because AWS manages the replication workflow, consistency, and the lifecycle of replicas. The application in each Region can retrieve the secret from the local Region endpoint of Secrets Manager by referencing the Region-appropriate secret ARN, improving latency and reducing cross-Region dependency. It also improves resilience: if a Region has issues, workloads in another Region can still read the replicated secret locally.

Option A recreates managed replication with custom glue (Lambda + EventBridge), which adds code, scheduling, error handling, permissions, retries, and monitoring—higher operational overhead and more failure modes. Option B introduces a cross-Region runtime dependency on the primary Region and increases latency; local caching also risks stale secret values during rotations/updates unless carefully managed, and it reduces resilience if the primary Region is impaired. Option D (independent secrets per Region) increases operational overhead and directly risks inconsistency, because keeping values synchronized becomes a manual or custom automated process.

Therefore, C is the best solution: enable Secrets Manager replication in the primary Region and have applications in each Region read from their local replicated secret ARN to achieve consistent, multi-Region availability with minimal operational work.

DynamoDB Streams: Capture near real-time changes to DynamoDB tables, triggering downstream actions.

Lambda for Processing: Lambda functions provide a serverless way to execute code in response to events like DynamoDB Stream updates.

Minimal Code Changes: This solution requires the least modifications to the existing application.

The requirements describe a real-time streaming use case where multiple processing applications must read the same stream in parallel, each must be able to resume processing after interruptions without data loss, and the system should support adding new processors with minimal duplication. Amazon Kinesis Data Streams (KDS) is purpose-built for this pattern.

With Kinesis Data Streams, producers write records to a stream that is split into shards. Multiple consumer applications can independently read from the stream using separate consumer groups (for example, using Kinesis Client Library). Each consumer maintains its own checkpoint (sequence number position), which allows it to resume from the last processed record after a restart or failure. This directly meets the “resume without losing data” requirement.

KDS also supports a configurable retention period (commonly 24 hours by default, extendable), enabling replay and recovery without forcing producers to re-send data or duplicating messages for each processor. Adding new consumers is straightforward: a new processor can begin reading the existing stream (from latest or from a trim horizon), which minimizes duplication compared to fan-out duplication patterns.

Why the others don’t fit:

SQS is a queue, not a stream. Multiple consumers typically compete for messages rather than all consuming the same messages independently, and duplication is required if multiple apps must process the same data.

Kinesis Data Firehose is primarily for delivery to destinations (S3, Redshift, OpenSearch) and not designed for multiple real-time parallel consumers with replay semantics.

EventBridge is event routing with limited replay/resume semantics compared to KDS and is not intended for high-throughput stream processing with per-consumer checkpoints.

Therefore, Amazon Kinesis Data Streams satisfies all requirements.

SQS Delivery Behavior: Standard SQS queues guarantee at-least-once delivery, meaning messages may be processed more than once. This can lead to duplicate emails in this scenario.

Visibility Timeout: If the visibility timeout on the SQS queue is too short, a message might become visible for another consumer before the first Lambda function finishes processing it. This can also lead to duplicates.

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.

This solution will meet the requirements by using AWS X-Ray to enable tracing of application requests to debug performance issues in the code. AWS X-Ray is a service that collects data about requests that the applications serve, and provides tools to view, filter, and gain insights into that data. The developer can install the AWS X-Ray daemon on the EC2 instances, which is a software that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the X-Ray API. The developer can also install and configure the AWS X-Ray SDK for Python in the application, which is a library that enables instrumenting Python code to generate and send trace data to the X-Ray daemon. Option A is not optimal because it will install the Amazon CloudWatch agent on the EC2 instances, which is a software that collects metrics and logs from EC2 instances and on-premises servers, not application performance data. Option C is not optimal because it will configure the application to write JSON-formatted logs to /var/log/cloudwatch, which is not a valid path or destination for CloudWatch logs. Option D is not optimal because it will configure the application to write trace data to /var/log/xray, which is also not a valid path or destination for X-Ray trace data.

Amazon API Gateway supports multiple stages , allowing developers to deploy and test different versions of an API independently. By creating a new test stage , the developer can route traffic to an updated Lambda function without impacting production users.

AWS documentation recommends using stage variables to dynamically reference different Lambda function versions or aliases. This approach enables safe testing while reusing the same API configuration.

Canary deployments (Option A) expose a portion of production users to the new code, which violates the requirement. Changing the endpoint type (Option B) disrupts production. Duplicating the entire stack (Option D) introduces unnecessary complexity and overhead.

Using a separate test stage is the most efficient, low-risk, and AWS-recommended solution.

This is a classic cross-account S3 access requirement: EC2 instances in Account A must read from a private S3 bucket in Account B without making the bucket public.

The correct pattern is to grant access using IAM + S3 bucket policy while keeping the bucket private. In Account B, you create an IAM role that has the necessary S3 read permissions (such as s3:GetObject and potentially s3:ListBucket depending on access needs). That is Option A.

However, permissions on the role alone are not sufficient, because the S3 bucket is in a different account and is private by default. AWS requires that the bucket owner explicitly grants access to the external principal. This is done by adding a bucket policy in Account B that allows the principal (either the role in Account A or a role session via STS) to access the bucket objects. That is Option D.

Option B is not correct in the “select two” sense because adding permissions to Account A’s instance profile role does not, by itself, grant access to a bucket owned by Account B. You still need the bucket policy or another resource-based policy from the bucket owner.

Option C violates the requirement (“without exposing the S3 bucket to anyone else”). Making the bucket public is unnecessary and insecure.

Option E is incorrect because a trust policy controls who can assume a role (sts:AssumeRole), not what S3 permissions the role has. Also, trust policies do not grant s3:Get* access.

Therefore, create an IAM role with S3 read permissions in Account B and grant access via the Account B bucket policy.

The AWS Serverless Application Model (AWS SAM) comes built-in with CodeDeploy to provide gradual AWS Lambda deployments1. The DeploymentPreference property in AWS SAM allows you to specify the type of deployment that you want. The Canary10Percent10Minutes option means that 10 percent of your customer traffic is immediately shifted to your new version. After 10 minutes, all traffic is shifted to the new version1. The AutoPublishAlias property in AWS SAM allows AWS SAM to automatically create an alias that points to the updated version of the Lambda function1. Therefore, option A is correct.

The correct answers are B and E .

The existing platform already runs on Kubernetes , so the fastest and most compatible migration path is to use Amazon EKS , which is AWS’s managed Kubernetes service. This preserves the application’s orchestration model and minimizes refactoring. Because the clusters must be highly available , EKS is a strong fit since it is designed to run Kubernetes workloads across multiple Availability Zones.

For shared storage, the on-premises application currently depends on a common NFS share that all containers can access. On AWS, the service that most closely matches this requirement is Amazon EFS , which provides a managed, elastic, shared file system that supports NFS access and can be mounted concurrently from multiple compute nodes. By contrast, Amazon EBS is block storage that is generally attached to a single instance and is not the right replacement for a shared multi-node NFS workload.

Therefore, B is correct because it moves the shared NFS data to Amazon EFS and stores the container images in Amazon ECR , which is the proper AWS managed registry for container images. E is correct because it runs the applications on Amazon EKS and uses Amazon EFS as the shared mounted file system across the Kubernetes worker nodes.

Option C is wrong because it uses ECS , not Kubernetes. Option D is wrong because EBS does not meet the requirement for a shared NFS-like file system across highly available Kubernetes nodes. Option A is wrong for the same storage reason.

So, the best migration combination is Amazon EFS + Amazon EKS , which makes B and E correct.

Amazon S3 event notifications can invoke AWS Lambda functions at very high rates during traffic spikes. In this scenario, up to 500 objects per minute can result in hundreds of concurrent Lambda invocations. By default, Lambda functions share the account’s unreserved concurrency pool , which can cause throttling if the pool is exhausted by sudden bursts.

AWS Lambda reserved concurrency guarantees a specific number of concurrent executions for a function. By configuring reserved concurrency, the developer ensures that sufficient execution capacity is always available for this specific function, regardless of other Lambda workloads in the account. This prevents throttling during high-volume S3 event bursts.

Increasing the timeout (Option A) does not address concurrency limits. Adding a layer (Option B) does not solve invocation throttling. Decreasing memory (Option D) can actually worsen performance and increase execution time.

AWS documentation explicitly recommends reserved concurrency when workloads experience unpredictable or bursty invocation patterns and must run reliably. Therefore, reserving concurrency is the correct and AWS-recommended solution.

The safest way to prevent cross-tenant data leakage during processing is to enforce tenant isolation at the authorization layer , not only in application logic. AWS supports this with ABAC (attribute-based access control) using IAM principal/session tags and policy condition keys. The goal is to ensure that, for each invocation, the function can access only the S3 prefix and DynamoDB items that match the tenant being processed.

First, the Lambda execution role should be permitted to assume a dedicated data access role (B). This creates a clear separation: the execution role has minimal base permissions and can obtain tenant-scoped permissions only by assuming the data role.

Second, the Lambda function should assume that data access role with the tenant name as a session tag and then use the temporary credentials for all S3/DynamoDB calls (F). Session tagging ties the caller’s identity attributes (tenant) to the credentials used for data access.

Third, attach policies to the data access role that restrict access using conditions that compare the session tag to the requested resource attributes (C). For S3, policies can restrict access to object ARNs like arn:aws:s3:::bucket/${aws:PrincipalTag/tenant}/*. For DynamoDB, policies can restrict access by partition key using dynamodb:LeadingKeys so the role can read/write only items whose partition key equals the tenant tag. This ensures that even if the function code has a bug or receives unexpected input, AWS authorization prevents it from reading or writing another tenant’s data.

Option A is not required as stated; you typically need permission to pass session tags (and the trust/policy must allow tagging), but the key actions here are: enable assume role (B), enforce tag-based data policies (C), and actually assume the role with tenant tag (F). Option D is not generally the primary control for DynamoDB; the standard enforcement is via IAM identity policies (and dynamodb:LeadingKeys). Option E (RCP) is an AWS Organizations guardrail and is not necessary for this single-application isolation pattern.

The correct answer is C. The developer did not update the Docker image tag to a new version.

C. The developer did not update the Docker image tag to a new version. This is correct. When deploying an application to Amazon EKS, the developer needs to specify the Docker image tag that contains the application code and configuration. If the developer does not update the Docker image tag to a new version after making changes to the application, the EKS cluster will continue to use the old Docker image tag that references the original backend resources. To fix this issue, the developer should update the Docker image tag to a new version and redeploy the application to the EKS cluster.

A. The developer did not successfully create the new AWS account. This is incorrect. The creation of a new AWS account is not related to the application’s connection to the backend resources. The developer can use any AWS account to host the EKS cluster and the backend resources, as long as they have the proper permissions and configurations.

B. The developer added a new tag to the Docker image. This is incorrect. Adding a new tag to the Docker image is not enough to deploy the changes to the application. The developer also needs to update the Docker image tag in the EKS cluster configuration, so that the EKS cluster can pull and run the new Docker image.

D. The developer pushed the changes to a new Docker image tag. This is incorrect. Pushing the changes to a new Docker image tag is not enough to deploy the changes to the application. The developer also needs to update the Docker image tag in the EKS cluster configuration, so that the EKS cluster can pull and run the new Docker image.