Hard DVA-C02 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 11 hard questions available — no sign-up, always free.
A company keeps its CI/CD tooling in a central 'Tools' AWS account. A CodePipeline in this account builds artifacts with CodeBuild and must deploy a CloudFormation stack into a separate 'Production' AWS account. The pipeline's CloudFormation deploy action fails with an access-denied error when it tries to create resources in the Production account. What is the correct way to enable this cross-account deployment?
A developer is designing a DynamoDB table that ingests high-volume IoT sensor readings. All devices report using the same 'metric-type' value (temperature), which the team initially chose as the partition key. During load tests, they observe severe write throttling on a single partition even though total provisioned write capacity is far from being fully consumed. Which change to the table design will best distribute the write load?
A developer builds a DynamoDB table for an IoT platform that ingests telemetry from thousands of sensors. The table uses 'deviceType' as the partition key and a timestamp as the sort key. Only three device types exist. During load testing, the application experiences frequent ProvisionedThroughputExceededException errors even though total consumed capacity is far below the provisioned capacity. What is the MOST likely cause and the best remediation?
A developer is building a Lambda function that must decrypt data using a customer managed KMS key owned by the same AWS account. The function's execution role has an IAM policy that allows kms:Decrypt on the specific key ARN. However, calls to Decrypt fail with an AccessDeniedException. The KMS key policy contains only the default statement granting the account root full access. What is the MOST likely cause and correct fix?
A developer is building a document-processing service where each customer's files are encrypted with a shared KMS customer managed key. A downstream Lambda function must be able to decrypt only files belonging to a specific tenant, identified by a tenant ID that is passed as encryption context during encryption. The team wants to grant the Lambda's execution role temporary decrypt permission that is scoped so it can only decrypt data encrypted with that tenant's encryption context, without editing the key policy. Which approach meets these requirements?
A developer maintains a document-processing microservice that runs under an IAM role. The service must temporarily allow a short-lived worker process (running under a different IAM role) to encrypt documents using a specific customer managed KMS key, but only for the duration of a single processing job. The security team requires that no changes be made to the KMS key policy and that the delegated permission can be programmatically revoked when the job completes. Which approach best meets these requirements?
A developer builds a Lambda function that must decrypt objects using a specific customer managed KMS key in the same account. The function's execution role already has an identity-based policy granting kms:Decrypt on that key ARN. However, invocations fail with an AccessDeniedException when calling Decrypt. The KMS key's key policy contains only the default statement granting the root account 'kms:*' but no other statements. What is the MOST likely cause and the correct fix?
A developer configures an AWS Lambda function with a DynamoDB Streams event source mapping to process changes to an orders table. During load testing, the team notices that updates to the same order item are occasionally processed out of order, causing incorrect final states. The function is configured with a batch size of 100 and a parallelization factor of 10. What is the MOST likely cause and the correct fix?
A company stores a third-party API key in AWS Secrets Manager in Account A (the security account). A Lambda function running in Account B (the workloads account) must retrieve this secret at runtime. The secret is encrypted with a customer managed KMS key in Account A. What combination of configurations is required to allow the Lambda function to read the secret?
A developer configures an AWS Lambda function to process messages from a standard Amazon SQS queue using an event source mapping. The Lambda function normally completes in about 45 seconds, but during peak traffic some invocations take up to 90 seconds. Customers report that the same order is occasionally processed more than once. What is the MOST likely cause and the correct fix?
A SaaS monitoring company needs to access resources in your AWS account to collect CloudWatch metrics. Your security team wants to grant the third party cross-account access via an IAM role while preventing the 'confused deputy' problem, where another of the vendor's customers could trick the vendor into accessing your account. What should you configure on the role's trust policy?