AWS Certified Developer - Associate · Domain 2 · 26% of exam

Security

Drill 20 practice questions focused entirely on Security for the AWS DVA-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A developer is deploying a customer-facing web application behind an Application Load Balancer (ALB). The security team requires that all traffic between clients and the application be encrypted in transit using TLS, and that the TLS certificate be automatically renewed before expiration to avoid outages. The developer wants the least amount of operational overhead. What should the developer do?

Reviewed for accuracy · Report an issue
Question 2 of 20

A photo-sharing mobile app uses an Amazon Cognito identity pool to grant users temporary AWS credentials so they can upload images directly to an S3 bucket. Each user must be able to read and write ONLY objects under a prefix that matches their own Cognito identity ID (for example, private/${cognito-identity.amazonaws.com:sub}/). The developer wants to enforce this isolation without creating a separate IAM role per user. What is the MOST appropriate way to implement this?

Reviewed for accuracy · Report an issue
Question 3 of 20

A mobile app authenticates users through an Amazon Cognito user pool. After sign-in, the app must let each authenticated user upload files directly to Amazon S3, but only to a folder prefix matching that user's identity. The developer wants users to receive temporary, scoped AWS credentials without embedding any long-term IAM access keys in the app. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A mobile photo-sharing app lets visitors browse public galleries stored in an Amazon S3 bucket before they sign up. Once users create an account, they can upload their own photos. The developer wants browsing visitors to read the public bucket without any login, while requiring a signed-in identity to upload. Which approach correctly grants the appropriate AWS permissions to each user type?

Reviewed for accuracy · Report an issue
Question 5 of 20

A developer is building a mobile app that uses an Amazon Cognito user pool for authentication. A user reports they cannot sign in because their account is stuck in the FORCE_CHANGE_PASSWORD state after being created by an administrator. The developer needs to programmatically confirm the user with a permanent password so the user can immediately sign in without being prompted to change it. Which action should the developer take?

Reviewed for accuracy · Report an issue
Question 6 of 20

A developer is building a confidential server-side web application (running on a backend host) that authenticates users through an Amazon Cognito user pool using the OAuth 2.0 authorization code grant. During setup, the developer must decide how to configure the Cognito app client so that token exchange requests from the backend are properly authenticated. Which configuration is the MOST appropriate for this backend application?

Reviewed for accuracy · Report an issue
Question 7 of 20

A developer is building a document management web app that authenticates users with an Amazon Cognito user pool. Users belong to either an 'editors' or 'viewers' group in the user pool. After authentication, the app uses an identity pool to obtain temporary AWS credentials so users can access an S3 bucket directly. Editors must be able to upload objects, while viewers must only be able to read objects. What is the most effective way to enforce these different permission levels?

Reviewed for accuracy · Report an issue
Question 8 of 20

A developer builds a single-page application (SPA) that must let users sign in and then call a custom REST API secured behind Amazon API Gateway. The team uses an Amazon Cognito user pool with the hosted UI and defines a resource server with custom scopes (for example, orders/read and orders/write). The developer must ensure the SPA receives a token that carries the granted OAuth 2.0 scopes so that API Gateway can authorize access to specific API operations. Which token issued by Cognito should the application send to API Gateway for scope-based authorization?

Reviewed for accuracy · Report an issue
Question 9 of 20

A developer is building a serverless REST API using Amazon API Gateway backed by AWS Lambda. Users sign in through an Amazon Cognito user pool, and the mobile app receives tokens after successful authentication. The API must reject any request that does not carry a valid, non-expired user identity, and the solution should require minimal custom code. Which approach should the developer implement?

Reviewed for accuracy · Report an issue
Question 10 of 20

A developer builds a mobile app that authenticates users with an Amazon Cognito user pool. The app receives ID, access, and refresh tokens after login. Users complain that they are forced to log in again every hour, which harms the user experience. The developer wants users to stay signed in for up to 30 days without re-entering credentials, while keeping short-lived access tokens for API calls. What is the correct approach?

Reviewed for accuracy · Report an issue
Question 11 of 20

A developer is building a mobile app that requires users to sign up and sign in with an email and password. After authentication, the app must call a backend API and also let users upload files directly to an Amazon S3 bucket using temporary AWS credentials scoped to their identity. Which combination of Amazon Cognito features correctly satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A developer builds a Lambda function in Account A that must read objects from an S3 bucket owned by Account B. The Lambda execution role already has an identity-based policy allowing s3:GetObject on the target bucket ARN. However, calls still fail with AccessDenied. The bucket is not using default encryption or ACL restrictions. What must the developer do to grant access following AWS cross-account best practices?

Reviewed for accuracy · Report an issue
Question 13 of 20

A developer is building an application that runs on an on-premises server (not in AWS) and needs to call the Amazon S3 API. The security team prohibits storing long-lived IAM access keys anywhere on the server. Which approach provides temporary AWS credentials to the application while meeting this requirement?

Reviewed for accuracy · Report an issue
Question 14 of 20

A developer builds a Java application that runs on an EC2 instance and needs to read objects from an Amazon S3 bucket. During development, the code used long-term IAM user access keys stored in a properties file. Before deploying to production, the developer must eliminate the hardcoded credentials while granting the application least-privilege S3 read access. What is the recommended approach?

Reviewed for accuracy · Report an issue
Question 15 of 20

A developer is building a Lambda function that must decrypt data using a customer managed KMS key owned by the same AWS account. The function's execution role has an IAM policy that allows kms:Decrypt on the specific key ARN. However, calls to Decrypt fail with an AccessDeniedException. The KMS key policy contains only the default statement granting the account root full access. What is the MOST likely cause and correct fix?

Reviewed for accuracy · Report an issue
Question 16 of 20

A developer is building a document management service that encrypts tenant files using AWS KMS. Each file belongs to a specific tenant, and the security team requires that a decryption request must fail if it does not specify the same tenant identifier that was used at encryption time, without creating a separate KMS key per tenant. Which approach satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

A developer builds a Lambda function that stores encrypted customer records in DynamoDB using envelope encryption. When writing, the function calls KMS GenerateDataKey to get a plaintext data key and an encrypted data key, encrypts the record locally with the plaintext key, and stores both the ciphertext and the encrypted data key in DynamoDB. To later read a record, what must the function do to recover the plaintext?

Reviewed for accuracy · Report an issue
Question 18 of 20

A developer needs to encrypt several 500 MB files client-side before uploading them to Amazon S3. The application uses an AWS KMS customer managed key. The developer wants to minimize the number of KMS API calls and avoid sending the large file contents to the KMS service (KMS request payloads are limited to 4 KB). Which approach should the developer implement?

Reviewed for accuracy · Report an issue
Question 19 of 20

A developer is building a Lambda function that must encrypt payment records that are typically 1–2 MB in size before storing them in Amazon S3. The team wants to use a customer managed KMS key but has learned that the KMS Encrypt API rejects the payloads. What is the recommended approach to encrypt the large records using KMS?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company runs a data processing pipeline where a batch Lambda function must temporarily decrypt objects using a customer managed KMS key. The security team wants to grant this specific Lambda execution role decrypt permission on the key for the duration of the job without editing the KMS key policy and without granting broad, permanent access. The team also wants the ability to programmatically revoke the permission immediately when the job completes. What should the developer implement?

Reviewed for accuracy · Report an issue

More DVA-C02 practice

Keep going with the other AWS Certified Developer - Associate domains, or take a full timed mock exam.

← Back to DVA-C02 overview