View DVA-C02 Exam Questions

Q: 1

A company has an Amazon S3 bucket that contains sensitive dat a. The data must be encrypted in transit and at rest. The company encrypts the data in the S3 bucket by using an AWS Key Management Service (AWS KMS) key. A developer needs to grant several other AWS accounts the permission to use the S3 GetObject operation to retrieve the data from the S3 bucket. How can the developer enforce that all requests to retrieve the data provide encryption in transit?

Options

Discussion

Taylor J. Feb 24, 2026 12:06 pm

Saw something like this reported on practice exams and it's always A. Only the S3 bucket policy with aws:SecureTransport can force HTTPS. Not totally sure if KMS can, but pretty certain it's not D.

Sofia N. Feb 16, 2026 4:39 pm

A Had something like this in a mock, definitely a resource-based policy on the S3 bucket using aws:SecureTransport is the way AWS recommends to force HTTPS. Not 100 percent but fits official docs.

Ben S. Feb 11, 2026 9:24 pm

I always thought D could work since KMS is part of the encryption story, so D.

Ava Feb 12, 2026 6:48 am

A for sure

Sara T. Feb 22, 2026 7:20 pm

Has anyone checked the AWS documentation for S3 bucket policy conditions? I remember seeing aws:SecureTransport enforced in official guides and some practice tests, but just want to confirm it's always bucket-level not KMS.

Taylor Z. Mar 1, 2026 9:03 am

Nah, not D. KMS policy can't enforce HTTPS, that's handled at the S3 bucket with aws:SecureTransport. A's the right move.

Cameron Z. Feb 24, 2026 10:06 pm

A not D. KMS policy doesn't enforce transport encryption, that's handled at the S3 bucket policy level with aws:SecureTransport.

FocusedNeteng415 Feb 28, 2026 7:39 pm

Yeah I get why D looks tempting but it's really A here.

Ben C. Feb 24, 2026 2:27 pm

Its A, resource-based bucket policy is the right way, D's a common trap since KMS can't enforce S3 API usage.

Owen F. Feb 27, 2026 3:32 pm

Feels like A is right for S3 bucket policy, but I'm still thinking about D too.

Be respectful. No spam.

Correct Answer:

Explanation

The most direct and effective method to enforce encryption in transit for all requests to an Amazon S3 bucket is by using a resource-based policy attached to the bucket itself. The aws:SecureTransport global condition key is specifically designed for this purpose. By creating a bucket policy with a Deny effect for all actions (s3:) when the aws:SecureTransport condition is false, you explicitly block any request made over an unencrypted channel (HTTP). This single policy ensures that all principals, including those from other AWS accounts, must use HTTPS to access the objects, fulfilling the security requirement centrally and authoritatively.

Why Incorrect

B. This policy would explicitly allow insecure (HTTP) requests, which is the direct opposite of the stated security requirement.

C. Managing individual IAM policies in multiple external accounts is not scalable, is prone to error, and violates the principle of the resource owner controlling access.

D. The policy should be on the S3 bucket because the s3:GetObject request is made to the S3 service endpoint; the aws:SecureTransport key evaluates the user's connection to S3, not the backend connection from S3 to KMS.

References

1. Amazon S3 User Guide: Under the section "Security best practices for Amazon S3

" the guide provides a specific example of a bucket policy to enforce encryption in transit. It states

"To enforce encryption in transit

you can use the aws:SecureTransport condition key in your S3 bucket policies... The following example bucket policy denies access to any HTTP request..." This directly validates option A.

Source: AWS Documentation

Amazon S3 User Guide

"Security best practices for Amazon S3

" section "Enforce encryption in transit."

2. AWS IAM User Guide: This guide documents the aws:SecureTransport key as a global condition context key. It explains that this key checks "whether the request was sent using SSL" and can be used in policies to allow actions only when the request is made using HTTPS.

Source: AWS Documentation

IAM User Guide

"AWS global condition context keys

" section for aws:SecureTransport.

3. AWS Security Blog: The post "How to Use New S3 Features to Bolster the Security of Your S3 Buckets" details using the aws:SecureTransport condition in a bucket policy as a primary method to enforce HTTPS.

Source: AWS Security Blog

"How to Use New S3 Features to Bolster the Security of Your S3 Buckets

" July 26

2017.

Q: 2

An application that runs on AWS receives messages from an Amazon Simple Queue Service (Amazon SQS) queue and processes the messages in batches. The application sends the data to another SQS queue to be consumed by another legacy application. The legacy system can take up to 5 minutes to process some transaction dat a. A developer wants to ensure that there are no out-of-order updates in the legacy system. The developer cannot alter the behavior of the legacy system. Which solution will meet these requirements?

Options

Discussion

Hannah V. Feb 27, 2026 10:28 am

Option A is the way to go. Setting the API Gateway integration type to MOCK lets the API return test responses without any backend, so frontend teams can keep developing. Pretty sure this is exactly what AWS recommends for this use-case. Anyone see a better method?

Leo Feb 19, 2026 7:27 pm

Seen almost this exact setup in a practice exam, so I'd go with D. You get FIFO for order and DelaySeconds to hold back processing just long enough. Not 100% if DelaySeconds alone solves all timing issues but sounds close for what the question asks. Agree or not?

Jason H. Mar 2, 2026 8:34 pm

Probably A . FIFO with visibility timeout is the combo that handles ordering and avoids duplicate processing for slow consumers.

Maya T. Feb 27, 2026 4:20 pm

Makes sense to me, A.

Sofia U. Feb 21, 2026 9:05 am

A , FIFO queue plus visibility timeout is what keeps the order and prevents double processing.

Jordan D. Feb 11, 2026 7:29 pm

This kind of AWS question always trips people up, but the exam wants you to catch the visibility timeout thing. A

Liam Q. Feb 20, 2026 1:02 am

Why not just use a standard queue if batching is needed? FIFO feels required only for strict ordering.

SkylerE Feb 27, 2026 3:33 pm

Pretty sure A is what AWS expects here. FIFO keeps message order and the visibility timeout stops other consumers from grabbing the same job before the legacy app finishes. Saw similar in exam reports, but open to pushback.

Nora R. Feb 16, 2026 11:16 am

Nah, I think A is right here. Standard queues (B or C) can’t guarantee order at all, and DelaySeconds in D doesn’t stop early reprocessing-visibility timeout does. Saw similar on practice, pretty sure A is less of a trap. Disagree?

Daniel S. Feb 24, 2026 10:07 am

A is wrong, D. FIFO with DelaySeconds should keep the order and lets you manage delivery time. I saw a similar question in some practice tests, pretty sure D fits unless I'm missing something about visibility timeout. Official guide covers this.

Be respectful. No spam.

Correct Answer:

Explanation

The core requirement is to ensure messages are processed in order, which is the specific function of an Amazon SQS FIFO (First-In, First-Out) queue. Standard queues provide best-effort ordering and are therefore unsuitable. The second requirement is to handle the legacy system's 5-minute processing time. The SQS visibility timeout feature prevents a message from being redelivered to another consumer while the first consumer is processing it. By setting the visibility timeout to 5 minutes (or slightly longer), the developer ensures the legacy system has enough time to process and delete the message before it becomes visible again in the queue, thus preventing duplicate processing and potential out-of-order updates.

Why Incorrect

B. An SQS standard queue does not guarantee message order. DelaySeconds postpones a message's initial delivery, which does not solve the processing time issue.

C. An SQS standard queue does not guarantee message order, failing to meet the primary requirement of preventing out-of-order updates.

D. DelaySeconds is the wrong mechanism. It delays a message's initial delivery, whereas the visibility timeout is required to manage the consumer's processing window.

References

1. Amazon SQS Developer Guide

"Amazon SQS FIFO (First-In-First-Out) queues": This document states

"FIFO queues are designed to enhance messaging between applications when the order of operations and events is critical

or where duplicates can't be tolerated." It explicitly confirms that FIFO queues preserve the order in which messages are sent and received.

2. Amazon SQS Developer Guide

"Visibility timeout": This section explains

"When a consumer receives and processes a message from a queue

the message remains in the queue... To prevent other consumers from processing the message again

Amazon SQS sets a visibility timeout

a period of time during which Amazon SQS prevents other consumers from receiving and processing the message." This directly addresses the need to handle the 5-minute processing time.

3. Amazon SQS Developer Guide

"Message timers": This page clarifies the function of DelaySeconds: "To postpone the delivery of new messages to a queue

use a message timer... The default (minimum) delay for a message is 0 seconds. The maximum is 15 minutes." This confirms DelaySeconds is for initial delivery

not for managing in-flight processing.

Q: 3

A developer has an application that is composed of many different AWS Lambda functions. The Lambda functions all use some of the same dependencies. To avoid security issues the developer is constantly updating the dependencies of all of the Lambda functions. The result is duplicated effort to reach function. How can the developer keep the dependencies of the Lambda functions up to date with the LEAST additional complexity?

Options

Discussion

Riley Y. Mar 2, 2026 7:20 am

Makes sense to pick B here. Macie is built for scanning S3 buckets for sensitive data like credit card info, and "Financial" is the right finding type for that. Saw a similar question in some practice tests.

Maya D. Feb 17, 2026 12:47 pm

Saw this kind of question in some practice before and I thought D makes sense since CodeCommit would let you centralize the dependencies. It feels like less extra setup than layers, right? Anyone else go this way?

Liam G. Feb 25, 2026 6:16 pm

D here. Storing all dependencies in CodeCommit sounds practical since you get everything in one spot, so updates are easier to roll out across functions. Managing a repo feels less AWS-specific but still kinda centralized. Not positive this is what AWS wants for least complexity, but it seems like a reasonable way to avoid updating each Lambda separately. Agree?

Zoe Feb 16, 2026 5:57 pm

Has anyone seen official exam questions lean toward D? Practice test books sometimes suggest centralizing via CodeCommit instead of Lambda layers too.

Morgan H. Feb 28, 2026 10:07 pm

Probably D, since CodeCommit centralizes dependencies and feels less involved than layers to me.

Skyler R. Feb 25, 2026 4:19 pm

Had something like this in a mock, went with D.

Liam W. Mar 2, 2026 1:23 am

Its C, since Lambda layers are designed to share dependencies between multiple functions. You just update the layer and all attached functions get the change. Pretty sure that's the least complicated way AWS wants you to solve this.

Logan D. Feb 11, 2026 8:46 am

CodeCommit isn't really helping with Lambda dependency management here. C.

Leo J. Feb 27, 2026 12:19 am

C all the way. Lambda layers let you update shared dependencies once and attach to all functions, so you avoid duplicating updates everywhere. Saw a similar question on practice exams, pretty sure that's what AWS expects here. Anyone disagree?

Olivia O. Feb 28, 2026 9:19 am

I see why people are picking D, since using CodeCommit feels simple for centralizing code. D.

Be respectful. No spam.

Correct Answer:

Explanation

AWS Lambda Layers are the designated feature for managing and sharing common dependencies across multiple functions. A layer is a .zip archive containing libraries or other dependencies. By creating a layer with the shared dependencies, the developer can attach it to all relevant Lambda functions. To update a dependency, the developer only needs to create a new version of the layer and update the functions to use it. This centralizes dependency management, eliminates redundant packaging efforts for each function, and simplifies the update process, directly addressing the problem with the least additional complexity.

Why Incorrect

A. Lambda does not have a "maintenance window" feature for function code updates; this approach does not solve the core problem of duplicated dependency packaging.

B. Upgrading the Lambda runtime updates the execution environment (e.g., Python version) but does not manage the application-specific dependencies packaged with the function code.

D. Using CodeCommit centralizes the source code but does not solve the problem of packaging and deploying the dependencies into each individual Lambda function's deployment artifact.

References

1. AWS Lambda Developer Guide

"Using Lambda layers": The documentation states

"You can use layers to keep your deployment packages small

which makes it easier to develop your function code. A layer is a .zip file archive that can contain additional code or data. A layer can contain libraries

a custom runtime

data

or configuration files." This directly supports using layers for shared libraries.

2. AWS Lambda Developer Guide

"Creating and sharing layers": This section explains the core benefit: "By separating common components into layers

you can make it easier to update your functions and share these components across multiple functions." This aligns perfectly with the scenario of updating dependencies for many functions.

3. AWS Well-Architected Framework

Serverless Applications Lens

"Operational Excellence Pillar - OPS 4": The guide recommends

"Separate the business logic from the dependencies... You can use Lambda Layers to separate dependencies from your function code. This simplifies the process of updating dependencies because you don't need to redeploy your function code." This identifies layers as a best practice for the exact problem described.

Q: 4

A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The application will store information in an Amazon S3 bucket. The company needs to follow security best practices when deploying the application on AWS. Which approach should the company take to allow the application to interact with Amazon S3?

Options

Discussion

Aisha J. Feb 23, 2026 9:46 am

C , but if this was a legacy workload needing static keys, D would flip to correct. Small details totally change it.

Ravi B. Feb 26, 2026 7:03 am

Its C, D tricks you into thinking it's okay but AWS best practices say use roles for EC2 access not static keys.

AveryX Feb 17, 2026 6:47 pm

Every AWS exam seems to hammer this scenario. You'd think by now AWS would make it even clearer that IAM roles on EC2 (C) is the way, but they keep giving you A and D to trip people up. Roles give you temporary creds so no hardcoding, and you only grant S3 access not admin. I think C fits best practices here, but wouldn't mind hearing if anyone's ever seen a valid use for B or D lately.

Vikram Mar 2, 2026 1:17 am

Maybe C-using an IAM role with only the needed S3 permissions sticks to least privilege and avoids putting access keys in code. Admin access (A) works technically but isn't best practice, so that's why I think C is the way to go here. Open to other thoughts if I missed a scenario.

ZoeH Feb 25, 2026 9:09 am

A is wrong, C. Pretty sure that's from the official guide and practice tests too.

Mia M. Feb 15, 2026 3:24 pm

A or C? If it's just about getting S3 access with minimal setup, A works too since admin is enough for all actions. But I think C is usually better practice because you avoid over-permission. Not sure the question strictly rules out A.

Nathan T. Feb 24, 2026 12:43 pm

Option C makes sense since AWS IAM roles let the EC2 use S3 without any static credentials, which fits best practices. I think that's what they're after, but if the app was legacy maybe D would work. Anyone else see it differently?

Anita V. Mar 3, 2026 1:27 am

Honestly, C is the way AWS wants you to do it. Attaching an IAM role with only S3 permissions to the EC2 instance keeps creds off the server and sticks with least privilege. D always tempts people but hardcoded keys are a trap for best practices. Pretty sure C wins for exam safety, but I'd hear arguments if someone has a real world edge case.

Taylor G. Feb 22, 2026 7:40 pm

Gotta be C, that's standard AWS best practice for EC2-to-S3. IAM role with scoped permissions, no hardcoded keys at all.

Zoe F. Feb 12, 2026 3:13 am

Feels like C, Had something like this in a mock, and C is the only one using an IAM role with just the S3 permissions needed. Avoids hardcoding keys, lines up with AWS best practices for EC2 access. I think that's what they're looking for here but open if anyone sees it differently.

Be respectful. No spam.

Correct Answer:

Explanation

The most secure and recommended method for an application running on an Amazon EC2 instance to access other AWS services is to use an IAM role. By attaching an IAM role to the EC2 instance, the application can acquire temporary security credentials automatically through the instance metadata service. This avoids the need to store long-lived credentials, such as an access key and secret key, within the application or on the instance itself. Furthermore, the policy attached to the role should grant only the specific permissions required (least privilege), which in this case is access to Amazon S3. This approach aligns with AWS security best practices by using temporary credentials and enforcing the principle of least privilege.

Why Incorrect

A. Granting administrative access violates the principle of least privilege. The role should only have the permissions necessary to interact with Amazon S3, not manage the entire AWS account.

B. Using an IAM user with long-lived access keys is a significant security risk. It also violates the principle of least privilege by granting administrative access.

D. While this option correctly scopes permissions to S3, it relies on storing long-lived IAM user access keys on the instance, which is a security anti-pattern and less secure than using IAM roles.

References

1. AWS IAM User Guide

"IAM roles for Amazon EC2": "We strongly recommend that you use IAM roles with your applications. They provide temporary credentials that your application can use to sign requests

and you don't have to manage long-term credentials. Using roles is more secure than sharing access keys..."

2. AWS Whitepaper

"AWS Security Best Practices" (August 2023): Under the "Manage identities for workloads and applications" section (p. 19)

it states

"Use temporary credentials with IAM roles instead of long-term credentials like access keys. For workloads that run on AWS compute services

such as Amazon EC2

you can use IAM roles to provide temporary credentials to your workloads."

3. AWS IAM User Guide

"Security best practices in IAM": Under the "Grant least privilege" section

it advises

"When you set permissions with IAM policies

grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions..." This directly contradicts options A and B which grant administrative access.

Q: 5

A developer is creating a mobile app that calls a backend service by using an Amazon API Gateway REST API. For integration testing during the development phase, the developer wants to simulate different backend responses without invoking the backend service. Which solution will meet these requirements with the LEAST operational overhead?

Options

Discussion

Jordan L. Feb 28, 2026 1:05 pm

D . Mock integration with mapping templates is way less overhead than spinning up Lambda or EC2.

Quinn H. Feb 23, 2026 12:38 pm

Mock integration is literally what API Gateway built for stuff like this. D

LiamB Feb 19, 2026 7:56 pm

D , mock integration with request mapping template is exactly what you use to simulate backend responses with barely any setup. No Lambda or EC2 to manage, just config in API Gateway. Pretty sure AWS designed it for this. Disagree?

QuickAnalyst5371 Feb 23, 2026 8:02 pm

D imo. C's a bit of a trap since customizing the stage won't simulate backend responses by itself, it's mostly for deployment settings. Mock integration with mapping templates in D is the low-effort way AWS wants you to do this for testing. Always seen D picked in similar practice sets.

Jack Feb 23, 2026 6:38 am

D , mock integration lets you return static/mock data directly from API Gateway-no Lambda or EC2 needed. Bare minimum ops effort and built for this exact testing use case. Way easier than customizing a stage or spinning up resources. Anyone see a scenario where C would work better?

RaviX Feb 14, 2026 6:36 am

Its D here, mapping template with mock integration keeps it simple, no backend, minimal setup. Not totally sure if C is ever used alone for this, but D matches what I've seen in AWS docs.

Meera Feb 21, 2026 6:36 pm

D , but I think it's a trap-sort key doesn't impact partition throughput like hash key does. B is probably correct here based on exam reports, open to corrections.

Liam Feb 24, 2026 9:16 pm

D . Both the AWS official guide and sample exams mention using mock integration with mapping templates for simulating backend responses in API Gateway, pretty sure that's the least overhead option here. If I'm missing something let me know.

Adam C. Feb 19, 2026 5:24 am

Had something like this in a mock, I picked A. Lambda proxy lets you customize responses and could simulate various outputs during integration tests. I thought this was less overhead than spinning up EC2 or customizing stages. Might be off here, correct me if I missed something.

Luna C. Feb 13, 2026 10:39 pm

A is out, D is what I've seen in exam reports for simulating responses with minimal setup.

Be respectful. No spam.

Correct Answer:

Explanation

Amazon API Gateway provides a built-in mock integration feature specifically for testing purposes. This allows developers to configure an API method to return a response directly from API Gateway without invoking any backend service. By using a request mapping template with the mock integration, a developer can define a static response, including the status code, headers, and body. This approach perfectly satisfies the requirement to simulate different backend responses for testing with the absolute minimum operational overhead, as it requires no additional compute resources like AWS Lambda or Amazon EC2.

Why Incorrect

A. This solution introduces unnecessary operational overhead by requiring the creation, deployment, and management of an AWS Lambda function, which is not needed when a built-in mock feature exists.

B. This is the highest overhead option, as it involves provisioning and managing an entire Amazon EC2 instance and deploying a mock service, which is complex and costly for simple response simulation.

C. API Gateway stages are for managing deployment lifecycles (e.g., dev, prod), not for simulating backend responses. Gateway responses handle API Gateway-level errors, not mock integration logic.

References

1. AWS API Gateway Developer Guide - Setting up mock integrations in Amazon API Gateway: "With mock integration

you can have API Gateway return a response without sending the request to the backend. Mock integrations are useful for testing an API without requiring a configured backend... You can also have the method integration return a response based on the request parameters by using a mapping template." This directly supports the use of mock integrations for the described scenario.

2. AWS API Gateway Developer Guide - Tutorial: Create a REST API with a mock integration: This tutorial provides a step-by-step guide on how to "create an API with a mock integration. A mock integration responds to any request that reaches it by returning a hardcoded response

which you configure in API Gateway." This demonstrates the low operational overhead of the feature.

3. AWS API Gateway Developer Guide - API Gateway mapping template and access logging variable reference: This document explains how mapping templates are used to transform data. For mock integrations

a response mapping template is configured to define the exact response returned by API Gateway. Section: "Mapping template overview".

Q: 6

A developer is creating a template that uses AWS CloudFormation to deploy an application. The application is serverless and uses Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. Which AWS service or tool should the developer use to define serverless resources in YAML?

Options

Discussion

ChrisK Feb 11, 2026 8:51 pm

Option C seems right since SAM is basically CloudFormation's serverless extension for YAML templates. CDK (D) is also used to define serverless stuff, but it's mainly in code (Python, TS). If the question was less strict about YAML, maybe D could work too. Pretty sure C is what they're looking for, but open to debate.

Robin S. Feb 16, 2026 9:41 am

Its C, since SAM lets you define serverless setups (Lambda, API Gateway, DynamoDB) in YAML. D is close but CDK is about writing infra as code, not editing YAML directly. I think C is what the exam wants but if anyone thinks D fits better, open to hearing why.

Parker R. Feb 19, 2026 6:09 am

Likely it's C here. AWS SAM is made specifically for defining serverless resources like Lambda, API Gateway, and DynamoDB using YAML in CloudFormation templates. D (CDK) is for writing infrastructure as code in languages like Python or TypeScript, not straight YAML editing-easy to mix up if you miss the format detail. If anyone disagrees let me know, but I think C fits best.

Nathan Q. Feb 16, 2026 1:58 pm

C vs D, had something like this in a mock. Picking D this time.

Morgan I. Feb 26, 2026 4:03 pm

Pretty clear to me it's C. AWS SAM is purpose-built for defining serverless resources like Lambda, API Gateway, and DynamoDB directly in YAML templates for CloudFormation. D (CDK) is tempting but it's all about writing code in languages like Python or Typescript, not editing YAML. Easy to mix those up, but "YAML" in the question tips it toward C. Anyone disagree?

Jack I. Feb 26, 2026 7:29 am

Maybe C . SAM is what you'd use for YAML serverless resources.

Ivy R. Feb 13, 2026 1:51 pm

D for me. CDK supports serverless resources and you write your logic in code, but it does synthesize YAML/JSON CloudFormation templates on deploy, right? If the question just needs to "define" resources and not author YAML directly, I think D could make sense. Not totally sure though if they want only YAML editing.

Logan Q. Feb 12, 2026 11:16 am

Maybe C here, since SAM is all about defining serverless resources with YAML in CloudFormation. CDK (D) is cool but it’s code-driven, not really YAML templates. Not 100 percent sure but feels like C matches the question’s wording best. Anyone think otherwise?

Ravi W. Feb 22, 2026 2:06 pm

Nah, I think C. SAM is built for YAML-based serverless resources in CloudFormation. D (CDK) is code-first, not really meant for direct YAML authoring, so that's a common trap.

Owen S. Mar 1, 2026 12:52 pm

D or C? CDK (D) lets you use code to define infra, and it does support serverless, but it's not native YAML like CloudFormation/SAM. Kinda feels like you *could* use D for this, but YAML isn't its main thing. Anybody else think D is valid here?

Be respectful. No spam.

Correct Answer:

Explanation

The AWS Serverless Application Model (AWS SAM) is an open-source framework specifically designed for building serverless applications. It provides a simplified, shorthand syntax as an extension of AWS CloudFormation to define serverless resources like AWS Lambda functions, Amazon API Gateway APIs, and Amazon DynamoDB tables. Developers use a YAML or JSON template file (template.yaml) to model their application. During deployment, the AWS SAM CLI transforms this simplified template into a standard, more verbose AWS CloudFormation template, which is then used to provision the resources. This directly matches the developer's need to define serverless resources in YAML for a CloudFormation-based deployment.

Why Incorrect

A. CloudFormation serverless intrinsic functions: This is not a recognized AWS term. While CloudFormation has intrinsic functions, there is no specific category named "serverless intrinsic functions."

B. AWS Elastic Beanstalk: This is a Platform as a Service (PaaS) for deploying and scaling web applications, not a framework for defining serverless infrastructure in a YAML template.

D. AWS Cloud Development Kit (AWS CDK): The AWS CDK uses familiar programming languages (like Python, TypeScript, or Java) to define cloud infrastructure, not YAML directly. It synthesizes a CloudFormation template from the code.

References

1. AWS Serverless Application Model (AWS SAM) Developer Guide: In the section "What is the AWS Serverless Application Model (AWS SAM)?"

it states

"The AWS Serverless Application Model (AWS SAM) is an open-source framework that you can use to build serverless applications on AWS... With SAM

you define your application resources in a YAML or JSON template."

2. AWS CloudFormation User Guide: The "Intrinsic function reference" section lists all available intrinsic functions. It does not include a category or specific functions called "serverless intrinsic functions."

3. AWS Cloud Development Kit (AWS CDK) Developer Guide: The "What is the AWS CDK?" section clarifies

"The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define your cloud application resources using familiar programming languages."

4. AWS Elastic Beanstalk Developer Guide: The "What is AWS Elastic Beanstalk?" section describes it as a service to "deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications

" highlighting its role as a PaaS

not a templating tool.

Q: 7

A developer is monitoring an application that runs on an Amazon EC2 Instance. The developer has configured a custom Amazon CloudWatch metric with data granularity of 1 second. It any issues occur, the developer wants to be notified within 30 seconds by Amazon Simple Notification Service (Amazon SNS). What should the developer do to meet this requirement?

Options

Discussion

Nathan M. Feb 17, 2026 3:40 pm

Option A

Jamie E. Feb 14, 2026 7:16 am

A is right here, not B. Only high-resolution CloudWatch alarms can work with 1-second granularity and trigger SNS within 30 seconds. The others won’t get alerts out fast enough. Pretty sure on this but open to other takes.

Parker D. Feb 18, 2026 2:30 am

A imo . Default alarms can only check every 60 seconds, so you need high-res for that fast notification.

BenT Feb 22, 2026 10:43 pm

Probably A since only a high-res CloudWatch alarm supports sub-minute intervals like 30 seconds. The rest wouldn't notify that fast, if I'm reading it right. Pretty sure about this, but open to other opinions if I missed something.

QuietConsultant9322 Feb 19, 2026 5:31 pm

C or D, not confident here because both seem off for the 30 sec part.

Riley B. Mar 1, 2026 1:07 am

Nah, it's not B. High-res alarm is the only one that supports 30 sec notifications, so A.

Arjun A. Feb 27, 2026 9:44 pm

Nah, I think A is the way to go here. High-resolution alarms are needed for that sub-minute alerting, since default CloudWatch metrics like D cap you at a 60 second minimum and wouldn't notify fast enough. Anyone disagree?

Chloe Q. Feb 27, 2026 2:51 pm

My vote is A, saw a similar scenario in practice exams and high-res alarms were required for sub-minute alerts.

Noah I. Feb 12, 2026 2:48 am

OliviaW Feb 16, 2026 6:52 pm

A for sure here. High-res alarms let you trigger notifications within 30 seconds which is what the question wants, none of the others support that quick of a response. If I've missed something about custom metrics let me know, but pretty sure this is the best fit.

Be respectful. No spam.

Correct Answer:

Explanation

The question requires a notification within 30 seconds based on a custom metric with 1-second data granularity. This type of metric is known as a high-resolution metric. To trigger an alarm based on such a metric in under a minute, a high-resolution CloudWatch alarm is necessary. High-resolution alarms can evaluate metrics with periods of 10 or 30 seconds, allowing for rapid state change detection and notification, thereby meeting the 30-second notification requirement. Standard alarms have a minimum evaluation period of 60 seconds and would not be sufficient.

Why Incorrect

A custom CloudWatch dashboard is a visualization tool for monitoring metrics and logs; it does not actively trigger notifications.

Amazon CloudWatch Logs Insights is a service for interactively querying and analyzing log data, not for setting alarms on existing custom metrics.

Changing to a default CloudWatch metric would be counterproductive, as standard EC2 metrics have a minimum granularity of one minute, which cannot meet the 30-second notification requirement.

References

1. Amazon CloudWatch User Guide. "High-resolution alarms". This section states

"If you set an alarm on a high-resolution metric

you can specify a high-resolution alarm that has a period of 10 seconds or 30 seconds... High-resolution metrics are custom metrics that you can publish with a storage resolution of 1 second."

2. Amazon CloudWatch User Guide. "Publishing custom metrics". This page details how custom metrics can be published with a StorageResolution of 1

which designates them as high-resolution metrics

suitable for high-resolution alarms.

3. Amazon CloudWatch User Guide. "Using Amazon CloudWatch dashboards". This section describes dashboards as customizable pages for monitoring resources in a single view

confirming their purpose is visualization

not alerting.

Q: 8

A developer is creating an AWS Serverless Application Model (AWS SAM) template. The AWS SAM template contains the definition of multiple AWS Lambda functions, an Amazon S3 bucket, and an Amazon CtoudFront distribution. One of the Lambda functions runs on Lambda@Edge in the CloudFront distribution. The S3 bucket is configured as an origin for the CloudFront distribution. When the developer deploys the AWS SAM template in the eu-west-1 Region, the creation of the stack fails. Which of the following could be the reason for this issue?

Options

Discussion

Daniel X. Feb 27, 2026 7:07 am

B vs D? I think it's B because Lambda@Edge functions have to be in us-east-1, and SAM tries to create everything in the region you pick. But D threw me off for a sec since S3 and CloudFront are global-ish. Not totally sure though, AWS quirks get me sometimes.

ThoughtfulConsultant8522 Feb 18, 2026 7:11 pm

Probably A, seen similar on practice tests. Official AWS docs and whitepapers on Lambda async invocation would help for stuff like this.

Alex F. Feb 24, 2026 8:51 am

I don’t think it’s A. B for sure, Lambda@Edge functions must be created in us-east-1 or stack fails deploying elsewhere.

Emma N. Feb 16, 2026 10:01 am

If anything, B: Had something like this in a mock exam, and Lambda@Edge always needed the function to be created in us-east-1 or you'd get deployment errors. Creating it in eu-west-1 fails for that reason. Pretty sure that's still current, correct me if AWS changed recently.

Parker A. Feb 15, 2026 4:53 pm

Its B

Adam F. Feb 19, 2026 8:17 pm

Was anyone else confused by A at first? CloudFront itself can be created in any region, but Lambda@Edge always has to go via us-east-1. Just making sure I’m not missing some recent update here.

Chris B. Feb 27, 2026 1:48 pm

I'd check on option B here, since Lambda@Edge functions always have to be created in us-east-1. When you try deploying a SAM stack in another region like eu-west-1 with Lambda@Edge, it fails because of that requirement. All other resources (CloudFront, S3) can be defined anywhere but Lambda@Edge is the gotcha. Pretty sure that's still the current behavior, unless AWS recently changed it-anyone seen an update?

MiaU Mar 1, 2026 5:43 pm

Its B, classic AWS gotcha with Lambda@Edge stuck to us-east-1. Running this in eu-west-1 always fails. Seen this trip people up.

PracticalDev1703 Feb 28, 2026 2:56 pm

Not convinced by C, that's a common trap with API Gateway timeouts. A

Liam I. Feb 17, 2026 7:07 pm

B for sure, Lambda@Edge needs to be deployed in us-east-1 or CloudFormation will fail the stack. S3 and CloudFront can be in any region but the edge function is the blocker here. Pretty sure that's the gotcha, but correct me if AWS changed this.

Be respectful. No spam.

Correct Answer:

Explanation

The deployment fails because AWS Lambda@Edge functions have a strict regional requirement. To be associated with an Amazon CloudFront distribution, a Lambda function must be created in the US East (N. Virginia) Region, which has the region code us-east-1. The developer is attempting to deploy the AWS SAM stack, including the Lambda@Edge function, in the eu-west-1 Region. The AWS CloudFormation service, which underlies AWS SAM, will attempt to create the Lambda function in the same region as the stack (eu-west-1), causing the deployment to fail due to this service constraint.

Why Incorrect

A. Amazon CloudFront is a global service, not a regional one. While its API endpoint is global, you can create and manage distributions from any AWS Region using tools like the AWS CLI or CloudFormation.

C. AWS SAM is designed to manage serverless applications, which often consist of multiple functions and other resources. A single SAM template explicitly supports the definition of multiple AWS::Serverless::Function resources.

D. There is no restriction that prevents an S3 bucket and a CloudFront distribution from being defined in a stack created in the same AWS Region. An S3 bucket in any region can serve as an origin for the global CloudFront service.

References

1. AWS Lambda Developer Guide: In the section on setting up Lambda@Edge

it explicitly states the regional requirement.

Source: AWS Lambda Developer Guide

"Setting up Lambda@Edge".

Reference: Under the "To create a Lambda@Edge function" section

the guide notes: "Note that you must create Lambda@Edge functions in the US East (N. Virginia) Region."

2. Amazon CloudFront Developer Guide: This guide reiterates the same constraint for functions used with CloudFront.

Source: Amazon CloudFront Developer Guide

"Requirements and restrictions on Lambda functions".

Reference: The first requirement listed is: "The Lambda function must be in the US East (N. Virginia) Region."

3. AWS CloudFormation User Guide: This guide explains how CloudFormation handles resources

and service-specific constraints like this apply.

Source: AWS CloudFormation User Guide

"AWS::Lambda::Version".

Reference: In the documentation for associating a Lambda function version with a CloudFront distribution

it notes the function must be in us-east-1. This underlying CloudFormation constraint is what causes the SAM deployment to fail.

Q: 9

A developer is building a serverless application by using AWS Serverless Application Model (AWS SAM) on multiple AWS Lambda functions. When the application is deployed, the developer wants to shift 10% of the traffic to the new deployment of the application for the first 10 minutes after deployment. If there are no issues, all traffic must switch over to the new version. Which change to the AWS SAM template will meet these requirements?

Options

Discussion

Logan O. Feb 19, 2026 8:46 am

D . Adding a GSI with OrderSource as the partition key lets you query just for MobileApp, much faster than Scan. Makes sense for a big table like this. Disagree?

Emma E. Feb 22, 2026 1:11 am

Yep, A. Canary is the single 10 percent to start, then full cutover after 10 minutes.

Rowan O. Feb 27, 2026 1:58 am

Probably A, linear does increments but not a fixed 10 percent for 10 minutes like canary. B is a trap.

Casey J. Feb 22, 2026 2:00 am

Probably A. Canary10Percent10Minutes matches exactly what the question asks, just 10 percent for 10 minutes then full cutover. Linear would split traffic up in steps which isn't needed here. Pretty sure this is correct but open if someone sees a catch.

Anita Z. Feb 27, 2026 2:34 am

A No extra steps needed if it just wants a single canary shift then go all-in after 10 min. Linear's for multiple steps so wouldn't fit here. Someone correct me if I'm missing a CodeDeploy nuance.

Riley R. Mar 1, 2026 9:51 pm

Ugh, these deployment types are worded so AWS-y. Probably A, since canary actually does the single 10% then full cutover instead of incremental increases. Linear's for step-ups, not what they want here. Anyone see a trick I'm missing?

Mia Q. Feb 13, 2026 6:27 am

Yeah this is classic canary deployment so A fits. Canary10Percent10Minutes gives exactly the 10 percent traffic for 10 min, then full switch. Linear would mean gradual increases, which isn't what they're asking here. Pretty sure it's A but open to other takes.

Ava G. Mar 1, 2026 2:02 pm

Why does B use Linear instead of Canary here when the requirement is just a one-time 10% before full switch?

Ava E. Feb 18, 2026 3:09 am

These CodeDeploy deployment types feel way too vendor-specific, B tbh, since linear sounds like it matches the 10 percent then all switch.

Adam C. Mar 3, 2026 8:42 am

Its A, saw a similar question on practice exams. Canary10Percent10Minutes matches that exact rollout pattern.

Be respectful. No spam.

Correct Answer:

Explanation

The requirement describes a canary deployment pattern: shifting a small percentage of traffic (10%) to the new version for a fixed time (10 minutes) before a full rollout. In AWS SAM, this is configured using the DeploymentPreference property on an AWS::Serverless::Function resource. The Type Canary10Percent10Minutes precisely matches this requirement. To enable any form of gradual deployment (Canary or Linear), the AutoPublishAlias property must be set. This property instructs AWS SAM to create a Lambda alias and manage traffic shifting between function versions through AWS CodeDeploy.

Why Incorrect

B: Linear10PercentEvery10Minutes implements a linear deployment, which would gradually increase traffic by 10% every 10 minutes, not the single 10% shift for a fixed duration as required.

C: The PreTraffic and PostTraffic properties are for specifying validation Lambda functions (hooks) that run before and after traffic shifting, not for enabling the deployment itself. The required AutoPublishAlias property is missing.

D: This option is incorrect for two reasons: it uses the wrong deployment type (Linear) and misuses the PreTraffic and PostTraffic properties instead of the required AutoPublishAlias.

References

1. AWS Serverless Application Model (SAM) Developer Guide: Under the AWS::Serverless::Function resource documentation

the DeploymentPreference object is detailed. It states

"To enable traffic shifting

you must specify an alias name in the AutoPublishAlias property."

Source: AWS Documentation

AWS SAM Developer Guide

"AWS::Serverless::Function"

section "Properties > DeploymentPreference".

2. AWS Serverless Application Model (SAM) Developer Guide: The same section lists the available predefined deployment preference types. It explicitly defines Canary10Percent10Minutes as a type that "Shifts 10 percent of traffic in the first increment. The remaining 90 percent is shifted 10 minutes later."

Source: AWS Documentation

AWS SAM Developer Guide

"AWS::Serverless::Function"

section "Properties > DeploymentPreference > Type".

3. AWS Serverless Application Model (SAM) Developer Guide: The documentation clarifies the purpose of the Hooks property

which contains PreTraffic and PostTraffic. It describes them as

"A Lambda function that is run before traffic is shifted to the new version... A Lambda function that is run after traffic is shifted to the new version." This confirms they are for validation

not for enabling the deployment.

Source: AWS Documentation

AWS SAM Developer Guide

"AWS::Serverless::Function"

section "Properties > DeploymentPreference > Hooks".

Q: 10

A company has a serverless application that uses Amazon API Gateway and AWS Lambda functions to expose a RESTful API. The company uses a continuous integration and continuous delivery (CI/CD) workflow to deploy the application to multiple environments. The company wants to implement automated integration tests after deployment. A developer needs to set up the necessary infrastructure and processes to automate the deployment and integration tests for the serverless application.

Options

Discussion

Priya A. Feb 17, 2026 11:10 pm

C . Had something like this in a mock, CodePipeline is key for full CI/CD and integration tests across environments.

Chris V. Feb 24, 2026 7:02 am

Nah, I think C. B is tempting but doesn't include full CI/CD orchestration with CodePipeline, which the question hints at for automation.

NoraF Feb 21, 2026 8:16 pm

Yep, C is the way to go. CodePipeline handles the whole CI/CD process, not just infra or tests by themselves. With API Gateway stages, CloudFormation for IAC and CodeBuild for integration testing, everything’s covered end to end. Pretty sure that’s what AWS expects but let me know if anyone disagrees.

Olivia Feb 18, 2026 5:36 pm

Gotta be C for this scenario.

Noah L. Feb 13, 2026 12:23 pm

Serverless CI/CD automation questions like this usually show up in practice tests and the official AWS study guide, worth reviewing both.

PreciseConsultant8387 Feb 13, 2026 4:16 am

Pretty sure C is right since CodePipeline gives you full CI/CD automation, not just infra. I checked some practice exams and official guide, both show this pattern as best practice for serverless apps. Correct me if I'm missing something with B or D.

Riley Feb 17, 2026 9:34 pm

B for me, since CloudFormation plus CodeBuild seems solid for infra and test automation. Official docs and practice exams mention this combo a lot. I might be missing something subtle about orchestration though, open to corrections.

Robin M. Mar 2, 2026 8:32 pm

C tbh, because CodePipeline actually manages the whole CI/CD flow here, not just infra setup. B misses the orchestration bit and that's pretty key for proper automated deployment + testing after deploys to each API Gateway stage. I think C matches real exam setups I've seen but open if someone thinks B actually covers CI/CD end-to-end.

Avery N. Mar 2, 2026 11:13 am

C vs B. Pretty sure C is better since CodePipeline ties the whole CI/CD flow together, not just infra or tests. B skips the orchestration part, which is kind of a trap here. Correct me if I'm missing a catch.

Amelia M. Feb 26, 2026 5:25 am

A for sure. SQS acts as a buffer so sudden spikes get smoothed before Lambda tries writing to DynamoDB. Seen similar in other AWS exam practice sets, so pretty confident here. Let me know if you read it differently.

Be respectful. No spam.

Correct Answer:

Explanation

This option presents the most complete and robust solution for automating a CI/CD workflow for a serverless application on AWS. AWS CodePipeline is the service designed to orchestrate the entire workflow, from source control to deployment and testing. Using AWS CloudFormation (or AWS SAM, which is an extension of CloudFormation) is the standard for defining infrastructure as code. API Gateway stages are the correct mechanism for managing different environments (e.g., dev, test, prod). Finally, AWS CodeBuild is the appropriate service to integrate into the pipeline to run automated builds and integration tests against the newly deployed API Gateway stage, providing a fully automated process.

Why Incorrect

A: This option is incomplete. While it lists correct components like API Gateway stages, SAM, and CodeBuild, it omits AWS CodePipeline, which is essential for orchestrating the CI/CD workflow.

B: Similar to option A, this option is incomplete. It correctly identifies CloudFormation, API Gateway stages, and CodeBuild but fails to include the AWS CodePipeline service needed to automate and connect these steps.

D: This is a less robust and less automated solution. It lacks a pipeline orchestrator (CodePipeline) and suggests using the AWS CLI for testing, which is less manageable and scalable than using a dedicated service like AWS CodeBuild.

References

1. AWS CodePipeline User Guide: The "Tutorial: Create a pipeline that deploys an AWS SAM application" demonstrates the standard architecture. It shows a pipeline with a source stage

a build stage using AWS CodeBuild

and a deploy stage using an AWS CloudFormation action. This confirms that CodePipeline is the orchestrator for the workflow. (See: AWS CodePipeline User Guide

Tutorials

"Tutorial: Create a pipeline that deploys an AWS SAM application").

2. AWS API Gateway Developer Guide: The section on "Setting up stages for a REST API" states

"An API stage is a logical reference to a lifecycle state of your API (for example

dev

prod

beta

v2)." This validates the use of stages to represent different application environments. (See: API Gateway Developer Guide

"Develop a REST API"

"Deploy a REST API"

"Setting up stages for a REST API").

3. AWS CodeBuild User Guide: The "How CodeBuild works" section explains that a build project contains the commands to run

which can include compiling code

running tests

and packaging software. This confirms its role in running automated tests within a pipeline. (See: AWS CodeBuild User Guide

"What Is CodeBuild?"

"How CodeBuild works").

4. AWS CloudFormation User Guide: The "What is AWS CloudFormation?" section describes it as the service for modeling and setting up your AWS resources (infrastructure as code)

which is the standard for managing the Lambda and API Gateway resources in a repeatable way. (See: AWS CloudFormation User Guide

"Introduction"

"What is AWS CloudFormation?").

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE