An AWS Lambda event source mapping is the essential component that connects a stream-based event source, such as an Amazon DynamoDB stream, to a Lambda function. This mapping is a resource managed by the Lambda service that reads records from the stream and invokes the target function synchronously with a batch of items. Although DynamoDB Streams are enabled on the table and the function's execution role has permissions, the Lambda service will not poll the stream and invoke the function until this explicit mapping is created. This is the missing step required to establish the trigger.

A. The StreamViewType parameter determines the content of the stream records (e.g., new image, old image). It does not affect the invocation mechanism itself.

C. Amazon DynamoDB Streams cannot be directly mapped to an Amazon SNS topic. This is not a supported integration pattern for triggering the function.

D. The function timeout setting is relevant only after a function has been invoked. The problem described is a failure to invoke, not a failure during execution.

1. AWS Lambda Developer Guide: In the section "Using AWS Lambda with Amazon DynamoDB

" it states

"To associate a function with a stream from Amazon DynamoDB

you first create a Lambda function... Then

you create an event source mapping to tell Lambda to send records from your stream to the Lambda function."

Source: AWS Lambda Developer Guide

"Using AWS Lambda with Amazon DynamoDB

" section on "Event source mapping."

2. Amazon DynamoDB Developer Guide: The documentation on triggers explains the architecture: "AWS Lambda polls the shard for records and invokes your Lambda function synchronously when records are detected in the shard. The event source mapping passes the stream records to the Lambda function as an event payload."

Source: Amazon DynamoDB Developer Guide

"Processing new items with DynamoDB Streams and Lambda

" section on "DynamoDB Streams and AWS Lambda Triggers."

3. AWS Lambda API Reference: The CreateEventSourceMapping API action is used to create the trigger. Its description confirms its purpose: "Creates a mapping between an event source and an AWS Lambda function. Lambda reads items from the event source and invokes the function."

Source: AWS Lambda API Reference

CreateEventSourceMapping action documentation.

The goal is to enhance the responsiveness of a popular, unauthenticated, read-heavy API where the underlying data changes infrequently (daily). Enabling API caching in API Gateway is the most effective solution. When caching is enabled, API Gateway stores responses from the backend Lambda function for a specified Time-To-Live (TTL). Subsequent identical requests are served directly from the cache, bypassing the Lambda invocation. This significantly reduces latency and improves responsiveness for end-users, while also lowering the load on the backend service.

B. Configure API Gateway to use an interface VPC endpoint.

This provides private access to an API from within a VPC. The scenario specifies the service is offered over the public internet, making this option irrelevant for external users.

C. Enable cross-origin resource sharing (CORS) for the APIs.

CORS is a browser security mechanism that allows or denies cross-origin requests. It is a functional requirement for certain clients, not a performance enhancement to reduce latency.

D. Configure usage plans and API keys in API Gateway.

Usage plans and API keys are for managing and authenticating access, including throttling and quotas. The API is unauthenticated, and these features are for control, not for improving general responsiveness.

1. Amazon API Gateway Developer Guide: Enabling API caching to enhance responsiveness. This document states

"You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching

you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."

2. Amazon API Gateway Developer Guide: Create and attach an interface VPC endpoint for API Gateway. This guide explains

"To provide your private API clients in a VPC access to your API without using public IPs or exposing traffic to the public internet

you can use an interface VPC endpoint." This confirms its use for private

not public

access.

3. Amazon API Gateway Developer Guide: Creating and using usage plans with API keys. This section details that "After you create

test

and deploy your APIs

you can use API Gateway usage plans to make them available as a product offering for your customers." This highlights its purpose for access control and monetization

not latency reduction.

4. Amazon API Gateway Developer Guide: Enabling CORS for a REST API resource. This page clarifies

"Cross-origin resource sharing (CORS) is a browser security feature that restricts cross-origin HTTP requests that are initiated from scripts running in the browser." This confirms CORS is a security feature

not a performance tool.

Amazon CloudWatch Logs is the primary AWS service for centralizing application and system logs. For containerized microservices, the standard and most effective approach is to configure a log driver (e.g., awslogs for Amazon ECS) to forward container logs to CloudWatch. Creating a distinct log stream for each microservice instance within a shared log group provides a scalable and organized method for aggregation. This structure allows developers to easily isolate, search, and analyze logs from specific microservices while maintaining a central repository, directly addressing the need for a scalable, central logging solution for application logs.

B: AWS CloudTrail is used for auditing AWS API calls and account activity, not for capturing logs generated by the application's internal code.

C: VPC Flow Logs capture metadata about IP network traffic (source/destination IP, ports, etc.) within a VPC, not the content of application logs.

D: AWS Cloud Map is a service discovery tool that helps microservices find and connect to each other; it is not a logging solution.

1. Amazon CloudWatch Logs User Guide: Under "Concepts

" it defines a log stream as "a sequence of log events that share the same source." It further explains

"Each separate source of logs in CloudWatch Logs makes up a separate log stream." This supports the practice of using a separate stream for each microservice. (Source: AWS Documentation

Amazon CloudWatch Logs User Guide

"Logs concepts"

Section: "Log groups and log streams").

2. Amazon Elastic Container Service Developer Guide: The documentation for the awslogs log driver specifies its behavior: "The awslogs log driver sends container logs to Amazon CloudWatch Logs. In Amazon CloudWatch Logs

log events from each container instance are sent to different log streams in a log group." This directly validates the pattern described in the correct answer for containerized microservices. (Source: AWS Documentation

Amazon Elastic Container Service Developer Guide

"Logging and monitoring in Amazon ECS"

Section: "Using the awslogs log driver").

3. AWS CloudTrail User Guide: The introduction states

"AWS CloudTrail is an AWS service that helps you enable operational and risk auditing

governance

and compliance of your AWS account. Actions taken by a user

role

or an AWS service are recorded as events in CloudTrail." This confirms its purpose is unrelated to application logging. (Source: AWS Documentation

AWS CloudTrail User Guide

"What Is AWS CloudTrail?").

The simplest and most efficient method to automatically delete old items from a DynamoDB table is by using the built-in Time To Live (TTL) feature. This feature allows you to define a specific attribute that stores an expiration timestamp in Unix epoch time format. Once TTL is enabled on the table for that attribute, DynamoDB continuously evaluates items and deletes those that have expired, typically within 48 hours of expiration. This is a fully managed, no-cost feature that eliminates the need for custom application logic, provisioned throughput consumption for deletes, or managing separate compute resources, making it the ideal solution for ephemeral data like session information.

A. This is a valid but overly complex solution. It introduces operational overhead for managing the EC2 instance, the script, and potential costs for scan operations.

C. This architectural pattern is inefficient and complex, requiring application-level changes to manage multiple tables and risking data loss for active sessions during table deletion.

D. Merely adding an attribute is insufficient. The Time To Live (TTL) feature must be explicitly enabled on the table and configured to use that attribute.

1. AWS DynamoDB Developer Guide

"Using DynamoDB Time to Live (TTL)": This document states

"Time to Live (TTL) for Amazon DynamoDB automates the process of deleting expired items from your tables... TTL is provided at no extra cost... It is a low-impact

background process that doesn’t affect your table’s performance." (Section: Time To Live)

2. AWS DynamoDB Developer Guide

"How it works: Time to Live": This section explains the process: "You can set a specific timestamp for an item to expire. Once the timestamp expires

the item is marked for deletion... DynamoDB deletes expired items on a best-effort basis." (Section: How it works: Time to Live)

3. AWS API Reference

UpdateTimeToLive: The documentation for this API call confirms the required steps: specifying the attribute name and enabling the TimeToLiveSpecification. This shows that simply adding an attribute (as in option D) is not enough. (Action: UpdateTimeToLive

Request Parameters: TimeToLiveSpecification)

This solution correctly implements the centralized event bus pattern, which is the best practice for aggregating events from multiple AWS accounts. The process involves three key steps:

1. The main (receiving) account applies a resource-based policy to its event bus, granting permission for other specific accounts to send events to it.

2. Each source (sending) account creates an EventBridge rule to capture the desired EC2 lifecycle events and sets the target of that rule to be the event bus in the main account.

3. The main account creates a final rule on its event bus to process these aggregated events and forward them to the SQS queue. This architecture is scalable, manageable, and decouples event producers from the final consumer.

Why Incorrect Options are Wrong

A. This option misrepresents how cross-account event delivery works. EC2 instances publish events to their local account's event bus, not directly to an event bus in another account.

B. While technically possible to target a cross-account SQS queue directly from each source account, this creates tight coupling and is harder to manage. The central event bus pattern (Option D) is superior.

C. This describes an inefficient polling mechanism. An event-driven approach using Amazon EventBridge is the standard, real-time, and more cost-effective method for reacting to AWS service events like EC2 lifecycle changes.

---

References

1. AWS Documentation, Amazon EventBridge User Guide: "Sending and receiving Amazon EventBridge events between AWS accounts". This document explicitly details the recommended pattern. It states, "To send events to another account, you create a rule with the event bus in the other account as a target... The receiving account must grant permission to the sending account to send events to an event bus in the receiving account." This directly supports the steps outlined in option D.

2. AWS Documentation, Amazon EventBridge User Guide: "Tutorial: Route events to a different account". This tutorial provides a step-by-step guide that mirrors the solution in option D: "Step 1: Add permissions to the event bus in the receiving account," "Step 2: Create a rule in the sending account," and "Step 3: Create a rule in the receiving account."

3. AWS Documentation, Amazon EventBridge User Guide: "Amazon EventBridge resource-based policies". This section explains how to configure the permissions on the receiving event bus, which is the first step in option D. It provides policy examples for granting events:PutEvents permissions to other accounts.

4. AWS Documentation, Amazon EventBridge User Guide: "EC2 instance state-change events". This page confirms that EC2 instance state changes generate events that are sent to the default EventBridge event bus, making them available for rules to process.

The AWS SDKs and Command Line Interface (CLI) use a specific order of precedence to find credentials, known as the credential provider chain. By default, the shared credentials file (~/.aws/credentials) is checked before the IAM role attached to the EC2 instance. In this scenario, the application will find and use the IAM user's access keys from the credentials file. Since these keys grant full administrative access, the EC2 instance will be able to perform all S3 actions. The IAM role and its explicit deny policy are never evaluated because credentials were found earlier in the provider chain.

A. The EC2 instance will only be able to list the S3 buckets.

This is incorrect because the credentials being used provide full administrative access, not just the permission to list buckets.

B. The EC2 instance will only be able to list the contents of one S3 bucket at a time.

This is incorrect. The credentials used grant full administrative permissions, which are far more extensive than just listing bucket contents.

D. The EC2 instance will not be able to perform any S3 action on any S3 bucket.

This is incorrect because the IAM role with the explicit deny policy is not used. The credential provider chain selects the user credentials from the file first.

1. AWS SDK and Tools Reference Guide

"Configuration and credential settings": This document outlines the order of precedence for credentials. It states

"When you configure your credentials

you can use any of the methods described in this topic. The SDK or tool works through them in a specific order of precedence... 3. Shared credentials file (~/.aws/credentials and ~/.aws/config)... 5. IAM role for Amazon EC2". This confirms the credentials file is checked before the instance role.

2. AWS Identity and Access Management User Guide

"IAM roles for Amazon EC2": This guide explains how applications on an EC2 instance can use the credentials from an attached IAM role. However

it operates as part of the broader credential provider chain

which prioritizes other sources like the credentials file.

3. AWS Command Line Interface User Guide

Version 2

"Configuration and credential file settings": Under the section "Order of precedence for AWS CLI options and settings

" the documentation confirms the credential provider chain order

placing the shared credential file (awsaccesskeyid

awssecretaccesskey) before instance profile credentials.

To transition an AWS Lambda function from a .zip package to a container image, the container image must be stored in Amazon Elastic Container Registry (ECR). The process involves creating an ECR repository in the same AWS Region as the function, packaging the function code into a container image using a Dockerfile, and pushing this image to the ECR repository. Finally, the existing Lambda function's configuration must be updated to change the package type from .zip to image and to specify the full ECR image URI, which includes the repository URI and a specific image tag or digest. Option A accurately describes this complete, standard procedure.

B: This is incorrect because Lambda container images must be stored in Amazon ECR, not Amazon S3. S3 is used for .zip file deployments and storing IaC templates.

C: This is incorrect for the same reason as option B. AWS CloudFormation requires the container image to be located in an Amazon ECR repository, not an S3 bucket.

D: This option is incomplete. Simply specifying the repository URI is insufficient. Lambda requires the full image URI, which must include a specific image tag or digest to identify the exact version to deploy.

1. AWS Lambda Developer Guide

"Deploying Lambda functions as container images": This document explicitly states

"You upload your container images to Amazon Elastic Container Registry (Amazon ECR)." It then outlines the workflow: create a repository

build the image

push to ECR

and then create or update the function to use the image URI. This supports the entire process described in option A.

2. AWS Lambda Developer Guide

"Creating Lambda functions defined as container images": Under the "Prerequisites" section

it lists

"A container image uploaded to an Amazon ECR repository in the same AWS Region as your function." This confirms the ECR and same-region requirements.

3. AWS CLI Command Reference

update-function-code: The documentation for this command shows the --image-uri parameter. The required format is ECR-URI:TAG (e.g.

123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:my-tag)

demonstrating the necessity of including both the repository URI and a tag

which makes option A more complete than option D.

Amazon ElastiCache is a fully managed in-memory caching service designed to improve application performance by providing a low-latency data store. For an application using Amazon RDS, implementing ElastiCache (with Redis or Memcached) is the standard AWS solution for a caching layer. The application logic is updated to first query the ElastiCache cluster for frequently accessed data, such as the most viewed products. If the data is not in the cache (a cache miss), the application then retrieves it from the RDS database and populates the cache for future requests. This cache-aside strategy significantly reduces latency and lessens the load on the primary database.

A. Amazon RDS for MySQL does not have a feature to "add a cache node" to a cluster. This describes a non-existent capability.

C. Amazon DynamoDB Accelerator (DAX) is a caching service exclusively for Amazon DynamoDB and is not compatible with Amazon RDS for MySQL.

D. A standby instance in an RDS Multi-AZ configuration is for high availability and automatic failover; it does not serve read traffic and is not a cache.

1. Amazon ElastiCache User Guide

"Database caching": This section explicitly details the use case for ElastiCache as an in-memory cache to reduce latency associated with querying a disk-based database like Amazon RDS. It states

"An in-memory cache can be put in front of a database... to improve the performance of your application."

2. AWS Documentation

"In-Memory Acceleration with DynamoDB Accelerator (DAX)": The introductory paragraph clearly states

"Amazon DynamoDB Accelerator (DAX) is a fully managed

highly available

in-memory cache for Amazon DynamoDB..." This confirms its exclusivity to DynamoDB.

3. Amazon RDS User Guide

"High availability (Multi-AZ) for Amazon RDS": Under the section for Multi-AZ DB instance deployments

the documentation clarifies the role of the standby instance: "You can't use the standby replica to serve read traffic." This confirms the standby is for failover

not read operations or caching.

This solution represents a standard, serverless, and scalable architecture for this use case, minimizing operational overhead. Amazon Cognito is the appropriate managed service for handling user sign-up, sign-in, and identity management for tens of thousands of application users. Integrating Cognito with an API Gateway authorizer provides a secure and managed way to control API access. Storing large binary objects like photos (up to 5 MB) in Amazon S3 is the correct approach, as DynamoDB has a 400 KB item size limit. Storing the S3 object key (metadata) in DynamoDB allows for efficient querying and retrieval of photo details.

A. Storing photos directly in DynamoDB is not feasible. DynamoDB has a maximum item size of 400 KB, while the photos can be up to 5 MB.

C. Creating an IAM user for each application user is an anti-pattern. IAM is for managing access to AWS resources, not for application end-users. This approach has high operational overhead and does not scale effectively.

D. Building a custom user management system in DynamoDB with a Lambda authorizer creates significant development and operational overhead for features like password hashing, session management, and password resets, which Amazon Cognito provides as a managed service.

1. Amazon Cognito for User Management: The AWS Documentation for Amazon Cognito states

"Amazon Cognito provides authentication

authorization

and user management for your web and mobile apps. Your users can sign in directly with a user name and password

or through a third party such as Facebook

Amazon

Google or Apple." This confirms Cognito is the correct choice for managing application users with low overhead.

Source: AWS Documentation

Amazon Cognito Developer Guide

"What Is Amazon Cognito?".

2. Amazon S3 for Object Storage: The AWS Documentation highlights S3's suitability for user-generated content. Storing large objects in S3 and metadata in DynamoDB is a common and recommended pattern.

Source: AWS Documentation

Amazon S3 User Guide

"Use cases for Amazon S3".

3. Amazon DynamoDB Item Size Limit: The official DynamoDB documentation explicitly states the service limit for item size

making option A technically impossible. "The maximum item size in DynamoDB is 400 KB

which includes both attribute name binary length (UTF-8 length) and attribute value lengths (again

binary length)."

Source: AWS Documentation

Amazon DynamoDB Developer Guide

"Service

account

and table quotas in Amazon DynamoDB".

4. IAM Users vs. Application Users: The AWS Identity and Access Management (IAM) best practices advise against using IAM users for application-level authentication. "Don't use IAM users for application access. Instead

your application should assume a role... For mobile or consumer-facing applications

we recommend that you use Amazon Cognito."

Source: AWS Documentation

IAM User Guide

"Security best practices in IAM".

The core issue identified is the latency caused by Lambda "cold starts," which is the time it takes to initialize a new execution environment. Provisioned Concurrency is a feature specifically designed to solve this problem for latency-sensitive applications. It works by initializing a specified number of execution environments and keeping them "warm" and ready to respond instantly to incoming requests. By routing invocations to these pre-initialized environments, the cold start latency is completely eliminated for those requests, directly addressing the performance issue.

A. Reserved concurrency guarantees that a certain number of concurrent executions are available for a function, preventing it from being throttled, but it does not keep execution environments pre-initialized or "warm."

B. Increasing the function's timeout allows it to run for a longer duration before being terminated. It has no impact on the initial startup time or cold start latency.

C. Increasing memory allocation also increases CPU power, which can reduce the duration of a cold start. However, it does not prevent the cold start from occurring in the first place.

1. AWS Lambda Developer Guide

"Configuring provisioned concurrency": "For latency-sensitive applications

you can use provisioned concurrency to keep your functions initialized and warm

ready to respond in double-digit milliseconds. Provisioned concurrency is the number of pre-initialized execution environments that you allocate to your function."

2. AWS Lambda Developer Guide

"Lambda function scaling": This section contrasts the different concurrency controls. It explains that on-demand functions scale from zero

incurring a cold start

while "for functions with provisioned concurrency

Lambda pre-initializes the requested number of execution environments."

3. AWS Lambda Operator Guide

"Performance optimization - Function initialization": "To reduce the duration of initialization

we recommend that you... configure provisioned concurrency for any function that has strict cold start latency requirements." This explicitly recommends provisioned concurrency as the solution for the problem described.