DVA-C02 AWS Certified Developer - Associate Questions and Answers

The command that will meet the requirements is sam sync -watch. This command enables AWS SAM Accelerate mode, which allows the developer to only redeploy the Lambda functions that have changed. The -watch flag enables file watching, which automatically detects changes in the source code and triggers a redeployment. The other commands either do not enable AWS SAM Accelerate mode, or do not redeploy the Lambda functions automatically.

To monitor memory usage in Amazon Elastic Beanstalk environments, it's important to understand that default Elastic Beanstalk monitoring capabilities in Amazon CloudWatch do not track memory usage, as memory metrics are not collected by default. Instead, the Amazon CloudWatch agent must be configured to collect memory usage metrics.

Why Option C is Correct:

The Amazon CloudWatch agent can be installed and configured to monitor system-level metrics such as memory and disk utilization.

To enable memory tracking, developers need to install the CloudWatch agent on the Amazon Elastic Compute Cloud (EC2) instances associated with the Elastic Beanstalk environment.

After installation, the agent can be configured to collect memory metrics, which can then be sent to CloudWatch for further analysis.

How to Implement This Solution:

Install the CloudWatch Agent:Use .ebextensions or AWS Systems Manager to install and configure the CloudWatch agent on the EC2 instances running in the Elastic Beanstalk environment.

Modify CloudWatch Agent Configuration:Create a config.json file that specifies memory usage tracking and other desired metrics.

Enable Metrics Reporting:The CloudWatch agent can push the metrics to CloudWatch, where they can be monitored.

Why Other Options are Incorrect:

Option A: Configuring the agent to push logs is not sufficient to track memory metrics. This option addresses logging but not system-level metrics like memory usage.

Option B: The .ebextensions directory is used to customize Elastic Beanstalk environments but does not directly track memory metrics without additional configuration of the CloudWatch agent.

Option D: Configuring a CloudWatch dashboard will only visualize the metrics that are already being collected. It will not enable memory usage tracking.

AWS Documentation References:

Amazon CloudWatch Agent Overview

Elastic Beanstalk Customization Using .ebextensions

Monitoring Custom Metrics

This solution will meet the requirements by using AWS Secrets Manager, which is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can use an AWS Secrets Manager resource in AWS CloudFormation template, which enables creating and managing secrets as part of a CloudFormation stack. The developer can use an AWS::SecretsManager::Secret resource type to generate and rotate the password for accessing RDS database during deployment. The developer can also specify a RotationSchedule property for the secret resource, which defines how often to rotate the secret and which Lambda function to use for rotation logic. Option A is not optimal because it will use an AWS Lambda function as a CloudFormation custom resource, which may introduce additional complexity and overhead for creating and managing a custom resource and implementing rotation logic. Option B is not optimal because it will use an AWS Systems Manager Parameter Store resource with the SecureString data type, which does not support automatic rotation of secrets. Option C is not optimal because it will use a cron daemon on the application’s host to generate and rotate the password, which may incur more costs and require more maintenance for running and securing a host.

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects using KMS keys

Cross-account read access to another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

Correct: Customer managed keys allow full control of key policy.

You can add a statement to allow cross-account access using the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

Incorrect: AWS-managed KMS keys (aws/s3) cannot be modified to add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

Incorrect: SCPs are used to restrict or allow permissions across AWS Organizations, not to grant S3 or KMS access directly.

Option D: Create a bucket policy granting s3:GetObject to second account

Correct: Bucket policies can grant cross-account access to specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

Incorrect: Gateway endpoints only apply within the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

To add a caching layer for frequently requested data (such as “most viewed products”), the AWS-native choice is Amazon ElastiCache, commonly using Redis for low-latency key/value caching, counters, sorted sets, and leaderboard-like patterns. Redis is particularly well-suited for ecommerce “top N” or popularity queries because it supports atomic increments and sorted sets, enabling efficient ranking updates.

Option B correctly introduces an ElastiCache (Redis OSS) cluster and updates the application to read from Redis first (cache-aside or write-through patterns) instead of hitting the RDS MySQL cluster for every request. This offloads read pressure from the database, reduces latency, and improves overall throughput.

Option A is not a valid RDS feature: you do not add a “cache node” to an RDS MySQL cluster as part of RDS itself.

Option C is incorrect because DAX is a caching layer specifically for DynamoDB, not for RDS MySQL.

Option D improves availability via Multi-AZ standby, but the standby is not for read scaling in standard RDS Multi-AZ (it’s primarily for failover). It does not provide a cache and does not solve the performance needs for hot reads.

By default, an Auto Scaling group uses EC2 status checks to determine instance health. EC2 status checks confirm that an instance is running and reachable at the infrastructure level, but they do not validate that the application is healthy behind the load balancer. In this scenario, the ALB is returning HTTP 502 errors and the target group shows instances as unhealthy, meaning the application is failing health checks (or not responding correctly). However, because the Auto Scaling group is using the default EC2 health check type, it does not consider these instances unhealthy for replacement.

AWS recommends configuring the Auto Scaling group to use ELB health checks when instances serve traffic behind an ALB or NLB. With ELB health checks enabled, Auto Scaling evaluates target health as reported by the load balancer target group. If the ALB marks an instance unhealthy, the Auto Scaling group will treat that instance as unhealthy and terminate and replace it automatically, restoring capacity with healthy targets.

Why the other options are insufficient:

Cooldown period (A) affects scaling timing, not health replacement logic.

Lifecycle hook changes (B) can help with initialization timing, but they do not cause Auto Scaling to replace instances based on ALB target health unless ELB health checks are enabled.

Health check grace period (D) delays health evaluation after launch, which can reduce premature replacement, but it still won’t replace instances based on ALB target group status unless the health check type is ELB.

Therefore, switching the Auto Scaling group health check type to Elastic Load Balancing (ELB) is the correct fix.

Comprehensive and Detailed Step-by-Step Explanation:

Option D: AWS AppConfig with CloudWatch Application Signals

AWS AppConfig is designed for managing and deploying application configurations dynamically, without redeployment.

CloudWatch Application Signals provide automatic rollback mechanisms in case of an unhealthy application state due to bad configuration changes.

This solution meets the requirements with minimal operational overhead by ensuring both dynamic updates and rollback functionality.

Why Other Options Are Incorrect:

Option A and B: AWS Secrets Manager is designed for secrets management, not dynamic application configuration. Custom Config rules add unnecessary complexity.

Option C: While CloudWatch alarms can monitor application changes, using alarms for rollback requires manual setup and lacks the automatic rollback provided by Application Signals.

Lambda Concurrency: The 'maximum concurrency' setting in event source mappings controls the maximum number of simultaneous invocations Lambda allows for that specific source.

Prioritizing Queues: Setting a lower maximum concurrency for the 'high priority queue' ensures it's processed first while allowing more concurrent invocations from the 'low priority queue'.

Batching: Batch size settings affect the number of messages Lambda retrieves from a queue per invocation, which is less relevant to the prioritization requirement.

AWS Secrets Manager: Built for managing secrets, providing encryption, automatic rotation, and access control.

Customer Master Key (CMK): Provides an extra layer of control over encryption through AWS KMS.

Automatic Rotation: Enhances security by regularly changing the secret.

User Data Script: Allows secrets retrieval at instance startup and sets them as environment variables for seamless use within the application.

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

To redact PII from S3 objects before they are accessed by the analytics service, the most efficient solution is to use S3 Object Lambda. S3 Object Lambda allows you to add your own code (Lambda function) to process and transform data when it is retrieved from Amazon S3. You can attach a Lambda function to an S3 Object Lambda Access Point, which in this case would run a redaction API to remove PII from the reports.

Operational Efficiency: S3 Object Lambda handles data processing on the fly, without requiring the data to be permanently transformed or moved to another service (like Amazon Redshift).

Alternatives:

Option A: Loading the data into Amazon Redshift would require refactoring the analytics service and maintaining an additional data pipeline, increasing complexity.

Option C: Using AWS KMS for encryption protects data at rest and in transit, but it does not address PII redaction.

Option D: SNS is a messaging service and does not support direct data transformation.

Comprehensive Detailed and Lengthy Step-by-Step Explanation with All AWS Developer References:

1. Understanding the Use Case:

The API needs to:

Generate responses without backend integrations: This indicates the use of mock responses for testing.

Be used by multiple internal teams during development.

Minimize operational overhead.

2. Key Features of Amazon API Gateway:

REST APIs: Fully managed API Gateway option that supports advanced capabilities like mock integrations, request/response transformation, and more.

HTTP APIs: Lightweight option for building APIs quickly. It supports fewer features but has lower operational complexity and cost.

Mock Integration: Allows API Gateway to return pre-defined responses without requiring backend integration.

3. Explanation of the Options:

Option A:"Create an Amazon API Gateway REST API. Set up a proxy resource that has the HTTP proxy integration type."A proxy integration requires a backend service for handling requests. This does not meet the requirement of "no backend integrations."

Option B:"Create an Amazon API Gateway HTTP API. Provision a VPC link, and set up a private integration on the API to connect to a VPC."This requires setting up a VPC and provisioning resources, which increases operational overhead and is unnecessary for this use case.

Option C:"Create an Amazon API Gateway HTTP API. Enable mock integration on the method of the API resource."While HTTP APIs can enable mock integrations, they have limited support for advanced features compared to REST APIs, such as detailed request/response customization. REST APIs are better suited for development environments requiring mock responses.

Option D:"Create an Amazon API Gateway REST API. Enable mock integration on the method of the API resource."This is the correct answer. REST APIs with mock integration allow defining pre-configured responses directly within API Gateway, making them ideal for scenarios where backend services are unavailable. It provides flexibility for testing while minimizing operational overhead.

4. Implementation Steps:

To enable mock integration with REST API:

Create a REST API in API Gateway:

Open the API Gateway Console.

Choose Create API > REST API.

Define the API Resource and Methods:

Add a resource and method (e.g., GET or POST).

Set Up Mock Integration:

Select the method, and in the Integration Type, choose Mock Integration.

Configure the Mock Response:

Define a 200 OK response with the desired response body and headers.

Deploy the API:

Deploy the API to a stage (e.g., dev) to make it accessible.

5. Why REST API Over HTTP API?

REST APIs support detailed request/response transformations and robust mock integration features, which are ideal for development and testing scenarios.

While HTTP APIs offer lower cost and simplicity, they lack some advanced features required for fine-tuned mock integrations.

The simplest and most efficient way to avoid hardcoding configuration such as a DynamoDB table name is to use Lambda environment variables. Environment variables are designed for runtime configuration and allow changing values without updating application code logic. The developer can store the table name in an environment variable (for example, TABLE_NAME) and read it from the runtime environment using the standard language method (such as os.environ in Python, process.env in Node.js, etc.).

This approach has very low operational overhead: updating the table name becomes a configuration change (in the Lambda console, IaC templates, or CI/CD pipeline) rather than a code change. It also keeps deployment packages stable and avoids unnecessary dependencies.

Option B is not suitable because /tmp is ephemeral storage that can be cleared between invocations and is not intended for configuration management.

Option C is heavier than necessary. Lambda layers are great for shared libraries and dependencies, but using a layer to store a single changing table name is awkward and forces a layer update and function reconfiguration when the value changes.

Option D does not solve the problem because a global variable is still set in the code. If the table name changes, the code must still be modified and redeployed.

Therefore, storing the table name in a Lambda environment variable is the most efficient solution.

The requirement is to search for partial matches of email_address but scoped to a specific customer_type. In DynamoDB, efficient partial matching is performed with a Query on a sort key using the begins_with() condition. However, Query requires that the partition key be specified exactly, so we need an index where customer_type can be used as the partition key, and email_address can be used as the sort key for prefix matching.

A Global Secondary Index (GSI) can be added to an existing table without recreating it, and it can use a different partition key and sort key from the base table. Option A correctly proposes a GSI with:

Partition key: customer_type

Sort key: email_address

Then the Lambda can run a Query on the GSI like: customer_type = :ct AND begins_with(email_address, :prefix) which returns emails that start with the typed prefix for that customer type.

Option B is wrong because it keeps email_address as the partition key. That would require an exact email value (not a prefix) to Query, and you cannot do begins_with on a partition key; begins_with is for sort keys.

Options C and D are invalid because Local Secondary Indexes (LSIs) must share the same partition key as the base table (here, email_address). You cannot create an LSI with customer_type or job_title as the partition key when the table partition key is email_address.

Therefore, adding a GSI (customer_type PK, email_address SK) and querying it with begins_with is the correct solution.

AWS SAM provides built-in tooling to generate realistic event payloads that match the structure of events produced by AWS services (such as S3, SNS, SQS, API Gateway, EventBridge, and others). The command designed specifically for this purpose is sam local generate-event. It produces sample event JSON that mirrors the format AWS services deliver to Lambda, which meets the requirement that payload structures match real service events.

This approach also requires the least development effort because the developer does not need to manually craft and maintain JSON payload files. Instead, the developer can generate the appropriate event type with SAM, optionally tweak values (bucket name, object key, request parameters), and then run sam local invoke using the generated payload. This significantly reduces mistakes and saves time, especially when testing multiple event sources.

Why other options are less suitable:

A (shareable test events) is vague and typically still requires manual creation/maintenance.

B requires manually creating payloads, which is error-prone and higher effort.

C adds unnecessary operational overhead (S3 storage) and still relies on manual payload creation.

Therefore, using sam local generate-event is the quickest and lowest-effort way to generate accurate AWS-service-like test payloads for local Lambda testing.

Amazon RDS for MySQL supports read replicas, which are copies of the primary database instance that can handle read-only queries. Read replicas can improve the read performance of the database by offloading the read workload from the primary instance and distributing it across multiple replicas. To use read replicas, the application code needs to be modified to direct read queries to the URL of the read replicas, while write queries still go to the URL of the primary instance. This solution requires less current and future effort than using a multi-AZ deployment, which does not provide read scaling benefits, or using open source replication software, which requires additional configuration and maintenance. Reference: Working with read replicas

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can enable API caching in API Gateway to cache responses from the backend integration point for a specified time-to-live (TTL) period. This can improve the responsiveness of the APIs by reducing the number of calls made to the backend service.

Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)

When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.

According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.

AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:

kms:GenerateDataKey

(Implicitly) access allowed by the KMS key policy

Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.

Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.

Option B is unnecessary because the IAM user already has s3:PutObject.

Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.

This solution will ensure that all orders and updates are stored to Amazon S3 with the least development effort because it uses DynamoDB Streams to capture changes in the DynamoDB table and trigger a Lambda function to write those changes to the S3 bucket. This way, the original Lambda function and API Gateway API endpoint do not need to be modified, and no additional services are required. Option A is not optimal because it will require more development effort to create a new Lambda function and a new API Gateway API endpoint, and to modify the original Lambda function to post updates to the new API endpoint. Option B is not optimal because it will introduce additional costs and complexity to use Amazon Kinesis Data Streams to create a new data stream, and to modify the Lambda function to publish orders to the data stream. Option D is not optimal because it will require more development effort to modify the Lambda function to publish to a new Amazon SNS topic, and to create and subscribe a new Lambda function to the topic.

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is a command-line tool for local development and testing of Serverless applications2. The sam local start-api subcommand of AWS SAM CLI is used to simulate a REST API by starting a new local endpoint3. Therefore, option D is correct.

Why Option B is Correct:

Amazon S3 Standard provides immediate access to files and is cost-effective for files that need to be accessed within 5 minutes.

By adding the S3 location to the SQS queue, you avoid transferring large files directly, which is both more efficient and scalable.

Why Other Options are Incorrect:

Option A: S3 Glacier Deep Archive is designed for archival storage with retrieval times ranging from minutes to hours, which does not meet the 5-minute requirement.

Option C: Amazon EBS is designed for block storage attached to EC2 instances, which adds unnecessary complexity and cost.

Option D: SQS is not designed to handle large file content directly and has message size limits (256 KB).

AWS Documentation References:

Amazon S3 Overview

Amazon SQS Best Practices

The AWS Serverless Application Model (AWS SAM) comes built-in with CodeDeploy to provide gradual AWS Lambda deployments1. The DeploymentPreference property in AWS SAM allows you to specify the type of deployment that you want. The Canary10Percent10Minutes option means that 10 percent of your customer traffic is immediately shifted to your new version. After 10 minutes, all traffic is shifted to the new version1. The AutoPublishAlias property in AWS SAM allows AWS SAM to automatically create an alias that points to the updated version of the Lambda function1. Therefore, option A is correct.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

Requirement Summary:

Developer uses AWS IAM Identity Center (SSO) with AWS CLI / SDKs

Initially working fine

Now receiving AccessDenied errors

No changes to config or scripts

Key Understanding:

IAM Identity Center credentials are temporary and time-limited. When you use SSO-based access via the AWS CLI (aws sso login), it obtains temporary credentials stored in the local cache.

By default, these expire in 1 hour (can be extended).

Evaluate Options:

A. Permissions to CLI binary changed

Unlikely – this would produce execution errors, not AccessDenied from AWS API

B. Permission set lacks required permissions

Then the error would have occurred from the beginning, not after time

C. IAM Identity Center credentials expired

Most likely – user hasn't refreshed credentials using aws sso login again

After expiration, API calls fail with AccessDenied

D. Developer is calling the wrong AWS account

Would likely show different types of errors (AccountNotFound, etc.)

SSO and AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Troubleshooting SSO CLI: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

This solution will meet the requirements by using AWS Serverless Application Model (AWS SAM) templates and gradual deployments to automatically test the Lambda functions. AWS SAM templates are configuration files that define serverless applications and resources such as Lambda functions. Gradual deployments are a feature of AWS SAM that enable deploying new versions of Lambda functions incrementally, shifting traffic gradually, and performing validation tests during deployment. The developer can enable gradual deployments through AWS SAM templates by adding a DeploymentPreference property to each Lambda function resource in the template. The developer can set the deployment preference type to Canary10Percent30Minutes, which means that 10 percent of traffic will be shifted to the new version of the Lambda function for 30 minutes before shifting 100 percent of traffic. The developer can also use hooks to test the deployment, which are custom Lambda functions that run before or after traffic shifting and perform validation tests or rollback actions.

The X-Ray daemon is a software that collects trace data from the X-Ray SDK and relays it to the X-Ray service. The X-Ray daemon can run on any platform that supports Go, including Linux, Windows, and macOS. The developer can install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service with minimal configuration. The X-Ray SDK is used to instrument the application code, not to capture and relay data. The Lambda function solutions are more complex and require additional configuration.

The most secure and AWS-recommended way for a Lambda function to access other AWS services is to use an IAM execution role. Lambda assumes this role at runtime and receives temporary credentials that are automatically rotated by AWS. The developer attaches the necessary permissions (the existing IAM policy) to that role, and then configures the Lambda function to use the role.

Option B follows least privilege and avoids long-term credentials. It also integrates with AWS security tooling: IAM Access Analyzer, CloudTrail, and policy boundaries can all be applied cleanly. Because the policy already exists, this requires minimal extra work: create/choose the execution role, attach the policy, and assign the role to the function.

Option A is not correct because IAM policies are attached to IAM identities (users, groups, roles) — not directly to Lambda functions as standalone entities. Lambda permissions are granted through the function’s execution role.

Option C is insecure because it uses long-term IAM user access keys embedded in environment variables. Even if encrypted, this expands the blast radius, complicates rotation, and contradicts AWS best practices for avoiding static credentials inside code/runtime.

Option D is extremely insecure and noncompliant. Root user access keys should not be used for applications and should generally not exist.

Therefore, create and attach the existing policy to a Lambda execution IAM role and assign that role to the function.

This solution allows the fastest response for the query because it enables the query to use a single partition key value (the Product ID) and a range of sort key values (the Product Rating) to find the matching items. A global secondary index (GSI) is an index that has a partition key and an optional sort key that are different from those on the base table. A GSI can be created at any time and can be queried or scanned independently of the base table. A local secondary index (LSI) is an index that has the same partition key as the base table, but a different sort key. An LSI can only be created when the base table is created and must be queried together with the base table partition key. Using a GSI with Product ID as the partition key and Review ID as the sort key will not allow the query to use a range of sort key values to find the highest ratings. Using an LSI with Product ID as the partition key and Product Rating as the sort key will not work because Product ID is not the partition key of the base table. Using an LSI with Review ID as the partition key and Product ID as the sort key will not allow the query to use a single partition key value to find the matching items.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Use Amazon S3 for Shared Test Events:

Storing JSON test event files in an S3 bucket provides a centralized, cost-effective, and highly available solution.

Granular IAM policies can restrict access to specific developers or roles, ensuring security while maintaining consistency for shared test events.

This solution has minimal operational overhead and integrates easily with existing workflows.

Why Other Options Are Incorrect:

Option B: Using DynamoDB and a Lambda function introduces unnecessary complexity for a relatively simple requirement. S3 provides a simpler and more cost-efficient solution.

Option C: AWS Lambda test events are not inherently shareable across developers, making this option invalid.

Option D: Using a Git repository adds operational overhead and requires developers to clone/update repositories for access, which is more cumbersome compared to S3.

CloudWatch for Log Analysis: CloudWatch is the best fit here because logs are already centralized. Here's the process:

Metric Filter: Create a metric filter on the CloudWatch Logs log group. Design a pattern to specifically identify application error messages.

Custom Metric: This filter generates a new custom CloudWatch metric (e.g., ApplicationErrors). This metric tracks the error count.

CloudWatch Alarm: Create an alarm on the ApplicationErrors metric. Configure the alarm with your desired threshold and a 5-minute evaluation period.

SNS Action: Set the alarm to trigger an SNS notification when it enters the alarm state.

To meet the requirement:

Users must be able to upload (PutObject) and read (GetObject) files but not delete them.

Option D ensures users cannot delete files by omitting the s3:DeleteObject action while allowing s3:GetObject and s3:PutObject.

Option A: Includes s3:DeleteObject, which allows users to delete files and does not meet the requirement.

Option B: Contains unrelated actions like CreateBucket, which is not relevant here.

Option C: Adds s3:PutObjectRetention, which is unnecessary and does not restrict DeleteObject.

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

This solution will meet the requirements by using AWS Secrets Manager and AWS Systems Manager Parameter Store to securely store the parameter values outside the code in an encrypted format. AWS Secrets Manager is a service that helps protect secrets such as database credentials by encrypting them with AWS Key Management Service (AWS KMS) and enabling automatic rotation of secrets. The developer can create an RDS database secret in AWS Secrets Manager and set the user name, password, database, host, and port for accessing the RDS database. The developer can also turn on secret rotation, which will change the database credentials periodically according to a specified schedule or event. AWS Systems Manager Parameter Store is a service that provides secure and scalable storage for configuration data and secrets. The developer can create Secure String parameters in AWS Systems Manager Parameter Store for the DynamoDB table, S3 bucket, and SNS topic, which will encrypt them with AWS KMS. The developer can also reuse the parameter values from other applications and update them without modifying code. Option A is not optimal because it will create encrypted Lambda environment variables for the DynamoDB table, S3 bucket, and SNS topic, which may not be reusable or updatable without modifying code. Option C is not optimal because it will create RDS database parameters in AWS Systems Manager Parameter Store, which does not support automatic rotation of secrets. Option D is not optimal because it will store the DynamoDB table, S3 bucket, and SNS topic in Amazon S3, which may introduce additional costs and complexity for accessing configuration data.

Amazon API Gateway allows you to create, deploy, and manage a RESTful API to expose backend HTTP endpoints, AWS Lambda functions, or other AWS services1. You can use API Gateway to perform basic validation of an API request before proceeding with the integration request1. When the validation fails, API Gateway immediately fails the request, returns a 400 error response to the caller, and publishes the validation results in CloudWatch Logs1.

To test changes before deploying to a production environment, you can modify the existing API to add request validation and deploy the updated API to a new API Gateway stage1. This allows you to perform tests without affecting the production environment. Once testing is complete and successful, you can then deploy the updated API to the API Gateway production stage1.

This approach has the least operational overhead as it avoids unnecessary creation of new APIs or exporting and importing of APIs. It leverages the existing infrastructure and only requires changes in the configuration of the existing API1.

The solution that will meet the requirements with the least development effort is to set the image resize Lambda function as a destination of the avatar generator Lambda function for the events that fail processing. This way, the fallback mechanism is automatically triggered by the Lambda service without requiring any additional components or configuration. The other options involve creating and managing additional resources such as queues, topics, state machines, or rules, which would increase the complexity and cost of the solution.

DynamoDB already supports encryption at rest by default (with AWS owned keys or AWS managed/customer managed KMS keys). However, the requirement here is stronger and explicit: patient data must be encrypted before it is stored in DynamoDB, meaning the encryption must occur client-side / application-side so that the data remains encrypted as it traverses the stack and is still encrypted when written to the table. This is often required for highly sensitive PII/PHI where administrators or downstream systems should not see plaintext.

Option A meets this requirement by encrypting the payload inside the Lambda function before making the PutItem call to DynamoDB, using KMS-backed envelope encryption via the AWS Encryption SDK (the option names it “Database Encryption SDK,” but the intent is client-side encryption). The encrypted fields remain ciphertext in transit to DynamoDB and at rest inside DynamoDB, satisfying both “in transit” and “at rest” with encryption happening prior to storage.

Option B only ensures DynamoDB encryption at rest at the service level, but the data would still be plaintext in the item attributes as seen by the application and anyone with DynamoDB read permissions (even though stored encrypted on disk). It does not guarantee “encrypted before stored.”

Option C encrypting after the write via streams is too late: plaintext would already be stored (and potentially accessed) before post-processing.

Option D adds unnecessary workflow complexity. Encrypting in a queue still requires encryption before DynamoDB, but it does not inherently simplify compared to encrypting directly in the Lambda that writes to DynamoDB.

Therefore, client-side encryption in Lambda using KMS-backed encryption is the correct solution.

Why Option C is Correct:

Amazon ElastiCache (Memcached) provides low-latency, in-memory caching suitable for session storage. It ensures stateless web tier operations and supports the high throughput of 5000 requests per minute.

Why Other Options are Incorrect:

Option A: RDS has higher latency compared to in-memory caching solutions like ElastiCache.

Option B: Shared file systems introduce additional complexity and are not ideal for low-latency session data storage.

Option D: DynamoDB has low latency but is less performant than ElastiCache for in-memory session management.

AWS Documentation References:

Amazon ElastiCache for Session State Management

Comprehensive and Detailed Step-by-Step Explanation:

Option D: Use Lambda with Container Images

AWS Lambda supports container images up to 10 GB in size, making it suitable for applications with large dependencies, such as a video codec library larger than 250 MB.

By creating separate container images for video compression and decompression, the application can efficiently isolate functionality while ensuring that each function includes the required dependencies.

The container images are stored in Amazon ECR and used to create the Lambda functions.

Why Other Options Are Incorrect:

Option A: A single Lambda function with all functionalities and dependencies in one zip file is not feasible due to the 250 MB deployment package size limit for zip files.

Option B: Including the library in two separate zip files still exceeds the size limit for Lambda zip deployment packages.

Option C: While using a Lambda layer can reduce redundancy, the combined size of the layer and the zip files would exceed the limit of 250 MB.

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = "MobileApp"

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where OrderSource = "MobileApp".

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-query-scan.html

Requirement Summary:

Orders are being processed more than once

Need to prevent duplicate processing

Looking for least implementation effort

Key Concept:

Lambda + Event-driven patterns can occasionally result in duplicate invocations (at-least-once delivery model)

You need idempotency (i.e., prevent repeated processing of same event)

Evaluate Options:

A. Use DynamoDB for de-duplication

Simple and widely used approach

Store a unique orderId as the primary key

Before processing, check if order exists

If yes → skip

If no → process and store the ID

Minimal code changes required

B. ECS + Step Functions

Overkill for basic de-duplication

Adds significant complexity

C. Retry logic with fixed delay

Doesn't prevent duplication — makes it worse

Retrying might trigger the same message again

D. Athena to identify duplicates

Reactive solution, not preventative

Not suitable for real-time event de-duplication

Lambda idempotency: https://docs.aws.amazon.com/lambda/latest/dg/invocation-retries.html

Using DynamoDB for idempotent design: https://aws.amazon.com/blogs/compute/how-to-design-idempotent-APIs-on-aws/

Amazon S3 supports server-side encryption, which encrypts data at rest on the server that stores the data. One of the encryption options is SSE-S3, which uses keys managed by S3. To use SSE-S3, the x-amz-server-side-encryption header must be set to AES256 when invoking the PutObject API operation. This instructs S3 to encrypt the object data with SSE-S3 before saving it on disks in its data centers and decrypt it when it is downloaded. Reference: Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

Requirement Summary:

NLP Lambda function with a large pre-trained model

Lambda layer became 8.7 GB → Exceeds AWS limits

Function returns RequestEntityTooLargeException

Need: High-performing, portable, low initialization time

Important AWS Limits:

Lambda Layers size limit (combined across all layers): 250 MB (unzipped)

Deployment package size (unzipped): 250 MB

Lambda container image support allows up to 10 GB image size

Evaluate Options:

A: Store model in S3 and load during execution

Leads to cold start latency every time

Model loading from S3 is slower and not suitable for real-time NLP

Not optimal for performance

B: Use EFS mounted to Lambda

⚠️ Valid for large models, but adds latency during cold start as model loads from EFS

Requires EFS setup, VPC, and has added network I/O overhead

Still slower than bundling in container image

C: Split into five Lambda layers

Still violates the total layer size limit of 250 MB (unzipped)

You cannot exceed that even with multiple layers

D: Use Docker container image

Allows bundling up to 10 GB of dependencies and models

High portability and performance

Avoids latency of downloading models at runtime

Ideal for scientific/NLP models

Lambda container image support: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html

Lambda limits: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html

Using large models with Lambda: https://aws.amazon.com/blogs/machine-learning/deploying-large-machine-learning-models-on-aws-lambda-with-container-images/

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can define a development stage on the API Gateway API and instruct the other developers to point the endpoints to the development stage. This way, the developer can provide beta access to the new version of the API without affecting customers who use the production stage. This solution will meet the requirements with the least operational overhead.

Requirement Summary:

Lambda function accesses RDS for MySQL

Credentials are currently hardcoded in code (insecure)

Must enable automated credential rotation every 30 days

Option A: Use AWS Secrets Manager + automatic rotation

Best and secure option

Secrets Manager allows:

Secure storage of secrets

Integration with RDS for automatic rotation

Scheduled rotation every X days (e.g., 30 days)

Lambda can fetch credentials via SDK (GetSecretValue)

Option B: Use SSM Parameter Store + rotation

SSM does not support automatic rotation of secrets.

You'd need to build custom rotation logic = higher operational overhead.

Option C: Encrypted S3 + Object Lambda rotation

Not intended for credential storage.

S3 is not a secrets management system, and Object Lambda does not perform rotation.

Option D: SSM + EventBridge rotation

No native integration between Parameter Store and EventBridge for secret rotation.

You’d need to build custom Lambda functions = higher maintenance.

Secrets Manager rotation for RDS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Secure retrieval in Lambda: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

Integration with RDS MySQL: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_rds_config.html

Amazon Machine Images (AMIs) are encrypted snapshots of EC2 instances that can be used to launch new instances. The developer can create new AMIs from the existing instances and specify encryption parameters. The developer can copy the encrypted AMIs to the destination Region and use them to create a new application stack. The developer can delete the unencrypted AMIs after the encryption process is complete. This solution will meet the encryption requirement and allow the developer to expand the application to run in the destination Region.

AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. Secrets Manager enables you to store, retrieve, and rotate secrets such as database credentials, API keys, and passwords. Secrets Manager supports a secret type for RDS databases, which allows you to select an existing RDS database instance and generate credentials for it. Secrets Manager encrypts the secret using AWS Key Management Service (AWS KMS) keys and enables automatic rotation of the secret at a specified interval. A Lambda function can use the AWS SDK or CLI to retrieve the secret from Secrets Manager and use it to connect to the database. Reference: Rotating your AWS Secrets Manager secrets

The solution that will meet the requirements is to create an Amazon EventBridge rule that runs on a regular schedule to invoke the Lambda function. This way, the developer can use an automated and serverless way to invoke the function every 10 minutes. The developer can also use a cron expression or a rate expression to specify the schedule for the rule. The other options either involve using an Amazon EC2 instance, which is not serverless, or using environment variables or query parameters, which do not trigger the function.

The solution that will meet the requirements is to use an AWS Step Functions state machine to monitor API failures. Use the Wait state to delay calling the Lambda function. This way, the developer can refactor the serverless application to accommodate the change in a way that is automated and scalable. The developer can use Step Functions to orchestrate the Lambda function and handle any errors or retries. The developer can also use the Wait state to pause the execution for a specified duration or until a specified timestamp, which can help avoid exceeding the API limits. The other options either involve using additional services that are not necessary or appropriate for this scenario, or do not address the issue of API failures.

This solution will meet the requirements by using Amazon RDS Proxy, which is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. The developer can create a proxy in Amazon RDS Proxy, which sits between the application and the DB instance and handles connection management, pooling, and routing. The developer can query the proxy instead of the DB instance, which reduces the number of open connections to the DB instance and avoids errors for too many connections. Option A is not optimal because it will create a read replica for the DB instance, which may not solve the problem of too many connections as read replicas also have connection limits and may incur additional costs. Option B is not optimal because it will migrate the data to an Amazon DynamoDB database, which may introduce additional complexity and overhead for migrating and accessing data from a different database service. Option C is not optimal because it will configure the Amazon Aurora MySQL DB instance for Multi-AZ deployment, which may improve availability and durability of the DB instance but not reduce the number of connections.

To monitor end-to-end requests and debug issues across microservices, you need distributed tracing. Among AWS tools, AWS X-Ray is specifically built for this use case.

Step-by-Step Breakdown:

Step 1: Understand the Requirement

The developer needs:

End-to-end request tracing across microservices

Debugging capability for performance issues or failures

This points directly to a distributed tracing solution rather than just logs or metrics.

Step 2: Evaluate the Options

Option A: Amazon CloudWatch

CloudWatch is powerful for metrics, logs, and alerts.

But it does not provide distributed tracing or request path visualization between microservices.

So, it's not sufficient alone for the requirement.

Option B: AWS CloudTrail

CloudTrail tracks API calls made through the AWS Management Console, CLI, SDKs.

It is meant for auditing and governance, not microservices request tracing.

Not suitable for debugging microservices interactions.

Option C: AWS X-Ray SDK with X-Ray service map

Purpose-built for distributed tracing

Automatically collects data about requests as they travel through your microservices

You can instrument your code with the AWS X-Ray SDK in Java, Node.js, Python, Go, .NET, etc.

Visualizes requests using a service map, showing latency, errors, and time spent in downstream services.

How it works:

Instrument each microservice using the AWS X-Ray SDK.

Use the SDK to trace requests, propagate trace headers across services.

The X-Ray daemon collects and sends trace data to the X-Ray service.

You can view the service map, see bottlenecks, error rates, etc.

Option D: AWS Health

AWS Health provides information on AWS service outages or account-level events.

It does not monitor your application or microservices health or request flows.

Correct Choice: C is the only option that meets the developer's requirement to monitor end-to-end request paths and debug issues in a microservices architecture.

AWS Developer References:

AWS X-Ray Documentation: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html

Instrumenting your application: https://docs.aws.amazon.com/xray/latest/devguide/xray-sdk.html

Viewing the Service Map: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-service-map.html

Tracing Microservices with AWS X-Ray: https://aws.amazon.com/blogs/compute/tracing-microservices-aws-x-ray/

The solution that will meet the requirements is to add a new stage to the pipeline. Use AWS CodeBuild as the provider. Add the new stage before the stage that deploys code revisions to the test environment. Write a buildspec that fails the CodeBuild stage if any test does not pass. Use the test reports feature of CodeBuild to integrate the report with the CodeBuild console. View the test results in CodeBuild. Resolve any issues. This way, the developer can run the unit tests automatically during the CI/CD process and catch any bugs before deploying to the test environment. The developer can also use the test reports feature of CodeBuild to view and analyze the test results in a graphical interface. The other options either involve running the tests manually, running them after deployment, or using a different provider that requires additional configuration and integration.

This solution meets the requirements because it provides a caching layer that can store and retrieve encrypted data from multiple nodes. Amazon ElastiCache for Redis supports encryption at rest and in transit, and can scale horizontally to increase the cache capacity and availability. Amazon ElastiCache for Memcached does not support encryption, Amazon CloudFront is a content delivery network that is not suitable for caching database queries, and Amazon DynamoDB Accelerator (DAX) is a caching service that only works with DynamoDB tables.

Why Option A is Correct:Running an AWS Lambda function within the same VPC ensures secure communication without exposing the API application to public IP addresses. The Lambda function can serve as a secure EventBridge target to send events to the API.

Why Other Options are Incorrect:

Option B & C: Internet-facing load balancers expose public IP addresses, which violates compliance requirements.

Option D: EventBridge cannot directly target an endpoint within a private VPC without intermediary services like Lambda.

AWS Documentation References:

EventBridge Targets

Comprehensive Detailed Step by Step Explanation with All AWS Developer References:

When you need to provide an AWS Lambda function access to private resources in a VPC, the most common and straightforward approach is to attach the Lambda function to a VPC via private subnets. Once the Lambda function is associated with the VPC, you need to configure appropriate security groups to control the access to the private resources.

Lambda with VPC Access: Lambda functions can be attached to private subnets in a VPC, allowing them to access resources like RDS, EC2, or internal services within that VPC.

Security Groups: A security group acts as a virtual firewall for the Lambda function, ensuring that it can access only the necessary resources and ports in the VPC.

Alternatives:

Option B involves routing traffic through a VPN, which adds unnecessary complexity and operational overhead compared to simply attaching the Lambda to the VPC.

Option C requires configuring a VPC endpoint and a NAT gateway, which can be complex and costly.

Option D refers to AWS PrivateLink, which is used to access services over private connections, but it's unnecessary in this scenario unless you need a cross-VPC connection.

Lambda functions in a VPC

This solution allows the developer to create and delete branches in AWS CodeCommit by granting the codecommit:CreateBranch and codecommit:DeleteBranch permissions. These are the minimum permissions required for this task, following the principle of least privilege. Option B grants too many permissions, such as codecommit:Put*, which allows the developer to create, update, or delete any resource in CodeCommit. Option C grants too few permissions, such as codecommit:Update*, which does not allow the developer to create or delete branches. Option D grants all permissions, such as codecommit:*, which is not secure or recommended.

Amazon S3 is a service that provides highly scalable, durable, and secure object storage. Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. AWS Lambda is a service that lets developers run code without provisioning or managing servers. The developer can configure an S3 event to invoke a Lambda function that inserts records into DynamoDB whenever a new file is added to the S3 bucket. This solution will meet the requirement of inserting a record into DynamoDB as soon as a new file is added to S3.

https://docs.aws.amazon.com/lambda/latest/dg/nodejs-context.html https://docs.aws.amazon.com/lambda/latest/dg/nodejs-logging.html

There is no explicit information for the runtime, the code is written in Node.js.

AWS Lambda is a service that lets developers run code without provisioning or managing servers. The developer can use the AWS request ID field in the context object to obtain a unique identifier for each function invocation. The developer can configure the application to write logs to standard output, which will be captured by Amazon CloudWatch Logs. This solution will meet the requirement of logging key events with a unique identifier.

This solution will meet the requirements by using Amazon CloudWatch Logs to capture and analyze the logs from API Gateway. Amazon CloudWatch Logs is a service that monitors, stores, and accesses log files from AWS resources. The developer can turn on execution logging and access logging in Amazon CloudWatch Logs for the API stage, which enables logging information about API execution and client access to the API. The developer can create a CloudWatch Logs log group, which is a collection of log streams that share the same retention, monitoring, and access control settings. The developer can specify the Amazon Resource Name (ARN) of the log group for the API stage, which instructs API Gateway to send the logs to the specified log group. The developer can then examine the logs to determine the cause of the HTTP 400 response errors. Option A is not optimal because it will create an Amazon Kinesis Data Firehose delivery stream to receive API call logs from API Gateway, which may introduce additional costs and complexity for delivering and processing streaming data. Option B is not optimal because it will turn on AWS CloudTrail Insights and create a trail, which is a feature that helps identify and troubleshoot unusual API activity or operational issues, not HTTP response errors. Option C is not optimal because it will turn on AWS X-Ray for the API stage, which is a service that helps analyze and debug distributed applications, not HTTP response errors.

To rotate database credentials without downtime, Secrets Manager recommends the alternating users (dual user) rotation strategy. With a single-user strategy, Secrets Manager changes the password for the same database user that the application is actively using. If the application continues using cached/old credentials during rotation, authentication failures and downtime can occur.

With the alternating users strategy, two database users exist (often named something like appuser and appuser_clone). Secrets Manager alternates which user is “active” in the secret. During rotation, Secrets Manager updates the inactive user’s password, verifies it, updates the secret to point to the newly updated user, and then (optionally) retires the old credentials. This approach minimizes disruption because there is always one known-good credential set while the other is being updated.

The question specifically requires regular rotation using Secrets Manager. That is achieved by enabling automatic rotation on the secret with a schedule (for example, every 30/60/90 days). Automatic rotation invokes the rotation Lambda (AWS-provided or configured) and performs the workflow without manual intervention.

Option D combines both requirements: automatic rotation plus the alternating users strategy for high availability and no downtime.

Option B mentions alternating users but “managed rotation” is not the standard term used in these choices as the primary differentiator—automatic rotation is the necessary capability to rotate regularly without manual effort.

Options A and C (single user) are more likely to cause downtime during rotation.

Therefore, configure automatic rotation with the alternating users rotation strategy.

Amazon API Gateway supports mock integration responses, which are predefined responses that can be returned without sending requests to a backend service. Mock integration responses can be used for testing or prototyping purposes, or for simulating different backend responses based on certain conditions. A request mapping template can be used to select a mock integration response based on an expression that evaluates some aspects of the request, such as headers, query strings, or body content. This solution does not require any additional resources or code changes and has the least operational overhead. Reference: Set up mock integrations for an API Gateway REST API

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html

The solution that will meet the requirements is to add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior’s settings unchanged. This way, the login page can be accessed without authentication, while all other content remains secure and requires signed cookies. The other options either do not allow unauthenticated access to the login page, or expose private content to unauthorized users.

DynamoDB Accelerator (DAX) provides a managed caching layer specifically optimized for DynamoDB, reducing latency for repeated read requests.

Why Option A is Correct:

Purpose-Built: DAX is designed for DynamoDB, enabling sub-millisecond response times for frequently accessed items.

Operational Efficiency: No need for additional application-level caching logic.

Why Not Other Options:

Option B: Auto Scaling increases capacity but does not address repetitive reads.

Option C: API Gateway caching helps reduce request processing time but does not optimize DynamoDB reads.

Option D: ElastiCache is a general-purpose cache, adding unnecessary complexity for DynamoDB use cases.

DynamoDB Accelerator (DAX)

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables pub/sub communication between distributed systems. The developer can create an SNS topic and configure the Lambda function to publish messages with specific attributes to the topic. The developer can subscribe each partner to the SNS topic and apply the appropriate filter policy to the topic subscriptions. This way, each partner will receive updates for only their own orders based on the message attributes. This solution will meet the requirements in the most scalable way and allow adding new partners in the future with minimal code changes.

Requirement Summary:

Multi-tier app on EC2 + Aurora PostgreSQL

Must comply with least privilege and security policies

Need to manage credentials and API keys securely

Must support key rotation on demand

Evaluate Options:

A. Secrets Manager + AWS managed KMS keys

Best practice for secure secret storage

Supports auto rotation

Uses AWS SDK to fetch at runtime (secure, avoids hardcoding)

AWS managed keys are rotated automatically and easier to manage

B. Secrets Manager + customer managed keys

Also valid, but adds complexity

Since the question asks for LEAST development effort, AWS-managed keys are preferred

C. Store secrets in code

Violates all security best practices

D. Use SSM Parameter Store + AWS managed keys

Possible, but Secrets Manager is preferred when rotation is needed

Parameter Store does not natively rotate secrets

Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Automatic key rotation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Best practices for secret management: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html

For rapid prototyping with the least operational overhead, Lambda function URLs are the best fit. A Lambda function URL provides a built-in HTTPS endpoint directly in front of a Lambda function, allowing the frontend team to invoke each endpoint without requiring additional infrastructure. This is ideal when the overall architecture is not finalized and the team needs a quick way to test.

AWS describes Lambda function URLs as a simple way to “add an HTTPS endpoint to your Lambda function” without requiring API Gateway, load balancers, or custom proxy layers. This substantially reduces setup time and avoids the operational tasks associated with provisioning, configuring, and managing an API layer during early-stage development.

Option B (API Gateway REST API) introduces more operational overhead: creating resources, methods, integrations, deployments, stages, and potentially authorization and throttling configuration. API Gateway is powerful, but it is more than needed for quick endpoint testing.

Option C (AppSync) is designed for GraphQL-based APIs and requires schema design and resolvers. That is unnecessary complexity for simply testing three Lambda-backed endpoints.

Option D (ECS proxy) adds the most operational burden because it requires container orchestration, networking, scaling, and patching—completely misaligned with “least operational overhead.”

Therefore, the fastest and simplest approach is to create a function URL per Lambda endpoint, allowing immediate testing from the frontend with minimal additional AWS configuration.

S3Bucket and S3Key: These properties in a CloudFormation AWS::Lambda::Function resource specify the location of the function's code in S3.

Least Development Effort: This solution minimizes code changes, relying on CloudFormation to reference the existing S3 deployment package.

Pseudo Parameters: CloudFormation provides pseudo parameters that reference runtime context, including the current AWS Region.

Operational Efficiency: The AWS::Region pseudo parameter offers the most direct and self-contained way to obtain the Region dynamically within the template.

IAM Roles for EC2 (A): The most secure way to provide AWS permissions from EC2.

Create a role with a policy allowing s3:GetObject on the specific bucket.

Attach the role to an instance profile and associate that profile with your instances.

Pre-signed URLs (C): Temporary, authenticated URLs for specific S3 actions.

Modify the app to use the AWS SDK to call GeneratePresignedUrl.

Embed these URLs when a user is properly logged in, allowing download access.

The solution that will meet the requirements is to use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime. This way, the developer can pass the credentials to the Lambda function in a secure way, as AWS Secrets Manager encrypts and manages the secrets. The developer can also use a dynamic reference to avoid exposing the secret’s value in plain text in the CloudFormation template. The other options either involve passing the credentials as plain text parameters, which is not secure, or encrypting them with AWS KMS, which is less convenient than using AWS Secrets Manager.

In AWS Lambda, CPU power scales proportionally with the memory configuration. Lambda does not let you directly set “CPU cores” as a standalone setting in the general case; instead, increasing the function’s configured memory increases the CPU allocation (and other resources such as network throughput) available to the function. Therefore, to reduce latency caused by insufficient CPU, the developer should increase the function’s memory setting.

Option B directly addresses the CPU limitation in the supported Lambda configuration model. This is a common performance tuning approach: raise memory, benchmark, and find the optimal cost/performance point.

Option A is not the right lever for most Lambda functions because Lambda compute is configured via memory (and architecture), not by directly raising a “vCPU quota” per function in a typical tuning workflow.

Option C increases /tmp storage capacity and helps when dealing with large temporary files, not CPU availability.

Option D increases the maximum runtime allowed per invocation, but it does not give the function more CPU and will not reduce latency caused by CPU starvation.

Therefore, increasing the allocated memory is the correct way to increase CPU for a Lambda function.

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. Amazon CloudFront is a content delivery network (CDN) service that can improve the performance and security of web applications. The developer can use CloudFront and a custom domain name for the API Gateway REST API. To do so, the developer needs to import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the us-east-1 Region. This is because CloudFront requires certificates from ACM to be in this Region. The developer also needs to create a DNS CNAME record for the custom domain that points to the CloudFront distribution.

The correct answer is C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event.

C. Use an AWS Lambda function that is invoked by an Amazon EventBridge scheduled event. This is correct. AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging1. Amazon EventBridge is a serverless event bus service that enables you to connect your applications with data from a variety of sources2. EventBridge can create rules that run on a schedule, either at regular intervals or at specific times and dates, and invoke targets such as Lambda functions3. This solution meets the requirements of creating a small application that makes the same API call once each day at a designated time, without requiring any infrastructure in the AWS Cloud or any operational overhead.

A. Use a Kubernetes cron job that runs on Amazon Elastic Kubernetes Service (Amazon EKS). This is incorrect. Amazon EKS is a fully managed Kubernetes service that allows you to run containerized applications on AWS4. Kubernetes cron jobs are tasks that run periodically on a given schedule5. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EKS cluster, which would incur additional costs and complexity.

B. Use an Amazon Linux crontab scheduled job that runs on Amazon EC2. This is incorrect. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud6. Crontab is a Linux utility that allows you to schedule commands or scripts to run automatically at a specified time or date7. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to provision and manage an EC2 instance, which would incur additional costs and complexity.

D. Use an AWS Batch job that is submitted to an AWS Batch job queue. This is incorrect. AWS Batch enables you to run batch computing workloads on the AWS Cloud8. Batch jobs are units of work that can be submitted to job queues, where they are executed in parallel or sequentially on compute environments9. This solution could meet the functional requirements of creating a small application that makes the same API call once each day at a designated time, but it would not be the most operationally efficient manner. The company would need to configure and manage an AWS Batch environment, which would incur additional costs and complexity.

Because the Lambda function is successfully triggered by the S3 event notification, the invocation path (S3 → Lambda) is working correctly. The failure occurs specifically when the function tries to write to DynamoDB, which strongly indicates an authorization problem rather than an invocation, scaling, or infrastructure issue.

In AWS, a Lambda function interacts with other services by using its execution role (an IAM role). AWS documentation explains that a Lambda function must have explicit IAM permissions to call downstream services such as DynamoDB. To write items, the role typically needs actions like dynamodb:PutItem (and sometimes dynamodb:UpdateItem, dynamodb:BatchWriteItem, depending on code behavior) on the target table resource ARN. If these permissions are missing or scoped incorrectly, DynamoDB returns an AccessDeniedException (or similar) and the function fails at the write step.

Option A is unlikely because exceeding concurrency would typically prevent invocation or cause throttling at the Lambda service level, not selectively fail only at DynamoDB write time after the function begins executing.

Option B is incorrect: DynamoDB does not require a GSI to support writes. GSIs are for alternate query access patterns, not mandatory for write operations.

Option D is incorrect because DynamoDB is a regional service, not tied to a single Availability Zone, and Lambda does not need to be “in the same AZ” to access it.

Therefore, the most likely cause is that the Lambda execution role lacks the necessary IAM permissions to perform DynamoDB write operations.

AWS Lambda is a service that lets developers run code without provisioning or managing servers. Lambda provides a local file system that can be used to store temporary files during invocation. The local file system is mounted under the /tmp directory and has a limit of 512 MB. The temporary files are accessible only by the Lambda function that created them and are deleted after the function execution ends. The developer can store temporary files that are less than 10 MB in the /tmp directory and access and modify them multiple times during invocation.

API Gateway Stage Variables: These are designed for configuring dynamic values for your APIs in different deployment stages (dev, test, prod). Here's how to use them for third-party endpoints:

In the API Gateway console, access the "Stages" section of your API.

For each stage, create a stage variable named something like thirdPartyEndpoint.

Set the value of this variable to the actual endpoint URL for that specific environment.

When configuring API requests within your API Gateway method, reference this endpoint using ${stageVariables.thirdPartyEndpoint}.

Why Stage Variables Excel Here:

Environment Isolation: This approach keeps the endpoint configuration specific to each deployment stage, ensuring the right endpoints are used during development, testing, and production cycles.

Ease of Management: You manage the endpoints directly through the API Gateway console without additional infrastructure.

This is a classic cross-account S3 access requirement: EC2 instances in Account A must read from a private S3 bucket in Account B without making the bucket public.

The correct pattern is to grant access using IAM + S3 bucket policy while keeping the bucket private. In Account B, you create an IAM role that has the necessary S3 read permissions (such as s3:GetObject and potentially s3:ListBucket depending on access needs). That is Option A.

However, permissions on the role alone are not sufficient, because the S3 bucket is in a different account and is private by default. AWS requires that the bucket owner explicitly grants access to the external principal. This is done by adding a bucket policy in Account B that allows the principal (either the role in Account A or a role session via STS) to access the bucket objects. That is Option D.

Option B is not correct in the “select two” sense because adding permissions to Account A’s instance profile role does not, by itself, grant access to a bucket owned by Account B. You still need the bucket policy or another resource-based policy from the bucket owner.

Option C violates the requirement (“without exposing the S3 bucket to anyone else”). Making the bucket public is unnecessary and insecure.

Option E is incorrect because a trust policy controls who can assume a role (sts:AssumeRole), not what S3 permissions the role has. Also, trust policies do not grant s3:Get* access.

Therefore, create an IAM role with S3 read permissions in Account B and grant access via the Account B bucket policy.

Option B: The target group port in the ALB must match the port specified in the ECS task definition. If there is a mismatch, the ALB health check will fail since it cannot correctly route traffic to the container.

Option E: The ALB listener must have a default action that forwards requests to the correct target group associated with the ECS service. If this configuration is missing, the health check will fail as no traffic is routed to the service.

Option A is irrelevant to resolving health check issues since capacity providers relate to provisioning compute capacity.

Option C (hosted zone) is not directly related to ALB health checks.

Option D (redirecting traffic) is not related to ECS health check configurations.

Problem: Directory access without file names fails.

S3 Static Website Hosting:

Configuring S3 as a static website enables automatic serving of index.html for directory requests.

Bucket policies ensure correct access permissions.

Updating the CloudFront origin simplifies routing.

Avoiding Public Exposure: The S3 website endpoint allows CloudFront to access content without making the bucket public.

AWS Serverless Application Model (AWS SAM) is an open-source framework that enables developers to build and deploy serverless applications on AWS. AWS SAM uses a template specification that extends AWS CloudFormation to simplify the definition of serverless resources such as API Gateway, DynamoDB, and Lambda. The developer can use AWS SAM to define serverless resources in YAML and deploy them using the AWS SAM CLI.

DynamoDB distributes throughput across partitions based on the hash key. A hot partition (caused by high usage of a specific hash key) can result in a ProvisionedThroughputExceededException, even if overall usage is below the provisioned capacity.

Why Option B is Correct:

Partition-Level Limits: Each partition has a limit of 3,000 read capacity units or 1,000 write capacity units per second.

Hot Partition: Excessive use of a single hash key can overwhelm its partition.

Why Not Other Options:

Option A: DynamoDB storage size does not affect throughput.

Option C: Provisioned scaling operations are unrelated to throughput errors.

Option D: Sort keys do not impact partition-level throughput.

DynamoDB Partition Key Design Best Practices

AWS best practice is to store sensitive values like database passwords, OAuth tokens, and API keys in a dedicated secrets service rather than in source code or configuration files. AWS Secrets Manager is specifically designed for this use case: secure storage, retrieval through APIs/SDKs, fine-grained IAM access control, encryption at rest, auditing through CloudTrail, and—critically—built-in secret rotation.

AWS documentation describes Secrets Manager rotation as an automated process that uses a rotation schedule and typically invokes a Lambda function to update the secret in both Secrets Manager and the target system (for example, a database). The rotation schedule can be configured to a custom interval, including every 6 months, satisfying the requirement.

Option A is incorrect because AWS KMS manages encryption keys, not application secrets. KMS key rotation rotates KMS keys, not database credentials or API tokens.

Option B is incorrect because ACM manages TLS certificates, not arbitrary secrets like API keys and OAuth tokens.

Option C is incorrect because EventBridge can schedule events, but it is not a secrets storage service and does not provide secure secret lifecycle management and integrated rotation workflows by itself.

Therefore, storing secrets in AWS Secrets Manager and enabling automatic rotation with a 6-month schedule is the correct solution.

Amazon CloudWatch is a service that monitors AWS resources and applications. The developer can publish custom metrics to CloudWatch that record the failures of the external payment processing API calls. The developer can configure a CloudWatch alarm to notify the existing SNS topic when the error rate exceeds 5% of the total number of transactions in an hour. This solution will meet the requirements in a near real-time and scalable way.

IAM Roles for EC2: IAM roles are the recommended way to provide AWS credentials to applications running on EC2 instances. Here's how this works:

You create an IAM role with the necessary permissions to access the target S3 bucket.

You create an instance profile and associate the IAM role with this profile.

When launching the EC2 instance, you attach this instance profile.

Temporary Security Credentials: When the application on the EC2 instance needs to access S3, it doesn't directly use access keys. Instead, the AWS SDK running on the instance retrieves temporary security credentials associated with the role. These are rotated automatically by AWS.

Lambda Destinations on Failure: Allow routing asynchronous function invocations to specified resources (like another Lambda function) upon failure.

Error Handling: The error-handling Lambda receives details about the failure, enabling logging and custom actions.

Direct Integration: This solution leverages native Lambda functionality for a simpler implementation.

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.

A Lambda alias is a pointer to a specific Lambda function version or another alias1. A Lambda alias allows you to invoke different versions of a function using the same name1. You can also split traffic between two aliases by assigning weights to them1.

In this scenario, the developer needs to test their changes in production on a small percentage of all traffic without changing the API Gateway URL. To achieve this, the developer can follow these steps:

Define an alias on the $LATEST version of the Lambda function. This will create a new alias that points to the latest code of the function.

Update the API Gateway endpoint to reference the new Lambda function alias. This will make the API Gateway invoke the alias instead of a specific version of the function.

Upload and publish the optimized Lambda function code. This will update the $LATEST version of the function with the new code.

On the production API Gateway stage, define a canary release and set the percentage of traffic to direct to the canary release. This will enable API Gateway to perform a canary deployment on a new API2. A canary deployment is a software development strategy in which a new version of an API is deployed for testing purposes, and the base version remains deployed as a production release for normal operations on the same stage2. The canary release receives a small percentage of API traffic and the production release takes up the rest2.

Update the API Gateway endpoint to use the $LATEST version of the Lambda function. This will make the canary release invoke the latest code of the function, which contains the optimized changes.

Publish to the canary stage. This will deploy the changes to a subset of users for testing.

By using this solution, the developer can test their changes in production on a small percentage of all traffic without changing the API Gateway URL. The developer can also monitor and compare metrics between the canary and production releases, and promote or disable the canary as needed2.

Requirement Summary:

Deploy serverless application using:

API Gateway

AWS Lambda

Need dev, test, and prod environments

Want least development effort

Evaluate Options:

Option A: API Gateway stage variables + Lambda aliases

Most efficient and scalable

API Gateway supports stage variables (like env)

Lambda supports aliases (e.g., dev, test, prod)

You can configure each stage to point to a different alias of the same function version

Enables versioning, isolation, and low effort management

Option B: Use Amazon ECS

Overkill for a serverless setup

ECS is container-based, not serverless

Introduces unnecessary complexity

Option C: Duplicate code for each environment

High operational overhead and poor maintainability

Option D: Use Elastic Beanstalk

Not applicable: Elastic Beanstalk is for traditional app hosting, not optimal for Lambda + API Gateway

Lambda Aliases: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

API Gateway Stage Variables: https://docs.aws.amazon.com/apigateway/latest/developerguide/stage-variables.html

DynamoDB Streams: Capture near real-time changes to DynamoDB tables, triggering downstream actions.

Lambda for Processing: Lambda functions provide a serverless way to execute code in response to events like DynamoDB Stream updates.

Minimal Code Changes: This solution requires the least modifications to the existing application.

Comprehensive and Detailed Step-by-Step Explanation:

Issue Analysis:

The stream uses service name as the partition key. This can cause "hot partition" issues when a few service names generate significantly more logs compared to others, causing uneven distribution of data across shards.

Metrics show that the write capacity used is below provisioned capacity, which confirms that the throughput errors are due to shard-level limits and not overall capacity.

Option C: Change Partition Key to Creation Timestamp:

By changing the partition key to the creation timestamp (or a composite key including timestamp), the distribution of data across shards can be randomized, ensuring an even spread of records.

This resolves the shard overutilization issue and eliminates ProvisionedThroughputExceededException.

Why Other Options Are Incorrect:

Option A: Switching to on-demand capacity mode might temporarily alleviate the issue, but the root cause (hot partitioning) remains unresolved.

Option B: Adding shards increases capacity but does not fix the skewed data distribution caused by using the service name as the partition key.

Option D: Creating separate streams for each service adds unnecessary complexity and does not scale well as the number of services grows.

Amazon CloudWatch is the service that collects and stores logs from AWS Lambda functions. The developer can use CloudWatch Logs Insights to query and analyze the logs for errors and metrics. Option A is not correct because Amazon S3 is a storage service that does not store Lambda function logs. Option B is not correct because AWS CloudTrail is a service that records API calls and events for AWS services, not Lambda function logs. Option D is not correct because Amazon DynamoDB is a database service that does not store Lambda function logs.

AWS Systems Manager Parameter Store is a service that provides secure, hierarchical storage for configuration data and secrets. Parameter Store supports SecureString parameters, which are encrypted using AWS Key Management Service (AWS KMS) keys. SecureString parameters can be used to store license keys in AWS and retrieve them securely from automation scripts that run in EC2 instances or CloudFormation stacks. Parameter Store is a cost-effective solution because it does not charge for storing parameters or API calls. Reference: Working with Systems Manager parameters

This step should be completed prior to deploying the application because it prepares the application artifacts for deployment. The AWS Serverless Application Model (AWS SAM) is a framework that simplifies building and deploying serverless applications on AWS. The AWS SAM CLI is a command-line tool that helps you create, test, and deploy serverless applications using AWS SAM templates. The sam package command bundles the application artifacts, such as Lambda function code and API definitions, and uploads them to an Amazon S3 bucket. The command also returns a CloudFormation template that is ready to be deployed with the sam deploy command. Compressing the application to a zip file and uploading it to AWS Lambda will not work because it does not use AWS SAM templates or CloudFormation. Testing the new Lambda function by first tracing it in AWS X-Ray will not prepare the application for deployment, but only monitor its performance and errors. Creating the application environment using the eb create my-env command will not work because it is a command for AWS Elastic Beanstalk, not AWS SAM.

DynamoDB TTL (Time-to-Live): A native feature that automatically deletes items after a specified expiration time.

Efficiency: Eliminates the need for scheduled deletion jobs, optimizing write throughput by avoiding potential throttling conflicts.

Seamless Integration: TTL works directly within DynamoDB, requiring minimal development overhead.

This solution will meet the requirements with the least operational overhead because it uses Amazon S3 as a scalable, secure, and durable storage service for the reports. The presigned URL will allow customers to access their reports for a limited time (8 hours) without requiring additional authentication. The S3 Lifecycle configuration rules will automatically delete the reports that are older than 2 days, reducing storage costs and complying with the data retention policy. Option A is not optimal because it will incur additional costs and complexity to store the reports as DynamoDB items, which have a size limit of 400 KB. Option B is not optimal because it will not provide customers with access to their reports within one hour, as Amazon SNS email delivery is not guaranteed. Option D is not optimal because it will require more operational overhead to manage an RDS database and a Lambda function for storing and deleting the reports.

The requirement is application-level encryption (client-side) in addition to RDS encryption at rest, specifically to prevent database administrators from viewing PHI. Also, some PHI objects are large, so the solution must encrypt locally without size limitations.

AWS best practice for large data encryption with KMS is envelope encryption. With envelope encryption, the application generates a data encryption key (DEK) (typically obtained from KMS using GenerateDataKey). The application uses the plaintext DEK locally with a symmetric algorithm (such as AES-GCM) to encrypt the large PHI payload efficiently. The DEK itself is then protected by encrypting it with a KMS customer managed key (CMK), producing an encrypted data key that can be safely stored alongside the ciphertext. Only principals with permission to use the CMK can decrypt the DEK and then decrypt the PHI data. This ensures that even database administrators who can access the RDS data cannot read PHI without KMS authorization.

Option A is not suitable because the KMS Encrypt operation is intended for small payloads (KMS has size limits for direct encryption), making it inappropriate for large PHI files.

Option B is insecure because embedding encryption keys in source code violates key management best practices and makes rotation and compromise containment difficult.

Option C provides only storage-level encryption for the database volume; it does not ensure that PHI remains unreadable to administrators who can access the database content.

Therefore, using envelope encryption with a KMS customer managed key and storing the encrypted data key with the record is the most secure solution.

AWS Amplify is a set of tools and services that enables developers to build and deploy full-stack web and mobile applications that are powered by AWS. AWS Amplify supports hosting static websites on Amazon S3 and Amazon CloudFront, with HTTPS enabled by default. AWS Amplify also integrates with various version control systems, such as AWS CodeCommit, Bitbucket, and GitHub, and allows developers to connect different branches to different environments. AWS Amplify automatically builds and deploys the website whenever code changes are merged to a connected branch, enabling phased releases with minimal operational overhead. Reference: AWS Amplify Console

CodeDeploy Predefined Configurations: CodeDeploy offers built-in deployment configurations for common scenarios.

Canary Deployment: Canary deployments gradually shift traffic to a new version, ideal for controlled rollouts like this requirement.

CodeDeployDefault.ECSCanary10Percent15Minutes: This configuration matches the company's requirements, shifting 10% of traffic initially and then completing the rollout after 15 minutes.

Requirement Summary:

Lambda function:

Retrieves an item from DynamoDB

Updates its attributes or creates it if it does not exist

Has primary key

Needs minimum required IAM permissions

Analysis of Required Permissions:

To get an item and update it or create it if it doesn't exist, the Lambda function must use the **PutItem** or **UpdateItem** API, and read with **GetItem**.

Valid API options:

GetItem: Read the item from the table.

UpdateItem: Update existing item attributes or insert if it doesn't exist (with UpdateExpression and ConditionExpression).

When UpdateItem is used without a conditional check for existence, it can create a new item if it does not exist (acts like upsert).

DescribeTable: (Optional) Used if you need table metadata (not strictly required here).

Evaluate the Choices:

Option A:

DeleteItem – Not needed

GetItem –

PutItem – (can create/replace but not partial update)

Close, but PutItem overwrites the full item, not update-in-place. Acceptable, but UpdateItem is better suited.

Option B:

UpdateItem – Required to modify attributes or insert new item

GetItem – Required to check existence or read data

DescribeTable – Optional, but not harmful

BEST FIT – Matches the update-or-create logic.

Option C:

GetRecords – This is used for DynamoDB Streams, not standard GetItem

PutItem –

UpdateTable – Used to change table settings, not data manipulation

Incorrect usage context

Option D:

UpdateItem, GetItem, PutItem – all valid

But UpdateItem alone is sufficient; including PutItem might not be necessary Also, image is faded (possibly invalid), and it's redundant

UpdateItem API: https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html

PutItem vs UpdateItem: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithItems.html

IAM actions for DynamoDB: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html