AWS Developer Associate (DVA-C02) Practice Exam — 65 Questions

Exam Overview

| Item | Details |
| --- | --- |
| Exam Code | DVA-C02 |
| Duration | 130 minutes |
| Questions | 65 |
| Passing Score | 720 / 1000 |
| Format | Single choice, Multiple choice |

Domain Weightings

| Domain | Weight |
| --- | --- |
| Domain 1: Development with AWS Services | 32% |
| Domain 2: Security | 26% |
| Domain 3: Deployment | 24% |
| Domain 4: Troubleshooting and Optimization | 18% |

Key Service Summary

Lambda Key Points

  • Invocation types: Synchronous (RequestResponse), Asynchronous (Event), Poll-based
  • Concurrency: Reserved Concurrency (hard limit), Provisioned Concurrency (eliminates cold start)
  • Cold Start: Longer in VPC Lambda; solved with Provisioned Concurrency
  • Layers: Share common libraries, up to 5 layers per function

DynamoDB Key Points

  • Partition Key: Choose high cardinality; avoid hot partitions
  • GSI: Different partition/sort key; Eventually Consistent reads only
  • LSI: Same partition key, different sort key; can only be added at table creation
  • DAX: Microsecond responses; caches only Eventually Consistent reads

API Gateway Key Points

  • REST API: Full features, WAF support, caching
  • HTTP API: Lower cost, OIDC/JWT auth, Lambda Proxy only
  • WebSocket API: Bidirectional real-time communication

Kinesis Key Points

  • Shard calculation: write shards = max(input MB/s, records per second / 1,000), since each shard accepts 1 MB/s or 1,000 records/s
  • Enhanced Fan-out: 2 MB/s per shard read, push-based
  • Data Firehose: Auto-scaling, direct delivery to S3/Redshift/Elasticsearch

Practice Questions — 65 Questions

Domain 1: Development with AWS Services

Q1. A Lambda function is deployed inside a VPC. You notice very long cold start times on function invocations. What is the most appropriate solution?

A) Increase the Lambda function's memory
B) Configure Provisioned Concurrency
C) Use Lambda Layers
D) Reduce the number of environment variables

Answer: B

Explanation: Lambda functions inside a VPC experience longer cold starts due to the creation of Elastic Network Interfaces (ENIs). Configuring Provisioned Concurrency maintains pre-initialized execution environments, eliminating cold starts. Increasing memory speeds up execution but does not eliminate cold starts themselves.

Q2. You need to query a DynamoDB table to retrieve a specific user's order history sorted by most recent date. The table's partition key is userId and sort key is orderId. How do you efficiently support date-based sorting?

A) Create a new GSI with userId (partition key) and orderDate (sort key)
B) Add an LSI with userId (partition key) and orderDate (sort key)
C) Perform a Scan and sort results in the application
D) Enable DynamoDB Streams

Answer: A

Explanation: LSIs can only be defined at table creation time, so for an existing table you must use a GSI. Creating a GSI with userId as partition key and orderDate as sort key allows efficient querying of a user's orders sorted by date. Scan is inefficient and expensive at scale.

Q3. When a Lambda function processes SQS messages with the following code, what invocation type is used?

```python
def handler(event, context):
    for record in event['Records']:
        body = record['body']
        process_message(body)  # application-defined processing function (not shown)
    return {'statusCode': 200}
```

A) Synchronous invocation
B) Asynchronous invocation
C) Poll-based invocation
D) Stream-based invocation

Answer: C

Explanation: Lambda triggered by SQS uses poll-based invocation (event source mapping). The Lambda service polls the SQS queue, retrieves messages, and invokes the function with a batch in event['Records']. Kinesis Data Streams and DynamoDB Streams also use poll-based invocation.

Q4. API Gateway REST API has caching enabled on an endpoint. How can a client bypass the cache and always receive fresh data?

A) Include a Cache-Control: no-cache header in the request
B) Use an X-Amz-Cache-Control: invalidate header
C) Disable cache at the API Gateway stage level
D) Call a cache invalidation API from the Lambda function

Answer: A

Explanation: When API Gateway caching is enabled, clients can bypass it by including Cache-Control: no-cache in the HTTP request. Note that you need to configure "Require authorization to invalidate cache" appropriately in API Gateway settings. Disabling the stage cache affects all requests.

Q5. A Kinesis Data Stream must handle 5,000 records per second, with an average record size of 2 KB. What is the minimum number of shards required?

A) 5
B) 8
C) 10
D) 15

Answer: C

Explanation: Each shard supports up to 1,000 records/s or 1 MB/s for writes.

Records-based: 5,000 / 1,000 = 5 shards
Data-size-based: (5,000 × 2 KB) / 1,024 KB ≈ 9.77 MB/s → 10 shards

The larger of the two values applies, so 10 shards are required.

Q6. An application uses an SQS FIFO queue. How do you prevent duplicate processing of the same message?

A) Increase the VisibilityTimeout
B) Set a MessageDeduplicationId
C) Set unique MessageGroupIds
D) Configure a Dead-Letter Queue

Answer: B

Explanation: SQS FIFO queues use MessageDeduplicationId to deduplicate messages sent with the same ID within a 5-minute window. Enabling ContentBasedDeduplication automatically uses the SHA-256 hash of the message body as the deduplication ID. MessageGroupId is for ordering guarantees; VisibilityTimeout keeps a message hidden from other consumers while it is being processed.

Q7. What is the best approach for reliably uploading a large 5 GB file to S3?

A) Upload with a single PUT request
B) Use the Multipart Upload API
C) Use S3 Transfer Acceleration
D) Generate a Pre-signed URL

Answer: B

Explanation: While a single S3 PUT supports up to 5 GB, Multipart Upload is recommended for files over 100 MB. It splits the file into parts for parallel upload, and only failed parts need to be retried on failure. S3 Transfer Acceleration improves speed via Edge Locations but is separate from upload reliability.

Q8. Which DynamoDB read operation does DAX (DynamoDB Accelerator) NOT cache?

A) GetItem
B) Query
C) Scan
D) TransactGetItems

Answer: D

Explanation: DAX caches eventually consistent reads (GetItem, Query, Scan). TransactGetItems uses strongly consistent reads as part of a transaction, so DAX bypasses its cache and passes requests directly to DynamoDB. Strongly consistent reads (ConsistentRead=True) also bypass the DAX cache.

Q9. Why should a database connection be initialized outside the Lambda handler function?

A) To improve security
B) To optimize performance through execution context reuse
C) To reduce memory usage
D) To prevent timeouts

Answer: B

Explanation: Lambda execution environments can be reused (warm starts). Code initialized outside the handler (database connections, SDK clients) is not re-executed when the container is reused, improving performance. This is called Execution Context Reuse.

Q10. Which statement correctly describes a difference between API Gateway WebSocket API and REST API?

A) WebSocket API does not support serverless
B) WebSocket API supports bidirectional communication between client and server
C) REST API is better suited for real-time notifications
D) WebSocket API supports caching

Answer: B

Explanation: WebSocket API maintains a persistent connection for bidirectional real-time communication. It is suitable for chat applications, real-time dashboards, and gaming. REST API follows a request-response pattern. WebSocket API also supports Lambda as a backend.

Q11. Which statement correctly differentiates GSI from LSI in DynamoDB?

A) GSI cannot be added after table creation; LSI can
B) LSI can only be added at table creation time; GSI can be added later
C) GSI must use the same partition key as the table
D) LSI limits the total table size to 10 GB

Answer: B

Explanation: LSIs (Local Secondary Indexes) can only be defined at table creation and cannot be added or removed afterwards. GSIs (Global Secondary Indexes) can be added or removed at any time after table creation. LSIs share the same partition key as the base table but use a different sort key.

Q12. What is the primary use case for an S3 Pre-signed URL?

A) Making an S3 bucket publicly accessible
B) Temporarily granting access to a specific S3 object without authentication
C) Bypassing S3 bucket policies
D) Automatically encrypting S3 objects

Answer: B

Explanation: A Pre-signed URL allows time-limited access to a specific S3 object without requiring AWS credentials. Use cases include temporarily sharing a file download link or allowing clients to upload files directly to S3 (PUT) without making the bucket public.

Q13. What problem can occur if the SQS VisibilityTimeout is set too short?

A) Messages move to the Dead-Letter Queue
B) The same message can be delivered to multiple consumers
C) Messages are permanently deleted
D) Queue capacity is exceeded

Answer: B

Explanation: VisibilityTimeout is the period during which a message is hidden from other consumers after being received. If set too short, the timeout may expire before the first consumer finishes processing, making the message visible again to other consumers and potentially causing duplicate processing. Set it longer than the expected processing time.

Q14. What happens when you set a Lambda function's Reserved Concurrency to 0?

A) Unlimited concurrency is allowed
B) Function invocations are completely throttled
C) Cold starts are prevented
D) Auto-scaling is activated

Answer: B

Explanation: Setting Reserved Concurrency to 0 completely throttles the function — all invocations return a throttling error. This can be used to temporarily disable a function or to preserve concurrency for other functions. To re-enable the function, either delete the reserved concurrency setting or set it to a value greater than 0.

Q15. What is a key difference between Kinesis Data Firehose and Kinesis Data Streams?

A) Firehose requires manual shard management
B) Firehose auto-scales and delivers data directly to destinations
C) Firehose is better suited for real-time processing
D) Firehose requires a consumer application

Answer: B

Explanation: Kinesis Data Firehose is a fully managed service with automatic scaling. It delivers data directly to S3, Redshift, OpenSearch Service, and Splunk. Data Streams requires manual shard management and consumer applications. Firehose buffers data (minimum 60 seconds or 1 MB), making it near-real-time rather than strictly real-time.

Domain 2: Security

Q16. Which statement correctly describes the difference between Cognito User Pools and Identity Pools?

A) User Pools grant AWS service access; Identity Pools handle user authentication
B) User Pools provide user authentication and a user directory; Identity Pools provide AWS credentials
C) Identity Pools do not support social login
D) User Pools and Identity Pools provide the same functionality

Answer: B

Explanation: Cognito User Pools provide user registration, login, MFA, and a user directory, issuing JWT tokens (ID Token, Access Token, Refresh Token). Identity Pools exchange authenticated identities (from User Pools, Google, Facebook, etc.) for temporary AWS credentials (IAM Role), allowing direct access to AWS services.

Q17. In KMS Envelope Encryption, how is the Data Key used?

A) The data key is stored in KMS and encrypted with the CMK
B) The data key encrypts the actual data; the data key itself is encrypted with the CMK and stored alongside the data
C) The CMK encrypts data directly
D) The data key is always stored in plaintext

Answer: B

Explanation: In envelope encryption: (1) KMS generates a Data Encryption Key (DEK), (2) the DEK encrypts the actual data, (3) the DEK is encrypted with the CMK. The encrypted DEK is stored with the encrypted data. The CMK never leaves KMS. This approach efficiently encrypts large amounts of data.

Q18. What is the difference between an IAM Resource-based Policy and an Identity-based Policy?

A) Resource-based policies can only be attached to EC2
B) Identity-based policies specify a Principal; resource-based policies are attached to IAM entities
C) Resource-based policies specify a Principal; identity-based policies are attached to IAM entities
D) Both policy types are identical

Answer: C

Explanation: Resource-based policies (S3 bucket policy, Lambda resource policy) are attached directly to a resource and explicitly specify a Principal (who can access). Identity-based policies (IAM User/Role/Group policies) are attached to IAM entities and define what actions can be performed without specifying a Principal. Cross-account access requires a resource-based policy or STS AssumeRole.

Q19. Which statement correctly describes the difference between AWS Secrets Manager and SSM Parameter Store?

A) Parameter Store supports automatic rotation; Secrets Manager does not
B) Secrets Manager supports automatic secret rotation and cross-account sharing, with an additional cost
C) Both provide identical functionality
D) Parameter Store does not support encryption

Answer: B

Explanation: Secrets Manager supports automatic rotation of database credentials and other secrets, cross-account access, and secret replication, with a per-secret monthly charge. Parameter Store offers free (Standard) or low-cost (Advanced) tiers but does not have built-in automatic rotation (custom Lambda rotation is possible). Use Secrets Manager when automatic rotation is important, such as for database credentials.

Q20. What is the role of ExternalId when using STS AssumeRole?

A) Sets the maximum session duration for the role
B) Prevents the Confused Deputy attack
C) Activates MFA authentication
D) Allows cross-region access

Answer: B

Explanation: ExternalId prevents the Confused Deputy problem. When a third-party service assumes roles in its customers' accounts, a malicious customer B could give the service customer A's role ARN and so reach customer A's data from B's own environment. ExternalId is set as a condition (sts:ExternalId) in the role's trust policy, so the role cannot be assumed without the correct ExternalId.
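
The trust-policy check from Q20, as an added example that is not part of the original exam material: a simplified Python model of how an sts:ExternalId condition keeps a third-party service from acting as a confused deputy, with the weak trust policy beside the corrected one. The account IDs, role ARN, tenant names, the Vendor class and the evaluator are constructed for illustration; the real evaluation happens inside AWS STS.

```python
import secrets

VENDOR_ACCOUNT = "999988887777"                         # constructed vendor account ID
ROLE_A = "arn:aws:iam::111122223333:role/VendorAccess"  # constructed role in customer A's account


def trust_policy(external_id=None):
    """Trust policy on customer A's role; external_id=None is the weak variant."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy, caller_account, external_id):
    """Simplified stand-in for the STS trust check (Allow + StringEquals only)."""
    caller = f"arn:aws:iam::{caller_account}:root"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != caller:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


class Vendor:
    """Hypothetical third-party service that assumes roles on behalf of its tenants."""

    def __init__(self):
        self.external_ids = {}  # tenant -> ExternalId generated by the vendor
        self.role_arns = {}     # tenant -> role ARN the tenant supplied

    def onboard(self, tenant):
        # The vendor, not the tenant, picks the ExternalId: one unique value per tenant.
        self.external_ids[tenant] = secrets.token_hex(8)
        return self.external_ids[tenant]

    def register_role(self, tenant, role_arn):
        self.role_arns[tenant] = role_arn

    def can_access(self, tenant, roles):
        # Always send the ExternalId bound to the tenant making the request.
        policy = roles[self.role_arns[tenant]]
        return assume_role_allowed(policy, VENDOR_ACCOUNT, self.external_ids[tenant])


def scenario(use_external_id):
    """Customer B registers customer A's role ARN; report who the vendor can act for."""
    vendor = Vendor()
    ext_a = vendor.onboard("customer-a")
    vendor.onboard("customer-b")
    # Customer A's account: the role and the trust policy A attached to it.
    roles = {ROLE_A: trust_policy(ext_a if use_external_id else None)}
    vendor.register_role("customer-a", ROLE_A)
    vendor.register_role("customer-b", ROLE_A)  # B submits A's ARN
    return {t: vendor.can_access(t, roles) for t in ("customer-a", "customer-b")}


if __name__ == "__main__":
    print("trust policy without ExternalId:", scenario(False))
    print("trust policy with ExternalId:   ", scenario(True))
```

Without the condition, the vendor's principal alone satisfies the trust policy, so a request made for customer B succeeds against customer A's role; with it, only the request carrying A's ExternalId does.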

Q21. What is the recommended approach for encrypting Lambda function environment variables?

A) Base64-encode the environment variables
B) Encrypt environment variables with a KMS CMK and decrypt at runtime
C) Hardcode environment variables directly in the code
D) Store them in S3 and read at runtime

Answer: B

Explanation: Lambda environment variables are encrypted by default with an AWS-managed key. For stronger security, use a customer-managed CMK. Sensitive values (API keys, passwords) should be encrypted with KMS and decrypted using the SDK at runtime, or stored in Secrets Manager/Parameter Store and retrieved dynamically at runtime.

Q22. Which claims are included in a Cognito JWT ID Token?

A) AWS IAM policies
B) Username, email, and user group information
C) AWS temporary credentials
D) S3 bucket access permissions

Answer: B

Explanation: The Cognito User Pool ID Token (JWT) contains claims such as the username (sub), email, phone number, Cognito user groups (cognito:groups), and custom attributes. The Access Token contains OAuth 2.0 scopes for API access. Temporary AWS credentials are obtained by exchanging the ID Token at the Identity Pool.

Q23. Which S3 server-side encryption option requires the customer to provide the encryption key?

A) SSE-S3
B) SSE-KMS
C) SSE-C
D) CSE (Client-Side Encryption)

Answer: C

Explanation: SSE-C (Server-Side Encryption with Customer-Provided Keys) requires the customer to provide the encryption key in each HTTPS request. AWS uses the key only for encryption/decryption and does not store it. SSE-S3 uses AWS-managed keys; SSE-KMS uses KMS-managed keys. CSE encrypts data before uploading on the client side.

Q24. What are the two types of Lambda Authorizers in API Gateway?

A) Header authorizer, Body authorizer
B) TOKEN authorizer, REQUEST authorizer
C) JWT authorizer, API Key authorizer
D) IAM authorizer, Cognito authorizer

Answer: B

Explanation: Lambda Authorizers have two types. TOKEN type extracts a Bearer token (JWT, OAuth) from the Authorization header for validation. REQUEST type uses the full request context — headers, query parameters, stage variables — for authorization. Both types return an IAM policy.
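
A TOKEN authorizer of the kind Q24 describes, as an added example that is not part of the original exam material: it validates a Bearer token and returns the IAM policy that API Gateway expects. The HS256 shared secret, the make_token helper, the optional now parameter, the groups claim and the method ARN are assumptions made so the example runs offline; a Cognito-issued token is RS256 and would be checked against the user pool's public keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: fetched from Secrets Manager in practice


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SECRET):
    """Build a constructed HS256 JWT so the authorizer has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_token(token, now, secret=SECRET):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims.get("sub"), str) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token: treat exactly like a bad signature


def build_policy(principal_id, effect, method_arn):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def handler(event, context, now=None):
    """TOKEN authorizer entry point; `now` is injectable for testing only."""
    now = time.time() if now is None else now
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    claims = verify_token(token, now)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    policy = build_policy(claims["sub"], "Allow", event["methodArn"])
    groups = claims.get("groups", [])
    if isinstance(groups, list):
        # Context values are passed on to the backend integration as strings.
        policy["context"] = {"groups": ",".join(str(g) for g in groups)}
    return policy


if __name__ == "__main__":
    # Constructed event in the TOKEN authorizer input format.
    arn = "arn:aws:execute-api:us-east-1:111122223333:abcdef1234/prod/GET/orders"
    tok = make_token({"sub": "user-1", "groups": ["admins"], "exp": time.time() + 300})
    event = {"type": "TOKEN", "authorizationToken": f"Bearer {tok}", "methodArn": arn}
    print(json.dumps(handler(event, None), indent=2))
```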

Q25. Why is KMS Data Key Caching used?

A) To reduce the number of KMS API calls and associated costs
B) To increase encryption strength
C) To enable automatic key rotation
D) To create a CMK

Answer: A

Explanation: Requesting a new data key from KMS for every encryption operation increases API calls, costs, and latency. Data Key Caching reuses locally cached data keys to reduce KMS calls. This feature is provided by the AWS Encryption SDK. However, reusing a key for longer periods may increase security risk.

Domain 3: Deployment

Q26. What is the primary benefit of Blue/Green deployment in AWS CodeDeploy?

A) Server costs are halved
B) Immediate rollback is possible if the deployment fails
C) Build time is reduced
D) A test environment is not required

Answer: B

Explanation: Blue/Green deployment creates a new identical environment (Green) and deploys the new version there. Traffic is switched to Green, and if problems occur, traffic can be instantly switched back to Blue. This enables zero-downtime deployment and fast rollback. However, running two environments simultaneously temporarily increases costs.

Q27. In an AWS SAM template, what CloudFormation resources does AWS::Serverless::Function transform into?

A) AWS::Lambda::Function only
B) AWS::Lambda::Function, AWS::IAM::Role, AWS::Lambda::EventSourceMapping
C) AWS::Lambda::Function, AWS::EC2::Instance
D) AWS::Serverless::Function is not transformed

Answer: B

Explanation: SAM templates are transformed via a CloudFormation macro. AWS::Serverless::Function expands into multiple CloudFormation resources including a Lambda function (AWS::Lambda::Function), an execution role (AWS::IAM::Role), event source mappings (AWS::Lambda::EventSourceMapping), and event permissions (AWS::Lambda::Permission). The template is deployed with sam build && sam deploy.

Q28. What is the key characteristic of Elastic Beanstalk's Rolling with Additional Batch deployment policy?

A) Updates all instances at once for a fast deployment
B) Maintains existing capacity by launching an additional batch before performing a rolling update
C) Creates a new environment and swaps DNS
D) Updates instances one at a time sequentially

Answer: B

Explanation: Rolling with Additional Batch launches an extra batch of instances first to maintain full capacity during the rolling update. Full service capacity is preserved throughout the deployment. Plain Rolling temporarily reduces capacity. It is suitable when availability is critical and the temporary cost increase is acceptable.

Q29. What is the key difference between ECS Fargate and EC2 Launch Type?

A) Fargate is a fixed cost; EC2 is usage-based
B) Fargate requires no server management; EC2 Launch Type requires managing EC2 instances directly
C) EC2 Launch Type is serverless
D) Fargate does not support Windows containers

Answer: B

Explanation: Fargate is a serverless container execution environment — no need to provision or manage EC2 instances. You pay based on vCPU and memory usage. EC2 Launch Type requires you to manage the EC2 instances running ECS, but offers more flexibility for GPU workloads, specialized instance types, and cost optimization.

Q30. Why would you add a Manual Approval step in CodePipeline?

A) To speed up deployments
B) To require human review and approval before production deployment
C) To skip automated tests
D) To reduce costs

Answer: B

Explanation: A Manual Approval step requires approval from designated reviewers before the pipeline proceeds to the next stage. It acts as a gate where QA teams or managers review changes before production deployment. SNS notifications can alert reviewers, who can approve or reject via the console, CLI, or API.

Q31. What is the correct phase order in a CodeBuild buildspec.yml?

A) install → pre_build → build → post_build
B) build → test → deploy → clean
C) pre_build → build → post_build → install
D) setup → build → verify → deploy

Answer: A

Explanation: The buildspec.yml phases are: install (install packages, set runtime) → pre_build (login, download dependencies) → build (actual build commands) → post_build (package, push to ECR, notifications). Each phase is optional; if a phase fails, subsequent phases are not executed.

Q32. What does enabling image security scanning in ECR (Elastic Container Registry) provide?

A) Automatic image deletion
B) Scanning of known CVE vulnerabilities in container images and reporting
C) Automatic image updates
D) Image encryption

Answer: B

Explanation: ECR image scanning (Enhanced Scanning with Inspector or Basic Scanning) scans OS packages and programming language packages in container images for CVEs. You can configure automatic scanning on push or manual scanning, and findings are reported by severity level.

Q33. In CodeDeploy's appspec.yml, what does the ApplicationStop lifecycle hook event do?

A) Starts the new application version
B) Gracefully stops the currently running application
C) Rolls back the deployment
D) Restarts the server

Answer: B

Explanation: CodeDeploy lifecycle event order: ApplicationStop → DownloadBundle → BeforeInstall → Install → AfterInstall → ApplicationStart → ValidateService. ApplicationStop runs scripts that gracefully shut down the currently running application. The scripts are defined in the previous deployment's appspec.yml.

Q34. What is the role of the .ebextensions directory in Elastic Beanstalk?

A) Only configures environment variables
B) Customizes AWS resource provisioning and EC2 instance configuration
C) Stores application source code
D) Manages SSL certificates

Answer: B

Explanation: .config files (YAML/JSON) in the .ebextensions directory allow customization of EC2 instance configuration, file creation, package installation, command execution, provisioning of AWS resources (RDS, SQS, etc.), and environment variable settings. CloudFormation syntax can be used to define additional resources.

Q35. How can you implement branch protection in AWS CodeCommit?

A) Enable branch protection directly in CodeCommit settings
B) Restrict direct pushes to specific branches using IAM policies
C) Control pushes with CodePipeline
D) Use S3 bucket policies

Answer: B

Explanation: CodeCommit does not have native branch protection like GitHub. You can restrict direct pushes to main/master branches using IAM policy conditions (StringNotEquals, codecommit:References). To enforce a Pull Request-based workflow, remove direct push permissions using IAM.

Domain 4: Troubleshooting and Optimization

Q36. When X-Ray tracing is enabled on a Lambda function, what is the difference between a Segment and a Subsegment?

A) Segments provide more granular information than subsegments
B) A Segment represents the entire Lambda function invocation; a Subsegment represents specific operations within it
C) Subsegments only track external service calls
D) Both concepts are the same

Answer: B

Explanation: In X-Ray, a Segment is the top-level unit of a trace for a single service or request — representing the entire Lambda function invocation. A Subsegment represents individual operations within the segment (DynamoDB queries, HTTP requests, etc.). AWS SDK calls are automatically captured as subsegments, and custom subsegments can also be added.

Q37. What causes a DynamoDB ProvisionedThroughputExceededException and how is it resolved?

A) The table size exceeded its limit — delete data
B) Read/write throughput exceeded provisioned RCU/WCU — enable Auto Scaling or increase capacity
C) Internet connectivity issue — retry
D) Missing IAM permissions — update the policy

Answer: B

Explanation: ProvisionedThroughputExceededException occurs when request throughput exceeds provisioned RCU or WCU. Solutions: (1) Enable Auto Scaling for automatic capacity adjustment, (2) Switch to On-Demand capacity mode, (3) Add DAX to reduce read load, (4) Retry with Exponential Backoff. If caused by a hot partition, reconsider the partition key design.

Q38. How do you monitor CloudWatch Logs in real-time for a specific pattern and receive alerts?

A) Create a CloudWatch Dashboard
B) Create a Metric Filter and configure a CloudWatch Alarm
C) Export logs to S3
D) Enable CloudTrail

Answer: B

Explanation: CloudWatch Logs Metric Filters filter specific patterns from log events and create custom metrics. For example, filtering "ERROR" creates an error count metric. Attaching a CloudWatch Alarm to this metric sends SNS notifications when a threshold is exceeded.

Q39. What happens when a Lambda function's concurrent execution count reaches the account limit?

A) Lambda automatically scales down
B) New requests receive a Throttle error
C) Lambda switches to EC2 instances
D) Requests are automatically stored in an SQS queue

Answer: B

Explanation: When the account's total concurrent executions limit (default 1,000) is reached, additional Lambda invocations receive throttle errors (HTTP 429). For synchronous invocations, the error is returned directly to the client. For asynchronous invocations, Lambda automatically retries. The limit can be increased via a Service Quota increase request.

Q40. What is the difference between X-Ray Annotations and Metadata?

A) Annotations are indexed and searchable; metadata is not indexed
B) Metadata is indexed and searchable; annotations are not indexed
C) Both concepts are identical
D) Annotations support only numbers; metadata supports all types

Answer: A

Explanation: X-Ray Annotations are key-value pairs (strings, numbers, booleans) that are indexed and can be used to search and filter traces. Metadata can store any JSON-serializable value including objects and arrays, but is not indexed so cannot be used for filtering. Use Metadata for debugging information and Annotations for filterable information.

Q41. What is the default retry behavior for an asynchronous Lambda invocation?

A) No retries
B) Up to 2 retries (3 total attempts), then moves to DLQ on failure
C) Infinite retries
D) 1 retry then terminates regardless of success

Answer: B

Explanation: When a Lambda asynchronous invocation fails, Lambda automatically retries up to 2 times (3 total attempts). Retry intervals increase progressively. If all 3 attempts fail, the event is sent to the configured Dead-Letter Queue (SQS or SNS). Configuring a Lambda Destination routes success/failure events to other AWS services.

Q42. When would you use high-resolution custom metrics in CloudWatch?

A) When you want to retain metrics for longer
B) When you need granular monitoring at sub-minute intervals (1-59 seconds)
C) When you want to reduce costs
D) When aggregating metrics across multiple regions

Answer: B

Explanation: Standard resolution metrics are published in 1-minute intervals. High-resolution metrics support up to 1-second granularity for more detailed monitoring. However, high-resolution metrics cost more than standard metrics. Use them for scenarios requiring second-level precision, such as financial transactions or gaming events.

Q43. Which is a common use case for DynamoDB Streams?

A) Backing up a DynamoDB table
B) Triggering Lambda via data change events to propagate changes to other systems
C) Improving DynamoDB read performance
D) Creating global tables

Answer: B

Explanation: DynamoDB Streams records item-level changes (INSERT, MODIFY, REMOVE) in order. Using Lambda event source mapping to process stream records enables: propagating changes to other databases, sending email notifications, updating search indexes, and generating audit logs. Stream records are retained for 24 hours.

Q44. What is a common cause of a 502 Bad Gateway error in API Gateway?

A) Malformed client request
B) Lambda function or backend returned a malformed response or timed out
C) Insufficient IAM permissions
D) API Gateway cache is full

Answer: B

Explanation: API Gateway 502 Bad Gateway is a backend integration error. Common causes: (1) Lambda function returns a response in an unexpected format (missing statusCode, headers, body), (2) Lambda function throws an unhandled exception, (3) Lambda timeout (API Gateway timeout: 29 seconds). 401/403 are auth errors, 400 is a bad request, 500 is an internal server error.

Q45. What factors affect Lambda cold start duration?

A) Only invocation frequency
B) Runtime type, deployment package size, VPC configuration, and initialization code execution time
C) Only AWS region
D) Only the number of Lambda Layers

Answer: B

Explanation: Factors affecting Lambda cold start: (1) Runtime type (Java/C# slower than Python/Node.js), (2) Deployment package size (larger packages take longer to download), (3) VPC configuration (extra latency for ENI creation), (4) Initialization code (code outside handler runs once), (5) Lambda Layers. To minimize cold starts: smaller packages, Provisioned Concurrency, lightweight runtimes.

Q46. Under what condition does an SQS message move to the Dead-Letter Queue (DLQ)?

A) When the message size exceeds 256 KB
B) When the message has failed processing maxReceiveCount times
C) When the queue capacity is full
D) Every time the VisibilityTimeout expires

Answer: B

Explanation: The SQS DLQ automatically receives messages from the source queue that have been received (but not deleted) more than maxReceiveCount times. For example, with maxReceiveCount=3, a message moves to the DLQ after 3 failed processing attempts. Analyze DLQ messages to identify failure causes or move them to a reprocessing queue.

Q47. What is the problem with this Lambda function code?

```python
import boto3

def handler(event, context):
    dynamodb = boto3.resource('dynamodb')
    table = dynamodb.Table('MyTable')
    response = table.scan()
    return response['Items']
```

A) The boto3 import is incorrect
B) The DynamoDB client is initialized inside the handler and cannot be reused
C) The scan() method cannot be used in Lambda
D) The return format is incorrect

Answer: B

Explanation: The DynamoDB resource object is initialized inside the handler function, so it is recreated on every invocation. This does not take advantage of execution context reuse. Initializing it outside the handler (at global scope) reuses the existing connection on warm executions, improving performance. Also, Scan reads the entire table and is expensive — consider replacing with Query.

Q48. Which CloudWatch Logs Insights query finds ERROR logs from a Lambda function?

A) SELECT * WHERE level = 'ERROR'
B) fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc
C) GET errors FROM lambda_logs
D) SEARCH 'ERROR' IN CloudWatch

Answer: B

Explanation: CloudWatch Logs Insights uses its own query language. The fields command selects fields to display, filter filters for a specific pattern, and sort orders results. Use like /ERROR/ or like /Exception/ to find error logs. Use stats count(*) by bin(5m) to aggregate error counts over time.

Q49. What is the primary purpose of Usage Plans and API Keys in API Gateway?

A) Strengthening API security
B) Limiting request counts and rates to prevent abuse and enable monetization
C) API version management
D) Enabling caching

Answer: B

Explanation: Usage Plans set throttling (requests per second: RPS, burst size) and quota (total requests per day/week/month) per API key. Issuing API keys and associating them with usage plans allows applying different limits per customer. Useful for API monetization, partner API provisioning, and abuse prevention.

Q50. What is the maximum timeout setting for a Lambda function?

A) 5 minutes
B) 10 minutes
C) 15 minutes
D) 30 minutes

Answer: C

Explanation: The maximum execution timeout for a Lambda function is 15 minutes (900 seconds). The default is 3 seconds. For tasks exceeding 15 minutes, use Step Functions (state machines), ECS tasks, or EC2 instances. When a timeout occurs, Lambda forcibly terminates the function and retries for asynchronous invocations.

Q51. Why does the Single-Table Design pattern in DynamoDB use overloaded partition keys and sort keys?

A) To reduce DynamoDB costs B) To store multiple entity types in a single table and support efficient queries without joins C) To improve data encryption D) To simplify backups

Answer: B

Explanation: DynamoDB does not support join operations. Storing related entities in a single table with overloaded partition and sort keys allows retrieval of related data with a single GetItem or Query. Example: PK=USER#123 with SK=USER#123 (user info) and SK=ORDER#456 (order info). This pattern was popularized by Rick Houlihan's design approach.

Q52. Which correctly describes the SNS fan-out pattern?

A) SNS delivers a message to a single SQS queue B) A message published to an SNS topic is simultaneously delivered to multiple SQS queues, Lambda functions, and HTTP endpoints C) SQS triggers multiple Lambda functions simultaneously D) A single Lambda publishes to multiple SNS topics

Answer: B

Explanation: In the SNS fan-out pattern, publishing one message to an SNS topic delivers it simultaneously to all subscribed endpoints (SQS queues, Lambda functions, HTTP/HTTPS, email, SMS). For example, an order completion event can simultaneously trigger email notifications, inventory updates, and shipping processing.

Q53. What characterizes an Elastic Beanstalk Worker environment?

A) A web server handling internet traffic B) Polls an SQS queue and processes background tasks C) An environment specialized for database processing D) Runs only Fargate containers

Answer: B

Explanation: Elastic Beanstalk Worker environments include a built-in SQS daemon (sqsd) that polls the SQS queue and delivers messages to the application via HTTP POST requests. They work with Web Server Tier environments to process asynchronous background tasks (image processing, email sending, data processing, etc.).

Q54. Which is an example of a resource replacement occurring during a CloudFormation stack update?

A) Changing an EC2 instance's tags B) Upgrading an RDS instance's DB engine version C) Changing an S3 bucket name D) Changing a Lambda function's memory setting

Answer: C

Explanation: An S3 bucket name is an immutable property — changing it causes the existing bucket to be deleted and a new bucket with the new name to be created (replacement). Changing EC2 tags or Lambda memory are in-place updates. CloudFormation documents the update type for each property as 'Update requires: Replacement', 'Update requires: No interruption', or 'Update requires: Some interruptions'.

Q55. When S3 Event Notifications trigger Lambda, what invocation type is used?

A) Synchronous invocation B) Asynchronous invocation C) Poll-based invocation D) Streaming invocation

Answer: B

Explanation: When S3 Event Notifications trigger Lambda, asynchronous (Event) invocation is used. S3 publishes the event to Lambda and does not wait for a response. Lambda automatically retries on failure, and DLQ or Lambda Destination configurations are available. SNS, SES, and CloudWatch Events also use asynchronous invocation.

Q56. Which correctly describes DynamoDB TransactWriteItems?

A) Applies only to a single partition B) Supports atomic ACID transactions for up to 100 items C) Executes asynchronously only D) Used only for read-only operations

Answer: B

Explanation: TransactWriteItems performs atomic write operations across multiple tables for up to 100 items (or 4 MB). All operations succeed or all fail (ACID). You can combine Put, Update, Delete, and ConditionCheck operations. TransactGetItems supports read transactions. Transactional operations consume 2x the read/write capacity of standard operations.

Q57. What is the maximum size of all Lambda function environment variables combined?

A) 4 KB B) 8 KB C) 16 KB D) 32 KB

Answer: A

Explanation: The total size of all Lambda environment variables is limited to 4 KB. Values exceeding this limit should be stored in SSM Parameter Store or Secrets Manager and retrieved at runtime via API. Environment variables are separate from the function deployment package, allowing configuration updates without code changes.

Q58. What is the secure way to pass environment variables to a CodeBuild build environment?

A) Hardcode them directly in buildspec.yml B) Use Parameter Store or Secrets Manager references C) Store them in the source code repository D) Read from a plaintext file in an S3 bucket

Answer: B

Explanation: Sensitive environment variables (API keys, passwords) in CodeBuild should not be written directly in buildspec.yml. Instead, reference SSM Parameter Store SecureString parameters or Secrets Manager secrets. In buildspec.yml, use the parameter-store or secrets-manager fields under env to reference them; the values are decrypted automatically and set as environment variables at build time.

Q59. What is the minimum number of days that must elapse before an S3 object can transition to Glacier via a Lifecycle Policy?

A) 1 day B) 30 days C) 60 days D) 90 days

Answer: B

Explanation: The minimum period for transitioning from S3 Standard directly to S3 Glacier Flexible Retrieval is 30 days. From S3 Standard-IA to Glacier is also 30 days. For Glacier Instant Retrieval, the minimum transition period is 90 days. Misconfigured Lifecycle Policies can lead to unexpected costs.

Q60. What is a use case for API Gateway Stage Variables?

A) Storing user authentication credentials B) Referencing different Lambda function ARNs or endpoints per environment (dev/staging/prod) C) Automatically incrementing the API version D) Storing cache settings

Answer: B

Explanation: Stage Variables are key-value pairs that can hold different values per API Gateway stage. For example, set a lambdaAlias variable to "dev" in the dev stage and "prod" in the prod stage, then reference it in the Lambda integration URI with stageVariables.lambdaAlias. This supports multiple environments with a single API definition.

Q61. Why use Lambda Versions and Aliases when updating a Lambda function?

A) To reduce costs B) To enable traffic splitting (Canary deployments) and provide stable ARN references C) To increase execution speed D) To activate logging

Answer: B

Explanation: Lambda Versions are immutable snapshots of deployed code and configuration. Aliases are named pointers to specific versions (or $LATEST). Attaching alias ARNs to API Gateway or event sources means only the alias needs updating when deploying a new version. Aliases also support routing configurations to split traffic between two versions (e.g., v1=90%, v2=10%) for Canary deployments.

Q62. In which scenario would you use a Conditional Write in DynamoDB?

A) For data encryption B) To implement optimistic locking or to insert an item only if it does not already exist C) To improve read performance D) To enable automatic indexing

Answer: B

Explanation: DynamoDB Conditional Writes perform write operations only when a specified condition is true. Examples: attribute_not_exists(pk) prevents duplicate inserts; checking a version attribute enables optimistic locking. A ConditionalCheckFailedException is thrown when the condition fails. WCUs consumed are the same regardless of whether the condition succeeds.
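Both conditional-write uses named in the Q62 explanation, as an added example that is not part of the original question set. It assumes a boto3 Table-like object passed in as `table`, a table whose partition key is `pk`, and hypothetical `balance` and `version` attributes.

```python
"""Duplicate-safe insert and optimistic locking with DynamoDB conditional writes."""


class StaleWriteError(Exception):
    """Another writer changed the item after this caller read it."""


def is_condition_failure(exc):
    # boto3 reports a failed condition as a ClientError whose response
    # dictionary carries this error code.
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return code == "ConditionalCheckFailedException"


def create_if_absent(table, item):
    """Insert only when no item with this key exists; False means duplicate."""
    try:
        table.put_item(Item=item, ConditionExpression="attribute_not_exists(pk)")
        return True
    except Exception as exc:
        if is_condition_failure(exc):
            return False
        raise  # throttling, access denied, etc. must not look like a duplicate


def update_balance(table, pk, new_balance, expected_version):
    """Write only if the stored version still equals the version that was read."""
    try:
        table.update_item(
            Key={"pk": pk},
            UpdateExpression="SET #b = :b, #v = :next",
            ConditionExpression="#v = :expected",
            ExpressionAttributeNames={"#b": "balance", "#v": "version"},
            ExpressionAttributeValues={
                ":b": new_balance,
                ":expected": expected_version,
                ":next": expected_version + 1,
            },
        )
    except Exception as exc:
        if is_condition_failure(exc):
            raise StaleWriteError(pk) from exc  # caller re-reads and retries
        raise
    return expected_version + 1
```

With a real table, pass `boto3.resource("dynamodb").Table(name)` as `table`; the version check and the write happen in one request, so no second writer can slip in between them.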

Q63. What information can you see on an AWS X-Ray Service Map?

A) AWS cost information B) Service connections, response times, error rates, and request counts C) IAM permission information D) Network bandwidth usage

Answer: B

Explanation: The X-Ray Service Map visualizes the topology of your application. Each node represents a service (Lambda, DynamoDB, API Gateway, etc.) and displays average response time (latency), requests per minute, error rate (4xx), and fault rate (5xx). Arrows between nodes show call relationships. It helps visually identify performance bottlenecks and error-prone services.

Q64. Which statement correctly describes Lambda's /tmp directory?

A) Not shared between function invocations and cannot be used as persistent storage B) Provides up to 10 GB of temporary storage; data may persist when the same container is reused C) All Lambda functions share the same /tmp directory D) The /tmp directory is not encrypted

Answer: B

Explanation: Lambda's /tmp directory provides up to 10 GB of temporary storage (default 512 MB, configurable). Data stored in /tmp may persist when the same execution environment (container) is reused (warm execution). This can be leveraged for caching, but sensitive data written there must be deleted before the handler returns, because a later invocation in the same environment can still read it. It is not shared with other Lambda instances.
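The /tmp behaviour from the Q64 explanation, as an added example that is not part of the original question set: a non-sensitive cache is allowed to survive warm reuse, while sensitive data is confined to a per-invocation directory that is always removed. The handler, file names, event shape and the `SCRATCH_ROOT` override are assumptions made for the illustration.

```python
"""Keep caches in /tmp across warm invocations, but never sensitive payloads."""
import json
import os
import tempfile

# /tmp inside Lambda; overridable so the code also runs elsewhere (assumption).
SCRATCH_ROOT = os.environ.get("SCRATCH_ROOT", tempfile.gettempdir())
CACHE_PATH = os.path.join(SCRATCH_ROOT, "dva-lookup-cache.json")
JOB_PREFIX = "dva-job-"


def load_lookup_table():
    """Return (table, cache_hit); the cache file holds nothing sensitive."""
    if os.path.exists(CACHE_PATH):
        with open(CACHE_PATH) as fh:
            return json.load(fh), True
    table = {"eu": "Europe", "us": "United States"}  # constructed sample data
    with open(CACHE_PATH, "w") as fh:
        json.dump(table, fh)
    return table, False


def handler(event, context=None):
    table, cache_hit = load_lookup_table()
    # TemporaryDirectory creates a 0700 directory and deletes it when the
    # block exits, including when the body raises.
    with tempfile.TemporaryDirectory(prefix=JOB_PREFIX, dir=SCRATCH_ROOT) as work:
        secret_path = os.path.join(work, "payload.json")
        fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(event["record"], fh)
        with open(secret_path) as fh:
            record = json.load(fh)
        region = table.get(record["region"], "unknown")
    return {"region": region, "cache_hit": cache_hit}


def leftover_job_dirs():
    """Per-invocation directories still present under the scratch root."""
    return sorted(n for n in os.listdir(SCRATCH_ROOT) if n.startswith(JOB_PREFIX))
```

`leftover_job_dirs()` can be logged at the start of a handler during testing to confirm that no earlier invocation left sensitive files behind.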

Q65. Which services use Lambda Event Source Mapping?

A) S3, SNS, API Gateway B) SQS, Kinesis Data Streams, DynamoDB Streams, MSK, MQ C) CloudWatch Events, EventBridge, SNS D) CodeCommit, CodePipeline, CodeDeploy

Answer: B

Explanation: Event Source Mapping is used for stream/queue-based services that Lambda actively polls: SQS, Kinesis Data Streams, DynamoDB Streams, Apache Kafka (MSK), and Amazon MQ. The Lambda service polls these sources directly and processes messages in batches. In contrast, S3, SNS, API Gateway, and EventBridge directly invoke Lambda (push model).


Exam Strategy

  • Focus on core services: Lambda, DynamoDB, API Gateway, SQS, and Cognito account for 50%+ of questions
  • Hands-on practice: Build real experience using AWS Free Tier
  • Official docs: Study each service's developer guide and API reference
  • Whitepapers: AWS Security Best Practices and Serverless Architecture whitepapers are essential
  • Exam tips: Watch for keywords like "most efficient", "cost-effective", and "minimum operational overhead"