Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption . Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.

The safest way to prevent cross-tenant data leakage during processing is to enforce tenant isolation at the authorization layer , not only in application logic. AWS supports this with ABAC (attribute-based access control) using IAM principal/session tags and policy condition keys. The goal is to ensure that, for each invocation, the function can access only the S3 prefix and DynamoDB items that match the tenant being processed.

First, the Lambda execution role should be permitted to assume a dedicated data access role (B). This creates a clear separation: the execution role has minimal base permissions and can obtain tenant-scoped permissions only by assuming the data role.

Second, the Lambda function should assume that data access role with the tenant name as a session tag and then use the temporary credentials for all S3/DynamoDB calls (F). Session tagging ties the caller’s identity attributes (tenant) to the credentials used for data access.

Third, attach policies to the data access role that restrict access using conditions that compare the session tag to the requested resource attributes (C). For S3, policies can restrict access to object ARNs like arn:aws:s3:::bucket/${aws:PrincipalTag/tenant}/*. For DynamoDB, policies can restrict access by partition key using dynamodb:LeadingKeys so the role can read/write only items whose partition key equals the tenant tag. This ensures that even if the function code has a bug or receives unexpected input, AWS authorization prevents it from reading or writing another tenant’s data.

Option A is not required as stated; you typically need permission to pass session tags (and the trust/policy must allow tagging), but the key actions here are: enable assume role (B), enforce tag-based data policies (C), and actually assume the role with tenant tag (F). Option D is not generally the primary control for DynamoDB; the standard enforcement is via IAM identity policies (and dynamodb:LeadingKeys). Option E (RCP) is an AWS Organizations guardrail and is not necessary for this single-application isolation pattern.

In AWS X-Ray, filter expressions can filter trace data based on indexed fields that X-Ray can query efficiently. Custom data can be added to segments in two main ways: annotations and metadata. The critical difference is that annotations are indexed and can be used for filtering, while metadata is not indexed and is intended for additional diagnostic context that you do not typically query on.

Therefore, if the developer wants user-specified custom attributes to be usable in X-Ray filter expressions, the developer should record those attributes as annotations in the segment document. Once recorded as annotations, the developer can write filter expressions that match annotation keys/values and return only the relevant traces.

Option B is incorrect because metadata is not indexed and cannot be used in filter expressions for trace search the same way annotations can.

Option C is incorrect because segment documents have a defined schema; adding arbitrary “new segment fields” is not the intended method for searchable custom attributes.

Option D is unrelated: sampling rules control which requests get traced in the first place. They are not used to filter returned results by custom attributes after traces are recorded.