DVA-C02 Exam Dumps : AWS Certified Developer - Associate

Comprehensive and Detailed 250 to 300 words of Explanation From AWS Developer Documents:

The key requirement in this scenario is that the data must be encrypted before it is uploaded to Amazon S3 , and the data is generated outside of AWS . This explicitly points to a client-side encryption requirement.

AWS documentation distinguishes clearly between server-side encryption and client-side encryption . Server-side encryption options for Amazon S3—including enabling default bucket encryption or specifying the x-amz-server-side-encryption request header—encrypt the data after it is received by Amazon S3. Therefore, options B and D do not satisfy the requirement because the plaintext data is transmitted to AWS before encryption occurs.

Option A, using the AWS KMS encrypt command, is not suitable for large binary objects. AWS KMS is designed to encrypt small pieces of data (up to 4 KB). AWS documentation explicitly states that for large payloads, customers should use envelope encryption instead of directly encrypting data with AWS KMS.

The AWS Encryption SDK is specifically designed for client-side encryption of large data objects. It implements envelope encryption , where a data encryption key (DEK) is generated locally to encrypt the data, and the DEK is then encrypted with an AWS KMS key. This approach allows efficient encryption of large binary files while maintaining strong key management and security controls.

AWS documentation recommends the AWS Encryption SDK for applications that need to encrypt data before sending it to AWS services , including Amazon S3. It supports multiple programming languages, handles key management automatically, and ensures data confidentiality even before transmission.

Therefore, using the AWS Encryption SDK for client-side encryption is the only solution that fully satisfies all requirements.

The correct answer is B because Amazon EventBridge is designed for building loosely coupled event-driven architectures . In this scenario, when an order is placed, the order processing system can publish a single event to an EventBridge event bus. Then, multiple independent consumers can react to that event through separate rules and targets . This matches the requirement to update inventory, send email, notify shipping, and update order history without tightly coupling those actions together.

EventBridge is especially well suited when the company wants to add new processing steps later . A new consumer can be added simply by creating another rule and target for the existing order event, without changing the original order submission code or the existing consumers. This supports extensibility and separation of concerns, which are key goals of event-driven design.

Option A is less appropriate because a single Lambda function that directly calls every downstream system becomes tightly coupled and harder to extend. Option C supports fan-out, but EventBridge provides richer routing, filtering, and event bus semantics for enterprise event-driven workflows. Option D is useful for workflow orchestration, but it creates a more centrally orchestrated pattern rather than the looser publish-and-subscribe model requested in the question.

AWS guidance for modern event-driven architectures emphasizes publishing events and allowing interested services to subscribe independently. EventBridge provides native routing and integration with many AWS services, making it easy to evolve the architecture over time. Therefore, B is the best answer for achieving loose coupling and future extensibility.

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption . Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.