DVA-C02 Exam Dumps : AWS Certified Developer - Associate

The correct answer is C because Amazon SNS subscription filter policies are the native AWS feature for ensuring that only messages with matching attributes are delivered to a specific subscription. In this scenario, the Lambda function should process only refund messages from an SNS topic that contains multiple payment activity message types. By applying a subscription filter policy to the Lambda subscription, SNS delivers only the refund-related notifications to the function.

This is the most operationally efficient solution because filtering happens before invocation of the Lambda function. That means the Lambda function is not triggered for irrelevant payment events, which reduces unnecessary invocations, lowers compute cost, and simplifies the function code. AWS documentation recommends using subscription filter policies with SNS when subscribers should receive only a subset of messages based on message attributes.

Option A is incorrect because Lambda event filtering is available for some event sources, but for SNS-to-Lambda integration , the AWS-native filtering point is the SNS subscription itself. Option B is less efficient because it still invokes the Lambda function for every message and then discards non-refund messages in code. That increases operational overhead and cost. Option D is unrelated to the requirement because batching changes invocation behavior but does not filter by message type.

Therefore, the best design is to publish all payment activity events to SNS with appropriate message attributes and configure an SNS subscription filter policy so that only refund messages invoke the Lambda function. This approach is simple, scalable, and aligns with AWS event-driven architecture best practices.

This is a classic cross-account S3 access requirement: EC2 instances in Account A must read from a private S3 bucket in Account B without making the bucket public.

The correct pattern is to grant access using IAM + S3 bucket policy while keeping the bucket private. In Account B, you create an IAM role that has the necessary S3 read permissions (such as s3:GetObject and potentially s3:ListBucket depending on access needs). That is Option A.

However, permissions on the role alone are not sufficient, because the S3 bucket is in a different account and is private by default. AWS requires that the bucket owner explicitly grants access to the external principal. This is done by adding a bucket policy in Account B that allows the principal (either the role in Account A or a role session via STS) to access the bucket objects. That is Option D.

Option B is not correct in the “select two” sense because adding permissions to Account A’s instance profile role does not, by itself, grant access to a bucket owned by Account B. You still need the bucket policy or another resource-based policy from the bucket owner.

Option C violates the requirement (“without exposing the S3 bucket to anyone else”). Making the bucket public is unnecessary and insecure.

Option E is incorrect because a trust policy controls who can assume a role (sts:AssumeRole), not what S3 permissions the role has. Also, trust policies do not grant s3:Get* access.

Therefore, create an IAM role with S3 read permissions in Account B and grant access via the Account B bucket policy.

DynamoDB access control operates at the table and item level , not at individual attribute deny rules in IAM or resource-based policies. Therefore, Option A is not supported. Encrypting the entire table with KMS (Option B) protects data at rest but does not prevent the Lambda function from reading sensitive attributes once access is granted.

To ensure the Lambda function cannot access PII, AWS documentation recommends controlling which attributes are returned from queries and scans. Using a projection expression (Option E) ensures that only non-PII attributes are returned to the function, even if PII exists in the item. This is a standard DynamoDB best practice for limiting data exposure.

For additional protection, client-side or application-level encryption should be used for sensitive fields. Option C uses envelope encryption with AWS KMS to encrypt only PII attributes. Even if the function retrieves the encrypted attribute, it cannot decrypt the data without KMS permissions. This ensures strong isolation of sensitive data.

ABAC (Option D) controls access to resources, not attributes, and therefore does not satisfy the requirement.

Thus, combining attribute-level encryption with projection expressions meets the security requirement.