Amazon Web Services DVA-C02 Based on Real Exam Environment

To begin using AWS X-Ray, the team must (1) instrument the application to emit trace segments/subsegments and (2) ensure there is a component that can send trace data to the X-Ray service.

Instrumenting code is typically done with the AWS X-Ray SDK (language-specific). This adds tracing to inbound requests and downstream calls, creates segments/subsegments, and attaches annotations/metadata. That corresponds to Option C.

For many compute environments (especially EC2, ECS on EC2, and on-prem servers), the application sends trace data via the X-Ray daemon/agent running locally. The daemon batches segments and forwards them to the X-Ray service endpoint. That corresponds to Option D.

Option B is helpful after traces exist (using the X-Ray console or CloudWatch ServiceLens), but it is not a prerequisite to “begin using” X-Ray.

Option A is unrelated. X-Ray does not require SQS for instrumentation output.

Option E is incorrect because X-Ray stores trace data in its managed backend; you do not create a DynamoDB table for trace logs.

Therefore, the team needs to instrument the code with the X-Ray SDK and install/run the X-Ray agent/daemon on the servers where the application runs.

The requirements describe a real-time streaming use case where multiple processing applications must read the same stream in parallel, each must be able to resume processing after interruptions without data loss, and the system should support adding new processors with minimal duplication. Amazon Kinesis Data Streams (KDS) is purpose-built for this pattern.

With Kinesis Data Streams, producers write records to a stream that is split into shards. Multiple consumer applications can independently read from the stream using separate consumer groups (for example, using Kinesis Client Library). Each consumer maintains its own checkpoint (sequence number position), which allows it to resume from the last processed record after a restart or failure. This directly meets the “resume without losing data” requirement.

KDS also supports a configurable retention period (commonly 24 hours by default, extendable), enabling replay and recovery without forcing producers to re-send data or duplicating messages for each processor. Adding new consumers is straightforward: a new processor can begin reading the existing stream (from latest or from a trim horizon), which minimizes duplication compared to fan-out duplication patterns.

Why the others don’t fit:

SQS is a queue, not a stream. Multiple consumers typically compete for messages rather than all consuming the same messages independently, and duplication is required if multiple apps must process the same data.

Kinesis Data Firehose is primarily for delivery to destinations (S3, Redshift, OpenSearch) and not designed for multiple real-time parallel consumers with replay semantics.

EventBridge is event routing with limited replay/resume semantics compared to KDS and is not intended for high-throughput stream processing with per-consumer checkpoints.

Therefore, Amazon Kinesis Data Streams satisfies all requirements.

DynamoDB already supports encryption at rest by default (with AWS owned keys or AWS managed/customer managed KMS keys). However, the requirement here is stronger and explicit: patient data must be encrypted before it is stored in DynamoDB, meaning the encryption must occur client-side / application-side so that the data remains encrypted as it traverses the stack and is still encrypted when written to the table. This is often required for highly sensitive PII/PHI where administrators or downstream systems should not see plaintext.

Option A meets this requirement by encrypting the payload inside the Lambda function before making the PutItem call to DynamoDB, using KMS-backed envelope encryption via the AWS Encryption SDK (the option names it “Database Encryption SDK,” but the intent is client-side encryption). The encrypted fields remain ciphertext in transit to DynamoDB and at rest inside DynamoDB, satisfying both “in transit” and “at rest” with encryption happening prior to storage.

Option B only ensures DynamoDB encryption at rest at the service level, but the data would still be plaintext in the item attributes as seen by the application and anyone with DynamoDB read permissions (even though stored encrypted on disk). It does not guarantee “encrypted before stored.”

Option C encrypting after the write via streams is too late: plaintext would already be stored (and potentially accessed) before post-processing.

Option D adds unnecessary workflow complexity. Encrypting in a queue still requires encryption before DynamoDB, but it does not inherently simplify compared to encrypting directly in the Lambda that writes to DynamoDB.

Therefore, client-side encryption in Lambda using KMS-backed encryption is the correct solution.

DynamoDB access control operates at the table and item level , not at individual attribute deny rules in IAM or resource-based policies. Therefore, Option A is not supported. Encrypting the entire table with KMS (Option B) protects data at rest but does not prevent the Lambda function from reading sensitive attributes once access is granted.

To ensure the Lambda function cannot access PII, AWS documentation recommends controlling which attributes are returned from queries and scans. Using a projection expression (Option E) ensures that only non-PII attributes are returned to the function, even if PII exists in the item. This is a standard DynamoDB best practice for limiting data exposure.

For additional protection, client-side or application-level encryption should be used for sensitive fields. Option C uses envelope encryption with AWS KMS to encrypt only PII attributes. Even if the function retrieves the encrypted attribute, it cannot decrypt the data without KMS permissions. This ensures strong isolation of sensitive data.

ABAC (Option D) controls access to resources, not attributes, and therefore does not satisfy the requirement.

Thus, combining attribute-level encryption with projection expressions meets the security requirement.