AWS Certified Associate DVA-C02 Syllabus Exam Questions Answers

Requirement Summary:

Prevent unauthorized code changes in AWS Lambda

Ensure only trusted code is deployed

AWS Lambda supports Code Signing:

You can configure code signing in Lambda using AWS Signer

Packages must be digitally signed and verified against the signing profile

Rejects unauthorized/modified packages automatically

Evaluate Options:

A. Trusted code option in CodeDeploy

No such feature exists for Lambda

CodeDeploy is more for EC2/On-Prem/Containers, not Lambda code signing

B. Define code signing config + use AWS Signer

This is exactly how AWS enforces trusted code deployment

Attach a code signing configuration to the Lambda function

Use AWS Signer to digitally sign deployment packages

C. Link to KMS to sign code

KMS is not used to sign Lambda packages

KMS is for data encryption, not application code integrity

D. Set KmsKeyArn

This configures data encryption, not code signing

Lambda code signing:

AWS Signer overview:

The requirement in this scenario is encryption in transit for sensitive data exchanged between two EC2-based application fleets. AWS best practices clearly distinguish between network isolation and transport-layer encryption . Security groups (Option A) restrict traffic but do not encrypt it. EBS encryption (Option C) protects data at rest and does not affect data transmitted over the network.

Although a Site-to-Site VPN (Option B) would encrypt traffic, AWS documentation considers this approach unnecessary and operationally heavy when both workloads run inside AWS and application-level encryption is sufficient.

The most efficient and AWS-recommended approach is to use TLS (HTTPS) for application communication. AWS Certificate Manager (ACM) allows developers to provision and manage TLS certificates without manual certificate handling. Apache can be configured to use HTTPS with ACM-issued certificates, ensuring that all API traffic between the fleets is encrypted in transit using industry-standard TLS.

AWS documentation consistently recommends TLS for service-to-service communication within AWS when sensitive data is transmitted. This approach minimizes operational overhead, avoids additional networking infrastructure, and integrates natively with existing EC2-based applications.

Therefore, using ACM-issued certificates and HTTPS for Apache communication is the correct and most efficient solution.

The requirements describe a Git-driven workflow where each new branch automatically gets its own deployment with minimal setup and management. AWS Amplify is designed for exactly this use case for web (and supporting mobile backends): it integrates directly with Git providers and offers continuous deployment . Amplify’s feature branch deployments automatically create a separate deployment (and typically a distinct preview URL) for each connected branch, enabling developers to test and review changes per branch without manually provisioning environments.

With Amplify, the developer connects the repository once, selects the branches to deploy, and Amplify automatically builds and deploys the application whenever code changes are pushed. When a new branch is added, Amplify can be configured to deploy it as a separate environment, providing isolated testing, previewing, and validation. This dramatically reduces operational overhead because Amplify manages build settings, hosting, SSL, and branch-based environments without needing custom CI/CD wiring.

Option A (ECR + ECS + GitHub Actions) can support branch deployments, but it requires substantial operational work: container build pipelines, task/service management, networking, scaling, and environment isolation per branch. Option B (Elastic Beanstalk) can manage deployments, but branch-based automatic deployments are not as native; creating separate environments and managing application versions typically requires more manual steps or additional automation. Option C (Lambda aliases) is not a general-purpose web/mobile deployment approach and does not naturally map “new Git branch” to an isolated deployment environment without significant custom tooling.

Therefore, D is the best fit with the least operational overhead: use AWS Amplify with feature branch deployments to automatically create and manage separate deployments for Git branches.

CloudWatch for Log Analysis: CloudWatch is the best fit here because logs are already centralized. Here ' s the process:

Metric Filter: Create a metric filter on the CloudWatch Logs log group. Design a pattern to specifically identify application error messages.

Custom Metric: This filter generates a new custom CloudWatch metric (e.g., ApplicationErrors). This metric tracks the error count.

CloudWatch Alarm: Create an alarm on the ApplicationErrors metric. Configure the alarm with your desired threshold and a 5-minute evaluation period.

SNS Action: Set the alarm to trigger an SNS notification when it enters the alarm state.