Download Full Version DVA-C02 Amazon Web Services Exam

AWS AppConfig Feature Flags are designed to release features safely with minimal code changes. The lowest operational overhead approach is to use a single feature flag and configure it to deliver the feature to a percentage of users through built-in targeting rules and variants.

With option C, the developer creates one AppConfig feature flag and defines a variant that represents the new feature behavior (for example, enabled=true or a “newExperience” variant). Then the developer creates a rule in AppConfig to target 15% of users. AppConfig feature flags support rules that can evaluate attributes (such as user IDs or other contextual attributes supplied by the application) and apply percentage-based rollout. This avoids building and maintaining custom rollout logic in the application.

Option A and D both require implementing and maintaining custom traffic splitting in code, which increases complexity and operational burden, and risks inconsistent behavior across clients/services.

Option B adds extra configuration overhead and complexity by managing multiple feature flags for “groups” instead of using a single flag with a variant and rule. A single flag with variants is the clean, scalable pattern.

Therefore, create one AppConfig feature flag, define a variant, and configure a rule to target 15% of users.

Requirement Summary:

WebSocket-based messaging app using API Gateway WebSocket APIs

Need to:

Identify clients repeatedly connecting/disconnecting

Be able to remove problematic clients

Evaluate Options:

A. Switch to HTTP APIs

HTTP APIs don’t support WebSocket connections

B. Switch to REST APIs

REST APIs are not compatible with WebSockets

C. Use the callback URL to disconnect clients

⚠️ Possible, but not a direct option

Callback URLs are used for sending messages to connected clients, not for disconnecting

D. Track client status in ElastiCache

Good solution: Store and update connection state (connected, disconnected, timestamps)

Helps track abuse or reconnections

E. Implement $connect and $disconnect routes

Required to capture connection lifecycle events

These can be used to log/store client behavior and decide on removal

WebSocket routes in API Gateway:

Managing WebSocket connections:

Comprehensive and Detailed Explanation (250–300 words):

AWS best practices for multi-tenant isolation recommend session-based access control using IAM session tags. Session tags allow temporary credentials to be scoped dynamically based on tenant context.

First, the data access role must allow sts:TagSession (Option A) so tenant identifiers can be passed securely at runtime. The Lambda function assumes this role and includes the tenant name as a session tag (Option F).

Next, IAM policies on the data access role restrict access to S3 object prefixes and DynamoDB partition keys by evaluating the session tag (Option C). This ensures that even if a bug occurs, the role cannot access data belonging to another tenant.

Resource-based DynamoDB policies and RCPs are unnecessary here and add complexity.

This approach follows AWS’s recommended attribute-based access control (ABAC) model and provides strong tenant isolation with minimal operational overhead.