Helping Hand Questions for DVA-C02

The correct answer is C because reserved concurrency guarantees that a specific AWS Lambda function has access to a defined number of concurrent executions. In this scenario, the function normally runs correctly but occasionally receives a surge of up to 500 S3 object-created events per minute . Since each invocation runs for about 30 seconds , the function may need substantial concurrency during those bursts. Configuring reserved concurrency ensures that this function has dedicated execution capacity available during peak periods and is not affected by concurrency consumption from other functions in the account.

AWS documentation explains that reserved concurrency both sets the maximum concurrency for a function and reserves that capacity exclusively for the function. This is especially helpful when one function must continue operating reliably under burst traffic. Even though other functions are currently running as expected, reserved concurrency is the direct AWS mechanism to protect the processing function from account-level concurrency contention during spikes.

Option A is incorrect because the function already completes in about 30 seconds; changing timeout does not solve high-volume invocation scaling. Option B is not the best answer because adding a Lambda layer does not guarantee improved throughput or concurrency handling. Option D is incorrect because decreasing memory usually reduces available CPU and can make performance worse, which would increase the chance of delays or failures.

Therefore, the most effective approach is to configure reserved concurrency for the processing function so it can continue to run reliably during high-volume object upload periods.

The requirement has two parts: (1) authenticate users with a third-party SAML IdP , and (2) after authentication, allow those users to access AWS services like Amazon S3 and DynamoDB. The AWS pattern for this is to federate the external identity into AWS and then exchange that identity for temporary AWS credentials .

Amazon Cognito identity pools are designed to provide AWS credentials to authenticated users (via AWS STS) so the users can call AWS services directly or through an application backend. Identity pools support federation with external identity providers, including SAML 2.0 . When a user authenticates with the third-party SAML IdP, the identity pool can accept the SAML assertion, map the user to an IAM role, and return temporary, scoped credentials (AccessKeyId/SecretAccessKey/SessionToken) associated with that role. Those credentials can be restricted using IAM policies to only the required S3 buckets, DynamoDB tables, and actions, satisfying least privilege.

Option A is incorrect because a Cognito user pool is primarily a user directory and OIDC/OAuth provider for application authentication; while user pools can integrate with SAML IdPs for federation, user pools alone do not directly issue AWS service credentials. The key requirement here is access to S3/DynamoDB, which is the role of an identity pool . Option C is not appropriate because IAM is not intended to provide end-user sign-up/sign-in for external users; it is for AWS identities and permissions. Option D is unrelated: CloudFront signed URLs control access to CloudFront-distributed content and do not authenticate users with SAML or provide AWS credentials.

Therefore, B meets both requirements: federate SAML authentication through a Cognito identity pool and provide temporary AWS credentials for accessing S3 and DynamoDB.

AWS Secrets Manager is purpose-built for securely storing and managing sensitive information such as API keys, tokens, and credentials. It provides automatic secret rotation , fine-grained IAM access control, encryption at rest using AWS KMS, and audit logging through AWS CloudTrail. This makes it the most secure and scalable option for managing short-lived authentication keys.

AWS Lambda extensions enable efficient secret retrieval by caching secrets locally within the execution environment. This reduces repeated calls to Secrets Manager on every invocation, improving performance and lowering costs while maintaining up-to-date credentials. AWS documentation explicitly recommends using Lambda extensions or caching logic for secrets that are frequently accessed.

Storing secrets in S3 (Option B) or environment variables (Option C) lacks built-in rotation and increases exposure risk. Parameter Store (Option D) supports encryption but does not provide native rotation for secrets without custom automation, making it less suitable for this use case.

Therefore, Secrets Manager with Lambda extensions provides the most secure, automated, and operationally efficient solution.

An Application Load Balancer can invoke Lambda functions as targets, but ALB must be explicitly granted permission to invoke the function. This is done by adding a resource-based permission to the Lambda function policy that allows the Elastic Load Balancing service principal to call lambda:InvokeFunction, typically scoped to the specific target group ARN.

If the developer registers the function as a target but does not add the required permission, the ALB will not be able to invoke the function when requests arrive. This is a common integration oversight: the target registration succeeds, but invocation fails because Lambda denies the call.

Option A is incorrect because ALB does support Lambda targets.

Option B is incorrect because Lambda targets can be configured through the console, CLI, or APIs.

Option D is unrelated: cross-zone load balancing affects distribution of traffic across AZs for instance/IP targets, not whether Lambda invocation is authorized.