Selected DVA-C02 AWS Certified Associate Questions Answers

This solution allows the Lambda function to be invoked by the DynamoDB stream whenever updates are made to items in the DynamoDB table. Event source mapping is a feature of Lambda that enables a function to be triggered by an event source, such as a DynamoDB stream, an Amazon Kinesis stream, or an Amazon Simple Queue Service (SQS) queue. The developer can configure event source mapping for the Lambda function using the AWS Management Console, the AWS CLI, or the AWS SDKs. Changing the StreamViewType parameter value to NEW_AND_OLD_IMAGES for the DynamoDB table will not affect the invocation of the Lambda function, but only change the information that is written to the stream record. Mapping an Amazon Simple Notification Service (Amazon SNS) topic to the DynamoDB stream will not invoke the Lambda function directly, but require an additional subscription from the Lambda function to the SNS topic. Increasing the maximum runtime (timeout) setting of the Lambda function will not affect the invocation of the Lambda function, but only change how long the function can run before it is terminated.

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.

To meet the requirement that developers cannot view credit card numbers while the fraud detection account can , the solution must (1) ensure the sensitive data is masked at ingestion/storage in CloudWatch Logs, and (2) allow only an authorized principal to view unmasked values .

First, the developers must attach the data protection policy to the CloudWatch log group that receives the API Gateway HTTP API access logs (and/or the Lambda log group if credit card numbers can appear there). A CloudWatch Logs data protection policy is applied at the log group level and instructs CloudWatch Logs to identify sensitive data using managed data identifiers (for example, CreditCardNumber ) and then apply the configured de-identification action (here, masking). Without attaching the policy to the log group, the masking/redaction behavior will not be enforced for newly ingested log events, and developers could still see raw request parameters.

Second, to permit only the fraud detection account to reveal the masked values when necessary, the IAM role that the fraud detection account assumes must have the specific CloudWatch Logs permission to unmask protected data. Granting logs:Unmask to that role enables authorized access to view the sensitive values while keeping them masked for everyone else who lacks that permission (such as developer accounts assuming other roles).

Options A and E are not required for CloudWatch Logs data protection enforcement; the core controls are log-group policy attachment (to perform masking) and IAM authorization (to permit unmasking only for the fraud role). Therefore, the correct combination is C (apply the policy to the log group that captures the HTTP API logs) and B (grant logs:Unmask to the fraud detection role).

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is to query records by CustomerID, which is not the current partition key (OrderID). To achieve this efficiently:

Option A: Create a GSI with CustomerID as the Partition Key:

A Global Secondary Index (GSI) allows developers to create a different partition key and optional sort key for querying the data.

By creating a GSI with CustomerID as the partition key, the developer can query the table efficiently using CustomerID as the primary lookup key.

This avoids scanning the entire table and matches the requirement.

Why Other Options Are Incorrect:

Option B: Using CustomerID as a sort key for the GSI and performing a scan operation is inefficient. Queries are optimized, but scans are not.

Option C and D: Local Secondary Indexes (LSI) are only valid when the partition key remains the same as the base table. Since OrderID is the base table’s partition key, using CustomerID as the partition key or sort key in an LSI is not valid.