Amazon Web Services Updated DVA-C02 Exam Questions and Answers by ishaaq

In CodePipeline, the service designed to run builds, execute unit/integration tests, and produce build artifacts (including test reports) is AWS CodeBuild. CodeBuild runs commands specified in a buildspec.yml file and supports reporting outputs such as test results (for example, JUnit XML), code coverage, and other build metadata.

Option A is correct because the developer can configure the CodeBuild project to run the test suite during the build phase and configure the buildspec to publish test report files. This integrates naturally into CodePipeline as a build stage, and the reports are generated consistently on each pipeline execution.

Option B is incorrect: CodeDeploy is for deploying applications (in-place/blue-green) and lifecycle hooks, not for standard build/test report generation.

Option C increases operational overhead by managing an EC2 build server, which is unnecessary when CodeBuild provides managed build environments.

Option D is unrelated: CodeArtifact is a package repository, not a test reporting solution.

Therefore, use CodeBuild and configure test reports via the buildspec.

For client-side encryption with AWS KMS, the documented pattern is envelope encryption: you use KMS to generate and protect a data encryption key (DEK), and you use that DEK locally to encrypt the actual data. This is the correct approach for large payloads (such as 10 MB documents), because the KMS Encrypt API is intended for encrypting small amounts of data (KMS is not designed to directly encrypt multi-megabyte application payloads).

With envelope encryption, the application calls GenerateDataKey on AWS KMS, specifying the KMS key (customer managed key) to use. KMS returns two versions of the DEK in the response:

a plaintext DEK (usable immediately by the application for local cryptographic operations), and

a ciphertext (encrypted) DEK that is encrypted under the specified KMS key.

The application then uses the plaintext DEK to encrypt the 10 MB document on the client side (for example, using an authenticated encryption mode such as AES-GCM via a standard crypto library). After encryption completes, the application must not persist the plaintext DEK; instead, it stores the encrypted document alongside the ciphertext DEK. Later, to decrypt, the application sends the ciphertext DEK to KMS using Decrypt to recover the plaintext DEK, and then decrypts the document locally.

Therefore, option D is correct because it explicitly uses GenerateDataKey and the plaintext DEK to encrypt the data, which is the required envelope-encryption flow. Options A, B, and C do not follow the correct KMS envelope-encryption process for large client-side payloads.

A common performance issue for Lambda functions that access relational databases is the overhead of establishing a new database connection on every invocation. In the provided pseudocode, each call to lambda_handler opens a connection, executes one statement, and closes the connection. When the function runs hundreds of times per hour, repeatedly creating and tearing down connections adds latency (TCP handshake, TLS negotiation if used, authentication, database session setup), and can also increase load on the database connection manager.

AWS guidance for Lambda execution environments explains that the runtime environment may be reused across multiple invocations of the same function (a “warm” execution environment). Code that is initialized outside the handler runs once per execution environment lifecycle and can be reused on subsequent invocations in that environment. By moving database.connect() into the global scope (module-level initialization), the function can reuse an existing connection when the execution environment is warm, reducing per-invocation latency and improving overall throughput.

This change directly targets the slow part of the flow (connection setup) without changing the database engine, resizing the database, or adding unrelated concurrency settings. Increasing reserved concurrency (A) controls scaling limits but does not reduce the per-invocation connection overhead; it can even amplify connection storms. Resizing the database (B) might help capacity, but it does not address the repeated connection establishment cost and is not the first optimization. Replacing RDS with DynamoDB (D) is a major redesign and unnecessary for the stated issue.

So the best improvement, with minimal code change and aligned with Lambda best practices, is option C: create the connection outside the handler and reuse it when possible, while still handling retries and reconnect logic if the connection becomes stale.