Amazon Web Services edusum aws Certified Associate Changed Dva-c02 Questions by Ishaaq q65 vce pdf

Page: 22 / 44

Exam Name:	AWS Certified Developer - Associate
Exam Code:	DVA-C02 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Associate
Questions:	600 Q&A's	Shared By:	ishaaq

Question 88

A company runs an application in a third-party cloud. The company wants to use the application to update data in AWS by using API calls to AWS services. The API calls require credentials.

The company ' s security policy requires the company to limit the scope and duration of any credentials used to make API calls to AWS services.

Which solution will meet these requirements in the MOST secure way?

Options:

Create an IAM user for the application. Configure the application to load the IAM user ' s credentials as environment variables. Use the IAM user ' s credentials to interact with AWS services.

Create an IAM user for the application. Populate an AWS Secrets Manager secret with the IAM user ' s AWS credentials. Use the secret to interact with AWS services.

Create an IAM role for the application. Configure the application to call the AWS STS GetFederationToken API. Use the STS credentials to interact with AWS services.

Create an IAM role for the application. Configure the application to call the AWS STS AssumeRole API. Use the STS credentials to interact with AWS services.

Discussion

Answer:

Explanation:

The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.

With STS AssumeRole , the application requests temporary credentials for a specific IAM role . The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.

Options A and B rely on long-term IAM user credentials . Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.

Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole .

Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.

Question 89

A developer has written a distributed application that uses micro services. The microservices are running on Amazon EC2 instances. Because of message volume, the developer is unable to match log output from each microservice to a specific transaction. The developer needs to analyze the message flow to debug the application.

Which combination of steps should the developer take to meet this requirement? (Select TWO.)

Options:

Download the AWS X-Ray daemon. Install the daemon on an EC2 instance. Ensure that the EC2 instance allows UDP traffic on port 2000.

Configure an interface VPC endpoint to allow traffic to reach the global AWS X-Ray daemon on TCP port 2000.

Enable AWS X-Ray. Configure Amazon CloudWatch to push logs to X-Ray.

Add the AWS X-Ray software development kit (SDK) to the microservices. Use X-Ray to trace requests that each microservice makes.

Set up Amazon CloudWatch metric streams to collect streaming data from the microservices.

Discussion

Question 90

A company has an application that uses an Amazon S3 bucket for object storage. A developer needs to configure in-transit encryption for the S3 bucket. All the S3 objects containing personal data needs to be encrypted at rest with AWS KMS keys, which can be rotated on demand.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary.

Configure an S3 bucket policy to enable client-side encryption for the objects containing personal data by using an AWS KMS customer managed key

Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects containing personal data to Amazon S3.

Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition.

Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS.

Discussion

Answer:

C, D

Explanation:

Step-by-Step Breakdown:

Requirement Summary:

In-transit encryption (when data is moving between client and S3)

Encryption at rest using AWS KMS keys (which are rotatable on-demand)

Option A: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using permissions boundary

Incorrect: Permissions boundaries are for IAM policy control, not S3 bucket policies.

Also, encryption enforcement in-transit is not achieved through permissions boundaries.

Option B: Configure an S3 bucket policy to enable client-side encryption

Incorrect: AWS does not enforce client-side encryption via S3 bucket policies.

Client-side encryption must be handled entirely by the application.

Also, KMS is for server-side encryption, not client-side.

Option C: Configure the application to encrypt the objects by using an AWS KMS customer managed key before uploading the objects

Correct: This fulfills the requirement of encrypting objects at rest using a KMS CMK, which can be rotated.

You can specify the KMS key using the SSE-KMS option when putting an object.

Option D: Write an S3 bucket policy to allow only encrypted connections over HTTPS by using the aws:SecureTransport condition

Correct: This enforces in-transit encryption, which ensures that only HTTPS connections are allowed.

This is the AWS-recommended way to enforce encryption in transit via bucket policy.

Option E: Configure S3 Block Public Access settings for the S3 bucket to allow only encrypted connections over HTTPS

Incorrect: Block Public Access is used to prevent public exposure of the bucket.

It has nothing to do with encryption enforcement, whether in transit or at rest.

Using SSE-KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

aws:SecureTransport condition in bucket policies: https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html

Server-side encryption with AWS KMS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

Anaya

I found so many of the same questions on the real exam that I had already seen in the Cramkey Dumps. Thank you so much for making exam so easy for me. I passed it successfully!!!

Nina Mar 25, 2026

It's true! I felt so much more confident going into the exam because I had already seen and understood the questions.

Josephine

I want to ask about their study material and Customer support? Can anybody guide me?

Zayd Mar 19, 2026

Yes, the dumps or study material provided by them are authentic and up to date. They have a dedicated team to assist students and make sure they have a positive experience.

Mariam

Do anyone think Cramkey questions can help improve exam scores?

Katie Mar 10, 2026

Absolutely! Many people have reported improved scores after using Cramkey Dumps, and there are also success stories of people passing exams on the first try. I already passed this exam. I confirmed above questions were in exam.

Melody

My experience with Cramkey was great! I was surprised to see that many of the questions in my exam appeared in the Cramkey dumps.

Colby Mar 13, 2026

Yes, In fact, I got a score of above 85%. And I attribute a lot of my success to Cramkey's dumps.

Question 91

A developer is building a highly secure healthcare application using serverless components. This application requires writing temporary data to /Imp storage on an AWS Lambda function.

How should the developer encrypt this data?

Options:

Enable Amazon EBS volume encryption with an AWS KMS key in the Lambda function configuration so that all storage attached to the Lambda function is encrypted.

Set up the Lambda function with a role and key policy to access an AWS KMS key. Use the key to generate a data key used to encrypt all data prior to writing to Amp storage.

Use OpenSSL to generate a symmetric encryption key on Lambda startup. Use this key to encrypt the data prior to writing to /tmp.

Use an on-premises hardware security module (HSM) to generate keys, where the Lambda function requests a data key from the HSM and uses that to encrypt data on all requests to the function.

Discussion

Page: 22 / 44

Title

Questions

Posted

amazon web services.dumpskey.aws certified associate dva-c02 full course free.by constance.q52.vce.pdf

2026-02-27

amazon web services.examstopics.aws certified associate dva-c02 reddit questions.by kendall.q33.vce.pdf

2026-03-06

amazon web services.crack4sure.dva-c02 actual questions.by francisco.q65.vce.pdf

2026-03-21

amazon web services.pass4test.dva-c02 premium exam questions.by renee.q26.vce.pdf