Amazon Web Services Updated DVA-C02 Exam Questions and Answers by keyaan

Secrets Management: AWS Secrets Manager is designed specifically for storing and managing sensitive credentials.

Environment Isolation: Creating separate secrets for each environment (development, staging, etc.) ensures clear separation and prevents accidental leaks.

Automatic Rotation: Secrets Manager provides built-in rotation capabilities, enhancing security posture.

Versioning: Tracking changes to secrets is essential for auditing and compliance.

This solution will meet the requirements by using AWS Encryption SDK, which is a client-side encryption library that enables developers to encrypt and decrypt data using data encryption keys that are protected by AWS Key Management Service (AWS KMS). The SDK encrypts the data encryption key with a customer master key (CMK) that is managed by AWS KMS, and stores it (encrypted) as part of the returned ciphertext. The developer does not need to keep track of the data encryption keys used to encrypt data, as they are stored with the encrypted data and can be retrieved and decrypted by using AWS KMS when needed. Option A is not optimal because it will require manual tracking of the data encryption keys used for each data object, which is error-prone and inefficient. Option C is not optimal because it will store the data encryption keys automatically in Amazon S3, which is unnecessary and insecure as Amazon S3 is not designed for storing encryption keys. Option D is not optimal because it will store the data encryption key in the user data for the EC2 instance, which is also unnecessary and insecure as user data is not encrypted by default.

The hourly scheduled batch model is causing timeouts because the function must process an ever-growing backlog in a single invocation, which can exceed AWS Lambda’s maximum 15-minute runtime. A best-practice serverless refactor is to switch from “periodic polling” to an event-driven approach where work is split into smaller, independent units that can scale horizontally.

Configuring Amazon S3 Event Notifications to invoke Lambda on each object upload turns each file into its own discrete event. Instead of one long-running invocation that scans and processes many files, Lambda executes quickly per upload and automatically scales with incoming volume (subject to concurrency and downstream limits). This directly reduces processing time per run and eliminates the backlog buildup that leads to timeouts.

The remaining requirement is preventing duplicate processing. S3 event delivery is designed to be highly reliable, and applications should be built with idempotency in mind. Recording processed identifiers (such as a transaction ID, object key + version ID, or an application-level unique ID) in Amazon DynamoDB allows the function to check whether an item has already been processed before performing writes or downstream actions. Using DynamoDB with a conditional write (for example, “insert only if not exists”) is a common pattern to ensure exactly-once effect even when events are delivered more than once.

The other options do not meet the requirements as well: running more frequently (C) or continuously polling (D) still wastes time scanning and can still create duplicate work; moving to a single EC2 instance (B) reduces elasticity and increases operational overhead, and it doesn’t inherently solve deduplication or scaling.

Therefore, A provides scalable, event-driven processing and a straightforward deduplication mechanism.