Amazon Web Services Updated DVA-C02 Exam Questions and Answers by lula

Comprehensive and Detailed Step-by-Step Explanation:

Issue Analysis:

The stream uses service name as the partition key. This can cause "hot partition" issues when a few service names generate significantly more logs compared to others, causing uneven distribution of data across shards.

Metrics show that the write capacity used is below provisioned capacity, which confirms that the throughput errors are due to shard-level limits and not overall capacity.

Option C: Change Partition Key to Creation Timestamp:

By changing the partition key to the creation timestamp (or a composite key including timestamp), the distribution of data across shards can be randomized, ensuring an even spread of records.

This resolves the shard overutilization issue and eliminates ProvisionedThroughputExceededException.

Why Other Options Are Incorrect:

Option A: Switching to on-demand capacity mode might temporarily alleviate the issue, but the root cause (hot partitioning) remains unresolved.

Option B: Adding shards increases capacity but does not fix the skewed data distribution caused by using the service name as the partition key.

Option D: Creating separate streams for each service adds unnecessary complexity and does not scale well as the number of services grows.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-overview.html#access-control-resource-ownership

This solution will meet the requirements by ensuring that all traffic between users and CloudFront, and all traffic between CloudFront and the web application, are encrypted using HTTPS protocol. The Origin Protocol Policy determines how CloudFront communicates with the origin server (the web application), and setting it to “HTTPS Only” will force CloudFront to use HTTPS for every request to the origin server. The Viewer Protocol Policy determines how CloudFront responds to HTTP or HTTPS requests from users, and setting it to “HTTPS Only” or “Redirect HTTP to HTTPS” will force CloudFront to use HTTPS for every response to users. Option A is not optimal because it will use AWS KMS to encrypt traffic between CloudFront and the web application, which is not necessary or supported by CloudFront. Option C is not optimal because it will set the origin’s HTTP port to 443, which is incorrect as port 443 is used for HTTPS protocol, not HTTP protocol. Option E is not optimal because it will enable the CloudFront option Restrict Viewer Access, which is used for controlling access to private content using signed URLs or signed cookies, not for encrypting traffic.

For a serverless web application that needs user registration and authentication with minimal configuration, the standard AWS solution is Amazon Cognito User Pools. User Pools provide managed user directories, sign-up/sign-in flows, MFA options, password reset, and token-based authentication (OAuth2/OIDC/JWT). This integrates naturally with API Gateway (Cognito authorizers) and Lambda.

Option A is best because it uses Cognito User Pools plus an app client and the Hosted UI, which provides ready-made sign-up/sign-in pages. Hosted UI minimizes custom UI and backend authentication code while still allowing branding customization and secure token issuance. The SPA can authenticate via Cognito, receive JWT tokens, and call API Gateway endpoints securely.

Option B (identity pool) is primarily for granting temporary AWS credentials to access AWS services directly (federation). It does not replace User Pools for user registration/login flows; typically identity pools are used in addition to user pools, not instead, and require more configuration.

Option C adds unnecessary infrastructure (EC2) and defeats the “minimize configuration” goal.

Option D is not appropriate for end-user authentication. IAM users/groups are for workforce/admin access, not for customer-facing apps.

Therefore, Cognito User Pool + Hosted UI is the minimal-configuration secure solution.