DVA-C02 Exam Dumps - AWS Certified Developer - Associate

To meet the requirement that developers cannot view credit card numbers while the fraud detection account can , the solution must (1) ensure the sensitive data is masked at ingestion/storage in CloudWatch Logs, and (2) allow only an authorized principal to view unmasked values .

First, the developers must attach the data protection policy to the CloudWatch log group that receives the API Gateway HTTP API access logs (and/or the Lambda log group if credit card numbers can appear there). A CloudWatch Logs data protection policy is applied at the log group level and instructs CloudWatch Logs to identify sensitive data using managed data identifiers (for example, CreditCardNumber ) and then apply the configured de-identification action (here, masking). Without attaching the policy to the log group, the masking/redaction behavior will not be enforced for newly ingested log events, and developers could still see raw request parameters.

Second, to permit only the fraud detection account to reveal the masked values when necessary, the IAM role that the fraud detection account assumes must have the specific CloudWatch Logs permission to unmask protected data. Granting logs:Unmask to that role enables authorized access to view the sensitive values while keeping them masked for everyone else who lacks that permission (such as developer accounts assuming other roles).

Options A and E are not required for CloudWatch Logs data protection enforcement; the core controls are log-group policy attachment (to perform masking) and IAM authorization (to permit unmasking only for the fraud role). Therefore, the correct combination is C (apply the policy to the log group that captures the HTTP API logs) and B (grant logs:Unmask to the fraud detection role).

The correct answer is B because Amazon EventBridge is designed for building loosely coupled event-driven architectures . In this scenario, when an order is placed, the order processing system can publish a single event to an EventBridge event bus. Then, multiple independent consumers can react to that event through separate rules and targets . This matches the requirement to update inventory, send email, notify shipping, and update order history without tightly coupling those actions together.

EventBridge is especially well suited when the company wants to add new processing steps later . A new consumer can be added simply by creating another rule and target for the existing order event, without changing the original order submission code or the existing consumers. This supports extensibility and separation of concerns, which are key goals of event-driven design.

Option A is less appropriate because a single Lambda function that directly calls every downstream system becomes tightly coupled and harder to extend. Option C supports fan-out, but EventBridge provides richer routing, filtering, and event bus semantics for enterprise event-driven workflows. Option D is useful for workflow orchestration, but it creates a more centrally orchestrated pattern rather than the looser publish-and-subscribe model requested in the question.

AWS guidance for modern event-driven architectures emphasizes publishing events and allowing interested services to subscribe independently. EventBridge provides native routing and integration with many AWS services, making it easy to evolve the architecture over time. Therefore, B is the best answer for achieving loose coupling and future extensibility.

The requirement is real-time UI updates “immediately” without refreshing the dashboard. The most operationally efficient AWS-native method is to use API Gateway WebSocket APIs to push updates from the backend to the browser.

With option A, the client establishes a WebSocket connection and receives a connection ID. The application can associate uploads (or job IDs) with that connection ID (commonly storing the mapping in DynamoDB or another datastore). When the long-running validation finishes, the backend uses the WebSocket management API to post a message to the specific connection ID, and the browser updates the UI dynamically. This eliminates polling/refresh and scales well without managing servers.

Option B requires running and maintaining an EC2-hosted WebSocket server (patching, scaling, uptime), which is more operational overhead.

Option C uses email, which is not immediate UI updating and doesn’t update the dashboard without user action.

Option D is not appropriate: SNS does not directly push notifications to a web browser in a standard way, and it adds unnecessary complexity.

Therefore, using API Gateway WebSocket to push validation results to connected clients is the most operationally efficient solution.

The solution that will meet the requirements is to use the AWS SDK ssm PutParameter operation in the Lambda function from the existing custom resource to store the credentials as a parameter. Set the parameter value to reference the new credentials. Set the parameter type to SecureString. This way, the developer can store the API credentials with minimal operational overhead, as AWS Systems Manager Parameter Store provides secure and scalable storage for configuration data. The SecureString parameter type encrypts the parameter value with AWS Key Management Service (AWS KMS). The other options either involve adding additional resources to the CloudFormation template, which increases complexity and cost, or do not encrypt the parameter value, which reduces security.

The requirements are: (1) store an API key that a Lambda function will use, (2) ensure the secret is encrypted at rest using AWS KMS , and (3) the company must control key rotation , which implies using a customer managed KMS key (CMK) rather than an AWS managed key.

Option C meets the requirements by storing the API key in AWS Systems Manager Parameter Store as a SecureString parameter encrypted with a customer managed KMS key . SecureString is designed for sensitive configuration data and integrates with KMS so the organization can choose the CMK, manage its lifecycle, and control rotation policies. The Lambda function can retrieve the parameter at runtime using the AWS SDK, and IAM policies can tightly control access to the parameter and to the KMS key.

Option E also meets the requirements by storing the API key in a Lambda environment variable encrypted with a customer managed KMS key . Lambda encrypts environment variables at rest and allows you to specify a customer managed KMS key for encryption. This gives the company control over key rotation and key policy, satisfying the “must control key rotation” requirement. The function reads the value from the environment at runtime without additional network calls.

Why the other options fail:

A uses an AWS managed KMS key, which does not satisfy the requirement for the company to control rotation (you cannot manage rotation of AWS managed keys in the same way).

B is a plain String parameter, which is not encrypted as a secret and does not meet the at-rest encryption requirement.

D uses an AWS managed KMS key, again failing the company-controlled rotation requirement.

Therefore, the two valid solutions are C (Parameter Store SecureString with a customer managed CMK) and E (Lambda environment variable encrypted with a customer managed CMK).