Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

Amazon S3 event notifications can invoke AWS Lambda functions at very high rates during traffic spikes. In this scenario, up to 500 objects per minute can result in hundreds of concurrent Lambda invocations. By default, Lambda functions share the account’s unreserved concurrency pool , which can cause throttling if the pool is exhausted by sudden bursts.

AWS Lambda reserved concurrency guarantees a specific number of concurrent executions for a function. By configuring reserved concurrency, the developer ensures that sufficient execution capacity is always available for this specific function, regardless of other Lambda workloads in the account. This prevents throttling during high-volume S3 event bursts.

Increasing the timeout (Option A) does not address concurrency limits. Adding a layer (Option B) does not solve invocation throttling. Decreasing memory (Option D) can actually worsen performance and increase execution time.

AWS documentation explicitly recommends reserved concurrency when workloads experience unpredictable or bursty invocation patterns and must run reliably. Therefore, reserving concurrency is the correct and AWS-recommended solution.

To rotate database credentials without downtime, Secrets Manager recommends the alternating users (dual user) rotation strategy. With a single-user strategy, Secrets Manager changes the password for the same database user that the application is actively using. If the application continues using cached/old credentials during rotation, authentication failures and downtime can occur.

With the alternating users strategy, two database users exist (often named something like appuser and appuser_clone). Secrets Manager alternates which user is “active” in the secret. During rotation, Secrets Manager updates the inactive user’s password, verifies it, updates the secret to point to the newly updated user, and then (optionally) retires the old credentials. This approach minimizes disruption because there is always one known-good credential set while the other is being updated.

The question specifically requires regular rotation using Secrets Manager. That is achieved by enabling automatic rotation on the secret with a schedule (for example, every 30/60/90 days). Automatic rotation invokes the rotation Lambda (AWS-provided or configured) and performs the workflow without manual intervention.

Option D combines both requirements: automatic rotation plus the alternating users strategy for high availability and no downtime.

Option B mentions alternating users but “managed rotation” is not the standard term used in these choices as the primary differentiator—automatic rotation is the necessary capability to rotate regularly without manual effort.

Options A and C (single user) are more likely to cause downtime during rotation.

Therefore, configure automatic rotation with the alternating users rotation strategy.

To securely grant temporary access to a specific S3 object, the best option is to use an Amazon S3 presigned URL . A presigned URL is created by an IAM principal (user or role) that already has permission to access the object. The URL includes a signature and an expiration time , allowing anyone who has the URL to perform the specified operation (typically GET to download, or PUT to upload) until the URL expires . This meets the requirement for temporary access without changing the bucket to be publicly accessible.

Presigned URLs are especially useful when the developer needs to share access with people who do not have AWS credentials or are not part of the same AWS account. The developer can set an expiration that matches the business need (minutes to hours, etc.). After expiration, the URL no longer works, which reduces security exposure compared with long-lived access keys or permanently permissive bucket policies.

Option C (bucket policy with time restriction) can enforce time-based access, but it is not a practical way to securely share with a “specific group of people” unless those people authenticate with identifiable principals (IAM roles/users, federated identities) and you scope the policy to those principals. Simply providing the bucket S3 URL would not grant access unless the recipients also have valid permissions. Option D (static website hosting) is generally for public web content and does not inherently provide secure, temporary, per-object access control. Option A is unrelated to access sharing; object retention and restore operations are for retention/compliance and archival retrieval, not temporary permission grants.

Therefore, generating and sharing a presigned URL (B) is the standard, secure mechanism for time-limited access to S3 objects.