Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

Amazon RDS for MySQL supports read replicas, which are copies of the primary database instance that can handle read-only queries. Read replicas can improve the read performance of the database by offloading the read workload from the primary instance and distributing it across multiple replicas. To use read replicas, the application code needs to be modified to direct read queries to the URL of the read replicas, while write queries still go to the URL of the primary instance. This solution requires less current and future effort than using a multi-AZ deployment, which does not provide read scaling benefits, or using open source replication software, which requires additional configuration and maintenance. Reference: Working with read replicas

The objects are “rarely accessed after 1 week” but must remain immediately available at all times. That means the storage class must support millisecond access without a restore process. S3 Standard-Infrequent Access (Standard-IA) is designed for exactly this: lower storage cost than S3 Standard, while still providing rapid access when needed.

With option B, an S3 Lifecycle rule transitions objects from S3 Standard to S3 Standard-IA after 7 days. This aligns perfectly with the usage pattern: frequent access initially, then infrequent access after a week, while keeping immediate availability.

Option C (S3 Glacier Flexible Retrieval) is not appropriate because Glacier classes are archival. Access typically requires a restore operation and retrieval time (minutes to hours), which violates “immediately available at all times.”

Option A expires objects, which deletes them after 7 days—this contradicts the requirement to keep objects available.

Option D is irrelevant because delete markers exist only when versioning is enabled. The bucket does not have versioning enabled, so this rule would not help.

Therefore, transitioning to S3 Standard-IA after 7 days is the correct cost-optimized solution while maintaining immediate availability.

The requirement is application-level encryption (client-side) in addition to RDS encryption at rest, specifically to prevent database administrators from viewing PHI. Also, some PHI objects are large, so the solution must encrypt locally without size limitations.

AWS best practice for large data encryption with KMS is envelope encryption. With envelope encryption, the application generates a data encryption key (DEK) (typically obtained from KMS using GenerateDataKey). The application uses the plaintext DEK locally with a symmetric algorithm (such as AES-GCM) to encrypt the large PHI payload efficiently. The DEK itself is then protected by encrypting it with a KMS customer managed key (CMK), producing an encrypted data key that can be safely stored alongside the ciphertext. Only principals with permission to use the CMK can decrypt the DEK and then decrypt the PHI data. This ensures that even database administrators who can access the RDS data cannot read PHI without KMS authorization.

Option A is not suitable because the KMS Encrypt operation is intended for small payloads (KMS has size limits for direct encryption), making it inappropriate for large PHI files.

Option B is insecure because embedding encryption keys in source code violates key management best practices and makes rotation and compromise containment difficult.

Option C provides only storage-level encryption for the database volume; it does not ensure that PHI remains unreadable to administrators who can access the database content.

Therefore, using envelope encryption with a KMS customer managed key and storing the encrypted data key with the record is the most secure solution.