Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

This is a cross-account access pattern using STS AssumeRole. Account A owns the DynamoDB table and has created an IAM role (AccessPII) with permissions to access the table. Account A also configured a trust policy that allows principals from Account B to assume the role. That trust policy alone is not enough; the caller in Account B must also be allowed to call sts:AssumeRole.

Therefore, in Account B, the EC2 instance profile role (the role attached to the EC2 instances running the app) must have permission to assume the role in Account A. That is Option A.

Next, the application must actually obtain temporary credentials for the Account A role. The standard way is to call STS AssumeRole in the application logic (or use an SDK credential provider that assumes a role). This yields temporary credentials that have the permissions of the AccessPII role, allowing DynamoDB access in Account A. That is Option D.

Option B is not correct because granting direct DynamoDB table permissions in Account B does not grant access to a table owned by Account A unless Account A also grants access via a resource policy (DynamoDB resource policies exist but the scenario already sets up role assumption; the intended solution is AssumeRole).

Option C is incomplete/wrong: getting temporary credentials from the EC2 role alone gives permissions of the EC2 role in Account B, not the permissions in Account A. You must assume the cross-account role.

Option E is for IAM user MFA session tokens, not cross-account role assumption for an EC2 role.

Therefore, grant sts:AssumeRole to the EC2 role and call AssumeRole in code.

The correct answer is C because AWS AppConfig provides built-in support for feature flags , allowing developers to enable or disable features dynamically without redeploying application code. This is exactly what the question requires: keeping features hidden from end users until the features are ready for release, and then selectively activating them when appropriate.

AWS documentation describes AppConfig as a service for managing application configuration in a safe and controlled way. Feature flags in AppConfig let teams separate deployment from release , which is a core best practice in modern application development. A developer can deploy code that contains unfinished or hidden functionality, while the actual visibility and activation of that functionality is controlled through feature flag values stored in an AppConfig configuration profile. When the feature is ready, the flag can be turned on without changing the application package.

Option A is incorrect because AWS AppSync is a managed GraphQL service and is not the AWS feature flag service for application configuration management. Option B is incorrect because DynamoDB Streams are used for capturing item-level changes and reacting to table updates, not for controlled feature activation. Option D is incorrect because Amplify DataStore is intended for client-side data synchronization and offline access patterns, not centralized production feature flag management.

Using AppConfig also provides operational benefits such as deployment strategies, configuration validation, and rollback support, which make it safer than building a custom feature toggle mechanism. For these reasons, AWS AppConfig feature flags are the most appropriate and AWS-recommended solution for hiding prerelease features and selectively enabling them later.

Therefore, C is the correct answer.