Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

This solution meets the requirements in the most operationally efficient manner because it does not require any infrastructure provisioning or management. The developer can create a Lambda function that makes the API call and configure an EventBridge rule that triggers the function once a day at a designated time. This is a serverless solution that scales automatically and only charges for the execution time of the function.

The EC2 instances are in private subnets with no public internet access, yet the CloudWatch agent must publish metrics to Amazon CloudWatch. To send metrics, the instances need: (1) network connectivity to CloudWatch APIs, and (2) IAM permissions that allow the agent to publish metrics and logs.

The most secure approach is to avoid opening outbound internet access via a NAT gateway (which increases the network attack surface) and instead use AWS PrivateLink through a VPC interface endpoint for CloudWatch. An interface endpoint provides private connectivity from the VPC to CloudWatch without traversing the public internet.

On the permissions side, AWS provides the managed IAM policy CloudWatchAgentServerPolicy, which is intended for the CloudWatch agent running on servers to publish metrics/logs. Attaching this policy to the EC2 instance profile role provides the needed permissions while keeping scope appropriate (unlike an admin policy).

Why the other options are not best:

A uses CloudWatchAgentAdminPolicy (broader permissions than needed) and a NAT gateway (public internet path). That is not “most secure.”

B is irrelevant here because the agent is already installed and running; the issue is publishing connectivity/permissions.

D grants read-only access, which cannot publish metrics, so it cannot fix the issue.

Therefore, attach CloudWatchAgentServerPolicy to the instance role and create a VPC interface endpoint for CloudWatch.

Using a dead-letter queue (DLQ) with Amazon SQS is the most operationally efficient solution for handling unprocessable messages.

Amazon SQS Dead-Letter Queue:

A DLQ is used to capture messages that fail processing after a specified number of attempts.

Allows the application to continue processing other messages without being blocked.

Messages in the DLQ can be analyzed later for debugging and resolution.

Why DLQ is the Best Option:

Operational Efficiency: Automatically defers messages with errors, ensuring the queue is not blocked.

Analysis Ready: Messages in the DLQ can be inspected to identify recurring issues.

Scalable: Works seamlessly with Lambda and SQS at scale.

Why Not Other Options:

Option A: Logs the messages but does not resolve the queue blockage issue.

Option C: FIFO queues and 0-second retention do not provide error handling or analysis capabilities.

Option D: Alerts administrators but does not handle or store the unprocessable messages.

Steps to Implement:

Create a new SQS queue to serve as the DLQ.

Attach the DLQ to the primary queue and configure the Maximum Receives setting.

Using Amazon SQS Dead-Letter Queues

Best Practices for Using Amazon SQS with AWS Lambda