Amazon Web Services DVA-C02 Exam With Confidence Using Practice Dumps

AWS Lambda automatically integrates with Amazon CloudWatch Logs, but logging only works if the function’s execution role has the correct IAM permissions . AWS documentation states that Lambda functions require permissions for logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents to successfully publish log entries.

In this scenario, CloudWatch metrics show errors, which confirms that the function is executing. The absence of logs despite logging statements in the code strongly indicates a missing IAM permission issue , not a runtime or tracing issue.

CloudWatch Lambda Insights (Option B) provides performance metrics but does not enable basic logging. AWS X-Ray (Option C) provides distributed tracing but does not replace CloudWatch Logs. Option D is invalid because CloudWatch does not assume roles to collect logs.

AWS documentation explicitly identifies missing log permissions as the most common cause of absent Lambda logs. Therefore, granting the Lambda execution role the appropriate CloudWatch Logs permissions resolves the issue.

When data access is skewed toward a specific date (today), using ForecastDate as the partition key results in a " hot partition. " To resolve this, " Write Sharding " or " Partition Key Sharding " is used. Adding a calculated suffix (like a random or calculated number 1..N ) to the partition key distributes the requests for a single date across multiple physical partitions. CityId is then used as the sort key to keep city-specific data organized within those partitions.

The most secure approach on Amazon EC2 is to avoid long-term static credentials entirely and rely on IAM roles for Amazon EC2 (instance profiles). When an EC2 instance is associated with an instance profile, AWS automatically provides temporary security credentials to the instance through the instance metadata service (IMDS) . The AWS SDK and CLI can retrieve and rotate these credentials automatically, eliminating the need to store an access key and secret key on disk. This reduces the risk of credential leakage and removes the operational burden of key rotation.

In this scenario, the EC2 instance is already configured with an IAM instance profile in the same account as the S3 bucket. Because the bucket is in the same account and the instance profile can be granted the required permissions, there is no security benefit to keeping a separate stored access key/secret key or performing an additional STS AssumeRole hop. The simplest and most secure design is to attach an IAM policy to the instance profile role that allows the required s3:PutObject (and any related actions such as s3:PutObjectAcl if needed) on the specific bucket/prefix. The application code can then call S3 directly using the AWS SDK, which will automatically use the instance profile credentials.

Option A continues to use long-lived static credentials stored on the server, which is less secure than instance profiles. Option D is the same problem with different keys: still long-lived credentials that must be protected and rotated. Option B removes stored keys but keeps an AssumeRole call; although AssumeRole uses temporary credentials, it adds complexity and is unnecessary here because the instance already has an IAM role and the S3 bucket is in the same account.

Therefore, the most secure solution is C : remove static keys and the AssumeRole code and use the instance profile role with least-privilege S3 permissions.