Pass DVA-C02 Exam Guide

Amazon API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. The developer can define a development stage on the API Gateway API and instruct the other developers to point the endpoints to the development stage. This way, the developer can provide beta access to the new version of the API without affecting customers who use the production stage. This solution will meet the requirements with the least operational overhead.

AWS CodeBuild integrates natively with AWS Secrets Manager , allowing secrets to be securely injected into build environments without being exposed in logs. When referenced using the secrets-manager mapping in the env section of buildspec.yml, CodeBuild automatically retrieves and decrypts the secret at runtime.

AWS documentation states that Secrets Manager provides encryption at rest using AWS KMS, fine-grained IAM access control, and automatic rotation support. Secrets retrieved this way are masked in build logs by default, satisfying the requirement that secrets do not appear in logs.

Parameter Store (Option C) can store encrypted values, but Secrets Manager is AWS’s preferred service for managing secrets, especially when rotation and auditing are required. Options B and D introduce unnecessary steps and higher operational overhead.

Therefore, Secrets Manager with CodeBuild environment variables is the most secure and operationally efficient solution.

To meet the requirement that developers cannot view credit card numbers while the fraud detection account can , the solution must (1) ensure the sensitive data is masked at ingestion/storage in CloudWatch Logs, and (2) allow only an authorized principal to view unmasked values .

First, the developers must attach the data protection policy to the CloudWatch log group that receives the API Gateway HTTP API access logs (and/or the Lambda log group if credit card numbers can appear there). A CloudWatch Logs data protection policy is applied at the log group level and instructs CloudWatch Logs to identify sensitive data using managed data identifiers (for example, CreditCardNumber ) and then apply the configured de-identification action (here, masking). Without attaching the policy to the log group, the masking/redaction behavior will not be enforced for newly ingested log events, and developers could still see raw request parameters.

Second, to permit only the fraud detection account to reveal the masked values when necessary, the IAM role that the fraud detection account assumes must have the specific CloudWatch Logs permission to unmask protected data. Granting logs:Unmask to that role enables authorized access to view the sensitive values while keeping them masked for everyone else who lacks that permission (such as developer accounts assuming other roles).

Options A and E are not required for CloudWatch Logs data protection enforcement; the core controls are log-group policy attachment (to perform masking) and IAM authorization (to permit unmasking only for the fraud role). Therefore, the correct combination is C (apply the policy to the log group that captures the HTTP API logs) and B (grant logs:Unmask to the fraud detection role).

The correct answer is C because for an in-place deployment on Amazon EC2 instances, AWS CodeDeploy automatic rollback works by redeploying the last known good revision when a deployment fails or when a configured monitoring alarm is triggered. AWS documentation explains that when automatic rollback is enabled, CodeDeploy creates a new deployment that uses the most recent successfully deployed application revision. This rollback deployment receives its own new deployment ID , because it is treated as a separate deployment event rather than a simple undo operation.

Option A is incorrect because CodeDeploy does not restore an Amazon S3 snapshot of the previous deployment state for EC2 in-place deployments. It redeploys the last successful revision instead. Option B describes behavior associated with blue/green deployment patterns , not in-place deployments . Route 53 alias switching and blue/green environment replacement are not how CodeDeploy handles failed validation during an EC2 in-place deployment. Option D is incorrect because CodePipeline orchestrates stages in a delivery pipeline, but it is not the service that performs the rollback behavior described here.

This distinction is important in AWS deployment design. In-place deployments update the same EC2 instances already serving the application. If validation fails, CodeDeploy does not roll traffic back through DNS or infrastructure replacement. Instead, it launches a rollback deployment of the previously successful application revision across those same instances. That behavior directly aligns with AWS CodeDeploy automatic rollback functionality for EC2/On-Premises in-place deployments.

Therefore, the correct result is that CodeDeploy redeploys the last known stable version as a new deployment , which makes C the right answer.