Amazon EventBridge: A service that reacts to events from various AWS sources, including S3. Rules define which events trigger actions (like invoking Lambda functions).

S3 Object Created Events: EventBridge can detect these, providing seamless integration for automated CSV processing.

S3 Lifecycle Rules: Allow for actions based on object age or prefixes. These can directly trigger Lambda functions for file processing.

Why Option C is Correct:Ensuring that pipeline artifacts are encrypted with a customer-managed AWS KMS key involves configuring the S3 bucket policy to require encryption. This policy ensures all objects uploaded to the bucket are encrypted with the specified KMS key.

Why Other Options are Incorrect:

Option A: A gateway endpoint improves S3 access efficiency but does not enforce encryption.

Option B: Encrypting CloudWatch Logs is unrelated to securing pipeline artifacts.

Option D: Configuring SNS for encryption does not affect the artifacts stored in the S3 bucket.

AWS Documentation References:

Using Server-Side Encryption with S3 Bucket Policies

When IAM user credentials require MFA for API access, the correct approach is to obtain temporary security credentials from AWS Security Token Service (STS) that are validated with an MFA code. AWS documentation describes using STS to issue temporary credentials that applications can use instead of long-term access keys, especially when MFA is required.

The specific STS API operation used for an IAM user to obtain temporary credentials is GetSessionToken. This call supports MFA by accepting the user’s MFA device serial number and a time-based one-time password (TOTP) code. STS then returns a set of temporary credentials: AccessKeyId, SecretAccessKey, and SessionToken, which the SDK can use to sign subsequent API requests. This is the standard method for enabling MFA-protected API access for IAM users.

Why the other options are wrong:

GetFederationToken is used to obtain temporary credentials for a federated user, often for scenarios where you want to grant access to resources for users who do not have IAM users. It’s not the typical method for IAM-user MFA enforcement for all calls.

GetCallerIdentity simply returns identity details for the current credentials; it does not generate credentials.

DecodeAuthorizationMessage is used to decode encoded authorization failure messages returned by AWS, not to authenticate.

Therefore, to access an API protected by MFA requirements for an IAM user, the developer should call GetSessionToken and then use the returned temporary credentials in the AWS SDK.

API Gateway Mocking: This feature is built for decoupling development dependencies. Here ' s the process:

Create resources and methods in your API Gateway.

Set the integration type to ' MOCK ' .

Define Integration Responses, mapping HTTP status codes to desired mocked responses (JSON, etc.).

Deployment and Use:

Create a deployment stage for the API.

Frontend teams can call this API and get the mocked responses without a real backend.

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and consistent performance with seamless scalability. The developer can create a DynamoDB table and configure the table with a primary key that consists of the title as the partition key and the release year as the sort key. This will enable querying for a given title and release year efficiently. The developer can also create a global secondary index that uses the genre as the partition key and the title as the sort key. This will enable querying for a given genre efficiently. The developer can store additional properties about the cast and production crew as attributes in the DynamoDB table. These attributes can have different data types and structures, and they do not need to be consistent across items.

Requirement Summary:

Prevent unauthorized code changes in AWS Lambda

Ensure only trusted code is deployed

AWS Lambda supports Code Signing:

You can configure code signing in Lambda using AWS Signer

Packages must be digitally signed and verified against the signing profile

Rejects unauthorized/modified packages automatically

Evaluate Options:

A. Trusted code option in CodeDeploy

No such feature exists for Lambda

CodeDeploy is more for EC2/On-Prem/Containers, not Lambda code signing

B. Define code signing config + use AWS Signer

This is exactly how AWS enforces trusted code deployment

Attach a code signing configuration to the Lambda function

Use AWS Signer to digitally sign deployment packages

C. Link to KMS to sign code

KMS is not used to sign Lambda packages

KMS is for data encryption, not application code integrity

D. Set KmsKeyArn

This configures data encryption, not code signing

Lambda code signing: https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html

AWS Signer overview: https://docs.aws.amazon.com/signer/latest/developerguide/what-is-signer.html

TTL for Automatic Deletion: DynamoDB ' s Time-to-Live effortlessly deletes expired items without manual intervention.

DynamoDB Stream: Captures changes to the table, including deletions of expired items, triggering downstream actions.

Lambda for Processing: A Lambda function connected to the stream provides custom logic for handling the deleted items.

Code Efficiency: This solution leverages native DynamoDB features and stream-based processing, minimizing the need for custom code.

Comprehensive and Detailed Step-by-Step Explanation:

Option A: Provisioned Capacity with Exponential Backoff:

Using provisioned capacity ensures sufficient throughput for the DynamoDB table.

Configuring the Lambda function to implement exponential backoff retries reduces the chance of exceeding capacity during peak usage.

This combination addresses the root cause (ProvisionedThroughputExceededException) and prevents errors without overprovisioning.

Why Other Options Are Incorrect:

Option B: Using SQS adds unnecessary latency and complexity. The issue lies in DynamoDB throughput, not request management.

Option C: A usage plan for the API does not address throughput issues in DynamoDB.

Option D: Invoking the Lambda function asynchronously does not resolve the DynamoDB capacity issue and might lead to delayed processing.

A function alias is a pointer to a specific Lambda function version. You can use aliases to create different environments for your function, such as development, testing, and production. You can also use aliases to perform blue/green deployments by shifting traffic between two versions of your function gradually. This way, you can easily roll back to a previous version if something goes wrong, without having to redeploy your code or change your configuration. Reference: AWS Lambda function aliases

Requirement Summary:

Deploy serverless application using:

API Gateway

AWS Lambda

Need dev, test, and prod environments

Want least development effort

Evaluate Options:

Option A: API Gateway stage variables + Lambda aliases

Most efficient and scalable

API Gateway supports stage variables (like env)

Lambda supports aliases (e.g., dev, test, prod)

You can configure each stage to point to a different alias of the same function version

Enables versioning, isolation, and low effort management

Option B: Use Amazon ECS

Overkill for a serverless setup

ECS is container-based, not serverless

Introduces unnecessary complexity

Option C: Duplicate code for each environment

High operational overhead and poor maintainability

Option D: Use Elastic Beanstalk

Not applicable: Elastic Beanstalk is for traditional app hosting, not optimal for Lambda + API Gateway

Lambda Aliases: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

API Gateway Stage Variables: https://docs.aws.amazon.com/apigateway/latest/developerguide/stage-variables.html

To run a containerized job hourly in ECS with minimal infrastructure management, the best choice is AWS Fargate. Fargate is a serverless compute engine for containers that runs ECS tasks without the developer needing to provision, patch, or scale EC2 instances.

With option C, the developer defines an ECS task definition using the Fargate launch type and schedules it (commonly via Amazon EventBridge Scheduler / EventBridge rule triggering RunTask). ECS handles the placement, networking, and execution of the task on managed infrastructure. This is the least operational overhead approach because there are no instances to manage and no capacity planning required, which fits an hourly job with small CPU/RAM needs.

Option A (capacity providers) is primarily for managing EC2 capacity for ECS and still requires underlying instances, which increases operational burden.

Option B runs the app on an EC2 instance, which requires instance lifecycle management, OS patching, scaling considerations, and failure handling.

Option D refers to managed node groups (an EKS concept) and does not apply cleanly to ECS. Even in a Kubernetes context, nodes still need management compared to Fargate.

Therefore, defining a Fargate task is the simplest and lowest-management solution.

Requirement Summary:

DynamoDB table Orders

Partition key: OrderID

No sort key

100,000+ records

Need to efficiently retrieve all records where:

OrderSource = " MobileApp "

Must optimize for user experience (i.e., performance)

Evaluate Options:

Option A: Scan with FilterExpression

Inefficient for large tables

A Scan reads every item in the table and then applies a filter condition.

This is slow, expensive, and not scalable as the dataset grows.

Option B: Create a Local Secondary Index (LSI) with OrderSource

Invalid: LSIs require the same partition key (OrderID) as the base table.

Since OrderSource is not part of the primary key, and we want to query based on it, LSI won’t help.

Option C: Create a GSI with OrderSource as the sort key

Misuse of sort key: Querying by sort key alone is not allowed in DynamoDB.

You must specify a partition key in a Query.

This design is not valid for the use case.

Option D: Create a GSI with OrderSource as the partition key

BEST CHOICE: With a GSI on OrderSource, you can query efficiently for all items where OrderSource = " MobileApp " .

DynamoDB GSIs allow an alternative access pattern for queries not supported by the base table schema.

GSI Design: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html

Querying a GSI: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html

Scan vs Query: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-query-scan.html

Amazon CloudWatch is the service that collects and stores logs from AWS Lambda functions. The developer can use CloudWatch Logs Insights to query and analyze the logs for errors and metrics. Option A is not correct because Amazon S3 is a storage service that does not store Lambda function logs. Option B is not correct because AWS CloudTrail is a service that records API calls and events for AWS services, not Lambda function logs. Option D is not correct because Amazon DynamoDB is a database service that does not store Lambda function logs.