Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in how to configure Lambda observability enhancements using the AWS SAM framework without breaking deployment automation. In production, this is about knowing exactly which Lambda extensions or tracing modes activate the right CloudWatch Logs Insights functionality. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
DevZone Solutions is building a serverless application deployed via AWS Serverless Application Model (SAM). Their application architecture includes multiple AWS Lambda functions defined in the SAM template. To improve operational visibility, the engineering team wants to enable Amazon CloudWatch Logs Insights for these Lambda functions to analyze log data efficiently. The SAM template currently includes a logical resource named CloudWatchLogGroup.
The Requirement: #
How should the lead developer modify the existing SAM template to properly activate CloudWatch Logs Insights for the Lambda functions?
The Options #
- A) Add an output named `CloudWatchInsightRule` that contains a value of the Amazon Resource Name (ARN) for the `CloudWatchLogGroup` resource.
- B) Add a parameter named `CloudWatchLogGroupNamePrefix` that contains a value of the application name. Reference the new parameter in the `CloudWatchLogGroup` resource.
- C) For each Lambda function, add the layer for the Lambda Insights extension and attach the `CloudWatchLambdaInsightsExecutionRolePolicy` AWS managed policy.
- D) For each Lambda function, set Tracing mode to Active and attach the `CloudWatchLambdaInsightsExecutionRolePolicy` AWS managed policy.
Correct Answer #
C
Quick Insight: The Developer Imperative #
To fully activate CloudWatch Logs Insights for Lambda functions, simply deploying log groups or tweaking tracing isn’t enough. You must explicitly add the Lambda Insights extension as a layer and grant the function the correct permissions via the managed execution role policy. This is the only option that bundles the required runtime monitoring capabilities and entitlements together.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
The AWS Lambda Insights feature requires two key components to be enabled correctly:
- Attach the Lambda Insights extension as a Lambda layer: This layer includes agents and monitoring binaries that collect enhanced metrics, logs, and traces sent to CloudWatch Logs and CloudWatch Logs Insights.
- Grant the IAM permission `CloudWatchLambdaInsightsExecutionRolePolicy` to the Lambda execution role: This managed policy provides the function with necessary permissions to publish enhanced telemetry.
These additions are explicitly required to activate CloudWatch Logs Insights capabilities for Lambda, beyond just creating log groups or configuring X-Ray tracing.
The Trap (Distractor Analysis) #
- Why not Option A?
  Outputs of ARNs are useful for referencing resources but do not automatically enable monitoring features or instrumentation of Lambda functions.
- Why not Option B?
  Parameters to prefix log group names only affect naming conventions and do not activate Insights or install the required Lambda layer.
- Why not Option D?
  Setting tracing mode to Active enables AWS X-Ray tracing, not CloudWatch Lambda Insights. While the managed policy helps permissions, without the Lambda Insights extension layer, Insights monitoring won’t be activated.
The Technical Blueprint #
```yaml
# Example SAM snippet to add Lambda Insights Layer and Policy
Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      # ... other function properties
      Layers:
        # Lambda Insights extension layer, pinned to an explicit version.
        # 580247275435 is the publishing account in most commercial regions;
        # confirm the ARN for your region in the AWS documentation.
        - arn:aws:lambda:<region>:580247275435:layer:LambdaInsightsExtension:<version>
      Role: !GetAtt LambdaExecutionRole.Arn
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
```
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case / Outcome |
|---|---|---|---|
| A | Low | None | Only ARN output; no monitoring activated |
| B | Low | None | Naming change; no instrumentation |
| C | Moderate (layer & policy) | Enables enhanced monitoring | Correctly activates CloudWatch Lambda Insights |
| D | Moderate (tracing + policy) | Enables X-Ray tracing only | Does not activate CloudWatch Lambda Insights |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick the option that adds the Lambda Insights layer and the execution role policy when you see “Activate CloudWatch Logs Insights” in a Lambda SAM deployment context.
Real World #
In production, you might use Infrastructure as Code pipelines to automate attaching the Lambda Insights layer and managed policy to hundreds of functions for consistent, scalable monitoring.
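A pipeline gate for the consistency described above, as an added example that is not part of the original note: it audits a parsed SAM template and reports every function missing either the Lambda Insights layer or the managed policy. It assumes the template is already loaded as a dict (JSON form), that the layer is named `LambdaInsightsExtension`, and the names `audit`, `SAMPLE` and the sample functions are hypothetical.

```python
import re

# Assumption: match the layer by name, so any region, account and version pass.
LAYER_RE = re.compile(r":layer:LambdaInsightsExtension(-Arm64)?:\d+$")
POLICY = "CloudWatchLambdaInsightsExecutionRolePolicy"

def _text(value):
    """Flatten a plain string or {'Fn::Sub': '...'} to a string."""
    value = value.get("Fn::Sub", "") if isinstance(value, dict) else value
    return value if isinstance(value, str) else ""

def _role_id(role):
    """Logical ID behind {'Fn::GetAtt': ['Role', 'Arn']} or {'Ref': 'Role'}."""
    target = (role.get("Fn::GetAtt") or role.get("Ref")) if isinstance(role, dict) else None
    return target[0] if isinstance(target, list) else str(target).split(".")[0]

def audit(template):
    """Return {function logical ID: [missing parts]} for incomplete functions."""
    resources = template.get("Resources", {})
    shared = template.get("Globals", {}).get("Function", {}).get("Layers", [])
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        props = res.get("Properties", {})
        role = resources.get(_role_id(props.get("Role")), {}).get("Properties", {})
        policies = props.get("Policies", [])
        policies = [policies] if isinstance(policies, str) else list(policies)
        policies += role.get("ManagedPolicyArns", [])
        missing = []
        if not any(LAYER_RE.search(_text(l)) for l in shared + props.get("Layers", [])):
            missing.append("layer")
        if not any(_text(p).endswith(POLICY) for p in policies):
            missing.append("policy")
        if missing:
            findings[name] = missing
    return findings

# Constructed sample template, not from the page; layer version 21 is a made-up value.
LAYER = {"Fn::Sub": "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:21"}
def _fn(**props):
    return {"Type": "AWS::Serverless::Function", "Properties": props}
SAMPLE = {"Resources": {
    "Role": {"Type": "AWS::IAM::Role", "Properties": {
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/" + POLICY]}},
    "GoodFn": _fn(Layers=[LAYER], Role={"Fn::GetAtt": ["Role", "Arn"]}),
    "TracedFn": _fn(Tracing="Active", Policies=[POLICY]),
    "NoPolicyFn": _fn(Layers=[LAYER]),
}}
```

`TracedFn` is the Option D configuration (tracing plus policy, no layer) and is flagged for the missing layer; failing the build on a non-empty result keeps unmonitored functions from shipping.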
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.