A developer maintains a legacy ecommerce application that sends logs to an Amazon CloudWatch Logs...

Amazon Web Services DVA-C02 Question Answer

A developer maintains a legacy ecommerce application that sends logs to an Amazon CloudWatch Logs log group. During an audit, the developer discovers that the application sends credit card numbers and credit card verification codes to the log group.

The developer needs a solution to give support staff the ability to view the logs. However, the support staff must not be able to view the sensitive credit card information. Application administrators must be able to view the logs and must have access to the sensitive credit card data. The developer cannot modify the application code.

Which solution will meet these requirements?

Enable a data protection policy on the log group. Specify the sensitive credit card data to mask. Assign the logs:Unmask IAM permission to the application administrators.

Create an AWS KMS key and associate it with the log group. Assign the kms:Decrypt permission to application administrators.

Create an AWS Lambda function to redact the sensitive credit card information. Configure Amazon Macie to scan the log group for sensitive information and to run the Lambda function.

Configure a WAF for the application. Create a WAF rule to inspect and sanitize log data before it reaches CloudWatch.

Explanation:

Because the developer cannot change the legacy application code, the solution must apply controls at the logging layer. CloudWatch Logs provides data protection policies that can automatically detect sensitive data using managed data identifiers (including credit card data) and apply masking (de-identification) as log events are ingested. This ensures that sensitive values such as card numbers and verification codes are not displayed in plaintext to general viewers of the log group.

With option A, enabling a data protection policy on the log group and configuring it to mask the relevant credit card data ensures that when support staff query or view logs, the sensitive fields appear redacted. CloudWatch Logs also supports controlled access to view the original unmasked values through an explicit permission: users who have the appropriate IAM authorization (such as logs:Unmask) can retrieve or view the sensitive data, while everyone else sees only the masked version. Granting logs:Unmask to application administrators satisfies the requirement that administrators can access the sensitive data, while withholding it from support staff enforces the restriction.

Option B (KMS encryption) provides encryption at rest for the log group but does not prevent authorized readers from seeing sensitive data once decrypted. Support staff who can read logs would still see plaintext card data. Option C is not a standard or operationally efficient pattern for CloudWatch Logs redaction; Macie is primarily for discovering sensitive data in S3 and does not serve as the native masking mechanism for CloudWatch Logs ingestion. Option D is not applicable: AWS WAF inspects HTTP requests/responses at the edge or load balancer/API layer, not application log streams already being emitted to CloudWatch.

Therefore, A is the correct solution: use CloudWatch Logs data protection to mask sensitive data by default and grant logs:Unmask only to administrators.

Amazon Web Services DVA-C02 View All Questions

Amazon Web Services DVA-C02 Summary

Vendor: Amazon Web Services
Product: DVA-C02
Update on: Mar 11, 2026
Questions: 519

Price: $52.5 ~~$149.99~~

Buy Now DVA-C02 PDF + Testing Engine Pack

A developer is migrating an application to Amazon Elastic Kubernetes Service (Amazon EKS).

A developer is building an application that uses Amazon DynamoDB.

Spring Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmasmnth

A developer maintains a legacy ecommerce application that sends logs to an Amazon CloudWatch Logs...

The Answer Is:

Explanation:

Amazon Web Services DVA-C02 Summary

Payments We Accept

Contact Us