Cert-Pass
Log in Sign up
arrow_back Cert

AWS AWS Certified Data Engineer – Associate DEA-C01

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

AWS Certified Data Engineer – Associate DEA-C01

Compressed Course

AWS Certified Data Engineer – Associate DEA-C01 Exam Course

A compressed, exam-focused course built from the improved 1,040-question DEA-C01 practice bank and aligned to the current AWS exam guide. Use it as a start-to-finish learning path, a decision guide, and a final revision sheet.


1. Exam Overview

What the certification validates

The AWS Certified Data Engineer – Associate (DEA-C01) exam tests whether you can implement data pipelines and data stores on AWS, then monitor, troubleshoot, secure, govern, and optimize them. The exam is not only about naming services. Most questions describe a workload and ask for the best fit based on latency, scale, replayability, operational effort, cost, access pattern, security, or governance.

Current exam format

Item Details
Exam code DEA-C01
Level Associate
Duration 130 minutes
Questions 65 total
Question styles Multiple choice and multiple response
Scored questions 50
Unscored evaluation questions 15, not identified during the exam
Passing score 720 on a 100–1,000 scaled-score model
Scoring model Compensatory: pass the exam overall; you do not need to pass every domain separately

Blueprint version note

The current AWS documentation includes DEA-C01 guide Version 1.1, published on December 12, 2025. The revision consolidates skills and adds or emphasizes newer areas such as:

  • Amazon Aurora use cases
  • Amazon MemoryDB for Redis for fast key/value access
  • Apache Iceberg and Amazon S3 Tables
  • Vector indexes such as HNSW and IVF
  • Amazon Bedrock knowledge-base and LLM-assisted processing concepts
  • Amazon SageMaker Catalog lineage and governed-access concepts
  • Amazon SageMaker Unified Studio domains, domain units, and projects
  • Amazon Q, Amazon Kendra, and AWS Data Exchange as in-scope services

AWS removed AWS Cloud9, AWS CodeCommit, and AWS Schema Conversion Tool (AWS SCT) from the current in-scope services list. However, the current Domain 2 task page still references schema conversion examples such as AWS SCT and AWS DMS Schema Conversion. Know the migration concept, prioritize DMS Schema Conversion, and do not overinvest in old SCT-specific details.

How to think during the exam

For each scenario, identify the requirement that controls the answer:

  1. Data movement: streaming, micro-batch, batch, CDC, file transfer, or API.
  2. Latency: seconds, minutes, hourly, nightly, or ad hoc.
  3. Replay: must consumers re-read events after a defect or outage?
  4. Processing model: per-event, distributed batch, stateful stream, warehouse SQL, or containerized custom workload.
  5. Storage access pattern: object lake, analytical warehouse, relational transactions, low-latency key/value, search, graph, document, Cassandra-compatible, or vector similarity.
  6. Operations: managed/serverless preference versus configuration control.
  7. Security and governance: least privilege, encryption, catalog, lineage, audit, PII, sovereignty, and cross-account access.
  8. Failure handling: retries, backoff, queue buffering, dead-letter queue, quarantine, alarms, and logs.

The wrong answers are often real AWS services used at the wrong layer. Eliminate options that solve a different problem.


2. Exam Domains

Domain Official weighting What to master
Content Domain 1: Data Ingestion and Transformation 34% Streaming and batch ingestion, APIs, scheduling, event triggers, transformation engines, orchestration, programming and deployment concepts
Content Domain 2: Data Store Management 26% Choosing stores, catalogs, lifecycle controls, migrations, Redshift access patterns, Iceberg, vector indexes, schemas, lineage, partitioning and optimization
Content Domain 3: Data Operations and Support 22% Automation, querying, visualization, SQL analytics, observability, troubleshooting, logging, alerting, data quality, skew and sampling
Content Domain 4: Data Security and Governance 18% IAM, VPC access, secrets, Lake Formation, masking, KMS, cross-account encryption, audit logs, PII, AWS Config, sovereignty and governed sharing

Recommended study-time distribution

Spend roughly the same percentage of your preparation time as the exam weight, but give additional review time to cross-domain topics:

  • Amazon S3, AWS Glue, Amazon Redshift, DynamoDB, Athena, Lambda
  • Kinesis Data Streams, Kinesis Data Firehose, Amazon MSK, DMS
  • SQS, SNS, EventBridge, Step Functions, MWAA
  • Glue Data Catalog, Lake Formation, SageMaker Catalog, Unified Studio
  • CloudWatch, CloudTrail, CloudTrail Lake, AWS Config
  • IAM, KMS, Secrets Manager, Parameter Store, PrivateLink

3. Start-to-Finish Study Path

Phase 1 — Build the data-engineering mental model

Learn to map a requirement to a layer:

Layer Typical questions Main services
Source and ingestion How does data enter AWS? Is replay required? S3, Kinesis Data Streams, Firehose, MSK, DMS, AppFlow, DataSync, Transfer Family, API Gateway
Processing Is processing event-driven, distributed, stateful, or SQL-based? Lambda, Glue, EMR, Managed Service for Apache Flink, Redshift, ECS, EKS, AWS Batch
Orchestration and decoupling How do tasks run in order, on schedule, or after an event? EventBridge, Step Functions, MWAA, Glue workflows, SQS, SNS
Storage What is the access pattern and data model? S3, S3 Tables, Redshift, DynamoDB, Aurora/RDS, MemoryDB, OpenSearch, Neptune, DocumentDB, Keyspaces
Catalog and governance Who can find and use the data? Glue Data Catalog, Lake Formation, SageMaker Catalog, Unified Studio
Operations How do you detect, investigate, and recover? CloudWatch, CloudWatch Logs, Logs Insights, CloudTrail, CloudTrail Lake, Config, OpenSearch, SNS
Security Who authenticates, who is authorized, and how is data protected? IAM, Secrets Manager, Parameter Store, KMS, VPC, PrivateLink, Macie

Phase 2 — Master the highest-frequency service decisions

Prioritize these comparisons:

  1. Kinesis Data Streams vs Firehose vs MSK
  2. Glue vs EMR vs Lambda vs Flink vs Redshift SQL
  3. EventBridge vs Step Functions vs MWAA vs Glue workflow
  4. SQS vs SNS
  5. S3 vs Redshift vs DynamoDB vs Aurora/RDS
  6. Glue Data Catalog vs crawler vs Lake Formation vs SageMaker Catalog
  7. CloudWatch vs CloudTrail vs AWS Config
  8. Redshift Spectrum vs federated query vs data sharing vs materialized view
  9. S3 Lifecycle vs S3 Versioning vs Object Lock-style retention protections
  10. Bucket permission vs KMS-key permission for cross-account encrypted data

Phase 3 — Study each blueprint task methodically

Use Section 4 as your main course. Do not memorize only the service names. For every service, learn:

  • the workload it is designed for;
  • the signal words that suggest it;
  • the strongest competing service;
  • why the competitor fails in that specific scenario.

Phase 4 — Practice architecture elimination

Before choosing an answer, remove options that:

  • solve notification when the question asks for buffering;
  • solve delivery when the question asks for replay;
  • solve storage when the question asks for orchestration;
  • solve schema discovery when the question asks for authorization;
  • solve durability when the question asks for encryption;
  • solve API auditing when the question asks for configuration history;
  • solve batch analytics when the question asks for millisecond operational access.

Phase 5 — Revise current-version additions

Give targeted review time to:

  • Apache Iceberg and Amazon S3 Tables
  • HNSW and IVF vector indexes
  • Aurora PostgreSQL vector use cases
  • MemoryDB for Redis
  • Bedrock knowledge bases and LLM-assisted processing
  • SageMaker Catalog lineage and project-based access
  • SageMaker Unified Studio domains, domain units, and projects

Phase 6 — Final simulation strategy

When practicing:

  • complete mixed-domain sets;
  • justify why the best wrong answer fails;
  • flag questions where two answers look possible;
  • identify the requirement word that breaks the tie;
  • revisit weak decisions, not only wrong questions.

4. Core Concepts by Domain

Domain 1: Data Ingestion and Transformation — 34%

This is the largest domain. Expect scenarios that combine source type, latency, replay, processing choice, scheduling, failure recovery, and deployment.

Task 1.1 — Perform data ingestion

Streaming ingestion

Service or pattern Choose it when Do not choose it when
Amazon Kinesis Data Streams Multiple consumers need a retained stream, replay, ordered records within a shard, shard-based throughput, or enhanced fan-out The only requirement is managed delivery to S3 with low operational effort
Amazon Kinesis Data Firehose You need managed near-real-time delivery to destinations such as S3 with buffering and optional lightweight transformation Consumers must replay records from a durable stream or use custom stream-processing semantics
Amazon MSK Existing Kafka applications, partitions, consumer groups, Kafka client compatibility, or Kafka ecosystem tools must be preserved A simple managed delivery stream is enough
DynamoDB Streams You need item-level change events from a DynamoDB table You need general-purpose ingestion from arbitrary producers
AWS DMS with CDC You need ongoing inserts, updates, and deletes replicated from a database with low source impact You only need one static full extract or a SaaS connector

Replayability rule

Replay requirement → think Kinesis Data Streams or Kafka/MSK, not Firehose.

Firehose is excellent for managed destination delivery. It is not the default answer when the scenario explicitly says consumers need to re-read the last several hours after fixing processing logic.

Fan-in and fan-out

  • Fan-in: many producers write into a shared ingestion path.
  • Fan-out: multiple consumers read the same stream for different purposes.
  • Kinesis enhanced fan-out is relevant when consumers need dedicated read throughput and low-latency delivery without competing for shared stream read throughput.
  • An SQS queue distributes messages among competing consumers. It does not automatically give every independent analytics application its own copy of every record.

Throttling and rate limits

Recognize these signals:

  • HTTP 429 responses from APIs
  • Kinesis ProvisionedThroughputExceeded
  • DynamoDB hot partitions or throttled requests
  • RDS connection exhaustion
  • downstream systems overloaded by Lambda concurrency

Use:

  • exponential backoff with jitter;
  • bounded retries;
  • appropriate stream capacity or shard scaling;
  • well-distributed partition keys;
  • controlled Lambda concurrency;
  • buffering with SQS when bursts must be absorbed.

Do not retry immediately in a tight loop. That amplifies the failure.

Batch and file ingestion

Service Best fit
Amazon S3 Durable landing zone for files and raw lake data
Amazon AppFlow Low-code transfer between supported SaaS sources and AWS destinations, such as Salesforce to S3
AWS DataSync Managed movement between supported file systems and object-storage locations
AWS Transfer Family Managed SFTP, FTPS, and FTP-style transfer access into AWS storage
AWS Snow Family Large offline or edge transfer when network transfer is impractical
AWS DMS Database migration, full load, CDC, or both

Events versus schedules

Requirement Best tool
Run when an object arrives in S3 S3 Event Notifications or EventBridge event routing
Run every day at 02:00 even if no object arrives EventBridge Scheduler or a time-based scheduler
Run crawlers or jobs according to a DAG schedule MWAA or a workflow-specific scheduler

Trap: An S3 event cannot guarantee a daily run when no object arrives. A time schedule cannot provide immediate object-by-object responsiveness without polling.

APIs and connectivity

Know these concepts:

  • consuming external data APIs;
  • building data APIs for downstream consumers;
  • Amazon API Gateway as an API front door;
  • JDBC and ODBC connectivity to data sources;
  • IP allowlists where a source requires them;
  • retries, rate limits, authentication, and secret storage.

Task 1.2 — Transform and process data

Select the processing engine

Requirement Best starting choice Why
Small, short, event-driven transformation AWS Lambda Low operational overhead for bounded per-event work
Serverless Spark ETL over S3 data AWS Glue ETL Managed Spark, catalog integration, job scheduling and serverless operations
Highly customized distributed Spark or Hadoop workload Amazon EMR More control over clusters, frameworks, bootstrap actions and packages
Stateful streaming windows, sessions, rolling aggregates Amazon Managed Service for Apache Flink Continuous stateful stream processing
SQL transformations on warehouse staging tables Amazon Redshift SQL Efficient set-based transformations where the data already lives
Containerized custom workload Amazon ECS or Amazon EKS Useful when packaging, runtime control, dependencies, or Kubernetes requirements matter
Large parallel batch jobs AWS Batch Batch scheduling and compute provisioning for containerized jobs

Glue versus EMR versus Lambda

Use this elimination rule:

  • Choose Lambda for a small event handler.
  • Choose Glue for managed serverless ETL, especially Spark over S3 and catalog-integrated workflows.
  • Choose EMR when you need distributed open-source frameworks with deeper cluster-level control.
  • Choose Flink when the computation is continuously stateful over streams.

Trap: Do not choose EMR merely because the word “data” appears. Do not choose Lambda for a massive distributed join. Do not choose Glue for a requirement that explicitly demands detailed cluster bootstrap control.

File formats and partitioning

CSV is readable but expensive for repeated analytics scans. Apache Parquet is columnar and typically reduces scanned bytes when queries read only a subset of columns.

For Athena and data-lake analytics:

  • convert large analytical datasets to Parquet;
  • compress appropriately;
  • partition by common selective filters such as date, region, or source;
  • avoid excessive tiny files;
  • avoid partitioning by extremely high-cardinality fields when it creates too many small partitions.

Volume, velocity, and variety

Characteristic Question to ask
Volume How much data must be stored or processed?
Velocity How quickly does data arrive and how quickly must it be processed?
Variety Is the data structured, semi-structured, unstructured, tabular, text, logs, images, or events?

These dimensions help decide batch versus streaming, storage layout, processing engine, and cost model.

LLM-assisted processing

The revised guide includes integrating LLMs for data processing. The expected reasoning is practical:

  • use Amazon Bedrock models in a controlled workflow for tasks such as summarization, categorization, enrichment, or extraction from unstructured text;
  • validate generated output before downstream use;
  • store prompts, outputs, metadata, and quality signals where traceability matters;
  • do not assume a custom model must be trained from scratch.

Task 1.3 — Orchestrate data pipelines

Service Choose it when Closest wrong answer
AWS Step Functions Serverless sequence, branching, retries, wait states, error handling, and service integrations EventBridge can trigger the workflow but is not the detailed state machine
Amazon MWAA Existing or complex Apache Airflow DAGs, backfills, dependencies, scheduling Step Functions is excellent for AWS-native state machines but is not an Airflow migration target
AWS Glue workflows and triggers Glue-native crawler and ETL-job dependency chain S3 Lifecycle changes storage classes; it does not orchestrate jobs
Amazon EventBridge and Scheduler Event routing or time-based triggering SQS buffers work but is not the time scheduler
Amazon SQS Buffer bursts, decouple producer and consumer, retry messages, use DLQ SNS is pub/sub notification fan-out, not durable queue buffering for workers
Amazon SNS Fan out alerts or notifications to subscribers SQS is better when workers must consume queued tasks

Dead-letter queue and quarantine pattern

Use a DLQ or quarantine store when records repeatedly fail processing. Preserve:

  • original payload or reference;
  • failure reason;
  • timestamp;
  • pipeline stage;
  • retry count;
  • correlation identifier.

This allows investigation and controlled replay without blocking valid records.

Task 1.4 — Apply programming concepts

Know the following:

  • use AWS SDKs and APIs instead of scraping the console;
  • use AWS SAM for serverless application packaging;
  • use AWS CloudFormation or AWS CDK for repeatable IaC deployment;
  • use CI/CD services such as CodeBuild, CodeDeploy, and CodePipeline;
  • use Lambda layers for shared dependencies when appropriate;
  • mount EFS from Lambda when shared file-system access is required and properly configured;
  • do not attach EBS volumes directly to Lambda;
  • tune Lambda memory, timeout, concurrency, event-source batch size, and retry behavior;
  • use logs and metrics during debugging;
  • consider EC2 when unmanaged compute control is required;
  • consider ECS/EKS for containerized processing.

Lambda concurrency rule

If a downstream database has limited connections, unlimited Lambda concurrency can create a failure storm. Configure a reasonable concurrency limit and tune the event-source behavior. Optimize the entire path, not only Lambda throughput.


Domain 2: Data Store Management — 26%

Domain 2 is about selecting the correct store and configuring it for the access pattern. The exam often gives several technically possible services, but only one is purpose-built for the requirement.

Task 2.1 — Choose a data store

Core data-store map

Workload Prefer Why
Raw durable lake storage in many formats Amazon S3 Scalable object storage and broad analytics integration
Managed tabular storage on S3 with open table semantics Amazon S3 Tables and Apache Iceberg concepts Table metadata, transactional patterns, schema and partition evolution
Analytical SQL warehouse Amazon Redshift Complex analytical joins, aggregations, BI workloads
Operational key/value or document access with known keys Amazon DynamoDB Scalable low-latency access patterns
Relational transactions and SQL constraints Amazon Aurora or Amazon RDS Managed relational database capabilities
Durable Redis-compatible fast key/value access Amazon MemoryDB for Redis Low-latency in-memory-compatible access with durability
Text search, log analytics and inverted-index search Amazon OpenSearch Service Purpose-built distributed search and dashboards
Relationship traversal Amazon Neptune Graph use cases such as fraud paths or dependency graphs
MongoDB-compatible document workload Amazon DocumentDB Document-oriented API compatibility
Cassandra-compatible workload Amazon Keyspaces Managed Cassandra-compatible access patterns

Amazon S3 and data-lake design

Use S3 as the default durable landing zone for raw files. Design for:

  • clear prefixes and partitions;
  • immutable raw zones where appropriate;
  • curated zones with optimized formats;
  • lifecycle rules;
  • encryption;
  • access controls;
  • catalog registration;
  • versioning or retention protections where recovery or auditability matters.

DynamoDB partition-key reasoning

A DynamoDB design starts from access patterns. Choose a partition key that distributes traffic well.

Hot partition warning: If most reads or writes use one value, throughput concentrates on one partition. Consider higher-cardinality keys, composite patterns, or controlled write sharding.

Do not choose DynamoDB for complex ad hoc analytical joins. Do not choose Redshift for customer-facing single-digit-millisecond operational lookups.

Amazon Redshift access patterns

Feature Use it for Common confusion
COPY Efficient bulk load from S3 into Redshift Row-by-row inserts are usually inefficient for bulk loading
UNLOAD Export query results from Redshift to S3 DELETE removes rows; it does not export results
Redshift Spectrum Query S3 external data from Redshift SQL It is not the same as querying a live relational database
Federated query Query supported operational databases such as Aurora PostgreSQL from Redshift It is not the same as Spectrum over S3
Materialized view Precompute repeated expensive query results when controlled staleness is acceptable A standard view does not materialize results
Data sharing Governed access to Redshift data without copying the full dataset Sharing administrator credentials is never the answer

Also understand distribution styles, sort keys, compression, and workload-driven table design. Optimize based on joins, filters, and scan patterns.

Locks

The blueprint includes managing locks to prevent access to data in services such as Redshift and RDS. Understand the purpose:

  • preserve consistency during concurrent operations;
  • identify blocking sessions;
  • avoid unnecessary long-running transactions;
  • troubleshoot lock contention rather than scaling unrelated resources.

Open table formats: Apache Iceberg and S3 Tables

Apache Iceberg is an open table format for large analytical tables. Think beyond “files in folders.” Iceberg adds table-level metadata and supports capabilities such as:

  • schema evolution;
  • partition evolution;
  • transactional table operations;
  • snapshot-oriented management;
  • improved table maintenance patterns.

Amazon S3 Tables is a current in-scope service for managed tabular-storage patterns in S3. Exam questions may test when ordinary raw S3 objects are sufficient versus when managed table semantics are beneficial.

Vector indexes: HNSW and IVF

The updated blueprint expects recognition of vector indexes and vectorization concepts.

Index concept General strength General tradeoff
HNSW Strong approximate nearest-neighbor search performance and high-recall retrieval patterns Index build and memory cost can be higher
IVF Partitions vectors into clusters and searches selected clusters Recall and latency depend on tuning; broader probing can improve recall at additional cost

Use the requirement to reason about recall, latency, memory, build time, and scale. B-tree indexes are not the default solution for embedding similarity search.

A current example is vector indexing with Aurora PostgreSQL. Amazon Bedrock knowledge-base scenarios may involve chunking content, generating embeddings, and storing them in a vector-capable index for semantic retrieval.

Task 2.2 — Understand data cataloging systems

Catalog components

Component Purpose
AWS Glue Data Catalog Technical metadata repository for tables, columns, partitions, and data locations
AWS Glue crawler Inspects data and creates or updates catalog metadata
Partition synchronization Makes new partitions visible to query engines such as Athena
Glue connections Store connectivity metadata for sources or targets
Apache Hive metastore Technical metastore concept that may appear in data-platform scenarios
Amazon SageMaker Catalog Business-oriented catalog, lineage, discovery, and governed data-product concepts

Catalog traps

  • A crawler discovers schema. It does not authorize users.
  • Lake Formation governs permissions. It is not simply a crawler.
  • A folder structure is not automatically an Athena partition. Catalog metadata or partition projection must align with the layout.
  • New S3 partitions might exist physically but remain invisible to queries until catalog metadata is synchronized.

Task 2.3 — Manage the lifecycle of data

Requirement Feature
Move older S3 objects to a cheaper tier S3 Lifecycle transition
Delete S3 objects after a retention period S3 Lifecycle expiration
Recover overwritten or deleted S3 objects S3 Versioning
Expire DynamoDB items by age DynamoDB TTL
Bulk load from S3 into Redshift COPY
Export Redshift results to S3 UNLOAD
Meet legal deletion requirements Explicit deletion and verified governance workflow
Improve resilience and availability Design appropriate storage redundancy, backups, replication and recovery controls

Important lifecycle distinctions

  • Lifecycle transition changes storage class.
  • Lifecycle expiration deletes according to age-based policy.
  • Versioning preserves recoverable object versions.
  • DynamoDB TTL marks items for automatic expiration; do not treat it as an immediate synchronous deletion guarantee.
  • Retention protection prevents inappropriate deletion; use appropriate controls and tightly scoped permissions for audit archives.

Task 2.4 — Design data models and schema evolution

Schema evolution

Design for compatible change:

  • additive optional fields are often easier to support than breaking changes;
  • historical records may not contain newly introduced fields;
  • preserve backward compatibility where possible;
  • version schemas when changes are significant;
  • test readers and writers independently;
  • keep lineage and catalog metadata current.

Schema conversion

Recognize migration scenarios that require converting a source schema for a target database. The current blueprint task page references AWS DMS Schema Conversion and legacy AWS SCT examples. Focus on the migration purpose:

  • assess compatibility;
  • convert supported schema objects;
  • identify manual remediation;
  • combine schema work with data migration or CDC when required.

Data lineage

Lineage answers questions such as:

  • Where did this dataset originate?
  • Which transformation generated this field?
  • Which pipelines depend on this table?
  • What will break if a schema changes?
  • Which approved data product is the trusted source?

Amazon SageMaker Catalog and SageMaker lineage capabilities are relevant current concepts.


Domain 3: Data Operations and Support — 22%

Domain 3 tests whether you can keep pipelines useful after deployment. Expect automation, SQL analysis, dashboards, logs, metrics, alerts, debugging, and data-quality questions.

Task 3.1 — Automate data processing by using AWS services

Use:

  • EventBridge Scheduler for recurring invocations;
  • EventBridge events for event routing;
  • Lambda for event-driven automation;
  • Step Functions or MWAA for orchestration;
  • Glue, EMR, and Redshift features for processing;
  • SDK calls for supported programmatic control;
  • Athena for serverless SQL over S3;
  • Glue DataBrew for visual preparation and profiling;
  • SageMaker Unified Studio for governed data and analytics workspaces;
  • APIs for reusable data access paths.

Console-scraping trap

When a service API or SDK exists, use it. Scraping console HTML is brittle and unsupported.

Task 3.2 — Analyze data by using AWS services

SQL analysis

Understand:

  • filtering;
  • grouping;
  • aggregation;
  • joins;
  • window functions;
  • rolling averages;
  • pivoting;
  • reusable views;
  • materialized results versus logical views.

A seven-day rolling average normally requires a window function over an ordered date range, not only GROUP BY.

Athena versus Redshift analysis

Requirement Prefer
Ad hoc serverless SQL directly over S3 Athena
Repeatable warehouse analytics and complex SQL over managed warehouse tables Redshift
Reusable logical SQL abstraction Athena view or Redshift view, depending on data location
Interactive Spark exploration without provisioning a separate cluster Athena notebook for Apache Spark

Provisioned versus serverless

Workload shape General preference
Sporadic, ad hoc, unpredictable querying Serverless can reduce idle-resource cost and operations
Stable, high-volume, predictable workload requiring tuned capacity Provisioned or carefully managed capacity may be more appropriate

Avoid assuming serverless is always cheaper or provisioned is always faster. Match the workload.

Visualization and preparation

Know the role of:

  • Glue DataBrew for visual profiling and preparation;
  • QuickSight-style business visualization concepts;
  • notebooks for exploration;
  • SageMaker Data Wrangler where data-preparation scenarios reference it;
  • SageMaker Unified Studio for governed collaborative workflows.

The current AWS documentation may show Amazon QuickSuite in the in-scope service list while domain skill examples still reference Amazon QuickSight. Focus on visualization and analytics decision-making rather than product-name trivia.

Task 3.3 — Maintain and monitor data pipelines

Observability map

Question asks for Use first
Operational metric, threshold, alarm Amazon CloudWatch metrics and alarms
Application log storage Amazon CloudWatch Logs
Interactive query over CloudWatch logs CloudWatch Logs Insights
Who changed an AWS resource by calling an API AWS CloudTrail
SQL-based centralized query of CloudTrail events AWS CloudTrail Lake
How a resource configuration changed over time AWS Config
Full-text operational log search and dashboards Amazon OpenSearch Service
Query archived logs stored in S3 Amazon Athena; consider EMR for very large big-data processing cases
Notify an operations channel or email list Amazon SNS integrated with alarms

CloudTrail versus AWS Config versus CloudWatch

  • CloudTrail: API activity — who called what and when.
  • AWS Config: configuration state and change history.
  • CloudWatch metrics and alarms: operational conditions.
  • CloudWatch Logs: application and service logs.
  • Logs Insights: search and aggregate CloudWatch Logs.

This distinction appears repeatedly in realistic exam scenarios.

Spark and Glue troubleshooting

When a distributed job slows down or fails:

  1. inspect logs and metrics;
  2. locate the slow stage;
  3. check skewed keys and partition sizes;
  4. inspect executor memory and shuffle behavior;
  5. check tiny files, serialization, retries, and downstream throttling;
  6. verify source and destination connectivity;
  7. tune resources only after identifying the bottleneck.

Data skew

A skewed join key sends a disproportionate amount of data to a subset of workers. Symptoms include:

  • one or a few tasks running much longer than the rest;
  • uneven shuffle partitions;
  • executor memory pressure;
  • a slow final stage despite many idle workers.

Mitigation depends on the workload: repartitioning, key salting, broadcast joins for suitable small tables, pre-aggregation, filtering earlier, or redesigning the operation.

Task 3.4 — Ensure data quality

Quality dimensions

Dimension Example failure
Completeness Required customer ID is missing
Validity Negative order total where only non-negative values are allowed
Consistency Conflicting representations of the same attribute
Referential integrity or consistency Order refers to a customer ID absent from the customer dimension
Timeliness Data arrives too late for its SLA
Uniqueness Duplicate business key appears unexpectedly

Quality patterns

  • validate during processing;
  • define explicit rules;
  • quarantine malformed or invalid records;
  • preserve error context;
  • alert on threshold breaches;
  • sample large datasets for fast initial assessment;
  • run full checks for critical controls where required;
  • reconcile counts and aggregates between stages;
  • track quality trends over time.

Trap: S3 Versioning preserves object history but does not validate field values. A DLQ or quarantine path is better than silently dropping invalid records.


Domain 4: Data Security and Governance — 18%

Domain 4 is smaller but highly scoreable if you master the distinctions. Security questions often test two permission layers, least privilege, or the difference between authentication, authorization, encryption, and auditing.

Task 4.1 — Apply authentication mechanisms

IAM roles first

Use roles with temporary credentials for AWS workloads:

  • Lambda execution role;
  • Glue job role;
  • Step Functions execution role;
  • EC2 instance profile;
  • service role for managed integrations;
  • cross-account role when appropriate.

Do not embed long-lived administrator access keys in code. Do not share root credentials.

Secrets

Requirement Prefer
Store and rotate database credentials AWS Secrets Manager
Store configuration values or secure parameters when advanced rotation workflows are not required AWS Systems Manager Parameter Store

Network access

  • Use VPC security groups to allow only required ports and sources.
  • Use private subnets and controlled routing where appropriate.
  • Use AWS PrivateLink interface VPC endpoints for private access to supported services without traversing the public internet.
  • Use S3 Access Points where they simplify controlled access patterns.
  • Use IP allowlists only when required by the source or partner; do not treat them as a replacement for IAM and encryption.

Managed versus unmanaged services

A managed service reduces operational responsibility but may reduce low-level control. Choose according to the requirement. If a scenario repeatedly says “minimal operational overhead,” prefer the managed or serverless fit that still meets the technical need.

SageMaker Unified Studio governance concepts

Understand:

  • domains;
  • domain units;
  • projects;
  • governed collaboration boundaries;
  • controlled access to data assets.

Task 4.2 — Apply authorization mechanisms

Least privilege

Grant only:

  • the necessary actions;
  • on the necessary resources;
  • for the necessary principals;
  • under the necessary conditions.

Example: A Lambda function that reads one S3 landing prefix should receive scoped s3:GetObject permissions for that prefix, not AdministratorAccess.

Lake Formation

Use AWS Lake Formation for centralized fine-grained permissions over governed data-lake access. It can manage access patterns involving services such as Athena, Redshift, EMR, and S3-backed data.

Authorization models

Model Use
Role-based access control (RBAC) Permissions based on job function or role
Tag-based or attribute-based access control (ABAC) Scalable policy decisions based on attributes such as department, environment, or classification
Database users, groups and roles Database-native privileges, such as read access to selected Redshift schemas

Task 4.3 — Ensure data encryption and masking

Encryption at rest

For controlled S3 encryption with key-policy and audit requirements, use SSE-KMS with an appropriate AWS KMS key design.

Encryption in transit

Use TLS for sensitive data moving across networks. Durability, versioning, and lifecycle rules do not encrypt network traffic.

Cross-account SSE-KMS access

Encrypted cross-account access usually requires permissions at both layers:

  1. access to the data resource, such as S3 object permissions;
  2. permission to use the KMS key for the required cryptographic action.

Trap: A bucket policy alone is insufficient when the receiving principal cannot decrypt the object.

Masking and anonymization

Use masking, tokenization, or anonymization when non-production or analytical consumers do not need direct identifiers. Do not copy raw production identifiers into lower-trust environments without justification.

Task 4.4 — Prepare logs for audit

Use:

  • CloudTrail for API-call evidence;
  • CloudWatch Logs for application logs;
  • CloudTrail Lake for centralized CloudTrail event queries;
  • Athena for SQL over archived logs in S3;
  • Logs Insights for CloudWatch-log exploration;
  • OpenSearch for indexed full-text search and dashboards;
  • EMR for large-scale log-processing cases;
  • controlled S3 log archives with retention protections and tightly scoped permissions.

Task 4.5 — Understand data privacy and governance

PII identification

Use Amazon Macie to discover sensitive data in S3. Lake Formation can complement this by governing access to cataloged lake data.

Data sovereignty

Data sovereignty means controlling where regulated data is stored, copied, backed up, and replicated. Check:

  • primary Region;
  • backup Region;
  • replication destination;
  • disaster-recovery copies;
  • cache or edge behavior where relevant;
  • cross-account shares;
  • export workflows.

Do not casually introduce copies in disallowed Regions.

AWS Config

Use AWS Config to review configuration changes over time, such as when an S3 encryption setting changed. Use CloudTrail when the key question is which API call or principal performed the action.

Governed sharing

Recognize:

  • Redshift data sharing;
  • Lake Formation permissions;
  • SageMaker Catalog projects;
  • ownership and approval workflows;
  • business catalog discovery;
  • lineage;
  • explicit data-sharing patterns.

5. Service Selection Guide

Ingestion and transport

Need Choose Why not the closest alternative?
Retained stream with replay and custom consumers Kinesis Data Streams Firehose is managed delivery, not the default replay log
Managed delivery of streaming events to S3 with minimal operations Kinesis Data Firehose Kinesis Data Streams needs consumer logic
Kafka compatibility and consumer groups Amazon MSK Firehose and Kinesis do not preserve Kafka APIs
Database CDC AWS DMS with CDC Repeated full exports waste resources and increase source load
SaaS connector such as Salesforce to S3 Amazon AppFlow DataSync is for supported file and object storage movement
Managed file transfer AWS DataSync AppFlow is SaaS integration, not general file-system transfer
Managed SFTP/FTPS/FTP endpoint AWS Transfer Family DataSync does not expose a partner-facing transfer protocol endpoint
Offline bulk migration AWS Snow Family Network transfer may be impractical
Worker buffering and retry SQS SNS is pub/sub fan-out rather than worker-queue buffering
Alert fan-out SNS SQS queues work items rather than broadcasting alerts

Processing

Need Choose Common trap
Per-event bounded transformation Lambda Do not launch EMR for each record
Serverless Spark ETL Glue Do not manage a cluster unless control is needed
Configurable big-data framework cluster EMR Do not choose Glue when detailed bootstrap and cluster control are explicit
Stateful streaming windows Managed Service for Apache Flink Lambda alone is not a stateful streaming engine
Set-based transformation in a warehouse Redshift SQL Do not export rows to Lambda for large joins
Custom container runtime ECS or EKS Choose EKS only when Kubernetes requirements justify it

Orchestration

Need Choose Common trap
Stateful serverless workflow with branching and retries Step Functions EventBridge can trigger but does not model the workflow states
Airflow DAG migration or complex Airflow operations MWAA Step Functions is not managed Airflow
Glue crawler and Glue job dependencies Glue workflow and triggers Lifecycle rules do not orchestrate jobs
Time-based run EventBridge Scheduler S3 events do not fire when no object arrives
Event routing EventBridge Scheduler is for time; SQS is for buffering

Storage and analytics

Need Choose Common trap
Data lake S3 Lambda ephemeral storage is not durable storage
Open table format on lake data Apache Iceberg concepts and S3 Tables Plain unversioned CSV objects lack table semantics
Warehouse Redshift DynamoDB is not an analytical-join warehouse
Operational millisecond key lookup DynamoDB Athena and Redshift are analytical services
Relational transactions Aurora or RDS S3 is object storage, not a transactional relational engine
Redis-compatible fast durable key/value MemoryDB Redshift Spectrum is unrelated
Search and log analytics OpenSearch RDS is not a distributed search engine by default
Graph traversal Neptune DynamoDB can store relationships but is not the graph-specialist answer
Document API compatibility DocumentDB Neptune solves graph traversal
Cassandra compatibility Keyspaces Aurora requires a relational redesign

Catalog, governance and observability

Need Choose
Discover table schema Glue crawler
Store technical table metadata Glue Data Catalog
Synchronize partitions Update the Glue catalog or use an appropriate projection strategy
Central fine-grained lake permissions Lake Formation
Business discovery, lineage and governed data products SageMaker Catalog
Governed workspace boundaries SageMaker Unified Studio domains, domain units and projects
API-call audit CloudTrail
Configuration change history AWS Config
Metrics and alarms CloudWatch
Application log storage CloudWatch Logs
Search CloudWatch logs Logs Insights
Central SQL query of CloudTrail events CloudTrail Lake
PII discovery in S3 Macie

6. Architecture Patterns

Pattern 1 — Cost-efficient batch lake pipeline

Scenario: Daily CSV extracts must be analyzed with Athena at lower cost.

Pattern:

  1. Land raw CSV files in an S3 raw prefix.
  2. Trigger a Glue workflow on schedule or after object arrival.
  3. Use Glue ETL to clean and convert CSV to Parquet.
  4. Partition curated data by common filters such as date.
  5. Update the Glue Data Catalog.
  6. Query with Athena.
  7. Add data-quality rules and quarantine invalid records.
  8. Apply S3 Lifecycle rules to older raw objects.

Exam tie-breaker: Parquet plus useful partitioning reduces scanned bytes. Folder depth alone is insufficient if query metadata does not use the layout.

Pattern 2 — Replayable streaming pipeline

Scenario: Clickstream consumers must reprocess events after a code defect.

Pattern:

  1. Producers write to Kinesis Data Streams.
  2. Set retention according to replay needs.
  3. Use multiple consumers; consider enhanced fan-out for dedicated throughput.
  4. Process with Lambda for simple event logic or Flink for stateful windows.
  5. Send unrecoverable records to a DLQ or quarantine path.
  6. Monitor throughput and throttling with CloudWatch.

Exam tie-breaker: Replay requirement favors Kinesis Data Streams over Firehose.

Pattern 3 — Managed streaming delivery

Scenario: Operational logs need near-real-time delivery to S3, and no custom consumer is needed.

Pattern:

  1. Send events to Kinesis Data Firehose.
  2. Configure buffering and delivery destination.
  3. Optionally use a lightweight transformation.
  4. Store data in S3 and catalog it for Athena.

Exam tie-breaker: Minimal-operations destination delivery favors Firehose.

Pattern 4 — Database CDC into analytics

Scenario: Inserts and updates from an RDS database must appear in a lake with minimal source impact.

Pattern:

  1. Configure AWS DMS source and target endpoints.
  2. Run full load if initial history is needed.
  3. Continue with CDC.
  4. Land changes in the analytical destination.
  5. Transform, reconcile, and monitor lag.

Exam tie-breaker: CDC is better than frequent full exports for ongoing changes.

Pattern 5 — Serverless event-driven processing

Scenario: Each incoming S3 object needs validation and downstream processing.

Pattern:

  1. S3 object-created event routes work.
  2. Use SQS when burst buffering and retry isolation matter.
  3. Invoke Lambda for bounded validation.
  4. Send poison records to a DLQ.
  5. Start Glue for larger transformations if required.
  6. Notify operations through SNS on failure thresholds.

Exam tie-breaker: SQS decouples and buffers; SNS broadcasts notifications.

Pattern 6 — Governed data lake

Scenario: Analysts need controlled Athena access to curated datasets with business discovery and lineage.

Pattern:

  1. Store curated data in S3.
  2. Register metadata in Glue Data Catalog.
  3. Govern table and column access with Lake Formation.
  4. Use SageMaker Catalog for business discovery and lineage concepts.
  5. Use Unified Studio projects and domain boundaries for governed collaboration where relevant.
  6. Use Macie for PII discovery.
  7. Audit API activity with CloudTrail.

Exam tie-breaker: Catalog discovery and authorization are separate responsibilities.

Pattern 7 — Hybrid Redshift analytics

Scenario: Analysts need warehouse data, S3 historical data, and selected live Aurora data.

Pattern:

  1. Use Redshift warehouse tables for curated analytical data.
  2. Use Spectrum for S3 historical data.
  3. Use federated queries for supported live relational sources when appropriate.
  4. Use materialized views for repeated expensive aggregations with acceptable staleness.
  5. Use data sharing for governed reuse without copying full datasets.

Exam tie-breaker: Spectrum = S3; federated query = supported operational database; data sharing = reuse of Redshift data without full copy.

Pattern 8 — Vectorized retrieval workflow

Scenario: Internal documents must support semantic retrieval.

Pattern:

  1. Ingest source documents.
  2. Chunk and clean content.
  3. Generate embeddings, potentially through a Bedrock knowledge-base workflow.
  4. Store embeddings in a suitable vector-capable index.
  5. Evaluate HNSW versus IVF according to latency, recall, memory, and build-cost requirements.
  6. Preserve lineage and quality checks.

Exam tie-breaker: Similarity search needs vector indexing concepts, not an ordinary scalar B-tree answer.

Pattern 9 — Audit-ready operational logging

Scenario: A team must detect pipeline failures and prove who changed resources.

Pattern:

  1. Emit application logs to CloudWatch Logs.
  2. Use CloudWatch metrics and alarms for operational thresholds.
  3. Publish notifications through SNS.
  4. Use CloudTrail for API-call evidence.
  5. Use CloudTrail Lake for centralized SQL queries of CloudTrail events where needed.
  6. Use AWS Config for resource-configuration history.
  7. Archive required logs in controlled S3 storage with retention protections.

Exam tie-breaker: CloudTrail and Config answer different questions.

Pattern 10 — Quality-controlled pipeline

Scenario: Most records are valid, but malformed records must not block the pipeline.

Pattern:

  1. Validate schema and field rules during processing.
  2. Route invalid records to quarantine with error context.
  3. Continue processing valid records.
  4. Alert when invalid-rate thresholds are exceeded.
  5. Reconcile counts and totals between stages.
  6. Replay corrected records in a controlled way.

Exam tie-breaker: Do not silently drop errors and do not stop the entire pipeline for one poison record unless the business rule explicitly requires it.


7. Exam Traps

Trap 1 — Choosing a service from the wrong layer

A technically real AWS service is not automatically a plausible answer. Ask what layer the requirement targets.

Requirement Wrong-layer answer Why it fails
Trigger a job after a file arrives S3 Lifecycle rule Lifecycle manages storage aging, not processing triggers
Broadcast a failure alert Athena view A view is a SQL abstraction, not a notification channel
Protect data in transit S3 Versioning Versioning protects object history, not network traffic
Register new query partitions Increase retention Retention does not update catalog metadata

Trap 2 — Firehose when replay is required

Choose Firehose for managed delivery. Choose Kinesis Data Streams when consumers need retained records and replay. MSK is the Kafka-compatible option.

Trap 3 — SNS versus SQS

  • SNS broadcasts.
  • SQS buffers work for consumers.
  • An event-driven worker pipeline often uses SQS and a DLQ.
  • An alarm notification often uses SNS.

Trap 4 — Event versus schedule

  • Object arrives → event notification.
  • Run every day regardless of arrivals → scheduler.

Trap 5 — Glue versus EMR versus Lambda versus Flink

  • Lambda: small bounded event work.
  • Glue: managed serverless Spark ETL.
  • EMR: configurable distributed frameworks.
  • Flink: stateful continuous stream analytics.

Trap 6 — Athena optimization by folder structure alone

Use columnar format and meaningful partitions. A deeper folder tree alone does not guarantee scan reduction.

Trap 7 — Redshift feature confusion

  • Spectrum queries S3.
  • Federated query reaches supported live relational databases.
  • Materialized view stores precomputed results.
  • Data sharing enables governed warehouse reuse without full copies.
  • COPY loads; UNLOAD exports.

Trap 8 — DynamoDB hot partitions

Do not accept a low-cardinality partition key that concentrates traffic. Scale is not magic if the access pattern creates a hot key.

Trap 9 — Lifecycle versus versioning versus TTL

  • Lifecycle transition: cheaper tier.
  • Lifecycle expiration: age-based delete.
  • Versioning: recover prior S3 versions.
  • DynamoDB TTL: age-based item expiration, not an exact immediate delete timer.

Trap 10 — Catalog versus authorization

  • Crawler discovers schema.
  • Glue Data Catalog stores technical metadata.
  • Lake Formation manages governed lake permissions.
  • SageMaker Catalog supports business discovery, lineage, and governed data-product concepts.

Trap 11 — CloudWatch versus CloudTrail versus Config

  • Operational alarm → CloudWatch.
  • API caller evidence → CloudTrail.
  • Resource configuration history → Config.
  • Central SQL query of CloudTrail events → CloudTrail Lake.

Trap 12 — Bucket policy alone for cross-account encrypted data

Cross-account SSE-KMS access requires data permission and KMS-key usage permission.

Trap 13 — Hardcoded credentials

Use IAM roles for workloads and Secrets Manager or Parameter Store for secret/configuration needs. Do not embed long-lived administrator keys.

Trap 14 — Treating distributed-processing skew as a capacity-only issue

If one key dominates a join, blindly adding workers might not solve the bottleneck. Inspect skew, shuffles, partitions, and slow tasks.

Trap 15 — Ignoring invalid-record preservation

Silently dropping bad records weakens reconciliation and auditability. Use quarantine or a DLQ with context.

Trap 16 — Assuming every newer in-scope service is heavily tested

Recognize newer services, but focus effort according to blueprint task relevance. Be able to identify Bedrock, S3 Tables, Aurora, MemoryDB, SageMaker Catalog, Unified Studio, Kendra, Amazon Q, and Data Exchange without sacrificing the core services.

How to eliminate bad options quickly

  1. Identify the layer: ingestion, processing, orchestration, store, operations, or security.
  2. Remove answers from unrelated layers.
  3. Check the decisive requirement: replay, latency, operational overhead, compatibility, or governance.
  4. Prefer purpose-built services over improvised custom infrastructure when both meet requirements.
  5. Reject answers that grant excessive permissions.
  6. Reject answers that destroy evidence, silently drop records, disable logs, or expose data publicly.
  7. For multi-response questions, verify that every selected component is required.

8. Quick Memory Rules

Ingestion

  • Replay stream → Kinesis Data Streams.
  • Managed streaming delivery → Firehose.
  • Existing Kafka ecosystem → MSK.
  • Database changes → DMS CDC.
  • SaaS connector → AppFlow.
  • File-system transfer → DataSync.
  • Partner SFTP endpoint → Transfer Family.
  • Absorb bursts → SQS.
  • Broadcast alerts → SNS.

Processing

  • Small event function → Lambda.
  • Serverless Spark ETL → Glue.
  • Custom big-data cluster → EMR.
  • Stateful streaming windows → Flink.
  • Warehouse transformations → Redshift SQL.
  • Kubernetes requirement → EKS.
  • General container orchestration without Kubernetes requirement → ECS.

Orchestration

  • AWS-native state machine → Step Functions.
  • Airflow DAGs → MWAA.
  • Glue crawlers and jobs → Glue workflow.
  • Recurring clock schedule → EventBridge Scheduler.
  • Event routing → EventBridge.

Storage

  • Raw lake → S3.
  • Tabular lake with open table semantics → Iceberg / S3 Tables concepts.
  • Warehouse → Redshift.
  • Millisecond key lookup → DynamoDB.
  • Relational transactions → Aurora / RDS.
  • Fast durable Redis-compatible key/value → MemoryDB.
  • Search → OpenSearch.
  • Graph → Neptune.
  • MongoDB-compatible document workload → DocumentDB.
  • Cassandra-compatible workload → Keyspaces.

Catalog and governance

  • Technical metadata → Glue Data Catalog.
  • Schema discovery → Glue crawler.
  • Fine-grained lake permissions → Lake Formation.
  • Business catalog and lineage → SageMaker Catalog.
  • Governed workspace organization → Unified Studio domains, domain units, projects.

Operations

  • Metrics and alarms → CloudWatch.
  • App logs → CloudWatch Logs.
  • Query CloudWatch logs → Logs Insights.
  • API caller → CloudTrail.
  • Query centralized CloudTrail events → CloudTrail Lake.
  • Configuration history → AWS Config.
  • Full-text indexed log analytics → OpenSearch.

Security

  • Temporary workload credentials → IAM role.
  • Rotating secret → Secrets Manager.
  • Secure parameter/configuration value → Parameter Store.
  • Encryption keys → KMS.
  • Private service path → PrivateLink endpoint.
  • PII discovery in S3 → Macie.
  • Cross-account encrypted object → S3 permission + KMS permission.

Redshift

  • Load → COPY.
  • Export → UNLOAD.
  • Query S3 from Redshift → Spectrum.
  • Query supported live operational database → Federated query.
  • Repeated expensive result with acceptable staleness → Materialized view.
  • Share Redshift data without full copy → Data sharing.

Vector concepts

  • Semantic retrieval → embeddings plus vector-capable index.
  • HNSW and IVF → approximate nearest-neighbor index concepts with different recall, latency, memory, and build-cost tradeoffs.
  • B-tree → not the default answer for embedding similarity search.

9. Final Revision Notes

Domain 1 final review

Confirm that you can answer:

  • Why is Kinesis Data Streams better than Firehose for replay?
  • When does MSK beat Kinesis?
  • When does DMS CDC beat repeated exports?
  • When is AppFlow more appropriate than DataSync?
  • How do S3 events differ from scheduled runs?
  • Why does exponential backoff with jitter matter?
  • What is fan-out and when is enhanced fan-out useful?
  • When should you choose Lambda, Glue, EMR, Flink, ECS, or EKS?
  • Why do Parquet and good partitions reduce Athena costs?
  • When should you use Step Functions, MWAA, Glue workflows, SQS, and SNS?
  • How do IaC, SAM, CI/CD, Lambda concurrency, layers, and EFS fit into reliable deployment?
  • What is a realistic Bedrock-assisted data-processing workflow?

Domain 2 final review

Confirm that you can answer:

  • Why is S3 the default raw landing zone?
  • When should data move from ordinary S3 objects to table-format concepts such as Iceberg?
  • What problem do S3 Tables address?
  • What makes DynamoDB partition-key design succeed or fail?
  • When do Aurora/RDS, MemoryDB, OpenSearch, Neptune, DocumentDB, and Keyspaces fit?
  • How do Spectrum, federated queries, materialized views, and data sharing differ?
  • What does a Glue crawler do, and what does it not do?
  • Why might Athena not see a newly added S3 partition?
  • How do lifecycle transition, expiration, versioning, and TTL differ?
  • What are HNSW and IVF?
  • How do schema evolution, schema conversion, lineage, compression, and partitioning support maintainable data platforms?

Domain 3 final review

Confirm that you can answer:

  • Which service schedules recurring automation?
  • When should code call SDK APIs?
  • When is Athena a better query option than a provisioned warehouse?
  • What SQL pattern computes a rolling average?
  • What is the difference between a logical view and a materialized view?
  • Which tool stores app logs, queries logs, tracks API calls, and records configuration history?
  • How do you investigate slow Spark tasks?
  • What symptoms indicate data skew?
  • When should you sample data?
  • Why quarantine invalid records instead of silently dropping them?

Domain 4 final review

Confirm that you can answer:

  • Why are IAM roles better than embedded access keys?
  • When should Secrets Manager or Parameter Store be used?
  • What is the role of security groups and PrivateLink?
  • When should you create a custom IAM policy?
  • What does Lake Formation govern?
  • How do RBAC and ABAC differ?
  • Why are both S3 and KMS permissions required for cross-account encrypted objects?
  • What is masking or anonymization used for?
  • How do CloudTrail, CloudTrail Lake, CloudWatch Logs, Logs Insights, OpenSearch, Athena, and Config fit into audit workflows?
  • When should Macie be used?
  • What does data sovereignty require?
  • What are SageMaker Catalog projects and Unified Studio domains used for?

Lower-frequency in-scope service awareness

Do not spend most of your study time here, but recognize the role of:

Service Recognition-level purpose
Amazon Q AWS assistant capabilities; current in-scope recognition
Amazon Kendra Enterprise search concepts
AWS Data Exchange Third-party data discovery and subscription concepts
AWS Cost Explorer and AWS Budgets Cost analysis and budget alerts
Amazon Managed Grafana Dashboarding and monitoring visualization
AWS Backup Backup policy and centralized backup concepts
EBS and EFS Block and shared file storage patterns
CloudFront, Route 53, AWS WAF, AWS Shield Supporting network, delivery, and protection concepts; usually not the primary answer to core ETL questions
AWS Application Discovery Service and Application Migration Service Migration-awareness services
Amazon ECR Container-image registry for ECS/EKS workloads
AWS CLI Scripted service interaction and administration

Last-hour priority list

  1. Kinesis Data Streams vs Firehose vs MSK
  2. Lambda vs Glue vs EMR vs Flink
  3. EventBridge vs Step Functions vs MWAA vs SQS vs SNS
  4. S3, Parquet, partitions, Glue Catalog, crawler and Lake Formation
  5. Redshift COPY, UNLOAD, Spectrum, federated query, materialized view and data sharing
  6. DynamoDB key design and TTL
  7. CloudWatch, CloudTrail, CloudTrail Lake, Config and Logs Insights
  8. IAM roles, least privilege, Secrets Manager, KMS and cross-account encryption
  9. Iceberg, S3 Tables, HNSW, IVF, Bedrock, SageMaker Catalog and Unified Studio
  10. Quarantine, DLQ, retries, backoff, monitoring and skew

10. Exam-Day Checklist

Before starting

  • Confirm the exam code is DEA-C01.
  • Use the first minutes to settle into the pace.
  • Remember that unanswered questions are incorrect, so answer every question.
  • Expect unscored questions that are not identified; treat every question seriously.

For each question

  1. Read the final sentence first: what exactly is requested?
  2. Identify the decisive requirement: replay, latency, cost, operational effort, compatibility, security, or governance.
  3. Classify the layer: ingestion, processing, orchestration, storage, operations, or security.
  4. Eliminate unrelated services.
  5. Compare the two strongest remaining answers.
  6. Ask why the best wrong answer fails.
  7. For multi-response questions, verify that each selected option is independently necessary.
  8. Do not overengineer when the requirement asks for the simplest managed solution.
  9. Do not select broad permissions when scoped access is possible.
  10. Flag uncertain questions and move forward.

Time management

  • Aim for a steady first pass.
  • Do not spend too long proving one difficult question while leaving easier questions unanswered.
  • Reserve time to revisit flagged items.
  • Guess rather than leave a question unanswered.

Final mental reminders

  • Replay is not the same as delivery.
  • Buffering is not the same as broadcasting.
  • A catalog is not the same as authorization.
  • Versioning is not encryption.
  • CloudTrail is not AWS Config.
  • Spectrum is not federated query.
  • A bucket policy is not enough for SSE-KMS cross-account decryption.
  • Scaling does not fix a bad partition key or severe data skew.
  • Managed simplicity wins only when it still meets the requirement.
  • Purpose-built service beats an improvised architecture.

Source and alignment note

This course was synthesized from the improved DEA-C01 practice bank rather than copied question-by-question. Repeated scenarios and wrong-answer patterns were consolidated into service-selection rules, architecture patterns, and exam traps. It was checked against the current AWS Certified Data Engineer – Associate DEA-C01 guide, including the Version 1.1 revision published on December 12, 2025. AWS states that the guide is not a comprehensive list of everything that can appear on the exam and that the in-scope services list is non-exhaustive and subject to change. Recheck the official AWS exam guide close to your exam date.

lock_open

Unlock the full course

All 30 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1005 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 15 72 questions/day Finish by Jul 29, 2026
Question 17 of 1040
Content Domain 1: Data Ingestion and Transformation · 34%

A travel-booking platform is redesigning a data pipeline. It must start an ingestion workflow at 02:00 UTC every day even if no new object event occurs. The design should avoid unnecessary custom infrastructure. The requirement is straightforward and the team prefers the simplest managed approach. Which approach most directly meets the requirement?

0 correct
0 wrong
1040 left
2% done