AWS Certified Data Engineer – Associate DEA-C01
Compressed Course
AWS Certified Data Engineer – Associate DEA-C01 Exam Course
A compressed, exam-focused course built from the improved 1,040-question DEA-C01 practice bank and aligned to the current AWS exam guide. Use it as a start-to-finish learning path, a decision guide, and a final revision sheet.
1. Exam Overview
What the certification validates
The AWS Certified Data Engineer – Associate (DEA-C01) exam tests whether you can implement data pipelines and data stores on AWS, then monitor, troubleshoot, secure, govern, and optimize them. The exam is not only about naming services. Most questions describe a workload and ask for the best fit based on latency, scale, replayability, operational effort, cost, access pattern, security, or governance.
Current exam format
| Item | Details |
|---|---|
| Exam code | DEA-C01 |
| Level | Associate |
| Duration | 130 minutes |
| Questions | 65 total |
| Question styles | Multiple choice and multiple response |
| Scored questions | 50 |
| Unscored evaluation questions | 15, not identified during the exam |
| Passing score | 720 on a 100–1,000 scaled-score model |
| Scoring model | Compensatory: pass the exam overall; you do not need to pass every domain separately |
Blueprint version note
The current AWS documentation includes DEA-C01 guide Version 1.1, published on December 12, 2025. The revision consolidates skills and adds or emphasizes newer areas such as:
- Amazon Aurora use cases
- Amazon MemoryDB for Redis for fast key/value access
- Apache Iceberg and Amazon S3 Tables
- Vector indexes such as HNSW and IVF
- Amazon Bedrock knowledge-base and LLM-assisted processing concepts
- Amazon SageMaker Catalog lineage and governed-access concepts
- Amazon SageMaker Unified Studio domains, domain units, and projects
- Amazon Q, Amazon Kendra, and AWS Data Exchange as in-scope services
AWS removed AWS Cloud9, AWS CodeCommit, and AWS Schema Conversion Tool (AWS SCT) from the current in-scope services list. However, the current Domain 2 task page still references schema conversion examples such as AWS SCT and AWS DMS Schema Conversion. Know the migration concept, prioritize DMS Schema Conversion, and do not overinvest in old SCT-specific details.
How to think during the exam
For each scenario, identify the requirement that controls the answer:
- Data movement: streaming, micro-batch, batch, CDC, file transfer, or API.
- Latency: seconds, minutes, hourly, nightly, or ad hoc.
- Replay: must consumers re-read events after a defect or outage?
- Processing model: per-event, distributed batch, stateful stream, warehouse SQL, or containerized custom workload.
- Storage access pattern: object lake, analytical warehouse, relational transactions, low-latency key/value, search, graph, document, Cassandra-compatible, or vector similarity.
- Operations: managed/serverless preference versus configuration control.
- Security and governance: least privilege, encryption, catalog, lineage, audit, PII, sovereignty, and cross-account access.
- Failure handling: retries, backoff, queue buffering, dead-letter queue, quarantine, alarms, and logs.
The wrong answers are often real AWS services used at the wrong layer. Eliminate options that solve a different problem.
2. Exam Domains
| Domain | Official weighting | What to master |
|---|---|---|
| Content Domain 1: Data Ingestion and Transformation | 34% | Streaming and batch ingestion, APIs, scheduling, event triggers, transformation engines, orchestration, programming and deployment concepts |
| Content Domain 2: Data Store Management | 26% | Choosing stores, catalogs, lifecycle controls, migrations, Redshift access patterns, Iceberg, vector indexes, schemas, lineage, partitioning and optimization |
| Content Domain 3: Data Operations and Support | 22% | Automation, querying, visualization, SQL analytics, observability, troubleshooting, logging, alerting, data quality, skew and sampling |
| Content Domain 4: Data Security and Governance | 18% | IAM, VPC access, secrets, Lake Formation, masking, KMS, cross-account encryption, audit logs, PII, AWS Config, sovereignty and governed sharing |
Recommended study-time distribution
Spend roughly the same percentage of your preparation time as the exam weight, but give additional review time to cross-domain topics:
- Amazon S3, AWS Glue, Amazon Redshift, DynamoDB, Athena, Lambda
- Kinesis Data Streams, Kinesis Data Firehose, Amazon MSK, DMS
- SQS, SNS, EventBridge, Step Functions, MWAA
- Glue Data Catalog, Lake Formation, SageMaker Catalog, Unified Studio
- CloudWatch, CloudTrail, CloudTrail Lake, AWS Config
- IAM, KMS, Secrets Manager, Parameter Store, PrivateLink
3. Start-to-Finish Study Path
Phase 1 — Build the data-engineering mental model
Learn to map a requirement to a layer:
| Layer | Typical questions | Main services |
|---|---|---|
| Source and ingestion | How does data enter AWS? Is replay required? | S3, Kinesis Data Streams, Firehose, MSK, DMS, AppFlow, DataSync, Transfer Family, API Gateway |
| Processing | Is processing event-driven, distributed, stateful, or SQL-based? | Lambda, Glue, EMR, Managed Service for Apache Flink, Redshift, ECS, EKS, AWS Batch |
| Orchestration and decoupling | How do tasks run in order, on schedule, or after an event? | EventBridge, Step Functions, MWAA, Glue workflows, SQS, SNS |
| Storage | What is the access pattern and data model? | S3, S3 Tables, Redshift, DynamoDB, Aurora/RDS, MemoryDB, OpenSearch, Neptune, DocumentDB, Keyspaces |
| Catalog and governance | Who can find and use the data? | Glue Data Catalog, Lake Formation, SageMaker Catalog, Unified Studio |
| Operations | How do you detect, investigate, and recover? | CloudWatch, CloudWatch Logs, Logs Insights, CloudTrail, CloudTrail Lake, Config, OpenSearch, SNS |
| Security | Who authenticates, who is authorized, and how is data protected? | IAM, Secrets Manager, Parameter Store, KMS, VPC, PrivateLink, Macie |
Phase 2 — Master the highest-frequency service decisions
Prioritize these comparisons:
- Kinesis Data Streams vs Firehose vs MSK
- Glue vs EMR vs Lambda vs Flink vs Redshift SQL
- EventBridge vs Step Functions vs MWAA vs Glue workflow
- SQS vs SNS
- S3 vs Redshift vs DynamoDB vs Aurora/RDS
- Glue Data Catalog vs crawler vs Lake Formation vs SageMaker Catalog
- CloudWatch vs CloudTrail vs AWS Config
- Redshift Spectrum vs federated query vs data sharing vs materialized view
- S3 Lifecycle vs S3 Versioning vs Object Lock-style retention protections
- Bucket permission vs KMS-key permission for cross-account encrypted data
Phase 3 — Study each blueprint task methodically
Use Section 4 as your main course. Do not memorize only the service names. For every service, learn:
- the workload it is designed for;
- the signal words that suggest it;
- the strongest competing service;
- why the competitor fails in that specific scenario.
Phase 4 — Practice architecture elimination
Before choosing an answer, remove options that:
- solve notification when the question asks for buffering;
- solve delivery when the question asks for replay;
- solve storage when the question asks for orchestration;
- solve schema discovery when the question asks for authorization;
- solve durability when the question asks for encryption;
- solve API auditing when the question asks for configuration history;
- solve batch analytics when the question asks for millisecond operational access.
Phase 5 — Revise current-version additions
Give targeted review time to:
- Apache Iceberg and Amazon S3 Tables
- HNSW and IVF vector indexes
- Aurora PostgreSQL vector use cases
- MemoryDB for Redis
- Bedrock knowledge bases and LLM-assisted processing
- SageMaker Catalog lineage and project-based access
- SageMaker Unified Studio domains, domain units, and projects
Phase 6 — Final simulation strategy
When practicing:
- complete mixed-domain sets;
- justify why the best wrong answer fails;
- flag questions where two answers look possible;
- identify the requirement word that breaks the tie;
- revisit weak decisions, not only wrong questions.
4. Core Concepts by Domain
Domain 1: Data Ingestion and Transformation — 34%
This is the largest domain. Expect scenarios that combine source type, latency, replay, processing choice, scheduling, failure recovery, and deployment.
Task 1.1 — Perform data ingestion
Streaming ingestion
| Service or pattern | Choose it when | Do not choose it when |
|---|---|---|
| Amazon Kinesis Data Streams | Multiple consumers need a retained stream, replay, ordered records within a shard, shard-based throughput, or enhanced fan-out | The only requirement is managed delivery to S3 with low operational effort |
| Amazon Kinesis Data Firehose | You need managed near-real-time delivery to destinations such as S3 with buffering and optional lightweight transformation | Consumers must replay records from a durable stream or use custom stream-processing semantics |
| Amazon MSK | Existing Kafka applications, partitions, consumer groups, Kafka client compatibility, or Kafka ecosystem tools must be preserved | A simple managed delivery stream is enough |
| DynamoDB Streams | You need item-level change events from a DynamoDB table | You need general-purpose ingestion from arbitrary producers |
| AWS DMS with CDC | You need ongoing inserts, updates, and deletes replicated from a database with low source impact | You only need one static full extract or a SaaS connector |
Replayability rule
Replay requirement → think Kinesis Data Streams or Kafka/MSK, not Firehose.
Firehose is excellent for managed destination delivery. It is not the default answer when the scenario explicitly says consumers need to re-read the last several hours after fixing processing logic.
Fan-in and fan-out
- Fan-in: many producers write into a shared ingestion path.
- Fan-out: multiple consumers read the same stream for different purposes.
- Kinesis enhanced fan-out is relevant when consumers need dedicated read throughput and low-latency delivery without competing for shared stream read throughput.
- An SQS queue distributes messages among competing consumers. It does not automatically give every independent analytics application its own copy of every record.
Throttling and rate limits
Recognize these signals:
- HTTP 429 responses from APIs
- Kinesis
ProvisionedThroughputExceeded - DynamoDB hot partitions or throttled requests
- RDS connection exhaustion
- downstream systems overloaded by Lambda concurrency
Use:
- exponential backoff with jitter;
- bounded retries;
- appropriate stream capacity or shard scaling;
- well-distributed partition keys;
- controlled Lambda concurrency;
- buffering with SQS when bursts must be absorbed.
Do not retry immediately in a tight loop. That amplifies the failure.
Batch and file ingestion
| Service | Best fit |
|---|---|
| Amazon S3 | Durable landing zone for files and raw lake data |
| Amazon AppFlow | Low-code transfer between supported SaaS sources and AWS destinations, such as Salesforce to S3 |
| AWS DataSync | Managed movement between supported file systems and object-storage locations |
| AWS Transfer Family | Managed SFTP, FTPS, and FTP-style transfer access into AWS storage |
| AWS Snow Family | Large offline or edge transfer when network transfer is impractical |
| AWS DMS | Database migration, full load, CDC, or both |
Events versus schedules
| Requirement | Best tool |
|---|---|
| Run when an object arrives in S3 | S3 Event Notifications or EventBridge event routing |
| Run every day at 02:00 even if no object arrives | EventBridge Scheduler or a time-based scheduler |
| Run crawlers or jobs according to a DAG schedule | MWAA or a workflow-specific scheduler |
Trap: An S3 event cannot guarantee a daily run when no object arrives. A time schedule cannot provide immediate object-by-object responsiveness without polling.
APIs and connectivity
Know these concepts:
- consuming external data APIs;
- building data APIs for downstream consumers;
- Amazon API Gateway as an API front door;
- JDBC and ODBC connectivity to data sources;
- IP allowlists where a source requires them;
- retries, rate limits, authentication, and secret storage.
Task 1.2 — Transform and process data
Select the processing engine
| Requirement | Best starting choice | Why |
|---|---|---|
| Small, short, event-driven transformation | AWS Lambda | Low operational overhead for bounded per-event work |
| Serverless Spark ETL over S3 data | AWS Glue ETL | Managed Spark, catalog integration, job scheduling and serverless operations |
| Highly customized distributed Spark or Hadoop workload | Amazon EMR | More control over clusters, frameworks, bootstrap actions and packages |
| Stateful streaming windows, sessions, rolling aggregates | Amazon Managed Service for Apache Flink | Continuous stateful stream processing |
| SQL transformations on warehouse staging tables | Amazon Redshift SQL | Efficient set-based transformations where the data already lives |
| Containerized custom workload | Amazon ECS or Amazon EKS | Useful when packaging, runtime control, dependencies, or Kubernetes requirements matter |
| Large parallel batch jobs | AWS Batch | Batch scheduling and compute provisioning for containerized jobs |
Glue versus EMR versus Lambda
Use this elimination rule:
- Choose Lambda for a small event handler.
- Choose Glue for managed serverless ETL, especially Spark over S3 and catalog-integrated workflows.
- Choose EMR when you need distributed open-source frameworks with deeper cluster-level control.
- Choose Flink when the computation is continuously stateful over streams.
Trap: Do not choose EMR merely because the word “data” appears. Do not choose Lambda for a massive distributed join. Do not choose Glue for a requirement that explicitly demands detailed cluster bootstrap control.
File formats and partitioning
CSV is readable but expensive for repeated analytics scans. Apache Parquet is columnar and typically reduces scanned bytes when queries read only a subset of columns.
For Athena and data-lake analytics:
- convert large analytical datasets to Parquet;
- compress appropriately;
- partition by common selective filters such as date, region, or source;
- avoid excessive tiny files;
- avoid partitioning by extremely high-cardinality fields when it creates too many small partitions.
Volume, velocity, and variety
| Characteristic | Question to ask |
|---|---|
| Volume | How much data must be stored or processed? |
| Velocity | How quickly does data arrive and how quickly must it be processed? |
| Variety | Is the data structured, semi-structured, unstructured, tabular, text, logs, images, or events? |
These dimensions help decide batch versus streaming, storage layout, processing engine, and cost model.
LLM-assisted processing
The revised guide includes integrating LLMs for data processing. The expected reasoning is practical:
- use Amazon Bedrock models in a controlled workflow for tasks such as summarization, categorization, enrichment, or extraction from unstructured text;
- validate generated output before downstream use;
- store prompts, outputs, metadata, and quality signals where traceability matters;
- do not assume a custom model must be trained from scratch.
Task 1.3 — Orchestrate data pipelines
| Service | Choose it when | Closest wrong answer |
|---|---|---|
| AWS Step Functions | Serverless sequence, branching, retries, wait states, error handling, and service integrations | EventBridge can trigger the workflow but is not the detailed state machine |
| Amazon MWAA | Existing or complex Apache Airflow DAGs, backfills, dependencies, scheduling | Step Functions is excellent for AWS-native state machines but is not an Airflow migration target |
| AWS Glue workflows and triggers | Glue-native crawler and ETL-job dependency chain | S3 Lifecycle changes storage classes; it does not orchestrate jobs |
| Amazon EventBridge and Scheduler | Event routing or time-based triggering | SQS buffers work but is not the time scheduler |
| Amazon SQS | Buffer bursts, decouple producer and consumer, retry messages, use DLQ | SNS is pub/sub notification fan-out, not durable queue buffering for workers |
| Amazon SNS | Fan out alerts or notifications to subscribers | SQS is better when workers must consume queued tasks |
Dead-letter queue and quarantine pattern
Use a DLQ or quarantine store when records repeatedly fail processing. Preserve:
- original payload or reference;
- failure reason;
- timestamp;
- pipeline stage;
- retry count;
- correlation identifier.
This allows investigation and controlled replay without blocking valid records.
Task 1.4 — Apply programming concepts
Know the following:
- use AWS SDKs and APIs instead of scraping the console;
- use AWS SAM for serverless application packaging;
- use AWS CloudFormation or AWS CDK for repeatable IaC deployment;
- use CI/CD services such as CodeBuild, CodeDeploy, and CodePipeline;
- use Lambda layers for shared dependencies when appropriate;
- mount EFS from Lambda when shared file-system access is required and properly configured;
- do not attach EBS volumes directly to Lambda;
- tune Lambda memory, timeout, concurrency, event-source batch size, and retry behavior;
- use logs and metrics during debugging;
- consider EC2 when unmanaged compute control is required;
- consider ECS/EKS for containerized processing.
Lambda concurrency rule
If a downstream database has limited connections, unlimited Lambda concurrency can create a failure storm. Configure a reasonable concurrency limit and tune the event-source behavior. Optimize the entire path, not only Lambda throughput.
Domain 2: Data Store Management — 26%
Domain 2 is about selecting the correct store and configuring it for the access pattern. The exam often gives several technically possible services, but only one is purpose-built for the requirement.
Task 2.1 — Choose a data store
Core data-store map
| Workload | Prefer | Why |
|---|---|---|
| Raw durable lake storage in many formats | Amazon S3 | Scalable object storage and broad analytics integration |
| Managed tabular storage on S3 with open table semantics | Amazon S3 Tables and Apache Iceberg concepts | Table metadata, transactional patterns, schema and partition evolution |
| Analytical SQL warehouse | Amazon Redshift | Complex analytical joins, aggregations, BI workloads |
| Operational key/value or document access with known keys | Amazon DynamoDB | Scalable low-latency access patterns |
| Relational transactions and SQL constraints | Amazon Aurora or Amazon RDS | Managed relational database capabilities |
| Durable Redis-compatible fast key/value access | Amazon MemoryDB for Redis | Low-latency in-memory-compatible access with durability |
| Text search, log analytics and inverted-index search | Amazon OpenSearch Service | Purpose-built distributed search and dashboards |
| Relationship traversal | Amazon Neptune | Graph use cases such as fraud paths or dependency graphs |
| MongoDB-compatible document workload | Amazon DocumentDB | Document-oriented API compatibility |
| Cassandra-compatible workload | Amazon Keyspaces | Managed Cassandra-compatible access patterns |
Amazon S3 and data-lake design
Use S3 as the default durable landing zone for raw files. Design for:
- clear prefixes and partitions;
- immutable raw zones where appropriate;
- curated zones with optimized formats;
- lifecycle rules;
- encryption;
- access controls;
- catalog registration;
- versioning or retention protections where recovery or auditability matters.
DynamoDB partition-key reasoning
A DynamoDB design starts from access patterns. Choose a partition key that distributes traffic well.
Hot partition warning: If most reads or writes use one value, throughput concentrates on one partition. Consider higher-cardinality keys, composite patterns, or controlled write sharding.
Do not choose DynamoDB for complex ad hoc analytical joins. Do not choose Redshift for customer-facing single-digit-millisecond operational lookups.
Amazon Redshift access patterns
| Feature | Use it for | Common confusion |
|---|---|---|
| COPY | Efficient bulk load from S3 into Redshift | Row-by-row inserts are usually inefficient for bulk loading |
| UNLOAD | Export query results from Redshift to S3 | DELETE removes rows; it does not export results |
| Redshift Spectrum | Query S3 external data from Redshift SQL | It is not the same as querying a live relational database |
| Federated query | Query supported operational databases such as Aurora PostgreSQL from Redshift | It is not the same as Spectrum over S3 |
| Materialized view | Precompute repeated expensive query results when controlled staleness is acceptable | A standard view does not materialize results |
| Data sharing | Governed access to Redshift data without copying the full dataset | Sharing administrator credentials is never the answer |
Also understand distribution styles, sort keys, compression, and workload-driven table design. Optimize based on joins, filters, and scan patterns.
Locks
The blueprint includes managing locks to prevent access to data in services such as Redshift and RDS. Understand the purpose:
- preserve consistency during concurrent operations;
- identify blocking sessions;
- avoid unnecessary long-running transactions;
- troubleshoot lock contention rather than scaling unrelated resources.
Open table formats: Apache Iceberg and S3 Tables
Apache Iceberg is an open table format for large analytical tables. Think beyond “files in folders.” Iceberg adds table-level metadata and supports capabilities such as:
- schema evolution;
- partition evolution;
- transactional table operations;
- snapshot-oriented management;
- improved table maintenance patterns.
Amazon S3 Tables is a current in-scope service for managed tabular-storage patterns in S3. Exam questions may test when ordinary raw S3 objects are sufficient versus when managed table semantics are beneficial.
Vector indexes: HNSW and IVF
The updated blueprint expects recognition of vector indexes and vectorization concepts.
| Index concept | General strength | General tradeoff |
|---|---|---|
| HNSW | Strong approximate nearest-neighbor search performance and high-recall retrieval patterns | Index build and memory cost can be higher |
| IVF | Partitions vectors into clusters and searches selected clusters | Recall and latency depend on tuning; broader probing can improve recall at additional cost |
Use the requirement to reason about recall, latency, memory, build time, and scale. B-tree indexes are not the default solution for embedding similarity search.
A current example is vector indexing with Aurora PostgreSQL. Amazon Bedrock knowledge-base scenarios may involve chunking content, generating embeddings, and storing them in a vector-capable index for semantic retrieval.
Task 2.2 — Understand data cataloging systems
Catalog components
| Component | Purpose |
|---|---|
| AWS Glue Data Catalog | Technical metadata repository for tables, columns, partitions, and data locations |
| AWS Glue crawler | Inspects data and creates or updates catalog metadata |
| Partition synchronization | Makes new partitions visible to query engines such as Athena |
| Glue connections | Store connectivity metadata for sources or targets |
| Apache Hive metastore | Technical metastore concept that may appear in data-platform scenarios |
| Amazon SageMaker Catalog | Business-oriented catalog, lineage, discovery, and governed data-product concepts |
Catalog traps
- A crawler discovers schema. It does not authorize users.
- Lake Formation governs permissions. It is not simply a crawler.
- A folder structure is not automatically an Athena partition. Catalog metadata or partition projection must align with the layout.
- New S3 partitions might exist physically but remain invisible to queries until catalog metadata is synchronized.
Task 2.3 — Manage the lifecycle of data
| Requirement | Feature |
|---|---|
| Move older S3 objects to a cheaper tier | S3 Lifecycle transition |
| Delete S3 objects after a retention period | S3 Lifecycle expiration |
| Recover overwritten or deleted S3 objects | S3 Versioning |
| Expire DynamoDB items by age | DynamoDB TTL |
| Bulk load from S3 into Redshift | COPY |
| Export Redshift results to S3 | UNLOAD |
| Meet legal deletion requirements | Explicit deletion and verified governance workflow |
| Improve resilience and availability | Design appropriate storage redundancy, backups, replication and recovery controls |
Important lifecycle distinctions
- Lifecycle transition changes storage class.
- Lifecycle expiration deletes according to age-based policy.
- Versioning preserves recoverable object versions.
- DynamoDB TTL marks items for automatic expiration; do not treat it as an immediate synchronous deletion guarantee.
- Retention protection prevents inappropriate deletion; use appropriate controls and tightly scoped permissions for audit archives.
Task 2.4 — Design data models and schema evolution
Schema evolution
Design for compatible change:
- additive optional fields are often easier to support than breaking changes;
- historical records may not contain newly introduced fields;
- preserve backward compatibility where possible;
- version schemas when changes are significant;
- test readers and writers independently;
- keep lineage and catalog metadata current.
Schema conversion
Recognize migration scenarios that require converting a source schema for a target database. The current blueprint task page references AWS DMS Schema Conversion and legacy AWS SCT examples. Focus on the migration purpose:
- assess compatibility;
- convert supported schema objects;
- identify manual remediation;
- combine schema work with data migration or CDC when required.
Data lineage
Lineage answers questions such as:
- Where did this dataset originate?
- Which transformation generated this field?
- Which pipelines depend on this table?
- What will break if a schema changes?
- Which approved data product is the trusted source?
Amazon SageMaker Catalog and SageMaker lineage capabilities are relevant current concepts.
Domain 3: Data Operations and Support — 22%
Domain 3 tests whether you can keep pipelines useful after deployment. Expect automation, SQL analysis, dashboards, logs, metrics, alerts, debugging, and data-quality questions.
Task 3.1 — Automate data processing by using AWS services
Use:
- EventBridge Scheduler for recurring invocations;
- EventBridge events for event routing;
- Lambda for event-driven automation;
- Step Functions or MWAA for orchestration;
- Glue, EMR, and Redshift features for processing;
- SDK calls for supported programmatic control;
- Athena for serverless SQL over S3;
- Glue DataBrew for visual preparation and profiling;
- SageMaker Unified Studio for governed data and analytics workspaces;
- APIs for reusable data access paths.
Console-scraping trap
When a service API or SDK exists, use it. Scraping console HTML is brittle and unsupported.
Task 3.2 — Analyze data by using AWS services
SQL analysis
Understand:
- filtering;
- grouping;
- aggregation;
- joins;
- window functions;
- rolling averages;
- pivoting;
- reusable views;
- materialized results versus logical views.
A seven-day rolling average normally requires a window function over an ordered date range, not only GROUP BY.
Athena versus Redshift analysis
| Requirement | Prefer |
|---|---|
| Ad hoc serverless SQL directly over S3 | Athena |
| Repeatable warehouse analytics and complex SQL over managed warehouse tables | Redshift |
| Reusable logical SQL abstraction | Athena view or Redshift view, depending on data location |
| Interactive Spark exploration without provisioning a separate cluster | Athena notebook for Apache Spark |
Provisioned versus serverless
| Workload shape | General preference |
|---|---|
| Sporadic, ad hoc, unpredictable querying | Serverless can reduce idle-resource cost and operations |
| Stable, high-volume, predictable workload requiring tuned capacity | Provisioned or carefully managed capacity may be more appropriate |
Avoid assuming serverless is always cheaper or provisioned is always faster. Match the workload.
Visualization and preparation
Know the role of:
- Glue DataBrew for visual profiling and preparation;
- QuickSight-style business visualization concepts;
- notebooks for exploration;
- SageMaker Data Wrangler where data-preparation scenarios reference it;
- SageMaker Unified Studio for governed collaborative workflows.
The current AWS documentation may show Amazon QuickSuite in the in-scope service list while domain skill examples still reference Amazon QuickSight. Focus on visualization and analytics decision-making rather than product-name trivia.
Task 3.3 — Maintain and monitor data pipelines
Observability map
| Question asks for | Use first |
|---|---|
| Operational metric, threshold, alarm | Amazon CloudWatch metrics and alarms |
| Application log storage | Amazon CloudWatch Logs |
| Interactive query over CloudWatch logs | CloudWatch Logs Insights |
| Who changed an AWS resource by calling an API | AWS CloudTrail |
| SQL-based centralized query of CloudTrail events | AWS CloudTrail Lake |
| How a resource configuration changed over time | AWS Config |
| Full-text operational log search and dashboards | Amazon OpenSearch Service |
| Query archived logs stored in S3 | Amazon Athena; consider EMR for very large big-data processing cases |
| Notify an operations channel or email list | Amazon SNS integrated with alarms |
CloudTrail versus AWS Config versus CloudWatch
- CloudTrail: API activity — who called what and when.
- AWS Config: configuration state and change history.
- CloudWatch metrics and alarms: operational conditions.
- CloudWatch Logs: application and service logs.
- Logs Insights: search and aggregate CloudWatch Logs.
This distinction appears repeatedly in realistic exam scenarios.
Spark and Glue troubleshooting
When a distributed job slows down or fails:
- inspect logs and metrics;
- locate the slow stage;
- check skewed keys and partition sizes;
- inspect executor memory and shuffle behavior;
- check tiny files, serialization, retries, and downstream throttling;
- verify source and destination connectivity;
- tune resources only after identifying the bottleneck.
Data skew
A skewed join key sends a disproportionate amount of data to a subset of workers. Symptoms include:
- one or a few tasks running much longer than the rest;
- uneven shuffle partitions;
- executor memory pressure;
- a slow final stage despite many idle workers.
Mitigation depends on the workload: repartitioning, key salting, broadcast joins for suitable small tables, pre-aggregation, filtering earlier, or redesigning the operation.
Task 3.4 — Ensure data quality
Quality dimensions
| Dimension | Example failure |
|---|---|
| Completeness | Required customer ID is missing |
| Validity | Negative order total where only non-negative values are allowed |
| Consistency | Conflicting representations of the same attribute |
| Referential integrity or consistency | Order refers to a customer ID absent from the customer dimension |
| Timeliness | Data arrives too late for its SLA |
| Uniqueness | Duplicate business key appears unexpectedly |
Quality patterns
- validate during processing;
- define explicit rules;
- quarantine malformed or invalid records;
- preserve error context;
- alert on threshold breaches;
- sample large datasets for fast initial assessment;
- run full checks for critical controls where required;
- reconcile counts and aggregates between stages;
- track quality trends over time.
Trap: S3 Versioning preserves object history but does not validate field values. A DLQ or quarantine path is better than silently dropping invalid records.
Domain 4: Data Security and Governance — 18%
Domain 4 is smaller but highly scoreable if you master the distinctions. Security questions often test two permission layers, least privilege, or the difference between authentication, authorization, encryption, and auditing.
Task 4.1 — Apply authentication mechanisms
IAM roles first
Use roles with temporary credentials for AWS workloads:
- Lambda execution role;
- Glue job role;
- Step Functions execution role;
- EC2 instance profile;
- service role for managed integrations;
- cross-account role when appropriate.
Do not embed long-lived administrator access keys in code. Do not share root credentials.
Secrets
| Requirement | Prefer |
|---|---|
| Store and rotate database credentials | AWS Secrets Manager |
| Store configuration values or secure parameters when advanced rotation workflows are not required | AWS Systems Manager Parameter Store |
Network access
- Use VPC security groups to allow only required ports and sources.
- Use private subnets and controlled routing where appropriate.
- Use AWS PrivateLink interface VPC endpoints for private access to supported services without traversing the public internet.
- Use S3 Access Points where they simplify controlled access patterns.
- Use IP allowlists only when required by the source or partner; do not treat them as a replacement for IAM and encryption.
Managed versus unmanaged services
A managed service reduces operational responsibility but may reduce low-level control. Choose according to the requirement. If a scenario repeatedly says “minimal operational overhead,” prefer the managed or serverless fit that still meets the technical need.
SageMaker Unified Studio governance concepts
Understand:
- domains;
- domain units;
- projects;
- governed collaboration boundaries;
- controlled access to data assets.
Task 4.2 — Apply authorization mechanisms
Least privilege
Grant only:
- the necessary actions;
- on the necessary resources;
- for the necessary principals;
- under the necessary conditions.
Example: A Lambda function that reads one S3 landing prefix should receive scoped s3:GetObject permissions for that prefix, not AdministratorAccess.
Lake Formation
Use AWS Lake Formation for centralized fine-grained permissions over governed data-lake access. It can manage access patterns involving services such as Athena, Redshift, EMR, and S3-backed data.
Authorization models
| Model | Use |
|---|---|
| Role-based access control (RBAC) | Permissions based on job function or role |
| Tag-based or attribute-based access control (ABAC) | Scalable policy decisions based on attributes such as department, environment, or classification |
| Database users, groups and roles | Database-native privileges, such as read access to selected Redshift schemas |
Task 4.3 — Ensure data encryption and masking
Encryption at rest
For controlled S3 encryption with key-policy and audit requirements, use SSE-KMS with an appropriate AWS KMS key design.
Encryption in transit
Use TLS for sensitive data moving across networks. Durability, versioning, and lifecycle rules do not encrypt network traffic.
Cross-account SSE-KMS access
Encrypted cross-account access usually requires permissions at both layers:
- access to the data resource, such as S3 object permissions;
- permission to use the KMS key for the required cryptographic action.
Trap: A bucket policy alone is insufficient when the receiving principal cannot decrypt the object.
Masking and anonymization
Use masking, tokenization, or anonymization when non-production or analytical consumers do not need direct identifiers. Do not copy raw production identifiers into lower-trust environments without justification.
Task 4.4 — Prepare logs for audit
Use:
- CloudTrail for API-call evidence;
- CloudWatch Logs for application logs;
- CloudTrail Lake for centralized CloudTrail event queries;
- Athena for SQL over archived logs in S3;
- Logs Insights for CloudWatch-log exploration;
- OpenSearch for indexed full-text search and dashboards;
- EMR for large-scale log-processing cases;
- controlled S3 log archives with retention protections and tightly scoped permissions.
Task 4.5 — Understand data privacy and governance
PII identification
Use Amazon Macie to discover sensitive data in S3. Lake Formation can complement this by governing access to cataloged lake data.
Data sovereignty
Data sovereignty means controlling where regulated data is stored, copied, backed up, and replicated. Check:
- primary Region;
- backup Region;
- replication destination;
- disaster-recovery copies;
- cache or edge behavior where relevant;
- cross-account shares;
- export workflows.
Do not casually introduce copies in disallowed Regions.
AWS Config
Use AWS Config to review configuration changes over time, such as when an S3 encryption setting changed. Use CloudTrail when the key question is which API call or principal performed the action.
Governed sharing
Recognize:
- Redshift data sharing;
- Lake Formation permissions;
- SageMaker Catalog projects;
- ownership and approval workflows;
- business catalog discovery;
- lineage;
- explicit data-sharing patterns.
5. Service Selection Guide
Ingestion and transport
| Need | Choose | Why not the closest alternative? |
|---|---|---|
| Retained stream with replay and custom consumers | Kinesis Data Streams | Firehose is managed delivery, not the default replay log |
| Managed delivery of streaming events to S3 with minimal operations | Kinesis Data Firehose | Kinesis Data Streams needs consumer logic |
| Kafka compatibility and consumer groups | Amazon MSK | Firehose and Kinesis do not preserve Kafka APIs |
| Database CDC | AWS DMS with CDC | Repeated full exports waste resources and increase source load |
| SaaS connector such as Salesforce to S3 | Amazon AppFlow | DataSync is for supported file and object storage movement |
| Managed file transfer | AWS DataSync | AppFlow is SaaS integration, not general file-system transfer |
| Managed SFTP/FTPS/FTP endpoint | AWS Transfer Family | DataSync does not expose a partner-facing transfer protocol endpoint |
| Offline bulk migration | AWS Snow Family | Network transfer may be impractical |
| Worker buffering and retry | SQS | SNS is pub/sub fan-out rather than worker-queue buffering |
| Alert fan-out | SNS | SQS queues work items rather than broadcasting alerts |
Processing
| Need | Choose | Common trap |
|---|---|---|
| Per-event bounded transformation | Lambda | Do not launch EMR for each record |
| Serverless Spark ETL | Glue | Do not manage a cluster unless control is needed |
| Configurable big-data framework cluster | EMR | Do not choose Glue when detailed bootstrap and cluster control are explicit |
| Stateful streaming windows | Managed Service for Apache Flink | Lambda alone is not a stateful streaming engine |
| Set-based transformation in a warehouse | Redshift SQL | Do not export rows to Lambda for large joins |
| Custom container runtime | ECS or EKS | Choose EKS only when Kubernetes requirements justify it |
Orchestration
| Need | Choose | Common trap |
|---|---|---|
| Stateful serverless workflow with branching and retries | Step Functions | EventBridge can trigger but does not model the workflow states |
| Airflow DAG migration or complex Airflow operations | MWAA | Step Functions is not managed Airflow |
| Glue crawler and Glue job dependencies | Glue workflow and triggers | Lifecycle rules do not orchestrate jobs |
| Time-based run | EventBridge Scheduler | S3 events do not fire when no object arrives |
| Event routing | EventBridge | Scheduler is for time; SQS is for buffering |
Storage and analytics
| Need | Choose | Common trap |
|---|---|---|
| Data lake | S3 | Lambda ephemeral storage is not durable storage |
| Open table format on lake data | Apache Iceberg concepts and S3 Tables | Plain unversioned CSV objects lack table semantics |
| Warehouse | Redshift | DynamoDB is not an analytical-join warehouse |
| Operational millisecond key lookup | DynamoDB | Athena and Redshift are analytical services |
| Relational transactions | Aurora or RDS | S3 is object storage, not a transactional relational engine |
| Redis-compatible fast durable key/value | MemoryDB | Redshift Spectrum is unrelated |
| Search and log analytics | OpenSearch | RDS is not a distributed search engine by default |
| Graph traversal | Neptune | DynamoDB can store relationships but is not the graph-specialist answer |
| Document API compatibility | DocumentDB | Neptune solves graph traversal |
| Cassandra compatibility | Keyspaces | Aurora requires a relational redesign |
Catalog, governance and observability
| Need | Choose |
|---|---|
| Discover table schema | Glue crawler |
| Store technical table metadata | Glue Data Catalog |
| Synchronize partitions | Update the Glue catalog or use an appropriate projection strategy |
| Central fine-grained lake permissions | Lake Formation |
| Business discovery, lineage and governed data products | SageMaker Catalog |
| Governed workspace boundaries | SageMaker Unified Studio domains, domain units and projects |
| API-call audit | CloudTrail |
| Configuration change history | AWS Config |
| Metrics and alarms | CloudWatch |
| Application log storage | CloudWatch Logs |
| Search CloudWatch logs | Logs Insights |
| Central SQL query of CloudTrail events | CloudTrail Lake |
| PII discovery in S3 | Macie |
6. Architecture Patterns
Pattern 1 — Cost-efficient batch lake pipeline
Scenario: Daily CSV extracts must be analyzed with Athena at lower cost.
Pattern:
- Land raw CSV files in an S3 raw prefix.
- Trigger a Glue workflow on schedule or after object arrival.
- Use Glue ETL to clean and convert CSV to Parquet.
- Partition curated data by common filters such as date.
- Update the Glue Data Catalog.
- Query with Athena.
- Add data-quality rules and quarantine invalid records.
- Apply S3 Lifecycle rules to older raw objects.
Exam tie-breaker: Parquet plus useful partitioning reduces scanned bytes. Folder depth alone is insufficient if query metadata does not use the layout.
Pattern 2 — Replayable streaming pipeline
Scenario: Clickstream consumers must reprocess events after a code defect.
Pattern:
- Producers write to Kinesis Data Streams.
- Set retention according to replay needs.
- Use multiple consumers; consider enhanced fan-out for dedicated throughput.
- Process with Lambda for simple event logic or Flink for stateful windows.
- Send unrecoverable records to a DLQ or quarantine path.
- Monitor throughput and throttling with CloudWatch.
Exam tie-breaker: Replay requirement favors Kinesis Data Streams over Firehose.
Pattern 3 — Managed streaming delivery
Scenario: Operational logs need near-real-time delivery to S3, and no custom consumer is needed.
Pattern:
- Send events to Kinesis Data Firehose.
- Configure buffering and delivery destination.
- Optionally use a lightweight transformation.
- Store data in S3 and catalog it for Athena.
Exam tie-breaker: Minimal-operations destination delivery favors Firehose.
Pattern 4 — Database CDC into analytics
Scenario: Inserts and updates from an RDS database must appear in a lake with minimal source impact.
Pattern:
- Configure AWS DMS source and target endpoints.
- Run full load if initial history is needed.
- Continue with CDC.
- Land changes in the analytical destination.
- Transform, reconcile, and monitor lag.
Exam tie-breaker: CDC is better than frequent full exports for ongoing changes.
Pattern 5 — Serverless event-driven processing
Scenario: Each incoming S3 object needs validation and downstream processing.
Pattern:
- S3 object-created event routes work.
- Use SQS when burst buffering and retry isolation matter.
- Invoke Lambda for bounded validation.
- Send poison records to a DLQ.
- Start Glue for larger transformations if required.
- Notify operations through SNS on failure thresholds.
Exam tie-breaker: SQS decouples and buffers; SNS broadcasts notifications.
Pattern 6 — Governed data lake
Scenario: Analysts need controlled Athena access to curated datasets with business discovery and lineage.
Pattern:
- Store curated data in S3.
- Register metadata in Glue Data Catalog.
- Govern table and column access with Lake Formation.
- Use SageMaker Catalog for business discovery and lineage concepts.
- Use Unified Studio projects and domain boundaries for governed collaboration where relevant.
- Use Macie for PII discovery.
- Audit API activity with CloudTrail.
Exam tie-breaker: Catalog discovery and authorization are separate responsibilities.
Pattern 7 — Hybrid Redshift analytics
Scenario: Analysts need warehouse data, S3 historical data, and selected live Aurora data.
Pattern:
- Use Redshift warehouse tables for curated analytical data.
- Use Spectrum for S3 historical data.
- Use federated queries for supported live relational sources when appropriate.
- Use materialized views for repeated expensive aggregations with acceptable staleness.
- Use data sharing for governed reuse without copying full datasets.
Exam tie-breaker: Spectrum = S3; federated query = supported operational database; data sharing = reuse of Redshift data without full copy.
Pattern 8 — Vectorized retrieval workflow
Scenario: Internal documents must support semantic retrieval.
Pattern:
- Ingest source documents.
- Chunk and clean content.
- Generate embeddings, potentially through a Bedrock knowledge-base workflow.
- Store embeddings in a suitable vector-capable index.
- Evaluate HNSW versus IVF according to latency, recall, memory, and build-cost requirements.
- Preserve lineage and quality checks.
Exam tie-breaker: Similarity search needs vector indexing concepts, not an ordinary scalar B-tree answer.
Pattern 9 — Audit-ready operational logging
Scenario: A team must detect pipeline failures and prove who changed resources.
Pattern:
- Emit application logs to CloudWatch Logs.
- Use CloudWatch metrics and alarms for operational thresholds.
- Publish notifications through SNS.
- Use CloudTrail for API-call evidence.
- Use CloudTrail Lake for centralized SQL queries of CloudTrail events where needed.
- Use AWS Config for resource-configuration history.
- Archive required logs in controlled S3 storage with retention protections.
Exam tie-breaker: CloudTrail and Config answer different questions.
Pattern 10 — Quality-controlled pipeline
Scenario: Most records are valid, but malformed records must not block the pipeline.
Pattern:
- Validate schema and field rules during processing.
- Route invalid records to quarantine with error context.
- Continue processing valid records.
- Alert when invalid-rate thresholds are exceeded.
- Reconcile counts and totals between stages.
- Replay corrected records in a controlled way.
Exam tie-breaker: Do not silently drop errors and do not stop the entire pipeline for one poison record unless the business rule explicitly requires it.
7. Exam Traps
Trap 1 — Choosing a service from the wrong layer
A technically real AWS service is not automatically a plausible answer. Ask what layer the requirement targets.
| Requirement | Wrong-layer answer | Why it fails |
|---|---|---|
| Trigger a job after a file arrives | S3 Lifecycle rule | Lifecycle manages storage aging, not processing triggers |
| Broadcast a failure alert | Athena view | A view is a SQL abstraction, not a notification channel |
| Protect data in transit | S3 Versioning | Versioning protects object history, not network traffic |
| Register new query partitions | Increase retention | Retention does not update catalog metadata |
Trap 2 — Firehose when replay is required
Choose Firehose for managed delivery. Choose Kinesis Data Streams when consumers need retained records and replay. MSK is the Kafka-compatible option.
Trap 3 — SNS versus SQS
- SNS broadcasts.
- SQS buffers work for consumers.
- An event-driven worker pipeline often uses SQS and a DLQ.
- An alarm notification often uses SNS.
Trap 4 — Event versus schedule
- Object arrives → event notification.
- Run every day regardless of arrivals → scheduler.
Trap 5 — Glue versus EMR versus Lambda versus Flink
- Lambda: small bounded event work.
- Glue: managed serverless Spark ETL.
- EMR: configurable distributed frameworks.
- Flink: stateful continuous stream analytics.
Trap 6 — Athena optimization by folder structure alone
Use columnar format and meaningful partitions. A deeper folder tree alone does not guarantee scan reduction.
Trap 7 — Redshift feature confusion
- Spectrum queries S3.
- Federated query reaches supported live relational databases.
- Materialized view stores precomputed results.
- Data sharing enables governed warehouse reuse without full copies.
- COPY loads; UNLOAD exports.
Trap 8 — DynamoDB hot partitions
Do not accept a low-cardinality partition key that concentrates traffic. Scale is not magic if the access pattern creates a hot key.
Trap 9 — Lifecycle versus versioning versus TTL
- Lifecycle transition: cheaper tier.
- Lifecycle expiration: age-based delete.
- Versioning: recover prior S3 versions.
- DynamoDB TTL: age-based item expiration, not an exact immediate delete timer.
Trap 10 — Catalog versus authorization
- Crawler discovers schema.
- Glue Data Catalog stores technical metadata.
- Lake Formation manages governed lake permissions.
- SageMaker Catalog supports business discovery, lineage, and governed data-product concepts.
Trap 11 — CloudWatch versus CloudTrail versus Config
- Operational alarm → CloudWatch.
- API caller evidence → CloudTrail.
- Resource configuration history → Config.
- Central SQL query of CloudTrail events → CloudTrail Lake.
Trap 12 — Bucket policy alone for cross-account encrypted data
Cross-account SSE-KMS access requires data permission and KMS-key usage permission.
Trap 13 — Hardcoded credentials
Use IAM roles for workloads and Secrets Manager or Parameter Store for secret/configuration needs. Do not embed long-lived administrator keys.
Trap 14 — Treating distributed-processing skew as a capacity-only issue
If one key dominates a join, blindly adding workers might not solve the bottleneck. Inspect skew, shuffles, partitions, and slow tasks.
Trap 15 — Ignoring invalid-record preservation
Silently dropping bad records weakens reconciliation and auditability. Use quarantine or a DLQ with context.
Trap 16 — Assuming every newer in-scope service is heavily tested
Recognize newer services, but focus effort according to blueprint task relevance. Be able to identify Bedrock, S3 Tables, Aurora, MemoryDB, SageMaker Catalog, Unified Studio, Kendra, Amazon Q, and Data Exchange without sacrificing the core services.
How to eliminate bad options quickly
- Identify the layer: ingestion, processing, orchestration, store, operations, or security.
- Remove answers from unrelated layers.
- Check the decisive requirement: replay, latency, operational overhead, compatibility, or governance.
- Prefer purpose-built services over improvised custom infrastructure when both meet requirements.
- Reject answers that grant excessive permissions.
- Reject answers that destroy evidence, silently drop records, disable logs, or expose data publicly.
- For multi-response questions, verify that every selected component is required.
8. Quick Memory Rules
Ingestion
- Replay stream → Kinesis Data Streams.
- Managed streaming delivery → Firehose.
- Existing Kafka ecosystem → MSK.
- Database changes → DMS CDC.
- SaaS connector → AppFlow.
- File-system transfer → DataSync.
- Partner SFTP endpoint → Transfer Family.
- Absorb bursts → SQS.
- Broadcast alerts → SNS.
Processing
- Small event function → Lambda.
- Serverless Spark ETL → Glue.
- Custom big-data cluster → EMR.
- Stateful streaming windows → Flink.
- Warehouse transformations → Redshift SQL.
- Kubernetes requirement → EKS.
- General container orchestration without Kubernetes requirement → ECS.
Orchestration
- AWS-native state machine → Step Functions.
- Airflow DAGs → MWAA.
- Glue crawlers and jobs → Glue workflow.
- Recurring clock schedule → EventBridge Scheduler.
- Event routing → EventBridge.
Storage
- Raw lake → S3.
- Tabular lake with open table semantics → Iceberg / S3 Tables concepts.
- Warehouse → Redshift.
- Millisecond key lookup → DynamoDB.
- Relational transactions → Aurora / RDS.
- Fast durable Redis-compatible key/value → MemoryDB.
- Search → OpenSearch.
- Graph → Neptune.
- MongoDB-compatible document workload → DocumentDB.
- Cassandra-compatible workload → Keyspaces.
Catalog and governance
- Technical metadata → Glue Data Catalog.
- Schema discovery → Glue crawler.
- Fine-grained lake permissions → Lake Formation.
- Business catalog and lineage → SageMaker Catalog.
- Governed workspace organization → Unified Studio domains, domain units, projects.
Operations
- Metrics and alarms → CloudWatch.
- App logs → CloudWatch Logs.
- Query CloudWatch logs → Logs Insights.
- API caller → CloudTrail.
- Query centralized CloudTrail events → CloudTrail Lake.
- Configuration history → AWS Config.
- Full-text indexed log analytics → OpenSearch.
Security
- Temporary workload credentials → IAM role.
- Rotating secret → Secrets Manager.
- Secure parameter/configuration value → Parameter Store.
- Encryption keys → KMS.
- Private service path → PrivateLink endpoint.
- PII discovery in S3 → Macie.
- Cross-account encrypted object → S3 permission + KMS permission.
Redshift
- Load → COPY.
- Export → UNLOAD.
- Query S3 from Redshift → Spectrum.
- Query supported live operational database → Federated query.
- Repeated expensive result with acceptable staleness → Materialized view.
- Share Redshift data without full copy → Data sharing.
Vector concepts
- Semantic retrieval → embeddings plus vector-capable index.
- HNSW and IVF → approximate nearest-neighbor index concepts with different recall, latency, memory, and build-cost tradeoffs.
- B-tree → not the default answer for embedding similarity search.
9. Final Revision Notes
Domain 1 final review
Confirm that you can answer:
- Why is Kinesis Data Streams better than Firehose for replay?
- When does MSK beat Kinesis?
- When does DMS CDC beat repeated exports?
- When is AppFlow more appropriate than DataSync?
- How do S3 events differ from scheduled runs?
- Why does exponential backoff with jitter matter?
- What is fan-out and when is enhanced fan-out useful?
- When should you choose Lambda, Glue, EMR, Flink, ECS, or EKS?
- Why do Parquet and good partitions reduce Athena costs?
- When should you use Step Functions, MWAA, Glue workflows, SQS, and SNS?
- How do IaC, SAM, CI/CD, Lambda concurrency, layers, and EFS fit into reliable deployment?
- What is a realistic Bedrock-assisted data-processing workflow?
Domain 2 final review
Confirm that you can answer:
- Why is S3 the default raw landing zone?
- When should data move from ordinary S3 objects to table-format concepts such as Iceberg?
- What problem do S3 Tables address?
- What makes DynamoDB partition-key design succeed or fail?
- When do Aurora/RDS, MemoryDB, OpenSearch, Neptune, DocumentDB, and Keyspaces fit?
- How do Spectrum, federated queries, materialized views, and data sharing differ?
- What does a Glue crawler do, and what does it not do?
- Why might Athena not see a newly added S3 partition?
- How do lifecycle transition, expiration, versioning, and TTL differ?
- What are HNSW and IVF?
- How do schema evolution, schema conversion, lineage, compression, and partitioning support maintainable data platforms?
Domain 3 final review
Confirm that you can answer:
- Which service schedules recurring automation?
- When should code call SDK APIs?
- When is Athena a better query option than a provisioned warehouse?
- What SQL pattern computes a rolling average?
- What is the difference between a logical view and a materialized view?
- Which tool stores app logs, queries logs, tracks API calls, and records configuration history?
- How do you investigate slow Spark tasks?
- What symptoms indicate data skew?
- When should you sample data?
- Why quarantine invalid records instead of silently dropping them?
Domain 4 final review
Confirm that you can answer:
- Why are IAM roles better than embedded access keys?
- When should Secrets Manager or Parameter Store be used?
- What is the role of security groups and PrivateLink?
- When should you create a custom IAM policy?
- What does Lake Formation govern?
- How do RBAC and ABAC differ?
- Why are both S3 and KMS permissions required for cross-account encrypted objects?
- What is masking or anonymization used for?
- How do CloudTrail, CloudTrail Lake, CloudWatch Logs, Logs Insights, OpenSearch, Athena, and Config fit into audit workflows?
- When should Macie be used?
- What does data sovereignty require?
- What are SageMaker Catalog projects and Unified Studio domains used for?
Lower-frequency in-scope service awareness
Do not spend most of your study time here, but recognize the role of:
| Service | Recognition-level purpose |
|---|---|
| Amazon Q | AWS assistant capabilities; current in-scope recognition |
| Amazon Kendra | Enterprise search concepts |
| AWS Data Exchange | Third-party data discovery and subscription concepts |
| AWS Cost Explorer and AWS Budgets | Cost analysis and budget alerts |
| Amazon Managed Grafana | Dashboarding and monitoring visualization |
| AWS Backup | Backup policy and centralized backup concepts |
| EBS and EFS | Block and shared file storage patterns |
| CloudFront, Route 53, AWS WAF, AWS Shield | Supporting network, delivery, and protection concepts; usually not the primary answer to core ETL questions |
| AWS Application Discovery Service and Application Migration Service | Migration-awareness services |
| Amazon ECR | Container-image registry for ECS/EKS workloads |
| AWS CLI | Scripted service interaction and administration |
Last-hour priority list
- Kinesis Data Streams vs Firehose vs MSK
- Lambda vs Glue vs EMR vs Flink
- EventBridge vs Step Functions vs MWAA vs SQS vs SNS
- S3, Parquet, partitions, Glue Catalog, crawler and Lake Formation
- Redshift COPY, UNLOAD, Spectrum, federated query, materialized view and data sharing
- DynamoDB key design and TTL
- CloudWatch, CloudTrail, CloudTrail Lake, Config and Logs Insights
- IAM roles, least privilege, Secrets Manager, KMS and cross-account encryption
- Iceberg, S3 Tables, HNSW, IVF, Bedrock, SageMaker Catalog and Unified Studio
- Quarantine, DLQ, retries, backoff, monitoring and skew
10. Exam-Day Checklist
Before starting
- Confirm the exam code is DEA-C01.
- Use the first minutes to settle into the pace.
- Remember that unanswered questions are incorrect, so answer every question.
- Expect unscored questions that are not identified; treat every question seriously.
For each question
- Read the final sentence first: what exactly is requested?
- Identify the decisive requirement: replay, latency, cost, operational effort, compatibility, security, or governance.
- Classify the layer: ingestion, processing, orchestration, storage, operations, or security.
- Eliminate unrelated services.
- Compare the two strongest remaining answers.
- Ask why the best wrong answer fails.
- For multi-response questions, verify that each selected option is independently necessary.
- Do not overengineer when the requirement asks for the simplest managed solution.
- Do not select broad permissions when scoped access is possible.
- Flag uncertain questions and move forward.
Time management
- Aim for a steady first pass.
- Do not spend too long proving one difficult question while leaving easier questions unanswered.
- Reserve time to revisit flagged items.
- Guess rather than leave a question unanswered.
Final mental reminders
- Replay is not the same as delivery.
- Buffering is not the same as broadcasting.
- A catalog is not the same as authorization.
- Versioning is not encryption.
- CloudTrail is not AWS Config.
- Spectrum is not federated query.
- A bucket policy is not enough for SSE-KMS cross-account decryption.
- Scaling does not fix a bad partition key or severe data skew.
- Managed simplicity wins only when it still meets the requirement.
- Purpose-built service beats an improvised architecture.
Source and alignment note
This course was synthesized from the improved DEA-C01 practice bank rather than copied question-by-question. Repeated scenarios and wrong-answer patterns were consolidated into service-selection rules, architecture patterns, and exam traps. It was checked against the current AWS Certified Data Engineer – Associate DEA-C01 guide, including the Version 1.1 revision published on December 12, 2025. AWS states that the guide is not a comprehensive list of everything that can appear on the exam and that the in-scope services list is non-exhaustive and subject to change. Recheck the official AWS exam guide close to your exam date.
Unlock the full course
All 30 modules with detailed explanations, code examples, and exam tips.
A public-sector agency is implementing a new analytics workflow. It wants automated unit tests, build steps, and promotion of pipeline code after approved commits. Operational simplicity is important after deployment. Which option directly satisfies the requirement? Which solution should the data engineer recommend?
Get Your Personalized Results
Enter your email to receive your score, weak-topic analysis, and a personalized revision plan.
Results sent! Check your inbox.
This Question is Locked
You're viewing 35 of 1040 free questions.
trending_up Certified pros earn 20-30% more
Higher salary: IT certifications add $12,000-$25,000/year on average to your paycheck
Job security: 87% of hiring managers prefer candidates with certifications : you become irreplaceable
More opportunities: Freelance gigs, remote roles, and promotions open up instantly
Practice all questions: Comprehensive practice is the #1 predictor of passing
Mock Exam : Upgrade to Unlock
Available in Q&A + Course + Mock Exam package
You've already started : one exam away from a career upgrade.