AWS Certified Developer – Associate DVA-C02 Exam Course
Purpose: A compressed, start-to-finish course for the AWS Certified Developer – Associate (DVA-C02) exam.
Alignment: Built from the supplied practice bank and organized against the current AWS DVA-C02 exam guide, including guide revision 2.1 topics.
How to use this file: Learn the decision rules first, then revisit the comparison tables and exam traps during final revision.
1. Exam Overview
The AWS Certified Developer – Associate (DVA-C02) exam validates the ability to develop, secure, deploy, troubleshoot, and optimize AWS Cloud applications. It is a developer-focused exam: scenarios usually ask for the best application-level implementation choice, not a full enterprise architecture redesign.
Exam format
| Item |
Current exam format |
| Exam code |
DVA-C02 |
| Duration |
130 minutes |
| Total questions |
65 |
| Scored questions |
50 |
| Unscored questions |
15 |
| Question styles |
Multiple choice and multiple response |
| Passing scaled score |
720 out of 1,000 |
What the exam rewards
The exam favors solutions that are:
- Managed: use an AWS feature instead of unnecessary custom code.
- Loosely coupled: avoid synchronous dependencies when asynchronous processing fits.
- Least privilege: grant only the actions and resources required.
- Observable: use metrics, structured logs, traces, alarms, and health checks.
- Repeatable: deploy immutable artifacts and infrastructure as code.
- Resilient: design for retries, duplicate messages, partial failures, and rollback.
- Access-pattern driven: choose a data store and index design from the query pattern.
How to read exam scenarios
Before comparing answers, identify four things:
- Primary requirement: security, latency, ordering, durability, isolation, deployment safety, or troubleshooting?
- Scope: application code, AWS service configuration, IAM permissions, data store design, or release pipeline?
- Constraint words: MOST secure, least operational overhead, near real time, ordered, temporary, without changing code, before invoking the backend.
- Failure model: transient error, poison message, duplicate delivery, hot partition, missing permission, bad deployment, or downstream outage?
A correct answer usually solves the main requirement directly with the smallest appropriate AWS-native mechanism.
2. Exam Domains
| Domain |
Weight |
Main focus |
| Domain 1: Development with AWS Services |
32% |
Application patterns, AWS SDK use, messaging, Lambda, data stores, caching, streaming |
| Domain 2: Security |
26% |
Authentication, authorization, IAM roles, KMS, encryption, secrets, masking, multi-tenancy |
| Domain 3: Deployment |
24% |
Packaging, configuration, testing, IaC, CI/CD, aliases, rollout strategies, rollback |
| Domain 4: Troubleshooting and Optimization |
18% |
Logs, metrics, traces, alarms, integration debugging, caching, concurrency, profiling |
Blueprint task map
| Domain |
Official task groups |
| Domain 1 |
Develop code for applications hosted on AWS; develop code for AWS Lambda; use data stores in application development |
| Domain 2 |
Implement authentication and/or authorization; implement encryption; manage sensitive data in application code |
| Domain 3 |
Prepare artifacts; test in development environments; automate deployment testing; deploy with CI/CD services |
| Domain 4 |
Assist in root cause analysis; instrument code for observability; optimize applications |
Revision 2.1 topics to know
The current guide explicitly emphasizes several skills that older study notes may underweight:
- Amazon Q Developer for development assistance and test generation
- Amazon EventBridge event-driven patterns
- Retry logic, circuit breakers, and error handling for third-party integrations
- Lambda real-time processing and transformation
- Specialized stores such as Amazon OpenSearch Service
- Fine-grained application authorization
- Cross-service authentication in microservices
- Data masking and sanitization
- Multi-tenant access patterns
- AWS AppConfig for environment configuration
- Testing event-driven applications
- Structured logging
- Health checks and readiness probes
- Application-level caching and performance analysis
3. Start-to-Finish Study Path
Use this order because each stage supports the next one.
Stage 1: Learn the application building blocks
Focus first on:
- Lambda configuration and invocation behavior
- API Gateway request flow
- SQS, SNS, EventBridge, Step Functions, and Kinesis
- DynamoDB keys, Query vs Scan, consistency, indexes, and TTL
- AWS SDK retries and idempotency
Checkpoint: Given a scenario, you should quickly decide whether the answer is synchronous API, queue, pub/sub fanout, event routing, orchestration, or streaming.
Stage 2: Add security to every pattern
Study:
- IAM roles and temporary credentials
- STS AssumeRole for cross-account access
- Cognito and bearer-token authorization
- KMS and envelope encryption
- Secrets Manager, Parameter Store, and AppConfig
- Multi-tenant authorization and log sanitization
Checkpoint: When credentials appear in an answer, reject long-lived embedded keys unless the scenario explicitly requires something unusual.
Stage 3: Make releases repeatable
Study:
- ZIP and container-image Lambda packaging
- AWS SAM and CloudFormation
- API Gateway stages and Lambda aliases
- CodePipeline, CodeBuild, and CodeDeploy roles
- Canary, blue/green, rolling, and rollback
- Test fixtures, mocks, event-driven tests, and immutable artifacts
Checkpoint: You should know which service orchestrates, which builds, and which deploys.
Stage 4: Operate and optimize
Study:
- CloudWatch metrics, logs, Logs Insights, alarms, and dashboards
- AWS X-Ray traces and annotations
- CloudTrail for AWS API auditing
- Correlation IDs and structured logging
- Readiness probes
- Cache design, hot-key analysis, and Lambda performance tuning
Checkpoint: For each incident, identify whether the first evidence source is logs, metrics, traces, CloudTrail, or deployment output.
Suggested revision cycle
| Pass |
What to do |
| First pass |
Read Sections 4–6 slowly and make service-choice flashcards |
| Second pass |
Study Sections 7–8 and explain why each trap fails |
| Practice pass |
Answer scenario questions and mark the decision rule used |
| Final pass |
Read Sections 8–10 within 24 hours of the exam |
4. Core Concepts by Domain
Domain 1: Development with AWS Services
4.1 Application architecture decisions
Synchronous vs asynchronous
| Pattern |
Use when |
Strength |
Main risk |
| Synchronous request/response |
Caller needs an immediate response |
Simple client interaction |
Tight coupling; downstream latency propagates |
| Asynchronous queue |
Work can be processed later |
Durable buffering and independent scaling |
Must handle retries and duplicates |
| Pub/sub fanout |
Multiple independent consumers need the same event |
Loose coupling and independent consumers |
Requires delivery and filtering design |
| Event routing |
Consumers depend on event attributes |
Flexible routing without producer awareness |
Event schema and rule matching matter |
| Workflow orchestration |
Steps, branches, retries, and state must be visible |
Explicit control flow |
Can be unnecessary for a simple one-step event |
Choreography vs orchestration
- Choreography: services react to events independently. Use EventBridge, SNS, or queues where no central workflow state machine is needed.
- Orchestration: a workflow explicitly controls sequence, branching, retries, and state. Use Step Functions.
Decision rule:
If the question says “multiple services react independently”, think events and queues.
If it says “run A, then B, branch on result, retry C”, think Step Functions.
4.2 Messaging and integration services
SQS, SNS, EventBridge, Step Functions, and Kinesis
| Service |
Best use |
Important behavior |
Common exam trap |
| Amazon SQS standard queue |
Durable work queue, decoupling, buffering |
At-least-once delivery; best-effort ordering |
Assuming exactly-once processing |
| Amazon SQS FIFO queue |
Ordered processing with deduplication requirements |
Ordering within message groups |
Assuming a standard queue provides strict order |
| Amazon SNS |
Pub/sub fanout |
Pushes a message to subscribers |
Using one SNS topic where each worker needs durable independent buffering without queues |
| SNS + SQS |
Fanout with durable independent consumers |
One queue per subscriber |
Using one shared queue when every consumer must receive every event |
| Amazon EventBridge |
Attribute-based event routing and loosely coupled integration |
Rules route events to targets |
Using API Gateway or a database polling table for internal event routing |
| AWS Step Functions |
Stateful orchestration |
Branching, retries, visible execution state |
Using SNS or SQS as a workflow engine |
| Amazon Kinesis Data Streams |
High-volume, near-real-time ordered streams |
Shards, partition keys, multiple consumers |
Using SQS when stream processing and ordered records are required |
SQS rules you must know
Visibility timeout
After a consumer receives an SQS message, the message is hidden temporarily. If processing takes longer than the visibility timeout, another consumer may receive it and process it again.
Use: Set the visibility timeout longer than normal processing time. Extend it when required.
Dead-letter queue (DLQ)
A DLQ isolates messages that repeatedly fail.
Use when: A malformed or poison message is retried repeatedly and delays useful work.
Do not confuse:
- Visibility timeout controls how long a received message stays hidden.
- Retention period controls how long an unprocessed message remains stored.
- DLQ max receive count controls when repeated failures are isolated.
Long polling
Long polling reduces empty receives and unnecessary API calls. It does not solve duplicate processing or poison messages.
Idempotency
SQS and many event-driven patterns can deliver more than once. Consumers must be safe to retry.
A common pattern:
- Receive an event with a unique business or idempotency key.
- Check whether the operation has already been applied.
- Apply the side effect only once.
- Record completion atomically when possible.
Exam rule: Never assume a standard queue gives exactly-once processing.
Third-party dependency resilience
For unreliable external APIs:
- Set timeouts.
- Use bounded retries.
- Apply exponential backoff with jitter.
- Add a circuit breaker after repeated failures.
- Handle partial failure without cascading across the application.
- Consider asynchronous buffering when immediate completion is unnecessary.
Reject: infinite immediate retries. They amplify outages.
4.3 AWS Lambda
Lambda configuration map
| Setting |
What it controls |
Exam clue |
| Memory |
Memory and proportional CPU allocation |
CPU-bound function is slow |
| Timeout |
Maximum invocation duration |
Function legitimately needs more time, after root cause review |
| Reserved concurrency |
Capacity reserved for and capped on a function |
Protect a critical function from a noisy neighbor |
| Environment variables |
Runtime configuration |
Keep non-secret settings outside code |
| Layers |
Shared libraries or dependencies |
Reuse compatible libraries |
| Extensions |
Integrate monitoring, security, or operational tooling |
Add runtime capabilities |
| Destinations |
Route async invocation outcomes |
Send success or failure records after retries |
| DLQ |
Store failed async event records in supported patterns |
Investigate failures |
| Trigger |
Source that invokes the function |
API, queue, event bus, stream, storage event |
Lambda in a VPC
A Lambda function attached to private subnets can reach private resources such as RDS. If it also needs outbound public internet access, provide the appropriate outbound route, commonly through a NAT gateway.
Trap: Putting a Lambda function in a public subnet does not automatically give it a public IP address.
Lambda errors and event lifecycle
| Invocation pattern |
What matters |
| Synchronous invocation |
Caller receives the response or error |
| Asynchronous invocation |
Lambda retries according to the async model; destinations can route outcomes |
| SQS event source mapping |
Queue controls redelivery behavior; visibility timeout and DLQ design matter |
| Stream event source |
Batch behavior, checkpointing, and failed-record handling matter |
Lambda performance tuning
For CPU-bound Lambda workloads, test larger memory values because CPU increases with memory. Measure both duration and cost. Do not simply increase the timeout and ignore the bottleneck.
For slow Lambda functions, ask:
- Is the code CPU-bound?
- Is initialization expensive?
- Is a downstream call slow?
- Is the function waiting on network or database I/O?
- Is concurrency limited?
- Would caching reduce repeated work?
4.4 API Gateway
API Gateway commonly appears with Lambda or HTTP integrations.
Features to recognize
| Requirement |
Feature |
| Reject invalid requests before backend invocation |
Request validation with models |
| Transform payload shape for a legacy backend |
Mapping transformations |
| Create test and production API environments |
Stages |
| Use environment-specific values |
Stage variables or managed configuration where appropriate |
| Validate bearer tokens |
Appropriate authorizer |
| Protect public HTTP traffic patterns |
AWS WAF association where supported |
Trap: Do not invoke Lambda just to reject a structurally invalid request when API Gateway can validate it first.
4.5 DynamoDB and data stores
Start from the access pattern
DynamoDB design begins with questions:
- What values do callers know at request time?
- Which queries must be fast?
- What item collections belong together?
- Is ordering needed?
- Is the partition key high-cardinality?
- Is an alternate access pattern required?
Partition key and sort key
| Key |
Purpose |
| Partition key |
Determines partition placement and primary access path |
| Sort key |
Groups and orders related items within a partition-key value |
| Composite primary key |
Partition key + sort key |
A good partition key distributes load. A poor key concentrates requests on a small number of values.
Query vs Scan
| Operation |
Use when |
Efficiency |
| Query |
You know the partition key and optionally a sort-key condition |
Efficient targeted access |
| Scan |
You truly need to examine the whole table |
Expensive and usually a distractor |
Exam rule: If the scenario gives the partition key, prefer Query. A filter expression on Scan does not make the read efficient because the scan still reads items before filtering.
Secondary indexes
| Index |
Use |
| Global secondary index (GSI) |
Alternate partition-key and optional sort-key access pattern |
| Local secondary index (LSI) |
Same partition key, alternate sort key; designed at table creation |
Example: Table primary key is OrderId; application now needs efficient lookup by CustomerId. Add a GSI.
Consistency
| Read model |
Use |
| Eventually consistent |
Default-style choice when slightly stale reads are acceptable |
| Strongly consistent |
Verification must immediately see the latest successful write, where supported |
Hot partitions and write sharding
If one tenant, reseller, celebrity account, or region dominates a partition-key value, aggregate capacity may look adequate while a partition still throttles.
Remedy: Add calculated suffixes or another distribution strategy, then query shards when necessary.
TTL
Use DynamoDB TTL for records that should expire automatically, such as sessions or temporary data. Store an expiration timestamp in the configured attribute.
Caching and specialized stores
| Requirement |
Better fit |
| Reduce repeated low-latency reads |
Amazon ElastiCache |
| Full-text search, filters, relevance ranking |
Amazon OpenSearch Service |
| High-volume ordered streaming |
Kinesis Data Streams |
| Key-value and document access patterns at scale |
DynamoDB |
| Relational transactions and SQL patterns |
Amazon RDS or Aurora, where appropriate |
Trap: Do not force DynamoDB Scan into a search-engine use case.
4.6 AWS SDK use
Prefer AWS SDKs for service calls. SDKs handle details such as credentials and request signing.
For transient throttling:
- Use exponential backoff.
- Add jitter.
- Limit retries.
- Preserve idempotency.
- Distinguish retryable from non-retryable errors.
Amazon Q Developer
Amazon Q Developer can assist with development work and generating candidate tests. It does not remove the need to review, execute, and validate generated code or tests.
Domain 2: Security
4.7 IAM roles and temporary credentials
Core rule
Prefer IAM roles and temporary credentials. Avoid embedded long-lived access keys.
| Workload |
Preferred credential mechanism |
| EC2 application |
Instance role |
| Lambda function |
Execution role |
| Cross-account workload |
STS AssumeRole into a trusted role |
| AWS SDK application |
Default credential provider chain with role-based credentials |
| Human federated user |
Identity provider and appropriate federation flow |
Least privilege
Grant:
- Only required actions
- Only required resources
- Only required prefixes or conditions
- Only required duration and trust relationships
Example: A function reads objects only under s3://reports-bucket/daily/. Allow s3:GetObject only for the needed prefix objects, not s3:* on every bucket.
Cross-account access
Typical pattern:
- Account B defines a role with required permissions.
- The role trust policy allows an approved principal from Account A.
- The caller in Account A has permission to call
sts:AssumeRole.
- The workload receives temporary credentials.
Trap: Do not create permanent IAM-user keys in the destination account and copy them into the source account.
4.8 Authentication vs authorization
| Concept |
Question answered |
| Authentication |
Who is the caller? |
| Authorization |
What is the caller allowed to do? |
Cognito and bearer tokens
Use Amazon Cognito user pools for application-user sign-up, sign-in, and token issuance.
For protected APIs:
- Client obtains a token.
- API layer validates the token with an appropriate authorizer.
- Backend enforces fine-grained authorization where business rules require it.
Fine-grained authorization
A valid token does not automatically mean the user can perform every action.
Validate:
- Signature
- Expiration
- Issuer and audience where relevant
- Role, scope, or group claims
- Tenant claim
- Resource ownership
- Requested action
Multi-tenant applications
For tenant isolation:
- Derive tenant context from trusted identity claims.
- Enforce tenant scoping in data access and authorization checks.
- Prevent callers from selecting arbitrary tenant IDs without validation.
- Do not return broad result sets to the client and rely on client-side filtering.
- Mask sensitive fields appropriately.
Exam trap: A request-body tenant ID is not trusted just because the user is authenticated.
Cross-service authentication
Microservices should use roles and temporary credentials rather than shared permanent keys. For authenticated AWS API calls, use the AWS SDK or Signature Version 4 signing.
4.9 Encryption
At rest vs in transit
| Requirement |
Control |
| Protect stored objects or records |
Encryption at rest |
| Protect traffic between systems |
TLS/HTTPS |
| Encrypt locally before sending data |
Client-side encryption |
| Let the managed service encrypt stored data |
Server-side encryption |
Trap: Server-side encryption at rest does not replace TLS in transit.
AWS KMS
KMS commonly appears when you need:
- Controlled key policies
- Encryption and decryption permissions
- Auditability
- Key rotation
- Cross-account key use
- Envelope encryption
Envelope encryption
Use envelope encryption for application data:
- Generate or obtain a data key.
- Encrypt the payload locally with the plaintext data key.
- Protect the data key with a KMS key.
- Store the encrypted payload and encrypted data key.
- Discard the plaintext data key after use.
Why: KMS is used to protect the data key, not to encrypt arbitrarily large payloads directly.
SSE-KMS for S3
Use S3 server-side encryption with AWS KMS keys (SSE-KMS) when objects require KMS-backed control and auditability.
KMS cross-account rule
Cross-account KMS use typically requires both:
- Permission in the KMS key policy in the owning account
- IAM permission for the calling principal
Key rotation
Know when automatic rotation is supported for eligible customer managed symmetric KMS keys. Rotation changes backing key material without forcing applications to change the key ARN.
4.10 Secrets and configuration
| Service |
Best fit |
| AWS Secrets Manager |
Sensitive values, database credentials, managed rotation |
| AWS Systems Manager Parameter Store |
Central parameters, including configuration values |
| AWS AppConfig |
Runtime configuration and feature flags with validation and controlled rollout |
| Environment variables |
Inject runtime configuration; protect sensitive values and avoid logging them |
| Hard-coded source values |
Usually wrong for secrets or environment-specific settings |
Secrets Manager vs Parameter Store vs AppConfig
| Scenario |
Best first choice |
| Database password requiring rotation |
Secrets Manager |
| Non-sensitive runtime parameter |
Parameter Store |
| Feature flag with validators and gradual rollout |
AppConfig |
| Static value that differs between staging and production |
Externalized configuration, not compiled code |
Sanitization, masking, and classification
Sensitive data includes categories such as personally identifiable information and protected health information.
Before writing logs:
- Redact secrets
- Mask payment identifiers
- Avoid full tokens
- Avoid plaintext credentials
- Keep only diagnostic fields needed for troubleshooting
Exam trap: Log retention and encryption do not justify writing unnecessary plaintext sensitive data.
4.11 S3 presigned URLs and WAF
S3 presigned URL
Use a presigned URL when a client needs temporary, scoped access to upload or download a specific S3 object without receiving AWS credentials.
AWS WAF
Use AWS WAF rules to inspect and block HTTP request patterns associated with common web exploits or defined malicious traffic.
Domain 3: Deployment
4.12 Deployment artifacts and dependency management
Lambda packaging options
| Option |
Use when |
| ZIP package |
Handler and dependencies fit the ZIP workflow |
| Lambda layer |
Share compatible libraries or dependencies |
| Container image in Amazon ECR |
Container-image workflow or larger packaged application needs |
A Lambda ZIP artifact must include the handler and required dependencies unless dependencies come from compatible layers or the runtime.
Immutable artifact rule
Build once, test once, promote the same artifact.
For containers, use:
- Immutable image digests, or
- Controlled version tags
Reject: Rebuilding an unversioned latest image separately for production.
4.13 Infrastructure as code and environment configuration
Use AWS SAM or AWS CloudFormation for repeatable deployments.
Typical pattern
- Define resources in a template.
- Parameterize values that differ by environment.
- Deploy stack updates instead of creating manual drift.
- Store runtime configuration outside compiled code.
- Use AppConfig where controlled runtime rollout matters.
Trap: If the environment is managed as code, do not manually create the missing queue and leave the template outdated.
4.14 API Gateway stages and Lambda aliases
API Gateway stages
Use stages for separate deployed API environments such as development, test, staging, and production.
Lambda aliases
A Lambda alias is a stable pointer to a published function version.
Use aliases to:
- Test approved versions
- Promote versions without changing callers
- Support weighted routing for rollout
- Avoid depending directly on mutable
$LATEST
Trap: Automated integration tests should not target $LATEST if code can change underneath them.
4.15 Testing
Test layers
| Layer |
Purpose |
| Unit tests |
Validate isolated logic quickly |
| Integration tests |
Validate interactions with dependencies and AWS services |
| End-to-end tests |
Validate representative full flows |
| Event-driven tests |
Validate realistic payloads, edge cases, retries, and malformed events |
Mock external dependencies
Mock paid or unreliable third-party APIs for repeatable automated testing. Keep a smaller controlled set of end-to-end tests for real integrations.
Test fixtures
Create representative JSON payloads for:
- Lambda events
- API Gateway requests
- EventBridge events
- SQS messages
- Stream records
- Failure paths and malformed payloads
Amazon Q Developer can assist in proposing tests, but generated tests still require review and execution.
4.16 CI/CD service responsibilities
| Service |
Primary job |
| AWS CodePipeline |
Orchestrate source, build, test, approval, and deployment stages |
| AWS CodeBuild |
Compile code, run commands and tests, produce artifacts |
| AWS CodeDeploy |
Control application deployment behavior and rollout |
| AWS SAM / CloudFormation |
Define and deploy infrastructure as code |
| Amazon ECR |
Store container images |
| Elastic Beanstalk |
Deploy versioned application bundles while AWS manages common environment tasks |
Frequent exam trap
- If the question asks who orchestrates stages, choose CodePipeline.
- If it asks who runs build commands, choose CodeBuild.
- If it asks who shifts application traffic or manages rollout, choose CodeDeploy where applicable.
4.17 Deployment strategies
| Strategy |
Behavior |
Best use |
| All-at-once |
Replace quickly |
Lower-risk environments or acceptable outage risk |
| Rolling |
Replace subsets progressively |
Reduce simultaneous impact |
| Canary |
Send a small percentage of traffic first |
Validate health before full promotion |
| Linear |
Shift traffic incrementally |
Gradual exposure |
| Blue/green |
Run old and new environments, then switch traffic |
Fast rollback and environment isolation |
Canary example
A new Lambda version should receive 10% of traffic initially, then all traffic only if alarms remain healthy.
Use:
- Published Lambda version
- Alias
- Weighted traffic shift
- CodeDeploy deployment configuration
- CloudWatch alarms
- Automatic rollback
Rollback rule
When a release clearly increases errors and a last known-good version exists, rollback first to restore service. Preserve logs and traces for later root cause analysis.
Domain 4: Troubleshooting and Optimization
4.18 Choose the right evidence source
| Need |
First service to consider |
| Search application events and error details |
CloudWatch Logs |
| Aggregate and query log fields |
CloudWatch Logs Insights |
| Alert on a metric threshold |
CloudWatch alarm |
| Track a business-specific signal |
Custom CloudWatch metric or embedded metric format |
| Trace latency across services |
AWS X-Ray |
| Filter traces by indexed fields |
X-Ray annotations |
| Audit who changed AWS configuration |
AWS CloudTrail |
| Inspect a failing build command |
CodeBuild build logs |
| Debug failed event delivery |
Event rule, target configuration, permissions, metrics, and logs |
Logging vs monitoring vs observability
| Concept |
Meaning |
| Logging |
Record application events and state |
| Monitoring |
Track known metrics and thresholds |
| Observability |
Use logs, metrics, and traces to understand system behavior, including unexpected problems |
4.19 Structured logging and correlation IDs
Emit structured JSON logs with consistent fields, for example:
{
"timestamp": "2026-06-03T10:15:00Z",
"level": "ERROR",
"requestId": "req-123",
"correlationId": "order-987",
"tenantId": "tenant-a",
"operation": "CreateOrder",
"errorCode": "PAYMENT_TIMEOUT"
}
Benefits:
- Search by
errorCode
- Group by tenant or operation
- Trace a transaction across services
- Build metrics from log fields
- Avoid unreliable free-text parsing
For asynchronous flows, propagate a correlation ID through message attributes or event fields.
4.20 AWS X-Ray
Use X-Ray when the scenario asks:
- Which downstream segment is slow?
- Where is latency added?
- Which service returns errors in a distributed request path?
- How can traces be filtered by tenant tier or operation?
Use annotations for indexed trace-filter fields. Use metadata for extra context that does not require indexed filtering.
4.21 CloudTrail
Use CloudTrail for AWS API activity:
- Who changed a Lambda configuration?
- Which identity modified a resource?
- When was an AWS API call made?
Do not use CloudTrail as a replacement for application logs or distributed traces.
4.22 Metrics, alarms, and health checks
Custom metrics
Emit a custom metric when the business signal exists only in application events, such as checkout failures or order-processing latency.
Alarms
Use CloudWatch alarms and SNS notifications when operations needs alerts for:
- Error-rate thresholds
- Quota risk
- Deployment health
- Latency thresholds
- Resource utilization
Readiness probes
A readiness probe should report ready only after the service is actually able to serve traffic. This prevents traffic from reaching a container that has started but has not initialized dependencies.
4.23 Optimization patterns
Lambda optimization
- Benchmark memory settings for CPU-bound work.
- Measure duration and cost together.
- Review concurrency limits.
- Profile expensive code paths.
- Investigate downstream latency.
- Use caching where appropriate.
Messaging optimization
Use SNS subscription filter policies so a subscriber receives only relevant messages. Avoid delivering everything and discarding most records in consumers.
CloudFront cache key optimization
Include only request headers, cookies, and query strings that actually affect the response. Unnecessary cache-key variation lowers cache-hit ratio.
Application-level caching
Use a cache-aside strategy with ElastiCache for frequently requested, low-volatility records:
- Read cache.
- On miss, read database.
- Store value with suitable TTL.
- Return value.
- Invalidate or refresh appropriately when data changes.
Performance investigation rule
Do not blindly add capacity. First:
- Inspect metrics.
- Query logs.
- Trace cross-service latency.
- Profile code.
- Identify the bottleneck.
- Optimize the cause.
- Re-measure.
5. Service Selection Guide
Application integration
| Requirement |
Choose |
Avoid as first answer |
| One durable worker queue |
SQS |
SNS alone |
| Every consumer needs its own durable copy |
SNS topic + one SQS queue per consumer |
One shared SQS queue |
| Attribute-based event routing |
EventBridge |
Database polling |
| Ordered queue processing and deduplication |
SQS FIFO |
SQS standard with assumed strict ordering |
| Stateful sequence, retries, and branches |
Step Functions |
SNS as workflow engine |
| High-throughput ordered stream |
Kinesis Data Streams |
SQS for stream analytics |
Security
| Requirement |
Choose |
Avoid |
| EC2 accesses AWS services |
Instance role |
Embedded access keys |
| Lambda accesses AWS services |
Execution role |
Administrator credentials |
| Temporary cross-account access |
STS AssumeRole |
Copied permanent IAM-user keys |
| Application user sign-in |
Cognito user pool |
IAM user per customer |
| Database secret with rotation |
Secrets Manager |
Source-code constant |
| Feature flag with gradual rollout |
AppConfig |
Compiled flag |
| KMS-backed S3 encryption |
SSE-KMS |
Base64 encoding |
| Temporary browser S3 upload |
Presigned URL |
Public bucket |
Data
| Requirement |
Choose |
Avoid |
| Read items by known DynamoDB partition key |
Query |
Scan with filter |
| Alternate DynamoDB lookup key |
GSI |
Full table Scan |
| Automatic DynamoDB expiration |
TTL |
Periodic full-table scan from request path |
| Hot-read cache |
ElastiCache |
Repeated database reads |
| Full-text relevance search |
OpenSearch Service |
DynamoDB Scan |
| SQL and relational access pattern |
RDS or Aurora |
Forcing DynamoDB into relational joins |
Deployment
| Requirement |
Choose |
Avoid |
| Orchestrate release stages |
CodePipeline |
CodeBuild only |
| Run compile and test commands |
CodeBuild |
CodeDeploy |
| Manage rollout and traffic shifting |
CodeDeploy where supported |
Manual code edits |
| Repeatable serverless stack |
SAM / CloudFormation |
Console-only drift |
| Stable Lambda target |
Alias to published version |
$LATEST |
| Gradual feature-flag rollout |
AppConfig |
Code release for every flag |
Observability
| Requirement |
Choose |
Avoid |
| Search log records |
CloudWatch Logs Insights |
CloudTrail |
| End-to-end latency path |
X-Ray |
Logs alone |
| AWS configuration audit |
CloudTrail |
X-Ray |
| Threshold notification |
CloudWatch alarm + SNS |
Manual inspection |
| Indexed trace filtering |
X-Ray annotations |
Unindexed metadata only |
| Ready-to-serve gating |
Readiness probe |
Returning healthy before initialization |
6. Architecture Patterns
6.1 Durable fanout
Scenario: Billing, analytics, and notifications must independently process the same order event.
Producer
|
v
SNS topic
|-------------------|-------------------|
v v v
SQS billing queue SQS analytics queue SQS notification queue
| | |
Billing worker Analytics worker Notification worker
Why it works:
- Every consumer receives a copy.
- Each queue buffers independently.
- Each consumer retries independently.
- A slow consumer does not block others.
Wrong design: One shared SQS queue. That load-balances messages between workers instead of delivering every event to every consumer.
6.2 EventBridge routing
Scenario: Producers publish business events. Consumers subscribe only to matching event types or attributes.
Producer -> EventBridge event bus -> Rule: order.created -> Fulfillment
-> Rule: region=EU -> Compliance
-> Rule: highValue -> Review workflow
Use EventBridge when the question emphasizes event-bus rules, attribute-based routing, loosely coupled consumers, or producers that should not know their subscribers.
6.3 Idempotent queue consumer
SQS message -> Read idempotency key -> Check persistence store
-> If already completed: acknowledge safely
-> If new: apply side effect + record completion
Use this for payments, order creation, provisioning, and any side effect that must not happen twice.
6.4 Serverless API with validation and authorization
Client
|
HTTPS
|
API Gateway
|-- Validate request model
|-- Validate token with authorizer
|
Lambda
|-- Enforce business authorization
|-- Use execution role
|
DynamoDB / downstream services
Key lesson: Different layers enforce different responsibilities.
- API Gateway: structural validation and token validation
- Lambda: business authorization and tenant rules
- IAM role: permission to call AWS services
- DynamoDB design: efficient data access
6.5 Safe Lambda release
Code commit
|
CodePipeline
|
CodeBuild -> tests -> packaged artifact
|
CodeDeploy
|
Lambda alias
|-- 10% -> new version
|-- 90% -> previous version
|
CloudWatch alarms -> promote or rollback
6.6 Multi-tenant access pattern
Validated token claims
|
Trusted tenantId
|
Backend authorization
|
Tenant-scoped query
|
Only allowed records returned
Never accept the tenant boundary solely from an untrusted request-body field.
6.7 Troubleshooting workflow
User symptom
|
Check metrics and alarms
|
Query structured logs by requestId / correlationId
|
Inspect X-Ray traces for cross-service latency
|
Check CloudTrail only when AWS configuration changes are suspected
|
Fix root cause and re-measure
7. Exam Traps
Trap 1: Scan with a filter expression
A filtered Scan still reads broadly before filtering. If the partition key is known, use Query. If an alternate lookup is required, consider a GSI.
Trap 2: One shared SQS queue for fanout
One queue distributes work among consumers. It does not give every consumer a copy. Use SNS plus separate SQS queues.
Trap 3: SNS when durable independent buffering is required
SNS provides fanout, but queues provide durable buffering and independent retries. Combine them.
Trap 4: Standard SQS queue with strict-order assumptions
Standard queues do not guarantee strict ordering. Use FIFO when ordered processing and deduplication requirements justify it.
Trap 5: Infinite retries
Immediate unlimited retries create retry storms. Use bounded exponential backoff with jitter and a circuit breaker for failing external services.
Trap 6: Increasing timeout as a performance fix
Timeout changes maximum execution duration; it does not optimize CPU-bound code. For Lambda, benchmark memory and inspect the root cause.
Trap 7: Putting Lambda in a public subnet for internet access
A VPC-attached Lambda function does not receive a public IP just because it uses a public subnet. Use correct private-subnet routing and outbound access.
Trap 8: Long-lived credentials in code
Reject embedded IAM access keys. Prefer roles, temporary credentials, and STS.
Trap 9: Authentication without authorization
A valid token identifies a caller. It does not prove the caller can access another tenant's data or perform every action.
Trap 10: Confusing Secrets Manager, Parameter Store, and AppConfig
- Secret with rotation: Secrets Manager
- Parameter: Parameter Store
- Controlled feature-flag rollout: AppConfig
Trap 11: Sending large plaintext payloads directly to KMS
Use envelope encryption. Encrypt payloads with a data key; use KMS to protect the data key.
Trap 12: Trusting HTTPS to solve at-rest encryption
TLS protects transit. Use at-rest encryption separately.
Trap 13: Rebuilding artifacts per environment
Build once and promote the tested artifact. Inject environment configuration externally.
Trap 14: Confusing CI/CD services
- CodePipeline orchestrates.
- CodeBuild executes build commands.
- CodeDeploy manages rollout.
Trap 15: Testing against $LATEST
Use a published Lambda version through an alias for stable integration testing.
Trap 16: Using logs when traces are required
Logs help inspect events. X-Ray reveals end-to-end request paths and segment latency.
Trap 17: Using CloudTrail for application debugging
CloudTrail records AWS API activity. Use application logs for application behavior and X-Ray for distributed tracing.
Trap 18: Adding capacity before measuring
Use metrics, logs, traces, and profiling to find the bottleneck first.
Trap 19: Logging sensitive values because logs are encrypted
Sanitize before logging. Encryption does not justify collecting unnecessary secrets or personal data.
Trap 20: Returning all tenant records and filtering in the browser
Enforce tenant scope on the trusted backend before data is returned.
How to eliminate bad options quickly
Reject answers that:
- Embed credentials
- Grant administrator access unnecessarily
- Poll a database when an event service fits
- Use Scan when Query or an index fits
- Treat SQS as exactly-once
- Treat SNS as a workflow orchestrator
- Increase timeout without investigating
- Rebuild artifacts instead of promoting immutable ones
- Depend on
$LATEST
- Expose sensitive values in logs
- Fix an application concern with an unrelated service
8. Quick Memory Rules
Messaging
- Queue = buffer work.
- Topic = fan out.
- Event bus = route events by rules.
- State machine = coordinate steps.
- Stream = process ordered high-volume records.
- At-least-once delivery = design idempotently.
- Poison message = DLQ.
- Duplicate processing before completion = inspect visibility timeout.
Lambda
- Slow CPU-bound Lambda = test more memory.
- Critical Lambda capacity = reserved concurrency.
- Private RDS + public API call = VPC private access plus outbound route.
- Async failure routing = destination or DLQ, depending on pattern.
- Reusable libraries = layer.
- Stable release target = alias to version.
DynamoDB
- Known partition key = Query.
- Unknown alternate lookup = GSI.
- Hot key = redesign or shard.
- Immediate latest read = strongly consistent read where supported.
- Auto-expiring item = TTL.
- Full-text relevance search = OpenSearch, not Scan.
Security
- Workload credential = IAM role.
- Cross-account temporary access = STS AssumeRole.
- App-user login = Cognito.
- Temporary object upload = S3 presigned URL.
- Secret with rotation = Secrets Manager.
- Feature flag rollout = AppConfig.
- Payload encryption at scale = envelope encryption.
- Transit protection = TLS.
- Tenant boundary = trusted claim + backend enforcement.
Deployment
- Orchestrate stages = CodePipeline.
- Run build commands = CodeBuild.
- Shift rollout traffic = CodeDeploy.
- Repeatable stack = SAM / CloudFormation.
- Safe promotion = immutable artifact.
- Fast environment rollback = blue/green.
- Small initial exposure = canary.
Troubleshooting
- Search application events = CloudWatch Logs Insights.
- Business threshold = custom metric + alarm.
- Cross-service latency = X-Ray.
- Indexed trace filters = annotations.
- Who changed AWS config = CloudTrail.
- Container started but not ready = readiness probe.
- Cache misses from unnecessary header variation = simplify cache key.
9. Final Revision Notes
Highest-priority services
Spend extra revision time on:
- AWS Lambda
- Amazon DynamoDB
- Amazon SQS
- Amazon SNS
- Amazon EventBridge
- Amazon API Gateway
- IAM and AWS STS
- AWS KMS
- Secrets Manager, Parameter Store, and AppConfig
- AWS SAM and CloudFormation
- CodePipeline, CodeBuild, and CodeDeploy
- CloudWatch, Logs Insights, X-Ray, and CloudTrail
Five comparison sets to master
SQS vs SNS vs EventBridge vs Step Functions vs Kinesis
Know whether the requirement is:
- buffering
- fanout
- routing
- orchestration
- streaming
IAM role vs Cognito vs STS
Know whether the caller is:
- an AWS workload
- an application user
- a cross-account principal
Secrets Manager vs Parameter Store vs AppConfig
Know whether the value is:
- a rotatable secret
- a central parameter
- a controlled runtime configuration or feature flag
CloudWatch Logs vs X-Ray vs CloudTrail
Know whether you need:
- application records
- distributed request traces
- AWS API audit events
CodePipeline vs CodeBuild vs CodeDeploy
Know whether you need:
- stage orchestration
- build execution
- deployment rollout
Rapid scenario drills
| Scenario phrase |
First answer to consider |
| “Every consumer needs its own durable retry behavior” |
SNS + separate SQS queues |
| “Route internal events by attributes” |
EventBridge rules |
| “Sequence with branches and retries” |
Step Functions |
| “Messages appear again before processing finishes” |
Visibility timeout |
| “Malformed messages repeatedly fail” |
DLQ |
| “Efficient lookup by another DynamoDB attribute” |
GSI |
| “One tenant causes DynamoDB throttling” |
Hot key redesign or sharding |
| “CPU-bound Lambda is slow” |
Benchmark increased memory |
| “Cross-account temporary access” |
STS AssumeRole |
| “Database password must rotate” |
Secrets Manager |
| “Feature flag with gradual deployment” |
AppConfig |
| “Reject bad JSON before Lambda” |
API Gateway request validation |
| “Promote tested Lambda build safely” |
Version + alias + canary deployment |
| “Which service changed configuration?” |
CloudTrail |
| “Which service adds latency?” |
X-Ray |
| “Query common error codes” |
CloudWatch Logs Insights |
| “Container should not receive traffic yet” |
Readiness probe |
Last-minute caution list
- Read whether the question asks for one answer or two or more.
- Prefer the answer that solves the stated constraint, not a broader redesign.
- Do not over-engineer a simple queue or validation scenario.
- Do not under-engineer resilience: retries require idempotency and limits.
- Treat security answers with embedded credentials as suspicious.
- Separate configuration, secret, and feature rollout concerns.
- Separate logs, metrics, traces, and audit events.
- Remember that scored performance is compensatory across domains: maximize total correct answers.
10. Exam-Day Checklist
Before starting
- Confirm whether each question is single-answer or multiple-response.
- Budget time so you can revisit flagged questions.
- Expect plausible distractors based on incomplete knowledge.
- Answer every question; unanswered questions are incorrect and guessing has no additional penalty.
For each question
- Underline the main requirement mentally.
- Identify the application layer involved.
- Match the requirement to the smallest appropriate managed feature.
- Eliminate insecure answers first.
- Eliminate answers that solve a different problem.
- Compare the final two options against the exact wording.
- Flag time-consuming questions and return later.
Final review
Before submitting, recheck questions containing:
MOST secure
least operational overhead
ordered
temporary
cross-account
before invoking the backend
near real time
without changing code
independent retries
fine-grained authorization
root cause
rollback
Official Alignment References