Cert-Pass
Log in Sign up
arrow_back Cert

AWS AWS Certified Developer – Associate DVA-C02

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

AWS Certified Developer – Associate DVA-C02

Compressed Course

AWS Certified Developer – Associate DVA-C02 Exam Course

Purpose: A compressed, start-to-finish course for the AWS Certified Developer – Associate (DVA-C02) exam.
Alignment: Built from the supplied practice bank and organized against the current AWS DVA-C02 exam guide, including guide revision 2.1 topics.
How to use this file: Learn the decision rules first, then revisit the comparison tables and exam traps during final revision.


1. Exam Overview

The AWS Certified Developer – Associate (DVA-C02) exam validates the ability to develop, secure, deploy, troubleshoot, and optimize AWS Cloud applications. It is a developer-focused exam: scenarios usually ask for the best application-level implementation choice, not a full enterprise architecture redesign.

Exam format

Item Current exam format
Exam code DVA-C02
Duration 130 minutes
Total questions 65
Scored questions 50
Unscored questions 15
Question styles Multiple choice and multiple response
Passing scaled score 720 out of 1,000

What the exam rewards

The exam favors solutions that are:

  1. Managed: use an AWS feature instead of unnecessary custom code.
  2. Loosely coupled: avoid synchronous dependencies when asynchronous processing fits.
  3. Least privilege: grant only the actions and resources required.
  4. Observable: use metrics, structured logs, traces, alarms, and health checks.
  5. Repeatable: deploy immutable artifacts and infrastructure as code.
  6. Resilient: design for retries, duplicate messages, partial failures, and rollback.
  7. Access-pattern driven: choose a data store and index design from the query pattern.

How to read exam scenarios

Before comparing answers, identify four things:

  • Primary requirement: security, latency, ordering, durability, isolation, deployment safety, or troubleshooting?
  • Scope: application code, AWS service configuration, IAM permissions, data store design, or release pipeline?
  • Constraint words: MOST secure, least operational overhead, near real time, ordered, temporary, without changing code, before invoking the backend.
  • Failure model: transient error, poison message, duplicate delivery, hot partition, missing permission, bad deployment, or downstream outage?

A correct answer usually solves the main requirement directly with the smallest appropriate AWS-native mechanism.


2. Exam Domains

Domain Weight Main focus
Domain 1: Development with AWS Services 32% Application patterns, AWS SDK use, messaging, Lambda, data stores, caching, streaming
Domain 2: Security 26% Authentication, authorization, IAM roles, KMS, encryption, secrets, masking, multi-tenancy
Domain 3: Deployment 24% Packaging, configuration, testing, IaC, CI/CD, aliases, rollout strategies, rollback
Domain 4: Troubleshooting and Optimization 18% Logs, metrics, traces, alarms, integration debugging, caching, concurrency, profiling

Blueprint task map

Domain Official task groups
Domain 1 Develop code for applications hosted on AWS; develop code for AWS Lambda; use data stores in application development
Domain 2 Implement authentication and/or authorization; implement encryption; manage sensitive data in application code
Domain 3 Prepare artifacts; test in development environments; automate deployment testing; deploy with CI/CD services
Domain 4 Assist in root cause analysis; instrument code for observability; optimize applications

Revision 2.1 topics to know

The current guide explicitly emphasizes several skills that older study notes may underweight:

  • Amazon Q Developer for development assistance and test generation
  • Amazon EventBridge event-driven patterns
  • Retry logic, circuit breakers, and error handling for third-party integrations
  • Lambda real-time processing and transformation
  • Specialized stores such as Amazon OpenSearch Service
  • Fine-grained application authorization
  • Cross-service authentication in microservices
  • Data masking and sanitization
  • Multi-tenant access patterns
  • AWS AppConfig for environment configuration
  • Testing event-driven applications
  • Structured logging
  • Health checks and readiness probes
  • Application-level caching and performance analysis

3. Start-to-Finish Study Path

Use this order because each stage supports the next one.

Stage 1: Learn the application building blocks

Focus first on:

  • Lambda configuration and invocation behavior
  • API Gateway request flow
  • SQS, SNS, EventBridge, Step Functions, and Kinesis
  • DynamoDB keys, Query vs Scan, consistency, indexes, and TTL
  • AWS SDK retries and idempotency

Checkpoint: Given a scenario, you should quickly decide whether the answer is synchronous API, queue, pub/sub fanout, event routing, orchestration, or streaming.

Stage 2: Add security to every pattern

Study:

  • IAM roles and temporary credentials
  • STS AssumeRole for cross-account access
  • Cognito and bearer-token authorization
  • KMS and envelope encryption
  • Secrets Manager, Parameter Store, and AppConfig
  • Multi-tenant authorization and log sanitization

Checkpoint: When credentials appear in an answer, reject long-lived embedded keys unless the scenario explicitly requires something unusual.

Stage 3: Make releases repeatable

Study:

  • ZIP and container-image Lambda packaging
  • AWS SAM and CloudFormation
  • API Gateway stages and Lambda aliases
  • CodePipeline, CodeBuild, and CodeDeploy roles
  • Canary, blue/green, rolling, and rollback
  • Test fixtures, mocks, event-driven tests, and immutable artifacts

Checkpoint: You should know which service orchestrates, which builds, and which deploys.

Stage 4: Operate and optimize

Study:

  • CloudWatch metrics, logs, Logs Insights, alarms, and dashboards
  • AWS X-Ray traces and annotations
  • CloudTrail for AWS API auditing
  • Correlation IDs and structured logging
  • Readiness probes
  • Cache design, hot-key analysis, and Lambda performance tuning

Checkpoint: For each incident, identify whether the first evidence source is logs, metrics, traces, CloudTrail, or deployment output.

Suggested revision cycle

Pass What to do
First pass Read Sections 4–6 slowly and make service-choice flashcards
Second pass Study Sections 7–8 and explain why each trap fails
Practice pass Answer scenario questions and mark the decision rule used
Final pass Read Sections 8–10 within 24 hours of the exam

4. Core Concepts by Domain

Domain 1: Development with AWS Services

4.1 Application architecture decisions

Synchronous vs asynchronous

Pattern Use when Strength Main risk
Synchronous request/response Caller needs an immediate response Simple client interaction Tight coupling; downstream latency propagates
Asynchronous queue Work can be processed later Durable buffering and independent scaling Must handle retries and duplicates
Pub/sub fanout Multiple independent consumers need the same event Loose coupling and independent consumers Requires delivery and filtering design
Event routing Consumers depend on event attributes Flexible routing without producer awareness Event schema and rule matching matter
Workflow orchestration Steps, branches, retries, and state must be visible Explicit control flow Can be unnecessary for a simple one-step event

Choreography vs orchestration

  • Choreography: services react to events independently. Use EventBridge, SNS, or queues where no central workflow state machine is needed.
  • Orchestration: a workflow explicitly controls sequence, branching, retries, and state. Use Step Functions.

Decision rule:
If the question says “multiple services react independently”, think events and queues.
If it says “run A, then B, branch on result, retry C”, think Step Functions.

4.2 Messaging and integration services

SQS, SNS, EventBridge, Step Functions, and Kinesis

Service Best use Important behavior Common exam trap
Amazon SQS standard queue Durable work queue, decoupling, buffering At-least-once delivery; best-effort ordering Assuming exactly-once processing
Amazon SQS FIFO queue Ordered processing with deduplication requirements Ordering within message groups Assuming a standard queue provides strict order
Amazon SNS Pub/sub fanout Pushes a message to subscribers Using one SNS topic where each worker needs durable independent buffering without queues
SNS + SQS Fanout with durable independent consumers One queue per subscriber Using one shared queue when every consumer must receive every event
Amazon EventBridge Attribute-based event routing and loosely coupled integration Rules route events to targets Using API Gateway or a database polling table for internal event routing
AWS Step Functions Stateful orchestration Branching, retries, visible execution state Using SNS or SQS as a workflow engine
Amazon Kinesis Data Streams High-volume, near-real-time ordered streams Shards, partition keys, multiple consumers Using SQS when stream processing and ordered records are required

SQS rules you must know

Visibility timeout

After a consumer receives an SQS message, the message is hidden temporarily. If processing takes longer than the visibility timeout, another consumer may receive it and process it again.

Use: Set the visibility timeout longer than normal processing time. Extend it when required.

Dead-letter queue (DLQ)

A DLQ isolates messages that repeatedly fail.

Use when: A malformed or poison message is retried repeatedly and delays useful work.

Do not confuse:

  • Visibility timeout controls how long a received message stays hidden.
  • Retention period controls how long an unprocessed message remains stored.
  • DLQ max receive count controls when repeated failures are isolated.

Long polling

Long polling reduces empty receives and unnecessary API calls. It does not solve duplicate processing or poison messages.

Idempotency

SQS and many event-driven patterns can deliver more than once. Consumers must be safe to retry.

A common pattern:

  1. Receive an event with a unique business or idempotency key.
  2. Check whether the operation has already been applied.
  3. Apply the side effect only once.
  4. Record completion atomically when possible.

Exam rule: Never assume a standard queue gives exactly-once processing.

Third-party dependency resilience

For unreliable external APIs:

  • Set timeouts.
  • Use bounded retries.
  • Apply exponential backoff with jitter.
  • Add a circuit breaker after repeated failures.
  • Handle partial failure without cascading across the application.
  • Consider asynchronous buffering when immediate completion is unnecessary.

Reject: infinite immediate retries. They amplify outages.

4.3 AWS Lambda

Lambda configuration map

Setting What it controls Exam clue
Memory Memory and proportional CPU allocation CPU-bound function is slow
Timeout Maximum invocation duration Function legitimately needs more time, after root cause review
Reserved concurrency Capacity reserved for and capped on a function Protect a critical function from a noisy neighbor
Environment variables Runtime configuration Keep non-secret settings outside code
Layers Shared libraries or dependencies Reuse compatible libraries
Extensions Integrate monitoring, security, or operational tooling Add runtime capabilities
Destinations Route async invocation outcomes Send success or failure records after retries
DLQ Store failed async event records in supported patterns Investigate failures
Trigger Source that invokes the function API, queue, event bus, stream, storage event

Lambda in a VPC

A Lambda function attached to private subnets can reach private resources such as RDS. If it also needs outbound public internet access, provide the appropriate outbound route, commonly through a NAT gateway.

Trap: Putting a Lambda function in a public subnet does not automatically give it a public IP address.

Lambda errors and event lifecycle

Invocation pattern What matters
Synchronous invocation Caller receives the response or error
Asynchronous invocation Lambda retries according to the async model; destinations can route outcomes
SQS event source mapping Queue controls redelivery behavior; visibility timeout and DLQ design matter
Stream event source Batch behavior, checkpointing, and failed-record handling matter

Lambda performance tuning

For CPU-bound Lambda workloads, test larger memory values because CPU increases with memory. Measure both duration and cost. Do not simply increase the timeout and ignore the bottleneck.

For slow Lambda functions, ask:

  1. Is the code CPU-bound?
  2. Is initialization expensive?
  3. Is a downstream call slow?
  4. Is the function waiting on network or database I/O?
  5. Is concurrency limited?
  6. Would caching reduce repeated work?

4.4 API Gateway

API Gateway commonly appears with Lambda or HTTP integrations.

Features to recognize

Requirement Feature
Reject invalid requests before backend invocation Request validation with models
Transform payload shape for a legacy backend Mapping transformations
Create test and production API environments Stages
Use environment-specific values Stage variables or managed configuration where appropriate
Validate bearer tokens Appropriate authorizer
Protect public HTTP traffic patterns AWS WAF association where supported

Trap: Do not invoke Lambda just to reject a structurally invalid request when API Gateway can validate it first.

4.5 DynamoDB and data stores

Start from the access pattern

DynamoDB design begins with questions:

  • What values do callers know at request time?
  • Which queries must be fast?
  • What item collections belong together?
  • Is ordering needed?
  • Is the partition key high-cardinality?
  • Is an alternate access pattern required?

Partition key and sort key

Key Purpose
Partition key Determines partition placement and primary access path
Sort key Groups and orders related items within a partition-key value
Composite primary key Partition key + sort key

A good partition key distributes load. A poor key concentrates requests on a small number of values.

Query vs Scan

Operation Use when Efficiency
Query You know the partition key and optionally a sort-key condition Efficient targeted access
Scan You truly need to examine the whole table Expensive and usually a distractor

Exam rule: If the scenario gives the partition key, prefer Query. A filter expression on Scan does not make the read efficient because the scan still reads items before filtering.

Secondary indexes

Index Use
Global secondary index (GSI) Alternate partition-key and optional sort-key access pattern
Local secondary index (LSI) Same partition key, alternate sort key; designed at table creation

Example: Table primary key is OrderId; application now needs efficient lookup by CustomerId. Add a GSI.

Consistency

Read model Use
Eventually consistent Default-style choice when slightly stale reads are acceptable
Strongly consistent Verification must immediately see the latest successful write, where supported

Hot partitions and write sharding

If one tenant, reseller, celebrity account, or region dominates a partition-key value, aggregate capacity may look adequate while a partition still throttles.

Remedy: Add calculated suffixes or another distribution strategy, then query shards when necessary.

TTL

Use DynamoDB TTL for records that should expire automatically, such as sessions or temporary data. Store an expiration timestamp in the configured attribute.

Caching and specialized stores

Requirement Better fit
Reduce repeated low-latency reads Amazon ElastiCache
Full-text search, filters, relevance ranking Amazon OpenSearch Service
High-volume ordered streaming Kinesis Data Streams
Key-value and document access patterns at scale DynamoDB
Relational transactions and SQL patterns Amazon RDS or Aurora, where appropriate

Trap: Do not force DynamoDB Scan into a search-engine use case.

4.6 AWS SDK use

Prefer AWS SDKs for service calls. SDKs handle details such as credentials and request signing.

For transient throttling:

  • Use exponential backoff.
  • Add jitter.
  • Limit retries.
  • Preserve idempotency.
  • Distinguish retryable from non-retryable errors.

Amazon Q Developer

Amazon Q Developer can assist with development work and generating candidate tests. It does not remove the need to review, execute, and validate generated code or tests.


Domain 2: Security

4.7 IAM roles and temporary credentials

Core rule

Prefer IAM roles and temporary credentials. Avoid embedded long-lived access keys.

Workload Preferred credential mechanism
EC2 application Instance role
Lambda function Execution role
Cross-account workload STS AssumeRole into a trusted role
AWS SDK application Default credential provider chain with role-based credentials
Human federated user Identity provider and appropriate federation flow

Least privilege

Grant:

  • Only required actions
  • Only required resources
  • Only required prefixes or conditions
  • Only required duration and trust relationships

Example: A function reads objects only under s3://reports-bucket/daily/. Allow s3:GetObject only for the needed prefix objects, not s3:* on every bucket.

Cross-account access

Typical pattern:

  1. Account B defines a role with required permissions.
  2. The role trust policy allows an approved principal from Account A.
  3. The caller in Account A has permission to call sts:AssumeRole.
  4. The workload receives temporary credentials.

Trap: Do not create permanent IAM-user keys in the destination account and copy them into the source account.

4.8 Authentication vs authorization

Concept Question answered
Authentication Who is the caller?
Authorization What is the caller allowed to do?

Cognito and bearer tokens

Use Amazon Cognito user pools for application-user sign-up, sign-in, and token issuance.

For protected APIs:

  1. Client obtains a token.
  2. API layer validates the token with an appropriate authorizer.
  3. Backend enforces fine-grained authorization where business rules require it.

Fine-grained authorization

A valid token does not automatically mean the user can perform every action.

Validate:

  • Signature
  • Expiration
  • Issuer and audience where relevant
  • Role, scope, or group claims
  • Tenant claim
  • Resource ownership
  • Requested action

Multi-tenant applications

For tenant isolation:

  • Derive tenant context from trusted identity claims.
  • Enforce tenant scoping in data access and authorization checks.
  • Prevent callers from selecting arbitrary tenant IDs without validation.
  • Do not return broad result sets to the client and rely on client-side filtering.
  • Mask sensitive fields appropriately.

Exam trap: A request-body tenant ID is not trusted just because the user is authenticated.

Cross-service authentication

Microservices should use roles and temporary credentials rather than shared permanent keys. For authenticated AWS API calls, use the AWS SDK or Signature Version 4 signing.

4.9 Encryption

At rest vs in transit

Requirement Control
Protect stored objects or records Encryption at rest
Protect traffic between systems TLS/HTTPS
Encrypt locally before sending data Client-side encryption
Let the managed service encrypt stored data Server-side encryption

Trap: Server-side encryption at rest does not replace TLS in transit.

AWS KMS

KMS commonly appears when you need:

  • Controlled key policies
  • Encryption and decryption permissions
  • Auditability
  • Key rotation
  • Cross-account key use
  • Envelope encryption

Envelope encryption

Use envelope encryption for application data:

  1. Generate or obtain a data key.
  2. Encrypt the payload locally with the plaintext data key.
  3. Protect the data key with a KMS key.
  4. Store the encrypted payload and encrypted data key.
  5. Discard the plaintext data key after use.

Why: KMS is used to protect the data key, not to encrypt arbitrarily large payloads directly.

SSE-KMS for S3

Use S3 server-side encryption with AWS KMS keys (SSE-KMS) when objects require KMS-backed control and auditability.

KMS cross-account rule

Cross-account KMS use typically requires both:

  • Permission in the KMS key policy in the owning account
  • IAM permission for the calling principal

Key rotation

Know when automatic rotation is supported for eligible customer managed symmetric KMS keys. Rotation changes backing key material without forcing applications to change the key ARN.

4.10 Secrets and configuration

Service Best fit
AWS Secrets Manager Sensitive values, database credentials, managed rotation
AWS Systems Manager Parameter Store Central parameters, including configuration values
AWS AppConfig Runtime configuration and feature flags with validation and controlled rollout
Environment variables Inject runtime configuration; protect sensitive values and avoid logging them
Hard-coded source values Usually wrong for secrets or environment-specific settings

Secrets Manager vs Parameter Store vs AppConfig

Scenario Best first choice
Database password requiring rotation Secrets Manager
Non-sensitive runtime parameter Parameter Store
Feature flag with validators and gradual rollout AppConfig
Static value that differs between staging and production Externalized configuration, not compiled code

Sanitization, masking, and classification

Sensitive data includes categories such as personally identifiable information and protected health information.

Before writing logs:

  • Redact secrets
  • Mask payment identifiers
  • Avoid full tokens
  • Avoid plaintext credentials
  • Keep only diagnostic fields needed for troubleshooting

Exam trap: Log retention and encryption do not justify writing unnecessary plaintext sensitive data.

4.11 S3 presigned URLs and WAF

S3 presigned URL

Use a presigned URL when a client needs temporary, scoped access to upload or download a specific S3 object without receiving AWS credentials.

AWS WAF

Use AWS WAF rules to inspect and block HTTP request patterns associated with common web exploits or defined malicious traffic.


Domain 3: Deployment

4.12 Deployment artifacts and dependency management

Lambda packaging options

Option Use when
ZIP package Handler and dependencies fit the ZIP workflow
Lambda layer Share compatible libraries or dependencies
Container image in Amazon ECR Container-image workflow or larger packaged application needs

A Lambda ZIP artifact must include the handler and required dependencies unless dependencies come from compatible layers or the runtime.

Immutable artifact rule

Build once, test once, promote the same artifact.

For containers, use:

  • Immutable image digests, or
  • Controlled version tags

Reject: Rebuilding an unversioned latest image separately for production.

4.13 Infrastructure as code and environment configuration

Use AWS SAM or AWS CloudFormation for repeatable deployments.

Typical pattern

  1. Define resources in a template.
  2. Parameterize values that differ by environment.
  3. Deploy stack updates instead of creating manual drift.
  4. Store runtime configuration outside compiled code.
  5. Use AppConfig where controlled runtime rollout matters.

Trap: If the environment is managed as code, do not manually create the missing queue and leave the template outdated.

4.14 API Gateway stages and Lambda aliases

API Gateway stages

Use stages for separate deployed API environments such as development, test, staging, and production.

Lambda aliases

A Lambda alias is a stable pointer to a published function version.

Use aliases to:

  • Test approved versions
  • Promote versions without changing callers
  • Support weighted routing for rollout
  • Avoid depending directly on mutable $LATEST

Trap: Automated integration tests should not target $LATEST if code can change underneath them.

4.15 Testing

Test layers

Layer Purpose
Unit tests Validate isolated logic quickly
Integration tests Validate interactions with dependencies and AWS services
End-to-end tests Validate representative full flows
Event-driven tests Validate realistic payloads, edge cases, retries, and malformed events

Mock external dependencies

Mock paid or unreliable third-party APIs for repeatable automated testing. Keep a smaller controlled set of end-to-end tests for real integrations.

Test fixtures

Create representative JSON payloads for:

  • Lambda events
  • API Gateway requests
  • EventBridge events
  • SQS messages
  • Stream records
  • Failure paths and malformed payloads

Amazon Q Developer can assist in proposing tests, but generated tests still require review and execution.

4.16 CI/CD service responsibilities

Service Primary job
AWS CodePipeline Orchestrate source, build, test, approval, and deployment stages
AWS CodeBuild Compile code, run commands and tests, produce artifacts
AWS CodeDeploy Control application deployment behavior and rollout
AWS SAM / CloudFormation Define and deploy infrastructure as code
Amazon ECR Store container images
Elastic Beanstalk Deploy versioned application bundles while AWS manages common environment tasks

Frequent exam trap

  • If the question asks who orchestrates stages, choose CodePipeline.
  • If it asks who runs build commands, choose CodeBuild.
  • If it asks who shifts application traffic or manages rollout, choose CodeDeploy where applicable.

4.17 Deployment strategies

Strategy Behavior Best use
All-at-once Replace quickly Lower-risk environments or acceptable outage risk
Rolling Replace subsets progressively Reduce simultaneous impact
Canary Send a small percentage of traffic first Validate health before full promotion
Linear Shift traffic incrementally Gradual exposure
Blue/green Run old and new environments, then switch traffic Fast rollback and environment isolation

Canary example

A new Lambda version should receive 10% of traffic initially, then all traffic only if alarms remain healthy.

Use:

  • Published Lambda version
  • Alias
  • Weighted traffic shift
  • CodeDeploy deployment configuration
  • CloudWatch alarms
  • Automatic rollback

Rollback rule

When a release clearly increases errors and a last known-good version exists, rollback first to restore service. Preserve logs and traces for later root cause analysis.


Domain 4: Troubleshooting and Optimization

4.18 Choose the right evidence source

Need First service to consider
Search application events and error details CloudWatch Logs
Aggregate and query log fields CloudWatch Logs Insights
Alert on a metric threshold CloudWatch alarm
Track a business-specific signal Custom CloudWatch metric or embedded metric format
Trace latency across services AWS X-Ray
Filter traces by indexed fields X-Ray annotations
Audit who changed AWS configuration AWS CloudTrail
Inspect a failing build command CodeBuild build logs
Debug failed event delivery Event rule, target configuration, permissions, metrics, and logs

Logging vs monitoring vs observability

Concept Meaning
Logging Record application events and state
Monitoring Track known metrics and thresholds
Observability Use logs, metrics, and traces to understand system behavior, including unexpected problems

4.19 Structured logging and correlation IDs

Emit structured JSON logs with consistent fields, for example:

{
  "timestamp": "2026-06-03T10:15:00Z",
  "level": "ERROR",
  "requestId": "req-123",
  "correlationId": "order-987",
  "tenantId": "tenant-a",
  "operation": "CreateOrder",
  "errorCode": "PAYMENT_TIMEOUT"
}

Benefits:

  • Search by errorCode
  • Group by tenant or operation
  • Trace a transaction across services
  • Build metrics from log fields
  • Avoid unreliable free-text parsing

For asynchronous flows, propagate a correlation ID through message attributes or event fields.

4.20 AWS X-Ray

Use X-Ray when the scenario asks:

  • Which downstream segment is slow?
  • Where is latency added?
  • Which service returns errors in a distributed request path?
  • How can traces be filtered by tenant tier or operation?

Use annotations for indexed trace-filter fields. Use metadata for extra context that does not require indexed filtering.

4.21 CloudTrail

Use CloudTrail for AWS API activity:

  • Who changed a Lambda configuration?
  • Which identity modified a resource?
  • When was an AWS API call made?

Do not use CloudTrail as a replacement for application logs or distributed traces.

4.22 Metrics, alarms, and health checks

Custom metrics

Emit a custom metric when the business signal exists only in application events, such as checkout failures or order-processing latency.

Alarms

Use CloudWatch alarms and SNS notifications when operations needs alerts for:

  • Error-rate thresholds
  • Quota risk
  • Deployment health
  • Latency thresholds
  • Resource utilization

Readiness probes

A readiness probe should report ready only after the service is actually able to serve traffic. This prevents traffic from reaching a container that has started but has not initialized dependencies.

4.23 Optimization patterns

Lambda optimization

  • Benchmark memory settings for CPU-bound work.
  • Measure duration and cost together.
  • Review concurrency limits.
  • Profile expensive code paths.
  • Investigate downstream latency.
  • Use caching where appropriate.

Messaging optimization

Use SNS subscription filter policies so a subscriber receives only relevant messages. Avoid delivering everything and discarding most records in consumers.

CloudFront cache key optimization

Include only request headers, cookies, and query strings that actually affect the response. Unnecessary cache-key variation lowers cache-hit ratio.

Application-level caching

Use a cache-aside strategy with ElastiCache for frequently requested, low-volatility records:

  1. Read cache.
  2. On miss, read database.
  3. Store value with suitable TTL.
  4. Return value.
  5. Invalidate or refresh appropriately when data changes.

Performance investigation rule

Do not blindly add capacity. First:

  1. Inspect metrics.
  2. Query logs.
  3. Trace cross-service latency.
  4. Profile code.
  5. Identify the bottleneck.
  6. Optimize the cause.
  7. Re-measure.

5. Service Selection Guide

Application integration

Requirement Choose Avoid as first answer
One durable worker queue SQS SNS alone
Every consumer needs its own durable copy SNS topic + one SQS queue per consumer One shared SQS queue
Attribute-based event routing EventBridge Database polling
Ordered queue processing and deduplication SQS FIFO SQS standard with assumed strict ordering
Stateful sequence, retries, and branches Step Functions SNS as workflow engine
High-throughput ordered stream Kinesis Data Streams SQS for stream analytics

Security

Requirement Choose Avoid
EC2 accesses AWS services Instance role Embedded access keys
Lambda accesses AWS services Execution role Administrator credentials
Temporary cross-account access STS AssumeRole Copied permanent IAM-user keys
Application user sign-in Cognito user pool IAM user per customer
Database secret with rotation Secrets Manager Source-code constant
Feature flag with gradual rollout AppConfig Compiled flag
KMS-backed S3 encryption SSE-KMS Base64 encoding
Temporary browser S3 upload Presigned URL Public bucket

Data

Requirement Choose Avoid
Read items by known DynamoDB partition key Query Scan with filter
Alternate DynamoDB lookup key GSI Full table Scan
Automatic DynamoDB expiration TTL Periodic full-table scan from request path
Hot-read cache ElastiCache Repeated database reads
Full-text relevance search OpenSearch Service DynamoDB Scan
SQL and relational access pattern RDS or Aurora Forcing DynamoDB into relational joins

Deployment

Requirement Choose Avoid
Orchestrate release stages CodePipeline CodeBuild only
Run compile and test commands CodeBuild CodeDeploy
Manage rollout and traffic shifting CodeDeploy where supported Manual code edits
Repeatable serverless stack SAM / CloudFormation Console-only drift
Stable Lambda target Alias to published version $LATEST
Gradual feature-flag rollout AppConfig Code release for every flag

Observability

Requirement Choose Avoid
Search log records CloudWatch Logs Insights CloudTrail
End-to-end latency path X-Ray Logs alone
AWS configuration audit CloudTrail X-Ray
Threshold notification CloudWatch alarm + SNS Manual inspection
Indexed trace filtering X-Ray annotations Unindexed metadata only
Ready-to-serve gating Readiness probe Returning healthy before initialization

6. Architecture Patterns

6.1 Durable fanout

Scenario: Billing, analytics, and notifications must independently process the same order event.

Producer
   |
   v
SNS topic
   |-------------------|-------------------|
   v                   v                   v
SQS billing queue   SQS analytics queue  SQS notification queue
   |                   |                   |
Billing worker      Analytics worker     Notification worker

Why it works:

  • Every consumer receives a copy.
  • Each queue buffers independently.
  • Each consumer retries independently.
  • A slow consumer does not block others.

Wrong design: One shared SQS queue. That load-balances messages between workers instead of delivering every event to every consumer.

6.2 EventBridge routing

Scenario: Producers publish business events. Consumers subscribe only to matching event types or attributes.

Producer -> EventBridge event bus -> Rule: order.created -> Fulfillment
                                  -> Rule: region=EU     -> Compliance
                                  -> Rule: highValue     -> Review workflow

Use EventBridge when the question emphasizes event-bus rules, attribute-based routing, loosely coupled consumers, or producers that should not know their subscribers.

6.3 Idempotent queue consumer

SQS message -> Read idempotency key -> Check persistence store
            -> If already completed: acknowledge safely
            -> If new: apply side effect + record completion

Use this for payments, order creation, provisioning, and any side effect that must not happen twice.

6.4 Serverless API with validation and authorization

Client
  |
HTTPS
  |
API Gateway
  |-- Validate request model
  |-- Validate token with authorizer
  |
Lambda
  |-- Enforce business authorization
  |-- Use execution role
  |
DynamoDB / downstream services

Key lesson: Different layers enforce different responsibilities.

  • API Gateway: structural validation and token validation
  • Lambda: business authorization and tenant rules
  • IAM role: permission to call AWS services
  • DynamoDB design: efficient data access

6.5 Safe Lambda release

Code commit
   |
CodePipeline
   |
CodeBuild -> tests -> packaged artifact
   |
CodeDeploy
   |
Lambda alias
   |-- 10% -> new version
   |-- 90% -> previous version
   |
CloudWatch alarms -> promote or rollback

6.6 Multi-tenant access pattern

Validated token claims
   |
Trusted tenantId
   |
Backend authorization
   |
Tenant-scoped query
   |
Only allowed records returned

Never accept the tenant boundary solely from an untrusted request-body field.

6.7 Troubleshooting workflow

User symptom
   |
Check metrics and alarms
   |
Query structured logs by requestId / correlationId
   |
Inspect X-Ray traces for cross-service latency
   |
Check CloudTrail only when AWS configuration changes are suspected
   |
Fix root cause and re-measure

7. Exam Traps

Trap 1: Scan with a filter expression

A filtered Scan still reads broadly before filtering. If the partition key is known, use Query. If an alternate lookup is required, consider a GSI.

Trap 2: One shared SQS queue for fanout

One queue distributes work among consumers. It does not give every consumer a copy. Use SNS plus separate SQS queues.

Trap 3: SNS when durable independent buffering is required

SNS provides fanout, but queues provide durable buffering and independent retries. Combine them.

Trap 4: Standard SQS queue with strict-order assumptions

Standard queues do not guarantee strict ordering. Use FIFO when ordered processing and deduplication requirements justify it.

Trap 5: Infinite retries

Immediate unlimited retries create retry storms. Use bounded exponential backoff with jitter and a circuit breaker for failing external services.

Trap 6: Increasing timeout as a performance fix

Timeout changes maximum execution duration; it does not optimize CPU-bound code. For Lambda, benchmark memory and inspect the root cause.

Trap 7: Putting Lambda in a public subnet for internet access

A VPC-attached Lambda function does not receive a public IP just because it uses a public subnet. Use correct private-subnet routing and outbound access.

Trap 8: Long-lived credentials in code

Reject embedded IAM access keys. Prefer roles, temporary credentials, and STS.

Trap 9: Authentication without authorization

A valid token identifies a caller. It does not prove the caller can access another tenant's data or perform every action.

Trap 10: Confusing Secrets Manager, Parameter Store, and AppConfig

  • Secret with rotation: Secrets Manager
  • Parameter: Parameter Store
  • Controlled feature-flag rollout: AppConfig

Trap 11: Sending large plaintext payloads directly to KMS

Use envelope encryption. Encrypt payloads with a data key; use KMS to protect the data key.

Trap 12: Trusting HTTPS to solve at-rest encryption

TLS protects transit. Use at-rest encryption separately.

Trap 13: Rebuilding artifacts per environment

Build once and promote the tested artifact. Inject environment configuration externally.

Trap 14: Confusing CI/CD services

  • CodePipeline orchestrates.
  • CodeBuild executes build commands.
  • CodeDeploy manages rollout.

Trap 15: Testing against $LATEST

Use a published Lambda version through an alias for stable integration testing.

Trap 16: Using logs when traces are required

Logs help inspect events. X-Ray reveals end-to-end request paths and segment latency.

Trap 17: Using CloudTrail for application debugging

CloudTrail records AWS API activity. Use application logs for application behavior and X-Ray for distributed tracing.

Trap 18: Adding capacity before measuring

Use metrics, logs, traces, and profiling to find the bottleneck first.

Trap 19: Logging sensitive values because logs are encrypted

Sanitize before logging. Encryption does not justify collecting unnecessary secrets or personal data.

Trap 20: Returning all tenant records and filtering in the browser

Enforce tenant scope on the trusted backend before data is returned.

How to eliminate bad options quickly

Reject answers that:

  • Embed credentials
  • Grant administrator access unnecessarily
  • Poll a database when an event service fits
  • Use Scan when Query or an index fits
  • Treat SQS as exactly-once
  • Treat SNS as a workflow orchestrator
  • Increase timeout without investigating
  • Rebuild artifacts instead of promoting immutable ones
  • Depend on $LATEST
  • Expose sensitive values in logs
  • Fix an application concern with an unrelated service

8. Quick Memory Rules

Messaging

  • Queue = buffer work.
  • Topic = fan out.
  • Event bus = route events by rules.
  • State machine = coordinate steps.
  • Stream = process ordered high-volume records.
  • At-least-once delivery = design idempotently.
  • Poison message = DLQ.
  • Duplicate processing before completion = inspect visibility timeout.

Lambda

  • Slow CPU-bound Lambda = test more memory.
  • Critical Lambda capacity = reserved concurrency.
  • Private RDS + public API call = VPC private access plus outbound route.
  • Async failure routing = destination or DLQ, depending on pattern.
  • Reusable libraries = layer.
  • Stable release target = alias to version.

DynamoDB

  • Known partition key = Query.
  • Unknown alternate lookup = GSI.
  • Hot key = redesign or shard.
  • Immediate latest read = strongly consistent read where supported.
  • Auto-expiring item = TTL.
  • Full-text relevance search = OpenSearch, not Scan.

Security

  • Workload credential = IAM role.
  • Cross-account temporary access = STS AssumeRole.
  • App-user login = Cognito.
  • Temporary object upload = S3 presigned URL.
  • Secret with rotation = Secrets Manager.
  • Feature flag rollout = AppConfig.
  • Payload encryption at scale = envelope encryption.
  • Transit protection = TLS.
  • Tenant boundary = trusted claim + backend enforcement.

Deployment

  • Orchestrate stages = CodePipeline.
  • Run build commands = CodeBuild.
  • Shift rollout traffic = CodeDeploy.
  • Repeatable stack = SAM / CloudFormation.
  • Safe promotion = immutable artifact.
  • Fast environment rollback = blue/green.
  • Small initial exposure = canary.

Troubleshooting

  • Search application events = CloudWatch Logs Insights.
  • Business threshold = custom metric + alarm.
  • Cross-service latency = X-Ray.
  • Indexed trace filters = annotations.
  • Who changed AWS config = CloudTrail.
  • Container started but not ready = readiness probe.
  • Cache misses from unnecessary header variation = simplify cache key.

9. Final Revision Notes

Highest-priority services

Spend extra revision time on:

  1. AWS Lambda
  2. Amazon DynamoDB
  3. Amazon SQS
  4. Amazon SNS
  5. Amazon EventBridge
  6. Amazon API Gateway
  7. IAM and AWS STS
  8. AWS KMS
  9. Secrets Manager, Parameter Store, and AppConfig
  10. AWS SAM and CloudFormation
  11. CodePipeline, CodeBuild, and CodeDeploy
  12. CloudWatch, Logs Insights, X-Ray, and CloudTrail

Five comparison sets to master

SQS vs SNS vs EventBridge vs Step Functions vs Kinesis

Know whether the requirement is:

  • buffering
  • fanout
  • routing
  • orchestration
  • streaming

IAM role vs Cognito vs STS

Know whether the caller is:

  • an AWS workload
  • an application user
  • a cross-account principal

Secrets Manager vs Parameter Store vs AppConfig

Know whether the value is:

  • a rotatable secret
  • a central parameter
  • a controlled runtime configuration or feature flag

CloudWatch Logs vs X-Ray vs CloudTrail

Know whether you need:

  • application records
  • distributed request traces
  • AWS API audit events

CodePipeline vs CodeBuild vs CodeDeploy

Know whether you need:

  • stage orchestration
  • build execution
  • deployment rollout

Rapid scenario drills

Scenario phrase First answer to consider
“Every consumer needs its own durable retry behavior” SNS + separate SQS queues
“Route internal events by attributes” EventBridge rules
“Sequence with branches and retries” Step Functions
“Messages appear again before processing finishes” Visibility timeout
“Malformed messages repeatedly fail” DLQ
“Efficient lookup by another DynamoDB attribute” GSI
“One tenant causes DynamoDB throttling” Hot key redesign or sharding
“CPU-bound Lambda is slow” Benchmark increased memory
“Cross-account temporary access” STS AssumeRole
“Database password must rotate” Secrets Manager
“Feature flag with gradual deployment” AppConfig
“Reject bad JSON before Lambda” API Gateway request validation
“Promote tested Lambda build safely” Version + alias + canary deployment
“Which service changed configuration?” CloudTrail
“Which service adds latency?” X-Ray
“Query common error codes” CloudWatch Logs Insights
“Container should not receive traffic yet” Readiness probe

Last-minute caution list

  • Read whether the question asks for one answer or two or more.
  • Prefer the answer that solves the stated constraint, not a broader redesign.
  • Do not over-engineer a simple queue or validation scenario.
  • Do not under-engineer resilience: retries require idempotency and limits.
  • Treat security answers with embedded credentials as suspicious.
  • Separate configuration, secret, and feature rollout concerns.
  • Separate logs, metrics, traces, and audit events.
  • Remember that scored performance is compensatory across domains: maximize total correct answers.

10. Exam-Day Checklist

Before starting

  • Confirm whether each question is single-answer or multiple-response.
  • Budget time so you can revisit flagged questions.
  • Expect plausible distractors based on incomplete knowledge.
  • Answer every question; unanswered questions are incorrect and guessing has no additional penalty.

For each question

  1. Underline the main requirement mentally.
  2. Identify the application layer involved.
  3. Match the requirement to the smallest appropriate managed feature.
  4. Eliminate insecure answers first.
  5. Eliminate answers that solve a different problem.
  6. Compare the final two options against the exact wording.
  7. Flag time-consuming questions and return later.

Final review

Before submitting, recheck questions containing:

  • MOST secure
  • least operational overhead
  • ordered
  • temporary
  • cross-account
  • before invoking the backend
  • near real time
  • without changing code
  • independent retries
  • fine-grained authorization
  • root cause
  • rollback

Official Alignment References

lock_open

Unlock the full course

All 41 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1005 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 15 72 questions/day Finish by Jul 29, 2026
Question 1 of 1040
Content Domain 1: Development with AWS Services · 32%

The team is reducing operational risk in a mobile backend deployed to eu-west-1. Multiple consumers must react to the same business event, and producers must not know which consumers exist. Rules need to route events by attributes. Which solution is MOST appropriate?

0 correct
0 wrong
1040 left
0% done