AWS Developer Associate (DVA-C02) — Comprehensive Study Guide

Compiled from 6 practice exam sets — Concepts extracted from both correct and incorrect answers Goal: Understand the why behind every answer, not memorize Q&A pairs.

1. AWS Compute Services

1.1 AWS Lambda

Key Concepts

Concurrency & Scaling

Concurrent executions formula: concurrent executions = (invocations/sec) × (avg duration in sec)
- Example: 50 req/s × 100s = 5,000 concurrent executions
Default account-level limit: 1,000 concurrent executions (soft limit, can be increased via AWS Support)
Reserved concurrency: Deducted from the unreserved pool; guarantees capacity for a specific function. AWS keeps a minimum of 100 unreserved for other functions.
- Example: Account limit = 2,000, Function A = 400, Function B = 200 → 1,400 remaining shared among other functions; max you can reserve on a single additional function = 1,300 (to keep 100 unreserved).
Provisioned concurrency: Pre-initializes execution environments to eliminate cold starts.
Throttling: Occurs when concurrency limit is exceeded → returns throttling error (429). Solutions:
1. Configure reserved concurrency
2. Use exponential backoff in your application
3. Configure dead-letter queues (DLQ) for async invocations
4. Request a service quota increase

Memory & CPU

Memory range: 128 MB – 10 GB (proportionally scales CPU)
1,769 MB ≈ 1 vCPU
To improve performance of compute-heavy tasks → increase memory allocation (this is the ONLY way to increase CPU; you cannot configure CPU directly)
Timeout: max 15 minutes (900 seconds)

Invocation Types

RequestResponse (default): Synchronous — blocks until response
Event: Asynchronous — returns immediately, Lambda retries on failure (2 retries)
DryRun: Validates parameters and permissions without executing
The deprecated InvokeAsync API is NOT the same as InvocationType: Event

Dead Letter Queues (DLQ)

For asynchronous invocations that fail after retries
Targets: SQS queue or SNS topic
Configured via DeadLetterConfig parameter

Execution Context

Temporary runtime environment reused across invocations
Database connections initialized outside the handler persist across warm invocations
/tmp directory: Ephemeral storage (512 MB free, up to 10,240 MB), persists in same execution context — use for caching files, unzipping archives

Lambda Layers

Extracted to /opt directory
Max 5 layers per function
Total unzipped size (function + layers) ≤ 250 MB
Use layers for shared dependencies to keep deployment packages small

Lambda & VPC

Lambda runs outside VPC by default
Connect to VPC only when you need to access private resources (e.g., RDS in a private subnet)
When connected to VPC, Lambda creates ENIs (Elastic Network Interfaces), NOT Elastic IPs
Don’t put Lambda in a VPC unless necessary — adds cold start latency

Deployment with CloudFormation

ZipFile parameter (under AWS::Lambda::Function → Code): Inline source code for Node.js and Python only
- CloudFormation auto-zips it into a file named index
- Accepts source code, NOT a zip file path
S3 changes are NOT auto-detected on stack update → change object key or version
CodeUri is for AWS::Serverless::Function (SAM), not AWS::Lambda::Function

Custom Runtimes

For unsupported languages (C++, Rust, etc.): Create a custom runtime with an executable named bootstrap
Package as a Lambda Layer and attach to the function

Lambda Context Object

Provides log_stream_name — gives the CloudWatch log location of the function instance
Provides aws_request_id — unique request ID
The log stream name is from the Context object, NOT the Event object

Execution Role

IAM role granting Lambda permissions to access AWS services
AWSLambdaBasicExecutionRole: Provides logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents
AWSLambdaDynamoDBExecutionRole: Provides DynamoDB Streams permissions
If Lambda gets AccessDeniedException calling another service → fix the execution role, not the developer’s IAM role or resource-based policies

CloudWatch Metrics

ConcurrentExecutions: Number of simultaneous instances running — proxy for throughput
Use for monitoring SLA compliance

Common Pitfalls

❌ Confusing timeout errors with throttling errors (timeout = function runs too long; throttling = too many concurrent invocations)
❌ Thinking you can set concurrency to false — it’s a number, not a boolean (set to 0 to throttle all invocations)
❌ Installing X-Ray daemon on Lambda — just enable the checkbox; daemon installation is for EC2/ECS/Beanstalk
❌ Using InvokeAsync API instead of Invoke with InvocationType: Event
❌ Thinking Lambda creates Elastic IPs when connected to VPC (it creates ENIs)
❌ Deploying Lambda in VPC to fix throttling issues (irrelevant)

1.2 Amazon ECS (Elastic Container Service)

Key Concepts

Task Definitions

Required to run Docker containers — specifies Docker image, CPU/memory, port mappings, volumes, IAM roles, networking mode
Port mappings are configured in the task definition (not on container instances directly)
Can define multiple containers in a single task definition (e.g., app + sidecar)

Task Placement Strategies

Strategy	Behavior	Best For
binpack	Places tasks on fewest instances (least available CPU/memory)	Cost optimization — minimizes instance count
spread	Distributes tasks evenly by specified attribute	High availability — e.g., `attribute:ecs.availability-zone`
random	Random placement, still respects constraints	Least configuration needed; honors resource requirements

Default for CreateService: spread across AZs
Default for RunTask: random
spread by attribute:ecs.availability-zone: Balances across AZs (HA)
spread by instanceId: Distributes across instances (NOT AZs)

Task Placement Constraints

distinctInstance: Each task on a different instance
memberOf: Attribute-based expressions

Launch Types

EC2 launch type: You manage the underlying EC2 instances
Fargate: Serverless — AWS manages infrastructure
- Use IAM Roles per task for different permissions (not container instance roles)

Task Roles vs Execution Roles

Task role: IAM role the task itself uses to call AWS APIs (e.g., accessing S3, DynamoDB)
Execution role: IAM role ECS uses to pull images, push logs

X-Ray Integration on ECS

Deploy X-Ray daemon as a sidecar container in the task definition
Map UDP port 2000 (not TCP)
NOT configured via container agent or user-data script

Container Instance Lifecycle

Terminating an instance in RUNNING state → automatically deregistered from cluster
Terminating in STOPPED state → NOT automatically deregistered; must manually deregister via ECS Console

Multi-Container Docker (Elastic Beanstalk)

Configure containers in Dockerrun.aws.json file (placed at the root level, not in .ebextensions)

Common Pitfalls

❌ Using random when binpack is needed for cost optimization
❌ Confusing spread by instanceId (per instance) vs spread by attribute:ecs.availability-zone (per AZ)
❌ Using TCP port 2000 for X-Ray daemon (must be UDP)
❌ Mixing up task roles and execution roles

1.3 AWS Step Functions

Key Concepts

Coordinates multiple AWS services into serverless state machine workflows
Uses Amazon States Language (JSON-based) to define states
State types: Task, Choice, Wait, Succeed, Fail, Parallel, Map

Input/Output Processing

Field	Purpose
InputPath	Filters raw input to select what goes into the state
Parameters	Manipulates input further, adds static values
ResultPath	Controls how state result combines with input for output — the only one that can combine input + result
OutputPath	Filters the state output for the next state

Error Handling

Retry field: Built-in retry with configurable MaxAttempts, IntervalSeconds, BackoffRate, and target error types
- Use to handle Lambda timeouts: specify timeout error type as retry trigger
Catch field: Routes failed executions to a fallback state
- Contains ErrorEquals, Next, and ResultPath

Use Case: When Lambda functions invoke each other creating complex chains → refactor into Step Functions with individual Task states

Common Pitfalls

❌ Confusing TimeoutSeconds (max execution time for a state) with retry configuration
❌ Using a Fail state for retries (Fail is terminal — no retries)
❌ Choosing OutputPath when the question asks for combining input + result (use ResultPath)

2. AWS Storage Services

2.1 Amazon S3

Key Concepts

Server-Side Encryption

Type	Header	Key Management
SSE-S3	`x-amz-server-side-encryption: AES256`	AWS manages keys
SSE-KMS	`x-amz-server-side-encryption: aws:kms`	AWS KMS manages keys
SSE-KMS (specific key)	+ `x-amz-server-side-encryption-aws-kms-key-id`	Optional; if omitted, uses default KMS key
SSE-C	`x-amz-server-side-encryption-customer-algorithm: AES256` + `customer-key` + `customer-key-MD5`	Customer provides keys

To enforce SSE-KMS: Deny s3:PutObject unless x-amz-server-side-encryption-aws-kms-key-id header is present
To enforce any SSE: Deny s3:PutObject unless x-amz-server-side-encryption header is present
Note: The action is s3:PutObject, NOT s3:PostObject

KMS Throttling with S3

SSE-KMS calls GenerateDataKey (upload) or Decrypt (download) per object
High-volume uploads (100k+ objects/sec) can exceed KMS API quota (5,500–30,000/sec per region)
This is the most likely cause of performance degradation after enabling SSE-KMS

Bucket Policies & Least Privilege

Separate statements per role for granular control
Use specific actions (s3:GetObject) instead of wildcards (s3:*)
Restrict resources to specific prefixes (e.g., arn:aws:s3:::bucket/qa/*)

Cross-Region Replication (CRR)

Requirements: Versioning enabled on both source and destination buckets, different regions, proper IAM permissions
If CRR fails → most likely versioning is not enabled

S3 Transfer Acceleration

Uses CloudFront edge locations for faster long-distance uploads
Useful for global users uploading to a centralized bucket

CORS (Cross-Origin Resource Sharing)

Required when JavaScript from one domain accesses S3 via website endpoint
Configured on the S3 bucket with AllowedOrigin, AllowedMethod, AllowedHeader
MaxAgeSeconds: Cache duration for preflight OPTIONS request
ExposeHeader: Headers accessible from client applications (not constraints on requests)
NOT the same as authorization — CORS doesn’t grant permissions

S3 Event Notifications

Trigger Lambda, SQS, SNS, or EventBridge on events like ObjectCreated:Put
Use for automatic processing (e.g., watermarking images on upload)

S3 Object Lambda

Transform objects on retrieval (e.g., redact PII) — each role gets its own Object Lambda Access Point
Uses GetObject API to retrieve transformed data
Maintains a single copy of data

Storage Classes

S3 Glacier Deep Archive: Lowest cost (~$0.00099/GB-month), for long-term archival accessed 1-2 times/year

CloudFront + S3

Viewer Protocol Policy: HTTPS Only or Redirect HTTP to HTTPS for secure communication
Update cached objects: Use versioned file names (cost-free) instead of invalidation (paid)
Signed URLs/Cookies for restricting unauthorized access
CloudFront Functions: Lightweight edge functions for geo-redirection using CloudFront-Viewer-Country header
CloudFront does NOT have a default SSL certificate on ALB

Common Pitfalls

❌ Confusing SSE-S3 headers with SSE-C headers
❌ Using s3:PostObject instead of s3:PutObject
❌ Forgetting the optional x-amz-server-side-encryption-aws-kms-key-id header when using default KMS key
❌ Using self-signed certificates with CloudFront origins
❌ Thinking S3 Transfer Acceleration and CORS affect CRR

2.2 Amazon DynamoDB

Key Concepts

Capacity Units

Unit	Definition
1 RCU	1 strongly consistent read/sec for items ≤ 4 KB OR 2 eventually consistent reads/sec
1 WCU	1 write/sec for items ≤ 1 KB
Transactional	2× the cost (2 RCU for transactional read, 2 WCU for transactional write)

RCU Calculation Example:

Item size: 3.5 KB → rounds up to 4 KB
150 eventually consistent reads/sec
RCU = 150 × (4 KB / 8 KB) = 75 RCU
- Divide by 8 for eventually consistent; by 4 for strongly consistent; by 2 for transactional

Partition Key Design

Choose high-cardinality unique attributes (GUID, email, customer_id)
Avoid low-cardinality keys (department_id, status) — causes hot partitions
Hot partitions → throttling even if overall capacity isn’t exceeded

Query vs Scan

Query: Efficient — uses partition key; returns items matching key condition
Scan: Reads entire table — expensive, slow; avoid on large tables
Always prefer Query when you know the partition key
Reduce page size (Limit parameter) to minimize impact of scans

Secondary Indexes

Feature	LSI (Local)	GSI (Global)
Keys	Same partition key, different sort key	Different partition AND sort key
Creation	At table creation only	Anytime
Capacity	Shares table’s capacity	Has own provisioned capacity
Consistency	Eventual or strong	Eventual only
Max per table	5	20 (default)
Size limit	10 GB per partition key value	None

GSI writes consume additional WCU — set GSI WCU ≥ base table WCU to avoid throttling
ProvisionedThroughputExceededException on GSI → GSI write capacity < base table write capacity

DynamoDB Streams

Captures item-level changes with 24-hour retention
StreamViewType: NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES, KEYS_ONLY
Lambda polls streams synchronously → use AWSLambdaDynamoDBExecutionRole
Create event source mapping in Lambda to process stream records
If Lambda consumer runs less frequently than 24 hours → data loss (stream data expires)

TTL (Time To Live)

Automatically deletes expired items — no extra cost, no throughput consumed
Perfect for session data, temporary records
Set a timestamp attribute on items

Conditional Writes

Succeed only if item attributes meet conditions
Use for concurrent modifications to prevent overwrites
Example: --condition-expression "Price = :currval"

Optimistic Locking

Add version attribute (@DynamoDBVersionAttribute)
SDK auto-checks version on write → prevents stale data overwrites

Transactions

TransactWriteItems: Up to 25 write actions in single all-or-nothing operation (Put, Update, Delete, ConditionCheck)
TransactGetItems: Up to 25 read actions atomically
BatchWriteItem is NOT atomic — some can succeed while others fail; does NOT support UpdateItem

Error Handling

ProvisionedThroughputExceededException → use error retries with exponential backoff
BatchGetItem with UnprocessedKeys → retry with exponential backoff (or use AWS SDK which handles this automatically)

DynamoDB Accelerator (DAX)

Fully managed in-memory cache for DynamoDB
Sub-millisecond reads for eventually consistent data
Adds cost — only use when caching benefits outweigh costs

ReturnConsumedCapacity

TOTAL: Total capacity consumed
INDEXES: Total + subtotals per index
NONE: Default

Fine-Grained Access Control

dynamodb:LeadingKeys: Restrict access to items by partition key value (e.g., user can only access their own data)
dynamodb:Attributes: Restrict access to specific attributes

Common Pitfalls

❌ Using Scan instead of Query for known partition keys
❌ Forgetting that GSI writes consume additional WCU → causes throttling
❌ Creating LSI on existing table (only at creation time)
❌ Processing DynamoDB Streams less frequently than 24 hours (data loss)
❌ Using DAX when exponential backoff + better key design solves the problem (unnecessary cost)
❌ Using BatchWriteItem when atomic transactions are needed (use TransactWriteItems)

3. AWS API & Integration Services

3.1 Amazon API Gateway

Key Concepts

Integration Types

Type	Behavior	Use Case
Lambda Proxy	Passes raw request to Lambda; expects specific JSON response format	Simple setup, most common
Lambda Custom	Full control over request/response mappings	When you need data transformations
HTTP Proxy	Passes request directly to HTTP backend	Simple passthrough
HTTP Custom	Configurable request/response mappings to HTTP backend	Complex backend integrations

Lambda Proxy Integration Requirements

Lambda must return this JSON format:

{
  "isBase64Encoded": true|false,
  "statusCode": httpStatusCode,
  "headers": { "headerName": "headerValue" },
  "body": "..."
}

Returning XML/other formats → 502 Bad Gateway
Timeout → 504 Gateway Timeout

Authentication Methods

Method	Use Case
AWS_IAM	IAM users/roles (cross-account via resource policy)
Lambda Authorizer (TOKEN)	Bearer tokens (OAuth, JWT, SAML)
Lambda Authorizer (REQUEST)	Headers + query strings + stage variables
Cognito User Pools	Cognito-managed user authentication

For cross-account IAM access: Set AWS_IAM auth + attach resource policy with execute-api:Invoke
API Keys are for identification, NOT authorization

Caching

Default TTL: 300 seconds, max 3600, TTL=0 disables caching
Cache invalidation: Send Cache-Control: max-age=0 header (requires execute-api:InvalidateCache permission)
CacheHitCount/CacheMissCount metrics only appear when caching is enabled

Stages & Stage Variables

Use different stages (Prod, Beta) to test new Lambda versions
Stage variables reference different Lambda aliases/versions
Create a Beta stage + stage variable → internal testing without impacting Prod

Endpoints

All API Gateway endpoints are HTTPS only (no HTTP support)
Format: https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/
Integration timeout: 29 seconds

CORS

Enable CORS in API Gateway console for Lambda custom (non-proxy) integrations
For Lambda proxy integrations, CORS headers must be returned from the Lambda function itself

Import/Export

Import Swagger/OpenAPI v2.0 or v3.0 definitions directly via Console, CLI, or SDK
Easiest migration path for existing REST APIs

Method Request

Enforce required query parameters (e.g., courseType) in Method Request, not Integration Request

Common Pitfalls

❌ Confusing 502 (bad response format) with 504 (timeout)
❌ Using Lambda authorizer when IAM auth suffices (unnecessary complexity)
❌ Forgetting that API Keys don’t grant permissions to IAM roles
❌ Using Cache-Control: no-cache instead of max-age=0 for API Gateway cache invalidation
❌ Trying to use HTTP (not HTTPS) — Connection refused error

3.2 Amazon SQS

Key Concepts

Standard vs FIFO

Feature	Standard	FIFO
Throughput	Nearly unlimited	300 TPS (3,000 with batching)
Ordering	Best-effort	Guaranteed FIFO
Delivery	At-least-once (possible duplicates)	Exactly-once
Deduplication	Not supported	Content-based or Message Deduplication ID

Visibility Timeout

After a message is received, it becomes invisible for the timeout duration (default 30s, max 12h)
If consumer doesn’t delete before timeout → message reappears → duplicate processing
Set visibility timeout ≥ max processing time to prevent duplicates

Dead-Letter Queues (DLQ)

Collects messages that fail processing after configured number of retries
Prevents infinite retry loops
Use for failure analysis and reprocessing

Deduplication (FIFO)

Content-based deduplication: SHA-256 hash of message body
Message Deduplication ID: Explicit token; 5-minute deduplication interval
Standard queues don’t support deduplication — switch to FIFO for exactly-once

Delay Queues

Postpone delivery of NEW messages (hidden when first added)
Different from visibility timeout (hidden after consumed)

Long Polling vs Short Polling

Long polling: ReceiveMessageWaitTime > 0 → reduces empty responses, saves costs
Short polling: WaitTimeSeconds = 0 → queries subset of servers

SQS + Lambda Integration

Lambda polls SQS via event source mapping
Configure batch size, batch window
Failed messages → DLQ on the SQS queue
For partial batch failures: use partial batch responses

Common Pitfalls

❌ Using Standard queue when exactly-once processing is needed (use FIFO)
❌ Confusing delay queues with visibility timeout
❌ Setting Message Deduplication ID on Standard queues (only works on FIFO)
❌ FIFO queues have lower throughput — not suitable for all high-volume scenarios

3.3 Amazon SNS

Pub/sub messaging: publishers → topics → subscribers
Protocols: HTTP/S, Email, SQS, Lambda, SMS
Fan-out pattern: SNS → multiple SQS queues for parallel processing
Use SNS + SQS for decoupling microservices

3.4 Amazon Kinesis Data Streams

Key Concepts

Resharding

Action	Effect	When to Use
Split shard	Increases capacity (and cost)	Hot shards (high data rate)
Merge shards	Decreases capacity (and cost)	Cold shards (underutilized)

Data is re-routed to child shards (not lost)
Default retention: 24 hours (max 365 days)
If consumer runs less frequently than retention → data loss

Writing Records

PutRecord: Single record, supports SequenceNumberForOrdering for strict ordering
PutRecords: Batch (does NOT guarantee order)
For deduplication: Embed primary key within the record

Kinesis vs DynamoDB Streams

DynamoDB Streams: Item-level changes with 24h retention; best consumed via Lambda
Kinesis: General-purpose high-throughput streaming; use for IoT, real-time analytics

Common Pitfalls

❌ Merging hot shards (should split them)
❌ Splitting cold shards (should merge them)
❌ Using PutRecords when strict ordering is needed (use PutRecord)
❌ Not increasing retention when consumers process data infrequently

3.5 Amazon EventBridge

Serverless event bus for event-driven architectures
Receives events from AWS services, SaaS apps, custom applications
Rules route events to targets (Lambda, SQS, SNS, Step Functions)
CodePipeline integration: Monitor pipeline state changes via EventBridge rules
CodeArtifact integration: Detect new package versions → trigger CodePipeline builds
SSM Parameter Store: NoChangeNotification and ExpirationNotification policies emit EventBridge events

4. AWS Security & Identity

4.1 IAM (Identity and Access Management)

Key Concepts

Roles vs Policies vs Users vs Groups

IAM User: Long-term credentials (access keys)
IAM Role: Temporary credentials, assumed by services/users
IAM Policy: JSON document defining permissions (allow/deny)
IAM Group: Collection of users sharing policies

EC2 Instance Access

Best practice: IAM Role (instance profile) → temporary, auto-rotating credentials
NEVER store access keys on instances or in code
Instance profile = container for IAM role attached to EC2

CLI Profiles

Create a named profile in ~/.aws/config for different roles
Switch with --profile profile-name
Instance profiles ≠ CLI profiles

Policy Evaluation Logic

Explicit Deny always wins > Allow > Implicit Deny
Principle of least privilege: Grant only required permissions

Cross-Account Access

Use AssumeRole (most efficient)
API Gateway: AWS_IAM auth + resource policy for cross-account

STS APIs

API	Use Case
`AssumeRole`	Cross-account access, role switching
`AssumeRoleWithWebIdentity`	Federated users via OIDC (Facebook, Google)
`AssumeRoleWithSAML`	Federated users via SAML 2.0
`GetSessionToken`	MFA-protected programmatic calls
`GetFederationToken`	Proxy apps getting temp credentials for distributed apps
`DecodeAuthorizationMessage`	Decode `UnauthorizedOperation` error messages

Custom Identity Broker

Required when identity store is not SAML-compatible
Broker authenticates users → calls STS (AssumeRole or GetFederationToken) → provides temp credentials

CLI Dry-Run

--dry-run parameter: Checks permissions without making the actual request
Returns DryRunOperation if authorized, UnauthorizedOperation if not

IAM Identity Center (AWS SSO)

Temporary credentials expire → re-authenticate to get new ones
Access Denied after weeks → most likely expired temporary credentials

IAM Policy Simulator

Test policies before applying them — safest way to validate permissions

Common Pitfalls

❌ Confusing service-linked roles with custom service roles
❌ Storing access keys on EC2 instead of using instance profiles
❌ Using root user for daily tasks (delete root access keys)
❌ Confusing instance profiles (IAM) with CLI profiles (AWS CLI config)
❌ Not refreshing SSO temporary credentials → Access Denied errors

4.2 Amazon Cognito

Key Concepts

User Pools vs Identity Pools

Feature	User Pools	Identity Pools (Federated Identities)
Purpose	User directory (sign-up/sign-in)	Temporary AWS credentials
Authentication	Username/password, social IdPs	Federated (Amazon, Facebook, Google, SAML, OIDC)
Guest Access	❌	✅ Unauthenticated identities
AWS Service Access	❌ (tokens only)	✅ (temporary credentials)

For social login + guest access + S3 uploads → Identity Pool with unauthenticated identities enabled
Cognito ID: Returned after authentication, used to get temporary AWS credentials
Cognito Sync: Cross-device syncing of user data (key-value pairs, max 1MB per dataset, 20 datasets per identity)
- Push sync: Silent push notifications when data changes
- Local cache for offline access
AWS AppSync: Similar to Cognito Sync but supports multi-user real-time collaboration on shared data
Adaptive Authentication: Enable MFA only on risky/suspicious logins
Hosted UI: Customizable with logos via Cognito app settings

Common Pitfalls

❌ Using Identity Pools for user directory management (that’s User Pools)
❌ Using User Pools when you need AWS service credentials (that’s Identity Pools)
❌ Confusing Cognito Sync (single-user cross-device) with AppSync (multi-user real-time)

4.3 AWS KMS & Encryption

Key Concepts

Envelope Encryption

Call GenerateDataKey → returns plaintext + encrypted data key
Encrypt data with plaintext data key
Erase plaintext data key from memory
Store encrypted data key alongside encrypted data

Decryption

Call Decrypt → decrypts the encrypted data key → returns plaintext data key
Use plaintext data key to decrypt data
Erase plaintext data key from memory

KMS keys can only encrypt data up to 4 KB directly → use envelope encryption for larger data
Cannot encrypt with ciphertext data key (must decrypt it first)
Cannot mix symmetric and asymmetric encryption

CloudHSM

Dedicated HSMs under your exclusive control
Use when FIPS 140-2 Level 3 compliance is needed
Supports RSA asymmetric encryption
Use instead of KMS when you need keys in dedicated, third-party validated HSMs

CloudWatch Logs Encryption

Associate existing KMS key with log group: aws logs associate-kms-key --kms-key-id <ARN>
Encrypts all NEW log data automatically

Common Pitfalls

❌ Encrypting with the ciphertext version of data key (must use plaintext)
❌ Erasing encrypted data key instead of plaintext data key from memory
❌ Using KMS directly for large data (limited to 4 KB)
❌ Using AWS Encryption SDK when CloudHSM is needed for compliance

5. AWS Deployment & CI/CD

5.1 AWS CodeDeploy

Key Concepts

Deployment Types by Compute Platform

Platform	In-Place	Blue/Green
EC2/On-Premises	✅	✅ (EC2 only, not on-prem)
Lambda	❌	✅ (all Lambda deployments)
ECS	❌	✅ (all ECS deployments)

Traffic Shifting (Lambda/ECS)

Canary: Two increments (e.g., 10% immediately, 90% after 5 minutes)
Linear: Equal increments at regular intervals (e.g., 10% every 10 minutes)
All-at-once: All traffic shifted immediately

AppSpec File

ECS required properties: TaskDefinition, ContainerName, ContainerPort
Lambda: alias, targetversion
EC2: Lifecycle hooks (BeforeInstall, AfterInstall, etc.)
DownloadBundle errors → EC2 IAM profile lacks S3 permissions

CodeDeploy Agent

Required only for EC2/On-Premises (HTTPS port 443)
NOT required for Lambda or ECS deployments

Lifecycle Hooks

Lambda: BeforeAllowTraffic hook for validation
EC2: ApplicationStop, DownloadBundle, BeforeInstall, Install, AfterInstall, ApplicationStart, ValidateService

Common Pitfalls

❌ Using in-place deployment for Lambda (only blue/green)
❌ Blue/green deployments to on-premises servers (EC2 only)
❌ Confusing Canary with Linear deployment
❌ Rolling with additional batch is Elastic Beanstalk, NOT CodeDeploy

5.2 AWS CloudFormation & SAM

Key Concepts

CloudFormation

Transform: AWS::Serverless-2016-10-31 — required for SAM templates
StackSets: Create/update/delete stacks across multiple accounts and regions
Change Sets: Preview changes before applying (don’t deploy)
Cross-stack references: Export in Outputs + Fn::ImportValue in other templates
Fn::ImportValue retrieves exported values; Ref cannot cross templates
Dynamic references: {{resolve:ssm-secure:paramName:version}} for secure SSM parameters

Helper Scripts

Script	Purpose
`cfn-init`	Install packages, create files, start services
`cfn-signal`	Signal WaitCondition/CreationPolicy
`cfn-get-metadata`	Retrieve metadata
`cfn-hup`	Detect metadata changes, execute hooks

SAM (Serverless Application Model)

Extension of CloudFormation for serverless apps
SAM CLI: Build, test, debug locally
- sam init: Initialize project
- sam build: Install dependencies, create artifacts
- sam deploy: Package (zip + upload to S3) AND deploy via CloudFormation
- sam package: Package only (uploads to S3, generates template)
aws cloudformation package + aws cloudformation deploy: For CloudFormation CLI workflow
Local Lambda-like execution environment for debugging

SAM Resource Types

AWS::Serverless::Function: Lambda function
AWS::Serverless::Api: API Gateway
AWS::Serverless::Application: Nested applications
AWS::Serverless::LayerVersion: Lambda layers

CloudFormation Deploy from Local Code

Local artifacts → aws cloudformation package (uploads to S3) → aws cloudformation deploy
deploy alone won’t work if artifacts are local

Common Pitfalls

❌ Forgetting Transform: AWS::Serverless-2016-10-31 in SAM templates
❌ Using aws cloudformation deploy alone with local artifacts (must package first)
❌ Confusing Ref with Fn::ImportValue for cross-stack references
❌ Using StackSets terminology: Stack Instances are references, not standalone

5.3 AWS Elastic Beanstalk

Key Concepts

Deployment Policies

Policy	Downtime	Speed	Rollback
All-at-once	✅ Brief downtime	Fastest	Manual
Rolling	Reduced capacity	Moderate	Manual
Rolling with additional batch	Full capacity	Moderate	Manual
Immutable	Full capacity	Slower	Quick (terminate new)
Blue/Green	Full capacity	Variable	CNAME swap

Blue/Green Deployment Use Cases

Major platform changes (e.g., Java 7 → 8)
Decoupling RDS from Beanstalk (snapshot + deletion protection + new env)

Configuration Files

.ebextensions/*.config: Custom options (YAML/JSON)
env.yaml: Environment name, solution stack, links
Dockerrun.aws.json: Multi-container Docker definitions
cron.yaml: Periodic worker tasks

X-Ray on Elastic Beanstalk

Enable via xray-daemon.config in .ebextensions directory
OR toggle in Beanstalk console
Uses AWSXRayDaemonWriteAccess managed policy (included in default instance profile)
NOT via user data scripts (that’s for standalone EC2)

Deployment via CLI

Package as ZIP + eb deploy

Application Version Lifecycle

Set limits by count or age to avoid hitting version quota
Retention setting: Configure to retain source bundle in S3 (prevent deletion)

Resources Configurable in Beanstalk

EC2 instances, CloudWatch, ALB, Auto Scaling
NOT: Lambda, CloudFront, Athena

Common Pitfalls

❌ Using Rolling with additional batch in CodeDeploy (it’s a Beanstalk feature)
❌ Confusing .ebextensions config files with Dockerrun.aws.json
❌ Using user data script for X-Ray on Beanstalk (use .ebextensions config)

5.4 AWS CodePipeline, CodeBuild, CodeArtifact

CodePipeline

Automates build → test → deploy pipeline
Monitor via EventBridge rules (state changes)
Integrates with CodeCommit, CodeBuild, CodeDeploy, S3, GitHub

CodeBuild

buildspec.yml: Build specification file
- proxy element: Configure proxy server settings
- artifacts element: Build output configuration
- phases element: Build phases (install, pre_build, build, post_build)
AppSpec.yml is for CodeDeploy, NOT CodeBuild

CodeArtifact

Artifact management for npm, Maven, PyPI, etc.
EventBridge integration: Detect new package versions → trigger pipelines

6. AWS Monitoring & Observability

6.1 Amazon CloudWatch

Key Concepts

Custom namespaces: Separate metrics from multiple applications
CloudWatch Agent: For custom metrics (memory, disk, TCP connections)
- Attach CloudWatchAgentServerPolicy to IAM role
- Memory utilization is NOT available by default — requires CloudWatch Agent
CloudWatch Logs Insights: Query and analyze log data
Encrypt log groups with KMS: aws logs associate-kms-key

6.2 AWS X-Ray

Key Concepts

Segments: Represent a service/resource processing a request
Subsegments: Granular timing for downstream calls (AWS SDK, HTTP, SQL)
- Define arbitrary subsegments to instrument specific functions
- Namespace: aws for SDK calls, remote for external calls
Annotations: Key-value pairs indexed for search/filter
Metadata: Additional custom data (NOT indexed)
Service Maps: Visual representation of request flow and latency

X-Ray Daemon

Buffers segments and uploads to X-Ray API in batches
Alternative to direct PutTraceSegments API calls

Trace Analysis

GetTraceSummaries API: Retrieve trace IDs and annotations with filter expressions
BatchGetTraces API: Retrieve full traces by ID (no filtering)
Filter expressions: Search for specific annotations in X-Ray console

Sampling Rules

Control how many requests to record
Don’t disable sampling — it saves money

IAM Policies

Policy	Purpose
`AWSXrayReadOnlyAccess`	View service maps and segments
`AWSXRayDaemonWriteAccess`	Upload traces (used by EB, ECS)
`AWSXrayFullAccess`	Full access including sampling rules, encryption

X-Ray vs CloudWatch vs CloudTrail

X-Ray: Distributed tracing, performance bottlenecks, service maps
CloudWatch: Metrics, logs, alarms
CloudTrail: API activity auditing

AWS Distro for OpenTelemetry

Use when you need to send traces to multiple backends without re-instrumenting
X-Ray SDK: Single-vendor, tightly integrated

Client IP Behind ALB

X-Ray reads from X-Forwarded-For header (not packet source IP)

Common Pitfalls

❌ Installing X-Ray daemon on Lambda (just enable the checkbox)
❌ Using BatchGetTraces to filter traces (use GetTraceSummaries + filter expressions)
❌ Disabling sampling (increases costs without proportional benefit)
❌ Using CloudWatch for distributed tracing (use X-Ray)

7. High-Frequency Topic Deep Dives

7.1 SQS + Lambda Integration

Lambda event source mapping polls SQS
Batch size: Number of messages per invocation (up to 10 for standard, 10,000 for FIFO)
Batch window: Max time to gather messages before invoking
Partial batch responses: Report which messages failed; only failed messages return to queue
DLQ configuration: Set on the SQS queue (not Lambda) for event source mappings
Visibility timeout should be ≥ 6× Lambda timeout

7.2 DynamoDB Capacity Planning

RCU Formula:

RCU = (reads/sec) × ceil(item_size / 4 KB) / consistency_factor
  - Strongly consistent: factor = 1
  - Eventually consistent: factor = 2
  - Transactional: factor = 0.5 (double cost)

WCU Formula:

WCU = (writes/sec) × ceil(item_size / 1 KB)
  - Transactional: factor = 0.5 (double cost)

When to use On-Demand vs Provisioned:

On-Demand: Unpredictable traffic, new tables, pay-per-request
Provisioned: Predictable traffic, cost optimization with auto-scaling
Burst capacity: Short-term spikes accommodated, but not guaranteed

7.3 ECS Task Placement Deep Dive

// Cost optimization (binpack by memory)
"placementStrategy": [{"field": "memory", "type": "binpack"}]

// High availability (spread across AZs)
"placementStrategy": [{"field": "attribute:ecs.availability-zone", "type": "spread"}]

// Minimal config (random, honors constraints)
"placementStrategy": [{"type": "random"}]

7.4 Caching Strategies (ElastiCache)

Strategy	Data Freshness	Wasted Space	Use Case
Lazy Loading	Can be stale	Only requested data cached	Read-heavy, cache miss acceptable
Write-Through	Always current	Caches all writes (even unread data)	Data must always be current
Write-Through + TTL	Always current	Auto-expires unread data	Best combo — fresh data + minimal waste

Redis vs Memcached:

Redis: Supports replication (Multi-AZ), persistence, complex data types
Memcached: Simple key-value, multi-threaded, NO replication

7.5 Envelope Encryption Flow

ENCRYPT:
  GenerateDataKey → [plaintext key, encrypted key]
  Use plaintext key → encrypt data
  Erase plaintext key from memory
  Store encrypted key + encrypted data

DECRYPT:
  Decrypt API → encrypted key → plaintext key
  Use plaintext key → decrypt data
  Erase plaintext key from memory

7.6 API Gateway Authentication Decision Tree

Need IAM-based auth (same/cross account)?
  → AWS_IAM + Resource Policy

Need custom auth with bearer tokens?
  → Lambda Authorizer (TOKEN type)

Need custom auth with headers/query params?
  → Lambda Authorizer (REQUEST type)

Need Cognito user directory?
  → Cognito User Pool Authorizer

Just need to identify callers?
  → API Keys (identification, NOT authorization)

8. Quick Reference: Service Limits & Defaults

Service	Key Limit/Default	Exam Relevance
Lambda	15 min timeout, 10 GB memory, 1,000 concurrent (soft), 250 MB unzipped deployment, 512 MB–10 GB /tmp	Concurrency, timeout, memory questions
Lambda Layers	5 per function, 250 MB total unzipped	Package size optimization
SQS Standard	Nearly unlimited TPS, at-least-once, best-effort ordering	Ordering/deduplication scenarios
SQS FIFO	300 TPS (3,000 with batching), exactly-once, guaranteed order	Throughput limitation questions
SQS Visibility Timeout	Default 30s, max 12h	Duplicate processing scenarios
API Gateway	29s integration timeout, 10,000 req/s (account-level)	Timeout and throttling questions
API Gateway Cache	Default TTL 300s, max 3600s	Cache configuration questions
DynamoDB	400 KB max item size	Large item scenarios
DynamoDB RCU	1 RCU = 4 KB strongly consistent, 8 KB eventually consistent	Capacity calculation questions
DynamoDB WCU	1 WCU = 1 KB/s write	Capacity calculation questions
DynamoDB Streams	24-hour retention	Stream processing frequency
DynamoDB GSI	20 per table (default), eventual consistency only	Index design questions
DynamoDB LSI	5 per table, created at table creation only, 10 GB per partition key	Index limitation questions
Kinesis	Default 24h retention (max 365 days)	Data loss scenarios
KMS	4 KB direct encryption limit; 5,500–30,000 API ops/sec per region	Envelope encryption, throttling
S3	5 TB max object, 100 bucket-level rules for CORS	Storage and access scenarios
CloudFormation StackSets	Single operation across multiple accounts/regions	Multi-account management
Cognito Sync	1 MB per dataset, 20 datasets per identity	Cross-device sync limits
Step Functions	25,000 execution history events	Long-running workflow limits

9. Additional Services Quick Reference

AWS AppConfig

Feature flags: Gradually roll out features without code deployment
Configuration profiles: Enable/disable features based on development progress
Preferred over Lambda + Parameter Store for feature flags (less overhead)

AWS Systems Manager Parameter Store

Standard tier: Free, no policies, 4 KB max
Advanced tier: Paid, supports policies (Expiration, ExpirationNotification, NoChangeNotification), 8 KB max
NoChangeNotification: Alert when parameter hasn’t been modified in X days (rotation monitoring)
Secure String: Encrypted with KMS
Use ssm-secure dynamic reference in CloudFormation templates

AWS Secrets Manager

Automatic rotation of secrets (Lambda-based)
Best for database credentials that need periodic rotation
More expensive than Parameter Store

Secrets Manager vs Parameter Store:

Feature	Secrets Manager	Parameter Store
Auto-rotation	✅	❌
Cost	Per secret/month	Free (Standard)
Max size	64 KB	4 KB (Standard) / 8 KB (Advanced)
Best for	DB credentials needing rotation	Config values, encrypted strings

AWS WAF

Web application firewall for API Gateway, CloudFront, ALB
Protects against SQL injection, XSS
Rules: Allow, Block, Count
NOT: GuardDuty (threat detection), Firewall Manager (multi-account WAF management), NACLs (subnet-level)

Amazon Athena

Serverless SQL queries on S3 data
Supports JSON, CSV, ORC, Parquet
Pay-per-query — ideal for ad-hoc analysis without loading data into a database

AWS CDK (Cloud Development Kit)

Define cloud infrastructure using programming languages (Python, TypeScript, Java, C#)
Compiles to CloudFormation templates
Different from CloudFormation (JSON/YAML only)

AWS Amplify

Frontend web/mobile app development platform
Amplify Hosting: Git-based deployment with CI/CD
E2E testing: Configure Cypress in amplify.yml
NOT aws-exports.js or amplifyconfiguration.json for Cypress config

ALB (Application Load Balancer)

Layer 7, supports OIDC authentication natively on HTTPS port 443
X-Forwarded-For header: Contains client’s original IP address
NLB operates at Layer 4 and does NOT support OIDC

EC2 Instance Metadata

URL: http://169.254.169.254/latest/meta-data/
User data: http://169.254.169.254/latest/user-data/
IP: 169.254.169.254 (link-local, valid only from instance)
User data: Run scripts on launch, NOT for querying instance details

10. Exam Strategy: How to Eliminate Wrong Answers

Pattern Recognition

“Least effort” / “Least configuration”:

Look for managed services over custom solutions
Prefer built-in features (e.g., DynamoDB TTL over scheduled scans)
Choose random placement when question says “least configuration”

“Most secure”:

IAM roles > access keys (always)
Principle of least privilege (specific actions, not wildcards)
Encryption at rest + in transit
Temporary credentials > long-term credentials

“Cost-effective” / “Minimal cost”:

Query over Scan (DynamoDB)
Reduce page size before adding DAX
Binpack for ECS cost optimization
On-demand for unpredictable, provisioned for predictable workloads

“Without modifying code”:

ALB OIDC authentication (no code changes needed)
CloudFront Functions (edge processing)
API Gateway caching

Service Boundary Traps

If the question mentions…	Don’t confuse with…
Decoupling services	Kinesis (use SQS unless ordering/streaming is required)
Serverless deployment	CloudFormation alone (use SAM for serverless)
Multiple Lambda coordination	Direct invocation (use Step Functions)
Feature flags	Lambda + Parameter Store (use AppConfig)
Cross-device sync (single user)	AppSync (use Cognito Sync)
Multi-user real-time collaboration	Cognito Sync (use AppSync)
Distributed tracing	CloudWatch Logs (use X-Ray)
API auditing	X-Ray (use CloudTrail)
npm package management	ECR (use CodeArtifact)

Error Code Quick Reference

Error	Likely Cause
502 Bad Gateway (API GW)	Lambda returned wrong format (not JSON proxy format)
504 Gateway Timeout (API GW)	Integration exceeded 29s timeout
429 Too Many Requests (Lambda)	Throttling — concurrency limit exceeded
ProvisionedThroughputExceededException (DynamoDB)	Request rate too high → exponential backoff
AccessDeniedException (Lambda → other service)	Execution role missing permissions
UnauthorizedOperation (EC2)	IAM policy missing; decode with `sts:DecodeAuthorizationMessage`
RequestError timeout (CodeBuild)	Missing proxy config in `buildspec.yml`
UnknownError: not opened for reading (CodeDeploy)	EC2 IAM profile lacks S3 access

Security-First Thinking

Explicit deny ALWAYS wins
Least privilege: s3:GetObject not s3:*
Use roles, not access keys
Encrypt at rest (KMS, SSE) + in transit (HTTPS, TLS)
Rotate credentials (Secrets Manager for auto-rotation)
Delete root user access keys

Final Tip: When in doubt between two similar-sounding options, ask yourself:

Does this follow the principle of least privilege?

Does this use a managed/native AWS service over a custom solution?

Does this address the root cause or just a symptom?

Is this the simplest path that meets ALL requirements?

Study guide generated from DVA-C02 practice exams (Sets 1–6) — March 2026