AWS DVA-C02: Developer Associate Study Guide
The AWS Certified Developer - Associate (DVA-C02) validates your ability to develop, deploy, secure, and troubleshoot cloud-native applications on AWS using core services, the SDKs/CLI, and CI/CD tooling. It targets developers with one or more years of hands-on experience building and maintaining AWS applications. The exam is 130 minutes, contains roughly 65 scored questions, and requires a scaled score of 720 out of 1000 to pass.
Domain 1: Development with AWS Services
- AWS Lambda is event-driven serverless compute triggered by API Gateway, S3, SQS, SNS, DynamoDB Streams, EventBridge, and more; you pay per request and per GB-second of execution.
- Lambda synchronous (RequestResponse) invocation returns the result to the caller; pass --invocation-type Event for asynchronous invocation, which queues the event and returns immediately.
- Choose a high-cardinality DynamoDB partition key so requests spread evenly across partitions and avoid hot partitions that throttle on a single key's throughput.
- A DynamoDB Global Secondary Index (GSI) lets you query on a non-key attribute with its own partition/sort key and its own provisioned/on-demand throughput; a Local Secondary Index (LSI) must share the table's partition key and be created at table creation.
- DynamoDB Accelerator (DAX) is an in-memory cache that cuts read latency to microseconds for eventually consistent reads; ElastiCache (Redis or Memcached) is a general-purpose cache for session state and hot reads in front of databases.
- Use AWS Step Functions to orchestrate multi-step workflows with built-in Retry and Catch states for error handling and a visual state machine; start runs with aws stepfunctions start-execution.
- SQS standard queues offer best-effort ordering and at-least-once delivery; FIFO queues guarantee exactly-once processing and strict ordering and require a MessageGroupId and a MessageDeduplicationId (or content-based dedup).
- SQS long polling (--wait-time-seconds up to 20) reduces empty responses and cost; ReceiveMessage can return up to 10 messages at a time with --max-number-of-messages 10.
- Use SNS topic fan-out to push one published message to multiple subscribed SQS queues (one per consumer) so several services process the same event independently.
- Use Amazon RDS Proxy to pool and share database connections, which prevents connection exhaustion when many concurrent Lambda invocations open connections to a relational database.
- Lambda has an ephemeral /tmp of up to 10 GB; mount an Amazon EFS file system to a Lambda function (it must be VPC-attached) to share large files such as ML models across invocations.
- Restrict an S3 origin to CloudFront using Origin Access Control (OAC), the recommended replacement for the older Origin Access Identity (OAI), so the bucket is not directly reachable.
- Know the core CLI verbs: aws dynamodb put-item, aws lambda invoke, aws sqs send-message / receive-message, aws sns publish, and aws s3api put-object; DynamoDB items use typed attribute values like {"S":"123"} for string.
- API Gateway integrates with Lambda (proxy or non-proxy), HTTP endpoints, and AWS services; HTTP APIs are cheaper and lower-latency, while REST APIs add features like request validation, API keys, and usage plans.
Domain 2: Security
- Lambda functions, EC2 instances, and ECS tasks should obtain AWS access through an IAM role (execution/instance/task role) that supplies temporary, auto-expiring credentials, never hard-coded access keys.
- Apply least privilege: grant only the specific actions and resources required, and prefer scoping resources by ARN rather than using wildcards.
- In IAM policy evaluation an explicit Deny always overrides any Allow; access is denied by default unless an Allow grants it and no Deny matches.
- Identity-based policies attach to a user, group, or role; resource-based policies (such as an S3 bucket policy or Lambda resource policy) attach to the resource and can grant cross-account access.
- Store secrets in AWS Secrets Manager or SSM Parameter Store (SecureString) encrypted with KMS, and have the application fetch them at runtime; never embed credentials in code or environment variables in plaintext.
- AWS Secrets Manager supports automatic rotation via a rotation Lambda; the app should always fetch the current secret value at runtime so it picks up rotated credentials.
- Retrieve secrets with aws secretsmanager get-secret-value --secret-id, and parameters with aws ssm get-parameter --name --with-decryption to decrypt SecureString values.
- AWS KMS manages encryption keys for data at rest in S3, EBS, RDS, and more; use aws kms encrypt/decrypt for envelope encryption and rotate customer-managed keys as needed.
- Generate an S3 pre-signed URL (aws s3 presign ... --expires-in 3600) to grant temporary, time-limited access to a private object without changing bucket permissions.
- Use aws sts assume-role --role-arn ... --role-session-name to obtain short-lived credentials for cross-account access or role switching, reducing exposure if credentials leak.
- For cross-account S3 access, have the resource owner's bucket policy grant the consumer account's role (for example a Lambda execution role) the needed action like s3:GetObject, and grant that role the matching permission in its own identity-based policy; both sides must allow the request.
- Use AWS Certificate Manager (ACM) to provision and auto-renew free public TLS certificates for CloudFront, ALB, and API Gateway endpoints.
- Protect APIs with an Amazon Cognito user pool authorizer that validates the caller's JWT, and add AWS WAF with managed rule groups to block common web exploits such as SQL injection and XSS.
- Place resources that need outbound internet but no inbound access in private subnets with a route to a NAT gateway, and attach security groups (stateful) and NACLs (stateless) appropriately.
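The policy-evaluation bullets above (explicit Deny, default deny, identity-based versus resource-based policies, cross-account S3 access) can be checked against a small evaluator. This is an added example, not AWS code: it is a simplified model that ignores Condition blocks, SCPs, permission boundaries and session policies, and the account ID, role and bucket names are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample data: account IDs, role and bucket names are placeholders.
ROLE = "arn:aws:iam::222222222222:role/report-reader"
BUCKET = "arn:aws:s3:::example-reports"
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": BUCKET + "/restricted/*"},
]}
NO_POLICY = {"Statement": []}


def _matches(patterns, value):
    """Wildcard match; a policy field may be one string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _effects(policy, principal, action, resource):
    """Collect the Effect of every statement that applies to the request."""
    hits = set()
    for st in policy["Statement"]:
        if "Principal" in st and not _matches(st["Principal"]["AWS"], principal):
            continue  # resource-based statement naming someone else
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            hits.add(st["Effect"])
    return hits


def evaluate(identity_policy, resource_policy, principal, action, resource,
             cross_account):
    ident = _effects(identity_policy, principal, action, resource)
    res = _effects(resource_policy, principal, action, resource)
    if "Deny" in ident | res:
        return "ExplicitDeny"      # a matching Deny wins over any Allow
    if cross_account:              # both accounts must grant the access
        allowed = "Allow" in ident and "Allow" in res
    else:                          # same account: either policy is enough
        allowed = "Allow" in ident or "Allow" in res
    return "Allow" if allowed else "ImplicitDeny"
```

Passing NO_POLICY as the identity policy with cross_account=True shows why a bucket policy alone does not give a role in another account access.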
Domain 3: Deployment
- Lambda and CodeDeploy support three deployment strategies: all-at-once, linear (shift a fixed percentage on an interval), and canary (shift a small percentage, wait, then shift the rest).
- AWS SAM is a CloudFormation extension for serverless apps; build with sam build then deploy with sam deploy, and SAM transforms shorthand resources into full CloudFormation.
- In SAM, set AutoPublishAlias so a new Lambda version is published and an alias points to it, and add DeploymentPreference (for example Type: Canary10Percent5Minutes) to shift alias traffic gradually via CodeDeploy.
- Lambda alias traffic shifting via CodeDeploy can auto-rollback when an associated CloudWatch alarm trips during the deployment.
- AWS CloudFormation provisions infrastructure as code; update a stack with aws cloudformation update-stack, and create a change set first to preview exactly what will change before executing.
- By default CloudFormation rolls a failed stack back to the last known good state; set OnFailure or disable rollback to retain resources for debugging.
- Share values between CloudFormation stacks by declaring Outputs with Export in one stack and referencing them with Fn::ImportValue in another (cross-stack references).
- AWS CodeBuild compiles, tests, and packages code according to a buildspec.yml file placed at the root of the source directory.
- An AppSpec file drives CodeDeploy; lifecycle event hooks that run custom scripts are defined under the Hooks section, and the file is appspec.yml for EC2/on-prem or appspec.yaml/json for Lambda and ECS.
- Store build artifacts and deployment packages in Amazon S3, and store and version application packages and dependencies in AWS CodeArtifact.
- A Lambda deployment package is a .zip archive of code and dependencies (or a container image up to 10 GB); update code directly with aws lambda update-function-code --zip-file fileb://function.zip.
- Publish an immutable Lambda version with aws lambda publish-version, then point a mutable alias at it; aliases can split traffic by weight between two versions.
- Pass configuration to Lambda through environment variables (encrypted with KMS) and/or SSM Parameter Store, keeping config separate from code.
- Add a manual approval action in a CodePipeline stage to require human sign-off before a deployment proceeds to production.
- AWS Elastic Beanstalk handles provisioning, load balancing, and scaling for common platforms and supports deployment policies including rolling, rolling with additional batch, and immutable.
Domain 4: Troubleshooting and Optimization
- Handle throttling and transient errors by retrying with exponential backoff and jitter; the AWS SDKs implement this automatically for retryable errors.
- Lambda cold starts add latency when a new execution environment initializes; configure Provisioned Concurrency to keep environments warm for latency-sensitive workloads.
- Lambda CPU is allocated in proportion to the memory setting, so increasing memory can speed up CPU-bound functions and sometimes lower overall cost by reducing duration.
- Reserved concurrency (aws lambda put-function-concurrency --reserved-concurrent-executions) caps and guarantees a function's concurrent executions; it is distinct from provisioned concurrency, which pre-warms environments.
- Use AWS X-Ray for distributed tracing: enable it with aws lambda update-function-configuration --tracing-config Mode=Active, then inspect the service map and trace segments/subsegments to find latency.
- Use Amazon CloudWatch for metrics, custom metrics, alarms, and dashboards; query metrics with aws cloudwatch get-metric-statistics using the correct namespace, dimensions, and time range.
- Tail Lambda logs in real time with aws logs tail /aws/lambda/myFn --follow, and run CloudWatch Logs Insights queries with aws logs start-query for ad hoc analysis like sorting by @duration.
- Configure an SQS dead-letter queue by setting a RedrivePolicy with deadLetterTargetArn and maxReceiveCount on the source queue so poison messages move aside after repeated failures.
- For asynchronous Lambda invocations, configure a Lambda destination (on-success/on-failure) or a DLQ to capture events that fail after Lambda's automatic retries.
- Reduce DynamoDB cost and throttling by using DAX for hot reads, choosing eventually consistent reads (half the read cost of strongly consistent) where strong consistency is not required, and retrying with backoff.
- Match DynamoDB capacity mode to traffic: on-demand bills per request and absorbs unpredictable bursts, while provisioned (optionally with auto scaling) is cheaper for steady, predictable load.
- Protect backends with API Gateway throttling (rate and burst limits) and per-client usage plans with API keys, and enable response caching to serve repeated requests without hitting the backend.
- Set a client-side request timeout shorter than the downstream Lambda timeout and retry, so callers fail fast instead of waiting on a hung request, and check X-Ray/Logs to see where time is spent.
- Create CloudWatch alarms on operational metrics (for example a Lambda Errors alarm or DynamoDB throttle metric) that notify an SNS topic so issues are detected and escalated automatically.
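The retry bullet at the top of this domain (exponential backoff with jitter) looks like this when written out. The AWS SDKs already do this for retryable errors; this is an added illustration, not SDK code, and ServiceError, call_with_backoff and the default timings are hypothetical names and values chosen for the example.

```python
import random
import time

# Error codes treated as transient here; anything else is raised at once.
RETRYABLE = {"ThrottlingException", "ProvisionedThroughputExceededException",
             "TooManyRequestsException", "RequestLimitExceeded"}


class ServiceError(Exception):
    """Constructed stand-in for an SDK error that carries an error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def backoff_delays(max_attempts, base=0.1, cap=5.0, rng=random.random):
    """Yield the sleep before each retry: full jitter over
    [0, min(cap, base * 2**n)), so clients that failed together do not
    all retry at the same instant."""
    for attempt in range(max_attempts - 1):
        yield rng() * min(cap, base * 2 ** attempt)


def call_with_backoff(fn, max_attempts=5, base=0.1, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(), retrying throttling errors up to max_attempts in total."""
    delays = backoff_delays(max_attempts, base, cap, rng)
    while True:
        try:
            return fn()
        except ServiceError as err:
            if err.code not in RETRYABLE:
                raise          # e.g. access denied or validation: retry cannot help
            delay = next(delays, None)
            if delay is None:
                raise          # attempts exhausted, surface the error
            sleep(delay)
```

The sleep and rng parameters exist so the schedule can be tested without waiting; production callers leave them at their defaults.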
AWS DVA-C02 exam tips
- Read each scenario for the deciding constraint (lowest cost, least operational overhead, fully managed, real-time vs batch, strong vs eventual consistency) and eliminate options that violate it before picking.
- Memorize when to reach for each messaging service: SQS for decoupling and buffering, SNS for fan-out/pub-sub, EventBridge for event routing with rules, and Step Functions for multi-step orchestration with retries.
- Default to IAM roles and temporary credentials plus Secrets Manager/Parameter Store; any answer that hard-codes keys or embeds plaintext secrets is almost always wrong.
- Know the SAM/CodeDeploy traffic-shifting vocabulary cold (AutoPublishAlias, DeploymentPreference, Canary vs Linear vs AllAtOnce, alarm-based rollback) since these appear repeatedly in deployment questions.
- When a question is about latency, errors, or cost, map the symptom to the right tool first: CloudWatch metrics/alarms, CloudWatch Logs Insights for log queries, and X-Ray for end-to-end tracing across services.
Study guide FAQ
How many questions are on the DVA-C02 and what score do I need to pass?
The exam contains about 65 questions (roughly 50 scored plus unscored pilot questions), you get 130 minutes, and you need a scaled score of 720 out of 1000 to pass. Questions are multiple choice (one correct answer) and multiple response (two or more correct).
Which AWS services should I focus on most?
Lambda, DynamoDB, API Gateway, S3, SQS, SNS, and IAM dominate the exam, followed by deployment tooling (CloudFormation, SAM, CodeBuild, CodeDeploy, CodePipeline) and observability tooling (CloudWatch and X-Ray). Be comfortable with how these services integrate and with their common CLI commands.
Do I need to write code or memorize CLI commands for the exam?
You will not write full programs, but you must recognize correct CLI commands and SDK behaviors, such as Lambda synchronous vs asynchronous invocation, DynamoDB key-condition expressions, SQS long polling, and pre-signed URL generation. Knowing the exact flags (for example --invocation-type Event or --with-decryption) helps you eliminate distractors.
How much hands-on experience is recommended before taking it?
AWS recommends at least one year of hands-on experience developing and maintaining applications on AWS, including using at least one high-level programming language with the AWS SDKs. Practical experience with serverless patterns, CI/CD, and debugging with CloudWatch and X-Ray maps directly to the question scenarios.