AWS Certified Developer Associate
Last reviewed: May 2026
A scannable reference of architectural patterns the DVA-C02 exam tests. Read top-to-bottom, or jump to a section.
Stable invocation target while you push new Lambda code.
Publish numbered, immutable versions; expose an alias that points to a version. Callers invoke the alias ARN.
Why: Versions are frozen snapshots of code + config; aliases provide indirection so callers never invoke `$LATEST` directly.
Gradual rollout of a new Lambda version with auto-rollback on errors.
Alias with weighted version routing (e.g. 90/10). CodeDeploy `LambdaCanary10Percent5Minutes` or `LambdaLinear*` shifts traffic and watches CloudWatch alarms.
Why: Built-in traffic shifting + alarm-driven rollback removes hand-coded canary logic.
Inject config (DB URL, feature flags) without redeploys.
Lambda environment variables. KMS-encrypted at rest; reference a custom CMK for additional encryption-in-transit at retrieval.
Share NumPy / pandas / common runtime across many Lambdas.
Package as a Lambda Layer; up to 5 layers per function, total 250 MB unzipped. Versioned ARN per layer.
Latency-sensitive synchronous Lambda — no cold starts allowed.
Provisioned Concurrency on the alias. Pre-initializes N execution environments; pay per GB-second.
Why: Eliminates cold start at predictable cost. Set application auto-scaling on the alias to flex with load.
Java or Python Lambda with heavy init code; need fast cold start without paying for Provisioned Concurrency.
Enable SnapStart on a published version. AWS snapshots the initialized runtime and resumes from it.
Why: Free for Java; charged per restore for Python/.NET. Cuts cold starts from seconds to <1s without idle cost.
Lambda needs to consume a Kinesis stream / DynamoDB Stream / SQS queue / MSK topic.
Event source mapping (pull-based). Lambda polls; batch size + maximum batching window tune throughput vs latency. Failure → DLQ via On-Failure destination.
Why: For pull sources, the service can't directly invoke Lambda; the mapping is Lambda's polling adapter.
Async Lambda success/failure routing without Lambda DLQ.
OnSuccess / OnFailure destinations on the function. Targets: SNS, SQS, EventBridge, another Lambda. Includes invocation context.
Why: Destinations capture the full event + response; legacy DLQ only captures the event payload.
Pick API Gateway type for a new REST API.
HTTP API: cheaper, faster, JWT auth built-in, simpler. REST API: full features (mapping templates, request validators, WAF, private endpoints, X-Ray, API caching).
Why: Default to HTTP API unless you need a REST-only feature. WebSocket APIs are a separate product for stateful real-time.
Promote API changes from dev → test → prod without redeploying separate APIs.
Stages on a single API. Deploy a stage to publish; stage variables hold environment-specific values like Lambda alias names.
Backend Lambda expects a different shape than what the client sends.
Request/response mapping template (REST API only). VTL with `$input`, `$context`, `$util` to transform JSON.
Why: Mapping templates run in API Gateway — no extra Lambda hop, no extra latency or cost.
Validate a custom token (not Cognito, not IAM) before routing the request.
Lambda authorizer. TOKEN type reads a header; REQUEST type reads full request context. Returns IAM policy + principalId. Cached per identity for TTL.
Validate a Cognito User Pool JWT on every request.
Cognito User Pool authorizer (REST) or JWT authorizer (HTTP). API Gateway validates the token; no Lambda needed.
Why: Native validation is cheaper and faster than a Lambda authorizer for the common JWT case.
Throttle/quota a partner API consumer.
Usage Plan + API Key. Plan ties keys to a stage with rate limit (req/sec) + burst + quota (req/day or month).
Reduce backend load for repeated GET requests.
Stage-level cache (REST API). TTL configurable; cache key derived from method + path + selected query/header params.
Update an item only if a precondition holds (e.g. status == "PENDING").
PutItem/UpdateItem with `ConditionExpression`. Failure raises `ConditionalCheckFailedException`.
Why: Server-side check avoids read-modify-write races without locking.
All-or-nothing across multiple DynamoDB items.
`TransactWriteItems` / `TransactGetItems`. Up to 100 items / 4 MB; 2× the WCU/RCU cost of normal writes/reads.
Increment a counter without read-modify-write.
UpdateExpression `ADD count :inc`. Server applies the delta atomically.
Iterate a large query/scan result set.
`LastEvaluatedKey` from response → `ExclusiveStartKey` on next call until absent. Limit via `Limit` parameter.
Need an additional access pattern beyond the primary key.
GSI: alternate partition + sort key, eventually consistent, separate capacity, can be added any time. LSI: same partition key, alternate sort key, strong-consistency option, must be created at table creation.
Index only items that have a particular attribute (e.g. only ACTIVE orders).
Sparse index: omit the attribute on items you want excluded. Items without the indexed attribute don't appear in the GSI/LSI.
Bulk read/write many items.
`BatchGetItem` (up to 100 items / 16 MB) and `BatchWriteItem` (up to 25 items / 16 MB). Not atomic; partial failures returned in `UnprocessedItems`.
Prevent lost updates from concurrent writers.
Version attribute + `ConditionExpression: version = :v`. Failed writes retry by re-reading.
Trigger downstream actions on every DynamoDB change.
DynamoDB Streams + Lambda event source mapping. Stream view: NEW_IMAGE / OLD_IMAGE / NEW_AND_OLD_IMAGES / KEYS_ONLY.
Browser uploads/downloads directly to S3 without your server proxying bytes.
SDK `getSignedUrl` for GET or PUT. Expiry up to 7 days when signed by IAM user (sigv4); shorter for role-derived sessions.
Why: Off-loads bandwidth from your backend; URL is a temporary capability scoped to one object + method.
Upload a large file (≫100 MB) reliably from the SDK.
`CreateMultipartUpload` → parallel `UploadPart` → `CompleteMultipartUpload`. SDK high-level transfer manager handles part sizing automatically.
Why: Required >5 GB; recommended ≥100 MB. Failed parts re-upload independently. Set lifecycle to abort incomplete multiparts to reclaim storage.
Run code when an object is created/deleted in S3.
S3 Event Notifications → Lambda / SNS / SQS / EventBridge. Filter by prefix and suffix.
Browser app fetches from S3 across origins (`fetch('https://bucket.s3...')`); CORS preflight fails.
Configure bucket CORS rules: allowed origins, methods (GET/PUT), headers, and exposed headers.
Filter rows from a 50 GB CSV/JSON/Parquet object without downloading it.
S3 Select with SQL. Returns matching rows only; pay for scan + return bytes.
Sign in a user from a public mobile/web client without sending the password.
Cognito User Pool with `USER_SRP_AUTH` flow. Client computes SRP proof; backend never sees the password. Returns ID + access + refresh tokens.
Federated user (Google/Apple/Cognito UP) needs temporary AWS credentials to call AWS APIs directly from a mobile app.
Cognito Identity Pool. Exchanges identity provider token → IAM role → temporary AWS credentials via STS.
Why: User Pools authenticate users; Identity Pools authorize them to AWS resources.
Pick a Step Functions workflow type.
Standard: long-running (≤1 year), exactly-once, $0.025/1k transitions, full history. Express: ≤5 min, at-least-once or at-most-once, billed per request + duration; for high-volume ETL/streaming.
Workflow step fails; want retry with backoff and route to a recovery state.
`Retry` array (per-state, with `BackoffRate` + `MaxAttempts`) and `Catch` for terminal failure routing. Match by `ErrorEquals` (e.g. `States.TaskFailed`, custom error names).
Apply the same workflow to each item in an array, with concurrency cap.
Map state with `ItemsPath` and `MaxConcurrency`. Distributed Map handles 10k+ items with S3-backed input.
Trigger Lambda on either a cron schedule or matching incoming events.
EventBridge rule. Schedule: `rate(...)` or `cron(...)`. Pattern: JSON event filter; match on source, detail-type, detail fields.
Route events from SQS / Kinesis / DynamoDB Streams / MSK to a target with optional filter + transform.
EventBridge Pipes. Source → Filter → Enrichment (Lambda/Step Functions) → Target. No Lambda needed for the simple cases.
Process messages strictly in order per customer, with deduplication.
SQS FIFO queue. `MessageGroupId` partitions ordering (parallelism per group); `MessageDeduplicationId` (or content-based dedup) drops duplicates within 5 minutes.
Consumer pulls a message but crashes before deleting it.
Message hidden for VisibilityTimeout seconds, then reappears for redelivery. Tune to longest expected processing time + buffer.
Why: Too short → duplicate processing. Too long → slow recovery on crash. ChangeMessageVisibility extends in-flight if needed.
One event must reach multiple consumers (Lambdas / SQS queues / HTTP endpoints).
SNS topic with multiple subscribers. Subscription filter policies route only matching messages per subscriber.
Tune Kinesis Data Streams capacity for write throughput.
Each shard = 1 MB/s or 1000 records/s in, 2 MB/s out. Add shards (split) or use On-Demand mode for auto-scaling.
Code on EC2 / ECS task / Lambda needs AWS access — no embedded keys.
Attach an IAM role via instance profile (EC2) or task/execution role (ECS/Lambda). SDK pulls temporary credentials from the metadata service; auto-rotates.
Cross-account access from app code or CLI.
`sts:AssumeRole` from caller principal. Target role's trust policy lists the caller as a `Principal`. Returns temporary creds (max 12 hours).
Cross-account AssumeRole is failing — permission seems correct.
Both must be set: trust policy on target role lists caller as Principal; caller's identity policy allows `sts:AssumeRole` on the target role ARN.
Why: Trust = who can assume. Permission = what they can do once assumed. Either missing → AccessDenied.
Policy that grants users access only to their own folder in S3.
Use `${aws:username}` or `${aws:PrincipalTag/X}` in resource ARNs: `arn:aws:s3:::bucket/${aws:username}/*`.
Let a team self-manage IAM roles, but cap what permissions they can grant.
Permission boundary policy on the team's creator role. Any role they create with the boundary has the intersection of identity policy + boundary as effective permissions.
Restrict an action by source IP / VPC / region / MFA.
Policy `Condition`: `aws:SourceIp`, `aws:SourceVpc`, `aws:SourceVpce`, `aws:RequestedRegion`, `aws:MultiFactorAuthPresent`.
SPA / mobile client vs server-side service calling Cognito.
Public clients (SPA, mobile) → app client without secret. Confidential clients (server) → app client with secret; client must include `SECRET_HASH` (HMAC of username + clientId).
Distinguish Cognito ID token vs Access token vs Refresh token.
ID = user identity claims (consume on client). Access = scoped authorization for APIs. Refresh = obtain new ID/access tokens. All JWTs except Refresh.
Drop-in sign-in/sign-up UI without building forms.
Cognito Hosted UI. OAuth2 authorization-code flow: redirect to `/oauth2/authorize` → callback URL with `code` → exchange at `/oauth2/token`.
Encrypt a small secret (≤4 KB) directly with KMS.
`kms:Encrypt` returns ciphertext blob containing the key ARN. `kms:Decrypt` recovers plaintext if caller has permission and (if specified) `EncryptionContext` matches.
Encrypt large data with KMS without hitting the 4 KB direct-encrypt limit.
Envelope encryption. `GenerateDataKey` returns plaintext + encrypted DEK; encrypt data locally with DEK, store encrypted DEK alongside, discard plaintext DEK.
Why: KMS enforces access control on the small DEK; bulk encryption happens locally at line speed.
Give another principal time-bound access to a CMK without editing key policy.
Create a `kms:CreateGrant` grant scoping operations + grantee. Revoke with `RetireGrant`.
Reference a KMS key indirectly so the underlying CMK can rotate without code changes.
Use `alias/my-key` (or `arn:aws:kms:region:acct:alias/my-key`). Update the alias to point to a new CMK; consumers continue working.
Pick a credential store.
Secrets Manager: built-in rotation, native RDS/Redshift/DocumentDB integration, $0.40/secret/mo. Parameter Store SecureString: free tier (Standard), no built-in rotation, stratified `/app/env/key` paths.
Rotate RDS credentials automatically.
Secrets Manager native rotation (managed Lambda) for Aurora/RDS/DocumentDB/Redshift. Master/user pattern uses a separate master secret to rotate the user secret.
Store a config value with KMS encryption at rest in Parameter Store.
SecureString parameter type. Specify `--key-id` for a custom CMK; otherwise uses `aws/ssm`. Decrypt requires `kms:Decrypt` on the CMK.
Restrict CloudFront access to authenticated users.
Signed URLs (single resource) or signed cookies (multiple resources, SPAs/streaming). Sign with a CloudFront key pair stored as a public key in CloudFront key group.
Pick S3 server-side encryption.
SSE-S3 (managed AES-256, default), SSE-KMS (CMK, audit via CloudTrail, key policy), SSE-C (customer-supplied keys, you manage), DSSE-KMS (double-layer for high-compliance).
Find roles/policies that grant access outside the account or are over-permissive.
IAM Access Analyzer. Findings on external access; policy generation from CloudTrail history for least-privilege right-sizing.
Lambda environment variable contains a sensitive value.
Lambda encrypts env vars at rest with KMS by default. For in-transit/at-decrypt control, configure a custom CMK and use the in-console Encryption helpers to ship pre-encrypted ciphertext.
Browser → API Gateway with `Authorization` header gets blocked by preflight.
Add OPTIONS method (mock integration). Allow `Authorization` in `Access-Control-Allow-Headers`; allow callers in `Access-Control-Allow-Origin`.
Sign a custom HTTP request to an AWS service from non-SDK code.
Sigv4: derive signing key from secret + date + region + service; canonicalize request; sign; add `Authorization`, `X-Amz-Date`, `X-Amz-Security-Token` headers.
Assume a broad role but scope down for a specific session.
`AssumeRole` with `Policy` (inline session policy) further restricts effective permissions: intersection of role + session policy.
S3 access denied even though IAM policy allows it.
Both bucket policy and identity policy are evaluated. Explicit deny anywhere wins. Block Public Access settings can also override allow.
Build a CI/CD pipeline: source → build → test → deploy with manual prod approval.
CodePipeline stages, each with one or more actions. Manual Approval action between Test and Deploy. Source = CodeCommit / GitHub / S3 / ECR.
Define build steps for CodeBuild.
`buildspec.yml` at repo root. Phases: `install`, `pre_build`, `build`, `post_build`. Outputs: `artifacts.files`, `cache.paths`. Env vars via `env.variables` or Parameter Store/Secrets Manager refs.
Shift Lambda traffic 10% then 100% with auto-rollback on alarms.
CodeDeploy with `LambdaCanary10Percent5Minutes` / `10Percent10Minutes` / `10Percent15Minutes` / `10Percent30Minutes`. Configure CloudWatch alarms in DeploymentGroup.
Gradual Lambda rollout in equal increments.
`LambdaLinear10PercentEvery1Minute` / `2Minutes` / `3Minutes` / `10Minutes`. Each increment shifts +10% until 100%.
Blue/green deployment for an ECS service behind an ALB.
CodeDeploy Compute Platform = ECS. Creates green task set; ALB shifts listener to green target group; optional manual approval before traffic switch and before terminating blue.
Update an EC2 fleet with no full-fleet downtime.
In-place deployment with `OneAtATime` / `HalfAtATime` / `AllAtOnce` configs. Auto Scaling Group hooks pause new instance launches during deploy.
Host Git repos inside AWS with IAM-controlled access.
CodeCommit. Auth: SSH keys per IAM user, HTTPS Git credentials per IAM user, or AWS CLI credential helper. Triggers via SNS / Lambda on push.
Pick an IaC tool for a serverless app.
CDK: programming languages (TS/Python/Java/Go/.NET), full app constructs, multi-resource patterns. SAM: YAML extension of CFN, focused on serverless, simpler. Both compile to CloudFormation.
Define a Lambda + API Gateway + DynamoDB stack with minimal YAML.
`Transform: AWS::Serverless-2016-10-31`. Resources: `AWS::Serverless::Function`, `Api`, `SimpleTable`. `sam build` → `sam deploy --guided`.
Author CDK code structure.
`App` contains one or more `Stack`s. Each Stack contains constructs (L1/L2/L3). `cdk synth` → CFN template. `cdk deploy` deploys via CFN.
Pick CDK construct level.
L1 = raw CFN (`CfnXxx`). L2 = curated wrappers with safe defaults (most common). L3 = patterns combining multiple resources for full architectures (e.g. `LambdaRestApi`).
Preview changes before applying to a CloudFormation stack.
`create-change-set` → review JSON of additions/modifications/replacements → `execute-change-set`. Replacement actions cause resource recreation.
Stack update fails midway.
CloudFormation auto-rolls back unless `DisableRollback` is true. Stuck in `UPDATE_ROLLBACK_FAILED`? Use `ContinueUpdateRollback` with `ResourcesToSkip`.
Prevent accidental update of a critical resource (e.g. RDS DB) during stack updates.
Stack policy: JSON denying `Update:Replace` and `Update:Delete` on the resource's logical ID. Bypass with explicit override on a specific update.
Reuse infrastructure across stacks.
Nested stacks (`AWS::CloudFormation::Stack` with `TemplateURL`) for reuse owned by one parent. Cross-stack via Outputs + `Fn::ImportValue` for tighter coupling between separate stacks.
Inject a Parameter Store value or Secrets Manager secret into a CFN template.
`{{resolve:ssm:/path/to/param}}`, `{{resolve:ssm-secure:/path}}`, `{{resolve:secretsmanager:secret-id:SecretString:json-key}}`. Resolved at deploy time.
Pick Elastic Beanstalk deploy policy.
All-at-once (fastest, downtime), Rolling (no extra instances, partial capacity), Rolling with additional batch (no capacity loss, extra cost), Immutable (new ASG, safest), Blue/Green (separate env, swap CNAMEs).
Customize Elastic Beanstalk environment (packages, files, container commands).
`.ebextensions/*.config` YAML in source bundle. Newer platforms: `.platform/hooks/...` shell scripts for prebuild/predeploy/postdeploy lifecycle.
Need a stable, never-mutating Lambda artifact.
Publish a numbered version. Code + most config (memory, timeout, env vars, layers) freeze. `$LATEST` is mutable; numbered versions are not.
Push a Docker image to ECR for ECS / EKS / Lambda.
`aws ecr get-login-password | docker login` → `docker tag` → `docker push`. Lambda container images: image pulled once at deploy; tagged image must be in same region.
Run a one-off batch vs a long-running web service on ECS.
RunTask = single task, completes and exits. Service = maintains N desired tasks, restarts failures, integrates with ALB/NLB.
Cut compute cost for fault-tolerant ECS workloads.
Fargate Spot capacity provider. Mix with regular Fargate via weights and base. Tasks may be interrupted with 2-minute warning.
Trace a request that fans out across Lambda → DynamoDB → external HTTP.
X-Ray segments per service hop, subsegments for downstream calls. Service map visualizes topology + latency. Sampling rules cap volume.
Attach searchable vs reference data to an X-Ray trace.
Annotations: indexed, filterable in console (e.g. `customerId`, `tier`). Metadata: not indexed, free-form (request body, response body for debug).
X-Ray cost is high in production.
Custom sampling rule. Default: first 1 req/s + 5% of additional. Rules match by service / URL path / method.
Query Lambda logs for errors in the last hour, grouped by 5-min bucket.
CloudWatch Logs Insights: `fields @timestamp, @message | filter @message like /ERROR/ | stats count() by bin(5m)`.
Generate a custom metric from a log pattern (e.g. count of `OutOfMemoryError`).
Metric filter on the log group. Pattern matches log events; filter creates a custom CloudWatch metric you can alarm on.
Emit custom metrics from Lambda without a separate `PutMetricData` API call.
Embedded Metric Format: write structured JSON to stdout; CloudWatch parses logs and creates metrics. Cheaper and async.
Why: Decouples the metric path from the request path; no API latency or extra IAM permission.
App emits high-resolution custom metrics every second.
`PutMetricData` with `StorageResolution=1` for 1-second granularity. Standard resolution is 60 seconds; high-resolution costs more.
Lambda cold starts hit p99 latency targets.
Provisioned Concurrency for predictable load. SnapStart for Java/Python init-heavy code. Slim deps, use ARM/Graviton, move heavy init outside the handler.
Pick Lambda memory for best cost/latency.
Memory also scales CPU + network. Use AWS Lambda Power Tuning state machine to sweep memory and find the sweet spot for your workload.
Long Lambda invocation hits 15-minute hard limit.
Decompose into Step Functions; offload to Fargate (long-running) or Batch (HPC). Lambda max is 900 seconds; not negotiable.
`TooManyRequestsException` from Lambda; concurrency limit hit.
Reserved concurrency per function (caps + reserves) or request account-level limit increase. Async invocations queue and retry; sync invocations error.
DynamoDB returns `ProvisionedThroughputExceededException`.
CloudWatch `WriteThrottleEvents` / `ReadThrottleEvents`. Switch to On-Demand mode, increase provisioned capacity, or fix a hot partition with better key design.
One partition key gets disproportionate traffic; throttling under low aggregate load.
Redesign partition key with high cardinality. For writes: prefix with random shard (e.g. `shard#user`); for reads: scatter-gather across shards.
Need microsecond DynamoDB read latency without changing app logic.
DAX cluster + DAX SDK as drop-in for DynamoDB SDK. Reads served from in-memory cache; writes write-through to table.
Pick caching strategy for ElastiCache / DAX.
Lazy loading (cache miss → DB → populate cache): only cache requested data, but stale-prone. Write-through (write to cache + DB on every write): always fresh, but writes have extra cost. TTL bounds staleness either way.
API Gateway returns 429 Too Many Requests.
Default account-level: 10,000 req/sec + 5,000 burst. Per-stage and per-method overrides; per-key throttle via Usage Plans for partner-tier control.
Transient AWS service errors during heavy traffic.
AWS SDK retries automatically with exponential backoff + jitter. Configure `RetryMode = adaptive` or `standard`; tune `maxAttempts`.
CloudFront serves stale content after a deploy.
Invalidate paths (`/index.html`, `/*`) — billed per path beyond 1000/month free. Better: versioned filenames (`app.abc123.js`) so cache is naturally bypassed.
