AWS Certified Developer - Associate cheat sheet
Amazon Web Services
Free to share. Examworthy is not affiliated with or endorsed by Amazon Web Services; DVA-C02 and related marks belong to their respective owners.
At a glance
Format: Multiple choice and multiple response
Domain weight map
Heaviest first - spend your time here
How this exam thinks
DVA-C02 is a build-it-correctly exam: almost every question is a developer scenario where the right answer is the AWS service, API behaviour, or configuration that satisfies the stated requirement - idempotency, ordering, least privilege, latency, or a safe deploy - with the least operational overhead.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
A single shared Amazon SQS standard queue lets three consumers each receive every message published to it.
Why it fails
A standard SQS queue delivers each message to only one consumer, which then deletes it. Multiple pollers compete for messages rather than each getting a copy. To give every consumer every event you need SNS fan-out, where each subscriber receives its own copy.
Development with AWS Services
Tempting but wrong
An Amazon Cognito identity pool provides hosted sign-up and sign-in screens and stores each user's profile and password.
Why it fails
An identity pool only exchanges an existing authenticated identity for temporary AWS credentials. It stores no user profiles or passwords and offers no sign-up directory. Managed sign-up, sign-in, and password storage come from a Cognito user pool instead.
Security
Tempting but wrong
Uploading a .zip directly through the Lambda console accepts artifacts of any unzipped size without extra steps.
Why it fails
A direct console .zip upload is capped at 50 MB zipped, and zip packages have a 250 MB unzipped limit shared by the function and layers. A 900 MB dependency set far exceeds this, so it cannot be deployed as a console zip upload and needs a container image instead.
Deployment
Tempting but wrong
A CloudWatch Logs metric filter on an ERROR pattern can return the requestId values of the failing requests.
Why it fails
A metric filter only emits a numeric count to a CloudWatch metric. It tells you how many errors occurred, not which requests failed, because it cannot return field values such as requestId. Use CloudWatch Logs Insights to retrieve and project individual field values.
Troubleshooting and Optimization
Tempting but wrong
You can subscribe a consumer to an Amazon SNS topic by having it long poll the topic for messages.
Why it fails
Amazon SNS is push-based and cannot be polled. Consumers that need to pull messages must subscribe an SQS queue to the topic and poll that queue instead. Polling the topic directly is not possible and would lose the buffering the queues provide.
Development with AWS Services
Tempting but wrong
You should create one AWS IAM user per application end user to manage their sign-in and password resets.
Why it fails
IAM users are designed for workforce and service access, not large fluctuating end-user populations. AWS advises against an IAM user per application user. Use an Amazon Cognito user pool to manage end-user sign-in and password resets at scale.
Security
Tempting but wrong
Storing the .zip in Amazon S3 and pointing Lambda at the object raises the unzipped size limit enough for a 900 MB dependency set.
Why it fails
Loading the zip from S3 raises the allowed upload size, but the unzipped code plus layers still cannot exceed 250 MB. A 900 MB payload remains over the zip format limit regardless of where the archive is stored, so a container image is required.
Deployment
Tempting but wrong
A CloudWatch Logs subscription filter to Amazon Kinesis Data Firehose is the right way to gather ERROR requestIds for a one-hour investigation.
Why it fails
A subscription filter is built for continuous streaming delivery to another service, adding a Firehose plus storage hop. That is far heavier than needed for an ad hoc one-hour lookup. A CloudWatch Logs Insights query reads the log group in place with no extra infrastructure.
Troubleshooting and Optimization
Key terms
Exam-day rules
- Read the scenario for its requirement first - ordering, idempotency, least privilege, latency, no-downtime deploy - then choose the option built for it. The requirement, not the service's popularity, decides the answer.
- When two answers both work, pick the managed, least-operational-overhead one unless the scenario names a reason to go lower-level. An assumed role beats a stored key; a conditional write beats a read-then-write lock; an alias beats a redeploy.
- Treat any answer with a long-lived access key, a wildcard IAM policy, or the root user as the trap. Application identity is almost always an IAM role assumed with AWS STS.
- On DynamoDB questions, check the access pattern: if you know the key, it is a query, not a scan; a filter expression does not cut a scan's read cost; pick a GSI for a new key and an LSI for an alternate sort on the same key.
- Capitalise and obey negative words in stems (NOT, EXCEPT, LEAST). On multiple-response questions, the exam tells you how many to choose - select exactly that many.
Revision schedule
- Day 1: Map the four domains to your real experience
- Week 1: Drill the core build services until the APIs are reflexive
- Week 2: Learn identity, encryption, and secrets as decision rules
- Week 3: Build and ship with the deployment tooling
- Week 4: Instrument, trace, and tune