The AWS Certified Developer - Associate (DVA-C02) exam validates your ability to develop, deploy, and debug cloud applications on the Amazon Web Services platform. This certification is ideal for developers with hands-on experience building AWS-based solutions who want to demonstrate their technical competency. This guide maps the exam syllabus, explains question formats, and outlines a focused preparation strategy to help you pass with confidence.
Use this topic map to guide your study for Amazon DVA-C02 (AWS Certified Developer - Associate) within the Amazon Associate, AWS Certified Developer Associate path.
The DVA-C02 exam uses multiple-choice and scenario-based questions to assess both theoretical knowledge and practical decision-making in real-world development contexts.
Questions progress in difficulty and emphasize practical application over memorization, reflecting challenges you will encounter in production environments.
An effective study plan breaks the four core domains into weekly milestones, combines hands-on labs with practice questions, and includes mock exams to build confidence and pacing. Allocate more time to domains where you have less professional experience.
Explore other Amazon certifications: view all Amazon exams.
Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to DVA-C02 and cover practical scenarios with clear explanations.
Visit the exam page to download the PDF, Online Practice Test, or get a Bundle Discount offer for both formats: AWS Certified Developer - Associate.
Development with AWS Services and Security typically account for a larger portion of the exam. However, all four domains are tested, and weak performance in any area can impact your score. Focus on understanding how services integrate and how to implement secure, production-ready code.
In practice, you write code (Development with AWS Services) that follows security best practices (Security), automate its release (Deployment), and monitor it in production (Troubleshooting and Optimization). For example, a Lambda function must authenticate requests securely, be deployed via a pipeline, and have CloudWatch alarms configured to detect failures. Understanding these connections helps you answer scenario questions correctly.
AWS recommends at least one year of hands-on experience developing applications on AWS. If you have less, prioritize building a simple project that covers all four domains: deploy a Lambda function, secure it with IAM and encryption, set up a CodePipeline for deployment, and configure CloudWatch monitoring. This practical work fills gaps that study materials alone cannot.
Misunderstanding IAM policy evaluation, confusing similar services (e.g., CodeDeploy vs. CodePipeline), overlooking encryption requirements, and misinterpreting CloudWatch metrics are frequent errors. Review AWS documentation on these topics, and pay close attention to scenario details like compliance requirements or cost constraints that hint at the correct answer.
In your last week, take two full-length timed practice tests and review all incorrect answers thoroughly. Do not attempt to learn new topics; instead, reinforce weak areas and build confidence with familiar content. Get adequate sleep before the exam, and on exam day, read questions carefully and manage your time to avoid rushing through scenario-based items.
A developer must securely access a secret during a build process in an AWS CodeBuild project that has an IAM role. The secret must remain encrypted at rest and must be passed to the buildspec.yml file without appearing in the build logs. Which solution will meet these requirements with the LEAST operational overhead?
The correct answer is A because AWS CodeBuild natively integrates with AWS Secrets Manager for securely injecting secrets into build environments. In the env section of buildspec.yml, CodeBuild supports a secrets-manager mapping that references a secret directly. This approach keeps the secret encrypted at rest in Secrets Manager, makes it available to the build only when needed, and minimizes custom retrieval logic and operational complexity.
This solution also aligns with the requirement that the secret must not appear in the build logs. AWS CodeBuild is designed to handle environment variables sourced from supported secret stores in a way that avoids exposing plaintext secret values during normal build output. By granting the minimum necessary IAM permissions to the CodeBuild service role, access to the secret is tightly controlled according to least-privilege principles.
Option B is not the best answer because storing secrets in S3 and downloading them during the build adds unnecessary operational overhead and increases the chance of accidental exposure. NoEcho is associated with CloudFormation parameters, not with securely masking S3-downloaded secrets in CodeBuild logs. Option C can also work because Parameter Store integrates with CodeBuild, but for secrets specifically, Secrets Manager is the more direct AWS-managed secret storage service and is generally preferred for this use case. Option D is less efficient because custom CLI retrieval in pre-build steps adds more code and more operational work than native integration.
Therefore, the solution with the least operational overhead and strong security is to use Secrets Manager with the buildspec.yml secrets-manager mapping, making A the correct answer.
An ecommerce company uses a set of AWS Lambda functions to process orders. The Lambda functions send logs to an Amazon CloudWatch Logs log group. The company observes timeout issues for one recently deployed processing function. The company needs to debug and identify the root cause of the timeout issue. The Lambda function is already in production. The company wants to have a live feed of filtered logs that start with the word "ERROR" to identify the root cause of the issue. The company wants to review only relevant log lines in near real time. Which solution will meet these requirements?
The correct answer is C because the requirement is for a live feed of log events in near real time, filtered to show only lines that begin with ''ERROR.'' The live tail feature for AWS Lambda and CloudWatch Logs is specifically intended for this kind of operational debugging. It allows developers to watch logs as they are generated and apply filtering so they can focus only on relevant messages during active troubleshooting.
This is particularly suitable because the function is already in production, and the company wants immediate visibility into timeout-related issues without waiting for a full batch of logs to accumulate. With live tail and a filter expression for ERROR, the developer can observe only the important log lines as new invocations happen, which speeds up root-cause analysis.
Option A is not the best answer because CloudWatch Logs Insights is powerful for querying logs, but it is primarily used for searching and analyzing logs after they have been collected, not as a continuous near-real-time live stream. Option B is incorrect because a subscription filter is used to forward logs to another destination such as Lambda, Kinesis, or Firehose; it is not the simplest way to give an operator a live interactive filtered view. A metric filter also creates metrics from log patterns but does not present the actual live log lines for review. Option D is incorrect because Amazon Athena is not used directly for querying CloudWatch Logs in real-time operational troubleshooting.
Therefore, the best solution is to use live tail with an ERROR filter to inspect relevant Lambda log events as they occur.
A developer at a company needs to send email notifications to the company's application security team each time an object is deleted from an Amazon S3 bucket named amzn-s3-demo-bucket. The developer uses Amazon EventBridge and Amazon SNS to send the notifications. The developer creates the following EventBridge rule:
{ "source": ["aws.s3"], "detail-type": [{"suffix": "Deleted"}] }
The security team reports that it receives email notifications about objects being deleted from S3 buckets other than amzn-s3-demo-bucket. The security team also receives notifications when other S3 events happen across all buckets in the company's AWS account.
The developer needs to modify the EventBridge rule to ensure that the security team receives email notifications only when an object is deleted from the amzn-s3-demo-bucket S3 bucket.
Which solution will meet this requirement?
The EventBridge rule is too broad because source: aws.s3 matches S3 events generally, and the current detail-type pattern is malformed. To receive only deletion events from the specific bucket, the rule should match the correct S3 EventBridge detail type, Object Deleted, and should scope the event to the bucket by using the bucket ARN in the resources field. The source remains aws.s3; it should not be changed to the bucket name or bucket-specific pseudo-source. Specifying SNS in the event pattern is also wrong because SNS is the target, not the event source. AWS S3 EventBridge documentation describes S3 object deletion events and using EventBridge rules for specific bucket notifications. (AWS Documentation)
===============
A developer is building an event-driven application that uses AWS Lambda functions and an Amazon SQS queue to handle Amazon S3 events and to perform additional processing. A parsing Lambda function implements business logic to parse each S3 event. The parsing function sends events on to an SQS queue. A processing Lambda function retrieves messages from the SQS queue and processes them.
During an isolated test, the developer observes that both Lambda functions work as expected for mock test events. However, when the test presents production S3 events to the functions, the developer observes that the number of messages in the SQS queue increases. The developer does not find any Amazon CloudWatch logs for the processing Lambda function when the processing function is presented with production S3 events. The developer does find logs for test events.
The developer must resolve these issues and ensure that the Lambda functions process production S3 events correctly.
Which solution will meet these requirements?
The symptoms point to a missing event source mapping between Amazon SQS and the processing Lambda function. The parsing function successfully sends messages to SQS (the queue depth increases), but the processing function is not running for production events---evidenced by no CloudWatch logs during those runs. If Lambda is not being invoked, it will not generate any logs. In an SQS-based architecture, Lambda does not ''pull'' messages from a queue unless the queue is configured as a Lambda trigger (an event source mapping). The event source mapping tells Lambda to poll the queue, batch messages, and invoke the function with those messages.
In isolated tests, the developer likely invoked the processing function manually with mock events (for example, via the Lambda console or sam local invoke), which would create logs. But in production, because the function is supposed to be driven by SQS, it must have an SQS trigger configured; otherwise, messages will accumulate indefinitely and the function will never execute.
Option C (grant permissions) is necessary in many cases, but it does not explain the absence of logs and growing queue depth by itself if the trigger is missing. With the standard SQSLambda integration, Lambda's service polls the queue using the function's execution role permissions (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, etc.), but the polling does not occur without the event source mapping. Option D is not the root cause because the function isn't being invoked; and if it were invoked, AWS-managed logging typically works unless the execution role lacks logging permissions. Option B is incorrect because the parsing function is not supposed to be triggered by SQS; it produces messages to SQS.
Therefore, configuring the SQS queue as a trigger for the processing Lambda function (A) resolves the issue and ensures production S3 events flow through parsing to SQS and then into processing automatically.
A banking company is building an application for users to create accounts, view balances, and review recent transactions. The company integrated an Amazon API Gateway REST API with AWS Lambda functions. The company wants to deploy a new version of a Lambda function that gives customers the ability to view their balances. The new version of the function displays customer transaction insights. The company wants to test the new version with a small group of users before deciding whether to make the feature available for all users. Which solution will meet these requirements with the LEAST disruption to users?
API Gateway's canary deployments allow gradual traffic shifting to a new version of a function, minimizing disruption while testing.
Why Option A is Correct:
Gradual Rollout: Reduces risk by incrementally increasing traffic.
Rollback Support: Canary deployments make it easy to revert to the previous version.
Why Not Other Options:
Option B: Redeploying the stage disrupts all users.
Option C & D: Managing new stages and weighted routing introduces unnecessary complexity.
Canary Deployments in API Gateway