The AWS Certified Developer - Associate (DVA-C02) is frequently underestimated. Candidates expect a coding exam and are surprised by how much of it covers deployment, monitoring, security, and AWS-specific developer services. This exam tests practical development knowledge — not just knowing what services exist, but understanding how to use them correctly in application code and CI/CD pipelines.
This guide focuses on what the exam actually tests, where candidates typically struggle, and how to allocate your study time.
Exam Overview
The DVA-C02 exam contains 65 questions (50 scored, 15 unscored) with a 130-minute time limit. The passing score is 720 out of 1000. It includes multiple choice and multiple response questions.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Development with AWS Services | 32% |
| Domain 2: Security | 26% |
| Domain 3: Deployment | 24% |
| Domain 4: Troubleshooting and Optimization | 18% |
Domain 1: Development with AWS Services (32%)
This domain tests whether you can build applications that use AWS services correctly from code. It covers Lambda, API Gateway, DynamoDB, SQS, SNS, and other developer-facing services.
AWS Lambda
Lambda is the most heavily tested service on this exam. You need to know it in depth.
Execution model:
- Lambda functions execute up to 15 minutes
- Memory: 128 MB to 10,240 MB; CPU scales proportionally with memory
- Concurrency: 1,000 concurrent executions per region by default (soft limit)
- Cold start: occurs when a new execution environment is initialized; reduced with Provisioned Concurrency
Event sources (triggers):
| Trigger | Invocation Model |
|---|---|
| API Gateway | Synchronous |
| ALB | Synchronous |
| S3 events | Asynchronous |
| SNS | Asynchronous |
| SQS | Polling (batch) |
| DynamoDB Streams | Polling (batch) |
| EventBridge | Asynchronous |
Understanding synchronous vs. asynchronous invocation matters for error handling. Synchronous invocations return errors to the caller. Asynchronous invocations send failures to a Dead Letter Queue (DLQ) or EventBridge.
Lambda versions and aliases:
- Versions are immutable snapshots of function code and configuration
- Aliases are mutable pointers to specific versions
- Traffic shifting: configure an alias to route a percentage of traffic to two versions (useful for canary deployments)
DynamoDB
DynamoDB is the second most tested service on DVA-C02.
Data model:
- Table: top-level container
- Item: equivalent to a row; up to 400 KB
- Attributes: key-value pairs within an item
- Partition key (required): determines the partition where the item is stored
- Sort key (optional): enables range queries within a partition
Read/write capacity modes:
- Provisioned mode: specify read capacity units (RCUs) and write capacity units (WCUs); supports Auto Scaling
- On-demand mode: pay per request; use when traffic is unpredictable
Read types:
- Eventually consistent read: default; may return stale data for up to ~1 second
- Strongly consistent read: always returns the most recent data; costs 2x RCUs
Common operations:
GetItem — retrieve a single item by primary key
PutItem — create or replace an item
UpdateItem — modify specific attributes; supports conditional updates
Query — retrieve items sharing a partition key, optionally filtered by sort key range
Scan — reads every item in a table; expensive, avoid at scale
Global Secondary Indexes (GSIs): Allow queries on non-primary key attributes. Have their own provisioned capacity and can be added after table creation.
DynamoDB Streams: Captures item-level changes in near real time. Consumed by Lambda for event-driven processing.
API Gateway
- REST API and HTTP API are the two main types
- HTTP API: lower cost, lower latency, fewer features
- REST API: more features including usage plans, API keys, request/response transformation
- Integration types: Lambda, HTTP backend, AWS service, mock
- Stages allow deployment of different versions (dev, staging, prod)
- Caching can be enabled per stage to reduce backend calls
SQS Message Patterns
Key concepts the exam tests:
- Visibility timeout: How long a message is hidden after being received. If processing fails and the timeout expires, the message becomes visible again for reprocessing
- Message retention: 1 minute to 14 days (default 4 days)
- Long polling: Wait up to 20 seconds for a message, reducing empty responses and API costs
- Dead-letter queue (DLQ): Receives messages that exceed the maximum receive count
Domain 2: Security (26%)
Security questions for developers focus on credential management, encryption, and authorizing access to AWS services from code.
IAM Roles for Applications
Applications running on AWS services should use IAM roles, not access keys. The correct patterns:
- EC2: Attach an instance profile (role) to the instance; credentials are automatically available via the metadata service
- Lambda: Assign an execution role; Lambda assumes it when the function runs
- ECS/EKS: Assign task roles to containers
The SDK automatically retrieves credentials from the instance metadata service. Never hardcode credentials in application code.
AWS STS and Temporary Credentials
AWS Security Token Service (STS) issues temporary credentials:
AssumeRole: Used for cross-account access or assuming a different role within the same accountAssumeRoleWithWebIdentity: Used for federating with web identity providers (Google, Facebook, Amazon Cognito)GetSessionToken: Used for MFA-based temporary credentials
Amazon Cognito
Cognito is heavily tested for user authentication and authorization.
- User Pools: User directory; handles sign-up, sign-in, MFA, and returns JWT tokens
- Identity Pools (Federated Identities): Exchanges third-party tokens (from User Pools, Google, SAML) for AWS temporary credentials via STS
A common exam pattern: "Mobile app users need to access S3 and DynamoDB directly without going through a backend." The answer uses Cognito Identity Pools to issue temporary AWS credentials.
KMS and Envelope Encryption
The exam tests how envelope encryption works:
- A data key is generated by KMS using a Customer Master Key (CMK)
- The data key encrypts the application data locally (never sent to KMS)
- The encrypted data key is stored alongside the encrypted data
- To decrypt: call KMS to decrypt the data key, then use it to decrypt the data
This pattern allows encrypting large amounts of data without transmitting all data to KMS.
Domain 3: Deployment (24%)
Deployment questions cover CI/CD pipelines, Elastic Beanstalk, CodeDeploy, and container deployment patterns.
AWS CI/CD Services
| Service | Purpose |
|---|---|
| AWS CodeCommit | Managed Git repository |
| AWS CodeBuild | Managed build service; runs buildspec.yml |
| AWS CodeDeploy | Automates application deployments to EC2, Lambda, ECS |
| AWS CodePipeline | Orchestrates CI/CD stages (Source, Build, Test, Deploy) |
buildspec.yml structure:
version: 0.2
phases:
install:
commands:
- npm install
build:
commands:
- npm run build
post_build:
commands:
- echo Build completed
artifacts:
files:
- '**/*'
CodeDeploy Deployment Types
- In-place: Updates the existing instances; causes downtime during deployment
- Blue/green: New instances are provisioned and traffic is shifted after validation; safer for production
For Lambda and ECS, CodeDeploy supports traffic shifting strategies:
- Canary: Shift a small percentage first (e.g., 10%), wait, then shift the rest
- Linear: Shift traffic in equal increments over time
- All-at-once: Shift all traffic immediately
Elastic Beanstalk
Elastic Beanstalk abstracts infrastructure management. Key deployment policies:
- All at once: Fastest, causes downtime
- Rolling: Deploys in batches, brief capacity reduction
- Rolling with additional batch: Launches extra instances before deploying; no capacity reduction
- Immutable: Deploys to new instances; safest, most expensive
- Blue/green: Uses DNS swap (Route 53 CNAME swap); not a native Beanstalk policy but achievable via swap environment URLs
Domain 4: Troubleshooting and Optimization (18%)
This domain tests observability and performance tuning for applications on AWS.
CloudWatch
- Metrics: Numerical data points over time. EC2 standard metrics update every 5 minutes; detailed monitoring every 1 minute (additional cost)
- Logs: Application log data; requires the CloudWatch Logs agent or Lambda to send logs
- Log Groups and Log Streams: Log group per application; log stream per instance or function invocation
- Metric Filters: Extract metric data from log entries (e.g., count occurrences of "ERROR")
- CloudWatch Alarms: Trigger SNS notifications or Auto Scaling actions based on metric thresholds
AWS X-Ray
X-Ray provides distributed tracing for applications:
- Traces requests as they travel through services
- Segments represent work done by a service; subsegments represent downstream calls
- The X-Ray SDK must be added to application code to instrument it
- Sampling rules control what percentage of requests are traced
X-Ray is the answer when the exam asks about tracing latency, identifying bottlenecks, or debugging microservice performance.
Lambda Performance Optimization
- Increase memory to increase CPU allocation and reduce execution time
- Use Provisioned Concurrency to eliminate cold starts for latency-sensitive functions
- Store SDK clients and database connections outside the handler function (in the initialization code) so they are reused across invocations
- Use Lambda Layers to share common libraries across functions without packaging them into every deployment artifact
"The Developer Associate exam tests whether you know how to build real applications on AWS, not just which services exist. Lambda invocation models, DynamoDB access patterns, and CI/CD pipeline structure are the areas that separate candidates who pass from those who need a second attempt." — Stephane Maarek, AWS Community Hero and author of top-rated DVA-C02 Udemy course with over 700,000 students
What to Skip
The DVA-C02 does not test:
- Specific programming language syntax or SDK method signatures in detail
- Low-level EC2 networking configuration
- CloudFormation template structure beyond basic resource declarations
- Deep Route 53 routing policy configuration
Study Timeline
Recommended: 5-7 weeks for developers with some AWS experience.
| Week | Focus |
|---|---|
| 1 | Lambda, API Gateway, DynamoDB data model |
| 2 | IAM roles, Cognito, KMS, STS |
| 3 | SQS, SNS, EventBridge, Kinesis basics |
| 4 | CI/CD: CodePipeline, CodeBuild, CodeDeploy, Elastic Beanstalk |
| 5 | CloudWatch, X-Ray, troubleshooting patterns |
| 6-7 | Practice exams, review missed topics |
Hands-on experience with Lambda, DynamoDB, and the CI/CD services significantly reduces study time. Build a small end-to-end application using these services.
See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios
References
- AWS. "AWS Certified Developer - Associate Exam Guide (DVA-C02)." https://d1.awsstatic.com/training-and-certification/docs-dev-associate/AWS-Certified-Developer-Associate_Exam-Guide.pdf
- AWS. "AWS Lambda Developer Guide." https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
- AWS. "Amazon DynamoDB Developer Guide." https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html
- AWS. "AWS Security Token Service Documentation." https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
- AWS. "Amazon Cognito Developer Guide." https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
- Faye Ellis. "Ultimate AWS Certified Developer Associate DVA-C02." Udemy, 2023.
- AWS. "AWS X-Ray Developer Guide." https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html
- AWS. "AWS CodeDeploy User Guide." https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html
Frequently Asked Questions
What is the biggest difference between the DVA-C02 and SAA-C03 exams?
DVA-C02 focuses on developer tools, code integration patterns, CI/CD pipelines, and application-level services like Lambda, DynamoDB, API Gateway, and Cognito. SAA-C03 focuses on architecture design, networking, and broad service selection.
What is the DynamoDB visibility timeout and why does it matter?
Visibility timeout is an SQS concept, not DynamoDB. In SQS, it controls how long a received message is hidden from other consumers. If processing fails before the timeout expires, the message reappears in the queue for retry.
How does envelope encryption work in AWS?
KMS generates a data key using a CMK. The data key encrypts the actual data locally. The encrypted data key is stored with the ciphertext. To decrypt, KMS decrypts the data key, which then decrypts the data. KMS never sees the plaintext data.
What is the difference between Cognito User Pools and Identity Pools?
User Pools handle user authentication and return JWT tokens. Identity Pools exchange those tokens (or tokens from other identity providers) for temporary AWS credentials via STS, allowing direct access to AWS services.
What CodeDeploy deployment type supports traffic shifting for Lambda?
CodeDeploy supports Canary (shift a small percentage first, then the rest after a waiting period), Linear (shift in equal increments), and All-at-once for Lambda deployments. Blue/green is supported for EC2 and ECS.