AWS CERTIFIED DEVELOPER – ASSOCIATE (DVA-C02) CERTIFICATION, Exams of Web Application Development

AWS CERTIFIED DEVELOPER – ASSOCIATE (DVA-C02) CERTIFICATION EACH QUESTION INCLUDES THE CORRECT ANSWER AND A DETAILED RATIONALE

Typology: Exams

2025/2026

Available from 05/16/2026

best-tutor-Jones
AWS CERTIFIED DEVELOPER
ASSOCIATE (DVA-C02) CERTIFICATION
EACH QUESTION INCLUDES THE CORRECT ANSWER AND
A DETAILED RATIONALE
Exam Domain 1: Code Development (Questions 1-25)
1. A developer is writing a Lambda function that needs to store temporary data
that is accessed frequently during the function's execution. The data does not
need to persist after the function terminates. Where should the developer store
this data?
A) Amazon S3
B) Amazon EFS
C) /tmp directory
D) Amazon RDS
Answer: C
*The /tmp directory provides ephemeral storage (512 MB to 10 GB) that is unique to
each Lambda instance. It is the ideal location for temporary, short-term data. S3, EFS,
and RDS are persistent storage solutions.*
2. A company uses AWS CodeCommit to host a private Git repository. A developer
needs to authenticate to push code from their local machine using the AWS CLI.
Which authentication method is recommended?
A) The Git username and password stored in IAM
B) An SSH key pair associated with the IAM user
C) An IAM access key ID and secret access key
D) A Git credential helper with an HTTPS Git password
Answer: D
The AWS CLI credential helper generates a temporary, Git-specific password when used
with git config --global credential.helper '!aws codecommit credential-helper $@'.
This is more secure than using static IAM user credentials directly in Git commands. SSH
keys (B) are also valid but not the CLI-based method described.
3. A developer is designing a serverless application using AWS Lambda. The
function must access a private Amazon RDS database in a VPC. What is the

MINIMUM set of actions required to allow this?
A) Place the Lambda function in the public subnet with an Internet Gateway.
B) Place the Lambda function in the VPC, configure the function to use the VPC, and ensure the execution role has permissions to describe Elastic Network Interfaces (ENIs).
C) Place the Lambda function in the VPC and set the RDS security group to allow traffic from 0.0.0.0/0.
D) Enable VPC peering between the Lambda service and the VPC.
Answer: B
When a Lambda function is configured to access a VPC, it creates ENIs in the VPC subnets. The execution role must have the ec2:CreateNetworkInterface and ec2:DescribeNetworkInterfaces permissions. The function should be placed in private subnets with a NAT gateway or VPC endpoints for internet access if needed, but the minimal requirement is the ENI permissions.
4. Which of the following is a best practice for managing secrets (e.g., database passwords, API keys) in AWS Lambda?
A) Store them as plain text in the Lambda environment variables.
B) Hardcode them directly in the function code.
C) Store them in AWS Systems Manager Parameter Store (SecureString) or AWS Secrets Manager and retrieve them during function initialization.
D) Store them in an Amazon S3 bucket with a bucket policy restricting access to the Lambda role.
Answer: C
SecureString parameters in Parameter Store or Secrets Manager provide encryption using AWS KMS. Retrieving them outside the handler (during initialization) allows for reuse across invocations, reducing latency and cost. Environment variables can be encrypted at rest, but storing them unencrypted (A) is a security risk.
5. A developer needs to update an item in an Amazon DynamoDB table. The update should only succeed if the item currently has a specific version number to prevent overwriting changes made by another process. Which DynamoDB operation should the developer use?
A) UpdateItem with a condition expression
B) PutItem with a condition expression
C) BatchWriteItem
D) TransactWriteItems
Answer: A
UpdateItem supports condition expressions. To implement optimistic locking, the condition

distributed requests, CloudWatch is the primary tool for monitoring function performance and logs.
9. A developer needs to configure an Amazon S3 bucket to host a static website. The bucket contains HTML, CSS, and JavaScript files. What must be enabled for the website to be publicly accessible?
A) Object ACLs set to public-read for all objects
B) A bucket policy that allows public read access
C) S3 Block Public Access turned off globally
D) Versioning enabled on the bucket
Answer: B
To allow public access to static website content, a bucket policy must explicitly grant s3:GetObject permission to Principal: "*". While ACLs (A) are legacy, a bucket policy is the modern standard. S3 Block Public Access (C) must not be blocking the policy, but enabling it (turning it off) is not a configuration setting for public access—it removes the block.
10. A developer is using AWS CodeBuild. The build requires a dependency that is not available in the standard AWS CodeBuild managed images. What is the MOST efficient way to include this dependency?
A) Install the dependency manually in the buildspec.yml install phase.
B) Create a custom Docker image with the dependency pre-installed and specify it in the build project.
C) Use an Amazon S3 bucket to download the dependency every time the build runs.
D) Ask AWS Support to add the dependency to the managed image.
Answer: B
Creating a custom Docker image is the most efficient and reliable method for persistent custom dependencies. Installing manually (A) works but adds build time overhead. Managed images are standardized and not customized per customer request (D).
11. A developer is implementing an Amazon API Gateway REST API with a Lambda proxy integration. What is the responsibility of the Lambda function in this setup?
A) To return an HTTP response in a specific format that API Gateway can parse.
B) To manage the API keys and usage plans.
C) To handle request throttling.
D) To manage the SSL certificates for the API.
Answer: A
With proxy integration, API Gateway passes the entire request (headers, path, body) to Lambda. Lambda must return a response formatted with a specific structure: statusCode, headers, and body. API Gateway manages keys, throttling, and SSL.

12. A company stores configuration files in an Amazon S3 bucket. The developer wants to invalidate cached files in Amazon CloudFront after updating these files. What is the simplest way to achieve this?
A) Wait for the Time To Live (TTL) to expire.
B) Create a new CloudFront distribution.
C) Create an invalidation path for the specific files in CloudFront.
D) Update the S3 bucket policy to force a refresh.
Answer: C
CloudFront invalidations allow developers to explicitly remove objects from edge caches before their TTL expires. This is the simplest method to ensure new content is served immediately after an update.
13. A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires a specific Amazon RDS database. How should the developer manage the database lifecycle to ensure the database is not deleted when the environment is terminated?
A) Create the RDS database inside the Elastic Beanstalk environment using the console.
B) Create the RDS database outside of Elastic Beanstalk and pass the connection string via environment properties.
C) Use the db.snapshot configuration option in the .ebextensions folder.
D) Create the RDS database with a termination protection flag enabled.
Answer: B
Creating a database within Elastic Beanstalk couples the database lifecycle to the environment. If the environment is terminated, the database is deleted. The best practice is to create the database externally and provide the connection string to the application via environment variables.
14. Which of the following is a characteristic of Amazon SQS FIFO queues compared to Standard queues?
A) Higher throughput (unlimited transactions per second)
B) Exactly-once processing and first-in, first-out delivery
C) Lower cost per request
D) Automatic retries for failed messages without a dead-letter queue
Answer: B
FIFO queues guarantee that messages are processed exactly once, in the order they are sent. Standard queues offer "at-least-once" delivery and best-effort ordering. FIFO has

18. A developer has a Lambda function that processes CSV files uploaded to S3. The function fails intermittently with a timeout error. The function is configured with a 3-minute timeout. What should the developer do FIRST?
A) Increase the memory allocation of the Lambda function.
B) Increase the timeout to 5 minutes.
C) Review the CloudWatch Logs to analyze the execution timeline.
D) Convert the function to a container-based deployment.
Answer: C
Before changing configurations, the developer should review the logs to understand why the function is timing out. Is the code stuck? Is it waiting on a network call? Increasing timeout (B) or memory (A) might solve it, but analyzing the root cause first is the correct troubleshooting step.
19. In AWS CodeDeploy, what is the purpose of the appspec.yml file?
A) To define the IAM roles for the deployment.
B) To specify how to map source files to destination paths on the instance and define lifecycle hooks.
C) To define the Auto Scaling group configuration.
D) To store the environment variables for the application.
Answer: B
The appspec.yml file is the configuration file for CodeDeploy. It tells CodeDeploy which files to copy from the revision to the instance (files section) and which scripts to run during deployment lifecycle events (hooks section).
20. A developer needs to generate a pre-signed URL to allow a user to upload a file directly to S3. Which AWS SDK method should be used?
A) B) C) D)
s3.generatePresignedPost() s3.createMultipartUpload() s3.putObjectAcl() s3.getPresignedUrl()
Answer: B
For browser-based uploads, generatePresignedPost (or createPresignedPost in SDK v3) returns a URL and required form fields for a POST upload. For GET requests, getPresignedUrl is used. For uploads, generatePresignedPost is the correct method for form-based uploads.
21. A developer is using Amazon Cognito User Pools for authentication. The application needs to retrieve the user's profile attributes (e.g., email, phone number) after login. Which token contains this information?
A) Access Token
B) ID Token
C) Refresh Token
D) Authorization Code
Answer: B
The ID Token is a JWT that contains claims about the authenticated user, including profile attributes. The Access Token is used to authorize API calls to Cognito or other AWS services, but does not contain user attributes by default.
22. Which of the following MUST be configured to enable AWS X-Ray tracing for a Lambda function?
A) The X-Ray daemon must be running in the Lambda environment.
B) The function's execution role must have permissions to upload trace data to X-Ray.
C) The function must be deployed in a VPC.
D) The function must be invoked by an API Gateway endpoint.
Answer: B
The execution role must include a policy allowing xray:PutTraceSegments and xray:PutTelemetryRecords. Lambda does not require a separate daemon; the runtime handles it. Tracing is optional and not dependent on VPC or API Gateway.
23. A developer is designing an application that uses SQS for decoupling. The application must ensure that messages are processed in order for a specific user ID, but not strictly across the entire queue. What is the optimal solution?
A) Use a standard queue with message timers.
B) Use a FIFO queue with the user ID as the Message Group ID.
C) Use a FIFO queue with the user ID as the Message Deduplication ID.
D) Use a standard queue with a dead-letter queue.
Answer: B
FIFO queues allow ordered processing based on the Message Group ID. If multiple Message Group IDs are used, messages with the same Group ID are processed in order, but messages with different Group IDs can be processed in parallel.
24. A developer needs to update an application deployed on EC2 behind a load balancer. They want to ensure zero downtime by spinning up new instances with the new version, waiting for them to be healthy, and then terminating the old instances. Which deployment method should they use?
A) In-place deployment
B) Rolling deployment

27. A developer needs to automate the creation of an S3 bucket, a DynamoDB table, and an IAM role. Which AWS service is best suited for this infrastructure orchestration?
A) AWS OpsWorks
B) AWS CloudFormation
C) AWS Elastic Beanstalk
D) AWS CodeDeploy
Answer: B
CloudFormation is Infrastructure as Code (IaC) that allows developers to define and provision AWS resources declaratively using templates. Elastic Beanstalk (C) is for application platforms (PaaS), not arbitrary resources.
28. A developer is using AWS SAM (Serverless Application Model) to define a serverless application. Which file is required to define the Lambda functions, APIs, and DynamoDB tables in a SAM template?
A) buildspec.yml
B) appspec.yml
C) template.yml (or template.yaml)
D) samconfig.yml
Answer: C
The SAM template (template.yaml or template.yml) extends CloudFormation with resource types like AWS::Serverless::Function and AWS::Serverless::Api. samconfig.yml (D) stores deployment configuration parameters.
29. A company has a monolithic application running on Elastic Beanstalk. The developer wants to refactor it into microservices. Which AWS service allows developers to run containerized applications without managing the underlying EC2 instances?
A) Amazon ECS with Fargate launch type
B) Amazon ECS with EC2 launch type
C) Amazon EC2 Auto Scaling
D) AWS Lambda
Answer: A
Fargate is a serverless compute engine for containers. It allows developers to run containers without provisioning or managing EC2 instances. ECS with EC2 (B) requires managing the cluster of instances.
30. A developer is deploying a revision using CodeDeploy to an Auto Scaling group. The deployment fails because the instances in the Auto Scaling group are being terminated and replaced by the Auto Scaling group due to health checks during the deployment. How can this be prevented?
A) Suspend the ReplaceUnhealthy process in the Auto Scaling group before deployment and resume after.
B) Increase the cooldown period of the Auto Scaling group.
C) Use a rolling update policy in CloudFormation instead of CodeDeploy.
D) Disable termination protection on the instances.
Answer: A
Auto Scaling groups have processes like ReplaceUnhealthy and AZRebalance. During deployment, suspending these processes prevents the Auto Scaling group from interfering with the instances that CodeDeploy is actively working on. After deployment, processes are resumed.
31. A developer wants to validate that their AWS SAM template is syntactically correct before deploying. Which command should they use?
A) B) C) D)
sam deploy sam validate sam package sam build
Answer: C
sam validate checks the SAM template for syntax errors and compliance with the SAM specification. sam build (D) processes the template and dependencies, but sam validate is specifically for syntax checking.
32. An application running on EC2 instances behind an Application Load Balancer (ALB) needs to support WebSocket connections. Which deployment strategy is the safest to ensure existing WebSocket connections are not abruptly terminated?
A) Blue/Green deployment with new instances and a new ALB.
B) Rolling deployment with connection draining enabled.
C) In-place deployment with instance reboots.
D) Canary deployment shifting 10% of traffic.
Answer: B
Connection draining (deregistration delay) allows the ALB to stop sending new requests to instances that are being deregistered while allowing existing connections (including WebSockets) to finish or gracefully close. Rolling updates respect this mechanism if configured correctly.
33. A developer has a Docker image stored in Amazon ECR. They want to deploy this image to AWS Lambda. What must the developer do to ensure Lambda can

B) CAPABILITY_NAMED_IAM
C) CAPABILITY_AUTO_EXPAND
D) CAPABILITY_RESOURCE_POLICY
Answer: A
CAPABILITY_IAM is required when a stack creates IAM resources (users, roles, policies) to acknowledge that the stack creator is granting permissions. CAPABILITY_NAMED_IAM (B) is a subset for resources with custom names.
37. A developer is deploying a Lambda function using the AWS CLI. They want to update the function code without changing the configuration. Which command should they use?
A) B) C) D)
aws lambda update-function-code aws lambda update-function-configuration aws lambda create-function aws lambda publish-version
Answer: B
update-function-code updates the code of an existing Lambda function. update-function-configuration (C) updates settings like memory, timeout, and environment variables.
38. A developer needs to deploy an application that runs on EC2 instances. The application requires specific software (e.g., Node.js, Docker) to be installed on the instance at launch. What is the best way to automate this?
A) Manually SSH into the instance and install the software.
B) Use an EC2 User Data script to install the software on launch.
C) Use a CodeDeploy hook to install software after deployment.
D) Bake an Amazon Machine Image (AMI) with the software pre-installed.
Answer: D
Baking an AMI (creating a golden image) is the best practice for EC2 deployments as it reduces launch time and eliminates configuration drift. User Data scripts (B) work but add startup time and potential failure points.
39. A developer is using AWS CodeBuild. The build process needs to access a private repository in GitHub. How should the developer authenticate?
A) Store the GitHub password in the CodeBuild environment variables.
B) Use a GitHub personal access token stored in AWS Secrets Manager and retrieved during the build.
C) Use the default CodeBuild service role to access GitHub.
D) Add the CodeBuild IAM role as a collaborator in GitHub.

Answer: B
CodeBuild does not have a built-in IAM integration with GitHub for source access. The best practice is to store the access token in Secrets Manager and reference it in the buildspec or use the OAuth integration in the CodeBuild project configuration.
40. A developer wants to deploy a revision to an EC2 Auto Scaling group using CodeDeploy. The deployment fails because the appspec.yml file is not found. Where should the file be located in the revision?
A) In the root of the revision bundle.
B) In a folder named deployment-scripts.
C) In the /etc/codedeploy/ directory on the instance.
D) In an S3 bucket separate from the revision.
Answer: A
CodeDeploy expects the appspec.yml file to be located at the root of the application revision (ZIP or TAR archive).
41. A developer is moving from a monolithic application to a microservices architecture using containers. They want to orchestrate the containers, manage service discovery, and handle rolling updates. Which AWS service is best suited for this?
A) AWS Batch
B) Amazon ECS with Service Auto Scaling
C) AWS Lambda
D) Amazon Lightsail
Answer: B
Amazon ECS (Elastic Container Service) is a container orchestration service that manages clusters, service discovery (via Cloud Map or load balancers), and deployment strategies (rolling updates).
42. A developer uses the AWS Serverless Application Model (SAM) CLI to package a serverless application. What does the sam package command do?
A) It deploys the application to AWS.
B) It uploads the local artifacts (code) to S3 and generates a transformed CloudFormation template.
C) It runs unit tests against the Lambda functions.
D) It creates a Docker container image for the Lambda function.
Answer: B
sam package (or sam deploy --guided, which does it internally) uploads the code artifacts to

46. A developer needs to roll back a failed CloudFormation stack creation. Which CloudFormation feature allows automatic rollback on failure?
A) Stack Policies
B) Termination Protection
C) Rollback Configuration (default behavior)
D) Change Sets
Answer: C
By default, CloudFormation rolls back the stack (deletes any resources created) if the stack creation fails. This is the default rollback configuration. For updates, you can configure a rollback trigger.
47. A developer is deploying a containerized application to Amazon ECS. The application requires a persistent storage volume that persists beyond the lifecycle of the container. Which storage option should be used?
A) Amazon EFS
B) Docker volumes stored on the EC2 instance (bind mounts)
C) Amazon S3
D) Amazon EBS snapshots
Answer: A
Amazon EFS is a shared, persistent file system that can be mounted to multiple ECS tasks (Fargate or EC2). It persists independently of the container lifecycles. Bind mounts (B) die with the instance or container.
48. Which AWS service allows developers to manage the release of features to users using A/B testing with traffic splitting?
A) AWS CloudTrail
B) AWS AppConfig
C) AWS CodeDeploy
D) Amazon Route 53
Answer: B
AWS AppConfig (a feature of Systems Manager) allows developers to deploy application configuration and feature flags. It supports controlled deployments with traffic splitting, monitors, and automatic rollbacks.
49. A developer is using CodeBuild and needs to cache dependencies to speed up build times. Which of the following can be cached?
A) The Docker daemon
B) The S3 bucket source code
C) Custom directories defined in the buildspec.yml
D) The CodeBuild runtime environment
Answer: C
The cache section of CodeBuild allows caching of custom paths (e.g., node_modules, ~/.m2) to S3. The cache is stored in an S3 bucket and restored in subsequent builds.
50. A developer wants to deploy a new version of an application but only to a single instance in the Auto Scaling group to validate functionality before deploying to the entire fleet. Which CodeDeploy configuration is most suitable?
A) AllAtOnce
B) OneAtATime
C) Canary
D) Custom with a minimum healthy host count of 99%
Answer: B
The OneAtATime deployment configuration deploys to one instance at a time. While it is a linear rollout, it allows the developer to test the first instance before proceeding. "Canary" (C) is typically a term for traffic shifting in Lambda or AppConfig, not CodeDeploy's built-in configurations (though CodeDeploy supports linear and canary via Traffic Routing for Blue/Green).

Exam Domain 3: Security (Questions 51-75)

51. A developer needs to grant an application running on an EC2 instance read-only access to a specific S3 bucket. What is the most secure way to do this?
A) Create an IAM user with access keys and store them in the application code.
B) Create an IAM role with the AmazonS3ReadOnlyAccess policy and attach it to the EC2 instance.
C) Create a bucket policy granting access to the EC2 instance ID.
D) Set the bucket ACL to public-read.
Answer: B
IAM roles provide temporary credentials to EC2 instances via the instance metadata service. This eliminates the need to manage long-term credentials (A). Bucket policies cannot grant access based on instance ID (C) but can grant access to IAM roles.

B) Store them in a plaintext file in the Lambda deployment package.
C) Use the encrypt flag in the Lambda CLI.
D) Environment variables are always encrypted by default with an AWS managed key.
Answer: A
Lambda environment variables can be encrypted using a custom AWS KMS key. By default, they are encrypted at rest using an AWS managed KMS key, but for compliance, enabling encryption with a customer-managed key (CMK) provides better control. The default is encrypted, but the question implies ensuring encryption, which is default true.
56. A company has a policy that IAM users must use Multi-Factor Authentication (MFA) to perform privileged operations. A developer needs to write a script that deletes an S3 bucket. The script must assume an IAM role that requires MFA. How does the script satisfy the MFA requirement?
A) The script cannot assume a role that requires MFA.
B) The script must include the SerialNumber and TokenCode parameters when calling sts:AssumeRole.
C) The script must be run from an EC2 instance with a role attached.
D) The script must use the root user credentials.
Answer: B
To assume a role that has an MFA requirement, the AssumeRole API call must include the MFA serial number (ARN of the MFA device) and the current OTP token code. The session inherits the MFA context.
57. A developer needs to allow an external vendor to upload files directly to an S3 bucket. The vendor does not have an AWS account. The uploads must be limited to a specific folder and expire after 1 hour. What should the developer generate?
A) An IAM user for the vendor.
B) A bucket policy allowing the vendor's IP address.
C) A presigned URL with a PUT method.
D) A CloudFront signed URL.
Answer: C
Presigned URLs allow temporary, limited access to S3 objects. By generating a presigned URL for a PUT operation, the developer grants the vendor time-limited access to upload to a specific key path without requiring AWS credentials. IAM user (A) would require the vendor to have credentials.
58. Which of the following is a security best practice for managing access keys for an IAM user?
A) Store them in a public GitHub repository for team access.
B) Rotate them regularly (e.g., every 90 days).
C) Share them with all team members to avoid creating multiple users.
D) Embed them directly in the application source code.
Answer: B
Regular rotation of access keys limits the window of exposure if a key is compromised. Best practices include never sharing keys (C), never storing them in code (D) or public repos (A).
59. A developer is using Amazon API Gateway. They need to control access to the API so that only authenticated users from the company's Amazon Cognito User Pool can invoke it. Which authorizer type should be used?
A) IAM Authorizer
B) Lambda Authorizer
C) Cognito User Pools Authorizer
D) Resource Policy
Answer: C
API Gateway supports Cognito User Pools as a native authorizer. It validates JWTs from Cognito. Lambda Authorizer (B) is for custom logic (e.g., OAuth providers not integrated natively).
60. A developer has a Node.js application that runs on EC2. The application needs to access a DynamoDB table. The developer has created an IAM role for EC2 with the necessary permissions. However, the application is throwing an "AccessDenied" error. What is the most likely cause?
A) The IAM role is not attached to the EC2 instance.
B) The Security Group is blocking outbound traffic to DynamoDB.
C) The DynamoDB table is in a different region.
D) The EC2 instance does not have a public IP address.
Answer: A
If the IAM role is not attached to the EC2 instance, the SDK will either fail to find credentials or fall back to other sources (like env vars) which might be missing. While a security group (B) could block traffic, AccessDenied is an IAM permissions issue, not a network connectivity issue (which would usually result in a timeout or connection error).
61. A developer wants to encrypt data stored in an Amazon S3 bucket using server-side encryption with customer-provided keys (SSE-C). How does the developer provide the encryption key?
A) In the bucket policy.
B) In the x-amz-server-side-encryption-customer-key header in the PUT request.