AWS · DVA-C02

Containerization And Microservices Modernization — AWS Developer (DVA-C02)

4% of exam questions (8 of 200)

ECR, Task Definition, and Task Role Are Three Separate Controls

Container images, task execution, and application API permissions each map to a separate AWS control surface. ECR stores the image and enforces who can pull it via a repository policy that also supports cross-account access. The ECS task definition declares image, CPU, memory, and environment. The task execution role is what the ECS agent uses to pull the image from ECR, retrieve secrets from Secrets Manager, and write logs to CloudWatch. The task role is what the container's application code assumes when it calls DynamoDB or S3 at runtime. Execution role and task role are distinct IAM principals with different trust relationships.

What This Pattern Tests

The exam presents a monolithic application and tests decomposition strategy. The strangler fig pattern routes specific URL paths to new microservices while the monolith handles the rest — incremental, low-risk. Service boundaries follow domain boundaries (orders, inventory, payments), not technical layers. Each service owns its data store (no shared databases). Inter-service communication uses async messaging (SQS, Service Bus) for loose coupling or synchronous APIs for real-time needs. The trap is decomposing by technical layer (one "database service," one "API service") instead of by business domain.

Decision Axis

Decomposition by business domain boundaries vs. technical layers, and incremental extraction vs. full rewrite.

Decision Rules

Cross-account ECR image pull requires a resource-based repository policy attached to the ECR registry in Account A that explicitly trusts the Account B task execution role principal — granting IAM permissions only to the execution role in Account B is insufficient because the registry in Account A has not authorized the external account at the resource level.

Amazon Elastic Container Registry · Amazon Elastic Container Service · AWS Identity and Access Management

Whether to attach an ECR repository policy in Account A explicitly granting the Account B task execution role principal pull permissions — versus relying solely on IAM identity-based permissions attached to the task execution role in Account B — given that cross-account ECR pulls require both the consuming-account IAM role permissions and a resource-based repository policy on the source registry.

Amazon Elastic Container Registry · Amazon Elastic Container Service · AWS Identity and Access Management
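
The two decision rules above describe a check that must pass on both sides of the account boundary. The Python sketch below is an added example, not part of the original page: it models that check for the Account B execution role's identity policy and the Account A repository policy. The account IDs, role and repository names, and helper names are constructed assumptions, and the evaluator is deliberately simplified (exact match or `*` only; `Deny` and `Condition` are ignored).

```python
# Added example: simplified model of the two-sided check for a cross-account ECR pull.
# Account IDs, role name and repository name are constructed placeholders.
PULL = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}
ROLE_B = "arn:aws:iam::222222222222:role/example-task-execution-role"
REPO_A = "arn:aws:ecr:us-east-1:111111111111:repository/example-app"

def _list(value):
    return value if isinstance(value, list) else [value]

def granted(policy, principal=None, resource=None):
    """Actions granted by Allow statements matching the principal or resource.
    Simplification: exact match or "*" only; Deny and Condition are ignored."""
    actions = set()
    for stmt in _list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:  # resource-based policy (Account A repository)
            who = stmt.get("Principal", {})
            who = ["*"] if who == "*" else _list(who.get("AWS", []))
            if principal not in who and "*" not in who:
                continue
        if resource is not None:  # identity-based policy (Account B role)
            if not {resource, "*"} & set(_list(stmt.get("Resource", []))):
                continue
        actions.update(_list(stmt.get("Action", [])))
    return actions

def missing_for_pull(identity_policy, repo_policy):
    """Return the actions still missing on each side; two empty lists mean the pull is authorized."""
    role_side = PULL - granted(identity_policy, resource=REPO_A)
    # GetAuthorizationToken is not scoped to a repository, so it needs Resource "*".
    if "ecr:GetAuthorizationToken" not in granted(identity_policy, resource="*"):
        role_side.add("ecr:GetAuthorizationToken")
    repo_side = PULL - granted(repo_policy, principal=ROLE_B)
    return {"execution_role": sorted(role_side), "repository_policy": sorted(repo_side)}

IDENTITY_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(PULL), "Resource": REPO_A}]}
REPO_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccountBExecutionRolePull", "Effect": "Allow",
     "Principal": {"AWS": ROLE_B}, "Action": sorted(PULL)}]}
NO_REPO_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    print(missing_for_pull(IDENTITY_POLICY_B, NO_REPO_POLICY))   # identity permissions only
    print(missing_for_pull(IDENTITY_POLICY_B, REPO_POLICY_A))    # both sides in place
```

With only the identity policy in place, the execution role side is complete but every pull action is still missing on the repository side, which is the failure the first decision rule describes.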

Domain Coverage

Deployment

Difficulty Breakdown

Easy: 4 · Hard: 4