Near-Right Architecture — AWS Developer (DVA-C02)
Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.
Redis as Cache vs Redis as Data-Structure Service
Candidates pick ElastiCache Redis as soon as they see 'read-heavy' and 'low latency'. The trap is that Redis satisfies the cache shape without anyone checking whether it satisfies the data-structure shape the scenario actually requires. An application that needs atomic counters needs Redis INCR/INCRBY semantics; a get-modify-set against a plain cache races under concurrent writers and loses updates. Fan-out to multiple subscribers needs Pub/Sub. A plain cache layer substitutes for neither. Matching Redis to a workload means matching the specific command family the workload depends on, not just picking the service with the lowest advertised read latency. Memcached supports simple key-value caching without the data-structure commands Redis exposes, so when the scenario only needs GET/SET, Memcached is the answer; when it names counters, queues, sorted sets or Pub/Sub, only Redis fits.
The Scenario
A company needs a real-time analytics dashboard querying petabytes of log data. The question offers Athena with S3 and Redshift Serverless. Both query structured data at scale. But the scenario says "sub-second response times for repeated queries" — Athena scans S3 on every query (seconds to minutes), while Redshift caches results and returns sub-second on repeats. The constraint is latency on repeated queries, not raw query capability. You picked Athena because it is serverless and cheaper per query, but the access pattern eliminates it.
How to Spot It
- When both answers use real AWS services that address the primary use case, re-read for the performance constraint. "Sub-second," "real-time," and "single-digit millisecond" each eliminate different services. Athena is not sub-second. DynamoDB is not for complex joins. Aurora is not for petabyte-scale analytics.
- Look for protocol-level constraints. If the scenario says TCP traffic with client IP preservation, that eliminates CloudFront (HTTP/HTTPS only) and points to Global Accelerator + NLB. If it says HTTP with caching, that eliminates Global Accelerator.
- If you find yourself thinking "both could work," the exam is testing constraint reading. Check for: latency target, protocol, data volume, ordering requirement, or compliance region restriction.
Decision Rules
Whether appspec.yml is placed at the root of the deployment bundle ZIP versus nested one directory level deep: only root placement satisfies CodeDeploy's artifact contract. A nested copy is not picked up, and the deployment fails at the bundle-download step with an error that the AppSpec file could not be found. The usual cause is zipping the parent directory (so every path carries a `myapp/` prefix) instead of zipping from inside it.
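A pre-deploy check for the rule above, added here as an example rather than anything from the page or from CodeDeploy itself: it inspects the bundle's entry list for a root-level appspec.yml and reports a nested copy, which is the symptom of zipping one directory too high. The two bundles are constructed in memory so the check runs offline.

```python
"""Added example: verify a CodeDeploy revision bundle has appspec.yml at the
ZIP root. Bundles are built in memory (constructed test data), so this runs
offline; in practice pass the bytes of the ZIP you are about to upload."""
import io
import zipfile

APPSPEC_NAME = "appspec.yml"


def appspec_at_root(zip_bytes: bytes) -> bool:
    """True only if appspec.yml sits at the root (no directory prefix)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return APPSPEC_NAME in zf.namelist()


def misplaced_appspec(zip_bytes: bytes) -> list[str]:
    """Nested copies CodeDeploy will not see; used for a precise error message."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if "/" in n and n.rsplit("/", 1)[-1] == APPSPEC_NAME]


def check_bundle(zip_bytes: bytes) -> str:
    """Return 'ok' or a message explaining why CodeDeploy would reject the bundle."""
    if appspec_at_root(zip_bytes):
        return "ok"
    nested = misplaced_appspec(zip_bytes)
    if nested:
        return (f"appspec.yml found only at {nested}; re-zip from inside that "
                f"directory so it lands at the root")
    return "no appspec.yml in bundle"


def build_bundle(entries: dict[str, str]) -> bytes:
    """Build a small ZIP in memory from {path: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# `cd myapp && zip -r ../bundle.zip .` produces this layout.
GOOD_BUNDLE = build_bundle({
    "appspec.yml": "version: 0.0\nos: linux\n",
    "scripts/start.sh": "#!/bin/sh\n",
})
# `zip -r bundle.zip myapp/` from the parent directory produces this one.
BAD_BUNDLE = build_bundle({
    "myapp/appspec.yml": "version: 0.0\nos: linux\n",
    "myapp/scripts/start.sh": "#!/bin/sh\n",
})

if __name__ == "__main__":
    print(check_bundle(GOOD_BUNDLE))
    print(check_bundle(BAD_BUNDLE))
```

Run it in the pipeline step that produces the artifact; failing there is cheaper than waiting for CodeDeploy to reject the revision.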
Cross-account ECR image pull requires a resource-based repository policy on the ECR repository in Account A that explicitly trusts the Account B task execution role principal (or Account B's root, delegating to Account B's IAM) for ecr:BatchGetImage and ecr:GetDownloadUrlForLayer. Granting IAM permissions only to the execution role in Account B is insufficient: the repository in Account A has not authorized the external principal at the resource level, and cross-account access needs both sides to allow. The execution role in Account B still needs its own identity policy for those actions plus ecr:GetAuthorizationToken, which is registry-level and takes Resource "*".
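The two policy documents from the rule above and the "both sides must allow" evaluation, added here as an example; it is not from the page and is a deliberately simplified model of IAM evaluation (explicit deny wins, no Condition blocks, no SCPs, no session policies). Account IDs, region, role and repository names are placeholders.

```python
"""Added example: cross-account ECR pull is allowed only when the repository
policy in the owning account AND the puller's identity policy both allow.
Simplified IAM model: explicit Deny wins, no Conditions, no SCPs.
All identifiers below are placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"  # owns the ECR repository (placeholder)
ACCOUNT_B = "222222222222"  # runs the ECS task (placeholder)
REPO_ARN = f"arn:aws:ecr:us-east-1:{ACCOUNT_A}:repository/app"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/ecsTaskExecutionRole"
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]

# Resource-based policy attached to the repository in Account A.
REPO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": EXEC_ROLE_ARN},
        "Action": PULL_ACTIONS,
    }],
}

# Identity-based policy attached to the task execution role in Account B.
# ecr:GetAuthorizationToken is registry-level, hence Resource "*".
EXEC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": REPO_ARN},
    ],
}


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def _matches(pattern_or_list, value) -> bool:
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, role_arn: str) -> bool:
    if principal == "*":
        return True
    entries = principal.get("AWS", []) if isinstance(principal, dict) else []
    entries = entries if isinstance(entries, list) else [entries]
    root = f"arn:aws:iam::{account_of(role_arn)}:root"  # trusting the account delegates to its IAM
    return any(e == "*" or e == root or fnmatch.fnmatchcase(role_arn, e) for e in entries)


def _evaluate(statements, action, resource=None, principal_arn=None):
    """Return 'Allow', 'Deny' or None (no matching statement) for one document."""
    result = None
    for st in statements:
        if not _matches(st["Action"], action):
            continue
        if "Resource" in st and not _matches(st["Resource"], resource):
            continue
        if "Principal" in st and not _principal_matches(st["Principal"], principal_arn):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        result = "Allow"
    return result


def pull_allowed(repo_policy, identity_policy, role_arn, repo_arn, action) -> bool:
    """Same account: either policy may allow. Cross-account: BOTH must allow."""
    resource_side = _evaluate(repo_policy["Statement"], action, repo_arn, role_arn)
    identity_side = _evaluate(identity_policy["Statement"], action, repo_arn)
    if "Deny" in (resource_side, identity_side):
        return False
    if account_of(role_arn) == account_of(repo_arn):
        return "Allow" in (resource_side, identity_side)
    return resource_side == "Allow" and identity_side == "Allow"


if __name__ == "__main__":
    print(pull_allowed(REPO_POLICY, EXEC_ROLE_POLICY, EXEC_ROLE_ARN, REPO_ARN, "ecr:BatchGetImage"))
```

The case the rule warns about is `REPO_POLICY` with an empty statement list: the Account B identity policy alone evaluates to False, because the repository never authorized the foreign principal.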
Whether to use an AWS-managed key (aws/s3) or a customer-managed KMS key when the scenario adds explicit operational control requirements. Both kinds of key log their KMS API calls to CloudTrail, so audit visibility alone does not decide it. A customer-defined rotation schedule, the ability to edit the key policy, add grants, disable or schedule deletion of the key, or share it across accounts all require a customer-managed key; the AWS-managed key's rotation period and policy are fixed by AWS. Note that SSE-S3 (no KMS key at all) produces no KMS CloudTrail entries, so a per-call audit requirement rules it out as well.
When SQS is the event source (polling/event source mapping), DLQ ownership belongs to the SQS queue's redrive policy (deadLetterTargetArn plus maxReceiveCount), not to the Lambda function's DLQ configuration. The function's DeadLetterConfig applies only to asynchronous invocations; the poller invokes the function synchronously, so a failed batch simply returns to the queue after the visibility timeout and the function-level DLQ is never consulted on this path.
Select the secrets store that satisfies both the no-hardcoded-credentials requirement and the mandatory automatic-rotation capability boundary, distinguishing Secrets Manager's native rotation from Parameter Store's rotation gap.
When automatic credential rotation is a hard compliance constraint, AWS Secrets Manager is required over Systems Manager Parameter Store SecureString because Parameter Store provides no native automatic rotation and any rotation requires a custom Lambda-based automation that the developer must own and operate.
Which service owns the end-to-end external customer identity lifecycle, including social IdP federation, a user directory, and JWT issuance for downstream API authorization, versus which service is scoped exclusively to workforce and enterprise SSO principals? Cognito User Pools is the customer-facing answer; IAM Identity Center is for employees signing in to AWS accounts and SAML/OIDC business applications and does not issue tokens for your own APIs.
When exactly one consumer exists and messages must survive consumer downtime without loss, choose SQS over SNS. SNS has no message retention: it retries a delivery only for as long as the subscription's delivery policy allows, and once those retries are exhausted the message is gone unless a subscription DLQ was configured. SQS holds the message (up to the queue's retention period, 14 days maximum) until the consumer comes back.
When fan-out to multiple independent consumers is required AND each consumer must receive durable, retryable messages even if temporarily offline, SNS alone is insufficient. The correct architecture is SNS fan-out to per-consumer SQS queues: each queue retains its copy and lets the consumer process at its own pace, and the queue's own redrive policy handles poison messages.
When the token source is Cognito User Pools and operational overhead must be minimized, choose the native Cognito User Pool authorizer over a Lambda authorizer because it validates JWTs natively with zero custom code, no deployment pipeline, and no custom failure surface.
When the JWT source is a third-party IdP or requires custom claim evaluation, a Lambda authorizer is the answer for a REST API: the Cognito User Pool authorizer is hard-scoped to tokens issued by the configured user pool and cannot process externally issued JWTs, and it never evaluates custom claims. One caveat: an HTTP API (API Gateway v2) has a built-in JWT authorizer that accepts any OIDC issuer, so on that API type a third-party issuer alone does not force a Lambda authorizer; custom claim logic still does.
Whether to promote integration tests that depend on AWS-managed SQS semantics — partial-batch-failure handling, visibility timeout, and DLQ routing — from a local emulator to a live isolated AWS account, versus investing further in emulator configuration tuning.
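A handler for the SQS event-source rule two entries up and the partial-batch-failure semantics in the entry above, added here as an example rather than code from the page. It returns only the failed message IDs so the rest of the batch is deleted, and it reads the ApproximateReceiveCount attribute that SQS attaches to each record to tell when the queue's redrive policy will move a message to the DLQ on its next failure. The `process` business rule and the three records are constructed for the example; `ReportBatchItemFailures` must be enabled on the event source mapping for the return value to mean anything.

```python
"""Added example: Lambda handler for an SQS event source mapping with partial
batch failures. The queue's RedrivePolicy (deadLetterTargetArn + maxReceiveCount)
decides DLQ routing; the function's DeadLetterConfig is never consulted because
the poller invokes the function synchronously.
Requires on the mapping: FunctionResponseTypes: [ReportBatchItemFailures].
Business rule and records below are constructed for the example."""
import json


def process(body: dict) -> None:
    """Placeholder business logic (assumption): reject malformed orders."""
    if "order_id" not in body or body.get("amount", 0) <= 0:
        raise ValueError(f"bad order: {body}")


def handler(event, context=None) -> dict:
    """Process each record; report only the failures so the others are deleted.
    Without ReportBatchItemFailures any failure returns the WHOLE batch to the
    queue, and already-processed messages are redelivered."""
    failures = []
    for record in event["Records"]:
        try:
            process(json.loads(record["body"]))
        except Exception:
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def last_attempt(record: dict, max_receive_count: int) -> bool:
    """True when this receive is the last one before the QUEUE redrives the
    message to its DLQ: SQS moves a message once its receive count exceeds
    maxReceiveCount, i.e. on the receive after this one."""
    return int(record["attributes"]["ApproximateReceiveCount"]) >= max_receive_count


def make_record(msg_id: str, body: dict, receive_count: int = 1) -> dict:
    """Constructed SQS record in the shape Lambda delivers (subset of fields)."""
    return {
        "messageId": msg_id,
        "receiptHandle": f"handle-{msg_id}",
        "body": json.dumps(body),
        "attributes": {"ApproximateReceiveCount": str(receive_count)},
        "eventSource": "aws:sqs",
    }


SAMPLE_EVENT = {"Records": [
    make_record("m1", {"order_id": "o-1", "amount": 10}),   # processes fine
    make_record("m2", {"order_id": "o-2"}),                  # missing amount: fails
    make_record("m3", {"amount": 5}, receive_count=3),       # missing id, 3rd receive
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
    for r in SAMPLE_EVENT["Records"]:
        print(r["messageId"], "last attempt before DLQ:", last_attempt(r, 3))
```

With maxReceiveCount set to 3 on the queue, m3 fails here for the third time; its fourth receive exceeds the limit and SQS moves it to the DLQ without Lambda being involved. That visibility-timeout and redrive behaviour is exactly what an emulator tends to approximate loosely, which is the argument for running these tests against a live isolated account.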
Whether attaching an ACM certificate to an HTTPS ALB listener is sufficient, or whether the target group backend protocol must independently be set to HTTPS to satisfy the end-to-end encryption requirement.
Whether to anchor the root-cause investigation on the application tier (X-Ray segment duration) or the database tier (CloudWatch CPU utilization) when both signals are simultaneously available.
Whether to cap Lambda throughput via reserved concurrency — which simultaneously limits concurrent writes to DynamoDB AND isolates account concurrency — or to increase DynamoDB write capacity to absorb the load, which removes the downstream bottleneck but leaves Lambda free to exhaust the shared account concurrency pool.
Publish the shared library as a Lambda Layer artifact (AWS::Serverless::LayerVersion) staged in S3 via SAM rather than bundling the 45 MB library inside each function's individual deployment ZIP.
When the data model requires variable or sparse attributes per item AND the only query shape is a single-key lookup at unpredictable write throughput, DynamoDB's schema-less design and key-based performance contract disqualify RDS as the near-right relational default.