AWS · DVA-C02

Operational Complexity Underestimation — AWS Developer (DVA-C02)

The answer is correct but operationally expensive. The exam prefers managed services over self-managed when both meet functional requirements.

Self-Managed Containers Hide Real Coordination Cost

Running containers on EC2 means owning the cluster: instance patching, task scheduling, capacity scaling, AMI updates, and ECS agent health. Fargate moves all of that to AWS. You define the task definition, CPU, and memory; AWS places the task, manages the underlying infrastructure, and handles bin-packing. Questions that pair 'minimize operational overhead' with a container workload are naming the axis on which Fargate wins, even when EC2 backed by Auto Scaling Groups looks cheaper on the invoice. Fargate tasks launch without any pre-existing instance fleet to maintain. Fargate Spot reduces task cost for interruption-tolerant container workloads without adding back the cluster management burden.

18% of exam questions affected (36 of 200)

The Scenario

A team of 3 developers needs to run a containerized application with auto-scaling. You recommend Kubernetes on EC2 with kops for cluster management. The correct answer is ECS on Fargate. The scenario said "small team" and "minimize operational burden." Self-managed Kubernetes requires managing the control plane (etcd backups, API server upgrades, certificate rotation), node group updates, CNI plugin configuration, and ingress controller maintenance. ECS on Fargate eliminates all of that — AWS manages compute, scaling, and patching. The trade-off is less customization, but the scenario never asked for Kubernetes-specific features like custom operators or CRDs.

How to Spot It

  • "Minimize operational overhead," "small team," "reduce management burden" — these phrases are signals to choose the most managed option. ECS Fargate over EKS self-managed nodes. Aurora over self-managed PostgreSQL on EC2. Lambda over always-on containers for event-driven workloads.
  • EKS managed node groups reduce operational burden compared to self-managed nodes, but you still manage node AMI updates, pod scaling, and cluster upgrades. EKS with Fargate eliminates node management entirely but loses DaemonSet support and some storage options. The exam tests these operational trade-offs at each level.
  • Self-managed options (EC2, EKS self-managed, self-hosted databases, self-managed Kafka) are only correct when the scenario explicitly requires a capability that managed services cannot provide — custom kernel modules, specific OS versions, or unsupported database engines.

Decision Rules

Whether the cfn-changeset-review-gate-before-execute constraint is best satisfied by CodePipeline's native manual approval action placed between a CHANGE_SET_REPLACE action and an EXECUTE_CHANGE_SET action, or by a custom Lambda orchestrator that inspects changeset JSON and routes approval requests by resource type before allowing pipeline continuation.

AWS CodePipeline · AWS CloudFormation · Amazon Simple Storage Service

Only a CodeBuild test action whose buildspec propagates a non-zero exit code on failure satisfies the automated-gate-before-deploy-stage constraint; a Manual Approval action blocks the pipeline but requires human input and cannot evaluate test results, failing the automated-testing requirement.

AWS CodePipeline · AWS CodeBuild

Whether to implement the CloudFormation changeset review gate using the native CodePipeline Manual Approval action between a CREATE_CHANGE_SET stage and an EXECUTE_CHANGE_SET stage, or to build a custom Lambda function that invokes the CloudFormation API, publishes changeset details, and waits for an external signal to resume the pipeline.

AWS CodePipeline · AWS CloudFormation · Amazon Simple Storage Service
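The inspection step that the custom Lambda orchestrator in the two change-set rules above would have to own, as an added example (not code from the original page or from AWS): it classifies the entries of a DescribeChangeSet-shaped response by resource type. The `STATEFUL` and `SECURITY` sets, the sample change set and the function names are assumptions made for illustration.

```python
# Added example: triage a change set before the execute step is allowed to run.
# Field names follow the CloudFormation DescribeChangeSet response shape.
# Assumption: which types count as stateful or security-sensitive is team
# policy; these sets are illustrative, not an AWS-defined list.
STATEFUL = {"AWS::DynamoDB::Table", "AWS::RDS::DBInstance", "AWS::S3::Bucket"}
SECURITY = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::KMS::Key"}

# Constructed sample, not output from a real stack.
SAMPLE_CHANGESET = {"Changes": [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "OrdersTable",
        "ResourceType": "AWS::DynamoDB::Table", "Replacement": "True"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "DeployRole",
        "ResourceType": "AWS::IAM::Role", "Replacement": "False"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Add", "LogicalResourceId": "WorkerFn",
        "ResourceType": "AWS::Lambda::Function"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Remove", "LogicalResourceId": "AlertsTopic",
        "ResourceType": "AWS::SNS::Topic"}},
]}

def classify(change):
    """Return (severity, reason) for one entry of Changes[]."""
    rc = change.get("ResourceChange", {})
    action, rtype = rc.get("Action"), rc.get("ResourceType", "")
    replaced = rc.get("Replacement") in ("True", "Conditional")
    if rtype in STATEFUL and (action == "Remove" or replaced):
        return "block", "stateful resource would be deleted or replaced"
    if rtype in SECURITY:
        return "review", "security-sensitive resource changes"
    if action == "Add" or (action == "Modify" and not replaced):
        return "pass", "additive or in-place change"
    # Fail closed: removals, replacements and unknown actions need a human.
    return "review", "deletion, replacement or unrecognised action"

def triage(changeset):
    """Group logical IDs by severity and derive one verdict for the gate."""
    buckets = {"block": [], "review": [], "pass": []}
    for change in changeset.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        severity, _reason = classify(change)
        rid = change.get("ResourceChange", {}).get("LogicalResourceId", "<unknown>")
        buckets[severity].append(rid)
    verdict = next((s for s in ("block", "review") if buckets[s]), "pass")
    return verdict, buckets
```

In the custom-orchestrator design, publishing the details and waiting for the external signal that resumes the pipeline still have to be built around this function.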

Whether automatic rotation capability—native to Secrets Manager—or encryption-at-rest equivalence—shared by both services via KMS—is the disqualifying axis when a hard compliance rotation interval is mandated.

AWS Secrets Manager · AWS Systems Manager Parameter Store · AWS Key Management Service

Choose AWS Secrets Manager over Systems Manager Parameter Store SecureString when automatic credential rotation is mandatory, because Parameter Store cannot rotate natively and requires a custom Lambda orchestrator whose authoring, error handling, and scheduling constitute hidden operational burden that violates the no-custom-automation constraint.

AWS Secrets Manager · AWS Systems Manager · AWS Identity and Access Management

When the token source is Cognito User Pools and the dominant constraint is least operational overhead, the Cognito User Pool authorizer is correct because it validates JWTs natively with zero custom code, eliminating the authoring, deployment, and failure-surface burden carried by a Lambda authorizer.

Amazon API Gateway · Amazon Cognito · AWS Lambda

Whether to tune the local DynamoDB emulator to better approximate Streams behavior, or promote DynamoDB Streams integration tests to a live AWS isolated test account — where the governing constraint is that stream ordering and shard delivery semantics are AWS-managed service internals no third-party emulator can guarantee.

AWS Lambda · Amazon DynamoDB · AWS CloudFormation

Whether the ALB-to-EC2 backend encryption leg requires a PKI-managed certificate issued by ACM Private CA, or whether a self-signed certificate on the EC2 HTTPS target satisfies the encryption-in-transit constraint without introducing certificate authority lifecycle overhead.

AWS Certificate Manager · Elastic Load Balancing

Whether the workload's bursty event-driven shape and the team's zero container expertise together disqualify Fargate and EC2 Auto Scaling in favour of Lambda, where idle cost is eliminated by the pay-per-invocation model and cluster management disappears entirely.

AWS Lambda · AWS Fargate · Amazon EC2 Auto Scaling

Domain Coverage

Development with AWS Services · Security · Deployment · Troubleshooting and Optimization

Difficulty Breakdown

Hard: 16 · Medium: 20
