Scope Overreach — AWS Developer (DVA-C02)
You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.
S3 Event Notifications Trigger Lambda Without Step Functions
S3 can invoke a Lambda function directly when an object is created in a bucket. No state machine, no workflow definition, no per-transition charges. Step Functions earns its place when the scenario coordinates multiple sequential or parallel steps, handles retries across services, or maintains state across a long-running process. A single post-upload transformation does not meet that bar. EventBridge earns its place when rule-based routing to multiple targets is required. For one trigger producing one downstream action, the direct S3-to-Lambda notification adds no orchestration layer the scenario never requested. S3 event notifications support filtering by key prefix and suffix, which limits invocations to specific object paths without extra routing logic.
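The direct S3-to-Lambda path described above, as an added example that is not part of the original page: it builds the single notification entry with the prefix/suffix filter, emulates S3's filter matching so the scoping can be checked before deployment, and applies it with one API call. The bucket name and Lambda ARN are constructed placeholders.

```python
"""Minimal S3 -> Lambda notification with prefix/suffix filtering (added example)."""
from typing import Optional

# Constructed placeholder; substitute the real function ARN.
LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:transform-report"


def build_notification_config(lambda_arn: str, prefix: Optional[str] = None,
                              suffix: Optional[str] = None) -> dict:
    """Build the NotificationConfiguration for put_bucket_notification_configuration.

    S3 accepts at most one prefix rule and one suffix rule per entry, so the
    filter holds whichever of the two were supplied. No filter means every key.
    """
    rules = []
    if prefix:
        rules.append({"Name": "prefix", "Value": prefix})
    if suffix:
        rules.append({"Name": "suffix", "Value": suffix})
    entry = {
        "Id": "transform-on-upload",
        "LambdaFunctionArn": lambda_arn,
        "Events": ["s3:ObjectCreated:*"],
    }
    if rules:
        entry["Filter"] = {"Key": {"FilterRules": rules}}
    return {"LambdaFunctionConfigurations": [entry]}


def would_invoke(config: dict, key: str) -> bool:
    """Emulate S3's filter: a key must satisfy every rule of at least one entry."""
    for entry in config.get("LambdaFunctionConfigurations", []):
        rules = entry.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        matched = all(
            key.startswith(r["Value"]) if r["Name"].lower() == "prefix"
            else key.endswith(r["Value"])
            for r in rules
        )
        if matched:
            return True
    return False


def apply_notification(s3_client, bucket: str, config: dict) -> None:
    """Attach the configuration: one call, no orchestration layer.

    The function's resource policy must already allow s3.amazonaws.com to
    InvokeFunction; scope that grant with SourceArn to this bucket only.
    """
    s3_client.put_bucket_notification_configuration(
        Bucket=bucket, NotificationConfiguration=config)


if __name__ == "__main__":
    import boto3  # only needed when actually applying the configuration
    cfg = build_notification_config(LAMBDA_ARN, prefix="reports/raw/", suffix=".csv")
    apply_notification(boto3.client("s3"), "analytics-uploads", cfg)  # placeholder bucket
```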
The Scenario
A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM with a custom key store, customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. The correct answer is SSE-S3 (Amazon S3-managed keys) — one setting, zero key management, meets the requirement. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 compliance," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with regulatory requirements to control their own hardware security modules. You answered a compliance question that was not asked.
How to Spot It
- Encryption at rest has three levels on S3: SSE-S3 (zero management), SSE-KMS (key policies and rotation control), SSE-C/client-side (you manage everything). The exam gives you a simple encryption requirement and tests whether you select the simplest option. Only escalate to KMS or CloudHSM when the scenario mentions compliance, audit requirements, or cross-account key access.
- When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
- VPC endpoints come in two types: Gateway (free, for S3 and DynamoDB) and Interface (costs $0.01/hour per AZ, for everything else). If the scenario asks for private access to S3, a Gateway endpoint is free. Recommending PrivateLink Interface endpoints for S3 is scope overreach and adds unnecessary cost.
Decision Rules
TLS for an ALB-fronted application with zero-renewal and end-to-end encryption constraints: terminating TLS at CloudFront is scope overreach (it adds an unjustified CDN layer and leaves the CloudFront-to-ALB leg unencrypted). Attach an ACM certificate directly to the ALB HTTPS listener and configure the target group with the HTTPS protocol; that satisfies both constraints in the minimal correct design.