ASSOCIATE (DVA-C02) CERTIFICATION
EACH QUESTION INCLUDES THE CORRECT ANSWER AND
A DETAILED RATIONALE
Exam Domain 1: Code Development (Questions 1-25)
1. A developer is writing a Lambda function that needs to store temporary data
that is accessed frequently during the function's execution. The data does not
need to persist after the function terminates. Where should the developer store
this data?
A) Amazon S3
B) Amazon EFS
C) /tmp directory
D) Amazon RDS
Answer: C
The /tmp directory provides ephemeral storage (512 MB to 10 GB) that is unique to
each Lambda instance. It is the ideal location for temporary, short-term data. S3, EFS,
and RDS are persistent storage solutions.
2. A company uses AWS CodeCommit to host a private Git repository. A developer
needs to authenticate to push code from their local machine using the AWS CLI.
Which authentication method is recommended?
A) The Git username and password stored in IAM
B) An SSH key pair associated with the IAM user
C) An IAM access key ID and secret access key
D) A Git credential helper with an HTTPS Git password
Answer: D
The AWS CLI credential helper generates a temporary, Git-specific password when used
with git config --global credential.helper '!aws codecommit credential-helper $@'.
This is more secure than using static IAM user credentials directly in Git commands. SSH
keys (B) are also valid but not the CLI-based method described.
3. A developer is designing a serverless application using AWS Lambda. The
function must access a private Amazon RDS database in a VPC. What is the
MINIMUM set of actions required to allow this?
A) Place the Lambda function in the public subnet with an Internet Gateway.
B) Place the Lambda function in the VPC, configure the function to use the VPC, and
ensure the execution role has permissions to describe Elastic Network Interfaces (ENIs).
C) Place the Lambda function in the VPC and set the RDS security group to allow traffic
from 0.0.0.0/0.
D) Enable VPC peering between the Lambda service and the VPC.
Answer: B
When a Lambda function is configured to access a VPC, it creates ENIs in the VPC subnets.
The execution role must have the ec2:CreateNetworkInterface and
ec2:DescribeNetworkInterfaces permissions. The
function should be placed in private subnets with a NAT gateway or VPC endpoints for
internet access if needed, but the minimal requirement is the ENI permissions.
4. Which of the following is a best practice for managing secrets (e.g., database
passwords, API keys) in AWS Lambda?
A) Store them as plain text in the Lambda environment variables.
B) Hardcode them directly in the function code.
C) Store them in AWS Systems Manager Parameter Store (SecureString) or AWS Secrets
Manager and retrieve them during function initialization.
D) Store them in an Amazon S3 bucket with a bucket policy restricting access to the
Lambda role.
Answer: C
SecureString parameters in Parameter Store or Secrets Manager provide encryption using
AWS KMS. Retrieving them outside the handler (during initialization) allows for reuse
across invocations, reducing latency and cost. Environment variables can be encrypted at
rest, but storing them unencrypted (A) is a security risk.
5. A developer needs to update an item in an Amazon DynamoDB table. The
update should only succeed if the item currently has a specific version number to
prevent overwriting changes made by another process. Which DynamoDB
operation should the developer use?
A) UpdateItem with a condition expression
B) PutItem with a condition expression
C) BatchWriteItem
D) TransactWriteItems
Answer: A
UpdateItem supports condition expressions. To implement optimistic locking, the condition
expression can check an attribute (e.g., version = :expectedVersion) and increment it in
the update expression. TransactWriteItems (D) is for atomic transactions across multiple
tables or items, which is overkill for a single item optimistic lock.
6. A developer is writing a script to interact with AWS services using the AWS SDK
for Python (Boto3). The script is running on an EC2 instance that is part of an Auto
Scaling group. What is the MOST secure way to grant permissions to the script?
A) Store IAM user access keys in a configuration file on the instance.
B) Pass IAM user access keys to the script via environment variables.
C) Assign an IAM role to the EC2 instance with the required permissions.
D) Use the root user access keys for the AWS account.
Answer: C
IAM roles provide temporary credentials that are automatically rotated and retrieved by
the SDK via the instance metadata service. This is the most secure method because no
long-term credentials are stored on the instance or in code.
7. Which HTTP status code indicates that an Amazon API Gateway API request has
been successfully processed by the integration endpoint but the response is
intentionally empty?
A) 200 OK
B) 201 Created
C) 204 No Content
D) 202 Accepted
Answer: C
A 204 No Content status code indicates that the request was successful, but there is no
content to return in the response body. This is commonly used for DELETE operations or
updates that don't require a response payload.
8. A developer wants to debug a Lambda function by analyzing the duration,
memory usage, and logs. Which AWS service should the developer use to view this
information?
A) AWS CloudTrail
B) AWS X-Ray
C) Amazon CloudWatch Logs and CloudWatch Metrics
D) AWS Config
Answer: C
Lambda automatically logs output to CloudWatch Logs and publishes metrics (including
duration and memory usage) to CloudWatch Metrics. While X-Ray (B) helps with tracing
distributed requests, CloudWatch is the primary tool for monitoring function performance
and logs.
9. A developer needs to configure an Amazon S3 bucket to host a static website.
The bucket contains HTML, CSS, and JavaScript files. What must be enabled for
the website to be publicly accessible?
A) Object ACLs set to public-read for all objects
B) A bucket policy that allows public read access
C) S3 Block Public Access turned off globally
D) Versioning enabled on the bucket
Answer: B
To allow public access to static website content, a bucket policy must explicitly
grant s3:GetObject permission to Principal: "*". While ACLs (A) are legacy, a bucket
policy is the modern standard. S3 Block Public Access (C) must not be blocking the policy,
but turning it off is not itself a setting that grants public access; it only removes
the block.
10. A developer is using AWS CodeBuild. The build requires a dependency that is
not available in the standard AWS CodeBuild managed images. What is the MOST
efficient way to include this dependency?
A) Install the dependency manually in the buildspec.yml install phase.
B) Create a custom Docker image with the dependency pre-installed and specify it in the
build project.
C) Use an Amazon S3 bucket to download the dependency every time the build runs.
D) Ask AWS Support to add the dependency to the managed image.
Answer: B
Creating a custom Docker image is the most efficient and reliable method for persistent
custom dependencies. Installing manually (A) works but adds build time overhead.
Managed images are standardized and not customized per customer request (D).
11. A developer is implementing an Amazon API Gateway REST API with a Lambda
proxy integration. What is the responsibility of the Lambda function in this setup?
A) To return an HTTP response in a specific format that API Gateway can parse.
B) To manage the API keys and usage plans.
C) To handle request throttling.
D) To manage the SSL certificates for the API.
Answer: A
With proxy integration, API Gateway passes the entire request (headers, path, body) to