DVA-C02 Syllabus — Objectives by Domain

Use this syllabus as your source of truth for DVA-C02. Work through each domain in order and drill targeted sets after every section.

What’s covered

• Domain 1: Development with AWS Services (32%)
• Domain 2: Security (26%)
• Domain 3: Deployment (24%)
• Domain 4: Troubleshooting and Optimization (18%)

Domain 1: Development with AWS Services (32%)

Practice this topic →

Task 1.1 - Build resilient, decoupled application components

• Differentiate between synchronous request/response and asynchronous event-driven communication and select the appropriate pattern for a given workload.
• Implement idempotent operations in application code using idempotency keys or conditional requests to safely handle retries.
• Apply retries with exponential backoff and full jitter using AWS SDK configuration and custom logic to reduce retry storms.
• Use dead-letter queues to capture and inspect failed asynchronous operations and design appropriate reprocessing strategies.
• Evaluate when to use choreography versus orchestration to coordinate microservices interactions.
• Compare tightly coupled versus loosely coupled components and refactor code to reduce direct dependencies through messaging or events.
• Design fault-tolerance in clients by setting timeouts, circuit breakers, and connection pools when calling AWS services.
• Choose stateless processing for scale-out compute and manage session data in external stores.
• Implement fan-out patterns with Amazon SNS topics, Amazon SQS queues, and AWS Lambda subscriptions to parallelize downstream work.
• Detect and handle partial failures across distributed components by propagating correlation IDs and consistent error contracts.
• Select the appropriate compute option (AWS Lambda, Amazon ECS, Amazon EC2, AWS Elastic Beanstalk) for a given execution model, startup time, and dependency profile.

Task 1.2 - Use AWS SDKs and service APIs effectively

• Initialize AWS SDK clients with least-privilege credentials and region-appropriate endpoints.
• Configure SDK retry behavior, timeouts, HTTP keep-alive, and connection limits to improve throughput and resiliency.
• Paginate over AWS API results using next tokens or continuation markers to retrieve complete datasets.
• Implement request throttling handling by inspecting error codes (for example, ThrottlingException and ProvisionedThroughputExceededException) and backing off.
• Use AWS Security Token Service (AWS STS) to assume roles programmatically and refresh short-lived session credentials in long-running processes.
• Securely load configuration and secrets for SDK clients from AWS Secrets Manager and AWS Systems Manager Parameter Store.
• Generate pre-signed URLs for Amazon S3 to provide time-limited direct access for uploads and downloads.
• Select consistent or eventual read options where available and implement read-after-write considerations in code.
• Employ service-specific SDK optimizations such as Amazon S3 Transfer Manager and Amazon DynamoDB batch APIs for high-throughput operations.
• Structure error handling by mapping AWS service exceptions to actionable outcomes and surfacing user-friendly messages.

Task 1.3 - Work with messaging services (Amazon SNS, Amazon SQS, Amazon EventBridge, AWS Step Functions)

• Choose between Amazon SQS Standard and FIFO queues based on ordering and exactly-once processing needs.
• Set appropriate visibility timeout, message retention, and long-polling settings for Amazon SQS to optimize throughput and cost.
• Implement Amazon SQS message batching for send and receive to reduce API calls and improve efficiency.
• Use Amazon SNS message attributes and subscription filter policies to route messages to specific subscribers.
• Implement Amazon SNS fan-out to multiple Amazon SQS queues and AWS Lambda functions for parallel downstream processing.
• Offload large message payloads to Amazon S3 and send Amazon SQS/Amazon SNS references while maintaining idempotency.
• Define Amazon EventBridge rules and event buses to route events across accounts and Regions for decoupled integrations.
• Create AWS Step Functions workflows to orchestrate multi-step tasks with retries, timeouts, and catch/finally handlers.
• Handle poison messages with per-queue dead-letter queues and redrive policies to prevent endless retries.
• Secure messaging with resource policies that grant least privilege to publishers and subscribers.
• Monitor queue depth, age of oldest message, and Lambda concurrency to anticipate backlogs and scale appropriately.

Task 1.4 - Develop code for AWS Lambda runtime and performance

• Configure memory size, timeout, and ephemeral storage for AWS Lambda to balance cost and performance.
• Choose appropriate runtime, handler signature, and package type (zip or container image) for a function.
• Reuse SDK clients and database connections outside the handler for connection pooling and faster subsequent invocations.
• Manage environment variables securely and decrypt secrets at initialization time when necessary.
• Use Lambda layers to share libraries and common code across multiple functions.
• Configure reserved concurrency and provisioned concurrency to control throughput and mitigate cold starts.
• Implement Lambda Destinations for asynchronous success and failure routes as part of error handling.
• Attach dead-letter queues to asynchronous Lambda invocations to capture failed events for later analysis.
• Access private resources in a VPC by configuring appropriate subnets, security groups, and VPC endpoints.
• Instrument Lambda functions with AWS X-Ray and structured logs to enable tracing and observability.
• Write unit tests and local integration tests using AWS Serverless Application Model (AWS SAM) CLI and provided test events.

Task 1.5 - Integrate AWS Lambda with event sources and services

• Configure event source mappings for Amazon SQS, Amazon DynamoDB Streams, and Amazon Kinesis with correct batch size and parallelization settings.
• Tune Amazon Kinesis and DynamoDB Streams iterator age and batch window to meet latency and throughput requirements.
• Implement partial batch response for Amazon SQS to acknowledge successful records while retrying failures.
• Build API backends with Amazon API Gateway and GraphQL APIs with AWS AppSync; map request or resolver context to function and data source inputs.
• Validate inputs with API Gateway request validators and models before invoking your AWS Lambda function.
• Use Lambda function URLs, API Gateway Lambda authorizers, or Amazon Cognito authorizers appropriately based on authentication needs.
• Set up file processing pipelines by integrating Amazon S3 event notifications with AWS Lambda and filtering by object key prefix or suffix.
• Invoke AWS Step Functions synchronously or asynchronously from Lambda and handle task tokens for callbacks.
• Configure Amazon EventBridge to trigger Lambda on schedule (rate or cron) and on specific service events.
• Manage concurrency for stream-based Lambdas using parallelization factor and maximum concurrency.
• Handle idempotency for Lambda-triggered events to ensure exactly-once side effects.

Task 1.6 - Use data stores and streaming services in application development

• Choose between relational databases (Amazon RDS or Amazon Aurora) and non-relational databases (Amazon DynamoDB) based on access patterns.
• Model Amazon DynamoDB tables with optimal partition keys and sort keys to distribute workload evenly.
• Compare query versus scan in DynamoDB and implement GSI or LSI indexing for efficient access.
• Apply optimistic concurrency control with DynamoDB ConditionExpression and version attributes.
• Implement caching strategies (write-through, read-through, lazy loading, TTL) with Amazon ElastiCache or Amazon MemoryDB for Redis.
• Serialize and deserialize payloads (JSON, Avro, Protobuf) efficiently to persist and retrieve from data stores.
• Use DynamoDB TTL and Amazon S3 lifecycle rules to manage data retention and archival.
• Select S3 storage classes based on access frequency and retrieval times for cost optimization.
• Implement transactions in DynamoDB and relational databases when atomic multi-item operations are required.
• Build producers and consumers for Amazon Kinesis Data Streams and scale shards based on throughput.
• Use AWS SDK clients with connection reuse and prepared statements to optimize Amazon RDS access patterns.

Domain 2: Security (26%)

Practice this topic →

Task 2.1 - IAM fundamentals for application developers

• Distinguish between identity-based policies, resource-based policies, and permission boundaries and when to use each.
• Write least-privilege AWS Identity and Access Management (IAM) policies with explicit actions, resources, and condition keys.
• Configure trust policies and assume-role flows for cross-account access in applications.
• Use AWS Security Token Service (AWS STS) AssumeRole and AssumeRoleWithWebIdentity to obtain temporary credentials securely.
• Implement role chaining and manage session duration to balance security and usability.
• Choose between AWS managed policies and customer-managed policies to control updates and blast radius.
• Apply role-based access control (RBAC) using IAM roles and groups mapped to application roles.
• Use IAM policy variables and tags to implement attribute-based access control (ABAC) patterns.
• Attach resource policies to Amazon S3, Amazon SQS, Amazon SNS, and Amazon EventBridge to allow cross-account access safely.
• Audit API calls and changes with AWS CloudTrail and filter by user identity to validate access paths.

Task 2.2 - Federated identity and Amazon Cognito

• Compare Amazon Cognito user pools and identity pools and map use cases to each.
• Configure OAuth 2.0 flows (Authorization Code, Implicit, Client Credentials) with Cognito user pools.
• Validate and verify JSON Web Tokens (JWTs) including signature, issuer, audience, and expiration in application backends.
• Use Cognito hosted UI, domains, and app clients to enable secure sign-in.
• Create Cognito groups and custom attributes to support RBAC and fine-grained authorization.
• Integrate Cognito with external identity providers via OpenID Connect (OIDC) or SAML and map claims to user pool attributes.
• Exchange Cognito tokens for AWS credentials through identity pools to call AWS services directly.
• Implement Cognito Lambda triggers (pre-signup, post-confirmation, pre-authentication) to customize authentication flows.
• Protect APIs with Amazon API Gateway Cognito authorizers versus Lambda authorizers and API keys.
• Refresh and revoke tokens securely and handle token expiration gracefully in clients.

Task 2.3 - Encryption in transit and at rest

• Choose between client-side and server-side encryption and implement each where appropriate.
• Use AWS Key Management Service (AWS KMS) customer managed keys for S3 (SSE-KMS), EBS, RDS, DynamoDB, and SQS when encryption at rest is required.
• Generate, use, and rotate data keys with KMS envelope encryption for application-level protection.
• Enable and verify TLS for SDK calls and enforce minimum TLS versions for endpoints.
• Request and manage public certificates with AWS Certificate Manager (ACM) for CloudFront, Application Load Balancer (ALB), and API Gateway custom domains.
• Enable automatic and manual rotation for customer managed KMS keys and evaluate rotation impact.
• Share KMS keys across accounts using key policies and grants to permit cross-account encryption.
• Implement mutual TLS (mTLS) on API Gateway or ALB when mutual authentication is needed.
• Evaluate performance and cost impacts of different encryption strategies and mitigate with caching.

Task 2.4 - Secrets and sensitive data handling

• Classify data types (PII, PHI, secrets) and choose appropriate storage and access controls.
• Store application secrets in AWS Secrets Manager with automatic rotation for supported services.
• Use AWS Systems Manager Parameter Store (standard vs. advanced) for configuration parameters with KMS encryption.
• Avoid hardcoding credentials; load secrets securely via environment variables or runtime fetch.
• Encrypt AWS Lambda environment variables with KMS and decrypt only when needed in code.
• Implement least-privilege IAM roles for applications that read secrets and parameters.
• Redact sensitive values from logs and traces using structured logging fields.
• Use resource policies on Secrets Manager to permit cross-account read with audit controls.
• Cache secrets in memory and handle rotation events without service interruption.
• Validate that build and deployment artifacts do not leak secrets using automated scanners.
• Apply secure handling of Amazon S3 presigned URLs and restrict actions, bucket, and expiration appropriately.

Task 2.5 - Application authorization patterns

• Build authorization middleware that interprets JWT scopes and claims to enforce access control.
• Map application-level roles to IAM roles or policies for calls to AWS services.
• Use Amazon S3 bucket policies, ACLs, and Block Public Access to secure object data.
• Protect APIs with AWS WAF rate-based and IP match rules to mitigate common attacks.
• Implement fine-grained access to DynamoDB items using IAM condition keys such as dynamodb:LeadingKeys.
• Leverage AWS STS session tags to pass user context to downstream resource authorization.
• Secure WebSocket APIs with Cognito authorizers or IAM-based authentication as required.
• Apply presigned POST policies for direct S3 uploads with minimal permissions.
• Use service-linked roles safely when AWS services act on behalf of your application.
• Review and test policy evaluation using IAM Policy Simulator and IAM Access Analyzer.
• Design token propagation and revocation strategies for microservices that rely on bearer tokens.

Domain 3: Deployment (24%)

Practice this topic →

Task 3.1 - Prepare deployment artifacts and configuration

• Structure AWS Lambda zip packages with correct handler paths and dependency folders for each runtime.
• Build and publish Lambda container images to Amazon ECR with minimal base layers and multi-stage Dockerfiles.
• Create and version Lambda layers for shared libraries across functions.
• Externalize configuration using AWS AppConfig, Parameter Store, and environment variables.
• Package static assets to Amazon S3 with cache-control headers and content hashing for cache busting.
• Define runtime resource needs (memory, CPU, storage) and encode them in infrastructure as code templates.
• Use AWS CodeArtifact to manage private package repositories and upstream connections.
• Implement semantic versioning for application artifacts and image tags.
• Prepare database migration scripts and roll-forward or rollback plans for Amazon RDS and Amazon DynamoDB changes.
• Configure build-time versus runtime feature flags and fetch strategies.
• Create IAM roles and permissions required by applications as part of deployment packages.
• Harden container images by scanning for CVEs and removing unnecessary tools and shells.

Task 3.2 - Test applications in development environments

• Run AWS Lambda functions locally with AWS SAM CLI using event JSONs and environment overrides.
• Mock service integrations with Amazon API Gateway using mapping templates and mock integration responses.
• Use DynamoDB Local for offline testing of table interactions and transactions.
• Write unit, integration, and contract tests that validate API schemas and error codes.
• Deploy to a dev stage using separate API Gateway stages and stage variables.
• Use Amazon CloudWatch Logs and AWS X-Ray in non-production accounts to debug integration issues.
• Employ test doubles for Amazon S3 and Amazon SNS or Amazon SQS using libraries or local emulators where appropriate.
• Isolate environment resources using unique prefixes, tags, and stack names for parallel testing.
• Validate IAM permissions in development by using restrictive policies and least privilege from the start.
• Use AWS Step Functions Local or Express Workflows for fast feedback on orchestration logic.
• Promote builds across environments without rebuilding artifacts to ensure immutability.
• Automate teardown of ephemeral test environments to control cost.

Task 3.3 - Automate deployment testing in CI/CD

• Design AWS CodePipeline stages for source, build, test, approval, and deploy with clear artifacts between stages.
• Write AWS CodeBuild buildspecs that install dependencies, run tests, and produce immutable artifacts.
• Create synthetic test events for AWS Lambda, API Gateway, and AWS SAM resources as part of automated tests.
• Gate production deployments with manual approvals and evidence links to test results.
• Use AWS CloudFormation and AWS SAM to create and update stacks via change sets and guided deployments.
• Employ branch strategies (for example, feature branches and mainline) and protected branches to control releases.
• Tag and promote container images to environment-specific tags (dev, test, prod) in Amazon ECR.
• Run integration tests against deployed test stacks using temporary test credentials.
• Use AWS CodeArtifact for dependency caching to accelerate CI builds.
• Implement parallelism and caching in CodeBuild to reduce build times.
• Orchestrate cross-account deployments with CodePipeline and role assumptions.
• Fail fast and roll back on test failures with automatic pipeline halts and notifications.

Task 3.4 - Deploy code using AWS services and strategies

• Deploy AWS Lambda functions with AWS SAM or AWS CloudFormation and manage versions and aliases.
• Implement canary and linear deployments for Lambda using AWS CodeDeploy traffic shifting.
• Configure rollback alarms for deployments based on Amazon CloudWatch metrics and CodeDeploy hooks.
• Deploy REST and HTTP APIs with Amazon API Gateway and map custom domains to stages via ACM certificates and Amazon Route 53 alias records.
• Use stage variables and Lambda aliases to route traffic to approved versions per environment.
• Perform blue/green deployments for Amazon ECS services behind Application Load Balancers with AWS CodeDeploy.
• Update Amazon CloudFront distributions to serve new S3 or API origins and invalidate cached paths as needed.
• Use AWS Copilot or AWS Amplify to provision environments and promote versions for container and web apps.
• Parameterize CloudFormation stacks for environment differences without duplicating templates.
• Implement database migration steps in pipelines with ordered actions and automatic rollbacks.
• Maintain release notes and labels (Git tags) to trace deployed versions to commits.
• Execute controlled rollbacks using previous Lambda aliases, ECS task sets, or CloudFormation stack versions.

Domain 4: Troubleshooting and Optimization (18%)

Practice this topic →

Task 4.1 - Instrument code for observability

• Emit structured JSON logs with consistent fields (timestamp, level, correlationId) for Amazon CloudWatch Logs.
• Use CloudWatch Logs Insights queries to filter, aggregate, and visualize log data.
• Implement custom metrics with CloudWatch embedded metric format (EMF) to track domain-specific KPIs.
• Set metric filters and alarms on error rates, latency, and throttles to trigger notifications.
• Propagate correlation IDs across microservices via HTTP headers and message attributes.
• Trace distributed requests with AWS X-Ray SDKs and annotations for service maps.
• Configure AWS X-Ray sampling rules to balance visibility and overhead.
• Build CloudWatch dashboards that combine metrics, logs, and alarms for service health.
• Set up alerts for quota thresholds and near-limit conditions using CloudWatch and service-specific throttling metrics.
• Instrument Lambda cold start metrics using initialization duration and provisioned concurrency metrics.
• Redact sensitive fields before logging and enforce log retention policies per environment.
• Integrate Amazon CodeGuru Reviewer to surface code issues in pull requests that affect reliability and security.

Task 4.2 - Assist in root cause analysis

• Triage incidents using CloudWatch alarms, dashboards, and recent deployment history.
• Diagnose API failures by correlating HTTP status codes, error messages, and latency distributions.
• Identify AWS SDK exceptions and map them to retriable versus terminal conditions.
• Query logs to isolate problematic tenants, users, or partitions based on identifiers.
• Use AWS X-Ray service maps and traces to locate bottlenecks and failing upstream dependencies.
• Investigate Lambda throttling, timeouts, and memory errors using concurrency and duration metrics.
• Diagnose stream processing lag by monitoring iterator age and shard-level metrics.
• Analyze AWS Step Functions execution history to find failing states and input or output transformations.
• Inspect AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline logs to resolve deployment failures quickly.
• Verify IAM permission issues using IAM Access Analyzer findings and AWS CloudTrail events.
• Validate VPC connectivity for Lambda or ECS by checking elastic network interfaces, security groups, and VPC endpoint policies.
• Document findings and create runbooks with remediation steps for recurring issues.

Task 4.3 - Optimize applications for performance and cost

• Profile code hot paths with Amazon CodeGuru Profiler and prioritize cost-effective improvements.
• Tune AWS Lambda memory to minimize duration cost while meeting latency service level objectives.
• Reuse HTTP connections and enable keep-alive to improve SDK call performance.
• Cache frequently accessed data with Amazon ElastiCache or in-memory caches in Lambda initialization.
• Optimize Amazon SQS and Amazon SNS throughput using batching, long polling, and message attributes efficiently.
• Scale Amazon Kinesis shards proactively based on observed throughput, partition key distribution, and enhanced metrics.
• Use Amazon CloudFront to cache API responses based on headers, cookies, and query strings when appropriate.
• Apply DynamoDB adaptive capacity considerations and hot partition mitigation strategies.
• Reduce cold starts with provisioned concurrency or warming strategies where justified.
• Optimize container resources (CPU and memory) and task counts for Amazon ECS services under load.
• Use cost-aware storage classes in Amazon S3 and lifecycle rules to reduce storage spend.
• Implement subscription filter policies in Amazon SNS to minimize unnecessary deliveries to subscribers.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives before moving on.