AWS Certified Developer – Associate Practice Questions
60 free questions with correct answers and detailed explanations.
60 Free Questions
2 Free Exams
100% With Explanations
DVA-C02 Practice Set-01
30 questions
Q1
A developer is using Lambda with an SQS trigger. The Lambda function batch size is 10 and processing takes 60 seconds per batch. The queue has thousands of messages. What determines how many concurrent Lambda executions will run?
A
Lambda always uses a single execution
B
Lambda scales based on the number of available messages and processing time, adding up to 60 instances per minute
C
The batch size determines concurrency
D
Reserved concurrency determines the exact count
E
Use AWS CloudFormation directly
Correct Answer
Lambda scales based on the number of available messages and processing time, adding up to 60 instances per minute
Explanation
Lambda scales up to 60 more instances per minute to consume the SQS queue. The maximum concurrency is approximately equal to the number of messages divided by the average processing time. For 5 shards (or message groups in FIFO), concurrency matches groups. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html
Q2
A developer is building an API that accepts file uploads up to 100 MB. API Gateway has a 10 MB payload size limit. How should the developer handle large file uploads?
A
Increase the API Gateway payload limit to 100 MB
B
Generate a presigned S3 URL via the API and have the client upload directly to S3
C
Split the file into 10 MB chunks
D
Use a Network Load Balancer instead
E
Switch to on-premises hosting
Correct Answer
Generate a presigned S3 URL via the API and have the client upload directly to S3
Explanation
Generating a presigned S3 URL and returning it to the client allows direct upload to S3, bypassing API Gateway's 10 MB limit. The client uploads directly to S3 using the presigned URL. Learn more: https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html
Q3
A developer needs to store 10 KB of temporary state data between two Step Functions states. The data is used only within the current workflow execution. Where should the developer store this data?
A
Amazon S3
B
Pass the data through the Step Functions state machine input/output (up to 256 KB per state)
C
Amazon DynamoDB
D
Amazon ElastiCache
E
Lambda /tmp directory
Correct Answer
Pass the data through the Step Functions state machine input/output (up to 256 KB per state)
Explanation
Step Functions passes state between states via the state machine's JSON input/output. Up to 256 KB of data can flow between states within the execution. No external storage is needed for small payloads. Learn more: https://docs.aws.amazon.com/step-functions/latest/dg/concepts-input-output-filtering.html
Q4
A developer stores API keys for external services in Systems Manager Parameter Store as SecureString. The Lambda function retrieves them using the GetParameter API with WithDecryption=true. The call fails. What is the MOST likely missing permission?
A
ssm:PutParameter
B
kms:Decrypt permission on the KMS key used to encrypt the SecureString parameter
C
s3:GetObject
D
secretsmanager:GetSecretValue
Correct Answer
kms:Decrypt permission on the KMS key used to encrypt the SecureString parameter
Explanation
Retrieving a SecureString parameter with decryption requires ssm:GetParameter on the parameter AND kms:Decrypt on the KMS key used to encrypt it. If only the SSM permission is granted, decryption fails. Learn more: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-securestring.html
Q5
A developer needs to implement token refresh in a mobile application using Cognito. The ID and access tokens expire after 1 hour. How should the application handle expired tokens?
A
Require the user to sign in again every hour
B
Use the refresh token to obtain new ID and access tokens without requiring re-authentication
C
Cache the expired tokens
D
Extend the token lifetime to 24 hours
Correct Answer
Use the refresh token to obtain new ID and access tokens without requiring re-authentication
Explanation
Cognito refresh tokens (valid for days to years) can be exchanged for new ID and access tokens without re-authentication. The SDK's Auth flow handles this automatically. Learn more: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html
Q6
A developer's application handles sensitive data and must comply with security best practices. Which TWO approaches secure data in transit? (Choose TWO.)
A
Enforce HTTPS for all API Gateway endpoints
B
Use HTTP for faster performance
C
Use VPC interface endpoints with TLS for internal service communication
D
Disable encryption for internal traffic
Correct Answers
Enforce HTTPS for all API Gateway endpoints
Use VPC interface endpoints with TLS for internal service communication
Explanation
HTTPS (TLS) encrypts data between the client and API Gateway. VPC endpoints with TLS keep internal traffic encrypted and within the AWS network. Learn more: https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/transit.html
Q7
A developer needs to implement Cognito custom authentication flows. The sign-in process requires answering a security question before receiving an OTP. Which Cognito feature supports custom multi-step authentication?
A
Standard Cognito sign-in flow
B
Cognito Custom Authentication flow with Define, Create, and Verify Auth Challenge Lambda triggers
C
MFA with SMS only
D
API Gateway custom authorizer
Correct Answer
Cognito Custom Authentication flow with Define, Create, and Verify Auth Challenge Lambda triggers
Explanation
Cognito Custom Authentication with Define, Create, and Verify Auth Challenge Lambda triggers implements multi-step authentication flows. Each challenge step is handled by a separate trigger. Learn more: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
Q8
A developer is using KMS to encrypt data. They need to track who used a specific KMS key and which operations were performed. Which AWS service provides this audit trail?
A
Amazon CloudWatch
B
AWS CloudTrail
C
AWS Config
D
Amazon GuardDuty
Correct Answer
AWS CloudTrail
Explanation
AWS CloudTrail logs all KMS API calls including Encrypt, Decrypt, GenerateDataKey, and key management operations. This provides a complete audit trail of key usage. Learn more: https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html
Q9
A developer is troubleshooting Lambda performance. Which TWO CloudWatch metrics help identify performance issues? (Choose TWO.)
A
Duration metric showing execution time
B
Invocations count only
C
ConcurrentExecutions showing parallel execution count relative to limits
D
CodeSize metric
Correct Answers
Duration metric showing execution time
ConcurrentExecutions showing parallel execution count relative to limits
Explanation
Duration shows execution time (including cold start). ConcurrentExecutions shows how many functions run simultaneously — hitting limits causes throttling. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html
Q10
A developer notices that their X-Ray traces are incomplete — some downstream calls are missing from the service map. The application calls DynamoDB and an external HTTP API. What should the developer check?
A
Check Lambda memory
B
Ensure both the AWS SDK and HTTP client are instrumented with the X-Ray SDK in the application code
C
Enable VPC Flow Logs
D
Increase Lambda timeout
Correct Answer
Ensure both the AWS SDK and HTTP client are instrumented with the X-Ray SDK in the application code
Explanation
The X-Ray SDK must instrument BOTH the AWS SDK client (for DynamoDB traces) AND the HTTP client (for external API traces). If only one is instrumented, the other calls won't appear. Learn more: https://docs.aws.amazon.com/xray/latest/devguide/xray-sdk-python-middleware.html
Q11
A developer uses CloudWatch Logs Insights to analyze Lambda function performance. They want to find the average and p99 duration for the function over the last 24 hours. Which query accomplishes this?
Filtering for REPORT log lines (which contain duration data) and using stats to calculate avg and percentile gives the performance distribution. Learn more: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
Q12
A developer's Step Functions workflow has a Map state that processes 1,000 items. Each item triggers a Lambda function. Many invocations fail with throttling errors because they exceed the Lambda concurrency limit. How should the developer control the concurrency?
A
Increase Lambda timeout
B
Set the MaxConcurrency parameter on the Map state to limit parallel Lambda invocations within concurrency limits
C
Remove the Map state
D
Use Express Workflows instead
Correct Answer
Set the MaxConcurrency parameter on the Map state to limit parallel Lambda invocations within concurrency limits
Explanation
Step Functions Map state supports a MaxConcurrency parameter that limits how many items are processed in parallel. Setting it to a value within the Lambda concurrency limit prevents throttling. Learn more: https://docs.aws.amazon.com/step-functions/latest/dg/amazon-states-language-map-state.html
Q13
A developer is using SQS with a Lambda consumer. Messages are failing processing and being sent to a DLQ. The developer needs to analyze and replay the failed messages. Which SQS feature allows moving DLQ messages back to the source queue?
A
Delete and recreate the DLQ
B
Use SQS DLQ redrive to move messages from the DLQ back to the source queue for reprocessing
C
Manually read and re-send each message
D
Increase the visibility timeout on the DLQ
Correct Answer
Use SQS DLQ redrive to move messages from the DLQ back to the source queue for reprocessing
Explanation
SQS DLQ redrive allows moving messages from the DLQ back to the source queue (or another queue) for reprocessing. This is done via the console or API without writing custom code. Learn more: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html
Q14
A developer's application uses API Gateway with Lambda. During load testing, the API returns 502 Bad Gateway errors. Lambda CloudWatch Logs show successful execution. API Gateway logs show 'Execution failed due to configuration error: Malformed Lambda proxy response'. What is the issue?
A
Lambda memory is insufficient
B
The Lambda function's response does not match the required proxy integration format — it must return {statusCode, headers, body} as a properly structured object
C
API Gateway is overloaded
D
The Lambda function timeout is too short
Correct Answer
The Lambda function's response does not match the required proxy integration format — it must return {statusCode, headers, body} as a properly structured object
Explanation
Lambda proxy integration requires a specific response format: {statusCode: number, headers: object, body: string}. If the function returns a different format, API Gateway cannot parse it and returns 502. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html
Q15
A developer is building a microservices application. Service A publishes events that both Service B and Service C need to process independently. Service B requires guaranteed delivery. Which TWO components create this architecture? (Choose TWO.)
A
Publish events to an SNS topic
B
Send events directly to each service via HTTP
C
Subscribe SQS queues for Service B and Service C to the SNS topic
D
Use a shared DynamoDB table for event passing
Correct Answers
Publish events to an SNS topic
Subscribe SQS queues for Service B and Service C to the SNS topic
Explanation
SNS provides fan-out to multiple subscribers. SQS subscriptions guarantee delivery — if the consumer is temporarily unavailable, messages are retained in the queue. This SNS+SQS pattern ensures reliable, independent processing. Learn more: https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html
Q16
A developer is using Lambda to process DynamoDB Streams events. The function must handle INSERT events differently from MODIFY events. How does the function determine the event type?
A
Check the HTTP method
B
Inspect the eventName field in each DynamoDB Streams record (INSERT, MODIFY, or REMOVE)
C
Use separate Lambda functions per event type
D
Check the DynamoDB table settings
Correct Answer
Inspect the eventName field in each DynamoDB Streams record (INSERT, MODIFY, or REMOVE)
Explanation
DynamoDB Streams records include an eventName field with values INSERT, MODIFY, or REMOVE. The Lambda handler inspects this field to determine the type of change. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.Lambda.html
Q17
A developer needs to implement request validation on API Gateway before the request reaches the Lambda function. Invalid requests should be rejected with a 400 error without invoking Lambda. Which API Gateway feature provides this?
A
Lambda authorizer
B
API Gateway request validators with a JSON Schema model
C
API Gateway usage plans
D
API Gateway throttling
Correct Answer
API Gateway request validators with a JSON Schema model
Explanation
API Gateway request validators check the request body, query strings, and headers against a model (JSON Schema) BEFORE invoking the backend. Invalid requests are rejected with 400 Bad Request. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-method-request-validation.html
Q18
A developer's Lambda function writes 5,000 items to DynamoDB per invocation. Writing items one at a time is slow. Which DynamoDB API optimizes batch writes?
A
PutItem in a loop
B
Use BatchWriteItem to write up to 25 items per request
C
Use TransactWriteItems for all writes
D
Use DynamoDB Streams
Correct Answer
Use BatchWriteItem to write up to 25 items per request
Explanation
BatchWriteItem writes up to 25 items per call, significantly reducing the number of API calls. The developer processes items in batches of 25 for maximum throughput. Note: BatchWriteItem does not support conditional expressions. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithItems.html
Q19
A developer has a Lambda function that calls two external APIs sequentially. API-A takes 3 seconds and API-B takes 2 seconds. Total execution time is 5+ seconds. How can the developer reduce total execution time?
A
Increase Lambda memory
B
Make both API calls concurrently using asynchronous programming patterns
C
Increase Lambda timeout to 15 minutes
D
Use separate Lambda functions for each API call
E
Switch to EC2 for faster processing
Correct Answer
Make both API calls concurrently using asynchronous programming patterns
Explanation
Making the API calls concurrently (using async/await Promise.all in Node.js or asyncio.gather in Python) allows both calls to execute simultaneously. Total time becomes max(3,2) = 3 seconds instead of 3+2 = 5. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
Q20
A developer needs to store 500 MB of reference data that a Lambda function reads on every invocation. Downloading from S3 on each invocation adds 2 seconds of latency. How should the developer optimize this?
A
Increase Lambda timeout
B
Mount an EFS file system to the Lambda function for persistent, shared access to the 500 MB dataset
C
Embed the data in the deployment package
D
Use Lambda environment variables
Correct Answer
Mount an EFS file system to the Lambda function for persistent, shared access to the 500 MB dataset
Explanation
Lambda Layers can package reference data (up to 250 MB unzipped per layer). For larger datasets, loading data into /tmp during the first invocation and reusing it via execution context caching eliminates repeated S3 downloads. EFS can also mount large datasets. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/chapter-layers.html
Q21
A developer is building an API with API Gateway that needs to transform the incoming JSON request body before passing it to a Lambda function. For example, renaming fields and adding default values. Which API Gateway feature handles this transformation?
A
API Gateway stages
B
API Gateway mapping templates with VTL
C
API Gateway authorizers
D
API Gateway models only
Correct Answer
API Gateway mapping templates with VTL
Explanation
API Gateway mapping templates (written in Velocity Template Language - VTL) transform the request body before forwarding to the backend. They can rename fields, add defaults, and restructure the payload. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-data-transformations.html
Q22
A developer is implementing API Gateway with a Cognito User Pool authorizer. After sign-in, the mobile app receives tokens. Which token does the Cognito authorizer validate when it receives a request?
A
Refresh token
B
ID token or access token (configurable) — ID token for identity claims, access token for scopes
C
API key
D
Session cookie
E
SAML assertion
Correct Answer
ID token or access token (configurable) — ID token for identity claims, access token for scopes
Explanation
API Gateway Cognito authorizers validate the ID token or access token (configurable). The ID token contains user identity claims (name, email, groups). The access token contains scopes for authorization. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Q23
A developer needs to encrypt a 10 MB file before uploading it to S3. Using KMS directly fails because KMS Encrypt has a 4 KB plaintext limit. What should the developer use?
A
Split the file into 4 KB chunks and encrypt each separately
B
Use KMS GenerateDataKey for envelope encryption — encrypt the file with the data key, then store the encrypted data key
C
Increase the KMS payload limit
D
Use S3 SSE-S3 instead
Correct Answer
Use KMS GenerateDataKey for envelope encryption — encrypt the file with the data key, then store the encrypted data key
Explanation
The envelope encryption pattern uses KMS GenerateDataKey to create a plaintext data key and an encrypted copy. The application encrypts the file with the plaintext key, then stores the encrypted key alongside the encrypted file. Learn more: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping
Q24
A developer is securing a Lambda function. Which TWO IAM role types are involved in Lambda security? (Choose TWO.)
A
Execution role — grants the function permission to access AWS services
B
Service-linked role for Lambda scaling
C
Resource-based policy — controls who can invoke the function
D
Instance profile for Lambda
Correct Answers
Execution role — grants the function permission to access AWS services
Resource-based policy — controls who can invoke the function
Explanation
The execution role grants the Lambda function permission to access AWS services (S3, DynamoDB, etc.). The invocation policy (resource-based) controls which principals can invoke the function. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
Q25
A developer is using STS AssumeRole to get temporary credentials for cross-account access. The temporary credentials expire after 1 hour. The application needs to handle credential refresh. What is the recommended approach?
A
Cache the credentials and manually call AssumeRole after 1 hour
B
Use the SDK's built-in STS credential provider for automatic credential refresh before expiration
C
Create an IAM user with long-term keys instead
D
Store credentials in Secrets Manager
Correct Answer
Use the SDK's built-in STS credential provider for automatic credential refresh before expiration
Explanation
The AWS SDK credential providers handle automatic credential refresh for assumed roles. Using the STS credential provider (e.g., STSAssumeRoleCredentialProvider), the SDK automatically calls AssumeRole again before credentials expire. Learn more: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
Q26
A developer is deploying a containerized application to ECS. Which TWO configuration files are needed for a CodeDeploy blue/green deployment on ECS? (Choose TWO.)
A
appspec.yaml with ECS deployment configuration
B
buildspec.yml for ECS
C
taskdef.json with container definitions
D
Dockerfile for CodeDeploy
Correct Answers
appspec.yaml with ECS deployment configuration
taskdef.json with container definitions
Explanation
The appspec.yaml for ECS defines the deployment configuration including task definition and container details. The taskdef.json specifies the container definitions, resources, and networking. CodeDeploy uses both for ECS deployments. Learn more: https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html
Q27
A developer is using AWS CDK and wants to avoid redeploying an entire stack when only one Lambda function's code changes. Which CDK feature enables this faster deployment?
A
cdk synth
B
cdk deploy --hotswap for fast Lambda-only updates
C
cdk destroy and redeploy
D
cdk diff only
Correct Answer
cdk deploy --hotswap for fast Lambda-only updates
Explanation
'cdk deploy --hotswap' detects that only the Lambda code changed and directly updates the function without a full CloudFormation stack update. This significantly speeds up development iterations. Learn more: https://docs.aws.amazon.com/cdk/v2/guide/cli.html
Q28
A developer is managing multiple API versions in API Gateway. They have v1 and v2 of their API running simultaneously. How should they configure API Gateway to support both versions?
A
Create separate AWS accounts per version
B
Use API Gateway stages or path-based routing with different integrations per version
C
Use Lambda environment variables for versioning
D
Deploy versions on different days
Correct Answer
Use API Gateway stages or path-based routing with different integrations per version
Explanation
API Gateway stages (v1, v2) can point to different Lambda function aliases or different integrations. Alternatively, path-based routing (/v1/resource, /v2/resource) with different integrations per path supports multiple versions. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
Q29
A developer needs to ensure that CloudFormation creates an S3 bucket first, then creates a Lambda function that depends on the bucket. How should the developer define this dependency in the template?
A
List resources in the desired order
B
Use the DependsOn attribute on the Lambda resource pointing to the S3 bucket
C
Use Fn::If conditionals
D
Create two separate templates
Correct Answer
Use the DependsOn attribute on the Lambda resource pointing to the S3 bucket
Explanation
The DependsOn attribute in CloudFormation explicitly specifies that one resource depends on another. CloudFormation creates the S3 bucket first, then creates the Lambda function. For Ref/GetAtt, CloudFormation infers dependencies automatically. Learn more: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
Q30
A developer is deploying a new version of their application using Elastic Beanstalk. They want to test the new version in a separate environment and then swap URLs to route production traffic. Which Elastic Beanstalk feature supports this?
Elastic Beanstalk URL swap (CNAME swap) exchanges the environment URLs between two environments. Deploy the new version to a clone environment, test it, then swap URLs to redirect production traffic. Learn more: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html
DVA-C02 Practice Set-02
30 questions
Q1
A developer is writing a Lambda function in Python that processes messages from an SQS queue. The function creates an AWS SDK client inside the handler. During load testing, the function performs slowly due to repeated client initialization. How should the developer optimize this?
A
Increase the Lambda timeout to 15 minutes
B
Move the SDK client instantiation outside the handler function to leverage execution context reuse
C
Increase the Lambda memory allocation to maximum
D
Use provisioned concurrency for every invocation
E
Use AWS CloudFormation directly
Correct Answer
Move the SDK client instantiation outside the handler function to leverage execution context reuse
Explanation
Instantiating the SDK client OUTSIDE the handler function allows Lambda to reuse it across invocations via execution context reuse. This eliminates repeated initialization overhead and significantly improves performance. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
Q2
A developer has a DynamoDB table with a composite primary key (userId as partition key and orderDate as sort key). The application needs to query all orders for a specific user sorted by date in descending order. Which API call is MOST efficient?
A
Use a Scan operation with a FilterExpression on userId
B
Use a Query operation with ScanIndexForward set to false
C
Create a Global Secondary Index with orderDate as partition key
D
Use a GetItem operation with both keys
E
Switch to on-premises hosting
Correct Answer
Use a Query operation with ScanIndexForward set to false
Explanation
The Query API with the partition key (userId) and ScanIndexForward=false returns items sorted by the sort key (orderDate) in descending order. This reads only the items for that user, unlike Scan which reads the entire table. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.html
Q3
A developer is building a serverless API using API Gateway and Lambda. The API returns product catalog data that changes every 30 minutes. The API receives 50,000 identical requests per minute. How should the developer reduce Lambda invocations while keeping data fresh?
A
Increase Lambda concurrency limits
B
Enable API Gateway caching with a 30-minute TTL
C
Store responses in S3 and serve directly
D
Use Lambda provisioned concurrency
E
Use CloudFront with API Gateway
Correct Answer
Enable API Gateway caching with a 30-minute TTL
Explanation
API Gateway stage-level caching stores responses for a configurable TTL. Setting a 30-minute TTL matches the data refresh interval, so repeated identical requests are served from cache without invoking Lambda. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
Q4
A developer is implementing a fan-out architecture where a single order event must be processed by three independent downstream services: inventory, billing, and shipping. Each service uses an SQS queue. Which architecture pattern achieves this?
A
Write the event to each SQS queue individually from the application
B
Publish the event to an SNS topic with each SQS queue subscribed to the topic
C
Use a single SQS queue with three consumers
D
Use Amazon Kinesis with three shards
E
Use the default AWS-managed key only
Correct Answer
Publish the event to an SNS topic with each SQS queue subscribed to the topic
Explanation
Publishing the order event to an SNS topic with three SQS queue subscriptions ensures each service receives an independent copy of every event. This is the standard SNS-SQS fan-out pattern. Learn more: https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html
Q5
A developer is building an event-driven application where an S3 PutObject event triggers a Lambda function. Occasionally, S3 delivers duplicate event notifications. The Lambda function writes to DynamoDB, causing duplicate records. How should the developer prevent duplicate processing?
A
Increase the Lambda timeout
B
Implement idempotent processing by using a DynamoDB conditional write that checks for the event ID before inserting
C
Use SQS FIFO between S3 and Lambda
D
Disable S3 event notifications and poll S3 instead
E
Deploy to a single Region only
Correct Answer
Implement idempotent processing by using a DynamoDB conditional write that checks for the event ID before inserting
Explanation
Using a conditional PutItem with a condition that the event ID does not already exist makes the Lambda function idempotent. If the same event is delivered twice, the second write fails the condition and is safely ignored. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Expressions.ConditionExpressions.html
Q6
A developer is designing a DynamoDB table for a social media application. Users post messages that are queried by userId (most common) and occasionally by hashtag. Which TWO design decisions are correct? (Choose TWO.)
A
Use userId as the partition key with timestamp as the sort key
B
Use hashtag as the partition key for all queries
C
Create a Global Secondary Index with hashtag as the partition key
D
Use Scan with a FilterExpression for hashtag queries
Correct Answers
Use userId as the partition key with timestamp as the sort key
Create a Global Secondary Index with hashtag as the partition key
Explanation
Using userId as the partition key optimizes the most common access pattern. A GSI on hashtag enables efficient queries by hashtag without full table scans. The sort key (timestamp) allows range queries within a user's posts. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html
Q7
A developer's Lambda function processes Kinesis Data Streams records. When a malformed record is encountered, the function throws an exception and the entire batch fails. The shard is blocked because the bad record keeps being retried. How should the developer handle this?
A
Delete the Kinesis stream and recreate it
B
Configure bisect-on-function-error with maximum retry count and an on-failure SQS destination
C
Increase the Lambda timeout to avoid failures
D
Skip error handling in the function code
Correct Answer
Configure bisect-on-function-error with maximum retry count and an on-failure SQS destination
Explanation
Configuring bisect-on-function-error with a maximum retry count and an on-failure destination (SQS DLQ) isolates the bad record through binary search. After max retries, the poison pill is sent to the DLQ and processing continues. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html
Q8
A developer needs to implement a caching strategy for a DynamoDB-backed application. The application reads the same 1,000 items repeatedly but writes are infrequent. Which caching pattern is MOST appropriate?
A
Write-through caching for all operations
B
Lazy loading (cache-aside) with ElastiCache
C
Write-behind caching with SQS
D
Disable caching and increase DynamoDB RCUs
Correct Answer
Lazy loading (cache-aside) with ElastiCache
Explanation
Lazy loading (cache-aside) only caches data when it is requested. On a cache miss, data is fetched from DynamoDB and stored in the cache. This is ideal for read-heavy workloads where the same items are repeatedly accessed. Learn more: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Strategies.html
Q9
A developer is building a mobile application that requires users to sign up with email/password and also supports Google and Facebook social logins. After authentication, the app needs temporary AWS credentials to access S3 directly. Which AWS service handles both requirements?
A
IAM users for each mobile user
B
Amazon Cognito User Pools for authentication and Identity Pools for temporary AWS credentials
C
API Gateway API keys for each user
D
AWS STS AssumeRole directly from the mobile app
Correct Answer
Amazon Cognito User Pools for authentication and Identity Pools for temporary AWS credentials
Explanation
Amazon Cognito User Pools handle user sign-up, sign-in, and social identity federation. Cognito Identity Pools exchange User Pool tokens for temporary AWS credentials (via STS) scoped by IAM roles. Learn more: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
Q10
A developer stores database credentials in a Lambda function's environment variables encrypted with the default Lambda service key. The security team requires that credentials be stored in a centralized service with automatic rotation capability. Which solution meets this requirement?
A
Store credentials in an S3 bucket with SSE-S3
B
Use AWS Systems Manager Parameter Store SecureString
Migrate credentials to AWS Secrets Manager with automatic rotation enabled
D
Hardcode credentials in the Lambda deployment package
E
Keep encrypted environment variables with custom KMS key
Correct Answer
Migrate credentials to AWS Secrets Manager with automatic rotation enabled
Explanation
Secrets Manager provides centralized credential storage, encryption with KMS, and native automatic rotation for RDS databases. The Lambda function retrieves the secret at runtime via the SDK. Learn more: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
Q11
A developer is building an API Gateway REST API that needs to authenticate requests using JWT tokens issued by a corporate identity provider (not Cognito). Which API Gateway feature validates these tokens?
A
API Gateway API keys
A Lambda authorizer that validates the JWT tokens
C
IAM authorization with SigV4
D
Cognito User Pool authorizer
Correct Answer
A Lambda authorizer that validates the JWT tokens
Explanation
A Lambda authorizer (also called a custom authorizer) can validate JWT tokens by calling the identity provider's JWKS endpoint or performing custom validation logic. It returns an IAM policy allowing or denying the request. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Q12
A developer needs to encrypt sensitive data before storing it in DynamoDB. The encryption key must be rotated annually and the developer's application must manage the encryption/decryption. Which approach is correct?
A
Rely on DynamoDB default encryption at rest
Use the AWS Encryption SDK with a customer-managed KMS key that has automatic annual rotation enabled
C
Encrypt with a hardcoded AES key in the application
D
Use S3 server-side encryption for DynamoDB data
Correct Answer
Use the AWS Encryption SDK with a customer-managed KMS key that has automatic annual rotation enabled
Explanation
Using the AWS Encryption SDK with a KMS customer-managed key (CMK) performs client-side encryption. KMS automatic key rotation rotates the CMK annually. The application encrypts data before writing to DynamoDB. Learn more: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
Q13
A developer is building a web application with Amazon Cognito. The app needs sign-up/sign-in functionality (authentication) AND temporary AWS credentials to access DynamoDB directly from the browser. Which TWO Cognito components are required? (Choose TWO.)
Cognito User Pool for user authentication and JWT token issuance
B
Cognito Sync for credential management
Cognito Identity Pool for exchanging tokens for temporary AWS credentials
D
API Gateway for credential management
Correct Answers
Cognito User Pool for user authentication and JWT token issuance
Cognito Identity Pool for exchanging tokens for temporary AWS credentials
Explanation
User Pools provide authentication (sign-up, sign-in, JWT tokens). Identity Pools exchange User Pool tokens for temporary AWS credentials (via STS) that allow direct AWS service access from the client. Learn more: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
Q14
A developer has a Lambda function that assumes an IAM role to access S3 in another AWS account. The cross-account access is failing with an AccessDenied error. The IAM role policy in the target account allows S3 access. What is the MOST likely cause?
A
The Lambda function timeout is too short
The IAM role's trust policy does not include the Lambda function's execution role as a trusted principal
C
S3 does not support cross-account access
D
The Lambda function needs more memory
Correct Answer
The IAM role's trust policy does not include the Lambda function's execution role as a trusted principal
Explanation
For cross-account role assumption, the role's trust policy must specify the source account's principal (Lambda execution role ARN). If the trust policy doesn't trust the source, AssumeRole fails with AccessDenied. Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
Q15
A developer is deploying a Lambda function using AWS SAM. The SAM template defines an API Gateway endpoint and a DynamoDB table. Which command packages the SAM template and uploads artifacts to S3?
A
sam init
sam package (or sam build followed by sam deploy)
C
sam validate
D
sam local invoke
Correct Answer
sam package (or sam build followed by sam deploy)
Explanation
'sam package' (or 'sam build' followed by 'sam deploy') packages the Lambda code, uploads it to S3, and creates a packaged CloudFormation template with the S3 references. Learn more: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-package.html
Q16
A developer has deployed a new Lambda function version. They want to shift 10% of traffic to the new version while keeping 90% on the previous version for canary testing. Which Lambda feature enables this?
A
Lambda Layers
Lambda alias with weighted routing between two versions
C
Lambda environment variables
D
Lambda Extensions
E
Lambda reserved concurrency
Correct Answer
Lambda alias with weighted routing between two versions
Explanation
Lambda aliases with weighted routing allow pointing an alias to two function versions with configurable traffic percentages. This enables canary deployments where a small percentage tests the new version. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
Q17
A developer is setting up a CI/CD pipeline using CodePipeline. The pipeline must: pull code from CodeCommit, build with CodeBuild, and deploy to Elastic Beanstalk. In which order are these stages configured?
Explanation
CodePipeline stages execute in order: Source (CodeCommit) → Build (CodeBuild) → Deploy (Elastic Beanstalk). Each stage can have one or more actions. Learn more: https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html
Q18
A developer needs to deploy a new version of an application to an EC2 fleet managed by CodeDeploy. The deployment should route traffic to the new version gradually: 10% first, then 100% after 10 minutes if no errors. Which CodeDeploy deployment configuration fits?
A
CodeDeployDefault.AllAtOnce
A canary deployment configuration routing 10% initially, then 100% after 10 minutes
C
CodeDeployDefault.HalfAtATime
D
Rolling deployment with 1 instance at a time
Correct Answer
A canary deployment configuration routing 10% initially, then 100% after 10 minutes
Explanation
CodeDeploy's CodeDeployDefault.LambdaCanary10Percent10Minutes routes 10% of traffic to the new version and waits 10 minutes before routing the remaining 90%. For EC2, a similar canary configuration achieves this. Learn more: https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations.html
Q19
A developer is deploying a serverless application with AWS SAM. The template includes a Lambda function, API Gateway, and DynamoDB table. Which TWO files are essential for the deployment? (Choose TWO.)
SAM template file (template.yaml) defining serverless resources
B
Dockerfile for Lambda
Application code file with the Lambda handler function
D
buildspec.yml for SAM deployment
Correct Answers
SAM template file (template.yaml) defining serverless resources
Application code file with the Lambda handler function
Explanation
The SAM template (template.yaml) defines all resources using the AWS::Serverless transform. The application code (e.g., app.py or index.js) contains the Lambda handler logic. Both are required for SAM deployment. Learn more: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification.html
Q20
A developer deploys a new Lambda function version but discovers a critical bug. They need to immediately route all traffic back to the previous version with zero downtime. The function uses an alias for the production endpoint. What should the developer do?
A
Delete the new Lambda version
Update the Lambda alias to point 100% traffic to the previous version
C
Redeploy the old code as a new version
D
Increase the Lambda timeout
Correct Answer
Update the Lambda alias to point 100% traffic to the previous version
Explanation
Updating the Lambda alias to point 100% of traffic to the previous version instantly rolls back production. Since the alias is what API Gateway references, the change takes effect immediately with no downtime. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
Q21
A developer is using Elastic Beanstalk to deploy a web application. They need to run a custom script to install additional packages during deployment. Which Elastic Beanstalk configuration mechanism should they use?
A
Modify the EC2 user data directly
Add a .ebextensions configuration file with commands in the source bundle
C
Edit the Elastic Beanstalk console settings
D
Create a custom AMI with the packages
Correct Answer
Add a .ebextensions configuration file with commands in the source bundle
Explanation
.ebextensions configuration files (YAML/JSON) in the .ebextensions directory allow custom commands, packages, and configurations during deployment. They run during the deployment phase. Learn more: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ebextensions.html
Q22
A developer needs to implement comprehensive observability for their serverless application. Which TWO AWS services should they use together for metrics and tracing? (Choose TWO.)
Amazon CloudWatch for metrics, logs, and alarms
B
AWS Config
AWS X-Ray for distributed tracing and service maps
D
AWS CloudTrail
Correct Answers
Amazon CloudWatch for metrics, logs, and alarms
AWS X-Ray for distributed tracing and service maps
Explanation
CloudWatch provides metrics, logs, and alarms. X-Ray provides distributed tracing and service maps. Together they provide complete observability. Learn more: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html
Q23
A developer's application uses API Gateway caching. After updating the backend data, the API continues returning stale cached responses. How should the developer invalidate the cache for a specific endpoint?
A
Restart API Gateway
Send a request with Cache-Control: max-age=0 header to invalidate the cache, or flush the stage cache
C
Delete and recreate the API
D
Change the stage name
Correct Answer
Send a request with Cache-Control: max-age=0 header to invalidate the cache, or flush the stage cache
Explanation
Sending a request with the Cache-Control: max-age=0 header (and having the proper permissions) invalidates the cache for that specific request. The developer can also flush the entire stage cache from the console. Learn more: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
Q24
A developer notices that their Lambda function's concurrent executions are hitting the account limit of 1,000. Some functions are being throttled. How should the developer ensure critical functions always have available concurrency?
A
Request a limit increase only
Configure reserved concurrency for critical functions to guarantee available execution capacity
C
Reduce the function timeout
D
Delete unused functions
Correct Answer
Configure reserved concurrency for critical functions to guarantee available execution capacity
Explanation
Reserved concurrency guarantees a specific number of concurrent executions for a function, ensuring it is not starved by other functions consuming the account limit. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html
Q25
A developer is using X-Ray to trace Lambda functions. They want to trace calls to DynamoDB and external HTTP APIs but X-Ray shows only the Lambda invocation, not downstream calls. What should the developer do?
A
Enable active tracing on Lambda only
Instrument the AWS SDK and HTTP clients in the function code using the X-Ray SDK to capture downstream calls
C
Increase Lambda memory
D
Enable VPC Flow Logs
Correct Answer
Instrument the AWS SDK and HTTP clients in the function code using the X-Ray SDK to capture downstream calls
Explanation
The X-Ray SDK must be used to instrument the AWS SDK client and HTTP client in the Lambda function code. This creates subsegments for each downstream call, showing them in the X-Ray trace. Learn more: https://docs.aws.amazon.com/xray/latest/devguide/xray-sdk-python-middleware.html
Q26
A developer's DynamoDB table read latency is 15ms for strongly consistent reads. The application can tolerate slightly stale data (a few seconds). How can the developer reduce read latency and cost?
A
Increase provisioned RCUs
Switch to eventually consistent reads for lower latency and reduced RCU consumption
C
Add a GSI
D
Enable DynamoDB Streams
Correct Answer
Switch to eventually consistent reads for lower latency and reduced RCU consumption
Explanation
Eventually consistent reads are the DynamoDB default and provide roughly half the latency and half the RCU cost of strongly consistent reads. If the application can tolerate slightly stale data, this is the optimal choice. Learn more: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
Q27
A developer publishes custom CloudWatch metrics from a Lambda function. The metrics cost is high because the function sends a PutMetricData API call on every invocation (millions/day). How should the developer reduce costs?
A
Reduce the number of invocations
Use CloudWatch Embedded Metric Format (EMF) to publish metrics through logs instead of PutMetricData API calls
C
Switch to a third-party monitoring tool
D
Disable custom metrics
Correct Answer
Use CloudWatch Embedded Metric Format (EMF) to publish metrics through logs instead of PutMetricData API calls
Explanation
CloudWatch Embedded Metric Format (EMF) publishes metrics through CloudWatch Logs instead of PutMetricData API calls. CloudWatch automatically extracts metrics from logs, avoiding API costs and throttling. Learn more: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Embedded_Metric_Format.html
Q28
A developer is debugging a Lambda function that intermittently times out. CloudWatch Logs show that sometimes the function completes in 2 seconds and sometimes takes 30+ seconds. The function initializes a database connection in the handler. What is the MOST likely cause?
A
The Lambda function has a memory leak
The database connection initialization inside the handler is causing variable latency — move it outside the handler for execution context reuse
C
The function's timeout is too high
D
DynamoDB is throttling requests
Correct Answer
The database connection initialization inside the handler is causing variable latency — move it outside the handler for execution context reuse
Explanation
When Lambda creates a new execution context (cold start), the database connection is initialized inside the handler, adding connection time. On warm starts, the handler runs faster but still creates a new connection. Moving the connection outside the handler enables reuse across invocations. Learn more: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
Q29
A developer is writing a CloudFormation template and needs to conditionally create a resource only if the environment parameter is 'production'. Which CloudFormation feature enables this?
A
Use Fn::Ref
Use CloudFormation Conditions with Fn::Equals to check the parameter, and apply the Condition attribute to the resource
C
Use nested stacks
D
Create separate templates per environment
Correct Answer
Use CloudFormation Conditions with Fn::Equals to check the parameter, and apply the Condition attribute to the resource
Explanation
The Conditions section defines conditions based on parameter values. The Condition attribute on a resource controls whether it is created. Fn::If, Fn::Equals, and other condition functions support the logic. Learn more: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html
Q30
A developer's Step Functions workflow calls a Lambda function that is throttled during peak load. The workflow fails immediately instead of retrying. How should the developer handle Lambda throttling in Step Functions?
A
Increase the Step Functions timeout
Add a Retry configuration for Lambda.TooManyRequestsException with exponential backoff in the Task state
C
Remove the Lambda function from the workflow
D
Use Express Workflows instead
Correct Answer
Add a Retry configuration for Lambda.TooManyRequestsException with exponential backoff in the Task state
Explanation
Adding a Retry block in the Step Functions Task state for the Lambda.TooManyRequestsException error with exponential backoff handles throttling gracefully instead of failing the workflow. Learn more: https://docs.aws.amazon.com/step-functions/latest/dg/concepts-error-handling.html