DVA-C02 Exam Guide
This DVA-C02 exam focuses on practical knowledge and real-world application scenarios related to the subject area. It evaluates your ability to understand core concepts, apply best practices, and make informed decisions in realistic situations rather than relying solely on memorization.
This page provides a structured exam guide, including exam focus areas, skills measured, preparation recommendations, and practice questions with explanations to support effective learning.
Exam Overview
The DVA-C02 exam typically emphasizes how concepts are used in professional environments, testing both theoretical understanding and practical problem-solving skills.
Skills Measured
- Understanding of core concepts and terminology
- Ability to apply knowledge to practical scenarios
- Analysis and evaluation of solution options
- Identification of best practices and common use cases
Preparation Tips
Successful candidates combine conceptual understanding with hands-on practice. Reviewing measured skills and working through scenario-based questions is strongly recommended.
Practice Questions for DVA-C02 Exam
The following practice questions are designed to reinforce key DVA-C02 exam concepts and reflect common scenario-based decision points tested in the certification.
Question#1
A company runs an application in a third-party cloud. The company wants to use the application to update data in AWS by using API calls to AWS services. The API calls require credentials.
The company's security policy requires the company to limit the scope and duration of any credentials used to make API calls to AWS services.
Which solution will meet these requirements in the MOST secure way?
A. Create an IAM user for the application. Configure the application to load the IAM user's credentials as environment variables. Use the IAM user's credentials to interact with AWS services.
B. Create an IAM user for the application. Populate an AWS Secrets Manager secret with the IAM user's AWS credentials. Use the secret to interact with AWS services.
C. Create an IAM role for the application. Configure the application to call the AWS STS GetFederationToken AP
D. Use the STS credentials to interact with AWS services.
E. Create an IAM role for the application. Configure the application to call the AWS STS AssumeRole AP
F. Use the STS credentials to interact with AWS services.
Explanation:
The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.
With STS AssumeRole, the application requests temporary credentials for a specific IAM role. The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.
Options A and B rely on long-term IAM user credentials. Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.
Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or
scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole.
Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.
Question#2
A developer is creating an ecommerce workflow in an AWS Step Functions state machine that includes a HTTP Task state. The task passes shipping information and order details to an endpoint.
The developer needs to test the workflow to confirm that the HTTP headers and body are correct and that the responses meet expectations.
A. Use the TestState API to invoke only the HTTP Task. Set the inspection level to TRAC
B. Use the TestState API to invoke the state machine. Set the inspection level to DEBU
C. Use the data flow simulator to invoke only the HTTP Task. View the request and response data.
D. Change the log level of the state machine to AL
E. Run the state machine.
Explanation:
Comprehensive and Detailed Step-by-Step
To confirm that the HTTP headers, body, and responses meet expectations, you need to test the specific HTTP Task state in isolation and inspect the details.
Option A: TestState API with TRACE:
The TestState API allows developers to test individual states in a state machine without executing the entire workflow.
Setting the inspection level to TRACE provides detailed information about the HTTP request and response, including headers, body, and status codes.
This option provides the precise and granular testing required to verify the HTTP Task functionality.
Why Other Options Are Incorrect:
Option B: The DEBUG inspection level provides less detailed information than TRACE and focuses on general debugging, not a detailed view of HTTP interactions.
Option C: Step Functions does not have a "data flow simulator" to test individual tasks; this option is not valid.
Option D: Changing the state machine’s log level to ALL increases logging granularity for the entire state machine but does not allow isolated testing of a specific HTTP Task.
Reference: AWS Step Functions: Testing State Machines
Question#4
A developer is receiving HTTP 400: ThrottlingException errors intermittently when calling the Amazon CloudWatch API. When a call fails, no data is retrieved.
What best practice should first be applied to address this issue?
A. Contact AWS Support for a limit increase.
B. Use the AWS CLI to get the metrics.
C. Analyze the applications and remove the API call.
D. Retry the call with exponential backoff.
Disclaimer
This page is for educational and exam preparation reference only. It is not affiliated with Amazon, Certified Developer - Associate, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.
