RoleMath Study Track · free study companion

RoleMath Study Track for AWS Certified Developer - Associate (DVA-C02) (DVA-C02)

A free study companion keyed to the officially published exam domains of AWS Certified Developer - Associate (DVA-C02) (DVA-C02): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. AWS Certified Developer - Associate (DVA-C02) exam guide

A free, source-cited study companion built on AWS's published DVA-C02 exam guide, for independent study only. It is not official training, is not affiliated with or endorsed by AWS or Amazon, and is not a pass guarantee. DVA-C02 is an Associate-level exam, not a first certification: it assumes roughly one year of hands-on AWS development plus programming proficiency (the exam uses SDK code and pseudocode), so begin with AWS fundamentals (CLF-C02) and a programming language if either is new to you. Every hands-on lab here runs only in your OWN AWS free-tier account (never a work or school account), behind a hard billing boundary - set a $5 billing alarm before you start, stay inside the always-free limits, and run the teardown (sam delete) so every resource is removed. Verify the current objectives on the official exam guide before your exam.

Program blueprint under review

Use the whole program, with the limits visible

A complete free AWS Certified Developer - Associate (DVA-C02) program pinned to AWS's currently published exam guide, sequenced the way the skills build rather than in numeric order - development first, then deployment, then security, then troubleshooting and optimization - with every hands-on lab run in the learner's OWN AWS free-tier account (never a work or school account) behind a hard billing boundary: a $5 billing alarm set before starting, always-free service limits, and a sam delete teardown of every resource. This is an ASSOCIATE-level developer certification, not a first cert: it assumes roughly one year of hands-on AWS development plus real programming proficiency (the exam uses SDK code and pseudocode), so it crosslinks AWS fundamentals (Cloud Practitioner) and a programming language as prerequisites. It rechecks the official exam guide before any exam scheduling. It does not predict a score, confer professional experience, or serve as a credential.

This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.

Modules
4
Labs
4
Concept checks
15
Resource mix
6 official / 1 community

Choose an outcome

Three routes through the same evidence

Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.

Certification-focused

Developers with roughly a year of AWS exposure and real programming proficiency who want one current, dependency-ordered DVA-C02 sequence across all four domains, with every lab run in their own free-tier account behind a strict billing boundary and a recheck of the official exam guide before scheduling.

Completion emphasis: Complete every phase, run each lab in your OWN AWS free-tier account (billing alarm set first, sam delete teardown after), correct every missed check against its cited source, finish the integrated capstone, and diff the current exam guide before booking - never inferring a pass from coverage, since the 720/1000 bar is compensatory and depends on the whole exam.

Required phases: Development with AWS services and deployment, Security, troubleshooting, and optimization, Integrated serverless capstone

Serverless dev skills first

Career changers who want reviewable evidence that they can build a serverless application on AWS - write Lambda code calling the SDK, ship it with SAM and a safe canary deployment, secure it with least-privilege IAM and Cognito, and diagnose and tune it with X-Ray and CloudWatch - whether or not they sit the exam soon.

Completion emphasis: Retain a labeled command transcript plus the code for each domain - a deployed Lambda+DynamoDB CRUD API, a canary deployment that auto-rolled-back on a CloudWatch alarm, a hand-written least-privilege IAM policy plus a Cognito JWT auth boundary, and an X-Ray/Logs-Insights/memory-tuning record - plus the capstone transcript and a note confirming every lab was torn down with sam delete and nothing billable remained.

Required phases: Development with AWS services and deployment, Security, troubleshooting, and optimization, Integrated serverless capstone

Career-fit sprint

Learners deciding whether AWS serverless development - Lambda, the SDK, event-driven services, and infrastructure as code - is a direction worth deeper investment before committing to the full DVA-C02 grind, and who first want to confirm they have the programming and AWS-fundamentals footing the exam assumes.

Completion emphasis: Complete the prerequisite diagnostic and the development-and-deployment phase (building and safely shipping your first serverless app in your own free-tier account), then choose a next AWS experiment or a full exam commitment rather than inferring job readiness or a pass from partial coverage.

Required phases: Development with AWS services and deployment

Start safely

Prerequisite diagnostic

Confirm you have the programming proficiency, the AWS fundamentals, and the free-tier account the labs and exam assume before you start; this diagnostic is not an AWS prerequisite, a cost promise, or an exam prediction. DVA-C02 is an Associate-level developer exam that assumes roughly one year of hands-on AWS development and real coding ability - it is not a first certification.

  1. Are you proficient in at least one programming language (for example Python, Node.js, or Java) - able to read and write functions, work with JSON, and follow SDK calls - since the exam shows SDK code and pseudocode and the labs use a boto3 Lambda handler?

    Ready when: Yes, you can read and write code in at least one language and follow the boto3 handler in the labs; programming is a genuine requirement for this exam, not optional.

    If not yet: Spend time building real programming fundamentals in one language first; DVA-C02 is not a first cert and cannot be passed on AWS vocabulary alone - come back once you can read and write SDK-style code comfortably.

  2. Are you familiar with AWS fundamentals - core services, the console and CLI, regions, and IAM basics - at roughly the AWS Certified Cloud Practitioner (CLF-C02) level, since the Developer exam assumes that grounding?

    Ready when: Yes, with CLF-C02-level familiarity or equivalent hands-on AWS experience, or a plan to shore up fundamentals in parallel using the free AWS fundamentals resources.

    If not yet: Start with AWS fundamentals (the free Cloud Practitioner scope) first; the Developer exam builds directly on that grounding, and starting there avoids fighting basic AWS concepts while learning developer-specific services.

  3. Can you use your OWN AWS free-tier account (never a work or school account) and set a $5 AWS Budgets billing alarm BEFORE starting any lab, understanding that a payment card may be required at signup but the labs stay within free limits?

    Ready when: Yes, with your own free-tier account and a $5 billing alarm set before the first lab, or a plan to complete the labs documentation-only from the AWS developer docs if you cannot open an account.

    If not yet: Do not run labs in an employer or school account under any circumstances; if you cannot open your own free-tier account, complete the labs documentation-only from the AWS developer docs, which reach the same understanding and written evidence.

  4. Can you install the AWS SAM CLI and the AWS CLI on your own machine and authenticate them to your own account, or will you complete the labs from the documentation instead?

    Ready when: Yes, with the SAM CLI and AWS CLI installed and authenticated to your own account, or a plan to use the documentation-only route for the hands-on labs.

    If not yet: Install the AWS SAM CLI and AWS CLI following the official guides; if local install is impractical, the documentation-only route reads the fixtures and the developer docs to reach the same understanding and evidence.

  5. Have you chosen a pace whose weekly hours you can realistically protect across roughly 60 to 95 total hours (about 60 with strong AWS and coding experience, up to 95 if you are coming from fundamentals only)?

    Ready when: Yes, with a pace selected and the hands-on labs, the missed-check corrections, and the integrated capstone left uncompressed.

    If not yet: Pick the steady pace if you are newer to AWS development and reserve the intensive pace for experienced developers; never compress the hands-on labs or the capstone to save time, because developer fluency comes from building and shipping real code.

Plan, then adapt

Pace options

Steady

12 weeks 7-8 hours/week

A planning estimate of roughly 85-95 hours for a developer coming largely from fundamentals: one phase at a time, every lab run in your own free-tier account (billing alarm first, sam delete teardown) plus the missed-check corrections, the integrated capstone, and an exam-guide recheck before scheduling. A learner shoring up programming or AWS fundamentals in parallel should expect the upper end of this range.

Standard

9 weeks 7-9 hours/week

A planning estimate of roughly 70-80 hours for developers with some real AWS and coding experience that pairs the exam-guide-cited domain study with one retained command transcript and code set per domain, preserves the canary auto-rollback lab and the least-privilege/Cognito security lab, and keeps an exam-guide-diff block before any exam logistics.

Intensive

6 weeks 10-11 hours/week

Roughly 60-70 hours for an experienced developer already comfortable with AWS and serverless; do not compress the hands-on labs, the canary auto-rollback observation, the least-privilege IAM and Cognito auth boundary, or the X-Ray and memory-tuning work, since the exam tests behavior you only truly learn by building, shipping, and observing it.

Evidence-gated sequence

Program roadmap

  1. Development with AWS services and deployment

    Build a serverless application and learn to ship it safely. First take 'Development with AWS Services' (Domain 1, 32% - the heaviest domain): writing Lambda code, calling the AWS SDK against DynamoDB, integrating API Gateway, and the event-driven services (S3, SQS, SNS, EventBridge, Step Functions). Then, out of numeric order, take 'Deployment' (Domain 3, 24%): infrastructure as code with AWS SAM and CloudFormation, the CI/CD tools (CodePipeline, CodeBuild, CodeDeploy), and the deployment strategies (canary, linear, all-at-once, blue/green) with automatic CloudWatch-alarm rollback. Building first, then shipping, makes the security and troubleshooting phases concrete.

    Exit evidence

    • Complete the diagnostic (programming proficiency, AWS fundamentals, own free-tier account with a $5 billing alarm, SAM/CLI tooling, and study-time), choose a pace you can protect, and set a $5 AWS Budgets billing alarm before any lab.
    • Complete the Domain 1 development lab in your OWN free-tier account: deploy a Lambda+DynamoDB CRUD API with SAM, exercise create/get/list through API Gateway (or via a direct aws lambda invoke if past the 12-month API Gateway free window), and run sam delete teardown.
    • Complete the Domain 3 deployment lab in your OWN free-tier account: deploy a Lambda with a SAM Canary10Percent5Minutes DeploymentPreference wired to a CloudWatch Errors alarm, deliberately break it so CodeDeploy auto-rolls-back to v1, contrast with AllAtOnce, and run sam delete teardown.
    • Be able to explain, in your own words, Lambda invocation models and the warm-versus-cold execution environment, Query versus Scan on DynamoDB, the CodePipeline/CodeBuild/CodeDeploy split, and when to choose canary versus all-at-once versus blue/green.
    • Attempt every authored Domain 1 and Domain 3 check and correct each miss against its cited source, then confirm every lab was torn down with sam delete and nothing billable remained.
  2. Security, troubleshooting, and optimization

    Secure the application you built and shipped, then learn to diagnose and tune it. First take 'Security' (Domain 2, 26% - the second-heaviest domain): least-privilege IAM roles and policy JSON, temporary credentials via STS, Amazon Cognito user pools and JWT authorization, and the secrets and encryption services (Secrets Manager, Parameter Store, KMS). Then take 'Troubleshooting and Optimization' (Domain 4, 18%): CloudWatch Logs Insights, X-Ray tracing (concepts still tested despite the 2026-02-25 SDK maintenance mode; AWS recommends OpenTelemetry), cold-start diagnosis, and Lambda memory-and-CPU tuning.

    Exit evidence

    • Complete the Domain 2 security lab in your OWN free-tier account: attach a hand-written least-privilege IAM policy scoped to one table ARN (proving an out-of-scope Scan is DENIED), stand up a Cognito user pool, obtain a JWT, confirm the API returns 401 without the token and 200 with it, and tear down the pool and policy.
    • Complete the Domain 4 troubleshooting lab in your OWN free-tier account: enable X-Ray active tracing and structured logging, read the service map, run a CloudWatch Logs Insights query for cold-start init duration and warm duration, compare Lambda duration at 128MB versus 512MB, and run sam delete teardown.
    • Be able to explain least privilege and why a role beats long-lived keys, the Cognito user-pool-versus-identity-pool split, what causes a cold start and how to reduce it, and why more Lambda memory can make a compute-bound function faster and cheaper.
    • Attempt every authored Domain 2 and Domain 4 check and correct each miss against its cited source, retaining the least-privilege policy plus the Cognito auth boundary and the X-Ray/Logs-Insights/memory-tuning record, everything torn down afterward.
  3. Integrated serverless capstone

    Prove you can span the whole exam by building, securing, deploying, and observing one small serverless application in your own free-tier account, then tearing it all down. This integrated capstone touches all four DVA-C02 domains in the methodology order: build a Lambda+DynamoDB app with the SDK, secure it with least-privilege IAM and Cognito, ship a change with a canary deployment that can auto-roll-back on a CloudWatch alarm, and observe it with X-Ray and CloudWatch Logs Insights - all within a hard billing boundary, then sam delete everything.

    Exit evidence

    • Complete the integrated capstone spanning all four domains in your OWN free-tier account: build a small serverless app (Lambda+DynamoDB+API Gateway via SAM), secure it with a least-privilege IAM execution role and Cognito JWT auth, deploy a change with a canary DeploymentPreference and a CloudWatch alarm capable of auto-rollback, and observe it with X-Ray active tracing and a Logs Insights query - then tear everything down with sam delete.
    • Write a short integrated run record crosswalking each artifact to one of the four domain IDs, confirm nothing billable remained after teardown, and note that a $5 billing alarm was set before starting.
    • Diff the current DVA-C02 exam guide against what you practiced (confirm the four domains and weights and the X-Ray maintenance-mode/OpenTelemetry note), record remaining gaps, and choose a continue, practice, defer, AWS experiment, or exam-scheduling next decision rather than inferring a pass from coverage.

Before a lab

Environment, access, and safety

Required and optional setup

Required

  • A browser plus text tools for the AWS DVA-C02 exam guide, the free AWS Skill Builder exam-prep course, and the AWS developer documentation, and for recording each lab's commands, code, CLI output, and sam delete teardown confirmation
  • Your OWN AWS free-tier account (never a work, school, employer, or client account) with a $5 AWS Budgets billing alarm set BEFORE any lab; a payment card may be required at signup but the labs stay within always-free limits
  • The AWS SAM CLI and the AWS CLI installed and authenticated to your own account, plus a text editor to read and lightly edit the SAM templates, the boto3 handlers, and the IAM policy fixture
  • A teardown-and-cleanup checklist recording, for each lab, that sam delete was run (plus deleting any Cognito pool, IAM policy, or CodePipeline created) and that Cost Management shows nothing billable or lingering

Optional

  • A free AWS Skill Builder account for the exam-prep course, the Official Practice Question Set, and the free-tier hands-on limits (verify the current free labels before relying on them)
  • A free community video course (for example the freeCodeCamp / Andrew Brown ExamPro DVA-C02 course) as an alternate explanation after the official exam-prep course - note it was published 2024-08 and may miss later exam-guide additions, so reconcile it to the current official exam guide
  • Optional paid supplements (a video course, a deep-dive course, or a practice-exam set) that each add something over the free path; each is a third-party product with a free alternative, and pricing fluctuates - verify at purchase
Accounts and accessibility routes

Accounts

  • Every hands-on lab requires your OWN AWS free-tier account and a $5 billing alarm set before starting; NO lab may run in a work, school, employer, or client account.
  • A payment card may be required at AWS signup, but the labs are designed to stay within always-free limits (Lambda 1M requests/month, DynamoDB on-demand idle = $0, IAM, Cognito first 50,000 MAU, CloudWatch Logs 5GB, X-Ray 100,000 traces/month) and 12-month-free limits (API Gateway, S3, available on accounts created before 2025-07-15; newer accounts get a time-limited credit-based free plan instead); some services bill beyond those limits.
  • Every lab has a documentation-only alternative from the AWS developer docs for learners who cannot or prefer not to run live resources; the documentation route reaches the same understanding and written evidence.

Equivalent routes

  • When running live AWS resources is impractical for account, device, or billing-boundary reasons, complete each lab from the AWS developer documentation and the provided fixtures, writing in your own words how each service behaves; this reaches the same written-transcript evidence with no live spend.
  • Every lab is command-line and text driven, so the whole program is keyboard-operable with plain-text CLI output a screen reader can read linearly; the fixtures are plain YAML, Python, and JSON with labeled blocks.
  • In low-bandwidth conditions, prefer the documentation-only route and record every command and code file in a local document; after the one-time SAM build and deploy the live labs generate light traffic, but the docs route avoids the console UI entirely.
Safety baseline
  • Run every lab ONLY in your OWN AWS free-tier account with a $5 billing alarm set BEFORE starting - never a work, school, employer, or client account, and never infrastructure you do not own.
  • Every lab ends with sam delete (and, where relevant, deleting the Cognito user pool, detaching the IAM policy, and deleting any CodePipeline) so no resource lingers or bills; confirm in Cost Management that nothing continues to bill.
  • Stay within the always-free services (Lambda, DynamoDB on PAY_PER_REQUEST, IAM, Cognito) and the 12-month-free limits (API Gateway, S3, available on accounts created before 2025-07-15; newer accounts get a time-limited credit-based free plan instead); some services bill beyond the free tier, and if you are past the 12-month window prefer a direct aws lambda invoke over API Gateway.
  • Never place real credentials, tokens, or personal data into code, a SAM template, an IAM policy, or an environment variable; the labs pass the table name via an environment variable SAM injects and use only throwaway lab credentials for the Cognito test user.
  • The X-Ray SDKs and daemon entered maintenance mode on 2026-02-25 and AWS recommends the AWS Distro for OpenTelemetry; the labs use X-Ray active tracing (no SDK) to learn the still-tested concepts while respecting that direction.

Show your work

Module evidence and missed-check protocol

Module exit evidence

  • A labeled command transcript plus the code for each domain tied to its module: a deployed Lambda+DynamoDB CRUD API exercised through the SDK (Domain 1); a canary deployment that auto-rolled-back to v1 on a CloudWatch alarm (Domain 3); a hand-written least-privilege IAM policy where an out-of-scope Scan was denied plus a Cognito JWT auth boundary returning 401 without a token and 200 with one (Domain 2); and an X-Ray service map, a Logs Insights cold-start/duration query, and a 128MB-versus-512MB memory comparison (Domain 4).
  • A plain-language explanation of the concept, the AWS service and command that demonstrated it, and the safety boundary the lab stayed inside (own free-tier account, $5 billing alarm, everything torn down with sam delete), including the X-Ray maintenance-mode/OpenTelemetry note for Domain 4.
  • All authored checks for the domain attempted, with each miss corrected against its cited source, plus a recorded confirmation that sam delete was run and nothing billable or lingering remained.

After a missed check

  1. Identify whether the question tests development with AWS services, deployment, security, or troubleshooting and optimization before reviewing the answer.
  2. Write why the distractor was plausible and which specific mechanism distinguishes the correct answer - the Lambda invocation model or SDK behavior, the deployment strategy or CI/CD service, the least-privilege or Cognito or STS detail, or the tracing, cold-start, or memory-tuning point.
  3. Because the exam is compensatory across the whole test, do not weight your review only by domain percentage; instead change one detail - the invocation type, the policy action or resource, the deployment preference, or the memory setting - and explain whether the correct answer changes, then re-run the relevant lab step if it is a behavior you can reproduce in your own account.

Completing this policy demonstrates current-exam-guide DVA-C02 coverage and hands-on AWS serverless practice inside RoleMath in your own free-tier account within a strict billing boundary; it does not predict an exam score (the 720/1000 bar is compensatory and depends on the whole exam), confer professional AWS development experience, or serve as a RoleMath credential. Treat your ability to build, secure, deploy, and observe a serverless application and explain each domain's behavior in your own words - not coverage alone - as the honest signal of readiness.

Integrated practice

Integrated DVA-C02 serverless scenario spanning all four domains in your own free-tier account

Run one integrated, methodology-ordered scenario in your OWN AWS free-tier account that touches every DVA-C02 domain - build a small serverless app with Lambda, DynamoDB, and API Gateway via SAM, secure it with a least-privilege IAM execution role and Cognito JWT auth, ship a change with a canary deployment that can auto-roll-back on a CloudWatch alarm, and observe it with X-Ray active tracing and a CloudWatch Logs Insights query - all within a hard billing boundary, then tear everything down with sam delete, proving you can operate across development, deployment, security, and troubleshooting.

Workflow

  1. Set a $5 AWS Budgets billing alarm on your OWN free-tier account and confirm your identity with aws sts get-caller-identity - never a work or school account.
  2. Development (Domain 1): build a small serverless app with SAM - a Lambda calling the AWS SDK against a PAY_PER_REQUEST DynamoDB table, fronted by API Gateway, reading the table name from an environment variable - and exercise create/get/list.
  3. Confirm the event-driven and integration reasoning (Domain 1): explain in your run record which service you would reach for to decouple a producer from a consumer (SQS), fan one event out to many subscribers (SNS), react to a file landing in S3, route events by rule (EventBridge), or orchestrate a multi-step workflow (Step Functions), even if the capstone app itself stays small.
  4. Security (Domain 2): replace the broad managed policy with a hand-written least-privilege IAM execution role scoped to only the DynamoDB actions and the one table ARN (prove an out-of-scope Scan is DENIED), and add a Cognito user pool with a JWT authorizer so an unauthenticated call returns 401 and an authenticated one returns 200.
  5. Deployment (Domain 3): ship a change with a SAM Canary10Percent5Minutes DeploymentPreference wired to a CloudWatch Errors alarm, deliberately break the function so CodeDeploy auto-rolls-back to the last known-good version during the bake, then restore the healthy version.
  6. Troubleshooting and optimization (Domain 4): enable X-Ray active tracing and structured JSON logging, read the service map, run a CloudWatch Logs Insights query for cold-start init duration and warm duration, and compare Lambda duration at 128MB versus 512MB - noting X-Ray concepts are tested while OpenTelemetry is the forward direction.
  7. Write a short integrated run record: for each domain, the commands, code, and evidence (the CRUD interaction, the least-privilege denial and the 401/200 auth boundary, the auto-rollback in the deployment history, and the trace/Logs-Insights/memory comparison), noting the $5 billing alarm was set and nothing billable remained.
  8. Diff the current DVA-C02 exam guide against what you practiced (confirm the four domains and weights and the X-Ray maintenance-mode note), flag any uncovered topic as an explicit gap, crosswalk every artifact to the four domain IDs, then run sam delete everywhere (plus deleting the Cognito pool, IAM policy, and any CodePipeline) and confirm nothing billable or lingering remains.

Retained artifacts

  • A development record: the SAM template and boto3 handler and a create/get/list interaction showing the SDK reading and writing DynamoDB through API Gateway (or a direct invoke)
  • A security record: a hand-written least-privilege IAM policy where an out-of-scope Scan was denied, plus a Cognito JWT auth boundary returning 401 without a token and 200 with one
  • A deployment record: a canary DeploymentPreference with a CloudWatch alarm, and a CodeDeploy automatic rollback to v1 visible in the deployment history
  • A troubleshooting-and-optimization record: an X-Ray service map, a Logs Insights cold-start/duration query result, and a 128MB-versus-512MB memory comparison
  • The integrated run record with a four-domain crosswalk, an exam-guide diff flagging any gaps, and a confirmation that sam delete was run everywhere and nothing billable or lingering remained

Review checklist

  • The scenario ran entirely in the learner's OWN AWS free-tier account with a $5 billing alarm set before starting, with no lab run in a work/school/employer/client account and no action taken against infrastructure the learner does not own.
  • Development is demonstrated with a Lambda+DynamoDB CRUD app built with SAM and exercised through the SDK.
  • Security is demonstrated with a hand-written least-privilege IAM policy (an out-of-scope Scan denied) and a Cognito JWT auth boundary (401 without a token, 200 with one).
  • Deployment is demonstrated with a canary DeploymentPreference wired to a CloudWatch alarm and a CodeDeploy automatic rollback to the last known-good version.
  • Troubleshooting and optimization is demonstrated with an X-Ray service map, a Logs Insights cold-start/duration query, and a 128MB-versus-512MB memory comparison, with the X-Ray maintenance-mode/OpenTelemetry note acknowledged.
  • The current DVA-C02 exam guide was rechecked (the four domains, their weights, and the X-Ray currency note) and any changed objective invalidates the affected mapping or review.
  • All four current DVA-C02 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion, and sam delete was run everywhere (plus deleting the Cognito pool, IAM policy, and any CodePipeline) with nothing billable or lingering left behind.
  • The packet does not claim exam success or a passing score, official AWS approval or training beyond linked sources, professional AWS development experience, or a RoleMath credential.

Safety boundary: Run the entire capstone ONLY in your OWN AWS free-tier account with a $5 billing alarm set BEFORE starting - never a work, school, employer, or client account, and never infrastructure you do not own. Stay within the always-free limits (some services bill beyond them; if past the 12-month window prefer a direct aws lambda invoke over API Gateway). Never place real credentials in code, a template, an IAM policy, or an environment variable, and use only throwaway credentials for the Cognito test user. Run sam delete everywhere (plus deleting the Cognito pool, IAM policy, and any CodePipeline) when finished, and confirm in Cost Management that nothing continues to bill.

Finish honestly

Completion, portfolio, and maintenance

Completion evidence

  • All four current DVA-C02 domain modules have been covered and checked against AWS's official exam guide, including a recheck of the current domains and weights (and the X-Ray maintenance-mode/OpenTelemetry note) before any exam scheduling.
  • Every domain lab has been run only in the learner's OWN AWS free-tier account with a $5 billing alarm set first - always torn down with sam delete (plus deleting any Cognito pool, IAM policy, or CodePipeline) - and its command transcript and code retained.
  • Building a serverless app with the SDK, shipping it with a canary deployment that auto-rolls-back, securing it with least-privilege IAM and Cognito, and diagnosing and tuning it with X-Ray and CloudWatch have each been practiced hands-on, not just read.
  • Every authored knowledge check has been attempted and each miss has a cited correction.
  • The AWS exam guide, the AWS developer documentation, the free Skill Builder exam-prep course and practice question set, and any community walkthrough have been used within their current free-access terms, with any community resource (which may predate later exam-guide additions) reconciled to the current official exam guide.
  • The integrated capstone passes its safety, development, deployment, security, troubleshooting, exam-guide-diff, and four-domain-coverage review, with everything torn down and nothing billable or lingering left behind.
  • The learner has recorded remaining objective gaps and a next AWS-practice or exam-scheduling decision; completion is not represented as an exam result, a passing score, a credential, job readiness, or professional AWS development experience.

Portfolio candidates

  • A sanitized development record: the SAM template and boto3 handler and a create/get/list transcript, with any real account id or ARNs removed
  • A sanitized security record: the least-privilege IAM policy (with placeholders, not a real ARN) where an out-of-scope Scan was denied, and a Cognito JWT auth boundary description (no tokens shown)
  • A deployment record: a canary DeploymentPreference and a CodeDeploy automatic rollback to v1 visible in the deployment history
  • A troubleshooting record: an X-Ray service map (identifiers removed), a Logs Insights cold-start/duration result, and a 128MB-versus-512MB memory comparison
  • A teardown record: a confirmation that sam delete was run everywhere and Cost Management showed nothing billable or lingering

Present the packet as self-directed AWS serverless lab work done only in your OWN free-tier account within a strict billing boundary. Do not call it production AWS work, official AWS approval, professional AWS development experience, or a RoleMath credential, do not claim a passing score, and never publish a real account id, ARN, token, access key, or employer identifier.

Freshness controls

Objective source checked 2026-07-11. Recheck objectives every 30 days and resources every 90 days.

Stop and re-verify when

  • AWS changes the DVA-C02 exam guide, the domain set or weights, the exam code, the format (65 questions / 50 scored + 15 unscored), the 720/1000 compensatory passing model, the $150 fee, the 130-minute duration, the 3-year validity, or the delivery provider (Pearson VUE / online proctoring).
  • A service or feature the labs rely on changes: SAM/CloudFormation resource shapes, the DynamoDB on-demand billing mode, Lambda arm64/python3.12 runtime support, API Gateway free-tier terms, the CodeDeploy Canary10Percent5Minutes preference or alarm-driven rollback behavior, or Cognito user-pool/JWT behavior.
  • The X-Ray currency picture shifts further - for example X-Ray is removed from the DVA-C02 scope, the maintenance-mode status changes, or AWS's OpenTelemetry (ADOT) recommendation is superseded - requiring the Domain 4 currency note to be updated.
  • The AWS Free Tier changes its always-free or 12-month-free limits, its signup terms, or the specific service allowances the labs depend on (Lambda 1M requests, DynamoDB on-demand, IAM, Cognito 50,000 MAU, CloudWatch Logs 5GB, X-Ray 100,000 traces, API Gateway/S3 12-month).
  • A free resource the program links (the AWS exam guide, the Skill Builder exam-prep course, the Official Practice Question Set, the AWS developer docs, or the freeCodeCamp/Andrew Brown community video) changes URL, access, or free status, or a lab can no longer be run for free in an own free-tier account with its teardown and billing-boundary guarantees intact.
  • A development, deployment, security, troubleshooting, or optimization concept materially changes, or a topic is added to or removed from the exam guide.
  • Any module, lab, check, phase, capstone step, account instruction, safety guardrail, or exam-guide diff fails technical, source, AWS-domain, associate-level, safety, cost, privacy, accessibility, currency, or claims review.

Skills measured

The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. AWS Certified Developer - Associate (DVA-C02) exam guide

32% of scored contentDevelopment with AWS ServicesAWS Certified Developer - Associate (DVA-C02) exam guide (2026-07-11)
26% of scored contentSecurityAWS Certified Developer - Associate (DVA-C02) exam guide (2026-07-11)
24% of scored contentDeploymentAWS Certified Developer - Associate (DVA-C02) exam guide (2026-07-11)
18% of scored contentTroubleshooting and OptimizationAWS Certified Developer - Associate (DVA-C02) exam guide (2026-07-11)

Suggested study order

AWS weights DVA-C02 as four point-weighted domains that sum to 100: Development with AWS Services (Domain 1, 32%), Security (Domain 2, 26%), Deployment (Domain 3, 24%), and Troubleshooting and Optimization (Domain 4, 18%). We do NOT study them in numeric order; we study them in the order the skills build on one another while still front-loading the heaviest domain. We open with Domain 1 (32%) because it is both the largest slice and the foundation for everything else: you cannot secure, deploy, or troubleshoot an application you have not first built. This is where you learn to write Lambda functions, call the AWS SDK against DynamoDB, wire up API Gateway, and reason about the event-driven glue (S3, SQS, SNS, EventBridge, Step Functions) - the application the other three domains then protect, ship, and observe. We go to Domain 3 Deployment (24%) second, out of numeric order, because once you can build a serverless app the next natural act is to package and ship it: AWS SAM and CloudFormation, the CI/CD services (CodePipeline, CodeBuild, CodeDeploy), and the deployment strategies (canary, linear, all-at-once, blue/green) that get a change into production safely. Doing deployment early means you have a real pipeline in place before you layer security onto it. Third comes Domain 2 Security (26%): now that you have an application and a way to ship it, you tighten it - least-privilege IAM roles and policies, Amazon Cognito for user authentication, and the secrets and encryption services (Secrets Manager, KMS, STS) that keep credentials out of code. Security is the second-heaviest domain and a genuine exam bright line, so it gets real time even though we study it third. We close with Domain 4 Troubleshooting and Optimization (18%) because it is both the smallest slice and the one that most needs a working, deployed, secured application as its subject: you cannot meaningfully read X-Ray traces, hunt cold starts in CloudWatch Logs, or tune Lambda memory until you have a normal baseline to compare against. This is sequencing advice based on the published weights and how the tasks depend on one another, not a claim about the science of learning or about any single topic being more important than its weight says; if a different order fits how you think, use it.

  1. Development with AWS Services32% of scored content of the exam
  2. Deployment24% of scored content of the exam
  3. Security26% of scored content of the exam
  4. Troubleshooting and Optimization18% of scored content of the exam

Module 1 of 4 · domain 1 · 32% of scored content of the exam

Development with AWS Services

Study this first. At 32% it is the heaviest domain and the foundation for everything else: you cannot secure, deploy, or troubleshoot an application you have not first built. This is where you write Lambda functions, call the AWS SDK against DynamoDB, wire up API Gateway, and reason about the event-driven glue (S3, SQS, SNS, EventBridge, Step Functions) the other three domains protect, ship, and observe.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. AWS Certified Developer - Associate (DVA-C02) exam guide

This is the 'actually build the application' domain, and AWS weights it at 32% - the largest slice of DVA-C02 and the frame the whole exam is built on. It covers writing code that runs on AWS compute (above all AWS Lambda), calling AWS services from that code with the AWS SDK, designing and integrating the data and messaging services an application needs, and stitching services together into event-driven workflows. Because it is both the heaviest domain and the thing every other domain depends on, we study it first and give it the most time. Note the exam expects real coding: questions show SDK calls and pseudocode in a language (commonly Python, Node.js, or Java), so this is not a domain you can pass on vocabulary alone.

AWS Lambda is the center of gravity. Lambda runs your function code without you managing servers, and the exam expects you to reason about its whole model: the handler signature and the event and context objects your code receives; how you configure memory (which also scales CPU), timeout, and environment variables; the difference between synchronous invocation (API Gateway calls the function and waits) and asynchronous invocation (S3 or SNS drops an event and Lambda retries on failure); and the execution-environment lifecycle, where code you run OUTSIDE the handler (creating an SDK client, opening a connection) is reused across warm invocations while a cold start pays the full initialization cost. Concurrency (reserved versus provisioned) and layers for shared dependencies round out the picture. The recurring exam skill is predicting how a Lambda function behaves given its configuration and how it is invoked.

Using the AWS SDK to talk to services is the domain's coding heart, and DynamoDB is the data store you will use most. You should be fluent in the DynamoDB developer model: single-table design with a partition key and optional sort key; the difference between GetItem (one item by key), Query (items sharing a partition key, efficient), and Scan (reads the whole table, expensive and to be avoided); expressions for filtering, conditional writes, and updates; and how PAY_PER_REQUEST (on-demand) versus provisioned capacity affects cost and throttling. Secondary indexes (local and global) let you query by non-key attributes. The exam also probes SDK behaviors that cut across services - pagination over large result sets, exponential backoff and jitter on retryable errors, and reading configuration and credentials from the environment rather than hard-coding them - because these are the difference between code that works in a demo and code that survives production.

Amazon API Gateway is how a serverless application is exposed to the outside world, and the exam expects working knowledge of the developer-facing pieces. You should understand REST versus HTTP APIs and when each fits, the Lambda proxy integration (where the whole request arrives as an event and your function returns a statusCode/headers/body shape), resources and methods and path/query parameters, stages and stage variables for promoting a deployment, request and response mapping, throttling and usage plans with API keys, and CORS for browser callers. The mental model to carry is that API Gateway is the managed front door that authenticates, throttles, and routes HTTP requests to your Lambda (or other backends), so you reason about it as the boundary between clients and your code.

The event-driven and integration services are what turn individual functions into a system, and the exam tests choosing among them. Amazon S3 stores objects and can trigger Lambda on upload (a classic event source). Amazon SQS queues messages for reliable, decoupled processing (standard versus FIFO, visibility timeout, dead-letter queues for poison messages). Amazon SNS fans a message out to many subscribers (pub/sub). Amazon EventBridge routes events by rule from AWS services and your own applications onto an event bus. AWS Step Functions orchestrates multi-step workflows as a state machine with built-in retries, error handling, and branching. The recurring skill is matching a requirement - decouple a producer from a consumer, fan one event out to many, react to a file landing in S3, coordinate a multi-step process - to the right service, because the exam frames these as 'which service should the developer use' scenarios.

Study this domain by building a real serverless application and reading how each piece behaves, because DVA-C02 rewards developers who have written the code, not just read about it. The lab below uses AWS SAM to deploy a Lambda-plus-DynamoDB CRUD API in your OWN free-tier account: you write and read items with the SDK (boto3), read the table name from an environment variable, exercise the API through API Gateway, and (if you are past the 12-month API Gateway free window) invoke the Lambda directly instead. A hard billing boundary applies: use only an account you own, set a $5 billing alarm first, keep DynamoDB on PAY_PER_REQUEST so an idle table costs nothing, and run sam delete to remove everything. As always, read the official DVA-C02 exam guide for AWS's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Dva C02 Serverless Crud Lab

Deploy a Lambda-plus-DynamoDB CRUD API with AWS SAM in a free-tier account you own and exercise it through API Gateway Call the AWS SDK from Lambda, read configuration from an environment variable, and reason about the warm-versus-cold execution environment

Free tools

  • Your own free-tier AWS account
  • The AWS SAM CLI and AWS CLI
  • A terminal
  • A text editor

Steps

  1. Set a $5 billing alarm on your own account, confirm your identity, then build and deploy the SAM stack, reading how the template injects the table name as an environment variable.
  2. Exercise the CRUD API through API Gateway (POST then GET), and if you are past the 12-month API Gateway free window, invoke the Lambda directly instead to stay inside the always-free limits.
  3. Tear down the whole stack so nothing lingers or bills, then confirm nothing remains.

What you should see

Confirm the capture shows a SAM deploy in an account you own, a CRUD interaction where the SDK read and wrote DynamoDB (via API Gateway or a direct invoke), and a sam delete that removed every resource with a billing alarm in place.

Practice evidence maps to exam_domain_aws_certified_developer_associate_01

Stay safe & legal: Deploy and run this ONLY in a free-tier AWS account you own; never a work, school, employer, or client account. Set a $5 AWS Budgets billing alarm BEFORE you start, keep DynamoDB on PAY_PER_REQUEST and Lambda within the always-free 1M requests/month, use API Gateway within its 12-month-free window (or prefer aws lambda invoke if you are past it), and run sam delete to remove every resource - some services bill beyond the free tier. This lab grants no authorization to deploy into any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.

Check yourself

4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A Lambda function should process records from an SQS queue in batches, retry failed batches, and avoid custom polling code in the application. Which implementation detail should a Developer Associate candidate recognize?
Check 2. An application must create an order item only if the order ID does not already exist, preventing accidental overwrite during retries. Which DynamoDB write pattern fits this requirement?
Check 3. A REST endpoint should pass method, headers, path parameters, query string parameters, and body to a Lambda function so the function can handle routing logic. Which API Gateway integration should the developer understand?
Check 4. A service should react only when an order-created event has a specific source and detail type, then invoke downstream targets without tight coupling between producers and consumers. Which EventBridge concept is the key readiness signal?

Module 2 of 4 · domain 3 · 24% of scored content of the exam

Deployment

Study this second, right after development. At 24% it is the third-heaviest domain, and once you can build a serverless app the next natural act is to package and ship it: AWS SAM and CloudFormation, the CI/CD services (CodePipeline, CodeBuild, CodeDeploy), and the deployment strategies (canary, linear, all-at-once, blue/green) that get a change into production safely.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. AWS Certified Developer - Associate (DVA-C02) exam guide

This is the 'ship it safely' domain, and AWS weights it at 24% of DVA-C02. Once you can build a serverless application (Domain 1), the next act is getting a change from your machine into production without breaking anything - and this domain is the developer's toolkit for exactly that: infrastructure as code with AWS SAM and CloudFormation, continuous integration and delivery with the AWS developer tools, and the deployment strategies that control how a new version reaches live traffic. We study it second, before security, because having a real pipeline in place makes the rest of the exam concrete and gives you something to secure and observe.

Infrastructure as code with CloudFormation and AWS SAM is the domain's foundation. CloudFormation lets you declare your whole stack - functions, tables, roles, APIs - in a template that AWS provisions and manages as one unit, so an environment is repeatable and reviewable rather than hand-clicked. AWS SAM is a serverless-focused extension of CloudFormation: the AWS::Serverless::Function and AWS::Serverless::Api shorthand resources expand into full CloudFormation, and the SAM CLI (sam build, sam deploy, sam local) is the everyday developer workflow. The exam expects you to read a SAM/CloudFormation template, understand parameters, mappings, outputs, and intrinsic functions (Ref, Fn::Sub, Fn::GetAtt), and know that a change set previews what a deployment will do before it does it. AWS Elastic Beanstalk (for whole-application deployment) and container deployment on Amazon ECS are also in scope as alternative deployment models.

The AWS CI/CD developer tools are the pipeline, and the exam tests knowing what each does. AWS CodePipeline models the release process as stages (source, build, test, deploy) that a change flows through automatically. AWS CodeBuild compiles, tests, and packages your code, driven by a buildspec.yml file. AWS CodeDeploy handles the actual rollout to compute - and for Lambda it is what performs the traffic-shifting deployment strategies. (AWS CodeCommit and other source options feed the source stage.) The clean mental model is that CodePipeline orchestrates, CodeBuild builds, and CodeDeploy deploys, and the exam frames these as 'which service handles this stage' questions and 'what does this buildspec/appspec do' questions.

Deployment strategies are where the domain gets sharp, and they are heavily tested because they map directly to real risk. For Lambda, CodeDeploy (and SAM's DeploymentPreference) can shift traffic gradually: canary (a small percentage first, then the rest after a bake window - for example Canary10Percent5Minutes), linear (equal increments on a schedule), or all-at-once (everything immediately, no gradual shift). The power of gradual shifting is automatic rollback: you attach a CloudWatch alarm to the deployment, and if the new version trips the alarm during the bake window, CodeDeploy rolls back to the last known-good version without human intervention. For servers and containers there are blue/green (stand up a parallel environment and switch) and rolling deployments, and for Elastic Beanstalk there are all-at-once, rolling, rolling-with-additional-batch, and immutable options. The exam expects you to match a risk tolerance to a strategy - and to recognize that a canary with an alarm is the safe default for a change you are not fully sure of.

Versioning and configuration management tie the domain together. Lambda versions are immutable snapshots of your code, and aliases (like live or prod) are named pointers to a version that you can shift traffic across - which is exactly what a canary deployment manipulates. Environment variables carry configuration into a function, and Systems Manager Parameter Store and AppConfig let you manage configuration and feature flags outside the deployment package so you can change behavior without redeploying. The exam rewards understanding that immutable versions plus movable aliases are what make safe, reversible Lambda deployments possible, and that separating configuration from code is what lets you promote the same artifact through environments.

Study this domain by running a real safe deployment and watching a rollback happen, because DVA-C02 tests the deployment-strategy tradeoffs directly. The lab below, in your OWN free-tier account, deploys a Lambda with a SAM DeploymentPreference of Canary10Percent5Minutes wired to a CloudWatch Errors alarm: you deploy a healthy v1, then deliberately break the function and redeploy so that during the 5-minute canary bake the alarm trips and CodeDeploy automatically rolls back to v1 - no hands needed - and you compare against AllAtOnce. Lambda, CodeDeploy-for-Lambda, and the first 10 CloudWatch alarms are free-tier for this tiny workload; set a $5 billing alarm first and run sam delete in teardown. As always, read the official DVA-C02 exam guide for AWS's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Dva C02 Canary Deploy Lab

Deploy a Lambda with a SAM canary DeploymentPreference wired to a CloudWatch alarm in a free-tier account you own Trigger and observe an automatic CodeDeploy rollback on a bad deploy, and contrast canary with all-at-once

Free tools

  • Your own free-tier AWS account
  • The AWS SAM CLI and AWS CLI
  • A terminal
  • A text editor

Steps

  1. Set a $5 billing alarm and confirm your account, then deploy the healthy v1 and read how the canary DeploymentPreference and the Errors alarm are wired to the live alias.
  2. Flip FAIL_ON_PURPOSE to True and redeploy, drive a little traffic during the 5-minute bake so the Errors alarm trips, and watch CodeDeploy roll back to v1 automatically; inspect the deployment history.
  3. Revert FAIL_ON_PURPOSE to False, optionally switch DeploymentPreference to AllAtOnce to see there is no bake window, then tear the whole stack down.

What you should see

Confirm the capture shows a canary deployment with a CloudWatch alarm, a deliberately broken redeploy whose alarm tripped during the bake window, an automatic CodeDeploy rollback to v1 in the deployment history, and a sam delete teardown in an account you own.

Practice evidence maps to exam_domain_aws_certified_developer_associate_03

Stay safe & legal: Deploy and run this ONLY in a free-tier AWS account you own; never a work, school, employer, or client account. Set a $5 AWS Budgets billing alarm BEFORE you start. Lambda, CodeDeploy-for-Lambda, and the first 10 CloudWatch alarms are free-tier for this tiny workload; a CodePipeline is free for 30 days then about $1/month, so delete it after. Some services bill beyond the free tier - run sam delete to remove every resource. This lab grants no authorization to deploy into any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.

Check yourself

4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A serverless application includes Lambda functions, API Gateway routes, and permissions that should be packaged and deployed as infrastructure from a template. Which AWS developer tool should the candidate recognize?
Check 2. A Lambda release should send a small percentage of traffic to the new version, watch alarms, and automatically roll back if errors spike. Which deployment capability supports this?
Check 3. Before a production stack update, the team wants to inspect whether a database resource will be replaced. Which CloudFormation feature should be part of the deployment readiness check?
Check 4. A release workflow should build the artifact automatically but require a human approval before production deployment. Which CodePipeline stage action should the developer understand?

Module 3 of 4 · domain 2 · 26% of scored content of the exam

Security

Study this third (after Domain 1 development and Domain 3 deployment). At 26% it is the second-heaviest domain and a genuine exam bright line: least-privilege IAM roles and policies, Amazon Cognito for user authentication, and the secrets and encryption services (Secrets Manager, KMS, STS) that keep credentials out of code. Study it once you have an application and a pipeline to secure.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. AWS Certified Developer - Associate (DVA-C02) exam guide

This is the 'lock the application down' domain, and AWS weights it at 26% - the second-heaviest slice of DVA-C02. It is where a working, deployed application becomes a safe one: the developer's job here is to authenticate and authorize both the application's own components and its end users, and to keep secrets and encryption keys out of code and out of source control. It is a genuine exam bright line - many questions hinge on the difference between an approach that follows least privilege and one that is convenient but over-permissive - so it earns real study time even though we take it third, after you have something built and shippable to secure.

IAM authentication and authorization is the domain's core, and least privilege is the idea the exam returns to again and again. You should be able to distinguish IAM users (long-lived identities, generally for humans) from IAM roles (assumed temporarily, the right way for AWS services and applications to get permissions), and understand that a Lambda function should run under an execution role scoped to exactly the actions and resources it needs. You should read and write IAM policy JSON fluently: the Effect/Action/Resource/Condition structure, the difference between identity-based and resource-based policies, and how a policy that grants dynamodb:GetItem and dynamodb:PutItem on one specific table ARN is dramatically safer than one granting dynamodb:* on Resource:*. The exam rewards recognizing the least-privilege version of a policy and spotting the over-broad one, so practice narrowing actions and resources to the minimum.

Temporary credentials and cross-account access run on AWS STS, and the exam expects you to reason about them. AWS Security Token Service issues short-lived credentials, and AssumeRole is how a principal takes on a role's permissions for a bounded time - the mechanism behind a Lambda getting its execution-role permissions, a user switching roles, and cross-account access. The clean idea to carry is that temporary, automatically rotated credentials from a role are strongly preferred over long-lived access keys embedded in code or configuration, because they limit the blast radius of a leak and never need to be manually rotated.

Authenticating end users is Amazon Cognito's job, and it is a heavily tested developer topic. A Cognito user pool is a user directory that handles sign-up, sign-in, and issues standards-based JSON Web Tokens (an ID token and an access token) your application and API Gateway can verify; identity pools (federated identities) then exchange those tokens for temporary AWS credentials so a signed-in user can call AWS services directly with scoped permissions. The exam expects you to know the split - user pools authenticate users and mint JWTs, identity pools grant AWS access - and to recognize how a Cognito authorizer on API Gateway rejects an unauthenticated request (401) while allowing one that presents a valid token (200). That authenticated-versus-unauthenticated behavior is exactly what the lab below has you prove.

Protecting secrets and data at rest and in transit rounds out the domain. AWS Secrets Manager stores and rotates secrets (database passwords, API keys) so they never live in code or environment variables in plaintext; Systems Manager Parameter Store is the lighter-weight alternative for configuration and (with SecureString) secrets. AWS KMS manages encryption keys and performs envelope encryption, and the exam expects you to understand that services like S3, DynamoDB, and EBS integrate with KMS to encrypt data at rest, while TLS protects data in transit. The habit the exam rewards is never hard-coding a secret: fetch it at runtime from Secrets Manager or Parameter Store, encrypt sensitive data with a KMS key, and let IAM control who can use that key.

Study this domain by writing a least-privilege policy by hand and proving an auth boundary actually holds, because DVA-C02 tests the security bright line directly. The lab below, in your OWN free-tier account, has two parts: attach an IAM policy that grants ONLY GetItem and PutItem on the single table ARN (so a Scan is correctly DENIED - AccessDenied is the success signal), then stand up a Cognito user pool, obtain a JWT, and confirm the API returns 401 without the token and 200 with it. IAM and Cognito (first 50,000 monthly active users) are always-free; set a $5 billing alarm first and delete the pool and detach the policy in teardown. As always, read the official DVA-C02 exam guide for AWS's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Dva C02 Iam Cognito Lab

Attach a hand-written least-privilege IAM policy scoped to one table ARN and prove an out-of-scope Scan is denied Stand up a Cognito user pool, obtain a JWT, and confirm the API returns 401 without the token and 200 with it, in an account you own

Free tools

  • Your own free-tier AWS account
  • The AWS CLI
  • A terminal
  • A text editor

Steps

  1. Set a $5 billing alarm and confirm your account, then fill in and attach the least-privilege policy to the Lambda execution role and reason about why an out-of-scope Scan is denied.
  2. Create a Cognito user pool and app client, create a throwaway user, obtain a JWT, attach the pool as an API authorizer, and confirm 401 without the token and 200 with it.
  3. Tear down the security resources so nothing lingers or bills, then confirm nothing remains.

What you should see

Confirm the capture shows a hand-written least-privilege policy where an out-of-scope Scan is denied, a Cognito-protected API returning 401 without a JWT and 200 with one, and a teardown deleting the pool and policy in an account you own.

Practice evidence maps to exam_domain_aws_certified_developer_associate_02

Stay safe & legal: Run this ONLY in a free-tier AWS account you own; never a work, school, employer, or client account. Set a $5 AWS Budgets billing alarm BEFORE you start. IAM and Amazon Cognito user pools (first 50,000 monthly active users) are always-free, but some services bill beyond the free tier, so delete the Cognito pool, detach the policy, and sam delete any remaining stack in teardown. Use only throwaway credentials for the test user. This lab grants no authorization to change IAM or auth on any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.

Check yourself

4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A Lambda function needs to read one DynamoDB table and write logs, but it should not receive broad administrator permissions. What should the developer configure?
Check 2. Application code needs a database password at runtime without storing the password in source control or plaintext environment variables. Which AWS pattern should the developer use?
Check 3. A Lambda function uses sensitive environment variables, and the team wants explicit control over the KMS key used for encryption at rest. Which setting is relevant?
Check 4. A user-facing API should accept requests only from authenticated users in an Amazon Cognito user pool, with API Gateway validating the token before invoking backend logic. Which API Gateway security control fits?

Module 4 of 4 · domain 4 · 18% of scored content of the exam

Troubleshooting and Optimization

Study this last. At 18% it is the smallest slice by weight and the one that most needs a working, deployed, secured application as its subject: you cannot meaningfully read X-Ray traces, hunt cold starts in CloudWatch Logs, or tune Lambda memory until you have a normal baseline to compare against. NOTE: the X-Ray SDKs/daemon entered maintenance mode 2026-02-25 (AWS recommends OpenTelemetry), but X-Ray concepts are still tested.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. AWS Certified Developer - Associate (DVA-C02) exam guide

This is the 'find out why it is slow or broken, and make it better' domain, and AWS weights it at 18% - the smallest slice of DVA-C02, and the one we study last because it needs a real, running application as its subject. Troubleshooting and optimization is the day-two developer skill: reading logs and traces to diagnose a failure, understanding the performance characteristics of the services you built on, and tuning them for cost and speed. You cannot practice it in a vacuum, which is exactly why it comes after you have built (Domain 1), deployed (Domain 3), and secured (Domain 2) an application to observe.

Observability with CloudWatch is the domain's backbone. Amazon CloudWatch Logs captures your function's output, and the single most useful habit is structured (JSON) logging, because CloudWatch Logs Insights can then parse fields and let you run queries like stats avg(@duration), max(@duration) by field over your logs - turning a wall of text into answerable questions. CloudWatch Metrics track service health (Lambda Errors, Throttles, Duration, ConcurrentExecutions; DynamoDB throttling; API Gateway 4xx/5xx), CloudWatch Alarms fire on thresholds (and, as you saw in Domain 3, can drive an automatic deployment rollback), and CloudWatch dashboards visualize it all. The exam expects you to know which metric answers which question and how to reach for Logs Insights to find the needle in the logs.

Distributed tracing with AWS X-Ray is the domain's diagnostic tool for serverless applications - and it carries an important currency caveat. X-Ray traces a request as it flows across services (API Gateway to Lambda to DynamoDB), producing a service map and per-segment timing so you can see WHERE latency or errors occur across a distributed call. You enable it on Lambda with active tracing. The caveat: the X-Ray SDKs and the X-Ray daemon entered MAINTENANCE MODE on 2026-02-25 - they receive security patches only, and AWS now recommends the AWS Distro for OpenTelemetry (ADOT) for new instrumentation, often paired with CloudWatch Application Signals. But X-Ray CONCEPTS remain in the DVA-C02 scope, so you should still learn tracing, the service map, and trace analysis (which the lab does with active tracing, no SDK required), while knowing that OpenTelemetry is the forward direction the ecosystem is moving toward. Study the concepts; note the migration.

Performance optimization is where the domain gets concrete, and Lambda cold starts and memory tuning are the headline topics. A cold start is the extra latency the first invocation of a new execution environment pays to initialize your code and runtime; you reduce its impact by keeping initialization cheap, creating SDK clients OUTSIDE the handler for reuse across warm invocations (as Domain 1's function does), and - when latency must be predictable - using provisioned concurrency to keep environments warm. Lambda memory is the key tuning knob: more memory also gives more CPU, so a compute-bound function can actually run faster AND cheaper at a higher memory setting because it finishes sooner - a counterintuitive result the exam loves. The lab has you measure this directly by comparing 128MB against 512MB.

Optimizing the data and caching layers rounds out the domain. On DynamoDB, the recurring optimization is to Query on keys rather than Scan the whole table, to design keys that avoid hot partitions, and to reach for DynamoDB Accelerator (DAX) or ElastiCache when read latency must drop further. On API Gateway, response caching reduces backend calls. The general throttling-and-retry discipline you met in Domain 1 - exponential backoff with jitter on retryable errors, and understanding provisioned versus on-demand capacity - is also an optimization lens here. The exam rewards recognizing the efficient access pattern and the caching layer that fits, and knowing that the cheapest, fastest request is often the one you never make because a cache answered it.

Study this domain by instrumenting a real function and reading what it tells you, because DVA-C02 tests diagnosis and tuning you can actually perform. The lab below, in your OWN free-tier account, enables X-Ray active tracing and structured JSON logging on a small workload function, invokes it about 20 times, then reads the X-Ray service map, runs a CloudWatch Logs Insights query for cold-start init duration and warm duration, and bumps memory from 128MB to 512MB to compare. Lambda is always-free (1M requests), CloudWatch Logs gives 5GB free, and X-Ray gives 100,000 traces/month free; set a $5 billing alarm first and run sam delete in teardown. The lab uses active tracing (no SDK) precisely because the X-Ray SDK is in maintenance mode - you learn the concepts the exam still tests while respecting the OpenTelemetry direction. As always, read the official DVA-C02 exam guide for AWS's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Dva C02 Observability Lab

Enable X-Ray active tracing and structured logging on a Lambda in a free-tier account you own and read the service map and Logs Insights results Measure cold-start init duration and compare Lambda duration at 128MB versus 512MB to see the memory-CPU tradeoff

Free tools

  • Your own free-tier AWS account
  • The AWS SAM CLI and AWS CLI
  • A terminal
  • A text editor

Steps

  1. Set a $5 billing alarm and confirm your account, then deploy the function with X-Ray active tracing on at 128MB and generate about 20 invocations so there is data to analyze.
  2. Read the X-Ray service map for the request path and latency, then run the CloudWatch Logs Insights query to see average/max duration and average init (cold-start) duration.
  3. Bump memory from 128MB to 512MB, invoke about 20 more times, re-run the query to compare durations, then tear the stack down.

What you should see

Confirm the capture shows an X-Ray service map, a Logs Insights query returning warm and cold-start (init) duration, a 128MB-versus-512MB duration comparison, and a sam delete teardown in an account you own, with X-Ray used via active tracing per the maintenance-mode note.

Practice evidence maps to exam_domain_aws_certified_developer_associate_04

Stay safe & legal: Deploy and run this ONLY in a free-tier AWS account you own; never a work, school, employer, or client account. Set a $5 AWS Budgets billing alarm BEFORE you start. Lambda is always-free (1M req), CloudWatch Logs gives 5GB free, and X-Ray gives 100,000 traces/month free; some services bill beyond the free tier, so run sam delete to remove every resource. This lab grants no authorization to deploy into any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.

Check yourself

3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A production Lambda function has intermittent failures, and developers need to search recent logs by request ID and aggregate error counts without exporting the data. Which AWS tool should they use?
Check 2. A request crosses API Gateway, Lambda, and DynamoDB, but aggregate metrics do not show which segment causes latency. Which observability signal should the developer add?
Check 3. A function receives throttling errors during traffic spikes, and the team must decide whether reserved concurrency, provisioned concurrency, or upstream backpressure is appropriate. Which Lambda topic is being tested?

Before you book the exam

Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.

Exam facts (cited)

A free, source-cited study companion built on AWS's published DVA-C02 exam guide, for independent study only. It is not official training, is not affiliated with or endorsed by AWS or Amazon, and is not a pass guarantee. DVA-C02 is an Associate-level exam, not a first certification: it assumes roughly one year of hands-on AWS development plus programming proficiency (the exam uses SDK code and pseudocode), so begin with AWS fundamentals (CLF-C02) and a programming language if either is new to you. Every hands-on lab here runs only in your OWN AWS free-tier account (never a work or school account), behind a hard billing boundary - set a $5 billing alarm before you start, stay inside the always-free limits, and run the teardown (sam delete) so every resource is removed. Verify the current objectives on the official exam guide before your exam.

Sources used on this page

Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Amazon Web Services.