4.3 Common Traps & Final Review

High-confusion pairs

Most wrong answers on DVA-C02 come from confusing two similar services. Memorize the single deciding distinction for each pair below.

Other classic traps

• API keys are not authentication — they meter usage plans; real auth is IAM SigV4, a Cognito authorizer, or a Lambda authorizer.
• Filter expressions do not save read capacity — DynamoDB reads the items matching the key first, then discards filtered items; you still pay RCU for what was read.
• GSIs are eventually consistent and can be added anytime; LSIs can be strongly consistent but must be created with the table and share its partition.
• Explicit Deny always wins in IAM evaluation; no Allow can override it.
• SQS visibility timeout should exceed the Lambda timeout (default 30 s vs Lambda max 15 min) to avoid a second consumer reprocessing an in-flight message.
• Lambda env vars are encrypted at rest with KMS, but a plaintext value is still readable by anyone with GetFunctionConfiguration — use Parameter Store or Secrets Manager for secrets.
• CodeDeploy hooks differ by compute — BeforeAllowTraffic/AfterAllowTraffic for Lambda and ECS; ApplicationStop/ValidateService for EC2/on-premises.

Exam-taking tactics

1. Read the qualifier last: "MOST cost-effective," "LEAST operational overhead," or "with no code change" usually decides between two technically correct answers.
2. Count required answers on multiple-response items ("choose TWO"); these have five or more options and you must select exactly the number asked.
3. Eliminate impossible options first (wrong service layer, retired feature, made-up API name).
4. Watch keywords: "ordering/exactly-once" then FIFO; "temporary AWS credentials" then STS/identity pool; "rotate" then Secrets Manager; "microsecond" then DAX; "trace across services" then X-Ray; "fan-out" then SNS.
5. Flag and return — unanswered questions score as incorrect and there is no guessing penalty, so never leave one blank.

Final-week checklist & logistics

• Exam logistics (verified June 2026): 65 questions total — 50 scored plus 15 unscored; 130 minutes; scaled score 100-1,000 with a 720 pass mark; registration fee 150 USD; vendor Pearson VUE or PSI, online or test center.
• Domain weights: Development with AWS Services 32%, Security 26%, Deployment 24%, Troubleshooting and Optimization 18% (compensatory scoring — you only need to pass the overall exam).
• Lambda limits: 15-min max timeout, 6 MB synchronous / 256 KB asynchronous payload, 512 MB-10 GB /tmp, 128 MB-10,240 MB memory.
• IAM evaluation order: implicit deny then explicit allow, but explicit deny always wins.
• CodeDeploy traffic shifting: all-at-once, canary, linear; use blue/green for instant rollback.
• Caching layers: API Gateway (HTTP responses), CloudFront (edge), ElastiCache (any data), DAX (DynamoDB reads only).
• X-Ray: annotations are searchable, metadata is not; enable active tracing on Lambda.

Deployment & CI/CD facts worth a quick re-read

Deployment is 24% of the exam, so lock down these specifics. CodeDeploy for Lambda and Amazon ECS shifts traffic via aliases using Canary (e.g. Canary10Percent5Minutes), Linear (e.g. Linear10PercentEvery1Minute), or AllAtOnce; a CloudWatch alarm during the shift triggers an automatic rollback. CodePipeline orchestrates stages (Source, Build, Deploy); CodeBuild runs the buildspec.yml. The AWS SAM template.yaml plus sam deploy packages serverless apps; AutoPublishAlias and DeploymentPreference wire SAM into CodeDeploy canaries.

Security & API facts to memorize

• STS AssumeRole returns temporary credentials (default 1 hour, max 12 hours); cross-account access uses a role with a trust policy, never long-lived keys.
• KMS encrypts data keys via envelope encryption; for objects over 4 KB you encrypt a data key, not the payload directly.
• S3 presigned URLs grant time-limited object access inheriting the signer's permissions — the right answer for "let a browser upload/download without AWS credentials."
• API Gateway supports IAM (SigV4), Cognito, and Lambda (TOKEN/REQUEST) authorizers; CORS errors are a separate, common troubleshooting item — enable CORS on the resource and return the right Access-Control-Allow-* headers.

Final-day routine

Sleep, arrive early, and budget about two minutes per question (130 minutes divided by 65 questions). Make one decisive pass, flag anything that takes more than about 90 seconds, and use the remaining time on flagged items. Trust the keyword mapping above before second-guessing a sound first instinct, and remember the scoring is compensatory — a weak domain cannot fail you if your overall scaled score reaches 720. If two options both seem correct, the differentiator is almost always the qualifier in the stem, so reread it once before committing.

Watch for out-of-scope distractors such as VPC design, IAM user administration, or building pipelines from scratch — those are explicitly outside the target candidate's job tasks and rarely the intended answer on a developer-role exam.