DVA-C02 Sprint Dashboard

All-at-once = fastest, downtime. Rolling = batches, reduced capacity. Rolling with additional batch = no capacity loss. Immutable = new instances, safest, slowest. Blue/Green = swap URL, instant rollback. "Full capacity throughout" = Immutable OR Rolling with additional batch (your Q30 miss).

Worker tier periodic tasks require exactly cron.yaml in the source bundle root. Not cron.config, not appspec.yaml. Write it out 3 times if needed — this is a pure memorization question.

.ebextensions/ folder in source bundle root. Files end in .config. Used to configure environment (install packages, run commands, set env vars). Different from cron.yaml.

For every deployment mode question — write out which modes maintain full capacity before picking an answer.

AppSpec.yaml for Lambda specifies: (1) function name, (2) the version to deploy, (3) validation hooks. The version is declared IN the AppSpec file — not via aliases. Aliases are for traffic routing, not version declaration in CodeDeploy.

All-at-Once = 100% traffic shifted instantly. Canary = small % first (e.g. 10% for 10 min) then rest. Linear = gradual equal increments over time. "Instantaneously" in any question = All-at-Once. Every time.

appspec.yml hooks run in this order. ValidateService is the last hook — used to verify deployment worked. Know which hooks you can use to run scripts.

buildspec.yml phases: install → pre_build → build → post_build. CodePipeline stages: Source → Build → Test → Deploy. Artifacts pass between stages via S3.

For every traffic shifting Q — write All-at-Once / Canary / Linear meanings before reading options.

Standard metrics = 1-minute minimum. High-resolution custom metrics = 1-second granularity, alarms every 10 or 30 seconds. "Monitor every 10 seconds" = high-resolution custom metric. CloudTrail = API logging, not monitoring metrics.

IteratorAge = age of the last record in each batch Lambda reads from Kinesis. High IteratorAge = Lambda falling behind, records aging toward retention limit. Throttles = invocations exceeding concurrency. ConcurrentExecutions = aggregate across all functions. "Data not delivered fast enough from Kinesis" = IteratorAge.

Log Insights = query language for logs. Subscription filters stream logs to Lambda, Kinesis, or Firehose in real-time. Metric filters extract metric data from log events.

Lambda has X-Ray daemon built in — you don't install it. To enable: (1) add AWSXRayWriteOnlyAccess to the Lambda execution role, (2) enable active tracing in Lambda config. No daemon install needed. No "X-Ray function" — it's the X-Ray service.

Watch for CloudTrail vs CloudWatch confusion — CloudTrail = API calls audit log, CloudWatch = metrics/logs/alarms.

Multiple consumers getting same message = visibility timeout expired before processing finished. Fix = INCREASE visibility timeout via ChangeMessageVisibility API. UpdateMessageVisibility does not exist. Decreasing makes it worse.

Standard = at-least-once, best-effort ordering. FIFO = exactly-once, ordered, 3000 msg/s. DLQ = after MaxReceiveCount failures. Delay queue = postpone delivery up to 15 min.

Parameters = values passed INTO template at runtime. Outputs = values exported FROM stack. Metadata = extra template info. Transform = SAM declaration. "Base creation on runtime values" = Parameters section every time.

Projection Expression = which attributes to return. Filter Expression = filter results after read (still consumes RCU). Condition Expression = conditional writes. Update Expression = how to modify an item. "Return only Colour and Size" = Projection Expression.

Task role = IAM permissions for the container (assign per task, not instance). Instance role = for the EC2 host running ECS. By default containers CAN access instance profile credentials — security risk. Block with ECS_AWSVPC_BLOCK_IMDS=true. Network isolation between containers = Security Groups on EC2 instances.

GSI does NOT support ConsistentRead=true. Attempting it throws a ValidationException. For "latest results with least RCU on GSI" = Query with EventualRead. Eventual reads cost half the RCU of consistent reads.

Method request/response = frontend (client-facing side). Integration request/response = backend (how API GW talks to Lambda/backend). "Control front-end API behavior" = Method request + Method response. Never pick Integration for front-end questions.

AllowedOrigin = which domains. AllowedMethod = which HTTP methods (GET/PUT/POST/DELETE/HEAD). AllowedHeader = which request headers. MaxAgeSeconds = preflight cache duration. "Only allow GET" = AllowedMethod element.

Sync = API GW calls Lambda directly, waits for response. Async = S3/SNS triggers, Lambda retries on failure. Event source mapping = SQS/Kinesis polling, Lambda reads batches. Error behavior differs for each.

Default 1000 concurrent limit (soft, per region). Reserved = cap + guarantee for that function. Provisioned = eliminates cold start. Throttled = 429 error returned to caller.

Versions = immutable snapshots. Aliases = mutable pointer to version (used for blue/green Lambda). Layers = shared code/dependencies across functions. Alias weighted routing = canary deployments.

Minimum viable day. Keep the streak alive.

Week 1 benchmark. Target 58–65% — you've now covered your actual gaps. Compare domain scores to your Day 1 diagnostic. Deployment should be up from 31%.

Explicit deny always wins. If no explicit allow → implicit deny. Resource-based policy on S3 allows cross-account without assuming a role.

Never embed credentials in code — attach an IAM role. Cross-account: Account A assumes role in Account B using sts:AssumeRole. Trust policy controls who can assume.

Permission boundary = max permissions an entity can have (caps what SCPs/policies can grant). Used to delegate admin safely.

Common trap: "Deny in SCP but Allow in identity policy → what happens?" Deny wins.

User Pool = sign up / sign in, returns JWT. Identity Pool = exchange token for temporary AWS credentials (IAM). Exam loves asking which one to use. Tip: if they say "authenticate", User Pool. If they say "access AWS resources", Identity Pool.

Envelope encryption = KMS encrypts a data key, data key encrypts the data. GenerateDataKey returns plaintext + encrypted copy. You encrypt data locally, send encrypted data key alongside. KMS never sees your data.

Unlike IAM, KMS key policy must explicitly allow the account root — otherwise even admin can't use the key. Grants = programmatic temp access to a key.

Secrets Manager = designed for secrets, auto-rotates (uses Lambda), costs money. Use when: DB credentials that need automatic rotation.

Parameter Store = free (Standard tier), no auto-rotation, can use KMS to encrypt (SecureString). Use for config/non-secret params. Exam decision: need rotation? Secrets Manager. Just storing config? Parameter Store.

SSE-S3 = AWS manages key (AES-256). SSE-KMS = you own key in KMS, audit trail in CloudTrail. SSE-C = you provide key per request (AWS doesn't store it). Client-side = encrypted before upload.

Git-compatible hosted repo. Auth via HTTPS (Git credentials) or SSH. Triggers → SNS/Lambda. Note: AWS announced CodeCommit end-of-new-customer enrollment but it's still in DVA-C02 scope.

buildspec.yml is the critical config file. Phases: install → pre_build → build → post_build. Artifacts go to S3. Cache dependencies to speed up builds. Env vars from Parameter Store/Secrets Manager.

appspec.yml controls lifecycle hooks: BeforeInstall, AfterInstall, ApplicationStart, ValidateService. Deployment types: In-place (EC2/on-prem), Blue/Green (EC2 + Lambda + ECS). Lambda: linear or canary traffic shifting.

Pipeline = source → build → test → deploy stages. Each stage has actions. Artifacts pass between stages via S3. Manual approval action pauses for human sign-off. EventBridge triggers on state changes.

Deployment modes: all-at-once (fastest, downtime), rolling, rolling with additional batch (no capacity loss), immutable (safest, double capacity briefly), blue/green (swap URLs). Worker vs Web tier.

DeletionPolicy: Retain (keep resource), Snapshot (RDS), Delete. Cross-stack: Export + Fn::ImportValue. Nested stacks = reusable templates. Change sets = preview changes before applying.

SAM template requires: Transform: AWS::Serverless-2016-10-31 at top. Shorthand resource types: AWS::Serverless::Function, ::Api, ::Table. SAM CLI: sam local invoke for local testing.

Custom metrics need CloudWatch agent. Log Insights = query language for logs. Alarm states: OK, ALARM, INSUFFICIENT_DATA. Composite alarms = combine multiple. Log Subscription Filters → Kinesis/Lambda.

X-Ray daemon receives UDP data from SDK and batches to X-Ray service. Annotations = indexed key-value (filterable in console). Metadata = not indexed. Sampling rules reduce cost — only trace % of requests.

CloudTrail logs API calls (who did what when). Management events on by default. Data events (S3 object access, Lambda invocations) must be enabled — cost extra. CloudTrail Insights detects unusual API activity.

Exam conditions: no pausing, phone away, no looking things up. Flag uncertain Qs and move on.

Which domain is still your weakest? That becomes Week 3 priority #1. Write it down.

If security: re-watch Cognito or KMS. If deploy: re-watch CodeDeploy strategies. If dev: Lambda concurrency. Don't open new topics — reinforce what's already shaky.

TutorialsDojo explanations are excellent — read every explanation, not just for wrong answers.

Fargate = serverless containers (no EC2 to manage). EC2 launch type = you manage host. Task role = IAM permissions for the container (not the host). Task execution role = allows ECS to pull from ECR and log to CloudWatch.

"Most scalable / serverless" → Lambda + DynamoDB. "Lowest operational overhead" → Fargate or managed service. "Most secure / least privilege" → IAM least-privilege + KMS. "Decouple / async" → SQS / SNS / EventBridge. Practice spotting these in 20 random Qs.

TutorialsDojo is scenario-heavier and closer to the real exam tone than Whizlabs. Use elimination strategy on every Q.

Look for clusters: if 4 Qs all missed on "CodeDeploy lifecycle hooks" that's a signal. Note exactly which concept tripped you.

Maarek video (1 section max, 15 min) + 20 focused Qs on that service. Do not open anything new today.

SQS vs SNS · Secrets Manager vs Parameter Store · User Pool vs Identity Pool · X-Ray annotations vs metadata · SAM vs CDK · CodeBuild vs CodeDeploy · SSE-KMS vs SSE-S3 · Lambda sync vs async · Fargate vs EC2 launch type · GSI vs LSI

Tripwire: if you hit 72%+ today, book the exam. If below 70%, add 3 more days of targeted drilling before scheduling.

AWS DVA-C02 on Pearson VUE. Pick a date 2 days from now. Booking it creates real commitment.

This is more valuable than a timed exam right now. The goal is calm, not performance.

Pull out the sheet from Day 1. Most of those gaps should feel covered. The ones that still feel shaky — quickly note which Maarek video covers it for a final pass tomorrow morning.

20 min max. No opening new material. No watching videos. Your brain needs retrieval mode, not intake mode.

Tactic 1: Find the constraint keyword in every scenario (cost / latency / decouple / secure / scalable). Tactic 2: Eliminate 2 obviously wrong answers first. Tactic 3: Flag and move if stuck > 2 min — come back. 15 Qs are unscored research questions — don't panic on weird ones.

DVA-C02 belongs on both your Lane A and Lane B resumes. It signals you can build and ship on AWS, not just architect it.