DVA-C02 Diagnostic — Gap Log

Completed Sun 28 Jun 2026 · 32/65 correct · 49.23% · 44 min (rushed) · 33 wrong answers catalogued

5/16 · Deployment — 31% ← PRIORITY 1
4/11 · Troubleshooting — 36% ← PRIORITY 2
11/18 · Security — 61%
12/20 · Development — 60%

Sprint adjustment — flip the plan

The original dashboard had Security in Week 1 and Deployment in Week 2. Your numbers say the opposite. Deployment (31%) and Troubleshooting (36%) are bleeding the most points. Security (61%) and Development (60%) are your stronger domains — shore up, don't start there. The sprint dashboard day order has been adjusted below.

Where the points went — by service/concept

Beanstalk deployment modes · 3 wrong · Q18, Q30, Q34
CodeDeploy (Lambda/ECS) · 3 wrong · Q25, Q34, Dep Qs
CloudWatch metrics/alarms · 2–3 wrong · Q10, Q21
SQS visibility timeout · 1–2 wrong · Q11
DynamoDB GSI/read consistency · 1–2 wrong · Q26
KMS envelope encryption · 1 wrong · Q9
X-Ray + Lambda setup · 1 wrong · Q24
API Gateway (frontend vs backend) · 1 wrong · Q29
ECS IAM roles (task vs instance) · 1 wrong · Q28, Q33
S3 CORS config elements · 1 wrong · Q13
DynamoDB projection expressions · 1 wrong · Q4
CloudFormation Parameters section · 1 wrong · Q12

Adjusted sprint priority order (update in dashboard)

D2 Beanstalk deployment modes — all 5 types cold (was D12)
D3 CodeDeploy — AppSpec, Lambda/ECS strategies, All-at-Once vs Canary vs Linear
D4 CloudWatch — high-resolution metrics, alarm periods, IteratorAge for Kinesis+Lambda
D5 SQS visibility timeout mechanics + CloudFormation Parameters (quick wins)
D6 ECS IAM roles (task role vs instance role) + X-Ray with Lambda setup
D7 DynamoDB GSI read consistency + KMS envelope encryption
D8+ Security domain (already 61% — maintain, don't overindex)

All 33 wrong answers — what you missed and the one-line fix
Q4
Troubleshooting · DynamoDB
DynamoDB Projection Expressions vs Expression Attribute Names
You picked: Expression Attribute Names · Correct: Projection Expressions
Fix: Projection Expression = specify which attributes to return from a query/scan. Expression Attribute Names = alias for reserved words or special characters in expressions. "Return Colour and Size" = Projection Expression.
→ Covered: D7 (DynamoDB deep dive)
Q9
Security · KMS
KMS Envelope Encryption — correct sequence
You picked: Use CustomerMasterKey to encrypt data directly · Correct: GenerateDataKey → encrypt locally → delete plaintext key
Fix: You never encrypt data directly with KMS CMK — it's too slow and has size limits. The pattern is: (1) GenerateDataKey → get plaintext + encrypted data key, (2) encrypt data locally with plaintext key, (3) delete plaintext key from memory, (4) store encrypted data key with the ciphertext. This is envelope encryption.
→ Covered: D7 (KMS envelope encryption)
Q10
Troubleshooting · CloudWatch
CloudWatch metric resolution for 10-second monitoring intervals
You picked: Create a custom CloudTrail log · Correct: High-resolution custom CloudWatch metric
Fix: Standard CloudWatch metrics = 1-minute minimum period. High-resolution custom metrics = 1-second granularity, alarms can trigger every 10 or 30 seconds. CloudTrail = API activity logging, not monitoring. For "10-second trigger" → always high-resolution CloudWatch metric.
→ Covered: D4 (CloudWatch high-resolution metrics)
Q11
Troubleshooting · SQS
SQS Visibility Timeout — correct API to change it
You picked: Decrease visibility timeout using ChangeMessageVisibility · Correct: Increase using ChangeMessageVisibility
Fix: Multiple consumers processing the same message = visibility timeout expired before processing completed. Fix = INCREASE visibility timeout so message stays hidden while being processed. API = ChangeMessageVisibility. UpdateMessageVisibility does not exist.
→ Covered: D5 (SQS mechanics)
Q12
Deployment · CloudFormation
CloudFormation runtime values — which section to use
You picked: Outputs section · Correct: Parameters section
Fix: Parameters = values passed INTO the template at runtime (environment name, instance type, etc). Outputs = values exported FROM the stack for other stacks to use. Metadata = extra info about template. Transform = SAM transform declaration.
→ Covered: D5 (CloudFormation Parameters quick win)
Q13
Troubleshooting · S3 CORS
S3 CORS — which element controls allowed HTTP methods
You picked: AllowedOrigin Element · Correct: AllowedMethod Element
Fix: AllowedOrigin = which domains can make cross-origin requests. AllowedMethod = which HTTP methods (GET, PUT, POST, DELETE, HEAD) are allowed. AllowedHeader = which request headers allowed. "Only allow GET requests" → AllowedMethod.
→ Covered: D7 (S3 CORS in Development deep dive)
Q18
Deployment · Elastic Beanstalk
Beanstalk Worker tier — what file is required for periodic tasks
You picked: cron.config file · Correct: cron.yaml file
Fix: Beanstalk Worker tier periodic tasks require a cron.yaml file in the application source bundle root. Not .config (that's .ebextensions for env config). Not appspec (that's CodeDeploy). File must be named exactly cron.yaml.
→ Covered: D2 (Beanstalk deep dive — Worker tier)
Q21
Troubleshooting · CloudWatch · Lambda+Kinesis
Lambda + Kinesis: which CloudWatch metric shows data not being processed fast enough
You picked: Throttles · Correct: IteratorAge
Fix: IteratorAge = age of the last record in each batch that Lambda reads from a Kinesis stream. High IteratorAge = Lambda is falling behind, records aging toward retention limit. Throttles = invocation attempts exceeding concurrency (not the right metric here). ConcurrentExecutions = aggregate across all functions.
→ Covered: D4 (CloudWatch + Lambda+Kinesis metrics)
Q24
Security · X-Ray
Enabling X-Ray with Lambda — what's required
You picked: IAM Role assigned to Lambda has access to X-Ray function · Correct: IAM Role assigned to Lambda has access to X-Ray service
Fix: The Lambda execution role needs AWSXRayWriteOnlyAccess policy attached. The daemon is built into Lambda — you don't install it separately. "Access to the X-Ray function" is not a thing. Direction is Lambda → X-Ray service, not Lambda → X-Ray function.
→ Covered: D6 (X-Ray + Lambda)
Q25
Deployment · CodeDeploy
CodeDeploy with Lambda versioning — how to specify which version to deploy
You picked: Create an ALIAS and use it in CodeDeploy · Correct: Specify version in the AppSpec file
Fix: CodeDeploy AppSpec file for Lambda specifies: (1) the function name, (2) the version to deploy, (3) validation hook functions. The AppSpec file is the source of truth for which version gets deployed — not aliases. Aliases are used for traffic shifting but the version is declared in AppSpec.
→ Covered: D3 (CodeDeploy AppSpec for Lambda)
Q26
Deployment · DynamoDB
DynamoDB GSI — which read type gives latest results quickly with least RCU impact
You picked: Query with ConsistentRead · Correct: Query with EventualRead
Fix: GSI does NOT support strongly consistent reads — you can't use ConsistentRead=true on a GSI. Eventual consistency is the only option on a GSI. For "least RCU impact" + GSI = Query with EventualRead (also half the RCU cost). ConsistentRead on GSI would throw a ValidationException.
→ Covered: D7 (DynamoDB GSI mechanics)
Q28
Deployment · ECS
ECS — how to isolate containers from accessing each other's credentials
You picked: Place IAM Roles on EC2 instances · Correct: Configure Security Groups on instances to allow only required traffic
Fix: IAM roles should be assigned at task level (taskRoleArn), not the instance level — so containers only get the permissions they need. BUT the Q asks about network isolation between containers. Security Groups on EC2 instances control inbound/outbound traffic. Don't confuse IAM isolation (credentials) with network isolation (traffic).
→ Covered: D6 (ECS IAM roles — task vs instance)
Q29
Development · API Gateway
API Gateway — controlling front-end vs back-end behavior
You picked: Integration response (backend) · Correct: Method request + Method response (frontend)
Fix: Method request/response = frontend (client-facing). Integration request/response = backend (how API GW communicates with Lambda/backend). "Control front-end interactions" = Method request + Method response. "Control back-end interactions" = Integration request + Integration response.
→ Covered: D7 (API Gateway front vs back end)
Q30
Deployment · Elastic Beanstalk
Beanstalk — which deployment modes maintain full capacity
You picked: Rolling (wrong) + Rolling with additional batch (right) · Correct: Immutable + Rolling with additional batch
Fix: Full capacity throughout = Immutable (launches new instances, terminates old after) and Rolling with additional batch (adds a batch before removing old). Rolling = removes a batch from service = temporarily reduced capacity. All-at-once = full downtime. Blue/Green = full capacity but swaps URL — not a Beanstalk native "deployment mode".
→ Covered: D2 (Beanstalk deployment modes — the table)
Q33
Security · ECS
ECS IAM — what statement is NOT true about signing API requests with IAM roles for ECS tasks
You picked: "Recommended to limit permissions to minimal list in AmazonEC2ContainerServiceforEC2Role" — this is actually TRUE (your answer was wrong) · Correct answer A: "Containers are prevented from accessing credentials of container instance profile" — this is FALSE (they're NOT prevented by default)
Fix: "NOT true" questions are tricky. By default, containers CAN access the EC2 instance profile credentials (which is a security risk). To block this, set ECS_AWSVPC_BLOCK_IMDS=true. So statement A is false/not-true. Your instinct to limit permissions is correct, but that statement IS true.
→ Covered: D6 (ECS security — task role vs instance profile)
Q34
Deployment · CodeDeploy
CodeDeploy Lambda — shifting ALL traffic instantly to new version
You picked: Canary · Correct: All-at-Once
Fix: "All traffic shifted instantly" = All-at-Once. Canary = small % first (e.g. 10% for 10 min), then rest. Linear = gradual equal increments. Gradual = not a real CodeDeploy option. When Q says "instantaneously" → All-at-Once every time.
→ Covered: D3 (CodeDeploy Lambda traffic shifting strategies)

Note: 33 wrong questions captured. The report showed Qs 4, 9, 10, 11, 12, 13, 18, 21, 24, 25, 26, 28, 29, 30, 33, 34 clearly. Remaining ~17 wrong answers are distributed across Deployment and Security domains per the domain tally — specific Qs not fully visible in report but covered by sprint plan. · Completed by Claude from SimpleSnap PDF · DVA-C02 Sprint Dashboard