Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsDVA-C02Flashcards
Free — No Signup RequiredAmazon Web Services· Updated 2026

DVA-C02 Flashcards — Free AWS Certified Developer Associate DVA-C02 Study Cards

Reinforce DVA-C02 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1616+ study cards4 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

DVA-C02 Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,616+ cards · All free

Domains

Development with AWS Services
Security
Deployment
Troubleshooting and Optimization

How to use DVA-C02 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For DVA-C02 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the DVA-C02 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your DVA-C02 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real DVA-C02 exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass DVA-C02.

DVA-C02 flashcard preview

Sample cards from the DVA-C02 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a batch size of 10, reserved concurrency of 5, and a timeout of 5 minutes. The SQS queue has a large backlog, and CloudWatch metrics show high throttling (Throttles) for the Lambda function. The function is idempotent and can process up to 100 messages in a single invocation. What is the MOST effective way to increase throughput without increasing the reserved concurrency?

Development with AWS Services

Increase the batch size to 100.

Increasing the batch size to 100 allows each Lambda invocation to process up to 100 messages from the SQS queue instead of the current 10. Since the function is idempotent and can handle 100 messages per invocation, this change maximizes the number of messages processed per invocation without altering the reserved concurrency of 5. With a batch size of 100, each of the 5 concurrent invocations can process up to 100 messages, yielding a potential throughput of 500 messages per invocation cycle, which directly reduces the backlog and throttling by consuming messages faster.

2

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

Security

The Lambda function does not have kms:Decrypt permission on the KMS key used by the bucket.

When an S3 bucket uses SSE-KMS, the Lambda function must have explicit kms:Decrypt permission on the KMS key to decrypt the object after s3:GetObject retrieves the encrypted data. Even though the bucket policy and execution role allow s3:GetObject, the missing KMS permission causes an Access Denied error because S3 returns the encrypted object and the Lambda runtime cannot decrypt it without the key.

3

A developer is using AWS CodeDeploy with a blue/green deployment strategy to update an application running on Amazon ECS with the Fargate launch type. After the new (green) task set is created and traffic is shifted to it, users immediately report errors when trying to write data. The developer discovers that the green task set is connecting to a different database than the blue task set. The database endpoints are configured in the ECS task definition. What is the simplest way to prevent this issue in future deployments?

Deployment

Modify the blue/green deployment configuration to use the same database endpoint for both task sets by updating the environment variables in the task definition before deployment.

Option A is correct because the issue stems from the green task set using a different database endpoint than the blue task set, which is configured via environment variables in the ECS task definition. By updating the task definition to use the same database endpoint before deployment, both task sets will connect to the same database, ensuring consistency during the traffic shift. This is the simplest fix as it requires no additional infrastructure or complex routing changes.

4

A developer deployed a new version of an AWS Lambda function that is part of a serverless application. The function uses an Amazon DynamoDB table as a data store. After deployment, the developer notices that the function's latency has increased significantly for some requests. CloudWatch traces show that the increase is due to DynamoDB throttle events. The function is configured with a reserved concurrency of 100 and the DynamoDB table has 5 read capacity units (RCUs) and 5 write capacity units (WCUs). What is the most effective way to reduce the throttling while maintaining application performance?

Troubleshooting and Optimization

Increase the read and write capacity units on the DynamoDB table

The primary cause of the throttling is insufficient DynamoDB capacity to handle the request volume from the Lambda function. Increasing the read and write capacity units (RCUs/WCUs) directly addresses the throttle events by providing more throughput to match the function's concurrency of 100. This is the most effective solution because it resolves the bottleneck at the data store level without reducing the application's ability to process requests concurrently.

5

A developer is troubleshooting an AWS Lambda function that is triggered by an S3 event. The function occasionally fails with a timeout error. CloudWatch logs show that the timeout occurs during the processing of large files. The function has a memory setting of 128 MB and a timeout of 3 seconds. The developer wants to process large files without modifying the code. Which parameter should the developer adjust first?

Increase the function's memory

Increasing the function's memory is the correct first step because Lambda allocates CPU proportionally to memory, and more CPU reduces processing time for CPU-bound tasks like decompressing or parsing large files. This directly addresses the timeout by making the function complete faster, without requiring code changes. The current 128 MB setting is the minimum, which provides the least CPU, so even a modest increase can significantly reduce execution time.

6

A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?

Temporary credentials from the instance profile role

Option D is correct because the AWS SDK on EC2 automatically retrieves temporary credentials from the instance metadata service (IMDS) at http://169.254.169.254/latest/meta-data/iam/security-credentials/. These credentials are provided by the IAM role attached to the EC2 instance (the instance profile role) and are rotated automatically, eliminating the need to store long-term credentials on the instance.

7

A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?

An IAM role with a trust policy that allows the external account's root user or specific IAM users/roles to assume the role

Option A is correct because cross-account IAM role access requires a trust policy attached to the role in the developer's account. This trust policy specifies the external AWS account ID (or specific IAM users/roles in that account) as the principal, allowing them to call sts:AssumeRole. Once the role is assumed, the developer's account grants the necessary S3 permissions via the role's permissions policy.

8

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

The bucket policy in Account A grants s3:GetObject to the role, the KMS key policy grants kms:Decrypt to the role, and the role in Account B has an IAM policy allowing s3:GetObject and kms:Decrypt

Option A is correct because cross-account access to an SSE-KMS encrypted S3 bucket requires three layers of permissions: the bucket policy in Account A must grant s3:GetObject to the IAM role in Account B, the KMS key policy must grant kms:Decrypt to the same role, and the role's IAM policy in Account B must allow both s3:GetObject and kms:Decrypt. Without any one of these, the request will fail due to either an S3 authorization error or a KMS decryption failure.

9

An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?

JWT authorizer configured for the issuer and audience

Option C is correct because an HTTP API Gateway with an external OIDC provider requires a JWT authorizer. The JWT authorizer validates the token's signature, issuer, and audience against the OIDC provider's configuration, ensuring only authenticated users gain access. This is the native AWS mechanism for integrating third-party OIDC identity providers like Auth0 or Okta.

10

A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?

Create an IAM role with the required permissions and attach it to the EC2 instance.

The best practice for granting an EC2 instance permissions to access DynamoDB is to create an IAM role with the required permissions and attach it to the instance. This eliminates the need to manage long-term credentials, as the instance automatically retrieves temporary security credentials from the instance metadata service (IMDS) via the AWS Security Token Service (STS). This approach follows the principle of least privilege and ensures credentials are rotated automatically.

11

A developer is building a serverless application using AWS Lambda. The function needs to access a private S3 bucket in the same AWS account. What is the BEST way to grant the Lambda function access to the bucket?

Create an IAM execution role with an S3 access policy and attach it to the Lambda function.

Option A is the correct answer. The best practice for granting an AWS Lambda function access to an S3 bucket in the same account is to create an IAM execution role with a policy that allows the necessary S3 actions, and then attach that role to the Lambda function. This provides temporary credentials via STS, follows the principle of least privilege, and avoids hardcoding credentials. Option B is incorrect because storing AWS credentials in environment variables is insecure and can lead to accidental exposure. AWS recommends using IAM roles for temporary credentials. Option C is incorrect because Lambda functions do not support attaching IAM policies directly. Policies must be attached to an IAM role, and that role is assigned to the function. Option D is incorrect because while a bucket policy could grant access based on the function's ARN, it is not the best approach for same-account access. Using an execution role is more scalable, easier to manage, and follows the principle of least privilege.

12

A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?

The user's IAM user policy does not explicitly allow the required S3 action

When granting cross-account access to an S3 bucket, both the bucket policy (resource-based policy) and the user's IAM policy (identity-based policy) must explicitly allow the action. The bucket policy alone is insufficient if the user's IAM policy does not include an explicit Allow for the S3 action, because IAM denies by default. Even though the bucket policy grants access, the user's own IAM policy must also permit the operation for the request to succeed.

13

Based on the CloudTrail log entry, which security concern should be investigated?

Multi-factor authentication (MFA) was not used when assuming the role.

The CloudTrail log entry shows that the `sts:AssumeRole` API call was made without the `aws:MultiFactorAuthPresent` key set to `true`. This indicates that the role was assumed without MFA, which violates the security best practice of requiring MFA for privileged role assumptions. The absence of MFA increases the risk of unauthorized access if the user's credentials are compromised.

14

A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?

AWS Secrets Manager

Option A is correct because AWS Secrets Manager is specifically designed for secure storage and automatic rotation of database credentials. Option B (Systems Manager Parameter Store) can store secrets but lacks native automatic rotation capabilities, making it less suitable for this use case. Option C (S3 with server-side encryption) is not a dedicated secrets store and would require additional access control management. Option D (DynamoDB) is a NoSQL database, not a secret management service, and would require custom encryption and rotation logic.

15

A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

The VPC endpoint policy does not allow the required S3 action for the principal

The correct answer is A because the VPC endpoint policy is an additional layer of access control that can explicitly deny actions even if the bucket policy allows them. If the endpoint policy does not grant the required S3 action (e.g., s3:GetObject) for the IAM principal (the EC2 instance's role), requests will be denied regardless of the bucket policy. This is a common misconfiguration where developers focus only on the bucket policy and overlook the endpoint policy.

16

A company is using AWS CodeCommit and wants to ensure that all commits are signed with GPG keys. Which approach should be used to enforce this?

Create an IAM policy that denies codecommit:GitPush unless the commit is signed.

Option C is correct because AWS CodeCommit does not natively support a 'require signed commits' toggle in the repository settings. Instead, you must use an IAM policy with a condition key like `codecommit:referencedRefName` and a custom condition (e.g., using the `git` protocol's signed commit metadata) to deny `codecommit:GitPush` actions when the commit is not signed. This is the only way to enforce GPG signing at the AWS service level.

17

An application uses IAM roles to grant EC2 instances access to S3. The developer notices that the application works correctly in one account but fails with access denied in another account. What is the most likely cause?

The S3 bucket policy does not grant access to the IAM role

The most likely cause is that the S3 bucket policy in the second account does not explicitly grant the IAM role from the first account (or the second account's own IAM role) the necessary permissions. When an IAM role is used, both the role's trust policy and the resource-based policy (S3 bucket policy) must allow the action; if the bucket policy denies or omits the role's ARN, access will be denied even if the role itself has S3 permissions.

18

A developer notices that an AWS Lambda function is timing out after 15 seconds. The function makes HTTP requests to an external API. How can the developer resolve this issue without changing the function code?

Increase the timeout setting of the Lambda function

The Lambda function is timing out because its default execution timeout (3 seconds) is too short for the HTTP requests to the external API. Increasing the timeout setting allows the function to wait longer for the API response, resolving the timeout without modifying the code. This is a configuration change in the Lambda function settings, not a code change.

19

A developer is creating an IAM policy to allow a Lambda function to write logs to CloudWatch. Which policy should be attached to the Lambda execution role?

AWSLambdaBasicExecutionRole

The AWSLambdaBasicExecutionRole managed policy grants permissions for Lambda to write logs to CloudWatch Logs, specifically allowing the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents actions. This is the minimal set of permissions required for a Lambda function to send execution logs to CloudWatch, making it the correct choice for this use case.

20

A developer is building a serverless application using AWS Lambda and API Gateway. The Lambda function needs to access a DynamoDB table that stores sensitive customer data. The developer wants to follow the principle of least privilege. Which IAM role configuration should be used?

Create a custom IAM policy with specific DynamoDB actions (e.g., GetItem, PutItem) on the specific table and attach it to the Lambda execution role.

Option D is correct because it adheres to the principle of least privilege by granting only the specific DynamoDB actions (e.g., GetItem, PutItem) required by the Lambda function, scoped to the exact table. The Lambda execution role is an IAM role that the Lambda service assumes, and attaching a custom policy with fine-grained permissions ensures minimal access. This approach avoids over-permissioning and follows AWS security best practices for serverless applications.

21

A company wants to allow cross-account access to an S3 bucket in Account A from a role in Account B. The S3 bucket policy in Account A allows the role's ARN. However, access is denied. What is the most likely missing step?

The role in Account B must have an IAM policy that allows the S3 actions.

Option B is correct because cross-account S3 access requires both a resource-based policy (the bucket policy in Account A) that grants access to the role ARN, and an identity-based policy (an IAM policy attached to the role in Account B) that explicitly allows the S3 actions. Without the IAM policy in Account B, the role lacks permission to perform the S3 operations, even though the bucket policy permits the access. This is a fundamental principle of AWS cross-account authorization: both the resource side and the principal side must grant the necessary permissions.

22

A developer wants to encrypt data in transit between an API Gateway REST API and its clients. Which configuration should be used?

Use the default HTTPS endpoint provided by API Gateway.

Option C is correct because API Gateway REST APIs automatically provide an HTTPS endpoint using TLS for data in transit encryption. This default endpoint uses an Amazon-issued certificate, ensuring encryption between clients and API Gateway without any additional configuration. The developer only needs to use the default HTTPS URL provided by API Gateway to satisfy the requirement.

Study all 1616+ DVA-C02 cards

DVA-C02 flashcards by domain

The DVA-C02 flashcard bank covers all 4 official blueprint domains published by Amazon Web Services. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Development with AWS Services

~1 cards

Security

~1 cards

Deployment

~1 cards

Troubleshooting and Optimization

~1 cards

Flashcards vs practice tests: which is better for DVA-C02?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that DVA-C02 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.DVA-C02 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective DVA-C02 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

DVA-C02 flashcards — frequently asked questions

Are the DVA-C02 flashcards free?

Yes. Courseiva provides free DVA-C02 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many DVA-C02 flashcards are on Courseiva?

Courseiva has 1616+ original DVA-C02 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Amazon Web Services exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official DVA-C02 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use DVA-C02 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your DVA-C02 flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains

Related Flashcards

SAA-C03DOP-C02CLF-C02

Related Flashcard Sets

SAA-C03

Solutions Architect Associate

DOP-C02

DevOps Professional

CLF-C02

Cloud Practitioner

Browse all certifications →