AWS Lambda is the cornerstone of serverless computing on AWS and a critical topic for the DVA-C02 exam. This chapter covers Lambda's execution model, configuration, triggers, monitoring, and best practices—all of which are tested heavily. Expect 15-20% of exam questions to involve Lambda directly or indirectly, making it the most important compute service for the Developer Associate. Mastering Lambda requires understanding not just how to write a function, but how the service scales, how to optimize performance and cost, and how to troubleshoot common failures.
Jump to a section
AWS Lambda works like a food truck commissary kitchen. A commissary is a shared commercial kitchen where food trucks reserve space on demand. Each truck (your function) brings its own ingredients (code and dependencies). When a truck arrives (a trigger event), the commissary manager (AWS Lambda service) assigns a clean cooking station (execution environment) with standard equipment (runtime, memory, CPU). The truck cooks the order (executes the function) and leaves. The commissary then cleans the station (tears down the environment) and makes it available for the next truck. The manager handles scaling: if 50 trucks arrive at lunchtime, the commissary has 50 stations ready in minutes, each isolated from the others. The truck only pays for the time it uses the station, not for idle time. The commissary also handles security (no truck can access another truck's ingredients) and maintenance (upgrades to equipment are automatic). This is exactly how Lambda works: event-driven, ephemeral, auto-scaling, pay-per-use, and fully managed.
What is AWS Lambda?
AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources. You upload your code, configure a trigger, and Lambda executes your code only when needed, scaling automatically from zero to thousands of concurrent executions. You pay only for the compute time consumed—no charge when your code is not running.
Execution Model and Lifecycle
Lambda functions run inside ephemeral execution environments. When a trigger event arrives, the Lambda service performs the following steps:
Cold Start: If no existing execution environment is available to handle the request, Lambda provisions a new one. This involves:
- Downloading your code (from S3 or ECR) into a sandbox. - Starting a new runtime process (e.g., Python, Node.js, Java). - Running any code outside the handler (initialization code). - Invoking the handler function. Cold starts add latency, typically 100ms to 1+ seconds depending on runtime, deployment package size, and memory allocation.
Warm Start: If an execution environment is already available (kept alive for a period after a previous invocation), Lambda reuses it. The handler code runs immediately without re-initializing the runtime or global/static variables. This is much faster than a cold start.
Execution: The handler processes the event and returns a response. The environment remains available for subsequent invocations for a period (typically 5-15 minutes) before being recycled.
Shutdown: After a period of inactivity, Lambda freezes the environment and eventually destroys it. Any resources (database connections, file handles) opened during execution may be leaked if not cleaned up.
Configuration Parameters
Memory (128 MB – 10,240 MB): Allocated in 1 MB increments. CPU power scales proportionally with memory. At 1,769 MB, you get 1 full vCPU. More memory reduces execution time for CPU-bound tasks.
Timeout (1 second – 15 minutes): Maximum execution time per invocation. Default is 3 seconds. If exceeded, Lambda terminates the function and throws a timeout error.
Ephemeral Storage (/tmp): 512 MB to 10,240 MB (in 1 MB increments). Default is 512 MB. Used for temporary files. Not persisted between invocations unless you write to a mounted EFS file system.
IAM Role (Execution Role): Grants permissions to your function to access other AWS services (e.g., DynamoDB, S3). Must be attached to the function.
VPC Configuration: By default, functions run in a Lambda-owned VPC with internet access. If you enable VPC, you must provide subnets and security groups; the function loses internet access unless you add a NAT gateway or VPC endpoint.
Concurrency: Reserved concurrency sets a limit on the number of concurrent executions for a function. Provisioned concurrency pre-warms environments to eliminate cold starts.
Layers: ZIP archives containing libraries, custom runtimes, or other dependencies. Layers are extracted to /opt in the execution environment. You can include up to 5 layers per function.
Triggers and Event Sources
Lambda can be invoked synchronously or asynchronously, or via stream-based polling.
Synchronous Invocations: The caller waits for the function to complete. Examples: API Gateway (REST/HTTP), AWS SDK Invoke, Application Load Balancer, Cognito triggers, CloudFront Lambda@Edge. The response is returned directly.
Asynchronous Invocations: Lambda queues the event and returns a 202 response immediately. Examples: S3, SNS, CloudWatch Events/EventBridge, SES. Lambda automatically retries failed invocations twice (total 3 attempts) and can send failure records to a dead-letter queue (DLQ) or on-failure destination.
Polling-based (Stream) Invocations: Lambda polls a data stream (DynamoDB Streams, Kinesis) and invokes the function with batches of records. The function must process records in order. If processing fails, Lambda retries the batch until it succeeds or expires. Event Source Mapping (ESM) manages this.
Scaling Behavior
Lambda scales by creating new execution environments. For synchronous invocations, scaling is limited by your account's Regional concurrency limit (default 1,000 concurrent executions). For asynchronous invocations, Lambda can scale to very high concurrency but applies internal throttling to protect downstream services. For stream-based sources, Lambda creates one shard iterator per shard and processes each shard sequentially; concurrency equals the number of shards.
Monitoring and Logging
CloudWatch Logs: Lambda automatically streams logs to CloudWatch Logs. Each invocation generates a log stream. You can set log retention policies.
CloudWatch Metrics: Invocations, Errors, Duration, Throttles, ConcurrentExecutions, IteratorAge (for streams), DeadLetterErrors. Metrics are published every minute.
AWS X-Ray: Can be enabled for tracing. Lambda uses segments and subsegments. You must instrument your code to send trace data.
Best Practices for DVA-C02
Minimize deployment package size to reduce cold start time. Use layers for shared dependencies.
Use environment variables for configuration (database URLs, etc.) — they are encrypted at rest with KMS.
Reuse connections (database, HTTP) by initializing them outside the handler function.
Set appropriate timeout and memory. Use the AWS Lambda Power Tuning tool to find optimal memory.
Use reserved concurrency to protect downstream resources and provisioned concurrency for latency-sensitive workloads.
For asynchronous invocations, always configure a DLQ or destination for failed events.
Use VPC endpoints for services like S3, DynamoDB to avoid internet dependency when in a VPC.
For long-running functions, consider using Step Functions to orchestrate multiple Lambda invocations (max 15 min per invocation).
Common Errors
Throttles (429 TooManyRequestsException): Exceeded concurrency limit. Use reserved concurrency or request a limit increase.
Timeouts (Task timed out): Function ran longer than configured timeout. Increase timeout or optimize code.
OutOfMemory (Error: Runtime exited with error: signal: killed): Function exceeded memory limit. Increase memory allocation.
AccessDenied: Execution role lacks permissions. Update IAM policy.
InvalidParameterValueException: Wrong event structure or malformed payload.
Lambda Function URLs
Lambda Function URLs provide a dedicated HTTPS endpoint for your function. They support synchronous invocation only. You can configure authentication (AWS_IAM or NONE) and CORS. No API Gateway needed, but limited features (no custom domains, no throttling per endpoint, no API keys).
Lambda and EFS
Lambda can mount an Amazon EFS file system for persistent, shared storage. This is useful for large datasets that exceed /tmp limits or need to be shared across invocations. The function must be in the same VPC as the EFS mount target. Access is controlled via IAM and security groups.
Code Examples
#### Python Function with DynamoDB
import boto3
import os
dynamodb = boto3.resource('dynamodb')
table_name = os.environ['TABLE_NAME']
table = dynamodb.Table(table_name)
def lambda_handler(event, context):
# event['key'] contains the partition key
response = table.get_item(Key={'pk': event['key']})
return response['Item']#### Node.js Function with Connection Reuse
const AWS = require('aws-sdk');
const docClient = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
const params = {
TableName: process.env.TABLE_NAME,
Key: { pk: event.key }
};
const data = await docClient.get(params).promise();
return data.Item;
};Lambda Versions and Aliases
Versions: Immutable snapshots of your function code and configuration. Published versions have an ARN with a version number (e.g., function:1). The $LATEST version is mutable.
Aliases: Pointers to a specific version (e.g., PROD -> version 3). Support canary deployments by routing a percentage of traffic to a different version. Aliases have their own ARN.
Lambda and CloudFront (Lambda@Edge)
Lambda@Edge runs functions at CloudFront edge locations in response to CloudFront events: viewer request, origin request, viewer response, origin response. Functions must be in us-east-1. Execution timeout is 5 seconds for viewer events and 30 seconds for origin events. Environment variables and layers are not supported. Functions cannot access VPC resources.
Create Lambda Function
In the AWS Management Console, navigate to Lambda and choose 'Create function'. Select 'Author from scratch' (or use a blueprint/container image). Provide a function name, runtime (e.g., Python 3.9), and an execution role. The role can be created automatically with basic Lambda permissions (CloudWatch Logs) or you can choose an existing role with specific permissions. For container images, specify the ECR image URI. Click 'Create function'.
Configure Trigger
After creation, add a trigger by clicking 'Add trigger' in the function overview. Choose a source (e.g., S3, SNS, API Gateway, DynamoDB Streams). For S3, select the bucket and event type (e.g., s3:ObjectCreated:*). For DynamoDB Streams, select the table and batch size. The trigger configuration varies by source. For API Gateway, you can create a new REST or HTTP API and configure the endpoint method and path. Once added, the trigger appears in the function's Designer.
Write and Test Code
In the code editor (inline or upload a .zip), write your handler function. The handler receives two parameters: event (the input payload) and context (runtime information like function name, memory limit, request ID). You can test the function by creating a test event (e.g., a JSON object simulating an S3 event). Click 'Test' to invoke the function. The execution result, logs, and duration are displayed. You can also use the 'Monitor' tab to view CloudWatch metrics and logs.
Adjust Configuration
Edit the function's configuration: memory (128-10240 MB), timeout (1 sec-15 min), ephemeral storage (512-10240 MB), environment variables, VPC settings, and concurrency (reserved/provisioned). For VPC, select subnets and security groups. Note that VPC-enabled functions need a NAT gateway for internet access. Set environment variables for configuration values (e.g., database table name). Use the 'Configuration' tab to modify these.
Monitor and Troubleshoot
Use CloudWatch Logs to view function logs. Each invocation produces a log stream. Filter by error messages. Use CloudWatch Metrics to see invocation count, duration, error count, and throttles. Enable X-Ray tracing to see a detailed service map of downstream calls. Common issues: timeouts (increase timeout or optimize code), out-of-memory (increase memory), throttles (increase concurrency limit or use reserved concurrency), and permission errors (update execution role).
Enterprise Scenario 1: Image Processing Pipeline
A social media platform uploads user images to S3. Each upload triggers a Lambda function that resizes the image into multiple dimensions (thumbnail, medium, large) using the Sharp library, stores the resized images back to S3, and records metadata in DynamoDB. The function is configured with 512 MB memory and 30-second timeout. To handle sudden spikes (e.g., viral event), the function uses reserved concurrency of 500 to avoid overwhelming DynamoDB. Provisioned concurrency of 50 is set to keep a baseline warm for latency-sensitive thumbnail generation. The function uses a layer for the Sharp binary to keep the deployment package small. Cold starts are mitigated by using Node.js runtime and periodic 'ping' events from CloudWatch Events every 5 minutes. The team monitors thumbnail latency and uses Lambda Power Tuning to find the optimal memory. Misconfiguration: initially, the function had no reserved concurrency, causing DynamoDB throttling errors during peak times. Adding reserved concurrency solved it.
Enterprise Scenario 2: Real-Time Data Enrichment
A financial services company ingests stock trade data from Kinesis Data Streams. A Lambda function processes each record, enriches it with reference data from DynamoDB, and writes the result to an S3 bucket for analytics. The function is configured with 1 GB memory and 5-minute timeout. The Kinesis stream has 100 shards, so the Lambda function processes 100 batches concurrently (one per shard). The function uses a DynamoDB DAX cluster for low-latency reference data lookups. The team sets the batch window to 60 seconds to accumulate records before invocation, reducing DynamoDB calls. They also configure a dead-letter queue (SQS) for failed records. Common issue: the function's execution role lacked permission to write to S3, causing silent failures. CloudWatch alarms on error count alerted the team.
Enterprise Scenario 3: Serverless Web Application Backend
A SaaS startup uses Lambda behind API Gateway to serve REST APIs. Each API endpoint corresponds to a separate Lambda function (e.g., /users, /orders). The functions are written in Python and use a shared layer for common utilities. They use Amazon RDS Proxy to pool database connections to Aurora Serverless. The functions are VPC-enabled and use VPC endpoints for S3 and DynamoDB to avoid NAT costs. Provisioned concurrency is set on critical endpoints to keep p99 latency under 200 ms. The team uses canary deployments via Lambda aliases: 90% traffic to version 1, 10% to version 2. CloudWatch Synthetics monitors the API endpoints. Misconfiguration: one function had a timeout of 3 seconds, but an external API call sometimes took 4 seconds, causing intermittent 504 errors. Increasing timeout to 10 seconds fixed it.
The DVA-C02 exam tests Lambda across multiple objectives, especially Objective 1.1 (Develop Lambda functions) and Objective 2.1 (Design event-driven architectures). Expect scenario-based questions where you must choose the correct configuration, trigger, or error-handling approach.
Common Wrong Answers:
Choosing 'Increase Lambda timeout' for all performance issues. Wrong: timeout only fixes timeout errors. For memory errors, you need to increase memory. For throttles, you need to increase concurrency or use reserved concurrency. The exam loves to present a scenario where a function is failing with 'Task timed out' and candidates incorrectly increase memory instead of timeout.
Selecting SQS as a trigger for synchronous invocation. Wrong: SQS triggers Lambda asynchronously via event source mapping. The function receives a batch of messages and must delete them from the queue. Candidates often think SQS invokes Lambda synchronously.
Believing Lambda functions always have internet access when in a VPC. Wrong: By default, VPC-enabled functions have no internet access. You must add a NAT gateway or VPC endpoints. The exam will present a scenario where a function in a VPC cannot access an external API, and candidates incorrectly suggest adding an internet gateway to the VPC (which doesn't work without a NAT).
Assuming provisioned concurrency eliminates all cold starts. Wrong: Provisioned concurrency keeps environments warm but cold starts can still occur if the number of concurrent requests exceeds the provisioned concurrency level. Also, provisioned concurrency incurs costs even when not in use.
Specific Numbers to Memorize: - Memory range: 128 MB to 10,240 MB (1 MB increments) - Timeout: 1 second to 15 minutes (default 3 seconds) - Ephemeral storage: 512 MB to 10,240 MB (default 512 MB) - Invocation payload: 256 KB (synchronous) and 128 KB (asynchronous) - Deployment package size: 50 MB (zipped) / 250 MB (unzipped) for Lambda, 250 MB (zipped) for container images - Layers: up to 5 layers, total unzipped size 250 MB - Concurrency: default 1,000 per region (can be increased) - Retries for async invocations: 2 (total 3 attempts) - Stream batch size: up to 10,000; batch window: up to 300 seconds
Edge Cases: - Lambda@Edge functions cannot access VPC resources and have stricter limits (5s timeout for viewer events, 30s for origin events). - When using Lambda with RDS Proxy, the function must be in the same VPC as the proxy. - Lambda container images can be up to 10 GB (from ECR) but cold start is significantly higher. - For DynamoDB Streams, if the function fails to process a batch, it retries until the data expires (24 hours).
How to Eliminate Wrong Answers: Understand the underlying mechanism. If a question mentions 'latency-sensitive workload', think about provisioned concurrency. If it mentions 'cost optimization with unpredictable traffic', think about using async invocation with DLQ. If it mentions 'processing records from Kinesis in order', remember that one shard = one concurrent invocation.
Lambda memory range: 128 MB to 10,240 MB in 1 MB increments; CPU scales with memory.
Timeout: 1 second to 15 minutes; default 3 seconds.
Ephemeral storage (/tmp): 512 MB to 10,240 MB; default 512 MB.
Deployment package limits: 50 MB zipped, 250 MB unzipped; container images up to 10 GB.
Asynchronous invocations retry twice (total 3 attempts); configure DLQ for failed events.
Provisioned concurrency eliminates cold starts; reserved concurrency limits concurrent executions.
VPC-enabled functions lose internet access unless NAT gateway or VPC endpoints are added.
Lambda@Edge functions must be in us-east-1; max timeout 5s for viewer events, 30s for origin events.
Stream-based (DynamoDB/Kinesis) invocations process one shard per concurrent execution; batch size up to 10,000.
Use layers for shared dependencies; max 5 layers per function, total unzipped size 250 MB.
These come up on the exam all the time. Here's how to tell them apart.
Synchronous Invocation
Caller waits for function response.
Used with API Gateway, ALB, SDK Invoke.
No built-in retry; caller must handle failures.
Payload limit: 256 KB.
Throttling returns 429 to caller.
Asynchronous Invocation
Lambda queues event and returns 202 immediately.
Used with S3, SNS, CloudWatch Events.
Automatic retry (2 retries) and DLQ support.
Payload limit: 128 KB.
Throttling is queued; Lambda retries internally.
Mistake
Lambda functions run continuously like EC2 instances.
Correct
Lambda functions are ephemeral: they only run when triggered and are frozen/destroyed after a period of inactivity (typically 5-15 minutes). You cannot SSH into them or keep them running 24/7.
Mistake
Increasing memory always increases performance linearly.
Correct
CPU scales linearly with memory only up to a point (at 1,769 MB you get 1 vCPU). Beyond that, you get more vCPUs. However, for I/O-bound tasks, memory increase may not help. Use Lambda Power Tuning to find optimal memory.
Mistake
You can use /tmp to store data permanently.
Correct
/tmp is ephemeral storage that exists only during the lifecycle of the execution environment. It is not preserved across invocations. For persistent storage, use EFS or S3.
Mistake
Lambda automatically retries all failed invocations.
Correct
Automatic retries only occur for asynchronous invocations (2 retries). Synchronous invocations do not retry unless you implement retry logic in the caller. Stream-based invocations retry until the data expires.
Mistake
Reserved concurrency guarantees performance.
Correct
Reserved concurrency sets a limit but does not pre-warm environments. It prevents other functions from using that concurrency. For pre-warming, use provisioned concurrency.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Cold starts happen when a new execution environment is provisioned. To reduce them: 1) Use a runtime with lower initialization overhead (Python, Node.js vs Java, .NET). 2) Minimize deployment package size; use layers for dependencies. 3) Use provisioned concurrency to keep a set number of environments warm. 4) Use periodic 'ping' events (e.g., CloudWatch Events every 5 minutes) to keep environments warm. 5) For latency-sensitive workloads, consider using Lambda@Edge with smaller packages. Note that cold starts are inherent to serverless; provisioned concurrency is the most reliable solution but incurs costs.
Reserved concurrency sets a limit on the number of concurrent executions for a function, preventing it from using more than that amount. It also guarantees that this concurrency is reserved for the function (other functions cannot use it). Provisioned concurrency pre-warms a specified number of environments so they are ready to handle requests immediately, eliminating cold starts. Reserved concurrency does not pre-warm; it only limits and reserves. Both can be used together: reserved concurrency to cap usage, provisioned concurrency to pre-warm within that cap.
Yes, you can configure a Lambda function to access resources in a VPC (e.g., RDS, ElastiCache) by specifying subnets and security groups. However, this removes internet access from the function unless you add a NAT gateway in a public subnet or use VPC endpoints for AWS services. For internet access, the function must be in a private subnet with a route to a NAT gateway. Alternatively, use VPC endpoints for services like S3 and DynamoDB to avoid NAT costs.
For DynamoDB Streams and Kinesis, Lambda processes records in batches. If the function returns an error or times out, Lambda retries the entire batch until it succeeds or the data expires (24 hours for DynamoDB, up to 7 days for Kinesis). You can configure a destination for failed batches (SQS, SNS, Lambda) or use a DLQ. To avoid blocking the shard, you can split the batch or set a smaller batch size. The IteratorAge metric shows how far behind the function is.
The maximum timeout is 15 minutes (900 seconds). For longer-running tasks, you must use AWS Step Functions to orchestrate multiple Lambda functions or use other compute services like ECS or EC2. Lambda@Edge has shorter limits: 5 seconds for viewer events and 30 seconds for origin events.
Use environment variables (up to 4 KB total). They are encrypted at rest with AWS KMS. You can also use AWS AppConfig, Parameter Store, or Secrets Manager for more complex configuration. For sensitive data like database passwords, use Secrets Manager and retrieve them at runtime (outside the handler to cache). Environment variables are visible in the console, so avoid storing secrets directly.
Yes, API Gateway provides a default endpoint (e.g., https://api-id.execute-api.region.amazonaws.com). You can also use Lambda Function URLs for a simpler HTTPS endpoint without API Gateway. Function URLs support AWS_IAM auth or NONE, and CORS configuration. They are suitable for simple use cases but lack API Gateway features like throttling, API keys, usage plans, and custom domains.
You've just covered AWS Lambda for Developers — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?