This chapter covers Lambda Destinations and Dead Letter Queues (DLQs), two mechanisms for handling asynchronous function invocation results and failures. For the SAA-C03 exam, these topics appear in roughly 5-7% of questions, often in scenarios involving event-driven architectures, error handling, and integration with other AWS services like SQS and EventBridge. Understanding the differences between Destinations and DLQs, their configuration, and use cases is critical for designing resilient serverless applications.
Jump to a section
Imagine a luxury hotel where guests submit requests via phone or in-person (the Lambda function). The front desk (the event source) processes each request and either succeeds (e.g., arranges a tour) or fails (e.g., the tour company is overbooked). For successful requests, the concierge (Lambda Destinations) immediately sends a confirmation to the guest's preferred channel: SMS for successful tour bookings, email for restaurant reservations, or a physical note for spa appointments. For failed requests, the concierge sends an alert to the hotel manager's pager. Additionally, if the front desk is overwhelmed and cannot handle a request (the function throws an error or the queue is full), the request is placed into a locked drawer (the Dead Letter Queue). The hotel's operations team periodically checks the drawer to manually reprocess those failed requests. The concierge does not wait for the guest to confirm receipt; it dispatches the result asynchronously. The Dead Letter Queue is only used when the request cannot be processed at all after repeated attempts (e.g., the tour company never answers), ensuring no request is permanently lost.
What Are Lambda Destinations and Dead Letter Queues?
AWS Lambda supports two distinct mechanisms for handling the outcomes of asynchronous function invocations: Lambda Destinations and Dead Letter Queues (DLQs). Both serve to route events based on the execution result (success or failure), but they operate at different stages of the invocation lifecycle and have different capabilities.
Lambda Destinations are a feature introduced in 2019 that allows you to route invocation records to four AWS services (SQS, SNS, Lambda, or EventBridge) for both successful and failed invocations. They are configured on a per-function version or alias basis and are triggered after the function completes execution.
Dead Letter Queues are a legacy feature that routes only failed invocation events to an SQS queue or SNS topic. They are configured at the function level and are triggered when the function fails after exhausting all retry attempts (by default, 2 retries for asynchronous invocations).
The key difference is that Destinations can handle both success and failure, while DLQs handle only failure. Additionally, Destinations provide richer context (the invocation record) and can trigger other Lambda functions or EventBridge rules, enabling complex workflows.
How They Work Internally
For asynchronous invocations (e.g., from S3, SNS, EventBridge, or API Gateway with async integration), Lambda places the event into an internal queue. Lambda then attempts to execute the function. If the function succeeds, the result is handled by the success destination (if configured). If the function fails (throws an error or times out), Lambda retries the invocation up to two more times (for a total of three attempts), with a delay between retries (starting at 1 minute, increasing exponentially up to about 20 minutes). After exhausting retries, the event is routed to either the DLQ or the failure destination (if configured).
Lambda Destinations work by publishing an invocation record to the configured destination service. The record contains:
- version: the function version
- timestamp: the time of invocation
- requestContext: the request ID and function ARN
- responsePayload: the function's return value (for success) or error object (for failure)
- responseContext: status code and function error (for failure)
Dead Letter Queues simply send the original event payload to the configured SQS queue or SNS topic. The payload is exactly what was passed to the function, with no additional metadata. This is a key difference: Destinations include the function's output, while DLQs only include the input.
Key Components, Values, Defaults, and Timers
Asynchronous invocation retries: default 2 retries (total 3 attempts). Can be configured up to 2 retries (minimum 0). Retry interval starts at 1 minute and doubles up to ~20 minutes.
Destination types: SQS queue, SNS topic, Lambda function, or EventBridge event bus.
Destination configuration: per function version or alias. You can set separate destinations for success and failure.
DLQ types: SQS standard queue or SNS topic. FIFO queues are not supported for DLQs.
DLQ configuration: at the function level (not per version). Only one DLQ can be configured per function.
Maximum event age: default 6 hours. Lambda will not retry events older than this. Can be set between 60 seconds and 6 hours.
Maximum retry attempts: default 2. Can be set between 0 and 2.
Configuration and Verification
You can configure Destinations and DLQs via the AWS Management Console, AWS CLI, or CloudFormation.
CLI example for Destinations:
aws lambda put-function-event-invoke-config \
--function-name my-function \
--destination-config '{"OnSuccess":{"Destination":"arn:aws:sqs:us-east-1:123456789012:my-dest-queue"},"OnFailure":{"Destination":"arn:aws:sns:us-east-1:123456789012:my-dest-topic"}}'CLI example for DLQ:
aws lambda update-function-configuration \
--function-name my-function \
--dead-letter-config TargetArn=arn:aws:sqs:us-east-1:123456789012:my-dlqVerification:
aws lambda get-function-event-invoke-config --function-name my-function
aws lambda get-function-configuration --function-name my-function | jq '.DeadLetterConfig'Interaction with Related Technologies
SQS as DLQ: The DLQ receives the original event payload. You can set up a redrive policy to reprocess messages from the DLQ back to the source queue (if using SQS as the event source) or manually process them.
SNS as DLQ: Subscribers (e.g., email, SMS, Lambda) receive notifications of failures.
EventBridge as Destination: Enables integration with EventBridge rules for further processing, such as triggering Step Functions or other downstream services.
Lambda as Destination: You can chain Lambda functions, e.g., a success destination function that sends a confirmation email, or a failure destination function that logs errors to CloudWatch.
SQS FIFO not supported for DLQs because DLQs must accept messages from multiple concurrent invocations, and FIFO ordering cannot be guaranteed.
Important Considerations for the Exam
Destinations and DLQs are mutually exclusive for failure handling? No — you can configure both, but if both are present, the destination takes precedence for failure events. The DLQ will not receive events if a failure destination is configured.
DLQs are only for asynchronous invocations. For synchronous invocations (e.g., API Gateway proxy), you must handle errors in the client or use services like SQS for decoupling.
Destinations can be used for both synchronous and asynchronous invocations? No — Destinations only work with asynchronous invocation. For synchronous, you must handle the response directly.
The MaximumRetryAttempts and MaximumEventAge settings are part of the function's event invoke configuration, not the DLQ or destination configuration.
Step-by-Step Walkthrough of a Failure Scenario
An S3 bucket event triggers a Lambda function asynchronously.
Lambda places the event in its internal queue.
Lambda attempts to execute the function. The function throws an unhandled exception.
Lambda waits 1 minute and retries. The function fails again.
Lambda waits ~2 minutes and retries a third time. The function fails again.
Lambda checks for a failure destination. If configured, it publishes the invocation record to the destination (e.g., SQS). If not, it checks for a DLQ. If a DLQ is configured, it sends the original event payload to the DLQ. If neither is configured, the event is discarded.
Common Pitfalls
FIFO queues as DLQ: Not supported. The exam may present a FIFO queue as a trap.
Confusing Destinations and DLQ: Destinations can route both success and failure; DLQ only failure. Destinations include response payload; DLQ only input.
Setting both DLQ and failure destination: The failure destination overrides the DLQ. The DLQ will not be used.
Assuming DLQ works for synchronous invocations: It does not. DLQ is only for asynchronous invocations.
Assuming Destinations work for synchronous invocations: They do not.
Event Trigger and Asynchronous Invocation
An event source, such as an S3 bucket or SNS topic, publishes an event to Lambda. Lambda receives the event and places it into an internal, managed queue. This queue is not visible to the user. The invocation is asynchronous, meaning the event source does not wait for the function to complete. Lambda immediately returns a 202 Accepted status to the event source.
First Execution Attempt
Lambda dequeues the event and attempts to execute the function. The function runs with the event payload as input. If the function completes without error (returns a response), Lambda checks for a success destination. If configured, the invocation record (including the response payload) is sent to the destination. If no success destination, the result is discarded. If the function throws an error or times out, the execution fails.
Retry with Exponential Backoff
Upon failure, Lambda waits a period of time before retrying. The first retry occurs after approximately 1 minute. If that fails, the second retry occurs after approximately 2 minutes. The maximum retry interval is about 20 minutes. Lambda will retry up to the configured `MaximumRetryAttempts` (default 2, total 3 attempts). If the function fails all retries, the event is considered permanently failed.
Check Maximum Event Age
Lambda also enforces a `MaximumEventAge` (default 6 hours). If the event's age exceeds this limit, Lambda discards the event without further processing. This prevents stale events from consuming resources. The event age is calculated from the time Lambda received the event. If retries extend beyond the maximum age, the event is dropped even if retry attempts remain.
Route to Destination or DLQ
After exhausting retries (or if the event age exceeds the limit), Lambda checks for a failure destination. If a failure destination is configured, Lambda publishes an invocation record (with error details) to the destination (SQS, SNS, Lambda, or EventBridge). If no failure destination but a DLQ is configured, Lambda sends the original event payload to the DLQ (SQS or SNS). If neither is configured, the event is discarded. Note: If both are configured, the destination takes precedence; the DLQ is ignored for failures.
Processing in DLQ or Destination
For DLQ (SQS), the message remains in the queue until consumed. You can set a redrive policy to reprocess messages back to the source queue or process them manually. For SNS as DLQ, subscribers receive notifications. For Destinations, the target service (e.g., another Lambda function) can process the invocation record. For example, a failure destination Lambda might log the error to CloudWatch or trigger an alert.
Enterprise Scenario 1: Image Processing Pipeline
A media company uses S3 to store user-uploaded images. An S3 event triggers a Lambda function to generate thumbnails. Occasionally, the function fails due to corrupt images or timeouts. The team configures a failure destination to an SQS queue. A separate Lambda function polls this queue, logs the error details, and sends a notification to the operations team via SNS. Additionally, a success destination sends the thumbnail metadata to an SQS queue for further processing (e.g., updating a database). This design ensures that both successes and failures are tracked. In production, the queue handles thousands of events per second. The team sets MaximumRetryAttempts to 1 (total 2 attempts) to reduce latency. The DLQ is not used because the failure destination provides richer error context.
Enterprise Scenario 2: Order Processing with DLQ
An e-commerce platform uses EventBridge to trigger a Lambda function for order validation. The function calls an external payment gateway. If the gateway is down, the function fails. The team configures a DLQ as an SQS queue. The DLQ stores the original order events. A scheduled Lambda function runs every hour to reprocess messages from the DLQ. This is a simpler setup compared to Destinations, but the team loses the error details. They mitigate this by having the function log errors to CloudWatch before failing. In production, the DLQ accumulates messages during outages, and the reprocessing Lambda must handle idempotency. The team sets MaximumEventAge to 2 hours to avoid processing stale orders.
What Goes Wrong When Misconfigured
No DLQ or Destination: Failed events are silently discarded. The team may not realize there is a problem until customers complain.
FIFO queue as DLQ: Configuration fails because FIFO is not supported. The exam tests this.
Both DLQ and failure destination: The failure destination takes precedence. The DLQ never receives messages, leading to confusion if the team monitors the DLQ for failures.
Incorrect IAM permissions: The destination or DLQ must have a resource-based policy allowing Lambda to send messages. Without it, the route fails silently.
Using DLQ for synchronous invocations: The DLQ is ignored. Synchronous errors must be handled in the client.
SAA-C03 Exam Focus
This topic falls under Domain 2: Resilient Architectures, specifically Objective 2.1: Design a multi-tier architecture solution. The exam tests your ability to choose between Destinations and DLQs for error handling in asynchronous Lambda invocations.
Common Wrong Answers and Why
"Use a DLQ for both success and failure events." – Wrong. DLQs only handle failures. Candidates confuse DLQ with Destinations, which can handle both.
"Configure a FIFO SQS queue as a DLQ." – Wrong. FIFO queues are not supported for DLQs because DLQs must handle high throughput and ordering is not guaranteed.
"Destinations can be used with synchronous invocations." – Wrong. Destinations only work with asynchronous invocations. For synchronous, you must handle the response in the calling application.
"If both DLQ and failure destination are configured, the DLQ receives the failure event." – Wrong. The failure destination takes precedence. The DLQ is ignored for failures.
Specific Numbers and Terms
Default retry attempts: 2 (total 3 attempts)
Default event age: 6 hours (configurable from 60 seconds to 6 hours)
Supported DLQ services: SQS standard and SNS (not FIFO)
Supported destination services: SQS, SNS, Lambda, EventBridge
Destination configuration is per function version or alias; DLQ is per function.
Edge Cases
If MaximumRetryAttempts is set to 0, the function will not retry. On first failure, it goes directly to the destination/DLQ.
If MaximumEventAge is set very low (e.g., 60 seconds), the event may expire before retries complete.
Destinations can be used to trigger another Lambda function, creating a chain. The exam may ask about this pattern for decoupling.
How to Eliminate Wrong Answers
If the question mentions "success" routing, eliminate DLQ.
If the question mentions "FIFO", eliminate DLQ.
If the question mentions "synchronous", eliminate both Destinations and DLQ (they are not applicable).
If the question mentions "response payload", choose Destinations over DLQ.
If the question mentions "original event only", choose DLQ.
Lambda Destinations support both success and failure routing; DLQs support only failure.
DLQs only support standard SQS queues and SNS topics — FIFO queues are NOT supported.
If both a failure destination and a DLQ are configured, the failure destination takes precedence.
Destinations include the function's response payload; DLQs include only the original event.
Destinations and DLQs only work with asynchronous invocations.
Default asynchronous retry attempts: 2 (total 3). Default maximum event age: 6 hours.
Destinations are configured per function version or alias; DLQs are configured per function.
Destinations can route to Lambda functions and EventBridge, enabling complex workflows.
These come up on the exam all the time. Here's how to tell them apart.
Lambda Destinations
Supports both success and failure routing.
Sends an invocation record with response payload and metadata.
Can route to SQS, SNS, Lambda, or EventBridge.
Configured per function version or alias.
Failure destination overrides DLQ if both are set.
Dead Letter Queues (DLQs)
Only supports failure routing.
Sends only the original event payload (no metadata).
Can route to SQS (standard) or SNS only.
Configured at the function level (not per version).
Ignored if a failure destination is configured.
Mistake
DLQ can route both successful and failed invocations.
Correct
DLQ only routes failed invocations after retries are exhausted. Destinations are needed for success routing.
Mistake
FIFO SQS queues are supported as DLQs.
Correct
Only standard SQS queues are supported as DLQs. FIFO queues are not supported because DLQs must handle high concurrency and ordering is not guaranteed.
Mistake
If both DLQ and failure destination are configured, the DLQ receives the failure.
Correct
The failure destination takes precedence. The DLQ will not receive the failure event if a failure destination is configured.
Mistake
Destinations work for synchronous Lambda invocations.
Correct
Destinations only work for asynchronous invocations. For synchronous invocations, you must handle the response in the calling code.
Mistake
DLQ and Destinations are the same thing.
Correct
They are different features. DLQ is older, only for failures, and only sends the original event. Destinations are newer, support success and failure, and send invocation records with response payloads.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. Dead Letter Queues only work with asynchronous Lambda invocations. For synchronous invocations, you must handle errors in the calling application or use a service like SQS to decouple the invocation.
The failure destination takes precedence. Lambda will send the failure invocation record to the destination and ignore the DLQ. The DLQ will not receive any events unless you remove the failure destination.
No. Only standard SQS queues are supported as DLQs. FIFO queues are not supported because DLQs must handle high throughput and ordering is not guaranteed.
No. Destinations only work with asynchronous invocations. For synchronous invocations, the caller receives the response directly and must handle success/failure there.
The default is 2 retry attempts, for a total of 3 executions. You can configure this between 0 and 2.
Yes, Lambda Destinations support SQS FIFO queues as a destination (unlike DLQs). However, you must ensure the message group ID is set appropriately.
You can set up CloudWatch alarms on the DLQ's ApproximateNumberOfMessagesVisible metric. Alternatively, you can configure an SNS topic as the DLQ and subscribe an email or Lambda function to it.
You've just covered Lambda Destinations and Dead Letter Queues — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?