Scenario-based practice

Hard Difficulty Questions

Practise AWS Certified Developer Associate DVA-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: DVA-C02 | Vendor: Amazon Web Services

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

Question 2 (hard, multiple choice)

An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?

Question 3 (hard, multi select)

A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?

Question 4 (hard, multiple choice)

Based on the CloudTrail log entry, which security concern should be investigated?

Exhibit

Refer to the exhibit.
CloudTrail log entry:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/MySession",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "arn": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "attributes": {
        "creationDate": "2024-01-15T10:00:00Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-01-15T10:05:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "instancesSet": {
      "items": [
        {
          "imageId": "ami-0abcdef1234567890"
        }
      ]
    }
  }
}

Question 5 (hard, multiple choice)

A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

Question 6 (hard, multiple choice)

A developer applied the bucket policy shown in the exhibit to an S3 bucket. What is the outcome?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonHttps",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 7 (hard, multiple choice)

A developer is deploying an application on EC2 instances behind an Application Load Balancer. The application must support mutual TLS (mTLS) authentication between clients and the load balancer. Which configuration is required?

Question 8 (hard, multiple choice)

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. However, the application receives an AccessDenied error. The bucket policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AppRole"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

The EC2 instance is using the correct IAM role. What is the most likely cause of the error?

Question 9 (hard)

A developer is troubleshooting an AWS Lambda function that processes large CSV files (up to 1 GB) uploaded to an Amazon S3 bucket. The function uses Python and the pandas library to perform data transformations. Recently, the function started timing out on large files. CloudWatch Logs show that the function's execution time is close to the 15-minute Lambda timeout, and memory utilization peaks at around 80% of the configured 3,008 MB. The function has not been modified in months. Which action will most likely resolve the timeout issue without requiring code changes?

Question 10 (hard, multiple choice)

A developer optimized an Amazon S3 bucket for high request rates. The bucket receives over 5,000 PUT requests per second. Recently, some requests are failing with a 503 Slow Down error. What is the most likely cause and how should the developer fix it?

Question 11 (hard, multiple choice)

A company uses AWS CodePipeline with CodeBuild to deploy a Node.js application. The build fails intermittently with 'npm ERR! network' errors. What is the most likely cause and solution?

Question 12 (hard, multiple choice)

A developer is deploying a microservices architecture on Amazon ECS. The services need to communicate with each other securely. The developer wants to use service discovery and ensure that traffic between services is encrypted. Which combination of services should the developer use?

Question 13 (hard, multiple choice)

A developer is deploying an AWS Lambda function that processes data from an Amazon Kinesis stream. The function must be idempotent and handle duplicate records. The developer notices that the same record is being processed multiple times. What is the most likely cause of this issue?

Question 14 (hard, multiple choice)

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error message 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The developer checks the deployment logs and finds that the ApplicationStop hook failed on some instances. What is the most likely cause of this failure?

Question 15 (hard, multiple choice)

A company is deploying a containerized application on Amazon EKS. The developer wants to automate the deployment process using a CI/CD pipeline that builds a Docker image, pushes it to Amazon ECR, and updates the Kubernetes deployment. Which tool should the developer use to update the Kubernetes deployment?

Question 16 (hard, multi select)

A developer is deploying a new version of an AWS Lambda function. The function is behind an API Gateway endpoint. The developer wants to use canary deployments to gradually shift traffic to the new version. Which TWO steps should the developer perform?

Question 17 (hard, multiple choice)

Refer to the exhibit. A developer is troubleshooting a failed CodeDeploy deployment to an EC2 Auto Scaling group. The instance logs show that the 'BeforeInstall' script failed with exit code 1. What should the developer do to resolve the issue?

Exhibit

DeploymentId: d-EXAMPLE123
Status: FAILED
Error: The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.

Instance logs:
i-abc12345: Script 'BeforeInstall' failed with exit code 1

Question 18 (hard, multi select)

Which THREE components are required to perform a blue/green deployment of an application running on Amazon ECS using AWS CodeDeploy? (Select THREE.)

Question 19 (hard, multiple choice)

A developer deployed a new version of an AWS Lambda function that is part of a serverless application. The function uses an Amazon DynamoDB table as a data store. After deployment, the developer notices that the function's latency has increased significantly for some requests. CloudWatch traces show that the increase is due to DynamoDB throttle events. The function is configured with a reserved concurrency of 100 and the DynamoDB table has 5 read capacity units (RCUs) and 5 write capacity units (WCUs). What is the most effective way to reduce the throttling while maintaining application performance?

Question 20 (hard, multiple choice)

A developer is deploying a microservices application on Amazon ECS using Fargate. The developer wants to implement a blue/green deployment strategy using AWS CodeDeploy. The current production environment uses an Application Load Balancer (ALB). What is the minimum configuration required to enable blue/green deployments?

These DVA-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style DVA-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.