AWS DVA-C02 Cheat Tables
1. CI/CD Tools
The pipeline mental model: CodeCommit/GitHub (source) → CodeBuild (build; dependencies pulled from CodeArtifact) → CodeDeploy (deploy), with CodePipeline tying it all together
| Service | What it does | Key details to know | Exam gotcha |
|---|---|---|---|
| CodeCommit | Private Git repos hosted in AWS. Like GitHub but inside your AWS account. | Auth is IAM-based: SSH keys or HTTPS Git credentials attached to an IAM user, or the git-remote-codecommit helper with temporary credentials. Repository events (push, branch, pull request) go to EventBridge, SNS, Lambda. | ⚠️ Closed to new customers since July 2024. May still appear on the exam, but treat it as legacy; GitHub/GitLab/Bitbucket connect to CodePipeline via CodeConnections. |
| CodeBuild | Compiles code, runs tests, produces deployable artifacts. Fully managed build service, no Jenkins to maintain. | buildspec.yml in your repo defines the phases: install, pre_build, build, post_build, plus an artifacts section. Artifacts go to S3, logs to CloudWatch Logs/S3. Billed per build minute. Each build runs in a fresh Docker container (or on Lambda compute). | 🚨 The default is buildspec.yml at the repo root; a different path or an inline buildspec must be set explicitly in the project. Exam loves this. |
| CodeDeploy | Automates deploying code to EC2, Lambda, ECS, or on-premises servers. | appspec.yml defines lifecycle hooks (ApplicationStop, BeforeInstall, AfterInstall, ApplicationStart, ValidateService, etc.). EC2: in-place (AllAtOnce, HalfAtATime, OneAtATime) or blue/green. Lambda and ECS: canary, linear, or all-at-once traffic shifting. EC2 and on-prem targets need the CodeDeploy agent installed; Lambda and ECS do not. | 🚨 appspec.yml ≠ buildspec.yml: CodeBuild uses buildspec, CodeDeploy uses appspec. The exam mixes them up to trick you. |
| CodePipeline | The orchestrator. Connects source → build → test → deploy into one automated workflow. | Stages contain actions; actions within a stage can run sequentially or in parallel. Manual approval actions gate stages (SNS notifies the approver). Integrates with GitHub, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, Elastic Beanstalk, ECS, Lambda. Triggered by a source change (via EventBridge) or on a schedule. | ℹ️ CodePipeline doesn't build or deploy anything itself; it orchestrates the services that do. |
| CodeArtifact | Private artifact/package repository. Stores npm, pip, Maven, NuGet (and generic, Swift, Ruby) packages inside your AWS account. | Upstream repositories with external connections proxy AND cache public registries (npmjs, PyPI, Maven Central), so builds never pull straight from the internet and a package pulled from upstream stays available even if it disappears there. Access via IAM (short-lived auth tokens from GetAuthorizationToken) plus domain and repository resource policies. | ℹ️ Think "private npm/pip registry inside AWS". Question about securing, pinning or caching dependencies → CodeArtifact. |
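The two files the table keeps apart, as an added example (not from the cheat sheet or from any AWS sample): a buildspec.yml that CodeBuild reads, pulling npm dependencies through CodeArtifact instead of the public registry, and an EC2 appspec.yml that CodeDeploy reads. They are separate files living in different places; they are shown here in one YAML stream split by `---`. The domain, repository, account ID, paths and script names are assumptions.

```yaml
# ---- buildspec.yml (read by CodeBuild; repo root unless the project says otherwise) ----
version: 0.2

env:
  variables:
    CODEARTIFACT_DOMAIN: example-domain     # assumption
    CODEARTIFACT_REPO: example-repo         # assumption
    AWS_ACCOUNT_ID: "111122223333"          # placeholder account ID

phases:
  install:
    runtime-versions:
      nodejs: 20                            # assumes a standard image that ships Node 20
  pre_build:
    commands:
      # Point npm at the private repo with a 12-hour CodeArtifact token. The build role
      # needs codeartifact:GetAuthorizationToken, codeartifact:ReadFromRepository and
      # sts:GetServiceBearerToken; the build itself never reaches registry.npmjs.org.
      - aws codeartifact login --tool npm --domain "$CODEARTIFACT_DOMAIN" --domain-owner "$AWS_ACCOUNT_ID" --repository "$CODEARTIFACT_REPO"
      - npm ci                              # lockfile-only install: no silent version drift
  build:
    commands:
      - npm test
      - npm run build
  post_build:
    commands:
      - echo "Build finished at $(date -u +%Y-%m-%dT%H:%M:%SZ)"

artifacts:
  files:
    - '**/*'
  base-directory: dist                      # what CodeDeploy will receive via S3

---
# ---- appspec.yml (read by CodeDeploy; root of the deployment bundle, EC2/on-prem form) ----
version: 0.0
os: linux

files:
  - source: /
    destination: /var/www/app               # assumption
    overwrite: true

permissions:
  - object: /var/www/app
    owner: app                              # assumption: unprivileged service account
    group: app
    mode: 750
    type:
      - directory

hooks:
  ApplicationStop:
    - location: scripts/stop.sh
      timeout: 60
      runas: root
  BeforeInstall:
    - location: scripts/install_deps.sh
      timeout: 300
      runas: root
  AfterInstall:
    - location: scripts/configure.sh
      timeout: 120
      runas: root
  ApplicationStart:
    - location: scripts/start.sh
      timeout: 120
      runas: app                            # the app itself does not start as root
  ValidateService:
    - location: scripts/health_check.sh     # non-zero exit here fails (and rolls back) the deployment
      timeout: 180
      runas: app
```

The hook order in the appspec is fixed by CodeDeploy (ApplicationStop → BeforeInstall → AfterInstall → ApplicationStart → ValidateService for in-place deployments); only the scripts are yours. ValidateService is where a real health check belongs, because a failing hook is what triggers automatic rollback.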
2. Event-Driven Architecture — Choreography vs Orchestration
| | Choreography | Orchestration |
|---|---|---|
| Mental model | Jazz band: everyone improvises together | Symphony conductor: one person directs everyone |
| Central brain? | No. Services react to events independently | Yes. One coordinator controls the flow |
| AWS services | EventBridge, SNS, SQS | Step Functions (Lambda and other services are the steps it calls) |
| Coupling | Loosely coupled | Steps stay loosely coupled to each other, but tightly coupled to the orchestrator |
| Visibility | Harder to trace the full flow (you need correlation IDs and X-Ray) | Easy: the workflow definition IS the flow, and every execution's history is recorded |
| Pick when... | Fan-out to multiple consumers, services owned by different teams, "publish and forget", high scalability needed | Complex multi-step workflows, state must be tracked, error handling and retries matter, steps depend on previous results |
Exam tip: Question about "complex order processing with error handling and compensation steps" → Step Functions. Question about "notify multiple downstream services when something happens" → EventBridge or SNS.
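What the orchestration column looks like in practice, as an added example that is not part of the original page: a Step Functions state machine in Amazon States Language, written in YAML as you would embed it under `Definition` in an `AWS::StepFunctions::StateMachine` resource. It retries transient Lambda errors with backoff, and if the payment step fails it runs a compensating step (release the reserved stock) before failing the execution. The Lambda function names are assumptions.

```yaml
Comment: Order processing with retries and a compensating step (added example)
StartAt: ReserveInventory
States:
  ReserveInventory:
    Type: Task
    Resource: arn:aws:states:::lambda:invoke
    Parameters:
      FunctionName: reserve-inventory       # assumption
      Payload.$: $
    ResultPath: $.reservation               # keep the order input, add the reservation result
    Retry:
      # Throttling and service-side errors are transient: retry 2s, 4s, 8s
      - ErrorEquals:
          - Lambda.ServiceException
          - Lambda.TooManyRequestsException
        IntervalSeconds: 2
        MaxAttempts: 3
        BackoffRate: 2
    Catch:
      # Nothing to compensate yet: go straight to the failure state
      - ErrorEquals: [States.ALL]
        ResultPath: $.error
        Next: OrderFailed
    Next: ChargeCard

  ChargeCard:
    Type: Task
    Resource: arn:aws:states:::lambda:invoke
    Parameters:
      FunctionName: charge-card             # assumption
      Payload.$: $
    ResultPath: $.payment
    Catch:
      # Payment failed after stock was reserved: undo the reservation first
      - ErrorEquals: [States.ALL]
        ResultPath: $.error
        Next: ReleaseInventory
    Next: OrderConfirmed

  ReleaseInventory:
    Type: Task
    Resource: arn:aws:states:::lambda:invoke
    Parameters:
      FunctionName: release-inventory       # assumption
      Payload.$: $.reservation
    ResultPath: null                        # discard the result, keep $.error for the Fail state
    Next: OrderFailed

  OrderConfirmed:
    Type: Succeed

  OrderFailed:
    Type: Fail
    Error: OrderProcessingFailed
    Cause: A step failed; see $.error in the execution history
```

The compensation path is the part that is awkward in choreography: with EventBridge or SNS, "undo the reservation because the payment failed" has to be another event that the inventory service chooses to handle, and nothing records whether it did. Here the execution history shows every transition, including the ReleaseInventory call, so a forensic question of "was the stock ever released for order X" has a definitive answer.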
3. Cognito — User Pools vs Identity Pools
| | User Pools | Identity Pools |
|---|---|---|
| What it is | A user directory. Handles sign-up, sign-in, passwords, MFA. | A credential vending machine. Exchanges identity tokens for temporary AWS credentials. |
| What it gives you | An ID token and an access token (JWTs, RS256-signed) plus a refresh token (opaque, not a JWT) | Temporary IAM credentials (access key ID, secret access key, session token) via STS |
| Who are the users | Humans logging into your app | Anyone, including unauthenticated guests, who needs to call AWS services directly |
| Supports federation? | Yes: Google, Facebook, Apple, Amazon, SAML and OIDC IdPs sign in through the User Pool | Yes: accepts User Pool tokens, social logins, SAML/OIDC IdPs, developer-authenticated identities, and unauthenticated guests |
| What you do with the output | Send the JWT as a bearer token to your backend (API Gateway Cognito authorizer, ALB authentication, or your own code). Whoever receives it must check the signature against the pool's JWKS, plus `iss`, `exp`, `token_use`, and `aud` (ID token) or `client_id` (access token). | Sign AWS API calls with the credentials (S3, DynamoDB, etc.). Scope the role's policy with the `${cognito-identity.amazonaws.com:sub}` variable so each identity only reaches its own resources. |
| AWS service it calls | Nothing; it IS the auth service | Enhanced (default) flow: GetId then GetCredentialsForIdentity. Classic flow: GetOpenIdToken then STS AssumeRoleWithWebIdentity. |
| Analogy | The bouncer checking IDs at the door | The coat check that gives you a ticket to pick up AWS resources |
One-line memory hooks:
- User Pool = WHO are you? (authentication, identity, JWT)
- Identity Pool = WHAT can you access? (authorization, AWS credentials, IAM)
- User Pool → your app. Identity Pool → AWS services.
- InitiateAuth = native User Pool users only. Federated sign-in always goes through the hosted UI / OAuth 2.0 endpoints (/oauth2/authorize).
4. Cognito — Tricky Scenario Table
| Scenario | Answer |
|---|---|
| User logs in with Google and gets a JWT to call YOUR app's API | User Pool (with Google as federated IdP) |
| User logs in and then needs to read their own S3 files directly from the browser | Identity Pool (exchanges the User Pool token for IAM creds to call S3); scope the role to the caller's own prefix |
| You need MFA, password reset, email verification | User Pool. Identity Pools don't do any of that |
| Unauthenticated guest users need limited AWS access | Identity Pool with unauthenticated identities enabled and a deliberately minimal guest role |
| SAML corporate SSO → app login | User Pool with a SAML IdP configured |
| Mobile app needs to write to DynamoDB directly | Identity Pool: gets IAM creds, calls DynamoDB (use a fine-grained policy with `dynamodb:LeadingKeys` = `${cognito-identity.amazonaws.com:sub}`) |
| Federated sign-in is failing, IdP is configured correctly | The app must use the /oauth2/authorize hosted UI endpoint, NOT InitiateAuth |
| Need to chain both together | User Pool authenticates → passes the ID token to the Identity Pool → gets IAM creds |
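The "read their own S3 files directly from the browser" row, wired up as an added CloudFormation example (not from the original page). Two things carry the security weight: the trust policy pins the role to this identity pool (`aud`) and to authenticated identities (`amr`), so a token from some other pool or a guest cannot assume it; and the permissions policy uses the `${cognito-identity.amazonaws.com:sub}` policy variable, so the vended credentials only reach the caller's own prefix. Unauthenticated identities are disabled, so no guest role is attached. The parameter names and the `private/` prefix are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Identity Pool exchanging User Pool tokens for IAM creds scoped to the caller's own S3 prefix (added example)

Parameters:
  UserPoolId:            # assumption: an existing User Pool, e.g. us-east-1_AbCdEfGhI
    Type: String
  UserPoolClientId:      # assumption: the app client the users sign in with
    Type: String
  BucketName:            # assumption: bucket holding per-user objects under private/<identity id>/
    Type: String

Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false     # no guest role exists, so guests get nothing
      CognitoIdentityProviders:
        - ProviderName: !Sub cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}
          ClientId: !Ref UserPoolClientId
          ServerSideTokenCheck: true            # reject tokens of users since disabled/deleted in the pool

  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # only identities minted by THIS identity pool...
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                # ...that are authenticated, never guests
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: own-prefix-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                # ${!...} keeps the IAM policy variable literal inside !Sub
                Resource: !Sub "arn:aws:s3:::${BucketName}/private/${!cognito-identity.amazonaws.com:sub}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${BucketName}"
                Condition:
                  StringLike:
                    s3:prefix: "private/${cognito-identity.amazonaws.com:sub}/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

Note that `cognito-identity.amazonaws.com:sub` here is the Identity Pool identity ID (shaped like `us-east-1:<uuid>`), not the User Pool `sub` claim, so objects must be keyed by the identity ID the app gets back from GetId. Without the `aud` and `amr` conditions, any Cognito identity pool in any account whose role trust policy named `cognito-identity.amazonaws.com` could be pointed at this role, which is the classic misconfiguration here.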