AWS DVA-C02 Cheat Tables
1. CI/CD Tools
The pipeline mental model: CodeCommit/GitHub → CodeBuild → CodeArtifact (stores packages) → CodeDeploy → CodePipeline ties it all together
| Service | What it does | Key details to know | Exam gotcha |
|---|---|---|---|
| CodeCommit | Private Git repos hosted in AWS. Like GitHub but inside your AWS account. | Uses IAM for auth (not username/password). Supports SSH and HTTPS. Triggers events to EventBridge, SNS, Lambda on push. | ⚠️ AWS deprecated this in 2024 — may still appear on exam but flagged as legacy |
| CodeBuild | Compiles code, runs tests, produces deployable artifacts. Fully managed build server — no Jenkins to maintain. |
buildspec.yml file in your repo defines the build steps (install, pre-build, build, post-build phases). Outputs to S3. Billed per build minute. Runs in Docker containers. |
🚨 buildspec.yml must be at root of repo or explicitly specified — exam loves this |
| CodeDeploy | Automates deploying code to EC2, Lambda, ECS, or even on-premises servers. |
appspec.yml defines deployment hooks (BeforeInstall, AfterInstall, ApplicationStart etc). Supports blue/green, canary, and rolling deployments. For EC2 — needs the CodeDeploy agent installed on the instance. |
🚨 appspec.yml ≠ buildspec.yml — CodeBuild uses buildspec, CodeDeploy uses appspec. Exam will mix these up to trick you. |
| CodePipeline | The orchestrator. Connects source → build → test → deploy into one automated workflow. | Stages contain actions. Can add manual approval gates between stages. Integrates with GitHub, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, Elastic Beanstalk, ECS. Triggered by code push or on a schedule. | ℹ️ CodePipeline doesn't build or deploy itself — it just orchestrates other services that do |
| CodeArtifact | Private artifact/package repository. Stores npm, pip, Maven, NuGet packages inside your AWS account. | Acts as a proxy to public repos (npm, PyPI) AND caches them. So your builds never depend directly on the public internet. Access controlled via IAM and resource policies. | ℹ️ Think "private npm/pip registry inside AWS" — question about securing dependencies → CodeArtifact |
2. Event-Driven Architecture — Choreography vs Orchestration
| Choreography | Orchestration | |
|---|---|---|
| Mental model | Jazz band — everyone improvises together | Symphony conductor — one person directs everyone |
| Central brain? | No. Services react to events independently | Yes. One coordinator controls the flow |
| AWS services | EventBridge, SNS, SQS | Step Functions, Lambda |
| Coupling | Loosely coupled | More tightly coupled around the orchestrator |
| Visibility | Harder to trace the full flow | Easy — the workflow definition IS the flow |
| Pick when... | Fan-out to multiple consumers, services owned by different teams, "publish and forget", high scalability needed | Complex multi-step workflows, state must be tracked, error handling and retries matter, steps depend on previous results |
Exam tip: Question about "complex order processing with error handling and compensation steps" → Step Functions. Question about "notify multiple downstream services when something happens" → EventBridge or SNS.
3. Cognito — User Pools vs Identity Pools
| User Pools | Identity Pools | |
|---|---|---|
| What it is | A user directory. Handles sign-up, sign-in, passwords, MFA. | A credential vending machine. Exchanges tokens for temporary AWS credentials. |
| What it gives you | A JWT token (ID token, access token, refresh token) | Temporary IAM credentials (access key, secret key, session token) via STS |
| Who are the users | Humans logging into your app | Anyone who needs to call AWS services directly |
| Supports federation? | Yes — Google, Facebook, SAML, OIDC IdPs can log in through User Pools | Yes — can accept User Pool tokens, social logins, SAML, even unauthenticated guests |
| What you do with the output | Use the JWT to authenticate API calls to your app backend | Use the IAM credentials to call AWS services directly (S3, DynamoDB, etc.) |
| AWS service it calls | Nothing — it IS the auth service | Calls STS AssumeRoleWithWebIdentity under the hood |
| Analogy | The bouncer checking IDs at the door | The coat check that gives you a ticket to pick up AWS resources |
One-line memory hooks:
- User Pool = WHO are you? (authentication, identity, JWT)
- Identity Pool = WHAT can you access? (authorization, AWS credentials, IAM)
- User Pool → your app. Identity Pool → AWS services.
- InitiateAuth = native User Pool users only. Federation always goes through the hosted UI.
4. Cognito — Tricky Scenario Table
| Scenario | Answer |
|---|---|
| User logs in with Google and gets a JWT to call YOUR app's API | User Pool (with Google as federated IdP) |
| User logs in and then needs to read their own S3 files directly from the browser | Identity Pool (exchanges token for IAM creds to call S3) |
| You need MFA, password reset, email verification | User Pool — Identity Pools don't do any of that |
| Unauthenticated guest users need limited AWS access | Identity Pool — supports unauthenticated identities |
| SAML corporate SSO → app login | User Pool with SAML IdP configured |
| Mobile app needs to write to DynamoDB directly | Identity Pool — gets IAM creds, calls DynamoDB |
| Federated sign-in is failing, IdP is configured correctly | User must use /oauth2/authorize hosted UI endpoint, NOT InitiateAuth
|
| Need to chain both together | User Pool authenticates → passes JWT to Identity Pool → gets IAM creds |
Elastic Beanstalk — The 6 Things DVA Tests
| Topic | What to know |
|---|---|
| Deployment policies | All at once — fastest, has downtime. Rolling — no downtime, reduced capacity during deploy. Rolling with additional batch — no downtime, no reduced capacity (spins up extra instances first). Immutable — safest, creates entirely new instances then swaps. Blue/Green — swap environment URLs via Route 53/CNAME swap. |
| Procfile | Defines multiple long-running processes (web server + background workers). Beanstalk starts and monitors all of them. |
| Buildfile | Commands that run ONCE during deployment. Not for long-running processes — for build steps. |
.ebextensions/ |
Folder of YAML config files that customize the environment — install packages, set env vars, run scripts on instance startup. |
env.yaml |
Define environment configuration (environment name, solution stack, option settings). |
| Saved configurations | Snapshot of an environment's full config. Reuse it to spin up identical environments or restore a previous state. |
Exam tip: "No downtime + no reduced capacity" → Rolling with additional batch. "Safest / can roll back instantly" → Immutable. "Separate live environment, swap DNS" → Blue/Green.
IAM — Trust Policies vs Permission Policies
This is one of the most misunderstood IAM concepts and the exam exploits it constantly.
Two completely separate questions
| Question | Answered by | Where it lives |
|---|---|---|
| Can this principal DO this action? | Permissions policy | Attached to the user/role doing the action |
| Can this principal ASSUME this role? | Trust policy | Attached to the TARGET role being assumed |
AssumeRole requires BOTH to be true
When Lambda tries to assume a role, TWO things must both be true:
- The Lambda execution role must have
sts:AssumeRolepermission in its permissions policy ✓ - The target role must list the Lambda execution role as a trusted principal in its trust policy ✓
If either one is missing → AccessDenied. The exam gives you a scenario where #1 is satisfied but #2 is missing. Most people only think about the caller's permissions and miss the trust policy entirely.
What a trust policy looks like
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/MyLambdaExecutionRole"
},
"Action": "sts:AssumeRole"
}
]
}
This lives on the TARGET role. It says "I trust MyLambdaExecutionRole to assume me." Without this, AssumeRole is denied no matter what.
Memory hook
Permissions policy = what I can do
Trust policy = who can wear my hat
AssumeRole denied despite havingsts:AssumeRole? → Check the target role's trust policy
IAM — Allow/Deny Evaluation Order
| Priority | Rule |
|---|---|
| 1 — Explicit Deny | Always wins. One Deny anywhere overrides every Allow everywhere. No exceptions. |
| 2 — SCPs | Org-level guardrails. If the SCP doesn't allow it, nothing below matters. |
| 3 — Resource-based policies | Evaluated alongside identity policies for cross-account access. |
| 4 — Identity-based policies | What's attached to the user/role making the request. |
| 5 — Default Deny | If nothing explicitly Allows it, it's denied. |
The tricky distinctions
| Concept | What it means |
|---|---|
| Explicit Deny | A policy literally says "Effect": "Deny". Overrides any Allow anywhere. |
| Default Deny (implicit) | No policy says anything about this action. Denied by default. Does NOT override an Allow. |
NotAction + Deny |
Denies everything EXCEPT the listed actions. Exam loves this one. |
Key exam trap: "The user has an Allow in their group policy but still gets denied" → there is an explicit Deny somewhere else. Find it. One explicit Deny beats unlimited Allows.
Top comments (0)