🧪 Full Mock Exam: DVA-C02 (65 Questions)
Instructions: Answer all questions, then check explanations. Passing = 72/100 scaled score (roughly 47+/65 correct). Target 80%+ (52+/65) before the real exam.
⏱️ Time yourself: 130 minutes (2 min/question average)
Interview Questions (Senior Level)
- How should a senior engineer use mock exams differently from a junior candidate?
- What post-mock review method best converts mistakes into durable architectural judgment?
- How do you detect "memorized answers" versus real AWS decision-making competence?
- Which mock-exam domains map most directly to production incident ownership?
Short answer guide:
- Focus on trade-offs and failure modes, not just score.
- Build error logs by pattern and close gaps with hands-on labs.
- Reframe each wrong answer as a design scenario.
- Security, deployment, and troubleshooting domains are most operationally transferable.
Use each missed question to build a reusable decision rule for real systems.
Avoid treating high mock scores as proof of production-level architecture judgment.
Domain 1: Development with AWS Services (21 Questions)
Q1. A Lambda function processing SQS messages sometimes fails. The team wants failed messages to be retained for manual inspection. What is the BEST solution?
A) Set Lambda timeout to 15 minutes
B) Configure a Dead Letter Queue (DLQ) on the SQS Event Source Mapping
C) Use a try-catch in the Lambda and log to CloudWatch
D) Increase the SQS message retention period
Answer
B: A DLQ on the ESM captures messages that fail after all retries. The team can then inspect, debug, and redrive messages from the DLQ.
Q2. An application needs to process each customer's orders strictly in sequence. Orders from different customers can be processed in parallel. Which SQS feature enables this?
A) Standard Queue
B) FIFO Queue with MessageGroupId per customer
C) FIFO Queue with a single MessageGroupId
D) Standard Queue with sequence numbers in the message body
Answer
B: FIFO Queues with MessageGroupId per customer ensure ordering within each customer's group, while different groups (customers) are processed in parallel.
Q3. A DynamoDB table has userId (partition key) and createdAt (sort key). A query needs all items where userId = "U1" AND createdAt is between two dates. What is the MOST efficient approach?
A) Scan with FilterExpression
B) Query with partition key + BETWEEN condition on sort key
C) Create a GSI on createdAt
D) GetItem in a loop
Answer
B: Since createdAt IS the sort key, a Query with KeyConditionExpression: userId = :u AND createdAt BETWEEN :start AND :end is a single efficient operation. No scan or GSI needed.
Q4. A Lambda function needs to make 1,000 calls per second to the KMS Decrypt API. Performance starts degrading. What should the developer implement?
A) Use KMS multi-region keys
B) Switch to client-side encryption
C) Implement Data Key Caching using the AWS Encryption SDK
D) Increase Lambda memory
Answer
C: Data Key Caching reuses decrypted data keys for a configurable duration, dramatically reducing KMS API calls. KMS has throttle limits (~10,000 TPS), so caching is essential at scale.
Q5. An application stores user-uploaded files in S3. Users should be able to directly upload from the browser to S3 without going through the app server. What should the developer provide to the client?
A) The bucket's access key and secret key
B) A presigned PUT URL generated by the server
C) Make the S3 bucket public
D) An API Gateway proxy to S3
Answer
B: A presigned PUT URL grants time-limited, scoped upload permission to the S3 bucket without exposing credentials. The server generates it using its IAM role.
Q6. A Kinesis Data Stream has 4 shards. The consumer Lambda needs to process each shard's records in order. What should the developer configure?
A) BatchSize = 1 for the Event Source Mapping
B) Lambda with FIFO SQS trigger
C) One Lambda per shard using parallel execution in the ESM
D) Increase shard count
Answer
C: The Kinesis ESM invokes Lambda per shard; each shard's records are processed sequentially by one concurrent Lambda invocation. Ordering is preserved within each shard. The default parallelization factor is 1 (one Lambda per shard).
Q7. A developer uses DynamoDB Transactions to transfer funds between accounts. The operation consumes how many WCUs compared to a non-transactional write?
A) Same WCUs
B) Half the WCUs
C) 2× the WCUs
D) 4× the WCUs
Answer
C: DynamoDB Transactions use 2× the capacity units of equivalent non-transactional operations to maintain ACID guarantees.
Q8. An API Gateway REST API needs to return a response in under 100ms for all requests. The backend Lambda takes 2-3 seconds. Which API Gateway feature helps for cacheable responses?
A) Lambda Provisioned Concurrency
B) API Gateway Stage-level caching
C) API Gateway Request Validation
D) Lambda SnapStart
Answer
B: API Gateway caching stores Lambda responses at the edge. Subsequent identical requests return from cache in under 10ms without invoking Lambda at all. Ideal for cacheable GET endpoints.
Q9. A developer wants to process the same event with 3 different microservices independently. The event is published once. Which architecture is correct?
A) Publish to 3 SQS queues directly from the publisher
B) Publish to SNS Topic → 3 SQS queue subscriptions (fan-out)
C) Publish to Kinesis with 3 shards
D) Publish to SQS FIFO with 3 MessageGroupIds
Answer
B: SNS → SQS fan-out pattern: one SNS publish → all 3 SQS queues receive it simultaneously. Each microservice has its own queue, providing independent processing and decoupling.
Q10. A Step Functions workflow processes a loan application. After calculating eligibility, it must wait for a loan officer to approve before continuing. The wait could be hours. Which pattern should be used?
A) Wait state with Seconds: 86400
B) Choice state polling a DynamoDB approval table
C) Lambda that checks an SQS approval queue
D) Task state with waitForTaskToken (Callback pattern)
Answer
D: The Callback pattern (waitForTaskToken) pauses the workflow indefinitely until the loan officer calls SendTaskSuccess or SendTaskFailure with the token. No polling or fixed wait.
Q11. A Java Lambda function is experiencing slow cold starts (8 seconds). The function uses Spring Boot. What is the BEST solution?
A) Increase Lambda memory to 3GB
B) Use a smaller JVM (GraalVM native)
C) Enable Lambda SnapStart on Java 11+ runtime
D) Reduce the number of Lambda layers
Answer
C: Lambda SnapStart takes a snapshot of the initialized JVM state and resumes from it, reducing Java cold starts from seconds to milliseconds. It's purpose-built for this problem.
Q12. An application uses AppSync to serve a mobile app. When a user submits an order, all connected devices belonging to that user should receive a real-time update. Which AppSync feature enables this?
A) Resolvers
B) Pipeline Resolvers
C) Subscriptions
D) Caching
Answer
C: AppSync Subscriptions maintain WebSocket connections to clients. When the createOrder mutation fires, all subscribers matching the filter (userId) receive the push update automatically.
Q13. An ElastiCache Redis cluster has a primary node and 2 replicas. The primary node fails. What happens?
A) All requests fail until manual intervention
B) One replica becomes read-only primary
C) Automatic failover promotes a replica to primary within seconds
D) A new primary is created from snapshot
Answer
C: Redis with Multi-AZ and automatic failover promotes a replica to primary automatically. The DNS endpoint updates within seconds. This is why replicas (not just a standalone node) are critical for HA.
Q14. A Lambda reads a secret from Secrets Manager on every invocation, resulting in high API costs. The secret changes monthly. What is the BEST fix?
A) Cache the secret in DynamoDB
B) Store it in an environment variable
C) Use the Secrets Manager Caching Client with a TTL slightly below the rotation interval
D) Read the secret in the handler but only when event.refresh == true
Answer
C: The Secrets Manager Caching Client caches secrets in Lambda memory across warm invocations. Set TTL < rotation interval to ensure fresh values after rotation, while avoiding API calls on every invocation.
Q15. A developer needs to paginate DynamoDB Query results. The first call returns 100 items and a LastEvaluatedKey. How should they retrieve the next page?
A) Re-run the Query with Offset: 100
B) Use NextPage: true in the request
C) Pass LastEvaluatedKey as ExclusiveStartKey in the next Query
D) Scan from item 101
Answer
C: DynamoDB pagination uses ExclusiveStartKey = the LastEvaluatedKey from the previous response. There's no offset-based pagination; it's cursor-based.
Q16. A Kinesis Data Firehose stream needs to deliver data to S3, but only records with eventType = "ERROR". Where should the filtering be applied?
A) S3 lifecycle rule
B) Lambda transformation attached to the Firehose delivery stream
C) S3 Select on the output
D) EventBridge Pipes
Answer
B: Kinesis Firehose supports a Lambda transformation function that can filter, enrich, and transform records before delivery. Return Dropped for records you don't want delivered.
Q17. An API Gateway HTTP API uses a Cognito JWT authorizer. A request arrives with an expired Access Token. What does API Gateway return?
A) 500 Internal Server Error
B) 403 Forbidden
C) 401 Unauthorized
D) 404 Not Found
Answer
C: An expired JWT token means the request is unauthenticated, so API Gateway returns HTTP 401 Unauthorized. 403 would mean authenticated but not authorized.
Q18. A CloudFront distribution serves a React SPA from S3. After deploying a new version, some users still see old content. What should the developer do?
A) Increase S3 object TTL
B) Delete all S3 objects
C) Create a CloudFront invalidation for /* or the changed paths
D) Redeploy the CloudFront distribution
Answer
C: A CloudFront invalidation purges cached objects at edge locations. For a full purge: /*. For targeted purges: /index.html, /js/*. The first 1,000 paths/month are free.
Q19. A developer needs to ensure that a DynamoDB UpdateItem only succeeds if the item's status is currently "PENDING". What feature should they use?
A) DynamoDB Transactions
B) UpdateItem with ConditionExpression: status = :pending
C) Read before write in application code
D) DynamoDB Streams trigger
Answer
B: ConditionExpression on UpdateItem performs an atomic conditional update; the update only succeeds if the condition is true. This avoids the race conditions that a read-then-write approach would have.
Q20. An S3 bucket must reject any PutObject request that doesn't include server-side encryption with a KMS key. What should the developer configure?
A) S3 Default Encryption
B) A bucket policy with Deny on s3:PutObject when s3:x-amz-server-side-encryption != "aws:kms"
C) An S3 lifecycle rule
D) KMS key policy
Answer
B: A bucket policy with an explicit Deny for unencrypted uploads is the only way to enforce encryption on every object. Default encryption applies encryption but doesn't reject unencrypted requests.
Q21. A Lambda function calls an external HTTPS payment API. Inside a VPC, no NAT Gateway is configured, and no internet access exists. What should be added?
A) An Internet Gateway attached to the Lambda's subnet
B) A VPC Gateway Endpoint for the payment API
C) A NAT Gateway in a public subnet with a route from the private subnet
D) An Elastic IP on the Lambda function
Answer
C: External internet access from a private subnet requires a NAT Gateway in a public subnet. VPC Gateway Endpoints only work for S3 and DynamoDB. Lambda functions can't have Elastic IPs.
Domain 2: Security (17 Questions)
Q22. A developer accidentally commits an AWS access key to a public GitHub repository. What should they do FIRST?
A) Delete the git commit history
B) Make the GitHub repository private
C) Immediately deactivate/delete the access key via IAM console
D) Rotate the access key
Answer
C: The immediate priority is deactivating the key (assume it's already compromised). Then: check CloudTrail for unauthorized usage, delete the key, create a new one, remove it from git history, and run a post-mortem.
Q23. A microservice running on ECS Fargate needs to write to SQS. No credentials should be stored in the container. What is the correct approach?
A) Pass AWS_ACCESS_KEY_ID as a container environment variable
B) Store credentials in Secrets Manager and inject them
C) Attach an IAM Task Role to the ECS task definition with sqs:SendMessage permission
D) Use the AWS root account credentials
Answer
C: The ECS Task Role grants the application code in the container temporary IAM credentials via the instance metadata service. No credentials need to be stored.
Q24. Which Cognito token should be used to authorize API calls to API Gateway?
A) ID Token
B) Refresh Token
C) Access Token
D) SAML Assertion
Answer
C: The Access Token is used for API authorization (sent as Authorization: Bearer <access_token>). The ID Token contains user identity claims and is for the application itself, not backend APIs.
Q25. A developer needs to grant a third-party auditing tool read-only access to AWS resources. The security team is concerned about the confused deputy problem. What should be added to the IAM role's trust policy?
A) aws:SourceVpc condition
B) aws:SourceIp condition
C) sts:ExternalId condition
D) aws:RequestedRegion condition
Answer
C: sts:ExternalId is the standard defense against the confused deputy problem in cross-account scenarios. The third party must supply this secret when assuming the role.
Q26. An application encrypts data using a KMS Customer Managed Key. The key is accidentally deleted. What happens to the encrypted data?
A) AWS automatically recreates the key
B) Data can be decrypted with the AWS-managed default key
C) Data is permanently unrecoverable (unless key was in 7-30 day pending deletion period)
D) Data is automatically re-encrypted with a new key
Answer
C: KMS CMK deletion has a 7-30 day pending deletion period (configurable, no minimum if using ScheduleKeyDeletion). If the key is fully deleted, encrypted data is permanently unrecoverable. Always set the maximum pending deletion window.
Q27. A Lambda function needs to access a private RDS database using IAM authentication (no password). What must be true?
A) RDS must have public access enabled
B) The Lambda must be in the same VPC as RDS, and its role must have rds-db:connect permission
C) The Lambda must use the root account credentials
D) RDS must have SSL disabled
Answer
B: IAM DB Authentication requires: 1) Lambda in the same VPC, 2) SSL enabled, 3) an IAM role with rds-db:connect permission for the specific DB user. The auth token is generated via the AWS SDK.
Q28. A team wants to prevent developers from creating IAM users with AdministratorAccess in any account within an AWS Organization. Which control should they use?
A) IAM Permission Boundary
B) Cognito User Pool policy
C) Service Control Policy (SCP) on the Organization/OU
D) AWS Config rule
Answer
C: SCPs set guardrails at the Organization or OU level that even account admins cannot override. An SCP denying iam:AttachUserPolicy with the AdministratorAccess ARN would prevent this.
Q29. A developer uses SSM Parameter Store to store database credentials. The application team says they also need automatic credential rotation. What should the developer migrate to?
A) SSM Parameter Store Advanced tier with Parameter Policies
B) AWS Secrets Manager
C) KMS encrypted S3 file
D) Environment variables in Lambda
Answer
B: Secrets Manager has native automatic rotation for RDS, Redshift, DocumentDB, and custom Lambda rotators. SSM Parameter Store does not have built-in automatic rotation.
Q30. A Cognito User Pool uses an OAuth 2.0 Authorization Code flow. A mobile app receives an authorization code. What must the app do NEXT to get tokens?
A) Use the code as an Access Token directly
B) Exchange the code for tokens via the /oauth2/token endpoint with grant_type=authorization_code
C) Store the code in localStorage for future use
D) Call the Cognito JWKS endpoint
Answer
B: The authorization code must be exchanged for tokens via a POST to the /oauth2/token endpoint. Include: grant_type=authorization_code, code, redirect_uri, and optionally the PKCE code_verifier.
Q31. Which cookie flag prevents JavaScript from reading a session cookie, protecting against XSS-based session theft?
A) Secure
B) SameSite=Strict
C) HttpOnly
D) Encrypted
Answer
C: The HttpOnly flag prevents JavaScript (document.cookie) from accessing the cookie. Secure ensures HTTPS-only transmission. SameSite=Strict prevents CSRF. All three together provide comprehensive session cookie protection.
Q32. An application needs to sign API requests with HMAC-SHA256 to prevent tampering and replay attacks. How should old requests be rejected?
A) Check the signature algorithm version
B) Validate the request body hash
C) Reject requests where the timestamp header is older than 5 minutes
D) Use a nonce stored in DynamoDB
Answer
C: A timestamp window check (e.g., reject requests older than 5 minutes) prevents replay attacks. The timestamp is included in the signed payload, so it can't be modified without invalidating the signature.
Q33. A developer needs to store 100 application configuration values. Most are non-sensitive. What is the MOST cost-effective approach?
A) 100 Secrets Manager secrets
B) 100 SSM Parameter Store Standard parameters
C) One SSM Parameter Store parameter with JSON value
D) 100 Lambda environment variables
Answer
B: SSM Parameter Store Standard is free; there is no charge per parameter. Secrets Manager costs $0.40/secret/month = $40/month for 100 secrets. For non-sensitive config, SSM is the right choice. (C is also cost-effective but limits individual access patterns.)
Q34. An AWS Lambda Authorizer validates a JWT token for API Gateway. The Lambda returns an IAM policy. For frequently-called APIs, what should be configured to reduce Lambda invocations?
A) Increase Lambda memory
B) Use API Gateway caching for responses
C) Enable authorizer caching with a TTL on the Lambda Authorizer
D) Use Cognito instead
Answer
C: API Gateway's Lambda Authorizer result caching (TTL: 0-3600s) reuses the IAM policy for subsequent requests with the same token, reducing Lambda authorizer invocations dramatically.
Q35. Which of the following S3 bucket policies correctly enforces HTTPS-only access?
A) "Condition": { "Bool": { "aws:SecureTransport": "true" }, "Effect": "Allow" }
B) "Effect": "Deny", "Condition": { "Bool": { "aws:SecureTransport": "false" } }
C) "Action": "s3:GetObject", "Condition": { "StringEquals": { "s3:protocol": "https" } }
D) Enable default encryption
Answer
B: Deny requests where aws:SecureTransport = false (HTTP). This forces HTTPS. Option A is an Allow but doesn't deny HTTP. The correct pattern is an explicit Deny on non-secure transport.
Q36. A developer enables X-Ray Active Tracing on Lambda. DynamoDB calls don't appear as subsegments in traces. What is the most likely cause?
A) X-Ray daemon is not running
B) The sampling rate is too low
C) The AWS X-Ray SDK instrumentor for AWS SDK v2 is not on the classpath
D) IAM role lacks xray:PutTraceSegments
Answer
C: Auto-instrumentation of AWS SDK v2 calls requires aws-xray-recorder-sdk-aws-sdk-v2-instrumentor. Without it, DynamoDB/S3/SQS calls don't appear as subsegments even with Active Tracing enabled.
Q37. What is the MAXIMUM duration (in seconds) of a Cognito User Pool Access Token?
A) 300
B) 1,800
C) 3,600
D) 86,400
Answer
C: The maximum (and default) Access Token duration is 3,600 seconds (1 hour). It's configurable between 5 minutes and 1 day (86,400s), but the default and the value most commonly tested is 1 hour.
(Note: You can set it up to 86,400 but the default/common exam answer is 1 hour / 3,600s)
Q38. When should you use AssumeRoleWithWebIdentity over AssumeRole?
A) When assuming a role within the same AWS account
B) When a web identity token (Cognito, Google OIDC token) is used to authenticate
C) When MFA is required
D) When using SAML federation
Answer
B: AssumeRoleWithWebIdentity is used when the caller has an OIDC web identity token (from Cognito Identity Pools, Google, Facebook) and wants to exchange it for AWS temporary credentials. AssumeRoleWithSAML is for enterprise SAML.
Domain 3: Deployment (16 Questions)
Q39. A developer needs to test a SAM function locally with a simulated SQS event before deploying. Which command should they use?
A) sam build
B) sam deploy --dry-run
C) sam local invoke MyFunction -e events/sqs-event.json
D) sam test
Answer
C: sam local invoke <FunctionName> -e <event-file> invokes the function locally with a sample event file. Docker must be running for local invocation.
Q40. A CloudFormation stack update replaces an RDS instance (due to a parameter group change that requires replacement). The team wants to preview this impact before executing. What should they do?
A) Apply the update and watch the console
B) Create a Change Set and review the Replacement: True resources
C) Use --dry-run flag on aws cloudformation update-stack
D) Check CloudTrail for the previous deployment
Answer
B: A Change Set shows exactly what will change, including which resources will be Modified, Added, Removed, or Replaced (destroyed and recreated). Never execute production stack updates without reviewing a Change Set first.
Q41. An Elastic Beanstalk deployment must complete with zero downtime and support instant rollback without deploying again. Which policy?
A) Rolling
B) Rolling with Additional Batch
C) All at Once
D) Immutable
Answer
D: Immutable deploys to a fresh Auto Scaling Group. Rollback = terminate the new ASG (instant, no redeployment needed). It's the safest single-environment deployment strategy.
Q42. In a CodeDeploy Blue/Green deployment for Lambda, traffic is shifted 10% to the new version. CloudWatch alarms detect elevated error rates. What does CodeDeploy do automatically?
A) Shifts 100% traffic to the new version
B) Pauses traffic shifting
C) Rolls back to the previous version
D) Sends an SNS notification only
Answer
C: When CodeDeploy detects that configured CloudWatch alarm thresholds are breached during deployment, it automatically rolls back to the previous version, a key safety mechanism.
Q43. What is the REQUIRED Transform header value for an AWS SAM template to be valid?
A) Transform: AWS::SAM-2016-10-31
B) Transform: AWS::Serverless-2016-10-31
C) Transform: AWS::Serverless-Latest
D) Version: SAM-2016
Answer
B: The exact string is Transform: AWS::Serverless-2016-10-31. This tells CloudFormation to process the SAM-specific resource types before deployment. Common exam trap: the word is Serverless, not SAM.
Q44. A CodeBuild project needs to access an RDS instance in a private subnet. What configuration is required on the CodeBuild project?
A) Set RDS to publicly accessible
B) Use a NAT Gateway for CodeBuild
C) Configure VPC, Subnets, and Security Groups on the CodeBuild project
D) Add the CodeBuild service role to the RDS resource policy
Answer
C: Configuring VPC settings on CodeBuild runs the build environment inside your VPC, allowing access to private resources like RDS. A NAT Gateway is also needed if the build requires internet access (e.g., downloading Maven dependencies).
Q45. A CodePipeline has Source → Build → Deploy to Staging → Deploy to Production stages. The team wants to require approval before the Production stage. What should be added?
A) A CodeBuild test stage with human notifications
B) An SNS topic between stages
C) A Manual Approval action between the Staging and Production stages
D) A Lambda function that polls a Jira ticket
Answer
C: CodePipeline's Manual Approval action pauses execution and sends an SNS email to reviewers. The pipeline only continues after an authorized person approves via console or API.
Q46. A developer publishes Lambda version 5 and updates the prod alias to point to it. The team wants to roll back to version 4 immediately. What command achieves this?
A) aws lambda delete-function --function-name MyFunc:5
B) aws lambda update-alias --function-name MyFunc --name prod --function-version 4
C) Re-deploy version 4 code as version 5
D) Delete and recreate the prod alias
Answer
B: update-alias with --function-version 4 instantly redirects all traffic from the prod alias to version 4, effectively a zero-downtime rollback.
Q47. A CloudFormation stack is being deleted but the developer wants the S3 bucket to survive. What property should be set on the S3 bucket resource?
A) TerminationProtection: true
B) DeletionPolicy: Retain
C) RemovalPolicy: DESTROY
D) DependsOn: KeepBucket
Answer
B: DeletionPolicy: Retain keeps the resource when the stack is deleted. CloudFormation removes the resource from its management but leaves it running/existing in AWS.
Q48. Which intrinsic function in CloudFormation retrieves the ARN of a Lambda function defined in the same template?
A) !Ref MyLambdaFunction
B) !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${MyLambdaFunction}"
C) !GetAtt MyLambdaFunction.Arn
D) !ImportValue MyLambdaFunction
Answer
C: !GetAtt retrieves resource attributes. !Ref on Lambda returns the function name (not the ARN). Use !GetAtt <ResourceId>.Arn for the full ARN.
Q49. A team needs the same CloudFormation stack deployed in 5 AWS accounts across 2 regions. What is the most efficient approach?
A) Deploy manually to each account-region combination
B) Use CodePipeline with 10 deploy stages
C) CloudFormation StackSets with account and region targets
D) Terraform
Answer
C: StackSets deploy and manage stacks across multiple accounts and regions from a single admin account, designed exactly for this multi-account scenario.
Q50. A Beanstalk deployment strategy must maintain full capacity at all times (no reduced capacity) but is willing to pay for extra instances temporarily. Which strategy?
A) All at Once
B) Rolling
C) Rolling with Additional Batch
D) Immutable
Answer
C: Rolling with Additional Batch adds a new batch of instances first (keeping full capacity), then replaces old batches, then removes the extra. Full capacity throughout, slightly higher cost.
Q51. Which buildspec.yml section runs commands after the build phase, typically to push Docker images or copy artifacts?
A) install
B) pre_build
C) build
D) post_build
Answer
D: The post_build phase runs after build. It's the conventional place for pushing Docker images to ECR, generating deployment manifests, and copying artifacts to S3.
Q52. A CodeDeploy Blue/Green deployment for ECS must stop routing traffic to old (blue) tasks. After deploying successfully, how long are blue tasks retained by default?
A) 0 minutes (terminated immediately)
B) 5 minutes
C) 60 minutes (configurable)
D) 24 hours
Answer
C: By default, CodeDeploy retains blue tasks for 60 minutes after successful traffic switching; this is the rollback window. After the window, blue tasks are terminated. Configurable to 0-2,880 minutes.
Q53. What does sam local start-api do?
A) Deploys the SAM app to a test environment
B) Validates the SAM template
C) Starts a local HTTP server simulating API Gateway, invoking Lambda functions locally
D) Runs integration tests against deployed APIs
Answer
C: sam local start-api starts a local API Gateway simulator on port 3000 (default). HTTP requests trigger the Lambda handlers locally, enabling local end-to-end testing before deployment.
Q54. A CloudFormation cross-stack reference uses !ImportValue. The exporting stack tries to delete the exported output, but another stack imports it. What happens?
A) The export is deleted, the importing stack breaks
B) The deletion fails: you can't delete an export that is being imported
C) CloudFormation prompts for confirmation
D) CloudFormation updates the importing stack automatically
Answer
B: CloudFormation prevents deletion of a stack export that is referenced by another stack via !ImportValue. You must update the importing stack to remove the reference first.
Domain 4: Troubleshooting & Optimization (11 Questions)
Q55. A Lambda function processes 1,000 records from a Kinesis shard per second. The IteratorAge CloudWatch metric is steadily increasing. What does this indicate?
A) The function is processing records too quickly
B) The Kinesis shard needs to be split
C) The consumer is falling behind: processing is slower than the incoming data rate
D) The Lambda has too much memory
Answer
C: Rising IteratorAge means the consumer is processing older and older records; it's falling behind the production rate. Solutions: increase Lambda concurrency, optimize processing time, or add shards.
Q56. An API Gateway endpoint intermittently returns 504 Gateway Timeout. The backend Lambda succeeds in CloudWatch logs. What is the most likely cause?
A) Lambda is throwing unhandled exceptions
B) API Gateway integration timeout (default 29 seconds) is exceeded
C) Lambda concurrency is at the reserved limit
D) The API Gateway stage cache is returning stale 504s
Answer
B: API Gateway has a 29-second maximum integration timeout; even if Lambda eventually succeeds, API Gateway has already given up. The fix: optimize Lambda to complete within 29 seconds, or use asynchronous patterns.
Q57. A Lambda function is receiving TooManyRequestsException from DynamoDB. The table has sufficient provisioned capacity. What is the most likely cause?
A) DynamoDB table is encrypted with KMS
B) Lambda is in a VPC without a VPC endpoint
C) Hot partition β all requests target the same partition key
D) Lambda memory is too low
Answer
C: ProvisionedThroughputExceededException (often wrapped as TooManyRequests) despite sufficient total capacity typically indicates a hot partition. Even with 1,000 WCUs total, a single partition is limited to ~3,000 WCUs. Review partition key design.
Q58. A developer needs to find all X-Ray traces where a specific user (userId = "U123") experienced latency > 2 seconds. What should they have instrumented?
A) X-Ray Metadata with key userId
B) X-Ray Annotations with key userId, then use filter expressions in the X-Ray console
C) CloudWatch Log Insights query
D) DynamoDB query on X-Ray data
Answer
B: X-Ray Annotations are indexed and searchable. Use the X-Ray console filter: annotation.userId = "U123" AND responsetime > 2. Metadata is stored but not searchable.
Q59. A CloudWatch Alarm shows INSUFFICIENT_DATA state. What does this mean?
A) The metric has exceeded the threshold
B) The metric is within the threshold
C) Not enough data points have been collected yet to evaluate the threshold
D) The metric source (Lambda/EC2) has been deleted
Answer
C: INSUFFICIENT_DATA means the alarm hasn't received enough data points to determine if it's OK or ALARM. Common on newly created alarms or metrics that rarely report data.
Q60. An SQS message has been received and is being processed. The processing takes 40 seconds, but the visibility timeout is 30 seconds. What is the correct fix?
A) Increase the SQS message retention period
B) Use FIFO queue instead of Standard
C) Increase the visibility timeout to exceed the maximum processing time
D) Reduce batch size to 1
Answer
C: The visibility timeout must be greater than the maximum processing time (including retries). If it expires before processing completes, the message becomes visible again and may be processed twice. Set it to max_processing_time * 1.5 as a safe buffer.
Q61. A developer wants to know which IAM principal deleted an S3 bucket in production yesterday. Which service provides this information?
A) CloudWatch Metrics
B) S3 Access Logs
C) AWS CloudTrail
D) VPC Flow Logs
Answer
C: CloudTrail records all DeleteBucket API calls with the caller's IAM identity (user, role, or service), source IP, timestamp, and request parameters. CloudWatch tracks performance; S3 access logs track object operations; VPC Flow Logs track network traffic.
Q62. A CodeBuild project fails with Unable to locate credentials. The project has a service role attached. What is the most likely cause?
A) AWS SDK is not installed
B) The service role lacks CodeBuild permissions
C) The service role does not have the required IAM permissions for the AWS service being called in the buildspec
D) The AWS region is incorrect
Answer
C: The CodeBuild service role IS how the build authenticates, so Unable to locate credentials in this context means the buildspec is calling an AWS service (e.g., aws ecr get-login-password) and the service role lacks that specific permission.
Q63. After deploying a Lambda function update, some users get responses from the new code and some from the old code. What is the cause?
A) Lambda has a bug
B) API Gateway caching old responses
C) Lambda is using provisioned concurrency β some pre-warmed environments still have old code
D) CloudFront is caching Lambda responses
Answer
C: When Provisioned Concurrency is enabled, pre-initialized environments may still run the old code until the provisioned concurrency is updated to the new published version. Always update the provisioned concurrency configuration after publishing a new version.
Q64. A DynamoDB scan on a 1 million item table takes over 30 seconds and consumes all read capacity. What architectural change would MOST reduce this?
A) Increase provisioned capacity
B) Use parallel scan with multiple segments
C) Add a GSI to support a targeted Query instead of a Scan
D) Enable DynamoDB Auto Scaling
Answer
C: The root cause is using Scan where a Query should be used. A GSI with the appropriate partition key allows targeted Query operations that read only relevant items, dramatically more efficient and cheaper than scanning all items.
Q65. A Lambda function behind API Gateway throws unhandled exceptions. What HTTP status code does API Gateway return to the client?
A) 400 Bad Request
B) 404 Not Found
C) 502 Bad Gateway
D) 503 Service Unavailable
Answer
C: An unhandled Lambda exception (or a malformed response) causes API Gateway to return 502 Bad Gateway. This is distinct from:
- 500: API Gateway internal error
- 503: API Gateway service unavailable
- 504: Integration timeout (Lambda exceeded 29s)
📊 Score Tracker
| Domain | Questions | Your Correct |
|---|---|---|
| Domain 1: Development | Q1-Q21 (21 Qs) | /21 |
| Domain 2: Security | Q22-Q38 (17 Qs) | /17 |
| Domain 3: Deployment | Q39-Q54 (16 Qs) | /16 |
| Domain 4: Troubleshooting | Q55-Q65 (11 Qs) | /11 |
| Total | 65 Questions | /65 |
Score Guide:
- 🔴 < 45/65 (< 70%): Need more study
- 🟡 45-51/65 (70-78%): Almost there
- 🟢 52+/65 (80%+): Ready to book the exam
For every wrong answer:
- Re-read the explanation
- Go to the relevant topic page in this guide
- Understand the why, not just the answer
- Revisit in 2 days to confirm retention
- Do this exam again in 1 week without looking at answers first
- Try TutorialsDojo mock exams for more variety
- Book exam when consistently scoring 80%+ across 3 different mock exams