Courses Tools Exam Guides Pricing For Teams
Sign Up Free
AWS 7 min read · 1,348 words

AWS Certified Developer Associate - Most Secure Option Trap

Expert guide: candidate falls for most-secure-sounds-right trap. Practical recovery advice for AWS Certified Developer Associate candidates.

Why You’re Choosing the “Most Secure” Option and Failing AWS Certified Developer Associate Questions

You’ve studied the security best practices. You know IAM least privilege is correct. You understand encryption at rest matters. So when you see an answer that mentions additional security controls, you pick it—and you fail the question. The AWS Certified Developer Associate (DVA-C02) exam isn’t testing whether you can memorize security features; it’s testing whether you can balance security with the practical constraints developers actually face.

Direct Answer

The AWS Certified Developer Associate exam deliberately includes questions where the most secure-sounding answer is incorrect because it violates the exam’s core principle: developers must ship code. The exam tests your ability to recognize when security measures are excessive for the stated requirements, introduce unnecessary latency or cost, or solve problems that don’t exist in the given scenario. On DVA-C02, the correct answer often implements “sufficient” security—not maximum security—while remaining architecturally practical and cost-effective for the business context.

Why This Happens to AWS Certified Developer Associate Candidates

You’re falling into a pattern that affects roughly 40% of candidates in their first attempt. You’ve absorbed AWS security documentation so thoroughly that you’ve internalized a bias: more security controls = better architecture. But the DVA-C02 exam is written by practitioners who know that this mindset blocks developers in real jobs.

Consider how this plays out across exam topics:

IAM scenarios present situations where you could add a custom policy with five conditions, or use a managed policy. The managed policy is “less secure” in theory, but it’s the correct answer because it solves the stated problem without overengineering.

Lambda and DynamoDB questions ask you to choose between asynchronous processing with SQS or SNS, or synchronous direct invocation. The async approach sounds more robust and secure (decoupled, with retry logic), but if the requirement explicitly asks for real-time response, synchronous is correct—and cheaper.

API Gateway scenarios include options to enable VPC endpoints, add WAF rules, implement request signing, and apply throttling. Adding all of them might be theoretically ideal, but the exam asks: which controls does this specific use case actually require?

S3 questions trap you with encryption options. You know SSE-S3 exists, SSE-KMS exists, and client-side encryption exists. But if the scenario states the data isn’t sensitive and compliance requirements aren’t mentioned, basic encryption might be sufficient—and it’s faster and cheaper.

VPC and EC2 scenarios present the option of isolating everything in private subnets with NAT gateways, bastion hosts, and security groups with /32 CIDR blocks. Sometimes the correct answer is a public subnet with a security group allowing port 443 from anywhere, because that’s what the application actually needs.

The Root Cause: Not Recognizing Security-vs-Practicality Tradeoffs the Exam Tests

Here’s what’s actually happening in your mind:

You read a question about storing API keys for an external service that your Lambda function calls. Four options appear:

  1. Store in Systems Manager Parameter Store with no encryption
  2. Store in Secrets Manager with automatic rotation
  3. Store in environment variables in the Lambda deployment package
  4. Store in a DynamoDB table with client-side encryption

Your brain immediately rejects option 1 (no encryption sounds irresponsible) and option 3 (storing secrets in code is a red flag). You’re left with options 2 and 4, and you pick Secrets Manager because it sounds more sophisticated and offers rotation—the most secure option.

But the exam is testing whether you recognize that the correct answer depends on context you haven’t fully processed. If the question specified that rotation is a compliance requirement, option 2 is correct. If it didn’t, option 1 might be sufficient because the parameter is still encrypted (Parameter Store uses AWS KMS by default) and rotation isn’t needed for third-party API keys that don’t change.

The root cause is this: you’re optimizing for security in isolation, not for the problem statement. The DVA-C02 exam tests developers, not security architects. Developers ship features. Security is one constraint among many—cost, latency, complexity, and time-to-market are equally important.

You’re also not recognizing the specific security tradeoff the exam is measuring: the difference between baseline security (which AWS provides by default) and enhanced security (which adds cost or complexity). The exam assumes candidates understand that most AWS services provide reasonable default security, and adding more controls is a choice based on threat model and compliance requirements—not a default best practice.

How the AWS Certified Developer Associate Exam Actually Tests This

AWS test writers include “security theater” answers specifically to identify candidates who haven’t thought critically about when to apply controls. They’re measuring whether you can:

  1. Read requirements carefully instead of defaulting to the most comprehensive option
  2. Recognize when theoretical security exceeds practical risk for the stated scenario
  3. Understand the tradeoff between security and performance/cost that developers actually make
  4. Know AWS service defaults so you don’t over-engineer

The exam presents scenarios with deliberately incomplete threat models. Your job is to implement security that matches the threat model described, not the threat model you imagine.

A Lambda function needs to read a DynamoDB table. That’s the entire requirement. You see four answers:

  • A) Create an IAM role with dynamodb:GetItem permission for the specific table
  • B) Create an IAM role with dynamodb:* permission for all resources, then use resource-level restrictions on the Lambda execution
  • C) Create an IAM role with dynamodb:GetItem, dynamodb:PutItem, dynamodb:UpdateItem, and dynamodb:DeleteItem permissions to handle future changes
  • D) Encrypt the DynamoDB table with a customer-managed KMS key and grant the Lambda role explicit permissions to use that key

Most candidates choose D because it’s the most comprehensive security posture. But the correct answer is A. Option D adds encryption overhead and KMS latency for a requirement that doesn’t mention sensitive data or compliance. Option C over-scopes permissions in case of future requirements that may never come (the principle of least privilege is about present requirements, not speculative future ones). Option B is backwards.

Example scenario:

Your team has deployed an API using API Gateway and Lambda. The API retrieves publicly available product information from a DynamoDB table and returns it to clients. You need to protect the API from abuse. Which approach best balances security with the stated requirements?

A) Enable WAF on the API Gateway to block known attack patterns; implement VPC endpoints for Lambda; add request signing with AWS Signature Version 4; encrypt all DynamoDB items with customer-managed KMS keys

B) Enable API Gateway throttling and API keys; use IAM roles with least-privilege access to DynamoDB; enable CloudTrail logging for audit purposes

C) Enable API Gateway throttling; restrict traffic using security groups; encrypt data in transit with TLS (default with API Gateway)

D) Implement OAuth 2.0 authentication; add VPC endpoints; use Secrets Manager for API key storage; enable DynamoDB point-in-time recovery

The answer is B. Here’s why each distractor fails:

A solves multiple problems at once—some that don’t exist. WAF is useful for applications serving user-facing web content vulnerable to XSS or SQL injection. This API returns product data (presumably already validated in DynamoDB). VPC endpoints cost money and add operational complexity for an API that has no requirement for private connectivity. Customer-managed KMS keys add latency for non-sensitive, public data.

C is incomplete. API keys are not a security control; they’re an identification and rate-limiting tool. Restricting with security groups only makes sense if there’s a requirement for restricted source IPs.

D adds authentication (OAuth 2.0) when no access control requirement was stated—public API endpoints don’t need OAuth. Point-in-time recovery is a business continuity feature, not a security control for this scenario.

B is correct because it addresses the stated problem (abuse protection) with proportionate controls: throttling stops distributed attacks, least-privilege IAM roles prevent the Lambda from doing anything beyond its scope, and CloudTrail provides audit history if something does go wrong. No unnecessary encryption, no over-engineered VPC topology, no imagined threats.

How to Fix This Before Your Next Attempt

1. Create a “Security Tradeoff” decision matrix for each exam topic

For Lambda, DynamoDB, API Gateway, S3, IAM, and the others, write down:

  • What security controls

Ready to pass?

Start AWS Practice Exam on Certsqill →

1,000+ exam-accurate questions, AI Tutor explanations, and a performance dashboard that shows exactly which domains to fix.

Practice AWS for Free Browse all guides
All exam guides