DVA-C02 Domain 2: Security (26%) - Complete Study Guide 2026

TL;DR
  • Domain 2: Security is worth 26% of the DVA-C02 exam - second only to Development with AWS Services.
  • IAM roles, policies, and temporary credentials dominate this domain's question pool.
  • You must know when to use Secrets Manager vs. Parameter Store vs. KMS on sight.
  • The exam has 65 questions (50 scored) in 130 minutes, so security questions need fast, confident recall.

Why Security Carries 26% of Your Score

Domain 2: Security is the second-largest of the four domains on the DVA-C02 exam, trailing only Development with AWS Services (32%) and outweighing both Deployment (24%) and Troubleshooting and Optimization (18%). That weighting is not accidental. AWS wants certified developers who can write code that authenticates correctly, encrypts data by default, and never leaks credentials - not just developers who can wire up a Lambda function.

If you're mapping out your overall prep, this domain deserves a dedicated study block rather than being folded into general "AWS knowledge" review. For the bigger picture of how all four domains fit together, see the DVA-C02 Exam Domains 2026: Complete Guide to All 4 Content Areas, and if you haven't built a full prep plan yet, start with the DVA-C02 Study Guide 2026: How to Pass on Your First Attempt.

Scoring Context: The DVA-C02 exam uses compensatory scoring on a 100-1000 scale, with 720 required to pass. There's no minimum per-domain score published, but because Security accounts for roughly a quarter of scored items, weak performance here is hard to offset elsewhere.

What's Actually Tested in Domain 2

AWS groups Security topics into a few recurring themes across the exam guide. Expect scenario-based questions that ask you to pick the most secure, least-privilege, or most operationally sound approach - not just define a service.

Authentication and Authorization

Candidates must understand how applications and services prove identity and what they're allowed to do once authenticated.

  • IAM users, groups, roles, and policies (identity-based vs. resource-based)
  • Temporary security credentials via AWS STS (AssumeRole, federation)
  • Amazon Cognito user pools vs. identity pools for application-layer auth
  • Cross-account access patterns for multi-account architectures

Encryption and Key Management

You need to know both encryption in transit and at rest, and which AWS service handles which layer.

  • AWS KMS: customer managed keys vs. AWS managed keys, key policies, envelope encryption
  • Encrypting data in S3, DynamoDB, RDS, and EBS using KMS
  • TLS/SSL for data in transit, including API Gateway and ALB configurations

Secrets and Sensitive Data Handling

A recurring exam scenario: an application needs a database password or API key without hardcoding it.

  • AWS Secrets Manager for automated credential rotation
  • Systems Manager Parameter Store (standard vs. advanced parameters) for configuration and lighter-weight secrets
  • Choosing between the two based on rotation needs, cost, and integration

Application Security Best Practices

This ties directly to writing and deploying secure code, not just configuring IAM.

  • Least-privilege IAM policy design for Lambda execution roles
  • Securing API Gateway endpoints with IAM auth, Cognito authorizers, or Lambda authorizers
  • Input validation and protecting against injection in serverless functions
  • Vulnerability and dependency scanning as part of CI/CD

IAM: The Core of Every Security Question

If there's one service you cannot afford to be shaky on, it's IAM. A large share of Domain 2 questions present a policy JSON snippet, a resource ARN, or a permission error and ask you to identify the fix or the correct configuration. You should be able to:

  • Read and mentally evaluate an IAM policy statement (Effect, Action, Resource, Condition)
  • Distinguish explicit deny, implicit deny, and allow evaluation logic
  • Know when to attach a policy to a role vs. a resource-based policy (e.g., S3 bucket policy, Lambda resource policy)
  • Understand permission boundaries and service control policies at a conceptual level

Because Lambda, API Gateway, and DynamoDB also appear heavily in Domain 1, IAM questions often blend the two domains - for example, "which execution role permissions does this Lambda function need to write to this DynamoDB table?" That overlap is exactly why understanding Domain 1: Development with AWS Services alongside Security pays off on both fronts.
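The evaluation order above (explicit deny beats allow, allow beats the implicit deny, a permissions boundary caps but never grants) is easier to internalize by running it. The following is an added example written for this guide, not AWS's evaluator and not from any AWS SDK: it models only Effect, Action, Resource and the StringEquals/Bool condition operators, and the account ID, table and log group ARNs in the sample policies are constructed placeholders. The sample execution role policy is the kind of least-privilege "Lambda writes to one DynamoDB table" policy the blended Domain 1/Domain 2 question asks for, and overly_broad() is the 20-second wildcard check the key takeaway describes.

```python
"""
Mini IAM policy evaluator: explicit deny > allow > implicit deny, with a
permissions boundary as a cap. Added example, not AWS's evaluator; it models
only Effect, Action, Resource and the StringEquals/Bool condition operators.
"""
import fnmatch

def _as_list(v):
    """IAM lets most fields be a string or a list of strings."""
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):
    """IAM wildcard match: * is any run of characters, ? is one character."""
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(cond, ctx):
    """All keys in a Condition block must match (AND). Only two operators are modelled."""
    for operator, pairs in cond.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:                 # missing context key: condition is false (no IfExists here)
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
    return True

def _applies(stmt, action, resource, ctx):
    """Does this statement match the request? Action names are case-insensitive, ARNs are not."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(_glob(p, action.lower()) for p in actions)
            and any(_glob(p, resource) for p in resources)
            and _condition_ok(stmt.get("Condition", {}), ctx))

def evaluate(action, resource, identity_policies, boundary=None, ctx=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    ctx = ctx or {}
    verdict = "implicit_deny"                  # default when nothing matches
    for policy in identity_policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"     # an explicit deny always wins
                verdict = "allow"
    if verdict == "allow" and boundary is not None:
        # A permissions boundary never grants anything; it only caps what the
        # identity policies may grant, so the action must be allowed there too.
        capped = evaluate(action, resource, [boundary], None, ctx)
        if capped != "allow":
            return capped
    return verdict

def overly_broad(policy):
    """Flag Allow statements pairing a service-wide or global action wildcard with Resource "*"."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        wide = any(a == "*" or a.endswith(":*") for a in actions)
        if stmt["Effect"] == "Allow" and wide and "*" in _as_list(stmt.get("Resource", [])):
            flagged.append(stmt)
    return flagged

# Constructed sample ARNs (account ID and names are placeholders).
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"
LOG_GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/order-writer:*"

# Least-privilege execution role for a function that only writes to the Orders table.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"], "Resource": TABLE},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": LOG_GROUP},
        {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# The kind of statement the exam wants you to reject on sight.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

# Boundary permitting DynamoDB and logs only; anything else is capped even if a policy allows it.
BOUNDARY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["dynamodb:*", "logs:*"], "Resource": "*"}]}

if __name__ == "__main__":
    tls = {"aws:SecureTransport": "true"}
    print(evaluate("dynamodb:PutItem", TABLE, [EXECUTION_ROLE_POLICY], BOUNDARY, tls))     # allow
    print(evaluate("dynamodb:DeleteItem", TABLE, [EXECUTION_ROLE_POLICY], BOUNDARY, tls))  # implicit_deny
    print(overly_broad(BROAD_POLICY))
```

Swap the sample policies for a policy from a practice question and call evaluate() with the action and ARN the scenario names; if the answer is "implicit_deny", the missing permission is what the question is after, and if it is "explicit_deny" the fix is in a Deny statement or a condition, not in adding an Allow.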

Key Takeaway

Practice reading raw IAM policy JSON until you can spot a missing permission or an overly broad wildcard in under 20 seconds - this skill alone resolves a meaningful chunk of Domain 2 questions.

Secrets Management and Encryption

A classic DVA-C02 scenario places you in front of a database credential problem: an application needs to connect to RDS without hardcoding a password in source code or environment variables. The exam expects you to know Secrets Manager can automatically rotate that credential on a schedule and integrate with RDS natively, while Parameter Store is a better fit for configuration values or secrets that don't need automatic rotation and where cost matters more.

On encryption, expect questions that test whether you understand how KMS key policies relate to IAM policies. The key policy is the primary authority for a KMS key: an IAM policy can grant access to that key only if the key policy delegates to IAM (the default key policy does this with its statement allowing the account's root principal), so an IAM policy alone never grants KMS access, and a key policy that does not delegate ignores IAM policies entirely. Expect envelope encryption too: services like S3 and DynamoDB encrypt each object locally with a data key, then send only that small data key to KMS to be wrapped and unwrapped under the KMS key, so the bulk data never crosses the KMS API and only the encrypted data key is stored alongside the ciphertext.
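The envelope pattern in code, as an added example for this guide rather than AWS's or any SDK's code: FakeKMS stands in for boto3.client("kms") and mirrors the two calls envelope encryption actually needs, generate_data_key() and decrypt(), including the response keys (Plaintext, CiphertextBlob, KeyId) and the encryption-context binding that real KMS enforces. So that it runs offline with the standard library only, a SHA-256 counter keystream plus HMAC stands in for AES-GCM on both the wrapped key and the payload; the key ARN, bucket name and order payload are constructed. In production, keep the two functions but use boto3 for the KMS calls and AES-GCM (for example from the cryptography package) for the payload.

```python
"""
Envelope encryption in the shape of the boto3 KMS API. Added example, not
AWS's or any SDK's code: FakeKMS stands in for boto3.client("kms"), and a
hash-based keystream + HMAC stands in for AES-GCM so the file runs offline
with the standard library only.
"""
import hashlib
import hmac
import json
import os

def _keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256 counter-mode keystream XORed into data (stand-in for AES-GCM)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def _ctx_bytes(context):
    """Canonical encoding of an encryption context (KMS treats it as sorted key/value pairs)."""
    return json.dumps(context or {}, sort_keys=True).encode()

class FakeKMS:
    """In-memory stand-in for the two KMS calls envelope encryption needs."""
    def __init__(self):
        # Constructed key ARN; the master key material never leaves "KMS".
        self.keys = {"arn:aws:kms:us-east-1:111122223333:key/1234abcd-example": os.urandom(32)}

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        master = self.keys[KeyId]
        plaintext_key = os.urandom(32)          # fresh 256-bit data key for this one object
        nonce = os.urandom(16)
        wrapped = _keystream_xor(master, nonce, plaintext_key)
        # The context is bound into the blob: decrypt must present the same pairs.
        tag = hmac.new(master, nonce + wrapped + _ctx_bytes(EncryptionContext), "sha256").digest()
        blob = KeyId.encode() + b"\x00" + nonce + wrapped + tag
        return {"Plaintext": plaintext_key, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        key_id, _, rest = CiphertextBlob.partition(b"\x00")
        master = self.keys[key_id.decode()]
        nonce, wrapped, tag = rest[:16], rest[16:48], rest[48:]
        expected = hmac.new(master, nonce + wrapped + _ctx_bytes(EncryptionContext), "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("InvalidCiphertextException: blob tampered or encryption context mismatch")
        return {"Plaintext": _keystream_xor(master, nonce, wrapped), "KeyId": key_id.decode()}

def encrypt_object(kms, key_id, plaintext, context):
    """One KMS call per object; the data key encrypts the payload locally."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    nonce = os.urandom(16)
    body = _keystream_xor(dk["Plaintext"], nonce, plaintext)
    tag = hmac.new(dk["Plaintext"], nonce + body, "sha256").digest()
    # The plaintext data key is dropped here; only its wrapped form travels with the object.
    return {"encrypted_data_key": dk["CiphertextBlob"], "nonce": nonce, "ciphertext": body, "tag": tag}

def decrypt_object(kms, envelope, context):
    """KMS unwraps only the 32-byte data key; the payload, however large, never goes to KMS."""
    unwrapped = kms.decrypt(CiphertextBlob=envelope["encrypted_data_key"], EncryptionContext=context)
    data_key = unwrapped["Plaintext"]
    expected = hmac.new(data_key, envelope["nonce"] + envelope["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(envelope["tag"], expected):
        raise ValueError("payload integrity check failed")
    return _keystream_xor(data_key, envelope["nonce"], envelope["ciphertext"])

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-example"   # constructed
SAMPLE_CONTEXT = {"bucket": "orders-prod", "key": "42.json"}             # constructed

def roundtrip(plaintext=b"order #42: 3 x widget", context=SAMPLE_CONTEXT):
    """Encrypt then decrypt with the same context; returns the recovered plaintext."""
    kms = FakeKMS()
    return decrypt_object(kms, encrypt_object(kms, KEY_ARN, plaintext, context), context)

def wrong_context_rejected():
    """A data key wrapped under one context cannot be unwrapped under another."""
    kms = FakeKMS()
    envelope = encrypt_object(kms, KEY_ARN, b"secret", SAMPLE_CONTEXT)
    try:
        decrypt_object(kms, envelope, {"bucket": "other-bucket"})
    except ValueError:
        return True
    return False
```

The encryption context is the part most candidates skip: it is not secret (it is logged in plaintext in CloudTrail), but because KMS refuses to unwrap a data key unless the same pairs are presented, tying it to the object's bucket and key stops a wrapped key lifted from one object being used to decrypt another.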

Use Case | Best Fit | Why
Rotating database credentials automatically | Secrets Manager | Built-in rotation via a Lambda function for RDS, Redshift, and DocumentDB
Storing non-sensitive app configuration | Parameter Store (Standard tier) | No charge for standard parameters, simple key-value storage, no rotation needed
Encrypting data at rest in S3/DynamoDB | AWS KMS | Centralized key management with an audit trail in CloudTrail
Securing API Gateway endpoints | Cognito or Lambda authorizer | Token-based auth for end users without managing IAM users for them

Application-Level Security Patterns

Domain 2 doesn't stop at infrastructure permissions - it also probes whether you can secure the application itself. Expect coverage of:

  • API Gateway authorization options: IAM authorization, Amazon Cognito user pool authorizers, and custom Lambda authorizers, plus when each is appropriate.
  • Securing environment variables: Lambda encrypts environment variables at rest with a KMS key (an AWS managed key by default, or a customer managed key you choose), but anyone who can read the function configuration still sees the values in plaintext. For sensitive values, either use the console's encryption helpers to encrypt the value client-side and call KMS Decrypt inside the function, or skip environment variables and fetch the secret at runtime from Secrets Manager or Parameter Store.
  • CI/CD security: scanning dependencies and container images before deployment, and using least-privilege deployment roles in CodePipeline/CodeBuild.
  • Data protection in transit: enforcing HTTPS-only access and understanding certificate management via AWS Certificate Manager.
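The custom Lambda authorizer option from the API Gateway bullet above, as an added example written for this guide rather than AWS sample code. Assumptions, all constructed for the demo: tokens are HMAC-signed "user:role:expiry" strings under a shared SECRET, which stands in for validating a Cognito or other OIDC JWT against the issuer's JWKS; the ROUTE_ROLES table and the method ARN are invented. What is real is the TOKEN authorizer event shape (authorizationToken, methodArn), the response shape (principalId, policyDocument, context), and the caching caveat the comments describe.

```python
"""
API Gateway Lambda (TOKEN) authorizer. Added example, not AWS sample code.
Tokens here are HMAC-signed "user:role:expiry" strings under a shared secret,
a stand-in for JWT validation against a JWKS; ROUTE_ROLES is invented.
"""
import hashlib
import hmac
import time

SECRET = b"demo-secret-do-not-use"   # stand-in; a real deployment fetches this from Secrets Manager

# Which roles may call which METHOD/path (constructed sample).
ROUTE_ROLES = {
    "GET/orders": {"reader", "admin"},
    "POST/orders": {"admin"},
}

def mint_token(user, role, ttl=300, now=None):
    """Issue a signed token; only here so the example is self-contained."""
    exp = int((now or time.time()) + ttl)
    payload = f"{user}:{role}:{exp}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """Return (user, role) for a valid, unexpired token, else None."""
    try:
        payload, sig = token.rsplit(".", 1)
        user, role, exp = payload.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare before anything else
        return None
    if int(exp) < (now or time.time()):
        return None
    return user, role

def _split_method_arn(method_arn):
    """arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH -> (api prefix, stage)"""
    api_prefix, stage_and_path = method_arn.split("/", 1)
    return api_prefix, stage_and_path.split("/")[0]

def _deny(method_arn):
    """Explicit Deny: API Gateway returns 403 and may cache it. Raising Exception('Unauthorized') gives 401."""
    return {"principalId": "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn}]}}

def handler(event, lambda_context=None, now=None):
    """Lambda entry point for a TOKEN authorizer."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    method_arn = event["methodArn"]
    claims = verify_token(token, now)
    if claims is None:
        return _deny(method_arn)
    user, role = claims
    api_prefix, stage = _split_method_arn(method_arn)
    # Caching caveat: API Gateway caches this document per token for authorizerResultTtlInSeconds
    # and reuses it for every route the caller hits next. Allowing only method_arn would make the
    # cached result 403 the caller's other routes, so allow every route this role may use.
    allowed = [f"{api_prefix}/{stage}/{route}" for route, roles in ROUTE_ROLES.items() if role in roles]
    if not allowed:
        return _deny(method_arn)
    return {
        "principalId": user,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}]},
        "context": {"role": role},   # reaches the integration as $context.authorizer.role
    }
```

Two behaviours worth noticing when you test it: a tampered or expired token yields an explicit Deny rather than an exception, and the Allow covers the stage-wide set of routes for the role rather than the single methodArn that triggered the call, which is the fix for the "works once, then 403 on the next route" symptom that shows up when authorizer caching is enabled.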

Because deployment pipelines and security intersect so often on this exam, it's worth reviewing the Domain 3: Deployment guide in parallel - many CI/CD security questions could technically be classified under either domain.

How Security Questions Are Actually Worded

The DVA-C02 exam uses multiple choice and multiple response formats across 65 total questions (50 scored, 15 unscored pretest items you can't identify), all within 130 minutes. Security questions tend to follow a predictable pattern: a short scenario describing a developer task, followed by four or five answer options that all sound technically plausible. The correct answer is usually the one that satisfies least privilege or uses managed AWS security tooling instead of custom-built logic.

A typical phrasing looks like: "A developer needs to grant a Lambda function temporary access to an S3 bucket in another AWS account. Which approach requires the least ongoing maintenance?" You're not just tested on whether cross-account access is possible - you're tested on the most maintainable, AWS-recommended way to do it. That is either a role in the bucket's account whose trust policy names the function's execution role, assumed via STS AssumeRole, or a bucket policy in that account that grants the execution role directly; both hand out short-lived credentials and neither creates access keys that someone has to store and rotate, which is exactly what the wrong answers do.

Format Reminder: Unanswered questions are scored as incorrect, and there's no separate penalty for wrong guesses - so always select an answer, even an educated one, on every Security question you're unsure about.

Scheduling Domain 2 Into Your Prep

Because Security overlaps heavily with Development with AWS Services, it makes sense to study them close together rather than in isolation. Here's a sample allocation if you're building a multi-week plan:

Week 2: IAM Foundations

  • Practice writing and evaluating IAM policies from scratch
  • Build hands-on labs assuming roles across two AWS accounts

Week 3: Secrets, KMS, and Cognito

  • Configure Secrets Manager rotation for an RDS instance
  • Compare Parameter Store tiers and set up a Cognito user pool authorizer on API Gateway

Week 4: Mixed Domain 1 + Domain 2 Drills

  • Practice scenario questions combining Lambda execution roles with DynamoDB/S3 permissions
  • Review CI/CD pipeline security alongside Domain 3 deployment topics

If you want a broader sense of how difficult candidates find this material relative to other AWS associate exams, How Hard Is the DVA-C02 Exam? Complete Difficulty Guide 2026 breaks down where most people struggle, and DVA-C02 Pass Rate 2026: What the Data Shows covers what's publicly known about outcomes.

Common Mistakes on Security Questions

  • Confusing identity-based and resource-based policies. Know that S3 bucket policies and Lambda resource policies grant access from the resource side, while IAM policies grant access from the identity side.
  • Picking answer choices that grant root or admin-level permissions. If an option grants broader access than the scenario requires, it's almost never correct on DVA-C02.
  • Mixing up Secrets Manager and Parameter Store use cases. Rotation capability is usually the deciding factor in the question.
  • Forgetting that the KMS key policy, not the IAM policy, is the primary authority for a key. An IAM policy grants access to a KMS key only when the key policy delegates to IAM; if the key policy does not, an IAM Allow by itself does nothing.
  • Skipping practice with actual policy JSON. Reading about IAM is not the same as parsing a real policy document under time pressure.

Running through timed practice questions on our DVA-C02 practice test platform is one of the fastest ways to expose these gaps before exam day, since it forces you to apply IAM and encryption concepts under the same 130-minute pressure you'll face at Pearson VUE or in an online proctored session.

Frequently Asked Questions

How many questions on the DVA-C02 exam come from the Security domain?

AWS doesn't publish an exact question count per domain, but Security is weighted at 26% of the exam, making it the second-largest of the four domains behind Development with AWS Services at 32%.

Do I need deep security engineering experience to pass Domain 2?

No. Domain 2 focuses on developer-relevant security: IAM, secrets management, encryption, and securing application endpoints. It does not require the depth expected on the AWS Certified Security - Specialty exam.

Which AWS services should I prioritize for the Security domain?

Focus on IAM (roles, policies, STS), AWS KMS, Secrets Manager, Systems Manager Parameter Store, and Amazon Cognito, since these appear most frequently in Domain 2 scenarios.

Is Domain 2 harder than Domain 1?

Difficulty is subjective, but many candidates find Security questions harder because they require precise policy-reading skills rather than general service knowledge. Pairing study of both domains together tends to help, since they frequently overlap in scenario questions.

What happens if I run out of time on security-heavy questions?

Unanswered questions count as incorrect with no separate guessing penalty, so it's always better to select your best guess than leave a question blank within the 130-minute limit.

Ready to pass your DVA-C02 exam?

Put this into practice with free DVA-C02 questions across every exam domain.