- Why Security Carries 26% of Your Score
- What's Actually Tested in Domain 2
- IAM: The Core of Every Security Question
- Secrets Management and Encryption
- Application-Level Security Patterns
- How Security Questions Are Actually Worded
- Scheduling Domain 2 Into Your Prep
- Common Mistakes on Security Questions
- FAQ
- Domain 2: Security is worth 26% of the DVA-C02 exam - second only to Development with AWS Services.
- IAM roles, policies, and temporary credentials dominate this domain's question pool.
- You must know when to use Secrets Manager vs. Parameter Store vs. KMS on sight.
- The exam has 65 questions (50 scored) in 130 minutes, so security questions need fast, confident recall.
Why Security Carries 26% of Your Score
Domain 2: Security is the second-largest of the four domains on the DVA-C02 exam, trailing only Development with AWS Services (32%) and outweighing both Deployment (24%) and Troubleshooting and Optimization (18%). That weighting is not accidental. AWS wants certified developers who can write code that authenticates correctly, encrypts data by default, and never leaks credentials - not just developers who can wire up a Lambda function.
If you're mapping out your overall prep, this domain deserves a dedicated study block rather than being folded into general "AWS knowledge" review. For the bigger picture of how all four domains fit together, see the DVA-C02 Exam Domains 2026: Complete Guide to All 4 Content Areas, and if you haven't built a full prep plan yet, start with the DVA-C02 Study Guide 2026: How to Pass on Your First Attempt.
What's Actually Tested in Domain 2
AWS groups Security topics into a few recurring themes across the exam guide. Expect scenario-based questions that ask you to pick the most secure, least-privilege, or most operationally sound approach - not just define a service.
Authentication and Authorization
Candidates must understand how applications and services prove identity and what they're allowed to do once authenticated.
- IAM users, groups, roles, and policies (identity-based vs. resource-based)
- Temporary security credentials via AWS STS (AssumeRole, federation)
- Amazon Cognito user pools vs. identity pools for application-layer auth
- Cross-account access patterns for multi-account architectures
Encryption and Key Management
You need to know both encryption in transit and at rest, and which AWS service handles which layer.
- AWS KMS: customer managed keys vs. AWS managed keys, key policies, envelope encryption
- Encrypting data in S3, DynamoDB, RDS, and EBS using KMS
- TLS/SSL for data in transit, including API Gateway and ALB configurations
Secrets and Sensitive Data Handling
A recurring exam scenario: an application needs a database password or API key without hardcoding it.
- AWS Secrets Manager for automated credential rotation
- Systems Manager Parameter Store (standard vs. advanced parameters) for configuration and lighter-weight secrets
- Choosing between the two based on rotation needs, cost, and integration
Application Security Best Practices
This ties directly to writing and deploying secure code, not just configuring IAM.
- Least-privilege IAM policy design for Lambda execution roles
- Securing API Gateway endpoints with IAM auth, Cognito authorizers, or Lambda authorizers
- Input validation and protecting against injection in serverless functions
- Vulnerability and dependency scanning as part of CI/CD
IAM: The Core of Every Security Question
If there's one service you cannot afford to be shaky on, it's IAM. A large share of Domain 2 questions present a policy JSON snippet, a resource ARN, or a permission error and ask you to identify the fix or the correct configuration. You should be able to:
- Read and mentally evaluate an IAM policy statement (Effect, Action, Resource, Condition)
- Distinguish explicit deny, implicit deny, and allow evaluation logic
- Know when to attach a policy to a role vs. a resource-based policy (e.g., S3 bucket policy, Lambda resource policy)
- Understand permission boundaries and service control policies at a conceptual level
Because Lambda, API Gateway, and DynamoDB also appear heavily in Domain 1, IAM questions often blend the two domains - for example, "which execution role permissions does this Lambda function need to write to this DynamoDB table?" That overlap is exactly why understanding Domain 1: Development with AWS Services alongside Security pays off on both fronts.
Key Takeaway
Practice reading raw IAM policy JSON until you can spot a missing permission or an overly broad wildcard in under 20 seconds - this skill alone resolves a meaningful chunk of Domain 2 questions.
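As an added illustration (not code from the page or from AWS), the small Python evaluator below applies the explicit-deny / allow / implicit-deny order to identity-based policies, honours IAM wildcard matching, and flags Allow statements that use a bare `*`. The execution-role policy, account id and table name are constructed for the example; Condition keys, NotAction/NotResource and resource-based policies are deliberately out of scope.

```python
"""Minimal IAM identity-policy evaluator (explicit Deny > Allow > implicit Deny).

Condition keys, NotAction/NotResource and resource-based policies are out of scope."""
import json
import re


def _as_list(value):
    """IAM lets Action and Resource be one string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _glob_match(pattern, value, fold_case):
    """IAM wildcards: '*' spans any characters (including ':' and '/' inside an
    ARN), '?' matches exactly one. Action names are case-insensitive; ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if fold_case else 0) is not None

def _statement_matches(stmt, action, resource):
    return any(_glob_match(p, action, True) for p in _as_list(stmt["Action"])) and any(
        _glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))

def evaluate(policy_docs, action, resource):
    """Evaluate the identity-based policies attached to one principal in IAM's order:
    a matching Deny wins outright, a matching Allow grants, no match is an implicit deny."""
    decision = "ImplicitDeny"
    for doc in policy_docs:
        for stmt in json.loads(doc)["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def broad_allows(policy_doc):
    """Sids of Allow statements whose Action or Resource is a bare '*': the overly
    broad wildcard that usually marks a wrong answer option."""
    return [stmt.get("Sid", "<no Sid>") for stmt in json.loads(policy_doc)["Statement"]
            if stmt["Effect"] == "Allow"
            and "*" in _as_list(stmt["Action"]) + _as_list(stmt["Resource"])]


# Constructed sample (hypothetical account id and table name): an execution-role
# policy for a Lambda function that writes to a single DynamoDB table.
LAMBDA_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "WriteOrders", "Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
    {"Sid": "NoTableDeletes", "Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
```

Running `evaluate([LAMBDA_ROLE_POLICY], "dynamodb:DeleteTable", <table ARN>)` returns "ExplicitDeny" even though no Allow covers the action, and `broad_allows(LAMBDA_ROLE_POLICY)` singles out the `TooBroad` statement.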
Secrets Management and Encryption
A classic DVA-C02 scenario places you in front of a database credential problem: an application needs to connect to RDS without hardcoding a password in source code or environment variables. The exam expects you to know Secrets Manager can automatically rotate that credential on a schedule and integrate with RDS natively, while Parameter Store is a better fit for configuration values or secrets that don't need automatic rotation and where cost matters more.
On encryption, expect questions that test whether you understand KMS key policies versus IAM policies (both must allow access), and how envelope encryption lets services like S3 and DynamoDB encrypt large objects efficiently using a data key protected by a KMS key.
| Use Case | Best Fit | Why |
|---|---|---|
| Rotating database credentials automatically | Secrets Manager | Built-in rotation with Lambda for RDS, Redshift, DocumentDB |
| Storing non-sensitive app configuration | Parameter Store (Standard) | Free tier, simple key-value storage, no rotation needed |
| Encrypting data at rest in S3/DynamoDB | AWS KMS | Centralized key management with audit trail via CloudTrail |
| Securing API Gateway endpoints | Cognito or Lambda authorizer | Token-based auth without managing IAM users directly |
Application-Level Security Patterns
Domain 2 doesn't stop at infrastructure permissions - it also probes whether you can secure the application itself. Expect coverage of:
- API Gateway authorization options: IAM authorization, Amazon Cognito user pool authorizers, and custom Lambda authorizers, plus when each is appropriate.
- Securing environment variables: Lambda environment variable encryption using KMS.
- CI/CD security: scanning dependencies and container images before deployment, and using least-privilege deployment roles in CodePipeline/CodeBuild.
- Data protection in transit: enforcing HTTPS-only access and understanding certificate management via AWS Certificate Manager.
Because deployment pipelines and security intersect so often on this exam, it's worth reviewing the Domain 3: Deployment guide in parallel - many CI/CD security questions could technically be classified under either domain.
How Security Questions Are Actually Worded
The DVA-C02 exam uses multiple choice and multiple response formats across 65 total questions (50 scored, 15 unscored pretest items you can't identify), all within 130 minutes. Security questions tend to follow a predictable pattern: a short scenario describing a developer task, followed by four or five answer options that all sound technically plausible. The correct answer is usually the one that satisfies least privilege or uses managed AWS security tooling instead of custom-built logic.
A typical phrasing looks like: "A developer needs to grant a Lambda function temporary access to an S3 bucket in another AWS account. Which approach requires the least ongoing maintenance?" You're not just tested on whether cross-account access is possible - you're tested on the most maintainable, AWS-recommended way to do it (typically an IAM role with a trust policy, assumed via STS).
Scheduling Domain 2 Into Your Prep
Because Security overlaps heavily with Development with AWS Services, it makes sense to study them close together rather than in isolation. Here's a sample allocation if you're building a multi-week plan:
IAM Foundations
- Practice writing and evaluating IAM policies from scratch
- Build hands-on labs assuming roles across two AWS accounts
Secrets, KMS, and Cognito
- Configure Secrets Manager rotation for an RDS instance
- Compare Parameter Store tiers and set up a Cognito user pool authorizer on API Gateway
Mixed Domain 1 + Domain 2 Drills
- Practice scenario questions combining Lambda execution roles with DynamoDB/S3 permissions
- Review CI/CD pipeline security alongside Domain 3 deployment topics
If you want a broader sense of how difficult candidates find this material relative to other AWS associate exams, How Hard Is the DVA-C02 Exam? Complete Difficulty Guide 2026 breaks down where most people struggle, and DVA-C02 Pass Rate 2026: What the Data Shows covers what's publicly known about outcomes.
Common Mistakes on Security Questions
- Confusing identity-based and resource-based policies. Know that S3 bucket policies and Lambda resource policies grant access from the resource side, while IAM policies grant access from the identity side.
- Overusing root or admin-level permissions in example answers. If an answer choice grants broader access than the scenario requires, it's almost never correct on DVA-C02.
- Mixing up Secrets Manager and Parameter Store use cases. Rotation capability is usually the deciding factor in the question.
- Forgetting KMS key policies matter as much as IAM policies. Both must permit the action, or access fails.
- Skipping practice with actual policy JSON. Reading about IAM is not the same as parsing a real policy document under time pressure.
Running through timed practice questions on our DVA-C02 practice test platform is one of the fastest ways to expose these gaps before exam day, since it forces you to apply IAM and encryption concepts under the same 130-minute pressure you'll face at Pearson VUE or in an online proctored session.
Frequently Asked Questions
AWS doesn't publish an exact question count per domain, but Security is weighted at 26% of the exam, making it the second-largest of the four domains behind Development with AWS Services at 32%.
No. Domain 2 focuses on developer-relevant security: IAM, secrets management, encryption, and securing application endpoints. It does not require the depth expected on the AWS Certified Security - Specialty exam.
Focus on IAM (roles, policies, STS), AWS KMS, Secrets Manager, Systems Manager Parameter Store, and Amazon Cognito, since these appear most frequently in Domain 2 scenarios.
Difficulty is subjective, but many candidates find Security questions harder because they require precise policy-reading skills rather than general service knowledge. Pairing study of both domains together tends to help, since they frequently overlap in scenario questions.
Unanswered questions count as incorrect with no separate guessing penalty, so it's always better to select your best guess than leave a question blank within the 130-minute limit.