Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in how to manage consistent and repeatable database user configurations across multiple accounts without adding operational overhead or complexity. In production, this is about knowing exactly how to leverage automation, infrastructure as code, and cross-account APIs to maintain synchronization. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A software delivery organization, NexaApps, manages three separate AWS accounts. Each account hosts an Amazon RDS PostgreSQL database instance deployed in a private subnet within a VPC. The development team requires the same set of database users to be created and updated regularly in all three database instances, ensuring user access and privileges remain consistent across accounts.
There is a strong emphasis on minimizing operational overhead and complexity while ensuring updates to users propagate efficiently and reliably.
The Requirement: #
Define and maintain database users consistently across three Amazon RDS instances located in different AWS accounts, with minimal ongoing manual effort.
The Options #
- A) Create an AWS CloudFormation template that declares the database users as part of the database resource. Deploy this template in all three AWS accounts to sync users.
- B) Create a CloudFormation template that includes a custom resource (such as a Lambda-backed custom resource) that runs database user creation commands during stack deployment. Deploy this template in all accounts.
- C) Write a script that creates and updates users via SQL commands. Launch an Amazon EC2 instance in each account configured to run the script against the local RDS instance on a scheduled basis.
- D) Implement an AWS Lambda function outside of these accounts that connects to each database instance (cross-account using appropriate networking and credentials) and creates or updates the users. Maintain all user definitions centrally in this Lambda function.
Google adsense #
leave a comment:
Correct Answer #
D
Quick Insight: The Developer Automation Imperative #
The correct approach revolves around a single, centralized Lambda function that automates user creation/updates remotely. This minimizes duplication, operational overhead, and avoids managing ephemeral infrastructure. It also leverages AWS SDK and Lambda capabilities for cross-account automation.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
Option D stands out because it centralizes the user creation and update logic into a single AWS Lambda function capable of cross-account connections. This approach provides:
- Operational Efficiency: One function to maintain, troubleshoot, and update rather than duplicating logic in three accounts.
- Cross-account Access: Lambda can assume roles or use secrets manager credentials to access each RDS endpoint securely.
- Minimal Infrastructure: No need to maintain EC2 instances or manage lifecycle hooks in CloudFormation stacks.
- Consistency: Ensures updates happen simultaneously across all databases with the single source of truth inside the Lambda code.
- Automation Friendly: Can be triggered on demand or on a schedule using EventBridge, integrating well with CI/CD pipelines.
The Trap (Distractor Analysis): #
- Why not A? CloudFormation doesn’t natively manage database users inside RDS instances; there is no resource for declaring database users or running SQL DDL commands directly. This option misunderstands CloudFormation’s capabilities.
- Why not B? While custom resources can run Lambda functions during stack operations, they typically run infrequently during deploys and introduce complexity. They are not designed for ongoing user sync and create operational coupling to stack updates.
- Why not C? Running EC2 instances adds unnecessary operational overhead for scripted automation. It requires managing instances, patching, and failover handling, which is avoidable by serverless approaches.
The Technical Blueprint #
# Example AWS CLI snippet showing Lambda assuming cross-account role before executing user updates
# Assume role in target account to access RDS credentials
aws sts assume-role --role-arn arn:aws:iam::ACCOUNT_ID:role/DBUserUpdaterRole --role-session-name UpdateSession
# Lambda function uses the returned temporary credentials to connect to RDS with the database driver (e.g. psycopg2 for PostgreSQL):
# Connect using credentials, run CREATE USER and GRANT statements safely per account
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Low (CloudFormation only) | Ineffective (no direct DB user support) | Non-viable for DB user management |
| B | High (custom resource Lambda) | Moderate (runs only on deploy) | Possible but not operationally efficient |
| C | Moderate (custom script on EC2) | Good but with maintenance overhead | Legacy-style automation, less serverless |
| D | Moderate (Lambda + cross-account role usage) | Best (serverless, centralized control) | Optimal for multi-account RDS user sync |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick serverless centralized automation with Lambda when you see multi-account API calls or cross-account management requirements that involve running commands/actions outside infrastructure deployment lifecycles.
Real World #
In production, companies often integrate Lambda with AWS Systems Manager Parameter Store or Secrets Manager for credentials, and use EventBridge for scheduling. Terraform or CDK can also deploy the Lambda function with appropriate IAM roles across accounts.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the DVA-C02 exam.