AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 175

1024 questions total · 14pages · All types, answers revealed

Page 1 of 14

Page 2
1
MCQeasy

Which AWS pricing benefit means that the more AWS services you use across your organization, the greater the volume discounts you receive on some services?

A.Reserved Instance discounts
B.Tiered volume pricing discounts
C.Spot Instance savings
D.Savings Plans commitment discounts
AnswerB

Tiered pricing rewards higher usage volumes with lower per-unit costs — e.g., S3 charges less per GB as monthly storage crosses higher tier thresholds.

Why this answer

Tiered volume pricing discounts reward customers with lower per-unit costs as their usage volume increases across multiple services. This is a built-in AWS pricing model where the more you use, the more you save, without requiring any upfront commitment or reservation.

Exam trap

The trap here is that candidates often confuse tiered volume pricing with Savings Plans, but Savings Plans require a specific commitment amount and are limited to compute services, whereas tiered volume pricing is automatic and applies to a broader set of services without any upfront commitment.

How to eliminate wrong answers

Option A is wrong because Reserved Instance discounts apply only to specific EC2 instance families and require a 1- or 3-year commitment, not a volume-based discount across services. Option C is wrong because Spot Instance savings come from bidding on unused EC2 capacity and are subject to interruption, not from aggregate usage volume across the organization. Option D is wrong because Savings Plans commitment discounts require a consistent usage commitment (measured in $/hour) for 1 or 3 years, and they apply to a specific compute family, not as a volume-based discount across all services.

2
MCQmedium

A company is migrating a large enterprise workload to AWS. They want to understand all the migration strategies available. Which framework categorizes cloud migration strategies as the '7 Rs'?

A.AWS Well-Architected Framework pillars
B.AWS Cloud Adoption Framework perspectives
C.AWS Migration Strategy 7 Rs
D.AWS Service Control Policy levels
AnswerC

The 7 Rs (Retire, Retain, Rehost, Replatform, Repurchase, Refactor, Relocate) provide a structured way to categorize migration strategies for each application in an enterprise portfolio.

Why this answer

Option C is correct because the '7 Rs' (Retire, Retain, Rehost, Replatform, Repurchase, Refactor, Relocate) is a specific set of migration strategies defined by AWS to categorize how workloads can be moved to the cloud. This framework is directly referenced in AWS documentation and training as the 'AWS Migration Strategy 7 Rs' and is the standard taxonomy for discussing migration approaches.

Exam trap

The trap here is that candidates confuse the '7 Rs' with the AWS Well-Architected Framework pillars or the AWS CAF perspectives, because all three are numbered frameworks used in AWS cloud adoption discussions, but only the 7 Rs specifically categorize migration strategies.

How to eliminate wrong answers

Option A is wrong because the AWS Well-Architected Framework pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability) focus on designing and operating reliable, secure, efficient, and cost-effective systems in the cloud, not on categorizing migration strategies. Option B is wrong because the AWS Cloud Adoption Framework (AWS CAF) perspectives (Business, People, Governance, Platform, Security, Operations) provide guidance on organizational capabilities and processes for cloud adoption, not a taxonomy of migration strategies. Option D is wrong because AWS Service Control Policy (SCP) levels refer to the hierarchical application of permission boundaries in AWS Organizations (e.g., root, OU, account level), and have no relation to migration strategy categorization.

3
MCQmedium

A company runs a monthly data processing job that requires 100 Amazon EC2 instances to complete within 4 hours. The job is not needed at any other time. The company previously ran this job on its on-premises servers, which required maintaining enough capacity to handle the peak load year-round, leading to low average utilization. The company has now migrated the job to AWS. Each month, the company automatically provisions the 100 instances, runs the job, and then terminates the instances. Which essential characteristic of cloud computing does this scenario best illustrate?

A.Resource pooling
B.Measured service
C.On-demand self-service
D.Rapid elasticity
AnswerD

Rapid elasticity is the ability to quickly and automatically scale resources up and down in response to demand. By provisioning 100 instances only when needed and terminating them after use, the company avoids over-provisioning and pays only for what it uses, directly illustrating this essential characteristic.

Why this answer

This scenario best illustrates rapid elasticity because the company provisions 100 EC2 instances only when needed for the monthly job, scaling up from zero to 100 instances in minutes and then scaling back down to zero after the job completes. Rapid elasticity allows cloud resources to be quickly scaled out (increased) and scaled in (decreased) to match demand, eliminating the need to maintain idle capacity for peak loads.

Exam trap

The trap here is that candidates often confuse 'on-demand self-service' (the ability to provision resources without manual approval) with 'rapid elasticity' (the ability to quickly scale resources up and down to match fluctuating demand), but the key clue in the question is the dynamic scaling from zero to 100 instances and back, which directly tests the elasticity concept.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's multi-tenant model where computing resources are pooled to serve multiple customers, not the customer's ability to scale resources up and down on demand. Option B is wrong because measured service involves metering and billing for resource usage (e.g., per hour or per GB), which is a characteristic of cloud computing but not the primary focus of this scenario. Option C is wrong because on-demand self-service allows users to provision resources without human interaction, which is true here, but the key differentiator is the ability to rapidly scale from zero to 100 instances and back, which is the essence of elasticity, not just self-service provisioning.

4
MCQmedium

A company runs a set of Amazon EC2 instances that handle a consistent, predictable workload 24 hours a day, 7 days a week. The company expects to continue running this workload for the next three years. The finance team wants to minimize the total cost of these EC2 instances while maintaining flexibility to change instance families if needed. Which AWS pricing option should the company choose to meet these requirements?

A.On-Demand instances
B.EC2 Instance Savings Plans (1-year, no upfront)
C.Compute Savings Plans (3-year, all upfront)
D.Spot Instances
AnswerC

Compute Savings Plans offer the broadest flexibility, covering changes to instance families, regions, and even other compute services (e.g., AWS Fargate, AWS Lambda). A 3-year term with all upfront payment provides the highest discount (up to 66%) for consistent usage, making this the most cost-effective choice that also allows instance family changes.

Why this answer

Compute Savings Plans (3-year, all upfront) provide the highest discount (up to 66%) for consistent, predictable workloads running 24/7 for three years, and they offer flexibility to change instance families, operating systems, or regions within the compute scope. This matches the requirement to minimize cost while maintaining the ability to switch instance families.

Exam trap

The trap here is that candidates often confuse EC2 Instance Savings Plans (which lock instance family) with Compute Savings Plans (which allow instance family changes), or they overlook that Spot Instances are unsuitable for non-interruptible workloads despite their low cost.

How to eliminate wrong answers

Option A is wrong because On-Demand instances have no upfront commitment and offer no discount, making them the most expensive option for a steady-state, long-term workload. Option B is wrong because EC2 Instance Savings Plans (1-year, no upfront) lock you to a specific instance family in a region, which does not provide the flexibility to change instance families, and the 1-year term with no upfront yields a lower discount than a 3-year all upfront plan. Option D is wrong because Spot Instances are designed for fault-tolerant, interruptible workloads and can be terminated with a 2-minute notice, making them unsuitable for a consistent, predictable workload that must run 24/7.

5
MCQeasy

Which AWS service allows you to monitor API calls made in your AWS account, including who made the call, from which IP address, and when?

A.Amazon CloudWatch
B.AWS CloudTrail
C.VPC Flow Logs
D.AWS Config
AnswerB

CloudTrail records every API call including who made it, from what IP, at what time, on what resource, with what parameters — the core audit trail for AWS accounts.

Why this answer

AWS CloudTrail is the service that records API activity in your AWS account, capturing details such as the identity of the caller, the source IP address, and the timestamp of each API call. This makes it the correct choice for monitoring who made a call, from where, and when.

Exam trap

The trap here is that candidates often confuse CloudWatch (for monitoring metrics and logs) with CloudTrail (for auditing API calls), because both involve logging, but CloudTrail is specifically designed for recording API activity with caller identity and source IP details.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not for recording API call details like caller identity or source IP. Option C is wrong because VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, not API calls made to the AWS management plane. Option D is wrong because AWS Config evaluates resource configurations and compliance rules, and does not log API call metadata such as who made the call or the source IP address.

6
MCQmedium

A company uses AWS CloudTrail to log all API calls in their AWS account for compliance and security auditing. Their compliance officer needs to prove to an external auditor that the CloudTrail log files have not been altered or deleted after they were created. The company must use the most cost-effective and built-in AWS feature to detect any tampering with the log files. What should the company enable?

A.Enable CloudTrail log file integrity validation
B.Enable server-side encryption for the CloudTrail log file S3 bucket using SSE-KMS
C.Configure CloudTrail to send logs to CloudWatch Logs and set a metric filter for changes
D.Enable multi-factor authentication (MFA) delete on the S3 bucket
AnswerA

Correct. Log file integrity validation uses hash-based digital signatures to verify that CloudTrail log files have not been modified or deleted after they were delivered to the S3 bucket. It is a built-in, cost-effective feature designed for this purpose.

Why this answer

CloudTrail log file integrity validation uses a hash chain (SHA-256) to create a digest file that is signed with a private key, allowing you to verify that log files have not been modified, deleted, or tampered with after delivery. This is a built-in, no-cost feature that directly meets the compliance officer's requirement to prove log integrity to an external auditor without additional services or costs.

Exam trap

The trap here is that candidates confuse encryption (which protects confidentiality) with integrity validation (which proves data has not been altered), leading them to choose SSE-KMS or MFA delete instead of the built-in, cost-free integrity validation feature.

How to eliminate wrong answers

Option B is wrong because server-side encryption with SSE-KMS protects the confidentiality of log files at rest, but does not provide any mechanism to detect tampering or prove that the files have not been altered after creation. Option C is wrong because sending logs to CloudWatch Logs and setting a metric filter can alert on changes or patterns, but it does not provide cryptographic proof of integrity or a verifiable chain of custody for the log files. Option D is wrong because MFA delete on the S3 bucket prevents unauthorized deletion of objects, but it does not detect or prove that existing log files have been altered or tampered with after they were written.

7
MCQmedium

A company is planning to migrate its on-premises database and web application to AWS. The solutions architect needs to provide a detailed monthly cost estimate for the AWS resources that will be used, including Amazon EC2 instances, Amazon RDS database instances, and Amazon S3 storage. The architect wants to specify instance types, storage sizes, data transfer amounts, and other parameters to get a precise estimate before building the environment. Which AWS tool should the architect use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Pricing Calculator
D.AWS Total Cost of Ownership (TCO) Calculator
AnswerC

The AWS Pricing Calculator (formerly the Simple Monthly Calculator) enables you to explore AWS services and create an estimate for your use cases. You can specify resource configurations, including instance types, storage, data transfer, and more, to generate a detailed monthly cost estimate. This directly meets the architect's requirement.

Why this answer

The AWS Pricing Calculator (formerly Simple Monthly Calculator) allows users to specify exact instance types, storage sizes, data transfer amounts, and other parameters for services like EC2, RDS, and S3 to generate a detailed monthly cost estimate before provisioning resources. This makes it the correct tool for the architect's requirement of a precise, pre-build cost estimate.

Exam trap

The trap here is that candidates confuse the AWS Pricing Calculator (for future estimates) with AWS Cost Explorer (for past analysis), or they mistakenly think the TCO Calculator provides the same detailed monthly breakdown for specific AWS resources.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical cost and usage data, not future estimates based on custom specifications like instance types or storage sizes. Option B is wrong because AWS Budgets sets cost alerts and monitors spending against a predefined budget, but it cannot generate a detailed cost estimate from scratch for planned resources. Option D is wrong because the AWS Total Cost of Ownership (TCO) Calculator compares on-premises costs with AWS costs, focusing on savings over time rather than providing a precise monthly estimate for specific AWS resource configurations.

8
MCQeasy

Which Amazon EC2 pricing option allows customers to bid for unused EC2 capacity with potential savings of up to 90%, while accepting that instances may be interrupted?

A.On-Demand Instances
B.Reserved Instances
C.Spot Instances
D.Dedicated Instances
AnswerC

Spot Instances use AWS spare capacity at up to 90% discount, with the trade-off that AWS can interrupt with 2 minutes notice when capacity is needed.

Why this answer

Spot Instances allow customers to bid for unused EC2 capacity, offering potential savings of up to 90% compared to On-Demand pricing. However, these instances can be interrupted (terminated or hibernated) by AWS when the Spot price exceeds the customer's bid or when capacity is needed for On-Demand or Reserved Instance customers, making them ideal for fault-tolerant and flexible workloads.

Exam trap

The trap here is that candidates may confuse Spot Instances with Reserved Instances, thinking both offer similar discounts, but Reserved Instances require a commitment and are not interruptible, while Spot Instances are interruptible and involve bidding on unused capacity.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide full pricing flexibility with no interruption risk, but they do not allow bidding on unused capacity or offer up to 90% savings. Option B is wrong because Reserved Instances provide a significant discount (up to 72%) in exchange for a 1- or 3-year commitment, but they are not interruptible and do not involve bidding on unused capacity. Option D is wrong because Dedicated Instances run on single-tenant hardware and are not associated with bidding on unused capacity or interruption; they are used for compliance or licensing requirements, not for cost savings via spot pricing.

9
Drag & Dropmedium

Drag and drop the steps to set up CloudFront with an S3 origin in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

CloudFront with S3: prepare S3, create distribution, configure origin, and update DNS.

10
MCQmedium

Which AWS service automatically moves S3 objects between storage classes based on access patterns without requiring upfront knowledge of how frequently data will be accessed?

A.S3 Lifecycle policies
B.S3 Intelligent-Tiering
C.S3 Standard-IA
D.S3 Replication
AnswerB

Intelligent-Tiering monitors access frequency and automatically moves objects to the most cost-effective tier without performance impact or retrieval fees.

Why this answer

S3 Intelligent-Tiering is the correct answer because it is the only AWS service that automatically moves objects between storage classes based on changing access patterns, without requiring any upfront knowledge or lifecycle rules. It monitors access at the object level and moves data between two access tiers (frequent and infrequent) and an optional archive tier, charging a small monitoring fee but no retrieval costs.

Exam trap

The trap here is that candidates confuse S3 Lifecycle policies (which require manual rule creation) with Intelligent-Tiering (which automates transitions based on actual usage), leading them to choose A instead of B.

How to eliminate wrong answers

Option A is wrong because S3 Lifecycle policies require you to define explicit rules (e.g., 'move to S3 Standard-IA after 30 days') based on your own predictions of access patterns, not automatic adaptation. Option C is wrong because S3 Standard-IA is a static storage class that does not automatically move data; it simply provides lower-cost storage for infrequently accessed data with a retrieval fee. Option D is wrong because S3 Replication is used to copy objects across buckets or regions for redundancy or compliance, not to transition between storage classes based on access patterns.

11
MCQmedium

Which AWS storage class is optimized for long-term archival where data is rarely accessed and retrieval time of several hours is acceptable?

A.S3 Standard-IA
B.S3 One Zone-IA
C.S3 Glacier Deep Archive
D.S3 Intelligent-Tiering
AnswerC

Deep Archive is the lowest-cost storage, designed for rarely accessed archival data with retrieval times of 12–48 hours.

Why this answer

S3 Glacier Deep Archive is designed for long-term archival of data that is accessed rarely, with retrieval times ranging from 12 to 48 hours. This makes it the most cost-effective storage class for scenarios where retrieval latency of several hours is acceptable, such as compliance or regulatory archives.

Exam trap

The trap here is that candidates confuse S3 Glacier Deep Archive with S3 Glacier Flexible Retrieval, assuming both offer similar retrieval times, but the exam specifically tests the distinction that Deep Archive requires 12–48 hours while Flexible Retrieval can provide minutes to hours.

How to eliminate wrong answers

Option A is wrong because S3 Standard-IA is optimized for infrequently accessed data but offers millisecond retrieval times, not the several-hour retrieval window required for archival. Option B is wrong because S3 One Zone-IA stores data in a single Availability Zone and provides rapid access, making it unsuitable for long-term archival with multi-hour retrieval. Option D is wrong because S3 Intelligent-Tiering automatically moves data between access tiers based on usage patterns but still provides millisecond retrieval for all tiers, not the several-hour retrieval specified in the question.

12
MCQmedium

A company runs a read-heavy web application that retrieves the same product catalog data from an Amazon RDS database hundreds of times per second. The database is experiencing high CPU utilization due to repeated reads of the same information. The company wants to reduce the load on the database and improve application response time without modifying the application code or adding more database capacity. The solution must be fully managed and provide a low-latency, in-memory cache for frequently accessed data. Which AWS service should the company use?

A.Amazon CloudFront
B.Amazon ElastiCache
C.Amazon DynamoDB Accelerator (DAX)
D.Amazon Simple Queue Service (SQS)
AnswerB

Amazon ElastiCache is a fully managed, in-memory caching service that supports Memcached and Redis. It can be used to cache the results of frequently executed database queries, reducing the load on the RDS instance and improving application latency. The application can be configured to check the cache first before querying the database, which does not require modifying the core application logic if designed appropriately. This is the correct solution for offloading read traffic from the database.

Why this answer

Amazon ElastiCache is the correct choice because it provides a fully managed, in-memory caching service (Memcached or Redis) that can store frequently accessed product catalog data. By caching the results of repeated read queries, ElastiCache offloads the RDS database, reducing CPU utilization and improving response times without requiring application code changes or additional database capacity.

Exam trap

The trap here is that candidates may confuse DAX (a DynamoDB-specific cache) with a general-purpose cache for RDS, or assume CloudFront can serve as an application-level cache for database queries, when in fact ElastiCache is the only fully managed, in-memory caching service that works with RDS without code changes.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations, but it is not designed as a low-latency, in-memory cache for database query results; it operates at the HTTP/HTTPS level and would require modifying the application to route requests through it. Option C is wrong because Amazon DynamoDB Accelerator (DAX) is an in-memory cache specifically for DynamoDB tables, not for Amazon RDS databases; it cannot be used to cache RDS query results. Option D is wrong because Amazon Simple Queue Service (SQS) is a fully managed message queuing service for decoupling application components, not a caching service; it does not provide low-latency, in-memory data retrieval for repeated reads.

13
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce a policy that prevents any user, including account administrators, from creating Amazon S3 buckets that are publicly accessible across the entire organization. The policy must be centrally managed and cannot be overridden by individual account administrators. Which AWS feature should the security team use?

A.AWS Config rules with auto-remediation
B.Service Control Policies (SCPs) in AWS Organizations
C.AWS Identity and Access Management (IAM) policies with a Deny effect
D.Amazon Macie with automated response
AnswerB

SCPs are a type of organization policy that you can use to specify the maximum permissions for member accounts. They apply to all users and roles in the account, including the account root user, and cannot be overridden by any IAM policy within those accounts. By attaching an SCP that denies actions that make S3 buckets public (e.g., setting a bucket policy that allows public access), the security team can enforce this restriction across the entire organization.

Why this answer

Service Control Policies (SCPs) in AWS Organizations are the correct choice because they allow the security team to centrally define a policy that denies the creation of publicly accessible S3 buckets across all accounts in the organization. SCPs apply to all users, including account administrators, and cannot be overridden by any IAM policy or local account permissions, ensuring organization-wide enforcement.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM Deny effects can be centrally managed and enforced across accounts, but IAM policies are account-scoped and can be overridden by local administrators, whereas SCPs operate at the organization level and are non-overridable.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with auto-remediation can detect and fix non-compliant resources after creation, but they do not prevent the action from being taken in the first place and can be overridden by account administrators with sufficient permissions. Option C is wrong because IAM policies with a Deny effect are account-specific and can be overridden by account administrators who have full control over IAM in their own accounts, failing the requirement for central management and non-overridability. Option D is wrong because Amazon Macie is a data security service that discovers and protects sensitive data, not a policy enforcement mechanism for preventing bucket creation.

14
MCQmedium

A cloud provider uses shared physical infrastructure to serve many customers. Each customer's compute and storage resources are logically isolated and secure, but the underlying hardware is pooled across all customers. Which essential characteristic of cloud computing does this scenario BEST describe?

A.On-demand self-service
B.Resource pooling
C.Broad network access
D.Rapid elasticity
AnswerB

Resource pooling is the correct answer. The scenario explicitly describes shared physical infrastructure serving many customers with logical isolation, which is the essence of resource pooling in cloud computing.

Why this answer

Resource pooling is the correct characteristic because the scenario describes a multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand. The cloud provider's shared infrastructure (compute, storage, network) is pooled to serve multiple customers, with logical isolation ensuring each customer's data remains secure despite the shared underlying hardware. This directly matches the NIST SP 800-145 definition of resource pooling.

Exam trap

The trap here is that candidates confuse 'resource pooling' with 'on-demand self-service' because both involve shared infrastructure, but the key distinction is that resource pooling focuses on the provider's multi-tenant architecture, not the consumer's ability to provision resources without human interaction.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a consumer's ability to provision computing capabilities unilaterally without requiring human interaction with each service provider, not to the sharing of physical infrastructure. Option C is wrong because broad network access describes capabilities being available over the network and accessed through standard mechanisms (e.g., mobile phones, laptops), which is unrelated to the pooling of hardware resources across multiple customers.

15
MCQeasy

A company wants to automatically receive an email alert whenever their monthly AWS spend is forecasted to exceed $10,000, or if it actually exceeds $10,000. Which AWS service provides this capability?

A.AWS Cost Explorer
B.AWS Pricing Calculator
C.AWS Budgets
D.Amazon CloudWatch
AnswerC

AWS Budgets allows setting cost, usage, and reservation budgets with email or SNS alerts when actual or forecasted spending exceeds defined thresholds. Both actual and forecasted threshold alerts are supported.

Why this answer

AWS Budgets allows you to set a custom budget (e.g., monthly cost budget of $10,000) and configure alert thresholds (actual or forecasted) that trigger an Amazon SNS notification, which can send an email alert. This directly meets the requirement to be notified when the forecasted or actual spend exceeds $10,000.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's visualization capabilities with proactive alerting, or assume CloudWatch can handle cost-based alarms, but AWS Budgets is the only service that provides both forecasted and actual cost threshold alerts with email notifications.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides historical cost and usage data and allows you to visualize trends, but it does not natively send proactive email alerts based on forecasted or actual spend thresholds. Option B is wrong because AWS Pricing Calculator is a tool for estimating costs before deployment, not for monitoring or alerting on actual or forecasted spend. Option D is wrong because Amazon CloudWatch can monitor AWS resources and trigger alarms on metrics, but it does not natively provide cost budget alerts or forecasted spend data; cost monitoring is outside CloudWatch's primary metric scope.

16
MCQmedium

Which AWS service allows you to create a private network connection between your on-premises data center and AWS without using the public internet?

A.AWS VPN
B.Amazon VPC Peering
C.AWS Direct Connect
D.AWS Transit Gateway
AnswerC

Direct Connect provides a dedicated, private network connection from on-premises to AWS bypassing the internet.

Why this answer

AWS Direct Connect is the correct answer because it provides a dedicated, private network connection from your on-premises data center directly to AWS, bypassing the public internet entirely. This is achieved through a physical cross-connect at an AWS Direct Connect location, using industry-standard 802.1Q VLANs to maintain traffic isolation. Unlike VPN-based solutions, Direct Connect offers consistent network performance, lower latency, and higher bandwidth, making it ideal for hybrid workloads and large-scale data transfers.

Exam trap

The trap here is that candidates confuse AWS VPN (which also creates a private tunnel) with a truly private connection, forgetting that VPNs still traverse the public internet, whereas Direct Connect uses a dedicated physical link that never touches the internet.

How to eliminate wrong answers

Option A is wrong because AWS VPN uses the public internet to establish an encrypted tunnel (IPsec) between your on-premises network and AWS, so it does not create a private connection that bypasses the public internet. Option B is wrong because Amazon VPC Peering connects two VPCs within the AWS network, not an on-premises data center to AWS; it also relies on the AWS global infrastructure but does not extend to on-premises environments. Option D is wrong because AWS Transit Gateway is a network transit hub that connects VPCs, VPNs, and Direct Connect attachments, but it is not itself a private connection service; it requires Direct Connect or VPN to extend to on-premises.

17
MCQmedium

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits, including SQL injection and cross-site scripting (XSS). The solution must integrate directly with the ALB and allow custom rules to be defined. Which AWS service should the company use?

A.AWS WAF
B.AWS Shield Advanced
C.Security Groups
D.AWS Firewall Manager
AnswerA

AWS WAF is a web application firewall that protects against common web exploits like SQL injection and XSS. It integrates directly with ALB and allows custom rules to be defined.

Why this answer

AWS WAF is a web application firewall that integrates directly with an Application Load Balancer to filter and monitor HTTP(S) requests. It provides managed rules to block common web exploits such as SQL injection and cross-site scripting (XSS), and allows you to define custom rules using conditions like IP addresses, HTTP headers, and URI strings. This makes it the correct choice for protecting the ALB-hosted application against these specific threats.

Exam trap

The trap here is that candidates confuse AWS Shield Advanced (Layer 3/4 DDoS protection) with AWS WAF (Layer 7 web exploit filtering), or mistakenly think Security Groups can inspect application-layer traffic when they only filter at the network and transport layers.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides DDoS protection and enhanced detection for larger volumetric attacks, but it does not include the ability to inspect HTTP request payloads for SQL injection or XSS patterns, nor does it support custom rule definitions for web exploits. Option C is wrong because Security Groups act as a stateful firewall at the instance or ENI level, filtering traffic based on IP addresses and protocols (TCP/UDP), but they cannot inspect application-layer payloads or block specific web exploits like SQL injection or XSS.

18
MCQmedium

A company is planning to migrate its on-premises workloads to AWS. The cloud architect needs to create a detailed estimate of the monthly AWS bill based on specific configuration details, such as the number of Amazon EC2 instances with particular instance types, storage volumes, data transfer amounts, and Amazon RDS database instances. The architect wants to input these known specifications and obtain an estimated monthly cost breakdown before launching any resources. Which AWS tool should the architect use to meet this requirement?

A.AWS TCO Calculator
B.AWS Pricing Calculator
C.AWS Cost Explorer
D.AWS Budgets
AnswerB

The AWS Pricing Calculator enables you to select specific AWS services, configure them with your exact requirements (e.g., EC2 instance type, storage size, data transfer), and generate a detailed monthly cost estimate. This is the correct tool for the architect to use when planning a migration and needing a precise forecast of the monthly bill based on known specifications.

Why this answer

The AWS Pricing Calculator (formerly AWS Simple Monthly Calculator) allows users to input specific configuration details such as EC2 instance types, storage volumes, data transfer amounts, and RDS database instances to generate a detailed monthly cost estimate before launching any resources. This tool is designed for upfront cost planning and provides a breakdown of estimated charges based on the user's exact specifications, making it the correct choice for the architect's requirement.

Exam trap

The trap here is that candidates often confuse the AWS Pricing Calculator with the AWS TCO Calculator, mistakenly thinking both can generate detailed monthly cost estimates for specific configurations, but the TCO Calculator is designed for high-level cost comparison between on-premises and cloud, not for granular resource-level pricing.

How to eliminate wrong answers

Option A is wrong because the AWS TCO Calculator is used to compare the total cost of ownership between on-premises infrastructure and AWS, not to generate a detailed monthly bill estimate based on specific resource configurations. Option C is wrong because AWS Cost Explorer analyzes historical usage and costs after resources have been launched, and it cannot be used to estimate costs for planned configurations before deployment.

19
MCQeasy

According to the AWS Shared Responsibility Model, for which of the following is the customer ALWAYS responsible, regardless of the AWS service used?

A.Physical security of the data center
B.Patching the underlying hypervisor
C.Customer data and its classification
D.Network infrastructure management
AnswerC

Customer data ownership and responsibility never transfers to AWS — the customer always decides what data to store, how to classify it, who can access it, and whether to encrypt it.

Why this answer

Under the AWS Shared Responsibility Model, the customer is always responsible for customer data and its classification, regardless of the service used. This includes deciding what data to store, how it is encrypted, and how access controls are configured. AWS never assumes responsibility for the content or classification of customer data, as this is entirely under the customer's control.

Exam trap

The trap here is that candidates often confuse operational responsibilities (like patching or network management) with customer-owned data governance, leading them to select options that AWS actually manages under the 'Security of the Cloud' pillar.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is AWS's responsibility, not the customer's, as part of the 'Security of the Cloud' under the shared model. Option B is wrong because patching the underlying hypervisor is managed by AWS, as it is part of the virtualization infrastructure that the customer does not have access to. Option D is wrong because network infrastructure management, including routers, switches, and the AWS global network backbone, is AWS's responsibility; the customer only manages their own virtual network configurations (e.g., VPCs, subnets, security groups).

20
MCQeasy

A large enterprise runs business-critical workloads on AWS and needs 24/7 phone and chat access to Cloud Support Engineers, a designated Technical Account Manager (TAM), and access to proactive guidance and architectural reviews. Which AWS Support plan includes all of these features?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerD

AWS Enterprise Support includes 24/7 access to Senior Cloud Support Engineers via phone/chat, a designated Technical Account Manager (TAM) who provides proactive guidance and architectural reviews — all requirements of the question.

Why this answer

The Enterprise Support plan is the only AWS Support plan that includes 24/7 phone and chat access to Cloud Support Engineers, a designated Technical Account Manager (TAM), and proactive guidance and architectural reviews. These features are specifically designed for large enterprises running business-critical workloads that require personalized support and strategic advice.

Exam trap

The trap here is that candidates often confuse the Business Support plan's 24/7 phone/chat access and faster response times with the Enterprise plan's additional features, forgetting that only Enterprise includes a designated TAM and proactive architectural reviews.

How to eliminate wrong answers

Option A is wrong because Basic Support provides only access to account and billing support, with no phone/chat access to Cloud Support Engineers, no TAM, and no proactive guidance. Option B is wrong because Developer Support offers business hours email access to Cloud Support Engineers but no TAM, no 24/7 phone/chat, and no proactive architectural reviews. Option C is wrong because Business Support includes 24/7 phone/chat access to Cloud Support Engineers but does not provide a designated TAM or proactive architectural reviews.

21
MCQmedium

A company runs its web application on a fleet of Amazon EC2 instances. The operations team does not know which specific physical servers host their instances, nor does the team have any control over the underlying hardware. However, the team can be confident that if one physical server fails, AWS will automatically launch replacement instances on different hosts. The team can also specify the general geographic region (e.g., us-west-2) but not the exact data center. This scenario best describes which essential characteristic of cloud computing?

A.Rapid elasticity
B.Resource pooling
C.Measured service
D.On-demand self-service
AnswerB

Resource pooling is the correct characteristic. The cloud provider pools its infrastructure to serve multiple customers, and customers do not know the exact physical location of their resources. The scenario explicitly states that the team does not know which physical servers host their instances and can only specify a region, matching resource pooling.

Why this answer

Resource pooling is correct because the scenario describes how the cloud provider's physical and virtual resources (servers, hosts, data centers) are aggregated into a shared pool to serve multiple customers. The operations team cannot control or know the exact physical host or data center, but AWS abstracts that complexity and can automatically launch replacement instances on different hosts if one fails. This multi-tenant model, where the customer has no visibility or control over the underlying physical location beyond a high-level region, is the defining characteristic of resource pooling.

Exam trap

The trap here is that candidates confuse the automatic failover and lack of hardware control with 'rapid elasticity' or 'on-demand self-service,' but the key is the abstraction of physical resources and multi-tenancy, which is the textbook definition of resource pooling.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down in response to demand, not to the abstraction of physical hardware or automatic failover. Option C is wrong because measured service involves metering and billing for resource usage (e.g., per-hour or per-GB charges), which is not mentioned in the scenario about hardware abstraction and automatic replacement. Option D is wrong because on-demand self-service means a user can provision computing capabilities (like launching an EC2 instance) without requiring human interaction with the provider, whereas the scenario focuses on the lack of control over physical hosts and automatic failover, not the provisioning process.

22
MCQeasy

Which IAM feature allows you to grant temporary, limited access to AWS resources for users who don't have AWS accounts, such as third-party contractors?

A.IAM Groups
B.IAM Roles with cross-account access
C.IAM password policies
D.Service Control Policies (SCPs)
AnswerB

IAM Roles with STS AssumeRole grant temporary credentials to external identities without requiring permanent IAM users, with fine-grained permissions and automatic expiration.

Why this answer

IAM Roles with cross-account access allow you to grant temporary, limited permissions to users from another AWS account or external identity providers (e.g., third-party contractors) without creating IAM users for them. The role is assumed via AWS Security Token Service (STS), which issues temporary credentials that expire after a defined duration, ensuring least-privilege access.

Exam trap

The trap here is that candidates often confuse IAM Roles with cross-account access with IAM Groups, thinking groups can be used to grant permissions to external users, but groups only apply to IAM users within your own account.

How to eliminate wrong answers

Option A is wrong because IAM Groups are used to organize IAM users within your own AWS account and assign permissions collectively; they cannot grant access to users who don't have AWS accounts. Option C is wrong because IAM password policies only enforce password complexity and rotation rules for IAM users in your account; they do not provide any mechanism for granting temporary access to external users. Option D is wrong because Service Control Policies (SCPs) are used in AWS Organizations to set permission guardrails for member accounts, not to grant temporary access to individual users or contractors.

23
MCQeasy

Which Amazon EC2 instance type provides the best performance for a relational database that requires very high IOPS with consistent sub-millisecond storage latency?

A.General purpose instances (M family)
B.Storage-optimized instances (I family)
C.Compute-optimized instances (C family)
D.Memory-optimized instances (R family)
AnswerB

I-family instances provide NVMe SSD-backed storage with hundreds of thousands of IOPS and sub-millisecond latency — designed for I/O-intensive database workloads.

Why this answer

The I family (Storage-optimized instances) is designed for high-frequency, low-latency I/O operations, leveraging NVMe SSD-backed instance storage to deliver very high IOPS and consistent sub-millisecond latency, making it ideal for relational databases with demanding storage performance requirements.

Exam trap

The trap here is that candidates often confuse 'high IOPS' with compute or memory optimization, overlooking that storage-optimized instances are the only family specifically engineered for ultra-low latency and high-throughput storage operations.

How to eliminate wrong answers

Option A is wrong because General purpose instances (M family) offer a balanced mix of compute, memory, and networking, but their EBS-optimized throughput and local NVMe storage options are not designed to sustain the extreme IOPS and sub-millisecond latency required for high-performance relational databases. Option C is wrong because Compute-optimized instances (C family) prioritize CPU performance for compute-intensive workloads, not storage I/O, and lack the dedicated NVMe instance storage or high-throughput EBS configurations needed for very high IOPS with low latency. Option D is wrong because Memory-optimized instances (R family) are optimized for large datasets in memory, but their storage performance is not specialized for high IOPS or sub-millisecond latency; they rely on EBS or instance storage that does not match the I family's dedicated NVMe performance.

24
MCQmedium

A company has enabled Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scans, and AWS Config for compliance checks. The security team wants a single, centralized dashboard that aggregates all security findings from these services, provides a consolidated security score, and allows them to automate remediation workflows. Which AWS service should the team use?

A.AWS Trusted Advisor
B.AWS Security Hub
C.AWS Systems Manager
D.Amazon Detective
AnswerB

AWS Security Hub is the correct service. It provides a comprehensive view of security alerts and compliance status across AWS accounts. It integrates with services like GuardDuty, Inspector, and Config, aggregates findings, generates a consolidated security score, and supports automated remediation through AWS Config rules and custom actions.

Why this answer

AWS Security Hub is designed to aggregate findings from multiple AWS security services, including GuardDuty, Inspector, and Config, into a single dashboard. It provides a consolidated security score (via the security standards framework) and supports automated remediation through integration with AWS Systems Manager and EventBridge. This makes it the correct choice for centralized security visibility and response.

Exam trap

The trap here is that candidates may confuse AWS Security Hub with AWS Trusted Advisor, thinking both provide security recommendations, but Trusted Advisor lacks the ability to aggregate findings from multiple security services or provide a consolidated security score and automated remediation workflows.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate findings from GuardDuty, Inspector, or Config, nor does it offer a consolidated security score or automated remediation workflows. Option C is wrong because AWS Systems Manager is an operations management service for patching, configuration, and automation of EC2 and on-premises instances, not a security findings aggregator; while it can be used as a target for remediation actions triggered by Security Hub, it does not itself provide a centralized security dashboard or security score.

25
MCQmedium

Which AWS service provides a managed graph database for storing and querying highly connected data?

A.Amazon DocumentDB
B.Amazon Keyspaces
C.Amazon Neptune
D.Amazon QLDB
AnswerC

Neptune is AWS's managed graph database for highly connected data.

Why this answer

Amazon Neptune is a fully managed graph database service optimized for storing and querying highly connected data. It supports both property graph models (using Apache TinkerPop Gremlin) and RDF models (using SPARQL), making it ideal for use cases like social networks, fraud detection, and knowledge graphs.

Exam trap

The trap here is that candidates confuse 'graph database' with 'document database' (DocumentDB) or 'ledger database' (QLDB), because all three involve structured data but only Neptune is designed for relationship-heavy queries.

How to eliminate wrong answers

Option A is wrong because Amazon DocumentDB is a document database (MongoDB-compatible) designed for JSON-like documents, not for graph relationships. Option B is wrong because Amazon Keyspaces is a managed Apache Cassandra-compatible wide-column database for key-value and tabular data, not for graph traversal. Option D is wrong because Amazon QLDB is a ledger database that provides an immutable, cryptographically verifiable transaction log, not a graph database for connected data.

26
MCQmedium

A company stores large amounts of data in Amazon S3 and wants to query it using standard SQL without loading it into a database. They need queries to complete in seconds. Which query optimization technique should they apply?

A.Store data in CSV format for maximum compatibility
B.Convert data to columnar Parquet format and implement partitioning
C.Enable S3 Transfer Acceleration on the bucket
D.Move all data to Amazon RDS for faster SQL queries
AnswerB

Parquet's columnar storage lets Athena skip irrelevant columns. Partitioning by date/region reduces files scanned. Together, these can reduce query time from minutes to seconds and cost by 90%+.

Why this answer

B is correct because converting data to columnar Parquet format reduces the amount of data scanned by only reading the columns needed for the query, and partitioning further limits the data scanned by filtering on partition keys. This combination enables queries to complete in seconds on Amazon S3 using services like Amazon Athena or Amazon Redshift Spectrum, without loading data into a database.

Exam trap

The trap here is that candidates often confuse data transfer optimization (S3 Transfer Acceleration) with query optimization, or assume that CSV's universal compatibility makes it the best choice for performance, ignoring the critical role of columnar formats and partitioning in reducing scan volume.

How to eliminate wrong answers

Option A is wrong because CSV is a row-oriented format that requires scanning entire rows even when only a few columns are needed, leading to slower query performance and higher data scanned. Option C is wrong because S3 Transfer Acceleration optimizes data transfer speed over long distances by using AWS edge locations, not query performance or optimization. Option D is wrong because moving data to Amazon RDS would require loading it into a database, which contradicts the requirement to query data directly in S3 without loading it, and RDS is not designed for direct S3 querying.

27
MCQmedium

A company is evaluating cloud adoption. Which of the following is a benefit of moving to the cloud over traditional on-premises infrastructure? (Select all that apply in context: which single answer best captures the operational model shift?)

A.Shift from operational expenditure (OpEx) to capital expenditure (CapEx)
B.Shift from capital expenditure (CapEx) to operational expenditure (OpEx)
C.Increased requirement for physical infrastructure management
D.Reduced ability to scale resources based on demand
AnswerB

Cloud computing replaces large upfront capital purchases (servers, storage) with ongoing operational costs, improving budget flexibility and eliminating stranded hardware risk.

Why this answer

Moving to the cloud shifts infrastructure costs from upfront capital expenditure (CapEx) for hardware to operational expenditure (OpEx) for pay-as-you-go services. This operational model change allows companies to avoid large initial investments and instead pay for compute and storage resources based on actual usage, aligning costs with business growth.

Exam trap

The trap here is that candidates often confuse the direction of the cost shift (CapEx to OpEx) or mistakenly think cloud adoption increases physical management, but AWS's shared responsibility model clearly offloads infrastructure management to the provider.

How to eliminate wrong answers

Option A is wrong because it reverses the actual shift: cloud adoption moves from CapEx to OpEx, not the other way around. Option C is wrong because cloud providers handle physical infrastructure management (e.g., AWS manages data centers, networking, and hardware maintenance), reducing the customer's burden. Option D is wrong because cloud platforms enable rapid, elastic scaling (e.g., AWS Auto Scaling, EC2 instance resizing) rather than reducing the ability to scale based on demand.

28
MCQmedium

Which tool allows a company to estimate the monthly cost of running a new AWS architecture before deploying any resources?

A.AWS Cost Explorer
B.AWS Pricing Calculator
C.AWS Budgets
D.AWS Trusted Advisor
AnswerB

Pricing Calculator allows planning and estimating costs for new architectures before any resources are deployed, supporting detailed configuration of individual services.

Why this answer

The AWS Pricing Calculator (formerly Simple Monthly Calculator) allows users to estimate the monthly cost of AWS services by configuring resources like EC2 instances, storage, and data transfer before deployment. It provides a detailed cost breakdown based on selected regions, instance types, and usage patterns, enabling informed budgeting without incurring actual charges.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer (a historical analysis tool) with the Pricing Calculator, assuming any cost-related tool can estimate future costs, but only the Pricing Calculator is designed for pre-deployment estimation.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical and current costs, not pre-deployment estimates; it requires existing usage data to generate reports. Option C is wrong because AWS Budgets sets alerts and tracks spending against predefined thresholds, but it cannot estimate costs for architectures that are not yet deployed. Option D is wrong because AWS Trusted Advisor inspects existing environments for optimization and security best practices, not cost estimation for new, undeployed architectures.

29
MCQmedium

A company operates an e-commerce website that sends transactional emails such as order confirmations, password reset links, and shipping updates to customers. The company expects email volume to grow significantly during promotional events. The development team wants a fully managed AWS service that can reliably send high volumes of transactional emails, provide real-time tracking of bounces and complaints, and allow integration through a simple API. The team does not want to manage any email servers. Which AWS service should the team use?

A.Amazon Simple Notification Service (Amazon SNS)
B.Amazon Simple Email Service (Amazon SES)
C.Amazon Simple Queue Service (Amazon SQS)
D.Amazon Pinpoint
AnswerB

Amazon SES is a cloud-based email sending service designed specifically for sending high-volume transactional and marketing emails. It provides detailed feedback loops for bounces and complaints, a simple API, and does not require managing email servers.

Why this answer

Amazon Simple Email Service (Amazon SES) is a fully managed, cloud-based email sending service designed specifically for sending transactional and marketing emails at high volume. It provides a simple API for integration, real-time tracking of bounces, complaints, and deliveries via Amazon CloudWatch and Amazon SNS notifications, and eliminates the need to manage any email servers. This makes it the ideal choice for the e-commerce company's requirements.

Exam trap

The trap here is that candidates confuse Amazon SNS with an email service because SNS can send email notifications, but they overlook that SNS is not a dedicated transactional email platform and lacks the deliverability features, bounce/complaint tracking, and high-volume sending capabilities that Amazon SES provides.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service for sending notifications via SMS, email, or HTTP endpoints, but it is not designed for high-volume transactional email sending, lacks dedicated email deliverability features like bounce and complaint tracking, and does not provide a dedicated email-sending API. Option C is wrong because Amazon SQS is a fully managed message queue service for decoupling application components, not an email sending service; it cannot send emails directly or track email bounces and complaints. Option D is wrong because Amazon Pinpoint is a customer engagement service focused on targeted marketing campaigns, audience segmentation, and analytics, and while it can send transactional emails, it is more complex and overkill for the simple transactional email use case described, and its primary strength is not raw high-volume transactional email sending with a simple API.

30
MCQmedium

An organization needs to sign a Business Associate Agreement (BAA) with AWS to run applications that process Protected Health Information (PHI) under HIPAA. Which statement about AWS and HIPAA is accurate?

A.AWS is HIPAA certified, meaning all AWS services automatically comply with HIPAA
B.AWS will sign a BAA for eligible services, and customers are responsible for configuring services to meet HIPAA requirements
C.PHI cannot be stored in the cloud because cloud environments are inherently non-compliant with HIPAA
D.HIPAA compliance is automatic once a BAA is signed with AWS
AnswerB

AWS signs BAAs for HIPAA-eligible services. The Shared Responsibility Model applies — AWS secures the infrastructure, customers must configure encryption, access controls, and audit logging per HIPAA requirements.

Why this answer

AWS does not have a blanket HIPAA certification; instead, it provides a Business Associate Agreement (BAA) for specific services listed in its HIPAA Eligible Services Reference. Customers must sign a BAA with AWS and then configure those eligible services (e.g., enabling encryption, access controls, logging) to meet their own HIPAA compliance obligations. This shared responsibility model means AWS is responsible for the security of the cloud, while the customer is responsible for security in the cloud.

Exam trap

The trap here is that candidates assume signing a BAA automatically makes the entire AWS environment HIPAA-compliant, ignoring the shared responsibility model and the need to configure services correctly.

How to eliminate wrong answers

Option A is wrong because AWS is not 'HIPAA certified' as a whole; HIPAA compliance is not a certification but a regulatory framework, and only specific AWS services are eligible for a BAA, not all services. Option C is wrong because PHI can be stored in the cloud if the customer uses AWS services covered by a BAA and configures them correctly, as cloud environments are not inherently non-compliant. Option D is wrong because signing a BAA is a prerequisite, not a guarantee of compliance; the customer must still implement technical and administrative safeguards (e.g., encryption, access controls, audit logging) to meet HIPAA requirements.

31
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to prevent accounts in the 'Development' OU from launching any resources in regions outside of us-east-1 and eu-west-1. Which AWS Organizations feature allows this restriction?

A.IAM permission boundaries
B.Resource-based policies attached to each S3 bucket
C.Service Control Policies (SCPs)
D.AWS Config rules across all accounts
AnswerC

SCPs are applied at the OU or account level in AWS Organizations and act as guardrails on all accounts within the OU. An SCP denying all regions except us-east-1 and eu-west-1 would apply to every account in the Development OU, regardless of their individual IAM policies.

Why this answer

Service Control Policies (SCPs) are the correct AWS Organizations feature because they allow you to centrally control the maximum available permissions for all accounts within an OU. By attaching an SCP that denies all actions in regions other than us-east-1 and eu-west-1, the security team can enforce this restriction across all 'Development' accounts, even if IAM policies within those accounts allow broader access.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking that IAM permission boundaries or resource-based policies can enforce cross-account region restrictions, but SCPs are the only mechanism that operates at the organization level to centrally limit permissions for all accounts in an OU.

How to eliminate wrong answers

Option A is wrong because IAM permission boundaries are applied to individual IAM users or roles within a single account, not across multiple accounts in an OU, and they cannot restrict the region where resources are launched at the organization level. Option B is wrong because resource-based policies attached to S3 buckets only control access to those specific S3 buckets, not the ability to launch any resources in other regions. Option D is wrong because AWS Config rules evaluate resource configurations for compliance after resources are created, but they do not prevent the launch of resources in unauthorized regions; they only detect and report non-compliance.

32
MCQeasy

A development team needs to create a new Amazon RDS MySQL database for a temporary testing environment. A developer logs into the AWS Management Console, selects the desired instance type, storage, and network settings, and clicks 'Create database'. The database is available within 10 minutes, and the developer did not need to submit a request or wait for IT approval. Which essential characteristic of cloud computing does this process best demonstrate?

A.Rapid elasticity
B.On-demand self-service
C.Broad network access
D.Resource pooling
AnswerB

This is correct. On-demand self-service is the ability to provision resources without requiring human interaction. The developer directly created the database through the console without needing to wait for IT approval, which is the defining characteristic demonstrated here.

Why this answer

The developer was able to create and provision the RDS MySQL database entirely through the AWS Management Console without any human interaction or approval from IT. This is the core definition of on-demand self-service: a user can provision computing resources as needed automatically, without requiring service provider interaction. The process took only 10 minutes and required no ticket submission, which directly aligns with the NIST definition of on-demand self-service.

Exam trap

The trap here is that candidates confuse 'rapid elasticity' with the speed of provisioning (10 minutes), but rapid elasticity specifically refers to automatic scaling of resources based on load, not the initial creation of a resource without human approval.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to scale resources up or down automatically in response to demand, not the ability to provision a resource without human approval. Option C is wrong because broad network access describes the ability to access resources over the network using standard protocols (e.g., HTTPS, SSH), which is not demonstrated by the provisioning workflow described. Option D is wrong because resource pooling refers to the provider's multi-tenant model where physical and virtual resources are dynamically assigned to multiple customers, not the user's ability to self-provision a database instance.

33
MCQeasy

A company's public-facing web application is being attacked with SQL injection and cross-site scripting (XSS) attempts. Which AWS service should they deploy to detect and block these web application attacks?

A.AWS Shield Standard
B.Amazon GuardDuty
C.AWS WAF
D.Amazon Inspector
AnswerC

AWS WAF is a web application firewall that inspects HTTP/HTTPS requests and applies rules to block attacks including SQL injection and XSS. AWS Managed Rules provide pre-built protections for common OWASP Top 10 attacks.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It allows you to create custom rules to filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, or request body patterns, and can block malicious traffic before it reaches your application.

Exam trap

The trap here is that candidates often confuse AWS Shield (DDoS protection) with AWS WAF (web application firewall), but Shield operates at Layer 3/4 and cannot inspect or block application-layer payloads like SQL injection or XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides always-on protection against DDoS attacks at the network and transport layers (Layer 3/4), not against application-layer attacks like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not actively block web application attacks at the HTTP request level. Option D is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not a runtime web application firewall that can inspect and block HTTP requests.

34
MCQmedium

A company runs a web application on AWS that experiences unpredictable traffic spikes. The operations team wants the infrastructure to automatically add compute capacity when demand increases and remove it when demand decreases, without manual intervention. The team also wants to pay only for the compute resources they actually use. Which cloud computing concept does this scenario best describe?

A.High availability
B.Elasticity
C.Fault tolerance
D.Pay-as-you-go
AnswerB

Elasticity is the ability to provision and de-provision computing resources automatically to match workload demands. This concept allows the company to handle traffic spikes without manual intervention and only pay for resources consumed, directly matching the scenario.

Why this answer

Elasticity is the ability of a cloud system to automatically scale resources up or down based on demand. In this scenario, AWS services like Auto Scaling groups and Amazon EC2 can add instances during traffic spikes and terminate them when demand drops, ensuring the infrastructure matches workload requirements without manual intervention.

Exam trap

The trap here is that candidates confuse 'pay-as-you-go' (a billing model) with 'elasticity' (the operational capability to scale), but the question explicitly asks for the concept that enables automatic scaling, not just the cost benefit.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring the application remains accessible despite failures (e.g., across multiple Availability Zones), not on dynamically adjusting capacity in response to demand changes. Option C is wrong because fault tolerance is about designing systems to continue operating without interruption when components fail, not about scaling resources up or down. Option D is wrong because pay-as-you-go is a pricing model where you pay only for resources consumed, but it does not describe the automatic scaling behavior; elasticity enables pay-as-you-go by allowing resources to be added and removed dynamically.

35
MCQmedium

A SaaS company wants to expose their service to AWS customers through the AWS Marketplace and allow customers to access it privately without traversing the public internet. Which technology enables this?

A.Amazon VPC Peering
B.AWS PrivateLink
C.AWS Direct Connect
D.AWS Transit Gateway
AnswerB

PrivateLink enables service providers to expose their services privately to multiple customer VPCs — customers create Interface Endpoints that connect to the provider's service over the AWS network without internet exposure.

Why this answer

AWS PrivateLink enables private connectivity between VPCs and AWS services without traversing the public internet. By creating a VPC Endpoint powered by PrivateLink, the SaaS company can expose their service via an internal Network Load Balancer (NLB) in their own VPC, and customers can access it privately using Elastic Network Interfaces (ENIs) in their VPCs. This ensures traffic stays within the AWS network, meeting the requirement for private, non-internet-based access through the AWS Marketplace.

Exam trap

The trap here is that candidates often confuse AWS PrivateLink with VPC Peering, thinking peering provides private connectivity between accounts, but they miss that PrivateLink is specifically designed for exposing services to multiple customer VPCs without requiring full VPC mesh or routing tables.

How to eliminate wrong answers

Option A is wrong because Amazon VPC Peering connects two VPCs directly using private IP addresses, but it does not allow a SaaS provider to expose a service to multiple customer VPCs without complex transitive routing and does not integrate with AWS Marketplace for service listing. Option C is wrong because AWS Direct Connect establishes a dedicated physical network connection from an on-premises data center to AWS, not between VPCs or for SaaS service exposure to other AWS customers. Option D is wrong because AWS Transit Gateway acts as a central hub for interconnecting multiple VPCs and on-premises networks, but it does not provide the ability to expose a specific service privately to other AWS accounts without additional components like PrivateLink or VPC endpoints.

36
MCQmedium

A company is migrating a three-tier web application to AWS. The application will run on Amazon EC2 instances using a custom Linux distribution, and a self-managed MySQL database will be installed on the same instances. The company's security team needs to understand which security responsibilities belong to AWS and which belong to the company under the AWS Shared Responsibility Model. According to this model, who is responsible for applying operating system security patches to the EC2 instances and for updating the MySQL database software?

A.AWS is responsible for both the operating system patches and the MySQL database updates.
B.The company is responsible for both the operating system patches and the MySQL database updates.
C.AWS is responsible for the operating system patches, and the company is responsible for the MySQL database updates.
D.The company is responsible for the operating system patches, and AWS is responsible for the MySQL database updates.
AnswerB

This is correct. Since the company controls the EC2 instance's guest OS and the MySQL database, it is responsible for all patching and updates of that software.

Why this answer

Under the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud (e.g., physical infrastructure, hypervisor), while the customer is responsible for security in the cloud (e.g., guest OS, applications, and data). Since the company is using a custom Linux distribution on EC2 instances and installing a self-managed MySQL database, both the operating system patches and the MySQL database updates fall under the customer's responsibility. AWS does not manage or patch the guest operating system or any software installed by the customer on EC2 instances.

Exam trap

The trap here is that candidates often confuse self-managed software on EC2 with AWS-managed services (like RDS) and incorrectly assume AWS handles patching for any database or OS running on EC2.

How to eliminate wrong answers

Option A is wrong because AWS is never responsible for patching the guest operating system or customer-installed software on EC2 instances; AWS only manages the hypervisor and underlying infrastructure. Option C is wrong because AWS does not apply operating system patches to the guest OS on EC2 instances; the customer is responsible for all patches on the custom Linux distribution. Option D is wrong because the customer is responsible for both the OS and the MySQL database updates, not just the OS; AWS has no role in updating self-managed database software.

37
MCQmedium

A company generates large log files from its application and stores them in an Amazon S3 bucket. During the first 30 days, logs are frequently accessed for troubleshooting. After 30 days, logs are accessed infrequently (a few times per month). After 90 days, logs are rarely accessed but must be retained for compliance for one year, with retrieval possible within minutes if needed. The company wants to minimize storage costs while meeting these access and retention requirements. Which S3 feature should the company configure?

A.S3 Object Lock
B.S3 Lifecycle policies
C.S3 Transfer Acceleration
D.S3 Replication
AnswerB

S3 Lifecycle policies automate the transition of objects to more cost-effective storage classes (e.g., from Standard to Standard-IA to Glacier Instant Retrieval) as data ages, directly meeting the cost optimization and retention requirements described.

Why this answer

B is correct because S3 Lifecycle policies allow you to define rules that automatically transition objects between storage classes (e.g., from S3 Standard to S3 Standard-IA after 30 days, then to S3 Glacier Instant Retrieval after 90 days) and expire them after one year. This directly matches the access patterns: frequent access for 30 days, infrequent access for the next 60 days, rare access with minute-level retrieval for the remainder of the year, and deletion after compliance retention is met.

Exam trap

The trap here is that candidates may confuse S3 Object Lock (a compliance feature) with lifecycle policies (a cost-optimization feature), or assume that S3 Transfer Acceleration is relevant to storage cost reduction, when it only addresses upload speed.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock is used to enforce a write-once-read-many (WORM) model to prevent object deletion or overwrites for compliance or legal hold, not to automate storage class transitions or cost optimization based on access patterns. Option C is wrong because S3 Transfer Acceleration speeds up uploads over long distances by using AWS edge locations and the AWS global network, but it does not manage storage tiering, retention, or cost reduction for existing objects.

38
MCQeasy

A company currently runs its infrastructure in a colocation data center. The CIO wants to estimate the total cost of ownership (TCO) of migrating the existing workload to AWS, compared to continuing with the on-premises solution. The company has detailed data on current server specifications, power, cooling, and labor costs. Which AWS tool should the company use to perform this analysis?

A.AWS Pricing Calculator
B.AWS Total Cost of Ownership (TCO) Calculator
C.AWS Cost Explorer
D.AWS Budgets
AnswerB

The AWS TCO Calculator is specifically designed to compare the total cost of ownership between on-premises infrastructure and AWS. It incorporates inputs such as server specs, power, cooling, and labor to produce a side-by-side cost comparison.

Why this answer

The AWS Total Cost of Ownership (TCO) Calculator is specifically designed to compare the costs of running infrastructure on-premises versus on AWS. It allows you to input detailed data on server specifications, power, cooling, and labor costs to generate a side-by-side TCO comparison, which directly meets the CIO's requirement.

Exam trap

The trap here is that candidates confuse the AWS Pricing Calculator (which only estimates AWS service costs) with the TCO Calculator (which performs a full on-premises vs. AWS cost comparison), leading them to select the wrong tool for a migration TCO analysis.

How to eliminate wrong answers

Option A is wrong because the AWS Pricing Calculator is used to estimate the cost of AWS services based on usage, not to compare on-premises TCO with AWS. Option C is wrong because AWS Cost Explorer is a tool for analyzing historical AWS spending and usage patterns, not for performing a pre-migration TCO comparison against on-premises costs.

39
MCQmedium

A company stores product images in an Amazon S3 bucket. New images are accessed frequently for the first 30 days, but access drops sharply after that. The company wants to automatically optimize storage costs by moving data between access tiers without any manual intervention or upfront lifecycle policy setup. Which Amazon S3 storage class should the company use to meet these requirements?

A.Amazon S3 Intelligent-Tiering
B.Amazon S3 Standard
C.Amazon S3 One Zone-Infrequent Access
D.Amazon S3 Glacier Deep Archive
AnswerA

Correct. S3 Intelligent-Tiering automatically moves objects between frequent and infrequent access tiers based on changing access patterns, achieving cost optimization without manual lifecycle policies.

Why this answer

Amazon S3 Intelligent-Tiering is the correct choice because it automatically moves objects between three access tiers (frequent, infrequent, and archive instant) based on changing access patterns, with no lifecycle rules required. This meets the requirement of optimizing storage costs for images that are frequently accessed for the first 30 days and then rarely accessed afterward, without any manual intervention or upfront setup.

Exam trap

AWS often tests the misconception that S3 Intelligent-Tiering requires lifecycle policies to be configured, but the key trap here is that candidates may choose S3 Standard-Infrequent Access or Glacier Deep Archive, failing to recognize that Intelligent-Tiering is the only storage class that automatically optimizes costs without any manual or upfront lifecycle setup.

How to eliminate wrong answers

Option B (Amazon S3 Standard) is wrong because it is designed for frequently accessed data and does not automatically transition data to lower-cost tiers, leading to higher costs for data that becomes infrequently accessed. Option C (Amazon S3 One Zone-Infrequent Access) is wrong because it is intended for infrequently accessed data from the start and does not automatically adapt to changing access patterns; it also lacks the multi-AZ resilience needed for this use case. Option D (Amazon S3 Glacier Deep Archive) is wrong because it is meant for long-term archival data with retrieval times of 12 hours or more, and it does not support automatic tiering from a frequently accessed state; it would require manual lifecycle policies to move data into it.

40
Multi-Selectmedium

A company needs to generate detailed AWS billing reports segmented by department. Each department uses distinct AWS accounts under an AWS Organization. Which two mechanisms work together to provide department-level cost allocation?

Select 2 answers
A.AWS Budgets + CloudWatch Billing Alarms
B.AWS Organizations consolidated billing + Cost Explorer grouped by linked account
C.AWS Pricing Calculator + Cost and Usage Report
D.AWS Config + AWS Trusted Advisor
AnswersB, C

Organizations aggregates member account bills into one, while Cost Explorer's 'group by linked account' view shows each department account's contribution — providing department-level cost allocation.

Why this answer

Option B is correct because AWS Organizations consolidated billing aggregates costs from all linked accounts into a single payer account, and Cost Explorer can then group costs by linked account ID. This combination allows the company to view and allocate costs per department, where each department uses a distinct AWS account under the organization.

Exam trap

The trap here is that candidates may confuse cost monitoring tools (like Budgets and Alarms) or configuration tools (like Config and Trusted Advisor) with actual cost allocation and reporting mechanisms, leading them to select options that sound plausible but lack the specific segmentation capability required.

41
MCQeasy

A company wants to purchase and deploy a third-party security software solution (a firewall appliance) directly to their AWS environment, with licensing costs added to their AWS monthly bill. Where can they find and subscribe to this software?

A.AWS Service Catalog
B.AWS Marketplace
C.AWS Partner Network
D.AWS Trusted Advisor
AnswerB

AWS Marketplace is the digital storefront for third-party software and services. Vendors list their products (AMIs, SaaS, professional services), customers subscribe and deploy, and costs are added to the AWS bill.

Why this answer

AWS Marketplace is the correct place to find, subscribe to, and purchase third-party software solutions like a firewall appliance. It allows you to launch the software directly into your AWS environment and have the licensing costs added to your monthly AWS bill through consolidated billing.

Exam trap

The trap here is confusing AWS Marketplace (a digital catalog for third-party software with integrated billing) with AWS Service Catalog (an internal service catalog for approved IT services), leading candidates to incorrectly select Service Catalog for purchasing external software.

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog is used to create and manage a catalog of IT services that are approved for use on AWS, not for purchasing third-party software with marketplace billing. Option C is wrong because the AWS Partner Network (APN) is a global community of partners that provides programs, expertise, and resources, but it is not a storefront for directly subscribing to and purchasing software with AWS billing integration. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance; it does not offer software purchasing or subscription capabilities.

42
MCQmedium

A development team uses AWS developer tools for their entire software delivery process: a Git-based code repository, automated compilation and testing, and automated deployment to EC2 instances. Which combination of AWS services provides these three capabilities?

A.AWS CloudFormation, AWS Elastic Beanstalk, and Amazon EC2
B.Amazon S3, AWS Lambda, and Amazon CloudWatch
C.AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy
D.AWS CodePipeline, Amazon ECR, and Amazon ECS
AnswerC

CodeCommit is a managed Git-based source code repository. CodeBuild compiles code and runs tests. CodeDeploy automates application deployments to EC2, Lambda, and ECS. Together they form a complete CI/CD toolchain.

Why this answer

AWS CodeCommit provides a Git-based code repository for source control. AWS CodeBuild performs automated compilation and testing. AWS CodeDeploy automates deployment to EC2 instances.

Together, these three services directly map to the three capabilities described in the question.

Exam trap

The trap here is that candidates may confuse AWS CodePipeline (a CI/CD orchestrator) with the individual services that actually provide the repository, build, and deployment capabilities, leading them to select Option D instead of the correct combination of CodeCommit, CodeBuild, and CodeDeploy.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an Infrastructure as Code service for provisioning resources, not a code repository or build service; AWS Elastic Beanstalk is a PaaS that automates deployment but does not provide a Git repository or separate build service. Option B is wrong because Amazon S3 is object storage, AWS Lambda is serverless compute, and Amazon CloudWatch is monitoring — none of these provide a Git-based code repository, automated compilation/testing, or deployment to EC2 instances. Option D is wrong because AWS CodePipeline is a CI/CD orchestrator, not a code repository; Amazon ECR is a container registry; Amazon ECS is a container orchestration service — this combination lacks a Git repository and a dedicated build service, and targets containers rather than EC2 instances directly.

43
MCQeasy

Which AWS pricing model provides the largest discount compared to On-Demand pricing in exchange for a 1 or 3-year commitment with full upfront payment?

A.Spot Instances
B.On-Demand Instances
C.Reserved Instances (All Upfront, 3-year)
D.Compute Savings Plans (1-year, No Upfront)
AnswerC

All-upfront 3-year Reserved Instances provide the maximum discount — up to 72% — in exchange for the maximum commitment (payment and duration).

Why this answer

Reserved Instances (All Upfront, 3-year) provide the largest discount compared to On-Demand pricing because the customer commits to a 1- or 3-year term and pays the entire amount upfront, which gives AWS predictable capacity planning and reduces billing overhead. This model can offer discounts of up to 72% off On-Demand rates, significantly more than partial upfront or no upfront options, and is the most cost-effective for steady-state workloads.

Exam trap

The trap here is that candidates often confuse the discount depth of Compute Savings Plans (which are flexible across instance families) with the maximum discount available, overlooking that the 3-year All Upfront Reserved Instance commitment provides the highest percentage discount due to the longest term and full upfront payment.

How to eliminate wrong answers

Option A is wrong because Spot Instances offer discounts of up to 90% but do not require a 1- or 3-year commitment; they are spare capacity that can be reclaimed by AWS with a 2-minute interruption notice, making them unsuitable for the described commitment-based pricing model. Option B is wrong because On-Demand Instances have no upfront payment or term commitment and thus provide no discount compared to themselves; they are the baseline pricing model, not a discounted one. Option D is wrong because Compute Savings Plans (1-year, No Upfront) provide a discount (up to 66%) but require no upfront payment and a shorter 1-year term, resulting in a smaller discount than the 3-year All Upfront Reserved Instance option, which offers the maximum savings.

44
MCQeasy

AWS builds and operates large physical data centres and uses virtualisation to serve thousands of customers simultaneously on shared hardware while keeping each customer's data logically isolated. Which cloud computing characteristic does this describe?

A.On-demand self-service
B.Measured service
C.Resource pooling
D.Rapid elasticity
AnswerC

Resource pooling is the cloud characteristic where the provider's resources are pooled to serve multiple customers simultaneously using virtualisation and multi-tenancy, with each customer's data remaining logically isolated.

Why this answer

Resource pooling is the correct answer because AWS uses virtualization to aggregate physical hardware from its data centers into a shared pool of compute, storage, and network resources that can be dynamically assigned and reassigned to multiple customers. Each customer's data remains logically isolated through hypervisor-level isolation (e.g., using Xen or Nitro hypervisors), but the underlying hardware is shared, which is the essence of resource pooling as defined by NIST SP 800-145.

Exam trap

The trap here is that candidates confuse resource pooling with rapid elasticity, because both involve dynamic allocation, but resource pooling is about the shared infrastructure model, while rapid elasticity is about the speed of scaling resources up or down.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources automatically without requiring human interaction with the service provider, not the sharing of physical hardware. Option B is wrong because measured service involves metering resource usage (e.g., CPU hours, GB-months) for billing and monitoring, not the multi-tenant sharing of infrastructure. Option D is wrong because rapid elasticity describes the ability to scale resources up or out quickly and automatically in response to demand, not the underlying multi-tenant architecture.

45
MCQmedium

A gaming company launches a new online multiplayer game. During peak hours (evenings and weekends), the player count spikes dramatically, requiring dozens of Amazon EC2 instances to handle the load. During off-peak hours, the player count drops to near zero. The company configures an Amazon EC2 Auto Scaling group that automatically adds instances when CPU utilization exceeds 70% and removes instances when utilization drops below 30%. Which characteristic of cloud computing does this configuration best demonstrate?

A.High availability
B.Elasticity
C.Fault tolerance
D.Global reach
AnswerB

Elasticity is the cloud computing characteristic that allows resources to be provisioned and de-provisioned automatically to match changing demand. The Auto Scaling configuration that adds and removes EC2 instances based on CPU utilization directly illustrates this concept.

Why this answer

Elasticity is the ability of a cloud system to automatically scale resources up or down based on demand. In this scenario, the Auto Scaling group dynamically adds EC2 instances when CPU utilization exceeds 70% and removes them when it drops below 30%, directly matching the fluctuating player load. This demonstrates elasticity because resources are provisioned and de-provisioned in real-time to match the exact workload, minimizing cost during low usage and ensuring performance during spikes.

Exam trap

The trap here is that candidates often confuse elasticity with high availability, but elasticity is specifically about scaling resources to match demand, while high availability is about maintaining uptime through redundancy and failover mechanisms.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring the system remains operational despite failures (e.g., using multiple Availability Zones), not on dynamically adjusting capacity based on load. Option C is wrong because fault tolerance is the ability to continue operating without interruption when a component fails (e.g., using redundant instances or failover), not the automatic scaling of resources in response to demand. Option D is wrong because global reach refers to deploying resources across multiple geographic regions to serve a worldwide user base, not to the automatic scaling of instances within a single region based on CPU utilization.

46
MCQmedium

A company uses multiple AWS accounts and wants to enforce cost governance. The company needs to set a monthly cost budget of $10,000 for each account. When an account's actual or forecasted costs exceed this budget, the company wants to automatically apply a restrictive IAM policy that prevents the creation of new resources in that account. Additionally, the company wants to receive an email notification when the budget is exceeded. Which AWS feature should the company use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost Anomaly Detection
D.AWS Trusted Advisor
AnswerB

AWS Budgets enables you to set custom budgets for costs or usage and configure budget actions that automatically enforce policies or send notifications when the budget is exceeded. This directly meets the requirement for automated application of a restrictive IAM policy and email alerts.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets, and when actual or forecasted costs exceed the budget threshold, it can trigger actions such as applying an IAM policy to restrict resource creation and sending SNS-based email notifications. This directly meets the requirement for automated enforcement and alerting per account.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer's reporting capabilities with the automated enforcement and notification features that only AWS Budgets provides.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visualization and analysis of historical cost data but cannot trigger automated actions like applying IAM policies or sending notifications. Option C is wrong because AWS Cost Anomaly Detection uses machine learning to detect unusual spending patterns but does not support setting fixed monthly budgets or applying IAM policies. Option D is wrong because AWS Trusted Advisor offers best-practice checks and recommendations but does not provide budget-based threshold actions or automated IAM policy enforcement.

47
MCQmedium

A company uses a variety of AWS services and wants to automatically detect unexpected cost spikes that might indicate resource misuse, billing errors, or unauthorized activity. The company needs a managed service that uses machine learning to analyze spending patterns and provide alerts when costs deviate from expected trends. The finance team does not want to manually define thresholds for every service. Which AWS service should the finance team use?

A.AWS Cost Anomaly Detection
B.AWS Budgets
C.AWS Cost Explorer
D.AWS Trusted Advisor
AnswerA

This service uses machine learning to continuously monitor cost and usage patterns, detect anomalies based on historical baselines, and send alerts. It matches the requirement for automatic, threshold-free anomaly detection.

Why this answer

AWS Cost Anomaly Detection is a managed service that uses machine learning to continuously monitor your cost and usage patterns, automatically detecting anomalous spending without requiring manual threshold definitions. It analyzes historical data to establish a baseline and alerts you when costs deviate from expected trends, making it ideal for identifying unexpected spikes from resource misuse, billing errors, or unauthorized activity.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which requires manual thresholds) with a proactive ML-based anomaly detection service, leading them to choose Budgets because they think 'alerts' automatically imply anomaly detection.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it requires you to manually set fixed cost or usage thresholds and does not use machine learning to automatically detect anomalies based on spending patterns. Option C (AWS Cost Explorer) is wrong because it is a visualization and analysis tool for exploring historical cost data, not a proactive anomaly detection service that uses ML to alert on unexpected deviations. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, security, and performance, but it does not analyze spending patterns with ML or alert on cost anomalies.

48
MCQmedium

A company runs a data processing job once per month. The job takes approximately 3 hours to complete when run on a single server. The company wants to minimize operational overhead and pay only for the compute time used during the job. The job does not require user interaction and must be able to automatically retry if a task fails. Which AWS service should the company use?

A.AWS Lambda
B.AWS Batch
C.Amazon EC2
D.AWS Elastic Beanstalk
AnswerB

Correct. AWS Batch is a fully managed service that enables you to run batch computing workloads of any scale. It automatically provisions compute resources (e.g., Amazon EC2 instances or AWS Fargate), schedules jobs, and retries failed tasks. You only pay for the compute resources consumed, and there is no need to manage underlying servers.

Why this answer

AWS Batch is designed for batch computing workloads that run to completion without user interaction. It automatically provisions the necessary compute resources (e.g., EC2 instances or Fargate), scales them to zero when idle, and provides built-in retry logic for failed tasks. This matches the requirement of a monthly 3-hour job with minimal operational overhead and pay-per-use billing.

Exam trap

The trap here is that candidates may choose AWS Lambda for its serverless and pay-per-use model, overlooking the hard 15-minute execution limit that makes it unsuitable for long-running batch jobs.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes per invocation, which cannot accommodate a 3-hour job. Option C is wrong because Amazon EC2 requires manual provisioning, scaling, and management of instances, increasing operational overhead and requiring payment for idle time if not carefully stopped. Option D is wrong because AWS Elastic Beanstalk is a PaaS service for deploying web applications, not optimized for long-running batch jobs, and it lacks native retry logic for task failures.

49
MCQmedium

A company wants to deploy their application globally and needs AWS to automatically route users to the nearest healthy application endpoint with improved network performance. Which AWS service uses the AWS global network backbone for routing optimization?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 with latency routing
D.Amazon VPC peering
AnswerB

Global Accelerator routes traffic into the AWS network at the nearest edge location, then uses AWS's congestion-free backbone to the endpoint — improving performance for TCP/UDP applications beyond what CloudFront provides.

Why this answer

AWS Global Accelerator uses the AWS global network backbone to optimize the path from users to applications. It routes traffic over the AWS internal network rather than the public internet, improving performance and reliability. It also automatically directs users to the nearest healthy endpoint, meeting the requirement for global deployment with automatic failover.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's edge caching with Global Accelerator's network-layer routing, but CloudFront is for content delivery and does not optimize TCP/UDP traffic routing to application endpoints using the AWS global backbone.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations, but it does not route traffic to application endpoints—it serves cached content or proxies requests to an origin, and it does not provide the same TCP/UDP optimization or static IP addresses for application routing. Option C is wrong because Amazon Route 53 with latency routing directs users based on DNS resolution, which can be affected by DNS caching and does not use the AWS global network backbone for real-time traffic optimization; it also does not provide static IP addresses or health-check-driven endpoint routing at the network layer. Option D is wrong because Amazon VPC peering connects two VPCs within the same or different AWS regions using the AWS network, but it is not a global traffic routing service for users on the internet and does not automatically route users to the nearest healthy endpoint.

50
MCQeasy

A startup founder is evaluating whether to build their own data center or use AWS. Which cloud benefit eliminates the need for guessing future infrastructure requirements and making large upfront investments?

A.Stop spending money running and maintaining data centers
B.Trade capital expense for variable expense and stop guessing capacity
C.Benefit from massive economies of scale
D.Increase speed and agility for innovation
AnswerB

Cloud computing converts large upfront hardware investment to pay-per-use operational expense, while on-demand provisioning eliminates over-provisioning and capacity planning guesswork.

Why this answer

Option B is correct because it directly addresses the startup founder's concern about eliminating the need to guess future infrastructure requirements and make large upfront investments. AWS's pay-as-you-go model allows you to trade capital expense (upfront hardware costs) for variable expense (paying only for what you use), and you no longer have to predict capacity needs—you can scale up or down based on actual demand. This is a core pillar of the AWS Well-Architected Framework's Cost Optimization pillar.

Exam trap

The trap here is that candidates often confuse 'stop spending money running data centers' (Option A) with the specific financial and capacity-planning benefit described, but the question explicitly asks about eliminating the need to guess capacity and make large upfront investments, which is uniquely addressed by the 'trade capital expense for variable expense' concept.

How to eliminate wrong answers

Option A is wrong because while AWS does eliminate the need to run and maintain physical data centers, this benefit focuses on operational overhead reduction, not on eliminating the need to guess future capacity or avoid large upfront investments. Option C is wrong because economies of scale refer to AWS's ability to offer lower prices due to its massive aggregated usage, but this does not directly address the startup's specific concern about capacity guessing and upfront capital. Option D is wrong because increased speed and agility refers to the ability to rapidly provision resources and experiment, which is a separate benefit from the financial and capacity-planning flexibility described in the question.

51
MCQmedium

A media company processes user-uploaded images. When a user uploads a high-resolution image to an Amazon S3 bucket, the company must automatically generate three resized thumbnail versions (small, medium, large) within seconds. The company wants a solution that requires no infrastructure management and scales automatically to handle thousands of concurrent uploads. Which AWS service should the company use to execute the thumbnail generation code?

A.Run the thumbnailing code on Amazon EC2 instances behind an Application Load Balancer
B.AWS Lambda
C.Amazon ECS with AWS Fargate launch type
D.AWS Elastic Beanstalk
AnswerB

AWS Lambda is a serverless function-as-a-service (FaaS) platform that runs code in response to events and automatically manages the underlying compute resources. It can be directly triggered by S3 bucket notifications (e.g., s3:ObjectCreated events). Lambda scales instantly to handle the upload volume and requires no server provisioning, making it ideal for this workload.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that executes code in response to S3 events (e.g., object creation) without provisioning or managing servers. It scales automatically to handle thousands of concurrent uploads, and the 15-minute execution timeout is sufficient for generating three thumbnail versions within seconds. This meets the requirement for no infrastructure management and automatic scaling.

Exam trap

The trap here is that candidates may choose Amazon ECS with Fargate (Option C) thinking it is the only serverless container option, but they overlook that Lambda is purpose-built for short-lived, event-driven tasks like image processing and requires no cluster or task definition management, making it the simpler and more cost-effective choice for this use case.

How to eliminate wrong answers

Option A is wrong because running EC2 instances behind an ALB requires manual management of server capacity, scaling policies, and infrastructure, which violates the 'no infrastructure management' requirement. Option C is wrong because Amazon ECS with Fargate, while serverless, still requires cluster configuration, task definition management, and is overkill for simple event-driven thumbnail generation; it also incurs higher latency for short-lived tasks compared to Lambda. Option D is wrong because Elastic Beanstalk abstracts infrastructure but still manages underlying EC2 instances and requires environment configuration, scaling policies, and is not designed for event-driven, sub-second execution triggered by S3 uploads.

52
MCQmedium

A company has workloads that must remain on-premises due to data residency regulations but want to use the same AWS APIs, tools, and services they use in the cloud — including EC2, RDS, and S3 — on their on-premises hardware. Which AWS service enables this?

A.AWS Direct Connect
B.AWS Snow Family
C.AWS Outposts
D.AWS Local Zones
AnswerC

AWS Outposts delivers fully managed AWS racks to customer on-premises facilities. AWS manages the hardware, and customers run native AWS services (EC2, EBS, EKS, RDS) using standard AWS APIs on-premises.

Why this answer

AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to virtually any on-premises data center or co-location space. It allows customers to run EC2, RDS, and S3 locally on Outposts hardware while maintaining the same AWS control plane and APIs, satisfying data residency requirements without sacrificing cloud-native tooling.

Exam trap

The trap here is that candidates confuse AWS Outposts with AWS Local Zones or Direct Connect, mistakenly thinking that a network connection or edge location alone provides the same on-premises service compatibility, when only Outposts actually runs the AWS infrastructure on customer-owned hardware.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, but it does not provide local compute or storage services; it only improves network latency and reliability. Option B is wrong because the AWS Snow Family (Snowcone, Snowball, Snowmobile) is used for physical data transport and edge computing in disconnected or limited-connectivity environments, not for running persistent workloads with full AWS API compatibility on customer premises. Option D is wrong because AWS Local Zones are extensions of an AWS Region that place compute, storage, and database services closer to end users, but they are still AWS-managed infrastructure in AWS data centers, not on customer premises.

53
MCQmedium

Which AWS service provides centralized governance and compliance across multiple AWS accounts in an organization?

A.AWS IAM
B.AWS Config
C.AWS Organizations
D.Amazon Macie
AnswerC

AWS Organizations provides centralized multi-account governance, SCPs, and consolidated billing.

Why this answer

AWS Organizations is the correct service because it provides centralized governance and compliance across multiple AWS accounts by enabling you to create a hierarchy of accounts with Service Control Policies (SCPs) that centrally control permissions. SCPs allow you to enforce compliance rules, such as restricting the use of specific AWS services or regions, across all accounts in the organization without requiring individual account-level configuration.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation capabilities with centralized governance, but AWS Config is a detective service that reports on compliance after resources are created, whereas AWS Organizations provides preventive governance through SCPs that block non-compliant actions before they occur.

How to eliminate wrong answers

Option A is wrong because AWS IAM is an identity and access management service that controls permissions for individual users, groups, and roles within a single AWS account, not across multiple accounts in an organization. Option B is wrong because AWS Config is a service that evaluates and records resource configurations for compliance within individual accounts or across accounts via aggregators, but it does not provide centralized governance or policy enforcement across accounts—it is a detective tool, not a preventive one. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data in Amazon S3, and it does not provide governance or compliance controls across multiple accounts.

54
MCQmedium

A company hosts a web application on Amazon EC2 instances in two AWS Regions: us-east-1 and eu-west-1. The application serves a global user base. The company wants to improve performance by directing users to the nearest healthy regional endpoint with minimal latency. Additionally, the company requires two static Anycast IP addresses that remain constant, representing the application entry point. The solution should automatically reroute traffic if a regional endpoint becomes unhealthy. Which AWS service should the company use?

A.AWS Global Accelerator
B.Amazon CloudFront
C.Amazon Route 53
D.AWS Shield
AnswerA

AWS Global Accelerator uses the global AWS network to direct traffic to the nearest healthy endpoint via static Anycast IP addresses. It improves performance for global users by minimizing latency and provides automatic failover. This matches all requirements.

Why this answer

AWS Global Accelerator is correct because it uses the AWS global network and Anycast static IP addresses to route user traffic to the nearest healthy regional endpoint (EC2 instances in us-east-1 or eu-west-1). It automatically reroutes traffic if an endpoint becomes unhealthy, providing low latency and high availability for global users.

Exam trap

The trap here is that candidates often confuse Global Accelerator with CloudFront or Route 53, thinking DNS-based routing or CDN caching can provide static Anycast IPs and instant failover, but only Global Accelerator offers fixed Anycast addresses with automatic traffic rerouting at the network layer.

How to eliminate wrong answers

Option B (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations and does not provide static Anycast IP addresses as a fixed entry point; it uses DNS-based routing and domain names. Option C (Amazon Route 53) is wrong because Route 53 is a DNS service that resolves domain names to IP addresses using policies like latency-based routing, but it does not provide static Anycast IP addresses and relies on DNS caching, which can introduce latency and does not offer the same level of immediate traffic rerouting as Global Accelerator.

55
MCQmedium

A multinational corporation has a policy that all cloud resources must be provisioned through a centralized IT team. This has caused delays, as developers sometimes wait days for a test environment to be created. The company wants to migrate to AWS to allow individual project teams to provision their own resources (such as Amazon EC2 instances and Amazon S3 buckets) directly through the AWS Management Console or API, without any manual approval process from IT. Which characteristic of cloud computing does this desired capability best represent?

A.High availability
B.Elasticity
C.On-demand self-service
D.Resource pooling
AnswerC

On-demand self-service is a core cloud characteristic where users can provision and manage computing resources without requiring human interaction from the service provider. This directly matches the company's goal of allowing teams to create resources through the AWS Management Console or API without waiting for IT approval.

Why this answer

Option C is correct because the scenario describes developers provisioning AWS resources (EC2 instances, S3 buckets) directly via the AWS Management Console or API without requiring IT approval. This is the core definition of on-demand self-service, one of the five essential characteristics of cloud computing as defined by NIST SP 800-145: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Exam trap

The trap here is that candidates often confuse on-demand self-service with elasticity, because both involve rapid provisioning, but elasticity specifically refers to scaling up/down based on load, not the removal of human approval for initial resource creation.

How to eliminate wrong answers

Option A is wrong because high availability refers to systems that are continuously operational for a desirably long length of time, often achieved through redundancy across multiple Availability Zones; it does not address the ability to provision resources without manual approval. Option B is wrong because elasticity is the ability to automatically scale resources up or down based on demand, not the capability to provision resources on-demand without human intervention. Option D is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand; it does not relate to the self-service provisioning workflow described.

56
MCQmedium

A financial services company stores sensitive transaction data in Amazon S3. The company must encrypt the data at rest using keys that are stored in a hardware security module (HSM) validated under FIPS 140-2 Level 3. Additionally, the company requires full control over the key lifecycle, including rotation and deletion, and AWS must not have any access to the keys. Which AWS service should the company use to generate and store the encryption keys?

A.AWS Key Management Service (KMS) with a customer managed key
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Certificate Manager (ACM)
AnswerB

AWS CloudHSM provides dedicated HSMs that are FIPS 140-2 Level 3 validated. Customers have full control over the HSMs and the keys stored inside them, including the ability to rotate and delete keys. AWS cannot access the keys because the HSMs are dedicated to the customer and managed by the customer.

Why this answer

AWS CloudHSM is the correct choice because it provides dedicated hardware security modules (HSMs) that are validated under FIPS 140-2 Level 3, allowing you to generate and store encryption keys entirely within the HSM. With CloudHSM, AWS has no access to your keys, and you retain full control over key lifecycle operations such as rotation and deletion, meeting the strict compliance and security requirements of the financial services company.

Exam trap

The trap here is that candidates often confuse AWS KMS customer managed keys with full customer control, but KMS still allows AWS to manage the underlying HSM infrastructure and does not meet FIPS 140-2 Level 3 requirements, whereas CloudHSM provides exclusive customer control and a higher validation level.

How to eliminate wrong answers

Option A is wrong because AWS KMS with a customer managed key does not use a dedicated HSM that is FIPS 140-2 Level 3 validated; KMS uses FIPS 140-2 Level 2 validated HSMs, and AWS retains the ability to manage and access the underlying key material. Option C is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (like database credentials), not for generating or storing encryption keys in a dedicated HSM, and it does not provide FIPS 140-2 Level 3 validation or full customer control over key lifecycle. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy SSL/TLS certificates, not for generating or storing encryption keys for S3 data at rest, and it does not offer FIPS 140-2 Level 3 HSM-based key storage.

57
MCQmedium

A company wants to deploy AWS services in a specific geographic location within a metropolitan area to reduce latency for end users in that city, while still using standard AWS APIs. Which AWS infrastructure type addresses this?

A.AWS Outposts
B.AWS Local Zones
C.CloudFront Edge Locations
D.AWS Wavelength Zones
AnswerB

Local Zones extend AWS infrastructure to metropolitan areas for ultra-low latency (<10ms) applications, using standard AWS APIs and connecting to the parent Region.

Why this answer

AWS Local Zones are an infrastructure type that places compute, storage, and other select AWS services closer to end users in a specific metropolitan area, enabling single-digit millisecond latency for latency-sensitive applications while using the same AWS APIs and tools as in an AWS Region. This directly meets the requirement of reducing latency within a city without requiring custom APIs or on-premises hardware.

Exam trap

The trap here is that candidates confuse AWS Local Zones with CloudFront Edge Locations, assuming both provide compute and storage for general workloads, but CloudFront Edge Locations are limited to caching and content delivery, not full AWS service deployment.

How to eliminate wrong answers

Option A is wrong because AWS Outposts is a fully managed service that extends AWS infrastructure, services, and APIs to on-premises or co-location facilities, not to a specific geographic location within a metropolitan area for latency reduction. Option C is wrong because CloudFront Edge Locations are content delivery network (CDN) points of presence that cache static and dynamic content for low-latency delivery, but they do not run compute or storage services with standard AWS APIs for deploying arbitrary workloads. Option D is wrong because AWS Wavelength Zones embed AWS compute and storage services at the edge of 5G telecommunications networks, targeting ultra-low-latency mobile and IoT applications, not general-purpose deployment in a metropolitan area using standard internet connectivity.

58
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application normally handles 1,000 requests per second, but occasionally experiences unpredictable spikes of up to 10,000 requests per second for a few minutes. The Auto Scaling group is configured with a maximum capacity of 2,000 instances, which is insufficient to handle the spikes. The company must ensure that no requests are lost during these spikes without requiring manual scaling. Which solution should the company implement?

A.Configure an Amazon CloudFront distribution in front of the ALB to cache responses and absorb the spike.
B.Use an Amazon SQS queue between the ALB and the EC2 instances to decouple the request flow and buffer excess requests.
C.Enable Amazon EC2 Auto Scaling with predictive scaling to forecast and pre-provision capacity for the spikes.
D.Register additional EC2 instances in an on-premises data center as targets for the ALB and use manual failover.
AnswerB

Amazon SQS is a fully managed message queuing service that can decouple application components. By placing an SQS queue between the ALB and the EC2 instances, incoming requests are stored as messages. The instances process messages at their own pace, buffering the excess during spikes. This ensures no requests are lost even when the spike exceeds the Auto Scaling group's maximum capacity.

Why this answer

Option B is correct because an Amazon SQS queue decouples the ALB from the EC2 instances, allowing the ALB to offload excess requests into the queue during traffic spikes. The EC2 instances then process messages from the queue at their own pace, ensuring no requests are lost even if the spike exceeds the Auto Scaling group's maximum capacity. This buffering mechanism handles unpredictable bursts without requiring manual intervention or pre-provisioning.

Exam trap

The trap here is that candidates often assume CloudFront can absorb any traffic spike, but it only helps with cacheable content and does not prevent request loss for dynamic, uncacheable workloads.

How to eliminate wrong answers

Option A is wrong because CloudFront caches static or dynamic content at edge locations, but it cannot absorb unpredictable spikes of dynamic web requests that must be processed by the backend; it only reduces load on the origin for cacheable content, and if the spike consists of uncacheable requests, the ALB and EC2 instances still face the full load. Option C is wrong because predictive scaling relies on historical patterns to forecast capacity, but the spikes are unpredictable and occasional, so predictive scaling cannot accurately pre-provision instances for events that have no consistent trend, and it cannot exceed the maximum capacity of 2,000 instances.

59
MCQmedium

Which statement accurately describes the relationship between AWS Regions and Availability Zones?

A.Each Availability Zone contains multiple Regions
B.Each Region is a single large data center
C.Each Region contains multiple Availability Zones connected with low-latency networking
D.Availability Zones in the same Region share the same power infrastructure
AnswerC

Regions are geographic areas with typically 3+ AZs, each AZ being physically isolated data centers interconnected with high-bandwidth, low-latency private fiber within the Region.

Why this answer

Option C is correct because an AWS Region is a geographical area that consists of multiple, isolated Availability Zones (AZs), each containing one or more data centers. These AZs within a Region are connected via redundant, low-latency networking (typically less than 2 milliseconds round-trip time) to enable high availability and fault tolerance for applications.

Exam trap

The trap here is that candidates often confuse Regions with Availability Zones, mistakenly thinking a Region is a single data center or that AZs share critical infrastructure like power, when in fact AWS deliberately isolates them to ensure fault tolerance.

How to eliminate wrong answers

Option A is wrong because it reverses the relationship: an Availability Zone does not contain multiple Regions; rather, each Region contains multiple Availability Zones. Option B is wrong because a Region is not a single large data center; it is a collection of multiple, physically separate Availability Zones, each with one or more data centers. Option D is wrong because Availability Zones in the same Region are designed with independent power infrastructure (including separate power grids and backup generators) to prevent a single point of failure from affecting multiple AZs.

60
MCQmedium

A healthcare company is required to encrypt all protected health information (PHI) stored in Amazon S3. The company must maintain control over the encryption keys, rotate them annually, and log all key usage. Which AWS service or feature should they use to meet these requirements?

A.Amazon S3 server-side encryption with Amazon S3-managed keys (SSE-S3)
B.AWS Key Management Service (AWS KMS) with customer managed keys
C.Amazon S3 server-side encryption with customer-provided keys (SSE-C)
D.AWS Certificate Manager (ACM)
AnswerB

With customer managed keys in AWS KMS, the company has full control over the encryption keys, can set automatic key rotation, and can audit key usage through AWS CloudTrail. This matches all stated requirements.

Why this answer

AWS KMS with customer managed keys is correct because it allows the healthcare company to maintain full control over the encryption keys, enforce annual rotation (via automatic or manual key rotation), and log all key usage through AWS CloudTrail. This meets the compliance requirements for protecting PHI in S3 while retaining key management authority.

Exam trap

The trap here is that candidates often confuse SSE-S3 (which is simpler but lacks key control and logging) with the required key management and audit capabilities, or they mistakenly think ACM can be used for S3 encryption when it only handles transport layer security.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon-managed keys, meaning the company cannot control or rotate the keys themselves, and key usage is not logged in CloudTrail. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys outside of AWS, which does not integrate with AWS KMS for rotation or CloudTrail logging of key usage. Option D is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for HTTPS, not encryption of data at rest in S3.

61
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The operations team runs hundreds of Amazon EC2 instances across these accounts for various applications. The security team requires that all EC2 instances be patched with the latest security updates within 7 days of release. Currently, the operations team manually applies patches by logging into each account and using Systems Manager Patch Manager individually. The team wants to centralize patch compliance management so that a single operations team can define patch baselines, schedule patching, and view compliance status across all accounts from a single pane of glass, without needing to switch between accounts. Which AWS service or feature should the team use to meet these requirements?

A.AWS Config
B.Amazon Inspector
C.AWS Systems Manager Patch Manager
D.AWS Trusted Advisor
AnswerC

AWS Systems Manager Patch Manager automates the process of patching managed instances. With cross-account support via AWS Organizations and IAM roles, it allows you to define a single patch baseline, schedule patching across multiple accounts, and view aggregated compliance status in the Systems Manager console.

Why this answer

AWS Systems Manager Patch Manager is the correct choice because it allows the operations team to centrally define patch baselines, schedule patching across multiple AWS accounts, and view compliance status from a single pane of glass using AWS Systems Manager Quick Setup or multi-account management features. By integrating with AWS Organizations, Patch Manager can target EC2 instances across all accounts without requiring the team to switch between accounts, meeting the requirement for centralized patch compliance management.

Exam trap

The trap here is that candidates may confuse Amazon Inspector's vulnerability scanning with actual patch management, but Inspector only identifies vulnerabilities and does not apply patches, whereas Patch Manager is the service designed for centralized patching and compliance reporting.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies (e.g., checking if EC2 instances have a specific tag or security group rule), but it does not have the ability to define patch baselines, schedule patching, or apply patches to EC2 instances; it only provides compliance visibility for configuration rules, not patch management. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances for software vulnerabilities and unintended network exposure, but it does not perform patching or schedule patch operations; it only identifies vulnerabilities and generates findings, leaving the actual patching to another service like Patch Manager.

62
MCQmedium

A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?

A.Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS)
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-Side Encryption using an on-premises key management system
AnswerC

Correct. SSE-C allows you to provide your own encryption key with each request. AWS uses the key to encrypt/decrypt the data but does not store the key. This meets the compliance requirement that keys are managed entirely by the customer and are never stored by the cloud provider.

Why this answer

SSE-C allows the customer to provide their own encryption keys for server-side encryption of S3 objects. The customer manages the keys entirely, and AWS does not store or manage them, meeting the compliance requirement that encryption keys must never be stored or managed by the cloud provider.

Exam trap

The trap here is that candidates often choose SSE-KMS (Option B) thinking 'customer managed keys' means the customer fully controls the keys, but AWS KMS still stores and manages the key material, which violates the policy that keys must never be stored or managed by the cloud provider.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, where AWS manages the encryption keys, violating the policy that keys must not be stored or managed by the cloud provider. Option B is wrong because SSE-KMS with customer managed keys still stores and manages the keys within AWS KMS, which is a managed service by AWS, thus not meeting the requirement that keys must never be stored or managed by the cloud provider. Option D is wrong because client-side encryption encrypts data before it is sent to S3, but the question specifies encryption at rest in S3, and the compliance policy requires keys to be managed entirely by the customer; while client-side encryption does use customer-managed keys, it is not a server-side encryption option and does not address the requirement for encryption at rest within S3 itself.

63
MCQmedium

A company needs to allow inbound HTTPS traffic (port 443) to their EC2 web servers while blocking all other inbound traffic. The solution should be stateful — return traffic for allowed inbound connections should automatically be permitted without additional rules. Which AWS feature provides this?

A.Network Access Control Lists (NACLs)
B.AWS WAF rules
C.Security groups
D.VPC route tables
AnswerC

Security groups are stateful firewalls applied at the instance level. An inbound rule allowing port 443 automatically allows the corresponding return traffic. Only the allowed inbound connections need to be specified.

Why this answer

Security groups act as a stateful virtual firewall for EC2 instances. When you allow inbound HTTPS traffic on port 443, the security group automatically tracks the connection state and permits the corresponding outbound return traffic without requiring an explicit outbound rule. This stateful behavior is inherent to security groups and is the correct choice for the described requirement.

Exam trap

The trap here is that candidates often confuse the stateless nature of Network ACLs with the stateful behavior of security groups, assuming NACLs automatically permit return traffic, which they do not.

How to eliminate wrong answers

Option A is wrong because Network ACLs are stateless, meaning you must explicitly define both inbound and outbound rules to allow return traffic; they do not automatically permit response traffic. Option B is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS requests at the application layer (Layer 7) and does not control network-level stateful traffic filtering or port-based access. Option D is wrong because VPC route tables control the path of network traffic (routing) between subnets and gateways, not the filtering or stateful tracking of individual connections.

64
MCQmedium

An e-commerce company runs a MySQL database on-premises to support its transactional workload. The company plans to migrate this database to AWS to reduce operational overhead. The company requires a fully managed database solution that automatically replicates data across multiple Availability Zones to provide failover in the event of an Availability Zone failure. The company does not want to manage database patching, backup scheduling, or replication. Which AWS service should the company use to meet these requirements?

A.Amazon DynamoDB
B.Amazon RDS with Multi-AZ deployment
C.Amazon EC2 with a self-managed MySQL installation
D.Amazon Redshift
AnswerB

Amazon RDS with Multi-AZ deployment is the correct choice. RDS provides a fully managed relational database service compatible with MySQL. Multi-AZ creates a synchronous standby replica in a different Availability Zone, ensuring automatic failover if the primary instance fails. RDS also automates patching, backups, and replication, meeting all stated requirements.

Why this answer

Amazon RDS with Multi-AZ deployment is the correct choice because it provides a fully managed MySQL database that automatically replicates data synchronously across multiple Availability Zones, enabling automatic failover in the event of an AZ failure. AWS handles patching, backup scheduling, and replication management, meeting the company's requirement to reduce operational overhead.

Exam trap

The trap here is that candidates may confuse Amazon DynamoDB's built-in Multi-AZ replication with the requirement for a MySQL relational database, or assume that a self-managed EC2 instance can meet the 'fully managed' requirement by using additional services like Auto Scaling.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational MySQL database, and it does not support the MySQL engine or SQL queries required for the transactional workload. Option C is wrong because Amazon EC2 with a self-managed MySQL installation requires the company to manually manage patching, backup scheduling, replication, and failover, which contradicts the requirement for a fully managed solution. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical workloads, not for transactional MySQL workloads, and it does not provide automatic Multi-AZ failover for MySQL databases.

65
MCQmedium

A company runs hundreds of Amazon EC2 instances for its application. The operations team manually reviews instance utilization metrics once a month to identify instances that are over-provisioned (e.g., using only 10% of CPU) or under-provisioned. They want to automate this analysis and receive rightsizing recommendations to optimize costs and performance. The solution must be natively provided by AWS and must use historical utilization data to generate recommendations. Which AWS service should the company use?

A.AWS Compute Optimizer
B.AWS Trusted Advisor
C.AWS Cost Explorer
D.AWS Systems Manager
AnswerA

Correct. AWS Compute Optimizer uses machine learning to analyze historical utilization metrics and provides actionable rightsizing recommendations for EC2 instances, Auto Scaling groups, and EBS volumes, exactly matching the company's need for automated optimization.

Why this answer

AWS Compute Optimizer is the correct choice because it is a native AWS service that uses machine learning to analyze historical utilization metrics (such as CPU, memory, and network) across EC2 instances and automatically generates rightsizing recommendations. It specifically identifies over-provisioned and under-provisioned instances to optimize both cost and performance, meeting the requirement for automated analysis based on historical data.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's cost optimization checks with detailed rightsizing recommendations, but Trusted Advisor does not analyze historical utilization data or provide instance-specific rightsizing suggestions like Compute Optimizer does.

How to eliminate wrong answers

Option B (AWS Trusted Advisor) is wrong because it provides general best-practice checks (e.g., security, cost optimization, service limits) but does not analyze historical utilization data to generate specific EC2 rightsizing recommendations; its cost optimization checks are high-level and not based on detailed historical metrics. Option C (AWS Cost Explorer) is wrong because it focuses on visualizing and analyzing cost and usage data over time, not on providing rightsizing recommendations based on resource utilization; it lacks the machine learning-driven analysis of instance performance metrics that Compute Optimizer offers.

66
MCQmedium

A company runs a web application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The application serves dynamic content that changes frequently, but also serves static assets (CSS, JavaScript, images) that change rarely. The company wants to improve the overall performance and reduce the load on the EC2 instances by caching the static assets at edge locations while still routing dynamic requests to the ALB. Which combination of AWS services should the company use?

A.Use Amazon CloudFront with the ALB as the origin, and configure CloudFront to cache the static assets while forwarding dynamic requests to the ALB.
B.Use Amazon Route 53 with latency-based routing to direct users to the closest ALB endpoint.
C.Use Amazon S3 to host the entire application, and use the ALB to route traffic to the S3 bucket.
D.Use AWS Global Accelerator to distribute traffic across multiple ALBs in different AWS Regions.
AnswerA

CloudFront acts as a CDN and can be configured with multiple cache behaviors. Static assets are cached at edge locations, reducing the load on the ALB and EC2 instances. Dynamic requests are forwarded to the ALB as needed. This directly meets the company's requirements.

Why this answer

Amazon CloudFront can be configured with the ALB as the origin, allowing it to cache static assets (CSS, JavaScript, images) at edge locations while forwarding dynamic requests to the ALB. This reduces latency for users by serving cached content from the nearest edge location and offloads the EC2 instances from handling repeated requests for static files. CloudFront supports path-based caching behaviors, so you can define specific URL patterns (e.g., /static/*) to cache and others to forward directly to the ALB.

Exam trap

The trap here is that candidates may think Route 53 latency-based routing (Option B) can cache content at edge locations, but Route 53 is a DNS service only and does not provide any caching or content delivery functionality.

How to eliminate wrong answers

Option B is wrong because Route 53 latency-based routing directs users to the closest ALB endpoint, but it does not cache static assets at edge locations or reduce load on EC2 instances; it only optimizes network routing. Option C is wrong because hosting the entire application on S3 would not support dynamic content that changes frequently, as S3 is a static object store and cannot process server-side logic or database queries; the ALB cannot route traffic to an S3 bucket as an origin for dynamic requests.

67
MCQmedium

A company is developing a real-time multiplayer game that requires extremely low latency (under 10ms) for player interactions. The game will be accessed by mobile users on 5G networks in select metropolitan areas. The company wants to run the game server logic as close to the users as possible, leveraging the low latency of 5G and avoiding the round trip to an AWS Region. Which AWS service should the company use to deploy the game server compute at the edge of the 5G network?

A.AWS Outposts
B.AWS Local Zones
C.AWS Wavelength
D.AWS Global Accelerator
AnswerC

AWS Wavelength is the correct choice. It embeds AWS compute and storage at the edge of 5G networks, directly within the mobile network operator's data centers. This enables developers to build applications that require ultra-low latency (single-digit milliseconds) for mobile devices on 5G, ideal for real-time gaming.

Why this answer

AWS Wavelength is designed specifically to bring AWS compute and storage services to the edge of 5G networks, embedding AWS infrastructure within telecommunications providers' data centers. This enables sub-10ms latency for mobile users by eliminating the round trip to a regional AWS Region, making it ideal for real-time multiplayer game server logic on 5G.

Exam trap

The trap here is that candidates confuse AWS Local Zones with Wavelength, but Local Zones reduce latency only to ~10-20ms from a nearby metro area, not the sub-10ms edge latency achievable only by embedding compute inside the 5G carrier's network via Wavelength.

How to eliminate wrong answers

Option A is wrong because AWS Outposts is a fully managed service that extends AWS infrastructure on-premises, but it is not embedded within a 5G carrier's network edge and does not provide the sub-10ms latency required for mobile users on 5G. Option B is wrong because AWS Local Zones place compute resources closer to end users than a standard Region, but they are still located in metropolitan areas outside of telecom carrier edge sites, adding latency that exceeds the 10ms requirement for 5G real-time gaming.

68
MCQmedium

A media company runs a website that serves video content globally. Users request video previews, which require the generation of thumbnail images on-the-fly. The company wants to generate these thumbnails at AWS edge locations so that the processing occurs close to users, reducing latency and offloading the origin servers. The solution must run custom code in response to CloudFront events without provisioning any servers. Which AWS service should the company use to meet these requirements?

A.AWS Lambda
B.AWS Lambda@Edge
C.Amazon EC2 instances in an Auto Scaling group
D.Amazon ElastiCache
AnswerB

AWS Lambda@Edge is a feature of Amazon CloudFront that runs Lambda functions at AWS edge locations in response to CloudFront events. It is serverless, scales automatically, and is ideal for processing content close to users, such as on-the-fly thumbnail generation.

Why this answer

AWS Lambda@Edge is the correct service because it allows you to run custom code in response to CloudFront events (such as viewer request, origin request, viewer response, and origin response) at AWS edge locations, enabling on-the-fly thumbnail generation close to users without provisioning any servers. This reduces latency and offloads origin servers, meeting the requirement for serverless edge processing.

Exam trap

The trap here is that candidates often confuse standard AWS Lambda with Lambda@Edge, assuming Lambda can run at edge locations, but standard Lambda is region-bound and cannot intercept CloudFront events at the edge.

How to eliminate wrong answers

Option A is wrong because AWS Lambda functions run in a specific AWS Region, not at edge locations, so they cannot process requests close to users globally to reduce latency for CloudFront events. Option C is wrong because Amazon EC2 instances require provisioning and managing servers, which violates the requirement of not provisioning any servers, and they cannot run at edge locations natively. Option D is wrong because Amazon ElastiCache is a caching service that does not run custom code in response to CloudFront events, nor does it process thumbnail generation at edge locations.

69
MCQmedium

A company needs to synchronize data in real time between its on-premises Oracle database and an Amazon RDS MySQL instance during a migration. Which AWS service handles ongoing data replication between heterogeneous databases?

A.AWS DataSync
B.AWS Database Migration Service (DMS)
C.AWS Snowball
D.Amazon Kinesis Data Streams
AnswerB

DMS handles both full-load migration and continuous change data capture (CDC) replication between heterogeneous databases, supporting live cutover with minimal downtime.

Why this answer

AWS Database Migration Service (DMS) is the correct choice because it supports ongoing replication (change data capture, CDC) from an on-premises Oracle database to an Amazon RDS MySQL instance, even when the source and target are heterogeneous database engines. DMS uses a replication instance to read the source database's transaction logs and apply changes in near real time to the target, making it ideal for continuous synchronization during a migration.

Exam trap

The trap here is that candidates confuse AWS DataSync (file sync) or Kinesis (streaming) with database replication, but only DMS provides native support for ongoing, heterogeneous database replication using CDC.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is designed for file-based data transfers (e.g., NFS, SMB) between on-premises storage and AWS, not for database-level replication or heterogeneous database synchronization. Option C is wrong because AWS Snowball is a physical data transport device used for large-scale offline data migration, not for real-time or ongoing replication between databases. Option D is wrong because Amazon Kinesis Data Streams is a real-time streaming service for ingesting and processing large streams of data records (e.g., log events, IoT telemetry), not for direct database-to-database replication with change data capture.

70
MCQeasy

Which AWS service helps customers understand the compliance programs that AWS has been validated against, such as PCI DSS, HIPAA, and SOC 2?

A.AWS Trusted Advisor
B.AWS Config
C.AWS Artifact
D.AWS Security Hub
AnswerC

AWS Artifact provides self-service download of AWS compliance reports (SOC, PCI, ISO, HIPAA) and agreements (NDA, BAA) for customer audit needs.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS’s compliance reports, such as PCI DSS, HIPAA, and SOC 2, as well as the AWS Service Organization Controls (SOC) reports. It allows customers to download and review the specific certifications and attestations that AWS has been validated against, directly supporting audit and compliance needs.

Exam trap

The trap here is that candidates often confuse services that help with internal compliance posture (like AWS Config or Security Hub) with the service that provides AWS’s own third-party compliance certifications, leading them to pick a wrong answer that sounds compliance-related but does not deliver the actual audit reports.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory tool that inspects your AWS environment and provides recommendations to optimize cost, performance, security, and fault tolerance—it does not provide compliance program validation reports. Option B is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies (e.g., using AWS Config rules), but it does not host or deliver third-party compliance attestations like PCI DSS or SOC reports. Option D is wrong because AWS Security Hub aggregates security findings from multiple AWS services and third-party tools, providing a centralized view of security alerts and compliance status based on standards like CIS, but it does not provide the underlying compliance program validation documents that AWS itself has been audited against.

71
MCQmedium

A mid-size company is planning to migrate its IT infrastructure to the AWS Cloud. The Chief Information Officer (CIO) expresses concern that multiple customers' virtual servers might run on the same physical hardware, potentially increasing the risk of data exposure. Which cloud computing characteristic describes this shared infrastructure model, where computing resources are pooled to serve multiple customers using a multi-tenant model?

A.On-demand self-service
B.Resource pooling
C.Measured service
D.Broad network access
AnswerB

Resource pooling is the cloud characteristic where the provider's computing resources are pooled to serve multiple customers using a multi-tenant model. This directly addresses the CIO's concern about shared physical hardware, and AWS implements strong isolation mechanisms to prevent data exposure.

Why this answer

Resource pooling is the correct answer because it directly describes the multi-tenant model where the provider's computing resources (such as physical servers, storage, and network) are pooled to serve multiple customers. In AWS, this is achieved through hypervisor-level isolation (e.g., Xen or Nitro hypervisors) that allows multiple virtual servers (EC2 instances) to run on the same physical host while maintaining strict memory and I/O separation, preventing data exposure between tenants.

Exam trap

The trap here is that candidates often confuse resource pooling with multi-tenancy as a security risk, but AWS's shared responsibility model and hypervisor isolation ensure that resource pooling does not inherently increase data exposure risk.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to the ability for users to provision resources automatically without human interaction, not the shared infrastructure model. Option C is wrong because measured service involves metering and billing for resource usage (e.g., per-hour or per-GB charges), not the pooling of resources across customers. Option D is wrong because broad network access describes the ability to access resources over the network via standard protocols (e.g., HTTPS, SSH), not the multi-tenant sharing of physical hardware.

72
MCQmedium

A company runs a web application that accepts customer orders. During peak hours, the order processing component often becomes overloaded, causing orders to be dropped. The company wants to ensure that every order is reliably stored and processed, and that the web tier and the processing tier can scale independently without losing data. Which AWS service should the company use to decouple the application components and provide a durable buffer for incoming orders?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerA

Amazon SQS is a message queue service that reliably stores messages until they are consumed. It decouples the web tier from the processing tier, buffers orders during spikes, and ensures no orders are lost. This makes it the correct choice for this scenario.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed, durable, and scalable message queue that decouples the web tier from the processing tier. Orders are reliably stored in an SQS queue until the processing component retrieves them, ensuring no orders are dropped even during peak loads. SQS guarantees at-least-once delivery and supports independent scaling of producers and consumers without data loss.

Exam trap

The trap here is that candidates confuse SQS with SNS, thinking both can decouple components, but SNS pushes messages and lacks a durable buffer, while SQS stores messages until consumers retrieve them, making it the correct choice for reliable order processing.

How to eliminate wrong answers

Option B (Amazon Simple Notification Service) is wrong because SNS is a pub/sub messaging service that pushes messages to subscribers, but it does not provide a durable buffer or allow consumers to pull messages at their own pace; if a subscriber is unavailable, messages can be lost. Option C (Amazon Kinesis Data Streams) is wrong because it is designed for real-time streaming of large volumes of data (e.g., log ingestion, clickstreams) and requires shard-level management, making it overly complex and costly for simple order buffering; it also does not guarantee exactly-once processing without additional logic. Option D (AWS Step Functions) is wrong because it is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message buffer; it lacks the durable, decoupled queueing mechanism needed to absorb spikes in order volume.

73
MCQmedium

A company needs to run a data processing job that typically takes 2 hours to complete. The job is stateless and can be parallelized across multiple workers. The company wants to minimize operational overhead and only pay for the compute time consumed. The job runs only once a month. Which AWS compute service should the company use?

A.AWS Lambda
B.Amazon EC2 Spot Instances
C.AWS Fargate
D.AWS Batch
AnswerD

AWS Batch is purpose-built for batch computing. It automatically provisions the required compute resources (including Spot Instances) based on job requirements, manages job queues, retries, and dependencies. The company pays only for the underlying compute resources consumed. This combination of minimal operational overhead and pay-per-use pricing makes AWS Batch the best fit for this scenario.

Why this answer

AWS Batch is the correct choice because it is designed for running batch computing workloads that are stateless, parallelizable, and can run on a schedule. It automatically provisions and manages the underlying compute resources (EC2 or Fargate), scales to the required number of workers, and only charges for the compute time consumed. The 2-hour, once-a-month job fits perfectly within AWS Batch's capabilities, and it minimizes operational overhead by handling job queuing, retries, and dependency management.

Exam trap

The trap here is that candidates often choose AWS Lambda for any serverless or 'pay-per-use' scenario, forgetting its hard 15-minute timeout limit, or they pick Fargate thinking it handles batch jobs natively, when in fact AWS Batch is the dedicated service for batch computing with built-in scheduling and scaling.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes, which is far less than the required 2-hour job duration. Option B is wrong because Amazon EC2 Spot Instances require manual provisioning, scaling, and management of instances, which increases operational overhead and does not natively handle job scheduling or parallelization. Option C is wrong because AWS Fargate is a serverless compute engine for containers, but it lacks native batch job scheduling, queue management, and automatic parallelization features that AWS Batch provides; you would need to build additional orchestration logic.

74
MCQeasy

Which Amazon EC2 instance family is optimized for memory-intensive workloads such as in-memory databases, real-time big data analytics, and high-performance computing?

A.Compute-optimized instances (C family)
B.Memory-optimized instances (R and X family)
C.Storage-optimized instances (I and D family)
D.Accelerated computing instances (P and G family)
AnswerB

Memory-optimized instances provide large amounts of RAM for workloads that need to process large datasets in memory — up to 24 TB of RAM for high-memory instances.

Why this answer

Memory-optimized instances (R and X families) are designed for workloads that require large amounts of RAM and high memory bandwidth, such as in-memory databases (e.g., Redis, Memcached), real-time big data analytics (e.g., Apache Spark), and high-performance computing (HPC) tasks. These instances offer a high memory-to-vCPU ratio and support for large instance sizes, enabling efficient processing of data sets that reside primarily in memory.

Exam trap

The trap here is that candidates often confuse 'high-performance computing' with compute-optimized instances, but in the context of memory-intensive HPC (e.g., large-scale simulations or in-memory analytics), the bottleneck is memory capacity and bandwidth, not CPU speed, making memory-optimized instances the correct choice.

How to eliminate wrong answers

Option A is wrong because compute-optimized instances (C family) are optimized for high compute power and are best suited for CPU-intensive workloads like batch processing, web servers, and gaming servers, not for memory-intensive tasks. Option C is wrong because storage-optimized instances (I and D families) are designed for workloads that require high, sequential read/write access to large data sets on local storage, such as data warehousing and log processing, not for memory-bound applications. Option D is wrong because accelerated computing instances (P and G families) are optimized for hardware acceleration using GPUs or FPGAs, targeting workloads like machine learning, graphics rendering, and scientific simulations, not general memory-intensive processing.

75
MCQeasy

Which AWS service provides a low-code platform for building mobile and web applications with built-in backend features including authentication, storage, and APIs?

A.AWS AppRunner
B.Amazon Honeycode
C.AWS Amplify
D.AWS Elastic Beanstalk
AnswerC

Amplify provides libraries, UI components, and pre-built backend categories (Auth, Storage, API, Analytics) for building full-stack web and mobile applications.

Why this answer

AWS Amplify is the correct answer because it is a dedicated low-code/frontend development platform that provides built-in backend features such as authentication (via Amazon Cognito), storage (via Amazon S3), and GraphQL/REST APIs (via AWS AppSync and API Gateway). It allows developers to quickly build mobile and web applications without managing infrastructure, directly matching the question's description.

Exam trap

The trap here is that candidates may confuse AWS Amplify with AWS AppRunner or Elastic Beanstalk because all three can deploy web applications, but only Amplify provides the low-code, integrated backend services (auth, storage, APIs) specifically for mobile and web frontend development.

How to eliminate wrong answers

Option A is wrong because AWS AppRunner is a fully managed container service for deploying containerized web applications and APIs, not a low-code platform with built-in authentication, storage, and API features. Option B is wrong because Amazon Honeycode is a no-code spreadsheet-like tool for building simple business applications, but it does not provide the mobile/web app development framework or the specific backend services (e.g., Cognito, AppSync) described. Option D is wrong because AWS Elastic Beanstalk is a PaaS service for deploying and scaling traditional web applications using common programming languages (Java, .NET, PHP, etc.), not a low-code platform with pre-built authentication and storage features.

Page 1 of 14

Page 2