AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 676750

1024 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQmedium

A security engineer needs to apply network traffic filtering rules at the subnet level rather than the instance level. The solution must be stateless and must explicitly define both inbound and outbound rules, including allowing return traffic. Which AWS feature provides subnet-level stateless traffic control?

A.Security groups
B.Network Access Control Lists (NACLs)
C.AWS WAF
D.VPC route tables
AnswerB

NACLs are applied at the subnet level and are stateless — each packet is evaluated against the rules independently. Both inbound and outbound rules must explicitly allow traffic, including return traffic for connections initiated from inside the subnet.

Why this answer

Network Access Control Lists (NACLs) are the correct choice because they operate at the subnet level, are stateless (meaning they do not automatically allow return traffic), and require explicit inbound and outbound rules. This matches the requirement for stateless traffic filtering where both directions must be defined separately, including rules for return traffic.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with NACLs (stateless, subnet-level), forgetting that the stateless requirement explicitly demands separate inbound and outbound rules for return traffic.

How to eliminate wrong answers

Option A is wrong because security groups are stateful and operate at the instance level, not the subnet level; they automatically allow return traffic, which violates the stateless requirement. Option C is wrong because AWS WAF is a web application firewall that protects against web exploits at the application layer (HTTP/HTTPS), not a subnet-level network traffic filter. Option D is wrong because VPC route tables control the path of network traffic (routing) between subnets and gateways, not traffic filtering or access control.

677
MCQmedium

A company runs a customer-facing web application with an Amazon RDS database. Initially, the database is deployed as a single instance in one Availability Zone (AZ). A power outage occurs in that AZ, causing the database to become unavailable for several hours. After the incident, the company modifies the database to use a Multi-AZ configuration. Shortly after the change, another power outage affects the same primary AZ. This time, the database automatically fails over to the standby instance in the other AZ without any manual intervention, and the application remains available. Which cloud computing concept does this scenario best demonstrate?

A.Elasticity
B.Fault tolerance
C.Scalability
D.Resource pooling
AnswerB

Fault tolerance is the correct concept. The Multi-AZ RDS configuration allows the database to automatically fail over to a standby instance in a different Availability Zone when the primary fails. This ensures continuous operation despite a component failure, which is the definition of fault tolerance.

Why this answer

Fault tolerance is the ability of a system to continue operating without interruption when one or more of its components fail. In this scenario, the Multi-AZ RDS deployment automatically failed over to a standby instance in a different Availability Zone when the primary AZ experienced a power outage, ensuring the application remained available without manual intervention. This demonstrates fault tolerance because the system was designed to withstand the failure of an entire AZ and continue functioning.

Exam trap

The trap here is that candidates often confuse fault tolerance with high availability or elasticity, but fault tolerance specifically implies zero downtime during a failure, whereas high availability may involve a brief interruption, and elasticity is about scaling, not failure recovery.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to survive failures; the scenario describes a failover event, not a scaling event. Option C is wrong because scalability is the ability to handle increased load by adding resources, whereas the scenario focuses on maintaining availability during a failure, not on handling more traffic. Option D is wrong because resource pooling is a multi-tenant model where computing resources are pooled to serve multiple customers, which is unrelated to the failover behavior described.

678
MCQmedium

A company runs a web application across multiple Amazon EC2 instances that are distributed across several Availability Zones. The application needs to share a common set of configuration files and static assets that must be accessible concurrently and consistently from all instances. The company wants a fully managed, scalable file storage solution that does not require provisioning or managing underlying storage hardware. Which AWS service should the company use?

A.Amazon Elastic File System (EFS)
B.Amazon Elastic Block Store (EBS)
C.Amazon Simple Storage Service (S3)
D.Amazon Relational Database Service (RDS)
AnswerA

Correct. Amazon EFS provides a fully managed NFS file system that can be mounted on multiple EC2 instances across multiple Availability Zones simultaneously. It scales automatically and is designed for high availability and durability, making it ideal for shared file access.

Why this answer

Amazon EFS provides a fully managed, scalable, and shared file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones. It uses the NFSv4.1 protocol, ensuring consistent access to configuration files and static assets without any provisioning or management of underlying storage hardware.

Exam trap

The trap here is that candidates often confuse Amazon S3's object storage capabilities with a shared file system, overlooking that S3 does not support POSIX file locking or concurrent mount-based access required for shared configuration files across EC2 instances.

How to eliminate wrong answers

Option B is wrong because Amazon EBS provides block-level storage volumes that can only be attached to a single EC2 instance in a specific Availability Zone, and it does not support concurrent access from multiple instances across zones. Option C is wrong because Amazon S3 is an object storage service accessed via HTTP/HTTPS APIs, not a file system that can be mounted directly as a shared drive with POSIX-style file locking and concurrent read/write consistency required for shared configuration files.

679
MCQmedium

A company is deploying a web application on AWS. The application will run on multiple Amazon EC2 instances distributed across two Availability Zones. An Application Load Balancer will distribute incoming traffic across the instances. The company's primary goal is to ensure the application remains available to users even if one Availability Zone experiences a service disruption. Which cloud computing concept does this architecture primarily demonstrate?

A.Elasticity
B.Scalability
C.High availability
D.Fault tolerance
AnswerC

High availability ensures that applications remain operational with minimal downtime by using redundant components across multiple Availability Zones and a load balancer. This directly matches the company's goal of remaining available even if one zone fails. This option is correct.

Why this answer

This architecture demonstrates high availability because it uses multiple EC2 instances across two Availability Zones with an Application Load Balancer to distribute traffic. If one AZ fails, the load balancer automatically routes traffic to the healthy instances in the other AZ, ensuring the application remains accessible. High availability focuses on minimizing downtime by eliminating single points of failure through redundancy.

Exam trap

The trap here is that candidates confuse high availability with elasticity or scalability, but the key differentiator is that high availability focuses on redundancy and fault tolerance to prevent downtime, not on dynamic resource adjustment or handling increased load.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to maintain uptime during an AZ failure. Option B is wrong because scalability is the capacity to handle increased load by adding resources, whereas the scenario specifically addresses fault tolerance and continuous availability during a disruption.

680
MCQmedium

A company wants to protect their web application from common Layer 7 attacks and also implement rate limiting to prevent API abuse. Which AWS service provides both capabilities?

A.AWS Shield Standard
B.AWS WAF
C.Security Groups
D.Amazon GuardDuty
AnswerB

WAF provides Layer 7 web protection with managed rule groups (OWASP Top 10, bot control) and rate-based rules that block IPs exceeding configurable request thresholds.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common Layer 7 attacks such as SQL injection and cross-site scripting (XSS). It also supports rate-based rules that automatically block requests from a client IP when the request rate exceeds a defined threshold, enabling API abuse prevention. This makes AWS WAF the correct choice for both capabilities.

Exam trap

The trap here is that candidates often confuse AWS Shield (which handles network-layer DDoS) with AWS WAF (which handles application-layer filtering and rate limiting), leading them to select AWS Shield Standard despite it lacking Layer 7 inspection and rate control capabilities.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides protection against Layer 3 and Layer 4 DDoS attacks (e.g., SYN floods, UDP reflection) and does not include Layer 7 attack filtering or rate limiting. Option C is wrong because Security Groups act as a stateful firewall at the instance level (Layer 3/4) and cannot inspect application-layer payloads or enforce rate-based rules. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not actively block attacks or provide rate limiting at the application layer.

681
MCQhard

A company has 10 EC2 On-Demand instances running. They purchase a 1-year Compute Savings Plan for a commitment equivalent to 6 instances. What happens to the remaining 4 instances' cost?

A.The remaining 4 instances are free since the Savings Plan covers all usage
B.The remaining 4 instances are charged at On-Demand rates
C.The remaining 4 instances are charged at Spot Instance rates
D.AWS suspends the 4 excess instances to enforce the Savings Plan limit
AnswerB

Savings Plans apply the discount to eligible usage up to the hourly commitment. Usage exceeding the commitment is charged at On-Demand rates — the Savings Plan doesn't cover it.

Why this answer

A Compute Savings Plan applies to any EC2 instance usage up to the committed hourly amount (in this case, equivalent to 6 instances). Usage beyond that commitment is charged at standard On-Demand rates. Therefore, the remaining 4 instances are billed at On-Demand prices because the Savings Plan does not cover usage exceeding the commitment.

Exam trap

The trap here is that candidates often assume a Savings Plan covers all usage or that AWS will automatically adjust pricing or terminate instances to enforce the plan, when in reality AWS simply bills excess usage at On-Demand rates without any service disruption.

How to eliminate wrong answers

Option A is wrong because a Savings Plan does not make all usage free; it only applies a discounted rate up to the committed amount, and any excess usage is charged at On-Demand rates. Option C is wrong because Spot Instance rates are only applicable to Spot Instances, which are not automatically applied to On-Demand instances; the Savings Plan does not convert excess On-Demand instances to Spot pricing. Option D is wrong because AWS does not suspend or terminate instances to enforce a Savings Plan limit; it simply bills any usage beyond the commitment at standard On-Demand rates.

682
MCQmedium

A company runs a critical web application on a single Amazon EC2 instance in a single Availability Zone. The company wants to design the architecture so that the application continues to operate even if the physical server hosting the instance fails. Which AWS Cloud concept does this design objective primarily address?

A.Elasticity
B.Scalability
C.Fault tolerance
D.Cost optimization
AnswerC

Fault tolerance is the correct concept. The objective is to remain operational despite a hardware failure. AWS supports this by allowing resources to be deployed across multiple isolated Availability Zones, so a failure in one zone does not affect instances in another.

Why this answer

Fault tolerance is the correct concept because the design objective is to ensure continuous operation despite the failure of a physical server hosting the EC2 instance. This is achieved by deploying the application across multiple Availability Zones (AZs) using an Auto Scaling group and an Elastic Load Balancer, so that if one instance or AZ fails, traffic is automatically routed to healthy instances in another AZ. The scenario explicitly focuses on surviving infrastructure failure, which is the core definition of fault tolerance.

Exam trap

The trap here is that candidates often confuse fault tolerance with high availability (HA), but the question specifically asks for the concept that ensures operation despite a physical server failure, which is fault tolerance, not just HA.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to survive a physical server failure. Option B is wrong because scalability is the capability to handle increased load by adding resources, which does not inherently ensure continued operation during a failure.

683
MCQmedium

A company needs to monitor their application's performance and identify bottlenecks by tracing requests as they travel through multiple AWS services and microservices. Which AWS service provides distributed tracing?

A.Amazon CloudWatch
B.AWS CloudTrail
C.AWS X-Ray
D.AWS Config
AnswerC

X-Ray traces requests end-to-end through distributed applications, creating service maps that show request flows and identifying latency bottlenecks across microservices.

Why this answer

AWS X-Ray is the correct service because it is specifically designed for distributed tracing, allowing you to trace requests end-to-end as they travel through AWS services and microservices. It provides a service map, traces, and annotations to identify performance bottlenecks and debug errors across distributed applications.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs or CloudTrail with distributed tracing, but X-Ray is the only service that provides trace-level visibility across multiple services and microservices.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it does not provide distributed tracing or trace individual requests across services. Option B is wrong because AWS CloudTrail records API calls for auditing and governance, not for tracing request flows or performance analysis. Option D is wrong because AWS Config evaluates resource configurations and compliance, not request tracing or performance monitoring.

684
MCQmedium

A company has been running multiple workloads on AWS for the past six months. The finance team needs to analyze historical spending to identify month-over-month trends by AWS service and by individual linked accounts. The team requires a graphical, interactive tool that allows them to apply custom date ranges and filters, and view the results as customizable charts and graphs. Which AWS service should the finance team use to meet this requirement?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Consolidated Billing
AnswerB

AWS Cost Explorer provides an intuitive graphical interface to explore and visualize AWS costs and usage over time. You can filter by service, linked account, region, and more, and create custom reports for month-over-month trend analysis. This makes it the correct choice for historical spending analysis.

Why this answer

AWS Cost Explorer provides a graphical interface with pre-built charts and graphs that allow users to visualize historical spending trends. It supports filtering by AWS service and linked accounts, and enables custom date ranges for month-over-month analysis, making it the correct choice for the finance team's requirements.

Exam trap

The trap here is that candidates may confuse AWS Budgets' alerting capabilities with Cost Explorer's analytical features, or assume Trusted Advisor's cost optimization checks include historical trend visualization, when in fact only Cost Explorer provides the required interactive graphical analysis.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is designed for setting spending limits and sending alerts when thresholds are exceeded, not for analyzing historical spending trends with interactive charts and graphs. Option C is wrong because AWS Trusted Advisor provides recommendations for cost optimization, performance, security, and fault tolerance, but it does not offer customizable, graphical historical spending analysis by service or linked account.

685
MCQeasy

Which Amazon S3 feature protects against accidental deletion by maintaining multiple versions of every object in a bucket?

A.S3 Replication
B.S3 Versioning
C.S3 Object Lock
D.S3 Lifecycle policies
AnswerB

S3 Versioning keeps every version of every object — deletions create delete markers, preserving previous versions that can be recovered at any time.

Why this answer

S3 Versioning is the correct answer because it is the specific S3 feature designed to protect against accidental deletion by preserving multiple versions of every object in a bucket. When versioning is enabled, deleting an object does not permanently remove it; instead, S3 inserts a delete marker, and the previous versions remain recoverable. This directly addresses the scenario of preventing permanent data loss from accidental deletions.

Exam trap

The trap here is that candidates often confuse S3 Object Lock with versioning because both involve protection, but Object Lock prevents overwrites and deletions via legal holds or retention periods, not by maintaining a version history for recovery from accidental deletion.

How to eliminate wrong answers

Option A is wrong because S3 Replication (Cross-Region or Same-Region) asynchronously copies objects to a destination bucket for redundancy or compliance, but it does not maintain multiple versions of the same object within the source bucket to protect against accidental deletion. Option C is wrong because S3 Object Lock enforces a write-once-read-many (WORM) model to prevent objects from being deleted or overwritten for a fixed retention period, but it does not inherently maintain multiple versions of every object; it works with versioning but is not the feature that provides version history. Option D is wrong because S3 Lifecycle policies automate the transition or expiration of objects based on age or other rules, but they do not create or maintain multiple versions; in fact, they can permanently delete older versions if configured to do so.

686
MCQhard

According to the AWS Well-Architected Framework, which pillar focuses on the ability to run workloads effectively, gain insight into operations, and continuously improve processes?

A.Reliability
B.Performance Efficiency
C.Operational Excellence
D.Sustainability
AnswerC

Operational Excellence covers running workloads effectively and continuously improving operations.

Why this answer

Operational Excellence is the AWS Well-Architected pillar that focuses on running and monitoring workloads to deliver business value, and on continually improving processes and procedures. It includes the ability to run workloads effectively, gain operational insight through metrics and logs (e.g., Amazon CloudWatch, AWS CloudTrail), and use runbooks and automation (e.g., AWS Systems Manager) to continuously improve. This directly matches the question's description of running workloads effectively, gaining insight into operations, and continuously improving processes.

Exam trap

AWS often tests candidates by making them confuse Operational Excellence with Reliability, because both involve 'running workloads,' but Reliability is about fault tolerance and recovery, not about gaining insight or improving processes.

How to eliminate wrong answers

Option A is wrong because Reliability focuses on a workload's ability to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues—not on operational insight or process improvement. Option B is wrong because Performance Efficiency focuses on using computing resources efficiently to meet system requirements, and maintaining that efficiency as demand changes and technologies evolve—it does not address gaining operational insight or continuously improving processes. Option D is wrong because Sustainability focuses on minimizing the environmental impact of running cloud workloads, including energy consumption and efficiency across compute, storage, and networking—it does not cover operational insight or process improvement.

687
MCQmedium

A company manages 20 AWS accounts and wants employees to log in once with their corporate Active Directory credentials and then access any of their authorised AWS accounts without re-entering credentials for each account. Which AWS service provides this centralised single sign-on capability?

A.AWS Directory Service
B.Amazon Cognito
C.AWS IAM Identity Center
D.AWS Control Tower
AnswerC

IAM Identity Center provides a single sign-on portal where employees authenticate once with corporate credentials and then access any of their authorised AWS accounts. It integrates with Active Directory and other SAML 2.0 identity providers.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides centralized single sign-on (SSO) across multiple AWS accounts and business applications. It integrates with an external identity provider (IdP) such as Active Directory via SAML 2.0 or SCIM, allowing users to authenticate once with their corporate credentials and then access any authorized AWS account without re-entering credentials.

Exam trap

The trap here is that candidates often confuse AWS Directory Service (which provides the directory itself) with the SSO service that uses that directory for cross-account access, leading them to pick Option A instead of the correct IAM Identity Center.

How to eliminate wrong answers

Option A is wrong because AWS Directory Service provides managed Microsoft Active Directory in the cloud, but it does not natively offer SSO across multiple AWS accounts; it requires additional configuration with IAM Identity Center or a federation proxy. Option B is wrong because Amazon Cognito is designed for customer-facing identity and access management for web and mobile apps, not for workforce SSO across AWS accounts. Option D is wrong because AWS Control Tower is a governance and orchestration service for setting up and managing a multi-account AWS environment, but it does not provide SSO capabilities; it relies on IAM Identity Center for identity federation.

688
MCQmedium

A consulting firm has a global team of consultants who frequently travel to client sites. The firm hosts its critical business applications on AWS. The consultants need to access these applications from various locations (hotels, airports, client offices) using a variety of devices, including company laptops, personal smartphones, and tablets. They connect using standard web browsers and internet connections. This ability to access the same cloud resources from anywhere using different devices is an example of which essential characteristic of cloud computing?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerB

Broad network access means that resources are available over the network and can be accessed by standard mechanisms from any heterogeneous client platform (e.g., mobile phones, tablets, laptops). This matches the scenario where multiple types of devices access the applications from various locations.

Why this answer

The scenario describes consultants accessing the same cloud-hosted applications from different locations (hotels, airports, client offices) using various devices (laptops, smartphones, tablets) over standard internet connections. This directly matches the 'broad network access' characteristic, which means resources are available over the network and can be accessed by heterogeneous client platforms (e.g., mobile phones, laptops, workstations) using standard protocols (HTTP/HTTPS, TLS).

Exam trap

The trap here is that candidates confuse 'broad network access' (access from anywhere using standard protocols) with 'on-demand self-service' (the ability to provision resources without human intervention), because both involve user-initiated actions, but the former is about network reachability and device heterogeneity, while the latter is about automated resource provisioning.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (e.g., spin up EC2 instances) automatically without requiring human interaction with the service provider, not the ability to access applications from multiple devices. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned to serve multiple customers, not the client-side access flexibility. Option D is wrong because rapid elasticity is the ability to scale resources up or down quickly in response to demand (e.g., auto-scaling groups), not the capability to access the same application from different devices and locations.

689
MCQeasy

Which AWS storage service is designed for shared file storage accessible simultaneously by multiple EC2 instances using the NFS protocol?

A.Amazon EBS
B.Amazon S3
C.Amazon EFS
D.Amazon FSx for Windows File Server
AnswerC

EFS is a managed NFS file system that can be mounted by multiple EC2 instances across multiple AZs simultaneously, with automatic scaling from gigabytes to petabytes.

Why this answer

Amazon EFS (Elastic File System) is a fully managed, scalable NFS file system that can be mounted concurrently on multiple EC2 instances. It uses the NFSv4.1 protocol, enabling shared access across Availability Zones and instances, which is exactly what the question describes.

Exam trap

The trap here is that candidates confuse EBS (block storage) with a shared file system, not realizing that EBS volumes are single-instance attached by default, while EFS is purpose-built for multi-instance NFS access.

How to eliminate wrong answers

Option A is wrong because Amazon EBS provides block-level storage volumes that can be attached to only one EC2 instance at a time (unless using a multi-attach EBS, which is limited to specific instance types and does not use NFS). Option B is wrong because Amazon S3 is an object storage service accessed via HTTP/HTTPS APIs, not a file system that supports the NFS protocol or concurrent mounting as a shared file system. Option D is wrong because Amazon FSx for Windows File Server uses the SMB protocol, not NFS, and is designed for Windows-based workloads.

690
MCQmedium

A company runs containerised microservices using Amazon ECS. The operations team wants to stop managing EC2 instances, including patching and capacity planning for the container hosts. Which option allows them to run containers on ECS without managing servers?

A.Run ECS tasks on On-Demand EC2 instances
B.Use AWS Fargate as the ECS launch type
C.Use AWS Lambda to run the containers
D.Run ECS tasks on Reserved EC2 instances
AnswerB

Fargate removes the need to manage EC2 instances. The team defines CPU and memory requirements for each container, and AWS provisions and manages the underlying compute automatically.

Why this answer

AWS Fargate is a serverless compute engine for containers that works with Amazon ECS. When you use Fargate as the launch type, you no longer need to provision, patch, or manage EC2 instances; AWS handles the underlying infrastructure, including capacity planning and OS patching. This directly meets the operations team's requirement to stop managing servers.

Exam trap

The trap here is that candidates often confuse the pricing model (Reserved Instances) with the compute management model, or they think Lambda can fully replace ECS for containerised microservices, not realising Fargate is the serverless compute option specifically designed for ECS.

How to eliminate wrong answers

Option A is wrong because running ECS tasks on On-Demand EC2 instances still requires you to manage the EC2 instances themselves, including patching and capacity planning. Option C is wrong because AWS Lambda is designed for short-running, event-driven functions, not for running containerised microservices as a general-purpose compute platform; while Lambda supports container images, it has strict timeout (15 minutes) and resource limits that make it unsuitable for typical long-running microservices. Option D is wrong because Reserved EC2 instances are a pricing model for EC2, not a launch type; they still require you to manage the underlying EC2 instances, including patching and capacity planning.

691
MCQmedium

A company currently pays $50,000/month for on-premises infrastructure. They project that running the equivalent workload on AWS will cost $35,000/month including all data transfer. What is the annual AWS cost savings?

A.$15,000
B.$180,000
C.$420,000
D.$600,000
AnswerB

Monthly savings: $50,000 - $35,000 = $15,000. Annual savings: $15,000 × 12 months = $180,000.

Why this answer

The monthly cost savings are $50,000 - $35,000 = $15,000. Annualizing this gives $15,000 × 12 = $180,000. Option B is correct because it correctly multiplies the monthly savings by 12 to compute the annual savings.

Exam trap

The trap here is that candidates often confuse monthly savings with annual savings, or mistakenly calculate the annual cost of one environment instead of the difference, leading them to pick Option A, C, or D.

How to eliminate wrong answers

Option A is wrong because it represents the monthly savings ($15,000) rather than the annual savings, failing to multiply by 12. Option C is wrong because it incorrectly calculates annual savings as $35,000 × 12 = $420,000, which is the annual AWS cost, not the savings. Option D is wrong because it incorrectly calculates annual savings as $50,000 × 12 = $600,000, which is the annual on-premises cost, not the savings.

692
MCQeasy

Which AWS service makes it easy for developers to create, publish, and manage APIs that act as the front door for applications to access backend services?

A.Amazon CloudFront
B.Elastic Load Balancing
C.Amazon API Gateway
D.AWS App Runner
AnswerC

API Gateway is the managed API platform for creating REST, HTTP, and WebSocket APIs with authentication, throttling, monitoring, and versioning built in.

Why this answer

Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a front door for applications to access backend services such as AWS Lambda, Amazon EC2, or any publicly accessible web endpoint, handling all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls.

Exam trap

The trap here is that candidates often confuse Amazon API Gateway with Elastic Load Balancing because both can route traffic to backend services, but ELB lacks API-specific features like API key management, request/response transformation, and usage plans that are central to API lifecycle management.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers static and dynamic content at the edge, not a service for creating, publishing, or managing APIs as a front door to backend services. Option B is wrong because Elastic Load Balancing distributes incoming traffic across multiple targets (e.g., EC2 instances) but does not provide API creation, publishing, or management capabilities; it operates at the transport or application layer without API-specific features like request transformation or API keys. Option D is wrong because AWS App Runner is a service for deploying containerized web applications and APIs directly from source code or container images, but it does not offer the API management, versioning, throttling, or authorization features that API Gateway provides as a dedicated front door for APIs.

693
MCQmedium

A media company hosts its website on Amazon EC2 instances in the us-east-1 Region. Static assets such as images, CSS, and JavaScript files are stored in an Amazon S3 bucket. Users across the globe report slow page load times due to high latency when fetching these assets. The company wants to deliver the static content with low latency and high transfer speeds to users worldwide, reduce the load on the EC2 instances, and add protection against common DDoS attacks. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 latency-based routing
D.AWS WAF
AnswerA

Correct. Amazon CloudFront is a CDN that caches content at edge locations to deliver low latency and high throughput to users globally. It also offloads origin servers and provides DDoS protection via AWS Shield.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets (images, CSS, JavaScript) at edge locations worldwide, reducing latency for global users. It offloads requests from the EC2 origin by serving cached content directly from the edge, and it integrates with AWS Shield Standard to provide automatic protection against common DDoS attacks. This directly addresses the company's requirements for low latency, reduced EC2 load, and DDoS protection.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator with a CDN, but Global Accelerator does not cache content—it only optimizes network path routing, making it unsuitable for static asset delivery.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves performance by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache static content at edge locations; it is designed for dynamic traffic (e.g., TCP/UDP) and does not reduce load on EC2 for static asset delivery. Option C (Amazon Route 53 latency-based routing) is wrong because it only directs DNS queries to the region with the lowest latency, but it does not cache content or reduce the load on EC2 instances; each user still fetches assets directly from the origin S3 bucket or EC2. Option D (AWS WAF) is wrong because it is a web application firewall that filters and monitors HTTP requests for security threats, but it does not cache content or improve latency; it only provides protection, not performance benefits.

694
MCQmedium

A company uses AWS Organizations. The management account receives the consolidated bill. Which statement about Reserved Instance discount sharing in AWS Organizations is correct?

A.Reserved Instance discounts only apply to the account that purchased the RI
B.RI discounts are automatically shared across all member accounts in the organization
C.RI discounts are only shared if the management account explicitly enables sharing for each RI
D.RI discounts cannot be shared across accounts even in an Organization
AnswerB

Consolidated billing enables automatic RI discount sharing — unused RI capacity in any member account offsets On-Demand charges in other member accounts, maximizing discount utilization.

Why this answer

In AWS Organizations, Reserved Instance (RI) discounts are automatically shared across all accounts in the organization, provided the accounts are under the same consolidated billing family and the RIs are in the same AWS region. This means that if one member account purchases an RI, the hourly cost benefit can apply to qualifying usage from any other account in the organization, reducing the overall bill. The management account receives the consolidated bill and can see the aggregated savings, but no explicit sharing configuration is required.

Exam trap

The trap here is that candidates often assume RI discounts are account-specific or require manual sharing, but AWS automatically shares them across all accounts in an organization under consolidated billing, which is a core concept tested in the CLF-C02 exam.

How to eliminate wrong answers

Option A is wrong because RI discounts are not limited to the purchasing account; they are automatically shared across all accounts in the organization under consolidated billing. Option C is wrong because AWS does not require the management account to explicitly enable sharing for each RI; sharing is automatic for all RIs in the organization. Option D is wrong because RI discounts can indeed be shared across accounts within an AWS Organization, which is a key benefit of consolidated billing.

695
MCQmedium

A startup is planning a new web application on AWS. The architecture will use Amazon EC2 for compute, Amazon RDS for the database, and Amazon S3 for static assets. The team needs to estimate the monthly cost of running this application before building it. They want to compare costs across different instance types, regions, and pricing models (On-Demand vs. Reserved Instances), and they also need to account for data transfer costs. Which AWS tool should the team use to create this estimate?

A.AWS Cost Explorer
B.AWS Total Cost of Ownership (TCO) Calculator
C.AWS Budgets
D.AWS Pricing Calculator
AnswerD

The AWS Pricing Calculator enables users to estimate the monthly cost of AWS services by selecting specific configurations (e.g., EC2 instance type, RDS database class, S3 storage class, etc.), regions, and pricing models. It provides a detailed cost breakdown and is the correct tool for pre-deployment cost estimation.

Why this answer

AWS Pricing Calculator (formerly AWS Simple Monthly Calculator) is the correct tool because it allows users to estimate monthly costs by selecting specific EC2 instance types, RDS configurations, S3 storage classes, and data transfer volumes. It supports comparing On-Demand vs. Reserved Instance pricing across different regions, making it ideal for pre-build cost estimation.

Exam trap

The trap here is confusing cost estimation tools (Pricing Calculator) with cost management tools (Cost Explorer, Budgets) or TCO analysis, leading candidates to pick a tool that analyzes past spend rather than future projections.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical cost and usage data, not future estimates for a planned architecture. Option B is wrong because the AWS TCO Calculator compares on-premises vs. AWS costs, not detailed monthly estimates across instance types and pricing models.

Option C is wrong because AWS Budgets sets cost alerts and tracks actual spend against a budget, not for creating upfront cost estimates.

696
MCQmedium

A company needs to ensure that all data transmitted between their on-premises servers and AWS is encrypted during transfer. Which AWS services provide encryption in transit? (Choose the most complete answer.)

A.AWS Direct Connect with dedicated link guarantees
B.AWS Site-to-Site VPN using IPsec encryption
C.Amazon S3 SSE-S3 encryption
D.AWS KMS key rotation
AnswerB

Site-to-Site VPN uses IPsec to encrypt all traffic between on-premises and AWS, ensuring encryption in transit over the public internet.

Why this answer

AWS Site-to-Site VPN is the correct choice because it creates an encrypted tunnel between on-premises servers and AWS using IPsec (Internet Protocol Security) protocol suite. IPsec provides confidentiality, integrity, and authentication for all data packets traversing the public internet, ensuring encryption in transit as required by the question.

Exam trap

The trap here is that candidates confuse encryption in transit with encryption at rest, often selecting S3 SSE-S3 or KMS key rotation because they associate 'encryption' broadly with AWS security, without distinguishing the data state.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect provides a dedicated private network connection but does not inherently encrypt data in transit; encryption must be added separately (e.g., via IPsec over the Direct Connect link). Option C is wrong because Amazon S3 SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest, not during transfer; it protects data stored in S3, not data in transit between on-premises and AWS. Option D is wrong because AWS KMS key rotation manages the lifecycle of encryption keys but does not directly encrypt data in transit; it is a key management feature, not a transport encryption mechanism.

697
Drag & Dropmedium

Drag and drop the steps to set up a VPC with a public subnet and an internet gateway in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

VPC creation, subnet, internet gateway, routing, and association are the standard steps for a public subnet.

698
MCQmedium

A company operates a critical e-commerce platform on AWS that generates significant revenue. The management team requires a dedicated Technical Account Manager (TAM) to provide proactive guidance and operational best practices. Additionally, they need the fastest possible response time for critical system failures, targeting a response within 15 minutes. Which AWS Support plan should the company choose?

A.Basic Support
B.Business Support
C.Enterprise On-Ramp Support
D.Enterprise Support
AnswerD

Correct. Enterprise Support provides a dedicated TAM and the fastest response time of 15 minutes for business-critical systems, fully meeting the company's requirements.

Why this answer

The company requires a dedicated Technical Account Manager (TAM) and the fastest possible response time for critical system failures (15-minute response). Only the Enterprise Support plan includes a designated TAM and provides a 15-minute response time for business-critical system failures. The Enterprise On-Ramp Support plan offers a TAM but has a longer 30-minute response time for critical cases, and the Business Support plan does not include a TAM at all.

Exam trap

The trap here is that candidates often confuse Enterprise On-Ramp Support with Enterprise Support, assuming both offer the same response times and TAM access, but Enterprise On-Ramp has a longer 30-minute critical response and a different TAM engagement model.

How to eliminate wrong answers

Option A is wrong because Basic Support provides only account and billing support, no TAM, and no defined response times for technical issues. Option B is wrong because Business Support offers a 1-hour response time for critical system failures and does not include a dedicated TAM. Option C is wrong because Enterprise On-Ramp Support includes a TAM but provides a 30-minute response time for critical cases, not the fastest 15-minute response required.

699
MCQmedium

Which AWS Well-Architected Framework pillar includes recommendations for using a mix of purchase options and rightsizing instances to optimize costs?

A.Operational Excellence
B.Performance Efficiency
C.Cost Optimization
D.Reliability
AnswerC

The Cost Optimization pillar covers right-sizing, instance purchase options (Reserved, Spot, Savings Plans), eliminating waste, and using consumption-based pricing.

Why this answer

Option C is correct because the Cost Optimization pillar of the AWS Well-Architected Framework specifically includes guidance on using a mix of purchase options (e.g., Reserved Instances, Savings Plans, Spot Instances) and rightsizing instances (e.g., selecting the correct instance family and size based on utilization metrics) to reduce overall spending while maintaining performance. This pillar focuses on avoiding unnecessary costs and aligning expenditure with business needs.

Exam trap

The trap here is that candidates often confuse the Cost Optimization pillar with the Performance Efficiency pillar, mistakenly thinking that rightsizing is about improving performance rather than reducing costs, or they associate purchase options with Operational Excellence due to the 'planning' aspect.

How to eliminate wrong answers

Option A is wrong because the Operational Excellence pillar focuses on running and monitoring systems to deliver business value, and on continually improving processes and procedures, not on cost optimization strategies like purchase options or rightsizing. Option B is wrong because the Performance Efficiency pillar deals with using computing resources efficiently to meet system requirements, and maintaining that efficiency as demand changes and technologies evolve, not on cost-saving tactics. Option D is wrong because the Reliability pillar concerns a workload's ability to perform its intended function correctly and consistently when expected, including recovery from failures and meeting demand, not on optimizing costs through purchasing or sizing decisions.

700
MCQmedium

A company migrates its workloads to AWS. After the migration, the company receives a monthly invoice that shows precise charges for each service used, such as the exact number of Amazon EC2 instance hours consumed and the amount of data stored in Amazon S3. The company uses this detailed usage data to allocate costs to different departments. Which essential characteristic of cloud computing does this scenario best demonstrate?

A.Broad network access
B.Resource pooling
C.Measured service
D.Rapid elasticity
AnswerC

Measured service is the correct answer. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer. This allows the company to receive a detailed invoice and perform cost allocation.

Why this answer

The scenario describes how the cloud provider meters and reports usage (e.g., EC2 instance hours, S3 storage amounts) and then bills precisely based on that consumption. This is the definition of 'measured service' — one of the five essential characteristics of cloud computing (NIST SP 800-145), where resource usage is monitored, controlled, and reported, providing transparency for both the provider and consumer.

Exam trap

The trap here is that candidates confuse 'resource pooling' (the multi-tenant sharing of infrastructure) with the ability to see and allocate granular usage costs, but measured service is specifically about metering and billing transparency, not how resources are shared.

How to eliminate wrong answers

Option A is wrong because 'broad network access' refers to resources being available over the network via standard mechanisms (e.g., HTTP, SSH) from various devices (mobile, laptops, workstations), not to billing or usage metering. Option B is wrong because 'resource pooling' describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, not the ability to see detailed per-service charges for cost allocation.

701
MCQmedium

A manufacturing company collects sensor data from thousands of IoT devices every second. The data includes temperature, pressure, and vibration readings. The company needs to store this time-series data and perform real-time queries to detect anomalies, as well as run historical analysis. The data volume is extremely high and will grow continuously. The company wants a fully managed, serverless solution that can automatically scale to handle the data volume and provide built-in analytics functions for time-series. Which AWS service should the company use?

A.Amazon DynamoDB
B.Amazon Timestream
C.Amazon ElastiCache for Redis
D.Amazon RDS for MySQL
AnswerB

Amazon Timestream is a purpose-built time-series database that can efficiently ingest, store, and analyze trillions of time-stamped data points per day. It is serverless and auto-scaling, with built-in time-series analytics functions such as interpolation, smoothing, and approximation. This makes it the ideal choice for the company's IoT sensor data requirements.

Why this answer

Amazon Timestream is a fully managed, serverless time-series database service designed specifically for IoT and operational applications. It automatically scales to handle trillions of events per day, provides built-in time-series analytics functions (e.g., smoothing, approximation, interpolation), and supports both real-time queries and historical analysis with separate storage tiers (in-memory for recent data and magnetic for historical data). This makes it the ideal choice for the company's high-volume sensor data requirements.

Exam trap

The trap here is that candidates often choose DynamoDB (Option A) because they associate it with high-scale IoT workloads, but they overlook the requirement for built-in time-series analytics functions and automatic tiered storage, which Timestream uniquely provides as a purpose-built time-series database.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a key-value and document database optimized for low-latency reads/writes at scale, but it lacks native time-series functions, automatic data retention policies, and built-in analytics for time-series queries like interpolation or smoothing. Option C is wrong because Amazon ElastiCache for Redis is an in-memory cache, not a durable storage solution; it is designed for sub-millisecond performance on transient data and does not provide built-in time-series analytics functions or automatic scaling for long-term historical storage. Option D is wrong because Amazon RDS for MySQL is a relational database that requires manual scaling, schema management, and does not offer native time-series functions or automatic tiered storage; it would incur high operational overhead for the extreme write volume and continuous growth described.

702
MCQmedium

A company stores sensitive audit reports in an Amazon S3 bucket. An external auditor needs to download a specific report for a compliance review. The auditor does not have an AWS account and will only need access for 48 hours. The company wants to provide a secure, time-limited link that allows the auditor to download the file directly from S3 without making the bucket public or requiring the auditor to authenticate with AWS. Which AWS feature should the company use to meet these requirements?

A.S3 bucket policy with a condition that restricts access by IP address
B.IAM role with cross-account access for the auditor's AWS account
C.S3 presigned URL generated with a 48-hour expiration
D.CloudFront signed URL using a trusted key group
AnswerC

An S3 presigned URL is the correct solution. It allows the company to generate a URL that provides temporary access to a specific S3 object. The URL includes a signature that expires after the specified time (48 hours). The auditor can simply use the URL to download the file without needing AWS credentials or any other authentication, and the bucket remains private.

Why this answer

An S3 presigned URL allows the company to grant temporary, time-limited access to a specific object in a private S3 bucket without requiring the auditor to have AWS credentials. By generating the URL with a 48-hour expiration, the company meets the exact requirement for secure, time-bound access. The auditor can download the file directly via HTTPS using the presigned URL, which embeds the necessary authentication information.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing CloudFront signed URLs (Option D) because they associate signed URLs with security, but the question explicitly requires a direct S3 download without additional services, making the simpler S3 presigned URL the correct choice.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy with an IP address condition would require the auditor to have a static, known IP address, which is not specified and does not provide time-limited access; it also makes the bucket publicly accessible to that IP range. Option B is wrong because cross-account IAM role access requires the auditor to have an AWS account and the ability to assume the role, which contradicts the requirement that the auditor does not have an AWS account. Option D is wrong because a CloudFront signed URL requires setting up CloudFront as a CDN in front of the S3 bucket and managing a trusted key group, which adds unnecessary complexity and cost; the simpler S3 presigned URL directly meets the need without additional infrastructure.

703
MCQmedium

A retail company runs a web application on Amazon EC2 instances behind an Application Load Balancer. During a promotional event, traffic spikes to 10 times the normal level. The company configured an Amazon EC2 Auto Scaling group with a scaling policy that adds instances when CPU utilization exceeds 70% and removes instances when it drops below 30%. The application handles the spike without any manual intervention, and after the event ends, the number of instances automatically decreases to the original count, saving costs. This scenario best demonstrates which cloud computing concept?

A.Elasticity
B.Scalability
C.High availability
D.Fault tolerance
AnswerA

Correct. Elasticity is the ability to automatically scale computing resources up and down based on demand, which is exactly what the Auto Scaling group does during the traffic spike and subsequent drop.

Why this answer

The scenario describes the system automatically scaling out to 10 times the normal capacity during a traffic spike and then scaling back down when the spike ends, which is the definition of elasticity—the ability to dynamically provision and de-provision resources to match demand. The use of an EC2 Auto Scaling group with a CPU-based scaling policy (70% threshold to add, 30% to remove) directly demonstrates this cloud computing concept, as it handles variable workloads without manual intervention and optimizes cost by reducing resources when they are no longer needed.

Exam trap

The trap here is that candidates often confuse scalability with elasticity, but scalability only implies the ability to grow (scale up/out), while elasticity explicitly includes the ability to shrink (scale down/in) to match demand and optimize costs.

How to eliminate wrong answers

Option B (Scalability) is wrong because scalability refers to the ability to increase capacity to handle growth, but it does not inherently include the ability to scale down (de-provision) resources when demand decreases; elasticity specifically includes both scaling up and scaling down. Option C (High availability) is wrong because high availability focuses on ensuring the application remains accessible despite failures, typically through redundancy across multiple Availability Zones or health checks, not on dynamic resource adjustment based on load. Option D (Fault tolerance) is wrong because fault tolerance is the ability of a system to continue operating without interruption when one or more components fail, which is not demonstrated by the automatic scaling in response to CPU utilization changes.

704
MCQmedium

A company stores genomics data (several petabytes) on Amazon S3. They need to run complex analytics on this data using standard bioinformatics tools that require a POSIX file system interface. Which AWS solution provides this?

A.Amazon EFS mounted on EC2
B.Amazon FSx for Lustre linked to S3
C.Amazon EBS io2 volumes on EC2
D.Amazon S3 with S3 Select
AnswerB

FSx for Lustre is a high-performance parallel file system that integrates with S3 — it presents S3 data as files with POSIX semantics and delivers the throughput needed for genomics HPC workloads.

Why this answer

Amazon FSx for Lustre is a high-performance file system that provides a POSIX-compliant interface and can be linked directly to an S3 bucket, allowing you to run standard bioinformatics tools on genomics data stored in S3 without needing to copy it. This solution delivers the low-latency, high-throughput file access required for complex analytics on petabyte-scale datasets, while seamlessly integrating with S3 for durable storage.

Exam trap

The trap here is that candidates confuse Amazon EFS (a POSIX file system) with the high-performance requirements of HPC workloads, overlooking that FSx for Lustre is specifically optimized for low-latency, parallel access to large datasets, while EFS is designed for general-purpose, throughput-oriented use cases.

How to eliminate wrong answers

Option A is wrong because Amazon EFS provides a POSIX file system but is designed for general-purpose, NFS-based workloads with moderate throughput, not for the high-performance computing (HPC) demands of complex genomics analytics on petabytes of data; it lacks the parallel, low-latency access that FSx for Lustre offers. Option C is wrong because Amazon EBS io2 volumes provide block storage with high IOPS but are limited to a single EC2 instance and cannot be directly linked to S3, requiring manual data movement and lacking the shared, scalable file system needed for distributed bioinformatics tools. Option D is wrong because Amazon S3 with S3 Select is an object storage service that does not provide a POSIX file system interface; S3 Select only allows server-side filtering of data using SQL expressions and cannot run standard bioinformatics tools that require a file system.

705
MCQmedium

A company uses multiple AWS accounts and needs to perform granular cost and usage analysis using standard SQL queries. The cloud operations team requires the most detailed data possible, including resource-level attributes such as instance type, usage quantity, and cost allocation tags. This data must be automatically delivered to an Amazon S3 bucket on a daily basis for long-term retention and querying. Which AWS service should the company use to generate this dataset?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Pricing Calculator
AnswerC

The AWS Cost and Usage Report (CUR) contains the most detailed billing and usage data, including individual resource IDs, tags, and hourly usage. It is delivered to an Amazon S3 bucket in a structured format (CSV or Parquet) and can be queried with Amazon Athena, making it the correct choice for granular SQL-based cost analysis.

Why this answer

AWS Cost and Usage Report (CUR) is the correct choice because it provides the most detailed cost and usage data available, including resource-level attributes like instance type, usage quantity, and cost allocation tags. It can be automatically delivered to an Amazon S3 bucket on a daily basis and supports querying with standard SQL via AWS Athena or Amazon Redshift Spectrum, meeting the requirements for granular analysis and long-term retention.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's visual analytics with the raw data export capability of CUR, assuming Cost Explorer can provide the same detailed, queryable dataset when it only offers aggregated views.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visual dashboards and high-level cost trends, but it does not generate raw, resource-level datasets that can be automatically delivered to S3 for SQL querying. Option B is wrong because AWS Budgets is used for setting cost thresholds and sending alerts, not for generating detailed cost and usage reports with resource-level attributes. Option D is wrong because AWS Pricing Calculator is a tool for estimating costs of AWS services before deployment, not for generating historical cost and usage data.

706
MCQmedium

A startup company is developing a new mobile application. The development team needs to quickly provision and tear down test environments to experiment with different backend configurations. They want to try new features, run performance tests for a few hours, and then delete all resources without any upfront commitment. They only pay for the compute and storage resources consumed during each test. Which benefit of cloud computing does this scenario BEST represent?

A.Agility
B.Elasticity
C.High availability
D.Fault tolerance
AnswerA

Correct. Agility in the cloud allows organizations to quickly provision and decommission resources, enabling rapid experimentation and innovation without long-term commitments.

Why this answer

The scenario describes provisioning test environments on demand, running experiments for a few hours, and then tearing everything down with no upfront commitment. This directly maps to agility—the cloud's ability to rapidly create, modify, and delete resources to adapt to changing business or technical needs. The pay-as-you-go model further reinforces agility by removing the need for long-term contracts or hardware procurement.

Exam trap

The trap here is confusing agility (the ability to rapidly provision and deprovision resources for experimentation) with elasticity (automatic scaling based on load), which is a common misconception because both involve dynamic resource management but serve fundamentally different purposes.

How to eliminate wrong answers

Option B (Elasticity) is wrong because elasticity refers to automatically scaling resources up or down in response to real-time demand (e.g., adding EC2 instances during a traffic spike), not the ability to quickly provision and tear down entire test environments for experimentation. Option C (High availability) is wrong because high availability focuses on keeping applications running continuously despite failures, typically through redundant infrastructure across multiple Availability Zones, which is unrelated to the temporary test environment lifecycle described. Option D (Fault tolerance) is wrong because fault tolerance ensures zero downtime by masking component failures (e.g., active-passive failover with synchronous replication), whereas the scenario emphasizes rapid creation and deletion of resources, not resilience to failures.

707
MCQmedium

A company runs a web application on an Application Load Balancer (ALB) in the us-east-1 Region. The application serves HTTPS traffic. The company uses a third-party certificate authority to issue SSL/TLS certificates, but these certificates expire every year and require manual renewal. The company wants to use a managed AWS service to automatically provision, renew, and manage the SSL/TLS certificates for the ALB at no additional cost (no extra charge beyond the ALB usage). Which AWS service should the company use?

A.AWS Key Management Service (AWS KMS)
B.AWS WAF
C.AWS Certificate Manager (ACM)
D.AWS Secrets Manager
AnswerC

ACM is the correct service. It provisions, manages, and automatically renews SSL/TLS certificates. ACM integrates directly with ALB at no additional cost, simplifying HTTPS configuration.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it can provision, manage, and automatically renew public SSL/TLS certificates for use with an Application Load Balancer at no additional cost. ACM integrates directly with ALB to handle certificate deployment and renewal, eliminating the need for manual renewal of third-party certificates. The service is free for public certificates used with supported AWS services like ALB, CloudFront, and API Gateway.

Exam trap

The trap here is that candidates may confuse AWS KMS as a certificate management service because it deals with encryption, but KMS manages symmetric and asymmetric keys for data encryption, not SSL/TLS certificates for HTTPS termination.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (AWS KMS) is a managed service for creating and controlling encryption keys used to encrypt data, not for managing SSL/TLS certificates or their renewal. Option B is wrong because AWS WAF is a web application firewall that protects web applications from common exploits, but it does not provision, renew, or manage SSL/TLS certificates.

708
MCQmedium

A company is migrating its customer-facing web application to AWS. The Chief Information Security Officer (CISO) is reviewing the division of security responsibilities. The CISO understands that AWS is responsible for the security of the physical data centers, hardware, and network infrastructure. The company, as the customer, is responsible for securing the application code, customer data, and operating system patches on Amazon EC2 instances. This division of security responsibilities is an example of which fundamental cloud computing concept?

A.Resource pooling
B.Shared responsibility model
C.Elasticity
D.Measured service
AnswerB

The shared responsibility model clearly delineates between AWS's responsibility for the security of the underlying cloud infrastructure and the customer's responsibility for securing their data, applications, and configurations. This is the correct concept described in the scenario.

Why this answer

The correct answer is B, the shared responsibility model. This model delineates security obligations between AWS and the customer: AWS secures the cloud infrastructure (physical data centers, hardware, network), while the customer secures what is in the cloud (application code, customer data, OS patches on EC2 instances). The scenario directly describes this division, making it a textbook example of the shared responsibility model.

Exam trap

The trap here is that candidates confuse the shared responsibility model with elasticity or resource pooling, because all three are fundamental cloud concepts, but only the shared responsibility model defines security ownership boundaries.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the multi-tenant model where AWS dynamically assigns and reassigns physical and virtual resources to serve multiple customers, not the division of security responsibilities. Option C is wrong because elasticity is the ability to automatically scale resources up or down based on demand, which is unrelated to the security responsibility split described in the question.

709
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants a preventive control to ensure that nobody in any account, including account root users, can disable AWS CloudTrail or delete Amazon S3 bucket policies. Which AWS feature should the security team use?

A.IAM roles with multi-factor authentication (MFA)
B.AWS Config rules with automatic remediation
C.Service control policies (SCPs)
D.AWS Shield Advanced
AnswerC

SCPs are a feature of AWS Organizations that allow central administrators to set permission guardrails for all accounts in the organization. SCPs can explicitly deny actions like cloudtrail:StopLogging or s3:DeleteBucketPolicy, even for the root user of member accounts. This provides a preventive control that cannot be overridden by account administrators.

Why this answer

Service control policies (SCPs) are the correct choice because they provide centralized preventive controls over the maximum available permissions for all IAM users, roles, and root users in member accounts within AWS Organizations. SCPs can explicitly deny actions such as cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:PutBucketPolicy, ensuring that even root users cannot disable CloudTrail or delete S3 bucket policies. This makes SCPs the only AWS feature that can enforce such restrictions across all accounts in an organization.

Exam trap

The trap here is that candidates often confuse detective/corrective controls (like AWS Config rules) with preventive controls (like SCPs), or they mistakenly think IAM MFA can block API actions, when in reality MFA only adds an authentication requirement and does not restrict specific service operations.

How to eliminate wrong answers

Option A is wrong because IAM roles with multi-factor authentication (MFA) are an authentication mechanism that adds a second factor to user sign-ins, but they do not provide any preventive control to block specific API actions like disabling CloudTrail or deleting S3 bucket policies; they only require MFA for role assumption. Option B is wrong because AWS Config rules with automatic remediation are detective and corrective controls—they detect noncompliant resource changes after they occur and can trigger remediation actions, but they cannot prevent the action from happening in the first place, so they are not a preventive control.

710
MCQmedium

A company operates a global e-commerce website with static assets (product images, CSS, JavaScript) stored in an Amazon S3 bucket. Users in different geographic regions report slow page load times. The company wants to reduce latency without rearchitecting the application or moving the S3 bucket. Which AWS service should the company use to distribute the static assets closer to users?

A.Amazon CloudFront
B.S3 Transfer Acceleration
C.Add more Amazon EC2 instances in different regions
D.Application Load Balancer with cross-zone load balancing
AnswerA

Amazon CloudFront is a global content delivery network (CDN) that caches static assets at edge locations near users, reducing latency and offloading from the origin S3 bucket.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets at edge locations worldwide, significantly reducing latency for users by serving content from the nearest edge location rather than from the origin S3 bucket. It integrates directly with S3 without requiring any application rearchitecture or bucket relocation, making it the ideal solution for this use case.

Exam trap

The trap here is that candidates often confuse S3 Transfer Acceleration (which optimizes uploads to S3) with a CDN service (which optimizes downloads to users), leading them to choose Option B even though it does not address the latency problem for end users.

How to eliminate wrong answers

Option B (S3 Transfer Acceleration) is wrong because it accelerates uploads to S3 over long distances using AWS edge locations, but it does not cache or distribute content for low-latency downloads; it only speeds up the transfer of data into the bucket, not the delivery to end users. Option C (Add more Amazon EC2 instances in different regions) is wrong because it would require rearchitecting the application to serve static assets from multiple regions, and EC2 instances are not designed for static asset distribution; they would add complexity, cost, and management overhead without the caching and edge delivery benefits of a CDN.

711
MCQmedium

A global gaming company needs to deploy its application in multiple geographic locations to reduce latency for players worldwide. The application must also remain available even if an entire data center fails. The company plans to run the application on Amazon EC2 instances behind an Application Load Balancer. Which combination of AWS global infrastructure components should the company use to meet these requirements?

A.Deploy the application in a single AWS Region across multiple Availability Zones and use Amazon Route 53 with latency-based routing.
B.Deploy the application in a single AWS Region within a single Availability Zone and use Amazon CloudFront for content caching.
C.Deploy the application in multiple AWS Regions, each with at least two Availability Zones, and use Amazon Route 53 for DNS-based routing.
D.Deploy the application in multiple AWS Regions and use Amazon CloudFront with multiple origins, each pointing to an Application Load Balancer in a single Availability Zone.
AnswerC

Multiple AWS Regions provide geographic distribution to reduce latency globally. Using multiple Availability Zones within each Region ensures that the application remains available if an entire data center (one Availability Zone) fails. Amazon Route 53 can route users to the nearest healthy Region, meeting both requirements.

Why this answer

Option C is correct because deploying the application in multiple AWS Regions, each with at least two Availability Zones, ensures global low latency by placing compute resources closer to players worldwide, while the multi-AZ architecture within each Region provides high availability even if an entire data center (Availability Zone) fails. Amazon Route 53 then enables DNS-based routing (e.g., latency-based or geolocation routing) to direct player traffic to the optimal Region, meeting both latency and fault tolerance requirements.

Exam trap

The trap here is that candidates often confuse high availability within a single Region (multi-AZ) with global low latency, mistakenly thinking that multiple Availability Zones alone solve latency for global users, or that CloudFront caching alone provides application-level fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying in a single AWS Region, even across multiple Availability Zones, cannot reduce latency for players globally—players far from that Region will experience high latency. Option B is wrong because deploying in a single Availability Zone within a single Region provides no fault tolerance against an entire data center failure, and Amazon CloudFront caching alone does not ensure application availability if the origin fails. Option D is wrong because using only a single Availability Zone per Region creates a single point of failure within each Region, violating the requirement that the application remain available even if an entire data center fails.

712
MCQeasy

A company has a strict data residency policy that requires all customer data to remain stored on-premises at all times. However, the company experiences unpredictable spikes in compute demand and wants to use an AWS cloud environment to handle this additional workload during peak periods. The company needs a solution that allows them to seamlessly run applications across their on-premises infrastructure and AWS, using consistent management tools and APIs. The company also needs a dedicated, private network connection between the two environments for low latency and security. Which cloud deployment model best describes this architecture?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

A hybrid cloud deployment connects on-premises infrastructure (private cloud) with public cloud services (like AWS) using a secure network connection. This model enables the organization to keep sensitive data on-premises while using AWS for scalable compute capacity during peak demand, meeting both the data residency requirement and the need for burst capacity.

Why this answer

Option C is correct because the architecture described combines on-premises infrastructure with AWS cloud resources, connected via a dedicated private network (likely AWS Direct Connect or VPN), while using consistent management tools and APIs. This is the defining characteristic of a hybrid cloud model, which enables workload portability and unified operations across both environments.

Exam trap

The trap here is that candidates may confuse hybrid cloud with public cloud, overlooking the critical requirement for a dedicated private connection and on-premises data residency, which hybrid cloud uniquely satisfies.

How to eliminate wrong answers

Option A is wrong because a public cloud model would involve running all workloads on AWS infrastructure shared with other customers, which violates the strict data residency policy requiring customer data to remain on-premises at all times. Option B is wrong because a private cloud model is dedicated to a single organization but typically resides entirely within the organization's own data center or a hosted facility, failing to address the need to burst compute demand to a separate AWS environment.

713
MCQmedium

A company has a web application that processes customer orders. The frontend web servers run on Amazon EC2 instances and receive order requests from users. The backend order processing system runs on a separate fleet of EC2 instances. The company wants to decouple these two tiers so that order requests are stored reliably until the backend is ready to process them. The solution must handle occasional traffic spikes without losing any messages and must allow the backend to scale independently. Which AWS service should the company use to meet these requirements?

A.Amazon Simple Notification Service (Amazon SNS)
B.Amazon Simple Queue Service (Amazon SQS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerB

Amazon SQS is a fully managed message queuing service that decouples application components. It stores messages durably, handles traffic spikes, and allows independent scaling of producers and consumers. This matches all requirements.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS reliably stores messages in a queue until the backend order processing system retrieves and processes them, ensuring no messages are lost even during traffic spikes. The backend can independently scale based on the queue depth, and SQS offers at-least-once delivery and exactly-once processing with FIFO queues if needed.

Exam trap

The trap here is that candidates often confuse SNS with SQS because both are messaging services, but SNS is a push-based pub/sub system that does not durably store messages, whereas SQS is a pull-based queue that provides persistent storage and decoupling, which is exactly what the scenario requires.

How to eliminate wrong answers

Option A is wrong because Amazon Simple Notification Service (SNS) is a pub/sub messaging service that pushes messages to subscribers (e.g., HTTP endpoints, Lambda, SQS) but does not store messages durably; if a subscriber is unavailable, messages are lost unless you configure a dead-letter queue, and it does not provide the reliable, persistent storage required for decoupling with independent scaling. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data volumes (e.g., clickstreams, logs) with a retention period of up to 365 days, but it is not optimized for simple point-to-point decoupling of order processing; it requires consumers to manage shard-level scaling and checkpointing, adding complexity that is unnecessary for this use case.

714
MCQeasy

Which AWS service provides automated security assessments of EC2 instances against a library of security best practices and common vulnerabilities?

A.AWS Trusted Advisor
B.Amazon Inspector
C.AWS Security Hub
D.AWS Config
AnswerB

Inspector continuously scans EC2 instances and container images for software vulnerabilities using CVE databases and checks for network exposure issues.

Why this answer

Amazon Inspector is the correct AWS service because it is specifically designed to perform automated security assessments of EC2 instances. It uses a library of rules mapped to common security best practices (e.g., CIS benchmarks) and common vulnerabilities (e.g., CVEs) to scan the instance's OS and network configuration, generating a detailed findings report.

Exam trap

The trap here is that candidates confuse AWS Security Hub (which aggregates findings) with the service that actually performs the vulnerability scan, leading them to pick Security Hub instead of Amazon Inspector.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides general best-practice checks across your AWS account (e.g., cost optimization, performance, fault tolerance), but it does not perform deep, agent-based vulnerability scanning of EC2 instances. Option C is wrong because AWS Security Hub aggregates and prioritizes security alerts from multiple AWS services (like Amazon Inspector, GuardDuty, etc.) and provides a centralized view, but it does not itself perform automated vulnerability assessments on EC2 instances. Option D is wrong because AWS Config evaluates resource configurations against desired policies (e.g., compliance rules) and tracks configuration changes, but it does not scan for software vulnerabilities or security best practices at the OS/application level.

715
MCQmedium

A company's IT director wants to present a business case for migrating from on-premises infrastructure to AWS. They need to compare the full cost of running on-premises (hardware, facilities, power, labour) against the cost of running equivalent workloads on AWS. Which AWS tool helps create this comparison?

A.AWS Pricing Calculator
B.AWS Cost Explorer
C.AWS TCO Calculator
D.AWS Budgets
AnswerC

The AWS TCO Calculator is designed specifically for comparing on-premises infrastructure total cost of ownership with equivalent AWS costs. It accounts for hardware, software licenses, facilities, networking, and labour costs.

Why this answer

Option C is correct because the AWS TCO (Total Cost of Ownership) Calculator is specifically designed to compare the full costs of running on-premises infrastructure (including hardware, facilities, power, and labor) against the equivalent costs on AWS. It generates a detailed side-by-side cost comparison report, helping IT directors build a business case for migration by quantifying potential savings.

Exam trap

The trap here is that candidates confuse the AWS Pricing Calculator (which only estimates AWS service costs) with the TCO Calculator (which compares on-premises vs. AWS total costs), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the AWS Pricing Calculator estimates the cost of AWS services based on usage inputs, but it does not compare on-premises costs or include facilities, power, or labor expenses. Option B is wrong because AWS Cost Explorer analyzes historical AWS spending and forecasts future costs, but it cannot model on-premises infrastructure costs or perform a TCO comparison. Option D is wrong because AWS Budgets sets custom cost and usage budgets and sends alerts, but it does not provide any cost comparison or TCO analysis between on-premises and AWS environments.

716
MCQmedium

A company needs a managed message queue service that guarantees each message is delivered at least once and supports unlimited message retention. Which AWS service should they use?

A.Amazon SNS
B.Amazon SQS
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerB

SQS provides managed message queuing with at-least-once delivery for standard queues and up to 14-day message retention.

Why this answer

Amazon SQS (Simple Queue Service) is a fully managed message queuing service that guarantees at-least-once delivery by default and supports unlimited message retention (up to 14 days for standard queues, but retention can be extended indefinitely using a dead-letter queue or custom re-queuing logic). This makes it the correct choice for a service that must ensure each message is delivered at least once and can be retained for an unlimited duration.

Exam trap

The trap here is that candidates often confuse SNS (pub/sub) with SQS (queue) because both are messaging services, but SNS does not store messages or guarantee at-least-once delivery, making it unsuitable for this requirement.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that does not guarantee at-least-once delivery (it offers at-most-once delivery by default) and does not support message retention—messages are pushed to subscribers immediately and not stored. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming data with a default retention period of 24 hours (up to 365 days with extended retention), but it does not guarantee at-least-once delivery per record; it uses a shard-based model where records can be replayed but not individually acknowledged. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message queue service; it does not provide message retention or at-least-once delivery guarantees for individual messages.

717
MCQmedium

A gaming company operates a mobile game with millions of active users. The game stores player profiles and session state in a key-value database. The database must provide single-digit millisecond latency for read and write operations at any scale. The company expects traffic to grow unpredictably, and the database must scale horizontally without downtime. The company wants a fully managed, highly available solution with built-in replication across multiple Availability Zones. Which AWS service should the company use?

A.Amazon RDS for PostgreSQL
B.Amazon Redshift
C.Amazon DynamoDB
D.Amazon ElastiCache for Redis
AnswerC

Correct. Amazon DynamoDB is a fully managed NoSQL key-value and document database that provides single-digit millisecond latency at any scale. It scales horizontally, supports auto scaling, and offers built-in multi-AZ replication for high availability and durability.

Why this answer

Amazon DynamoDB is the correct choice because it is a fully managed, serverless, NoSQL key-value database that delivers single-digit millisecond latency at any scale. It supports horizontal scaling via automatic partitioning and replication across multiple Availability Zones (AZs) for high availability, with no downtime required for scaling. This directly matches the gaming company's requirements for low-latency reads/writes, unpredictable traffic growth, and built-in multi-AZ replication.

Exam trap

The trap here is that candidates often confuse Amazon ElastiCache for Redis with a durable database, but it is an in-memory cache that lacks native multi-AZ replication for persistence and is not designed as a primary key-value store for session state that must survive node failures.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for PostgreSQL is a relational database that does not natively support horizontal scaling for key-value workloads; scaling requires manual sharding or read replicas, and it cannot achieve single-digit millisecond latency at massive scale without significant overhead. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries, not for low-latency key-value operations; it uses columnar storage and is not designed for real-time read/write workloads. Option D is wrong because Amazon ElastiCache for Redis is an in-memory cache, not a durable database; while it offers sub-millisecond latency, it lacks built-in multi-AZ replication for persistence and is typically used as a caching layer, not as the primary data store for player profiles and session state.

718
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce a policy that prevents any user, including the root user, in any member account from disabling the 'Block Public Access' setting on Amazon S3 buckets. The policy must be centrally managed and automatically applied to all existing and future member accounts. Which AWS feature should the security team use?

A.AWS Identity and Access Management (IAM) policy
B.AWS Service Control Policy (SCP)
C.AWS Config rule with automatic remediation
D.AWS Trusted Advisor
AnswerB

SCPs are a feature of AWS Organizations that allow you to centrally manage permissions for all accounts in the organization. They can deny specific actions (like disabling S3 Block Public Access) for all users, including the root user, in every member account. SCPs are automatically applied to all existing and future accounts in the organizational unit to which they are attached, meeting all the requirements.

Why this answer

AWS Service Control Policies (SCPs) are the correct choice because they allow central management of permissions across all accounts in an AWS Organization. SCPs can explicitly deny actions like s3:PutBucketPublicAccessBlock at the root, OU, or account level, and they apply to all principals, including the root user, in member accounts. SCPs are automatically inherited by new accounts added to the organization, ensuring consistent enforcement without per-account configuration.

Exam trap

The trap here is that candidates often confuse AWS Config with a preventive control, but Config is detective and reactive, not preventive, and cannot block the root user or centrally enforce policies across accounts like an SCP can.

How to eliminate wrong answers

Option A is wrong because IAM policies are account-specific and cannot be centrally applied across multiple accounts; they also cannot restrict the root user. Option C is wrong because AWS Config rules can detect noncompliant resources and trigger remediation, but they do not prevent the action from being taken in the first place and can be bypassed by users with sufficient permissions; they also do not apply to the root user. Option D is wrong because AWS Trusted Advisor is an advisory tool that provides recommendations and best practice checks, not an enforcement mechanism to block API calls.

719
MCQmedium

A company manages multiple AWS accounts under AWS Organizations. The security team wants to enforce a policy that prohibits launching Amazon EC2 instances of instance families g (GPU) and p (GPU) across all accounts to control costs. The team needs a centralized method to block these instance types at the organization level, and the policy must be applied proactively before any instance is launched. Which AWS solution should the team use?

A.Create an AWS IAM policy with a Deny effect for ec2:RunInstances where the instance type starts with 'g' or 'p' and attach it to a specific IAM role in each account.
B.Use an AWS Config managed rule to detect GPU instance launches and trigger an auto-remediation action that terminates the instances.
C.Apply an AWS Organizations Service Control Policy (SCP) that denies ec2:RunInstances when the requested instance type belongs to the g or p families.
D.Use AWS Trusted Advisor cost optimization checks to identify GPU instances and then manually disable them in each account.
AnswerC

SCPs are permission guardrails that can be applied at the organization, organizational unit, or account level. They proactively deny API actions before the resource is created, making them ideal for enforcing restrictions like prohibited instance types across multiple accounts. This is the correct centralized and preventive solution.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) are the only centralized mechanism that can proactively deny API actions across all accounts in the organization before the action occurs. By creating an SCP with a Deny effect on ec2:RunInstances where the instance type matches 'g*' or 'p*', the security team enforces the restriction at the root, OU, or account level, preventing any user or role from launching GPU instances regardless of their IAM permissions.

Exam trap

The trap here is confusing reactive services like AWS Config with preventive controls; candidates often pick Option B because it 'detects and fixes' the issue, but the question explicitly requires a proactive block before launch, which only SCPs or IAM permission boundaries can achieve at the organization level.

How to eliminate wrong answers

Option A is wrong because IAM policies attached to a role in each account are not centralized—they must be manually deployed per account and can be overridden by other IAM policies that allow the action, plus they do not block actions by the root user or users with full admin access. Option B is wrong because AWS Config is a detective service that reacts after the instance is launched, not a preventive control; auto-remediation via Lambda or Systems Manager can terminate instances, but the instance will have already run and incurred costs, violating the proactive requirement.

720
MCQmedium

A company is planning to deploy a multi-tier web application on AWS. The architecture includes Amazon EC2 instances, an Application Load Balancer, an Amazon RDS database, and security groups. The company wants to define and provision these resources as reusable, version-controlled infrastructure so they can consistently deploy the same environment to development, testing, and production accounts. The solution should allow the team to use JSON or YAML templates to describe the resources and their dependencies. Which AWS service should the company use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerB

AWS CloudFormation is an infrastructure as code service that enables you to model and provision AWS resources using templates written in JSON or YAML. These templates can be stored in version control systems, making it possible to deploy identical environments across multiple accounts and regions consistently.

Why this answer

AWS CloudFormation is the correct service because it allows you to define and provision AWS infrastructure as code using JSON or YAML templates. This enables version-controlled, repeatable deployments across multiple accounts (development, testing, production) by describing resources like EC2 instances, ALBs, RDS databases, and security groups along with their dependencies in a declarative template.

Exam trap

The trap here is that candidates confuse AWS Elastic Beanstalk's environment configuration files (e.g., .ebextensions) with infrastructure-as-code, but Elastic Beanstalk does not provide the same level of resource-level control, dependency management, or cross-account stack deployment as CloudFormation.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) that abstracts infrastructure management and does not provide native JSON/YAML template-based resource definition for version-controlled, reusable infrastructure across accounts; it focuses on application deployment and scaling rather than granular infrastructure-as-code. Option C is wrong because AWS OpsWorks is a configuration management service that uses Chef and Puppet, not JSON/YAML templates for defining AWS resources, and it is designed for managing server configurations and application stacks, not for declarative infrastructure provisioning with dependency resolution.

721
MCQmedium

A company is evaluating a migration of its on-premises virtualized workloads to AWS. The CFO wants to understand the potential cost savings over a three-year period by shifting from capital expenditure (hardware purchases) to operational expenditure (pay-as-you-go). The team needs a tool that can provide a detailed comparison of the total cost of ownership (TCO) for the current on-premises environment versus running the same workloads on AWS, including hardware, software, labor, and facilities costs. Which AWS tool should the team use?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Total Cost of Ownership (TCO) Calculator
D.AWS Trusted Advisor
AnswerC

The AWS TCO Calculator is designed to compare the total cost of ownership of an existing on-premises environment with AWS, factoring in hardware, software, labor, facilities, and other costs. It produces a detailed report that helps organizations estimate the cost savings of migrating to AWS.

Why this answer

The AWS Total Cost of Ownership (TCO) Calculator is specifically designed to compare the costs of running workloads on-premises versus on AWS. It allows users to input details about their current on-premises infrastructure—including hardware, software, labor, and facilities—and generates a detailed side-by-side cost comparison over a specified period (e.g., three years). This directly addresses the CFO's need to understand potential savings from shifting from capital expenditure (CapEx) to operational expenditure (OpEx).

Exam trap

The trap here is that candidates confuse the TCO Calculator with AWS Cost Explorer, assuming both provide cost comparisons, but Cost Explorer only shows historical AWS spend, not a forward-looking comparison with on-premises costs.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a tool for setting custom cost and usage budgets and sending alerts when thresholds are exceeded; it does not provide a comparative TCO analysis between on-premises and AWS environments. Option B is wrong because AWS Cost Explorer is a tool for visualizing, understanding, and managing AWS costs and usage over time, but it only analyzes costs already incurred on AWS, not a comparison with on-premises costs.

722
MCQmedium

A social media company hosts a web application on AWS that serves millions of users worldwide. The application delivers static content such as images, videos, and CSS files. To improve load times for users in different geographic regions, the company wants to cache this content at AWS locations that are as close to end users as possible. Which component of the AWS global infrastructure should the company use?

A.Availability Zones
B.Edge Locations
C.Regional Edge Caches
D.AWS Direct Connect Locations
AnswerB

Edge Locations are a global network of data centers used by Amazon CloudFront to cache copies of content closer to users. By serving content from the nearest edge location, the company reduces latency and improves load times for static assets. This is the correct solution for the described requirement.

Why this answer

Edge Locations are part of the AWS CloudFront content delivery network (CDN) and are specifically designed to cache static content (e.g., images, videos, CSS) at geographically dispersed points of presence (PoPs) close to end users. This reduces latency by serving content from the nearest edge location rather than the origin server, directly addressing the requirement to improve load times for a global user base.

Exam trap

The trap here is that candidates often confuse Regional Edge Caches (which are a mid-tier cache layer) with Edge Locations (the user-facing cache), leading them to select Option C instead of B, even though the question explicitly asks for the component 'closest to end users.'

How to eliminate wrong answers

Option A is wrong because Availability Zones are distinct, isolated locations within an AWS Region that provide high availability and fault tolerance for compute and storage resources, not for caching content at edge locations close to users. Option C is wrong because Regional Edge Caches are a layer of caching between origin servers and Edge Locations, used to reduce load on the origin for less-frequently accessed content, but they are not the closest to end users; Edge Locations are the primary cache layer for user-facing content. Option D is wrong because AWS Direct Connect Locations are physical co-location facilities where customers establish dedicated network connections to AWS, not for caching or content delivery.

723
MCQmedium

A company uses AWS Organizations with multiple accounts. The finance team needs to generate custom cost and usage reports that include every line item, all user-defined cost allocation tags, and resource-level details. The team also needs the ability to query the data using standard SQL tools for in-depth analysis. Which AWS feature should the team use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
AnswerC

AWS Cost and Usage Report (CUR) delivers the most detailed cost and usage data, including all tags and resource-level line items. It can be stored in Amazon S3 and queried with Amazon Athena for SQL-based analysis, making it ideal for custom reporting needs.

Why this answer

The AWS Cost and Usage Report (CUR) is the only AWS feature that provides comprehensive, granular cost and usage data including every line item, all user-defined cost allocation tags, and resource-level details. It delivers this data to an Amazon S3 bucket in a CSV or Parquet format, which can then be queried using standard SQL tools via Amazon Athena or other SQL engines. This directly matches the requirement for custom reports and SQL-based analysis.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's filtering and grouping capabilities with the raw, line-item export functionality of the Cost and Usage Report, not realizing that Cost Explorer cannot provide every line item with all user-defined tags or support direct SQL querying.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting tool that tracks spending against thresholds, not a reporting service that generates detailed line-item data with tags and resource details. Option B is wrong because AWS Cost Explorer provides pre-built visualizations and filters for cost data, but it does not export every line item with all user-defined tags and cannot be queried directly with standard SQL tools. Option D is wrong because AWS Trusted Advisor is an optimization service that inspects your environment for cost savings, performance, and security best practices, and it does not generate cost and usage reports or support SQL queries.

724
MCQmedium

A company wants to minimise the environmental impact of their AWS workloads by choosing the right instance sizes, maximising utilisation, using graviton processors for better performance per watt, and designing architectures that reduce total compute needed. Which AWS Well-Architected Framework pillar guides these decisions?

A.Cost Optimisation
B.Performance Efficiency
C.Sustainability
D.Reliability
AnswerC

The Sustainability pillar focuses on minimising the environmental impact of running cloud workloads. This includes maximising instance utilisation, using energy-efficient hardware (like Graviton), and eliminating unnecessary compute.

Why this answer

The Sustainability pillar of the AWS Well-Architected Framework focuses on minimizing the environmental impact of cloud workloads. Choosing right-sized instances, maximizing utilization, using Graviton processors for better performance per watt, and designing architectures to reduce total compute directly align with sustainability goals by reducing energy consumption and carbon footprint.

Exam trap

The trap here is that candidates may confuse the Sustainability pillar with Cost Optimization because both involve reducing waste, but Sustainability specifically targets environmental impact and energy efficiency, not just financial savings.

How to eliminate wrong answers

Option A is wrong because Cost Optimization focuses on reducing costs and avoiding unnecessary spending, not specifically on environmental impact or performance per watt. Option B is wrong because Performance Efficiency focuses on using computing resources efficiently to meet system requirements, but it does not explicitly address environmental sustainability or carbon footprint reduction. Option D is wrong because Reliability focuses on ensuring workloads perform their intended functions correctly and consistently, not on minimizing environmental impact through instance sizing or processor choice.

725
MCQeasy

Which AWS service provides an immutable, cryptographically verifiable transaction log for tracking the complete history of changes to application data?

A.Amazon Managed Blockchain
B.Amazon RDS with point-in-time recovery
C.Amazon QLDB (Quantum Ledger Database)
D.AWS CloudTrail
AnswerC

QLDB provides an immutable, cryptographically verifiable journal — every data change is recorded with a hash, making the complete history tamper-evident.

Why this answer

Amazon QLDB (Quantum Ledger Database) provides an immutable, append-only journal that records every change to application data. It uses cryptographic hashing to chain entries together, creating a verifiable history that cannot be altered or deleted, which is exactly what the question describes.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's immutable logging of API calls with an application-level immutable transaction log, but CloudTrail does not track application data changes or provide a cryptographically verifiable ledger.

How to eliminate wrong answers

Option A is wrong because Amazon Managed Blockchain is a fully managed service for creating and managing blockchain networks using Hyperledger Fabric or Ethereum, which is decentralized and requires consensus among multiple parties, not a single immutable ledger for application data. Option B is wrong because Amazon RDS with point-in-time recovery provides the ability to restore a database to any second within a retention period, but it does not offer an immutable, cryptographically verifiable transaction log; changes can be overwritten or deleted. Option D is wrong because AWS CloudTrail records API activity for governance and auditing, but it captures AWS management events, not application-level data changes, and its logs can be configured to be immutable but are not inherently a cryptographically chained ledger.

726
MCQmedium

A company is running their application on EC2 instances behind an Application Load Balancer. They want to ensure the application remains available during an AZ outage. What is the minimum architecture configuration required?

A.Multiple EC2 instances in a single Availability Zone
B.EC2 instances distributed across at least two Availability Zones behind an ALB
C.A single large EC2 instance with enhanced networking
D.EC2 instances in a single Region across multiple subnets in the same AZ
AnswerB

Deploying instances across multiple AZs with an ALB spanning those AZs ensures that an outage in one AZ doesn't take down the application — traffic automatically routes to the surviving AZ.

Why this answer

To remain available during an Availability Zone outage, the application must be resilient to the failure of an entire AZ. An Application Load Balancer distributes traffic across healthy targets, but it cannot route to instances in a failed AZ. Therefore, EC2 instances must be deployed in at least two separate Availability Zones, and the ALB must be configured with subnets in those same AZs to route traffic and perform health checks, ensuring continuous availability if one AZ goes down.

Exam trap

The trap here is that candidates often confuse 'multiple subnets' with 'multiple Availability Zones,' assuming that deploying across subnets within the same AZ provides fault tolerance, but subnets are AZ-scoped and do not offer AZ-level redundancy.

How to eliminate wrong answers

Option A is wrong because multiple EC2 instances in a single Availability Zone cannot survive an outage of that AZ; all instances would be affected simultaneously. Option C is wrong because a single large EC2 instance, even with enhanced networking, represents a single point of failure and cannot provide high availability across AZs. Option D is wrong because multiple subnets within the same Availability Zone do not provide fault isolation; an AZ outage would still take down all instances regardless of subnet count.

727
MCQmedium

A company is developing a REST API that processes customer orders. The API receives JSON payloads via HTTPS and performs short-lived operations, such as data validation, transformation, and writing to a database. The workload is very unpredictable: sometimes there are long periods of inactivity, but during flash sales the API may receive thousands of requests per second for a few minutes. The company wants a fully managed compute service that automatically scales to handle any request volume, charges only for the compute time used during execution, and requires no server provisioning or ongoing infrastructure management. Which AWS service should the company use?

A.Amazon EC2 with Auto Scaling
B.AWS Lambda
C.Amazon ECS with Fargate launch type
D.Amazon Lightsail
AnswerB

AWS Lambda is a serverless compute service that executes code in response to events. It automatically scales to handle any volume of requests, charging only for the compute time consumed during execution (per millisecond). No servers to provision or manage, making it ideal for unpredictable, short-lived workloads.

Why this answer

AWS Lambda is the correct choice because it is a fully managed, event-driven compute service that automatically scales from zero to thousands of concurrent executions in response to incoming HTTPS requests. It charges only for the compute time consumed during execution (in 1ms increments), requires no server provisioning, and is ideal for short-lived operations like data validation, transformation, and database writes. The unpredictable, bursty workload pattern—long idle periods followed by flash sales—maps perfectly to Lambda's pay-per-use model and automatic scaling.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'container orchestration' and select ECS with Fargate, overlooking that Lambda is the only option that charges strictly per execution (not per provisioned resource) and automatically scales to zero during inactivity without any ongoing cost.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Auto Scaling requires provisioning and managing virtual servers (instances), ongoing patching, and capacity planning; it does not charge only for compute time used during execution (you pay for running instances even when idle), and it is not a fully managed service in the sense of zero infrastructure management. Option C is wrong because Amazon ECS with Fargate launch type, while serverless and fully managed, still requires you to define task definitions, manage container images, and pay for the duration that containers are provisioned (even if idle), and it is not optimized for sub-second, short-lived operations triggered by individual HTTP requests—it is better suited for long-running or batch container workloads.

728
MCQmedium

According to the AWS Shared Responsibility Model, which of the following is the customer's responsibility when using AWS Lambda?

A.Patching the Lambda execution environment and runtime
B.Managing the underlying servers that run Lambda functions
C.Writing secure function code and managing IAM permissions for the function
D.Ensuring Lambda scales automatically during traffic spikes
AnswerC

Customers are responsible for their function's code quality and security, the IAM role permissions granted to the function, and the security of data processed by the function.

Why this answer

Under the AWS Shared Responsibility Model, AWS manages the security of the cloud, including the Lambda execution environment, runtime, and underlying servers. The customer is responsible for security in the cloud, which includes writing secure function code and managing IAM permissions to control access to the function and its resources. Option C correctly identifies this customer responsibility.

Exam trap

The trap here is that candidates may confuse operational responsibilities (like patching or scaling) with customer responsibilities, assuming they must manage runtime updates or scaling configuration, when in fact AWS handles these automatically for Lambda.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for patching the Lambda execution environment and runtime, not the customer. Option B is wrong because AWS manages the underlying servers that run Lambda functions as part of the infrastructure-as-a-service abstraction. Option D is wrong because AWS automatically scales Lambda functions in response to traffic spikes; the customer does not need to manage scaling.

729
MCQmedium

A company stores sensitive documents in Amazon S3. The security team wants a preventive control that ensures no S3 bucket in the AWS account can ever be configured with a bucket policy that grants public read or write access. This control must apply automatically to all newly created buckets and to existing buckets, without requiring changes to individual bucket policies. Which AWS feature should the security team use?

A.AWS Config with the s3-bucket-public-read-prohibited managed rule
B.Amazon S3 Block Public Access at the account level
C.AWS Identity and Access Management (IAM) policy with a condition that denies s3:PutBucketPolicy for any action that grants public access
D.Amazon GuardDuty with a finding suppression rule for S3 public access events
AnswerB

Amazon S3 Block Public Access provides centralized controls that can be applied at the account level. When enabled, these settings override any bucket-level policies that grant public access, preventing both new and existing buckets from ever being made publicly accessible. This is the preventive control described in the scenario.

Why this answer

Amazon S3 Block Public Access at the account level is a preventive control that, when enabled, overrides any bucket policies or ACLs that would grant public read or write access. It applies automatically to all existing and newly created buckets in the account without requiring changes to individual bucket policies. This meets the security team's requirement for a blanket, account-wide preventive control.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like S3 Block Public Access), or they assume an IAM policy can universally block public access without considering that it must be attached to every principal and does not cover ACL-based public access.

How to eliminate wrong answers

Option A is wrong because AWS Config with the s3-bucket-public-read-prohibited managed rule is a detective control, not a preventive control; it can detect and alert on noncompliant buckets but does not block the creation or modification of public access. Option C is wrong because an IAM policy with a condition that denies s3:PutBucketPolicy for any action that grants public access can be bypassed if the bucket policy is set by a user with full administrative privileges or if public access is granted via ACLs instead of bucket policies, and it does not automatically apply to all principals without explicit attachment.

730
MCQmedium

A company is building a real-time chat application that relies on long-lived WebSocket connections between clients and backend servers. The application runs on Amazon EC2 instances across multiple Availability Zones. The company needs a load balancer that can distribute incoming WebSocket traffic while preserving the connection and supporting sticky sessions. Which AWS load balancing solution should the company use?

A.Application Load Balancer
B.Network Load Balancer
C.Classic Load Balancer
D.Amazon Route 53
AnswerA

Correct. ALB supports WebSocket protocol natively and provides sticky sessions (session affinity) using cookies or source IP. It operates at Layer 7, making it ideal for real-time chat applications that require persistent connections and application-aware routing.

Why this answer

The Application Load Balancer (ALB) supports WebSocket connections natively at the application layer (Layer 7) and can maintain persistent connections via its built-in sticky session (session affinity) feature, which uses a cookie to bind a client to a specific target for the duration of the WebSocket session. This makes ALB the correct choice for a real-time chat application requiring long-lived WebSocket connections and sticky sessions across multiple Availability Zones.

Exam trap

The trap here is that candidates often assume Network Load Balancer is the only option for WebSocket because it operates at Layer 4 and handles long-lived TCP connections, but they overlook that ALB explicitly supports WebSocket at Layer 7 and provides the required sticky session feature via cookies, which NLB lacks.

How to eliminate wrong answers

Option B (Network Load Balancer) is wrong because although NLB supports WebSocket connections at Layer 4 and preserves long-lived connections, it does not natively support application-level sticky sessions (session affinity) based on cookies; NLB's stickiness is limited to source IP hash, which is not as granular or reliable for WebSocket session persistence. Option C (Classic Load Balancer) is wrong because it does not support WebSocket connections at all; it operates at Layer 4/7 but lacks native WebSocket protocol support, and its sticky session feature is limited to HTTP/HTTPS traffic using duration-based cookies, not suitable for WebSocket upgrades.

731
MCQeasy

Which AWS service enables you to create a private, isolated network within the AWS Cloud where you can define your own IP address range, subnets, and routing?

A.AWS Direct Connect
B.Amazon VPC
C.Amazon Route 53
D.AWS Transit Gateway
AnswerB

VPC provides the isolated virtual network in the cloud where customers control IP addressing, subnet design, routing, and connectivity options.

Why this answer

Amazon VPC (Virtual Private Cloud) enables you to provision a logically isolated section of the AWS Cloud where you can define your own IP address range using CIDR notation (e.g., 10.0.0.0/16), create subnets across Availability Zones, and configure custom route tables to control traffic flow. This service gives you full control over your virtual networking environment, including the selection of private and public IP addresses, network gateways, and security settings.

Exam trap

The trap here is that candidates often confuse AWS Transit Gateway with Amazon VPC, thinking Transit Gateway provides the isolated network itself, when in fact Transit Gateway only connects multiple VPCs and does not allow you to define IP ranges or subnets within a single isolated network.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection service that links your on-premises data center to AWS, not a service for creating private, isolated networks with custom IP ranges and subnets. Option C is wrong because Amazon Route 53 is a DNS (Domain Name System) web service that translates domain names to IP addresses and manages traffic routing, not a service for defining IP address ranges or subnets. Option D is wrong because AWS Transit Gateway acts as a central hub to interconnect VPCs and on-premises networks, but it does not itself allow you to define IP address ranges, subnets, or routing within a single isolated network—that is the role of Amazon VPC.

732
MCQeasy

Which AWS Cost Management tool provides daily forecasts and allows customers to track Reserved Instance and Savings Plans utilization and coverage?

A.AWS Pricing Calculator
B.AWS Cost and Usage Report
C.AWS Cost Explorer
D.AWS Budgets
AnswerC

Cost Explorer provides built-in views for daily cost trends, RI/Savings Plans utilization and coverage, forecasts, and right-sizing recommendations.

Why this answer

AWS Cost Explorer provides daily cost and usage forecasts for up to 12 months ahead and includes dedicated views for Reserved Instance (RI) and Savings Plans utilization and coverage. This allows customers to monitor how much of their reserved capacity is being used and whether their commitments are adequately covering actual usage.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's forecasting and utilization tracking capabilities with AWS Budgets, which only provides alerting based on thresholds, not the detailed utilization and coverage analysis for Reserved Instances and Savings Plans.

How to eliminate wrong answers

Option A is wrong because AWS Pricing Calculator is a tool for estimating future costs based on expected usage, not for tracking actual utilization or providing forecasts of existing Reserved Instance or Savings Plans coverage. Option B is wrong because AWS Cost and Usage Report (CUR) is a detailed, raw data export of cost and usage metrics, but it does not offer built-in daily forecasts or pre-built RI/Savings Plans utilization and coverage dashboards. Option D is wrong because AWS Budgets allows you to set cost and usage thresholds and receive alerts, but it does not provide daily forecasts or track RI/Savings Plans utilization and coverage directly.

733
MCQeasy

A company needs to provide business users with self-service business intelligence dashboards and visualizations of data from multiple AWS data sources. Which AWS service enables this?

A.Amazon Athena
B.Amazon Redshift
C.Amazon QuickSight
D.Amazon EMR
AnswerC

QuickSight provides self-service BI with drag-and-drop dashboard creation, ML-powered insights, and pay-per-session pricing for business users.

Why this answer

Amazon QuickSight is a fully managed, serverless business intelligence (BI) service designed specifically for creating interactive dashboards and visualizations. It natively integrates with multiple AWS data sources (e.g., Amazon S3, Amazon RDS, Amazon Redshift, Amazon Athena) and provides self-service capabilities for business users via a web-based interface, without requiring any infrastructure management.

Exam trap

The trap here is that candidates often confuse data querying or warehousing services (Athena, Redshift) with visualization tools, assuming that because a service can run SQL or store data, it can also generate dashboards—but QuickSight is the only AWS-native BI service for self-service visualizations.

How to eliminate wrong answers

Option A is wrong because Amazon Athena is an interactive query service that allows you to analyze data directly in Amazon S3 using standard SQL, but it does not provide built-in dashboarding or visualization capabilities—it only returns query results as raw data. Option B is wrong because Amazon Redshift is a fully managed petabyte-scale data warehouse optimized for complex analytical queries, but it is not a BI visualization tool; it serves as a data source for BI tools like QuickSight. Option D is wrong because Amazon EMR is a big data platform for processing vast amounts of data using frameworks like Apache Spark and Hadoop, but it is designed for data engineering and transformation, not for creating self-service dashboards or visualizations.

734
MCQmedium

An enterprise is planning their cloud adoption strategy. They want to understand how cloud adoption typically progresses. Which framework provides a structured approach to cloud adoption organized around business, people, governance, platform, security, and operations perspectives?

A.AWS Well-Architected Framework
B.AWS Cloud Adoption Framework (CAF)
C.AWS Migration Hub
D.AWS Trusted Advisor
AnswerB

CAF organizes cloud adoption guidance into six perspectives (Business, People, Governance, Platform, Security, Operations) for different stakeholders at different stages of adoption.

Why this answer

The AWS Cloud Adoption Framework (CAF) is specifically designed to guide organizations through their cloud adoption journey by providing structured guidance across six core perspectives: Business, People, Governance, Platform, Security, and Operations. Unlike the Well-Architected Framework, which focuses on architectural best practices for building workloads, the CAF addresses the broader organizational and process changes needed for successful cloud adoption.

Exam trap

The trap here is that candidates often confuse the AWS Well-Architected Framework (which deals with workload architecture) with the AWS Cloud Adoption Framework (which deals with organizational adoption strategy), because both use the term 'framework' and address multiple perspectives, but they serve fundamentally different purposes.

How to eliminate wrong answers

Option A is wrong because the AWS Well-Architected Framework is focused on evaluating and improving cloud workload architectures based on six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability), not on organizing cloud adoption around business, people, governance, platform, security, and operations perspectives. Option C is wrong because AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions, not a framework for structuring the overall cloud adoption strategy. Option D is wrong because AWS Trusted Advisor is an automated tool that inspects your AWS environment and provides recommendations for cost optimization, performance, security, fault tolerance, and service limits, not a framework for guiding cloud adoption from a business and organizational perspective.

735
MCQmedium

A healthcare company stores patient records in Amazon S3 buckets across multiple accounts and needs to automatically discover and classify any objects containing personally identifiable information (PII) or protected health information (PHI). Which AWS service provides this capability?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Inspector
D.Amazon Macie
AnswerD

Macie uses machine learning to automatically discover and classify sensitive data including PII and PHI in Amazon S3. It generates findings when it detects sensitive data, allowing the security team to take action.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data stored in Amazon S3. It is specifically designed to identify personally identifiable information (PII) and protected health information (PHI) by analyzing object metadata and content, making it the correct choice for this healthcare compliance use case.

Exam trap

The trap here is that candidates often confuse Amazon Macie with Amazon GuardDuty, assuming both detect threats, but GuardDuty focuses on security threats and anomalies, not on data classification or sensitive content discovery in S3 objects.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, not for data classification or sensitive content discovery in S3 objects. Option B is wrong because AWS CloudTrail records API activity and governance events for auditing, but it does not inspect or classify the contents of S3 objects for PII or PHI. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and network exposure, not for data classification in S3 buckets.

736
MCQeasy

A financial institution has regulatory requirements to store sensitive customer data on-premises in its own data center. However, it wants to use AWS for compute-intensive analytics that need to access this data. The company plans to establish a dedicated, encrypted network connection between its data center and AWS. Which cloud deployment model does this scenario describe?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Multi-cloud
AnswerC

Correct. Hybrid cloud is the integration of on-premises infrastructure (private cloud) with public cloud services. The company keeps sensitive data on-premises and extends compute capabilities to AWS, connected via a dedicated encrypted link, which is a classic hybrid cloud architecture.

Why this answer

This scenario describes a hybrid cloud deployment model because it combines on-premises infrastructure (the financial institution's own data center for storing sensitive customer data) with AWS public cloud resources (for compute-intensive analytics). The dedicated, encrypted network connection (such as AWS Direct Connect with IPSec or a VPN) securely bridges the two environments, allowing data to be accessed from AWS without being stored there, which meets regulatory requirements. Hybrid cloud is defined as a mixed computing environment where on-premises and public cloud resources are orchestrated together, often via a private network link.

Exam trap

The trap here is that candidates often confuse 'hybrid cloud' with 'multi-cloud' or 'private cloud,' but hybrid cloud specifically requires a mix of on-premises and public cloud resources connected via a private network, not just any combination of cloud providers or exclusive use of a single cloud.

How to eliminate wrong answers

Option A is wrong because public cloud refers to resources owned and operated by a third-party provider (like AWS) and accessible over the public internet, without any on-premises infrastructure integration; this scenario explicitly requires on-premises data storage. Option B is wrong because private cloud involves dedicated cloud infrastructure used exclusively by a single organization, typically hosted on-premises or by a third-party provider, but it does not involve a hybrid mix of on-premises and public cloud; here, the compute is on AWS (public cloud), not a private cloud. Option D is wrong because multi-cloud refers to using multiple public cloud providers (e.g., AWS and Azure) simultaneously, not a combination of on-premises and a single public cloud; this scenario uses only AWS for compute, not multiple public clouds.

737
MCQeasy

A company runs a web application on Amazon EC2 instances. Under the AWS Shared Responsibility Model, who is responsible for patching the operating system on the EC2 instances?

A.AWS, because they own and operate all EC2 infrastructure
B.The customer, because OS patching is in the customer's area of responsibility for IaaS services
C.Both AWS and the customer equally share this responsibility
D.A third-party managed service provider designated by AWS
AnswerB

For EC2 (IaaS), the customer is responsible for the guest OS including patching, security configuration, and updates. AWS manages the hypervisor and physical infrastructure below the OS.

Why this answer

Under the AWS Shared Responsibility Model, for Infrastructure as a Service (IaaS) like EC2, the customer is responsible for managing the guest operating system, including patching and security updates. AWS is responsible for the physical infrastructure and the hypervisor layer, but not for the OS running inside the EC2 instance. Therefore, option B is correct.

Exam trap

The trap here is that candidates often assume AWS handles all patching for EC2 because it is a managed service, but the Shared Responsibility Model clearly assigns guest OS patching to the customer for IaaS services like EC2.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for the physical infrastructure and hypervisor, but not for patching the guest OS on EC2 instances; that is the customer's responsibility under IaaS. Option C is wrong because the responsibility is not shared equally; AWS handles the host OS and hypervisor, while the customer handles the guest OS. Option D is wrong because AWS does not designate a third-party managed service provider for OS patching; customers may choose their own third-party tools, but the responsibility remains with the customer.

738
MCQmedium

A company's security policy requires that all IAM user access keys be rotated every 90 days. The security team wants to automatically identify any IAM user in the company's AWS account whose access keys are older than 90 days and trigger a notification to the security team. They need a managed AWS service that continuously evaluates the access key age against this requirement and generates findings. Which AWS service should the security team use?

A.AWS Trusted Advisor
B.AWS Config
C.Amazon Inspector
D.AWS IAM Access Analyzer
AnswerB

AWS Config is a managed service that evaluates your AWS resource configurations against desired policies. The managed rule 'access-keys-rotated' continuously checks whether active IAM access keys have been rotated within the specified maximum age (e.g., 90 days). Non-compliant resources are identified, and you can configure Amazon SNS notifications to alert the security team. This meets the requirement for continuous evaluation and automated notification.

Why this answer

AWS Config is a managed service that continuously evaluates your AWS resource configurations against desired policies (e.g., access keys older than 90 days) using managed rules like 'iam-user-unused-keys-check'. It generates compliance findings and can trigger notifications via Amazon EventBridge or SNS, meeting the requirement for continuous evaluation and alerting.

Exam trap

The trap here is that candidates confuse AWS Config's continuous compliance evaluation with AWS Trusted Advisor's one-time or periodic checks, or mistakenly think IAM Access Analyzer covers all IAM-related security checks, when it only focuses on external access analysis.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous, custom rule-based evaluation or generate findings for specific IAM access key age policies; it only reports on overall account-level security gaps like unused keys. Option C is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not IAM user access key age. Option D is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify resources shared with external entities (e.g., S3 buckets, KMS keys), not the age or rotation status of IAM user access keys.

739
MCQmedium

A company wants an automated tool that analyses their AWS account and provides recommendations across five categories: cost optimisation, performance, security, fault tolerance, and service limits. Which AWS service provides this analysis?

A.Amazon Inspector
B.AWS Config
C.AWS Trusted Advisor
D.Amazon CloudWatch
AnswerC

Trusted Advisor inspects the AWS account against a set of best practices and provides recommendations across cost optimisation, performance, security, fault tolerance, and service quotas. Higher support tiers unlock more checks.

Why this answer

AWS Trusted Advisor is the correct service because it is specifically designed to analyze an AWS account and provide recommendations across the five categories listed: cost optimization, performance, security, fault tolerance, and service limits. It evaluates resources against AWS best practices and offers actionable guidance, making it the only service that covers all these domains in a single, automated tool.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor with AWS Config or Amazon Inspector, because they all involve analysis or checks, but only Trusted Advisor provides the specific five-category recommendation framework described in the question.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for cost, performance, or service limit recommendations. Option B is wrong because AWS Config is a service for evaluating, auditing, and assessing resource configurations against desired policies, but it does not provide recommendations across the five categories; it focuses on compliance and configuration history. Option D is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not an analysis tool that generates recommendations for cost, performance, security, fault tolerance, or service limits.

740
MCQeasy

Which AWS service enables you to run containerized applications without managing the underlying servers?

A.Amazon EC2 with Docker
B.AWS Fargate
C.AWS Lambda
D.Amazon EKS on EC2
AnswerB

Fargate is serverless compute for containers — no server management required.

Why this answer

AWS Fargate is a serverless compute engine for containers that allows you to run containers without managing the underlying servers or clusters. You define your container images, CPU, memory, and networking, and Fargate automatically handles the infrastructure, including patching and scaling.

Exam trap

The trap here is that candidates confuse AWS Lambda's container image support with a full container orchestration service, or assume that any container service (like ECS or EKS) is serverless by default, when in fact only Fargate removes the server management burden.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Docker requires you to provision, configure, and manage the EC2 instances that host the Docker containers, which contradicts the 'without managing servers' requirement. Option C is wrong because AWS Lambda is designed for running code in response to events, not for running containerized applications (though Lambda now supports container images, it is still a function-as-a-service model, not a container orchestrator). Option D is wrong because Amazon EKS on EC2 requires you to manage the worker nodes (EC2 instances) that run the Kubernetes pods, so you are still responsible for server management.

741
MCQmedium

A startup is planning to build and launch a new mobile application on AWS. The team expects very low initial traffic but hopes to scale rapidly. They have a limited budget and want to avoid any upfront costs. They are unsure which AWS services they will need and want to estimate their monthly AWS charges before committing to an architecture. Additionally, they need access to technical support to help troubleshoot issues that arise during development and production, with a guaranteed response time of less than 12 hours for production-impacting issues. Which combination of AWS tool and support plan should the startup choose to meet these requirements?

A.AWS Pricing Calculator + Developer Support
B.AWS Cost Explorer + Basic Support
C.AWS Budgets + Business Support
D.AWS Total Cost of Ownership (TCO) Calculator + Enterprise Support
AnswerA

Correct. The AWS Pricing Calculator lets you estimate monthly costs for AWS services before building the architecture. The Developer Support plan offers a response time of less than 12 hours for production issues that impair the system, which meets the stated requirement. This combination is cost-effective for a startup with limited budget.

Why this answer

The AWS Pricing Calculator allows the startup to estimate monthly costs without any upfront commitment, which aligns with their need to avoid upfront costs and predict charges before architecting. The Developer Support plan provides a response time of less than 12 hours for production-impacting issues (specifically, a response time of 12 hours for impaired production systems under the Developer plan), meeting their support requirement while keeping costs low for a startup with limited budget.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (a historical analysis tool) with the AWS Pricing Calculator (a future estimation tool), and they may assume Basic Support includes support SLAs when it does not, leading them to choose Option B incorrectly.

How to eliminate wrong answers

Option B is wrong because AWS Cost Explorer is a tool for analyzing historical cost data, not for estimating future charges before committing to an architecture, and Basic Support does not include any guaranteed response times for production-impacting issues (it only provides documentation and community forums). Option C is wrong because AWS Budgets is used to set cost alerts and monitor spending, not to estimate monthly charges upfront, and Business Support provides a 1-hour response time for production-impacting issues, which exceeds the required 12-hour guarantee but is more expensive than needed. Option D is wrong because the AWS Total Cost of Ownership (TCO) Calculator is designed to compare on-premises vs.

AWS costs, not to estimate monthly AWS service charges for a new application, and Enterprise Support includes a 15-minute response time for business-critical issues, which is overkill and costly for a startup with limited budget.

742
MCQmedium

A company runs a production e-commerce application on AWS. The CIO requires that the company have access to AWS technical support with a response time of under 1 hour for critical production system failures. Additionally, the operations team wants to use AWS Trusted Advisor to get recommendations on cost optimization, performance, and security for all AWS resources. The company already pays for AWS Business Support for its development account but wants the minimum-cost support plan that meets these requirements for its production account. Which AWS Support plan should the company choose for the production account?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise Support
AnswerC

AWS Business Support provides a 1-hour response time for critical production system failures and includes full access to all AWS Trusted Advisor checks. This matches the company's requirements at a lower cost than Enterprise Support, making it the correct and most cost-effective choice.

Why this answer

AWS Business Support is the minimum plan that provides a 1-hour response time for critical production system failures and full access to AWS Trusted Advisor, including cost optimization, performance, and security checks. AWS Basic and Developer Support do not offer a 1-hour response time for critical failures, and Developer Support only provides limited Trusted Advisor checks. Therefore, Business Support meets both requirements at the lowest cost for the production account.

Exam trap

The trap here is that candidates may assume Developer Support is sufficient because it includes technical support, but they overlook the specific 1-hour response time requirement and the need for full Trusted Advisor recommendations, which only Business Support provides.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support does not provide any technical support response time guarantees or access to Trusted Advisor recommendations beyond the basic security checks. Option B is wrong because AWS Developer Support offers a maximum response time of 12 hours for critical failures, not under 1 hour, and only provides limited Trusted Advisor checks (core security checks), not full cost optimization, performance, and security recommendations.

743
Matchingmedium

Match each AWS pricing concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Pay for compute capacity by the hour/second

Significant discount for 1-3 year commitment

Unused EC2 capacity at steep discount

Flexible pricing model for compute usage

Limited free usage for new customers

Why these pairings

Understanding pricing helps optimize costs.

744
MCQmedium

A company uses Amazon GuardDuty for threat detection, Amazon Inspector for vulnerability scanning, and Amazon Macie for sensitive data discovery. The security team needs a centralized dashboard that aggregates findings from all these services, provides a security score, and tracks compliance against industry standards such as CIS AWS Foundations. Which AWS service should the security team use?

A.AWS Config
B.AWS Security Hub
C.Amazon Detective
D.AWS Trusted Advisor
AnswerB

AWS Security Hub is the correct choice. It aggregates findings from multiple AWS security services and partner integrations, provides a consolidated dashboard with a security score, and supports compliance standards like CIS AWS Foundations.

Why this answer

AWS Security Hub is the correct service because it provides a centralized dashboard that aggregates findings from multiple AWS security services, including GuardDuty, Inspector, and Macie. It also offers a consolidated security score and supports automated compliance checks against standards like CIS AWS Foundations, making it the ideal choice for this use case.

Exam trap

The trap here is that candidates may confuse AWS Security Hub with AWS Config, thinking Config provides a centralized findings dashboard, but Config focuses on resource configuration compliance rather than aggregating security service findings.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and auditing resource configurations against desired policies, not for aggregating security findings or providing a security score. Option C is wrong because Amazon Detective is designed for investigating and analyzing security incidents by correlating data from multiple sources, but it does not provide a centralized dashboard with a security score or compliance tracking against standards like CIS AWS Foundations. Option D is wrong because AWS Trusted Advisor offers best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate findings from GuardDuty, Inspector, and Macie, nor does it track compliance against industry standards.

745
MCQmedium

A company manages 20 AWS accounts under AWS Organizations. The security team wants to ensure that no security group in any account allows unrestricted inbound RDP access (0.0.0.0/0). They need to automatically detect any security group that violates this rule and receive a notification. They also want to track the configuration history of security group changes for forensic analysis. Which AWS service should they use to achieve these requirements?

A.AWS Config
B.Amazon GuardDuty
C.AWS Security Hub
D.AWS CloudTrail
AnswerA

AWS Config records configuration changes of supported AWS resources, evaluates them against configurable rules (including managed rules for security group permissions), and provides a history of changes. It integrates with Amazon SNS to send notifications when resources are noncompliant.

Why this answer

AWS Config is the correct service because it provides managed rules like 'restricted-common-ports' or a custom Lambda rule to detect security groups with inbound RDP access from 0.0.0.0/0. It continuously evaluates resource configurations, sends Amazon SNS notifications on noncompliant resources, and automatically records a configuration history of all security group changes, enabling forensic analysis. This directly meets the requirements for detection, notification, and historical tracking.

Exam trap

The trap here is that candidates confuse AWS Security Hub's aggregation and dashboard capabilities with the underlying compliance evaluation and history recording that only AWS Config provides, leading them to choose Security Hub instead of the service that actually performs the detection and tracking.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not for evaluating security group configurations against compliance rules or tracking configuration history. Option C (AWS Security Hub) is wrong because it aggregates findings from multiple services (including AWS Config) and provides a centralized view, but it does not itself perform the continuous compliance evaluation or maintain the configuration history of security groups; it relies on AWS Config for those capabilities.

746
MCQmedium

A company currently uses the AWS Basic Support plan. The CTO wants to access the complete set of AWS Trusted Advisor checks, including those related to cost optimization and performance. Additionally, the CTO requires a guaranteed response time of less than 15 minutes for critical business-impairing issues. Which AWS Support plan should the company choose to meet all of these requirements?

A.AWS Business Support
B.AWS Developer Support
C.AWS Enterprise Support
D.AWS Basic Support
AnswerC

Enterprise Support provides the full set of Trusted Advisor checks (including cost optimization and performance) and guarantees a response time of under 15 minutes for critical business-impairing issues. This plan meets both requirements stated by the CTO.

Why this answer

The AWS Enterprise Support plan is the only plan that provides access to the complete set of AWS Trusted Advisor checks, including cost optimization and performance checks, along with a guaranteed response time of less than 15 minutes for critical business-impairing issues. The Business Support plan offers a 15-minute response time for critical issues but only includes core Trusted Advisor checks, not the full set. The Developer Support plan lacks both the full Trusted Advisor checks and the critical response time guarantee.

Exam trap

The trap here is that candidates often assume AWS Business Support includes the complete Trusted Advisor checks because it offers a 15-minute critical response time, but the full check set is exclusive to Enterprise Support.

How to eliminate wrong answers

Option A is wrong because AWS Business Support provides a 15-minute response time for critical issues but only includes core Trusted Advisor checks (service limits, security groups, and IAM use), not the complete set covering cost optimization and performance. Option B is wrong because AWS Developer Support does not include a guaranteed response time of less than 15 minutes for critical issues (its fastest response is <1 hour for general guidance) and only provides core Trusted Advisor checks, not the full set.

747
MCQmedium

Which AWS service provides a central place to manage security alerts and automate compliance checks across an AWS Organization?

A.Amazon GuardDuty
B.AWS Security Hub
C.AWS Trusted Advisor
D.AWS Config
AnswerB

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools, and runs automated compliance standard checks across the organization.

Why this answer

AWS Security Hub is the correct answer because it provides a single, central location for aggregating, organizing, and prioritizing security alerts (findings) from multiple AWS services (like Amazon GuardDuty, Amazon Inspector, and AWS Macie) and third-party tools. It also enables automated compliance checks against standards such as CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices across all accounts in an AWS Organization, using built-in or custom controls.

Exam trap

The trap here is that candidates often confuse AWS Security Hub with Amazon GuardDuty, thinking that GuardDuty's threat detection and alerting also covers compliance checks and centralized management of all security alerts, but GuardDuty only handles threat detection findings and lacks the multi-service aggregation and compliance automation that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, but it does not provide a central place to manage security alerts from multiple sources or automate compliance checks across an organization. Option C is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, fault tolerance, and service limits, but it does not aggregate security alerts from other services or automate compliance checks against specific standards. Option D is wrong because AWS Config is a service that evaluates your resource configurations against desired policies (using rules) and tracks configuration changes, but it does not serve as a central hub for security findings or automate compliance checks across multiple security standards.

748
MCQmedium

A development team wants to deploy a containerized microservices application on AWS. The team wants to minimize operational overhead by not managing any servers or container orchestration control plane. They also want to pay only for the compute and memory resources their containers consume, without needing to provision or scale underlying infrastructure. Which AWS compute service should the team use?

A.Amazon EC2 with Amazon ECS using the EC2 launch type
B.AWS Elastic Beanstalk with a Docker platform
C.Amazon ECS with the AWS Fargate launch type
D.AWS Lambda
AnswerC

Fargate is a serverless compute engine for containers. You define your task definitions, and Fargate runs the containers on shared, AWS-managed infrastructure. No servers to manage, and you pay only for the vCPU and memory resources consumed by your running tasks.

Why this answer

Amazon ECS with the AWS Fargate launch type is the correct choice because Fargate is a serverless compute engine that removes the need to manage servers or the container orchestration control plane. With Fargate, you define your containerized microservices and pay only for the vCPU and memory resources consumed at the task level, without provisioning or scaling underlying EC2 instances. This directly meets the team's requirement for zero operational overhead and pay-per-consumption billing.

Exam trap

The trap here is that candidates often confuse AWS Fargate with AWS Lambda, assuming both are 'serverless' for containers, but Lambda is for functions with strict execution limits and runtime constraints, while Fargate is the true serverless compute engine for containers that supports long-running processes and full Docker images.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Amazon ECS using the EC2 launch type requires you to manage and scale a cluster of EC2 instances, which introduces server management and operational overhead, contradicting the 'not managing any servers' requirement. Option B is wrong because AWS Elastic Beanstalk with a Docker platform abstracts some infrastructure but still provisions and manages underlying EC2 instances (or a load balancer) on your behalf, meaning you are paying for provisioned resources rather than only consumed compute and memory, and you do not have the granular per-container billing of Fargate. Option D is wrong because AWS Lambda is designed for short-lived, event-driven functions with a maximum execution timeout of 15 minutes and limited runtime environments, making it unsuitable for long-running containerized microservices that require persistent processes or stateful workloads.

749
MCQmedium

A development team is migrating a monolithic application to a microservices architecture. Each microservice will run in a separate container. The team wants to deploy and scale these containers without managing any underlying servers or clusters. The team also wants to pay only for the vCPU and memory resources consumed by each container, not for any idle capacity. Which AWS compute service should the team use?

A.Amazon ECS with the EC2 launch type
B.AWS Fargate
C.Amazon EKS with managed node groups
D.AWS Lambda
AnswerB

Fargate is a serverless compute engine for containers. You define the tasks and containers, and Fargate manages the infrastructure. You pay only for the vCPU and memory used by each running container, with no idle costs.

Why this answer

AWS Fargate is the correct choice because it is a serverless compute engine for containers that allows you to run containers without managing any underlying servers or clusters. With Fargate, you pay only for the vCPU and memory resources consumed by each container, not for any idle capacity, which directly matches the team's requirements.

Exam trap

The trap here is that candidates often confuse the EC2 launch type with Fargate, thinking that ECS itself is serverless, but the EC2 launch type still requires server management and pays for idle capacity, while Fargate is the truly serverless option.

How to eliminate wrong answers

Option A is wrong because Amazon ECS with the EC2 launch type requires you to manage and provision EC2 instances (the underlying servers) and you pay for the entire EC2 instance, including idle capacity, not just per-container resources. Option C is wrong because Amazon EKS with managed node groups still requires you to manage EC2 instances (the node groups) and you pay for the underlying EC2 instances, not per-container consumption. Option D is wrong because AWS Lambda is designed for event-driven, short-lived functions, not for running long-running microservices in containers; it has a maximum execution timeout of 15 minutes and does not support container-based microservices in the same way as Fargate.

750
MCQmedium

A company runs a MySQL database and wants to migrate to a cloud-native relational database that is fully managed, provides up to 5x the performance of standard MySQL, offers automated backups with point-in-time recovery, and is compatible with MySQL drivers and tools without application changes. Which AWS service meets these requirements?

A.Amazon RDS for MySQL
B.Amazon DynamoDB
C.Amazon Aurora
D.Amazon Redshift
AnswerC

Aurora is AWS's cloud-native relational database that is fully compatible with MySQL and PostgreSQL. It provides up to 5x the performance of standard MySQL, automated backups, and continuous replication to six copies across three AZs.

Why this answer

Amazon Aurora is a fully managed, MySQL-compatible relational database that delivers up to 5x the performance of standard MySQL, provides automated backups with point-in-time recovery, and is designed to work with existing MySQL drivers and tools without requiring application changes. This makes it the ideal choice for migrating a MySQL database to a cloud-native, high-performance relational database service.

Exam trap

The trap here is that candidates may confuse Amazon RDS for MySQL with Aurora, overlooking the specific performance multiplier (up to 5x) and the cloud-native architecture that distinguishes Aurora from standard MySQL on RDS.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a managed MySQL service but does not offer up to 5x the performance of standard MySQL; it runs standard MySQL engines without the performance enhancements of Aurora. Option B is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database, and is not compatible with MySQL drivers or SQL queries. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not a transactional relational database, and it is not compatible with MySQL drivers or tools.

Page 9

Page 10 of 14

Page 11