AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 751–825

1024 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 · MCQ · medium

A company has an AWS Basic Support plan. The operations team wants to use AWS Trusted Advisor to receive recommendations for cost optimization, such as identifying idle load balancers and underutilized Amazon EC2 instances. They log into the AWS Management Console and navigate to Trusted Advisor, but they only see a limited set of checks, such as S3 bucket permissions and service limits. Which action should the team take to access the complete library of Trusted Advisor checks, including the cost optimization recommendations?

A. Enable AWS Config to perform the cost optimization and underutilization checks.
B. Upgrade to a Developer Support plan.
C. Upgrade to a Business or Enterprise Support plan.
D. No action is needed; the full set of Trusted Advisor checks is already available for all AWS Support plans.

Answer: C

The full library of Trusted Advisor checks, which includes cost optimization recommendations (e.g., idle load balancers, underutilized EC2 instances), is available only to customers with a Business or Enterprise Support plan. These plans provide access to all checks across security, cost optimization, performance, and fault tolerance.

Why this answer

AWS Trusted Advisor provides a full set of checks, including cost optimization recommendations (e.g., idle load balancers, underutilized EC2 instances), only to customers with a Business or Enterprise Support plan. The Basic Support plan restricts Trusted Advisor to a limited subset of checks, such as S3 bucket permissions and service limits. Therefore, upgrading to a Business or Enterprise Support plan is required to access the complete library of checks.

Exam trap

The trap here is that candidates often assume AWS Config can perform cost optimization checks similar to Trusted Advisor, or that upgrading to a Developer plan is sufficient, when in fact only Business or Enterprise plans unlock the full Trusted Advisor check library.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for resource inventory, configuration history, and compliance auditing, not for performing Trusted Advisor's cost optimization checks; it cannot replace the Trusted Advisor checks for idle load balancers or underutilized EC2 instances. Option B is wrong because the Developer Support plan still limits Trusted Advisor to the same basic set of checks as the Basic plan; only Business or Enterprise Support plans unlock the full set of Trusted Advisor checks, including cost optimization.

752 · MCQ · medium

A company's security policy prohibits opening SSH (port 22) or RDP (port 3389) to the internet for any Amazon EC2 instance. The operations team needs a way to establish secure shell sessions to manage instances directly from the AWS Management Console without managing bastion hosts or SSH keys. Which AWS service provides this capability?

A. AWS Systems Manager Session Manager
B. AWS Certificate Manager
C. AWS CloudHSM
D. Amazon GuardDuty

Answer: A

Correct. Session Manager offers browser-based shell access to EC2 instances through the AWS Management Console or CLI, using the SSM Agent and without requiring any inbound open ports. It is designed for secure, agent-based instance management.

Why this answer

AWS Systems Manager Session Manager enables secure shell access to EC2 instances directly from the AWS Management Console without opening inbound ports (22 or 3389) or managing bastion hosts. It uses the SSM Agent and AWS Identity and Access Management (IAM) policies to establish a bidirectional connection over HTTPS (port 443), eliminating the need for SSH keys or public IP addresses. This fully satisfies the security policy requirement while providing the desired management capability.

Exam trap

The trap here is that candidates may confuse AWS Certificate Manager (a certificate provisioning service) or AWS CloudHSM (a hardware security module) with a secure access tool, when the correct answer is a systems management service that operates over HTTPS without opening traditional remote access ports.

How to eliminate wrong answers

Option B (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for securing network traffic (e.g., with Elastic Load Balancing or CloudFront) and does not provide interactive shell sessions or instance management. Option C (AWS CloudHSM) is wrong because it offers hardware-based cryptographic key storage and cryptographic operations, not remote shell access or session management for EC2 instances.

753 · MCQ · medium

A company runs a customer relationship management (CRM) application on a single Amazon RDS for PostgreSQL instance. The application experiences heavy read traffic during business hours, often causing the primary database to become overloaded with SELECT queries. The company needs a solution that offloads read queries to a separate database endpoint and provides automatic failover to a standby database in a different Availability Zone if the primary fails. Which combination of Amazon RDS features should the company use to meet these requirements?

A. Multi-AZ deployment only
B. Read Replicas only
C. Multi-AZ deployment with one or more Read Replicas
D. Cross-Region Read Replicas only

Answer: C

A Multi-AZ deployment ensures high availability with automatic failover to a standby in a different AZ. Adding Read Replicas offloads read traffic from the primary instance, reducing its load. Both features can be combined.

Why this answer

Option C is correct because it combines Multi-AZ deployment for automatic failover to a standby in a different Availability Zone with Read Replicas to offload SELECT queries to a separate database endpoint. Multi-AZ ensures high availability by synchronously replicating data to a standby instance, while Read Replicas asynchronously replicate data to handle read-heavy traffic without burdening the primary.

Exam trap

The trap here is that candidates often assume Multi-AZ alone can handle read offloading because the standby is available, but AWS explicitly prevents reads from the Multi-AZ standby to maintain consistency, making Read Replicas necessary for read scaling.

How to eliminate wrong answers

Option A is wrong because Multi-AZ deployment alone provides automatic failover and high availability but does not offload read queries; the standby is not accessible for reads. Option B is wrong because Read Replicas alone offload read traffic but do not provide automatic failover to a standby in a different Availability Zone if the primary fails.

754 · MCQ · medium

A company has committed to a 1-year Compute Savings Plan at $100/hour. During a given hour, their actual compute usage is only worth $80 at On-Demand rates. How does the Savings Plan apply?

A. You pay $80 (actual usage) and the unused $20 commitment carries over to the next hour
B. You pay the committed $100 for the hour, with $20 of the commitment being unused
C. You are refunded the $20 unused portion at end of month
D. You pay $80 discounted at the Savings Plan rate, saving even more than committed

Answer: B

Savings Plans commit you to pay a fixed hourly rate. If actual usage is below commitment, you pay the committed amount — the unused portion doesn't carry over.

Why this answer

With a Compute Savings Plan, you commit to a consistent hourly spend ($100/hour) in exchange for lower compute rates. If your actual usage in an hour is only $80 at On-Demand rates, you still pay the full $100 commitment for that hour; the unused $20 is not refunded or carried over. This is because Savings Plans require you to pay the committed amount regardless of actual usage, ensuring AWS receives the predictable revenue that funds the discount.

Exam trap

The trap here is that candidates assume unused Savings Plan commitment is either refunded or carried over, similar to a prepaid service credit, when in fact it is forfeited each hour. The question tests your understanding that Savings Plans are a commitment-based discount model, not a usage-based credit.

How to eliminate wrong answers

Option A is wrong because unused commitment does not carry over to the next hour; Savings Plans are measured and billed per hour, and any unused portion is forfeited. Option C is wrong because there is no end-of-month refund for unused Savings Plan commitment; the discount applies only to usage up to the commitment, and unused amounts are not reimbursed. Option D is wrong because the Savings Plan discount applies to the committed amount, not to actual usage; you do not pay a discounted rate on the $80 usage—you pay the full $100 commitment, and the discount reduces the effective rate for usage covered by the plan.

755 · MCQ · medium

A startup is planning to migrate its web application to AWS. The CTO wants to estimate the monthly cost of running the application on Amazon EC2 and Amazon RDS, including data transfer costs. The team has not yet created any AWS accounts or resources. They need a tool that allows them to input assumptions about instance types, storage, and data transfer to generate a detailed cost estimate. Which AWS tool should they use?

A. AWS Cost Explorer
B. AWS Budgets
C. AWS Pricing Calculator
D. AWS Trusted Advisor

Answer: C

The AWS Pricing Calculator is a free web-based tool that lets you estimate the cost of AWS services based on your specific input parameters, such as instance types, storage, and data transfer. It is ideal for planning a migration before any AWS resources are created.

Why this answer

AWS Pricing Calculator (option C) is the correct tool because it allows users to input assumptions about EC2 instance types, RDS configurations, storage, and data transfer to generate a detailed monthly cost estimate before any AWS resources are created. Unlike Cost Explorer, which requires existing usage data, the Pricing Calculator is designed for upfront cost modeling and planning.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (which requires existing usage data) with the AWS Pricing Calculator (which is specifically designed for pre-provisioning cost estimation), leading them to select Cost Explorer when no AWS account or resources exist yet.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical and current AWS spending using existing cost and usage data, and cannot generate estimates without an active account or resource usage. Option B is wrong because AWS Budgets sets cost thresholds and alerts based on actual or forecasted spending, but does not provide a cost estimation interface for hypothetical resource configurations. Option D is wrong because AWS Trusted Advisor inspects existing AWS environments for best practices in cost optimization, performance, security, and fault tolerance, and cannot produce cost estimates for resources that have not been provisioned.

756 · MCQ · medium

A company stores database passwords for their RDS instances and API keys for third-party services in their application code, which is a security risk. They want a managed service that securely stores these secrets, makes them available to applications via API, and automatically rotates database passwords. Which AWS service should they use?

A. AWS KMS
B. AWS Systems Manager Parameter Store
C. AWS Secrets Manager
D. Amazon Cognito

Answer: C

Secrets Manager stores secrets securely, provides them to applications via API (eliminating hardcoded credentials), and integrates with RDS to automatically rotate database passwords on a configurable schedule.

Why this answer

AWS Secrets Manager is the correct choice because it is a fully managed service specifically designed to securely store, retrieve, and automatically rotate secrets such as database passwords and API keys. It provides built-in integration with RDS for automatic rotation of database credentials without custom code, and it serves secrets via a secure API call, eliminating the need to hardcode secrets in application code.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation for RDS passwords, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like passwords or API keys. Option B is wrong because AWS Systems Manager Parameter Store can store secrets but lacks native automatic rotation for database passwords; it requires custom Lambda functions to implement rotation, whereas Secrets Manager provides built-in rotation. Option D is wrong because Amazon Cognito is an identity and user management service for authentication and authorization, not a secret storage or rotation service for application credentials.

757 · MCQ · medium

A media company streams live video to a global audience. The application runs on Application Load Balancers in two AWS Regions (us-east-1 and eu-west-1). The company's clients require the use of a fixed set of static IP addresses for firewall allowlisting. The company needs to route user traffic to the nearest healthy endpoint to minimize latency. Which AWS service should the company use?

A. Amazon CloudFront
B. AWS Global Accelerator
C. Network Load Balancer
D. Amazon Route 53 latency-based routing

Answer: B

AWS Global Accelerator uses the AWS global network to route user traffic to the nearest healthy endpoint, improving performance and reliability. It provides two static anycast IP addresses that remain fixed, allowing clients to add them to firewall allowlists. This meets both the latency and static IP requirements.

Why this answer

AWS Global Accelerator provides two static Anycast IP addresses that serve as fixed entry points for traffic, which are then routed over the AWS global network to the nearest healthy endpoint (e.g., Application Load Balancer in us-east-1 or eu-west-1). This minimizes latency by directing users to the closest Region while preserving the static IPs required for firewall allowlisting. Unlike CloudFront, Global Accelerator does not cache content and is optimized for TCP/UDP traffic, making it ideal for live video streaming where low latency and static IPs are critical.

Exam trap

The trap here is that candidates often mistake Amazon CloudFront's ability to use a custom origin with static IPs (via AWS WAF or origin shield) for static IPs on the client-facing side. CloudFront's edge IPs are dynamic and not suitable for firewall allowlisting, whereas Global Accelerator explicitly provides two static Anycast IPs that remain fixed.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront uses a dynamic set of IP addresses that can change over time, and it is primarily a content delivery network (CDN) for caching static and dynamic content, not for providing fixed static IPs for allowlisting. Option C is wrong because a Network Load Balancer (NLB) operates within a single AWS Region and cannot provide global routing to the nearest healthy endpoint across multiple Regions; it also does not offer static IP addresses that are shared across Regions. Option D is wrong because Amazon Route 53 latency-based routing can route users to the nearest endpoint based on latency, but it does not provide a fixed set of static IP addresses for firewall allowlisting; it relies on DNS resolution, which can change and introduces additional latency due to DNS caching.

758 · MCQ · medium

A company needs 24/7 phone and chat access to AWS support engineers, full access to all AWS Trusted Advisor checks, and a response time of less than 1 hour for production system outages. Which is the minimum AWS Support plan that meets all these requirements?

A. Basic Support
B. Developer Support
C. Business Support
D. Enterprise On-Ramp Support

Answer: C

Business Support includes 24/7 phone and chat access, full Trusted Advisor checks, a 1-hour response time for production system down, and access to the AWS Support API. This is the minimum plan meeting all stated requirements.

Why this answer

The Business Support plan is the minimum plan that provides 24/7 phone and chat access to AWS support engineers, full access to all AWS Trusted Advisor checks, and a response time of less than 1 hour for production system outages. The Basic and Developer plans lack 24/7 phone/chat and full Trusted Advisor checks, while the Enterprise On-Ramp plan offers these features but is not the minimum because Business Support already meets all requirements.

Exam trap

The trap here is that candidates often confuse Enterprise On-Ramp Support as the minimum because it includes all features, but the question asks for the 'minimum' plan, and Business Support already satisfies every requirement without the higher cost of Enterprise On-Ramp.

How to eliminate wrong answers

Option A is wrong because Basic Support provides only documentation, whitepapers, and limited Trusted Advisor checks (core checks only), with no phone/chat access or defined response times for production outages. Option B is wrong because Developer Support offers business hours email access only, no 24/7 phone/chat, and limited Trusted Advisor checks (core checks only), with a response time of less than 12 hours for production outages, not under 1 hour. Option D is wrong because Enterprise On-Ramp Support does include 24/7 phone/chat, full Trusted Advisor checks, and a 1-hour response time for production outages, but it is not the minimum plan—Business Support is the lowest tier that provides all these features.

759 · MCQ · medium

A company uses AWS for its development environment. The finance team wants to set a monthly budget of $10,000. They want to receive an email notification when the actual costs reach 80% of the budget ($8,000) and again when costs exceed the budget. The team needs a managed AWS service that can automatically send these alerts without requiring custom code or third-party tools. Which AWS service should the team use?

A. AWS Cost Explorer
B. AWS Budgets
C. AWS Trusted Advisor
D. AWS Organizations

Answer: B

AWS Budgets allows you to set custom cost and usage budgets, define alert thresholds (e.g., at 80% of budget), and automatically send email or SNS notifications when those thresholds are met or exceeded. This meets the requirement without custom code.

Why this answer

AWS Budgets is a managed service that allows you to set custom cost and usage budgets and receive alerts when your actual or forecasted costs exceed (or are forecasted to exceed) your budgeted amount. It can automatically send email notifications at specified thresholds (e.g., 80% and 100%) without requiring any custom code or third-party tools, making it the ideal solution for the finance team's requirements.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's cost analysis and forecasting capabilities with automated alerting, but Cost Explorer does not natively send proactive notifications; AWS Budgets is the correct service for threshold-based alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing, understanding, and analyzing your AWS costs and usage over time, but it does not natively send automated email alerts based on budget thresholds. Option C is wrong because AWS Trusted Advisor is a service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide budget alerting or notification capabilities.

760 · MCQ · hard

A company runs a payment processing application on AWS that must comply with the Payment Card Industry Data Security Standard (PCI DSS). An external auditor requests a copy of the AWS SOC 2 report and the PCI DSS Attestation of Compliance (AOC) to verify the security controls of the underlying AWS infrastructure. The company needs to obtain these documents directly from AWS. Which AWS service should the company use?

A. AWS Artifact
B. AWS Config
C. AWS Audit Manager
D. AWS Trusted Advisor

Answer: A

AWS Artifact is the correct service. It is a self-service portal for on-demand access to AWS compliance reports and agreements, such as SOC reports and PCI DSS Attestations of Compliance.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC 2 reports and PCI DSS Attestations of Compliance (AOC). These documents are published directly by AWS and can be downloaded from the AWS Artifact console without needing to contact AWS support, meeting the auditor's requirement for direct retrieval.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Audit Manager, mistakenly thinking Audit Manager provides the same compliance documents, when in fact Audit Manager is for creating custom audit frameworks, not for retrieving AWS's own published reports.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it is a service for recording and evaluating configuration changes of AWS resources, not for accessing compliance reports. Option C (AWS Audit Manager) is wrong because it helps automate evidence collection for internal audits, but it does not host or distribute AWS's own SOC 2 or PCI DSS AOC documents. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost, performance, security, and fault tolerance, not compliance report downloads.

761 · MCQ · easy

A retail company processes credit card payments and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to obtain an official document from AWS that details the security controls AWS has implemented to support PCI DSS compliance for services such as Amazon RDS and Amazon EC2. The document must be downloadable as a PDF for review and audit purposes. Which AWS service should the compliance officer use to retrieve this document?

A. AWS Security Hub
B. AWS Artifact
C. AWS Config
D. AWS Trusted Advisor

Answer: B

AWS Artifact is the correct service. It offers on-demand access to AWS compliance reports (e.g., PCI DSS, SOC, ISO) and agreements. Users can download these documents in PDF format to meet audit requirements.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports and security documents, including the PCI DSS compliance attestation and responsibility summary. The compliance officer can download the AWS PCI DSS compliance package as a PDF directly from the AWS Artifact console, which is specifically designed for audit and review purposes.

Exam trap

The trap here is that candidates may confuse AWS Security Hub’s ability to run PCI DSS automated checks with the need to obtain the official AWS PCI DSS attestation document, which is only available through AWS Artifact.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub aggregates security alerts and automates compliance checks against standards like PCI DSS, but it does not provide downloadable PDF documents of AWS’s own security controls. Option C is wrong because AWS Config evaluates resource configurations against rules and tracks changes, but it does not host or deliver compliance attestation documents. Option D is wrong because AWS Trusted Advisor offers best-practice recommendations for cost, performance, and security, but it does not provide official PCI DSS compliance documentation.

762 · MCQ · medium

A company runs a large-scale e-commerce platform on AWS and is preparing for a major product launch. The company needs the highest level of AWS support, including a response time of 15 minutes or less for critical business-impacting issues. Additionally, the company wants a designated Technical Account Manager (TAM) to provide proactive guidance and a personalized onboarding plan. Which AWS Support plan should the company select?

A. AWS Developer Support
B. AWS Business Support
C. AWS Enterprise On-Ramp
D. AWS Enterprise Support

Answer: D

The Enterprise Support plan is the highest level of AWS support. It provides a 15-minute response time for critical business-impacting issues and includes a designated Technical Account Manager (TAM) who offers proactive guidance, architectural best practices, and personalized support. This plan meets all the stated requirements.

Why this answer

AWS Enterprise Support is the only plan that offers a 15-minute response time for critical business-impacting issues and includes a designated Technical Account Manager (TAM) who provides proactive guidance and a personalized onboarding plan. This meets the company's requirements for the highest level of support during a major product launch.

Exam trap

The trap here is that candidates may confuse AWS Enterprise On-Ramp (which offers a TAM but a 30-minute response time) with AWS Enterprise Support (which offers a 15-minute response time and the highest level of support), or assume Business Support includes a TAM when it does not.

How to eliminate wrong answers

Option A is wrong because AWS Developer Support provides only general guidance with a response time of less than 12 hours for critical issues, no TAM, and no personalized onboarding plan. Option B is wrong because AWS Business Support offers a 1-hour response time for critical issues and does not include a designated TAM or personalized onboarding. Option C is wrong because AWS Enterprise On-Ramp provides a TAM and a response time of 30 minutes for critical issues, but not the 15-minute response time required by the company.

763 · MCQ · medium

A financial institution runs its core banking application on-premises due to regulatory requirements. It has connected its data centre to AWS using AWS Direct Connect and runs analytics workloads on AWS that access data from the on-premises systems. Which cloud deployment model does this describe?

A. Public cloud
B. Hybrid cloud
C. Private cloud
D. Multi-cloud

Answer: B

Hybrid cloud integrates on-premises or private cloud infrastructure with public cloud resources. Running core systems on-premises while using AWS for analytics, connected via Direct Connect, is textbook hybrid cloud.

Why this answer

This scenario describes a hybrid cloud deployment because the financial institution maintains its core banking application on an on-premises data center (private infrastructure) while also running analytics workloads on AWS (public cloud). The two environments are connected via AWS Direct Connect, a dedicated network link that enables secure, low-latency data transfer between the on-premises systems and AWS, allowing the analytics workloads to access on-premises data. Hybrid cloud specifically refers to the integration of on-premises private infrastructure with public cloud services, which matches this setup.

Exam trap

The trap here is that candidates may confuse hybrid cloud with multi-cloud, mistakenly thinking that using any cloud alongside on-premises is multi-cloud, but multi-cloud specifically requires the use of multiple distinct public cloud providers, not a mix of on-premises and a single public cloud.

How to eliminate wrong answers

Option A is wrong because a public cloud deployment would mean all workloads and data reside solely on AWS infrastructure, but here the core banking application remains on-premises. Option C is wrong because a private cloud deployment would involve dedicated cloud infrastructure used exclusively by the institution, either on-premises or hosted, but the analytics workloads run on AWS, which is a shared public cloud environment. Option D is wrong because multi-cloud involves using multiple public cloud providers (e.g., AWS and Azure), but this scenario uses only AWS alongside on-premises infrastructure, not multiple public clouds.

764 · MCQ · medium

A company's security team wants to automatically remediate non-compliant AWS Config rules, such as automatically enabling S3 server-side encryption on any bucket found without it. Which AWS Config feature enables this?

A. AWS Config rule compliance reporting only
B. AWS Config Rules with Automatic Remediation using SSM Automation
C. AWS Security Hub findings export to S3
D. Amazon GuardDuty threat response

Answer: B

Config's remediation actions use AWS Systems Manager Automation documents to automatically fix non-compliant resources — e.g., enabling S3 encryption or enabling VPC flow logs.

Why this answer

AWS Config Rules with Automatic Remediation using SSM Automation (Option B) is the correct feature because it allows you to associate an SSM Automation document with a non-compliant AWS Config rule. When a resource is evaluated as non-compliant, Config can automatically invoke the SSM Automation runbook to remediate the issue—for example, enabling S3 server-side encryption on a bucket that lacks it. This directly satisfies the security team's requirement for automated, policy-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance reporting (Option A) with its remediation capabilities, assuming that reporting alone can fix issues, or they mistakenly think Security Hub (Option C) or GuardDuty (Option D) can perform automated compliance remediation, when in fact those services are for aggregation and threat detection, not for executing configuration changes.

How to eliminate wrong answers

Option A is wrong because AWS Config rule compliance reporting only provides visibility into which resources are non-compliant; it does not include any mechanism to automatically remediate the non-compliant resources. Option C is wrong because AWS Security Hub findings export to S3 is a feature for centralizing security alerts and findings into an S3 bucket for analysis or archival, not for triggering automated remediation actions on AWS Config rule violations. Option D is wrong because Amazon GuardDuty threat response focuses on detecting and responding to malicious activity (e.g., compromised credentials or API calls) using threat intelligence, not on enforcing compliance rules like enabling S3 server-side encryption.

765 · MCQ · medium

A company runs a containerized application on Amazon ECS using a mix of Amazon EC2 On-Demand instances from different instance families (e.g., M5, C5, R5). The workload is consistent, and the company is willing to commit to a 1-year term to reduce costs. However, the team expects to change instance families within the next 12 months due to new hardware requirements and wants the flexibility to switch instance families without incurring a financial penalty. Which pricing option best meets these requirements?

A. Compute Savings Plans
B. EC2 Instance Savings Plans
C. Convertible Reserved Instances
D. Standard Reserved Instances

Answer: A

Correct. Compute Savings Plans apply to EC2 instance usage in any Region, regardless of instance family, and provide the flexibility to change instance families without any penalty, while offering substantial discounts over On-Demand pricing.

Why this answer

Compute Savings Plans provide the most flexibility by applying a discounted hourly commitment (e.g., $10/hour) across any EC2 instance family, region, OS, or tenancy, and also cover Fargate and Lambda usage. Since the company expects to change instance families within the 1-year term, Compute Savings Plans allow switching without penalty, unlike instance-specific plans.

Exam trap

The trap here is that candidates often confuse EC2 Instance Savings Plans with Compute Savings Plans, assuming instance-specific plans offer the same flexibility, but they fail to recognize that only Compute Savings Plans allow family changes without penalty or manual exchange.

How to eliminate wrong answers

Option B is wrong because EC2 Instance Savings Plans lock the discount to a specific instance family (e.g., M5) in a specific Region; usage on another family falls back to On-Demand rates while the hourly commitment still has to be paid. Option C is wrong because Convertible Reserved Instances can be moved to a different instance family only by exchanging them for Convertible RIs of equal or greater value, which is a manual process that may change the upfront payment, and they do not cover Fargate or Lambda. Option D is wrong because Standard Reserved Instances cannot be exchanged for a different instance family at all; the company would keep paying for capacity it no longer uses.

766
MCQmedium

A company is developing a web application that uses Node.js, Express, and a MySQL database. The development team wants to deploy the application to AWS without manually configuring Amazon EC2 instances, load balancers, or Auto Scaling groups. They want AWS to automatically manage the underlying infrastructure, monitor application health, and allow them to deploy new versions by simply uploading a zip file. Which AWS service should the team use to meet these requirements?

A.AWS Elastic Beanstalk
B.Amazon EC2 Auto Scaling
C.AWS CloudFormation
D.AWS OpsWorks
AnswerA

Correct. Elastic Beanstalk is a fully managed service that automatically provisions and manages the infrastructure for web applications, including EC2 instances, load balancers, and Auto Scaling groups. Developers simply upload their code, and Elastic Beanstalk handles the deployment, capacity provisioning, load balancing, and health monitoring.

Why this answer

AWS Elastic Beanstalk is the correct choice because it is a Platform as a Service (PaaS) offering that provisions the EC2 instances, load balancer, and Auto Scaling group for an environment from the configuration you choose. The team uploads a zip file containing the Node.js/Express application, and Elastic Beanstalk deploys it, monitors the environment through its basic or enhanced health reporting (backed by Amazon CloudWatch metrics), and manages the underlying infrastructure without manual intervention. The MySQL database can be an Amazon RDS instance created with the environment or an external one referenced through environment properties.

Exam trap

The trap here is that candidates may confuse AWS Elastic Beanstalk with AWS CloudFormation, thinking both are equally automated, but CloudFormation requires manual resource definition and does not handle application deployment or health monitoring out of the box.

How to eliminate wrong answers

Option B (Amazon EC2 Auto Scaling) is wrong because it only manages the scaling of EC2 instances based on demand; it does not provision load balancers, deploy application code from a zip file, or monitor application health at the service level, so the team would have to set up the rest of the stack by hand. Option C (AWS CloudFormation) is wrong because it is an Infrastructure as Code (IaC) service that requires the team to define every resource (EC2, load balancers, Auto Scaling groups) in a template, and it does not deploy application code from a zip file or monitor application health without additional configuration. Option D (AWS OpsWorks) is wrong because it is a configuration management service built on Chef and Puppet; the team would still have to define stacks, layers, and recipes rather than upload a zip file and let the service provision the environment.

767
MCQmedium

A company wants to review its AWS spending for the past six months to identify which services and business units are driving costs. The finance team needs to interactively examine cost trends, filter by service and account, and visualize the data without setting up complex reports. Which AWS service or tool should the company use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Cost and Usage Reports
AnswerA

AWS Cost Explorer offers a ready-to-use graphical interface to explore and analyze your AWS costs and usage over custom time periods, with filters by service, account, region, and tags. It directly meets the need for interactive trend analysis without requiring additional setup.

Why this answer

AWS Cost Explorer provides a pre-built, interactive dashboard for visualizing and analyzing cost and usage data for the past 13 months by default (more history can be enabled). You can filter and group by service, linked account (business unit), Region, tag, and time range, and drill into trends without setting up reports or writing queries. This directly meets the requirement for interactive examination of cost trends by service and account.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer (interactive visualization) with AWS Cost and Usage Reports (raw data export), assuming both provide the same interactive experience, but CUR requires additional tools like Athena or QuickSight to visualize the data.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is used to set spending limits and receive alerts when costs exceed thresholds, not for interactive exploration or visualization of historical cost trends. Option C (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, security, and performance, but does not offer interactive cost visualization or filtering by service and account. Option D (AWS Cost and Usage Reports) is wrong because it delivers raw, detailed CSV/Parquet data to an S3 bucket for programmatic analysis or integration with tools like Athena or QuickSight, but it does not provide an interactive visual interface for ad-hoc exploration.

768
MCQmedium

A startup is deploying a web application on Amazon EC2 instances across multiple Availability Zones (AZs). The architecture must ensure that the application remains fully operational and available to users even if one entire AZ fails. Which cloud computing concept does this requirement MOST directly represent?

A.Elasticity
B.Fault tolerance
C.Scalability
D.Resource pooling
AnswerB

Correct. Fault tolerance describes a system that continues operating without interruption despite the failure of one or more components. Distributing workloads across multiple Availability Zones is a key method to achieve fault tolerance in AWS.

Why this answer

Fault tolerance is the correct concept because the requirement specifies that the application must remain fully operational and available even if an entire Availability Zone fails. By deploying EC2 instances across multiple AZs and using an Elastic Load Balancer to distribute traffic, the architecture can withstand the failure of one AZ without any interruption in service, which is the essence of fault tolerance.

Exam trap

The trap here is that candidates often confuse fault tolerance with high availability, but fault tolerance specifically implies zero downtime and no data loss during a failure, whereas high availability may allow for brief interruptions or degraded performance.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to maintain operation during a failure. Option C is wrong because scalability is the ability to handle increased load by adding resources, not the ability to survive a component failure. Option D is wrong because resource pooling is a characteristic of cloud computing where computing resources are pooled to serve multiple customers, not a mechanism for ensuring availability during an AZ failure.

769
MCQeasy

Which AWS service automatically generates password policies, reviews IAM users, and provides a security score to help assess the security posture of an AWS account?

A.Amazon GuardDuty
B.AWS Trusted Advisor
C.Amazon Inspector
D.Amazon Macie
AnswerB

Trusted Advisor's security checks evaluate whether MFA is enabled on the root user, whether the IAM password policy meets recommended settings, whether access keys are rotated, and similar account-level configurations, and present the results as color-coded recommendations.

Why this answer

AWS Trusted Advisor is the best fit among the options because its security checks cover exactly this ground: it evaluates the account's IAM password policy (length, complexity, rotation), reviews IAM credentials (unused users and access keys, keys overdue for rotation, MFA on the root user), and summarizes the results on its dashboard by status (action recommended, investigation recommended, no problems detected). The question's wording is loose: Trusted Advisor recommends a password policy rather than generating one, and its dashboard summary is what the question calls a security score; a numeric security score is a feature of AWS Security Hub, which is not among the options. Note also that some of these checks, including the IAM password policy check, are only available on a Business or Enterprise Support plan.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's security checks with Amazon Inspector's vulnerability scanning, because both have 'security' in their descriptions, but Inspector focuses on EC2/container vulnerabilities while Trusted Advisor handles account-level IAM and password policy reviews.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not generate password policies, review IAM users, or provide a security score. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure; it does not evaluate IAM users or password policies. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3 buckets; it does not perform IAM user reviews or generate password policies.
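To make the checks above concrete, here is an added example (not from this page and not AWS code) that runs the same three account-level checks Trusted Advisor performs, password policy strength, access key age and count, and root MFA, against constructed data shaped like the responses of iam.get_account_password_policy(), iam.list_access_keys() and iam.get_account_summary(). The baseline numbers (14-character minimum, 90-day key age, one active key per user) are assumptions chosen for the example, not AWS defaults.

```python
"""Added example: account-level IAM hygiene checks of the kind Trusted Advisor
runs (password policy, access key rotation, root MFA), evaluated offline against
constructed data shaped like the boto3 IAM responses."""
from datetime import datetime, timedelta, timezone

# Baseline a practitioner might enforce; these numbers are assumptions, not AWS defaults.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}
KEY_MAX_AGE = timedelta(days=90)


def check_password_policy(policy):
    """Return findings for an iam.get_account_password_policy()['PasswordPolicy'] dict."""
    findings = []
    for key, want in BASELINE.items():
        have = policy.get(key)
        if isinstance(want, bool):
            if have is not True:
                findings.append(f"password policy: {key} should be enabled")
        elif have is None or have < want:   # missing MaxPasswordAge means passwords never expire
            findings.append(f"password policy: {key} is {have}, baseline {want}")
    return findings


def check_access_keys(user_name, key_metadata, now):
    """Return findings for iam.list_access_keys()['AccessKeyMetadata'] of one user."""
    findings = []
    active = [k for k in key_metadata if k["Status"] == "Active"]
    if len(active) > 1:
        findings.append(f"{user_name}: {len(active)} active access keys (expect at most 1)")
    for key in active:
        age = now - key["CreateDate"]
        if age > KEY_MAX_AGE:
            findings.append(f"{user_name}: key {key['AccessKeyId']} is {age.days} days old")
    return findings


def check_root_mfa(summary):
    """Return findings for iam.get_account_summary()['SummaryMap']."""
    return [] if summary.get("AccountMFAEnabled") == 1 else ["root account has no MFA device"]


# Constructed sample data (not from a real account).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                 "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "ExpirePasswords": True}
SAMPLE_KEYS = {
    "alice": [{"AccessKeyId": "AKIAEXAMPLE0000000A1", "Status": "Active",
               "CreateDate": NOW - timedelta(days=400)}],
    "bob": [{"AccessKeyId": "AKIAEXAMPLE0000000B1", "Status": "Active",
             "CreateDate": NOW - timedelta(days=10)},
            {"AccessKeyId": "AKIAEXAMPLE0000000B2", "Status": "Active",
             "CreateDate": NOW - timedelta(days=30)}],
}
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "Users": 2}


def run_all(policy=SAMPLE_POLICY, keys=SAMPLE_KEYS, summary=SAMPLE_SUMMARY, now=NOW):
    """Run every check and return the combined list of findings."""
    findings = check_password_policy(policy) + check_root_mfa(summary)
    for user, meta in keys.items():
        findings += check_access_keys(user, meta, now)
    return findings


if __name__ == "__main__":
    for finding in run_all():
        print("WARN", finding)
```

To run this against a live account, replace the SAMPLE_* constants with the corresponding boto3 responses; the check functions take the same dictionary shapes.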

770
MCQmedium

According to the AWS Shared Responsibility Model, which of the following is AWS responsible for?

A.Encrypting customer data stored in Amazon S3
B.Configuring security groups for EC2 instances
C.Physical security of data center facilities
D.Managing IAM user access policies
AnswerC

AWS is fully responsible for the physical security of its data centers — customers have no access or control over this layer.

Why this answer

AWS is responsible for the physical security of data center facilities, including access controls, surveillance, and environmental systems. This is a foundational component of the Shared Responsibility Model, where AWS secures the infrastructure that runs all AWS services, while the customer secures their data and configurations within those services.

Exam trap

The trap here is that candidates confuse AWS's responsibility for providing security features (like encryption or IAM) with the customer's responsibility to configure and manage those features, leading them to select options like A, B, or D instead of the correct physical security answer.

How to eliminate wrong answers

Option A is wrong because protecting customer data stored in Amazon S3 is a customer responsibility: AWS provides the mechanisms (SSE-S3, SSE-KMS, SSE-C, and client-side encryption) and since January 2023 applies SSE-S3 to new objects by default, but choosing the encryption mode, managing KMS keys and key policies, and enforcing encryption through bucket policies remain the customer's job. Option B is wrong because configuring security groups for EC2 instances is a customer responsibility; security groups are virtual firewalls that the customer defines to control inbound and outbound traffic. Option D is wrong because managing IAM user access policies is a customer responsibility; AWS provides the IAM service, but the customer creates and manages users, groups, roles, and policies to control access to their resources.

771
MCQmedium

A company wants to allow its developers to provision virtual servers in AWS without needing to submit a ticket to an IT administrator or wait for manual approval. The developers need to be able to spin up instances directly from the AWS Management Console, CLI, or SDKs, and the resources should be available immediately after the request is submitted. Which essential characteristic of cloud computing does this scenario best describe?

A.Rapid elasticity
B.On-demand self-service
C.Resource pooling
D.Measured service
AnswerB

Correct. On-demand self-service allows consumers to unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Why this answer

The scenario describes developers provisioning virtual servers directly from the AWS Management Console, CLI, or SDKs without manual intervention or approval. This aligns with the on-demand self-service characteristic of cloud computing, where users can provision computing resources automatically as needed without requiring human interaction with the service provider. The key is that the resources are available immediately after the request, which is the hallmark of self-service, not elasticity.

Exam trap

The trap here is that candidates confuse 'immediate availability' with 'rapid elasticity,' but rapid elasticity is about scaling existing resources up/down automatically, not about the initial provisioning workflow without manual approval.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to scale resources up or down automatically in response to demand, not the ability to provision resources without manual approval. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned to multiple consumers, which is unrelated to the self-provisioning workflow. Option D is wrong because measured service involves metering and billing for resource usage (e.g., pay-per-use), which does not address the lack of manual approval or immediate availability.

772
MCQmedium

A development team is building a web application and wants to minimize operational overhead. The team wants to focus solely on writing and deploying code without managing the underlying operating system, runtime, or middleware. The team needs the ability to simply upload their application code and have it run, with the cloud provider automatically handling capacity provisioning, load balancing, and patching of the platform. Which cloud computing service model best describes this approach?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Function as a Service (FaaS)
AnswerB

PaaS offers a managed platform where the provider handles the operating system, runtime, and middleware. Developers can upload code and let the provider manage capacity and patching, matching the team's requirement to minimize overhead.

Why this answer

Platform as a Service (PaaS) is the correct model because it abstracts the underlying infrastructure, runtime, and middleware, allowing the team to simply upload code and have it executed. The cloud provider automatically handles capacity provisioning, load balancing, and patching, which directly matches the requirement to minimize operational overhead by focusing solely on code.

Exam trap

The trap here is that candidates often confuse PaaS with FaaS, mistakenly thinking that serverless functions (FaaS) inherently include full web application hosting with load balancing and capacity provisioning, whereas FaaS is event-driven and typically requires additional services (e.g., API Gateway, auto-scaling configuration) to achieve the same level of abstraction as PaaS.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides virtualized compute, storage, and networking resources, but the team would still need to manage the operating system, runtime, and middleware, which contradicts the goal of minimizing operational overhead. Option C is wrong because Software as a Service (SaaS) delivers a fully managed application to end users, not a platform for the team to deploy and run their own custom code. Option D is wrong because Function as a Service (FaaS) is a subset of serverless computing that runs individual functions in response to events, but it does not inherently provide a full platform for deploying a web application with built-in load balancing and capacity provisioning; the team would need to assemble additional services for those capabilities.

773
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. The company wants employees to sign in using their existing corporate credentials from an on-premises Microsoft Active Directory. The company also needs a single sign-on (SSO) experience so that each employee can access the AWS Management Console for any authorized account without needing separate passwords. Additionally, the company wants to centrally manage permissions across all accounts. Which AWS service should the company use to meet these requirements?

A.AWS Identity and Access Management (IAM)
B.AWS IAM Identity Center (AWS SSO)
C.AWS Directory Service
D.Amazon Cognito
AnswerB

AWS IAM Identity Center is the service that centrally manages single sign-on access to multiple AWS accounts and applications. It integrates with Microsoft Active Directory and allows employees to use their existing corporate credentials to access the AWS Management Console across all authorized accounts with a single sign-on experience, and it centralizes permission management.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides one place to manage single sign-on access to multiple AWS accounts and applications. It can use an on-premises Microsoft Active Directory as its identity source, either through AWS Directory Service (AD Connector, or AWS Managed Microsoft AD with a trust relationship to the on-premises forest) or through an external SAML 2.0 identity provider federated with that directory, so employees keep their existing corporate credentials. Permission sets, assigned centrally to users and groups across the accounts in AWS Organizations, provide the centralized permission management the company needs.

Exam trap

The trap here is that candidates often confuse AWS Directory Service with a complete SSO solution, but Directory Service only provides the directory infrastructure, not the centralized permission management or SSO portal that IAM Identity Center delivers.

How to eliminate wrong answers

Option A is wrong because AWS Identity and Access Management (IAM) manages users and permissions within a single AWS account; it does not by itself provide SSO across multiple accounts or a portal for federated access from an on-premises Active Directory. Option C is wrong because AWS Directory Service provides managed Microsoft Active Directory (or a connector to an existing one) in the cloud, but it does not itself offer a single sign-on experience or centrally manage permissions across multiple AWS accounts; it is a building block that IAM Identity Center can use as its identity source. Option D is wrong because Amazon Cognito provides sign-up, sign-in, and access control for the end users of customer-facing web and mobile applications, not workforce single sign-on into the AWS Management Console.

774
MCQmedium

A company runs development and test environments on Amazon EC2 instances in separate AWS accounts. The finance team wants to automatically stop all non-production EC2 instances if the monthly development account costs exceed $1,000. The team needs a solution that requires no manual intervention and uses only AWS-native features. Which AWS feature should the team configure to meet these requirements?

A.AWS Cost Explorer with a cost allocation tag filter
B.AWS Budgets with a cost action
C.AWS Trusted Advisor with the cost optimization check
D.Amazon CloudWatch with a billing metric alarm
AnswerB

AWS Budgets allows you to set cost or usage budgets and attach actions (such as stopping EC2 instances) that are automatically triggered when the budget threshold is reached. This meets the requirement for no manual intervention.

Why this answer

AWS Budgets lets you attach a budget action to a cost budget. When actual (or forecasted) spend crosses the threshold, the action runs on its own if its approval model is set to automatic. Budget actions can apply an IAM policy, attach a service control policy (SCP), or run an AWS Systems Manager Automation runbook that stops the specified EC2 or RDS instances. The Systems Manager action is the one that meets this requirement: applying an IAM policy or SCP only restricts what users can do next, whereas the runbook actually stops the running instances, with no manual intervention and using only AWS-native features.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's reporting capabilities with the ability to trigger automated responses, but only AWS Budgets with cost actions can execute predefined actions based on budget thresholds.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analysis tool for historical cost data; it cannot trigger automated actions like stopping instances. Option C is wrong because AWS Trusted Advisor provides cost optimization recommendations but has no capability to execute actions such as stopping EC2 instances when a cost threshold is crossed. Option D is wrong because a CloudWatch billing alarm on the EstimatedCharges metric can notify an SNS topic, but it has no built-in action to stop instances (EC2 alarm actions are only available on per-instance EC2 metrics); the team would have to build and maintain Lambda automation around it, and billing metrics are published only in us-east-1.
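The budget action described above, as an added example that is not the page's or AWS's own code: it builds the two API requests (create_budget and create_budget_action) as plain dictionaries so they can be inspected offline, and only calls boto3 under __main__. The account ID, Region, role ARN, instance IDs and e-mail address are constructed placeholders.

```python
"""Added example: the API requests behind an AWS Budgets cost action that stops
EC2 instances automatically. Request bodies are built as plain dicts so they can
be inspected offline; the boto3 calls run only under __main__."""

ACCOUNT_ID = "111122223333"    # assumption: the development account
REGION = "us-east-1"           # assumption: where the dev instances run
BUDGET_NAME = "dev-monthly-cost"
# assumption: a role that trusts budgets.amazonaws.com and may stop the instances
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BudgetsStopEc2Role"
INSTANCE_IDS = ["i-0123456789abcdef0", "i-0fedcba9876543210"]   # constructed IDs


def budget_request(account_id=ACCOUNT_ID, name=BUDGET_NAME, limit_usd="1000"):
    """Kwargs for budgets.create_budget(): a monthly cost budget of limit_usd dollars."""
    return {
        "AccountId": account_id,
        "Budget": {
            "BudgetName": name,
            "BudgetLimit": {"Amount": limit_usd, "Unit": "USD"},
            "TimeUnit": "MONTHLY",
            "BudgetType": "COST",
        },
    }


def stop_ec2_action_request(account_id=ACCOUNT_ID, name=BUDGET_NAME, region=REGION,
                            instance_ids=INSTANCE_IDS, role_arn=EXECUTION_ROLE_ARN,
                            threshold_pct=100.0, notify_email="finops@example.com"):
    """Kwargs for budgets.create_budget_action(): when actual spend reaches threshold_pct
    of the budget, run the built-in SSM automation that stops the listed instances."""
    return {
        "AccountId": account_id,
        "BudgetName": name,
        "NotificationType": "ACTUAL",        # act on real spend, not the forecast
        "ActionType": "RUN_SSM_DOCUMENTS",   # the only action type that stops instances
        "ActionThreshold": {"ActionThresholdValue": threshold_pct,
                            "ActionThresholdType": "PERCENTAGE"},
        "Definition": {"SsmActionDefinition": {"ActionSubType": "STOP_EC2_INSTANCES",
                                               "Region": region,
                                               "InstanceIds": list(instance_ids)}},
        "ExecutionRoleArn": role_arn,
        "ApprovalModel": "AUTOMATIC",        # MANUAL would reintroduce a human step
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": notify_email}],
    }


def requires_no_manual_step(action):
    """Check the question's 'no manual intervention' requirement against a request."""
    return action["ApprovalModel"] == "AUTOMATIC" and action["ActionType"] == "RUN_SSM_DOCUMENTS"


if __name__ == "__main__":
    import boto3  # only needed for the live calls
    # Budgets is a global service whose endpoint is served from us-east-1.
    budgets = boto3.client("budgets", region_name="us-east-1")
    budgets.create_budget(**budget_request())
    budgets.create_budget_action(**stop_ec2_action_request())
```

The role in ExecutionRoleArn must trust budgets.amazonaws.com and be allowed to start the Systems Manager automation and stop the instances; AWS publishes a managed policy for this purpose (AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM). The Systems Manager action only stops instances in the account and Region named in the definition, so each non-production account needs its own budget and action.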

775
MCQmedium

A company is deploying a mission-critical application on AWS. The application requires the highest level of support available, including a designated Technical Account Manager (TAM) and a response time of 15 minutes or less for production system down cases. Which AWS Support plan should the company choose?

A.Developer
B.Business
C.Enterprise On-Ramp
D.Enterprise
AnswerD

The Enterprise Support plan is the only plan that includes a designated Technical Account Manager (TAM) and provides a 15-minute response time for production system down cases, meeting all stated requirements.

Why this answer

The Enterprise support plan is the only AWS Support plan that includes a designated Technical Account Manager (TAM) and a 15-minute response time for production system down cases. The company's requirement for the highest level of support with these specific features directly maps to the Enterprise plan, which is designed for mission-critical workloads.

Exam trap

The trap here is that candidates may confuse Enterprise On-Ramp with the full Enterprise plan. Enterprise On-Ramp includes access to a pool of Technical Account Managers, not a designated TAM, and its fastest response target is 30 minutes for business-critical system down cases; only the Enterprise plan provides a designated TAM and a 15-minute response for business-critical system down cases.

How to eliminate wrong answers

Option A is wrong because the Developer plan provides business-hours web access to Cloud Support Associates and no TAM; its fastest response target is 12 hours for system impaired cases, not 15 minutes. Option B is wrong because the Business plan offers a 1-hour response for production system down cases and does not include a designated TAM, which is a key requirement. Option C is wrong because Enterprise On-Ramp provides a pool of TAMs rather than a designated one and a 30-minute response time for business-critical system down cases, not the required 15 minutes.

776
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team must ensure that all API activity across all accounts, including any new accounts added in the future, is recorded and delivered to a centralized S3 bucket for auditing. The solution should require minimal ongoing manual effort. Which AWS feature should the security team use?

A.Enable AWS CloudTrail in each account individually and configure the S3 bucket to allow cross-account access from the audit account.
B.Create an AWS CloudTrail organization trail that logs events for all accounts in the organization.
C.Use AWS Config to record API calls and deliver configuration history to an S3 bucket.
D.Set up Amazon GuardDuty to monitor API activity and send findings to a centralized S3 bucket.
AnswerB

An organization trail is a single trail that logs API activity for all current and future member accounts in AWS Organizations, automatically delivering logs to a centralized S3 bucket. This meets the requirements with minimal ongoing manual effort.

Why this answer

Option B is correct because AWS CloudTrail organization trails automatically log events for all accounts in an AWS Organization, including any new accounts added in the future, and deliver them to a single S3 bucket without requiring per-account configuration. This satisfies the requirement for minimal ongoing manual effort and centralized auditing.

Exam trap

The trap here is that candidates confuse AWS Config (which records configuration history) with CloudTrail (which records API activity), or assume that individual account trails with cross-account access are simpler, overlooking the automatic future-account coverage of an organization trail.

How to eliminate wrong answers

Option A is wrong because it requires manual configuration in each account individually and does not automatically include new accounts, leading to high ongoing effort and potential gaps. Option C is wrong because AWS Config records resource configuration changes, not API activity; it cannot capture API calls like CloudTrail does. Option D is wrong because Amazon GuardDuty monitors for threats and suspicious behavior, not API activity logging; it sends findings to S3 but does not record all API calls for auditing.
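As an added example (not the page's content and not AWS's own code), here is the request that creates the organization trail and the bucket policy CloudTrail requires for it, together with a check for the two mistakes that most often break delivery: a PutObject grant that only covers the management account's AWSLogs/<account-id>/ prefix (member accounts write under AWSLogs/<org-id>/), and a grant without an aws:SourceArn condition (which lets any account's trail write into the bucket). The account ID, organization ID, bucket and trail names are constructed placeholders.

```python
"""Added example: an organization trail request and the S3 bucket policy it
depends on, plus an audit that flags the two omissions that most often break
org-trail delivery or let other accounts write into the log bucket."""
import json

MGMT_ACCOUNT = "111122223333"           # assumption: management (or delegated admin) account
ORG_ID = "o-exampleorgid"               # assumption: the organization ID
BUCKET = "example-org-cloudtrail-logs"  # assumption: bucket in the management account
TRAIL_NAME = "org-trail"
REGION = "us-east-1"
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{MGMT_ACCOUNT}:trail/{TRAIL_NAME}"


def create_trail_request():
    """Kwargs for cloudtrail.create_trail() in the management account."""
    return {
        "Name": TRAIL_NAME,
        "S3BucketName": BUCKET,
        "IsOrganizationTrail": True,      # covers every current and future member account
        "IsMultiRegionTrail": True,       # events from all Regions, not just the home Region
        "EnableLogFileValidation": True,  # signed digests make tampering with logs detectable
        "IncludeGlobalServiceEvents": True,
    }


def bucket_policy(bucket=BUCKET, account=MGMT_ACCOUNT, org_id=ORG_ID, trail_arn=TRAIL_ARN):
    """Bucket policy CloudTrail needs to write an organization trail into `bucket`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [
                    f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*",  # management account's own logs
                    f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",   # member accounts land under the org ID
                ],
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,  # only this trail may write, not any trail in any account
                }},
            },
        ],
    }


def audit_bucket_policy(policy, org_id=ORG_ID):
    """Return a list of problems that would stop org-trail delivery or weaken the bucket."""
    problems = []
    writes = [s for s in policy["Statement"]
              if s.get("Effect") == "Allow" and "s3:PutObject" in json.dumps(s.get("Action"))]
    if not writes:
        problems.append("no s3:PutObject grant for cloudtrail.amazonaws.com")
    for s in writes:
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if not any(f"/AWSLogs/{org_id}/" in r for r in resources):
            problems.append("PutObject does not cover AWSLogs/<org-id>/: member-account logs will fail")
        if "aws:SourceArn" not in s.get("Condition", {}).get("StringEquals", {}):
            problems.append("PutObject lacks aws:SourceArn condition: any trail could write here")
    return problems


if __name__ == "__main__":
    import boto3
    boto3.client("s3").put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(bucket_policy()))
    cloudtrail = boto3.client("cloudtrail", region_name=REGION)
    cloudtrail.create_trail(**create_trail_request())
    cloudtrail.start_logging(Name=TRAIL_NAME)
```

Before create_trail succeeds, trusted access for CloudTrail must be enabled in AWS Organizations (aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com) and the bucket policy must already be in place, otherwise the call fails with an insufficient-bucket-policy error.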

777
MCQeasy

A company wants all IAM users to verify their identity with both a password and a one-time code from an authenticator app before accessing the AWS Management Console. Which security control should the company enable?

A.AWS Shield
B.Multi-Factor Authentication (MFA)
C.AWS WAF
D.Amazon Cognito
AnswerB

MFA requires users to provide a second authentication factor — a time-based one-time password (TOTP) from an authenticator app — in addition to their password. This significantly reduces the risk of compromised credentials.

Why this answer

Multi-Factor Authentication (MFA) is the correct security control because it requires users to present two independent factors: something they know (password) and something they have (a one-time code from an authenticator app). This satisfies the company's requirement for both a password and a one-time code before accessing the AWS Management Console, significantly reducing the risk of unauthorized access even if a password is compromised.

Exam trap

The trap here is that candidates may confuse AWS WAF or Amazon Cognito with IAM MFA, but the question specifically asks for the security control that enforces both a password and a one-time code for IAM users, which is exclusively Multi-Factor Authentication (MFA) within IAM.

How to eliminate wrong answers

Option A is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS, not an identity verification mechanism. Option C is wrong because AWS WAF (Web Application Firewall) monitors and controls HTTP/HTTPS traffic to web applications based on rules, but it does not enforce user authentication or MFA. Option D is wrong because Amazon Cognito provides user sign-up, sign-in, and access control for web and mobile applications, but it is not the native IAM feature for requiring MFA on IAM users; the correct control is enabling MFA directly on IAM users or groups.
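Enabling MFA on a user only registers the device; to make the console and API refuse to do anything until the second factor has been presented, you attach a policy like the one in this added example (modelled on the pattern in the AWS documentation, written here for illustration and not taken from the page). The small evaluator at the bottom shows the detail that is easy to get wrong: the condition must use BoolIfExists, because requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain Bool condition would never match them.

```python
"""Added example: an IAM policy that denies every action except MFA enrolment
when the request was not MFA-authenticated, plus a minimal evaluator for the
Bool and BoolIfExists condition operators to show why BoolIfExists is required."""

# Actions an IAM user needs to enrol a virtual MFA device for themselves.
MFA_SETUP_ACTIONS = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
}

DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupIfNoMfa",
        "Effect": "Deny",
        "NotAction": sorted(MFA_SETUP_ACTIONS),
        "Resource": "*",
        # BoolIfExists matches when the key is "false" OR absent. With plain Bool, a request
        # carrying no aws:MultiFactorAuthPresent key (long-term access keys used from the CLI)
        # would not match, and the deny would silently not apply.
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def statement_denies(statement, action, context):
    """Evaluate one Deny statement against an action and a request context (condition keys)."""
    if statement["Effect"] != "Deny":
        return False
    if "NotAction" in statement and action in statement["NotAction"]:
        return False
    if "Action" in statement and action not in statement["Action"]:
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, want in pairs.items():
            have = context.get(key)
            if operator == "Bool":
                if have is None or have.lower() != want:   # missing key: no match, no deny
                    return False
            elif operator == "BoolIfExists":
                if have is not None and have.lower() != want:   # missing key counts as a match
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_blocked(action, context, policy=DENY_WITHOUT_MFA):
    """True if any Deny statement in the policy applies to this action and context."""
    return any(statement_denies(s, action, context) for s in policy["Statement"])


# Constructed request contexts (what IAM would see; not captured from a real account).
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CLI_LONG_TERM_KEY = {}   # long-term access keys carry no MultiFactorAuthPresent key at all

if __name__ == "__main__":
    for name, ctx in [("console without MFA", CONSOLE_NO_MFA),
                      ("console with MFA", CONSOLE_WITH_MFA),
                      ("CLI long-term key", CLI_LONG_TERM_KEY)]:
        print(f"{name}: ec2:StopInstances blocked={is_blocked('ec2:StopInstances', ctx)}, "
              f"iam:EnableMFADevice blocked={is_blocked('iam:EnableMFADevice', ctx)}")
```

The evaluator implements only the two boolean operators the example needs and none of the rest of IAM's evaluation logic; use the IAM policy simulator for anything beyond this illustration. Attach the policy to a group that every IAM user belongs to, and keep the MFA enrolment actions in NotAction, or users locked out by the policy cannot enrol the device that would let them back in.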

778
MCQeasy

Which AWS service provides a Web Application Firewall that protects web applications from common exploits like SQL injection and cross-site scripting?

A.AWS Shield
B.AWS WAF
C.Amazon GuardDuty
D.Security Groups
AnswerB

WAF inspects HTTP/HTTPS requests and applies rules to block web attacks including SQL injection, XSS, and bad bots at the application layer (Layer 7).

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It allows you to create custom rules that block, allow, or monitor web requests based on conditions such as IP addresses, HTTP headers, URI strings, and request body content. This makes it the correct service for the described use case.

Exam trap

The trap here is that candidates often confuse AWS Shield (DDoS protection) with AWS WAF (application-layer filtering). Shield Standard mitigates network- and transport-layer (Layer 3 and 4) floods; Shield Advanced adds Layer 7 DDoS detection and response, but it relies on AWS WAF rules to inspect and filter application-layer payloads for exploits like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service, not a web application firewall; it does not inspect application-layer payloads for SQL injection or XSS. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not filter or block web requests. Option D is wrong because Security Groups are stateful virtual firewalls attached to instances (elastic network interfaces) that filter traffic by protocol, port, and source or destination IP; they cannot inspect application-layer content such as HTTP headers or request bodies. Network ACLs, not security groups, operate at the subnet level, and they are equally blind to Layer 7.

779
MCQmedium

A company's security team needs to receive near-real-time notifications whenever an IAM user in their AWS account performs an action that violates a defined baseline of expected behavior. Examples include launching an Amazon EC2 instance in an unauthorized AWS Region or modifying a security group to allow public SSH access from the internet. The solution must analyze continuous streams of AWS API activity to identify suspicious patterns and known malicious IP addresses. Which AWS service should the security team use?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS Config
D.Amazon Inspector
AnswerA

Correct. Amazon GuardDuty uses threat intelligence and machine learning to analyze continuous streams of AWS API activity (via CloudTrail), VPC Flow Logs, and DNS logs. It detects suspicious patterns, unauthorized behavior, and known malicious IP addresses, and can send near-real-time alerts.

Why this answer

Amazon GuardDuty is a threat detection service that continuously analyzes CloudTrail management events (the stream of API activity), VPC Flow Logs, and DNS logs, using machine learning and integrated threat intelligence feeds to flag anomalous behavior, such as an IAM user launching EC2 instances in a Region they never use or opening a security group to the internet, as well as calls from known malicious IP addresses. Findings are published to Amazon EventBridge within minutes, from where they can be routed to SNS or a ticketing system for near-real-time notification. That makes it the correct choice for analyzing continuous streams of API activity and alerting on departures from a baseline.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with GuardDuty's threat detection, assuming that simply recording API calls is sufficient for near-real-time security analysis, but CloudTrail lacks the built-in machine learning and threat intelligence needed to identify suspicious patterns or malicious IPs automatically.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because CloudTrail is a governance, compliance, and auditing service that records API activity; it does not analyze that stream for suspicious patterns, match it against known malicious IP addresses, or raise near-real-time threat findings, and it needs a consumer such as GuardDuty to interpret the logs. Option C (AWS Config) is wrong because AWS Config evaluates resource configurations against rules for compliance and change management, not continuous API activity or threat intelligence; it tracks configuration drift rather than detecting threats. Option D (Amazon Inspector) is wrong because it scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it does not analyze API activity or match traffic against threat intelligence.
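To show what "violating a defined baseline" looks like in data, this added example (not the page's content and not GuardDuty's code) applies the two rules from the question, an EC2 launch outside approved Regions and a security group opened to 0.0.0.0/0 on TCP/22, plus a threat-list lookup on sourceIPAddress, to constructed records laid out like CloudTrail events. The approved Regions and the threat list (a TEST-NET-2 range) are assumptions made for the example.

```python
"""Added example: baseline rules from the question (EC2 launched outside approved
Regions, security group opened to the internet on SSH) and a threat-list lookup,
run over constructed CloudTrail records. Illustrates the kind of analysis
GuardDuty automates; it is not GuardDuty's code."""
import ipaddress

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}                 # assumption: the company's baseline
KNOWN_BAD_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed threat list (TEST-NET-2)


def open_to_world_ssh(request_parameters):
    """True if an AuthorizeSecurityGroupIngress request opens TCP/22 to 0.0.0.0/0 or ::/0."""
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") == "-1" or lo <= 22 <= hi:
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
                return True
    return False


def from_known_bad_ip(source_ip):
    """True if sourceIPAddress falls in a listed network; service principals are skipped."""
    try:
        addr = ipaddress.ip_address(source_ip)  # CloudTrail may log e.g. "ec2.amazonaws.com" here
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_BAD_NETS)


def evaluate(record):
    """Return the list of baseline violations for one CloudTrail record."""
    hits = []
    identity = record.get("userIdentity", {})
    who = identity.get("userName", identity.get("arn", "?"))
    if record["eventName"] == "RunInstances" and record["awsRegion"] not in ALLOWED_REGIONS:
        hits.append(f"{who}: RunInstances in unapproved Region {record['awsRegion']}")
    params = record.get("requestParameters", {})
    if record["eventName"] == "AuthorizeSecurityGroupIngress" and open_to_world_ssh(params):
        hits.append(f"{who}: security group {params.get('groupId')} opened SSH to the internet")
    if from_known_bad_ip(record.get("sourceIPAddress", "")):
        hits.append(f"{who}: {record['eventName']} from known-bad IP {record['sourceIPAddress']}")
    return hits


def scan(records):
    """Evaluate every record and flatten the violations into one list."""
    return [hit for rec in records for hit in evaluate(rec)]


# Constructed records in CloudTrail's field layout (not from a real account).
SAMPLE_RECORDS = [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev2"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("ALERT", hit)
```

GuardDuty does this continuously and at scale with AWS's own threat intelligence and anomaly models, so in production you subscribe to its findings through Amazon EventBridge rather than maintain rules like these. Writing one out does make the elimination of Option B concrete: CloudTrail records the call, and something else has to judge it.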

780
MCQeasy

A startup can now test a new application idea by provisioning cloud resources in minutes, run the experiment for a week, and tear down the resources if the idea fails — spending only a few dollars. Previously, the same experiment would have required months of procurement and significant capital expenditure. Which cloud benefit does this illustrate?

A.Economies of scale
B.Elimination of capital expense
C.Global reach
D.Increased agility
AnswerD

Agility is the cloud benefit that lets organizations experiment quickly with minimal investment. Provisioning resources in minutes, running the experiment for a week, and discarding the failures cheaply is cloud agility in action.

Why this answer

Option D is correct because the scenario describes the ability to rapidly provision, experiment with, and decommission cloud resources in minutes, which directly illustrates increased agility. Agility in cloud computing refers to the speed at which resources can be deployed, scaled, and released, enabling fast experimentation without long procurement cycles.

Exam trap

The trap here is that candidates often confuse 'elimination of capital expense' (Option B) with agility, but the question explicitly highlights speed and experimentation, not cost savings from CapEx to OpEx conversion.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost advantages from large-scale operations (e.g., AWS buying hardware in bulk), not the ability to quickly provision and tear down resources. Option B is wrong because elimination of capital expense (CapEx) is a benefit of converting upfront hardware costs to variable operational expenses (OpEx), but the question focuses on speed and flexibility, not cost structure. Option C is wrong because global reach describes deploying resources in multiple geographic regions to reduce latency, not the rapid provisioning and decommissioning of resources for experimentation.

781
MCQ (medium)

A company operates a social media analytics platform that runs on AWS. The platform experiences unpredictable traffic spikes during major events. The company wants to ensure that compute capacity automatically increases during these spikes without any manual intervention, and decreases when traffic subsides to avoid paying for idle resources. Which characteristic of cloud computing does this business requirement directly rely on?

A.On-demand self-service
B.Broad network access
C.Rapid elasticity
D.Resource pooling
Answer: C

Rapid elasticity is the cloud characteristic that enables resources to be provisioned and released automatically, quickly scaling out during demand spikes and scaling in when demand drops. This directly satisfies the requirement for automatic capacity adjustment and cost optimization.

Why this answer

The requirement to automatically scale compute capacity up during traffic spikes and down when traffic subsides directly relies on rapid elasticity, a key characteristic of cloud computing defined by the NIST SP 800-145 standard. Rapid elasticity enables resources to be provisioned and released elastically, often automatically, to match demand at any scale, which is essential for handling unpredictable traffic on a social media analytics platform without manual intervention.

Exam trap

The trap here is that candidates often confuse on-demand self-service with automatic scaling, but on-demand self-service only covers the ability to manually request resources at any time, not the automatic, elastic adjustment of capacity based on real-time demand.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (e.g., EC2 instances) unilaterally via a web console or API without requiring human interaction with the provider, but it does not inherently include automatic scaling based on load; it requires manual action or additional services like Auto Scaling to achieve elasticity. Option B is wrong because broad network access describes the ability of resources to be accessed over the network by standard protocols (e.g., HTTPS, SSH) from heterogeneous client platforms (e.g., mobile, laptops), which is unrelated to the automatic scaling of compute capacity in response to traffic spikes.

782
MCQ (easy)

A finance team wants to view and analyse their AWS spending patterns over the past 12 months, filter costs by service and linked account, and identify which teams are spending the most. Which AWS tool provides this historical cost analysis?

A.AWS Pricing Calculator
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Cost Explorer
Answer: D

Cost Explorer provides interactive graphs and filtering of up to 13 months of historical AWS costs. The finance team can filter by service, linked account, region, and cost allocation tag to identify spending trends and cost drivers.

Why this answer

AWS Cost Explorer is the correct tool because it provides a pre-built, customizable dashboard for visualizing, analyzing, and filtering historical AWS cost and usage data over the past 12 months. It allows you to group costs by service, linked account, or tag, making it ideal for identifying which teams are spending the most.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which is for setting alerts) with Cost Explorer (which is for historical analysis), or they mistakenly think AWS Trusted Advisor provides detailed cost breakdowns when it only offers high-level optimization checks.

How to eliminate wrong answers

Option A is wrong because AWS Pricing Calculator is a cost estimation tool for future usage, not a historical cost analysis tool. Option B is wrong because AWS Budgets is used to set spending thresholds and send alerts, not to view or analyze past spending patterns. Option C is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, security, and performance, but it does not offer granular historical cost analysis or filtering by service and linked account.

783
MCQ (medium)

A company running large-scale scientific simulations needs EC2 instances with exclusive access to a physical host for software licensing reasons (per-socket licensing). Which EC2 option provides this?

A.Dedicated Instances
B.Dedicated Hosts
C.Reserved Instances
D.EC2 Bare Metal instances
Answer: B

Dedicated Hosts provide an entire physical server with visibility into sockets, cores, and instance slots — enabling per-socket or per-core software license compliance and consistent placement.

Why this answer

Dedicated Hosts (Option B) provide EC2 instances with exclusive access to a physical host, allowing you to control instance placement on a specific server. This is required for per-socket software licensing because you can see and manage the physical sockets and cores of the host, ensuring compliance with licensing terms that are tied to physical hardware.

Exam trap

The trap here is confusing Dedicated Instances with Dedicated Hosts: candidates often think 'dedicated' means full hardware control, but Dedicated Instances only provide single-tenant isolation without exposing socket/core information, which is insufficient for per-socket licensing compliance.

How to eliminate wrong answers

Option A (Dedicated Instances) is wrong because they run on a physical host dedicated to a single AWS account but do not provide visibility or control over the underlying physical sockets and cores, so per-socket licensing compliance cannot be verified. Option C (Reserved Instances) is wrong because they are a billing discount model that applies to instance usage, not a physical isolation or hardware visibility feature; they do not grant exclusive access to a physical host. Option D (EC2 Bare Metal instances) is wrong because while they provide direct access to the underlying hardware, they are designed for workloads that require a non-virtualized environment (e.g., hypervisor-level licensing), not specifically for per-socket licensing visibility; Dedicated Hosts are the correct service for socket-level control.

784
MCQ (medium)

A developer wants to run code in response to an S3 object upload without managing any servers. The code runs for less than 5 minutes. Which AWS service is most appropriate?

A.Amazon EC2
B.AWS Fargate
C.AWS Lambda
D.Amazon ECS
Answer: C

Lambda triggers directly on S3 events, runs the code without server management, and is cost-effective for short-duration processing.

Why this answer

AWS Lambda is the most appropriate service because it is a serverless compute service that automatically runs code in response to events, such as an S3 object upload, without requiring any server management. Lambda supports code execution up to 15 minutes per invocation, which easily accommodates the less-than-5-minute requirement, and it integrates natively with S3 event notifications via the S3 bucket notification configuration.

Exam trap

The trap here is that candidates may confuse AWS Fargate (serverless containers) with AWS Lambda (serverless functions), but Fargate still requires container management and is not event-driven by S3 uploads without additional services like EventBridge or S3 Event Notifications to a custom endpoint.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 requires provisioning and managing virtual servers, which contradicts the requirement of not managing any servers. Option B is wrong because AWS Fargate is a serverless compute engine for containers, but it still requires defining a task definition and container image, and it is not directly triggered by S3 events without additional orchestration (e.g., EventBridge). Option D is wrong because Amazon ECS is a container orchestration service that requires managing a cluster of EC2 instances or using Fargate, and it does not natively respond to S3 events without custom integration.

785
MCQ (medium)

A company runs a customer-facing web application on Amazon EC2 instances. The company wants to have access to technical support with a guaranteed response time of 1 hour for critical production system failures. The company also needs access to AWS Trusted Advisor to get cost optimization recommendations. Which AWS Support plan meets these requirements?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise Support
Answer: C

AWS Business Support offers a 1-hour response time for critical production system failures and includes the full set of Trusted Advisor checks, including cost optimization recommendations. This matches the company's requirements.

Why this answer

AWS Business Support is the minimum tier that provides a 1-hour response time for critical production system failures and includes full access to AWS Trusted Advisor, which offers cost optimization recommendations. Basic and Developer Support plans either lack Trusted Advisor or have slower response times, making Business Support the correct choice.

Exam trap

The trap here is that candidates often confuse AWS Developer Support's limited Trusted Advisor access and slower response times with the full-featured Business Support plan, assuming any paid plan meets all requirements.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support does not include any technical support with guaranteed response times or access to AWS Trusted Advisor for cost optimization; it only provides access to documentation, whitepapers, and the AWS Health Dashboard. Option B is wrong because AWS Developer Support offers a 12-hour response time for critical failures (not 1 hour) and only provides Trusted Advisor checks for basic security and service limits, not the full set of cost optimization recommendations.

786
MCQ (medium)

A company is deploying a three-tier web application on AWS. The security team requires a network-level firewall that operates at the subnet level and can evaluate both inbound and outbound traffic using stateless rules. Which AWS feature should the company use to meet this requirement?

A.Security Groups
B.Network ACLs
C.AWS WAF
D.AWS Shield
Answer: B

Network ACLs are a stateless firewall operating at the subnet level, supporting both inbound and outbound rules. They evaluate traffic based on rule order and allow or deny traffic without maintaining connection state, matching the requirement.

Why this answer

Network ACLs (NACLs) are a stateless, subnet-level firewall that evaluates both inbound and outbound traffic based on numbered rules. Unlike security groups, NACLs do not maintain connection state, so rules must be explicitly defined for both directions, meeting the requirement for stateless inspection at the subnet boundary.

Exam trap

The trap here is confusing stateful security groups (which automatically track connection state) with stateless network ACLs, leading candidates to choose Security Groups when the question explicitly requires stateless, subnet-level filtering.

How to eliminate wrong answers

Option A is wrong because Security Groups are stateful firewalls that operate at the instance level, not the subnet level, and they automatically allow return traffic without explicit outbound rules, which contradicts the stateless requirement. Option C is wrong because AWS WAF is a web application firewall that operates at the application layer (Layer 7) to filter HTTP/S requests, not a network-layer firewall for subnet-level traffic inspection.

787
MCQ (medium)

A company uses AWS Organizations to manage multiple accounts. The finance team needs to perform a detailed cost analysis by joining AWS usage data with their internal accounting system. They require hourly-level billing data that includes resource IDs, operation types, and cost allocation tags. The data must be available in a CSV file that can be imported into their financial software. Which AWS tool or service should the finance team use to meet this requirement?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
Answer: C

AWS Cost and Usage Report (CUR) delivers the most comprehensive billing data, including hourly usage, resource IDs, operation types, and tags. It can be configured to deliver CSV files to an S3 bucket, enabling integration with external financial systems.

Why this answer

The AWS Cost and Usage Report (CUR) is the correct choice because it provides the most granular billing data available, including hourly-level usage, resource IDs, operation types, and cost allocation tags. The report can be delivered to an Amazon S3 bucket in CSV format, making it directly importable into the finance team's financial software for detailed cost analysis.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's ability to filter by resource IDs and tags with the ability to export raw hourly-level data, but Cost Explorer only provides aggregated views and cannot deliver the granular CSV file required for external system import.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visual dashboards and high-level cost trends, but it does not export hourly-level billing data with resource IDs and operation types in a CSV file for external system integration. Option B is wrong because AWS Budgets is used to set spending limits and send alerts, not to generate detailed usage reports with hourly granularity and cost allocation tags. Option D is wrong because AWS Trusted Advisor is a service that inspects your AWS environment for best practices in cost optimization, security, and performance, but it does not produce billing data or CSV exports for cost analysis.

788
MCQ (medium)

A company is migrating its on-premises application to AWS. The application currently runs on a single server and experiences occasional traffic spikes that cause performance degradation. The company wants to take advantage of cloud computing benefits to handle these spikes automatically without manual intervention. Which AWS Cloud concept would directly address this requirement?

A.Elasticity
B.High availability
C.Fault tolerance
D.Durability
Answer: A

Elasticity allows AWS resources to automatically scale in response to changing demand. This directly meets the requirement of handling traffic spikes without manual intervention.

Why this answer

Elasticity is the correct concept because it refers to the ability of an AWS infrastructure to automatically scale resources up or down based on demand. In this scenario, the company needs to handle occasional traffic spikes without manual intervention, which is directly addressed by AWS Auto Scaling groups and services like Amazon EC2 Auto Scaling or AWS Lambda's concurrency scaling. This ensures that additional compute capacity is provisioned during spikes and released when demand decreases, optimizing both performance and cost.

Exam trap

The trap here is that candidates often confuse elasticity with high availability or fault tolerance, mistakenly thinking that any redundancy or failover mechanism automatically handles traffic spikes, but elasticity specifically addresses dynamic scaling to match demand, not just maintaining uptime during failures.

How to eliminate wrong answers

Option B (High availability) is wrong because high availability focuses on ensuring that an application remains accessible and operational during failures, typically through redundancy across multiple Availability Zones, not on automatically handling traffic spikes. Option C (Fault tolerance) is wrong because fault tolerance is designed to keep an application running without interruption even when components fail, often requiring redundant systems that can take over instantly, which is a different concern than scaling to meet variable demand. Neither high availability nor fault tolerance directly addresses the need to automatically scale resources in response to traffic spikes.

789
MCQ (easy)

A company wants to deploy their application to users in North America, Europe, and Asia Pacific to reduce latency. Using AWS, they can provision infrastructure in new geographic regions within minutes using the same tools and templates. Which cloud benefit does this illustrate?

A.Increased agility
B.Trade capital expense for variable expense
C.Go global in minutes
D.Stop guessing about capacity
Answer: C

AWS's global infrastructure lets companies deploy to any of its regions worldwide rapidly using automation. Expanding to three continents using the same CloudFormation templates is the 'go global in minutes' benefit.

Why this answer

Option C is correct because the scenario describes deploying infrastructure across multiple geographic regions (North America, Europe, Asia Pacific) using the same tools and templates, which directly illustrates the 'Go global in minutes' benefit of AWS. This benefit leverages AWS's global infrastructure—such as Regions, Availability Zones, and CloudFront edge locations—to reduce latency for users worldwide without the need to negotiate with data center providers or build physical facilities.

Exam trap

The trap here is that candidates confuse 'increased agility' (rapid provisioning of resources in general) with the specific ability to deploy globally in minutes, but the question explicitly mentions geographic regions and latency reduction, which maps directly to the 'Go global in minutes' benefit.

How to eliminate wrong answers

Option A is wrong because 'increased agility' refers to the ability to quickly experiment, iterate, and provision resources on demand (e.g., launching EC2 instances in minutes), not specifically to deploying across multiple geographic regions. Option B is wrong because 'trade capital expense for variable expense' describes the shift from upfront hardware purchases to pay-as-you-go pricing (e.g., paying per hour for compute), which is unrelated to geographic distribution. Option D is wrong because 'stop guessing about capacity' relates to auto-scaling and elasticity to match demand (e.g., using Amazon EC2 Auto Scaling), not to deploying infrastructure in new regions to reduce latency.

790
MCQ (medium)

A company is developing a microservices-based application using Docker containers. The development team wants to run these containers on AWS without having to provision or manage any servers. The solution must automatically scale the containers based on demand and integrate with an Application Load Balancer for traffic distribution. Which AWS service should the team use to meet these requirements?

A.AWS Lambda
B.Amazon ECS on Amazon EC2
C.AWS Fargate
D.Amazon Lightsail
Answer: C

AWS Fargate is a serverless compute engine for containers. It automatically manages the underlying infrastructure, scales containers based on demand, and integrates with Application Load Balancers. This meets all the stated requirements.

Why this answer

AWS Fargate is the correct choice because it is a serverless compute engine for containers that allows you to run Docker containers without provisioning or managing servers. It automatically scales containers based on demand and integrates natively with an Application Load Balancer (ALB) for traffic distribution, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Lambda with serverless container services, but Lambda is for functions, not long-running containers, and Amazon ECS on EC2 is serverless in terms of orchestration but still requires server management, which the question explicitly excludes.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a serverless compute service for running code in response to events, not for running Docker containers; it supports custom runtimes but is not designed for container orchestration or ALB integration in the same way. Option B is wrong because Amazon ECS on Amazon EC2 requires you to provision and manage EC2 instances (servers) as the underlying infrastructure, which contradicts the requirement to not provision or manage any servers.

791
MCQ (medium)

A company's security team is concerned about the risk of compromised Amazon EC2 instances being used for crypto-mining activities. They want a managed AWS service that can automatically detect unusual outbound network traffic patterns that are characteristic of crypto-mining, without requiring the installation of any agents on the instances. The team needs continuous monitoring and the ability to receive findings that include details about the suspicious activity. Which AWS service should the security team use?

A.Amazon GuardDuty
B.Amazon Macie
C.AWS Config
D.Amazon Detective
Answer: A

Correct. Amazon GuardDuty uses machine learning and threat intelligence to analyze network traffic and logs for suspicious activity, including crypto-mining behavior, without requiring any agents.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor for malicious activity, including unusual outbound network traffic patterns like those associated with crypto-mining. It operates at the AWS account and VPC level by analyzing DNS logs, VPC Flow Logs, and CloudTrail events, and it does not require any agents to be installed on EC2 instances. When suspicious activity is detected, GuardDuty generates detailed findings that include information about the affected resource, the type of threat, and recommended remediation steps.

Exam trap

The trap here is that candidates may confuse Amazon Detective's investigative capabilities with proactive detection, but Detective requires existing findings to analyze and does not perform continuous monitoring for crypto-mining traffic patterns on its own.

How to eliminate wrong answers

Option B (Amazon Macie) is wrong because Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data stored in Amazon S3, not to detect network traffic anomalies or crypto-mining activity. Option C (AWS Config) is wrong because AWS Config is a service for evaluating and auditing the configuration of AWS resources against desired policies, not for real-time threat detection or analyzing network traffic patterns. Option D (Amazon Detective) is wrong because Detective is a post-incident investigation tool that ingests and analyzes log data to help identify the root cause of security findings, but it does not proactively detect unusual outbound traffic patterns on its own; it relies on findings from other services like GuardDuty.

792
MCQ (easy)

Which AWS service provides a managed in-memory caching layer to reduce database load and improve application response times?

A.Amazon DynamoDB Accelerator (DAX)
B.Amazon ElastiCache
C.Amazon CloudFront
D.AWS Global Accelerator
Answer: B

ElastiCache provides managed Redis and Memcached clusters as caching layers, reducing database read latency from milliseconds to microseconds.

Why this answer

Amazon ElastiCache is the correct answer because it provides a managed in-memory caching service that supports both Redis and Memcached, allowing applications to retrieve data from a fast, in-memory cache instead of querying a slower disk-based database. This reduces database load and improves application response times by serving frequently accessed data directly from the cache.

Exam trap

The trap here is that candidates may confuse DAX (a DynamoDB-specific cache) with a general-purpose caching solution, but ElastiCache is the correct managed service for reducing database load across various database engines.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache specifically for Amazon DynamoDB, not a general-purpose caching layer for any database. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations to reduce latency for end users, not a caching layer to reduce database load. Option D is wrong because AWS Global Accelerator improves availability and performance by directing traffic over the AWS global network using Anycast, but it does not provide an in-memory caching layer for databases.

793
MCQ (easy)

A startup company is using the AWS Free Tier to run a small web application. They want to ensure they receive a notification if their usage is about to exceed the Free Tier limits for any service, to avoid unexpected charges. Which AWS service or feature should they use to set up this alert?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Billing Conductor
Answer: A

Correct. AWS Budgets can monitor Free Tier usage and send alerts when usage exceeds or is forecasted to exceed Free Tier limits.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets, and you can configure alerts to notify you when your actual or forecasted usage exceeds a defined threshold. For a startup on the Free Tier, you can create a budget with a zero-spend limit or a specific usage amount, and receive email notifications when you are about to exceed the Free Tier limits, helping you avoid unexpected charges.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (a retrospective analysis tool) with AWS Budgets (a proactive alerting tool), or mistakenly think AWS Trusted Advisor can send custom usage alerts when it only provides general cost optimization checks without configurable thresholds.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it is a visualization and analysis tool for exploring historical cost and usage data, not a proactive alerting mechanism for setting threshold-based notifications. Option C (AWS Trusted Advisor) is wrong because it provides best-practice recommendations across cost optimization, performance, security, and fault tolerance, but it does not allow you to set custom usage alerts for Free Tier limits. Option D (AWS Billing Conductor) is wrong because it is a billing customization tool for grouping and adjusting billing data for internal chargebacks or showbacks, not for setting usage alerts or notifications.

794
MCQ (medium)

A company wants to deploy a static website with global low-latency delivery and automatic SSL/TLS certificates. Which combination of AWS services best satisfies both requirements?

A.Amazon EC2 + Elastic Load Balancing
B.Amazon S3 + Amazon CloudFront
C.AWS Amplify only
D.Amazon Lightsail + Route 53
Answer: B

S3 stores static assets; CloudFront distributes them from 400+ edge locations worldwide with ACM-managed SSL.

Why this answer

Amazon S3 provides durable, cost-effective storage for static website content, while Amazon CloudFront acts as a global content delivery network (CDN) that caches content at edge locations for low-latency delivery. CloudFront also integrates with AWS Certificate Manager (ACM) to automatically provision and renew SSL/TLS certificates at no additional cost, enabling HTTPS without manual certificate management.

Exam trap

The trap here is that candidates may think AWS Amplify (Option C) is sufficient because it can deploy static sites, but they overlook that Amplify does not provide automatic SSL/TLS certificates and global low-latency delivery as a native feature—it relies on CloudFront, making S3 + CloudFront the simpler and more direct solution.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Elastic Load Balancing requires manual configuration of SSL/TLS certificates (e.g., via ACM or third-party CAs) and does not provide global low-latency delivery out of the box; it relies on a single region and requires additional services like CloudFront for CDN capabilities. Option C is wrong because AWS Amplify is a full-stack development platform that can host static websites, but it does not natively offer automatic SSL/TLS certificate provisioning with global low-latency delivery via a CDN; it relies on CloudFront under the hood but adds unnecessary complexity for a simple static site. Option D is wrong because Amazon Lightsail is a simplified VPS service that requires manual SSL/TLS setup and lacks a built-in global CDN; Route 53 is a DNS service that does not provide content caching or automatic certificate management.

795
MCQ (medium)

A company is evaluating a move to the AWS Cloud. The finance team learns that AWS can offer lower per-unit prices for compute and storage because AWS purchases hardware in very large volumes and operates at a massive scale. This cost advantage, which is then passed on to customers, is a direct benefit of which fundamental cloud computing concept?

A.Elasticity
B.Economies of scale
C.High availability
D.Resource pooling
Answer: B

Correct. Economies of scale occur when AWS purchases large volumes of hardware and negotiates better prices from suppliers, then passes these savings to customers through lower service pricing.

Why this answer

The scenario describes AWS leveraging its massive purchasing power to negotiate lower hardware costs, which are then passed to customers as lower per-unit prices. This is the direct definition of economies of scale, a fundamental cloud concept where average costs decrease as the scale of operations increases. Elasticity, high availability, and resource pooling are distinct concepts that do not inherently create the cost advantage described.

Exam trap

The trap here is that candidates confuse 'resource pooling' (multi-tenancy) with 'economies of scale,' but resource pooling is about sharing infrastructure to increase utilization, not about the direct cost reduction from bulk hardware purchasing.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to the cost advantage gained from bulk purchasing. Option C is wrong because high availability ensures that applications remain accessible despite failures, typically through redundancy across Availability Zones, and does not address hardware procurement cost savings. Option D is wrong because resource pooling allows multiple customers to share the same physical infrastructure, which improves utilization but does not directly explain the lower per-unit hardware costs from volume purchasing.

796
MCQ (medium)

A company runs a global e-commerce website hosted on Amazon EC2 instances in the us-west-2 Region. The website includes static assets (product images, CSS, JavaScript) and dynamic content generated by the application. The company wants to improve page load times for users in Europe and Asia by caching static content at edge locations, while also reducing the direct load on the EC2 instances. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53
D.AWS Direct Connect
Answer: A

CloudFront is a CDN that caches static content at edge locations, reducing latency for users and reducing load on origin servers. It also accelerates dynamic content routing over the AWS backbone.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets (images, CSS, JavaScript) at edge locations worldwide, reducing latency for users in Europe and Asia. By offloading static content delivery from the origin EC2 instances, CloudFront directly reduces the load on those servers, improving overall performance and scalability.

Exam trap

The trap here is confusing Global Accelerator (which optimizes network routing for dynamic content) with CloudFront (which caches static content at edge locations), leading candidates to pick Global Accelerator for a caching use case.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves performance by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache content at edge locations—it only optimizes network path and provides static IP addresses. Option C (Amazon Route 53) is wrong because it is a DNS service that resolves domain names to IP addresses; it does not cache or serve static content. Option D (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from on-premises to AWS, which is irrelevant for caching static content at edge locations for global users.

797
MCQmedium

A company runs multiple containerized applications on a single Amazon ECS cluster using AWS Fargate. The company's compliance team asks whether sharing the same underlying physical hardware with other AWS customers introduces security risks. The company explains that AWS isolates each customer's compute environment, even though resources are drawn from a shared pool. Which essential characteristic of cloud computing does this arrangement best illustrate?

A.Rapid elasticity
B.Resource pooling
C.Measured service
D.On-demand self-service
AnswerB

Resource pooling is the correct answer. AWS pools its compute resources across many customers and uses virtualization to isolate each customer's workloads. This allows AWS to serve multiple customers efficiently while maintaining security and isolation.

Why this answer

Resource pooling is the cloud characteristic where a provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand. AWS Fargate abstracts the underlying infrastructure, so even though containers run on shared physical hardware, each customer's compute environment is isolated at the hypervisor and kernel level. This arrangement directly illustrates resource pooling because the provider manages the shared pool while ensuring logical separation between tenants.

Exam trap

The trap here is that candidates confuse 'resource pooling' with 'rapid elasticity' because both involve shared resources, but resource pooling is about multi-tenant isolation while elasticity is about scaling speed.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down based on demand, not to the isolation of shared infrastructure. Option C is wrong because measured service involves metering and billing for resource usage (e.g., per-second billing for Fargate tasks), not the multi-tenant sharing of physical hardware. Option D is wrong because on-demand self-service describes a customer's ability to provision resources without human interaction, not the underlying pooling and isolation of compute environments.

798
MCQmedium

A company needs to grant an EC2 instance permission to write to an S3 bucket. What is the most secure way to accomplish this?

A.Hardcode the IAM user access keys in the application code
B.Store IAM access keys in environment variables on the EC2 instance
C.Attach an IAM role with the appropriate S3 permissions to the EC2 instance
D.Create an IAM user and configure the instance with its credentials
AnswerC

IAM roles provide automatically rotated temporary credentials via instance metadata — no long-term keys to manage, no credentials to steal, and the minimal permissions pattern is enforced.

Why this answer

Option C is correct because attaching an IAM role to an EC2 instance allows the instance to securely obtain temporary credentials via the instance metadata service (IMDS). These credentials are automatically rotated by AWS, eliminating the need to hardcode or store long-term access keys. The role's policy grants only the necessary S3 write permissions, following the principle of least privilege.

Exam trap

The trap here is that candidates may think storing credentials in environment variables is secure because they are not in code, but AWS explicitly recommends IAM roles over any form of long-term access key storage for EC2 instances.

How to eliminate wrong answers

Option A is wrong because hardcoding IAM user access keys in application code exposes them to source code leaks and version control exposure, and requires manual rotation, violating security best practices. Option B is wrong because storing IAM access keys in environment variables on the EC2 instance still uses long-term credentials that can be compromised if the instance is accessed or if the environment is dumped, and they lack automatic rotation. Option D is wrong because creating an IAM user and configuring the instance with its credentials involves distributing long-term access keys that must be securely stored and rotated, increasing the attack surface compared to using an IAM role with temporary credentials.

799
MCQeasy

Which AWS service provides managed threat detection that analyzes VPC Flow Logs, AWS CloudTrail events, and DNS logs to identify malicious activity and unauthorized behavior?

A.AWS Security Hub
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS Config
AnswerC

GuardDuty uses ML and threat intelligence to analyze VPC Flow Logs, CloudTrail, and DNS logs for active threats like compromised instances and account takeovers.

Why this answer

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses machine learning, anomaly detection, and integrated threat intelligence to identify threats such as credential compromise, cryptocurrency mining, and API abuse without requiring additional security software or infrastructure.

Exam trap

The trap here is that candidates confuse AWS Security Hub (a central dashboard for findings) with GuardDuty (the actual threat detection engine), or assume Amazon Inspector performs network traffic analysis when it only scans for software vulnerabilities and network reachability.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and performs compliance checks, but it does not itself analyze VPC Flow Logs, CloudTrail, or DNS logs for threat detection. Option B is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not for analyzing flow logs or DNS logs to detect malicious activity. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against desired policies and tracks configuration changes, but it does not perform threat detection or analyze network traffic or API logs for malicious behavior.

800
MCQmedium

A security team wants to automatically scan their Amazon EC2 instances for known software vulnerabilities (CVEs) and assess whether any instances have unintended network access paths open. Which AWS service performs these automated security assessments?

A.Amazon GuardDuty
B.Amazon Macie
C.Amazon Inspector
D.AWS Shield
AnswerC

Inspector automatically scans EC2 instances for software vulnerabilities (using the CVE database) and assesses network reachability to identify open paths that could allow unintended access. It continuously provides findings ranked by severity.

Why this answer

Amazon Inspector is the correct service because it is specifically designed to perform automated vulnerability scans (including CVEs) and network reachability assessments on EC2 instances. It uses a combination of AWS security best practices and common vulnerability databases to identify software vulnerabilities and unintended network access paths, such as open ports or overly permissive security groups.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty's threat detection with vulnerability scanning, but GuardDuty focuses on behavioral anomalies and known malicious IPs, not on identifying software CVEs or network configuration exposures.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using machine learning and threat intelligence, not for scanning known software vulnerabilities or network access paths. Option B is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) in S3 buckets, not for vulnerability scanning of EC2 instances. Option D is wrong because AWS Shield is a managed DDoS protection service that safeguards against distributed denial-of-service attacks, not for automated vulnerability or network access assessments.

801
MCQhard

A customer is evaluating moving to AWS and asks about the total cost of ownership (TCO) benefits. Which of the following is NOT a factor that reduces TCO when migrating to AWS?

A.Eliminating hardware refresh cycles
B.Reducing data center facility costs
C.Staff training costs for cloud technologies
D.Pay-as-you-go pricing model
AnswerC

Staff training is an upfront cost of migration that may increase TCO initially, not reduce it.

Why this answer

Option C is correct because staff training costs for cloud technologies are an additional investment required when migrating to AWS, not a factor that reduces total cost of ownership (TCO). While AWS reduces hardware and facility costs, training represents a new expense for upskilling teams on cloud services like EC2, S3, and IAM, which increases rather than decreases TCO.

Exam trap

The trap here is that candidates may mistakenly view staff training as a cost-saving measure (e.g., reducing need for specialized on-premises administrators), but the question specifically asks for factors that reduce TCO, and training is an added cost, not a reduction.

How to eliminate wrong answers

Option A is wrong because eliminating hardware refresh cycles directly reduces TCO by removing the need to purchase new servers, storage, and networking equipment every 3-5 years, which is a core benefit of moving to AWS's virtualized infrastructure. Option B is wrong because reducing data center facility costs (e.g., power, cooling, physical security, real estate) is a key TCO reduction when migrating to AWS, as the customer no longer operates their own on-premises data centers. Option D is wrong because the pay-as-you-go pricing model reduces TCO by allowing customers to pay only for consumed resources (e.g., per-hour EC2 instances, per-GB S3 storage) instead of over-provisioning for peak capacity, eliminating idle resource waste.

802
MCQmedium

A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?

A.Add a condition to the KMS key policy that uses the 'kms:RequestTag/ConditionKey' to require the tag on the caller.
B.Add a condition to the IAM role's trust policy that denies the 'kms:Decrypt' action unless the role has the tag.
C.Add a condition to the IAM policy that grants the 'kms:Decrypt' permission with a condition on 'aws:PrincipalTag' to require the tag.
D.Add a condition to the S3 bucket policy that denies all access unless the IAM role has the required tag.
AnswerC

Correct. IAM policies support the 'aws:PrincipalTag' condition key, which checks the tags attached to the IAM principal (user or role) making the request. By adding a condition like 'StringEquals': {'aws:PrincipalTag/Environment': 'Production'} to the IAM policy that grants 'kms:Decrypt', the decryption action is only allowed when the role has the specified tag. This is a form of attribute-based access control (ABAC).

Why this answer

Option C is correct because the condition key 'aws:PrincipalTag' in an IAM policy allows you to control access based on tags attached to the IAM principal (the role). By adding a condition that requires 'aws:PrincipalTag/Environment' to equal 'Production', the 'kms:Decrypt' permission is only effective when the IAM role has that specific tag. This directly enforces the security team's requirement at the IAM policy level, which is the appropriate place to restrict permissions based on principal attributes.

Exam trap

The trap here is confusing which policy document (IAM policy vs. key policy vs. bucket policy) and which condition key (PrincipalTag vs. RequestTag) is appropriate for restricting actions based on the caller's tags.

How to eliminate wrong answers

Option A is wrong because 'kms:RequestTag/ConditionKey' is used to check tags on the KMS key itself or tags specified in the request, not tags on the calling IAM role. Option B is wrong because the IAM role's trust policy controls which principals can assume the role, not what actions the role can perform; denying 'kms:Decrypt' in the trust policy is ineffective and misapplied. Option D is wrong because an S3 bucket policy controls access to S3 objects, not to KMS decryption actions; it cannot enforce conditions on the KMS 'Decrypt' API call.
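The ABAC pattern from the correct answer, as an added example that is not part of the question bank: a constructed IAM policy document that grants `kms:Decrypt` only under an `aws:PrincipalTag/Environment` condition, and a deliberately simplified evaluator (modelling only `StringEquals` and exact action/resource matching, not the real IAM policy engine) that shows the permission taking effect for a role tagged `Environment=Production` and being withheld for a role with a different tag or no tag at all. The key ARN is a placeholder.

```python
"""Attribute-based access control (ABAC) with aws:PrincipalTag.

Added example. The policy document is constructed for illustration and
the evaluator is a simplified model of how IAM applies a StringEquals
condition to the calling principal's tags; it is not AWS's policy engine.
"""
import json

# Constructed policy: kms:Decrypt is granted only when the calling role
# carries the tag Environment=Production. The key ARN is a placeholder.
DECRYPT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDecryptForProductionRoleOnly",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/PLACEHOLDER-KEY-ID",
            "Condition": {
                "StringEquals": {"aws:PrincipalTag/Environment": "Production"}
            },
        }
    ],
}

KEY_ARN = DECRYPT_POLICY["Statement"][0]["Resource"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_satisfied(condition, context):
    """Evaluate a Condition block (only StringEquals is modelled).
    Every condition key must be present in the request context and equal
    one of the expected values. A missing tag fails the check, which is
    what makes aws:PrincipalTag a safe ABAC gate: an untagged role gets nothing."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Return True if an Allow statement matches action and resource and its
    condition holds. An explicit Deny whose condition holds wins, as in IAM.
    Action/resource matching is exact here (no wildcard expansion)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if action not in actions:
            continue
        if resource not in resources and "*" not in resources:
            continue
        if not _condition_satisfied(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_context(principal_tags):
    """Build the condition-key context IAM derives from the role's tags."""
    return {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}


def decrypt_allowed_for(principal_tags):
    """Would a role carrying these tags be allowed to call kms:Decrypt?"""
    return is_allowed(DECRYPT_POLICY, "kms:Decrypt", KEY_ARN, request_context(principal_tags))


if __name__ == "__main__":
    print(json.dumps(DECRYPT_POLICY, indent=2))
    for tags in ({"Environment": "Production"}, {"Environment": "Staging"}, {}):
        print(tags, "->", "ALLOW" if decrypt_allowed_for(tags) else "DENY")
```

Because the condition lives in the identity policy attached to the role, it is enforced on the `kms:Decrypt` call itself; a trust policy (option B) or a bucket policy (option D) never sees that call.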

803
Drag & Dropmedium

Drag and drop the steps to set up a cross-region read replica for Amazon RDS in the correct order.

Why this order

Cross-region read replica: enable backups, configure, create replica, wait, and optionally promote.

804
MCQmedium

A company wants to receive a notification whenever a new AWS root account sign-in occurs. Which combination of services achieves this?

A.AWS Config + AWS Lambda
B.CloudTrail + EventBridge + SNS notification
C.AWS Budgets + SES email
D.Amazon GuardDuty finding + S3 export
AnswerB

CloudTrail captures the root sign-in event; EventBridge matches the event pattern and triggers an SNS notification — providing real-time alerting on root account usage.

Why this answer

AWS CloudTrail logs all root account sign-in events as `ConsoleLogin` events in the management events trail. Amazon EventBridge can be configured with a rule that matches this specific event pattern (e.g., `detail.userIdentity.type` = `Root` and `detail.eventName` = `ConsoleLogin`). The rule then triggers an Amazon SNS topic to send a notification (email, SMS, etc.) to the designated recipients.

This combination provides a real-time, event-driven notification for root account activity.

Exam trap

The trap here is that candidates often confuse AWS Config (which audits resource configurations) with CloudTrail (which records API activity), leading them to pick Option A, or they mistakenly think AWS Budgets can monitor security events, when it is strictly for cost and usage alerts.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against rules (e.g., checking if an S3 bucket is public), not for capturing or reacting to API call events like root sign-ins; AWS Lambda could process events but Config does not generate the required sign-in event. Option C is wrong because AWS Budgets monitors cost and usage against budget thresholds, not security events like root account sign-ins; SES email is for sending transactional or marketing emails, not for event-driven notifications triggered by CloudTrail events. Option D is wrong because Amazon GuardDuty generates security findings (e.g., unusual API calls, compromised credentials) but does not specifically detect or report root account sign-ins as a native finding; S3 export is a storage action, not a notification mechanism.
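The CloudTrail → EventBridge → SNS chain from the correct answer, as an added example that is not part of the question bank: an EventBridge event pattern matching root `ConsoleLogin` events on the fields named above, a simplified matcher that models EventBridge content filtering (exact-value lists and nested objects only), and a few constructed sign-in events in the EventBridge envelope. The `detail-type` value is the one EventBridge assigns to console sign-in events delivered through CloudTrail; the account ID, event ID, IP address and timestamps are made up.

```python
"""Root sign-in alerting: CloudTrail -> EventBridge rule -> SNS message.

Added example. The event pattern is the rule a practitioner would attach
to an SNS target; the events are constructed samples and the matcher is
a simplified model of EventBridge filtering (no prefix, numeric or
anything-but operators).
"""
import json

# EventBridge rule pattern: fire on every root-user ConsoleLogin, successful
# or not (a failed root sign-in attempt is worth knowing about too).
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "userIdentity": {"type": ["Root"]},
        "eventName": ["ConsoleLogin"],
    },
}


def matches(pattern, event):
    """True if the event satisfies the pattern. Every pattern key must exist
    in the event; a list leaf means 'the event value is one of these'; a
    nested dict recurses. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of allowed values")
    return True


def build_alert(event):
    """Shape the message the SNS target would publish (the role an
    EventBridge input transformer plays in a deployed rule)."""
    d = event["detail"]
    return (
        f"ROOT SIGN-IN {d['responseElements']['ConsoleLogin']} "
        f"account={event['account']} at {event['time']} "
        f"from {d['sourceIPAddress']} mfa={d['additionalEventData']['MFAUsed']}"
    )


def _signin_event(identity_type, outcome="Success", mfa="Yes", event_name="ConsoleLogin"):
    """Constructed sample CloudTrail sign-in event in the EventBridge envelope."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": "111122223333",  # constructed account ID
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventSource": "signin.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"type": identity_type, "accountId": "111122223333"},
            "sourceIPAddress": "203.0.113.10",  # documentation range
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa},
        },
    }


SAMPLE_EVENTS = {
    "root_login": _signin_event("Root"),
    "root_login_failed": _signin_event("Root", outcome="Failure", mfa="No"),
    "iam_user_login": _signin_event("IAMUser"),
}


def alerts_for(events):
    """Run the rule over a batch of events; returns the alert messages that
    would reach the SNS topic, in input order."""
    return [build_alert(e) for e in events if matches(ROOT_SIGNIN_PATTERN, e)]


if __name__ == "__main__":
    print(json.dumps(ROOT_SIGNIN_PATTERN, indent=2))
    for msg in alerts_for(SAMPLE_EVENTS.values()):
        print(msg)
```

Running it prints two alerts (the successful and the failed root sign-in) and nothing for the IAM user, which is the filtering the rule is meant to do before any notification is sent.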

805
MCQmedium

A company is migrating a critical database to Amazon RDS. The database must run continuously for the next 3 years to support the company's operations. The finance team wants to minimize compute costs for this database. However, they have a limited budget and cannot make large upfront payments. They want to commit to a 3-year term to receive the highest possible discount without paying anything upfront. Which pricing option should the finance team select for the DB instance?

A.On-Demand DB instances
B.1-Year All Upfront Reserved DB instances
C.3-Year Partial Upfront Reserved DB instances
D.3-Year No Upfront Reserved DB instances
AnswerD

3-Year No Upfront Reserved Instances provide the highest discount for a 3-year commitment while requiring zero upfront payment. This option minimizes compute costs without violating the budget constraint of no large upfront payment.

Why this answer

The finance team wants to commit to a 3-year term to receive the highest possible discount without paying anything upfront. AWS Reserved Instances offer three payment options: All Upfront, Partial Upfront, and No Upfront. The No Upfront option provides a significant discount over On-Demand pricing (typically around 40-60% for a 3-year term) while requiring no upfront payment, making it the most cost-effective choice given the budget constraint.

Option D (3-Year No Upfront Reserved DB instances) satisfies both the requirement for a 3-year commitment and the inability to make large upfront payments.

Exam trap

The trap here is that candidates often assume 'No Upfront' means no commitment or no discount, but in reality, it offers a substantial discount with a monthly payment obligation, making it the best choice for minimizing costs without upfront capital.

How to eliminate wrong answers

Option A is wrong because On-Demand DB instances have no upfront cost but also provide no discount, resulting in the highest compute costs over 3 years, which fails to minimize costs. Option B is wrong because 1-Year All Upfront Reserved DB instances require a large upfront payment, which violates the 'cannot make large upfront payments' constraint, and the 1-year term does not match the required 3-year commitment. Option C is wrong because 3-Year Partial Upfront Reserved DB instances still require an upfront payment (though smaller than All Upfront), which the finance team cannot afford, and while it offers a discount, it does not provide the highest possible discount without upfront payment.

806
MCQmedium

A company runs multiple workloads on AWS and must ensure that all Amazon S3 buckets have server-side encryption enabled. The compliance team wants to automatically detect any S3 bucket that is created without encryption and receive an alert. They also want to continuously monitor existing buckets for compliance. Which AWS service should they use?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon Inspector
AnswerA

Correct. AWS Config evaluates resource configurations against rules defined by the user (such as 's3-bucket-server-side-encryption-enabled') and can automatically detect non-compliant resources, including S3 buckets without encryption, and send alerts.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. You can create an AWS Config rule, such as the managed rule 's3-bucket-server-side-encryption-enabled', which automatically checks whether each S3 bucket has server-side encryption enabled. When a non-compliant bucket is detected (either newly created or existing), AWS Config can trigger an Amazon SNS notification to alert the compliance team, meeting both the detection and alerting requirements.

Exam trap

The trap here is that candidates often confuse AWS Config (configuration auditing) with AWS CloudTrail (API auditing), thinking that CloudTrail can detect non-compliant configurations, but CloudTrail only logs actions and does not evaluate the resulting state of resources against compliance rules.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence, not for checking resource configuration compliance like encryption settings. Option C (AWS CloudTrail) is wrong because it records API activity and provides audit logs of actions taken on S3 buckets (e.g., who created a bucket), but it does not continuously evaluate the configuration state of resources or alert on compliance violations. Option D (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for evaluating S3 bucket encryption policies.

807
MCQmedium

A solutions architect implements IAM least-privilege policies, enables encryption for all data at rest and in transit, configures VPC security groups and NACLs to limit network access, and sets up automated security incident detection. Which Well-Architected Framework pillar covers these activities?

A.Operational Excellence
B.Reliability
C.Security
D.Cost Optimisation
AnswerC

The Security pillar encompasses identity and access management, detective controls, infrastructure protection, data protection, and incident response — all of which the architect is implementing.

Why this answer

The Security pillar of the AWS Well-Architected Framework focuses on protecting data, systems, and assets through identity and access management (IAM least-privilege policies), data protection (encryption at rest and in transit), infrastructure protection (VPC security groups and NACLs), and detective controls (automated security incident detection). These activities directly map to the Security pillar's design principles and best practices.

Exam trap

The trap here is that candidates may confuse the Security pillar with Operational Excellence because both involve monitoring and automation, but Security specifically addresses data protection, identity, and network controls, not operational runbooks or deployment pipelines.

How to eliminate wrong answers

Option A is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value, including operations as code and incident response, not on implementing IAM policies, encryption, or network access controls. Option B is wrong because Reliability focuses on ensuring a workload performs its intended function correctly and consistently, including recovery planning and scaling, not on security controls like encryption or least-privilege access. Option D is wrong because Cost Optimisation focuses on avoiding unnecessary costs, such as right-sizing resources and using Reserved Instances, not on security configurations like NACLs or encryption.

808
MCQmedium

A company's development team frequently needs temporary test environments. A developer can log into the AWS Management Console, select an Amazon EC2 instance type, configure storage, and launch the instance within minutes without any interaction with the IT infrastructure team. This capability is an example of which essential characteristic of cloud computing?

A.Resource pooling
B.On-demand self-service
C.Measured service
D.Rapid elasticity
AnswerB

Correct. On-demand self-service means a user can provision computing capabilities automatically without requiring human interaction with the service provider. The developer using the AWS Management Console to launch an EC2 instance without contacting IT perfectly illustrates this characteristic.

Why this answer

The scenario describes a developer independently provisioning EC2 instances without requiring IT intervention. This directly matches the 'on-demand self-service' characteristic of cloud computing, where users can provision computing resources as needed automatically, without requiring human interaction with each service provider.

Exam trap

The trap here is confusing 'rapid elasticity' (the ability to scale resources quickly) with 'on-demand self-service' (the ability to provision resources without human intervention), as both involve speed but address different aspects of cloud computing.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, not the user's ability to self-provision. Option C is wrong because measured service involves metering and reporting resource usage for billing and optimization, not the act of provisioning. Option D is wrong because rapid elasticity describes the ability to scale resources up or down quickly in response to demand, not the self-service provisioning capability.

809
MCQmedium

A company has a serverless architecture on AWS for its order processing system. The system uses AWS Lambda functions to validate payment, check inventory, update the database, and send email notifications. The company needs a managed service to coordinate these functions into a workflow, implement retry logic in case of failures, and manage the execution of each step sequentially. Which AWS service should the company use?

A.AWS Step Functions
B.Amazon Simple Workflow Service (Amazon SWF)
C.Amazon Simple Queue Service (Amazon SQS)
D.AWS AppSync
AnswerA

AWS Step Functions is the correct service because it is purpose-built for orchestrating serverless workflows, providing state machines, retry logic, and error handling to coordinate Lambda functions and other AWS services.

Why this answer

AWS Step Functions is a fully managed service designed to coordinate multiple AWS services into a serverless workflow. It allows you to define state machines that execute Lambda functions sequentially, implement built-in retry logic with exponential backoff, and handle error conditions, making it the ideal choice for orchestrating the order processing steps (payment validation, inventory check, database update, and email notification).

Exam trap

The trap here is that candidates often confuse Amazon SWF with Step Functions because both are workflow services, but SWF is designed for human-in-the-loop processes and requires custom workers, while Step Functions is serverless-native and directly integrates with Lambda for automated orchestration.

How to eliminate wrong answers

Option B (Amazon SWF) is wrong because it is a legacy service designed for long-running, human-interactive workflows and requires managing workers and deciders, whereas the question specifies a serverless architecture with Lambda functions and a managed coordination service. Option C (Amazon SQS) is wrong because it is a message queue service for decoupling components and does not provide workflow orchestration, sequential step execution, or built-in retry logic for coordinating multiple functions. Option D (AWS AppSync) is wrong because it is a managed GraphQL service for real-time data synchronization and API management, not a workflow orchestrator for sequential Lambda execution.

810
MCQmedium

Which AWS service provides a managed blockchain network using open-source frameworks like Hyperledger Fabric and Ethereum?

A.Amazon DynamoDB
B.AWS Quantum Ledger Database (QLDB)
C.Amazon Managed Blockchain
D.Amazon Neptune
AnswerC

Amazon Managed Blockchain provides fully managed blockchain networks using Hyperledger Fabric and Ethereum, handling node provisioning, network configuration, and certificate management.

Why this answer

Amazon Managed Blockchain is the correct AWS service because it is specifically designed to create and manage blockchain networks using popular open-source frameworks like Hyperledger Fabric and Ethereum. It handles the heavy lifting of setting up the blockchain infrastructure, including peer nodes, ordering service, and certificate authorities, allowing developers to focus on building decentralized applications.

Exam trap

The trap here is that candidates often confuse AWS QLDB (a centralized ledger) with a blockchain service, but QLDB does not support decentralized consensus or open-source blockchain frameworks like Hyperledger Fabric and Ethereum.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a fully managed NoSQL key-value and document database, not a blockchain service; it does not support distributed ledger frameworks like Hyperledger Fabric or Ethereum. Option B is wrong because AWS Quantum Ledger Database (QLDB) is a centralized, immutable ledger database that provides a cryptographically verifiable transaction log, but it is not a blockchain network and does not use open-source blockchain frameworks; it is owned by a single authority. Option D is wrong because Amazon Neptune is a fully managed graph database service optimized for storing and querying highly connected data, not a blockchain or distributed ledger service.

811
MCQeasy

A small startup wants to launch a new application on AWS without any upfront investment in servers. Which cloud computing deployment model allows them to use AWS infrastructure without owning any physical hardware?

A.Private cloud
B.Hybrid cloud
C.Public cloud
D.Community cloud
AnswerC

Public cloud (AWS) provides on-demand infrastructure over the internet with no upfront hardware investment — resources are shared, provisioned in minutes, and billed per use.

Why this answer

The public cloud deployment model, such as AWS, provides on-demand access to shared computing resources over the internet, allowing the startup to provision virtual servers (e.g., EC2 instances) and other services without any upfront capital expenditure or ownership of physical hardware. This model is ideal for startups because it offers a pay-as-you-go pricing structure, eliminating the need for server procurement, maintenance, and data center management.

Exam trap

The trap here is that candidates often confuse 'public cloud' with 'hybrid cloud' because they think hybrid also avoids hardware ownership, but hybrid typically requires some on-premises or dedicated infrastructure, failing the 'no physical hardware' condition.

How to eliminate wrong answers

Option A is wrong because a private cloud involves dedicated infrastructure for a single organization, often requiring upfront investment in physical hardware or leased colocation space, which contradicts the 'no upfront investment' requirement. Option B is wrong because a hybrid cloud combines public and private clouds, and while it can reduce some hardware costs, it still typically involves owning or leasing private infrastructure, failing to meet the 'no physical hardware' condition. Option D is wrong because a community cloud is shared by several organizations with common concerns (e.g., compliance), but it still usually requires participants to invest in or manage physical infrastructure, not eliminating upfront hardware costs.

812
MCQeasy

Which statement about AWS data transfer pricing is correct?

A.All data transfer into and out of AWS is free
B.Data transfer into AWS from the internet is free; outbound data transfer to the internet is charged
C.Data transfer between EC2 instances in different Availability Zones is free
D.Data transfer between AWS Regions is free because it stays within AWS infrastructure
AnswerB

AWS charges for data leaving AWS to the internet (egress). Inbound data transfer from the internet to AWS is free. Cross-AZ and cross-Region transfers also incur charges.

Why this answer

Option B is correct because AWS does not charge for data transfer into AWS from the internet, but it does charge for outbound data transfer from AWS to the internet. This pricing model is fundamental to AWS's cost structure, encouraging data ingestion while charging for egress. For example, data uploaded to Amazon S3 is free, but downloading that data to the internet incurs per-GB charges.

Exam trap

The trap here is that candidates often assume all data transfer within AWS is free, but AWS charges for inter-AZ and inter-region traffic, and only inbound data from the internet is free.

How to eliminate wrong answers

Option A is wrong because while data transfer into AWS is free, outbound data transfer to the internet is charged, so not all data transfer is free. Option C is wrong because data transfer between EC2 instances in different Availability Zones incurs standard inter-AZ data transfer charges (typically $0.01 per GB in each direction), not free. Option D is wrong because data transfer between AWS Regions is charged at standard inter-region data transfer rates, even though it stays within the AWS global infrastructure.

813
MCQ · medium

A company is planning to migrate its on-premises data center to AWS. The finance team needs to compare the current on-premises infrastructure costs (including servers, storage, networking, and personnel) against the projected costs of running identical workloads on AWS over a three-year period. The team wants to input detailed specifications of their existing hardware and get a comprehensive report that highlights potential savings and provides a total cost of ownership (TCO) comparison. Which AWS tool should the finance team use?

A. AWS Pricing Calculator
B. AWS Cost Explorer
C. AWS Total Cost of Ownership (TCO) Calculator
D. AWS Simple Monthly Calculator
Answer: C

The AWS TCO Calculator is specifically designed to help organizations compare the costs of running their current on-premises workloads against AWS. It accepts detailed on-premises specifications and produces a comparative TCO report, including potential savings over multiple years.

Why this answer

The AWS Total Cost of Ownership (TCO) Calculator is specifically designed to compare the costs of on-premises infrastructure with AWS, allowing users to input detailed hardware specifications (servers, storage, networking) and generate a comprehensive report that highlights potential savings over a chosen period (e.g., three years). This tool directly addresses the finance team's need for a TCO comparison, including personnel costs, which is not a feature of other AWS calculators.

Exam trap

The trap here is that candidates often confuse the AWS Pricing Calculator (for estimating future AWS costs) with the TCO Calculator (for comparing on-premises vs. AWS costs), leading them to select option A instead of the correct C.

How to eliminate wrong answers

Option A is wrong because the AWS Pricing Calculator is used to estimate the cost of AWS services based on usage assumptions, but it does not accept on-premises hardware specifications or provide a direct comparison with existing infrastructure costs. Option B is wrong because AWS Cost Explorer analyzes historical AWS spending and forecasts future costs, but it cannot compare on-premises costs or accept hardware input. Option D is wrong because the AWS Simple Monthly Calculator (now deprecated) only estimated monthly AWS service costs without supporting on-premises input or TCO analysis.

814
MCQ · easy

Which cloud computing characteristic allows a company to pay only for the compute resources they actually use, without upfront commitments?

A. High availability
B. Elasticity
C. Pay-as-you-go pricing
D. Economies of scale
Answer: C

Pay-as-you-go eliminates upfront commitments, charging only for resources consumed — a core advantage of cloud computing.

Why this answer

Option C is correct because pay-as-you-go pricing is the cloud computing characteristic that enables a company to pay only for the compute resources they actually consume, with no upfront commitments or long-term contracts. This model aligns costs directly with usage, allowing organizations to avoid capital expenditure and scale spending based on demand. AWS implements this through services like EC2 On-Demand instances, where billing is per second (or per hour) with no minimum purchase required.

Exam trap

The trap here is that candidates often confuse elasticity (the ability to scale) with the pricing model itself, assuming that scaling automatically means pay-per-use, but elasticity is about resource adjustment while pay-as-you-go is the billing mechanism that charges only for consumed resources.

How to eliminate wrong answers

Option A is wrong because high availability refers to the ability of a system to remain operational and accessible despite failures, typically achieved through redundancy across multiple Availability Zones, not a pricing or payment model. Option B is wrong because elasticity describes the ability to automatically scale resources up or down based on demand, which affects cost efficiency but does not itself define the payment structure of paying only for what is used. Option D is wrong because economies of scale is a cost advantage that AWS passes to customers due to its massive infrastructure purchasing power, resulting in lower variable costs, but it is not a direct billing mechanism that allows pay-per-use without upfront commitments.

815
MCQ · medium

A security team wants to automatically detect unusual activity in their AWS account, such as EC2 instances communicating with known malicious IP addresses, unusual API calls indicating credential compromise, or cryptocurrency mining activity. Which AWS service uses machine learning to detect these threats?

A. Amazon Inspector
B. AWS Security Hub
C. Amazon GuardDuty
D. Amazon Macie
Answer: C

GuardDuty continuously analyses CloudTrail API logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds. It detects threats like compromised EC2 instances, unusual API calls, and communication with malicious IPs.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to continuously monitor for malicious or unauthorized behavior in AWS accounts and workloads. It specifically analyzes VPC Flow Logs, AWS CloudTrail management and data events, and DNS logs to detect patterns such as EC2 instances communicating with known malicious IP addresses, unusual API calls indicative of credential compromise, and cryptocurrency mining activity. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty with Amazon Inspector or AWS Security Hub, mistakenly thinking that vulnerability scanning or centralized security findings equate to active threat detection, whereas GuardDuty is the only service that continuously monitors for malicious behavior using machine learning and threat intelligence.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not for detecting malicious activity like communication with known bad IPs or credential compromise. Option B is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and checks compliance against standards, but it does not itself perform machine learning-based threat detection. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII, financial records) stored in Amazon S3, not to detect threats like malicious IP communication or cryptocurrency mining.

816
MCQ · medium

A company has been using AWS for six months and wants to predict their expected spending for the next quarter. They have historical cost data and need to use an AWS tool that can analyze past usage patterns and generate a monthly cost forecast. Which AWS tool should they use?

A. AWS Cost Explorer
B. AWS Budgets
C. AWS Trusted Advisor
D. AWS Cost and Usage Report
Answer: A

AWS Cost Explorer includes a forecasting feature that automatically generates monthly cost predictions based on historical usage, making it the correct tool for this requirement.

Why this answer

AWS Cost Explorer provides a pre-built dashboard with historical cost data and the ability to generate forecasts for future spending based on past usage patterns. It uses machine learning models to analyze your historical usage and produce a monthly cost forecast, making it the correct tool for predicting expected spending for the next quarter.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which only alerts on thresholds) with Cost Explorer (which actually analyzes trends and generates forecasts), leading them to select Budgets because they think 'budgeting' implies future planning.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is designed to set spending limits and send alerts when costs exceed thresholds, not to analyze historical data or generate forecasts. Option C (AWS Trusted Advisor) is wrong because it inspects your AWS environment for best practices in cost optimization, security, and performance, but it does not provide cost forecasting capabilities. Option D (AWS Cost and Usage Report) is wrong because it delivers raw, granular cost and usage data in a CSV or Parquet format for custom analysis, but it does not include built-in forecasting functionality.

817
MCQ · medium

A company wants to run containerized applications without managing the underlying EC2 instances or clusters. Which AWS service enables this?

A. Amazon EC2 with Docker installed
B. Amazon ECS on EC2
C. AWS Fargate
D. AWS Lambda
Answer: C

Fargate removes all EC2 instance management — developers specify container requirements and Fargate provisions and manages the underlying infrastructure invisibly.

Why this answer

AWS Fargate is a serverless compute engine for containers that allows you to run containerized applications without managing the underlying EC2 instances or clusters. You define your task definitions and Fargate automatically provisions and scales the compute infrastructure, abstracting away the need to handle instance patching, capacity planning, or cluster management.

Exam trap

The trap here is that candidates often confuse Amazon ECS on EC2 (which still requires instance management) with AWS Fargate (which is serverless), or they incorrectly assume AWS Lambda can run any containerized application despite its execution time and resource constraints.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Docker installed still requires you to manually provision, configure, patch, and manage the underlying EC2 instances, which contradicts the requirement of not managing instances or clusters. Option B is wrong because Amazon ECS on EC2 (the EC2 launch type) requires you to manage a cluster of EC2 instances, including scaling, patching, and cluster optimization, which does not meet the 'without managing' condition. Option D is wrong because AWS Lambda is designed for event-driven, short-running functions (max 15 minutes execution time and limited to 10 GB memory) and is not optimized for running general containerized applications, especially those requiring persistent or long-running processes.

818
MCQ · easy

Which AWS service provides a hybrid cloud storage solution that allows on-premises applications to seamlessly access data stored in AWS cloud storage using standard file protocols?

A. AWS DataSync
B. AWS Direct Connect
C. AWS Storage Gateway
D. Amazon FSx
Answer: C

Storage Gateway bridges on-premises and AWS storage — File Gateway presents S3 as NFS/SMB, Volume Gateway provides iSCSI block storage, and Tape Gateway replaces physical tape.

Why this answer

AWS Storage Gateway provides a hybrid cloud storage solution by offering on-premises appliances that expose standard file protocols (NFS, SMB) to local applications, while storing data durably in Amazon S3 or Amazon EBS. This allows seamless access to AWS cloud storage without modifying existing workflows, as the gateway caches frequently accessed data locally and asynchronously transfers data to the cloud.

Exam trap

The trap here is that candidates often confuse AWS DataSync (a transfer tool) with Storage Gateway (a hybrid storage appliance), because both involve moving data to AWS, but DataSync lacks the on-premises file protocol access and local caching that define a hybrid storage solution.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises storage and AWS, but it does not provide real-time, protocol-based access to cloud storage; it operates as a scheduled or one-time migration tool. Option B is wrong because AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, but it is a connectivity service, not a storage service, and does not expose file protocols or provide storage access on its own. Option D is wrong because Amazon FSx is a fully managed file system service that runs within AWS, not a hybrid solution; it does not include an on-premises gateway component for local caching or protocol bridging.

819
MCQ · medium

A company wants to protect their S3 buckets from accidental or malicious data exfiltration by ensuring that data can only leave the VPC through S3 endpoint conditions. Which IAM policy condition controls this?

A. S3 Block Public Access
B. VPC endpoint policy with aws:SourceVpc condition
C. S3 CORS configuration
D. Amazon Macie sensitive data classification
Answer: B

The `aws:SourceVpc` or `aws:SourceVpce` condition in an S3 bucket policy restricts access to only requests coming through a specific VPC or VPC endpoint, preventing exfiltration via compromised credentials outside the VPC.

Why this answer

Option B is correct because the `aws:SourceVpc` condition key in a VPC endpoint policy restricts access to S3 buckets so that requests must originate from the specified VPC. This ensures that data can only leave the VPC through the S3 VPC endpoint, preventing accidental or malicious data exfiltration via the public internet. By combining this condition with a VPC endpoint policy, the company enforces network-level control over S3 access.

Exam trap

The trap here is that candidates confuse S3 Block Public Access (a bucket-level permission control) with network-level exfiltration prevention, or they mistakenly think Macie or CORS can enforce data flow restrictions, when only VPC endpoint policies with the `aws:SourceVpc` condition can restrict traffic to a specific VPC.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access only prevents public access to S3 buckets at the account or bucket level, but it does not control how data leaves a VPC or enforce that traffic must go through a VPC endpoint. Option C is wrong because S3 CORS configuration controls cross-origin HTTP requests from web browsers, not network-level data exfiltration or VPC endpoint routing. Option D is wrong because Amazon Macie is a data classification and discovery service that identifies sensitive data, but it does not enforce network access controls or restrict data exfiltration paths.
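The network-level restriction described above, as an added example that is not part of the original question bank: a Python function that builds the S3 bucket policy denying any request that does not arrive through a given VPC endpoint (using the `aws:SourceVpce` condition key the explanation mentions), plus a small evaluator that mimics how that single Deny statement applies to a request's source endpoint. The bucket name and endpoint ID are constructed placeholders, not real resources.

```python
import json
from typing import Optional

# Constructed sample values (placeholders, not real AWS resources).
BUCKET = "example-finance-logs"
VPCE_ID = "vpce-0123456789abcdef0"


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Return an S3 bucket policy that denies every request not arriving
    through the named VPC endpoint.

    An explicit Deny overrides any Allow, so a principal holding valid
    credentials but calling S3 from outside the VPC (for example from the
    public internet) is refused.  Caveat for operators: this Deny also
    applies to the bucket owner's own console and CLI sessions outside the
    VPC, so test it on a non-critical bucket before rolling it out.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                # Deny fires when aws:SourceVpce is absent or differs.
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id}
                },
            }
        ],
    }


def request_is_denied(policy: dict, source_vpce: Optional[str]) -> bool:
    """Evaluate only the Deny statements of ``policy`` against a request
    whose aws:SourceVpce context key is ``source_vpce`` (None when the
    request did not come through any VPC endpoint).

    Deliberately narrow simulation of IAM evaluation: it handles the
    StringNotEquals condition emitted by build_bucket_policy and nothing
    else, as a teaching check rather than a policy simulator.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        expected = cond.get("aws:SourceVpce")
        if expected is None:
            return True  # unconditional Deny
        # IAM treats a missing context key as "not equal" for negated
        # operators such as StringNotEquals, so None is denied too.
        if source_vpce != expected:
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, VPCE_ID)
    print(json.dumps(policy, indent=2))
    for src in (VPCE_ID, "vpce-0ffffffffffffffff", None):
        print(f"source={src!r}: denied={request_is_denied(policy, src)}")
```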

820
MCQ · medium

A company stores sensitive financial data in Amazon S3 and must encrypt it at rest. The compliance team mandates that the encryption key must be rotated at least once per year, and the key material must be generated and managed by the company within AWS. The company wants a fully automated solution that requires no manual intervention for key rotation. Which AWS service or feature should the company use?

A. Use Amazon S3 server-side encryption with customer-provided encryption keys (SSE-C).
B. Create an AWS KMS customer managed key and enable automatic annual rotation.
C. Use an AWS KMS AWS managed key (aws/s3) which automatically rotates the key every year.
D. Use AWS CloudHSM to generate and manage the key, and implement a custom cron job to rotate the key.
Answer: B

Correct. AWS KMS customer managed keys (CMKs) can have automatic key rotation enabled, which rotates the key material once per year without any manual effort. The company retains control and ownership of the key.

Why this answer

Option B is correct because AWS KMS customer managed keys support automatic annual rotation, which satisfies the compliance requirement for key rotation without manual intervention. The company retains control over the key material since it is generated and managed within AWS KMS, meeting the mandate that the company manages the keys within AWS.

Exam trap

The trap here is that candidates may confuse AWS managed keys (which rotate automatically but are not customer-managed) with customer managed keys, or assume that SSE-C or CloudHSM are simpler solutions without realizing they fail the 'fully automated' or 'within AWS' requirements.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to provide and manage their own encryption keys outside of AWS, which contradicts the requirement that the key material be generated and managed by the company within AWS, and it does not offer automated rotation. Option C is wrong because AWS managed keys (aws/s3) are managed by AWS, not the company, and while they rotate automatically, the company does not have control over the key material or rotation schedule. Option D is wrong because AWS CloudHSM requires custom implementation for key rotation (e.g., a cron job), which introduces manual intervention and does not provide a fully automated solution as mandated.

821
MCQ · medium

A company stores compliance logs in Amazon S3. After 90 days, logs are never accessed again but must be retained for 7 years to meet regulatory requirements. Which S3 storage class provides the lowest storage cost for this long-term archival requirement?

A. S3 Standard
B. S3 Standard-IA
C. S3 Glacier Flexible Retrieval
D. S3 Glacier Deep Archive
Answer: D

S3 Glacier Deep Archive offers the lowest storage cost in Amazon S3, purpose-built for data retained for 7–10 years that is rarely or never retrieved. It meets the 7-year compliance requirement at the minimum cost.

Why this answer

Amazon S3 Glacier Deep Archive is designed for long-term retention of data that is accessed extremely rarely, with a retrieval time of 12 hours or more. It offers the lowest storage cost among all S3 storage classes, making it the most cost-effective choice for compliance logs that must be retained for 7 years but are never accessed after 90 days.

Exam trap

The trap here is that candidates often choose S3 Glacier Flexible Retrieval (Option C) because they see 'Glacier' and assume it is the cheapest archival option, but they overlook that Glacier Deep Archive is specifically designed for even lower-cost, longer-term archival with retrieval times of 12+ hours.

How to eliminate wrong answers

Option A is wrong because S3 Standard is optimized for frequently accessed data with millisecond retrieval and incurs higher storage costs, making it unsuitable for archival data that is never accessed. Option B is wrong because S3 Standard-IA is designed for infrequently accessed data but still has higher storage costs than archival classes and charges retrieval fees, making it more expensive for long-term retention. Option C is wrong because S3 Glacier Flexible Retrieval offers retrieval times from minutes to hours and has higher storage costs than Glacier Deep Archive, so it is not the lowest-cost option for data that is never accessed.

822
MCQ · medium

A company runs a web application that processes customer orders. During flash sales, the application's backend servers become overwhelmed because orders are submitted faster than they can be processed. The company needs a fully managed, highly available service that can buffer incoming orders so that the backend can process them at its own pace without losing any data. The service must automatically scale to handle any volume of orders without requiring manual provisioning. Which AWS service meets these requirements?

A. Amazon Simple Notification Service (Amazon SNS)
B. Amazon Simple Queue Service (Amazon SQS)
C. Amazon Kinesis Data Streams
D. Amazon MQ
Answer: B

Amazon SQS is a fully managed message queuing service that stores messages until a consumer processes them. It decouples the order submission from order processing, allowing the backend to process at its own pace. SQS automatically scales to handle any volume of messages and provides high availability and durability by replicating messages across Availability Zones.

Why this answer

Amazon Simple Queue Service (SQS) is a fully managed, highly available message queuing service that decouples application components. It buffers incoming orders by storing them in a queue, allowing the backend to process messages at its own pace without losing data. SQS automatically scales to handle any volume of messages, eliminating the need for manual provisioning.

Exam trap

The trap here is that candidates confuse Amazon SNS (push-based) with Amazon SQS (pull-based), failing to recognize that buffering and decoupling require a queue, not a notification service.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers in real time; it does not buffer messages or allow the backend to process at its own pace, and messages are lost if subscribers are unavailable. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data streams (e.g., clickstreams, logs) with a retention window of up to 365 days, not for simple buffering of discrete order messages; it requires consumers to track shard offsets and does not guarantee exactly-once processing without additional complexity. Option D is wrong because Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ, which requires provisioning of broker instances and does not automatically scale to handle variable workloads without manual intervention.

823
MCQ · medium

A company runs a critical e-commerce application on a single Amazon EC2 instance in one Availability Zone. The company wants to ensure that if the entire Availability Zone becomes unavailable, the application continues to run without manual intervention. Which AWS cloud concept best describes this requirement?

A. Scalability
B. High availability
C. Elasticity
D. Disaster recovery
Answer: B

High availability ensures that the system remains operational even when components fail, such as an entire Availability Zone, by designing with redundancy and automatic failover.

Why this answer

High availability (B) is the correct concept because it ensures that an application remains operational even when an entire Availability Zone fails. By deploying the EC2 instance across multiple Availability Zones (e.g., using an Auto Scaling group with a minimum of two instances and an Application Load Balancer), the application can automatically fail over to a healthy instance in another zone without manual intervention. This directly addresses the requirement for continuous operation during a zone outage.

Exam trap

The trap here is that candidates often confuse high availability with disaster recovery, but high availability focuses on automatic, immediate failover within a region (e.g., across Availability Zones), while disaster recovery involves restoring services after a major disruption, often with recovery time objectives (RTOs) measured in minutes or hours.

How to eliminate wrong answers

Option A is wrong because scalability refers to the ability to increase or decrease resources based on demand, not to maintain uptime during a zone failure. Option C is wrong because elasticity is the ability to dynamically scale resources up or down automatically, which does not inherently provide fault tolerance across Availability Zones. Option D is wrong because disaster recovery involves restoring systems after a catastrophic event (e.g., region-wide failure) and typically requires manual steps or complex automation, not the automatic, immediate failover that high availability provides.

824
MCQ · medium

A company is migrating its on-premises applications to the AWS Cloud. The Chief Security Officer wants to confirm the division of security responsibilities. According to the AWS Shared Responsibility Model, which of the following tasks is the customer's responsibility?

A. Ensuring the physical security of AWS data centers
B. Patching the hypervisor layer that runs Amazon EC2 instances
C. Managing network access control lists (ACLs) for the customer's VPC
D. Replacing defective hardware components in the AWS global infrastructure
Answer: C

Network ACLs are stateless firewall rules that control inbound and outbound traffic at the subnet level within a VPC. Configuring and managing these rules is the customer's responsibility as part of managing security in the cloud.

Why this answer

Option C is correct because managing network access control lists (ACLs) for a customer's VPC is explicitly a customer responsibility under the AWS Shared Responsibility Model. Customers control inbound and outbound traffic at the subnet level by configuring NACLs, which are stateless firewall rules. AWS provides the infrastructure and the VPC service, but the customer must define and manage the ACL rules to enforce network segmentation and security.

Exam trap

The trap here is that candidates often confuse the customer's responsibility for managing network ACLs with AWS's responsibility for managing the underlying network infrastructure, such as the hypervisor or physical hardware, leading them to incorrectly select options A, B, or D.

How to eliminate wrong answers

Option A is wrong because ensuring the physical security of AWS data centers is AWS's responsibility, not the customer's; AWS implements physical controls such as biometric access, surveillance, and security guards. Option B is wrong because patching the hypervisor layer that runs Amazon EC2 instances is AWS's responsibility, as the hypervisor is part of the virtualized infrastructure managed by AWS. Option D is wrong because replacing defective hardware components in the AWS global infrastructure is AWS's responsibility, as they manage the underlying hardware, including servers, storage, and networking gear.

825
MCQ · medium

A company runs an e-commerce application on AWS that experiences unpredictable traffic spikes during flash sales. The application currently runs on a fixed number of Amazon EC2 instances, which leads to performance degradation during spikes and wasted capacity during low traffic. The company wants to automatically adjust the number of instances based on real-time demand, only paying for the resources it uses. This need best represents which cloud computing concept?

A. High availability
B. Elasticity
C. Fault tolerance
D. Durability
Answer: B

Correct. Elasticity refers to the ability to dynamically provision and de-provision resources to match workload changes. This scenario describes exactly that: automatically increasing instances during spikes and decreasing them during low traffic to optimize cost and performance.

Why this answer

Option B (Elasticity) is correct because the scenario describes automatically scaling EC2 instances up and down based on real-time demand, which is the definition of elasticity in cloud computing. AWS Auto Scaling and Amazon EC2 Auto Scaling groups enable this by adding or removing instances in response to CloudWatch metrics, ensuring the application only pays for resources consumed during traffic spikes and low traffic periods.

Exam trap

The trap here is that candidates often confuse elasticity with high availability, thinking that adding more instances automatically ensures uptime, but elasticity is specifically about dynamic scaling to match demand, not about redundancy or failure recovery.

How to eliminate wrong answers

Option A (High availability) is wrong because it focuses on ensuring the application remains accessible despite failures, typically through multi-AZ deployments and load balancing, not on dynamically adjusting capacity based on demand. Option C (Fault tolerance) is wrong because it refers to the ability of a system to continue operating without interruption when a component fails, often using redundant resources, not on scaling resources to match variable load. Option D (Durability) is wrong because it concerns the long-term preservation of data, such as through replication in Amazon S3 (99.999999999% durability), and has no relation to adjusting compute capacity for traffic spikes.
