AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 901975

1024 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQeasy

A company wants to provide employees with secure, managed virtual Windows or Linux desktops accessible from any device, without purchasing physical computers or managing on-premises VDI infrastructure. Which AWS service provides cloud-based virtual desktops?

A.Amazon AppStream 2.0
B.Amazon WorkSpaces
C.Amazon EC2 with Remote Desktop
D.AWS Connect
AnswerB

WorkSpaces provides fully managed, persistent virtual desktops (Windows or Linux) in the cloud. Employees access them from any device. AWS manages the underlying infrastructure, security, and availability.

Why this answer

Amazon WorkSpaces is a fully managed, cloud-based virtual desktop infrastructure (VDI) service that provides secure, persistent Windows or Linux desktops accessible from any supported device. It eliminates the need to purchase physical hardware or manage on-premises VDI, aligning directly with the scenario described.

Exam trap

The trap here is confusing Amazon WorkSpaces (full virtual desktop) with Amazon AppStream 2.0 (application streaming), as both provide remote access but serve fundamentally different use cases — one delivers an entire OS desktop, the other delivers individual applications.

How to eliminate wrong answers

Option A is wrong because Amazon AppStream 2.0 is a non-persistent application streaming service that delivers individual applications to a user's browser or device, not full virtual desktops with a persistent operating system environment. Option C is wrong because Amazon EC2 with Remote Desktop requires manual configuration, patching, and management of the underlying EC2 instances, security groups, and Remote Desktop Protocol (RDP) access, which does not provide the managed, turnkey VDI experience described. Option D is wrong because AWS Connect is a cloud-based contact center service for managing customer interactions, not a virtual desktop solution.

902
MCQeasy

Which AWS Well-Architected Framework pillar focuses on protecting information, systems, and assets while delivering business value through risk assessments and mitigation strategies?

A.Reliability
B.Security
C.Operational Excellence
D.Performance Efficiency
AnswerB

The Security pillar covers IAM, detection controls, infrastructure protection, data protection, and incident response to protect assets while enabling business value.

Why this answer

The Security pillar of the AWS Well-Architected Framework is specifically designed to protect information, systems, and assets through the implementation of risk assessments and mitigation strategies. It encompasses practices such as identity and access management (IAM), detective controls (e.g., AWS CloudTrail, Amazon GuardDuty), infrastructure protection (e.g., AWS WAF, security groups), data protection (e.g., encryption at rest and in transit), and incident response. This pillar directly aligns with the question's focus on delivering business value while managing security risks.

Exam trap

The trap here is that candidates often confuse the Security pillar with the Reliability pillar because both involve 'protection'—but Security protects against unauthorized access and data breaches, while Reliability protects against service failures and downtime.

How to eliminate wrong answers

Option A is wrong because the Reliability pillar focuses on a workload's ability to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues—not on protecting information or risk assessments. Option C is wrong because the Operational Excellence pillar concentrates on running and monitoring systems to deliver business value, and on continually improving processes and procedures—it does not primarily address security risk assessments or asset protection. Option D is wrong because the Performance Efficiency pillar focuses on using computing resources efficiently to meet system requirements and maintain efficiency as demand changes and technologies evolve—it does not cover information protection or risk mitigation strategies.

903
MCQmedium

A company has an on-premises file server that stores large datasets. The company wants to reduce its on-premises storage footprint by moving cold data to AWS. However, users need low-latency access to frequently used files, and the applications must be able to access the data using the standard SMB protocol. The company wants to cache frequently accessed data locally on-premises for low latency, while securely storing all data in Amazon S3. Which AWS service should the company use?

A.AWS Storage Gateway File Gateway
B.Amazon FSx for Windows File Server
C.AWS DataSync
D.Amazon S3 with AWS Direct Connect
AnswerA

Correct. File Gateway provides an on-premises file share that caches active data locally and stores all data durably in Amazon S3. It supports SMB protocol, enabling existing applications to access the cloud storage seamlessly while maintaining low latency for frequently used files.

Why this answer

AWS Storage Gateway File Gateway is the correct choice because it provides on-premises caching of frequently accessed files for low-latency access via the standard SMB protocol, while all data is stored durably in Amazon S3. This directly meets the requirement to reduce on-premises storage footprint by moving cold data to AWS, while keeping hot data cached locally for performance.

Exam trap

The trap here is that candidates confuse AWS DataSync (a transfer tool) with a storage service that provides ongoing local caching and SMB access, or assume Amazon FSx for Windows File Server can be deployed on-premises when it is a cloud-only service.

How to eliminate wrong answers

Option B (Amazon FSx for Windows File Server) is wrong because it is a fully managed native Windows file server in the cloud, not an on-premises caching solution; it does not cache data locally on-premises or reduce the on-premises storage footprint. Option C (AWS DataSync) is wrong because it is a data transfer and synchronization tool, not a storage service; it can move data to S3 but does not provide on-premises caching or SMB access to cached files.

904
MCQeasy

A small business owner wants to host a simple WordPress website on AWS with a predictable flat monthly price, without learning about VPCs, security groups, instance types, or other AWS complexity. Which AWS service is designed for this simplified use case?

A.Amazon EC2 with a t3.micro
B.AWS Elastic Beanstalk
C.Amazon Lightsail
D.AWS Lambda
AnswerC

Lightsail provides pre-configured virtual servers with fixed monthly pricing that includes compute, SSD storage, DNS, and data transfer. It is specifically designed for simple websites and small applications without requiring AWS expertise.

Why this answer

Amazon Lightsail is designed specifically for users who need a simple, predictable monthly pricing model without managing underlying AWS infrastructure like VPCs, security groups, or instance types. It provides pre-configured virtual private servers (VPS) with a fixed monthly cost, including a one-click WordPress deployment, making it ideal for a small business owner who wants to avoid AWS complexity.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with a simplified solution, but Elastic Beanstalk still requires understanding of environments and scaling, and its pricing is not a flat monthly fee; Lightsail is the only service explicitly designed for predictable flat-rate pricing and zero infrastructure management.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with a t3.micro requires the user to manually configure VPCs, security groups, and instance management, and its pricing is per-hour (or per-second) with variable costs, not a predictable flat monthly price. Option B is wrong because AWS Elastic Beanstalk is a PaaS service that abstracts some infrastructure but still requires understanding of environments, scaling, and underlying EC2 instances, and its costs are not a simple flat monthly fee; it also does not offer a one-click WordPress deployment. Option D is wrong because AWS Lambda is a serverless compute service for event-driven code execution, not designed for hosting a full WordPress website with persistent storage and a web server; it lacks a flat monthly pricing model and requires knowledge of functions, triggers, and stateless architecture.

905
MCQeasy

Which AWS service provides a fully managed, scalable search service that allows you to set up, manage, and scale a search solution for your website or application?

A.Amazon Athena
B.Amazon OpenSearch Service
C.Amazon RDS with full-text search
D.AWS Glue
AnswerB

OpenSearch Service provides managed Elasticsearch/OpenSearch clusters for full-text search, log analytics, and application monitoring with automatic cluster management.

Why this answer

Amazon OpenSearch Service is a fully managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. It provides built-in integrations with tools like Kibana for visualization and Logstash for data ingestion, and it supports full-text search, structured search, and analytics, making it the correct choice for a scalable search solution.

Exam trap

The trap here is that candidates often confuse Amazon Athena's SQL-based querying of S3 data with a search service, but Athena is not designed for low-latency, full-text search or real-time indexing required for website or application search.

How to eliminate wrong answers

Option A is wrong because Amazon Athena is an interactive query service that analyzes data directly in Amazon S3 using standard SQL, not a search service for websites or applications. Option C is wrong because Amazon RDS with full-text search is a relational database service that requires manual scaling and management, and its full-text search capabilities are limited compared to a dedicated search engine like OpenSearch. Option D is wrong because AWS Glue is a serverless data integration service used for ETL (extract, transform, load) jobs and data cataloging, not for powering search functionality.

906
MCQmedium

A company stores log files in Amazon S3 Standard. After 30 days, the logs are rarely accessed. After 365 days, they should be archived and almost never retrieved. The company wants to automatically move objects between storage classes to minimise cost. Which S3 feature enables this automated transition?

A.S3 Versioning
B.S3 Lifecycle policy
C.S3 Intelligent-Tiering
D.S3 Event Notification
AnswerB

S3 Lifecycle policies automate the transition of objects between storage classes based on defined rules (e.g., move to Standard-IA after 30 days, then to Glacier after 365 days). This reduces cost without manual intervention.

Why this answer

S3 Lifecycle policies allow you to define rules that automatically transition objects between storage classes based on age or other criteria. In this scenario, a lifecycle rule can move logs from S3 Standard to a lower-cost infrequent access class after 30 days, and then to S3 Glacier Deep Archive after 365 days, minimizing storage costs without manual intervention.

Exam trap

The trap here is that candidates confuse S3 Intelligent-Tiering with a scheduled lifecycle policy, but Intelligent-Tiering does not allow you to specify exact day-based transitions — it only adapts to access patterns, making it unsuitable for fixed archiving schedules.

How to eliminate wrong answers

Option A is wrong because S3 Versioning is a feature that preserves, retrieves, and restores every version of an object, not for automating transitions between storage classes. Option C is wrong because S3 Intelligent-Tiering automatically moves data between access tiers based on changing access patterns, but it does not support a fixed schedule like 'after 30 days' or 'after 365 days' — it relies on monitoring access, not predefined time-based rules. Option D is wrong because S3 Event Notification sends alerts or triggers actions (e.g., Lambda functions) when specific events occur in a bucket, but it does not directly manage storage class transitions.

907
MCQmedium

A company processes large amounts of data with Amazon EC2 and exports the results to customers globally via the internet. Which AWS cost component will be their largest variable cost?

A.Data transfer into AWS (inbound)
B.Data transfer out of AWS to the internet (outbound)
C.Data transfer between EC2 instances in the same Availability Zone
D.API calls to AWS services
AnswerB

Outbound data transfer to the internet is charged per GB, making it a significant cost for applications that export large amounts of data to end users.

Why this answer

Data transfer out of AWS to the internet (outbound) is typically the largest variable cost for workloads that export large results to global customers. AWS charges per GB for outbound data transfer, and rates increase with volume, while inbound data transfer is free. For a company processing large datasets on EC2 and sending results to customers via the internet, outbound traffic dominates the data transfer bill.

Exam trap

The trap here is that candidates often assume inbound data transfer is costly or that inter-instance traffic incurs charges, but AWS specifically makes inbound free and same-AZ traffic free, so outbound internet transfer is the only significant variable cost among the options.

How to eliminate wrong answers

Option A is wrong because data transfer into AWS (inbound) is always free, so it cannot be the largest variable cost. Option C is wrong because data transfer between EC2 instances in the same Availability Zone is free (no charge), so it contributes nothing to variable costs. Option D is wrong because API calls to AWS services are billed per request (e.g., $0.01 per 1,000 requests for certain APIs), but these costs are negligible compared to the volume of outbound data transfer in a data-heavy export scenario.

908
MCQmedium

A company runs a web application on Amazon EC2 instances. The company wants to ensure that they are billed only for the exact compute capacity they consume, down to the second, for each running instance. They also want to receive a detailed breakdown of their usage, including CPU time, storage, and data transfer, so they can analyze costs per department. Which essential characteristic of cloud computing enables this granular tracking and billing?

A.Rapid elasticity
B.Resource pooling
C.Measured service
D.On-demand self-service
AnswerC

Measured service is the essential characteristic where cloud systems automatically control and optimize resource use by metering usage. This provides transparency and granular billing, allowing customers to pay per unit consumed and receive detailed usage reports.

Why this answer

Measured service is the correct answer because it is the cloud characteristic that enables providers to monitor, control, and report on resource usage (CPU time, storage, data transfer) with granularity down to the second. This metering capability allows AWS to bill customers only for the exact compute capacity consumed and provide detailed usage breakdowns for cost analysis per department.

Exam trap

The trap here is that candidates confuse 'rapid elasticity' with the ability to scale to meet demand, but the question specifically asks about granular tracking and billing, which is a direct function of 'measured service'—a distinct pillar of cloud computing that is often overlooked in favor of more commonly discussed characteristics like elasticity or self-service.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down quickly based on demand, not to the tracking or billing of consumed resources. Option B is wrong because resource pooling describes how the provider serves multiple customers from shared physical resources using multi-tenant models, which does not directly enable per-second billing or detailed usage breakdowns. Option D is wrong because on-demand self-service allows users to provision resources automatically without human interaction, but it does not provide the metering and billing granularity required for per-second consumption tracking.

909
MCQeasy

Which AWS service provides private connectivity between VPCs and supported AWS services without requiring internet gateway, NAT device, VPN, or Direct Connect?

A.Internet Gateway
B.NAT Gateway
C.VPC Endpoints
D.VPC Peering
AnswerC

VPC Endpoints enable private connectivity to AWS services from within a VPC — traffic stays on the AWS network, never traversing the public internet.

Why this answer

VPC Endpoints (specifically Gateway Endpoints for S3/DynamoDB and Interface Endpoints for other services) enable private connectivity between a VPC and supported AWS services using the AWS network, without requiring an internet gateway, NAT device, VPN, or Direct Connect. Traffic stays within the AWS backbone and never traverses the public internet, leveraging AWS PrivateLink for interface endpoints or route table entries for gateway endpoints.

Exam trap

The trap here is that candidates often confuse VPC Peering (Option D) as a way to access AWS services privately, but VPC Peering only connects VPCs, not services, and does not eliminate the need for internet gateways or NAT devices for service access.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway is a horizontally scaled, redundant component that allows communication between a VPC and the internet, not private connectivity to AWS services without internet exposure. Option B is wrong because a NAT Gateway enables outbound internet traffic from private subnets but does not provide private connectivity to AWS services without internet transit. Option D is wrong because VPC Peering connects two VPCs directly using AWS infrastructure, but it does not provide connectivity to AWS services themselves; it only links VPCs.

910
MCQmedium

A company is migrating a legacy application from an on-premises server to AWS Lambda. The Lambda function needs to connect to an Amazon RDS for MySQL database that stores sensitive customer data. The security team requires that database credentials are never stored in the function's code, environment variables, or configuration files. The solution must follow AWS best practices for securing database access. Which approach should the company use?

A.Store the database password in AWS Secrets Manager and retrieve it from within the Lambda function code.
B.Store the database password in AWS Systems Manager Parameter Store as a SecureString and retrieve it from within the Lambda function.
C.Configure the Lambda function to use an IAM role with permissions to connect to the RDS database using IAM database authentication.
D.Encrypt the database password using AWS KMS and hardcode the encrypted password in the Lambda function code.
AnswerC

IAM database authentication allows the Lambda function to connect to the RDS database using an authentication token generated from the function's IAM role. No password or secret is stored anywhere in the function code, environment variables, or configuration files. This approach fully meets the security requirement and follows AWS best practices for securing database connections from AWS Lambda. It also provides the added benefit of centralized access control through IAM policies.

Why this answer

Option C is correct because IAM database authentication eliminates the need to store any credentials in code, environment variables, or configuration files. The Lambda function assumes an IAM role that generates an authentication token using the AWS Signature Version 4 process, which is then used as a password to connect to the RDS MySQL database. This approach meets the security team's requirement and follows AWS best practices by leveraging short-term, rotated credentials without embedding secrets.

Exam trap

The trap here is that candidates often assume Secrets Manager or Parameter Store are the only secure options, but the question explicitly requires that credentials are never stored anywhere, making IAM database authentication the only valid choice because it uses temporary tokens instead of stored secrets.

How to eliminate wrong answers

Option A is wrong because while AWS Secrets Manager securely stores the password, the Lambda function code must still retrieve it at runtime, which introduces a dependency on secret retrieval and does not eliminate the need for a static password in the database. Option B is wrong because AWS Systems Manager Parameter Store as a SecureString similarly requires the Lambda function to retrieve the password programmatically, still relying on a stored static secret that could be exposed if the retrieval call is compromised, and it does not use the native IAM-based authentication that avoids credentials entirely.

911
MCQeasy

Which AWS service provides a managed customer relationship management (CRM) platform for sales and customer service teams?

A.Amazon Connect
B.Amazon Pinpoint
C.Amazon QuickSight
D.AWS AppFlow
AnswerA

Amazon Connect is AWS's managed cloud contact center service that enables customer service operations including agent workspaces, IVR, and customer interaction management.

Why this answer

Amazon Connect is a managed cloud-based contact center service that provides a CRM platform for sales and customer service teams. It enables organizations to set up omnichannel customer interactions (voice, chat, tasks) with AI-powered capabilities like Amazon Lex for chatbots and Amazon Polly for speech, all without managing underlying infrastructure.

Exam trap

The trap here is that candidates may confuse Amazon Connect (a contact center/CRM service) with Amazon Pinpoint (a marketing communication service) because both involve customer engagement, but Pinpoint is for outbound campaigns, not inbound sales/service workflows.

How to eliminate wrong answers

Option B (Amazon Pinpoint) is wrong because it is a targeted marketing communications service for sending push notifications, emails, and SMS campaigns, not a CRM platform for sales and customer service. Option C (Amazon QuickSight) is wrong because it is a business analytics and visualization service for creating dashboards and reports, not a CRM system. Option D (AWS AppFlow) is wrong because it is a fully managed integration service for securely transferring data between SaaS applications and AWS services, not a CRM platform.

912
MCQeasy

A developer needs to read objects from a specific Amazon S3 bucket. Following AWS security best practices, which approach should be used when creating the IAM policy for this developer?

A.Grant AdministratorAccess to ensure all required permissions are included
B.Grant AmazonS3FullAccess to cover all S3 operations
C.Grant only s3:GetObject permission on the specific bucket
D.Use the root account credentials since they guarantee access
AnswerC

Granting only s3:GetObject on the specific S3 bucket ARN follows the principle of least privilege. The developer can perform exactly what is needed and nothing more.

Why this answer

Option C is correct because the principle of least privilege dictates granting only the specific permissions required for the task. By attaching an IAM policy with only the s3:GetObject action on the specific bucket ARN, the developer can read objects without having unnecessary permissions that could lead to accidental or malicious changes. This approach aligns with AWS security best practices for IAM policies.

Exam trap

The trap here is that candidates often choose broad managed policies like AmazonS3FullAccess because they seem 'safe' or 'easier to manage,' overlooking that AWS explicitly recommends least-privilege policies and that over-permissioning is a common cause of data breaches.

How to eliminate wrong answers

Option A is wrong because AdministratorAccess grants full administrative permissions to all AWS services and resources, which violates the principle of least privilege and exposes the account to significant security risks. Option B is wrong because AmazonS3FullAccess allows all S3 operations (including PutObject, DeleteObject, and bucket configuration changes) on all buckets, far exceeding the read-only requirement and creating unnecessary attack surface. Option D is wrong because using root account credentials is explicitly against AWS security best practices; root credentials should be reserved for limited account management tasks and never used for routine operations due to their unrestricted power and lack of MFA protection.

913
MCQeasy

Which statement best describes 'high availability' in the context of AWS cloud architecture?

A.The ability to handle any amount of traffic by adding more resources
B.A design that minimizes downtime by eliminating single points of failure and enabling automatic recovery
C.Using the largest available instance types for maximum performance
D.Storing multiple copies of data in Amazon S3
AnswerB

High availability architectures eliminate single points of failure through redundancy and enable automatic failover — ensuring the application remains accessible despite component failures.

Why this answer

High availability in AWS is achieved by designing architectures that eliminate single points of failure and enable automatic recovery, typically using services like Elastic Load Balancing (ELB) to distribute traffic across multiple Availability Zones (AZs) and Auto Scaling to replace failed instances. This ensures that if one component fails, another takes over seamlessly, minimizing downtime. Option B correctly captures this core principle of fault tolerance and automated failover.

Exam trap

The trap here is confusing 'high availability' with 'scalability' (Option A) or 'durability' (Option D), as candidates often think adding more resources or storing extra copies automatically ensures uptime, but high availability specifically requires redundant, fault-tolerant components with automatic failover mechanisms.

How to eliminate wrong answers

Option A is wrong because it describes 'elasticity' (the ability to scale resources up or down based on demand), not high availability; high availability focuses on uptime and redundancy, not just scaling. Option C is wrong because using the largest instance types does not inherently provide high availability; it may actually increase the blast radius of a single failure and ignores the need for redundancy across AZs. Option D is wrong because storing multiple copies of data in Amazon S3 is a durability feature (ensuring data is not lost), not a high availability design for compute or application services; S3's 11 nines of durability does not equate to application-level uptime.

914
MCQmedium

A company runs a critical web application on AWS behind an Application Load Balancer. The security team is concerned about the risk of Distributed Denial of Service (DDoS) attacks that could deplete application resources and incur high costs due to auto scaling. The company wants a managed service that provides enhanced DDoS detection, access to the AWS DDoS Response Team (DRT), and financial protection against scaling costs associated with DDoS attacks. Which AWS service should the company use?

A.AWS Shield Standard
B.AWS Shield Advanced
C.AWS WAF
D.AWS Firewall Manager
AnswerB

Correct. AWS Shield Advanced provides enhanced DDoS detection and mitigation, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection (cost reimbursement) for scaling costs incurred due to a DDoS attack.

Why this answer

AWS Shield Advanced is the correct choice because it provides enhanced DDoS detection and mitigation beyond what Shield Standard offers, includes 24/7 access to the AWS DDoS Response Team (DRT) for custom mitigations, and offers financial protection (cost protection) against scaling costs incurred due to DDoS attacks on resources like Application Load Balancers. This directly addresses the company's need for a managed service that covers detection, expert support, and cost coverage.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic) with AWS Shield Advanced (paid, enhanced) or mistakenly think AWS WAF alone can handle DDoS cost protection and DRT access, when in fact WAF lacks those specific features.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic network-layer DDoS protection (e.g., SYN floods, UDP floods) at no extra cost, but it does not include access to the DRT or financial protection against scaling costs. Option C is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not provide DDoS-specific detection, DRT access, or cost protection for auto scaling. Option D is wrong because AWS Firewall Manager is a policy management service that centrally manages firewall rules (e.g., WAF rules, security groups) across accounts, but it does not offer DDoS detection, DRT access, or financial protection against scaling costs.

915
MCQmedium

A financial services company must keep customer financial records on-premises to comply with data residency regulations. The company wants to use AWS services such as Amazon SageMaker and Amazon Athena to run analytics on anonymized subsets of the data. The company establishes a dedicated AWS Direct Connect connection between its on-premises data center and its VPC, and uses AWS Storage Gateway to cache frequently accessed data locally while storing all data in Amazon S3. Which cloud deployment model does this architecture represent?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

Hybrid cloud is the correct model. It uses a mix of on-premises private cloud resources and public cloud services (AWS) connected via networking (like Direct Connect). This allows the company to keep sensitive data on-premises while taking advantage of AWS analytics services.

Why this answer

This architecture combines on-premises infrastructure (customer data center with AWS Storage Gateway caching) with AWS cloud services (SageMaker, Athena, S3) connected via AWS Direct Connect, which is the defining characteristic of a hybrid cloud deployment. A hybrid cloud model integrates private on-premises resources with public cloud services, allowing data to remain on-premises for compliance while leveraging cloud analytics.

Exam trap

The trap here is that candidates may confuse 'hybrid cloud' with 'private cloud' because the on-premises component is dedicated to one organization, but the use of AWS public cloud services (SageMaker, Athena, S3) over Direct Connect makes it a hybrid model, not a private cloud.

How to eliminate wrong answers

Option A is wrong because public cloud would mean all resources and data reside solely in AWS cloud, but here customer financial records remain on-premises due to data residency regulations. Option B is wrong because private cloud refers to a cloud environment dedicated to a single organization, typically hosted on-premises or in a provider's data center, but this architecture uses AWS public cloud services (SageMaker, Athena, S3) alongside on-premises infrastructure. Option D is wrong because community cloud is a shared infrastructure for several organizations with common concerns (e.g., compliance, security), but this scenario involves only one financial services company using its own on-premises and AWS resources.

916
MCQmedium

A company is developing a mobile application backend. The backend needs to process REST API requests that are triggered by user actions in the app. Usage is expected to start low but may spike unpredictably. The development team wants to focus solely on writing code and does not want to manage any servers or containers. The team also wants to only pay for compute time when requests are being processed. Which AWS service should the team use to meet these requirements?

A.Amazon EC2 Auto Scaling
B.AWS Lambda
C.AWS Fargate
D.Amazon API Gateway
AnswerB

Correct. AWS Lambda is a serverless compute service that runs your code only when triggered (e.g., via Amazon API Gateway). It automatically scales to handle any number of requests and you pay only for the compute time consumed during execution (per millisecond). There are no servers or containers to manage, aligning perfectly with the team's focus on writing code and minimizing operational overhead.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that runs code in response to REST API requests via Amazon API Gateway, automatically scaling from zero to thousands of concurrent executions. The team pays only for the compute time consumed while requests are being processed, with no charges when idle, and they never need to manage servers or containers.

Exam trap

The trap here is that candidates often confuse AWS Fargate as a 'serverless' option, but Fargate still requires container management and incurs costs for provisioned vCPU and memory even when idle, whereas Lambda is truly serverless with no idle costs.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling requires managing virtual servers (EC2 instances) and their scaling policies, which contradicts the requirement to avoid managing servers and containers. Option C is wrong because AWS Fargate is a serverless container engine that still requires the team to define and manage container images and task definitions, and it incurs costs for provisioned resources even when no requests are being processed.

917
MCQmedium

A company hosts a web application behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting (XSS), using a managed service that requires no underlying infrastructure management. Which AWS service should they use?

A.AWS Shield Advanced
B.AWS WAF
C.Amazon Inspector
D.Amazon GuardDuty
AnswerB

AWS WAF is a managed web application firewall that enables you to create customizable rules to block common attack patterns like SQL injection and cross-site scripting. It integrates directly with Application Load Balancers, Amazon CloudFront, and API Gateway, and requires no server or software management.

Why this answer

AWS WAF is a managed web application firewall that protects web applications from common exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Application Load Balancers and requires no underlying infrastructure management, making it the correct choice for this use case.

Exam trap

The trap here is that candidates confuse AWS WAF (application-layer filtering) with AWS Shield (network-layer DDoS protection) or Amazon Inspector (vulnerability scanning), overlooking that only WAF provides managed, rule-based protection against web exploits like SQL injection and XSS.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection, not application-layer threat detection for SQL injection or XSS. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not a real-time web exploit filter.

918
MCQmedium

A company runs separate AWS accounts for development, testing, and production workloads. The finance team wants a single view that shows the total spending across all accounts. Additionally, the team wants to benefit from volume discount pricing by aggregating usage across all accounts. The team also needs to allocate costs to individual projects based on custom tags applied to resources. Which AWS feature should the finance team use to meet all these requirements?

A.AWS Cost Explorer
B.AWS Organizations consolidated billing
C.AWS Budgets
D.AWS Trusted Advisor
AnswerB

Consolidated billing is a feature of AWS Organizations that aggregates costs across all member accounts, enabling volume discounts based on combined usage. It also supports cost allocation tags, allowing the finance team to track costs by project. This meets all the stated requirements.

Why this answer

AWS Organizations consolidated billing allows you to aggregate usage across all linked accounts, enabling volume discount pricing (e.g., lower S3 storage rates or EC2 Reserved Instance tiers) based on combined usage. It also provides a single payer account that can view total spending across all accounts, and supports cost allocation using custom tags (e.g., Project or CostCenter) via AWS Cost Explorer or AWS Cost and Usage Reports. This directly meets the finance team's requirements for unified spending visibility, volume discounts, and tag-based cost allocation.

Exam trap

The trap here is that candidates often pick AWS Cost Explorer because it shows spending, but they miss that it cannot aggregate accounts or provide volume discounts without consolidated billing being enabled first.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analysis tool for viewing historical and forecasted costs, but it does not aggregate accounts into a single bill or enable volume discount pricing; it relies on consolidated billing already being set up. Option C is wrong because AWS Budgets is used to set spending limits and receive alerts, not to aggregate accounts for billing or apply volume discounts; it also cannot allocate costs to projects based on tags without consolidated billing and Cost Explorer.

919
MCQmedium

A company uses AWS to run its web application. A developer needs to add additional storage capacity to an Amazon EC2 instance that hosts the application's database. The developer logs in to the AWS Management Console, navigates to the Amazon EC2 dashboard, creates a new Amazon EBS volume, attaches it to the instance, and mounts it within the operating system. The entire process takes less than 10 minutes and does not require any interaction with AWS support or approval from the IT department. Which essential characteristic of cloud computing does this scenario best demonstrate?

A.Resource pooling
B.On-demand self-service
C.Broad network access
D.Measured service
AnswerB

This is correct because on-demand self-service allows users to provision and manage computing resources automatically, without requiring human interaction with the service provider. The developer created and attached an EBS volume in minutes using only the AWS Management Console, with no support tickets or approvals needed.

Why this answer

The developer was able to provision and attach an EBS volume to an EC2 instance entirely through the AWS Management Console without requiring any human interaction with AWS support or IT approval. This ability to independently request and configure computing resources as needed is the defining characteristic of on-demand self-service, as defined by the NIST definition of cloud computing.

Exam trap

The trap here is that candidates confuse the ability to provision resources quickly (on-demand self-service) with the multi-tenant or shared infrastructure aspect of resource pooling, or with the network accessibility of the service.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's multi-tenant model where physical and virtual resources are dynamically assigned to multiple customers, not to a single user's ability to provision resources without manual intervention. Option C is wrong because broad network access describes capabilities being available over the network via standard mechanisms (e.g., HTTPS, SSH) that promote use by heterogeneous client platforms, not the self-service provisioning action itself. Option D is wrong because measured service involves monitoring, controlling, and reporting resource usage (e.g., CloudWatch metrics, billing reports) for transparency and optimization, which is not demonstrated by the act of creating and attaching a volume.

920
MCQmedium

A company runs a mix of Amazon EC2 instances, AWS Fargate containers, and AWS Lambda functions across multiple AWS Regions. The company wants to reduce costs by making a 1-year commitment for compute usage. The company needs a flexible purchasing option that automatically applies the discounted rate to any EC2 instance, Fargate, or Lambda usage, regardless of region, instance family, or size. Which AWS purchasing option should the company use?

A.Compute Savings Plan
B.EC2 Instance Savings Plan
C.Standard Reserved Instance
D.Convertible Reserved Instance
AnswerA

A Compute Savings Plan applies to any EC2 instance (any family, size, region), as well as to AWS Fargate and AWS Lambda usage. It provides the highest flexibility and matches the requirement of covering all compute services across regions.

Why this answer

A Compute Savings Plan is the correct choice because it offers the most flexibility, automatically applying discounted rates to any EC2 instance, Fargate, or Lambda usage across any AWS Region, instance family, or size. This matches the company's requirement for a 1-year commitment that covers diverse compute services without regional or instance constraints.

Exam trap

The trap here is that candidates often confuse Savings Plans with Reserved Instances, assuming Reserved Instances offer similar flexibility, but Reserved Instances are tied to specific instance attributes and do not cover Fargate or Lambda, making them unsuitable for this multi-service, multi-Region scenario.

How to eliminate wrong answers

Option B (EC2 Instance Savings Plan) is wrong because it only applies to EC2 instances within a specific instance family in a Region, not covering Fargate or Lambda, and lacks the cross-region flexibility required. Option C (Standard Reserved Instance) is wrong because it locks to a specific instance family, size, and Region, and does not cover Fargate or Lambda usage. Option D (Convertible Reserved Instance) is wrong because while it allows changing instance families, it still only applies to EC2 instances, not Fargate or Lambda, and requires manual exchange rather than automatic application.

921
MCQmedium

A development team is building a serverless image processing application. When a user uploads an image to Amazon S3, the application must perform three sequential steps: first, resize the image; second, generate a thumbnail; third, store metadata in Amazon DynamoDB. The team wants to define this workflow as a visual state machine, handle errors with retries, and manage the execution flow without writing custom orchestration code. Which AWS service should the team use?

A.AWS Step Functions
B.Amazon Simple Queue Service (SQS)
C.Amazon EventBridge
D.AWS Lambda
AnswerA

Correct. AWS Step Functions allows you to define workflows as state machines that can orchestrate multiple AWS services, manage sequencing, error handling, and retries without custom code.

Why this answer

AWS Step Functions is the correct choice because it allows you to define a visual state machine that orchestrates three sequential steps (resize, thumbnail, metadata storage) without writing custom orchestration code. It natively supports error handling with retries and manages execution flow, making it ideal for serverless workflows that require coordination across multiple AWS services like Lambda and DynamoDB.

Exam trap

AWS often tests the distinction between orchestration and messaging services, and the trap here is that candidates confuse Amazon SQS or EventBridge as workflow orchestrators because they handle events, but they lack the sequential state management and retry logic that Step Functions provides.

How to eliminate wrong answers

Option B (Amazon SQS) is wrong because SQS is a message queuing service for decoupling components and does not provide a visual state machine or built-in orchestration for sequential steps with error handling and retries. Option C (Amazon EventBridge) is wrong because EventBridge is an event bus for routing events between services, not a workflow orchestrator that can define sequential steps or manage retries. Option D (AWS Lambda) is wrong because Lambda is a compute service for running code in response to events, but it lacks native orchestration capabilities for multi-step workflows and would require custom code to manage sequencing, error handling, and retries.

922
MCQmedium

A company is designing a cloud architecture for a critical customer-facing application. The CTO requires that the architecture automatically recover from infrastructure failures without manual intervention. The solution must be able to withstand the failure of individual components, such as an Amazon EC2 instance or an entire Availability Zone. Which design principle from the AWS Well-Architected Framework's Reliability pillar should the company implement to meet this requirement?

A.Implement a monolithic architecture to reduce complexity and minimize points of failure.
B.Use a single large EC2 instance to minimize the number of components that could fail.
C.Test recovery procedures by simulating infrastructure failures in a staging environment.
D.Scale horizontally to increase aggregate system availability.
AnswerD

Horizontal scaling involves adding more instances (e.g., EC2 instances) to distribute the load. If one instance or even an entire Availability Zone fails, the remaining healthy instances continue serving traffic. Combined with automated health checks and Auto Scaling, this design principle ensures automatic recovery from component failures, directly meeting the requirement.

Why this answer

Scaling horizontally (adding more EC2 instances behind a load balancer) increases aggregate system availability because if one instance fails, traffic is redistributed to the remaining healthy instances. This design also supports multi-AZ deployments, allowing the application to survive an entire Availability Zone failure without manual intervention, which directly meets the CTO's requirement for automatic recovery.

Exam trap

The trap here is that candidates may confuse 'testing recovery procedures' (a design principle for validating resilience) with 'implementing automatic recovery' (which requires architectural choices like horizontal scaling and multi-AZ deployment).

How to eliminate wrong answers

Option A is wrong because a monolithic architecture concentrates all functionality into a single process, creating a single point of failure; if any component within the monolith fails, the entire application becomes unavailable, and it cannot withstand an AZ failure without manual intervention. Option B is wrong because using a single large EC2 instance creates a single point of failure; if that instance fails (e.g., due to hardware issues or AZ outage), the application is completely unavailable until manual recovery is performed. Option C is wrong because while testing recovery procedures is a good practice (part of the Reliability pillar's 'Test Recovery Procedures' design principle), it does not itself provide automatic recovery from failures; it only validates that manual or automated recovery plans work, but the question specifically requires automatic recovery without manual intervention.

923
MCQeasy

Which AWS compute service allows developers to run code in response to HTTP requests without managing servers, using a simple programming model based on functions?

A.Amazon EC2
B.AWS Lambda
C.Amazon ECS
D.AWS Fargate
AnswerB

Lambda runs code functions in response to events without infrastructure management, automatic scaling, and per-millisecond billing — the serverless compute service for event-driven architectures.

Why this answer

AWS Lambda is the correct answer because it is a serverless compute service that executes code in response to events such as HTTP requests via Amazon API Gateway. Developers upload functions and Lambda automatically scales and manages the underlying infrastructure, aligning with the question's requirement of running code without managing servers using a function-based model.

Exam trap

The trap here is that candidates may confuse AWS Fargate's 'serverless containers' with serverless functions, but Fargate still requires container orchestration and does not use a function-based programming model triggered directly by HTTP requests.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 requires developers to provision, configure, and manage virtual servers, which contradicts the 'without managing servers' requirement. Option C is wrong because Amazon ECS is a container orchestration service that still requires management of the underlying EC2 instances or a control plane, not a function-based model. Option D is wrong because AWS Fargate is a serverless compute engine for containers, but it runs containerized applications, not individual functions triggered by HTTP requests, and still involves container image management.

924
MCQmedium

A company runs a multi-tier web application on Amazon EC2 instances across multiple Availability Zones. The application has separate backend services for serving images and handling API requests, each running on different sets of EC2 instances. The company needs a load balancer that can inspect incoming HTTP/HTTPS requests and route them to the correct target group based on the URL path (e.g., /images to one group, /api to another). The solution must also offload SSL/TLS termination and perform health checks on the instances. Which AWS service should the company use?

A.Application Load Balancer
B.Network Load Balancer
C.Classic Load Balancer
D.AWS CloudFront
AnswerA

Correct. Application Load Balancer (ALB) is a Layer 7 load balancer that can route traffic based on URL path, host header, and other request attributes. It also offloads SSL/TLS and performs health checks.

Why this answer

The Application Load Balancer (ALB) operates at Layer 7 of the OSI model, allowing it to inspect HTTP/HTTPS headers and route traffic based on URL path patterns (e.g., /images vs /api). It natively supports SSL/TLS termination and can perform health checks on target instances, making it the correct choice for this multi-tier web application.

Exam trap

The trap here is that candidates often confuse the Network Load Balancer's ability to handle high throughput with the need for Layer 7 routing, forgetting that NLB cannot inspect URL paths, or they mistakenly think CloudFront can perform path-based routing to multiple origins without an ALB.

How to eliminate wrong answers

Option B is wrong because the Network Load Balancer operates at Layer 4 (TCP/UDP) and cannot inspect HTTP/HTTPS request paths or perform content-based routing; it only forwards traffic based on IP and port. Option C is wrong because the Classic Load Balancer (now legacy) does not support path-based routing; it can only route traffic to a single target group per listener and lacks native HTTP path inspection. Option D is wrong because AWS CloudFront is a content delivery network (CDN) that caches and distributes content at edge locations, not a load balancer; it cannot route traffic to different target groups based on URL paths within a single distribution without an ALB as origin.

925
MCQeasy

Which AWS support plan provides access to a Technical Account Manager (TAM) and proactive guidance for workload optimization?

A.Developer Support
B.Business Support
C.Enterprise Support
D.Basic Support
AnswerC

Enterprise Support includes a dedicated TAM and proactive guidance for workload optimization.

Why this answer

The Enterprise Support plan is the only AWS support plan that includes a designated Technical Account Manager (TAM) who provides proactive guidance, including architectural reviews and workload optimization recommendations. This plan is designed for large-scale enterprises that require personalized, ongoing support to align AWS services with business outcomes.

Exam trap

The trap here is that candidates often confuse the Business Support plan's access to Cloud Support Engineers with the dedicated TAM and proactive guidance that only the Enterprise Support plan provides.

How to eliminate wrong answers

Option A is wrong because Developer Support provides best-practice guidance and general support but does not include a TAM or proactive workload optimization. Option B is wrong because Business Support offers 24/7 access to Cloud Support Engineers and third-party software support, but it lacks a dedicated TAM and the proactive guidance found in Enterprise Support. Option D is wrong because Basic Support only includes access to documentation, whitepapers, and the AWS Health Dashboard; it provides no technical support, TAM, or proactive guidance.

926
MCQmedium

A company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Security Hub
AnswerB

AWS Artifact is the correct service. It is a self-service portal for on-demand access to AWS compliance reports and agreements. This allows customers to download reports like SOC 2 Type II directly.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications. The company can use AWS Artifact to download the SOC 2 Type II report directly, fulfilling the auditor's request without needing to contact AWS support.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Config, thinking Config can generate compliance reports, but Config only evaluates resource compliance, not AWS's own control reports.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for compliance reports like SOC 2. Option C is wrong because AWS Trusted Advisor provides recommendations for cost optimization, performance, security, and fault tolerance, but it does not host or distribute compliance audit reports.

927
MCQmedium

A company has been running multiple workloads on AWS for over six months. The finance team needs to gain visibility into historical cost and usage data, identify which services are driving the most spend, forecast future monthly costs, and receive recommendations for purchasing Reserved Instances to achieve the highest savings. The team wants to use a native AWS tool that provides this functionality without requiring any third-party software. Which AWS tool should the finance team use?

A.AWS Trusted Advisor
B.AWS Budgets
C.AWS Cost Explorer
D.AWS Pricing Calculator
AnswerC

AWS Cost Explorer has a default dashboard that gives you a view of your cost and usage over time. It enables you to filter by service, linked account, or tags, and provides forecasting up to 12 months ahead. Cost Explorer also provides Reserved Instance purchase recommendations based on your actual usage patterns, helping you maximize savings. This matches the finance team's requirements exactly.

Why this answer

AWS Cost Explorer is the correct choice because it provides a native interface for visualizing historical cost and usage data, identifying top spend drivers, forecasting future costs up to 12 months, and generating Reserved Instance (RI) purchase recommendations based on actual usage patterns. It meets all the finance team's requirements without any third-party software.

Exam trap

The trap here is that candidates often confuse AWS Budgets with Cost Explorer because both deal with cost management, but Budgets is for setting limits and alerts, not for in-depth historical analysis, forecasting, or RI recommendations.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is a service that inspects your AWS environment and provides best-practice recommendations in categories like cost optimization, performance, security, and fault tolerance, but it does not provide historical cost and usage data, forecasting, or Reserved Instance purchase recommendations. Option B is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts when you exceed or are forecasted to exceed them, but it does not provide historical cost and usage analysis, identify top spend drivers, or generate Reserved Instance recommendations.

928
MCQmedium

A company runs a customer-facing web application on Amazon EC2 instances. The application experiences unpredictable traffic patterns, with occasional spikes during marketing campaigns and lulls at other times. The company configures an Auto Scaling group to automatically add EC2 instances when CPU utilization exceeds 70% and remove instances when it drops below 30%. This ability to scale computing resources up and down in response to demand best represents which essential characteristic of cloud computing?

A.Elasticity
B.High availability
C.Security
D.Cost management
AnswerA

Elasticity is the correct characteristic because the Auto Scaling group automatically adjusts the number of EC2 instances based on real-time CPU utilization, matching supply to demand without manual intervention.

Why this answer

The scenario describes an Auto Scaling group that dynamically adjusts the number of EC2 instances based on CPU utilization thresholds (70% scale-up, 30% scale-down). This ability to automatically provision and de-provision computing resources to match demand is the defining characteristic of elasticity in cloud computing, which allows resources to scale out during spikes and scale in during lulls, optimizing cost and performance.

Exam trap

The trap here is that candidates confuse elasticity with high availability, but elasticity is specifically about scaling resources up and down to match demand, while high availability is about maintaining uptime through redundancy and fault tolerance.

How to eliminate wrong answers

Option B (High availability) is wrong because high availability focuses on ensuring the application remains accessible despite failures, typically through redundant infrastructure across Availability Zones, not on dynamically adjusting capacity based on load. Option C (Security) is wrong because security encompasses measures like encryption, IAM policies, and network controls, which are unrelated to the automatic scaling of compute resources in response to demand.

929
MCQmedium

A company's security team wants to continuously monitor their AWS environment for potential security threats such as unusual API calls, traffic from known malicious IP addresses, and anomalous behavior that might indicate a compromised resource. They need a managed threat detection service that uses machine learning to identify suspicious activity and generates detailed findings. The service should integrate with AWS Organizations to monitor multiple accounts and with Amazon CloudWatch Events to trigger automated responses. Which AWS service should the security team use?

A.Amazon Inspector
B.AWS Config
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerC

Amazon GuardDuty is the correct service. It continuously monitors AWS accounts and workloads for malicious activity, using machine learning and integrated threat intelligence. It can monitor multiple accounts via AWS Organizations and send findings to CloudWatch Events for automated actions.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor AWS environments for suspicious activity, such as unusual API calls, traffic from known malicious IP addresses, and anomalous behavior. It integrates natively with AWS Organizations to enable multi-account monitoring and with Amazon CloudWatch Events to trigger automated remediation workflows, directly matching all requirements in the question.

Exam trap

The trap here is confusing a vulnerability scanning service (Inspector) or a configuration auditing service (Config) with a dedicated threat detection service that uses machine learning and threat intelligence to identify active threats like compromised credentials or malicious IP traffic.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a continuous threat detection service for API calls or malicious IP traffic. Option B is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, not a threat detection service that uses machine learning to identify suspicious activity or integrates with threat intelligence feeds.

930
MCQmedium

A financial services company needs to maintain a tamper-proof audit log of all financial transactions for regulatory compliance. Which AWS service is most appropriate?

A.Amazon RDS with transaction logging
B.Amazon DynamoDB with global tables
C.Amazon QLDB
D.AWS CloudTrail with log file integrity validation
AnswerC

QLDB's journal is immutable and cryptographically verifiable — every change is hash-chained so any alteration to historical records can be mathematically detected, satisfying financial regulatory requirements.

Why this answer

Amazon QLDB (Quantum Ledger Database) is purpose-built to provide a cryptographically verifiable, immutable, and tamper-proof transaction log. It uses a journal that stores every change as a series of entries, and each entry is chained using a hash, making it impossible to alter or delete past records without detection. This aligns directly with the financial services requirement for an audit log that must be tamper-proof for regulatory compliance.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's log file integrity validation with a tamper-proof ledger, but CloudTrail is for API activity logging and does not provide the immutable, cryptographically chained journal that QLDB offers for application-level transaction records.

How to eliminate wrong answers

Option A is wrong because Amazon RDS with transaction logging provides database-level logging but does not offer cryptographic verification or immutability; logs can be altered or deleted by an administrator with sufficient permissions. Option B is wrong because Amazon DynamoDB with global tables is a multi-region, multi-master NoSQL database designed for high availability and scalability, not for providing a tamper-proof, immutable audit trail; it lacks built-in cryptographic chaining and journaling. Option D is wrong because AWS CloudTrail with log file integrity validation records API activity for governance and auditing, but it is designed for operational auditing of AWS API calls, not for storing financial transaction records with a cryptographically verifiable, append-only ledger; its integrity validation uses digital signatures on log files, but the underlying data can still be altered if the log files are compromised before validation.

931
MCQmedium

A company collects clickstream data from millions of users in real time and needs to process and analyse this data as it arrives — not after storing it — to detect patterns within seconds. Which AWS service is designed for real-time data streaming and processing?

A.Amazon SQS
B.Amazon S3
C.Amazon Kinesis Data Streams
D.Amazon DynamoDB Streams
AnswerC

Kinesis Data Streams is designed for real-time streaming of large data volumes. Multiple applications can consume the same stream simultaneously, enabling real-time analytics, pattern detection, and dashboards with sub-second latency.

Why this answer

Amazon Kinesis Data Streams is purpose-built for real-time data streaming and processing, enabling you to ingest and analyze clickstream data as it arrives with sub-second latency. It supports custom processing using AWS Lambda, Kinesis Data Analytics, or Kinesis Data Firehose, making it ideal for detecting patterns in real-time without waiting for data to be stored.

Exam trap

The trap here is that candidates often confuse Amazon SQS or DynamoDB Streams as streaming services, but SQS is a queue for decoupling and DynamoDB Streams is a change data capture mechanism, neither of which is designed for real-time, high-throughput data streaming and processing like Kinesis Data Streams.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a message queue service designed for decoupling application components and asynchronous message delivery, not for real-time streaming analytics or processing of high-throughput clickstream data. Option B is wrong because Amazon S3 is an object storage service that stores data after it is collected, not designed for real-time processing or streaming ingestion. Option D is wrong because Amazon DynamoDB Streams captures changes to DynamoDB tables in near-real-time but is limited to change data capture from a single table, not designed for ingesting and processing high-volume, real-time clickstream data from millions of users.

932
MCQmedium

A company runs a real-time bidding platform for online advertising. The platform requires a database that can handle millions of requests per second with single-digit millisecond latency for both reads and writes. The data model is simple key-value pairs, and the database must be fully managed so that the company does not have to provision or maintain servers. Which AWS database service should the company use to meet these requirements?

A.Amazon RDS
B.Amazon DynamoDB
C.Amazon Redshift
D.Amazon ElastiCache
AnswerB

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers single-digit millisecond latency at any scale. It automatically scales to handle millions of requests per second and requires no server provisioning, making it the perfect fit for a real-time bidding platform with high-throughput, low-latency key-value access.

Why this answer

Amazon DynamoDB is the correct choice because it is a fully managed NoSQL key-value and document database that delivers single-digit millisecond latency at any scale, handling millions of requests per second. Its serverless architecture eliminates the need to provision or manage servers, making it ideal for real-time bidding platforms with simple key-value data models and high-throughput, low-latency requirements.

Exam trap

The trap here is that candidates often confuse ElastiCache (a caching layer) with a primary database, overlooking DynamoDB's fully managed, serverless nature and its native support for high-throughput key-value workloads with persistent storage.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a relational database service that requires provisioning and managing server instances, and it cannot achieve single-digit millisecond latency for millions of requests per second with a simple key-value model. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries, not for real-time key-value workloads with high write throughput. Option D is wrong because Amazon ElastiCache is a managed in-memory caching service that is not fully serverless (it requires provisioning nodes) and is typically used as a cache layer, not as a primary durable database for persistent key-value storage.

933
MCQmedium

A company's compliance framework requires that all AWS API calls must be logged and that log integrity must be validated. Which AWS service with which feature satisfies this requirement?

A.Amazon CloudWatch Logs with metric filters
B.AWS CloudTrail with Log File Integrity Validation enabled
C.AWS Config with conformance packs
D.VPC Flow Logs stored in S3
AnswerB

CloudTrail records all API calls and Log File Integrity Validation creates cryptographically signed digest files — auditors can verify that no log files were altered, deleted, or forged.

Why this answer

AWS CloudTrail Log File Integrity Validation uses industry-standard algorithms (SHA-256 hashing and digital signatures with SHA-256 with RSA) to ensure that CloudTrail log files have not been tampered with after delivery. This feature enables you to validate that log files were not modified, deleted, or changed without authorization, directly meeting the compliance requirement for logging all AWS API calls and validating log integrity.

Exam trap

The trap here is that candidates often confuse logging (CloudTrail) with monitoring (CloudWatch) or configuration tracking (AWS Config), and overlook the specific integrity validation feature that is unique to CloudTrail.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs with metric filters can monitor log data and trigger alarms, but it does not provide any mechanism to validate the integrity of log files (i.e., detect tampering or unauthorized modification). Option C is wrong because AWS Config with conformance packs evaluates resource configurations against compliance rules, but it does not log API calls nor validate log file integrity. Option D is wrong because VPC Flow Logs capture IP traffic information for network interfaces, not AWS API calls, and storing them in S3 does not include built-in integrity validation.

934
MCQmedium

A company runs compute-intensive batch processing jobs that require high CPU performance. The workload is not memory-intensive and does not require GPU acceleration. Which Amazon EC2 instance family is the most appropriate choice?

A.Memory optimised (R family)
B.Compute optimised (C family)
C.Storage optimised (I family)
D.Accelerated computing (P family)
AnswerB

Compute optimised instances deliver the highest performance per CPU core on AWS. They are designed for batch processing, scientific computing, and other CPU-intensive workloads that are not memory-bound.

Why this answer

The compute-optimized (C family) EC2 instances are designed for workloads that benefit from high-performance processors, such as batch processing, scientific modeling, and gaming servers. Since the job requires high CPU performance and is not memory-intensive or GPU-accelerated, the C family provides the best price-performance ratio for compute-bound tasks.

Exam trap

The trap here is that candidates often confuse 'compute-intensive' with 'memory-intensive' and select memory-optimized instances, or they assume all high-performance workloads require GPU acceleration and pick accelerated computing instances.

How to eliminate wrong answers

Option A is wrong because memory-optimized instances (R family) are designed for memory-intensive workloads like large in-memory databases or real-time analytics, not for high CPU performance. Option C is wrong because storage-optimized instances (I family) are optimized for high sequential I/O performance for storage-heavy workloads like NoSQL databases or data warehousing, not CPU-bound tasks. Option D is wrong because accelerated computing instances (P family) include GPUs or FPGAs for parallel processing or machine learning, which is unnecessary for a workload that does not require GPU acceleration.

935
MCQmedium

A company's IT team manually provisions S3 buckets, EC2 instances, security groups, and IAM roles for each new project using the AWS Management Console. This process often results in configuration errors, such as overly permissive security rules or incorrect tagging, which the security team then has to fix manually. The company wants to define its entire infrastructure in a declarative template file, store it in version control, and have AWS automatically create or update the resources based on that template. Which AWS service should the company use to meet these requirements?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerA

AWS CloudFormation is the correct service for infrastructure as code. It allows you to define all AWS resources in a declarative template, version-control the template, and automatically create or update the resources as a stack.

Why this answer

AWS CloudFormation is the correct service because it allows you to define your entire infrastructure—including S3 buckets, EC2 instances, security groups, and IAM roles—in a declarative JSON or YAML template. You can store this template in version control, and CloudFormation automatically provisions or updates the resources to match the template, eliminating manual configuration errors like overly permissive security rules or incorrect tagging.

Exam trap

The trap here is that candidates confuse AWS Elastic Beanstalk as an infrastructure-as-code solution because it automates deployment, but it does not provide the declarative template control over all AWS resources that CloudFormation offers.

How to eliminate wrong answers

Option B is wrong because AWS Elastic Beanstalk is a Platform-as-a-Service (PaaS) that automates application deployment and scaling, but it abstracts away the underlying infrastructure and does not allow you to define and manage arbitrary resources like S3 buckets or IAM roles in a declarative template. Option C is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet to manage server configurations and application stacks, but it is not designed for declarative infrastructure-as-code templates stored in version control; it focuses on automating operational tasks on EC2 instances rather than provisioning all AWS resources from a template.

936
MCQmedium

A company's security team discovers that database credentials are stored in plaintext in application configuration files. The team wants to implement a secure way to store, manage, and automatically rotate these credentials every 90 days. The solution must provide fine-grained IAM policies to control which users and applications can access the secrets and must integrate with AWS services like Amazon RDS for automatic rotation. Which AWS service should the company use to meet these requirements?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.AWS Key Management Service (AWS KMS)
D.AWS Identity and Access Management (IAM)
AnswerB

Secrets Manager is the correct service. It provides native support for automatic rotation of credentials, including built-in integration with Amazon RDS. It also offers fine-grained IAM policies and central management of secrets, meeting all stated requirements.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, managing, and automatically rotating database credentials. It supports automatic rotation every 90 days for Amazon RDS, Aurora, Redshift, and DocumentDB with built-in Lambda rotation functions, and it integrates with IAM for fine-grained access control via resource-based and identity-based policies.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not natively support automatic rotation of secrets; it requires custom automation via AWS Lambda or EventBridge, and its advanced tier lacks the same built-in rotation integration for RDS. Option C is wrong because AWS KMS is a key management service for encryption keys, not a secrets storage service; it cannot store, manage, or rotate database credentials directly. Option D is wrong because IAM is an access management and authentication service, not a secrets storage service; it cannot store secrets or perform automatic rotation.

937
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce a policy that prevents any user or role in any member account from disabling AWS CloudTrail or deleting CloudTrail log files from Amazon S3. The team needs a solution that is centrally managed from the management account and applies to all current and future member accounts automatically. Which AWS feature should the security team use to meet these requirements?

A.AWS Config conformance packs
B.Service Control Policies (SCPs)
C.IAM permissions boundaries
D.AWS CloudTrail data events
AnswerB

Correct. SCPs are the correct choice because they allow centralized control over the maximum permissions for all accounts in an AWS Organization. They can explicitly deny actions such as disabling CloudTrail or deleting S3 objects in the log bucket. SCPs apply across the entire organization, including new accounts, and cannot be overridden by member account administrators. This provides the preventive enforcement the security team requires.

Why this answer

Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to centrally control the maximum available permissions for all accounts within an organization. By attaching an SCP that explicitly denies the actions to disable CloudTrail or delete CloudTrail log files from S3, the security team can enforce this policy across all current and future member accounts from the management account, as SCPs automatically apply to new accounts added to the organization.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permissions boundaries, not realizing that SCPs operate at the organization level and apply to all accounts automatically, while permissions boundaries are account-specific and require manual configuration per user/role.

How to eliminate wrong answers

Option A is wrong because AWS Config conformance packs are used to evaluate resource compliance against rules and remediate non-compliant resources, but they cannot prevent actions from being performed in the first place; they only detect and report violations after the fact. Option C is wrong because IAM permissions boundaries set the maximum permissions for IAM users and roles within a single account, but they are not centrally managed from the management account and do not automatically apply to all member accounts in an AWS Organization.

938
MCQmedium

A company needs to connect multiple VPCs and on-premises networks through a single hub, simplifying network management. Which AWS service acts as a cloud router to interconnect these networks?

A.VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.Internet Gateway
AnswerB

Transit Gateway is a managed cloud router that enables any-to-any connectivity between VPCs and on-premises networks through a single hub, with route tables controlling traffic flow.

Why this answer

AWS Transit Gateway acts as a cloud router, using a hub-and-spoke model to interconnect multiple VPCs and on-premises networks through a single gateway. It simplifies network management by centralizing routing, supporting transitive routing between all attached networks, and integrating with AWS Direct Connect and VPN connections.

Exam trap

The trap here is that candidates often confuse VPC Peering (which is free but non-transitive and requires full mesh) with Transit Gateway (which provides transitive routing and central management), leading them to choose VPC Peering for multi-VPC connectivity without considering the hub-and-spoke requirement.

How to eliminate wrong answers

Option A is wrong because VPC Peering provides only a one-to-one, non-transitive connection between two VPCs, requiring a full mesh of peering connections for multiple VPCs and cannot connect to on-premises networks directly. Option C is wrong because AWS Direct Connect is a dedicated physical network connection from on-premises to AWS, not a router that interconnects multiple VPCs; it requires a Transit Gateway or Virtual Private Gateway to enable multi-VPC connectivity. Option D is wrong because an Internet Gateway is a horizontally scaled, redundant component that allows VPC communication with the internet, not a router for interconnecting VPCs or on-premises networks.

939
MCQmedium

A company runs a customer-facing web application on AWS. To ensure the application remains available if a fire or flood destroys one of the company's data centers, the IT team deploys the application across multiple physically separate facilities within the same AWS Region. Each facility has independent power, cooling, and physical security. Which component of the AWS global infrastructure does this deployment strategy primarily use?

A.AWS Regions
B.Availability Zones
C.Edge Locations
D.Local Zones
AnswerB

Availability Zones are physically separate and isolated data centers within an AWS Region. Each has independent power, cooling, and physical security. By deploying across multiple Availability Zones, the application can survive the failure of one data center, meeting the requirement for high availability within the same Region.

Why this answer

Availability Zones are distinct, physically separated locations within an AWS Region, each with independent power, cooling, and physical security. Deploying across multiple Availability Zones protects against data center-level failures like fires or floods, ensuring high availability for the application.

Exam trap

The trap here is confusing Availability Zones with AWS Regions, as candidates often think 'physically separate facilities' must mean different Regions, but the question explicitly states 'within the same AWS Region,' which directly points to Availability Zones.

How to eliminate wrong answers

Option A is wrong because AWS Regions are separate geographic areas (e.g., us-east-1 vs. eu-west-1) that are hundreds of miles apart, not multiple facilities within the same Region; using multiple Regions would provide disaster recovery across large distances, not the described scenario of physically separate facilities within one Region. Option C is wrong because Edge Locations are content delivery endpoints used by Amazon CloudFront to cache data closer to users for low latency, not for hosting compute or storage resources to achieve high availability against data center failures.

940
MCQmedium

A company runs a multi-step order fulfilment process that includes payment verification, inventory check, warehouse notification, and shipping label generation. Each step is implemented as a Lambda function. They need a service to coordinate these steps, handle retries on failure, and visualise workflow state. Which AWS service should they use?

A.Amazon SQS
B.Amazon EventBridge
C.AWS Step Functions
D.Amazon SNS
AnswerC

Step Functions orchestrates multi-step workflows using a state machine model. It manages the sequence of Lambda invocations, retries failed steps, handles errors, and provides a visual console showing the current state of each workflow execution.

Why this answer

AWS Step Functions is a serverless orchestration service that lets you coordinate multiple AWS services, including Lambda functions, into a visual workflow. It natively supports sequential execution, parallel branches, retries on failure, and state visualization, making it the ideal choice for a multi-step order fulfillment process.

Exam trap

The trap here is that candidates confuse message/event services (SQS, SNS, EventBridge) with orchestration services, failing to recognize that only Step Functions provides the stateful coordination, retry logic, and visual workflow required for multi-step processes.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a message queue service for decoupling application components, not a workflow orchestrator; it cannot coordinate multi-step logic, handle retries based on business logic, or visualize workflow state. Option B is wrong because Amazon EventBridge is an event bus for routing events between services, not a stateful workflow engine; it lacks built-in support for sequential step coordination, retry policies, and state visualization. Option D is wrong because Amazon SNS is a pub/sub notification service for sending messages to subscribers, not a workflow orchestrator; it cannot manage multi-step processes, retries, or provide a visual representation of workflow state.

941
MCQmedium

A company hosts a public-facing web application behind an Application Load Balancer (ALB). The development team has recently identified that the application is vulnerable to common web attacks such as SQL injection and cross-site scripting (XSS). The security team wants to deploy a managed solution that can inspect incoming HTTP requests and block malicious traffic before it reaches the application. The solution must integrate directly with the existing ALB and provide pre-configured rule sets that can be customized. Which AWS service should the company use?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS WAF
D.AWS Firewall Manager
AnswerC

AWS WAF is a web application firewall that allows you to monitor and control HTTP and HTTPS requests forwarded to your protected resources. It integrates directly with ALB and provides managed rule sets for common threats like SQL injection and XSS. You can customize rules to meet specific requirements.

Why this answer

AWS WAF is a managed web application firewall that integrates directly with Application Load Balancers to inspect HTTP/HTTPS requests. It provides pre-configured rule sets, such as those for SQL injection and cross-site scripting (XSS), which can be customized to block malicious traffic before it reaches the application. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates may confuse AWS Shield Advanced (which handles DDoS) with AWS WAF (which handles application-layer attacks like SQLi and XSS), but Shield does not inspect request payloads for malicious content.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks, but it does not inspect application-layer payloads for SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for anomalous behavior, not a web application firewall that inspects and blocks HTTP requests at the ALB level.

942
MCQmedium

A retail company's order processing system receives large bursts of orders during flash sales. The order intake API gets overwhelmed because it directly calls a downstream processing service that is slower. The company wants to decouple the API from the processing service so orders are not lost during spikes. Which AWS service should they use?

A.Amazon SNS
B.Amazon SQS
C.Amazon EventBridge
D.AWS Step Functions
AnswerB

SQS is a durable message queue that stores messages until they are processed. The intake API enqueues orders, and the processing service dequeues and processes them at its own pace. Messages persist even if the processor is temporarily unavailable.

Why this answer

Amazon SQS (Simple Queue Service) is the correct choice because it provides a fully managed message queue that decouples the order intake API from the downstream processing service. When the API receives a burst of orders, it can immediately push each order message into an SQS queue, and the processing service can poll and consume messages at its own pace, ensuring no orders are lost even during traffic spikes.

Exam trap

The trap here is that candidates often confuse SNS (push-based pub/sub) with SQS (pull-based queue), assuming any decoupling service works the same, but SNS cannot buffer messages or allow the consumer to control the consumption rate, making it unsuitable for handling bursts from a slower downstream service.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes notifications to subscribers; it does not provide a durable buffer or allow the consumer to control the processing rate, so it cannot decouple the API from a slower downstream service without risking message loss or overload. Option C is wrong because Amazon EventBridge is a serverless event bus for routing events between AWS services and custom applications; it is not designed for point-to-point decoupling with a queue-like buffer and does not offer the same message retention and polling mechanics as SQS. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows; it does not inherently provide a message queue for buffering bursts of requests and would not prevent the API from being overwhelmed by direct calls.

943
MCQeasy

Which AWS service provides a marketplace where customers can find, buy, and deploy software from third-party vendors that runs on AWS infrastructure?

A.AWS Service Catalog
B.AWS Marketplace
C.AWS Partner Network
D.Amazon AppFlow
AnswerB

AWS Marketplace is the digital catalog for purchasing and deploying third-party software (SaaS, AMIs, containers, CloudFormation templates) with AWS-consolidated billing.

Why this answer

AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors (ISVs). Customers can find, buy, and deploy software with flexible pricing options including hourly, annual, and multi-year contracts. AWS Marketplace handles billing consolidation — charges appear on the AWS bill alongside other AWS charges.

944
MCQmedium

A security audit found that an S3 bucket is publicly readable. Which IAM/S3 mechanism should be reviewed to identify what grants the public access?

A.IAM identity-based policies attached to the root user
B.Bucket policies and S3 Block Public Access settings
C.AWS Organizations Service Control Policies
D.Amazon Macie classification rules
AnswerB

Public S3 access is granted through bucket policies with Principal '*' and/or bucket/object ACLs. Block Public Access settings can override these to prevent public exposure.

Why this answer

Bucket policies are resource-based policies that explicitly define who has access to an S3 bucket, including public access grants like `"Principal": "*"`. S3 Block Public Access settings act as an overarching security control that can override bucket policies to prevent public access. Reviewing both mechanisms together identifies exactly how public readability was granted and whether any block was misconfigured or absent.

Exam trap

The trap here is that candidates often confuse IAM identity-based policies (which control user permissions) with resource-based policies (like bucket policies) that directly grant public access, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because IAM identity-based policies attached to the root user control actions the root user can perform, not who can access the bucket from the public; public access is granted via resource-based policies, not identity-based policies. Option C is wrong because AWS Organizations Service Control Policies (SCPs) set permission boundaries for accounts within an organization but do not directly grant or deny public access to a specific S3 bucket. Option D is wrong because Amazon Macie classification rules are used to discover and classify sensitive data in S3 buckets, not to control or audit access permissions.

945
MCQmedium

A retail company expects 10x normal traffic during Black Friday. They want to ensure their application can handle this peak load automatically. Which AWS services should they configure to handle this requirement?

A.Launch the maximum number of instances before Black Friday and keep them running year-round
B.EC2 Auto Scaling + Application Load Balancer with CloudWatch scaling policies
C.Increase the EC2 instance size to the largest available type
D.Use AWS Snowball to temporarily add compute capacity
AnswerB

Auto Scaling dynamically adds EC2 instances as demand rises and removes them as it falls. ALB distributes traffic evenly. CloudWatch metrics trigger scaling policies — the canonical elastic scaling architecture.

Why this answer

EC2 Auto Scaling automatically adjusts the number of EC2 instances based on demand, and an Application Load Balancer distributes incoming traffic across those instances. CloudWatch scaling policies monitor metrics like CPU utilization or request count to trigger scaling actions, ensuring the application can handle the 10x traffic spike without manual intervention.

Exam trap

AWS often tests the misconception that vertical scaling (increasing instance size) is sufficient for handling traffic spikes, but the exam emphasizes horizontal scaling with Auto Scaling and load balancers as the correct approach for elasticity and high availability.

How to eliminate wrong answers

Option A is wrong because launching the maximum number of instances year-round leads to unnecessary cost and resource waste, as the company only needs the extra capacity during the Black Friday peak, not constantly. Option C is wrong because simply increasing the instance size to the largest available type does not provide horizontal scaling; a single large instance can still be overwhelmed by a 10x traffic spike and creates a single point of failure. Option D is wrong because AWS Snowball is a petabyte-scale data transfer service for moving large amounts of data into or out of AWS, not a compute capacity solution; it cannot handle real-time traffic spikes.

946
MCQmedium

A company has 50 TB of on-premises file server data that must be transferred to Amazon S3. The company's internet connection is limited to 100 Mbps, and the data transfer must not impact daily business operations. The company needs a physical device to securely copy the data and then ship it to AWS for ingestion. Which AWS service should the company use?

A.AWS Snowball
B.AWS DataSync
C.Amazon S3 Transfer Acceleration
D.AWS Direct Connect
AnswerA

Correct. AWS Snowball is a physical device service for offline data transfer. It is ideal for moving large datasets (terabytes to petabytes) when network bandwidth is limited, costly, or unavailable. The device is shipped to the customer, data is copied locally, and the device is returned to AWS for ingestion into Amazon S3.

Why this answer

AWS Snowball is a physical data transport solution designed for large-scale data transfers when network bandwidth is limited or unreliable. With 50 TB of data and a 100 Mbps connection, transferring over the network would take approximately 46 days and saturate the link, impacting business operations. Snowball provides a rugged, secure device that you copy data to locally and ship to AWS, bypassing the network entirely.

Exam trap

The trap here is that candidates may choose DataSync or S3 Transfer Acceleration because they are familiar AWS data transfer services, but they overlook the explicit requirement for a physical device and the need to avoid impacting business operations on a low-bandwidth link.

How to eliminate wrong answers

Option B (AWS DataSync) is wrong because it is a network-based data transfer service that requires a stable, high-bandwidth internet connection to move data online, and it would still saturate the 100 Mbps link, impacting daily operations. Option C (Amazon S3 Transfer Acceleration) is wrong because it only accelerates uploads over the internet by using AWS edge locations, but it does not eliminate the bandwidth bottleneck or provide a physical device; the transfer would still be constrained by the 100 Mbps connection.

947
MCQmedium

A company runs a containerized application that uses multiple Docker containers. The development team wants to run these containers on AWS without provisioning or managing any EC2 instances. They also do not want to manage the container orchestration control plane. The application requires consistent access to persistent storage volumes that can be attached to containers. Which AWS service should the team use to run the containers with the least operational overhead?

A.Amazon EC2 with a container-optimized AMI
B.AWS Lambda
C.AWS Fargate
D.Amazon ECR (Amazon Elastic Container Registry)
AnswerC

AWS Fargate is a serverless compute engine for containers. It eliminates the need to provision and manage EC2 instances or the container orchestration control plane. You define your containerized application (task definition) and Fargate launches and runs the containers. Fargate also supports persistent storage through Amazon EFS or Docker volumes, meeting the storage requirement with minimal operational overhead.

Why this answer

AWS Fargate is a serverless compute engine for containers that allows you to run containers without provisioning or managing EC2 instances or the underlying container orchestration control plane (Amazon EKS or Amazon ECS). It directly meets the requirement of zero infrastructure management while supporting persistent storage through Amazon EFS filesystems or Docker volumes that can be attached to Fargate tasks, providing consistent access to storage volumes.

Exam trap

The trap here is that candidates often confuse AWS Fargate with Amazon ECS or EKS, thinking they must choose a managed orchestration service that still requires EC2 management, but Fargate eliminates both instance and control plane management.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with a container-optimized AMI still requires the team to provision, patch, and manage EC2 instances, violating the requirement to not manage any EC2 instances. Option B is wrong because AWS Lambda is designed for short-lived, event-driven functions with a maximum execution duration of 15 minutes and does not support running multiple Docker containers with persistent storage volumes attached; it also lacks native support for container orchestration and long-running containerized applications.

948
MCQmedium

A company has a mobile application that allows users to upload profile photos. When a new photo is uploaded to an Amazon S3 bucket, the application must automatically create a thumbnail version and store it in another S3 bucket. The company wants a solution that runs only when needed, scales automatically, and requires no management of underlying servers. Which AWS service should the company use to meet these requirements?

A.AWS Lambda
B.AWS Batch
C.Amazon EC2
D.Amazon ECS with EC2 launch type
AnswerA

AWS Lambda is correct. It executes code in response to S3 events, scales automatically, and is serverless, meaning no server management is needed.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that runs code in response to events, such as an S3 PUT object event. It automatically scales from zero to thousands of concurrent executions based on the number of incoming uploads, and requires no server management, perfectly meeting the requirement for an on-demand, auto-scaling thumbnail generation solution.

Exam trap

The trap here is that candidates may confuse AWS Batch with event-driven processing, but Batch is optimized for scheduled or queued batch jobs, not for real-time, per-object triggers like S3 uploads.

How to eliminate wrong answers

Option B (AWS Batch) is wrong because AWS Batch is designed for batch computing workloads that run as jobs on a managed cluster of EC2 instances or Fargate containers, not for real-time, event-driven processing of individual S3 object uploads. Option C (Amazon EC2) is wrong because EC2 requires provisioning, managing, and scaling underlying virtual servers, which contradicts the requirement for a solution that requires no management of underlying servers and runs only when needed.

949
MCQmedium

A company runs an application with variable workloads. During business hours, they need 10 EC2 instances; overnight they only need 2. Which combination minimizes cost while meeting this requirement?

A.10 On-Demand Instances running 24/7
B.10 Reserved Instances
C.2 Reserved Instances + Auto Scaling with On-Demand for variable demand
D.10 Spot Instances with Auto Scaling
AnswerC

Reserved Instances cover the predictable 2-instance baseline at lowest cost, while Auto Scaling adds On-Demand capacity during business hours and removes it overnight.

Why this answer

Option C is correct because it uses 2 Reserved Instances to cover the baseline workload (overnight) at a lower cost, and Auto Scaling with On-Demand Instances to dynamically add capacity during business hours. Reserved Instances provide a significant discount over On-Demand for steady-state usage, while On-Demand instances handle variable demand without upfront commitment, minimizing total cost.

Exam trap

The trap here is that candidates may choose Spot Instances (Option D) for cost savings without recognizing their lack of reliability for a workload requiring consistent availability during business hours, or they may over-purchase Reserved Instances (Option B) assuming all capacity must be reserved, ignoring the variable nature of the workload.

How to eliminate wrong answers

Option A is wrong because running 10 On-Demand Instances 24/7 incurs the highest cost, as On-Demand pricing is premium and does not leverage any discount for steady-state usage. Option B is wrong because 10 Reserved Instances lock in capacity for a 1- or 3-year term, but only 2 are needed overnight; the additional 8 Reserved Instances would be underutilized during off-peak hours, wasting money. Option D is wrong because Spot Instances can be terminated by AWS with little notice (2-minute warning) when capacity is reclaimed, making them unsuitable for a workload that must be available during business hours; they lack the reliability needed for consistent daytime operation.

950
MCQmedium

A company has multiple IAM users. The security policy requires that every user must have an MFA device assigned and must use it for console sign-in. The security team wants to automatically detect any IAM user that does not have MFA enabled and receive an email alert. Which combination of AWS services should the team use to meet these requirements?

A.AWS CloudTrail and Amazon CloudWatch Logs
B.AWS Trusted Advisor and Amazon Simple Email Service (Amazon SES)
C.AWS Config and Amazon Simple Notification Service (Amazon SNS)
D.AWS IAM Access Analyzer and Amazon Inspector
AnswerC

This option is correct. AWS Config can evaluate IAM users against the managed rule 'iam-user-mfa-enabled'. When a user is non-compliant, Config can publish a compliance change notification to an Amazon SNS topic. Subscribers (e.g., email endpoints) receive alerts automatically.

Why this answer

AWS Config can continuously monitor IAM users for compliance with the security policy by using a managed rule such as IAM_USER_MFA_ENABLED. When a non-compliant user is detected, AWS Config can trigger an Amazon SNS topic to send an email alert, meeting the requirement for automatic detection and notification.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's root account MFA check with IAM user MFA enforcement, or assume CloudTrail can detect configuration state rather than just API events.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., sign-in events) but does not evaluate the state of MFA configuration on IAM users; CloudWatch Logs can store logs but cannot trigger alerts based on MFA status without custom metric filters and alarms, which is not the simplest or intended approach. Option B is wrong because AWS Trusted Advisor checks for MFA on the root account, not on individual IAM users, and Amazon SES is an email-sending service that requires custom integration, whereas Amazon SNS is the standard service for publishing notifications from AWS Config.

951
MCQmedium

A company needs to process and analyze streaming log data from thousands of servers in near real-time, loading the results into Amazon Redshift for dashboards. Which AWS service is designed for this streaming ETL delivery use case?

A.Amazon Kinesis Data Streams
B.Amazon Kinesis Data Firehose
C.AWS Glue
D.Amazon MSK
AnswerB

Kinesis Data Firehose is the managed streaming delivery service that loads data into Redshift, S3, and OpenSearch automatically — including optional Lambda transformation, with no consumer code needed.

Why this answer

Amazon Kinesis Data Firehose is the correct choice because it is a fully managed service designed specifically for streaming ETL (extract, transform, load) delivery. It can capture, transform (e.g., convert to Parquet/ORC, perform Lambda-based data transformation), and automatically load streaming data into Amazon Redshift, Amazon S3, or Amazon OpenSearch Service in near real-time, with no ongoing administration required.

Exam trap

The trap here is that candidates often confuse Kinesis Data Streams (raw ingestion) with Kinesis Data Firehose (managed ETL delivery), assuming both can directly load into Redshift, but only Firehose provides the built-in COPY command integration and automatic transformation capabilities.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Streams is a raw data ingestion service that stores streaming data in shards for custom consumers to process; it does not natively perform ETL transformations or directly load data into Redshift without additional custom code. Option C is wrong because AWS Glue is a serverless data integration service primarily for batch ETL jobs and cataloging, not designed for continuous near-real-time streaming ingestion into Redshift. Option D is wrong because Amazon MSK (Managed Streaming for Apache Kafka) provides a managed Kafka cluster for building custom streaming applications, but it lacks built-in ETL transformation and direct Redshift delivery capabilities, requiring additional infrastructure and code.

952
MCQmedium

A company is deploying a new web application on AWS. The operations team needs to provision and manage AWS resources such as Amazon EC2 instances, Amazon RDS databases, and Amazon S3 buckets in a repeatable, consistent manner across development, test, and production environments. The team wants to define the entire infrastructure as code using declarative templates that can be version-controlled and reviewed. Which AWS service should the team use to meet this requirement?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerB

AWS CloudFormation is the correct service. It enables you to define and provision AWS infrastructure using declarative templates. You can version control these templates, review them, and deploy consistent environments across development, test, and production. This is the ideal solution for infrastructure as code on AWS.

Why this answer

AWS CloudFormation is the correct service because it allows you to define your entire infrastructure as code using declarative templates (JSON or YAML). These templates can be version-controlled and reviewed, enabling repeatable and consistent provisioning of resources like EC2 instances, RDS databases, and S3 buckets across multiple environments. CloudFormation manages the lifecycle of these resources as stacks, ensuring idempotent deployments.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (a PaaS for application deployment) with infrastructure-as-code, but Elastic Beanstalk does not provide the declarative, version-controlled resource templates that CloudFormation offers for managing individual AWS resources like EC2, RDS, and S3 across environments.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a Platform-as-a-Service (PaaS) that abstracts infrastructure management and automates deployment, but it does not provide the granular, declarative infrastructure-as-code templates for defining individual resources like EC2, RDS, and S3 in a version-controlled manner; it focuses on application deployment rather than explicit resource provisioning. Option C is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet to manage server configurations and application stacks, but it is not a declarative infrastructure-as-code service for defining and provisioning AWS resources directly; it relies on recipes and cookbooks for server state, not on declarative templates for resource orchestration.

953
MCQhard

A company has unpredictable, short-lived batch processing workloads that can be interrupted. Which EC2 purchasing option would provide the lowest cost for these workloads?

A.On-Demand Instances
B.Reserved Instances (1-year, No Upfront)
C.Spot Instances
D.Dedicated Hosts
AnswerC

Spot Instances offer up to 90% discount for interruptible workloads. Batch jobs that can checkpoint and resume are the ideal fit — they tolerate interruption in exchange for the lowest possible compute cost.

Why this answer

Spot Instances (Option C) are the correct choice because they offer unused EC2 capacity at steep discounts (up to 90% off On-Demand) and are ideal for fault-tolerant, flexible, short-lived, or interruptible workloads. Since the company's batch processing jobs are unpredictable and can be interrupted, Spot Instances provide the lowest cost while tolerating the risk of termination when AWS needs the capacity back.

Exam trap

The trap here is that candidates often choose On-Demand Instances (Option A) because they assume 'unpredictable' workloads require full pricing flexibility, but they overlook that Spot Instances are explicitly designed for interruptible, short-lived workloads at the lowest cost.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide full pricing flexibility but are significantly more expensive than Spot Instances, making them unsuitable for cost-sensitive interruptible workloads. Option B is wrong because Reserved Instances require a 1-year or 3-year commitment and are designed for steady-state, predictable usage, not for short-lived, unpredictable batch jobs that can be interrupted. Option D is wrong because Dedicated Hosts provide physical servers dedicated for your use, which is the most expensive option and is intended for regulatory or licensing requirements, not for cost optimization on interruptible workloads.

954
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. The company has an on-premises Microsoft Active Directory (AD) that contains employee credentials and group memberships. The company wants to grant employees access to the AWS Management Console and command-line interface (CLI) using their existing AD credentials, without creating IAM users for each employee. Additionally, the company wants to centrally manage permissions across all accounts by assigning policies to AD groups. Which AWS service should the company use to meet these requirements?

A.AWS Identity and Access Management (IAM)
B.AWS Directory Service for Microsoft Active Directory
C.AWS IAM Identity Center (AWS Single Sign-On)
D.AWS Resource Access Manager (AWS RAM)
AnswerC

IAM Identity Center is the correct service for this use case. It connects to an existing identity provider (such as on-premises Active Directory), enables single sign-on to the AWS Management Console and CLI, and centrally manages permissions across all accounts in AWS Organizations by assigning permission sets to groups.

Why this answer

AWS IAM Identity Center (formerly AWS Single Sign-On) is the correct service because it allows centralized management of user access to multiple AWS accounts and applications using existing corporate credentials from Microsoft Active Directory. It supports federation with AD via SAML 2.0 or SCIM, enabling employees to sign in to the AWS Management Console and CLI without creating IAM users. Permissions can be assigned to AD groups through permission sets, which map to IAM roles, ensuring consistent policy enforcement across all accounts in AWS Organizations.

Exam trap

The trap here is that candidates often confuse AWS Directory Service for Microsoft Active Directory with IAM Identity Center, thinking that a managed AD alone can provide cross-account access and SSO, but Directory Service only provides the directory backend and lacks the centralized permission assignment and federation capabilities that IAM Identity Center offers for multi-account environments.

How to eliminate wrong answers

Option A is wrong because AWS IAM is used to create and manage individual IAM users and policies, but the requirement explicitly states the company does not want to create IAM users for each employee; IAM cannot natively federate with on-premises AD without additional services like IAM Identity Center or SAML identity providers. Option B is wrong because AWS Directory Service for Microsoft Active Directory provides a managed AD domain in the cloud, but it does not natively integrate with AWS Organizations to centrally assign permissions across multiple accounts; it would require additional configuration with IAM roles and does not replace the need for IAM Identity Center's multi-account permission management.

955
MCQmedium

A company runs an e-commerce platform on AWS. The platform experiences unpredictable traffic, with occasional large spikes. The company wants to automatically adjust compute capacity to match demand exactly, ensuring consistent performance while only paying for the resources consumed. Which benefit of the AWS Cloud does this scenario primarily describe?

A.High availability
B.Elasticity
C.Disaster recovery
D.Resource pooling
AnswerB

Elasticity is the ability to automatically provision and release compute resources to match the current workload. This directly supports the described requirement for adjusting capacity in response to traffic spikes while minimizing costs.

Why this answer

Elasticity is the ability of AWS to automatically scale compute resources up or down based on demand. In this scenario, the e-commerce platform experiences unpredictable traffic spikes, and elasticity ensures that EC2 instances or Auto Scaling groups adjust capacity in real time, matching demand exactly while only charging for resources consumed. This directly aligns with the 'pay-as-you-grow' model and the operational benefit of scaling without manual intervention.

Exam trap

The trap here is that candidates often confuse elasticity with high availability, thinking that automatically adding more servers during a spike also ensures fault tolerance, but elasticity is specifically about matching capacity to demand, not about maintaining uptime during failures.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring applications remain accessible during failures through redundancy across Availability Zones, not on dynamically adjusting capacity to match demand. Option C is wrong because disaster recovery involves backup and restoration strategies (e.g., RPO/RTO targets) to recover from catastrophic events, not real-time scaling to handle traffic spikes. Option D is wrong because resource pooling refers to the multi-tenant model where AWS shares physical infrastructure among customers, not the ability to automatically scale compute resources based on load.

956
MCQmedium

Which cloud concept describes the ability of cloud services to remain operational even when individual components fail, through techniques like redundancy, replication, and automatic failover?

A.Scalability
B.Elasticity
C.Fault tolerance
D.Agility
AnswerC

Fault tolerance ensures system continuity despite component failures through redundancy, replication, and automatic failover — a core cloud design principle.

Why this answer

Fault tolerance is the correct answer because it directly refers to a system's ability to continue operating without interruption when one or more of its components fail. This is achieved through techniques such as redundancy (e.g., deploying multiple EC2 instances across Availability Zones), replication (e.g., synchronously replicating data in Amazon RDS Multi-AZ), and automatic failover (e.g., Route 53 health checks triggering a switch to a standby resource). The core goal is to eliminate single points of failure and maintain service availability despite underlying failures.

Exam trap

AWS often tests the distinction between fault tolerance and high availability (HA), where the trap is that candidates confuse 'remaining operational during failures' (fault tolerance) with 'quickly recovering from failures' (HA), but in this question the explicit mention of redundancy, replication, and automatic failover points directly to fault tolerance.

How to eliminate wrong answers

Option A is wrong because scalability refers to the ability to increase or decrease resources (e.g., compute, storage) to handle varying load, not to remain operational during component failures. Option B is wrong because elasticity is the ability to automatically scale resources up or down based on demand, often using services like Auto Scaling, and does not inherently address fault tolerance or failure recovery. Option D is wrong because agility describes the speed and ease with which IT resources can be provisioned and deprovisioned, enabling rapid experimentation and deployment, not the resilience of services against failures.

957
MCQmedium

A company runs a steady, predictable workload on a diverse mix of Amazon EC2 instances spanning multiple instance families (e.g., M5, C5, R5) and AWS Regions. The company wants to maximize cost savings while retaining the ability to freely change instance families and Regions during the commitment term without losing the discount. Which AWS pricing model should the company use?

A.On-Demand Instances
B.Reserved Instances
C.Spot Instances
D.Compute Savings Plans
AnswerD

Compute Savings Plans provide the same discounts as Reserved Instances but with greater flexibility. They apply to any EC2 instance usage regardless of instance family, size, or Region, as long as the usage is within the committed dollar-per-hour amount. This matches the company's need for both cost savings and flexibility.

Why this answer

Compute Savings Plans (D) offer the highest flexibility by applying a discounted hourly commitment across any EC2 instance family, size, OS, tenancy, and region, automatically covering usage changes without losing the discount. This matches the requirement to freely change instance families and regions during the term while maximizing savings over On-Demand pricing.

Exam trap

The trap here is that candidates often confuse Reserved Instances with Savings Plans, assuming RIs offer similar flexibility, but RIs are region- and family-specific, whereas Compute Savings Plans provide full flexibility across families and regions.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide no discount and thus cannot maximize cost savings. Option B is wrong because Reserved Instances lock the discount to a specific instance family and region; changing families or regions forfeits the discount. Option C is wrong because Spot Instances offer deep discounts but can be interrupted with two-minute notices, making them unsuitable for a steady, predictable workload that requires reliability.

958
MCQmedium

A company is deploying a multi-tier application on AWS. Which AWS service provides layer 4 (TCP/UDP) load balancing with ultra-high performance and static IP addresses?

A.Application Load Balancer (ALB)
B.Network Load Balancer (NLB)
C.Gateway Load Balancer (GWLB)
D.Classic Load Balancer
AnswerB

NLB operates at Layer 4 with ultra-low latency, supporting millions of requests per second, static Elastic IP addresses per AZ, and preservation of client source IP.

Why this answer

Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP) and is designed to handle millions of requests per second with ultra-low latency. It provides static IP addresses per Availability Zone, which is essential for applications requiring fixed endpoints for whitelisting or DNS stability.

Exam trap

The trap here is that candidates often confuse ALB's Layer 7 features with NLB's Layer 4 capabilities, or assume Classic Load Balancer still provides static IPs, but only NLB offers both Layer 4 operation and static IP addresses for ultra-high performance scenarios.

How to eliminate wrong answers

Option A is wrong because Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and does not provide static IP addresses; it uses a DNS name that resolves to changing IPs. Option C is wrong because Gateway Load Balancer (GWLB) operates at Layer 3 (IP) and Layer 4, but it is specifically designed for transparent network gateways (e.g., firewalls, intrusion detection) and does not provide static IP addresses for client-facing load balancing. Option D is wrong because Classic Load Balancer (CLB) is a legacy option that supports Layer 4 and Layer 7 but does not offer static IP addresses and lacks the ultra-high performance and scalability of NLB.

959
MCQmedium

A solutions architect is planning a new web application on AWS. The workload will include 3 Amazon EC2 instances (t3.medium) running 24/7, an Application Load Balancer, and an Amazon RDS for MySQL db.t3.small database. The architect needs to estimate the monthly cost for the first year, considering different purchasing options (On-Demand, 1-year All Upfront Reserved Instance, and Compute Savings Plan). Which AWS tool should the architect use to create this estimate?

A.AWS Total Cost of Ownership (TCO) Calculator
B.AWS Pricing Calculator
C.AWS Cost Explorer
D.AWS Budgets
AnswerB

The AWS Pricing Calculator is the correct tool. It enables you to estimate AWS service costs before deployment, supporting various services, configurations, regions, and purchasing options (On-Demand, Reserved, Savings Plans).

Why this answer

The AWS Pricing Calculator (formerly Simple Monthly Calculator) is the correct tool for estimating monthly costs for specific AWS resources like EC2 instances, ALB, and RDS under different purchasing options (On-Demand, Reserved Instances, Savings Plans). It allows you to input exact instance types, quantities, and commitment terms to generate a detailed cost estimate for the first year.

Exam trap

The trap here is that candidates confuse the AWS Pricing Calculator (for future estimates) with AWS Cost Explorer (for past analysis) or the TCO Calculator (for on-premises comparison), leading them to select a tool that cannot generate a forward-looking cost estimate for a planned workload.

How to eliminate wrong answers

Option A is wrong because the AWS Total Cost of Ownership (TCO) Calculator is designed to compare on-premises infrastructure costs with AWS cloud costs, not to estimate monthly costs for a specific AWS workload with different purchasing options. Option C is wrong because AWS Cost Explorer is a tool for analyzing historical cost and usage data, not for creating upfront estimates for a planned architecture; it requires existing usage data to generate reports.

960
MCQeasy

A company needs to deploy their application in multiple geographic locations to ensure data sovereignty compliance and reduce latency for users in different continents. What is the AWS infrastructure concept that represents a distinct geographic area with multiple isolated locations?

A.Availability Zone
B.Edge Location
C.AWS Region
D.Local Zone
AnswerC

An AWS Region is a geographic area (like us-east-1 or eu-west-1) containing multiple AZs. Each region is isolated from others, making them ideal for data sovereignty and geographic distribution.

Why this answer

An AWS Region is a distinct geographic area that contains multiple, isolated Availability Zones. This design allows customers to deploy applications across separate locations within a region for high availability, while also choosing specific regions to meet data sovereignty requirements and reduce latency for users on different continents.

Exam trap

The trap here is that candidates often confuse an Availability Zone (a single data center) with a Region (a geographic area containing multiple zones), leading them to select Option A when the question explicitly asks for a 'distinct geographic area with multiple isolated locations.'

How to eliminate wrong answers

Option A is wrong because an Availability Zone is a single, isolated data center within a region, not a geographic area with multiple isolated locations. Option B is wrong because an Edge Location is a site used by AWS CloudFront for content caching and delivery, not for compute or storage deployments that ensure data sovereignty. Option D is wrong because a Local Zone is an extension of a region that places compute and storage closer to end users, but it is not a distinct geographic area with multiple isolated locations; it is a single zone within a region.

961
MCQmedium

A company is migrating to AWS and wants to understand the different types of cloud service models. Which model describes a service where the provider manages everything including the application, and the customer only manages their data and user access?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Function as a Service (FaaS)
AnswerC

SaaS provides complete applications through the internet — the provider manages everything (hardware through application) and customers only manage their data and user access settings.

Why this answer

In the Software as a Service (SaaS) model, the cloud provider manages the entire application stack, including infrastructure, platform, and application software. The customer is responsible only for their data and user access, typically through a web browser or API. This aligns with the description where the provider manages everything including the application.

Exam trap

The trap here is that candidates often confuse PaaS with SaaS because both involve managed services, but PaaS still requires the customer to manage the application code and data, whereas SaaS offloads the entire application management to the provider.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides only virtualized computing resources (e.g., EC2 instances, VPCs), and the customer must manage the operating system, middleware, and applications themselves. Option B is wrong because Platform as a Service (PaaS) provides a managed runtime environment (e.g., AWS Elastic Beanstalk) where the customer deploys their own application code, but still manages the application and data, not just data and user access. Option D is wrong because Function as a Service (FaaS) (e.g., AWS Lambda) is a serverless compute model where the customer writes and uploads function code, and the provider manages the runtime, but the customer still manages the code and data, not just data and user access.

962
MCQmedium

A financial services company runs a high-frequency trading application that must process transactions with sub-millisecond latency. The application must run in the company's own data center to meet strict latency requirements, but the company wants to use the same AWS management APIs, control plane, and tools (such as AWS CloudFormation and Amazon CloudWatch) for consistency across on-premises and cloud environments. The company also needs the ability to seamlessly run Amazon EBS-backed Amazon EC2 instances locally. Which AWS service should the company use to meet these requirements?

A.AWS Outposts
B.AWS Wavelength
C.AWS Local Zones
D.AWS Direct Connect
AnswerA

Correct. AWS Outposts extends AWS infrastructure and services to on-premises facilities, allowing the company to run EC2 instances with EBS storage using the same AWS APIs and management tools, while keeping the application in the local data center for ultra-low latency.

Why this answer

AWS Outposts is correct because it extends AWS infrastructure, services, APIs, and tools to on-premises data centers, enabling the company to run Amazon EBS-backed EC2 instances locally with sub-millisecond latency while using the same AWS management APIs, CloudFormation, and CloudWatch for consistency.

Exam trap

The trap here is confusing AWS Outposts with AWS Local Zones or Wavelength, as candidates often think any edge or local compute service can run in their own data center, but only Outposts provides the fully managed, on-premises AWS infrastructure with local EBS-backed EC2 instances.

How to eliminate wrong answers

Option B (AWS Wavelength) is wrong because it embeds AWS compute and storage at the edge of 5G networks for ultra-low latency mobile applications, not for on-premises data center use. Option C (AWS Local Zones) is wrong because they place AWS infrastructure closer to end users in metropolitan areas but still within the AWS cloud, not in the customer's own data center. Option D (AWS Direct Connect) is wrong because it only provides a dedicated network connection from on-premises to AWS, not local compute or storage capabilities.

963
MCQmedium

A company runs a web application on a single Amazon EC2 instance. As the application gains popularity, the instance frequently reaches 100% CPU utilization during peak hours, causing slow response times. The operations team is evaluating two approaches: (1) migrate the application to a larger EC2 instance type with more CPU and memory, or (2) add multiple smaller EC2 instances behind a load balancer and distribute the traffic. Which cloud computing concept does approach (1) represent?

A.Elasticity
B.High availability
C.Vertical scaling
D.Horizontal scaling
AnswerC

Vertical scaling (scaling up) increases the capacity of an existing resource—in this case, upgrading the EC2 instance to a larger type with more CPU and memory. This is correct for approach (1).

Why this answer

Approach (1) involves moving the application to a larger EC2 instance type with more CPU and memory, which is the definition of vertical scaling (scaling up). This increases the capacity of a single resource rather than adding more instances.

Exam trap

The trap here is that candidates often confuse vertical scaling with elasticity, but elasticity specifically refers to the dynamic, automated adjustment of resources (both up and down) to match demand, not a manual one-time upgrade to a larger instance.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not simply moving to a larger instance. Option B is wrong because high availability ensures the application remains accessible despite failures, typically achieved through redundancy across multiple instances and Availability Zones, not by resizing a single instance. Option D is wrong because horizontal scaling (scaling out) involves adding more instances to distribute the load, which is approach (2), not approach (1).

964
MCQmedium

A company needs to migrate 80 TB of on-premises data to Amazon S3. Their internet connection is 100 Mbps and transferring this much data over the internet would take months. Which AWS service allows them to migrate this data physically without relying on internet bandwidth?

A.AWS DataSync
B.AWS Direct Connect
C.Amazon S3 Transfer Acceleration
D.AWS Snowball Edge
AnswerD

Snowball Edge is a physical device with up to 80 TB capacity. Data is copied locally at the customer's site, then the device is shipped to AWS. This bypasses internet bandwidth limitations entirely.

Why this answer

AWS Snowball Edge is a physical data transport solution designed for large-scale data migrations when network transfer is impractical. With 80 TB of data and a 100 Mbps connection, internet transfer would take over 80 days, making Snowball Edge the correct choice as it allows you to ship the data on a ruggedized device directly to AWS, bypassing internet bandwidth entirely.

Exam trap

The trap here is that candidates may confuse AWS DataSync or S3 Transfer Acceleration as solutions for large data volumes, not realizing that these services still depend on network bandwidth and cannot physically transport data when the connection is too slow.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is a network-based data transfer service that relies on your internet or Direct Connect connection, not a physical device, so it would still be constrained by the 100 Mbps bandwidth. Option B is wrong because AWS Direct Connect establishes a dedicated network connection but does not eliminate the bandwidth limitation; it would still require weeks to transfer 80 TB over a 100 Mbps link. Option C is wrong because Amazon S3 Transfer Acceleration uses optimized network paths and edge locations but still depends on your internet connection speed, so it cannot overcome the fundamental bandwidth bottleneck of 100 Mbps.

965
MCQmedium

A startup is evaluating cloud vs. on-premises for their new product. Which cloud characteristic means they can experiment with 10 servers for a week, then scale to 1,000 servers for a product launch, and back to 10 afterward — paying only for what they use?

A.Durability
B.Elasticity and pay-as-you-go pricing
C.Multi-tenancy
D.Service Level Agreement (SLA)
AnswerB

Elasticity enables scaling from 10 to 1,000 servers on demand; pay-as-you-go ensures billing only for actual server-hours consumed — eliminating waste from idle capacity.

Why this answer

Elasticity is the cloud characteristic that allows resources to automatically scale up or down based on demand, while pay-as-you-go pricing ensures you only incur costs for resources actually consumed. In this scenario, the startup can provision 10 servers for a week, scale to 1,000 servers for a launch, and then scale back to 10 — paying only for the compute hours used during each period. This combination of rapid scaling and consumption-based billing is unique to cloud computing and directly supports the described experimental and production workloads.

Exam trap

The trap here is that candidates often confuse elasticity with durability or high availability, mistakenly thinking that data persistence or uptime guarantees enable scaling, when in fact elasticity is specifically about dynamic resource adjustment and pay-as-you-go is about cost alignment.

How to eliminate wrong answers

Option A is wrong because durability refers to the long-term protection of data against loss or corruption, typically achieved through replication (e.g., Amazon S3's 99.999999999% durability), not the ability to scale compute resources up and down or pay per use. Option C is wrong because multi-tenancy is a model where multiple customers share the same physical infrastructure while being logically isolated (e.g., AWS Nitro System), but it does not enable dynamic scaling or usage-based billing. Option D is wrong because a Service Level Agreement (SLA) is a contractual commitment for uptime and performance (e.g., Amazon EC2 99.99% monthly uptime SLA), not a mechanism for elastic resource provisioning or pay-as-you-go pricing.

966
MCQeasy

A company's internal audit team needs to download the latest AWS SOC 2 Type II report and ISO 27001 certificate to include in their compliance documentation for an upcoming external audit. The team requires a centralized, self-service portal where they can access these reports and any other relevant AWS compliance artifacts. They do not want to contact AWS Support or manage any infrastructure to obtain these documents. Which AWS service should the audit team use?

A.AWS Config
B.AWS Artifact
C.AWS Audit Manager
D.AWS Trusted Advisor
AnswerB

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports, such as SOC reports and ISO certifications, without requiring manual requests or infrastructure management.

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for on-demand access to AWS compliance reports, such as SOC 2 Type II and ISO 27001 certificates, without requiring any infrastructure management or contacting AWS Support. The audit team can simply log in, browse the available artifacts, and download the latest versions directly, meeting their requirement for a no-touch, self-service solution.

Exam trap

The trap here is that candidates may confuse AWS Audit Manager's role in audit evidence collection with the ability to download pre-existing AWS compliance reports, but AWS Artifact is the only service designed specifically for self-service access to those artifacts.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating, auditing, and assessing the configuration of AWS resources against desired policies, not for downloading compliance reports or certificates. Option C is wrong because AWS Audit Manager helps automate evidence collection and risk assessment for audits, but it does not serve as a repository for downloading pre-existing AWS compliance artifacts like SOC or ISO reports. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not offer access to compliance documentation or downloadable reports.

967
MCQmedium

A company runs a customer-facing web application on a single Amazon EC2 instance. To improve resilience, the solutions architect decides to deploy a second EC2 instance in a different Availability Zone and configure an Application Load Balancer to distribute traffic. The goal is to ensure that the application remains accessible even if one instance or one Availability Zone becomes unavailable. Which cloud computing benefit does this architecture primarily aim to achieve?

A.Elasticity
B.High availability
C.Scalability
D.Cost optimization
AnswerB

High availability ensures that a system remains operational even when components fail. Deploying EC2 instances in multiple Availability Zones behind a load balancer eliminates single points of failure and keeps the application accessible if an instance or an Availability Zone goes down. This directly addresses the requirement for resilience.

Why this answer

By deploying a second EC2 instance in a different Availability Zone and using an Application Load Balancer (ALB) to distribute traffic, the architecture ensures that if one instance or one Availability Zone fails, the ALB automatically routes traffic to the healthy instance in the other AZ. This design directly achieves high availability by eliminating a single point of failure and maintaining application uptime during infrastructure failures.

Exam trap

The trap here is that candidates confuse high availability with scalability or elasticity, mistakenly thinking adding more instances is always about handling more traffic rather than ensuring fault tolerance across Availability Zones.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand (e.g., using Auto Scaling groups), not to maintaining uptime during failures. Option C is wrong because scalability is the ability to handle increased load by adding resources, whereas this scenario focuses on fault tolerance and redundancy, not load growth. Option D is wrong because cost optimization involves minimizing expenses while meeting requirements, but this architecture adds a second instance and an ALB, which increases cost; the primary goal is resilience, not cost savings.

968
MCQmedium

A company wants to provide their data analysts with a way to run SQL queries on their S3 data lake using familiar BI tools like Tableau or Power BI. Which AWS service provides an ODBC/JDBC connection to S3 data?

A.Amazon QuickSight
B.Amazon Athena with JDBC/ODBC drivers
C.Amazon EMR with Hive
D.AWS Glue Data Catalog only
AnswerB

Athena provides official JDBC and ODBC drivers enabling Tableau, Power BI, and other BI tools to query S3 data via standard SQL interfaces as if connecting to a traditional database.

Why this answer

Amazon Athena is a serverless interactive query service that allows you to run standard SQL directly against data stored in Amazon S3. It provides JDBC and ODBC drivers that enable BI tools like Tableau and Power BI to connect to Athena and query the S3 data lake without needing to move or transform the data.

Exam trap

The trap here is that candidates may confuse Amazon QuickSight (a visualization tool) with the query engine that provides the actual JDBC/ODBC connectivity, or think that AWS Glue Data Catalog alone enables SQL queries, when in fact Athena is the service that combines the Data Catalog with a serverless SQL engine and JDBC/ODBC support.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a BI visualization service, not a SQL query engine that provides JDBC/ODBC connectivity to S3 data; it can use Athena as a data source but does not itself expose an ODBC/JDBC interface. Option C is wrong because Amazon EMR with Hive can query S3 data, but it requires provisioning and managing a Hadoop cluster, and while Hive has a JDBC driver, the question specifically asks for a service that provides an ODBC/JDBC connection to S3 data in a serverless, familiar BI tool context—Athena is the simpler, direct answer. Option D is wrong because AWS Glue Data Catalog is a metadata repository that stores table definitions and schema information; it does not provide a query engine or ODBC/JDBC connectivity on its own.

969
MCQmedium

A company is deploying a multi-tier web application that includes a VPC, subnets, security groups, EC2 instances, and an Application Load Balancer. The team needs to define the entire infrastructure in a version-controlled template so that it can be consistently deployed across development, test, and production environments with minimal manual effort. Which AWS service should the team use to meet this requirement?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS Systems Manager
AnswerA

Correct. AWS CloudFormation is a service that allows you to model and provision AWS resources using templates. This enables Infrastructure as Code (IaC), ensuring consistent and repeatable deployments across environments.

Why this answer

AWS CloudFormation is the correct choice because it is an Infrastructure as Code (IaC) service that allows you to define your entire multi-tier web application infrastructure—including VPC, subnets, security groups, EC2 instances, and an Application Load Balancer—in a version-controlled template (JSON or YAML). This enables consistent, repeatable deployments across development, test, and production environments with minimal manual effort, as CloudFormation handles the provisioning and updates in an orderly, predictable manner.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (a PaaS that simplifies deployment) with CloudFormation (an IaC service), but Elastic Beanstalk does not provide the granular, version-controlled control over network components like VPCs and subnets required by the question.

How to eliminate wrong answers

Option B (AWS Elastic Beanstalk) is wrong because it is a Platform as a Service (PaaS) that abstracts away the underlying infrastructure; while it can deploy web applications, it does not give you fine-grained control over VPC, subnets, security groups, and other network components in a version-controlled template—it manages the environment for you, not the raw infrastructure. Option C (AWS OpsWorks) is wrong because it is a configuration management service that uses Chef or Puppet to manage server configurations and deployments, but it is not designed for defining and provisioning the entire network and compute infrastructure (VPC, subnets, ALB) as a single, version-controlled template; it focuses on application configuration and lifecycle management. Option D (AWS Systems Manager) is wrong because it is an operations management service for patching, automation, and monitoring of existing instances, not for defining and deploying infrastructure from a template; it lacks the ability to provision VPCs, subnets, security groups, and load balancers as a cohesive, version-controlled stack.

970
MCQmedium

A company stores sensitive financial reports in an Amazon S3 bucket. The company's security policy mandates that all objects be encrypted at rest using an AWS KMS customer-managed key. The security team wants to ensure that only the 'Auditors' IAM role can decrypt the objects, even though the S3 bucket policy allows read access to a broader set of users. Which of the following steps must the security team take to enforce this access control?

A.Configure the S3 bucket to use SSE-KMS encryption with the customer-managed key, and modify the KMS key policy to grant the kms:Decrypt permission only to the 'Auditors' role.
B.Configure an S3 bucket policy that denies s3:GetObject requests unless the request is encrypted in transit using HTTPS.
C.Enable S3 Block Public Access on the bucket and attach an IAM policy to the 'Auditors' role that allows s3:GetObject.
D.Use S3 object-level logging to monitor access and revoke permissions for any role that attempts to decrypt objects without authorization.
AnswerA

This is correct. SSE-KMS encrypts objects at rest using a KMS key. The KMS key policy controls who can use the key to decrypt objects. By restricting kms:Decrypt to the 'Auditors' role, only that role can decrypt the objects, regardless of broader S3 read permissions.

Why this answer

Option A is correct because SSE-KMS with a customer-managed key separates encryption key management from S3 bucket policies. The KMS key policy is the authoritative access control for decryption operations. By granting kms:Decrypt only to the 'Auditors' role, even if the S3 bucket policy allows s3:GetObject to other users, they cannot decrypt the objects without the key permission.

This enforces the security requirement that only the Auditors role can decrypt the sensitive financial reports.

Exam trap

The trap here is that candidates often assume S3 bucket policies alone can control decryption, but AWS enforces KMS key policies as a separate authorization layer, so without explicitly restricting kms:Decrypt in the key policy, any user with s3:GetObject can decrypt the objects if they have KMS permissions through their IAM role or user.

How to eliminate wrong answers

Option B is wrong because enforcing HTTPS encryption in transit (s3:GetObject with aws:SecureTransport condition) does not control decryption at rest; it only ensures data is encrypted during transmission, not who can decrypt the objects after retrieval. Option C is wrong because S3 Block Public Access prevents public access but does not restrict decryption permissions; attaching an IAM policy to the Auditors role that allows s3:GetObject does not prevent other roles with read access from decrypting objects if they have KMS decrypt permissions. Option D is wrong because monitoring and revoking permissions after the fact is a detective control, not a preventive control; it does not enforce the mandatory access control that only the Auditors role can decrypt objects.

971
MCQmedium

A company has a compliance policy requiring that all data at rest in Amazon S3 be encrypted with a key that is automatically rotated every year. The company wants to manage the encryption keys themselves, maintain control over access policies, and have AWS handle the key rotation automatically. Which AWS service should the company use?

A.AWS Key Management Service (AWS KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Certificate Manager
AnswerA

AWS KMS allows you to create customer managed keys (CMKs) and enables automatic annual key rotation, meeting the compliance requirement while maintaining customer control over key policies.

Why this answer

AWS KMS allows you to create customer managed keys (CMKs) with automatic annual rotation enabled. You retain control over key policies and access permissions, while AWS handles the rotation of the key material. This satisfies the compliance requirement for encrypted data at rest in S3 with automatic yearly key rotation.

Exam trap

The trap here is confusing AWS KMS with AWS CloudHSM, as both involve encryption keys, but CloudHSM requires you to manage key rotation manually, failing the automatic rotation requirement.

How to eliminate wrong answers

Option B (AWS CloudHSM) is wrong because it provides dedicated hardware security modules (HSMs) that you manage yourself, including key rotation, which does not meet the requirement for AWS to handle rotation automatically. Option C (AWS Secrets Manager) is wrong because it is designed to manage secrets like database credentials, not encryption keys for S3 data at rest, and it does not provide key rotation for S3 encryption. Option D (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for network encryption, not data at rest encryption keys for S3.

972
MCQmedium

A company needs to provide secure, scalable file storage for thousands of concurrent users accessing the same shared file system from Linux-based EC2 instances. Which AWS service is most appropriate?

A.Amazon EBS Multi-Attach
B.Amazon EFS
C.Amazon S3
D.Amazon FSx for Windows File Server
AnswerB

EFS scales automatically to support thousands of concurrent NFS connections from Linux instances across multiple AZs, with no capacity planning required.

Why this answer

Amazon EFS (Elastic File System) is the correct choice because it provides a fully managed, scalable, and elastic NFS file system that can be concurrently accessed by thousands of Linux-based EC2 instances. It automatically scales storage capacity up and down as files are added or removed, and it supports the NFSv4.1 and NFSv4.0 protocols, making it ideal for shared file workloads on Linux.

Exam trap

The trap here is that candidates often confuse Amazon EBS Multi-Attach with a true shared file system, not realizing it is limited to a small number of instances in the same AZ and requires application-level coordination for writes, making it unsuitable for thousands of concurrent users.

How to eliminate wrong answers

Option A is wrong because Amazon EBS Multi-Attach only allows a single EBS volume to be attached to up to 16 Nitro-based EC2 instances in the same Availability Zone, and it does not support concurrent write access from multiple instances—it is designed for clustered applications that manage I/O coordination themselves, not for thousands of concurrent users. Option C is wrong because Amazon S3 is an object storage service accessed via HTTP/HTTPS APIs (REST/SOAP), not a file system; it does not provide a POSIX-compliant file system interface and cannot be mounted directly as a shared file system by EC2 instances without additional software (e.g., S3FS FUSE), which introduces performance and consistency limitations. Option D is wrong because Amazon FSx for Windows File Server provides SMB-based file storage for Windows-based workloads, not Linux; it does not natively support NFS and is not designed for Linux-based EC2 instances.

973
MCQmedium

A company runs a mix of Amazon EC2 instances across multiple AWS Regions to support its e-commerce platform. The finance team wants to reduce compute costs by right-sizing resources. They need a managed tool that analyzes historical CPU and memory utilization over 30 days, uses machine learning to identify over-provisioned and under-provisioned instances, and provides actionable recommendations to adjust instance sizes. Which AWS tool should the finance team use?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.AWS Compute Optimizer
D.AWS Budgets
AnswerC

AWS Compute Optimizer is a service that uses machine learning to analyze historical utilization metrics (CPU, memory, network throughput) for EC2 instances and other resources. It identifies over- and under-provisioned instances and provides specific recommendations to change instance types or sizes to reduce costs or improve performance. This directly matches the finance team's requirement for ML-based right-sizing based on 30-day utilization data.

Why this answer

AWS Compute Optimizer is the correct choice because it is a managed service that uses machine learning to analyze historical utilization metrics (CPU, memory, etc.) over up to 93 days, identifies over-provisioned and under-provisioned EC2 instances, and generates actionable rightsizing recommendations. The question specifically requires a tool that analyzes 30 days of historical CPU and memory data with ML-driven insights, which aligns exactly with Compute Optimizer's core functionality.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's cost-based rightsizing recommendations (which are purely financial) with Compute Optimizer's utilization-based ML recommendations, leading them to select Cost Explorer despite the question explicitly requiring CPU and memory analysis.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides general best-practice checks (e.g., idle instances, reserved instance optimization) but does not perform ML-based analysis of historical CPU and memory utilization over 30 days, nor does it generate specific rightsizing recommendations for instance sizes. Option B is wrong because AWS Cost Explorer focuses on cost and usage visualization, forecasting, and Reserved Instance recommendations, but it does not analyze CPU or memory utilization data or use machine learning to identify over-provisioned or under-provisioned instances. Option D is wrong because AWS Budgets is a cost monitoring and alerting tool that tracks spending against budgets, not a resource optimization service that analyzes utilization metrics or provides instance rightsizing recommendations.

974
MCQmedium

A company runs a web application on a single Amazon EC2 instance. To improve the application's ability to remain operational even if an entire data center becomes unavailable, the company deploys identical application instances across three AWS Availability Zones and places them behind an Application Load Balancer. Which characteristic of cloud computing does this architecture best demonstrate?

A.Elasticity
B.High availability
C.Scalability
D.Agility
AnswerB

High availability ensures that applications remain operational by eliminating single points of failure. Deploying across multiple Availability Zones with a load balancer directly achieves this cloud computing characteristic.

Why this answer

Deploying identical application instances across three Availability Zones and placing them behind an Application Load Balancer ensures that if an entire data center (AZ) becomes unavailable, traffic is automatically rerouted to healthy instances in the remaining AZs. This architecture directly demonstrates high availability, which is the ability of a system to remain operational despite component failures, by eliminating a single point of failure at the data center level.

Exam trap

The trap here is that candidates often confuse high availability with elasticity or scalability, but high availability specifically focuses on fault tolerance and uptime through redundancy across isolated failure domains, not on dynamic resource adjustment or load handling.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to distributing workloads across AZs for fault tolerance. Option C is wrong because scalability is the capability to handle increased load by adding resources, which is a separate concern from maintaining uptime during failures. Option D is wrong because agility refers to the speed and ease of provisioning and deploying IT resources, not to the architectural design for fault tolerance.

975
MCQmedium

A company wants to implement governance controls that prevent their developers from provisioning expensive instance types. Which approach is most effective?

A.Set an AWS Budget alert for when expensive instances are launched
B.Apply an SCP or IAM policy that denies launching specific expensive instance types
C.Enable AWS Cost Explorer recommendations
D.Enable Trusted Advisor and review weekly
AnswerB

IAM condition keys (ec2:InstanceType) can restrict which instance types can be launched. At the org level, SCPs enforce this across all accounts without override.

Why this answer

Option B is correct because Service Control Policies (SCPs) or IAM policies can explicitly deny the launch of specific expensive instance types (e.g., `p3.2xlarge` or `x1e.32xlarge`) at the API level, preventing the action before any resources are created. This proactive governance approach enforces compliance in real time, unlike reactive or advisory methods. By attaching a deny effect for `ec2:RunInstances` with a condition on `ec2:InstanceType`, the policy blocks unauthorized instance provisioning regardless of the user's role or account.

Exam trap

The trap here is that candidates confuse reactive cost management tools (like budgets and Cost Explorer) with proactive governance controls, assuming alerts or recommendations can prevent actions rather than just monitor or advise.

How to eliminate wrong answers

Option A is wrong because AWS Budget alerts are reactive notifications that only inform after an instance is launched and costs are incurred, not a preventive control that stops provisioning. Option C is wrong because AWS Cost Explorer recommendations are advisory tools that suggest cost optimizations based on historical data, but they do not enforce any restrictions on instance type selection. Option D is wrong because Trusted Advisor provides best-practice checks and weekly reviews, but it does not actively block API calls or prevent developers from launching expensive instances.

Page 12

Page 13 of 14

Page 14