AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 9761024

1024 questions total · 14pages · All types, answers revealed

Page 13

Page 14 of 14

976
MCQmedium

A company hosts a static website on Amazon S3. Users in different geographic locations experience high latency when accessing the website. The company wants to reduce latency for all users and also minimize the number of direct requests to the S3 bucket. Which AWS service should the company use?

A.AWS Global Accelerator
B.Amazon CloudFront
C.Amazon Route 53 latency-based routing
D.AWS Direct Connect
AnswerB

Amazon CloudFront is a content delivery network (CDN) that caches static content at edge locations worldwide. This reduces latency by serving content from a nearby edge location and reduces the number of direct requests to the S3 bucket, thereby offloading the origin.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content at edge locations worldwide, significantly reducing latency for users regardless of their geographic location. By serving content from the edge, CloudFront also offloads direct requests to the S3 bucket, reducing the load on the origin and potentially lowering costs.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator (which optimizes network path but does not cache) with CloudFront (which caches content at the edge), leading them to choose Global Accelerator for a static website latency problem.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves performance by routing traffic over the AWS global network using anycast IPs, but it is designed for TCP/UDP applications (e.g., HTTP(S) behind ALB/NLB) and does not cache content or reduce direct requests to an S3 bucket. Option C is wrong because Amazon Route 53 latency-based routing directs DNS queries to the region with the lowest latency, but it does not cache content and still results in direct requests to the S3 bucket from the chosen region, failing to minimize direct requests. Option D is wrong because AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, which does not reduce latency for geographically distributed users accessing a public S3 website and does not cache content.

977
MCQmedium

A company runs hundreds of Amazon EC2 instances across multiple accounts. The finance team wants to identify over-provisioned instances that are using more memory or CPU than necessary, so that they can downsize them and reduce monthly costs. The team needs automated, ongoing recommendations based on the actual utilization metrics of the instances. Which AWS service should the team use to meet these requirements?

A.AWS Cost Explorer
B.AWS Compute Optimizer
C.AWS Trusted Advisor
D.AWS Budgets
AnswerB

AWS Compute Optimizer uses machine learning to analyze historical utilization metrics of EC2 instances (CPU, memory, network, etc.) and delivers actionable recommendations to downsize or modify instance types to lower costs while maintaining performance. It provides ongoing, automated recommendations.

Why this answer

AWS Compute Optimizer is the correct service because it uses machine learning to analyze historical utilization metrics (CPU, memory, and network) of EC2 instances and generates automated, ongoing recommendations for right-sizing or downsizing over-provisioned instances. This directly meets the finance team's requirement for automated, continuous recommendations based on actual utilization to reduce monthly costs.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's cost optimization checks (which are static and limited to idle instances) with Compute Optimizer's dynamic, ML-driven right-sizing recommendations, leading them to choose Trusted Advisor instead of the more precise Compute Optimizer.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides cost and usage reports but does not analyze instance utilization metrics or generate right-sizing recommendations. Option C is wrong because AWS Trusted Advisor offers cost optimization checks (e.g., idle instances) but does not provide ongoing, machine-learning-based recommendations for downsizing based on memory and CPU utilization. Option D is wrong because AWS Budgets allows you to set cost thresholds and alerts but does not analyze instance performance metrics or suggest instance size changes.

978
MCQmedium

A startup is migrating a web application to AWS. The application runs on Amazon EC2 instances that use a custom Amazon Machine Image (AMI) with the company's proprietary software. The security team needs to understand which security tasks the company must perform. Under the AWS Shared Responsibility Model, which of the following is the customer's responsibility?

A.Patching the hypervisor that hosts the EC2 instances
B.Configuring security groups to control inbound traffic to the instances
C.Physical security of the data center where the instances run
D.Maintaining the underlying network infrastructure
AnswerB

Configuring security groups is the customer's responsibility. Security groups act as virtual firewalls for EC2 instances, and customers define the rules for allowed traffic, making this a task the customer must perform.

Why this answer

Configuring security groups is a customer responsibility because security groups act as a virtual firewall for EC2 instances, controlling inbound and outbound traffic at the instance level. Under the AWS Shared Responsibility Model, the customer is responsible for configuring network access controls, while AWS manages the underlying infrastructure. This includes defining rules based on IP protocols, ports, and source/destination CIDR ranges.

Exam trap

The trap here is that candidates often confuse 'patching the hypervisor' (AWS responsibility) with 'patching the guest OS' (customer responsibility), leading them to incorrectly select Option A as a customer task.

How to eliminate wrong answers

Option A is wrong because patching the hypervisor is an AWS responsibility, as the hypervisor is part of the virtualization layer that AWS manages to isolate customer instances. Option C is wrong because physical security of the data center is entirely AWS's responsibility under the model, covering guards, access controls, and environmental systems. Option D is wrong because maintaining the underlying network infrastructure, including routers, switches, and cabling, is AWS's responsibility as part of the 'Security of the Cloud'.

979
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a consistent set of security group rules across all accounts. For example, they want to ensure that no security group in any account allows inbound SSH (port 22) from the internet (0.0.0.0/0). If a non-compliant security group is created, the service should automatically remediate by removing the offending rule or by applying a corrective policy. The company wants a managed AWS service that centrally applies these rules and requires no custom scripting. Which AWS service should the security team use?

A.AWS Firewall Manager
B.AWS Config
C.AWS Organizations
D.AWS Shield Advanced
AnswerA

Correct. AWS Firewall Manager enables central management of security group rules across multiple accounts in AWS Organizations. It can automatically enforce policies and remediate non-compliant resources, exactly as required.

Why this answer

AWS Firewall Manager is the correct service because it provides a centralized, managed way to apply security group rules across all accounts in an AWS Organization. It can automatically detect non-compliant security groups (e.g., those allowing SSH from 0.0.0.0/0) and remediate them by removing the offending rule or applying a corrective policy, all without custom scripting.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation and remediation capabilities with Firewall Manager's centralized policy enforcement, forgetting that Config requires custom scripting for automatic remediation, whereas Firewall Manager provides it as a managed service.

How to eliminate wrong answers

Option B is wrong because AWS Config is a service for evaluating resource compliance against rules, but it does not provide automatic remediation out-of-the-box without custom AWS Lambda functions or Systems Manager Automation documents; it requires custom scripting for remediation, which the question explicitly wants to avoid. Option C is wrong because AWS Organizations is a service for centrally managing multiple AWS accounts, including policy-based controls like SCPs, but it cannot enforce or remediate security group rules directly; SCPs can only deny API actions, not modify existing or newly created security group rules. Option D is wrong because AWS Shield Advanced is a DDoS protection service that safeguards against network and application layer attacks; it has no capability to manage or enforce security group rules.

980
MCQmedium

A company operates multiple AWS accounts under AWS Organizations. The security team needs to record all management events (for example, creating Amazon EC2 instances, modifying security groups, and deleting Amazon S3 buckets) across all accounts. The logs must be delivered to a single Amazon S3 bucket that is encrypted with an AWS KMS key and protected from modification. Which AWS feature should the team enable to achieve this centralized logging requirement?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS Audit Manager
AnswerA

AWS CloudTrail records API calls and can be configured as an organization trail to log activity across all accounts in AWS Organizations. It delivers log files to a specified S3 bucket, where encryption and immutability can be applied.

Why this answer

AWS CloudTrail is the correct service because it records all management events (API calls) across AWS accounts, and when configured as an organization trail in AWS Organizations, it automatically logs events from all member accounts to a single S3 bucket. This meets the requirement for centralized logging with encryption using AWS KMS and protection from modification via S3 bucket policies and versioning.

Exam trap

The trap here is that candidates often confuse CloudTrail for management events with AWS Config for configuration changes, or assume CloudWatch Logs can aggregate all account logs, but only CloudTrail provides the required centralized API activity logging across an organization.

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resource configurations against rules and records configuration changes, but it does not capture management events like API calls or provide centralized logging to a single S3 bucket. Option C is wrong because Amazon CloudWatch Logs is designed for monitoring and storing log data from applications and services, not for recording AWS management events across multiple accounts, and it does not natively aggregate logs from all accounts in an organization to a single bucket. Option D is wrong because AWS Audit Manager helps automate evidence collection for audits but does not directly record management events or deliver logs to an S3 bucket; it relies on CloudTrail for event data.

981
MCQmedium

A company wants to use AWS free tier for testing new services. Which statement about the AWS Free Tier is accurate?

A.The Free Tier is available indefinitely for all AWS services
B.The Free Tier includes a mix of 12-month free, always free, and short-term trial offers
C.The Free Tier applies equally to all AWS accounts including Enterprise support customers
D.AWS does not charge if you stay within Free Tier limits for any service
AnswerB

AWS Free Tier has three categories: 12 months free (e.g., EC2 t2.micro), always free (e.g., Lambda), and trials (e.g., 30-day Amazon Redshift trial).

Why this answer

Option B is correct because the AWS Free Tier is structured into three categories: 12-month free offers (e.g., 750 hours of EC2 t2.micro per month), always free offers (e.g., 1 million Lambda requests per month), and short-term trials (e.g., 30-day free trial of Amazon Inspector). This mix allows customers to test services without incurring costs for the specified limits and durations.

Exam trap

The trap here is that candidates assume the Free Tier covers all usage within limits for any service, but AWS explicitly excludes certain services (e.g., data transfer out beyond 1 GB) and imposes time-bound offers, leading to unexpected charges if not carefully monitored.

How to eliminate wrong answers

Option A is wrong because the Free Tier is not available indefinitely for all services; only 'always free' offers are permanent, while 12-month free offers expire after one year and short-term trials have a fixed duration. Option C is wrong because the Free Tier does not apply equally to all accounts; Enterprise support customers may have additional costs (e.g., support fees) and the Free Tier limits are per account, not per support plan. Option D is wrong because AWS does charge if you exceed the Free Tier limits for any service, and some services (e.g., data transfer out) may incur costs even within Free Tier limits if usage patterns violate the terms.

982
MCQmedium

A company is refactoring its monolithic e-commerce application into multiple microservices. The order-processing service must send messages to the inventory service to reserve stock. The company needs a fully managed service that can durably store these messages, handle high throughput, and allow the inventory service to poll for messages at its own pace. The company wants to avoid any message loss. Which AWS service should the company use?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.Amazon MQ
AnswerA

Correct. Amazon SQS is a fully managed message queue service designed for decoupling application components. It stores messages durably, supports high throughput, and allows consumers to poll for messages, ensuring no message loss. This fits the requirement perfectly.

Why this answer

Amazon SQS is the correct choice because it is a fully managed message queuing service that durably stores messages across multiple Availability Zones, ensuring no message loss. It supports high throughput and allows the inventory service to poll for messages at its own pace using long or short polling, decoupling the order-processing and inventory services.

Exam trap

The trap here is that candidates might choose Amazon SNS because they confuse push-based notifications with durable message queuing, overlooking that SNS does not store messages or allow polling, which is essential for decoupled, loss-free communication.

How to eliminate wrong answers

Option B (Amazon SNS) is wrong because it is a pub/sub messaging service that pushes messages to subscribers (e.g., HTTP endpoints, Lambda, SQS) and does not provide durable message storage or allow the inventory service to poll at its own pace; messages are not retained if the subscriber is unavailable. Option C (Amazon Kinesis Data Streams) is wrong because it is designed for real-time streaming of large data volumes (e.g., clickstreams, logs) and requires consumers to track shard offsets, not for simple point-to-point message queuing with polling; it also has a 24-hour default retention and is more complex and costly for this use case.

983
MCQeasy

Which AWS service helps you manage and deploy infrastructure as code using templates?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerB

CloudFormation is AWS's IaC service for provisioning and managing resources using JSON/YAML templates.

Why this answer

AWS CloudFormation is the correct service because it allows you to model and provision AWS resources using declarative templates (JSON or YAML). This enables Infrastructure as Code (IaC) by treating infrastructure as version-controlled, repeatable code, which can be used to create, update, and delete entire stacks of resources in a predictable manner.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (which also uses a 'template' concept for environment configuration) with CloudFormation, but Elastic Beanstalk is a higher-level abstraction for application deployment, not a general-purpose IaC tool for managing all AWS resources.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) that automates application deployment and scaling, but it does not use templates for IaC; it uses a managed environment with limited customization. Option C is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet recipes, not declarative templates, and is more focused on server configuration than IaC. Option D is wrong because AWS CodeDeploy is a deployment automation service that handles code deployment to compute instances, but it does not manage infrastructure provisioning or use templates for resource creation.

984
MCQmedium

A company has a security policy that requires all Amazon EBS volumes attached to production Amazon EC2 instances to be encrypted at rest using customer-managed encryption keys. The policy also mandates that the encryption keys must be automatically rotated every 365 days. The company wants to minimize operational overhead by using a managed AWS service for key management and automatic rotation. Which AWS service should the company use to meet these requirements?

A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Key Management Service (AWS KMS)
D.AWS Secrets Manager
AnswerC

AWS KMS is a fully managed service that enables you to create, control, and rotate customer-managed keys. It supports automatic annual key rotation for customer managed keys with a simple checkbox, and integrates seamlessly with Amazon EBS for encryption at rest, meeting the policy requirements with minimal overhead.

Why this answer

AWS KMS is the correct choice because it provides managed customer master keys (CMKs) that can be used to encrypt EBS volumes at rest, and it supports automatic annual key rotation (every 365 days) with no additional operational overhead. KMS integrates directly with EBS to enforce encryption using customer-managed keys, meeting both the encryption and rotation requirements.

Exam trap

The trap here is that candidates may confuse AWS CloudHSM with KMS, thinking CloudHSM also provides automatic rotation, but CloudHSM requires manual rotation and does not natively integrate with EBS encryption policies.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but does not offer automatic key rotation; you must manually manage rotation, increasing operational overhead. Option B is wrong because AWS Certificate Manager (ACM) is designed for managing SSL/TLS certificates, not for encrypting EBS volumes or managing encryption keys for storage services.

985
MCQeasy

A company runs multiple EC2 instances across several applications and wants to centralise all application log files in one place for searching, analysis, and long-term retention. Which AWS service provides centralised log storage and querying?

A.Amazon S3
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.Amazon Kinesis Data Firehose
AnswerC

CloudWatch Logs centralises log collection from EC2 instances, Lambda, and AWS services. It supports log group organisation, metric filters to create CloudWatch metrics from log patterns, and CloudWatch Logs Insights for querying.

Why this answer

Amazon CloudWatch Logs is the correct service because it is designed to centralize log storage from multiple sources, including EC2 instances, via the CloudWatch agent. It provides built-in querying with Logs Insights, supports real-time monitoring, and offers configurable retention policies for long-term storage, meeting all requirements for searching, analysis, and retention.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs with CloudTrail, mistakenly thinking CloudTrail handles application logs, when in fact CloudTrail only records AWS API calls, not application-generated log data.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service, not a log querying service; while logs can be stored in S3, it lacks native querying capabilities without additional services like Athena. Option B is wrong because AWS CloudTrail records API activity for governance and auditing, not application log files; it captures control-plane events, not application-level logs. Option D is wrong because Amazon Kinesis Data Firehose is a data ingestion and delivery service that streams data to destinations like S3 or Redshift, but it does not provide native log storage or querying capabilities.

986
MCQmedium

A company wants to create a hybrid cloud architecture where their on-premises applications can access AWS services as if they were running locally. Which AWS service extends AWS infrastructure and services to on-premises locations?

A.AWS Direct Connect
B.AWS VPN
C.AWS Outposts
D.AWS Local Zones
AnswerC

Outposts physically extends AWS infrastructure to on-premises locations, running AWS services locally with the same APIs, tools, and management as the AWS cloud.

Why this answer

AWS Outposts is the correct answer because it is a fully managed service that extends AWS infrastructure, services, APIs, and tools to virtually any on-premises or edge location. This allows customers to run AWS services locally, enabling a true hybrid cloud experience where on-premises applications can access AWS services with low latency and local data processing, as if they were running in an AWS Region.

Exam trap

The trap here is that candidates often confuse AWS Direct Connect or VPN as the solution for extending AWS services on-premises, but those only provide network connectivity, not the actual deployment of AWS infrastructure locally.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, but it does not extend AWS infrastructure or services locally; it only provides a private, high-bandwidth link to AWS Regions. Option B is wrong because AWS VPN creates an encrypted tunnel over the public internet to connect on-premises networks to AWS, but it does not bring AWS services or infrastructure on-premises. Option D is wrong because AWS Local Zones are extensions of AWS Regions that place compute, storage, and database services closer to end users for low-latency applications, but they are still within the AWS network and not deployed on customer premises.

987
MCQeasy

A developer needs to launch a test server for a new application prototype. The developer logs into the AWS Management Console, selects an Amazon EC2 instance type, configures the security group, and starts the instance. The instance is running within two minutes, and the developer did not need to submit a formal request to the company's IT procurement team or wait for approval from a cloud administrator. Which essential characteristic of cloud computing does this scenario best demonstrate?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerA

Correct. On-demand self-service means a user can provision computing capabilities as needed automatically without requiring human interaction with each service provider. The developer launched an EC2 instance directly via the console with no IT intervention, perfectly matching this characteristic.

Why this answer

The scenario demonstrates on-demand self-service because the developer was able to provision and launch an EC2 instance directly through the AWS Management Console without any human interaction with IT procurement or a cloud administrator. This characteristic, defined by NIST as a core pillar of cloud computing, allows users to unilaterally provision computing capabilities as needed automatically, which is exactly what happened when the instance was running within two minutes of the console action.

Exam trap

The trap here is that candidates often confuse 'on-demand self-service' with 'resource pooling' because both involve rapid provisioning, but the key differentiator is the absence of human interaction versus the multi-tenant sharing of underlying infrastructure.

How to eliminate wrong answers

Option B (Broad network access) is wrong because the scenario does not describe network connectivity from multiple heterogeneous client platforms (e.g., mobile phones, laptops, or workstations) or mention any specific protocols like HTTPS, SSH, or RDP being used to access the instance. Option C (Resource pooling) is wrong because the scenario does not illustrate the provider's computing resources being pooled to serve multiple consumers using a multi-tenant model, nor does it mention physical or virtual resources dynamically assigned and reassigned according to consumer demand.

988
MCQmedium

A company uses AWS Organizations and manages hundreds of AWS accounts. The security policy requires that all Amazon S3 buckets be encrypted using a specific AWS KMS customer-managed key (CMK). The security team wants to automatically detect any S3 bucket that is not encrypted with the required CMK and automatically apply the correct encryption configuration without manual intervention. Which AWS service should the security team use to implement this automated compliance enforcement?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.AWS Trusted Advisor
AnswerB

AWS Config is designed to assess, audit, and evaluate the configurations of AWS resources. It can detect S3 buckets that do not have the required encryption and trigger automatic remediation actions (e.g., using AWS Systems Manager Automation to enable server-side encryption with the designated KMS key). This satisfies both the detection and automatic correction requirements.

Why this answer

AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled and s3-bucket-kms-encryption-specific-key) that can evaluate whether S3 buckets are encrypted with the required KMS customer-managed key. When a noncompliant bucket is detected, AWS Config can trigger an AWS Lambda function via an Amazon EventBridge rule to automatically apply the correct encryption configuration, enabling automated remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation and remediation capabilities with GuardDuty's threat detection or CloudTrail's audit logging, assuming any security-related service can enforce encryption policies.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not for compliance with encryption policies or automated remediation. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot evaluate resource configurations or automatically enforce compliance rules. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations and checks, but it does not offer automated enforcement or remediation capabilities for specific encryption key requirements.

989
MCQmedium

A company operates separate AWS accounts for its engineering, marketing, and finance departments. The CFO wants to consolidate billing to receive a single monthly invoice and to benefit from volume pricing discounts. The security team also requires a centralized mechanism to prevent users in any department from launching Amazon EC2 instances outside of the us-east-1 and eu-west-1 Regions to meet data residency compliance. Which AWS service or feature should the company use to meet both requirements?

A.AWS Budgets
B.AWS Organizations with Service Control Policies (SCPs)
C.AWS Identity and Access Management (IAM) cross-account roles
D.AWS Cost and Usage Reports
AnswerB

AWS Organizations provides consolidated billing for a single invoice and volume discounts, and SCPs allow you to centrally define and enforce permission guardrails (e.g., restricting Regions) across all member accounts. This directly meets both requirements.

Why this answer

AWS Organizations allows the company to consolidate multiple AWS accounts under a single management account, enabling consolidated billing for a single monthly invoice and volume pricing discounts. Service Control Policies (SCPs) provide centralized governance by restricting the AWS services and Regions that member accounts can use, such as preventing EC2 instances from being launched outside us-east-1 and eu-west-1. This combination directly addresses both the CFO's billing consolidation needs and the security team's data residency compliance requirements.

Exam trap

The trap here is that candidates may confuse AWS Budgets with billing consolidation, or think IAM cross-account roles can enforce regional restrictions, but only AWS Organizations with SCPs provides both centralized billing control and policy-based resource governance across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting service that tracks spending against defined budgets, but it cannot consolidate billing across accounts or enforce regional restrictions on EC2 instance launches. Option C is wrong because IAM cross-account roles allow users in one account to assume roles in another account for access to resources, but they do not provide consolidated billing or the ability to centrally prevent EC2 launches in unauthorized Regions across all accounts.

990
MCQmedium

A company wants to implement zero-trust network security for their AWS environment. Which AWS service enables access to EC2 instances without requiring open inbound network ports or bastion hosts?

A.AWS Bastion Host on EC2
B.AWS Systems Manager Session Manager
C.AWS Direct Connect
D.Amazon VPC Endpoints
AnswerB

Session Manager provides browser and CLI-based shell access to instances without any inbound ports open or bastion hosts — access controlled entirely by IAM, with full session logging.

Why this answer

AWS Systems Manager Session Manager provides secure, auditable shell access to EC2 instances without requiring open inbound ports (e.g., SSH port 22 or RDP port 3389) or a bastion host. It uses the AWS Systems Manager agent to initiate a session via the AWS API, leveraging IAM policies for authentication and authorization, and can optionally encrypt session data using AWS KMS.

Exam trap

The trap here is that candidates often confuse 'no open inbound ports' with 'no network connectivity at all,' leading them to choose VPC Endpoints (which only connect to AWS services, not EC2 instances) or Direct Connect (which is a network link, not an access method).

How to eliminate wrong answers

Option A is wrong because AWS Bastion Host on EC2 is a traditional jump server that requires open inbound ports (e.g., SSH/RDP) and a public IP, which contradicts the zero-trust principle of eliminating network-based access. Option C is wrong because AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, but it does not provide EC2 instance access without open ports; it still requires SSH/RDP or a bastion host to reach instances. Option D is wrong because Amazon VPC Endpoints (Gateway or Interface endpoints) enable private connectivity to AWS services (e.g., S3, DynamoDB) without traversing the internet, but they do not provide shell or remote desktop access to EC2 instances.

991
MCQmedium

A media company processes user-uploaded images to generate thumbnails and metadata. The current solution runs a script on a single Amazon EC2 instance, which becomes overloaded during peak hours, causing delays. The company wants a solution that automatically scales to handle spikes in upload volume, requires no server management, and charges only for the processing time consumed. Which AWS service should the company use?

A.AWS Lambda
B.Amazon EC2 Auto Scaling
C.AWS Batch
D.Amazon Lightsail
AnswerA

Correct. AWS Lambda is a serverless compute service that executes code in response to triggers (e.g., S3 uploads) and automatically scales based on incoming traffic. It requires no server management and charges only for the compute time used, meeting all stated requirements.

Why this answer

AWS Lambda is the correct choice because it provides a serverless compute service that automatically scales with incoming upload volume, requires no server management, and charges only for the actual processing time (in 1ms increments). The media company's need for automatic scaling, zero server management, and pay-per-use billing aligns perfectly with Lambda's event-driven architecture, where each image upload can trigger a Lambda function to generate thumbnails and metadata without provisioning or managing any underlying infrastructure.

Exam trap

The trap here is that candidates often confuse 'auto scaling' with 'serverless' and choose Amazon EC2 Auto Scaling (Option B) because it scales, but they overlook the requirement for 'no server management' and 'pay only for processing time,' which EC2 Auto Scaling does not satisfy.

How to eliminate wrong answers

Option B (Amazon EC2 Auto Scaling) is wrong because it still requires managing EC2 instances (e.g., patching, scaling policies, instance types) and charges for running instances even when idle, not just for processing time. Option C (AWS Batch) is wrong because it is designed for batch computing jobs (e.g., large-scale parallel processing) and typically runs on EC2 instances or Fargate, which either requires server management or incurs costs for idle resources, and it is not optimized for event-driven, per-request processing like image thumbnails. Option D (Amazon Lightsail) is wrong because it provides pre-configured virtual private servers (VPS) that require manual scaling, do not auto-scale, and charge a fixed monthly fee regardless of actual usage, contradicting the 'no server management' and 'pay only for processing time' requirements.

992
MCQmedium

A gaming company runs a multiplayer game backend on Amazon EC2 instances. The game experiences variable traffic patterns: low usage during weekday mornings and high usage during evenings and weekends. The company uses an Auto Scaling group to automatically add instances during peak hours and remove them during low traffic. The company is billed only for the compute capacity actually consumed during each hour. Which characteristic of cloud computing does this usage-based billing model best illustrate?

A.Rapid elasticity
B.Measured service
C.Resource pooling
D.On-demand self-service
AnswerB

Measured service is the correct characteristic. Cloud providers meter usage at a granular level (e.g., per hour or per GB) and bill customers only for what they consume. In this scenario, the company pays only for the compute capacity used each hour, which is a textbook example of measured service.

Why this answer

The usage-based billing model, where the company pays only for the compute capacity consumed each hour, is a direct example of measured service. This characteristic of cloud computing involves metering resource usage (e.g., CPU hours, data transfer) and charging based on that consumption, which is exactly what the Auto Scaling group enables by dynamically adjusting instance count and billing only for active hours.

Exam trap

The trap here is that candidates confuse the scaling behavior (rapid elasticity) with the billing model (measured service), but the question specifically asks which characteristic the usage-based billing model best illustrates, not the scaling mechanism.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down in response to demand, which is demonstrated by the Auto Scaling group adding/removing instances, but it does not describe the billing model itself. Option C is wrong because resource pooling describes the provider's multi-tenant model where compute resources are shared across customers, not the per-hour billing mechanism. Option D is wrong because on-demand self-service allows users to provision resources without human interaction, which is a prerequisite for the scenario but not the billing characteristic illustrated by paying only for consumed capacity.

993
MCQeasy

A startup runs an application on AWS and receives a monthly bill that charges exactly for the number of compute hours used, the gigabytes of data stored, and the gigabytes of data transferred. The company pays nothing for resources they did not use. Which cloud computing characteristic does this represent?

A.Measured service
B.Rapid elasticity
C.On-demand self-service
D.Resource pooling
AnswerA

Measured service is the cloud characteristic where resource usage is metered and customers are billed only for what they consume — compute hours, storage bytes, data transfer — with transparent reporting.

Why this answer

This scenario describes a pay-per-use model where costs directly correlate with actual consumption of compute hours, storage, and data transfer. Measured service is the cloud characteristic that enables this by automatically monitoring, controlling, and reporting resource usage, providing transparency for both the provider and consumer. AWS implements this through services like AWS CloudTrail and detailed billing reports, ensuring customers are charged only for what they consume.

Exam trap

The trap here is that candidates often confuse 'measured service' with 'on-demand self-service' because both involve user control, but measured service specifically focuses on the metering and billing aspect, not the provisioning mechanism.

How to eliminate wrong answers

Option B (Rapid elasticity) is wrong because it refers to the ability to scale resources up or down automatically in response to demand, not to the metering and billing of consumed resources. Option C (On-demand self-service) is wrong because it describes a user's ability to provision resources without human interaction, typically via a web console or API, not the usage-based billing model. Option D (Resource pooling) is wrong because it involves the provider's multi-tenant model where physical and virtual resources are dynamically assigned to multiple customers, which does not directly relate to charging only for used resources.

994
MCQmedium

A company uses AWS Organizations with separate accounts for development, testing, and production. The finance team wants to track monthly spending by internal project, but a single project may use resources across multiple accounts. The team has applied a 'Project' tag to all resources. They need a detailed billing report that shows costs grouped by this Project tag, combining data from all accounts. Which AWS feature should they enable to meet this requirement?

A.AWS Consolidated Billing
B.AWS Cost Explorer with tag filtering
C.AWS Budgets with tag-based alerts
D.AWS Cost and Usage Reports with cost allocation tags activated
AnswerD

The AWS Cost and Usage Reports (CUR) provides the most detailed billing data available. When cost allocation tags are activated and the CUR is configured to include those tags, the resulting CSV report contains line items tagged with the 'Project' values. This report can be generated regularly and includes data from all accounts in the organization, allowing the finance team to group and analyze costs by project across all accounts.

Why this answer

AWS Cost and Usage Reports (CUR) with cost allocation tags activated is the correct choice because it provides the most detailed billing data, including all tags, and can be delivered to an S3 bucket for analysis. This allows the finance team to group costs by the 'Project' tag across all accounts in the AWS Organization, meeting the requirement for a detailed, combined report.

Exam trap

The trap here is that candidates confuse the ability to filter or visualize costs in Cost Explorer with the need for a detailed, exportable report that groups costs by tags across all accounts, which only CUR provides.

How to eliminate wrong answers

Option A is wrong because AWS Consolidated Billing is a feature that combines usage across accounts for volume discounts and a single bill, but it does not provide a detailed report grouped by tags. Option B is wrong because AWS Cost Explorer with tag filtering provides visual analysis and filtering by tags, but it does not generate a detailed billing report that can be exported for custom grouping; it is more for ad-hoc exploration. Option C is wrong because AWS Budgets with tag-based alerts monitors spending against budgets and sends alerts based on tag values, but it does not produce a detailed billing report showing costs grouped by tags.

995
MCQmedium

A company is developing a microservices application on AWS. The application has multiple independent services that must communicate asynchronously. The company needs a fully managed service to reliably store and deliver messages between these services, ensuring that each message is processed at least once and allowing the services to scale independently. Which AWS service should the company use?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon MQ
D.Amazon Kinesis Data Streams
AnswerA

Correct. Amazon SQS is a fully managed message queue service that decouples microservices. It stores messages in a queue and delivers them to consumers, ensuring at-least-once processing and independent scaling.

Why this answer

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables asynchronous communication between microservices. It reliably stores messages in queues and ensures each message is delivered at least once, allowing services to poll and process messages independently, which supports decoupling and independent scaling.

Exam trap

The trap here is that candidates confuse SNS (push-based pub/sub) with SQS (pull-based queue), overlooking that the requirement for at-least-once processing and independent scaling points to a queue-based service, not a notification fan-out service.

How to eliminate wrong answers

Option B is wrong because Amazon Simple Notification Service (SNS) is a pub/sub messaging service that pushes messages to multiple subscribers (e.g., SQS queues, Lambda, HTTP endpoints) but does not guarantee at-least-once processing per message; it is designed for fan-out notifications, not for reliable point-to-point queuing with individual message processing. Option C is wrong because Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ, which provides JMS-compatible messaging but is not fully serverless and requires provisioning of broker instances; it is intended for migrating existing message brokers, not for a fully managed, serverless at-least-once queue pattern.

996
MCQeasy

A developer wants to send real-time notifications to mobile app users when new content is available. Which AWS service enables push notifications to iOS and Android devices?

A.Amazon SES
B.Amazon Pinpoint
C.Amazon SNS
D.AWS AppSync
AnswerC

SNS directly integrates with Apple APNs, Google FCM, and Amazon ADM to deliver push notifications to mobile devices at scale.

Why this answer

Amazon SNS (Simple Notification Service) is the correct choice because it provides a fully managed pub/sub messaging service that supports push notifications to mobile endpoints via platform application endpoints for iOS (APNs) and Android (FCM). It enables real-time delivery of messages directly to mobile apps without requiring polling or additional infrastructure.

Exam trap

The trap here is that candidates may confuse Amazon Pinpoint as the only service for push notifications due to its marketing focus, but Amazon SNS is the core service for direct programmatic push notification delivery to mobile devices.

How to eliminate wrong answers

Option A is wrong because Amazon SES (Simple Email Service) is designed for sending transactional and marketing emails, not push notifications to mobile devices; it lacks the ability to send to mobile push endpoints. Option B is wrong because Amazon Pinpoint is a customer engagement service that can send push notifications, but it is primarily a multi-channel marketing and analytics tool, not the simplest or most direct service for a developer to send real-time push notifications programmatically; SNS is the more appropriate service for this specific use case. Option D is wrong because AWS AppSync is a managed GraphQL service for building real-time and offline-capable applications, but it does not directly send push notifications to mobile devices; it can trigger notifications via other services like SNS but is not the push notification delivery mechanism itself.

997
MCQeasy

Which statement best describes the concept of 'infrastructure as code' (IaC) in the context of AWS?

A.Using the AWS Management Console to provision resources manually
B.Writing scripts to install software on EC2 instances
C.Defining and provisioning cloud resources using version-controlled configuration files
D.Backing up AWS resource configurations to Amazon S3
AnswerC

IaC treats infrastructure provisioning as a software engineering discipline — resources are defined in files, version-controlled in git, and applied through automated pipelines.

Why this answer

Option C is correct because Infrastructure as Code (IaC) is the practice of defining and managing cloud resources through machine-readable definition files (e.g., AWS CloudFormation templates or Terraform HCL) that are stored in version control. This allows for automated, repeatable, and consistent provisioning of AWS infrastructure, enabling change management, peer review, and rollback capabilities.

Exam trap

The trap here is confusing IaC with configuration management (e.g., installing software on instances) or manual provisioning, leading candidates to pick options that describe operational tasks rather than the core IaC practice of defining infrastructure in version-controlled files.

How to eliminate wrong answers

Option A is wrong because manually provisioning resources via the AWS Management Console is the opposite of IaC; it is a manual, error-prone process that lacks version control and repeatability. Option B is wrong because writing scripts to install software on EC2 instances is configuration management (e.g., using AWS Systems Manager or user data scripts), not IaC; IaC focuses on provisioning the infrastructure itself (networks, compute, storage), not post-deployment software configuration. Option D is wrong because backing up AWS resource configurations to Amazon S3 is a backup or snapshot activity, not a method for defining and provisioning resources; IaC uses declarative or imperative templates to create resources, not just archive their state.

998
MCQmedium

A company runs a web application on Amazon EC2 instances. The finance team wants to set a monthly spending limit for the application and receive email alerts when the actual cost exceeds 80% of that limit. Additionally, they want the system to automatically stop non-critical EC2 instances if the cost exceeds the limit. Which AWS service should they use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Pricing Calculator
AnswerB

AWS Budgets enables you to set custom budgets (e.g., monthly spending limits) and receive alerts when your actual or forecasted costs exceed defined thresholds. With budget actions, you can also automate responses such as stopping EC2 instances when a budget is exceeded. This directly meets both requirements.

Why this answer

AWS Budgets allows you to set a monthly spending limit (budget) and configure cost alerts that trigger when actual or forecasted costs exceed a specified threshold (e.g., 80% of the limit). It also integrates with AWS Actions to automatically stop non-critical EC2 instances when the budget limit is exceeded, meeting both the alert and automated remediation requirements.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's forecasting capabilities with the ability to set budgets and trigger automated actions, but Cost Explorer is read-only and lacks alerting and remediation features.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides historical cost and usage analysis and forecasting, but it does not support setting spending limits, sending email alerts based on thresholds, or triggering automated actions to stop EC2 instances. Option C is wrong because AWS Trusted Advisor offers best-practice checks for cost optimization, security, and performance, but it cannot enforce spending limits, send threshold-based alerts, or automatically stop resources.

999
MCQmedium

A company stores historical sales data in Amazon S3. The data is accessed only once a month for generating quarterly reports. When accessed, the data must be available for retrieval within seconds. The company wants to minimize storage costs while meeting the retrieval latency requirement. Which S3 storage class should the company use?

A.S3 Standard
B.S3 Intelligent-Tiering
C.S3 Standard-IA (Infrequent Access)
D.S3 Glacier Deep Archive
AnswerC

S3 Standard-IA is optimized for infrequently accessed data that requires millisecond retrieval. It offers lower storage costs than S3 Standard, with a retrieval fee. This matches the scenario: monthly access with seconds retrieval latency and lowest cost.

Why this answer

S3 Standard-IA (Infrequent Access) is the correct choice because it offers the same low-latency retrieval (milliseconds) as S3 Standard but at a lower storage cost, making it ideal for data accessed infrequently (e.g., once a month) yet requiring immediate availability. The company's requirement of 'within seconds' is fully met by S3 Standard-IA, which provides the same first-byte latency as S3 Standard, while minimizing storage costs for data that is not accessed frequently.

Exam trap

The trap here is that candidates often confuse 'infrequent access' with 'archival access' and incorrectly choose S3 Glacier Deep Archive, overlooking the critical retrieval latency requirement of 'within seconds' that only S3 Standard-IA (or S3 Standard) can meet.

How to eliminate wrong answers

Option A is wrong because S3 Standard is designed for frequently accessed data and has a higher storage cost than necessary for data accessed only once a month, leading to unnecessary expense. Option B is wrong because S3 Intelligent-Tiering automatically moves data between access tiers based on changing access patterns, but it incurs a monthly monitoring and automation fee per object, which is not cost-effective for a predictable, infrequent access pattern like once a month. Option D is wrong because S3 Glacier Deep Archive has retrieval times ranging from 12 to 48 hours (not within seconds), which fails the company's requirement for data to be available within seconds.

1000
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to continuously monitor the configurations of all AWS resources across the organization and receive alerts when a resource violates a compliance rule. For example, they want to ensure that all Amazon RDS databases are not publicly accessible, and that any new RDS instance created with public access enabled is automatically flagged. The team does not want to build custom scripts for monitoring. Which AWS service should the security team use to meet these requirements?

A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

AWS Config provides continuous monitoring and evaluation of AWS resource configurations against desired rules. It supports managed rules for common compliance checks (e.g., public RDS instances) and can automatically trigger remediation, meeting the requirement without custom scripts.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and recording of AWS resource configurations, and it can evaluate those configurations against custom or managed rules (e.g., 'rds-instance-public-access-check'). When a resource like an RDS instance violates a rule (e.g., being publicly accessible), AWS Config can automatically flag it and trigger an alert via Amazon SNS, all without requiring custom scripts.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which tracks resource state), leading them to choose CloudTrail because they think monitoring 'configurations' means tracking changes, but CloudTrail does not evaluate compliance rules or alert on resource state violations.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (who did what, when) but does not monitor the state or configuration of resources over time; it cannot detect that an RDS instance is publicly accessible unless an API call is made to change it, and it cannot evaluate compliance rules continuously. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations (e.g., for RDS public access) but does not offer continuous, customizable compliance monitoring or automated alerting for resource configuration violations; it is a one-time or periodic assessment tool, not a real-time configuration recorder. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity (e.g., unusual API calls or network traffic), not for resource configuration compliance like RDS public accessibility.

1001
MCQeasy

Which AWS feature allows multiple AWS accounts to be managed under one umbrella, receive a single consolidated bill, and potentially share volume discounts?

A.AWS Control Tower
B.AWS Organizations
C.AWS IAM Identity Center
D.AWS Cost Explorer
AnswerB

AWS Organizations provides consolidated billing (single bill across all accounts), automatic sharing of RI and Savings Plans discounts, and centralized governance for multi-account AWS environments.

Why this answer

AWS Organizations is the correct service because it provides centralized management of multiple AWS accounts, enabling a single consolidated bill and the ability to aggregate usage across accounts to qualify for volume discounts. It allows you to create a hierarchy of accounts with organizational units (OUs) and apply service control policies (SCPs) for governance, while the consolidated billing feature combines all usage into a single payer account for pricing benefits.

Exam trap

The trap here is that candidates often confuse AWS Control Tower (which manages account governance) with AWS Organizations (which handles billing consolidation and account management), leading them to pick Control Tower because it sounds like a broader management umbrella.

How to eliminate wrong answers

Option A is wrong because AWS Control Tower is a service for setting up and governing a secure, multi-account AWS environment using AWS Organizations as a foundation, but it does not itself provide consolidated billing or volume discount sharing—it orchestrates account creation and compliance policies. Option C is wrong because AWS IAM Identity Center (formerly AWS SSO) is a service for managing user identities and single sign-on across AWS accounts and applications, not for billing consolidation or discount aggregation. Option D is wrong because AWS Cost Explorer is a tool for visualizing and analyzing your AWS costs and usage over time, but it does not manage multiple accounts under one umbrella or enable consolidated billing—it only reports on existing cost data.

1002
MCQmedium

A company is using several AWS services and has noticed their bill has been increasing. They want to identify which team or project is responsible for each cost. Which AWS feature enables tracking costs by team, project, or environment?

A.AWS Organizations consolidated billing
B.AWS Cost Allocation Tags
C.AWS Budgets
D.AWS Config tags
AnswerB

Cost Allocation Tags tag resources with metadata (team, project, environment) that appears in billing reports, enabling cost breakdown and accountability by business dimension.

Why this answer

AWS Cost Allocation Tags allow you to tag AWS resources with metadata (e.g., team, project, environment) and then activate those tags in the Billing and Cost Management console. Once activated, AWS generates cost reports that break down charges by those tag values, enabling you to attribute costs to specific teams or projects. This is the native AWS feature designed specifically for cost allocation and tracking.

Exam trap

The trap here is that candidates confuse AWS Config tags (used for compliance and resource tracking) with Cost Allocation Tags, or assume that consolidated billing alone provides per-team cost visibility without the need for tagging.

How to eliminate wrong answers

Option A is wrong because AWS Organizations consolidated billing aggregates costs across multiple accounts for a single monthly bill, but it does not provide granular tagging or per-team cost breakdowns without additional tagging features. Option C is wrong because AWS Budgets is a tool for setting spending limits and receiving alerts when costs exceed thresholds; it does not track or attribute costs to specific teams or projects. Option D is wrong because AWS Config tags are used for resource configuration compliance and auditing, not for cost allocation or billing analysis.

1003
MCQmedium

A company runs a monthly batch data analytics job that requires 50 compute instances for exactly 2 hours. On AWS, the company launches 50 Amazon EC2 instances, runs the job, and then terminates all instances. The company's AWS bill shows a charge for only 100 instance-hours (50 instances × 2 hours). Which essential characteristic of cloud computing does this billing model best demonstrate?

A.Resource pooling
B.Measured service
C.On-demand self-service
D.Rapid elasticity
AnswerB

Measured service means that cloud resource usage is metered, monitored, controlled, and reported, enabling a pay-per-use billing model. In this scenario, the company is charged exactly for the 100 instance-hours consumed, which is a direct application of measured service.

Why this answer

The billing model charges only for the actual compute time consumed (100 instance-hours), which is a direct application of the 'measured service' characteristic. Measured service means cloud providers meter and bill customers based on actual resource usage (e.g., EC2 instance-hours, storage GB-months), enabling pay-as-you-go pricing. In this scenario, the company is charged precisely for the 50 instances × 2 hours of runtime, with no upfront or fixed costs, demonstrating usage-based metering.

Exam trap

The trap here is that candidates confuse 'measured service' (usage-based billing) with 'rapid elasticity' (scaling speed), but the question explicitly focuses on the billing charge for exactly the hours used, not the ability to scale quickly.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's ability to serve multiple customers from shared physical resources (e.g., hypervisor-level multi-tenancy), not to billing granularity. Option C is wrong because on-demand self-service describes the ability to provision resources automatically without human interaction (e.g., via AWS Console or API), not the metered billing model. Option D is wrong because rapid elasticity is the ability to scale resources up or down quickly in response to demand (e.g., Auto Scaling groups), not the per-hour billing granularity shown here.

1004
MCQmedium

A company wants to use Amazon S3 to store objects that must not be deleted or overwritten for a specified period for regulatory compliance. Which S3 feature enforces this?

A.S3 Versioning
B.S3 Lifecycle policies
C.S3 Object Lock
D.S3 Block Public Access
AnswerC

Object Lock enforces WORM storage with Governance or Compliance retention modes — Compliance mode is immutable even to root users, satisfying strict regulatory requirements.

Why this answer

Amazon S3 Object Lock is designed specifically to prevent objects from being deleted or overwritten for a fixed period or indefinitely. It enforces a write-once-read-many (WORM) model by applying retention modes (Governance or Compliance) or legal holds, which block both DELETE and PUT operations on locked objects until the retention period expires. This directly meets the regulatory compliance requirement described in the question.

Exam trap

The trap here is that candidates often confuse S3 Versioning with immutability, assuming that keeping multiple versions prevents deletion, but versioning alone does not block the ability to delete the latest version or permanently delete all versions.

How to eliminate wrong answers

Option A is wrong because S3 Versioning creates multiple versions of an object but does not prevent deletion or overwriting; a user can still delete the current version or overwrite it, and versioning alone offers no WORM protection. Option B is wrong because S3 Lifecycle policies automate transitions or expirations of objects based on age or rules, but they do not enforce a retention lock that blocks user-initiated deletions or overwrites. Option D is wrong because S3 Block Public Access only restricts public access to buckets and objects via ACLs or bucket policies; it has no mechanism to prevent deletion or overwriting of objects.

1005
MCQmedium

A company is adopting the cloud and wants to improve operational efficiency by treating their infrastructure as code. Which AWS service allows them to define and provision AWS infrastructure using JSON or YAML templates?

A.AWS Systems Manager
B.AWS CloudFormation
C.AWS OpsWorks
D.AWS Config
AnswerB

CloudFormation templates define all AWS resources declaratively in JSON/YAML — CloudFormation provisions, updates, and deletes them in a consistent, repeatable way.

Why this answer

AWS CloudFormation is the correct service because it allows you to define and provision AWS infrastructure as code using JSON or YAML templates. This enables repeatable, version-controlled deployments, directly supporting the goal of improving operational efficiency through infrastructure as code.

Exam trap

The trap here is that candidates may confuse AWS CloudFormation with AWS OpsWorks or AWS Systems Manager, as both can manage infrastructure but use different paradigms (declarative templates vs. configuration management) and are not designed for JSON/YAML-based infrastructure provisioning.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager is a management service for operational tasks like patching and configuration, not for defining infrastructure as code with templates. Option C is wrong because AWS OpsWorks is a configuration management service using Chef and Puppet, not JSON/YAML templates for infrastructure provisioning. Option D is wrong because AWS Config is a service for evaluating and auditing resource compliance, not for defining or provisioning infrastructure.

1006
MCQeasy

A global company has employees who work from various locations and use different devices such as laptops, tablets, and smartphones to access corporate applications. The company plans to migrate its applications to AWS and wants all employees to access these applications directly from the internet using standard web browsers without requiring any dedicated hardware or software at each branch. Which essential characteristic of cloud computing does this scenario BEST demonstrate?

A.Measured service
B.Resource pooling
C.Broad network access
D.Rapid elasticity
AnswerC

Broad network access is a core cloud characteristic that allows resources to be accessed over the network using standard protocols (such as HTTP/HTTPS) from a wide range of client devices (laptops, tablets, smartphones). This aligns directly with the requirement for employees to access applications via standard web browsers from various devices without dedicated hardware or software.

Why this answer

The scenario describes employees accessing corporate applications from various devices and locations using only standard web browsers, without dedicated hardware or software. This directly aligns with the cloud computing characteristic of broad network access, which mandates that resources are accessible over the network by standard mechanisms (e.g., HTTPS, TLS 1.2/1.3) from heterogeneous client platforms (laptops, tablets, smartphones). The key is that no site-to-site VPN appliances or thick client software are required—just a browser and an internet connection.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'resource pooling' because both involve multi-device scenarios, but broad network access is specifically about the accessibility of services over the internet using standard protocols, not about how resources are shared among tenants.

How to eliminate wrong answers

Option A is wrong because measured service refers to the metering and billing of cloud resource usage (e.g., per-hour or per-GB charges), not to the method of access. Option B is wrong because resource pooling describes the multi-tenant model where physical and virtual resources are dynamically assigned to multiple customers; it does not address how users connect from diverse devices. Option D is wrong because rapid elasticity is the ability to automatically scale resources up or down based on demand; it is unrelated to the access method or client diversity.

1007
MCQeasy

Which AWS database service is best suited for storing and querying data with complex relationships using structured query language?

A.Amazon DynamoDB
B.Amazon RDS
C.Amazon ElastiCache
D.Amazon Neptune
AnswerB

RDS provides fully managed relational databases with SQL support, making it ideal for structured relational data.

Why this answer

Amazon RDS is the correct choice because it provides managed relational database services (e.g., MySQL, PostgreSQL, Oracle, SQL Server) that use structured query language (SQL) and are designed to handle complex relationships through foreign keys, joins, and normalized schemas. This makes it ideal for applications requiring ACID transactions and complex queries across multiple tables.

Exam trap

The trap here is that candidates often confuse Amazon DynamoDB's ability to store JSON documents with relational capabilities, but DynamoDB lacks SQL support and cannot efficiently handle complex multi-table joins or referential integrity constraints.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database that does not support complex relational queries or SQL; it is optimized for high-scale, low-latency access with simple query patterns. Option C is wrong because Amazon ElastiCache is an in-memory caching service (supporting Redis and Memcached) that is not designed for persistent relational data storage or complex SQL queries. Option D is wrong because Amazon Neptune is a graph database that uses query languages like Gremlin and SPARQL, not SQL, and is specialized for highly connected data (e.g., social networks, recommendation engines) rather than general relational data.

1008
MCQmedium

A startup wants to receive alerts when their AWS spending approaches a set threshold. Which AWS service should they use?

A.AWS Cost Explorer
B.AWS Billing Dashboard
C.AWS Budgets
D.AWS Trusted Advisor
AnswerC

AWS Budgets sends alerts when costs approach or exceed defined thresholds.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets and receive alerts when your actual or forecasted spending exceeds (or is forecasted to exceed) the budgeted amount. For this startup, they can configure a cost budget with a threshold (e.g., 80% of the set amount) and have Amazon SNS send notifications via email or SMS when spending approaches that threshold.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's ability to view cost trends with the proactive alerting capability of AWS Budgets, assuming that a visualization tool can also send notifications, but AWS Budgets is the only service that provides configurable threshold-based alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analysis tool for exploring historical cost data and usage patterns, but it does not natively send proactive alerts when spending approaches a threshold. Option B is wrong because the AWS Billing Dashboard provides a high-level overview of current month-to-date charges and invoices, but it lacks the ability to configure custom threshold-based alerts. Option D is wrong because AWS Trusted Advisor inspects your AWS environment for cost optimization, performance, security, and fault tolerance recommendations, but it does not provide configurable spending threshold alerts.

1009
MCQmedium

A company's microservices application consists of 10 services. When a user request is slow, the development team cannot determine which service in the chain is the bottleneck. Which AWS service provides distributed tracing so they can see the full path of a request and identify the slow component?

A.Amazon CloudWatch Metrics
B.AWS CloudTrail
C.AWS X-Ray
D.Amazon Inspector
AnswerC

X-Ray instruments applications with the X-Ray SDK to capture trace data for each request. It builds a service map showing latency at each service hop, making it straightforward to identify the bottleneck in a multi-service chain.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end distributed tracing, allowing developers to trace a request as it travels through multiple microservices. It generates a service map that shows the full path of a request, including latency breakdowns for each service, enabling identification of the slow component. This directly addresses the need to pinpoint bottlenecks in a chain of 10 services.

Exam trap

The trap here is that candidates confuse Amazon CloudWatch Metrics (which shows aggregate performance data) with distributed tracing, not realizing that only X-Ray can trace a single request's full path across multiple services to identify the specific slow component.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Metrics aggregates and monitors performance metrics (e.g., CPU, memory) but does not trace individual requests across services or show the request path through a microservices chain. Option B is wrong because AWS CloudTrail records API calls for auditing and governance, not application-level request tracing or latency analysis. Option D is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and unintended network exposure, not a distributed tracing tool.

1010
MCQmedium

A company needs to replicate their Amazon S3 data to a different AWS Region automatically to meet disaster recovery requirements. Which S3 feature enables this?

A.S3 Intelligent-Tiering
B.S3 Cross-Region Replication (CRR)
C.S3 Lifecycle policies
D.S3 Transfer Acceleration
AnswerB

CRR automatically replicates new and updated objects to a destination bucket in another Region, supporting DR, compliance, and latency optimization use cases.

Why this answer

Amazon S3 Cross-Region Replication (CRR) is the correct feature because it automatically and asynchronously replicates objects across S3 buckets in different AWS Regions, meeting disaster recovery requirements by ensuring data is available in a secondary geographic location. CRR requires versioning to be enabled on both source and destination buckets, and it replicates new objects and object metadata by default, with optional configuration for replicating delete markers or objects from specific prefixes.

Exam trap

The trap here is that candidates often confuse S3 Lifecycle policies (which manage storage tiers) with replication features, or mistakenly think S3 Transfer Acceleration provides replication because it improves transfer speed, but neither performs automatic cross-region copying.

How to eliminate wrong answers

Option A is wrong because S3 Intelligent-Tiering is a storage class that optimizes costs by moving data between access tiers based on usage patterns, not a replication feature; it does not copy data to another Region. Option C is wrong because S3 Lifecycle policies automate transitioning objects between storage classes or expiring them, but they do not replicate data across Regions. Option D is wrong because S3 Transfer Acceleration speeds up uploads over long distances using AWS edge locations and optimized network paths, but it does not provide automatic replication or disaster recovery.

1011
MCQmedium

A company's compliance team needs to enforce a policy that all Amazon S3 buckets must have 'Block all public access' enabled. If a bucket is created without this setting, the company wants the policy to be automatically remediated within minutes without manual intervention. The solution must check for compliance continuously and apply the fix automatically. Which AWS service should the company use to meet these requirements?

A.AWS Config with an AWS Config rule and an automatic remediation action
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Identity and Access Management (IAM)
AnswerA

AWS Config can evaluate resource configurations against rules (e.g., 's3-bucket-public-read-prohibited') and automatically trigger a remediation action, such as an SSM Automation document, to fix non-compliant resources like S3 buckets without manual intervention. This matches the requirement.

Why this answer

AWS Config can continuously evaluate the configuration of S3 buckets against a managed rule like 's3-bucket-public-read-prohibited' or 's3-bucket-public-write-prohibited'. When a noncompliant bucket is detected, AWS Config can automatically trigger a remediation action using an AWS Systems Manager Automation document (e.g., 'AWS-DisableS3BucketPublicReadWrite') to enable 'Block all public access' within minutes, without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance and remediation capabilities with CloudTrail's logging or GuardDuty's threat detection, failing to recognize that only AWS Config provides continuous evaluation with automatic remediation actions.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence; it does not evaluate resource compliance against internal policies or perform automated remediation. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot continuously check compliance or automatically remediate misconfigurations; it only provides logs for post-event analysis. Option D is wrong because AWS Identity and Access Management (IAM) manages user permissions and access control, but it does not monitor or enforce S3 bucket-level configuration settings like public access blocks.

1012
MCQhard

A company is designing a cloud architecture and wants to follow the Well-Architected Framework principle of 'stop guessing capacity.' Which AWS feature directly supports this principle?

A.AWS CloudFormation for repeatable deployments
B.Amazon EC2 Auto Scaling based on CloudWatch metrics
C.AWS Trusted Advisor cost optimization checks
D.AWS Cost Explorer right-sizing recommendations
AnswerB

Auto Scaling automatically adjusts EC2 capacity based on actual demand metrics, eliminating both over-provisioning (waste) and under-provisioning (performance degradation).

Why this answer

Amazon EC2 Auto Scaling directly supports the 'stop guessing capacity' principle by automatically adjusting the number of EC2 instances in response to real-time demand using CloudWatch metrics (e.g., CPU utilization, memory). This eliminates the need to manually provision for peak loads, ensuring you only pay for what you need while maintaining performance.

Exam trap

The trap here is that candidates confuse 'stop guessing capacity' with cost optimization tools like Cost Explorer or Trusted Advisor, but the principle is specifically about dynamic scaling to match demand, not about analyzing or reducing costs after the fact.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation enables repeatable infrastructure deployments via templates, but it does not dynamically adjust capacity based on demand; it provisions static resources. Option C is wrong because AWS Trusted Advisor cost optimization checks provide recommendations to reduce costs (e.g., idle instances), but they do not automatically scale capacity to match workload changes. Option D is wrong because AWS Cost Explorer right-sizing recommendations analyze historical usage to suggest instance type changes, but they are advisory and do not provide real-time, automated scaling to handle fluctuating demand.

1013
MCQmedium

A company has 200 IAM users. The security team needs to automatically verify that every IAM user has enabled multi-factor authentication (MFA) for console access. They also need to receive a notification whenever a new user is created without MFA so they can enforce the policy. Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerA

AWS Config provides managed rules to evaluate the configuration of AWS resources. The 'iam-user-mfa-enabled' rule checks MFA status on every IAM user and can trigger notifications for non-compliant resources.

Why this answer

AWS Config is correct because it provides managed rules like 'iam-user-mfa-enabled' that can continuously evaluate whether all IAM users have MFA enabled. When a new user is created without MFA, AWS Config can trigger an Amazon SNS notification via its compliance change event, meeting both the verification and notification requirements automatically.

Exam trap

The trap here is that candidates confuse CloudTrail's API logging with Config's continuous compliance evaluation, assuming that recording user creation events is sufficient to enforce MFA, but CloudTrail lacks the ability to assess resource state or trigger notifications based on compliance status.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because CloudTrail records API calls (e.g., CreateUser) but does not perform ongoing compliance checks or send notifications based on resource state; it is an audit trail, not a configuration compliance evaluator. Option C (Amazon GuardDuty) is wrong because GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not for verifying IAM user MFA settings or sending policy enforcement notifications.

1014
MCQmedium

A company wants to automatically evaluate its AWS resource configurations against internal security policies. The company has defined rules such as 'EBS volumes must be encrypted' and 'S3 buckets must not be publicly accessible'. They need a service that continuously monitors resource configurations, identifies noncompliant resources, and provides a dashboard of compliance status over time. Which AWS service should the company use?

A.AWS Config
B.Amazon Inspector
C.AWS Trusted Advisor
D.AWS CloudTrail
AnswerA

Correct. AWS Config continuously monitors and records AWS resource configurations and evaluates them against rules you define, such as encryption or public access policies. It provides a compliance dashboard and notifications for noncompliant resources.

Why this answer

AWS Config is the correct service because it continuously monitors and records AWS resource configurations, evaluates them against custom rules (like 'EBS volumes must be encrypted' and 'S3 buckets must not be publicly accessible'), and provides a compliance dashboard that shows historical compliance status over time. It directly addresses the need for automated, ongoing evaluation of resource configurations against internal security policies.

Exam trap

The trap here is confusing AWS Config's configuration compliance monitoring with Amazon Inspector's vulnerability scanning or Trusted Advisor's best-practice checks, leading candidates to choose a service that does not support custom rule definitions or continuous compliance dashboards.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for evaluating resource configurations against custom security policies. Option C is wrong because AWS Trusted Advisor provides best-practice recommendations based on AWS Well-Architected Framework checks, but it does not allow you to define custom rules or continuously monitor compliance against your own internal security policies. Option D is wrong because AWS CloudTrail records API activity and provides audit logs of actions taken on AWS resources, but it does not evaluate resource configurations for compliance or provide a compliance dashboard.

1015
MCQeasy

A company is migrating its IT operations to AWS. Previously, when a developer needed a new server for a project, the developer had to submit a formal request to the IT department. The request would be reviewed, approved, and then a physical server would be procured, configured, and deployed—a process that often took several weeks. After migrating to AWS, the developer can log in to the AWS Management Console and launch a new Amazon EC2 instance with the exact required configuration within minutes, without any interaction with IT staff. Which essential characteristic of cloud computing does this scenario BEST demonstrate?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Measured service
AnswerA

Correct. On-demand self-service allows users to provision and manage computing resources as needed without requiring human interaction with the service provider. The developer's ability to launch an EC2 instance directly from the AWS Management Console without IT involvement is a clear example of this characteristic.

Why this answer

The scenario describes a developer provisioning an EC2 instance directly via the AWS Management Console without any human intervention from IT staff. This aligns with the NIST-defined characteristic of on-demand self-service, where a consumer can unilaterally provision computing capabilities as needed automatically without requiring human interaction with each service provider.

Exam trap

The trap here is that candidates confuse 'on-demand self-service' with 'resource pooling' because both involve rapid provisioning, but the key differentiator is the absence of human interaction with the provider (IT staff) versus the multi-tenant sharing of resources.

How to eliminate wrong answers

Option B (Broad network access) is wrong because that characteristic refers to capabilities being available over the network and accessed through standard mechanisms (e.g., HTTPS, SSH) that promote use by heterogeneous client platforms (mobile phones, laptops, etc.), not the ability to self-provision without IT approval. Option C (Resource pooling) is wrong because that characteristic describes the provider’s computing resources being pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand; it does not address the self-service provisioning workflow described.

1016
MCQmedium

A company uses Amazon S3 to store raw data files for a data analytics platform. The company requires that files remain immediately accessible for the first 30 days after upload. After 30 days, files must be automatically moved to a lower-cost storage class for archival access. After 7 years, files must be automatically deleted. The company wants to implement this data management strategy with minimal ongoing effort. Which AWS S3 feature should the company use?

A.S3 Lifecycle policies
B.S3 Intelligent-Tiering
C.S3 Object Lock
D.S3 Versioning
AnswerA

This is correct. S3 Lifecycle policies allow you to define rules for transitioning objects to other storage classes after a specified number of days and for expiring (deleting) objects after a set period. This automates the company's data management requirements.

Why this answer

S3 Lifecycle policies allow you to define rules that automatically transition objects between storage classes (e.g., from S3 Standard to S3 Glacier Deep Archive) and expire (delete) objects based on object age. This directly meets the requirement to keep files immediately accessible for 30 days, move them to a lower-cost archival class after 30 days, and delete them after 7 years, all with minimal ongoing effort.

Exam trap

The trap here is that candidates often confuse S3 Intelligent-Tiering (which automates cost optimization based on access patterns) with S3 Lifecycle policies (which enforce a fixed, time-based data management schedule), leading them to choose Intelligent-Tiering even though it cannot enforce a mandatory deletion date.

How to eliminate wrong answers

Option B (S3 Intelligent-Tiering) is wrong because it automatically moves objects between access tiers based on changing access patterns, not on a fixed time-based schedule, and it does not support automatic deletion after a specific period. Option C (S3 Object Lock) is wrong because it is designed to prevent object deletion or overwrites for a fixed retention period (write-once-read-many, WORM), not to automate transitions or deletions based on age. Option D (S3 Versioning) is wrong because it preserves multiple versions of an object to protect against accidental deletion or overwrite, but it does not provide any automated lifecycle transitions or time-based deletion.

1017
MCQmedium

A company uses multiple AWS accounts within AWS Organizations. The security team needs to automatically check that no Amazon S3 bucket in any account has public read or write access. They want to define a security rule once and have it evaluated continuously across all accounts. The team also needs to view the overall compliance status from a single dashboard. Which AWS service should they use to meet these requirements?

A.AWS Config
B.AWS Trusted Advisor
C.Amazon Inspector
D.AWS Shield
AnswerA

AWS Config provides continuous monitoring and evaluation of resource configurations against desired policies. It supports multi-account aggregation via AWS Organizations, allowing you to apply rules centrally and view compliance across all accounts.

Why this answer

AWS Config is the correct service because it provides managed rules (such as 's3-bucket-public-read-prohibited' and 's3-bucket-public-write-prohibited') that can be defined once in a delegated administrator account and automatically evaluated across all member accounts in AWS Organizations. It continuously monitors S3 bucket configurations and aggregates compliance results into a single dashboard (the AWS Config aggregator), meeting the requirement for a unified view of overall compliance status.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates resource configurations against rules) with AWS Trusted Advisor (which provides best-practice checks but lacks custom rule definition and multi-account aggregation), leading them to select Trusted Advisor because it also checks S3 bucket permissions.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks (including S3 bucket permissions) but does not allow you to define custom security rules or continuously evaluate them across all accounts from a single dashboard; it only offers a point-in-time check per account and cannot aggregate results across multiple accounts. Option C is wrong because Amazon Inspector is designed for vulnerability assessment of EC2 instances, container images, and Lambda functions, not for monitoring S3 bucket configurations or public access settings. Option D is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service and has no capability to check S3 bucket public access permissions or provide compliance dashboards for resource configurations.

1018
MCQmedium

A company is moving its workloads to AWS. The compliance team requires that all data must reside within the European Union (EU) and must not be stored on any physical server located outside the EU. The team also understands that AWS does not provide information about the specific physical server or data center where their data is stored. Which essential characteristic of cloud computing does this situation best describe?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerC

Resource pooling means the provider's compute, storage, network, and other resources are pooled to serve many customers, with the customer having no knowledge or control over the exact physical location of the resources. The customer can specify location at a higher level (e.g., a specific Region or country), which meets the compliance requirement of keeping data within the EU.

Why this answer

Option C is correct because resource pooling allows AWS to serve multiple customers from shared physical resources, with the provider abstracting the exact physical server location. The compliance requirement that data must reside only in the EU is satisfied by selecting an EU Region (e.g., eu-west-1), but AWS does not disclose the specific physical server or data center within that Region, which is a direct consequence of resource pooling—the provider's multi-tenant model hides the underlying hardware details from the customer.

Exam trap

The trap here is that candidates confuse 'resource pooling' with 'data residency' or 'compliance controls,' mistakenly thinking that choosing a Region alone satisfies the requirement, when the question specifically tests the cloud characteristic that explains why AWS does not disclose the exact physical server—resource pooling.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision resources automatically without human interaction, not to data residency or physical server location abstraction. Option B is wrong because broad network access describes the capability to access resources over the network using standard protocols (e.g., HTTPS, SSH), which is unrelated to where the physical servers are located. Option D is wrong because rapid elasticity is the ability to scale resources up or down quickly in response to demand, not a characteristic that governs data storage location or the hiding of physical server details.

1019
MCQmedium

A development team needs to deploy a web application on AWS quickly. The team wants a fully managed service that automatically handles capacity provisioning, load balancing, auto-scaling, and application health monitoring. The team does not want to manage the underlying Amazon EC2 instances or the application stack manually. Which AWS service should the team use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS OpsWorks
D.Amazon EC2 Auto Scaling
AnswerA

Correct. AWS Elastic Beanstalk is a PaaS service that automatically manages capacity provisioning, load balancing, auto-scaling, and application health monitoring for deployed web applications. You simply upload your code and the service handles the underlying infrastructure.

Why this answer

AWS Elastic Beanstalk is the correct choice because it is a fully managed Platform as a Service (PaaS) that automatically handles capacity provisioning, load balancing, auto-scaling, and application health monitoring without requiring the team to manage the underlying EC2 instances or application stack. It abstracts away infrastructure management, allowing developers to simply upload their code and have the service handle deployment, scaling, and monitoring out of the box.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with AWS CloudFormation, mistakenly thinking that CloudFormation provides the same level of automated management, when in fact CloudFormation only provisions resources based on templates and does not include built-in application health monitoring or auto-scaling logic without additional configuration.

How to eliminate wrong answers

Option B (AWS CloudFormation) is wrong because it is an Infrastructure as Code (IaC) service that provisions and manages AWS resources declaratively, but it does not automatically handle capacity provisioning, load balancing, auto-scaling, or health monitoring; it requires manual configuration of each resource. Option C (AWS OpsWorks) is wrong because it is a configuration management service that uses Chef or Puppet to manage EC2 instances and application stacks, but it still requires the team to manage the underlying instances and does not provide fully automated capacity provisioning or health monitoring without manual setup. Option D (Amazon EC2 Auto Scaling) is wrong because it only handles automatic scaling of EC2 instances based on defined policies, but it does not provide load balancing, application health monitoring, or a fully managed application stack; it is a component that must be combined with other services like Elastic Load Balancing and Amazon CloudWatch.

1020
MCQmedium

A company is migrating an on-premises MySQL database to Amazon RDS for MySQL. The security team needs to understand their responsibilities under the AWS Shared Responsibility Model. Which of the following tasks is the customer's responsibility?

A.Applying minor version patches to the MySQL database engine
B.Managing the physical security of the data center where the RDS instance is hosted
C.Configuring security group rules to control network access to the database
D.Replacing failed hardware components in the RDS host server
AnswerC

This is correct. Security groups act as virtual firewalls for RDS instances. Configuring inbound and outbound rules to allow only necessary traffic is a customer responsibility under the Shared Responsibility Model.

Why this answer

Under the AWS Shared Responsibility Model, the customer is responsible for configuring security group rules to control network access to the database. Security groups act as a virtual firewall that controls inbound and outbound traffic at the instance level, and the customer must define the rules (e.g., source IP, port 3306 for MySQL) to restrict access appropriately.

Exam trap

The trap here is confusing 'patching the database engine' (which is AWS's responsibility for RDS) with 'configuring network access controls' (which is the customer's responsibility), leading candidates to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because applying minor version patches to the MySQL database engine is an AWS responsibility under the 'Security of the Cloud' — AWS manages the RDS service, including automatic minor version upgrades unless the customer explicitly opts out, but the actual patching is performed by AWS. Option B is wrong because managing the physical security of the data center where the RDS instance is hosted is entirely AWS's responsibility under the 'Security of the Cloud' — AWS controls physical access, surveillance, and environmental controls at their data centers.

1021
MCQmedium

A company runs a batch processing workload on an on-premises data center. The servers are powerful machines that are used at maximum capacity only for a few days each month during financial reporting periods. For the rest of the month, the servers run at very low utilization. The CFO wants to migrate this workload to AWS to reduce costs. Which characteristic of AWS cloud computing is most directly aligned with the CFO's goal of paying only for the compute capacity actually used?

A.High availability across multiple Availability Zones
B.Elasticity to automatically scale resources up and down
C.Pay-as-you-go pricing model
D.The ability to choose from a wide variety of instance types
AnswerC

The pay-as-you-go model lets customers pay only for the compute capacity they actually use, with no upfront capital expenditure or charges for idle resources. This directly meets the CFO's objective of eliminating costs for underutilized on-premises servers.

Why this answer

The pay-as-you-go pricing model (Option C) directly aligns with the CFO's goal because it allows the company to pay only for the compute capacity they actually consume, with no upfront costs or long-term commitments. In this scenario, the batch processing workload runs at maximum capacity only a few days per month, so the company can provision resources during those peaks and stop them during low-utilization periods, avoiding the cost of idle on-premises servers. This model eliminates the need to pay for unused capacity, directly reducing costs as the CFO desires.

Exam trap

The trap here is that candidates confuse elasticity (the ability to scale) with the pay-as-you-go pricing model, but elasticity is a characteristic that enables cost optimization, while pay-as-you-go is the specific billing mechanism that directly ensures you pay only for what you use.

How to eliminate wrong answers

Option A is wrong because high availability across multiple Availability Zones is a resilience and fault-tolerance feature, not a pricing or cost-reduction mechanism; it ensures workload uptime during failures but does not directly enable paying only for used compute capacity. Option B is wrong because elasticity is the ability to automatically scale resources up and down based on demand, which supports cost efficiency but is not itself a pricing model; the CFO's goal is specifically about the payment structure (pay-as-you-go), not the scaling mechanism, and elasticity without pay-as-you-go pricing could still incur costs for provisioned resources even if scaled down.

1022
MCQmedium

A company is moving its on-premises workloads to AWS. The company's chief financial officer notes that AWS can provide computing resources at a lower cost per unit because AWS spreads the cost of building and maintaining vast data centers across millions of customers. This cost advantage is best described as an example of which concept?

A.Resource pooling
B.Economies of scale
C.Measured service
D.Broad network access
AnswerB

Correct. Economies of scale occur when the average cost per unit decreases as the scale of operations increases. AWS spreads its massive infrastructure investments across millions of customers, enabling lower per-unit costs than a single company could achieve on its own.

Why this answer

Economies of scale occur when a provider like AWS spreads the fixed costs of building and operating massive data centers across a huge number of customers, reducing the per-unit cost of compute, storage, and networking. This allows AWS to offer lower prices than a single company could achieve by running its own on-premises infrastructure. The CFO's observation directly describes this principle: AWS's aggregated demand drives down the average cost per resource.

Exam trap

The trap here is confusing economies of scale with resource pooling, as both involve shared infrastructure, but economies of scale specifically refer to the cost reduction from large-scale operations, not the multi-tenant resource allocation model.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the multi-tenant model where computing resources are dynamically assigned and reassigned to serve multiple customers, not the cost advantage from scale. Option C is wrong because measured service is the metering and billing of cloud resource usage (e.g., per-hour or per-GB charges), not the underlying cost efficiency from large-scale operations. Option D is wrong because broad network access describes the ability to access cloud resources over the network via standard protocols (e.g., HTTPS, SSH), not the economic benefit of shared infrastructure costs.

1023
MCQmedium

A company has been running workloads on AWS for over a year. The finance team needs to analyze historical spending patterns. They want a graphical dashboard that shows costs by service (e.g., EC2, S3), by AWS Region, and by custom cost allocation tags over the last 12 months. Additionally, they need to generate a 3-month cost forecast based on this historical data. Which AWS tool should the finance team use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Consolidated Billing
AnswerB

AWS Cost Explorer is the correct tool for this scenario. It offers pre-built reports, filters, and graphs to view cost and usage data by service, region, and tags. It also includes cost forecasting capabilities based on historical usage patterns.

Why this answer

AWS Cost Explorer provides a pre-built graphical dashboard that allows you to visualize, understand, and manage AWS costs and usage over time. It supports filtering by service (e.g., EC2, S3), AWS Region, and custom cost allocation tags, and it includes a built-in forecasting feature that can generate a 3-month cost forecast based on historical data. This directly meets all the requirements for analyzing historical spending patterns and generating a forecast.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which only alerts on thresholds) with Cost Explorer (which provides historical analysis and forecasting), leading them to select AWS Budgets for a task it cannot perform.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is designed for setting cost and usage alerts and tracking against a budget threshold, not for analyzing historical spending patterns or generating graphical dashboards with forecasts over 12 months. Option C is wrong because AWS Trusted Advisor is a service that inspects your AWS environment to provide best practice recommendations in areas like cost optimization, performance, security, and fault tolerance, but it does not provide a graphical dashboard for historical cost analysis by service, region, or tags, nor does it generate cost forecasts.

1024
MCQmedium

A company runs a data-intensive workload in a colocation facility and wants to establish a dedicated, private network connection to its Amazon VPC. The connection must bypass the public internet to provide consistent high throughput and low latency. The company also wants to avoid data transfer costs associated with internet-based connections. Which AWS service should the company use?

A.AWS Site-to-Site VPN
B.AWS Direct Connect
C.AWS VPN CloudHub
D.AWS Transit Gateway
AnswerB

Correct. AWS Direct Connect establishes a dedicated private connection between an on-premises data center and AWS. This connection bypasses the public internet, resulting in more consistent network performance, lower latency, and potentially lower data transfer costs. It is the appropriate service for the described requirements.

Why this answer

AWS Direct Connect is the correct service because it provides a dedicated, private network connection from an on-premises or colocation facility directly to an Amazon VPC, bypassing the public internet entirely. This ensures consistent high throughput, low latency, and eliminates data transfer costs associated with internet-based connections, as traffic flows over a private physical link.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with a private connection, but VPNs still traverse the public internet and cannot guarantee the consistent performance or cost savings of a dedicated physical link like Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN uses the public internet to establish an encrypted tunnel (IPsec), which cannot guarantee consistent high throughput or low latency and incurs internet data transfer costs. Option C is wrong because AWS VPN CloudHub is a hub-and-spoke VPN architecture that connects multiple remote sites over the public internet, not a dedicated private connection to a VPC. Option D is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide a dedicated physical connection; it requires an underlying connection like Direct Connect or VPN to function.

Page 13

Page 14 of 14