AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 76150

1024 questions total · 14pages · All types, answers revealed

Page 1

Page 2 of 14

Page 3
76
MCQmedium

Which AWS service acts as a centralized firewall for traffic inspection between VPCs, between VPCs and on-premises networks, and for internet traffic?

A.Security Groups
B.Network Access Control Lists (NACLs)
C.AWS Network Firewall
D.AWS WAF
AnswerC

Network Firewall provides centralized, managed stateful packet inspection at the VPC level with domain-based filtering and integration with Firewall Manager for multi-account governance.

Why this answer

AWS Network Firewall is a managed service that provides a centralized firewall to inspect and filter traffic across VPCs, between VPCs and on-premises networks (via AWS Transit Gateway or VPN/Direct Connect), and for internet-bound traffic. It supports stateful and stateless rules, intrusion prevention (IPS), and domain filtering, making it the correct choice for a unified traffic inspection solution.

Exam trap

The trap here is that candidates often confuse AWS Network Firewall with Security Groups or NACLs, thinking those can provide centralized traffic inspection across VPCs and hybrid networks, but they are limited to instance-level or subnet-level filtering and lack the centralized, stateful inspection capabilities required for this use case.

How to eliminate wrong answers

Option A is wrong because Security Groups are stateful virtual firewalls that operate at the instance level (ENI) and cannot inspect traffic between VPCs or between VPCs and on-premises networks; they lack centralized management and do not support traffic inspection for internet-bound traffic across multiple VPCs. Option B is wrong because Network Access Control Lists (NACLs) are stateless, operate at the subnet level, and cannot provide centralized firewall capabilities across VPCs or hybrid connections; they also do not support stateful inspection or advanced threat detection. Option D is wrong because AWS WAF is a web application firewall that protects web applications from common exploits (e.g., SQL injection, XSS) at the application layer (HTTP/HTTPS), not a network-layer firewall for general traffic inspection between VPCs, on-premises, or internet traffic.

77
MCQmedium

A company runs a web application on AWS that experiences unpredictable traffic spikes. The company wants to configure its infrastructure to automatically increase compute capacity during peak times and decrease it during low traffic, minimizing costs. Which cloud computing concept does this scenario BEST represent?

A.Elasticity
B.High availability
C.Fault tolerance
D.Vertical scaling
AnswerA

Correct. Elasticity allows automatic scaling of resources to match demand, which directly addresses the need to handle traffic spikes and reduce costs during low usage.

Why this answer

Elasticity is the ability of a cloud system to automatically provision and de-provision compute resources in response to real-time demand. In this scenario, AWS Auto Scaling groups can dynamically launch EC2 instances during traffic spikes and terminate them when demand drops, directly matching capacity to load while minimizing cost. This contrasts with static provisioning, which would either over-provision (wasting money) or under-provision (causing outages).

Exam trap

The trap here is that candidates confuse elasticity with high availability, because both involve handling increased load, but elasticity specifically addresses dynamic resource scaling to match demand, not just distributing traffic across redundant components.

How to eliminate wrong answers

Option B (High availability) is wrong because it focuses on ensuring application uptime across multiple Availability Zones using services like Elastic Load Balancing and Route 53 health checks, not on dynamically adjusting capacity to match workload changes. Option C (Fault tolerance) is wrong because it describes the ability to continue operating without interruption after a component failure (e.g., using Multi-AZ RDS or EC2 Auto Recovery), not the scaling of resources in response to traffic. Option D (Vertical scaling) is wrong because it involves increasing the size of a single instance (e.g., moving from t3.medium to t3.large), which has a hard upper limit and does not automatically handle unpredictable spikes or reduce costs by removing resources.

78
Drag & Dropmedium

Drag and drop the steps to migrate an on-premises database to Amazon RDS using AWS DMS in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

DMS requires a replication instance, endpoints, connection testing, task creation, and then migration execution.

79
MCQeasy

Which type of Elastic Load Balancer routes HTTP/HTTPS traffic based on content such as URL path, hostname, and HTTP headers, enabling advanced request routing rules?

A.Network Load Balancer (NLB)
B.Application Load Balancer (ALB)
C.Gateway Load Balancer (GWLB)
D.Classic Load Balancer
AnswerB

ALB operates at Layer 7 and supports content-based routing rules for URLs, hostnames, headers, and methods — ideal for microservices and container-based architectures.

Why this answer

The Application Load Balancer (ALB) operates at Layer 7 of the OSI model and can route HTTP/HTTPS traffic based on request-level attributes such as URL path, hostname, HTTP headers, and query strings. This enables advanced routing rules like path-based routing (e.g., /api to one target group, /images to another) and host-based routing (e.g., app1.example.com vs app2.example.com). ALB also supports features like WebSocket, HTTP/2, and AWS WAF integration, making it the correct choice for content-based routing.

Exam trap

The trap here is that candidates often confuse the Network Load Balancer (NLB) with the Application Load Balancer (ALB) because both can handle HTTPS traffic, but NLB cannot inspect HTTP/HTTPS content for routing decisions—it only forwards TCP traffic, making ALB the only correct answer for content-based routing.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP) and routes traffic based solely on IP address and port, not on HTTP/HTTPS content like URL paths or headers. Option C is wrong because a Gateway Load Balancer (GWLB) operates at Layer 3 (network layer) and is designed for transparent network gateway appliances (e.g., firewalls, intrusion detection), not for HTTP/HTTPS content-based routing. Option D is wrong because the Classic Load Balancer (now legacy) operates at both Layer 4 and Layer 7 but lacks native support for advanced content-based routing rules like path or hostname patterns; it only supports simple HTTP/HTTPS forwarding without the rich rule engine of ALB.

80
MCQeasy

Which Amazon S3 storage class is most cost-effective for data that is accessed frequently?

A.S3 Standard-IA
B.S3 Glacier Instant Retrieval
C.S3 Standard
D.S3 One Zone-IA
AnswerC

S3 Standard has no retrieval fee and no minimum storage duration, making it the most cost-effective choice when data is accessed frequently.

Why this answer

S3 Standard is the most cost-effective storage class for frequently accessed data because it offers low latency and high throughput with no retrieval costs or minimum storage duration charges. For data accessed often, the per-GB storage cost of S3 Standard is lower than the combined storage plus retrieval costs of infrequent access classes like S3 Standard-IA or One Zone-IA.

Exam trap

The trap here is that candidates often confuse 'cost-effective' with 'lowest storage price per GB' and overlook retrieval fees and minimum storage duration charges, leading them to choose S3 Standard-IA or Glacier Instant Retrieval instead of S3 Standard for frequently accessed data.

How to eliminate wrong answers

Option A is wrong because S3 Standard-IA is designed for infrequently accessed data and incurs a per-GB retrieval fee, making it more expensive than S3 Standard for frequent access patterns. Option B is wrong because S3 Glacier Instant Retrieval is optimized for long-lived, rarely accessed data with a higher storage cost than S3 Standard and a minimum 90-day storage charge, making it cost-ineffective for frequent access. Option D is wrong because S3 One Zone-IA also has retrieval costs and a minimum 30-day storage charge, and it is intended for infrequently accessed data, not for frequent access scenarios.

81
MCQmedium

A company archives compliance records that must be retained for 7 years but will almost never be accessed. They need the absolute lowest storage cost with retrieval times of several hours being acceptable. Which S3 storage class should they use?

A.S3 Glacier Instant Retrieval
B.S3 Standard-IA
C.S3 Glacier Flexible Retrieval
D.S3 Glacier Deep Archive
AnswerD

Deep Archive is the lowest-cost S3 storage class with 12-48 hour retrieval times — perfect for long-term compliance archives that are rarely accessed.

Why this answer

S3 Glacier Deep Archive is designed for long-term retention of data that is accessed rarely, with retrieval times of 12 hours or more, making it the lowest-cost S3 storage class. For compliance records that must be retained for 7 years and almost never accessed, with acceptable retrieval times of several hours, this class provides the absolute minimum storage cost while meeting the retrieval time requirement.

Exam trap

The trap here is that candidates often confuse 'Glacier Flexible Retrieval' with the lowest-cost option, but the question explicitly states 'absolute lowest storage cost' and 'retrieval times of several hours being acceptable,' which points to Glacier Deep Archive as the correct choice due to its significantly lower storage price.

How to eliminate wrong answers

Option A is wrong because S3 Glacier Instant Retrieval is optimized for data accessed once per quarter with millisecond retrieval, not for rarely accessed archives, and costs more than Deep Archive. Option B is wrong because S3 Standard-IA is designed for infrequently accessed data requiring millisecond retrieval, not for archival data with multi-hour retrieval tolerance, and has higher storage costs. Option C is wrong because S3 Glacier Flexible Retrieval offers retrieval times from minutes to hours but has higher storage costs than Deep Archive, and is intended for data that may need occasional access rather than near-zero access over 7 years.

82
MCQmedium

A healthcare organization stores sensitive patient records in Amazon S3. The organization's compliance team learns that AWS stores data from multiple customers on the same physical hardware. They are concerned that data from different customers could be mixed or accessed by another customer. Which fundamental characteristic of cloud computing explains how AWS allows customers to share physical infrastructure while keeping each customer's data logically isolated?

A.Rapid elasticity
B.Resource pooling
C.On-demand self-service
D.Measured service
AnswerB

Resource pooling allows the provider to serve multiple customers from a shared pool of physical resources while logically isolating each customer's data and workloads. AWS uses multi-tenant architectures and security controls to ensure that one customer cannot access another customer's data, even when stored on the same hardware.

Why this answer

Resource pooling is the correct answer because it describes how AWS aggregates computing resources (including storage) from multiple customers into a shared pool, then logically isolates each customer's data through software-defined boundaries. In Amazon S3, this isolation is achieved via bucket policies, IAM roles, and object ACLs that enforce strict access controls, ensuring that even though physical hardware is shared, no customer can access another's data. This characteristic directly addresses the compliance team's concern about data mixing or unauthorized cross-tenant access.

Exam trap

The trap here is that candidates confuse 'resource pooling' with 'multi-tenancy' or assume it means data is physically separated, but the exam tests that resource pooling specifically enables logical isolation through software controls, not physical hardware separation.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down based on demand, not to the logical isolation of data on shared infrastructure. Option C is wrong because on-demand self-service describes a customer's ability to provision resources automatically without human interaction, which does not explain how data isolation is maintained across tenants. Option D is wrong because measured service involves metering resource usage for billing and optimization, not the mechanisms that prevent data leakage between customers on shared hardware.

83
MCQmedium

A company is building a serverless order-processing application. The workflow consists of several steps that must run in a defined order: validate the order, check inventory, process payment, and then update the database. Some steps, such as shipping notification and invoice generation, can run in parallel after payment is confirmed. The company needs a managed service to orchestrate these steps, automatically handle retries if a step fails, and provide a visual representation of the workflow's execution state. Which AWS service should the company use?

A.AWS Step Functions
B.Amazon Simple Workflow Service (SWF)
C.Amazon MQ
D.AWS Glue
AnswerA

AWS Step Functions is a serverless orchestration service that allows you to define workflows as state machines. It can coordinate sequential and parallel steps, handle retries and errors, and provides a visual console to track execution. This directly matches the requirement to orchestrate the order-processing steps with defined order and parallel branches.

Why this answer

AWS Step Functions is the correct choice because it is a fully managed serverless orchestration service that allows you to define workflows as state machines, specifying sequential steps (validate, check inventory, process payment, update database) and parallel branches (shipping notification, invoice generation). It automatically handles retries on failures with configurable backoff rates and provides a visual execution console to track the state of each workflow instance in real time, meeting all the company's requirements.

Exam trap

The trap here is that candidates confuse Amazon SWF with Step Functions because both orchestrate workflows, but SWF requires custom deciders and workers for coordination, whereas Step Functions is fully managed and serverless, making it the correct choice for this use case.

How to eliminate wrong answers

Option B (Amazon Simple Workflow Service, SWF) is wrong because SWF is a legacy service designed for long-running, human-interactive workflows and requires you to manage workers and deciders manually, whereas the question specifies a need for a managed service that automatically handles retries and provides a visual representation of execution state without custom code. Option C (Amazon MQ) is wrong because Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ, used for asynchronous message passing between applications, not for orchestrating a defined sequence of steps with retries and visual workflow tracking.

84
MCQmedium

A company's finance team wants to receive an email alert when monthly AWS costs exceed 80% of the budgeted amount. Additionally, they want to automatically apply a specific IAM policy to restrict further resource provisioning if costs exceed 100% of the budget. Which AWS feature should the team configure to meet both requirements?

A.AWS Budgets with budget actions
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Organizations Service Control Policies (SCPs)
AnswerA

Correct. AWS Budgets allows you to set cost budgets and configure actions that fire when actual or forecasted usage exceeds thresholds. Actions include sending notifications (via SNS) and applying IAM policies or SCPs to restrict new resource provisioning.

Why this answer

AWS Budgets allows you to set cost budgets and configure budget actions that trigger when actual or forecasted costs exceed a threshold. In this scenario, you can create a budget with an alert action to send an email when costs reach 80% of the budget, and a separate budget action (using an IAM policy) to automatically restrict resource provisioning when costs hit 100%. This meets both requirements natively without additional services.

Exam trap

The trap here is that candidates often confuse AWS Budgets with AWS Cost Explorer, thinking Cost Explorer can send alerts, but Cost Explorer is purely analytical and lacks the ability to trigger automated actions or notifications based on thresholds.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it provides visualization and analysis of cost and usage data, but it cannot trigger automated actions or send email alerts based on thresholds. Option C (AWS Trusted Advisor) is wrong because it inspects your AWS environment for best practices (cost optimization, performance, security, fault tolerance) and provides recommendations, but it does not support threshold-based alerts or automated IAM policy application. Option D (AWS Organizations Service Control Policies) is wrong because SCPs are used to centrally manage permissions across accounts in an organization, not to trigger actions based on cost thresholds; they cannot send email alerts or automatically apply IAM policies based on budget utilization.

85
MCQmedium

A company must encrypt all data at rest stored in Amazon S3 and wants AWS to manage the encryption keys. Which S3 encryption option requires the least operational overhead?

A.SSE-C (Customer-Provided Keys)
B.SSE-KMS (AWS KMS-Managed Keys)
C.SSE-S3 (Amazon S3-Managed Keys)
D.Client-side encryption
AnswerC

SSE-S3 has zero operational overhead — AWS handles all key management transparently. It is the default encryption method for S3 and requires no customer key management.

Why this answer

SSE-S3 uses Amazon S3-managed keys, where AWS fully handles key creation, management, and rotation with no configuration required from the user. This option provides the least operational overhead because you simply enable server-side encryption on the bucket or object, and AWS manages the entire encryption process transparently.

Exam trap

The trap here is that candidates often confuse 'AWS managed keys' with SSE-KMS, assuming KMS is the default AWS-managed option, but SSE-S3 is the true fully managed key service with zero configuration overhead.

How to eliminate wrong answers

Option A is wrong because SSE-C requires you to provide and manage your own encryption keys, including key storage, rotation, and secure transmission, which adds significant operational overhead. Option B is wrong because SSE-KMS uses AWS KMS-managed keys, which still requires you to create, manage, and control key policies, permissions, and key rotation schedules, increasing operational complexity compared to SSE-S3. Option D is wrong because client-side encryption requires you to encrypt data before uploading to S3, manage encryption keys locally, and handle decryption on retrieval, resulting in the highest operational overhead of all options.

86
MCQmedium

A startup is running a pilot application on AWS and wants to control costs strictly. The finance team sets a monthly budget of $1,000. They need to receive an email notification when actual or forecasted spending reaches 80% of the budget. Additionally, if the budget is exceeded, they want to automatically stop a non-critical Amazon EC2 instance to prevent further cost overruns. Which combination of AWS services should they use to meet all these requirements with minimal operational overhead?

A.AWS Cost Explorer with Amazon SNS notifications to send alerts at 80% spending, and an AWS Lambda function to stop the EC2 instance
B.AWS Budgets with a budget alert set at 80% of the $1,000 limit, and an AWS Trusted Advisor check to stop the instance when costs exceed the budget
C.AWS Budgets with a budget action configured to stop the EC2 instance when the budget limit is exceeded
D.Amazon CloudWatch cost metric alarms combined with AWS Auto Scaling to reduce instance capacity when spending exceeds the budget
AnswerC

AWS Budgets can set cost thresholds and send alerts. Budget actions allow you to define automated responses, such as stopping an EC2 instance, applying IAM policies, or running a Lambda function. This meets all requirements in a fully managed way with minimal operational overhead.

Why this answer

Option C is correct because AWS Budgets natively supports budget actions that can automatically stop an EC2 instance when the actual or forecasted spending exceeds a defined threshold. This eliminates the need for custom scripting or additional services, meeting the requirements with minimal operational overhead. The budget alert at 80% can be configured via AWS Budgets' notification feature to send an email through Amazon SNS.

Exam trap

The trap here is that candidates may overcomplicate the solution by combining multiple services (e.g., Cost Explorer, Lambda, Trusted Advisor) when AWS Budgets alone, with its built-in budget action capability, directly satisfies both the notification and automated EC2 stop requirements with minimal operational overhead.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer does not provide native alerting or automated actions; it is an analytical tool for visualizing costs, not for triggering notifications or EC2 stop actions. Option B is wrong because AWS Trusted Advisor checks are for best-practice recommendations (e.g., idle instances, security gaps) and cannot automatically stop an EC2 instance based on budget thresholds. Option D is wrong because Amazon CloudWatch cost metric alarms can send notifications but cannot directly stop an EC2 instance; AWS Auto Scaling manages instance capacity based on scaling policies, not budget limits, and would not stop a specific non-critical instance.

87
MCQmedium

A company runs database servers that require consistent EC2 capacity 24/7 for the next 3 years. Which EC2 purchasing option provides the greatest discount compared to On-Demand pricing?

A.Spot Instances
B.On-Demand Instances
C.Reserved Instances (3-year, all upfront)
D.Dedicated Hosts
AnswerC

3-year Reserved Instances with all-upfront payment provide the maximum EC2 discount. For database servers with consistent, predictable 24/7 use over 3 years, this commitment results in the greatest cost savings.

Why this answer

Reserved Instances (RIs) with a 3-year term and all upfront payment provide the highest discount compared to On-Demand pricing because they commit to a consistent, predictable workload for an extended period. AWS offers significant pricing tiers for RIs, with the 3-year all upfront option yielding up to 72% discount over On-Demand, which is the greatest among all purchasing options for steady-state usage.

Exam trap

The trap here is that candidates often confuse Spot Instances as the cheapest option overall, but the question specifies 'consistent EC2 capacity 24/7 for the next 3 years,' which disqualifies Spot Instances due to their lack of reliability and potential for termination, making Reserved Instances the correct choice for maximum discount under those constraints.

How to eliminate wrong answers

Option A is wrong because Spot Instances offer discounts of up to 90% but are designed for fault-tolerant, interruptible workloads and can be terminated by AWS with a 2-minute warning, making them unsuitable for 24/7 database servers that require consistent capacity. Option B is wrong because On-Demand Instances provide no discount and are priced at the full rate, which is the baseline for comparison, not a cost-saving option. Option D is wrong because Dedicated Hosts provide physical server isolation for licensing compliance but do not inherently offer a discount over On-Demand; they are priced per host and can be more expensive than standard Reserved Instances.

88
MCQmedium

A company wants to set up a new multi-account AWS environment with pre-configured security guardrails, a logging account, an audit account, and a predefined structure for creating new accounts — all based on AWS best practices — with minimal manual configuration. Which AWS service provides this automated account setup?

A.AWS CloudFormation StackSets
B.AWS Organizations
C.AWS Control Tower
D.AWS Security Hub
AnswerC

Control Tower automates the entire landing zone setup: creates the management account structure, configures a log archive account, sets up an audit account, and applies mandatory guardrails (preventive SCPs and detective Config rules) following AWS best practices.

Why this answer

AWS Control Tower is the correct answer because it provides a fully automated, best-practices-based setup for a multi-account AWS environment, including pre-configured security guardrails (using Service Control Policies), a logging account, an audit account, and a predefined account structure via Account Factory. This eliminates the need for manual configuration of these foundational components.

Exam trap

The trap here is that candidates often confuse AWS Organizations (which provides the raw capability to manage multiple accounts) with AWS Control Tower (which automates the entire setup with best-practice guardrails and account factory), leading them to pick Organizations as the 'automated' solution when it actually requires significant manual configuration.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets allow you to deploy infrastructure across multiple accounts and regions, but they do not automatically set up the initial multi-account structure, guardrails, or dedicated logging/audit accounts — they require you to manually define and manage the stack instances. Option B is wrong because AWS Organizations provides the underlying organizational hierarchy and policy management (SCPs) but does not include pre-configured guardrails, a logging account, an audit account, or a predefined account creation workflow — it is a building block, not a turnkey solution. Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings from various AWS services (like GuardDuty, Inspector, etc.) but does not automate the setup of a multi-account environment, guardrails, or account structure.

89
MCQeasy

Which AWS service provides a fully managed workflow orchestration service that coordinates multiple AWS services into serverless workflows using visual state machines?

A.Amazon EventBridge
B.Amazon SQS
C.AWS Step Functions
D.AWS Batch
AnswerC

Step Functions orchestrates multi-step workflows as visual state machines, with built-in error handling, retry logic, parallel execution, and integration with 200+ AWS services.

Why this answer

AWS Step Functions is a fully managed orchestration service that allows you to coordinate multiple AWS services into serverless workflows using visual state machines. It enables you to define complex, multi-step processes as a series of states (tasks, choices, parallel branches) that execute in order, with built-in error handling and retry logic, making it the correct choice for workflow orchestration.

Exam trap

The trap here is that candidates often confuse Amazon EventBridge's event routing capabilities with workflow orchestration, but EventBridge lacks the sequential state machine logic and visual workflow designer that Step Functions provides.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge is a serverless event bus service used for routing events between AWS services and applications, not for orchestrating multi-step workflows with state machines. Option B is wrong because Amazon SQS is a fully managed message queuing service for decoupling application components, not a workflow orchestration tool with visual state machines. Option D is wrong because AWS Batch is a service for running batch computing jobs at scale, but it does not provide visual state machine-based orchestration; it focuses on job scheduling and execution, not coordinating multiple services in a workflow.

90
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to ensure that no Amazon EC2 instance can be launched with a public IPv4 address in any member account. The team needs a preventive control that centrally blocks the launch action if a public IP is assigned, and the control must automatically apply to all existing and future accounts in the organization. Which AWS feature should the security team use to meet these requirements?

A.AWS Config rule with an automatic remediation action that terminates the instance after launch
B.IAM policy with a condition key to deny ec2:RunInstances when a public IP is assigned
C.Service control policy (SCP) in AWS Organizations
D.AWS Firewall Manager security group policy
AnswerC

An SCP can be attached to the root organizational unit (OU) or the entire organization to deny the ec2:RunInstances action when the request includes a parameter for a public IP address (e.g., condition key 'ec2:AssociatePublicIpAddress'). SCPs are preventive policies that apply to all principals (including the root user) in all member accounts, and they are automatically inherited by new accounts added to the organization. This meets all the requirements.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally define the maximum available permissions for all accounts in the organization. By creating an SCP that denies the ec2:RunInstances action when the request includes a public IP address assignment (using the ec2:AssociatePublicIpAddress condition key), you can prevent any EC2 instance from being launched with a public IPv4 address. This control applies automatically to all existing and future member accounts without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, not realizing that SCPs are the only mechanism in AWS Organizations that can centrally and preventively restrict actions across all accounts, including future ones, without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive; they can only trigger remediation after the instance is launched, which does not meet the requirement for a preventive control that blocks the launch action. Option B is wrong because IAM policies are account-specific and cannot be centrally applied to all accounts in an organization; they would need to be deployed individually to each member account, and they do not automatically apply to future accounts. Option D is wrong because AWS Firewall Manager security group policies manage security group rules across accounts, but they do not control the assignment of public IP addresses during EC2 instance launch.

91
MCQmedium

A company runs a stateless web application on a single Amazon EC2 instance in the us-east-1a Availability Zone. The application stores session data in an external Amazon ElastiCache cluster. Due to a power failure in the data center hosting us-east-1a, the EC2 instance becomes unavailable. The company wants to redesign the architecture so that the application recovers automatically in minutes if a single Availability Zone fails. Which design principle should the company implement?

A.Deploy the application across multiple AWS Regions and use Amazon Route 53 latency-based routing to failover.
B.Place the EC2 instance in an Auto Scaling group with a minimum capacity of 1, and configure the Auto Scaling group to span multiple Availability Zones.
C.Use a larger EC2 instance type with dedicated tenancy to reduce the risk of hardware failure.
D.Enable termination protection on the EC2 instance to prevent accidental stopping.
AnswerB

This is correct because an Auto Scaling group that spans multiple Availability Zones will automatically replace a failed instance in a healthy Availability Zone, ensuring the application remains available even if one AZ goes down.

Why this answer

Option B is correct because placing the EC2 instance in an Auto Scaling group with a minimum capacity of 1 and spanning multiple Availability Zones ensures that if us-east-1a fails, the Auto Scaling group automatically launches a new instance in a healthy Availability Zone (e.g., us-east-1b). Since the application is stateless and session data is stored externally in ElastiCache, the new instance can immediately serve traffic without data loss, achieving recovery within minutes.

Exam trap

The trap here is that candidates may confuse high-availability designs (multi-AZ Auto Scaling) with disaster recovery designs (multi-Region), or mistakenly think that instance-level protections like termination protection or larger instance types can mitigate an Availability Zone failure.

How to eliminate wrong answers

Option A is wrong because deploying across multiple AWS Regions and using Route 53 latency-based routing is overkill for a single-AZ failure and introduces unnecessary complexity and cost; it does not address the immediate need for automatic recovery within minutes from an AZ failure. Option C is wrong because using a larger EC2 instance type with dedicated tenancy does not protect against an Availability Zone power failure; it only reduces the risk of hardware failure on a single host, not the entire AZ. Option D is wrong because termination protection prevents accidental termination of the instance, but it does not help recover from an AZ failure—the instance remains unavailable and cannot be automatically replaced.

92
MCQeasy

Which AWS service provides a private, dedicated network connection between an organization's on-premises environment and AWS through a colocation facility or telecommunications partner?

A.AWS VPN CloudHub
B.AWS Direct Connect
C.Amazon CloudFront Private Content
D.AWS PrivateLink
AnswerB

Direct Connect provides private, dedicated 1/10/100 Gbps connections to AWS through partner locations, bypassing the public internet for consistent performance and lower data transfer costs.

Why this answer

AWS Direct Connect is the correct answer because it provides a private, dedicated network connection from an on-premises data center to AWS, bypassing the public internet. This connection is established through a colocation facility or a telecommunications partner using industry-standard 802.1Q VLANs, offering consistent latency and higher bandwidth than internet-based VPNs.

Exam trap

The trap here is confusing AWS Direct Connect with AWS VPN solutions (like VPN CloudHub) because both can connect on-premises networks, but only Direct Connect offers a private, dedicated physical link that avoids the public internet entirely.

How to eliminate wrong answers

Option A is wrong because AWS VPN CloudHub uses IPsec VPN tunnels over the public internet to connect multiple on-premises sites to AWS, not a private dedicated physical connection. Option C is wrong because Amazon CloudFront Private Content is a content delivery service that restricts access to cached objects using signed URLs or cookies, not a network connectivity solution. Option D is wrong because AWS PrivateLink provides private connectivity between VPCs and AWS services using Elastic Network Interfaces and VPC endpoints, but it does not extend to on-premises environments via a colocation facility.

93
MCQeasy

Which AWS storage type provides the lowest latency storage for a single EC2 instance, with data stored on NVMe SSDs physically attached to the host computer?

A.Amazon EBS (Elastic Block Store)
B.Amazon EFS (Elastic File System)
C.EC2 Instance Store
D.Amazon S3
AnswerC

Instance store provides physically attached NVMe SSDs with the lowest possible latency for EC2 storage — ideal for temporary data like buffers, caches, and scratch data. Data is lost when the instance stops.

Why this answer

EC2 Instance Store provides temporary block-level storage for an EC2 instance, with data stored on NVMe SSDs that are physically attached to the host computer. This direct attachment eliminates network latency, offering the lowest possible latency for a single EC2 instance compared to any network-attached storage option.

Exam trap

The trap here is that candidates often confuse Amazon EBS with local storage, but EBS is network-attached and cannot match the latency of physically attached NVMe SSDs, which is the key differentiator for this question.

How to eliminate wrong answers

Option A is wrong because Amazon EBS is network-attached block storage accessed over the AWS network, which introduces higher latency than locally attached NVMe SSDs. Option B is wrong because Amazon EFS is a network file system (NFS) that provides shared file storage across multiple instances, not low-latency block storage for a single instance. Option D is wrong because Amazon S3 is object storage accessed via HTTP/S endpoints, designed for durability and scalability, not for low-latency block-level access from a single EC2 instance.

94
Drag & Dropmedium

Drag and drop the steps to launch an EC2 instance in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Launching an EC2 instance involves selecting the OS (AMI), hardware (instance type), networking, storage, and security before launch.

95
MCQmedium

A company manages 15 AWS accounts through AWS Organizations. The finance team needs to perform custom analysis of monthly costs across all accounts. They want to download a detailed, hourly-level CSV file that breaks down usage and costs by service, by member account, and by user-defined cost allocation tags. The file must be delivered to an Amazon S3 bucket daily, and the team will then query the data using Amazon Athena and create dashboards in Amazon QuickSight. Which AWS feature should they configure to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Cost and Usage Report (CUR)
D.AWS Trusted Advisor
AnswerC

The AWS Cost and Usage Report contains the most detailed billing data available, including hourly usage and costs, broken down by service, member account, and cost allocation tags. It can be delivered to an S3 bucket on a daily basis, making it ideal for custom analysis with Amazon Athena and Amazon QuickSight.

Why this answer

The AWS Cost and Usage Report (CUR) is the only feature that delivers a detailed, hourly-level CSV file with granular breakdowns by service, member account, and user-defined cost allocation tags. It can be automatically published to an S3 bucket daily, enabling downstream analysis with Athena and QuickSight.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's manual CSV export capability with the automated, granular, S3-delivered reporting that only CUR provides, especially when the question emphasizes hourly detail and daily delivery to S3.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting tool, not a data export mechanism; it cannot generate hourly-level CSV files or deliver them to S3. Option B is wrong because AWS Cost Explorer provides on-demand visualizations and CSV exports of cost data, but it does not support automated daily delivery of hourly-level, tag-detailed reports to an S3 bucket for Athena querying.

96
MCQmedium

A company is migrating its workloads to AWS. The IT team is concerned that they will lose visibility into which specific physical server is running their application. A solutions architect explains that AWS abstracts the underlying hardware, allowing customers to focus on their applications without managing physical infrastructure. The architect also notes that AWS pools resources from a large number of data centers to serve multiple customers, and changes the physical location of resources dynamically. Which essential characteristic of cloud computing does this scenario best describe?

A.Rapid elasticity
B.Measured service
C.Resource pooling
D.On-demand self-service
AnswerC

Correct. This scenario directly illustrates resource pooling. The cloud provider combines physical resources from multiple data centers into a shared pool, dynamically allocating them to customers. Customers do not know the exact physical server hosting their workload, which matches the IT team's concern and the architect's explanation.

Why this answer

The scenario describes AWS pooling compute resources from multiple data centers to serve multiple customers, with the physical location of resources changing dynamically. This directly aligns with the 'resource pooling' characteristic of cloud computing, where the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer has no knowledge or control over the exact physical location of the provided resources (e.g., which specific server runs their application), which matches the concern in the question.

Exam trap

The trap here is that candidates confuse 'resource pooling' (the multi-tenant sharing of physical infrastructure) with 'rapid elasticity' (the ability to scale resources), because both involve dynamic resource changes, but the key distinction is that pooling is about shared physical hardware and location abstraction, not scaling speed.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to quickly scale resources up or down based on demand, not the abstraction of physical hardware or pooling of resources across data centers. Option B is wrong because measured service involves metering and billing for resource usage (e.g., pay-per-use), not the multi-tenant pooling of infrastructure or the lack of visibility into physical servers.

97
MCQmedium

A company has multiple AWS accounts consolidated under AWS Organizations. The finance team wants to set a hard monthly cost limit for a development account. If the forecasted costs for the month exceed that limit, the team wants AWS to automatically stop all non-critical Amazon EC2 instances in that account to prevent overspending. The team also needs to receive an email alert when the cost threshold is first crossed. Which AWS service or feature should the team use to define the budget and configure the automated action?

A.AWS Budgets with an Amazon EC2 action
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Organizations
AnswerA

AWS Budgets supports creating budget actions that can automatically stop or terminate Amazon EC2 instances when a cost or usage threshold is exceeded. This meets the requirement for both the automated action and the email alert.

Why this answer

AWS Budgets allows you to set a cost budget with a threshold and, when forecasted costs exceed that threshold, trigger an AWS Budgets action to stop specific Amazon EC2 instances. This meets the requirement for a hard monthly cost limit and automated instance stoppage, while also sending an email alert via Amazon SNS when the threshold is first crossed.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer's cost monitoring capabilities with the ability to set budgets and automate actions, but Cost Explorer lacks the action trigger feature that AWS Budgets provides.

How to eliminate wrong answers

Option B is wrong because AWS Cost Explorer provides cost visualization and analysis but does not support defining budgets or triggering automated actions to stop EC2 instances. Option C is wrong because AWS Trusted Advisor offers cost optimization recommendations and checks but cannot enforce hard cost limits or automatically stop resources based on budget thresholds.

98
MCQmedium

A media company stores video files in Amazon S3 and needs to transcode them into multiple formats for different devices. Which AWS service is purpose-built for this workflow?

A.Amazon Kinesis Video Streams
B.Amazon Elastic Transcoder
C.AWS Lambda
D.Amazon Rekognition
AnswerB

Elastic Transcoder transcodes media files in S3 into multiple output formats optimized for different playback devices, integrated natively with S3.

Why this answer

Amazon Elastic Transcoder is a purpose-built media transcoding service that converts video files stored in Amazon S3 into the formats required by various devices. It handles the complexities of transcoding, including format conversion, resolution scaling, and bitrate adjustment, without requiring you to manage underlying infrastructure.

Exam trap

The trap here is that candidates may confuse Amazon Kinesis Video Streams (which deals with video but is for streaming/ingestion) with a transcoding service, or think AWS Lambda can easily handle transcoding without recognizing the specialized, managed nature of Elastic Transcoder.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Video Streams is designed for real-time video ingestion and analytics from devices, not for batch transcoding of stored video files. Option C is wrong because AWS Lambda is a serverless compute service for running code in response to events, not a dedicated transcoding service; while you could build a transcoding workflow with Lambda, it is not purpose-built for this task and would require significant custom code and dependencies. Option D is wrong because Amazon Rekognition is a computer vision service for image and video analysis (e.g., object detection, facial recognition), not for transcoding media into different formats.

99
MCQeasy

Which AWS compute service is best suited for running batch processing jobs that require specific compute resources and can run for hours or days without user interaction?

A.AWS Lambda
B.Amazon EC2 with manual provisioning
C.AWS Batch
D.Amazon ECS with Fargate
AnswerC

AWS Batch manages job queues, schedules jobs, provisions appropriate EC2 or Spot Instances, and terminates resources when done — ideal for long-running batch processing.

Why this answer

AWS Batch is purpose-built for running batch computing workloads that can run for extended durations without user interaction. It dynamically provisions the optimal quantity and type of compute resources (e.g., EC2 instances or Spot Instances) based on the volume and specific resource requirements of the submitted jobs, making it ideal for hours- or days-long batch processing.

Exam trap

The trap here is that candidates often confuse AWS Lambda's serverless model with batch processing, overlooking Lambda's hard 15-minute timeout and lack of support for long-running, resource-intensive workloads.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes and is designed for short-lived, event-driven functions, not for batch jobs that run for hours or days. Option B is wrong because Amazon EC2 with manual provisioning requires you to manually manage instance lifecycle, scaling, and job scheduling, which is inefficient and error-prone for long-running batch workloads compared to a fully managed batch service. Option D is wrong because Amazon ECS with Fargate is a container orchestration service that abstracts server management but lacks native batch job scheduling, queue management, and dependency handling that AWS Batch provides out of the box.

100
MCQmedium

A financial services company runs a high-frequency stock trading platform on AWS. The platform must continue processing trades without any interruption, even if an entire AWS Availability Zone experiences a complete outage. The architecture is designed with duplicate infrastructure in multiple Availability Zones, and all components are active simultaneously. The system is engineered so that if one AZ fails, the remaining AZs continue processing trades instantly, with zero downtime for end users. Which cloud computing concept does this requirement BEST represent?

A.Elasticity
B.High availability
C.Fault tolerance
D.Durability
AnswerC

Fault tolerance is the property that enables a system to continue functioning correctly even when some of its components fail. The scenario's demand for 'zero downtime' and 'instant' continuation of processing after an AZ failure directly matches the definition of fault tolerance. This is typically achieved through active-active redundant deployments.

Why this answer

This requirement describes a system that continues to operate without any interruption even when an entire AWS Availability Zone fails. That is the definition of fault tolerance: the system is designed to survive component failures with zero impact on service. The architecture uses duplicate active infrastructure in multiple AZs so that if one AZ fails, the remaining AZs instantly take over with no downtime, which is fault tolerance, not just high availability.

Exam trap

The trap here is that candidates often confuse high availability with fault tolerance, but high availability allows for a brief failover period (e.g., seconds of downtime), while fault tolerance requires zero downtime and instant continuity, which is the exact requirement in this question.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to survive failures. Option B is wrong because high availability ensures minimal downtime (e.g., 99.99% uptime) but typically allows for a brief failover delay, whereas this requirement demands zero downtime and instant continuity, which is fault tolerance. Option D is wrong because durability refers to the long-term preservation of data without loss, not to the system's ability to continue processing during a failure.

101
MCQmedium

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer. The security team wants to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) at the edge, before the requests reach the application. The company wants to use pre-built rule sets maintained by AWS to quickly enable protection, and the solution should be fully managed with no servers to manage. Which AWS service should the company use?

A.AWS Shield Advanced
B.Amazon GuardDuty
C.AWS WAF
D.AWS Network Firewall
AnswerC

AWS WAF is a fully managed web application firewall that enables customers to monitor and control HTTP(S) requests to their applications. It provides managed rule groups for common threats like SQL injection and cross-site scripting (XSS). The service integrates seamlessly with Application Load Balancers, allowing traffic to be inspected at the edge before reaching the backend instances, and requires no server management.

Why this answer

AWS WAF is a fully managed web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It integrates with Application Load Balancers (ALBs) and allows you to use pre-built, AWS-managed rule sets (e.g., the AWS Managed Rules for SQL injection and XSS) to quickly enable protection at the edge, before traffic reaches the EC2 instances. This meets the requirement for a serverless, managed solution with no infrastructure to maintain.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, mistakenly thinking Shield Advanced handles application-layer attacks like SQL injection, when in fact it focuses on DDoS mitigation at the network and transport layers.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer attacks like SQL injection or XSS. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events; it does not actively block or filter web requests at the application layer.

102
MCQeasy

A startup runs its web application on a few Amazon EC2 instances. Over time, the company scales its infrastructure, adding hundreds more instances to support a growing user base. The company notices that the per-hour cost per instance does not increase as it uses more resources. In fact, AWS has steadily lowered prices for compute and storage services over the years. Which cloud computing concept does this scenario best illustrate?

A.Elasticity
B.Pay-as-you-go pricing
C.Economies of scale
D.High availability
AnswerC

Correct. Economies of scale describe how AWS, by serving millions of customers worldwide, can purchase hardware, operate data centers, and negotiate contracts at massive volumes, achieving lower costs per unit. These savings are then reflected in lower prices for all customers, regardless of their individual consumption level.

Why this answer

Option C is correct because the scenario describes how AWS's per-hour cost per instance does not increase as usage scales, and AWS has steadily lowered prices over time. This directly illustrates economies of scale, where AWS's massive infrastructure investments and operational efficiencies allow it to pass cost savings to customers as usage grows. The key is that the cost per unit (instance-hour) decreases or remains stable at scale, which is the hallmark of economies of scale, not just the ability to scale resources.

Exam trap

The trap here is that candidates confuse 'pay-as-you-go pricing' (a billing model) with 'economies of scale' (a cost advantage from large-scale operations), because both involve cost savings, but the question specifically describes the per-hour cost per instance not increasing and AWS lowering prices over time, which is a direct result of economies of scale, not the pay-as-you-go model itself.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not the cost behavior per instance. Option B is wrong because pay-as-you-go pricing means you only pay for what you use, but the question specifically highlights that the per-hour cost per instance does not increase and AWS lowers prices over time, which is a separate concept from the billing model. Option D is wrong because high availability ensures that applications remain accessible despite failures, typically through redundancy across Availability Zones, and has no direct relation to cost per instance or price reductions.

103
MCQmedium

A company runs a customer-facing web application on a single Amazon EC2 instance. To ensure the application remains accessible if the instance fails, the company launches a second EC2 instance in a different Availability Zone and configures an Application Load Balancer to distribute traffic. The application continues to serve users with minimal downtime during the failure of any single instance. This scenario best demonstrates which cloud computing concept?

A.Elasticity
B.High availability
C.Scalability
D.Fault tolerance
AnswerB

Correct. High availability is the ability to keep applications running with minimal downtime by eliminating single points of failure. Placing instances in multiple Availability Zones behind a load balancer ensures that the application remains accessible even if one instance fails.

Why this answer

High availability is the correct concept because the architecture uses redundant EC2 instances in separate Availability Zones behind an Application Load Balancer to eliminate a single point of failure. If one instance fails, the load balancer automatically routes traffic to the healthy instance, ensuring the application remains accessible with minimal downtime. This design specifically addresses fault tolerance and uptime, not the ability to handle variable load or scale resources.

Exam trap

The trap here is that candidates confuse high availability with elasticity or scalability because all three involve multiple instances, but high availability is specifically about redundancy and fault tolerance to minimize downtime, not about adjusting capacity to meet demand.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, such as adding instances during traffic spikes and removing them when traffic decreases; the scenario describes static redundancy, not dynamic scaling. Option C is wrong because scalability is the capacity to increase resources to handle growing workloads, typically by adding more instances or upgrading instance types; the scenario focuses on maintaining availability during a failure, not on handling increased load.

104
MCQmedium

A company hosts a web application on an Amazon EC2 instance. The company installs its own application software and configures the operating system. The company also uses AWS Key Management Service (AWS KMS) to create a customer-managed key to encrypt data on the Amazon Elastic Block Store (Amazon EBS) volume attached to the instance. According to the AWS shared responsibility model, which of the following is the responsibility of AWS?

A.Encrypting the data on the Amazon EBS volume using the customer-managed key.
B.Patching the operating system of the Amazon EC2 instance.
C.Ensuring the physical security of the data center where the Amazon EC2 instance runs.
D.Configuring the security group rules to restrict traffic to the Amazon EC2 instance.
AnswerC

This is an AWS responsibility. AWS operates and controls the physical security of its data centers, including access controls, surveillance, and environmental systems. This falls under 'security of the cloud.'

Why this answer

Option C is correct because under the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the physical security of data centers, hardware, networking, and facilities where EC2 instances run. This is a foundational layer that customers cannot manage or control.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' as an AWS responsibility, but the shared responsibility model clearly assigns the management of customer-managed keys and the decision to encrypt to the customer, while AWS only provides the encryption infrastructure.

How to eliminate wrong answers

Option A is wrong because encrypting data on the EBS volume using a customer-managed key is a customer action: the customer creates the KMS key, configures the EBS volume to use it, and manages key rotation and permissions. Option B is wrong because patching the operating system of the EC2 instance is the customer's responsibility under the 'security in the cloud' model, as the customer configures and maintains the OS and installed software. Option D is wrong because configuring security group rules to restrict traffic is a customer-controlled network security task; AWS provides the security group infrastructure, but the customer defines and applies the rules.

105
MCQmedium

A hospital is evaluating a move of its patient records system to the AWS Cloud. The hospital's compliance officer is concerned that the underlying physical servers in the cloud are shared with other customers, which could potentially expose sensitive patient data. The hospital wants a clear explanation of how AWS prevents one customer from accessing another customer's data even though they reside on the same physical hardware. Which essential characteristic of cloud computing best describes the mechanism that achieves this isolation?

A.On-demand self-service
B.Resource pooling
C.Rapid elasticity
D.Measured service
AnswerB

Resource pooling is the cloud characteristic where the provider's computing resources are pooled to serve multiple customers using a multi-tenant model. Virtualization provides strong logical isolation between customers, preventing data access across tenants. This directly addresses the compliance officer's concern about data security on shared hardware.

Why this answer

Resource pooling is the correct answer because it describes how AWS multi-tenancy works: physical resources like servers and storage are pooled to serve multiple customers, but strict logical isolation is enforced through hypervisor-level virtualization. The hypervisor (e.g., Xen or Nitro) ensures each customer's virtual machines operate in separate memory spaces and cannot access another customer's data, even on the same physical host. This isolation is a fundamental design of cloud computing, not a security flaw.

Exam trap

The trap here is that candidates confuse 'resource pooling' with security vulnerabilities, thinking shared hardware implies shared data, when in fact resource pooling is the very characteristic that enables secure multi-tenancy through hypervisor isolation.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to the ability to provision resources automatically without human interaction, not to data isolation mechanisms. Option C is wrong because rapid elasticity describes the ability to scale resources up or down quickly based on demand, which has nothing to do with preventing cross-customer data access. Option D is wrong because measured service involves metering and billing for resource usage (e.g., pay-per-use), not the logical separation of customer data on shared hardware.

106
MCQhard

A company recently migrated to AWS and needs to ensure their S3 buckets are not publicly accessible. Which combination of controls best prevents accidental public S3 exposure?

A.Enable S3 server-side encryption on all buckets
B.Enable S3 Block Public Access at the account level and use AWS Config to detect violations
C.Enable S3 versioning on all buckets
D.Enable S3 Transfer Acceleration for all buckets
AnswerB

Account-level Block Public Access prevents any bucket from being made public (overrides all bucket policies/ACLs), while Config provides ongoing compliance monitoring to detect any policy drift.

Why this answer

Option B is correct because S3 Block Public Access at the account level provides a centralized, enforceable guardrail that prevents any bucket or object from being made publicly accessible, overriding any bucket-level policies or ACLs. AWS Config can then continuously monitor for configuration violations, such as a bucket policy that grants public access, and trigger remediation or alerts. Together, these controls create a defense-in-depth approach that both prevents accidental exposure and detects non-compliance.

Exam trap

The trap here is that candidates often confuse data protection features (encryption, versioning, acceleration) with access control mechanisms, leading them to select options that secure data in transit or at rest but do not prevent public exposure.

How to eliminate wrong answers

Option A is wrong because S3 server-side encryption protects data at rest but does not control access permissions; a bucket can be encrypted yet still publicly readable. Option C is wrong because S3 versioning preserves object versions and aids in recovery from accidental deletion or overwrites, but it has no effect on public access controls. Option D is wrong because S3 Transfer Acceleration speeds up uploads over long distances using edge locations, but it does not modify or enforce bucket access policies.

107
MCQmedium

A company runs multiple workloads in separate Amazon VPCs within the same AWS Region. The networking team needs to enable connectivity between all VPCs using private IP addresses. Additionally, the team must connect all VPCs to the company's on-premises data center through a single AWS Site-to-Site VPN connection to minimize costs and simplify management. The solution must support transitive routing so that any VPC can communicate with any other VPC and with the on-premises network. Which AWS service should the networking team use to meet these requirements?

A.VPC Peering with a VPN attachment to a Virtual Private Gateway
B.AWS Transit Gateway with VPN attachments
C.AWS Direct Connect gateway with VPC associations
D.A Network Load Balancer with VPN endpoints
AnswerB

Correct. AWS Transit Gateway acts as a central hub, enabling transitive routing between all attached VPCs and VPN connections. By attaching a single Site-to-Site VPN to the Transit Gateway, all VPCs can communicate with each other and with the on-premises network using private IP addresses, simplifying management and reducing costs.

Why this answer

AWS Transit Gateway acts as a central hub that connects multiple VPCs and on-premises networks through a single VPN attachment, supporting transitive routing between all connected networks. This meets the requirements for private IP connectivity, cost minimization, and simplified management by avoiding the need for full-mesh VPC peering or multiple VPN connections.

Exam trap

The trap here is that candidates often confuse VPC Peering with transitive routing, assuming that multiple peering connections can forward traffic between VPCs, but AWS explicitly does not support transitive routing through VPC peering.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; each peering connection is a one-to-one relationship, and traffic cannot flow through an intermediate VPC to reach another VPC or the on-premises network. Option C is wrong because AWS Direct Connect gateway is designed for connecting Direct Connect virtual interfaces to VPCs, not for transitive routing between multiple VPCs, and it does not natively support Site-to-Site VPN attachments. Option D is wrong because a Network Load Balancer operates at Layer 4 for distributing traffic to targets, not as a routing hub for VPC-to-VPC or VPC-to-on-premises connectivity, and it cannot provide transitive routing or VPN termination.

108
MCQmedium

A company is deploying an application that processes payment card data. Which AWS compliance program provides assurance that AWS infrastructure meets Payment Card Industry Data Security Standard requirements?

A.SOC 2 Type II
B.PCI DSS Level 1 compliance
C.HIPAA compliance
D.ISO 27001 certification
AnswerB

AWS maintains PCI DSS Level 1 certification (the highest level) for its infrastructure and services. Customers can access AWS's Attestation of Compliance via AWS Artifact to support their own PCI compliance programs.

Why this answer

PCI DSS Level 1 compliance is the highest level of validation for organizations that process payment card data, and AWS has been validated as a Level 1 service provider. This means AWS infrastructure has undergone the required on-site assessments and annual audits to meet the Payment Card Industry Data Security Standard (PCI DSS) requirements, providing assurance for the company's deployment.

Exam trap

The trap here is that candidates often confuse general security certifications (like SOC 2 or ISO 27001) with the specific, mandatory compliance program for payment card data, which is PCI DSS Level 1.

How to eliminate wrong answers

Option A is wrong because SOC 2 Type II reports focus on controls related to security, availability, processing integrity, confidentiality, and privacy, but they do not specifically certify compliance with PCI DSS requirements. Option C is wrong because HIPAA compliance is specific to the healthcare industry and protects protected health information (PHI), not payment card data. Option D is wrong because ISO 27001 certification is a general information security management standard that does not specifically address the 12 requirements of PCI DSS.

109
MCQmedium

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The security team requires that no long-term access keys be stored on the instance. Which IAM feature should be used to grant the EC2 instance permission to access S3?

A.Create an IAM user and embed the access key in the application code
B.Store the access key in an EC2 environment variable
C.Attach an IAM role to the EC2 instance
D.Use an IAM group to assign the permissions to the EC2 instance
AnswerC

An IAM role attached to an EC2 instance (via an instance profile) provides temporary, automatically rotating credentials. The EC2 metadata service delivers these credentials to the application, eliminating the need to store any long-term access keys.

Why this answer

Option C is correct because an IAM role can be attached to an EC2 instance, allowing the instance to obtain temporary security credentials from AWS STS via the instance metadata service. This eliminates the need to store long-term access keys on the instance, satisfying the security team's requirement. The EC2 instance automatically rotates these temporary credentials before they expire, providing secure, programmatic access to the S3 bucket.

Exam trap

The trap here is that candidates may confuse IAM roles with IAM users or groups, thinking that any IAM entity can be attached to an EC2 instance, but only IAM roles support the temporary credential workflow required for secure, keyless access.

How to eliminate wrong answers

Option A is wrong because embedding an IAM user's access key in application code stores long-term credentials on the instance, directly violating the security requirement. Option B is wrong because storing the access key in an EC2 environment variable still persists long-term credentials on the instance, which is insecure and contradicts the no-long-term-keys policy. Option D is wrong because an IAM group is used to manage permissions for IAM users, not for EC2 instances; it cannot be directly attached to an EC2 instance to grant permissions.

110
MCQmedium

A company has a web application deployed on AWS in the us-west-2 Region. The application is accessed by users across the globe, including Europe, Asia, and South America. The company wants to improve the application's performance for international users by reducing latency and packet loss. The solution must route user traffic over the AWS global network to the closest edge location. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 (with latency-based routing)
D.AWS Direct Connect
AnswerB

AWS Global Accelerator is designed to improve the performance of global applications by directing user traffic over the AWS global network to the closest edge location. It uses anycast IP addresses and routes traffic to the optimal endpoint based on location, network conditions, and health. This reduces latency and packet loss for global users, making it the correct choice for the described requirements.

Why this answer

AWS Global Accelerator is the correct choice because it uses the AWS global network to route user traffic to the closest edge location via Anycast IP addresses, reducing latency and packet loss. It optimizes the path from users to the application by directing traffic to the nearest edge endpoint, then forwarding it over the AWS backbone to the application in us-west-2. This improves performance for international users without caching content, unlike a CDN.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's edge caching with Global Accelerator's network path optimization, assuming a CDN is always the best choice for reducing latency, but CloudFront does not improve the network path for non-cacheable traffic or dynamic API calls.

How to eliminate wrong answers

Option A (Amazon CloudFront) is wrong because it is a content delivery network (CDN) that caches static and dynamic content at edge locations, but the question focuses on reducing latency and packet loss for a web application that likely requires real-time, non-cacheable traffic; CloudFront does not optimize the network path for all TCP/UDP traffic like Global Accelerator does. Option C (Amazon Route 53 with latency-based routing) is wrong because it only resolves DNS queries to the endpoint with the lowest latency, but it does not route traffic over the AWS global network or provide a fixed entry point; it relies on client DNS resolvers and can be affected by DNS caching, leading to suboptimal paths. Option D (AWS Direct Connect) is wrong because it establishes a dedicated private connection from an on-premises data center to AWS, not for global user traffic; it does not route users to the closest edge location and is designed for hybrid cloud connectivity, not internet-facing application performance.

111
MCQmedium

A company runs a read-heavy web application on Amazon EC2 instances that queries an Amazon RDS database. As traffic grows, the database CPU utilization is consistently high, causing slow response times for users. The company wants to reduce the load on the database by caching frequently accessed query results. They need a fully managed, in-memory caching service that can be set up quickly and integrates with common programming languages. Which AWS service should they use?

A.Amazon DynamoDB Accelerator (DAX)
B.Amazon ElastiCache
C.Amazon CloudFront
D.Amazon S3 Transfer Acceleration
AnswerB

Amazon ElastiCache is a fully managed in-memory caching service that supports Redis and Memcached. It can be used to cache frequently accessed database query results, reducing the load on Amazon RDS and improving application response times.

Why this answer

Amazon ElastiCache is a fully managed, in-memory caching service that supports Redis and Memcached, both of which integrate with common programming languages via standard client libraries. It can be deployed quickly to cache frequently accessed database query results, offloading read traffic from the Amazon RDS instance and reducing CPU utilization.

Exam trap

The trap here is that candidates may confuse DAX (a DynamoDB-specific cache) with a general-purpose cache, or think CloudFront can cache database query results, when in fact ElastiCache is the correct service for caching RDS query outputs in a read-heavy application.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB Accelerator (DAX) is an in-memory cache specifically for Amazon DynamoDB tables, not for an Amazon RDS database. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic web content at edge locations, not a database query result cache, and it does not integrate directly with application code to cache RDS query outputs. Option D is wrong because Amazon S3 Transfer Acceleration speeds up uploads to S3 over long distances using optimized network paths and edge locations; it is not an in-memory caching service for database queries.

112
MCQmedium

A company is launching a new application and expects user demand to grow gradually over the next 12 months. To control upfront costs, the company plans to start with a small number of Amazon EC2 instances and manually add more instances each month as the user base increases. The operations team will monitor usage and adjust capacity based on observed trends. Which cloud computing concept does this approach BEST illustrate?

A.Elasticity
B.Scalability
C.High availability
D.Fault tolerance
AnswerB

Scalability is the ability to increase capacity to handle greater load. The company's approach of manually adding EC2 instances as user demand grows is a direct example of scaling up over time, making this the correct answer.

Why this answer

The scenario describes manually adding EC2 instances over time to match growing demand, which is a classic example of scalability—the ability to increase or decrease resources to handle changing workloads. Scalability focuses on planned capacity adjustments, whereas elasticity involves automatic, real-time scaling in response to demand fluctuations. Here, the manual, monthly additions based on observed trends align with scalability, not the automated provisioning that defines elasticity.

Exam trap

The trap here is that candidates confuse scalability with elasticity, assuming any capacity adjustment is elasticity, but the key differentiator is automation—elasticity requires automatic, real-time scaling, while manual, planned adjustments are scalability.

How to eliminate wrong answers

Option A is wrong because elasticity refers to automatically scaling resources up or down in real time based on demand, not manually adding instances on a monthly schedule. Option C is wrong because high availability ensures that applications remain accessible despite failures, typically through redundant infrastructure across multiple Availability Zones, not through capacity scaling. Option D is wrong because fault tolerance is the ability to continue operating without interruption after a component failure, often using redundant systems and failover mechanisms, which is unrelated to adding capacity for growth.

113
MCQmedium

A company wants to take advantage of AWS's global infrastructure to replicate their database to a second geographic region for disaster recovery. Which benefit of cloud computing does this leverage?

A.Economies of scale
B.Trade capital expense for variable expense
C.Go global in minutes
D.Increase speed and agility for experiments
AnswerC

AWS's presence in dozens of regions worldwide means deploying in a new geographic location takes minutes via the same console and APIs — not months of hardware procurement.

Why this answer

Option C is correct because AWS's global infrastructure allows you to deploy resources, such as database replicas, across multiple geographic regions in minutes. By using services like Amazon RDS Cross-Region Read Replicas or Aurora Global Database, you can replicate data to a second region for disaster recovery, leveraging the cloud's ability to rapidly expand globally without provisioning physical data centers.

Exam trap

The trap here is that candidates confuse 'go global in minutes' with 'economies of scale' or 'speed and agility,' but the question specifically asks about leveraging global infrastructure for geographic replication, not cost savings or experimental speed.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost advantages from massive infrastructure purchasing, not the ability to replicate data across regions for disaster recovery. Option B is wrong because trading capital expense for variable expense describes the shift from upfront hardware costs to pay-as-you-go pricing, which is unrelated to geographic replication. Option D is wrong because increasing speed and agility for experiments focuses on rapid prototyping and testing, not on deploying a disaster recovery solution across regions.

114
MCQmedium

A company operates in three separate AWS accounts: one for development, one for testing, and one for production. The company wants to take advantage of volume pricing discounts across all accounts for services such as Amazon S3 and Amazon EC2. The finance team also wants to view a single, consolidated monthly bill that aggregates charges from all accounts. Which AWS feature should the company implement?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Organizations with consolidated billing
D.AWS Trusted Advisor
AnswerC

Consolidated billing is a feature of AWS Organizations that aggregates the usage of all member accounts into a single bill for the management (payer) account. This enables volume discounts across all accounts and simplifies billing administration.

Why this answer

AWS Organizations with consolidated billing is the correct feature because it allows the company to combine all three AWS accounts (development, testing, production) into a single organization, enabling volume pricing discounts across accounts for services like Amazon S3 and Amazon EC2. It also aggregates usage from all accounts into a single monthly bill, which the finance team can view. This is the only AWS feature that directly provides both consolidated billing and aggregated usage for pricing benefits.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer or AWS Budgets with billing consolidation, but neither feature aggregates usage or applies volume discounts across accounts—only AWS Organizations with consolidated billing does that.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing and analyzing cost and usage data, but it does not consolidate billing across multiple accounts or enable volume pricing discounts. Option B is wrong because AWS Budgets is used to set custom cost and usage budgets and receive alerts, but it does not aggregate charges or provide volume discounts across accounts. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it does not consolidate billing or apply volume pricing discounts across accounts.

115
MCQmedium

A global e-commerce company stores product images and videos in an Amazon S3 bucket located in the us-west-2 Region. Customers worldwide report slow page load times. The company also wants to protect its website against common distributed denial-of-service (DDoS) attacks without incurring additional costs for a dedicated DDoS protection service. Which AWS service should the company use to meet both requirements?

A.Amazon S3 Transfer Acceleration
B.AWS Global Accelerator
C.Amazon CloudFront
D.AWS Shield Advanced
AnswerC

Amazon CloudFront caches content at edge locations globally, significantly reducing latency for users. It also includes AWS Shield Standard, which automatically protects against common DDoS attacks. This combination meets both the performance and security requirements without additional charges.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations worldwide, reducing latency for global users. It also includes AWS Shield Standard at no additional cost, which provides always-on protection against common DDoS attacks (e.g., SYN floods, UDP reflection). This combination directly addresses both the slow page load times and the need for cost-effective DDoS protection.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator with a CDN, but Global Accelerator does not cache content—it only optimizes network routing, so it cannot reduce latency for repeated requests to static assets like images and videos.

How to eliminate wrong answers

Option A is wrong because Amazon S3 Transfer Acceleration only speeds up uploads to S3 by using edge locations for TCP optimization, but it does not cache content or provide any DDoS protection. Option B is wrong because AWS Global Accelerator improves performance by routing traffic over the AWS global network and provides some DDoS protection via Shield Standard, but it does not cache content at edge locations, so it cannot reduce latency for static assets like images and videos as effectively as a CDN. Option D is wrong because AWS Shield Advanced is a paid service ($3,000/month plus data transfer costs) that provides enhanced DDoS protection, but the question explicitly states 'without incurring additional costs for a dedicated DDoS protection service,' making it ineligible.

116
MCQmedium

A company's application needs to process streaming data from IoT sensors in real time and store processed results in S3. Which AWS service is designed for ingesting and processing real-time streaming data?

A.Amazon SQS
B.Amazon Kinesis Data Streams
C.AWS Batch
D.Amazon EMR
AnswerB

Kinesis Data Streams is designed for real-time ingestion of large volumes of streaming data, supporting real-time analytics, dashboards, and continuous processing from IoT and other sources.

Why this answer

Amazon Kinesis Data Streams is purpose-built for ingesting and processing real-time streaming data at scale. It can continuously capture gigabytes of data per second from hundreds of thousands of sources, such as IoT sensors, and integrate with downstream consumers like AWS Lambda or Kinesis Data Analytics for real-time processing before storing results in Amazon S3.

Exam trap

The trap here is that candidates often confuse Amazon SQS (a message queue) with a streaming service, but SQS does not support real-time ordered processing or high-throughput data ingestion from continuous streams like IoT sensors.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a message queue service designed for decoupling application components and asynchronous message delivery, not for real-time streaming data ingestion or ordered processing of continuous data streams. Option C is wrong because AWS Batch is a batch computing service for running large-scale batch jobs, not for real-time stream processing or continuous data ingestion. Option D is wrong because Amazon EMR is a big data platform for processing large datasets using frameworks like Apache Spark and Hadoop, typically in batch or near-real-time modes, but it is not a dedicated service for ingesting and processing real-time streaming data directly.

117
MCQmedium

A company operates its own data center with physical servers that are purchased outright every three years. The company is migrating its entire infrastructure to AWS. The CFO notes that the company will no longer need to make large upfront purchases of hardware and instead will pay monthly for the compute and storage resources used. Which cloud computing benefit does this scenario best illustrate?

A.High availability
B.Resource elasticity
C.Security compliance
D.Shifting capital expense to variable operational expense
AnswerD

Correct. AWS's pay-as-you-go pricing model eliminates the need for large upfront hardware purchases. Instead, costs become variable operational expenses based on actual usage, which is the key financial advantage illustrated in this migration scenario.

Why this answer

This scenario illustrates the shift from capital expenditure (CapEx) to variable operational expenditure (OpEx). In the on-premises model, the company makes large upfront purchases of physical servers every three years, which is a capital expense. By migrating to AWS, the company pays only for the compute and storage resources it consumes on a monthly basis, converting that fixed, upfront cost into a variable operating cost that scales with usage.

Exam trap

The trap here is that candidates often confuse the financial benefit of shifting from CapEx to OpEx with the operational benefit of resource elasticity, but the question specifically focuses on the change in how costs are incurred (upfront vs. monthly usage-based).

How to eliminate wrong answers

Option A is wrong because high availability refers to systems that are designed to remain operational with minimal downtime, typically through redundancy across multiple Availability Zones, not to the financial model of paying for resources. Option B is wrong because resource elasticity describes the ability to automatically scale compute and storage resources up or down based on demand, which is a separate benefit from the change in cost structure. Option C is wrong because security compliance involves adhering to regulatory standards and frameworks (e.g., SOC, PCI DSS) through AWS shared responsibility model, not the transformation of hardware procurement costs.

118
MCQmedium

A company is migrating a business-critical workload to AWS. The company wants to ensure it has access to a dedicated Technical Account Manager (TAM) who will provide proactive guidance, architectural reviews, and operational support. Additionally, the company requires the Infrastructure Event Management (IEM) service to assist with the migration launch, and it wants the full set of AWS Trusted Advisor best practice checks across all categories (cost optimization, performance, security, fault tolerance, service limits). Which AWS Support plan should the company select?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise Support
AnswerD

AWS Enterprise Support is the correct choice. It includes a dedicated Technical Account Manager (TAM) for proactive guidance, includes Infrastructure Event Management (IEM) for migration support, and provides full access to all AWS Trusted Advisor best practice checks. This plan meets all the specified requirements.

Why this answer

AWS Enterprise Support is the only plan that provides a dedicated Technical Account Manager (TAM) for proactive guidance, architectural reviews, and operational support. It also includes Infrastructure Event Management (IEM) for migration launches and full access to all AWS Trusted Advisor best practice checks across all categories, including cost optimization, performance, security, fault tolerance, and service limits. Lower-tier plans lack one or more of these critical features.

Exam trap

The trap here is that candidates may confuse AWS Business Support with Enterprise Support because both offer full Trusted Advisor checks and IEM, but only Enterprise Support includes a dedicated TAM, which is explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support does not include a TAM, IEM, or any Trusted Advisor checks beyond basic service limits. Option B is wrong because AWS Developer Support provides only general guidance via email and limited Trusted Advisor checks (only service limits), with no TAM or IEM. Option C is wrong because AWS Business Support offers full Trusted Advisor checks and IEM (for an additional fee), but it does not include a dedicated TAM, which is a requirement in the question.

119
MCQmedium

A company runs 200 Amazon EC2 instances for its web application. The finance team wants to identify instances that are over-provisioned or underutilized to reduce costs. The team needs automated recommendations that consider the instance's CPU, memory, and network utilization patterns over the past 14 days. Which AWS service should the team use?

A.AWS Compute Optimizer
B.AWS Trusted Advisor
C.AWS Cost Explorer
D.AWS Budgets
AnswerA

This option is correct because AWS Compute Optimizer analyzes utilization patterns over a configurable lookback period (up to 93 days, default 14 days) and delivers actionable rightsizing recommendations to help reduce costs.

Why this answer

AWS Compute Optimizer is the correct service because it uses machine learning to analyze historical utilization metrics (CPU, memory, network) over a specified lookback period (up to 93 days, but 14 days is supported) and generates actionable recommendations to right-size EC2 instances. It specifically identifies over-provisioned and underutilized instances, directly addressing the finance team's cost-reduction goal with automated, metric-driven insights.

Exam trap

The trap here is that candidates often choose AWS Trusted Advisor because it is a well-known cost optimization tool, but they overlook that it only checks CPU utilization and ignores memory and network metrics, which are explicitly required in the question.

How to eliminate wrong answers

Option B (AWS Trusted Advisor) is wrong because while it provides cost optimization checks (e.g., underutilized EC2 instances), it only checks CPU utilization over a 14-day period and does not consider memory or network utilization patterns, making it insufficient for the team's requirement. Option C (AWS Cost Explorer) is wrong because it focuses on visualizing and analyzing historical cost and usage data, not on providing specific right-sizing recommendations based on resource utilization metrics like CPU, memory, and network. Option D (AWS Budgets) is wrong because it is used to set custom cost and usage budgets and send alerts when thresholds are exceeded, not to analyze instance utilization or generate optimization recommendations.

120
MCQmedium

A start-up is evaluating cloud providers for its new application. The company's CTO learns that the cloud provider negotiates bulk discounts with hardware vendors and data center operators, and passes these savings on to customers through lower service prices. The CTO also notes that the provider's vast infrastructure allows customers to benefit from the provider's operational expertise in running large-scale data centers. Which benefit of cloud computing does this scenario BEST represent?

A.Pay-as-you-go pricing
B.Resource pooling
C.Economies of scale
D.High availability
AnswerC

Correct. Economies of scale allow cloud providers to reduce costs through massive infrastructure operations and volume discounts, and they pass these cost reductions on to customers.

Why this answer

Economies of scale occur when a cloud provider achieves lower per-unit costs by operating at a massive scale. The provider purchases hardware in bulk, optimizes data center operations, and leverages expertise across many customers. These savings are then reflected in lower prices for all customers.

The scenario directly describes this benefit—lower prices from bulk purchasing and operational expertise passed on to the customer.

121
MCQmedium

A company runs a data analytics application on an Amazon EC2 instance. The application needs to read CSV files from an Amazon S3 bucket to process them. The security team requires that no long-term AWS credentials (access key ID and secret access key) be stored on the instance. The instance is already launched in a private subnet within a VPC. Which solution meets the security requirement and provides the necessary access?

A.Store the AWS access key ID and secret access key in a configuration file on the instance's local disk.
B.Create an IAM role with the required S3 read permissions. Attach the role to the EC2 instance profile.
C.Write a resource-based policy on the S3 bucket that allows access based on the private IP address of the EC2 instance.
D.Create a new IAM user with the required permissions. Store the IAM user's access key and secret key in AWS Systems Manager Parameter Store, and configure the application to retrieve them at runtime.
AnswerB

This is the correct and most secure method. The EC2 instance assumes the IAM role, obtaining temporary, automatically-rotated credentials. No long-term secrets are stored on the instance, complying with the security policy.

Why this answer

Option B is correct because it uses an IAM role attached to an EC2 instance profile, which allows the application to obtain temporary AWS credentials via the instance metadata service (IMDS). This eliminates the need to store long-term access keys on the instance, satisfying the security requirement while granting the necessary S3 read permissions.

Exam trap

The trap here is that candidates may think storing credentials in a secure service like Systems Manager Parameter Store (Option D) is sufficient, but it still involves long-term IAM user keys, whereas the IAM role approach provides fully temporary credentials that are automatically rotated and never stored on the instance.

How to eliminate wrong answers

Option A is wrong because storing the AWS access key ID and secret access key in a configuration file on the instance's local disk directly violates the security requirement by persisting long-term credentials. Option C is wrong because S3 bucket policies cannot grant access based on an EC2 instance's private IP address; they support conditions like aws:SourceIp but only for public IPs, and private IPs are not routable or verifiable by S3. Option D is wrong because while it retrieves credentials from Systems Manager Parameter Store at runtime, the IAM user's access key and secret key are still long-term credentials that must be stored or transmitted, and the application would need to manage them, which does not fully eliminate the risk of credential exposure.

122
MCQeasy

Which AWS support plan is the minimum level required to access the full set of AWS Trusted Advisor checks?

A.Basic
B.Developer
C.Business
D.Enterprise
AnswerC

Business support unlocks all Trusted Advisor checks across cost optimization, performance, security, fault tolerance, and service limits.

Why this answer

The Business support plan is the minimum level required to access the full set of AWS Trusted Advisor checks. While the Basic and Developer plans provide access to only a subset of seven core checks (such as service limits and security groups), the Business plan unlocks all Trusted Advisor checks, including cost optimization, performance, and fault tolerance checks. The Enterprise plan also provides full access but is not the minimum level required.

Exam trap

The trap here is that candidates often assume the Developer plan provides full Trusted Advisor access because it is the first paid support plan, but AWS deliberately restricts full checks to Business and above, testing your knowledge of the specific plan boundaries.

How to eliminate wrong answers

Option A is wrong because the Basic support plan only includes the seven core Trusted Advisor checks (service limits, security groups, etc.) and does not provide access to the full set of checks. Option B is wrong because the Developer support plan, like Basic, only includes the seven core Trusted Advisor checks and does not unlock the full set. Option D is wrong because the Enterprise support plan does provide full Trusted Advisor checks, but it is not the minimum level required; the Business plan is the minimum.

123
MCQmedium

A data analyst needs to run SQL queries directly against log files stored in Amazon S3 without loading the data into a database and without provisioning any servers. Which AWS service enables this?

A.Amazon RDS
B.Amazon Redshift
C.Amazon Athena
D.Amazon DynamoDB
AnswerC

Athena is a serverless service that queries data directly in S3 using standard SQL. No database loading or server provisioning is required — the analyst defines a schema over the S3 data and runs SQL immediately.

Why this answer

Amazon Athena is a serverless interactive query service that allows you to analyze data directly in Amazon S3 using standard SQL. It requires no infrastructure to manage and charges only for the data scanned per query, making it ideal for ad-hoc analysis of log files without loading data into a database.

Exam trap

The trap here is that candidates often confuse Amazon Athena with Amazon Redshift Spectrum, but the question explicitly states 'without provisioning any servers,' which eliminates Redshift because it requires a provisioned cluster even when using Spectrum.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a managed relational database service that requires provisioning database instances and loading data into them, not querying data directly from S3. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse that requires provisioning a cluster and loading data into it, and it does not natively support querying data directly from S3 without using features like Redshift Spectrum, which still requires a provisioned cluster. Option D is wrong because Amazon DynamoDB is a NoSQL key-value and document database that requires loading data into tables and does not support SQL queries against files in S3.

124
MCQmedium

A company is evaluating whether to use AWS Compute Savings Plans or EC2 Instance Savings Plans. Which statement correctly describes when EC2 Instance Savings Plans provide the highest discount?

A.When the workload spans multiple AWS Regions
B.When the workload uses a consistent instance family within a single Region
C.When the workload uses multiple instance families
D.When the workload runs on AWS Fargate
AnswerB

EC2 Instance Savings Plans provide the deepest discounts when committed to a specific instance family in a single region, trading flexibility for lower cost.

Why this answer

EC2 Instance Savings Plans offer the highest discount (up to 72% compared to On-Demand) because they require a commitment to a specific instance family within a single AWS Region. This allows AWS to optimize capacity planning and pass greater savings to the customer, whereas Compute Savings Plans are more flexible but provide lower discounts (up to 66%).

Exam trap

The trap here is that candidates often assume 'highest discount' always means 'most flexible,' but EC2 Instance Savings Plans trade flexibility for deeper savings, so the correct answer requires recognizing that commitment to a single instance family and Region yields the maximum discount.

How to eliminate wrong answers

Option A is wrong because EC2 Instance Savings Plans are Region-specific and cannot span multiple Regions; Compute Savings Plans can cover multiple Regions but with a lower discount. Option C is wrong because EC2 Instance Savings Plans lock you into a single instance family; if you use multiple instance families, you would need Compute Savings Plans or separate plans, which yield lower discounts. Option D is wrong because EC2 Instance Savings Plans do not apply to AWS Fargate; Fargate is only covered by Compute Savings Plans.

125
MCQmedium

A retail company runs a legacy application on a single on-premises server. The application experiences unpredictable traffic surges that degrade performance. The company is considering migrating to the AWS Cloud. Which cloud computing characteristic MOST directly addresses the ability to automatically adjust resources to meet changing demand without manual intervention?

A.Elasticity
B.Scalability
C.High availability
D.Durability
AnswerA

Correct. Elasticity is the ability to automatically provision and release cloud resources in response to changing demand. This directly addresses the company's need to handle traffic surges without manual intervention.

Why this answer

Elasticity is the cloud computing characteristic that enables automatic resource provisioning and de-provisioning to match demand in real time, without manual intervention. For the retail company's legacy application with unpredictable traffic surges, elasticity directly addresses the need to dynamically scale resources up during spikes and down during lulls, which is distinct from the planned, manual scaling of scalability.

Exam trap

The trap here is that candidates often confuse scalability with elasticity, but the question's emphasis on 'automatically adjust resources to meet changing demand without manual intervention' specifically tests the definition of elasticity, not the broader concept of scalability.

How to eliminate wrong answers

Option B (Scalability) is wrong because scalability refers to the ability to handle increased load by adding resources, but it often implies manual or planned scaling (e.g., adding more servers ahead of time), not the automatic, real-time adjustment that the question specifies. Option C (High availability) is wrong because high availability focuses on minimizing downtime through redundancy and failover mechanisms (e.g., multi-AZ deployments), not on automatically adjusting resources to meet changing demand. Option D (Durability) is wrong because durability pertains to data persistence and protection against loss (e.g., Amazon S3's 99.999999999% durability), which is unrelated to dynamic resource adjustment for traffic surges.

126
MCQeasy

Which AWS IAM object should be used to grant permissions to an AWS service (like EC2 or Lambda) to access other AWS services on behalf of the application?

A.IAM User with access keys
B.IAM Group
C.IAM Role
D.IAM Policy
AnswerC

IAM Roles provide temporary credentials to AWS services without long-term access keys. EC2 instances assume the role via instance profile; Lambda has an execution role — the secure way to grant AWS service-to-service permissions.

Why this answer

An IAM Role is the correct AWS identity to grant permissions to an AWS service (e.g., EC2, Lambda) because it provides temporary security credentials via AWS Security Token Service (STS). Unlike IAM Users, roles are designed to be assumed by trusted entities, including AWS services, enabling them to access other AWS resources on behalf of the application without long-lived access keys.

Exam trap

The trap here is that candidates often confuse IAM Policies with IAM Roles, thinking a policy alone can grant permissions to a service, but a policy is just a permission document and must be attached to an identity (like a Role) that the service can assume.

How to eliminate wrong answers

Option A is wrong because an IAM User with access keys is a long-lived identity intended for human users or programmatic access, not for granting permissions to an AWS service; using access keys for services like EC2 or Lambda would require embedding static credentials, which is a security anti-pattern. Option B is wrong because an IAM Group is a container for IAM Users and cannot be directly assigned to an AWS service; groups are used to manage permissions for multiple users, not for service-to-service access. Option D is wrong because an IAM Policy is a document that defines permissions (e.g., JSON policy statements) but is not an identity that can be assumed; a policy must be attached to an IAM User, Group, or Role to grant permissions, and only a Role can be assumed by an AWS service.

127
MCQmedium

A company is designing a highly available application on AWS. The architect plans to deploy application instances across multiple Availability Zones and implement health checks to automatically route traffic away from failed instances. These design decisions primarily contribute to which pillar of the AWS Well-Architected Framework?

A.Operational Excellence
B.Security
C.Reliability
D.Performance Efficiency
AnswerC

Correct. The Reliability pillar encompasses the ability of a workload to recover from infrastructure or service failures, dynamically acquire computing resources to meet demand, and mitigate disruptions. Deploying across multiple Availability Zones and using health checks with automatic failover are fundamental reliability techniques that ensure the application continues to operate when single components fail.

Why this answer

Deploying application instances across multiple Availability Zones and using health checks to route traffic away from failed instances directly increases the system's ability to recover from failures and remain operational. This aligns with the Reliability pillar of the AWS Well-Architected Framework, which focuses on ensuring a workload performs its intended function correctly and consistently when expected, including the ability to recover from infrastructure or service disruptions.

Exam trap

The trap here is that candidates may confuse 'health checks and multi-AZ deployments' with Operational Excellence or Performance Efficiency, but the primary Well-Architected pillar addressed by these specific design decisions is Reliability, as they directly improve fault tolerance and recovery.

How to eliminate wrong answers

Option A is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value, and while health checks and multi-AZ deployments support operations, the primary goal here is fault tolerance and recovery, not operational processes. Option B is wrong because Security focuses on protecting data and systems through mechanisms like encryption, access control, and network boundaries; health checks and multi-AZ deployments do not directly address security controls. Option D is wrong because Performance Efficiency focuses on using computing resources efficiently to meet system requirements and maintain efficiency as demand changes; routing traffic away from failed instances is about availability and fault tolerance, not resource optimization.

128
MCQmedium

A company wants to centralize backup management across multiple AWS services (EC2, RDS, EFS, DynamoDB) from a single place. Which AWS service provides centralized backup management with policy-based scheduling?

A.Amazon S3 Lifecycle policies
B.AWS Backup
C.AWS DataSync
D.Amazon EBS Snapshots
AnswerB

AWS Backup provides centralized backup management with policy-based scheduling, cross-account and cross-region backup, and compliance reporting across multiple AWS services.

Why this answer

AWS Backup is the correct service because it provides a fully managed, centralized backup solution that supports multiple AWS services including EC2, RDS, EFS, and DynamoDB. It allows you to define backup policies with schedule-based automation, retention rules, and lifecycle management from a single console, eliminating the need for custom scripts or per-service manual snapshots.

Exam trap

The trap here is that candidates often confuse AWS Backup with individual snapshot services (like EBS Snapshots) or data transfer tools (like DataSync), failing to recognize that AWS Backup is the only service that provides centralized, policy-based backup management across multiple AWS services.

How to eliminate wrong answers

Option A is wrong because Amazon S3 Lifecycle policies are used to manage object lifecycle transitions (e.g., moving data to S3 Glacier or deleting objects) and do not provide backup scheduling or support for EC2, RDS, EFS, or DynamoDB. Option C is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises storage and AWS (or between AWS services), not a backup management or policy-based scheduling tool. Option D is wrong because Amazon EBS Snapshots are a point-in-time backup mechanism for EBS volumes only, and they lack centralized policy-based scheduling across multiple AWS services like RDS, EFS, or DynamoDB.

129
MCQmedium

A company is launching a critical production application on AWS. The operations team requires technical support with a response time of less than 1 hour for urgent system issues. They also need access to AWS Trusted Advisor best practice checks for cost optimization and security. Which AWS Support plan meets these requirements at the lowest cost?

A.AWS Developer Support
B.AWS Business Support
C.AWS Enterprise On-Ramp Support
D.AWS Enterprise Support
AnswerB

The Business Support plan offers a 1-hour response for urgent (severity 1) cases and full access to Trusted Advisor best practice checks. This meets the requirements at the lowest cost among plans that satisfy these needs.

Why this answer

AWS Business Support provides a response time of less than 1 hour for urgent system issues (production system impaired) and includes full access to AWS Trusted Advisor best practice checks for cost optimization and security. This meets all stated requirements at the lowest cost among the plans that offer these features.

Exam trap

The trap here is that candidates may assume Enterprise On-Ramp or Enterprise Support are required for full Trusted Advisor checks, but Business Support already provides all checks and the 1-hour response time, making it the most cost-effective choice for these specific needs.

How to eliminate wrong answers

Option A is wrong because AWS Developer Support does not include a response time of less than 1 hour for urgent issues (its fastest response is 12 hours for general guidance) and provides only limited Trusted Advisor checks (core checks only, not cost optimization or security). Option C is wrong because AWS Enterprise On-Ramp Support includes the required response time and full Trusted Advisor checks but is more expensive than Business Support, making it not the lowest-cost option. Option D is wrong because AWS Enterprise Support also meets the requirements but is the most expensive plan, designed for large-scale enterprises with additional features like a Technical Account Manager (TAM) and infrastructure event management, which are not needed here.

130
MCQeasy

A solutions architect needs to isolate an application in its own virtual network within AWS, with full control over IP address ranges, subnet definitions, route tables, and internet gateway configuration. Which AWS service provides this capability?

A.Amazon Route 53
B.Amazon CloudFront
C.AWS Direct Connect
D.Amazon VPC
AnswerD

Amazon VPC is the AWS networking service that provides a logically isolated virtual network. Customers define IP CIDR blocks, create public and private subnets, configure route tables, and attach internet gateways to control traffic flow.

Why this answer

Amazon VPC (Virtual Private Cloud) enables you to provision a logically isolated section of the AWS cloud where you can define your own IP address range (using CIDR notation, e.g., 10.0.0.0/16), create subnets, configure route tables, and attach an Internet Gateway for public internet access. This gives you full control over the virtual networking environment, exactly matching the requirement.

Exam trap

The trap here is that candidates often confuse AWS Direct Connect (a physical or virtual private network connection) with the ability to create and control a virtual network, when Direct Connect merely extends an existing VPC and does not provide the foundational network isolation and control that VPC does.

How to eliminate wrong answers

Option A is wrong because Amazon Route 53 is a DNS (Domain Name System) web service that translates domain names to IP addresses, not a service for creating isolated virtual networks. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers content at edge locations, not a service for managing IP ranges, subnets, or route tables. Option C is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, which operates over an existing VPC or VPN, but it does not itself provide the capability to define IP ranges, subnets, or route tables.

131
MCQmedium

A company is assessing their on-premises environment before migrating to AWS. Which AWS service helps discover on-premises servers, profile their utilization, and create a business case for cloud migration?

A.AWS Migration Hub
B.AWS Application Discovery Service
C.AWS Database Migration Service
D.AWS Server Migration Service
AnswerB

Application Discovery Service discovers and profiles on-premises servers (configuration, utilization, dependencies) to help plan migration waves and create a business case for cloud adoption.

Why this answer

AWS Application Discovery Service is designed to gather information about on-premises data centers, including server specifications, utilization metrics, and network dependencies. It provides this data to help build a detailed business case for migration, including cost projections and migration planning. This directly matches the requirement to discover servers, profile utilization, and create a business case.

Exam trap

The trap here is that candidates confuse AWS Migration Hub as the discovery tool, when in fact Migration Hub only aggregates and tracks data from other services like Application Discovery Service, but does not perform the discovery itself.

How to eliminate wrong answers

Option A is wrong because AWS Migration Hub is a central tracking service that monitors migration progress across multiple AWS and partner tools, but it does not perform the initial discovery or utilization profiling of on-premises servers. Option C is wrong because AWS Database Migration Service (DMS) is specifically for migrating databases to AWS, not for discovering or profiling on-premises servers or creating a general business case for cloud migration. Option D is wrong because AWS Server Migration Service (SMS) is used to replicate and migrate live on-premises virtual machines to AWS, but it does not perform discovery or utilization profiling, nor does it generate a business case.

132
MCQmedium

A company uses AWS Organizations. They want to ensure that member accounts cannot turn off CloudTrail or AWS Config in their accounts. What is the most effective way to enforce this?

A.Configure IAM policies in each account to deny these actions
B.Apply Service Control Policies (SCPs) at the organization level
C.Use AWS Config rules to detect and alert on violations
D.Enable MFA delete on all accounts
AnswerB

SCPs applied at the root or OU level create a permission boundary that applies to all member accounts — even root users in member accounts cannot perform actions denied by SCPs.

Why this answer

Service Control Policies (SCPs) are the most effective way to enforce guardrails across all member accounts in AWS Organizations. SCPs can deny the ability to disable CloudTrail or AWS Config at the organization, organizational unit (OU), or account level, and they cannot be overridden by IAM policies in member accounts. This ensures that even account administrators cannot turn off these services, providing a centralized security control.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, thinking that IAM policies in each account can enforce organization-wide controls, but they fail to recognize that SCPs are the only mechanism that can prevent account administrators from disabling security services.

How to eliminate wrong answers

Option A is wrong because IAM policies in each account can be overridden by the account administrator, who can modify or remove them, making this approach unreliable for enforcing a mandatory security baseline. Option C is wrong because AWS Config rules only detect and alert on violations after they occur; they do not prevent the action of disabling CloudTrail or AWS Config, so they are reactive rather than proactive. Option D is wrong because MFA delete is a feature for Amazon S3 versioning to require multi-factor authentication for deleting object versions, and it has no relevance to controlling CloudTrail or AWS Config settings.

133
MCQmedium

A company's development team has written a Python web application using the Flask framework. The team wants to deploy the application to the AWS Cloud without managing the underlying servers, operating system, or web server software. They want AWS to automatically handle the deployment, from provisioning EC2 instances to configuring the web server and load balancer, and to scale the application based on traffic. They also want the ability to upload new code versions directly from their Git repository. Which AWS service should the team use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.Amazon EC2 Auto Scaling
D.AWS CodeDeploy
AnswerA

AWS Elastic Beanstalk is correct because it is a PaaS service that automatically provisions the underlying infrastructure (EC2 instances, load balancer, scaling policies), deploys the application, manages the web server, and supports Git-based deployment workflows.

Why this answer

AWS Elastic Beanstalk is the correct choice because it is a Platform as a Service (PaaS) offering that automatically handles the deployment, capacity provisioning, load balancing, and auto-scaling of web applications. The team can upload code directly from a Git repository using the EB CLI or integrated CodePipeline, and Elastic Beanstalk manages the underlying EC2 instances, operating system, and web server (e.g., Apache or Nginx) without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with AWS CloudFormation, assuming both are 'automation' services, but CloudFormation requires explicit resource definitions and does not automatically configure the web server or deploy application code.

How to eliminate wrong answers

Option B (AWS CloudFormation) is wrong because it is an Infrastructure as Code (IaC) service that requires the team to manually define and manage all AWS resources (EC2, load balancer, scaling policies) in templates, which contradicts the requirement of not managing underlying servers or software. Option C (Amazon EC2 Auto Scaling) is wrong because it only handles the scaling of EC2 instances based on demand but does not provision the instances, configure the web server, deploy the application code, or set up a load balancer automatically. Option D (AWS CodeDeploy) is wrong because it is a deployment service that automates code deployment to existing compute instances (EC2, on-premises) but does not provision infrastructure, configure the web server, or manage load balancing and scaling.

134
MCQmedium

A multi-national company needs to ensure their AWS resources in Europe comply with GDPR by keeping all data within EU regions. Which approach ensures data remains in Europe?

A.AWS automatically keeps EU customer data in EU regions without any configuration
B.Deploy resources only in EU AWS Regions and use SCPs to prevent deployment outside EU
C.Enable CloudTrail in all regions to monitor data movement
D.GDPR compliance requires using only AWS GovCloud Regions
AnswerB

Deploying in EU Regions keeps data in the EU (AWS doesn't cross-Region replicate automatically). SCPs with aws:RequestedRegion conditions enforce that no resources can be created outside approved EU Regions.

Why this answer

Option B is correct because deploying resources only in EU AWS Regions (such as eu-west-1, eu-central-1) combined with Service Control Policies (SCPs) that explicitly deny actions outside those regions ensures data residency. SCPs are organization-level policies in AWS Organizations that can restrict member accounts from launching resources in non-EU regions, providing a preventive control to enforce GDPR data localization requirements.

Exam trap

The trap here is that candidates may confuse detective controls (like CloudTrail or Config) with preventive controls (like SCPs or IAM policies), or mistakenly believe AWS automatically enforces data residency without customer configuration.

How to eliminate wrong answers

Option A is wrong because AWS does not automatically keep EU customer data in EU regions; customers must explicitly choose EU regions for resource deployment, and AWS offers global services (e.g., IAM, Route 53) that may process metadata outside the EU. Option C is wrong because CloudTrail is a detective control that logs API activity but does not prevent data from leaving EU regions; it only provides visibility after the fact. Option D is wrong because AWS GovCloud Regions are designed for US government workloads and compliance (e.g., ITAR, FedRAMP), not for GDPR compliance in Europe, and they are located in the US.

135
MCQmedium

A company is migrating its legacy Java web application to AWS. The application consists of a stateless web tier that receives HTTP traffic. The company wants to minimize operational overhead. The development team wants to simply upload a WAR file and have AWS automatically handle the deployment, capacity provisioning, load balancing, and auto-scaling based on traffic. The team does not want to manage the underlying EC2 instances or configure the load balancer manually. Which AWS service should the company use?

A.Amazon EC2 Auto Scaling
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.Amazon Lightsail
AnswerB

AWS Elastic Beanstalk is a fully managed service that automatically handles the deployment, capacity provisioning, load balancing, and auto-scaling of applications. Simply upload your WAR file and Elastic Beanstalk manages the underlying infrastructure, making it the ideal choice for this scenario.

Why this answer

AWS Elastic Beanstalk is the correct choice because it provides a Platform as a Service (PaaS) offering that automatically handles deployment, capacity provisioning, load balancing, and auto-scaling for Java web applications. The team can simply upload a WAR file, and Elastic Beanstalk manages the underlying EC2 instances and Application Load Balancer (ALB) without requiring manual configuration. This directly meets the requirement to minimize operational overhead while supporting stateless web tiers.

Exam trap

The trap here is that candidates often confuse EC2 Auto Scaling (Option A) as a complete solution for deployment and load balancing, but it only handles scaling and requires separate manual setup for the load balancer and application deployment, which does not satisfy the 'simply upload a WAR file' requirement.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling only manages the scaling of EC2 instances based on policies, but it does not handle deployment of the WAR file, load balancer configuration, or application lifecycle management, requiring the team to manually set up and manage those components. Option C is wrong because AWS OpsWorks is a configuration management service based on Chef and Puppet that requires the team to define cookbooks or recipes and manage the underlying infrastructure, which contradicts the goal of minimizing operational overhead and avoiding manual EC2 management. Option D is wrong because Amazon Lightsail is a simplified virtual private server (VPS) service that offers pre-configured instances but does not provide automated deployment, load balancing, or auto-scaling out of the box; it requires manual setup for scaling and load balancing, and it does not natively support WAR file deployment.

136
MCQmedium

A company runs a diverse workload on AWS that includes Amazon EC2 instances of various families and sizes across multiple regions, Amazon RDS databases, and a serverless application using AWS Lambda and AWS Fargate. The finance team wants to reduce compute costs by making a 1-year hourly spend commitment, but they need the flexibility to change instance families, sizes, regions, or switch between EC2, Fargate, and Lambda without losing the discount. Which AWS pricing model should the finance team choose to meet these requirements?

A.Compute Savings Plan
B.Reserved Instances (Standard)
C.Reserved Instances (Convertible)
D.On-Demand
AnswerA

Correct. Compute Savings Plans apply to any EC2 instance (any family, size, region), AWS Fargate, and AWS Lambda. They provide significant discounts in exchange for a consistent hourly spend commitment and offer the maximum flexibility to change instance attributes or move between compute services.

Why this answer

A Compute Savings Plan is the correct choice because it offers a 1-year hourly spend commitment with the flexibility to change instance families, sizes, regions, and even switch between EC2, Fargate, and Lambda while still receiving the discount. This plan applies to any compute usage across these services, automatically adjusting the discount to the most cost-effective instance type or compute option, meeting the finance team's need for both cost reduction and operational flexibility.

Exam trap

The trap here is that candidates often confuse Convertible Reserved Instances with Compute Savings Plans, assuming the ability to change instance families is sufficient, but they overlook that Convertible RIs do not cover Fargate or Lambda, which is a key requirement in this question.

How to eliminate wrong answers

Option B (Reserved Instances - Standard) is wrong because it locks you into a specific instance family, size, and region for the entire term, and it does not cover AWS Fargate or Lambda, so it lacks the required flexibility. Option C (Reserved Instances - Convertible) is wrong because although it allows changing instance families or sizes, it still requires a 1-year or 3-year term and does not cover Fargate or Lambda, and the conversion process is manual and limited to EC2 instances only. Option D (On-Demand) is wrong because it provides no discount or commitment, so it does not reduce compute costs as required by the finance team.

137
MCQmedium

A company manages multiple AWS accounts using AWS Organizations and maintains hundreds of Amazon S3 buckets across these accounts. The security team wants a service that automatically scans all S3 bucket policies and identifies any bucket that grants access to an external AWS account (an account outside the organization). The team needs to receive findings when such policies are detected and wants to review the findings in a centralized dashboard. Which AWS service should the security team use to meet these requirements?

A.AWS Trusted Advisor
B.AWS IAM Access Analyzer
C.AWS Config
D.AWS Service Catalog
AnswerB

IAM Access Analyzer analyzes resource-based policies across supported resources (including S3 buckets) and identifies when access is granted to an external entity, such as an AWS account outside the organization. It provides a centralized console to review findings and can send alerts via AWS Security Hub or Amazon EventBridge. This directly meets the requirement to automatically detect buckets accessible to external accounts.

Why this answer

AWS IAM Access Analyzer helps identify resources shared with external principals by analyzing resource-based policies (such as S3 bucket policies). It can be configured to use a trusted zone (e.g., the AWS Organizations management account or a specific OU) so that any policy granting access to an AWS account outside that zone generates a finding. These findings are aggregated in the IAM Access Analyzer console, providing a centralized dashboard for review.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to monitor resource changes with the specific need to analyze policy content for external access, but Config requires custom Lambda rules or conformance packs to replicate what IAM Access Analyzer does natively.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks (e.g., S3 bucket permissions, security groups) but does not automatically scan all bucket policies across multiple accounts for external access and does not offer a centralized findings dashboard for cross-account policy analysis. Option C is wrong because AWS Config evaluates resource configurations against rules and can detect changes, but it does not natively analyze S3 bucket policies for external account access and does not generate findings specifically for cross-account sharing; it requires custom rules or additional logic. Option D is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured products) and has no capability to scan S3 bucket policies or detect external access.

138
MCQmedium

A company runs a globally distributed web application on Amazon EC2 instances behind Network Load Balancers in two AWS Regions: us-east-1 and eu-west-1. Users around the world access the application over the internet. The company wants to improve latency for all users by directing each user to the nearest healthy application endpoint. Additionally, the company requires two static IP addresses that clients can use for firewall whitelisting and that do not change even if the underlying infrastructure changes. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 latency-based routing
D.AWS Direct Connect
AnswerB

AWS Global Accelerator improves application performance by directing user traffic to the nearest healthy endpoint using the AWS global network. It provides two static anycast IP addresses that act as a fixed entry point, so clients can whitelist these IPs without worrying about changes. It supports TCP and UDP traffic and can route to endpoints in multiple Regions, making it an ideal choice for this use case.

Why this answer

AWS Global Accelerator is the correct choice because it provides two static anycast IP addresses that serve as fixed entry points, and it directs user traffic to the nearest healthy application endpoint via the AWS global network, reducing latency. Unlike CloudFront, it does not cache content but optimizes TCP/UDP traffic, making it ideal for non-HTTP or dynamic applications behind Network Load Balancers.

Exam trap

The trap here is that candidates often confuse latency-based routing (DNS) with Global Accelerator, not realizing that DNS caching can prevent immediate failover and that Global Accelerator provides fixed anycast IPs, not just DNS resolution.

How to eliminate wrong answers

Option A (Amazon CloudFront) is wrong because it is a content delivery network (CDN) that caches static and dynamic content at edge locations, but it does not provide static IP addresses for firewall whitelisting; its IP addresses can change and are not fixed. Option C (Amazon Route 53 latency-based routing) is wrong because it is a DNS-based routing policy that resolves to the IP addresses of the load balancers, but DNS responses can be cached by clients and ISPs, causing stale routing and no guarantee of static IP addresses for whitelisting. Option D (AWS Direct Connect) is wrong because it is a dedicated network connection from on-premises to AWS, not a service for directing internet users to the nearest endpoint or providing static anycast IP addresses.

139
MCQeasy

A company wants to automatically detect and label objects in photos uploaded by users — such as identifying if a photo contains a person, a car, or an outdoor scene — without building their own machine learning model. Which AWS service provides this pre-built computer vision capability?

A.Amazon SageMaker
B.Amazon Comprehend
C.Amazon Rekognition
D.Amazon Polly
AnswerC

Rekognition provides pre-trained computer vision via an API. It detects objects, scenes, people, text, and faces in images and video without requiring any ML model training.

Why this answer

Amazon Rekognition is the correct choice because it is a fully managed, pre-trained computer vision service that can automatically detect and label objects, scenes, and faces in images without requiring any custom machine learning model development. It provides APIs for image analysis, including object and scene detection, which directly matches the requirement to identify if a photo contains a person, car, or outdoor scene.

Exam trap

The trap here is that candidates often confuse Amazon Rekognition with Amazon SageMaker, assuming SageMaker is the go-to for all AI/ML tasks, but SageMaker requires custom model building, whereas Rekognition provides pre-built computer vision capabilities out of the box.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker is a machine learning platform for building, training, and deploying custom models, not a pre-built computer vision service; it would require the company to develop their own model. Option B is wrong because Amazon Comprehend is a natural language processing (NLP) service for analyzing text, not images, so it cannot detect objects in photos. Option D is wrong because Amazon Polly is a text-to-speech service that converts text into lifelike speech, and it has no capability for image analysis or object detection.

140
MCQmedium

A media processing company runs multiple Amazon EC2 instances in different Availability Zones. All instances need to read and write to a shared file system simultaneously. The file system must be fully managed, automatically replicated across multiple Availability Zones for durability, and accessible by all instances using standard file access protocols. The company does not want to provision or manage any file servers. Which AWS service should the company use to meet these requirements?

A.Amazon S3
B.Amazon EBS Multi-Attach
C.Amazon EFS
D.Amazon FSx for Windows File Server
AnswerC

Correct. Amazon EFS provides a fully managed, elastic NFS file system that can be mounted on multiple EC2 instances across different Availability Zones simultaneously. It automatically replicates data across zones within a region for durability and is ideal for shared file storage.

Why this answer

Amazon EFS (Elastic File System) is a fully managed, scalable NFS file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones. It automatically replicates data across multiple AZs for durability and uses standard NFSv4.1 and NFSv4.0 protocols, meeting all requirements without any server provisioning or management.

Exam trap

The trap here is that candidates often confuse Amazon EBS Multi-Attach (Option B) as a solution for shared storage across AZs, but it is strictly limited to a single AZ and requires Nitro-based instances, making it unsuitable for multi-AZ access.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service, not a file system; it does not support standard file access protocols like NFS or SMB and cannot be mounted as a shared file system by EC2 instances simultaneously. Option B is wrong because Amazon EBS Multi-Attach only allows a single EBS volume to be attached to up to 16 Nitro-based EC2 instances in the same Availability Zone, not across multiple AZs, and it requires manual management of the volume. Option D is wrong because Amazon FSx for Windows File Server is a fully managed Windows file server that uses SMB protocol, but it is not automatically replicated across multiple Availability Zones for durability by default; it requires a Multi-AZ deployment configuration, and the question specifies the company does not want to provision or manage any file servers, which FSx still involves some server management overhead.

141
MCQmedium

A security team needs to analyze VPC network traffic to detect anomalies and investigate security incidents. Which AWS service captures and stores network flow data for VPCs?

A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon Inspector
D.Amazon GuardDuty
AnswerB

VPC Flow Logs capture network traffic metadata (IPs, ports, protocols, bytes, action) for all network interfaces in a VPC, essential for network forensics and anomaly detection.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces within a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. This data is stored in Amazon CloudWatch Logs or Amazon S3, enabling security teams to analyze traffic patterns, detect anomalies, and investigate incidents. AWS CloudTrail, Amazon Inspector, and Amazon GuardDuty serve different purposes—auditing API calls, assessing vulnerabilities, and threat detection, respectively—but do not directly capture raw network flow data.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network traffic metadata) with AWS CloudTrail (API activity logs), often selecting CloudTrail because both involve logging, but CloudTrail does not capture network-level flow data.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and user actions within AWS, not network traffic flow data; it captures who did what and when, not the IP packets traversing VPCs. Option C is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, but it does not capture or store ongoing network flow logs. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not itself capture or store the raw flow data—it consumes it from VPC Flow Logs.

142
MCQmedium

A company must maintain audit records of all user actions and configuration changes across their AWS accounts. Which AWS service should they enable to capture this information?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.VPC Flow Logs
AnswerC

CloudTrail records every API call with caller identity, timestamp, source IP, and parameters — enabling complete audit trails for user actions and configuration changes across all AWS accounts.

Why this answer

AWS CloudTrail is the correct service because it records API activity and user actions across AWS accounts, providing a complete audit trail of all management and data plane operations. This includes who made changes, what actions were performed, and when they occurred, which is essential for maintaining audit records of user actions and configuration changes.

Exam trap

The trap here is that candidates confuse AWS Config's resource configuration tracking with CloudTrail's API activity logging, but Config records the 'what' (resource state) while CloudTrail records the 'who, what, when, and how' (API calls and user identity).

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs is designed for monitoring, storing, and accessing log files from applications and AWS services, but it does not natively capture API-level user actions or configuration changes; it requires logs to be sent to it from other sources. Option B is wrong because AWS Config focuses on evaluating and recording resource configuration changes and compliance against rules, but it does not capture user identity or API call details—it records the state of resources, not the actions that changed them. Option D is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol) for network interfaces, not user actions or configuration changes; they are used for network analysis and security, not audit trails of user activity.

143
MCQmedium

Which AWS service provides quantum computing hardware as a cloud service, enabling researchers to run algorithms on actual quantum processors?

A.AWS Inferentia
B.Amazon Braket
C.AWS Wavelength
D.Amazon EC2 High Performance Computing
AnswerB

Amazon Braket provides access to quantum computing hardware (from multiple quantum computing providers) and simulators through a managed cloud service for quantum algorithm research.

Why this answer

Amazon Braket is the correct answer because it is a fully managed AWS service that provides access to quantum computing hardware from multiple providers, including IonQ, Rigetti, and D-Wave, in a single environment. It allows researchers to design, test, and run quantum algorithms on actual quantum processors without managing the underlying infrastructure, making it the only option that directly offers quantum computing as a cloud service.

Exam trap

The trap here is that candidates often confuse 'quantum computing' with 'high-performance computing' (HPC) and select Amazon EC2 HPC, not realizing that quantum processors require specialized hardware and a dedicated service like Braket, not traditional CPU/GPU clusters.

How to eliminate wrong answers

Option A is wrong because AWS Inferentia is a custom machine learning inference chip designed to accelerate deep learning models, not quantum computing hardware. Option C is wrong because AWS Wavelength is a service that embeds AWS compute and storage at the edge of 5G networks for ultra-low-latency applications, not quantum processing. Option D is wrong because Amazon EC2 High Performance Computing (HPC) provides traditional CPU/GPU-based compute clusters for parallel workloads, but it does not offer access to quantum processors or quantum algorithms.

144
MCQmedium

The AWS Well-Architected Framework's Reliability pillar recommends automatically recovering from failure. Which AWS feature directly enables automated recovery when an EC2 instance status check fails?

A.EC2 Auto Scaling
B.Amazon EC2 Auto Recovery
C.Elastic Load Balancing health checks
D.AWS Systems Manager Patch Manager
AnswerB

EC2 Auto Recovery is a CloudWatch alarm action that automatically restores a failed instance with its original configuration, same instance ID, and attached volumes.

Why this answer

Amazon EC2 Auto Recovery is a feature that automatically recovers an impaired EC2 instance by restarting it on a new healthy host when a system status check fails. This directly aligns with the Reliability pillar's recommendation to automatically recover from failure without manual intervention.

Exam trap

The trap here is that candidates confuse EC2 Auto Recovery with EC2 Auto Scaling, assuming that Auto Scaling's health check replacement is the same as recovering the same instance, but Auto Recovery preserves the instance identity while Auto Scaling terminates and creates a new one.

How to eliminate wrong answers

Option A is wrong because EC2 Auto Scaling replaces instances based on scaling policies or health checks from load balancers, but it does not directly recover the same instance when a status check fails; it terminates and launches a new instance, which is a different mechanism. Option C is wrong because Elastic Load Balancing health checks monitor the health of instances behind a load balancer and route traffic away from unhealthy instances, but they do not perform automated recovery of the instance itself. Option D is wrong because AWS Systems Manager Patch Manager automates the patching of operating systems and applications, not the recovery of failed instances from status check failures.

145
MCQmedium

A company is migrating its on-premises data analytics workload to AWS. Previously, the company had to purchase and maintain dedicated servers with fixed capacity to handle peak workloads, resulting in low utilization during off-peak hours. On AWS, the company can launch compute resources, run the analytics job, and terminate the resources when done. The company only pays for the compute time and storage used during the job. Which essential characteristic of cloud computing does this scenario BEST demonstrate?

A.Rapid elasticity
B.Measured service
C.Resource pooling
D.On-demand self-service
AnswerB

Measured service is the correct answer. Cloud providers meter usage (compute time, storage, etc.) and bill customers based on actual consumption. This eliminates the need to pay for idle capacity and aligns cost directly with usage, as described in the scenario.

Why this answer

Measured service is the cloud characteristic that enables pay-as-you-go pricing by metering resource usage (compute time, storage) and billing only for what is consumed. In this scenario, the company launches resources for the analytics job, runs it, and terminates them, paying solely for the compute time and storage used — a direct demonstration of metered usage and cost transparency.

Exam trap

The trap here is confusing 'pay only for what you use' (measured service) with the ability to scale resources up/down automatically (rapid elasticity), as both involve dynamic resource management but address different cloud characteristics.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down in response to demand, not to the pay-per-use billing model. Option C is wrong because resource pooling describes how a cloud provider serves multiple customers from shared physical resources using multi-tenancy, which is unrelated to the billing mechanism. Option D is wrong because on-demand self-service allows users to provision resources without human interaction, but the scenario's focus is on paying only for what is used, not the provisioning method.

146
MCQmedium

A company wants to implement a serverless web application with no server management. They need a database that scales automatically without managing cluster capacity. Which combination best supports this?

A.Amazon EC2 + RDS MySQL
B.AWS Lambda + API Gateway + Amazon DynamoDB on-demand
C.AWS Fargate + Amazon Aurora Serverless
D.Amazon EC2 + DynamoDB on-demand
AnswerB

Lambda handles compute serverlessly, API Gateway provides HTTP routing, and DynamoDB on-demand mode scales automatically with zero capacity management — a fully serverless stack.

Why this answer

AWS Lambda + API Gateway + Amazon DynamoDB on-demand provides a fully serverless architecture where Lambda handles compute without server management, API Gateway serves as the HTTP endpoint, and DynamoDB on-demand scales automatically based on traffic without requiring capacity planning or cluster management. This combination meets the requirement for zero server management and automatic scaling of the database.

Exam trap

The trap here is that candidates often confuse 'serverless' with 'managed services'—for example, assuming Amazon RDS or Aurora Serverless are fully serverless when they still require some capacity management or have scaling limitations, whereas DynamoDB on-demand truly eliminates all capacity planning.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 requires manual server management (patching, scaling, OS maintenance) and RDS MySQL, while managed, still requires managing instance sizes and read replicas, not fully serverless. Option C is wrong because AWS Fargate, though serverless for containers, still requires managing container images, task definitions, and Amazon Aurora Serverless, while scaling compute, still involves managing database storage and has a warm-up time for scaling, not fully automatic like DynamoDB on-demand. Option D is wrong because Amazon EC2 requires server management, and while DynamoDB on-demand scales automatically, the compute layer is not serverless, violating the 'no server management' requirement.

147
MCQmedium

A company runs an e-commerce platform on Amazon EC2 instances in a single AWS Region. The company wants to ensure that the platform remains available even if a natural disaster disrupts the entire geographic area of that Region. Which approach should the company take to meet this requirement?

A.Deploy the application across multiple Availability Zones within the same Region.
B.Deploy the application across multiple Edge Locations of Amazon CloudFront.
C.Deploy the application across multiple AWS Regions.
D.Deploy the application on a larger instance type within the same Availability Zone.
AnswerC

Deploying across multiple AWS Regions is the correct approach for geographic disaster recovery. Each Region is completely independent, with separate power, cooling, and physical infrastructure. If one Region is affected by a disaster, the application can fail over to another Region, ensuring business continuity.

Why this answer

Option C is correct because deploying the application across multiple AWS Regions ensures fault tolerance and disaster recovery even if an entire geographic area is disrupted. A natural disaster affecting a single Region would impact all Availability Zones within that Region, so multi-Region deployment is the only approach that provides geographic isolation and continuous availability.

Exam trap

The trap here is that candidates often confuse high availability within a Region (using multiple AZs) with disaster recovery across Regions, mistakenly thinking that AZ-level redundancy is sufficient to withstand a full Regional outage.

How to eliminate wrong answers

Option A is wrong because deploying across multiple Availability Zones within the same Region protects against failures of individual data centers but not against a disaster that affects the entire Region, as all AZs share the same geographic area. Option B is wrong because Amazon CloudFront Edge Locations are content delivery endpoints that cache static and dynamic content for low-latency delivery; they do not run compute workloads like EC2 instances and cannot provide active application availability in the event of a Regional disaster. Option D is wrong because using a larger instance type within the same Availability Zone does not introduce any redundancy or geographic separation; it only increases compute capacity and leaves the application vulnerable to both AZ-level and Regional failures.

148
MCQeasy

Which AWS service provides a simple way to deploy, manage, and scale containerized applications without requiring Kubernetes or deep container expertise?

A.Amazon ECS
B.Amazon EKS
C.AWS App Runner
D.AWS Lambda
AnswerC

App Runner provides the simplest path to deploying containerized web apps — just provide the image or source code and App Runner handles everything else automatically.

Why this answer

AWS App Runner is the correct answer because it provides a fully managed service that automatically builds, deploys, and scales containerized web applications and APIs from source code or a container image, without requiring any knowledge of Kubernetes or container orchestration. It abstracts away the underlying infrastructure, making it ideal for developers who want to deploy containers quickly without managing clusters or control planes.

Exam trap

The trap here is that candidates often confuse Amazon ECS with a 'simple' container service, but the question explicitly requires 'without requiring Kubernetes or deep container expertise,' and ECS still requires understanding of container orchestration concepts, whereas App Runner is the only option that completely abstracts that complexity.

How to eliminate wrong answers

Option A is wrong because Amazon ECS (Elastic Container Service) requires users to manage or configure a cluster of EC2 instances or use AWS Fargate, and while it simplifies container orchestration, it still demands understanding of task definitions, services, and cluster management, not a 'simple way' that avoids container expertise. Option B is wrong because Amazon EKS (Elastic Kubernetes Service) is a managed Kubernetes service that explicitly requires knowledge of Kubernetes concepts such as pods, deployments, and services, which contradicts the 'without requiring Kubernetes' requirement. Option D is wrong because AWS Lambda is a serverless compute service for running code in response to events, not for deploying and managing containerized applications; while it supports container images, it is designed for short-lived, stateless functions, not long-running containerized applications.

149
MCQmedium

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS MySQL database. The application requires database credentials to authenticate. The security team wants to eliminate the practice of storing database credentials in the application code or configuration files. Additionally, the team needs a managed service that can automatically rotate the database credentials on a regular schedule without any manual intervention. Which AWS service should the security team use to store and manage these database credentials?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Identity and Access Management (IAM) roles
D.AWS Key Management Service (AWS KMS)
AnswerA

AWS Secrets Manager is the correct choice because it is designed specifically for storing secrets (like database credentials) and supports automatic rotation of secrets for Amazon RDS databases without manual effort.

Why this answer

AWS Secrets Manager is the correct choice because it is a managed service specifically designed to store, manage, and automatically rotate database credentials (such as those for Amazon RDS MySQL) on a scheduled basis without manual intervention. It natively integrates with Amazon RDS to rotate credentials, eliminating the need to embed secrets in application code or configuration files, which directly addresses the security team's requirements.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is the key requirement in this question.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store can store database credentials as secure strings, but it does not provide built-in automatic rotation of those credentials; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because AWS Identity and Access Management (IAM) roles are used to grant permissions to AWS resources, not to store or rotate database credentials; database authentication requires credentials (username/password), not IAM roles, unless using IAM database authentication, which is not mentioned and does not eliminate the need for credential storage. Option D is wrong because AWS Key Management Service (AWS KMS) is a managed service for creating and controlling encryption keys, not for storing or rotating database credentials; it can encrypt secrets but does not manage or rotate the secrets themselves.

150
MCQmedium

Which AWS service enables developers to add user sign-up, sign-in, and access control to web and mobile applications quickly?

A.AWS Directory Service
B.AWS IAM Identity Center
C.Amazon Cognito
D.AWS IAM
AnswerC

Cognito provides user pools for web/mobile app authentication with built-in UI, social login, MFA, and SAML federation.

Why this answer

Amazon Cognito is the correct AWS service for adding user sign-up, sign-in, and access control to web and mobile applications. It provides identity pools and user pools that handle authentication, authorization, and user management, including social identity providers (e.g., Google, Facebook) and enterprise federation via SAML 2.0 or OIDC. This allows developers to quickly integrate these features without building custom backend infrastructure.

Exam trap

The trap here is confusing AWS IAM (which manages internal AWS users and permissions) with Amazon Cognito (which manages external application users), leading candidates to pick IAM for customer-facing authentication.

How to eliminate wrong answers

Option A is wrong because AWS Directory Service is designed for managing Microsoft Active Directory in the cloud or connecting on-premises directories to AWS, not for providing user sign-up/sign-in for web/mobile apps. Option B is wrong because AWS IAM Identity Center (formerly AWS SSO) centralizes access management for multiple AWS accounts and business applications, but it is not optimized for adding customer-facing sign-up/sign-in to custom applications. Option D is wrong because AWS IAM is used for managing permissions for AWS resources and users within an AWS account, not for handling external user authentication or sign-up flows for web/mobile applications.

Page 1

Page 2 of 14

Page 3