AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 151225

1024 questions total · 14pages · All types, answers revealed

Page 2

Page 3 of 14

Page 4
151
MCQmedium

A healthcare company needs to extract structured medical data from clinical notes and medical documents. Which AWS service provides ML-powered extraction of medical information from unstructured text?

A.Amazon Textract
B.Amazon Comprehend
C.Amazon Comprehend Medical
D.Amazon Rekognition
AnswerC

Comprehend Medical uses pre-trained models for medical text understanding, extracting medications, conditions, dosages, and PHI from clinical notes and medical documents.

Why this answer

Amazon Comprehend Medical is specifically designed to extract structured medical information such as diagnoses, medications, and test results from unstructured clinical text using natural language processing (NLP) and machine learning. It is the only AWS service purpose-built for healthcare use cases like parsing clinical notes and medical documents.

Exam trap

The trap here is that candidates confuse Amazon Comprehend (general NLP) with Amazon Comprehend Medical (healthcare-specific), assuming the general service can handle medical text without the specialized medical ontology and compliance features.

How to eliminate wrong answers

Option A is wrong because Amazon Textract is an OCR service that extracts text, tables, and forms from scanned documents, but it does not perform medical-specific NLP or understand clinical concepts. Option B is wrong because Amazon Comprehend is a general-purpose NLP service for sentiment, entities, and key phrases, but it lacks the medical ontology and HIPAA-eligible compliance required for healthcare data extraction. Option D is wrong because Amazon Rekognition is a computer vision service for image and video analysis, such as face detection and object recognition, and cannot process unstructured text or medical information.

152
MCQmedium

Which IAM best practice helps prevent unauthorized access if an IAM user's long-term credentials are compromised?

A.Using IAM roles instead of IAM users
B.Granting least privilege permissions
C.Enabling Multi-Factor Authentication (MFA)
D.Rotating access keys quarterly
AnswerC

MFA requires a second factor, preventing access even when long-term credentials (passwords/access keys) are stolen.

Why this answer

Option C is correct because Multi-Factor Authentication (MFA) adds a second layer of security beyond the password or access key. Even if long-term credentials (e.g., password or access key) are compromised, an attacker cannot access the AWS console or API without the MFA device (e.g., hardware token or virtual TOTP). This directly prevents unauthorized access from credential theft.

Exam trap

The trap here is that candidates confuse 'preventing unauthorized access' with 'limiting damage after compromise' and incorrectly choose least privilege (Option B) or key rotation (Option D), but MFA is the only option that directly blocks the attacker from using stolen credentials at the authentication step.

How to eliminate wrong answers

Option A is wrong because IAM roles issue temporary credentials via AWS STS, which reduces the risk of long-term credential exposure but does not prevent unauthorized access if the role's trust policy is misconfigured or if the user's session is hijacked; MFA is still needed for critical operations. Option B is wrong because least privilege permissions limit the scope of damage after a compromise but do not prevent the initial unauthorized access from stolen credentials. Option D is wrong because rotating access keys quarterly reduces the window of exposure but does not prevent an attacker from using the compromised key until the rotation occurs; MFA provides immediate protection regardless of rotation schedule.

153
MCQmedium

A company handles credit card transactions and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The company's compliance officer needs to review AWS's PCI DSS compliance reports and also download and sign the AWS Business Associate Addendum (BAA) for HIPAA eligibility. The company wants a single, managed AWS service that provides on-demand access to these compliance documents and agreements. Which AWS service should the compliance officer use?

A.AWS Trusted Advisor
B.AWS Config
C.AWS Artifact
D.Amazon Inspector
AnswerC

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports and agreements, including PCI DSS reports and the Business Associate Addendum (BAA). It allows users to review, download, and sign these documents from a single central location.

Why this answer

AWS Artifact is the correct service because it provides on-demand, self-service access to AWS compliance reports (including PCI DSS reports) and agreements such as the Business Associate Addendum (BAA) for HIPAA. It allows the compliance officer to review, download, and sign these documents directly from the AWS Management Console, meeting the requirement for a single managed service.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or Trusted Advisor, thinking those services also handle compliance documents, but they are designed for configuration auditing and best-practice recommendations, not document repository and agreement signing.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and provides recommendations to optimize costs, improve performance, increase security, and close gaps in fault tolerance; it does not provide access to compliance reports or agreements like PCI DSS reports or BAAs. Option B is wrong because AWS Config is a service that evaluates your AWS resource configurations against desired policies and tracks configuration changes over time; it does not host or provide access to compliance documents or agreements.

154
MCQmedium

A company wants to implement multi-factor authentication for all IAM users across their AWS Organization without requiring individual account administrators to configure MFA for each user. Which approach enables organization-wide MFA enforcement?

A.Enable MFA on the root account only
B.Apply an SCP that denies all actions unless MFA is authenticated
C.Configure IAM password policies to require MFA
D.Enable AWS Config rule to check MFA status
AnswerB

An MFA enforcement SCP at the org root denies all AWS actions when `aws:MultiFactorAuthPresent` is false — IAM users must authenticate with MFA or they can't perform any actions.

Why this answer

Option B is correct because Service Control Policies (SCPs) can be applied at the root or organizational unit level to enforce a condition that denies all AWS API actions unless the request includes multi-factor authentication (MFA). This ensures that every IAM user across the entire AWS Organization must authenticate with MFA before performing any action, without requiring individual account administrators to configure MFA per user.

Exam trap

The trap here is that candidates confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that password policies can enforce MFA at the API level when they only manage device assignment.

How to eliminate wrong answers

Option A is wrong because enabling MFA on the root account only protects the root user, not IAM users; it does not enforce MFA for any other principal in the organization. Option C is wrong because IAM password policies can require an MFA device to be assigned, but they do not enforce MFA at the API call level—users can still make requests without MFA if they have valid access keys or session tokens. Option D is wrong because an AWS Config rule can only detect and report non-compliant MFA status, not actively deny actions; it is a detective control, not a preventive enforcement mechanism.

155
MCQmedium

A company runs an e-commerce website on Amazon EC2 instances. The website experiences unpredictable traffic spikes during flash sales and returns to normal traffic levels afterward. To handle this, the company configures an Auto Scaling group that adds EC2 instances when the average CPU utilization exceeds 70% and removes instances when it drops below 30%. Which essential characteristic of cloud computing does this configuration primarily demonstrate?

A.Elasticity
B.High availability
C.Fault tolerance
D.Durability
AnswerA

Correct. Elasticity is the ability to automatically scale resources up or down to match demand. The Auto Scaling group adjusts the number of EC2 instances based on CPU utilization, which is a clear example of elasticity.

Why this answer

This configuration demonstrates elasticity because it automatically scales EC2 instances up during flash sales (when CPU exceeds 70%) and scales them down when traffic normalizes (CPU below 30%). Elasticity is the ability to dynamically provision and de-provision resources to match demand, which is exactly what Auto Scaling groups with CPU utilization thresholds achieve.

Exam trap

The trap here is that candidates confuse elasticity with high availability or fault tolerance, but the question specifically tests the ability to match resource capacity to fluctuating demand, which is elasticity, not the ability to withstand failures or remain operational.

How to eliminate wrong answers

Option B is wrong because high availability focuses on ensuring the system remains operational despite failures (e.g., using multiple Availability Zones, load balancers, or health checks), not on scaling resources based on demand. Option C is wrong because fault tolerance is about the system's ability to continue operating without interruption when a component fails (e.g., redundant instances, automatic failover), not about adjusting capacity to match workload changes.

156
MCQeasy

What is the principle of least privilege in AWS IAM?

A.Giving all users administrator access to simplify management
B.Granting users only the minimum permissions required to perform their tasks
C.Allowing users to request additional permissions as needed
D.Restricting all access by default and never granting permissions
AnswerB

Least privilege means granting only the permissions necessary for a specific job function.

Why this answer

The principle of least privilege in AWS IAM dictates that users, roles, and services should be granted only the minimum permissions necessary to perform their intended functions. This is implemented by creating fine-grained IAM policies that specify exactly which actions are allowed on which resources, reducing the attack surface and limiting the blast radius of a potential compromise. Option B correctly captures this core security concept.

Exam trap

AWS often tests the principle of least privilege by presenting Option D as a distractor, where candidates confuse 'deny by default' (which is the implicit behavior of IAM) with 'never granting permissions' (which would make the system unusable), leading them to incorrectly select the absolute denial option instead of the balanced minimum-permissions approach.

How to eliminate wrong answers

Option A is wrong because granting all users administrator access violates the principle of least privilege by providing excessive permissions, which increases security risk and contradicts the goal of minimizing access. Option C is wrong because allowing users to request additional permissions as needed describes a process for privilege escalation or just-in-time access, not the principle itself, which focuses on granting only the minimum permissions from the start. Option D is wrong because restricting all access by default and never granting permissions is an extreme interpretation that would prevent any legitimate work; the principle requires granting the minimum necessary permissions, not a complete denial of access.

157
MCQeasy

Which statement best describes the AWS global infrastructure concept of an Availability Zone (AZ)?

A.A geographic location where AWS hosts data centers, such as North America or Europe
B.One or more discrete data centers with redundant power, networking, and connectivity within a Region
C.A CDN edge location used to cache content close to end users
D.A logically isolated section of the AWS Cloud where customers launch resources
AnswerB

An AZ is physically isolated from other AZs in the same Region, providing fault isolation while maintaining low-latency interconnects.

Why this answer

An Availability Zone (AZ) consists of one or more discrete data centers with independent power, cooling, and physical networking, connected to each other through low-latency links within a single AWS Region. This design ensures that if one AZ fails, applications can continue operating in other AZs, providing high availability and fault tolerance. Option B correctly captures this definition, as it emphasizes the discrete, redundant infrastructure that makes an AZ distinct from a Region or a data center.

Exam trap

The trap here is that candidates often confuse an Availability Zone with a single data center or with a Region, but AWS explicitly defines an AZ as one or more discrete data centers, not just one, and it is a subset of a Region, not the Region itself.

How to eliminate wrong answers

Option A is wrong because it describes an AWS Region, not an Availability Zone; a Region is a separate geographic area containing multiple AZs, while an AZ is a specific set of data centers within that Region. Option C is wrong because it describes an Amazon CloudFront edge location, which is a CDN cache point used for content delivery, not an Availability Zone that hosts compute and storage resources. Option D is wrong because it describes a Virtual Private Cloud (VPC), which is a logically isolated section of the AWS Cloud where you launch resources, whereas an AZ is a physical location composed of data centers.

158
MCQmedium

A company runs a global gaming application on Amazon EC2 instances behind an Application Load Balancer in the us-east-1 Region. Players in Europe and Asia report high latency and intermittent connection drops. The company wants to improve the application's performance for global users by routing traffic over the AWS global network. The company also needs two static IP addresses that users can whitelist in their firewalls for consistent access, and the solution must provide health checks to automatically route traffic away from unhealthy endpoints. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.AWS WAF
D.Amazon Route 53
AnswerB

AWS Global Accelerator uses the AWS global network to route traffic from users to the closest healthy endpoint. It provides two static anycast IP addresses that serve as fixed entry points, which can be whitelisted in firewalls. It also performs health checks and automatically reroutes traffic away from unhealthy endpoints, making it ideal for global performance improvement and reliable access.

Why this answer

AWS Global Accelerator is correct because it uses the AWS global network to route traffic from users to the application, reducing latency and jitter by avoiding the public internet. It provides two static anycast IP addresses that remain consistent for firewall whitelisting, and it integrates with health checks to automatically reroute traffic away from unhealthy EC2 endpoints behind the Application Load Balancer.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's edge caching with Global Accelerator's network path optimization, assuming CloudFront can provide static IPs and accelerate any TCP/UDP traffic, but CloudFront only accelerates HTTP/HTTPS and does not offer static IP addresses for whitelisting.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations, but it does not provide static IP addresses for whitelisting and is not designed to optimize TCP/UDP traffic for dynamic applications like gaming; it primarily accelerates HTTP/HTTPS content delivery. Option C is wrong because AWS WAF is a web application firewall that filters HTTP/HTTPS requests based on rules, but it does not provide global traffic acceleration, static IP addresses, or health-check-based routing. Option D is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses and can perform health checks, but it does not provide static anycast IP addresses for whitelisting and does not optimize traffic routing over the AWS global network; DNS-based routing can be affected by client-side caching and does not offer the same low-latency path optimization as Global Accelerator.

159
MCQmedium

A company processes millions of customer records and needs to query data in Amazon S3 without loading it into a database. The data is stored in Parquet format. Which AWS service enables this with no infrastructure to manage?

A.Amazon Redshift Spectrum
B.Amazon Athena
C.Amazon EMR
D.AWS Glue ETL
AnswerB

Athena queries S3 data directly using SQL with no infrastructure management — Parquet's columnar format minimizes data scanned and query cost, making it ideal for Athena.

Why this answer

Amazon Athena is a serverless interactive query service that allows you to analyze data directly in Amazon S3 using standard SQL, with no infrastructure to manage. It natively supports Parquet format, which is columnar and optimized for efficient querying, making it ideal for querying millions of customer records without loading them into a database.

Exam trap

The trap here is that candidates often confuse Amazon Redshift Spectrum (which also queries S3) with a serverless service, but it still requires a managed Redshift cluster, whereas Athena is truly serverless with zero infrastructure management.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift Spectrum is a feature of Amazon Redshift that queries data in S3, but it requires an active Redshift cluster (provisioned infrastructure) to manage, not serverless. Option C is wrong because Amazon EMR requires you to provision and manage EC2 instances and clusters, even if transient, which contradicts the 'no infrastructure to manage' requirement. Option D is wrong because AWS Glue ETL is primarily a data transformation and cataloging service, not an interactive query engine; it runs extract-transform-load jobs on provisioned resources, not ad-hoc SQL queries without infrastructure.

160
MCQmedium

A retail company is migrating its e-commerce platform to AWS. The company's financial controller notes that AWS can offer lower pay-as-you-go prices than what it would cost the company to build and operate its own data center at the same scale. Which cloud computing concept best explains this pricing advantage?

A.Agility
B.Economies of scale
C.Elasticity
D.High availability
AnswerB

Economies of scale allow AWS to spread fixed costs over a massive customer base, reducing per-unit costs and enabling lower pay-as-you-go prices compared to a single organization building its own data center.

Why this answer

The correct answer is B, economies of scale. AWS operates at a massive global scale, allowing it to negotiate lower prices for hardware, data center power, and network bandwidth. These savings are passed on to customers as lower pay-as-you-go prices, which a single company building its own data center cannot match due to its smaller procurement volume.

Exam trap

The trap here is that candidates confuse elasticity (scaling to match demand) with the underlying cost advantage of shared infrastructure, but elasticity reduces waste, not the base price per unit of compute or storage.

How to eliminate wrong answers

Option A is wrong because agility refers to the ability to rapidly provision and deploy resources, not to cost savings from scale. Option C is wrong because elasticity is the ability to automatically scale resources up or down based on demand, which optimizes usage but does not inherently explain lower per-unit pricing. Option D is wrong because high availability ensures systems remain operational despite failures, typically through redundancy across multiple Availability Zones, and does not directly address the cost advantage of shared infrastructure.

161
MCQmedium

A company runs a web application on a fleet of Amazon EC2 instances. The application experiences unpredictable traffic patterns with sudden spikes. The company configures an Auto Scaling group with dynamic scaling policies to automatically add instances when CPU utilization exceeds 70% and remove instances when it drops below 30%. This design is an example of which key characteristic of cloud computing?

A.High availability
B.Fault tolerance
C.Elasticity
D.Durability
AnswerC

Elasticity is the ability to automatically provision and deprovision computing resources to match current demand. The dynamic scaling policy that adds and removes instances based on CPU utilization is a direct implementation of elasticity in AWS.

Why this answer

Option C is correct because the Auto Scaling group's dynamic scaling policy, which adds instances when CPU utilization exceeds 70% and removes them when it drops below 30%, directly demonstrates elasticity. Elasticity is the ability to automatically provision and de-provision resources in response to real-time demand, matching capacity to workload without manual intervention. This contrasts with static provisioning, where resources are fixed regardless of load.

Exam trap

The trap here is that candidates confuse elasticity with high availability or fault tolerance, but elasticity specifically refers to dynamic scaling of resources to match demand, not redundancy or failure recovery.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring the application remains accessible despite failures, typically achieved through multi-AZ deployments, load balancers, and health checks—not by scaling based on CPU utilization. Option B is wrong because fault tolerance is the ability to continue operating without interruption when a component fails, often via redundant systems like standby instances or failover mechanisms, whereas the described scaling policy adjusts capacity for performance, not to mask failures.

162
MCQeasy

A company has migrated its customer-facing web application to AWS. The application is deployed on Amazon EC2 instances behind an Application Load Balancer. The company's customers access the application from various devices—desktop computers, laptops, tablets, and smartphones—using standard web browsers without any additional configuration or proprietary software. The ability for customers to reach the application over the internet from any device with a standard browser best demonstrates which essential characteristic of cloud computing?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerB

Broad network access means cloud resources are accessible over the network via standard mechanisms (e.g., HTTPS) from a wide range of devices. The question describes customers using standard web browsers on various devices to reach the application, which is a direct example of broad network access.

Why this answer

Broad network access is the correct answer because the scenario describes customers accessing the application from various devices (desktops, laptops, tablets, smartphones) using standard web browsers over the internet without any proprietary software. This directly matches the NIST definition of broad network access: resources are available over the network and accessed through standard mechanisms (e.g., HTTP/HTTPS) that promote use by heterogeneous thin or thick client platforms.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'on-demand self-service' because both involve user interaction, but the key distinction is that broad network access is about heterogeneous device reachability via standard protocols, while on-demand self-service is about automated resource provisioning without provider intervention.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (e.g., launch an EC2 instance) automatically without requiring human interaction with the cloud provider, not the ability to access an application from multiple device types. Option C is wrong because resource pooling describes the provider's ability to serve multiple customers from shared physical and virtual resources dynamically assigned according to demand, which is an internal infrastructure characteristic, not a customer-facing access capability.

163
MCQmedium

A company operates 10 AWS accounts, each managed by a different department. The finance team wants to combine the usage of all accounts to qualify for lower volume-based pricing tiers for services such as Amazon S3 and Amazon EC2. Additionally, they want a single monthly bill that aggregates charges from all accounts. Which AWS feature should the company use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Organizations with consolidated billing
D.AWS Trusted Advisor
AnswerC

AWS Organizations with consolidated billing aggregates usage across all member accounts, enabling you to benefit from volume pricing discounts and receive a single monthly bill.

Why this answer

AWS Organizations with consolidated billing is the correct feature because it allows the company to combine usage across all 10 AWS accounts into a single aggregated bill. This enables the finance team to qualify for lower volume-based pricing tiers for services like Amazon S3 and Amazon EC2, as AWS aggregates usage across all accounts in the organization. Consolidated billing also provides a single monthly bill that itemizes charges from each account, meeting both requirements.

Exam trap

The trap here is that candidates may confuse cost management tools like AWS Budgets or Cost Explorer with billing aggregation features, not realizing that only AWS Organizations with consolidated billing can combine usage across accounts to qualify for volume pricing tiers and produce a single monthly bill.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost management tool that allows you to set custom budgets and receive alerts when costs or usage exceed your thresholds, but it does not combine usage across accounts or produce a single aggregated bill. Option B is wrong because AWS Cost Explorer is a visualization and analysis tool for exploring your AWS costs and usage over time, but it does not aggregate usage across multiple accounts into a single billing entity or enable volume pricing discounts.

164
MCQeasy

Under the AWS Shared Responsibility Model, which scenario correctly demonstrates the customer's responsibility?

A.AWS ensuring the physical data center is protected from unauthorized entry
B.A customer configuring security groups to restrict unnecessary inbound traffic to EC2 instances
C.AWS patching the underlying hypervisor on EC2 hosts
D.AWS ensuring S3 storage hardware is replaced when it fails
AnswerB

Security group configuration is the customer's responsibility — AWS provides the security group mechanism, but configuring appropriate rules is the customer's job.

Why this answer

Option B is correct because configuring security groups to restrict inbound traffic is a customer responsibility under the Shared Responsibility Model. Security groups act as a virtual firewall for EC2 instances, and customers must define rules to control traffic at the instance level. AWS manages the underlying network infrastructure but does not configure customer-specific access controls.

Exam trap

The trap here is that candidates often confuse 'patching the hypervisor' (AWS responsibility) with 'patching the guest OS' (customer responsibility), leading them to incorrectly assign hypervisor patching to the customer under the Shared Responsibility Model.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for physical security of data centers, including controlling physical access, which is part of AWS's responsibility 'Security of the Cloud'. Option C is wrong because patching the hypervisor is an AWS responsibility, as it falls under the underlying infrastructure that customers cannot access or modify. Option D is wrong because AWS handles hardware maintenance and replacement for S3 storage, which is part of the 'Security of the Cloud' where AWS manages the physical components.

165
MCQmedium

Which benefit of cloud computing allows a company to experiment with new ideas and quickly spin down failed experiments without financial penalty?

A.Economies of scale
B.Elasticity
C.Agility
D.Durability
AnswerC

Cloud agility means provisioning resources in minutes, experimenting at low cost, and terminating failed experiments without the financial penalty of stranded hardware.

Why this answer

Agility (Option C) is correct because cloud computing enables rapid experimentation by allowing companies to provision and de-provision resources on demand. This means a company can quickly spin up infrastructure to test a new idea and, if it fails, tear it down immediately without incurring ongoing costs. The pay-as-you-go model ensures there is no long-term financial penalty for failed experiments, directly supporting innovation and iterative development.

Exam trap

The trap here is that candidates often confuse elasticity with agility, but elasticity is about automatic scaling to meet demand, while agility is about the speed and low cost of provisioning and de-provisioning resources for experimentation.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to the cost advantages that cloud providers achieve through massive infrastructure, which are passed to customers as lower per-unit prices, but this does not specifically enable quick experimentation or cost-free teardown of failed projects. Option B is wrong because elasticity is the ability to automatically scale resources up or down based on demand, which handles variable workloads but does not inherently address the financial penalty of failed experiments; it focuses on performance scaling rather than cost avoidance for short-lived tests. Option D is wrong because durability is a data protection concept, typically related to storage systems ensuring data remains intact and recoverable (e.g., Amazon S3's 99.999999999% durability), and has no relevance to the financial or operational aspects of experimenting with new ideas.

166
MCQeasy

A company wants to run code that automatically resizes images whenever a new image is uploaded to an Amazon S3 bucket. The code runs for less than 60 seconds per image. The company wants to pay only for the compute time used and does not want to provision or manage any servers. Which AWS service best meets these requirements?

A.Amazon EC2
B.AWS Elastic Beanstalk
C.AWS Lambda
D.Amazon ECS
AnswerC

Lambda is the ideal solution for event-driven, short-lived tasks like image processing. It is triggered by S3 events, runs the code, and charges only for execution time in millisecond increments. No servers to manage.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that runs code in response to events, such as an S3 object creation event, and automatically scales. It charges only for the compute time consumed (rounded to the nearest 1 ms) and requires no server provisioning or management. The 60-second execution limit per invocation is well within the 15-minute maximum duration of Lambda, making it ideal for short-lived image resizing tasks.

Exam trap

The trap here is that candidates may choose AWS Elastic Beanstalk because it automates deployment and scaling, but they overlook that it still runs on EC2 instances that incur costs continuously, not per execution, and does not provide the event-driven, pay-per-use billing model required by the question.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 requires provisioning, managing, and paying for virtual servers even when idle, which violates the requirement to pay only for compute time used and to avoid server management. Option B is wrong because AWS Elastic Beanstalk abstracts server management but still runs on provisioned EC2 instances that incur costs continuously, not just per execution, and does not provide the event-driven, pay-per-use model needed. Option D is wrong because Amazon ECS (Elastic Container Service) requires managing a cluster of EC2 instances or using AWS Fargate, which, while serverless, is designed for containerized workloads and typically incurs costs for running containers continuously, not for sub-60-second event-driven tasks; it also adds unnecessary complexity compared to Lambda.

167
MCQmedium

A financial services company is undergoing an external audit. The auditor requests copies of AWS SOC 2, ISO 27001, and PCI DSS compliance reports to validate the company's cloud infrastructure controls. Where can the company's compliance team obtain these reports in a centralized manner?

A.AWS Config
B.AWS Artifact
C.AWS Audit Manager
D.AWS Security Hub
AnswerB

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports, such as SOC, ISO, and PCI DSS, as well as agreements like the Business Associate Addendum (BAA).

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for on-demand access to AWS compliance reports, including SOC 2, ISO 27001, and PCI DSS. The compliance team can download these reports directly without needing to contact AWS support, making it the single source of truth for audit evidence.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Audit Manager, thinking that Audit Manager’s evidence collection feature also provides the raw compliance reports, when in fact Audit Manager only helps you gather your own evidence while Artifact is the sole source for AWS’s pre-existing certifications.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading third-party compliance reports. Option C is wrong because AWS Audit Manager helps automate evidence collection and risk assessment for audits, but it does not host or provide direct access to AWS’s own compliance certifications like SOC 2 or ISO 27001. Option D is wrong because AWS Security Hub aggregates security alerts and compliance status from multiple AWS services, but it does not store or serve downloadable compliance reports such as SOC 2 or PCI DSS.

168
MCQmedium

A company has deployed a web application on Amazon EC2 instances. The company's security team wants to ensure that the underlying host operating system is patched against a newly discovered vulnerability. According to the AWS Shared Responsibility Model, who is responsible for applying the patch to the host operating system?

A.The company, because patches for underlying infrastructure are always the customer's responsibility in EC2.
B.AWS, because the hypervisor and host OS are part of the 'Security of the Cloud'.
C.The company, because EC2 is an Infrastructure as a Service (IaaS) offering and the customer manages the OS.
D.Both the company and AWS share responsibility equally for host OS patching.
AnswerB

Correct. AWS is responsible for protecting the infrastructure that runs all AWS services, including the host OS, hypervisor, physical servers, and networking. Patching the host OS falls under this responsibility.

Why this answer

Under the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud, which includes the physical infrastructure, hypervisor, and host operating system that runs EC2 instances. When a vulnerability is discovered in the host OS (the OS that runs the hypervisor and manages the physical hardware), AWS must apply the patch because the customer has no access to or control over the host OS. The customer is only responsible for patching the guest OS (the OS running inside the EC2 instance) and any applications deployed on it.

Exam trap

The trap here is that candidates mistakenly apply the IaaS model's general rule (customer manages the OS) to the host OS, forgetting that in virtualized EC2, the host OS is part of the hypervisor layer managed solely by AWS.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that patches for underlying infrastructure are always the customer's responsibility in EC2; in reality, AWS patches the host OS and hypervisor, while the customer patches the guest OS. Option C is wrong because it confuses the customer's responsibility for the guest OS (which they manage in IaaS) with the host OS, which is managed by AWS as part of the virtualized infrastructure.

169
MCQmedium

A financial services company is required by regulation to keep all customer transaction data on-premises. However, they want to use AWS to run analytics workloads on this data using Amazon EMR and Amazon S3 for temporary storage of intermediate results. They need a solution that connects their on-premises network to AWS securely and allows them to extend their on-premises environment into the AWS Cloud. Which cloud computing deployment model does this scenario BEST describe?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

A hybrid cloud deployment combines on-premises infrastructure (private cloud) with public cloud services, connected securely. This matches the scenario where sensitive data stays on-premises while analytics run on AWS.

Why this answer

Option C is correct because the scenario describes a hybrid cloud deployment model, where the company maintains on-premises infrastructure for regulatory compliance (keeping customer transaction data on-premises) while leveraging AWS public cloud services (Amazon EMR and Amazon S3) for analytics workloads. The requirement to connect the on-premises network to AWS securely and extend the on-premises environment into the AWS Cloud is a defining characteristic of hybrid cloud, often implemented using AWS Direct Connect or VPN connections to create a unified network.

Exam trap

The trap here is that candidates may confuse 'hybrid cloud' with 'public cloud' because the company uses AWS services, but the key differentiator is the integration with on-premises infrastructure to meet regulatory data residency requirements.

How to eliminate wrong answers

Option A is wrong because a public cloud model would involve running all workloads, including the customer transaction data, on AWS infrastructure, which violates the regulatory requirement to keep data on-premises. Option B is wrong because a private cloud model would require the company to host all resources, including the analytics workloads, within their own data center or a dedicated single-tenant environment, contradicting the use of AWS public cloud services like Amazon EMR and Amazon S3. Option D is wrong because a community cloud is designed for use by a specific group of organizations with shared concerns (e.g., compliance or security requirements), but the scenario does not involve multiple organizations sharing the infrastructure; it is a single company extending its on-premises environment into AWS.

170
MCQmedium

A company wants to identify sensitive data (such as PII and credit card numbers) stored in Amazon S3 buckets across their organization. Which AWS service automates this discovery?

A.Amazon Inspector
B.AWS Config
C.Amazon Macie
D.Amazon GuardDuty
AnswerC

Macie uses ML to discover and classify sensitive data in S3 including PII, financial data, and credentials, generating actionable findings.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data stored in Amazon S3. It automatically identifies personally identifiable information (PII), credit card numbers, and other sensitive data types, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse Amazon Macie with Amazon Inspector or GuardDuty because all three are security services, but only Macie is designed for content-aware data discovery and classification of sensitive data in S3.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for discovering sensitive data in S3 buckets. Option B is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, but it does not inspect the content of S3 objects for sensitive data. Option D is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, not for scanning S3 object content for sensitive data.

171
MCQmedium

Which AWS service provides a fully managed message broker supporting ActiveMQ and RabbitMQ protocols for migrating on-premises messaging systems to the cloud?

A.Amazon SQS
B.Amazon SNS
C.Amazon MQ
D.Amazon Kinesis Data Streams
AnswerC

Amazon MQ provides managed ActiveMQ and RabbitMQ brokers that support standard messaging protocols, enabling lift-and-shift of existing on-premises messaging systems.

Why this answer

Amazon MQ is a fully managed message broker service that supports industry-standard protocols like AMQP (ActiveMQ) and MQTT/STOMP (RabbitMQ), making it ideal for migrating on-premises messaging systems without rewriting code. Unlike Amazon SQS or SNS, which are proprietary AWS services, Amazon MQ provides compatibility with existing ActiveMQ and RabbitMQ-based applications, enabling a seamless lift-and-shift migration to the cloud.

Exam trap

The trap here is that candidates confuse Amazon MQ with Amazon SQS or SNS because all three are messaging services, but only Amazon MQ supports the specific ActiveMQ and RabbitMQ protocols needed for migrating existing on-premises brokers without code changes.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a fully managed queue service that uses a proprietary API and does not support ActiveMQ or RabbitMQ protocols; it is designed for decoupling microservices, not for migrating existing message brokers. Option B is wrong because Amazon SNS is a pub/sub notification service that uses HTTP/S, email, or SMS endpoints, not the AMQP or MQTT protocols required for ActiveMQ/RabbitMQ compatibility. Option D is wrong because Amazon Kinesis Data Streams is a real-time data streaming service for ingesting large volumes of data, not a message broker that supports ActiveMQ or RabbitMQ protocols.

172
MCQeasy

Which AWS service provides a managed Kubernetes service that removes the overhead of installing, operating, and maintaining a Kubernetes control plane?

A.Amazon ECS
B.Amazon EKS
C.AWS Fargate
D.AWS App Mesh
AnswerB

EKS provides managed Kubernetes clusters where AWS fully manages the control plane, enabling customers to run Kubernetes workloads without control plane operational overhead.

Why this answer

Amazon EKS (Elastic Kubernetes Service) is the correct answer because it is a managed Kubernetes service that handles the provisioning, scaling, and maintenance of the Kubernetes control plane (including the API server, etcd, and controller manager). This removes the operational overhead of installing and operating the control plane yourself, allowing you to focus on deploying and managing containerized applications.

Exam trap

The trap here is that candidates often confuse Amazon ECS (a proprietary AWS container service) with Amazon EKS (a managed Kubernetes service), or mistakenly think AWS Fargate is a standalone Kubernetes service rather than a compute engine that can be used with EKS.

How to eliminate wrong answers

Option A is wrong because Amazon ECS is a container orchestration service that uses its own proprietary control plane and task definitions, not Kubernetes. Option C is wrong because AWS Fargate is a serverless compute engine for containers that can run tasks for both ECS and EKS, but it does not provide a managed Kubernetes control plane itself. Option D is wrong because AWS App Mesh is a service mesh that provides application-level networking (using Envoy proxies) for microservices, not a container orchestration or Kubernetes management service.

173
MCQeasy

Which AWS service provides a domain name system (DNS) that routes end-user requests to AWS infrastructure and external resources?

A.AWS Global Accelerator
B.Amazon CloudFront
C.Amazon Route 53
D.Elastic Load Balancing
AnswerC

Route 53 is AWS's managed DNS service, handling domain registration, DNS resolution, and intelligent routing with health checks.

Why this answer

Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to route end-user requests to AWS infrastructure (such as EC2 instances, ELBs, and S3 buckets) and to external resources by translating human-readable domain names into IP addresses. This directly matches the question's requirement for a DNS-based routing service.

Exam trap

The trap here is confusing a content delivery network (CloudFront) or a traffic accelerator (Global Accelerator) with a DNS service, since both can improve performance and route traffic, but only Route 53 provides actual domain name resolution and DNS record management.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator uses the AWS global network and Anycast IPs to improve performance and reliability for TCP/UDP traffic, but it does not provide DNS resolution or domain name management; it operates at the network layer (Layer 3/4). Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations for faster delivery, but it does not function as a DNS service; it uses DNS only to resolve its own distribution domain names. Option D is wrong because Elastic Load Balancing (ELB) distributes incoming application or network traffic across multiple targets (e.g., EC2 instances) within a single region, but it does not provide DNS resolution for domain names; it only provides a DNS name for its own endpoint.

174
MCQeasy

Which AWS feature protects S3 buckets from having their versioned objects permanently deleted without multi-factor authentication approval?

A.S3 Block Public Access
B.S3 Object Lock
C.S3 MFA Delete
D.S3 Access Points
AnswerC

MFA Delete requires a valid MFA code to permanently delete versioned objects or suspend versioning, providing an additional layer of protection against accidental or unauthorized permanent deletion.

Why this answer

S3 MFA Delete is the correct answer because it is the specific S3 versioning feature that requires multi-factor authentication (MFA) to permanently delete versioned objects or suspend versioning on a bucket. When enabled, any DeleteObject request that includes a version ID (permanent delete) or a PUT request to suspend versioning must include the x-amz-mfa header with a valid MFA code from a hardware or virtual MFA device. This prevents unauthorized or accidental permanent deletion of object versions, even by users with full S3 permissions.

Exam trap

The trap here is that candidates often confuse S3 Object Lock's WORM protection with MFA Delete, but Object Lock prevents deletion based on time-based retention, not by requiring a second authentication factor, while MFA Delete specifically mandates MFA approval for permanent deletion of versioned objects.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access is a set of settings that prevents public access to S3 buckets and objects, but it has no mechanism to require MFA for deletions or to protect versioned objects from permanent deletion. Option B is wrong because S3 Object Lock provides write-once-read-many (WORM) protection to prevent object deletion or overwrite for a specified retention period, but it does not require MFA authentication for deletion operations; it relies on retention modes (Governance/Compliance) and legal holds. Option D is wrong because S3 Access Points are network endpoints attached to buckets that simplify managing data access at scale, but they do not enforce MFA for deletions and have no role in protecting versioned objects from permanent deletion.

175
MCQmedium

A company wants to use AWS for a short-term proof-of-concept project lasting one month. They need EC2 instances and RDS databases but don't want any long-term commitment. Which pricing model is most appropriate?

A.Reserved Instances (1-year, All Upfront)
B.On-Demand pricing
C.Savings Plans (3-year commitment)
D.Spot Instances for all workloads
AnswerB

On-Demand pricing requires no commitment, allows termination at any time, and provides full flexibility — perfect for a time-bounded proof-of-concept.

Why this answer

On-Demand pricing is the most appropriate for a short-term proof-of-concept lasting only one month because it requires no upfront payment or long-term commitment. You pay for compute and database capacity by the hour or second, and you can stop or terminate resources at any time without penalty. This aligns perfectly with the temporary, flexible nature of a one-month project.

Exam trap

The trap here is that candidates might choose Spot Instances thinking they are always the cheapest option, but they overlook the fact that Spot Instances can be interrupted and are not supported for RDS, making them inappropriate for a proof-of-concept that requires consistent database availability.

How to eliminate wrong answers

Option A is wrong because Reserved Instances require a 1-year or 3-year commitment, which is excessive and costly for a one-month proof-of-concept; you would be locked into paying for resources you don't need after the project ends. Option C is wrong because Savings Plans also require a 1-year or 3-year commitment (the 3-year option is even longer), and they are designed for steady-state usage, not short-term, flexible workloads. Option D is wrong because Spot Instances can be interrupted with only a 2-minute warning when AWS needs capacity back, making them unsuitable for RDS databases (which require persistent, reliable storage) and for any workload that cannot tolerate interruptions, such as a proof-of-concept that needs consistent availability.

176
MCQmedium

A company needs to manage multiple Kubernetes clusters across different AWS Regions and on-premises environments from a single control plane. Which AWS service provides this?

A.Amazon ECS
B.Amazon EKS with EKS Connector
C.AWS Fargate
D.Amazon EC2 with self-managed Kubernetes
AnswerB

EKS Connector registers any conformant Kubernetes cluster with Amazon EKS for unified visibility and management in the AWS console, spanning EKS, EKS Anywhere, and third-party clusters.

Why this answer

Amazon EKS with EKS Connector allows you to register and connect any Kubernetes cluster—whether running in AWS, on-premises, or in other clouds—to the AWS EKS console. This provides a single control plane view for managing multiple clusters across different AWS Regions and on-premises environments, fulfilling the requirement exactly.

Exam trap

The trap here is that candidates often confuse Amazon ECS with Kubernetes management, or assume that AWS Fargate can serve as a multi-cluster management plane, when in fact only EKS with EKS Connector provides the specific capability to register and manage external Kubernetes clusters from a single AWS console.

How to eliminate wrong answers

Option A is wrong because Amazon ECS is a container orchestration service for Docker containers, not Kubernetes, and it does not provide a single control plane for managing multiple Kubernetes clusters across regions and on-premises. Option C is wrong because AWS Fargate is a serverless compute engine for containers that works with ECS or EKS, but it is not a service for managing multiple Kubernetes clusters from a single control plane. Option D is wrong because Amazon EC2 with self-managed Kubernetes requires you to manually set up and manage the Kubernetes control plane on EC2 instances, which does not offer a built-in single control plane for multiple clusters across different environments.

177
MCQmedium

A company manages multiple AWS accounts under a single AWS Organizations organization. The security team wants to implement a preventive control that blocks any action that would disable AWS CloudTrail or delete CloudTrail log files across all accounts, including the management account. The solution must be centrally managed and must not require changes to individual account permissions. Which AWS feature should the security team use?

A.IAM permission boundaries
B.AWS Service Control Policies (SCPs)
C.AWS Identity and Access Management (IAM) roles with a trust policy
D.AWS Config conformance packs
AnswerB

SCPs are a feature of AWS Organizations that allow you to centrally control the maximum permissions for all accounts in your organization. They can be used to deny specific API actions (such as disabling CloudTrail) across all accounts, including the management account, providing a preventive security guardrail.

Why this answer

AWS Service Control Policies (SCPs) are the correct choice because they allow the security team to define preventive guardrails at the AWS Organizations root, OU, or account level that apply to all principals, including the management account. An SCP can explicitly deny any action that would disable CloudTrail (e.g., cloudtrail:StopLogging, cloudtrail:DeleteTrail) or delete log files (e.g., s3:DeleteObject on the CloudTrail S3 bucket), and because SCPs are inherited by all accounts in the organization, no individual account permission changes are required.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permission boundaries, thinking both can centrally manage permissions across accounts, but SCPs are the only AWS Organizations feature that applies preventive controls to all accounts, including the management account, without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because IAM permission boundaries are applied to individual IAM users or roles within a single account and cannot centrally enforce controls across multiple accounts or the management account; they also do not block actions by the root user or service-linked roles. Option C is wrong because IAM roles with a trust policy only define who can assume a role and do not provide any preventive control to block API actions; they are used for granting cross-account access, not for enforcing organization-wide deny rules.

178
MCQmedium

Which AWS service is used to centrally manage and enforce policies across multiple AWS accounts in an organization, such as restricting which AWS services member accounts can use?

A.AWS IAM policies
B.AWS Organizations with Service Control Policies
C.AWS Config rules
D.Amazon GuardDuty
AnswerB

SCPs applied through AWS Organizations define maximum permission boundaries across all member accounts, providing centralized governance and guardrails.

Why this answer

AWS Organizations with Service Control Policies (SCPs) is the correct service because SCPs enable central governance of the maximum available permissions for all accounts within an organization. SCPs act as a permission guardrail, allowing administrators to restrict which AWS services, actions, and resources member accounts can use, regardless of the IAM policies attached to those accounts. This makes SCPs the appropriate tool for enforcing organization-wide restrictions across multiple accounts.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, not realizing that IAM policies are account-specific and cannot enforce restrictions across multiple accounts, while SCPs provide centralized, organization-wide guardrails without granting permissions themselves.

How to eliminate wrong answers

Option A is wrong because AWS IAM policies are attached to individual IAM users, groups, or roles within a single account and cannot centrally enforce restrictions across multiple AWS accounts in an organization. Option C is wrong because AWS Config rules evaluate resource configurations for compliance against desired policies but do not actively enforce or restrict which services member accounts can use. Option D is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not a policy enforcement mechanism for restricting service usage across accounts.

179
MCQhard

Which AWS service provides a petabyte-scale data transfer solution for moving large amounts of data into AWS when network transfer is not feasible?

A.AWS DataSync
B.AWS Transfer Family
C.AWS Snowball
D.Amazon S3 Multipart Upload
AnswerC

Snowball is a physical appliance for petabyte-scale offline data transfer into AWS.

Why this answer

AWS Snowball is a petabyte-scale data transport solution that uses physical storage devices to transfer large amounts of data into and out of AWS when network transfer is not feasible due to high latency, low bandwidth, or high costs. It is specifically designed for moving massive datasets (up to 80 TB per device) where network uploads would take weeks or months, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse AWS DataSync or S3 Multipart Upload as viable options for offline data transfer, but these services require network connectivity and are not designed for petabyte-scale data movement when the network is not feasible.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is an online data transfer service that automates moving data over the network between on-premises storage and AWS, but it does not provide a physical, petabyte-scale solution for when network transfer is not feasible. Option B is wrong because AWS Transfer Family provides managed file transfer protocols (SFTP, FTPS, FTP) for transferring data over the network, not a physical offline transfer mechanism. Option D is wrong because Amazon S3 Multipart Upload is a feature for uploading large objects to S3 over the network by breaking them into parts, but it still relies on network connectivity and does not solve the problem of network transfer being infeasible.

180
MCQeasy

A financial services company keeps sensitive customer data in an on-premises data center. Regulatory requirements prohibit this data from being stored in the cloud. However, the company needs to run compute-intensive analytics jobs that periodically require more processing power than its on-premises servers can provide. The company wants to use AWS for these burst capacity needs while keeping the sensitive data on premises. Which cloud deployment model best describes this approach?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

Hybrid cloud connects on-premises infrastructure with public cloud services. This enables the company to keep sensitive data on-premises for compliance while leveraging AWS for burst compute capacity, matching the described requirements.

Why this answer

The hybrid cloud model is correct because it combines on-premises infrastructure (private cloud) with public cloud resources (AWS) while keeping sensitive data on-premises. The company uses AWS for burst compute capacity via services like AWS Batch or EC2 Auto Scaling, but the data never leaves the on-premises data center, satisfying regulatory requirements.

Exam trap

The trap here is that candidates often confuse 'hybrid cloud' with 'public cloud' because they see AWS usage, but the key distinction is that sensitive data stays on-premises, making it a hybrid model, not a pure public cloud deployment.

How to eliminate wrong answers

Option A is wrong because a public cloud model would store all data and workloads in AWS, violating the regulatory prohibition against storing sensitive data in the cloud. Option B is wrong because a private cloud is entirely on-premises or hosted in a dedicated environment, which cannot provide the burst capacity from AWS that the company needs. Option D is wrong because a community cloud is shared by multiple organizations with common concerns (e.g., compliance), but it does not specifically address the hybrid burst capacity requirement between on-premises and AWS.

181
MCQmedium

Which cloud deployment model involves running applications on AWS infrastructure managed entirely by AWS, where the customer does not manage any physical hardware?

A.Private cloud
B.Hybrid cloud
C.Public cloud
D.Community cloud
AnswerC

Public cloud means AWS owns and manages all hardware; customers consume services without managing physical infrastructure.

Why this answer

The public cloud deployment model is defined by infrastructure that is owned, managed, and maintained by a third-party cloud provider (in this case, AWS). The customer has no responsibility for the physical hardware, such as servers, storage, or networking equipment, and accesses resources on-demand via the internet. This matches the scenario where AWS manages everything, and the customer only interacts with virtualized services.

Exam trap

AWS often tests the misconception that a private cloud means the customer manages no hardware, but in reality, private clouds can be on-premises with the customer owning the hardware, or hosted with dedicated hardware, which still involves customer control or visibility into physical resources.

How to eliminate wrong answers

Option A is wrong because a private cloud involves dedicated infrastructure used exclusively by a single organization, which may be managed by the organization itself or a third party, but the customer often retains control over physical hardware or has dedicated hardware. Option B is wrong because a hybrid cloud combines public and private cloud models, meaning the customer still manages or controls some physical hardware (e.g., on-premises servers) that are connected to AWS. Option D is wrong because a community cloud is shared by several organizations with common concerns (e.g., security, compliance), and while it may be managed by a third party, it does not imply that the customer has zero management of physical hardware; the model is about shared governance, not full provider management.

182
MCQmedium

A company's finance team needs the most granular AWS billing data available, including cost and usage data at the hourly level, broken down by resource ID and cost allocation tags, delivered to Amazon S3 for analysis with their BI tools. Which AWS service provides this?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.Amazon CloudWatch Billing Metrics
AnswerC

The CUR is the most comprehensive billing data product AWS offers. It delivers hourly or daily cost and usage data with resource-level detail and cost allocation tags to an S3 bucket, enabling analysis with tools like Athena or QuickSight.

Why this answer

AWS Cost and Usage Report (CUR) is the correct choice because it provides the most granular billing data available, including hourly-level cost and usage, broken down by resource ID and cost allocation tags, and can be delivered to Amazon S3 for analysis with BI tools. This service is designed for detailed, customizable reports that meet the finance team's requirements for granularity and integration.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's export feature with the granularity of CUR, but Cost Explorer exports are limited to monthly or daily granularity and lack the full resource-level and tag breakdowns that CUR provides.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visualizations and insights into cost and usage data, but it does not deliver raw, hourly-level data to S3 with resource ID and tag breakdowns; it offers aggregated views and exports at a higher level. Option B is wrong because AWS Budgets is used to set spending limits and receive alerts, not to generate detailed cost and usage reports with hourly granularity and resource-level details. Option D is wrong because Amazon CloudWatch Billing Metrics provides basic billing metrics (e.g., estimated charges) at a high level, not the granular, hourly, resource-tagged data that CUR offers, and it does not deliver data to S3.

183
MCQmedium

A company wants to test a new version of their application by sending 10% of user traffic to the new version and 90% to the existing version, gradually increasing traffic to the new version as confidence grows. Which Amazon Route 53 routing policy supports this?

A.Failover routing
B.Geolocation routing
C.Weighted routing
D.Latency routing
AnswerC

Weighted routing assigns relative weights to route records. A weight of 10 for the new version and 90 for the existing version routes approximately 10% of requests to the new version — ideal for gradual canary deployments.

Why this answer

Weighted routing (C) is correct because it allows you to assign a percentage of traffic to each resource, such as 10% to the new version and 90% to the existing version. As confidence grows, you can adjust the weights to gradually shift more traffic to the new version. This policy is specifically designed for load balancing between multiple endpoints in a controlled, proportional manner.

Exam trap

The trap here is that candidates often confuse weighted routing with latency routing, thinking that latency-based routing can also distribute traffic proportionally, but latency routing only optimizes for response time and cannot enforce a fixed percentage split.

How to eliminate wrong answers

Option A is wrong because failover routing is used for active-passive disaster recovery, where traffic is sent to a primary resource unless it becomes unhealthy, then all traffic fails over to a secondary resource — it does not support percentage-based traffic splitting. Option B is wrong because geolocation routing directs traffic based on the geographic location of the user (e.g., country or continent), not based on a percentage split between versions. Option D is wrong because latency routing routes traffic to the endpoint with the lowest latency for the user, which is useful for performance optimization but cannot enforce a specific percentage distribution of traffic.

184
MCQmedium

A company has been running multiple workloads on AWS for several months. The finance team notices that monthly costs have increased significantly but cannot identify which services or linked accounts are driving the increase. The team needs a tool that provides interactive graphs and filters to visualize cost and usage data over time, allows filtering by service or linked account, and identifies the top cost contributors. They also need to create custom reports that can be emailed on a weekly schedule. Which AWS tool should the finance team use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.Amazon QuickSight
AnswerA

Correct. AWS Cost Explorer provides intuitive graphs and filtering to analyze cost and usage data. It allows you to create custom reports and schedule them for regular email delivery, directly addressing the team's needs.

Why this answer

AWS Cost Explorer is the correct tool because it provides interactive graphs and filters to visualize cost and usage data over time, allows filtering by service or linked account, and identifies top cost contributors. It also supports creating custom reports that can be scheduled and emailed weekly, directly meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which only sends alerts) with Cost Explorer (which provides full visualization and reporting), leading them to select Budgets because they see 'cost' and 'alerts' in the question, while missing the need for interactive graphs and scheduled emailed reports.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is designed for setting cost and usage thresholds and sending alerts when those thresholds are exceeded, not for providing interactive graphs, filtering by service or linked account, or creating scheduled emailed reports. Option C (AWS Trusted Advisor) is wrong because it inspects your AWS environment for best practices in cost optimization, performance, security, and fault tolerance, but it does not offer interactive cost visualization, filtering by service or linked account, or the ability to create and email custom cost reports on a schedule.

185
MCQeasy

A company's employees access AWS services using the AWS Management Console from their office laptops, the AWS mobile app on their smartphones, and the AWS CLI from their home computers. Which cloud computing characteristic does this illustrate?

A.Rapid elasticity
B.Resource pooling
C.Broad network access
D.Measured service
AnswerC

Broad network access is the cloud characteristic that describes capabilities being available over the network and accessible from heterogeneous client platforms including mobile phones, laptops, and workstations — which is exactly what this scenario describes.

Why this answer

Broad network access is the correct answer because the scenario describes employees accessing AWS services from multiple types of devices (office laptops, smartphones, home computers) using different access methods (AWS Management Console, AWS mobile app, AWS CLI). This directly illustrates the cloud characteristic that resources are available over the network and can be accessed by standard protocols (e.g., HTTPS for the console and mobile app, HTTP/HTTPS for CLI API calls) from a wide range of client platforms, including mobile phones, laptops, and workstations.

Exam trap

The trap here is that candidates often confuse 'broad network access' with 'rapid elasticity' because both involve flexibility, but broad network access is about the variety of access methods and devices, not the ability to scale resources.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down based on demand, not the variety of access methods or devices. Option B is wrong because resource pooling describes how the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned; it does not relate to how users access the services. Option D is wrong because measured service means that cloud resource usage is monitored, controlled, and reported (e.g., metering for billing), which is not illustrated by the employees using different devices and access methods.

186
MCQmedium

A company runs an e-commerce website on AWS and expects a high volume of traffic during Black Friday. The security team is concerned about potential DDoS attacks overwhelming the infrastructure. The company wants a managed service that provides always-on detection and automatic inline mitigation of DDoS attacks at the network and transport layers (layer 3 and 4), as well as cost protection against scaling charges due to DDoS attacks. Which AWS service should the company use?

A.AWS Shield Standard
B.AWS Shield Advanced
C.AWS WAF
D.Amazon GuardDuty
AnswerB

AWS Shield Advanced provides always-on detection and automatic inline mitigation of DDoS attacks at layers 3 and 4 (and layer 7 when integrated with AWS WAF). It also includes cost protection that provides financial coverage against scaling charges (e.g., from EC2 or ELB) incurred during a DDoS attack, as well as 24/7 access to the DDoS Response Team (DRT). This matches all the specified requirements.

Why this answer

AWS Shield Advanced is the correct choice because it provides always-on detection and automatic inline mitigation of DDoS attacks at layers 3 and 4 (network and transport layers), such as SYN floods and UDP reflection attacks. Additionally, it offers cost protection against scaling charges incurred due to DDoS-related usage spikes, which directly addresses the company's concern about financial impact from attack-induced scaling.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic protection) with AWS Shield Advanced (paid, enhanced protection) or mistakenly think AWS WAF can mitigate network-layer DDoS attacks, when in fact WAF only handles application-layer threats.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic protection against common DDoS attacks (e.g., SYN floods) but lacks automatic inline mitigation at layers 3 and 4, and does not include cost protection against scaling charges. Option C is wrong because AWS WAF operates at the application layer (layer 7) to filter HTTP/HTTPS requests based on rules, not at the network or transport layers (layers 3 and 4), and it does not provide automatic inline DDoS mitigation or cost protection against scaling charges.

187
MCQmedium

A company needs a relational database that automatically scales storage, replicates data across multiple AZs, and can failover automatically without manual intervention. Which AWS service provides these capabilities?

A.Amazon DynamoDB
B.Amazon RDS with Multi-AZ deployment
C.Amazon Redshift
D.Amazon ElastiCache for Redis
AnswerB

RDS Multi-AZ automatically replicates data to a standby in another AZ and performs automatic failover — no manual intervention required for database continuity.

Why this answer

Amazon RDS with Multi-AZ deployment automatically provisions and maintains a synchronous standby replica in a different Availability Zone. This setup provides automatic failover to the standby without manual intervention, and storage scaling can be handled via Amazon EBS or Aurora storage auto-scaling, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse DynamoDB's built-in Multi-AZ replication and auto-scaling with relational database capabilities, overlooking the explicit requirement for a relational database in the question.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database, so it does not support SQL queries or relational schemas. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not a transactional relational database, and its Multi-AZ support is limited to RA3 node types with manual failover steps. Option D is wrong because Amazon ElastiCache for Redis is an in-memory caching service, not a relational database, and it does not provide persistent relational storage or automatic failover for relational workloads.

188
Matchingmedium

Match each AWS management tool to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Audit API calls and user activity

Monitoring and observability

Track resource configuration changes

Best practice recommendations

Infrastructure as code templates

Why these pairings

Management tools help govern and automate AWS.

189
MCQeasy

Which of the following is NOT one of the five characteristics of cloud computing as defined by NIST?

A.On-demand self-service
B.Resource pooling
C.Dedicated hardware allocation per customer
D.Measured service
AnswerC

Dedicated hardware per customer is NOT a NIST characteristic — it's actually the opposite. Cloud computing uses shared multi-tenant resource pools (though dedicated options like Dedicated Hosts exist as a special case).

Why this answer

Option C is correct because the five essential characteristics of cloud computing as defined by NIST SP 800-145 are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Dedicated hardware allocation per customer is not a characteristic; instead, cloud computing relies on resource pooling where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, often with multi-tenant models.

Exam trap

AWS often tests the distinction between optional cloud deployment models (e.g., dedicated hosts, private cloud) and the mandatory NIST essential characteristics, leading candidates to mistakenly think dedicated hardware allocation is a required characteristic.

How to eliminate wrong answers

Option A is wrong because on-demand self-service is a core NIST characteristic, allowing a consumer to unilaterally provision computing capabilities (e.g., server time, network storage) without requiring human interaction with each service provider. Option B is wrong because resource pooling is a fundamental NIST characteristic, where the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. Option D is wrong because measured service is a key NIST characteristic, where cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, active user accounts).

190
MCQmedium

A startup is building a Node.js web application. The development team has limited DevOps experience and wants to focus on writing code. They need a managed platform that automatically deploys their application code, provisions the necessary AWS resources (such as EC2 instances, a load balancer, and Auto Scaling), and handles health monitoring and scaling. However, they want the ability to later customize the underlying EC2 instances and configure environment variables without switching to a different compute service. Which AWS service should the startup use?

A.AWS Lambda
B.AWS Elastic Beanstalk
C.Amazon ECS
D.AWS CloudFormation
AnswerB

AWS Elastic Beanstalk is a PaaS service that automatically deploys application code, manages capacity provisioning, load balancing, and auto scaling for web applications. It provides full control over the underlying AWS resources when needed, making it the best fit for a team that wants a managed platform with the option to customize later.

Why this answer

AWS Elastic Beanstalk is a Platform as a Service (PaaS) that automatically handles deployment, capacity provisioning, load balancing, Auto Scaling, and health monitoring for web applications. It allows developers to upload their Node.js code and have Elastic Beanstalk provision the underlying EC2 instances, load balancer, and Auto Scaling group while still providing the option to later customize the EC2 instances (e.g., via .ebextensions or SSH) and configure environment variables through the Elastic Beanstalk console or CLI. This matches the startup's need for a managed platform with future customization flexibility.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with AWS CloudFormation, thinking both are Infrastructure as Code tools, but Elastic Beanstalk is a managed PaaS that abstracts the underlying resources, while CloudFormation requires manual resource definition and does not handle application deployment or health monitoring automatically.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a serverless compute service that runs code in response to events and does not provision or manage EC2 instances, load balancers, or Auto Scaling groups; it also does not allow customization of underlying EC2 instances. Option C is wrong because Amazon ECS is a container orchestration service that requires users to manage container images, task definitions, and cluster configurations, which demands more DevOps experience than Elastic Beanstalk and does not automatically provision EC2 instances or a load balancer without additional setup. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service that provisions resources based on templates but does not automatically deploy application code, handle health monitoring, or provide a managed platform; it requires users to define and manage all resources manually.

191
MCQmedium

A company is designing a highly available web application on AWS. The application must remain available and continue serving traffic even if an entire physical data center experiences a complete outage. Which AWS global infrastructure component should the solutions architect use to meet this requirement?

A.Deploy the application across multiple AWS Regions.
B.Deploy the application across multiple Availability Zones within a single AWS Region.
C.Deploy the application to an AWS Local Zone.
D.Use an AWS Edge Location to cache the application's content.
AnswerB

This is correct. Each Availability Zone is a separate data center. Distributing the application across multiple AZs ensures that if one data center fails, the application continues running in another AZ, achieving high availability and fault tolerance.

Why this answer

Option B is correct because deploying across multiple Availability Zones (AZs) within a single AWS Region protects against the failure of an entire physical data center. Each AZ is a distinct, isolated location with independent power, cooling, and networking, so if one AZ goes down, the application continues serving traffic from the other AZs. This design meets the requirement for high availability without the complexity and cost of multi-Region deployment.

Exam trap

The trap here is that candidates often confuse high availability (which requires multiple AZs) with disaster recovery (which requires multiple Regions), leading them to incorrectly choose multi-Region deployment when the question specifically asks about surviving a single data center outage.

How to eliminate wrong answers

Option A is wrong because deploying across multiple AWS Regions is designed for disaster recovery and global latency optimization, not solely for protecting against a single data center outage; it introduces higher complexity, cross-Region data transfer costs, and potential data residency issues. Option C is wrong because an AWS Local Zone is an extension of a Region that places compute and storage closer to end users for low-latency applications, but it does not provide the independent fault isolation of multiple data centers and is not designed to survive a complete data center outage.

192
MCQeasy

A development team wants to deploy a Python web application to AWS without managing load balancers, auto scaling groups, or the underlying EC2 instance operating systems. They want to upload their code and have AWS handle the infrastructure. Which cloud service model does this represent?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Serverless
AnswerB

PaaS abstracts infrastructure management. Elastic Beanstalk is PaaS — the developer uploads code and AWS manages the servers, load balancers, auto scaling, and OS patches automatically.

Why this answer

Platform as a Service (PaaS) provides a managed platform where developers can upload code and AWS handles the underlying infrastructure, including load balancing, auto scaling, and OS patching. AWS Elastic Beanstalk is a PaaS service that abstracts EC2 instances, load balancers, and auto scaling groups, allowing the team to focus solely on their Python web application code.

Exam trap

The trap here is that candidates often confuse Serverless (Option D) with PaaS because both abstract infrastructure, but Serverless is specifically event-driven and stateless (e.g., AWS Lambda), whereas PaaS like Elastic Beanstalk runs a long-lived web application with traditional request-response patterns.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) requires the team to manage the underlying EC2 instances, including OS updates, security patches, and scaling configurations, which contradicts the requirement to avoid managing these components. Option C is wrong because Software as a Service (SaaS) delivers a fully managed application to end users (e.g., Salesforce, Gmail), not a platform for deploying custom code. Option D is wrong because Serverless (e.g., AWS Lambda) is a subset of PaaS that runs code in stateless compute containers with event-driven triggers, but the question explicitly mentions deploying a Python web application without managing load balancers or auto scaling groups, which is more directly aligned with PaaS (Elastic Beanstalk) rather than the function-as-a-service model of Serverless.

193
Matchingmedium

Match each AWS Well-Architected Framework pillar to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Run and monitor systems to deliver business value

Protect data, systems, and assets

Recover from failures and meet demand

Use computing resources efficiently

Avoid unnecessary costs

Why these pairings

The five pillars guide architectural best practices.

194
MCQmedium

A financial analytics company runs a mission-critical application in its on-premises data center. The application must replicate large volumes of market data to Amazon S3 in real time. The company requires a dedicated, private network connection with consistent low latency and high throughput. The connection must not traverse the public internet. Which AWS service should the company use to meet these requirements?

A.AWS Site-to-Site VPN
B.AWS Direct Connect
C.Amazon VPC peering
D.AWS Transit Gateway
AnswerB

AWS Direct Connect provides a dedicated, private physical link from an on-premises data center to AWS, ensuring low latency, high throughput, and no traversal of the public internet.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the public internet. This ensures consistent low latency and high throughput, which is essential for replicating large volumes of market data in real time. The connection uses industry-standard 802.1Q VLANs and can be provisioned at speeds up to 100 Gbps, meeting the requirement for a private, high-performance link.

Exam trap

The trap here is that candidates confuse AWS Site-to-Site VPN as a private connection because it is encrypted, but it still traverses the public internet and lacks the dedicated, low-latency characteristics of Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN uses the public internet to establish encrypted tunnels (IPsec), which introduces variable latency and throughput, and does not provide a dedicated private connection. Option C is wrong because Amazon VPC peering connects two VPCs within the AWS cloud, not an on-premises data center to AWS, and it cannot extend to on-premises environments. Option D is wrong because AWS Transit Gateway is a network transit hub that connects VPCs and on-premises networks via VPN or Direct Connect, but it is not a direct connection service itself; it requires an underlying connection like Direct Connect to meet the dedicated private link requirement.

195
MCQmedium

A company wants to use AWS for disaster recovery but wants to minimize costs. They only need backups of their data, with recovery taking several hours if disaster strikes. Which DR strategy requires the least investment?

A.Pilot Light
B.Warm Standby
C.Backup and Restore
D.Multi-Site Active/Active
AnswerC

Backup and Restore has the lowest cost — only backup storage (S3/Glacier) is paid during normal operations, with no running infrastructure. RTO is hours but cost is minimal.

Why this answer

The Backup and Restore strategy (Option C) requires the least investment because it involves periodically copying data to low-cost storage like Amazon S3 (including S3 Glacier for archival) and only restoring infrastructure when needed. This approach has the highest Recovery Time Objective (RTO) and Recovery Point Objective (RPO), often measured in hours, which aligns with the requirement of minimizing costs while tolerating several hours for recovery.

Exam trap

The trap here is that candidates often confuse 'least investment' with 'fastest recovery,' leading them to choose Pilot Light or Warm Standby, but the question explicitly prioritizes minimizing costs over recovery speed, making Backup and Restore the correct choice despite its longer RTO.

How to eliminate wrong answers

Option A (Pilot Light) is wrong because it requires maintaining a minimal, pre-provisioned copy of the core infrastructure (e.g., a small EC2 instance running critical services) that can be scaled up during a disaster, incurring ongoing costs for that running environment. Option B (Warm Standby) is wrong because it involves running a scaled-down but fully functional version of the production environment (e.g., a smaller EC2 Auto Scaling group) that is always on, leading to higher continuous costs than Backup and Restore. Option D (Multi-Site Active/Active) is wrong because it requires running full production capacity in two or more AWS Regions simultaneously, with traffic routing via Route 53, resulting in the highest cost due to duplicate infrastructure and data replication.

196
MCQeasy

A company wants to run a MySQL database on AWS. They require full control over the operating system, MySQL version selection, storage layout, and network configuration. Which cloud service model provides this level of control?

A.Software as a Service (SaaS)
B.Platform as a Service (PaaS)
C.Infrastructure as a Service (IaaS)
D.Function as a Service (FaaS)
AnswerC

IaaS gives customers control over the OS, storage, and deployed applications while AWS manages the physical hardware and virtualisation. Running MySQL on an EC2 instance where the customer selects and patches the OS and controls the MySQL installation is classic IaaS.

Why this answer

C is correct because Infrastructure as a Service (IaaS) provides virtualized computing resources over the internet, giving the customer full control over the operating system, database software (including MySQL version selection), storage layout (e.g., instance store vs. EBS volumes), and network configuration (e.g., VPC, subnets, security groups). This is the only service model that allows you to manage the underlying OS and database stack directly, similar to running a physical server.

Exam trap

The trap here is that candidates often confuse Amazon RDS (a PaaS offering) with full control, but RDS does not allow OS access, custom MySQL version selection outside supported versions, or direct storage layout control, making IaaS the only correct choice for the stated requirements.

How to eliminate wrong answers

Option A is wrong because Software as a Service (SaaS) delivers a fully managed application (e.g., Amazon RDS for MySQL in a managed form) where the provider controls the OS, database version, and infrastructure, and the customer only interacts with the database via SQL, not the underlying OS or storage. Option B is wrong because Platform as a Service (PaaS) provides a managed platform (e.g., Amazon RDS) that abstracts away OS access, MySQL version selection is limited to supported versions, and storage layout and network configuration are largely predefined by the provider. Option D is wrong because Function as a Service (FaaS) (e.g., AWS Lambda) is designed for stateless, event-driven code execution with no persistent storage or OS-level control, and cannot run a MySQL database directly.

197
MCQmedium

A company is planning to migrate its on-premises data center to AWS. The Chief Financial Officer wants to compare the total cost of ownership (TCO) of the current on-premises infrastructure against running equivalent workloads on AWS. The company needs a tool that allows them to input details about their existing servers, storage, and network usage to generate a detailed cost comparison report. Which AWS tool should the company use to meet this requirement?

A.AWS Pricing Calculator
B.AWS Total Cost of Ownership (TCO) Calculator
C.AWS Budgets
D.AWS Cost Explorer
AnswerB

The AWS TCO Calculator is specifically designed to compare the costs of an existing on-premises environment against running equivalent workloads on AWS. It provides a detailed cost comparison report based on user-provided inputs about servers, storage, network, and other operational costs.

Why this answer

The AWS Total Cost of Ownership (TCO) Calculator is specifically designed to compare the costs of on-premises infrastructure with AWS by allowing users to input details about their existing servers, storage, and network usage. It generates a detailed report that highlights potential savings from migrating to AWS, directly addressing the CFO's requirement for a cost comparison.

Exam trap

The trap here is that candidates confuse the AWS Pricing Calculator (which estimates future AWS costs) with the TCO Calculator (which compares existing on-premises costs to AWS), leading them to select Option A when the question explicitly requires a comparison report.

How to eliminate wrong answers

Option A is wrong because the AWS Pricing Calculator is used to estimate the cost of AWS services based on usage assumptions, but it does not accept inputs about existing on-premises infrastructure or generate a comparison report against current TCO. Option C is wrong because AWS Budgets is a tool for setting cost thresholds and monitoring actual spend against budgets, not for comparing on-premises versus cloud costs.

198
MCQeasy

Which AWS Support plan provides 24/7 phone and chat access to Cloud Support Engineers with a 1-hour response time for production system outages?

A.Developer Support
B.Basic Support
C.Business Support
D.Enterprise On-Ramp
AnswerC

Business Support includes 24/7 phone and chat access to Cloud Support Engineers with a 1-hour response for production system outages — the minimum plan for business-critical workloads.

Why this answer

The Business Support plan is the correct answer because it provides 24/7 phone and chat access to Cloud Support Engineers with a 1-hour response time for production system outages. This plan is designed for production workloads and offers a higher level of support than Developer or Basic plans, with faster response times for critical issues.

Exam trap

The trap here is that candidates often confuse the 1-hour response time for production outages with the Enterprise On-Ramp plan, which actually offers a 30-minute response, or they mistakenly think Developer Support includes 24/7 phone access for critical issues.

How to eliminate wrong answers

Option A is wrong because the Developer Support plan does not include 24/7 phone access; it only provides email support during business hours with a 1-hour response time for only system impaired issues, not production outages. Option B is wrong because the Basic Support plan offers only account and billing support with no technical support, no phone or chat access, and no defined response times for production outages. Option D is wrong because the Enterprise On-Ramp plan, while it includes 24/7 phone and chat access, has a 30-minute response time for production outages, not 1 hour, and is targeted at customers transitioning to Enterprise support.

199
MCQmedium

A company has 50 IAM users in a single AWS account. The security policy requires that every IAM user must have a virtual MFA device enabled for AWS Management Console access. The company wants to automatically detect any user who disables or has an inactive MFA device and immediately revoke that user's ability to access AWS resources by disabling their access keys. The solution must be fully managed, require no custom scripts, and use native AWS services. Which AWS service should the company use to define the compliance rule and automatically trigger the remediation action?

A.AWS Config
B.AWS Shield
C.AWS CloudTrail
D.AWS WAF
AnswerA

AWS Config offers managed rules like 'iam-user-mfa-enabled' to check MFA compliance. It can automatically trigger a remediation action (e.g., disabling access keys) when a noncompliant user is detected, meeting the requirement for a fully managed solution without custom scripts.

Why this answer

AWS Config is the correct service because it provides managed rules (such as the `iam-user-mfa-enabled` managed rule) that continuously evaluate IAM user configurations against compliance policies. When a user disables or has an inactive virtual MFA device, AWS Config can detect the non-compliant resource and automatically trigger a remediation action via AWS Systems Manager Automation, which can disable the user's access keys without any custom scripts.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging and monitoring capabilities with AWS Config's compliance evaluation and remediation features, mistakenly thinking that CloudTrail can automatically enforce security policies when it only records events for analysis.

How to eliminate wrong answers

Option B (AWS Shield) is wrong because it is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS, and it has no capability to evaluate IAM user MFA status or perform access key remediation. Option C (AWS CloudTrail) is wrong because it is a service for logging API calls and user activity for auditing and governance, but it does not define compliance rules or automatically trigger remediation actions; it only records events that can be used for manual or separate automated analysis.

200
MCQmedium

Which AWS concept describes the practice of tracking and managing costs using software engineering principles — such as tagging, automation, and real-time visibility — to enable engineers and teams to make cost-aware decisions?

A.Total Cost of Ownership (TCO)
B.Cloud Financial Management (FinOps)
C.Reserved Instance optimization
D.Cost Avoidance
AnswerB

FinOps is the practice of managing cloud costs with engineering rigor — real-time visibility, allocation, optimization, and a cultural shift where cost becomes a first-class engineering concern.

Why this answer

Cloud Financial Management (FinOps) is the correct answer because it specifically refers to the practice of applying software engineering principles—such as tagging resources, automating cost controls, and providing real-time cost visibility—to manage cloud spending. This enables engineers and teams to make cost-aware decisions during development and operations, aligning with the question's description.

Exam trap

The trap here is that candidates confuse 'Cloud Financial Management (FinOps)' with 'Total Cost of Ownership (TCO)' because both involve cost analysis, but TCO is a static comparison metric while FinOps is an active, iterative practice with automation and tagging.

How to eliminate wrong answers

Option A is wrong because Total Cost of Ownership (TCO) is a financial estimate used to compare the direct and indirect costs of a cloud solution versus on-premises infrastructure, not a practice for ongoing cost management with tagging and automation. Option C is wrong because Reserved Instance optimization is a specific cost-saving strategy that involves purchasing reserved capacity for predictable workloads, not a broad framework for applying software engineering principles to cost management. Option D is wrong because Cost Avoidance refers to actions taken to prevent future costs (e.g., right-sizing resources), but it is not a comprehensive practice that includes real-time visibility, tagging, and automation as core components.

201
MCQeasy

Which statement about AWS pricing is accurate?

A.AWS prices are fixed and never change
B.AWS offers pay-as-you-go pricing with volume discounts as usage grows
C.AWS requires annual contracts for all services
D.Data transfer into AWS from the internet is the largest AWS cost component
AnswerB

AWS charges only for what you use (On-Demand), and many services offer tiered pricing where per-unit costs decrease as usage volume increases.

Why this answer

AWS pricing is accurate as pay-as-you-go with volume discounts because customers only pay for the resources they consume, and as usage increases, tiered pricing or volume-based discounts (e.g., AWS Lambda's per-request pricing or S3's storage tiers) automatically reduce the per-unit cost. This model eliminates upfront commitments and aligns cost with actual consumption, which is a core AWS pricing philosophy.

Exam trap

The trap here is that candidates often assume AWS requires long-term contracts or that inbound data transfer is a major cost, but AWS explicitly makes inbound data transfer free to encourage migration, and pay-as-you-go with volume discounts is the foundational pricing model tested in CLF-C02.

How to eliminate wrong answers

Option A is wrong because AWS prices are not fixed; they can change over time (e.g., price reductions for services like EC2 or S3) and vary by region, and AWS frequently introduces new pricing models like Savings Plans. Option C is wrong because AWS does not require annual contracts for all services; most services operate on a pay-as-you-go basis, and while Reserved Instances or Savings Plans offer discounts for 1- or 3-year commitments, they are optional, not mandatory. Option D is wrong because data transfer into AWS from the internet is typically free; the largest cost components are usually compute (e.g., EC2 instances), storage (e.g., S3), and data transfer out to the internet, not inbound transfer.

202
MCQmedium

A company needs to store database passwords and API keys used by their applications, with automatic rotation and audit logging of access. Which AWS service is purpose-built for this?

A.AWS Systems Manager Parameter Store
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.Amazon S3 with bucket policies
AnswerC

Secrets Manager stores, retrieves, and automatically rotates secrets with native RDS integration, IAM-based access control, and CloudTrail audit logging.

Why this answer

AWS Secrets Manager is purpose-built for securely storing, automatically rotating, and auditing access to database passwords, API keys, and other secrets. It natively supports automatic rotation with built-in integrations for Amazon RDS, Redshift, and DocumentDB, and it logs every secret access call in AWS CloudTrail for audit compliance.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation and audit logging.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store is a hierarchical store for configuration data and secrets, but it does not support automatic rotation of secrets natively (you must build custom rotation logic with Lambda). Option B is wrong because AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys, not for storing or rotating secrets like passwords or API keys. Option D is wrong because Amazon S3 with bucket policies is an object storage service that can store encrypted files but lacks built-in secret rotation, automatic expiration, or native audit logging of secret access events.

203
MCQmedium

A company runs mixed workloads on AWS — some on EC2, some on Lambda, and some on Fargate — and wants to commit to a consistent hourly spend on compute to receive discounts similar to Reserved Instances, but with the flexibility to apply those discounts across different compute services and instance types. Which purchasing option provides this flexibility?

A.Reserved Instances
B.Spot Instances
C.Savings Plans
D.Dedicated Hosts
AnswerC

Compute Savings Plans apply discounts on any combination of EC2 instances, Lambda, and Fargate compute spend in exchange for committing to a minimum hourly usage. This provides RI-level discounts with cross-service flexibility.

Why this answer

Savings Plans (C) offer the flexibility to commit to a consistent hourly spend (e.g., $10/hour) and automatically apply the discount across EC2 instances, AWS Lambda, and AWS Fargate usage, regardless of instance family, size, OS, or region. This matches the requirement for a Reserved Instance-like discount with cross-service and cross-instance flexibility, which Reserved Instances cannot provide because they are tied to a specific instance family and region.

Exam trap

The trap here is that candidates often confuse Reserved Instances with Savings Plans, assuming RIs also provide cross-service flexibility, but RIs are locked to a specific instance family and region, whereas Savings Plans (especially Compute Savings Plans) offer the broadest flexibility across EC2, Lambda, and Fargate.

How to eliminate wrong answers

Option A is wrong because Reserved Instances require a commitment to a specific instance family (e.g., m5.large) in a specific region and do not automatically apply discounts to Lambda or Fargate usage. Option B is wrong because Spot Instances offer no commitment or guaranteed discount; they provide variable pricing based on spare capacity and can be terminated at any time, not a consistent hourly spend discount. Option D is wrong because Dedicated Hosts provide physical servers dedicated to your use, but they do not offer a flexible discount across compute services; they are a capacity and licensing solution, not a pricing commitment model.

204
MCQmedium

A company hosts a web application on an Application Load Balancer in the us-east-1 AWS Region. Users are distributed across North America, Europe, and Asia. The company wants to improve application performance and availability for global users by using the AWS global network. The solution must provide two static anycast IP addresses that do not change over time and automatically route incoming traffic to the nearest healthy endpoint in the region. Which AWS service should the company use?

A.Amazon CloudFront with the Application Load Balancer configured as a custom origin
B.AWS Global Accelerator with the Application Load Balancer configured as an endpoint
C.Amazon Route 53 with latency-based routing policy
D.Amazon S3 Transfer Acceleration
AnswerB

AWS Global Accelerator provides two static anycast IP addresses that act as a fixed entry point. It uses the AWS global network to route traffic over UDP and TCP to the nearest healthy endpoint (e.g., an Application Load Balancer). This improves performance by reducing internet latency and provides automatic failover. The solution meets all the requirements: static IPs, global network routing, and health-based routing.

Why this answer

AWS Global Accelerator provides two static anycast IP addresses that serve as fixed entry points to the application. It uses the AWS global network to route traffic to the nearest healthy Application Load Balancer endpoint in us-east-1, automatically rerouting in case of endpoint failure. This meets the requirement for static IPs and performance improvement via the AWS backbone.

Exam trap

The trap here is confusing CloudFront's edge caching with Global Accelerator's static IP and anycast routing; candidates often pick CloudFront because it also improves performance, but it does not provide fixed anycast IP addresses that remain unchanged over time.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront does not provide static anycast IP addresses; it uses a DNS-based distribution of edge locations and the IP addresses can change over time. Option C is wrong because Amazon Route 53 with latency-based routing does not provide static anycast IP addresses; it relies on DNS resolution, which can be cached and does not offer fixed IPs, and it does not provide automatic failover at the IP layer like Global Accelerator does.

205
MCQmedium

A company must store sensitive financial records in Amazon S3. The compliance policy mandates that the encryption key for data at rest must be generated and stored on the company's own on-premises hardware security module (HSM). The company must never allow AWS to have access to the plaintext encryption key. Which Amazon S3 encryption option should the company use?

A.Server-Side Encryption with S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS Key Management Service (SSE-KMS) using a customer managed key
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-side encryption using the AWS Encryption SDK
AnswerC

SSE-C allows you to provide your own encryption key with each request to S3. S3 uses the key to encrypt data but does not store the key. This meets the requirement that the company manages the key on-premises and AWS never has access to the plaintext key.

Why this answer

SSE-C allows the customer to provide their own encryption key, which is used by S3 to encrypt data at rest. AWS temporarily stores the key in memory during the encryption/decryption process but immediately discards it after use, and the key is never stored persistently on AWS infrastructure. This satisfies the compliance requirement that the key must be generated and stored on the company's own on-premises HSM, and AWS never has access to the plaintext key.

Exam trap

The trap here is that candidates often confuse SSE-KMS with customer managed keys as meeting the 'customer-controlled key' requirement, but they overlook the fact that AWS KMS still stores the key material and has access to it for decryption operations, which fails the 'never allow AWS to have access to the plaintext encryption key' condition.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses AWS-managed keys, where AWS generates, stores, and manages the encryption keys entirely within its infrastructure, violating the requirement that the key must be generated and stored on the company's own on-premises HSM. Option B is wrong because SSE-KMS with a customer managed key still stores the key material within AWS KMS (even if you control key policies and rotation), and AWS has access to the plaintext key material for cryptographic operations, which does not meet the requirement that AWS must never have access to the plaintext encryption key.

206
MCQmedium

A company has bring-your-own-license (BYOL) server software that is licensed per physical CPU socket. They need to run this software on AWS and require visibility into and control over the physical host their instances run on. Which EC2 option meets this requirement?

A.On-Demand Instances
B.Reserved Instances
C.Dedicated Instances
D.Dedicated Hosts
AnswerD

Dedicated Hosts provide physical servers fully dedicated to a single customer with full visibility into the number of sockets and physical cores. This is required for per-socket or per-core BYOL software licensing compliance.

Why this answer

Dedicated Hosts provide you with a physical server fully dedicated to your use, allowing you to see and control the physical host's CPU sockets and cores. This is essential for bring-your-own-license (BYOL) software that is licensed per physical CPU socket, as you must ensure compliance with the license terms by managing the exact hardware configuration.

Exam trap

The trap here is confusing Dedicated Instances with Dedicated Hosts, as both provide hardware isolation, but only Dedicated Hosts give you visibility into and control over the physical host's socket count and placement for per-socket licensing compliance.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances run on shared hardware where you have no visibility or control over the underlying physical host, making it impossible to comply with per-socket licensing. Option B is wrong because Reserved Instances are a billing discount model applied to On-Demand or Dedicated Instances, but they do not provide any physical host visibility or control. Option C is wrong because Dedicated Instances run on hardware dedicated to a single customer but still do not give you control over which physical host is used or visibility into its socket count, which is required for per-socket licensing.

207
MCQmedium

A healthcare company stores sensitive patient data in Amazon S3. The company must comply with a regulation that requires encryption keys to be rotated automatically every 12 months. The security team also needs to use IAM policies to control which users and roles can decrypt specific S3 objects. Which encryption solution should the company use for the S3 objects?

A.Server-side encryption with customer-provided keys (SSE-C)
B.Server-side encryption with AWS KMS managed keys (SSE-KMS) using a customer managed key
C.Client-side encryption using the AWS Encryption SDK
D.Server-side encryption with Amazon S3 managed keys (SSE-S3)
AnswerB

SSE-KMS with a customer managed key allows the company to define IAM and key policies for granular access control. AWS KMS can automatically rotate the key annually (configurable), satisfying the regulation. This is the correct solution.

Why this answer

SSE-KMS with a customer managed key is correct because it allows automatic key rotation every 12 months (configurable via the AWS KMS console) and enables fine-grained access control through IAM policies and key policies. This meets both the regulatory rotation requirement and the security team's need to control decryption of specific S3 objects.

Exam trap

The trap here is that candidates often confuse SSE-S3's automatic key management (which rotates keys but not on a customer-defined schedule) with the automatic rotation and IAM control provided only by SSE-KMS with a customer managed key.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to manage and rotate the encryption keys manually, not automatically every 12 months. Option C is wrong because client-side encryption with the AWS Encryption SDK encrypts data before it reaches S3, so decryption is controlled by the client application, not by IAM policies on S3 objects. Option D is wrong because SSE-S3 uses AWS-managed keys that cannot be rotated on a customer-defined schedule and do not support IAM-based access control for decryption of individual objects.

208
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to serve traffic over HTTPS to encrypt data in transit between clients and the ALB. The security team requires that the SSL/TLS certificate be automatically renewed before expiration and that AWS manage the entire certificate lifecycle. The company does not want to manually upload or manage private keys. Which AWS service should the company use to meet these requirements?

A.AWS Certificate Manager (ACM)
B.AWS Secrets Manager
C.AWS Identity and Access Management (IAM)
D.AWS Key Management Service (KMS)
AnswerA

ACM is the correct choice. It automates the provisioning, deployment, and renewal of SSL/TLS certificates for use with AWS services such as ALB, CloudFront, and API Gateway. ACM handles the full certificate lifecycle and keeps private keys secure.

Why this answer

AWS Certificate Manager (ACM) is the correct choice because it integrates directly with Application Load Balancers to provision, deploy, and automatically renew SSL/TLS certificates. ACM manages the entire certificate lifecycle, including private key generation and storage, without requiring manual intervention. This meets the security team's requirement for automatic renewal and AWS-managed certificate lifecycle.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager or KMS with certificate management, but neither service handles SSL/TLS certificate issuance or automatic renewal for load balancers; ACM is the only service that provides fully managed certificate lifecycle for ALB HTTPS termination.

How to eliminate wrong answers

Option B (AWS Secrets Manager) is wrong because it is designed to securely store and rotate database credentials, API keys, and other secrets, not to issue or manage SSL/TLS certificates for HTTPS termination on an ALB. Option C (AWS Identity and Access Management) is wrong because IAM is used for managing user permissions and access control, not for certificate provisioning or lifecycle management; while IAM can store server certificates for use with Classic Load Balancers, it does not support automatic renewal and requires manual private key upload. Option D (AWS Key Management Service) is wrong because KMS is a managed service for creating and controlling encryption keys used to encrypt data at rest, not for SSL/TLS certificates used for data in transit.

209
MCQmedium

A company uses multiple AWS accounts managed under AWS Organizations. Which service allows them to share Reserved Instance discounts and Savings Plans across all accounts in the organization?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Organizations with consolidated billing
D.AWS Cost and Usage Report
AnswerC

Consolidated billing in Organizations automatically shares RI and Savings Plans discounts across all member accounts, maximizing discount utilization at the organization level.

Why this answer

AWS Organizations with consolidated billing enables you to aggregate usage across all member accounts, allowing Reserved Instance (RI) discounts and Savings Plans to be shared. This means that unused capacity from one account can be applied to reduce costs in another account within the same organization, maximizing overall savings.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer or AWS Budgets with cost management features that actually share discounts, but only consolidated billing within AWS Organizations provides the aggregation needed for discount sharing.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization tool for analyzing cost and usage data, not a mechanism for sharing discounts or billing benefits. Option B is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts, but it does not enable the sharing of RI discounts or Savings Plans across accounts. Option D is wrong because the AWS Cost and Usage Report provides detailed billing data for analysis and reporting, but it does not facilitate the sharing of discounts or savings across accounts.

210
MCQhard

According to the AWS Well-Architected Framework, which design principle is most closely associated with the recommendation to 'stop spending money on undifferentiated heavy lifting'?

A.Design for failure
B.Use managed services to reduce operational burden
C.Implement least-privilege access controls
D.Automate infrastructure provisioning
AnswerB

Using managed services (databases, message queues, ML platforms) transfers undifferentiated infrastructure management to AWS, freeing engineering resources for differentiating business features.

Why this answer

The AWS Well-Architected Framework's principle of 'stop spending money on undifferentiated heavy lifting' directly advocates for using managed services to offload operational tasks like patching, scaling, and hardware maintenance. By leveraging services such as Amazon RDS (instead of self-managed databases) or AWS Lambda (instead of managing servers), you reduce the operational burden and focus on business differentiation. This aligns with the Operational Excellence pillar's goal of minimizing manual overhead.

Exam trap

The trap here is that candidates confuse 'automation' (Option D) with 'managed services,' but automation still requires you to manage the underlying infrastructure (e.g., patching EC2 instances), whereas managed services offload that entire responsibility to AWS.

How to eliminate wrong answers

Option A is wrong because 'Design for failure' is a principle of the Reliability pillar, focusing on building resilient architectures (e.g., multi-AZ deployments, health checks), not on reducing operational overhead from undifferentiated tasks. Option C is wrong because 'Implement least-privilege access controls' is a Security pillar best practice for minimizing attack surface via IAM policies, not a cost or operational efficiency concept. Option D is wrong because 'Automate infrastructure provisioning' (e.g., using AWS CloudFormation or Terraform) reduces manual effort but still requires managing the underlying infrastructure; it does not eliminate the undifferentiated heavy lifting of patching, scaling, and hardware maintenance that managed services address.

211
MCQmedium

A company traditionally operated an on-premises data center and purchased all server hardware and software licenses with upfront capital expenditure. After migrating its workloads to AWS, the company now receives a monthly invoice that reflects only the compute hours, storage, and data transfer that it actually used. The company can also stop paying for resources when they are no longer needed. Which key characteristic of cloud computing does this scenario best illustrate?

A.Elasticity
B.Pay-as-you-go pricing (variable expense)
C.Global reach
D.Security
AnswerB

This is correct. The scenario describes transitioning from a CAPEX model (buying hardware upfront) to an OPEX model where the company pays only for the resources it actually uses each month. This is the 'pay-as-you-go' characteristic of cloud computing, which avoids large upfront investments and matches costs to usage.

Why this answer

The scenario describes a shift from upfront capital expenditure (buying hardware and licenses) to a model where the company pays only for the compute hours, storage, and data transfer it actually uses, and can stop paying when resources are no longer needed. This directly illustrates the pay-as-you-go pricing characteristic of cloud computing, where costs are variable expenses based on consumption rather than fixed, upfront investments. This model is a fundamental aspect of AWS's pricing philosophy, enabling customers to align costs directly with usage.

Exam trap

The trap here is that candidates may confuse the ability to stop paying for unused resources with elasticity, but the question specifically highlights the shift from upfront capital expenditure to a variable expense model, which is the defining characteristic of pay-as-you-go pricing.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down in response to demand, not to the billing model of paying only for what you use. While the scenario mentions stopping payment for unused resources, the core illustration is about the shift from capital expenditure to variable expense, not the dynamic scaling behavior. Option C is wrong because global reach describes the ability to deploy resources in multiple geographic regions around the world, which is not mentioned or implied in the scenario about billing and cost structure changes.

212
MCQmedium

A company hosts a web application behind an Application Load Balancer (ALB) in AWS. The application must comply with a security policy requiring TLS encryption for all traffic between users and the ALB. The company wants to automate the renewal of TLS certificates and avoid manual certificate management. Which AWS service should the company use to provision and automatically renew the certificates?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerA

Correct. ACM is the AWS service designed to provision, manage, and automatically renew SSL/TLS certificates for use with AWS services like ALB, CloudFront, and API Gateway.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it integrates directly with Application Load Balancers to provision and automatically renew TLS certificates, eliminating manual certificate management. ACM handles the entire certificate lifecycle, including renewal, which is essential for maintaining TLS encryption compliance without operational overhead.

Exam trap

The trap here is that candidates may confuse AWS Certificate Manager with AWS Secrets Manager or KMS, thinking any 'management' service can handle certificate renewal, but only ACM is purpose-built for provisioning and automatic renewal of TLS certificates for AWS services like ALB, CloudFront, and API Gateway.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for managing TLS certificates or their automatic renewal. Option C (AWS Secrets Manager) is wrong because it is designed to rotate and manage secrets like database credentials or API keys, not to provision or automatically renew TLS certificates for use with an ALB.

213
MCQmedium

Which AWS service provides a managed graph database for use cases like social networks, recommendation engines, and fraud detection?

A.Amazon DynamoDB
B.Amazon Neptune
C.Amazon RDS
D.Amazon Redshift
AnswerB

Neptune is purpose-built for graph workloads, supporting property graph (Gremlin/openCypher) and RDF (SPARQL) data models with optimized graph traversal performance.

Why this answer

Amazon Neptune is a fully managed graph database service optimized for storing and querying highly connected datasets. It supports both property graph (using Apache TinkerPop Gremlin) and RDF (using SPARQL) models, making it ideal for use cases like social networks, recommendation engines, and fraud detection that require traversing complex relationships.

Exam trap

The trap here is that candidates often confuse Amazon DynamoDB (a NoSQL database) with graph databases because both are non-relational, but DynamoDB lacks native graph traversal capabilities and is unsuitable for relationship-heavy queries like those in social networks or fraud detection.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a key-value and document NoSQL database, not a graph database; it lacks native graph traversal capabilities and is optimized for simple key-based lookups rather than relationship-heavy queries. Option C is wrong because Amazon RDS is a relational database service supporting SQL-based engines (e.g., MySQL, PostgreSQL), which are not designed for efficient graph traversal and require complex joins for connected data. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries on structured data, not for graph-based relationship modeling or real-time traversal.

214
MCQeasy

A company is setting up their AWS account for the first time. What security action should they take immediately after creating the account?

A.Create IAM users for all employees immediately
B.Enable MFA on the root account and create an IAM admin user for daily operations
C.Create root access keys for programmatic access
D.Enable AWS Config in all regions
AnswerB

Enabling MFA on root prevents unauthorized root access even if the password is compromised. Creating an IAM admin user allows daily operations without ever logging in as root.

Why this answer

Option B is correct because the root user has unrestricted access to the AWS account, and enabling Multi-Factor Authentication (MFA) on the root account adds a critical second layer of security to prevent unauthorized access. Creating an IAM admin user for daily operations follows the principle of least privilege, ensuring that routine administrative tasks are performed using IAM roles or users with controlled permissions, rather than the highly privileged root user. This is a foundational security best practice recommended by AWS immediately after account creation.

Exam trap

The trap here is that candidates may think creating IAM users for all employees (Option A) is the immediate priority, but the exam tests the understanding that securing the root account with MFA and creating a single IAM admin user for daily operations is the first and most critical security step, not mass user creation.

How to eliminate wrong answers

Option A is wrong because creating IAM users for all employees immediately is premature and insecure; the first step should be to secure the root account and establish an administrative IAM user, not to create users for everyone without a proper identity and access management strategy. Option C is wrong because creating root access keys for programmatic access is a severe security risk; root access keys provide unrestricted, long-term credentials that cannot be rotated or scoped, and AWS strongly advises against using root access keys for any purpose. Option D is wrong because enabling AWS Config in all regions is not an immediate security action; AWS Config is a governance and compliance service that tracks resource configuration changes, and while valuable, it should be configured after establishing basic identity security and access controls.

215
MCQmedium

A company has deployed a customer relationship management (CRM) application on AWS. Sales representatives use the application from their office laptops, company-issued tablets, and personal smartphones. They access the application securely through a web browser using HTTPS from any location, including client sites and home offices. This capability is an example of which essential characteristic of cloud computing?

A.Rapid elasticity
B.Measured service
C.Broad network access
D.Resource pooling
AnswerC

Broad network access enables cloud resources to be accessed over the network via standard protocols (e.g., HTTPS) from a wide range of client devices such as laptops, tablets, and smartphones. The sales representatives accessing the CRM application from multiple device types and locations directly demonstrates this characteristic.

Why this answer

Broad network access is the correct answer because the scenario describes the ability to access the CRM application from various devices (laptops, tablets, smartphones) over the network using standard protocols (HTTPS). This aligns with the NIST definition of broad network access, which states that capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.

Exam trap

The trap here is that candidates often confuse broad network access with rapid elasticity because both involve 'access from anywhere' or 'scalability,' but the key distinction is that broad network access is about device and protocol heterogeneity, not automatic scaling.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically and quickly scale resources up or down based on demand, such as adding more EC2 instances during peak traffic; the scenario does not mention any scaling or dynamic provisioning of resources. Option B is wrong because measured service involves monitoring, controlling, and reporting resource usage for billing and optimization (e.g., AWS CloudWatch metrics and billing reports); the scenario focuses on access from multiple devices, not on metering or pay-per-use billing.

216
MCQmedium

A company hosts its website on a single Amazon EC2 instance in the us-east-1 Region. The website includes static assets such as images, CSS, and JavaScript files. Users in Europe and Asia report that the website loads slowly because the static assets must travel from the us-east-1 Region. The company wants to reduce latency for global users and decrease the load on the EC2 instance by serving static content from locations that are closer to the users. Which AWS service should the company use to meet these requirements?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 with latency-based routing
D.Amazon S3 Transfer Acceleration
AnswerA

Correct. CloudFront is a global CDN that caches static assets at edge locations, reducing latency and origin load.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets (images, CSS, JavaScript) at edge locations worldwide. By serving content from edge locations closer to users in Europe and Asia, CloudFront reduces latency and offloads requests from the origin EC2 instance, decreasing its load. This directly meets the requirements for global latency reduction and reduced EC2 load.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator (which optimizes network path but does not cache) with a CDN, or think Route 53 latency-based routing alone can serve content from edge locations, when in fact it only directs traffic to the same single origin.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves performance by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache static content at edge locations; it only optimizes TCP/UDP traffic flow, so it would not reduce load on the EC2 instance or serve static assets from locations closer to users. Option C (Amazon Route 53 with latency-based routing) is wrong because it only directs DNS queries to the EC2 instance with the lowest latency, but the static assets still originate from that single EC2 instance in us-east-1; it does not cache or replicate content, so it does not reduce the load on the instance or serve content from edge locations.

217
MCQmedium

A financial services company is preparing for an annual audit. The auditors have requested a copy of the AWS SOC 2 Type II report to verify the security controls of the AWS infrastructure that the company uses. The company's compliance officer needs to directly download this report from a trusted AWS source. Which AWS service should the compliance officer use to obtain the report?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.Amazon Inspector
AnswerB

AWS Artifact is the correct service. It is the go-to place for on-demand access to AWS compliance reports (e.g., SOC, PCI) and agreements. You can download the SOC 2 Type II report directly from AWS Artifact.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC 2 Type II reports, ISO certifications, and PCI DSS reports. The compliance officer can directly download the SOC 2 report from the AWS Artifact console or via the AWS Artifact API, ensuring the report comes from a trusted AWS source.

Exam trap

The trap here is that candidates often confuse AWS Artifact with AWS Config or Amazon Inspector, mistakenly thinking that configuration auditing or vulnerability scanning tools can provide compliance reports, when only AWS Artifact is designed to serve as the authoritative source for AWS compliance documentation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading compliance reports like SOC 2. Option C is wrong because AWS Trusted Advisor inspects your AWS environment to provide best-practice recommendations for cost, performance, security, and fault tolerance, but it does not provide downloadable compliance reports. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans workloads for software vulnerabilities and unintended network exposure, not a source for SOC 2 reports.

218
MCQeasy

Which AWS service provides managed Microsoft Windows file storage that supports SMB protocol, Active Directory integration, and Windows ACL permissions?

A.Amazon EFS
B.Amazon FSx for Windows File Server
C.Amazon S3
D.AWS Storage Gateway
AnswerB

FSx for Windows provides fully managed Windows file shares with SMB support, AD integration, shadow copies, and Windows ACLs — purpose-built for Windows workloads.

Why this answer

Amazon FSx for Windows File Server provides fully managed native Microsoft Windows file storage that supports the Server Message Block (SMB) protocol, integrates with Active Directory for identity-based access, and enforces Windows NTFS ACL permissions. This makes it the only AWS service designed specifically to offer these Windows-native features out of the box.

Exam trap

The trap here is that candidates often confuse Amazon EFS (which is NFS-based) with a Windows file share, or assume S3 can serve as a network drive via SMB, but neither supports the required Windows-specific protocols and permissions.

How to eliminate wrong answers

Option A is wrong because Amazon EFS uses the NFSv4 protocol (not SMB) and does not support Active Directory integration or Windows ACLs; it is designed for Linux-based workloads. Option C is wrong because Amazon S3 is an object storage service that uses RESTful APIs, not the SMB protocol, and does not natively support Active Directory authentication or Windows ACLs. Option D is wrong because AWS Storage Gateway provides hybrid storage connectivity (e.g., file gateway, volume gateway) but does not offer a fully managed, native Windows file server with SMB, Active Directory, and Windows ACL support; it is a gateway appliance, not a managed file system.

219
MCQmedium

A company operates 8 separate AWS accounts for different departments. They want to receive one consolidated monthly bill and benefit from combined usage discounts across all accounts for services like S3 and data transfer. Which AWS feature provides this?

A.AWS Cost Explorer across all accounts
B.AWS Organizations with consolidated billing
C.AWS Budgets across all accounts
D.AWS Support Plan upgrade to Enterprise tier
AnswerB

Consolidated billing in AWS Organizations combines usage from all member accounts into a single payer account. This aggregates usage for volume pricing tiers and produces one monthly invoice for all accounts.

Why this answer

AWS Organizations with consolidated billing allows you to combine usage across all accounts in the organization to receive a single monthly bill and aggregate usage for volume discounts on services like S3 and data transfer. This feature enables you to centrally manage billing and take advantage of tiered pricing based on combined usage, which is exactly what the company needs.

Exam trap

The trap here is that candidates often confuse cost management tools (Cost Explorer, Budgets) or support tiers with the actual billing consolidation feature, which is exclusively provided by AWS Organizations with consolidated billing.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing and analyzing cost and usage data, not for consolidating billing or combining usage discounts. Option C is wrong because AWS Budgets is used to set custom cost and usage budgets and receive alerts, not to consolidate billing or aggregate discounts. Option D is wrong because upgrading to an Enterprise Support plan provides technical support and a Technical Account Manager, but does not enable consolidated billing or combined usage discounts; that requires AWS Organizations.

220
MCQmedium

A company plans to migrate a three-tier web application to AWS. The application will run on Amazon EC2 instances, use an Amazon RDS database, and an Application Load Balancer. The CFO needs a detailed monthly cost estimate before migration. The solutions architect needs to model different instance types, storage sizes, and data transfer volumes, and then share the estimate with the finance team. Which AWS service should the solutions architect use to meet these requirements?

A.AWS Pricing Calculator
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Cost and Usage Report
AnswerA

Correct. The AWS Pricing Calculator allows users to estimate monthly costs for AWS services, model different configurations, and share estimate links with stakeholders. It is designed for pre-migration cost planning.

Why this answer

AWS Pricing Calculator allows the solutions architect to model different EC2 instance types, RDS storage sizes, and data transfer volumes to generate a detailed monthly cost estimate. It provides granular control over pricing assumptions, including reserved vs. on-demand instances, and produces a shareable estimate link for the finance team. This makes it the correct tool for pre-migration cost modeling.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer (a historical analysis tool) with AWS Pricing Calculator (a future estimation tool), or assume AWS Budgets can generate cost estimates when it only monitors and alerts on actual spend against predefined budgets.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it analyzes historical cost and usage data after resources have been deployed, not for estimating future costs before migration. Option C (AWS Budgets) is wrong because it sets cost thresholds and alerts on actual spending, not for creating detailed upfront cost estimates for planned architectures.

221
MCQmedium

A company is developing a microservices application on AWS. The application includes a front-end web tier and a backend order processing service. The front-end sends order requests to the backend, which may take several seconds to process. The company wants to ensure that the front-end does not wait for the backend to complete, and that no orders are lost if the backend service is temporarily unavailable. Which AWS service should the company use to decouple the front-end and backend?

A.Amazon ElastiCache
B.Amazon Simple Queue Service (SQS)
C.Amazon Route 53
D.Amazon CloudWatch
AnswerB

Amazon SQS is a message queuing service that decouples application components. It allows the front-end to send messages to a queue, which are then processed by the backend independently, ensuring no data loss and asynchronous processing.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed message queue that decouples the front-end and backend services. The front-end can send order requests to an SQS queue and immediately return a response, while the backend processes messages asynchronously. SQS also stores messages durably across multiple Availability Zones, ensuring no orders are lost even if the backend is temporarily unavailable.

Exam trap

The trap here is that candidates may confuse ElastiCache's in-memory caching with message queuing, mistakenly thinking it can buffer requests, but ElastiCache has no persistent storage or asynchronous delivery guarantees for decoupling services.

How to eliminate wrong answers

Option A is wrong because Amazon ElastiCache is an in-memory caching service (supporting Redis or Memcached) designed to reduce latency for read-heavy workloads, not to provide durable, asynchronous message queuing for decoupling services. Option C is wrong because Amazon Route 53 is a DNS and traffic management service that resolves domain names to IP addresses and routes end-user requests, but it does not store or buffer application messages between services.

222
MCQhard

A company's cloud finance team wants to implement cloud financial management (FinOps) on AWS. Which combination of AWS services provides the most comprehensive cost visibility, budgeting, and optimization capabilities?

A.AWS Cost Explorer only
B.CUR + Cost Explorer + Budgets + Cost Allocation Tags + Savings Plans
C.AWS Pricing Calculator + CloudWatch Billing Alarms
D.AWS Trusted Advisor only
AnswerB

This combination provides granular billing data (CUR), visual analysis (Cost Explorer), proactive alerting (Budgets), business attribution (tags), and commitment discounts (Savings Plans) — a comprehensive FinOps toolkit.

Why this answer

Option B is correct because it combines AWS Cost and Usage Reports (CUR) for granular cost data, Cost Explorer for visualization and analysis, Budgets for proactive alerts, Cost Allocation Tags for cost attribution, and Savings Plans for discounted rates. This integrated set provides end-to-end FinOps capabilities—visibility, budgeting, and optimization—that no single service or partial combination can achieve.

Exam trap

The trap here is that candidates often assume a single service (like Cost Explorer or Trusted Advisor) is sufficient for FinOps, but the exam requires recognizing that comprehensive cost management demands a suite of integrated services covering visibility, budgeting, and optimization.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer alone provides cost visualization and historical analysis but lacks proactive budgeting (no alerts) and optimization mechanisms (no Savings Plans or rightsizing recommendations). Option C is wrong because AWS Pricing Calculator is a pre-provisioning estimation tool, not a post-deployment cost management service, and CloudWatch Billing Alarms only trigger alerts on a single billing metric without offering cost analysis or optimization features. Option D is wrong because AWS Trusted Advisor provides best-practice checks (including cost optimization recommendations) but does not offer cost visibility dashboards, budgeting alerts, or the ability to track costs by tags or accounts.

223
MCQmedium

A company wants to purchase AWS support for their production environment. They need 24/7 phone support, a response time of less than 1 hour for critical issues, and access to Infrastructure Event Management. Which support plan provides all of these?

A.Business Support
B.Developer Support
C.Enterprise Support
D.Enterprise On-Ramp
AnswerC

Enterprise Support provides 15-minute response for critical issues (better than 1-hour), 24/7 phone access, a dedicated TAM, and IEM at no additional charge.

Why this answer

The Enterprise Support plan is the only AWS support plan that includes 24/7 phone support, a response time of less than 1 hour for critical cases, and Infrastructure Event Management (IEM). The Business Support plan offers 24/7 phone support and a 1-hour response for critical issues but does not include IEM. The Developer Support plan lacks 24/7 phone support and has a 12-hour response for critical issues.

The Enterprise On-Ramp plan includes IEM and a 1-hour response for critical issues but does not provide 24/7 phone support.

Exam trap

The trap here is that candidates often confuse the Business Support plan as sufficient because it meets the phone support and response time requirements, but they overlook that Infrastructure Event Management is exclusively available in the Enterprise and Enterprise On-Ramp plans, and only the Enterprise plan also provides 24/7 phone support.

How to eliminate wrong answers

Option A is wrong because the Business Support plan, while offering 24/7 phone support and a 1-hour response for critical issues, does not include Infrastructure Event Management (IEM). Option B is wrong because the Developer Support plan does not provide 24/7 phone support and has a 12-hour response time for critical issues, far exceeding the required 1-hour threshold. Option D is wrong because the Enterprise On-Ramp plan includes IEM and a 1-hour response for critical issues but does not offer 24/7 phone support, which is a specific requirement in the question.

224
MCQeasy

Which AWS feature provides personalized recommendations about your account's security and cost optimization, available at no cost for all AWS customers?

A.AWS Cost Explorer
B.AWS Trusted Advisor
C.AWS Personal Health Dashboard
D.Amazon CloudWatch
AnswerB

Trusted Advisor provides free best-practice recommendations for all customers (7 core checks), with all checks available for Business/Enterprise support customers.

Why this answer

AWS Trusted Advisor is the correct answer because it provides personalized recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. It is available at no additional cost for all AWS customers, with the basic checks included in the Free Tier and Basic Support plan, while more detailed checks require a Business or Enterprise Support plan.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor with AWS Cost Explorer or AWS Personal Health Dashboard, mistakenly thinking that cost optimization recommendations come from Cost Explorer or that security recommendations come from Personal Health Dashboard, when in fact Trusted Advisor uniquely combines both security and cost optimization advice in a single service.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing, understanding, and managing AWS costs and usage over time, but it does not provide security recommendations or personalized best-practice guidance across multiple categories like Trusted Advisor does. Option C is wrong because AWS Personal Health Dashboard provides alerts and remediation guidance for AWS service events that may affect your account, but it focuses on service health and incidents, not on security or cost optimization recommendations. Option D is wrong because Amazon CloudWatch is a monitoring and observability service for collecting metrics, logs, and setting alarms, but it does not generate personalized recommendations for security or cost optimization; it is primarily for operational monitoring.

225
MCQmedium

A company needs to run scheduled jobs that execute SQL queries on their Amazon RDS database every night. Which AWS service provides fully managed job scheduling without maintaining dedicated compute resources?

A.Amazon EC2 with cron jobs
B.AWS Lambda triggered by Amazon EventBridge Scheduler
C.Amazon ECS with scheduled tasks
D.AWS OpsWorks
AnswerB

EventBridge Scheduler invokes Lambda on a schedule without any persistent compute — Lambda runs the database query and terminates, with zero idle costs.

Why this answer

AWS Lambda triggered by Amazon EventBridge Scheduler is the correct choice because EventBridge Scheduler provides fully managed, serverless job scheduling that can invoke Lambda functions to execute SQL queries on Amazon RDS. This eliminates the need to provision or maintain any dedicated compute resources, as the scheduling and execution are handled entirely by AWS.

Exam trap

The trap here is that candidates may confuse 'fully managed job scheduling' with services like EC2 cron jobs or ECS scheduled tasks, overlooking that EventBridge Scheduler is the only option that requires zero compute resource management for this specific use case.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with cron jobs requires you to provision, patch, and manage a dedicated EC2 instance, which contradicts the requirement of 'without maintaining dedicated compute resources'. Option C is wrong because Amazon ECS with scheduled tasks still requires you to manage a cluster of EC2 instances (or use Fargate, which is serverless but not the simplest fully managed scheduling service for this use case) and involves container orchestration overhead. Option D is wrong because AWS OpsWorks is a configuration management service (based on Chef/Puppet) that manages EC2 instances and applications, not a simple scheduled job execution service, and it still requires maintaining compute resources.

Page 2

Page 3 of 14

Page 4