AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 226300

1024 questions total · 14pages · All types, answers revealed

Page 3

Page 4 of 14

Page 5
226
MCQmedium

A company runs an e-commerce website on Amazon EC2 instances behind an Application Load Balancer. The marketing team plans to run flash sales several times a year, which cause unpredictable but massive traffic spikes. The operations team wants the infrastructure to automatically add new EC2 instances when traffic increases and remove them when traffic decreases, without any manual intervention. Which cloud computing concept does this requirement MOST directly represent?

A.Elasticity
B.Scalability
C.High availability
D.Fault tolerance
AnswerA

Correct. Elasticity refers to the ability to automatically provision and de-provision resources in response to real-time demand. The described auto-scaling behavior that adds and removes EC2 instances during flash sales is the classic example of elasticity.

Why this answer

The requirement to automatically add EC2 instances during traffic spikes and remove them when traffic decreases directly represents elasticity. Elasticity is the ability to dynamically scale resources up or down based on real-time demand, which is precisely what the operations team needs for unpredictable flash sales. AWS Auto Scaling groups, integrated with the Application Load Balancer, automatically launch or terminate EC2 instances based on CloudWatch alarms (e.g., CPU utilization or request count), matching capacity to load without manual intervention.

Exam trap

The trap here is that candidates often confuse scalability (the ability to grow) with elasticity (the ability to both grow and shrink automatically), but the question explicitly requires automatic addition and removal of instances, which is the defining characteristic of elasticity.

How to eliminate wrong answers

Option B (Scalability) is wrong because scalability refers to the ability to handle increased load by adding resources, but it does not inherently include the ability to automatically remove resources when demand decreases; elasticity specifically includes both scaling up and scaling down. Option C (High availability) is wrong because high availability focuses on ensuring the system remains operational despite failures (e.g., using multiple Availability Zones), not on dynamically adjusting capacity in response to traffic changes. Option D (Fault tolerance) is wrong because fault tolerance is the ability of a system to continue functioning even when a component fails, which is unrelated to automatically adding or removing instances based on traffic spikes.

227
MCQmedium

A company stores sensitive financial data in Amazon S3. The company's security policy requires that all data be encrypted at rest using a key that the company creates and manages, with the ability to rotate the key annually. The company also needs an audit trail of when the key was used and by which AWS service. Which solution should the company use to meet these requirements?

A.Use server-side encryption with S3 managed keys (SSE-S3).
B.Use server-side encryption with AWS KMS customer managed keys (SSE-KMS).
C.Use server-side encryption with customer-provided keys (SSE-C).
D.Use client-side encryption with an AWS KMS managed key.
AnswerB

SSE-KMS with a customer managed key (CMK) allows the company to create, manage, and rotate the key. Key usage is logged in AWS CloudTrail, providing the required audit trail. This is the correct solution.

Why this answer

Option B is correct because SSE-KMS with a customer managed key (CMK) allows the company to create and manage its own encryption key, enable automatic annual key rotation via AWS KMS, and provides detailed CloudTrail audit logs of every KMS API call (e.g., Decrypt, GenerateDataKey) showing which AWS service or user used the key. This satisfies all stated requirements: customer-managed key, annual rotation, and audit trail.

Exam trap

The trap here is that candidates confuse SSE-S3's 'AWS managed' keys with customer managed keys, or assume SSE-C's customer-provided keys satisfy the 'create and manage' requirement, overlooking the need for annual rotation and audit trail capabilities.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, which the company cannot create, manage, or rotate on its own schedule, and it does not provide a per-key-use audit trail in CloudTrail. Option C is wrong because SSE-C requires the customer to provide their own encryption key with each request, the key is not stored or managed by AWS, and it does not support automatic annual rotation or provide an audit trail of key usage by AWS services.

228
MCQmedium

A development team accidentally deletes important files from an Amazon S3 bucket. The company wants to protect against accidental deletions and overwrites in the future, allowing recovery of previous versions of objects. Which S3 feature should they enable?

A.S3 Object Lock
B.S3 Cross-Region Replication
C.S3 Versioning
D.S3 Intelligent-Tiering
AnswerC

S3 Versioning maintains multiple versions of each object. A deletion adds a delete marker and keeps the previous versions, which can be restored. Overwrites create a new version without removing the old one.

Why this answer

S3 Versioning is the correct feature because it preserves every version of an object, including overwrites and deletions. When versioning is enabled, deleting an object only adds a delete marker, and previous versions remain recoverable. This directly addresses the requirement to protect against accidental deletions and overwrites by allowing restoration of earlier object versions.

Exam trap

The trap here is that candidates often confuse S3 Object Lock with versioning, thinking that locking objects prevents deletion entirely, but Object Lock only enforces retention periods and does not provide the ability to recover from accidental deletions or overwrites after they occur.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock prevents objects from being deleted or overwritten for a fixed retention period, but it does not inherently preserve multiple versions; it works with versioning to enforce write-once-read-many (WORM) compliance, not to recover from accidental deletions after the fact. Option B is wrong because S3 Cross-Region Replication asynchronously copies objects to a different AWS region for redundancy or compliance, but it does not protect against accidental deletions or overwrites in the source bucket; deletions and overwrites are replicated, so they cannot be recovered from the source alone. Option D is wrong because S3 Intelligent-Tiering automatically moves objects between access tiers to optimize storage costs based on changing access patterns; it has no capability to preserve or recover previous object versions.

229
MCQmedium

A company manages a web application that consists of Amazon EC2 instances, an Amazon RDS database, and an Amazon S3 bucket. The team deploys the application to separate development, test, and production environments. Currently, the team manually configures each environment, which has led to configuration drift and deployment errors. The company wants to define the entire infrastructure as code, store the definition in a version control system, and deploy it consistently across all environments with a single template. Which AWS service should the company use to meet these requirements?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerA

Correct. AWS CloudFormation is the dedicated Infrastructure as Code service that allows you to define and provision AWS resources using templates, enabling consistent and repeatable deployments across environments.

Why this answer

AWS CloudFormation is the correct choice because it enables you to define your entire infrastructure—including EC2 instances, RDS databases, and S3 buckets—as code in a JSON or YAML template. This template can be stored in a version control system and deployed consistently across development, test, and production environments using a single template, eliminating configuration drift and manual errors.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk's automated deployment and scaling capabilities with infrastructure-as-code provisioning, overlooking that CloudFormation provides the explicit, version-controlled template required for consistent multi-environment infrastructure management.

How to eliminate wrong answers

Option B is wrong because AWS Elastic Beanstalk is a Platform as a Service (PaaS) that automates application deployment and scaling but does not provide a single template to define and manage all infrastructure resources as code; it abstracts the underlying infrastructure and is less suitable for fine-grained control over resources like RDS and S3. Option C is wrong because AWS OpsWorks is a configuration management service that uses Chef or Puppet to manage server configurations, but it is not designed to define the entire infrastructure as code in a single template; it focuses on server-level automation rather than infrastructure provisioning and orchestration.

230
MCQmedium

Which AWS service provides a continuous integration/continuous deployment (CI/CD) pipeline that automates the build, test, and deploy phases of application release?

A.AWS CodeBuild
B.AWS CodeDeploy
C.AWS CodePipeline
D.AWS CodeCommit
AnswerC

CodePipeline orchestrates the entire CI/CD workflow, connecting source (CodeCommit/GitHub), build (CodeBuild), test, and deployment (CodeDeploy/CloudFormation) stages into an automated release pipeline.

Why this answer

AWS CodePipeline is a fully managed CI/CD service that orchestrates the build, test, and deploy phases of a release process. It integrates with services like AWS CodeBuild for building and testing, and AWS CodeDeploy for deployment, providing a single pipeline to automate the entire workflow.

Exam trap

The trap here is that candidates often confuse the individual CI/CD component services (CodeBuild, CodeDeploy, CodeCommit) with the orchestration service (CodePipeline) that ties them together, leading them to select a service that only handles one phase of the pipeline.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages, but it does not orchestrate the entire CI/CD pipeline or manage deployment phases. Option B is wrong because AWS CodeDeploy automates code deployments to any instance, including Amazon EC2 and on-premises, but it is only the deploy phase and does not handle build or test automation. Option D is wrong because AWS CodeCommit is a fully managed source control service that hosts Git-based repositories, but it does not provide build, test, or deployment automation.

231
MCQmedium

Which AWS service enables event-driven architectures by acting as a central event bus that routes events from AWS services, SaaS applications, and custom applications to configured targets?

A.Amazon SNS
B.Amazon SQS
C.Amazon EventBridge
D.AWS Step Functions
AnswerC

EventBridge is the serverless event bus for building event-driven architectures, routing events from AWS services, SaaS providers, and custom apps to targets based on declarative rules.

Why this answer

Amazon EventBridge is a serverless event bus that ingests events from AWS services, SaaS partners, and custom applications, then routes them to targets like Lambda, Step Functions, or SQS based on configurable rules. It decouples event producers from consumers, enabling event-driven architectures without polling or custom middleware. This matches the question's description of a central event bus for cross-domain event routing.

Exam trap

The trap here is that candidates confuse Amazon SNS (pub/sub) with an event bus, but SNS lacks rule-based filtering and multi-source event ingestion from SaaS and custom apps, which is the defining feature of EventBridge.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes notifications to subscribers (e.g., email, SMS, HTTP endpoints), but it does not act as a central event bus with rule-based routing from multiple sources like SaaS or custom apps. Option B is wrong because Amazon SQS is a fully managed message queue for decoupling microservices, not an event bus; it stores messages for polling consumers and lacks built-in event routing rules. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating workflows (state machines), not an event bus for routing events from diverse sources to targets.

232
MCQmedium

A company's leadership team wants a structured framework for planning their AWS cloud migration that addresses organisational change management, skills development, governance, platform, security, and operations. Which AWS framework provides guidance across these perspectives?

A.AWS Well-Architected Framework
B.AWS Cloud Adoption Framework (CAF)
C.AWS Migration Hub
D.AWS Trusted Advisor
AnswerB

The AWS CAF provides a structured approach to cloud adoption with six perspectives: Business (value realisation), People (culture and skills), Governance (risk and compliance), Platform (technical infrastructure), Security (protection), and Operations (running and managing cloud services).

Why this answer

The AWS Cloud Adoption Framework (CAF) is specifically designed to guide organizations through their cloud migration journey by providing structured guidance across six core perspectives: Business, People, Governance, Platform, Security, and Operations. This framework directly addresses the leadership team's requirements for organizational change management, skills development, governance, platform, security, and operations, making it the correct choice.

Exam trap

The trap here is that candidates often confuse the AWS Well-Architected Framework (which is about optimizing existing architectures) with the AWS Cloud Adoption Framework (which is about planning and executing the migration journey itself), leading them to select Option A instead of the correct Option B.

How to eliminate wrong answers

Option A is wrong because the AWS Well-Architected Framework focuses on reviewing and improving existing cloud architectures against five pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization), not on providing a structured migration planning framework that includes organizational change management and skills development. Option C is wrong because AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions, but it does not offer guidance on organizational change management, skills development, or governance perspectives. Option D is wrong because AWS Trusted Advisor is an automated tool that inspects your AWS environment and provides recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide a strategic framework for planning cloud migration or addressing organizational change.

233
MCQmedium

A company has multiple AWS accounts managed through AWS Organizations. The finance team wants to set a monthly cost budget of $5,000 for the 'Project Alpha' account. They want to receive an email notification when the actual costs reach 80% of the budget and again when the forecasted costs are expected to exceed the budget. The team also needs to centrally manage these budgets from the management account. Which AWS service should the team use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Organizations
AnswerA

This is correct. AWS Budgets allows you to set custom cost and usage budgets and configure alerts based on actual or forecasted spending. You can centrally manage budgets from the management account when using AWS Organizations.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets, and configure threshold-based alerts via Amazon SNS (email or other notifications). In this scenario, the finance team can create a monthly cost budget of $5,000 for the 'Project Alpha' account, then set an alert at 80% of actual costs and another alert when forecasted costs are expected to exceed the budget. Because the company uses AWS Organizations, budgets can be centrally managed from the management account, enabling the finance team to view and control budgets across member accounts without logging into each one individually.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's forecasting capability with the ability to set proactive alerts, but Cost Explorer only displays forecasts and does not send notifications when forecasted costs exceed a threshold.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because Cost Explorer is a visualization and analysis tool for exploring historical cost data and forecasting future costs, but it does not allow you to set budgets, configure threshold alerts, or send email notifications when cost limits are reached. Option C (AWS Trusted Advisor) is wrong because Trusted Advisor provides best-practice checks and recommendations across cost optimization, performance, security, and fault tolerance, but it does not support creating custom budgets or sending cost-based threshold alerts.

234
MCQmedium

A company has migrated its IT infrastructure to AWS. The company's finance team receives a monthly bill that itemizes charges based on the number of Amazon EC2 instance hours consumed, the amount of Amazon S3 storage used in gigabyte-months, and the total data transferred out to the internet. The cloud provider automatically tracks and reports this usage data for billing purposes. This scenario best demonstrates which essential characteristic of cloud computing?

A.On-demand self-service
B.Broad network access
C.Measured service
D.Resource pooling
AnswerC

Measured service involves the cloud provider automatically monitoring, controlling, and reporting resource usage, providing transparency for billing. The detailed itemized bill based on actual consumption (instance hours, storage, data transfer) is a direct implementation of measured service.

Why this answer

The correct answer is C because the scenario describes a cloud provider automatically tracking and reporting usage data (EC2 instance hours, S3 storage in gigabyte-months, and data transfer) for billing purposes. This is the essence of measured service, where cloud resources are metered and usage is monitored, controlled, and reported transparently. The pay-per-use billing model relies on this characteristic to provide cost visibility and optimization.

Exam trap

The trap here is that candidates often confuse 'measured service' with 'on-demand self-service' because both involve user interaction with the cloud, but measured service specifically focuses on the automated metering and billing of resource usage, not the ability to provision resources without human intervention.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (e.g., launching an EC2 instance or creating an S3 bucket) without requiring human interaction with the provider, not the automated tracking and billing of usage. Option B is wrong because broad network access describes the availability of cloud services over standard network protocols (e.g., HTTPS, SSH) from a wide range of devices (e.g., laptops, smartphones), not the metering and reporting of resource consumption for billing.

235
MCQmedium

A company's compliance team needs to know which AWS resources are not compliant with the company's tagging policy (all resources must have a 'CostCenter' tag). Which AWS service can continuously evaluate and report on this compliance?

A.Amazon CloudWatch
B.AWS Config with the required-tags rule
C.AWS Trusted Advisor
D.AWS CloudTrail
AnswerB

AWS Config continuously evaluates all in-scope resources and the 'required-tags' managed rule flags any resources missing required tags like 'CostCenter', generating non-compliance findings.

Why this answer

AWS Config with the managed 'required-tags' rule can continuously evaluate whether resources have the specified tag (e.g., 'CostCenter') and report non-compliant resources. AWS Config records configuration changes, evaluates them against rules, and provides a compliance dashboard and notifications via Amazon SNS, making it the correct service for ongoing compliance monitoring.

Exam trap

The trap here is that candidates often confuse AWS Config (configuration compliance) with AWS CloudTrail (API auditing) or Amazon CloudWatch (performance monitoring), assuming any 'monitoring' service can handle tag compliance, but only AWS Config provides continuous, rule-based evaluation of resource configurations.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not a configuration compliance evaluator; it cannot check resource tagging policies. Option C is wrong because AWS Trusted Advisor provides best-practice recommendations (e.g., cost optimization, security) but does not perform continuous, customizable compliance evaluations against custom tagging policies. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not evaluate resource configurations or tag compliance in real time.

236
MCQeasy

A company wants to monitor the CPU utilisation of their EC2 instances and automatically send an email alert when utilisation exceeds 80% for more than 5 consecutive minutes. Which AWS service provides this monitoring and alerting capability?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch
D.AWS X-Ray
AnswerC

CloudWatch is the AWS monitoring service. It collects EC2 CPU utilisation metrics, allows you to create alarms with configurable thresholds and evaluation periods, and integrates with SNS to send email notifications when alarms fire.

Why this answer

Amazon CloudWatch is the correct service because it provides both monitoring of EC2 CPU utilization metrics and the ability to create CloudWatch Alarms that trigger actions, such as sending an email via Amazon SNS, when a metric like CPUUtilization exceeds a threshold (e.g., 80%) for a specified number of consecutive evaluation periods (e.g., 5 minutes). This directly fulfills the requirement for monitoring and alerting on CPU utilization.

Exam trap

The trap here is that candidates often confuse CloudTrail (audit logging) with CloudWatch (monitoring), or assume AWS Config can handle performance alerts, when in fact only CloudWatch provides metric-based monitoring and alarm actions.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and governance events, not system-level metrics like CPU utilization; it cannot monitor performance or trigger threshold-based alerts. Option B is wrong because AWS Config evaluates resource configurations against desired policies and tracks configuration changes, but it does not monitor real-time performance metrics or CPU utilization. Option D is wrong because AWS X-Ray is a distributed tracing service for analyzing and debugging application requests and latency, not for monitoring infrastructure metrics like CPU utilization.

237
MCQmedium

A company runs its production web application on a single Amazon EC2 instance located in one Availability Zone. Recently, a power outage in that data center caused the instance to become unavailable, resulting in application downtime. The company wants to redesign the architecture so that the application automatically continues serving users even if a single data center fails, without requiring manual intervention. Which cloud computing concept does this scenario BEST illustrate?

A.Elasticity
B.High availability
C.On-demand self-service
D.Broad network access
AnswerB

High availability refers to systems that are designed to be operational and accessible for a high percentage of time by eliminating single points of failure. Deploying across multiple Availability Zones is a common practice in AWS to achieve high availability.

Why this answer

High availability (B) is the correct concept because the scenario describes designing an architecture that automatically continues serving users even if a single data center (Availability Zone) fails, without manual intervention. This is achieved by deploying the application across multiple Availability Zones, using an Elastic Load Balancer to distribute traffic, and configuring Auto Scaling groups to maintain instance health, ensuring the application remains accessible despite a zonal failure.

Exam trap

The trap here is that candidates confuse high availability with elasticity, mistakenly thinking that automatically adding more instances during a failure is the same as designing for fault tolerance across data centers, whereas elasticity handles scaling based on load, not zonal redundancy.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to maintain service continuity during a data center failure. Option C is wrong because on-demand self-service describes the ability to provision computing resources as needed without human interaction with the provider, which is unrelated to fault tolerance or availability across Availability Zones.

238
MCQeasy

A company wants to create interactive dashboards and charts from data stored in Amazon S3, Amazon RDS, and Amazon Redshift, sharing them with business users across the organisation without managing BI server infrastructure. Which AWS service provides cloud-native business intelligence?

A.Amazon Athena
B.Amazon Redshift
C.Amazon QuickSight
D.Amazon CloudWatch
AnswerC

QuickSight is AWS's managed BI service for creating interactive dashboards and ML-powered insights. It connects to S3, RDS, Redshift, and other sources and shares dashboards with business users at a per-user cost with no server management.

Why this answer

Amazon QuickSight is a cloud-native, serverless business intelligence (BI) service that enables users to create interactive dashboards and visualizations from data sources such as Amazon S3, Amazon RDS, and Amazon Redshift. It requires no BI server infrastructure management, supports SPICE (Super-fast, Parallel, In-memory Calculation Engine) for high-performance data caching, and allows sharing dashboards with business users across an organization via a web browser or mobile app.

Exam trap

The trap here is that candidates confuse query engines (Athena) or data warehouses (Redshift) with full BI services, overlooking that QuickSight is the only AWS service purpose-built for serverless interactive dashboards and sharing with business users.

How to eliminate wrong answers

Option A is wrong because Amazon Athena is an interactive query service that uses standard SQL to analyze data directly in Amazon S3, but it does not provide BI dashboarding, charting, or sharing capabilities—it is a query engine, not a BI tool. Option B is wrong because Amazon Redshift is a cloud data warehouse optimized for large-scale analytics and SQL-based querying, but it does not natively create interactive dashboards or charts; it requires a separate BI tool like QuickSight for visualization. Option D is wrong because Amazon CloudWatch is a monitoring and observability service for AWS resources and applications, designed for metrics, logs, and alarms, not for business intelligence dashboards or ad-hoc analysis of business data from S3, RDS, or Redshift.

239
MCQmedium

Which AWS service provides a concierge-like experience for navigating AWS services and finding the right resources, primarily available to Enterprise Support customers?

A.AWS IQ
B.AWS Support Concierge (Account Team)
C.AWS Marketplace
D.AWS re:Post
AnswerB

Enterprise Support includes a dedicated account team (concierge) providing billing support and account management, plus a TAM for technical guidance.

Why this answer

AWS Support Concierge (Account Team) is a dedicated service provided to Enterprise Support customers that offers a concierge-like experience for navigating AWS services and finding the right resources. It acts as a single point of contact for account-level inquiries, such as billing, account management, and service limit increases, rather than providing technical troubleshooting.

Exam trap

The trap here is that candidates often confuse AWS Support Concierge with AWS IQ or AWS re:Post, assuming any 'concierge' or 'help' feature is community-based or project-based, rather than recognizing it as an exclusive Enterprise Support benefit.

How to eliminate wrong answers

Option A is wrong because AWS IQ is a marketplace for finding and hiring AWS-certified third-party experts for project-based assistance, not a concierge service for navigating AWS services. Option C is wrong because AWS Marketplace is a digital catalog of third-party software and services that can be purchased and deployed on AWS, not a support or concierge function. Option D is wrong because AWS re:Post is a community-driven Q&A service where users can ask and answer questions about AWS, but it does not provide a dedicated, personalized concierge experience.

240
MCQmedium

Which AWS service provides a private connection from an on-premises network to AWS that bypasses the public internet and provides consistent network performance?

A.AWS Site-to-Site VPN
B.Amazon CloudFront
C.AWS Direct Connect
D.AWS Transit Gateway
AnswerC

Direct Connect provides dedicated private network connections to AWS, bypassing the internet for consistent performance, lower latency, and reduced data transfer costs.

Why this answer

AWS Direct Connect is the correct answer because it provides a dedicated, private network connection from an on-premises data center to AWS, completely bypassing the public internet. This ensures consistent network performance, lower latency, and higher bandwidth, as the connection is established through a standard 1 Gbps or 10 Gbps Ethernet fiber-optic cable linked to an AWS Direct Connect location.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN (which also connects on-premises to AWS) with a private connection, but VPN still traverses the public internet and cannot guarantee consistent performance, whereas Direct Connect is the only option that physically bypasses the internet.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN uses the public internet to create an encrypted tunnel (IPsec), which introduces variable latency and potential bandwidth fluctuations due to internet congestion, so it does not bypass the public internet nor guarantee consistent performance. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations to accelerate delivery over the internet; it does not provide a private connection from an on-premises network to AWS. Option D is wrong because AWS Transit Gateway is a network transit hub that connects VPCs and on-premises networks, but it requires an underlying connection method (such as VPN or Direct Connect) to actually reach the on-premises network; it does not itself provide a private, internet-bypassing link.

241
MCQmedium

A company is refactoring its legacy application into a microservices architecture using Docker containers. The operations team wants to deploy and manage these containers on AWS without the need to provision, patch, or manage the underlying servers. The solution must automatically scale containers based on demand and integrate with services like Application Load Balancer and Amazon RDS. Which AWS compute service should the company use?

A.Amazon ECS with Amazon EC2 launch type
B.Amazon ECS with AWS Fargate launch type
C.AWS Lambda
D.Amazon EC2 instances with Docker installed
AnswerB

AWS Fargate is a serverless compute engine for containers. It automatically provisions and scales the underlying infrastructure, so the team does not have to manage servers. It integrates with ECS, ALB, RDS, and other AWS services.

Why this answer

Amazon ECS with AWS Fargate launch type is the correct choice because it is a serverless compute engine for containers that eliminates the need to provision, patch, or manage underlying servers. Fargate automatically scales containers based on demand and integrates natively with services like Application Load Balancer and Amazon RDS, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse the EC2 launch type (which still requires server management) with Fargate (which is serverless), or mistakenly think AWS Lambda can run Docker containers as a full microservice platform, ignoring its execution time and invocation model limitations.

How to eliminate wrong answers

Option A is wrong because Amazon ECS with the Amazon EC2 launch type requires the operations team to provision, patch, and manage the underlying EC2 instances, which contradicts the requirement to avoid server management. Option C is wrong because AWS Lambda is designed for event-driven, short-running functions (max 15-minute execution time) and is not suitable for running Docker containers as a general-purpose microservices platform; it also lacks native integration with Application Load Balancer for container-based traffic routing.

242
MCQmedium

Which AWS networking feature prevents resources in a private subnet from directly receiving inbound connections from the internet, while still allowing them to initiate outbound connections?

A.Internet Gateway
B.NAT Gateway
C.Security Groups
D.Network ACLs
AnswerB

NAT Gateway in a public subnet allows private subnet instances to initiate outbound internet connections while dropping all unsolicited inbound connections — one-way internet access for private resources.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It achieves this by translating the private IP of the instance to the NAT Gateway's Elastic IP for outbound traffic, and only forwarding return traffic that matches an established outbound session.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, assuming both provide internet access, but the key distinction is that an Internet Gateway allows bidirectional inbound connections, while a NAT Gateway specifically prevents unsolicited inbound connections from the internet.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway allows both inbound and outbound traffic directly from the internet to instances in a public subnet, and does not prevent unsolicited inbound connections. Option C is wrong because Security Groups act as a stateful virtual firewall at the instance level, but they do not provide the network address translation needed to allow outbound-only internet access from a private subnet; they can filter traffic but cannot enable internet connectivity without a routing path. Option D is wrong because Network ACLs are stateless subnet-level traffic filters that can block or allow traffic based on rules, but they do not provide outbound-only internet connectivity or address translation for private subnets.

243
MCQmedium

A developer at a company is working on a new feature. The developer needs a test server running a specific version of Linux with certain software pre-installed. Without waiting for approval from the IT team or filling out a request form, the developer logs into the AWS Management Console, chooses an Amazon EC2 instance type, configures the security group, and launches the instance. The instance is fully operational within minutes. Which essential characteristic of cloud computing does this scenario best illustrate?

A.Rapid elasticity
B.On-demand self-service
C.Resource pooling
D.Measured service
AnswerB

Correct. On-demand self-service means a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. The developer's ability to launch an instance without IT approval is a clear example.

Why this answer

The scenario describes a developer provisioning an EC2 instance directly through the AWS Management Console without any human interaction with the IT team. This is the defining characteristic of on-demand self-service, where a customer can provision computing resources as needed automatically without requiring human interaction with each service provider. The ability to configure the instance type, security group, and launch it in minutes without a request form or approval chain directly maps to this essential cloud characteristic.

Exam trap

The trap here is that candidates confuse 'rapid elasticity' with the speed of provisioning a single resource; rapid elasticity is about automatically scaling resources up and down based on demand, not just the speed of launching one instance, whereas on-demand self-service specifically addresses the lack of human interaction required to provision resources.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down quickly in response to demand, such as using Auto Scaling groups to add or remove EC2 instances based on CPU utilization; the scenario does not involve any scaling or dynamic adjustment of resources. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are pooled to serve multiple customers, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand; the developer's single-instance launch does not illustrate this multi-tenant pooling concept. Option D is wrong because measured service means cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth); the scenario does not mention any monitoring, metering, or billing aspects.

244
MCQmedium

Which AWS service provides a fully managed virtual desktop infrastructure (VDI) that allows users to access Windows or Linux desktops from any device?

A.Amazon AppStream 2.0
B.AWS Client VPN
C.Amazon WorkSpaces
D.Amazon EC2 with Remote Desktop Protocol
AnswerC

WorkSpaces provides fully managed persistent virtual desktops (Windows/Linux) as a service, accessible from any device, with AWS managing all underlying infrastructure.

Why this answer

Amazon WorkSpaces is a fully managed, secure virtual desktop infrastructure (VDI) service that provisions either Windows or Linux desktops. Users can access their persistent desktops from any supported device (e.g., PC, Mac, iPad, Chromebook) using the WorkSpaces client application or a web browser, without needing to manage the underlying EC2 instances or operating system.

Exam trap

The trap here is confusing Amazon WorkSpaces (full managed desktop VDI) with Amazon AppStream 2.0 (application streaming), as both involve streaming but serve fundamentally different use cases—one provides a complete desktop OS, the other only streams individual applications.

How to eliminate wrong answers

Option A is wrong because Amazon AppStream 2.0 is a fully managed non-persistent application streaming service that delivers individual applications to a user's browser or device, not a full virtual desktop with a persistent operating system environment. Option B is wrong because AWS Client VPN is a managed OpenVPN-based service that provides secure remote access to AWS or on-premises networks, not a virtual desktop infrastructure. Option D is wrong because Amazon EC2 with Remote Desktop Protocol (RDP) requires manual configuration, patching, and management of the EC2 instance, OS, and RDP settings, and is not a fully managed VDI service like WorkSpaces.

245
MCQmedium

A company uses Amazon RDS to run their production database. Under the AWS Shared Responsibility Model, who is responsible for patching the underlying database engine software?

A.The customer, because they chose to run a relational database
B.AWS, because RDS is a managed service that abstracts OS and engine management
C.A shared responsibility where AWS and the customer each patch different components
D.A third-party DBA contracted by the customer
AnswerB

RDS is a managed database service. AWS is responsible for patching the database engine (MySQL, PostgreSQL, etc.), the underlying OS, and the hardware. This is why RDS sits on the 'AWS manages' side for engine patching, unlike a self-managed DB on EC2.

Why this answer

Amazon RDS is a fully managed database service that automates the patching of the underlying database engine software. Under the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud, which includes managing the host operating system and the database engine patches. The customer is responsible for data, access management, and application-level security, not the engine software patching.

Exam trap

The trap here is that candidates often confuse the customer's responsibility for managing database configuration (e.g., parameter groups, backups) with the engine patching, leading them to incorrectly select option A or C, when in fact AWS handles all underlying infrastructure and engine software patching in RDS.

How to eliminate wrong answers

Option A is wrong because the customer's choice to run a relational database does not shift the responsibility for patching the database engine to them; AWS manages the engine as part of the RDS managed service. Option C is wrong because patching the database engine is not a shared responsibility; AWS handles it entirely, while the customer is responsible for tasks like managing database parameters and backups. Option D is wrong because a third-party DBA contracted by the customer would not be responsible for patching the RDS engine; AWS retains that responsibility as the service provider.

246
MCQmedium

A company plans to deploy a multi-tier web application on AWS. The architecture includes Amazon EC2 instances for the web and application tiers, an Application Load Balancer for traffic distribution, and an Amazon RDS database for the data tier. The company wants to automate the provisioning and configuration of all these AWS resources in a repeatable and predictable manner. The solution should allow the infrastructure definition to be stored in a version control system and be used to create identical environments for development, testing, and production with minimal manual effort. Which AWS service should the company use to define and manage the infrastructure as code?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerA

Correct. AWS CloudFormation lets you define your entire infrastructure as code in templates, enabling repeatable and version-controlled provisioning of resources like EC2, ALB, and RDS.

Why this answer

AWS CloudFormation is the correct service because it enables you to define your entire multi-tier infrastructure—EC2 instances, Application Load Balancer, and RDS database—as a declarative JSON or YAML template. This template can be stored in a version control system and used to provision identical environments across development, testing, and production with a single API call, ensuring repeatability and predictability.

Exam trap

The trap here is that candidates confuse AWS Elastic Beanstalk's ease-of-use with infrastructure-as-code, but Elastic Beanstalk manages the environment as a black box and does not allow you to version-control the individual resource definitions in a reusable template like CloudFormation does.

How to eliminate wrong answers

Option B is wrong because AWS Elastic Beanstalk is a Platform-as-a-Service (PaaS) that abstracts away the underlying infrastructure; it does not give you direct control over individual resources like EC2 or RDS in a version-controlled template, and it is designed for application deployment rather than granular infrastructure-as-code management. Option C is wrong because AWS OpsWorks is a configuration management service based on Chef and Puppet, which focuses on server configuration and automation of operating system tasks, not on defining and provisioning the full set of AWS resources (like the ALB and RDS) in a declarative, version-controlled template.

247
MCQmedium

A company's AWS bill has increased significantly. The finance team wants to implement cost governance best practices. Which action represents a foundational cost governance control?

A.Delete all non-production resources immediately
B.Implement a tagging strategy and enforce tags with AWS Config rules
C.Switch all resources to Spot Instances
D.Enable all AWS services to trigger CloudWatch alarms
AnswerB

Tagging provides cost attribution by team/project/environment — the foundation for governance. Config rules enforce tagging compliance so resources can always be traced to a business owner.

Why this answer

Implementing a tagging strategy and enforcing tags with AWS Config rules is a foundational cost governance control because it enables cost allocation, tracking, and accountability. Tags allow the finance team to categorize resources by project, environment, or cost center, and AWS Config rules can automatically enforce tag compliance, preventing untagged resources from being launched. This directly supports cost governance by providing visibility and control over spending, which is the first step in optimizing costs.

Exam trap

The trap here is that candidates may confuse cost-saving mechanisms (like Spot Instances or deleting resources) with cost governance controls, which are about establishing policies and visibility (like tagging and enforcement) rather than immediate cost reduction actions.

How to eliminate wrong answers

Option A is wrong because deleting all non-production resources immediately is an aggressive, non-strategic action that can disrupt development and testing workflows; it does not establish a governance framework and may cause data loss or business impact. Option C is wrong because switching all resources to Spot Instances is not a governance control; Spot Instances are a cost-saving mechanism but are not suitable for all workloads (e.g., stateful or time-critical applications) and can be terminated by AWS with short notice, leading to potential service disruption. Option D is wrong because enabling all AWS services to trigger CloudWatch alarms would generate excessive, noisy alerts without a defined cost governance policy; alarms are monitoring tools, not governance controls, and do not enforce cost allocation or accountability.

248
MCQmedium

A company manages user access to AWS resources using IAM users. The security team wants to automatically detect if an IAM user's access key is being used from a geographic location that is unusual for that user, which could indicate a compromised credential. The team needs a managed threat detection service that monitors API activity and raises alerts for such anomalies. Which AWS service should the security team use?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Trusted Advisor
D.Amazon Inspector
AnswerB

Amazon GuardDuty is the correct choice. It is a managed threat detection service that uses machine learning, anomaly detection, and threat intelligence feeds to monitor for unusual API activity, including compromised credentials and access from suspicious locations. GuardDuty raises findings that can be sent to AWS Security Hub or Amazon EventBridge for automated response.

Why this answer

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS API activity, including IAM user access key usage, and uses machine learning to establish baseline behavior. When it detects access from an unusual geographic location, it generates a finding alerting the security team to a potentially compromised credential. This directly meets the requirement for automated anomaly detection without manual configuration.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, not realizing that CloudTrail only records events and requires an additional service like GuardDuty to analyze and alert on anomalies.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a service that records API activity for auditing and compliance, but it does not analyze or detect anomalies in real-time; it requires additional services or custom logic to identify unusual geographic access. Option C is wrong because AWS Trusted Advisor provides best-practice checks for cost optimization, performance, security, and fault tolerance, but it does not monitor IAM user access key usage or detect geographic anomalies in API activity.

249
MCQmedium

A company is building a microservices application on AWS. The application consists of multiple independent services that need to communicate asynchronously. When an order is placed, the order service must send a notification to the inventory service, the shipping service, and the analytics service simultaneously. The company wants a fully managed, durable, and scalable messaging service that supports a fan-out pattern where a single message can be delivered to multiple subscribers. Which AWS service should the company use to meet these requirements?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerB

Amazon SNS is a fully managed pub/sub messaging service that supports the fan-out pattern. It can send a single message to multiple subscribers, including other AWS services like Lambda, SQS, and HTTP/S endpoints, making it the ideal choice for this requirement.

Why this answer

Amazon Simple Notification Service (SNS) is a fully managed pub/sub messaging service that supports fan-out, where a single message published to a topic is delivered to multiple subscribers (e.g., SQS queues, Lambda functions, HTTP endpoints) simultaneously. It is durable (persists messages across AZs) and scales automatically to handle high throughput, making it ideal for the asynchronous notification requirements of the order, inventory, shipping, and analytics services.

Exam trap

The trap here is that candidates often confuse SQS (point-to-point queuing) with SNS (pub/sub fan-out), mistakenly thinking SQS can deliver to multiple consumers by using multiple queues, but SNS is the correct service for simultaneous, multi-subscriber delivery without polling.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a queue-based service designed for point-to-point message delivery between a single producer and a single consumer; it does not natively support fan-out to multiple subscribers. Option C is wrong because Amazon Kinesis Data Streams is a real-time streaming service optimized for ingesting and processing large volumes of data in order (e.g., log analytics), not for pub/sub fan-out messaging with simultaneous delivery to multiple independent services.

250
MCQmedium

A company needs to transfer petabytes of data from an on-premises data center to Amazon S3. The network connection is too slow for online transfer and the data must arrive within two weeks. Which AWS service is most appropriate?

A.AWS DataSync
B.AWS Direct Connect
C.AWS Snowball Edge
D.Amazon S3 Transfer Acceleration
AnswerC

Snowball Edge ships physical storage devices to the customer, data is loaded offline, and devices are returned to AWS for import — ideal for petabyte-scale migrations.

Why this answer

AWS Snowball Edge is the most appropriate service because it provides physical storage devices that can be shipped to the on-premises data center, allowing petabyte-scale data to be loaded locally and shipped back to AWS, bypassing slow network connections entirely. This meets the two-week deadline since network transfer would be infeasible at that scale over a slow link.

Exam trap

The trap here is that candidates often choose AWS DataSync or S3 Transfer Acceleration because they focus on 'fast transfer' without recognizing that physical shipment is the only viable method when the network is too slow for petabyte-scale data within a strict deadline.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is an online data transfer service that relies on network connectivity, making it unsuitable when the network is too slow for petabyte-scale transfers within two weeks. Option B is wrong because AWS Direct Connect establishes a dedicated network connection but still depends on the available bandwidth, which cannot overcome a fundamentally slow or congested link for such large data volumes. Option D is wrong because Amazon S3 Transfer Acceleration uses optimized network paths and edge locations but still requires an internet-based transfer, which would be too slow for petabytes of data over a constrained connection.

251
MCQmedium

A company uses AWS CloudFormation to define and manage its production infrastructure as code. The operations team wants to ensure that any proposed changes to the stack are reviewed and explicitly approved before being applied. Which AWS CloudFormation feature should the company use?

A.AWS CloudFormation StackSets
B.AWS CloudFormation Change Sets
C.AWS CloudFormation Drift Detection
D.AWS CloudFormation Stack Policies
AnswerB

Correct. Change Sets allow you to examine how proposed changes to a stack will impact your running resources before you decide to apply them, providing a mechanism for review and approval.

Why this answer

AWS CloudFormation Change Sets allow you to preview how proposed changes to a stack will impact your running resources before you apply them. This enables the operations team to review and explicitly approve changes, ensuring that modifications are not applied automatically without oversight.

Exam trap

The trap here is that candidates often confuse Change Sets with Stack Policies, thinking that policies can enforce approval workflows, but Stack Policies only restrict updates to specific resources, not provide a review-and-approve mechanism.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets are used to deploy stacks across multiple accounts and regions, not to review or approve changes to a single stack. Option C is wrong because AWS CloudFormation Drift Detection identifies whether a stack's actual resources have deviated from the template definition, but it does not control or approve proposed changes. Option D is wrong because AWS CloudFormation Stack Policies prevent updates to specific resources during a stack update, but they do not provide a mechanism to review and approve changes before they are applied.

252
MCQeasy

A startup's development team wants to deploy their Node.js web application to AWS without learning about load balancers, auto scaling, or EC2 configuration. They want to simply upload their application code and have AWS handle everything else. Which AWS service is designed for this use case?

A.Amazon EC2 Auto Scaling
B.AWS CloudFormation
C.Amazon ECS
D.AWS Elastic Beanstalk
AnswerD

Elastic Beanstalk is specifically designed for developers who want to deploy applications without managing infrastructure. Upload the code, and Elastic Beanstalk handles load balancing, auto scaling, and health monitoring automatically.

Why this answer

AWS Elastic Beanstalk is the correct service because it is a Platform as a Service (PaaS) offering that automatically handles capacity provisioning, load balancing, auto scaling, and application health monitoring. The development team can simply upload their Node.js application code, and Elastic Beanstalk deploys it on pre-configured EC2 instances without requiring any manual configuration of infrastructure components.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with Amazon ECS or EC2 Auto Scaling, mistakenly thinking that container orchestration or raw scaling services provide the same 'upload and go' abstraction, but only Elastic Beanstalk fully automates the entire deployment pipeline from code to running application without requiring infrastructure expertise.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling is a scaling service that automatically adjusts the number of EC2 instances based on demand, but it does not deploy application code or manage the underlying infrastructure; it requires manual setup of launch configurations and scaling policies. Option B is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service that provisions AWS resources using templates, but it does not automatically deploy or manage application code; it requires the team to define and manage all resources themselves. Option C is wrong because Amazon ECS is a container orchestration service that requires the team to create a cluster, define task definitions, and manage Docker containers; it does not abstract away EC2 configuration or load balancer setup for a simple code upload.

253
MCQmedium

A financial services company maintains a legacy on-premises database for sensitive customer data that must remain in a physically controlled environment due to regulatory requirements. The company runs its customer-facing web application on AWS to benefit from scalability and global reach. A dedicated encrypted VPN connection securely links the on-premises environment with the AWS cloud. Which cloud deployment model does this scenario BEST represent?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Community cloud
AnswerC

Correct. The company combines on-premises infrastructure with AWS public cloud, connected via a VPN. This is the definition of a hybrid cloud deployment model.

Why this answer

This scenario best represents a hybrid cloud because it combines on-premises infrastructure (the legacy database) with public cloud resources (AWS) connected via a dedicated encrypted VPN. The hybrid cloud model allows the company to keep sensitive data in a physically controlled environment while leveraging AWS's scalability for the customer-facing web application.

Exam trap

The trap here is that candidates might confuse a hybrid cloud with a public cloud because the web application runs on AWS, but the key differentiator is the integration with on-premises infrastructure for regulatory compliance.

How to eliminate wrong answers

Option A is wrong because a public cloud model would have all resources, including the sensitive database, hosted on the cloud provider's infrastructure, which does not meet the regulatory requirement for physical control. Option B is wrong because a private cloud model would have all resources dedicated to a single organization, but here the customer-facing web application runs on AWS, which is a public cloud provider, not a private cloud. Option D is wrong because a community cloud is shared by several organizations with common concerns (e.g., compliance), but this scenario involves only one company using its own on-premises and AWS resources, not a multi-tenant community.

254
MCQmedium

A company runs a critical application on Amazon EC2 instances in a specific Availability Zone. The operations team wants to be notified immediately if AWS experiences a service disruption that could affect their instances. They also want a personalized view of the impact of AWS service events on their specific AWS resources. Which AWS tool should they use?

A.AWS Trusted Advisor
B.AWS Personal Health Dashboard
C.AWS Service Health Dashboard
D.AWS CloudTrail
AnswerB

This tool delivers a personalized view of AWS service events that impact your account and resources. It can send immediate notifications via Amazon EventBridge, SNS, or email, and provides a dashboard specific to your resources.

Why this answer

AWS Personal Health Dashboard (AWS Health) provides a personalized view of the impact of AWS service events on your specific AWS resources and subscriptions. It delivers alerts and remediation guidance when AWS experiences issues that may affect your EC2 instances in a particular Availability Zone, enabling immediate notification and a tailored impact assessment.

Exam trap

The trap here is confusing the global, non-personalized AWS Service Health Dashboard (which shows broad service status) with the account-specific AWS Personal Health Dashboard (which provides tailored alerts for your resources).

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide real-time notifications about AWS service disruptions or personalized impact views of ongoing events. Option C is wrong because AWS Service Health Dashboard shows the general status of all AWS services across all regions, but it is not personalized to your specific resources or accounts, and it does not provide targeted alerts for how an event affects your EC2 instances in a particular Availability Zone.

255
MCQeasy

A company needs to verify the identity of users who call into their contact center by comparing their voice against a stored voiceprint. Which AWS service provides speaker identification from voice data?

A.Amazon Transcribe
B.Amazon Rekognition
C.Amazon Connect Voice ID
D.Amazon Lex
AnswerC

Connect Voice ID uses ML to authenticate callers based on their unique voice characteristics, comparing against enrolled voiceprints in real-time during contact center calls.

Why this answer

Amazon Connect Voice ID is the correct AWS service for real-time speaker identification and verification using voice biometrics. It compares a caller's live voice against a stored voiceprint to authenticate their identity, specifically designed for contact center use cases within Amazon Connect.

Exam trap

The trap here is that candidates confuse Amazon Transcribe (speech-to-text) with speaker identification, or assume Amazon Rekognition can handle audio, when in fact Rekognition is strictly for visual media (images and video).

How to eliminate wrong answers

Option A is wrong because Amazon Transcribe is a speech-to-text service that converts audio to text, not a speaker identification service. Option B is wrong because Amazon Rekognition analyzes images and videos for faces, objects, and text, not voice data. Option D is wrong because Amazon Lex is a service for building conversational interfaces (chatbots and IVR) using natural language understanding, not for voice biometric verification.

256
MCQmedium

A data engineering team processes petabytes of raw log data using Apache Spark and Hadoop frameworks. They need a managed AWS service that provisions the cluster, installs the big data frameworks, and terminates the cluster after the job completes to minimise cost. Which service should they use?

A.Amazon Redshift
B.AWS Glue
C.Amazon EMR
D.Amazon Athena
AnswerC

EMR is AWS's managed big data service that provisions and configures Hadoop, Spark, Hive, and other frameworks. It supports transient clusters that terminate after job completion, minimising cost for batch processing workflows.

Why this answer

Amazon EMR is the correct choice because it is a managed big data platform that can provision Apache Spark and Hadoop clusters, install the required frameworks, and automatically terminate the cluster upon job completion using features like transient clusters and step-based lifecycle management. This minimizes cost by only paying for compute resources during active processing.

Exam trap

The trap here is that candidates confuse AWS Glue's use of Apache Spark with the ability to run custom Hadoop/Spark jobs on petabyte-scale data, but Glue is serverless and lacks the cluster management and framework installation capabilities required for this use case.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for SQL-based analytics and structured data, not for running Apache Spark or Hadoop jobs on raw log data. Option B is wrong because AWS Glue is a serverless ETL service that uses Apache Spark under the hood but does not provision or manage Hadoop clusters; it is designed for smaller-scale, event-driven data transformation, not for petabyte-scale raw log processing with custom Hadoop frameworks. Option D is wrong because Amazon Athena is a serverless interactive query service that runs SQL directly on data in S3, not a cluster-based big data framework for running Spark or Hadoop jobs.

257
MCQmedium

A company has employees in field offices who need to manage AWS resources (e.g., launch EC2 instances, upload files to S3) using a web browser on their company-issued laptops. The laptops connect to the internet via public Wi-Fi or cellular hotspots. The employees do not have any VPN or direct corporate network connection. They can successfully access the AWS Management Console and perform all actions over standard HTTPS ports. Which essential characteristic of cloud computing does this scenario primarily demonstrate?

A.Resource pooling
B.Broad network access
C.Measured service
D.Rapid elasticity
AnswerB

Broad network access means cloud capabilities are available over the network and accessed through standard mechanisms (e.g., web browsers, HTTPS) from a variety of client devices. This scenario directly demonstrates this characteristic: employees use laptops and public internet connectivity to reach the AWS Management Console without requiring a VPN or dedicated network.

Why this answer

This scenario demonstrates broad network access because the employees can access and manage AWS resources from anywhere using standard web browsers over HTTPS (port 443) on public Wi-Fi or cellular hotspots, without requiring a VPN or dedicated corporate network. Broad network access means that cloud resources are available over the network through standard mechanisms (e.g., web browsers, REST APIs) from heterogeneous client platforms (laptops, phones, tablets). The ability to perform all actions via the AWS Management Console over HTTPS directly illustrates this characteristic.

Exam trap

The trap here is that candidates may confuse 'broad network access' with 'resource pooling' because both involve network connectivity, but broad network access specifically addresses the ability to access services from diverse locations and devices over standard protocols, not the sharing of underlying infrastructure among multiple customers.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's ability to serve multiple customers from shared physical and virtual resources, dynamically assigning them based on demand; the scenario does not describe multi-tenancy or resource sharing among customers. Option C is wrong because measured service involves metering and monitoring resource usage (e.g., CPU hours, storage GB) for billing and optimization; the scenario focuses on access methods, not usage tracking or pay-per-use billing.

258
MCQeasy

A company needs to implement DevOps practices and wants a fully managed service to store their application source code with version control. Which AWS service provides managed Git repositories?

A.AWS CodeBuild
B.AWS CodeCommit
C.AWS CodeDeploy
D.AWS CodeArtifact
AnswerB

CodeCommit provides managed, private Git repositories with IAM-based access control, encryption, and integration with the AWS developer tools ecosystem.

Why this answer

AWS CodeCommit is a fully managed source control service that hosts secure Git-based repositories. It eliminates the need to operate your own source control system by providing managed Git repositories that integrate with other AWS services, making it the correct choice for storing application source code with version control.

Exam trap

The trap here is that candidates often confuse AWS CodeCommit with AWS CodeBuild or CodeDeploy because all three are part of the AWS Developer Tools suite, but only CodeCommit provides managed Git repositories for version control.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages, not a Git repository hosting service. Option C is wrong because AWS CodeDeploy is a service that automates code deployments to any instance, including Amazon EC2 and on-premises, and does not provide version-controlled source code storage. Option D is wrong because AWS CodeArtifact is a fully managed artifact repository service for storing and retrieving software packages (e.g., Maven, npm, PyPI), not Git repositories.

259
MCQmedium

A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?

A.AWS Key Management Service (AWS KMS)
B.AWS Secrets Manager
C.AWS Systems Manager Parameter Store
D.AWS Certificate Manager (ACM)
AnswerB

AWS Secrets Manager is the correct service because it stores database credentials securely, allows retrieval via API calls, and can automatically rotate credentials for supported services like Amazon RDS on a defined schedule (e.g., every 90 days).

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials (including for Amazon RDS) on a schedule. It allows the application to fetch credentials at runtime via API calls, eliminating hardcoded secrets, and supports native rotation every 90 days without custom code.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is explicitly required in the question.

How to eliminate wrong answers

Option A (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database credentials. Option C (AWS Systems Manager Parameter Store) is wrong because while it can securely store parameters, it does not provide built-in automatic rotation of secrets; rotation would require custom AWS Lambda functions and additional setup. Option D (AWS Certificate Manager) is wrong because it manages SSL/TLS certificates for network encryption, not database credentials or secret rotation.

260
MCQmedium

Which AWS support feature provides a dedicated technical contact who provides proactive guidance, acts as an advocate for the customer, and helps with architectural reviews?

A.AWS Solutions Architect
B.Technical Account Manager (TAM)
C.AWS IQ Expert
D.AWS Support Engineer
AnswerB

TAMs (included with Enterprise Support) are dedicated AWS advocates who provide proactive guidance, architectural reviews, and coordinate AWS support resources for their customers.

Why this answer

The Technical Account Manager (TAM) is the correct answer because it is a dedicated AWS support resource, available only with the Enterprise Support plan, that provides proactive guidance, acts as a customer advocate, and conducts architectural reviews. Unlike other support roles, the TAM is assigned to a specific customer to help optimize their AWS environment, coordinate with AWS teams, and ensure the customer gets the most value from their investment.

Exam trap

The trap here is that candidates often confuse the proactive, dedicated role of a TAM with the reactive, ticket-based support provided by an AWS Support Engineer, or mistakenly think an AWS Solutions Architect is a support contact rather than a design consultant.

How to eliminate wrong answers

Option A is wrong because an AWS Solutions Architect is a role focused on designing and recommending cloud architectures, but they are not a dedicated support contact assigned to a specific customer for ongoing proactive guidance and advocacy. Option C is wrong because an AWS IQ Expert is a third-party consultant hired on-demand for specific projects via the AWS IQ marketplace, not a dedicated, ongoing technical contact from AWS. Option D is wrong because an AWS Support Engineer provides reactive technical support for specific issues or tickets, but does not offer proactive guidance, act as a dedicated advocate, or perform regular architectural reviews.

261
MCQmedium

A company wants to provide a virtual contact center for their customer service operations without managing any telephony infrastructure. Which AWS service enables this?

A.Amazon Chime SDK
B.Amazon Connect
C.Amazon Pinpoint
D.Amazon SES
AnswerB

Amazon Connect is a managed cloud contact center that provides telephony, IVR, agent interfaces, and analytics without infrastructure management.

Why this answer

Amazon Connect is a cloud-based contact center service that enables organizations to set up a virtual contact center without managing any underlying telephony infrastructure. It provides built-in telephony, IVR, and agent management, allowing customer service operations to scale on demand without the need for physical PBX or SIP trunking.

Exam trap

The trap here is that candidates may confuse Amazon Chime SDK (a communication API) with a full contact center service, but Amazon Connect is the only AWS service designed specifically for virtual contact centers with built-in telephony management.

How to eliminate wrong answers

Option A is wrong because Amazon Chime SDK is used for embedding real-time audio/video communication into custom applications, not for building a full contact center with telephony infrastructure management. Option C is wrong because Amazon Pinpoint is a marketing and engagement service for sending targeted push notifications, emails, and SMS campaigns, not a contact center solution. Option D is wrong because Amazon SES is a transactional email sending service, not a telephony-based contact center platform.

262
MCQeasy

A media company stores frequently accessed video thumbnails in Amazon S3. The thumbnails are read multiple times every day and must be highly available and durable. Which S3 storage class is most appropriate for this workload?

A.S3 One Zone-IA
B.S3 Glacier Flexible Retrieval
C.S3 Standard
D.S3 Standard-IA
AnswerC

S3 Standard is designed for frequently accessed data with high durability across three AZs and high availability. It provides immediate access with low latency — perfect for frequently read video thumbnails.

Why this answer

S3 Standard is the most appropriate storage class because it offers high durability (99.999999999%) and high availability (99.99%) with low-latency access, making it ideal for frequently accessed, critical data like video thumbnails that are read multiple times daily. It provides automatic replication across a minimum of three Availability Zones, ensuring both high availability and durability without retrieval fees or minimum storage duration penalties.

Exam trap

The trap here is that candidates often choose S3 Standard-IA thinking it saves costs for any infrequently accessed data, but they overlook the per-GB retrieval fee and minimum storage duration that make it more expensive than S3 Standard for data read multiple times daily.

How to eliminate wrong answers

Option A is wrong because S3 One Zone-IA stores data in a single Availability Zone, which does not provide the high availability required for this workload; if that AZ fails, the thumbnails become unavailable. Option B is wrong because S3 Glacier Flexible Retrieval is designed for long-term archival data with retrieval times ranging from minutes to hours, not for frequently accessed thumbnails that require immediate, low-latency access. Option D is wrong because S3 Standard-IA, while durable and cost-effective for infrequently accessed data, incurs a per-GB retrieval fee and a minimum 30-day storage charge, making it more expensive and less suitable for data read multiple times every day.

263
MCQmedium

A company runs several applications in a single AWS account. Each application belongs to a different project (Project Alpha, Project Beta, Project Gamma). The company has already applied tags with the key "Project" and the corresponding project name to all AWS resources used by each project. The finance team wants to use AWS Cost Explorer to view and filter monthly costs by project. However, after tagging all resources, the "Project" tag does not appear as a filter option in Cost Explorer. What must the finance team do to make the "Project" tag available for cost filtering in Cost Explorer?

A.Create a new AWS Budget with a cost filter for the "Project" tag.
B.Activate the "Project" cost allocation tag in the Billing and Cost Management console.
C.Enable the AWS Cost and Usage Reports for the account.
D.Create a custom cost category with a rule that uses the "Project" tag.
AnswerB

Correct. Activating the cost allocation tag in the Billing and Cost Management console makes the tag available for filtering in Cost Explorer and for inclusion in cost reports. This is the required step after applying tags to resources.

Why this answer

The 'Project' tag does not appear in Cost Explorer because AWS does not automatically activate user-defined tags for cost tracking. The finance team must manually activate the 'Project' cost allocation tag in the Billing and Cost Management console under 'Cost Allocation Tags'. Once activated, AWS will process the tag data and make it available as a filter in Cost Explorer within 24 hours.

Exam trap

The trap here is that candidates assume all applied tags are automatically available for cost filtering, but AWS requires a separate activation step for user-defined cost allocation tags in the Billing console.

How to eliminate wrong answers

Option A is wrong because AWS Budgets are used to set spending thresholds and alerts, not to activate tags for cost filtering; budgets can use existing cost allocation tags but cannot make them appear in Cost Explorer. Option C is wrong because enabling AWS Cost and Usage Reports (CUR) provides detailed cost data in an S3 bucket but does not directly make a tag available as a filter in Cost Explorer; CUR is a separate reporting mechanism, not a prerequisite for tag activation.

264
MCQmedium

A company's security team manages AWS accounts for multiple business units using AWS Organizations. The security team needs a single place to view and prioritize all security alerts, including findings from Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer. The team also wants to automatically run continuous compliance checks against industry standards such as the CIS AWS Foundations Benchmark. The solution must provide a consolidated dashboard with automated findings aggregation and compliance score tracking. Which AWS service should the security team choose?

A.AWS Config
B.AWS Security Hub
C.Amazon Detective
D.AWS Trusted Advisor
AnswerB

AWS Security Hub is designed to aggregate, organize, and prioritize security findings from across AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, etc.) and third-party tools. It also performs automated compliance checks against standards like CIS AWS Foundations Benchmark and provides a unified dashboard with compliance scores, meeting all the stated requirements.

Why this answer

AWS Security Hub is the correct choice because it provides a single, consolidated dashboard that aggregates security findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer. It also performs automated continuous compliance checks against industry standards like the CIS AWS Foundations Benchmark and tracks compliance scores over time, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance rules with Security Hub's consolidated findings and compliance scoring, but AWS Config lacks the ability to aggregate findings from multiple security services and track overall compliance scores against industry benchmarks.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and recording resource configurations against rules, but it does not aggregate findings from GuardDuty, Inspector, or IAM Access Analyzer into a single dashboard, nor does it provide compliance score tracking against CIS benchmarks. Option C is wrong because Amazon Detective is designed for investigating security incidents by analyzing log data and generating visualizations, but it does not aggregate findings from multiple services or perform automated compliance checks against industry standards. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate security findings from GuardDuty, Inspector, or IAM Access Analyzer, nor does it run continuous compliance checks against CIS benchmarks.

265
MCQmedium

Which cloud computing benefit allows a company's development team to spin up a testing environment in 5 minutes instead of waiting 6 weeks for hardware procurement and data center provisioning?

A.Economies of scale
B.High availability
C.Increase speed and agility
D.Pay-as-you-go pricing
AnswerC

Cloud agility enables developers to provision complete environments in minutes rather than weeks, reducing the cycle time for innovation and experimentation.

Why this answer

Option C is correct because one of the core benefits of cloud computing is the ability to rapidly provision and release resources with minimal management effort. Instead of waiting weeks for hardware procurement and data center provisioning, a development team can spin up a testing environment in minutes using Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) offerings like Amazon EC2 or AWS Elastic Beanstalk. This agility directly reduces time-to-market and enables faster iteration cycles.

Exam trap

The trap here is that candidates often confuse the speed and agility benefit with pay-as-you-go pricing, because both are key cloud advantages, but the question explicitly asks about the time-to-provision benefit, not the billing model.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to the cost advantages that cloud providers achieve through massive infrastructure aggregation, which lowers per-unit costs for customers, not the speed of resource provisioning. Option B is wrong because high availability focuses on ensuring that applications and services remain operational and accessible despite failures, typically through redundancy across Availability Zones, not on the speed of deploying new environments. Option D is wrong because pay-as-you-go pricing is a consumption-based billing model where you pay only for the resources you use, which provides cost flexibility but does not directly address the speed of provisioning hardware or environments.

266
Matchingmedium

Match each AWS storage service to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Object storage for any data

Block storage for EC2 instances

File storage for multiple EC2 instances

Low-cost archival storage

Hybrid cloud storage integration

Why these pairings

Each storage service addresses different storage needs.

267
MCQeasy

Which AWS service enables you to run relational database workloads with up to 5x the throughput of standard MySQL and 3x the throughput of standard PostgreSQL at a lower price point than commercial databases?

A.Amazon RDS for MySQL
B.Amazon Aurora
C.Amazon Redshift
D.Amazon DynamoDB
AnswerB

Aurora's distributed storage architecture delivers 5x MySQL and 3x PostgreSQL throughput while maintaining full compatibility and offering lower cost than Oracle or SQL Server.

Why this answer

Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, offering up to 5x the throughput of standard MySQL and 3x the throughput of standard PostgreSQL. It achieves this performance through a distributed, auto-healing storage subsystem that separates compute from storage, and it is priced lower than commercial databases like Oracle or SQL Server while providing high availability and durability.

Exam trap

The trap here is that candidates confuse Amazon RDS for MySQL with Amazon Aurora, assuming RDS offers the same performance enhancements, but Aurora is a separate engine with a fundamentally different distributed architecture that provides the stated throughput gains.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a managed service for standard MySQL, which does not provide the 5x throughput improvement over itself; Aurora is the enhanced version that delivers that performance boost. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse for analytical workloads, not a relational database for transactional workloads, and it does not offer MySQL or PostgreSQL compatibility or the stated throughput ratios. Option D is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database, and it does not support MySQL or PostgreSQL compatibility or the specific throughput claims.

268
MCQhard

A company architect is designing a new system on AWS. They want to implement the Well-Architected Framework principle of 'loosely coupled components.' Which architecture pattern best achieves this?

A.Have all services call each other directly via synchronous API calls
B.Use Amazon SQS or Amazon SNS between services to decouple them
C.Deploy all application components on a single large EC2 instance
D.Use a single shared database for all microservices
AnswerB

Message queues and event buses create loose coupling — producers write to the queue and consumers process independently. Components can be updated, scaled, or fail without directly affecting each other.

Why this answer

Option B is correct because Amazon SQS (message queue) and Amazon SNS (pub/sub) enable asynchronous communication between services, allowing them to operate independently without direct dependencies. This decoupling aligns with the Well-Architected Framework's principle of loosely coupled components, as services can fail, scale, or be updated without impacting others.

Exam trap

The trap here is that candidates often assume synchronous API calls (Option A) are simpler and sufficient for decoupling, but the Well-Architected Framework specifically requires asynchronous messaging (SQS/SNS) to achieve true loose coupling.

How to eliminate wrong answers

Option A is wrong because synchronous API calls create tight coupling—if one service fails or slows down, all dependent services are directly impacted, violating the loose coupling principle. Option C is wrong because deploying all components on a single large EC2 instance creates a monolithic architecture with no separation of concerns, making the system tightly coupled and a single point of failure. Option D is wrong because a single shared database for all microservices introduces tight coupling at the data layer, where schema changes or contention in one service can cascade to others, undermining independence.

269
MCQmedium

A company wants to create RESTful APIs that serve as the front door to their backend Lambda functions and EC2 services. They need features including API key management, throttling to protect backends from overload, and usage plan enforcement. Which AWS service provides this?

A.Amazon CloudFront
B.AWS Direct Connect
C.Amazon API Gateway
D.Amazon Route 53
AnswerC

API Gateway is the AWS service for creating, publishing, and managing APIs. It handles API key management, throttling to protect backend services, usage plans, and integrates natively with Lambda and EC2.

Why this answer

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure RESTful APIs at any scale. It directly provides built-in API key management, throttling (rate limiting and burst limits), and usage plan enforcement to protect backend services like Lambda functions and EC2 instances from overload. These features are core to API Gateway's functionality, making it the correct choice for acting as the front door to the described backend resources.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's edge caching and origin shielding capabilities with API management features, mistakenly thinking CloudFront can handle API key validation and throttling, when in fact CloudFront lacks native API key management and usage plan enforcement.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers static and dynamic content at the edge; it does not natively provide API key management, throttling, or usage plan enforcement for RESTful APIs. Option B is wrong because AWS Direct Connect is a dedicated network connection from an on-premises data center to AWS, used for private, low-latency connectivity, not for managing API access, throttling, or usage plans. Option D is wrong because Amazon Route 53 is a DNS (Domain Name System) web service that translates domain names to IP addresses; it does not offer API key management, throttling, or usage plan capabilities.

270
MCQeasy

A company is concerned about Distributed Denial of Service (DDoS) attacks against their website hosted on AWS. They want basic DDoS protection without incurring additional cost. Which AWS service provides automatic DDoS protection at no extra charge?

A.AWS WAF
B.Amazon GuardDuty
C.AWS Shield Advanced
D.AWS Shield Standard
AnswerD

AWS Shield Standard is enabled automatically for every AWS customer at no additional charge. It protects against the most common network and transport layer DDoS attacks.

Why this answer

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and provides basic protection against common infrastructure-layer DDoS attacks, such as SYN/UDP floods and reflection attacks. This matches the requirement for automatic, no-cost DDoS protection without any manual configuration or subscription.

Exam trap

The trap here is that candidates often confuse AWS WAF (which protects against application-layer threats but is not free) with DDoS protection, or they assume Shield Advanced is the only DDoS service, overlooking the always-on, no-cost Shield Standard.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) and incurs additional costs based on rules and requests; it does not provide automatic infrastructure-layer DDoS protection. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, but it does not actively mitigate DDoS attacks and has a cost per volume of log data analyzed. Option C is wrong because AWS Shield Advanced is a paid service (with a monthly commitment and data transfer fees) that provides enhanced DDoS protection, including 24/7 support and cost protection, not a free automatic option.

271
MCQmedium

A company runs multiple workloads on AWS. At the end of each month, the finance team receives a detailed invoice that shows exactly how many GB-hours of Amazon EBS storage each workload used and how many hours each Amazon EC2 instance was running. This granular usage data is used to allocate costs back to the respective business units. Which essential characteristic of cloud computing does this capability best demonstrate?

A.Measured service
B.On-demand self-service
C.Resource pooling
D.Rapid elasticity
AnswerA

This is correct. Measured service means cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Usage is monitored, controlled, and reported, providing transparency for both the provider and consumer. The detailed billing and cost allocation precisely illustrate this characteristic.

Why this answer

The correct answer is A because the ability to track and report granular usage data—such as GB-hours of EBS storage and EC2 instance hours—directly corresponds to the measured service characteristic of cloud computing. Measured service means cloud resources are metered at an abstraction level appropriate to the service type (e.g., storage, compute), enabling usage-based billing and cost allocation. In this scenario, the detailed invoice provides precise consumption metrics that allow the finance team to allocate costs to specific business units, which is the core function of measured service.

Exam trap

The trap here is that candidates often confuse measured service with on-demand self-service because both involve user control over resources, but measured service specifically focuses on metering and billing granularity, not the ability to provision resources without human intervention.

How to eliminate wrong answers

Option B is wrong because on-demand self-service refers to a user's ability to provision and manage computing resources automatically without requiring human interaction with the service provider, not to the granular tracking or billing of those resources. Option C is wrong because resource pooling describes the provider's ability to serve multiple customers from shared physical and virtual resources, dynamically assigning and reassigning them according to demand; it does not involve the detailed usage metering or cost allocation described in the question.

272
MCQmedium

Which AWS service provides a fully managed environment to run Apache Spark, Hadoop, and other big data frameworks for data processing and analytics?

A.Amazon Redshift
B.Amazon Athena
C.Amazon EMR
D.AWS Glue
AnswerC

EMR provides managed clusters running Spark, Hadoop, and other big data frameworks, handling all infrastructure setup while customers focus on data processing logic.

Why this answer

Amazon EMR (Elastic MapReduce) is the correct answer because it is a fully managed big data platform that natively supports Apache Spark, Hadoop, Hive, Presto, and other distributed processing frameworks. It automatically provisions EC2 instances, configures the cluster, and handles scaling, patching, and monitoring, allowing you to run large-scale data processing and analytics workloads without manual infrastructure management.

Exam trap

The trap here is that candidates often confuse AWS Glue (which uses Spark for ETL) with a general-purpose Spark/Hadoop platform, but Glue is a serverless ETL service with limited customization, whereas EMR provides full control over cluster configuration, libraries, and frameworks.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift is a fully managed petabyte-scale data warehouse optimized for SQL-based analytics using columnar storage, not a platform for running Apache Spark or Hadoop frameworks. Option B is wrong because Amazon Athena is a serverless interactive query service that uses Presto and standard SQL to analyze data directly in S3, not a managed environment for running Spark or Hadoop jobs. Option D is wrong because AWS Glue is a serverless data integration and ETL service that uses Apache Spark under the hood for job execution, but it is not designed as a general-purpose managed cluster for running arbitrary Hadoop or Spark applications; it focuses on schema discovery, cataloging, and ETL workflows.

273
MCQmedium

A company runs a mix of Amazon EC2 instances and AWS Fargate containers. The CFO wants to reduce costs by committing to a consistent amount of compute usage (measured in $ per hour) for a 1-year term. The company expects to change instance families and regions occasionally and needs the flexibility to apply the savings to both EC2 and ECS Fargate usage. Which AWS pricing option should the company choose?

A.Compute Savings Plans
B.EC2 Instance Savings Plans
C.Reserved Instances (Convertible)
D.On-Demand Instances
AnswerA

Correct. Compute Savings Plans apply to EC2, Fargate, and Lambda usage, allowing flexibility across instance families, regions, and operating systems within a consistent compute commitment measured in $/hour.

Why this answer

Compute Savings Plans offer the flexibility to cover EC2 instance and Fargate usage across any region, instance family, or compute type, while providing a discounted hourly rate in exchange for a 1-year commitment. This matches the CFO's requirement to reduce costs with a consistent $/hour commitment and the need to change instance families and regions occasionally, as Compute Savings Plans automatically apply to any eligible compute usage without requiring specific reservations.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with EC2 Instance Savings Plans, assuming all Savings Plans are region-specific, but Compute Savings Plans offer the broadest flexibility across instance families, regions, and compute services like Fargate.

How to eliminate wrong answers

Option B is wrong because EC2 Instance Savings Plans are locked to a specific instance family within a region (e.g., m5 in us-east-1), which does not allow changing instance families or regions as needed. Option C is wrong because Convertible Reserved Instances, while offering some flexibility to change instance attributes, require manual exchange and do not cover Fargate usage, only EC2 instances. Option D is wrong because On-Demand Instances provide no discount and no commitment, failing to meet the cost reduction goal entirely.

274
MCQmedium

A company needs to ensure that none of their AWS accounts allow resources to be deployed outside of the us-east-1 and eu-west-1 regions for data sovereignty. Which control achieves this most effectively?

A.Configure AWS Config rules in each account to detect out-of-region deployments
B.Apply an SCP in AWS Organizations that denies resource creation outside approved regions
C.Train developers to only deploy in approved regions
D.Enable IAM permission boundaries restricting regions in each account
AnswerB

An SCP with a `aws:RequestedRegion` condition can prevent any API calls creating resources in non-approved regions across all member accounts, providing proactive enforcement.

Why this answer

B is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny resource creation in non-approved regions across all member accounts. By applying an SCP with a condition that denies actions unless the `aws:RequestedRegion` is `us-east-1` or `eu-west-1`, you enforce data sovereignty at the organization level, preventing any account from deploying resources outside those regions regardless of individual account permissions.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config) with preventive controls (SCPs), or assume IAM permission boundaries can enforce region restrictions globally, when in fact SCPs are the only mechanism that applies to all principals in an account, including the root user.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive — they can detect out-of-region deployments after they occur but cannot block them, leaving a window for non-compliant resources to exist. Option C is wrong because training developers relies on human behavior and provides no technical enforcement, making it ineffective for mandatory compliance. Option D is wrong because IAM permission boundaries restrict what actions an IAM principal can perform but do not inherently limit the region; they would require complex condition keys and per-account configuration, and they cannot override permissions granted to the root user or service-linked roles, leaving gaps in enforcement.

275
MCQmedium

A company's finance team receives a detailed monthly report from AWS that shows the exact number of Amazon EC2 instance hours used, the amount of Amazon S3 storage consumed, and the volume of data transferred out to the internet over the month. The team uses this report to analyze usage trends, allocate costs to different departments, and plan future budgets. This capability is an example of which essential characteristic of cloud computing?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Measured service
AnswerD

Correct. Measured service is the cloud characteristic where resource usage is metered, controlled, and reported. The detailed monthly report of EC2 hours, S3 storage, and data transfer is a clear example of measured service, providing transparency for both the cloud provider and the consumer.

Why this answer

The correct answer is D, Measured service. This characteristic means cloud providers automatically meter and report resource usage (e.g., EC2 instance hours, S3 storage, data transfer) for billing, optimization, and planning. The finance team's ability to analyze exact usage data and allocate costs directly demonstrates this metering capability.

Exam trap

The trap here is that candidates confuse 'measured service' with 'resource pooling' because both involve multi-tenancy, but measured service specifically focuses on the metering and reporting of usage for billing and analysis, not the pooling of resources.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user provisioning compute resources without human interaction, not to the reporting or metering of usage after the fact. Option B is wrong because broad network access describes the ability to access cloud services over the network using standard protocols (e.g., HTTPS, SSH), not the detailed usage reporting. Option C is wrong because resource pooling means the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned; it does not involve the metered reporting of individual resource consumption.

276
MCQmedium

A compliance officer needs to download AWS's SOC 2 Type II report and ISO 27001 certification to provide to their company's auditors as evidence that the AWS infrastructure meets regulatory standards. Where should they access these documents?

A.AWS Trusted Advisor
B.AWS Artifact
C.AWS Security Hub
D.AWS Config
AnswerB

AWS Artifact is the central repository for AWS compliance documentation. It provides access to AWS security and compliance reports (SOC 1, SOC 2, SOC 3, PCI DSS, ISO 27001) and AWS agreements on demand, at no cost.

Why this answer

AWS Artifact is the central resource for downloading AWS compliance reports, including SOC 2 Type II reports and ISO 27001 certifications. It provides on-demand access to these documents, which auditors require as evidence of AWS's adherence to regulatory standards. This service is specifically designed for compliance and audit use cases, making it the correct choice.

Exam trap

The trap here is that candidates confuse AWS Artifact with AWS Security Hub, mistakenly thinking Security Hub's compliance checks provide the actual certification documents, when in fact Security Hub only checks your own resources against compliance frameworks, not AWS's own certifications.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an optimization tool that inspects your AWS environment and provides recommendations for cost, performance, security, and fault tolerance, but it does not host or provide access to compliance reports. Option C is wrong because AWS Security Hub aggregates security alerts and automates compliance checks against standards like CIS and PCI DSS, but it does not store or deliver raw compliance certification documents such as SOC 2 or ISO 27001. Option D is wrong because AWS Config evaluates and records resource configurations for compliance with internal policies, but it does not provide access to AWS's own third-party audit reports.

277
MCQeasy

A company discovers they have 30 EC2 instances running 24/7 that are almost never used — CPU utilisation under 1%. Terminating these idle instances would save thousands of dollars per month. Which AWS Well-Architected Framework pillar encourages this practice?

A.Operational Excellence
B.Reliability
C.Performance Efficiency
D.Cost Optimisation
AnswerD

The Cost Optimisation pillar includes identifying and eliminating waste — resources that consume cost but deliver no business value. Terminating 30 idle instances is a cost optimisation action.

Why this answer

Option D is correct because the Cost Optimization pillar of the AWS Well-Architected Framework focuses on avoiding unnecessary costs by matching capacity with demand. Terminating idle EC2 instances (CPU utilization under 1%) directly reduces wasted spend, aligning with the pillar's principle of 'right-sizing' resources and eliminating unused components.

Exam trap

The trap here is that candidates confuse 'Performance Efficiency' (which optimizes resource usage for performance) with 'Cost Optimization' (which minimizes waste and cost), leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value, not on cost reduction from idle resources. Option B is wrong because Reliability ensures workloads perform correctly and recover from failures, which is unrelated to terminating unused instances. Option C is wrong because Performance Efficiency deals with using IT and computing resources efficiently to meet system requirements, not with eliminating underutilized assets to save money.

278
MCQeasy

A security auditor needs to know which IAM user deleted a specific S3 bucket last week, from which IP address the action was taken, and at what exact time. Which AWS service captures this information?

A.Amazon CloudWatch
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerC

CloudTrail logs every API call to AWS services, capturing the IAM identity, source IP, timestamp, and operation details. Searching CloudTrail for DeleteBucket events would show exactly who deleted the S3 bucket, when, and from which IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including S3 bucket deletion actions (DeleteBucket). It captures the identity of the IAM user, the source IP address, and the exact timestamp of each API call, which directly meets the auditor's requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to track resource changes (like bucket deletion) with CloudTrail's ability to log the identity and source of the API call, leading them to select Config instead of CloudTrail.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms; it does not record API-level user activity or capture the specific IAM user, IP address, and timestamp of an S3 bucket deletion. Option B is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes over time, but it does not log who performed an action or the source IP address; it focuses on resource state, not API call details. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity; it does not natively store or provide raw API call history with user identity and IP address for forensic auditing.

279
MCQmedium

A company has a compliance policy requiring that all Amazon EC2 instances in its production environment must have the tag "Environment=Production" and must be associated with a security group named "Prod-SG". The company wants to continuously monitor its AWS account and automatically detect any EC2 instances that do not meet these requirements. The IT team needs a service that can evaluate the configuration of resources against these rules and send notifications when a non-compliant resource is detected. Which AWS service should the company use?

A.AWS Trusted Advisor
B.Amazon GuardDuty
C.AWS Config
D.Amazon Inspector
AnswerC

AWS Config allows you to define rules (both managed and custom) that evaluate the configuration of your AWS resources. It continuously monitors for changes and can automatically detect resources that violate your policies, such as missing tags or incorrect security groups, and send notifications through Amazon SNS.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired rules. You can create a custom AWS Config rule to check that all EC2 instances have the tag 'Environment=Production' and are associated with the security group 'Prod-SG'. When a resource becomes non-compliant, AWS Config can trigger an Amazon SNS notification to alert the IT team.

Exam trap

The trap here is that candidates confuse AWS Config (configuration auditing and compliance) with AWS Trusted Advisor (best-practice recommendations) or Amazon GuardDuty (threat detection), but only AWS Config can evaluate custom rules like tag and security group requirements.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment to make recommendations for cost optimization, performance, security, and fault tolerance, but it does not allow you to define custom compliance rules or continuously evaluate resource configurations against specific tags or security group associations. Option B is wrong because Amazon GuardDuty is a threat detection service that uses machine learning and anomaly detection to identify malicious activity and unauthorized behavior, not to evaluate resource configurations against custom compliance policies.

280
MCQmedium

A company wants to automatically detect potential security threats such as compromised credentials, unauthorized access attempts, and communication with known malicious IP addresses across its AWS environment. The company has enabled AWS CloudTrail, VPC Flow Logs, and DNS logs. Which AWS service should the company use to continuously analyze these logs and generate actionable security findings without requiring manual setup of data sources?

A.Amazon GuardDuty
B.AWS Config
C.AWS Trusted Advisor
D.Amazon Inspector
AnswerA

Amazon GuardDuty is the correct choice because it is designed to continuously analyze supported data sources (CloudTrail, VPC Flow Logs, DNS logs) to detect and generate findings for potential security threats.

Why this answer

Amazon GuardDuty is a threat detection service that continuously analyzes AWS CloudTrail, VPC Flow Logs, and DNS logs using machine learning and anomaly detection to identify compromised credentials, unauthorized access, and communication with known malicious IP addresses. It operates without requiring manual setup of data sources because it automatically ingests these logs once enabled, generating actionable security findings.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which scans for vulnerabilities) with GuardDuty (which detects threats from logs), or assume AWS Config's compliance rules can detect security threats, when in fact Config only checks configuration drift, not log-based anomalies.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it evaluates resource configurations against compliance rules and tracks configuration changes, but it does not analyze logs for security threats like compromised credentials or malicious IP communication. Option C (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but it does not perform continuous log analysis or threat detection. Option D (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for analyzing CloudTrail, VPC Flow Logs, or DNS logs for threat detection.

281
MCQmedium

A company uses AWS Organizations to manage over 50 AWS accounts. The security team has identified a high-priority requirement to prevent any security group rule in any account from allowing inbound RDP (port 3389) access from the internet (0.0.0.0/0). If a rule is created that violates this policy, the team wants it to be automatically removed. The team needs a centralized service that can enforce this policy across all current and new accounts without requiring manual setup in each account. Which AWS service should the team use?

A.AWS Config
B.AWS Firewall Manager
C.AWS IAM Access Analyzer
D.AWS Security Hub
AnswerB

AWS Firewall Manager allows organizations to centrally configure and manage security group rules and AWS WAF rules across all accounts. It can apply a common security group baseline and automatically remove non-compliant rules (e.g., inbound RDP from 0.0.0.0/0), enforcing the policy across current and new accounts without manual intervention.

Why this answer

AWS Firewall Manager is the correct choice because it provides centralized management of firewall rules across all accounts in an AWS Organization. It can enforce a security group policy that automatically removes any inbound RDP rule allowing 0.0.0.0/0, and it applies this policy to both existing and newly created accounts without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's detection capabilities with Firewall Manager's enforcement capabilities, assuming Config can automatically remediate without realizing it requires custom automation, while Firewall Manager provides native, centralized auto-remediation across all accounts.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing and compliance service that can detect non-compliant security group rules but cannot automatically remediate them without custom AWS Config rules and Lambda functions; it lacks native auto-remediation for this specific use case. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies for unintended cross-account access, not security group rules or inbound traffic from the internet. Option D is wrong because AWS Security Hub aggregates security findings and compliance status from multiple services but does not have the ability to enforce or automatically remove security group rules.

282
MCQeasy

A startup has a development AWS account and wants the minimum paid AWS Support plan that provides email-based technical support from AWS staff. They do not need 24/7 phone access. Which is the minimum support plan that provides access to AWS technical support engineers?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerB

Developer Support is the minimum paid plan with access to AWS technical support. It provides email-based access to Cloud Support Associates during business hours (up to 12-hour response for system impaired cases).

Why this answer

The Developer Support plan is the minimum AWS Support plan that provides access to AWS technical support engineers via email during business hours. Basic Support offers no technical support from AWS staff, only account and billing assistance. Business and Enterprise Support include 24/7 phone and chat support, which exceeds the stated requirement for email-only access.

Exam trap

The trap here is that candidates often confuse Basic Support as a paid plan or assume it includes technical support, but Basic is free and provides no access to AWS support engineers, making Developer the correct minimum paid option.

How to eliminate wrong answers

Option A is wrong because Basic Support does not include access to AWS technical support engineers; it only provides account and billing support via forums and documentation. Option C is wrong because Business Support includes 24/7 phone and chat support, which is more than the minimum email-based support required and costs more. Option D is wrong because Enterprise Support includes 24/7 phone, chat, and a Technical Account Manager (TAM), which is the highest level of support and far exceeds the minimum email-only requirement.

283
MCQmedium

A company operates five separate AWS accounts for different business units. The finance team wants to aggregate the usage across all accounts to benefit from volume pricing discounts and to receive a single monthly bill. The company does not need to centrally manage permissions or apply service control policies at this time. Which AWS feature should the company use to meet these requirements?

A.Consolidated Billing through AWS Organizations
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Trusted Advisor
AnswerA

Consolidated Billing aggregates usage across multiple accounts, enabling volume discounts and a single monthly invoice. This is the correct feature for the requirement.

Why this answer

AWS Organizations provides Consolidated Billing, which allows a company to aggregate usage across multiple AWS accounts into a single monthly bill. This enables the finance team to benefit from volume pricing discounts because AWS combines usage across all accounts, potentially lowering the overall cost tier. The requirement does not include centralized permission management or service control policies, so the basic Consolidated Billing feature of AWS Organizations is sufficient.

Exam trap

The trap here is that candidates may confuse AWS Organizations (which includes Consolidated Billing) with AWS Control Tower or AWS Single Sign-On, but the question specifically avoids the need for centralized management, so the simplest feature—Consolidated Billing—is the correct answer.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it is a cost visualization and analysis tool that helps you view and explore your AWS costs and usage over time, but it does not aggregate billing across accounts or provide volume pricing discounts. Option C (AWS Budgets) is wrong because it allows you to set custom budgets to track your cost and usage, and alerts you when you exceed your thresholds, but it does not combine multiple accounts into a single bill or enable volume discounts.

284
MCQeasy

A solutions architect is designing a new architecture on AWS that includes EC2, RDS, S3, and data transfer. Before deploying anything, they want to estimate the monthly cost of running this architecture. Which AWS tool should they use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Pricing Calculator
D.AWS Trusted Advisor
AnswerC

AWS Pricing Calculator lets users build a cost estimate for any combination of AWS services without deploying anything. It supports detailed configuration of services and generates a shareable monthly cost estimate.

Why this answer

AWS Pricing Calculator is the correct tool because it allows you to estimate the monthly cost of AWS services before deployment by specifying resource configurations (e.g., EC2 instance type, RDS storage, S3 data transfer). Unlike Cost Explorer, which analyzes historical costs, the Pricing Calculator provides upfront cost projections for new architectures.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer (a historical analysis tool) with the Pricing Calculator (a pre-deployment estimation tool), leading them to pick A instead of C.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical usage and costs, not pre-deployment estimates. Option B is wrong because AWS Budgets sets cost thresholds and alerts based on actual or forecasted spending, not upfront estimation. Option D is wrong because AWS Trusted Advisor inspects your environment for best practices (e.g., security, performance), but does not provide cost estimates for new architectures.

285
MCQhard

A company stores sensitive financial data in Amazon S3. They need to ensure that even if an attacker gains access to the S3 service, they cannot read the data without a customer-controlled encryption key. Which S3 encryption method satisfies this requirement?

A.SSE-S3 (Amazon S3-managed keys)
B.SSE-KMS with an AWS managed CMK (aws/s3)
C.SSE-KMS with a customer-managed CMK
D.S3 Versioning with MFA Delete
AnswerC

Customer-managed CMKs give the customer control over key policies, rotation, and deletion. Disabling or deleting the CMK makes the data unreadable — even by AWS. Key usage is auditable via CloudTrail.

Why this answer

Option C is correct because SSE-KMS with a customer-managed CMK ensures that the encryption key is under the customer's exclusive control, not AWS. Even if an attacker gains access to the S3 service, they cannot decrypt the data without the customer-managed CMK, which is stored in AWS KMS and can be further protected with key policies, IAM policies, and optional key rotation. This satisfies the requirement that the attacker cannot read the data without a customer-controlled encryption key.

Exam trap

The trap here is that candidates confuse 'customer-managed' with 'AWS managed' and assume any KMS key provides customer control, but only a customer-managed CMK gives the customer exclusive control over the key's lifecycle and permissions.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon S3-managed keys, where AWS controls the encryption keys, so an attacker with S3 access could potentially decrypt the data using those keys. Option B is wrong because SSE-KMS with an AWS managed CMK (aws/s3) still has the key managed by AWS, not the customer, so the customer does not have exclusive control over the encryption key. Option D is wrong because S3 Versioning with MFA Delete only protects against accidental or malicious deletion of object versions, not against reading encrypted data, and does not involve encryption keys at all.

286
MCQmedium

A company architect uses the Well-Architected Framework to review their workload. Which pillar specifically covers the concepts of selecting the right instance types and sizes, using serverless architectures, and choosing the appropriate storage solution?

A.Cost Optimization
B.Performance Efficiency
C.Operational Excellence
D.Sustainability
AnswerB

Performance Efficiency focuses on using computing resources efficiently — selecting appropriate instance types, architectures (serverless), and storage types are core to this pillar.

Why this answer

Performance Efficiency is the correct pillar because it focuses on using computing resources efficiently to meet system requirements, which includes selecting appropriate instance types and sizes, leveraging serverless architectures to eliminate idle capacity, and choosing the right storage solution based on access patterns and performance needs. The Well-Architected Framework defines this pillar as the ability to adapt to workload changes while maintaining efficiency through resource optimization.

Exam trap

The trap here is that candidates often confuse Performance Efficiency with Cost Optimization, assuming that selecting smaller instance types or serverless is always about saving money, when the pillar's primary goal is to meet performance requirements efficiently, not just reduce spend.

How to eliminate wrong answers

Option A is wrong because Cost Optimization focuses on minimizing costs and avoiding unnecessary spending, not on selecting instance types or storage for performance reasons. Option C is wrong because Operational Excellence covers operational practices like monitoring, incident response, and automation of changes, not the technical selection of compute or storage resources. Option D is wrong because Sustainability aims to minimize environmental impacts, such as reducing energy consumption and carbon footprint, not on choosing instance sizes or serverless architectures for performance.

287
MCQmedium

A company is migrating its internal email system to a cloud-based solution. After the migration, the company's IT team no longer needs to manage the email servers, apply operating system patches, or upgrade the email software. The cloud provider handles all underlying infrastructure, the platform, and the application itself. Users access their email through a web browser or a mobile app. Which cloud service model does this scenario describe?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.On-premises deployment
AnswerC

SaaS delivers a complete application over the internet, fully managed by the provider. The customer only uses the software via a browser or app and has no responsibility for the underlying infrastructure, platform, or application maintenance. This matches the scenario exactly.

Why this answer

This scenario describes Software as a Service (SaaS) because the cloud provider delivers the entire email application, including the underlying infrastructure, platform, and software, to end users. The IT team has no responsibility for managing servers, applying OS patches, or upgrading the email software—users simply access the email via a web browser or mobile app. This matches the SaaS model, where the provider manages everything from the hardware to the application, and the customer only consumes the software.

Exam trap

AWS often tests the misconception that if the customer does not manage the OS, it must be PaaS, but the key differentiator is that SaaS provides a fully functional application (like email) out of the box, whereas PaaS provides a platform for building and running custom applications.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) would require the company to still manage the email software, apply OS patches, and upgrade the application—the provider only supplies virtualized compute, storage, and networking, not the email application itself. Option B is wrong because Platform as a Service (PaaS) provides a runtime environment and development tools for building and deploying custom applications, but the customer would still be responsible for managing the email application code and its configuration, not simply consuming a ready-made email service.

288
MCQmedium

A healthcare company is migrating patient records to Amazon S3. The company must comply with HIPAA and needs to automatically identify any S3 buckets that contain protected health information (PHI) and generate alerts. The solution must be fully managed and require no manual effort to scan the data. Which AWS service should the company use?

A.Amazon Macie
B.Amazon Inspector
C.AWS Config
D.AWS Security Hub
AnswerA

Correct. Amazon Macie is designed to automatically discover, classify, and protect sensitive data in Amazon S3, including PHI, using machine learning. It requires no manual scanning and integrates with AWS Security Hub for alerting.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data in Amazon S3. It automatically identifies protected health information (PHI) such as medical record numbers, diagnosis codes, and patient names, and can generate alerts when such data is found in S3 buckets, meeting HIPAA compliance requirements without any manual scanning effort.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which sounds like it 'inspects' data) with Macie, but Inspector only scans for vulnerabilities in compute resources, not for sensitive data content in S3 objects.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not for data classification or PHI detection in S3. Option C is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies (e.g., checking if S3 buckets are encrypted or publicly accessible), but it cannot inspect the actual data content of objects to identify PHI. Option D is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (like Macie, GuardDuty, Inspector) and applies security standards, but it does not itself perform data scanning or classification of S3 objects.

289
MCQmedium

A company plans to run a fleet of Amazon EC2 instances continuously for 3 years to support a steady-state application. The company wants the lowest possible cost for this predictable workload while maintaining the flexibility to change instance families if needed. Which AWS purchasing option should the company choose?

A.On-Demand Instances
B.Standard Reserved Instances
C.Compute Savings Plans
D.Spot Instances
AnswerC

Compute Savings Plans offer significant discounts (up to 66%) and apply to any EC2 instance, regardless of family, region, or operating system, providing the lowest cost with the desired flexibility.

Why this answer

Compute Savings Plans offer the lowest cost for a predictable, steady-state workload over 3 years while allowing flexibility to change instance families. Unlike Reserved Instances, which lock you to a specific instance family, Compute Savings Plans apply to any EC2 instance (including those in different families) within a chosen region, automatically providing the highest discount (up to 66% vs On-Demand) for consistent compute usage.

Exam trap

The trap here is that candidates often choose Standard Reserved Instances for long-term savings without realizing that they sacrifice instance family flexibility, which Compute Savings Plans uniquely provide while still offering comparable discounts.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances have no upfront commitment and are the most expensive option for continuous 3-year usage, offering no discount. Option B is wrong because Standard Reserved Instances require a commitment to a specific instance family (e.g., m5.large), which contradicts the requirement for flexibility to change instance families if needed.

290
MCQmedium

A company has a strict security policy requiring that no Amazon S3 bucket or IAM role should be accessible to external AWS accounts unless explicitly approved. The security team needs a service that continuously analyzes resource-based policies and can generate findings when an S3 bucket policy allows access to a principal from outside the company's AWS Organization. Which AWS service should the team use?

A.AWS Config
B.IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

IAM Access Analyzer continuously analyzes resource-based policies and generates findings when a resource is accessible from outside the AWS Organization. This matches the requirement of detecting unintended external access to S3 buckets and IAM roles.

Why this answer

IAM Access Analyzer is designed to continuously analyze resource-based policies (such as S3 bucket policies and IAM role trust policies) and generate findings when access is granted to principals outside of the trusted AWS Organization. It uses zone of trust logic to identify policies that allow access to external AWS accounts, making it the correct service for this security requirement.

Exam trap

The trap here is that candidates often confuse AWS Config (which audits resource configurations) with IAM Access Analyzer (which specifically analyzes resource-based policies for cross-account access), leading them to choose AWS Config for a use case that requires policy-level access analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource configurations against compliance rules but does not natively analyze resource-based policies for cross-account access or generate findings about external principals; it is a configuration auditing tool, not an access analyzer. Option C is wrong because AWS Trusted Advisor provides high-level best practice checks (e.g., S3 bucket permissions, security groups) but does not continuously analyze resource-based policies for access from outside the AWS Organization and does not generate granular findings for IAM role trust policies.

291
MCQmedium

A company runs a microservices-based application on Amazon ECS. The application stores database credentials and API keys in plaintext configuration files that are baked into container images. A security audit reveals that this practice violates the company's compliance policy, which mandates that secrets must be stored separately from code, centrally managed, and automatically rotated every 90 days. Which AWS service should the company use to meet these requirements?

A.AWS Key Management Service (AWS KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
AnswerC

AWS Secrets Manager is purpose-built for storing, managing, and automatically rotating secrets such as database credentials and API keys. It integrates with Lambda to perform rotation on a schedule and with RDS for automatic credential updates, meeting the compliance requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is designed specifically for storing, managing, and automatically rotating database credentials, API keys, and other secrets throughout their lifecycle. It meets the compliance requirements by storing secrets separately from code, providing a central management console and API, and supporting automatic rotation every 90 days via built-in integration with AWS RDS, Redshift, and DocumentDB, or custom Lambda functions.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with AWS Systems Manager Parameter Store, assuming both offer automatic rotation, but Parameter Store lacks native rotation capabilities and is primarily for configuration data, not secrets lifecycle management.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys used to encrypt data, not for storing or automatically rotating secrets like database credentials or API keys. Option B is wrong because AWS CloudHSM provides dedicated hardware security modules for generating and storing cryptographic keys, but it does not offer a managed service for storing application secrets or automatic rotation capabilities. Option D is wrong because AWS Systems Manager Parameter Store can store secrets as SecureString parameters, but it lacks native automatic rotation functionality and is not designed as a dedicated secrets management service with built-in rotation scheduling.

292
MCQmedium

A company spends over $75,000 per month on AWS services and needs ongoing, proactive cost optimization guidance from a designated AWS expert. The company also requires a 15-minute response time for their most critical production incidents. Which AWS Support plan should the company choose?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise Support
AnswerD

AWS Enterprise Support includes a dedicated Technical Account Manager (TAM) who provides proactive guidance, including cost optimization, and offers a 15-minute response time for business-critical incidents. This matches all the company's requirements.

Why this answer

AWS Enterprise Support is the correct choice because it provides a designated Technical Account Manager (TAM) for proactive cost optimization guidance and a 15-minute response time for critical production incidents. The company's monthly spend of over $75,000 and need for ongoing, expert-led cost optimization align with the Enterprise-level support features, which include a TAM who conducts regular business reviews and cost optimization workshops.

Exam trap

The trap here is that candidates often confuse the 1-hour response time of Business Support with the 15-minute response time of Enterprise Support, and overlook the requirement for a designated expert (TAM) which is only available in Enterprise Support.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support offers only account and billing support, no technical support, no designated expert, and no proactive cost optimization guidance. Option B is wrong because AWS Developer Support provides only business-hours email access to Cloud Support Associates, with a 12-hour response time for critical issues, and does not include a designated expert or proactive cost optimization. Option C is wrong because AWS Business Support offers 24/7 phone, chat, and email support with a 1-hour response time for critical incidents, but it does not include a designated Technical Account Manager (TAM) or the proactive cost optimization guidance required by the company.

293
MCQeasy

A company's compliance officer needs to provide an external auditor with copies of AWS SOC 2 reports and a PCI DSS attestation of compliance. The officer needs a self-service portal to download these documents directly, without contacting AWS Support. The solution must provide the most current versions of these reports. Which AWS service should the officer use?

A.AWS Artifact
B.AWS Audit Manager
C.Amazon Inspector
D.AWS Config
AnswerA

AWS Artifact is a self-service portal that provides access to AWS compliance reports and agreements, including SOC reports and PCI DSS attestations, without needing to contact AWS Support.

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for on-demand access to AWS compliance reports, including SOC 2 reports and PCI DSS attestations of compliance. It ensures the most current versions are always available without needing to contact AWS Support, directly meeting the compliance officer's requirement for a self-service download solution.

Exam trap

The trap here is that candidates confuse AWS Artifact (a document repository for compliance reports) with AWS Audit Manager (a tool for creating and managing audit evidence), leading them to select Audit Manager for downloading reports instead of Artifact.

How to eliminate wrong answers

Option B is wrong because AWS Audit Manager is a service for continuously auditing AWS usage to simplify risk assessment and compliance, not a repository for downloading pre-existing compliance reports like SOC 2 or PCI DSS attestations. Option C is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a portal for accessing compliance documentation.

294
MCQmedium

A company runs a web application where requests to /api/* should be routed to one group of EC2 instances and requests to /images/* should be routed to another group. Which AWS load balancer type supports this URL path-based routing?

A.Network Load Balancer (NLB)
B.Classic Load Balancer (CLB)
C.Gateway Load Balancer (GWLB)
D.Application Load Balancer (ALB)
AnswerD

ALB operates at Layer 7 and supports rule-based routing based on URL path, host header, HTTP headers, and query strings. Routing /api/* to one target group and /images/* to another is a standard ALB path-based routing configuration.

Why this answer

The Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and supports content-based routing, including path-based routing rules that direct requests to different target groups based on URL paths such as /api/* and /images/*. This makes ALB the correct choice for the described use case.

Exam trap

The trap here is that candidates may confuse the Layer 4 capabilities of NLB with Layer 7 routing features, mistakenly thinking NLB can handle URL-based routing because it supports TLS termination, but NLB cannot inspect HTTP path patterns.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP/TLS) and cannot inspect HTTP URL paths for routing decisions. Option B is wrong because the Classic Load Balancer (CLB) is a legacy option that only supports simple round-robin or sticky session routing and does not support path-based routing rules. Option C is wrong because a Gateway Load Balancer (GWLB) is designed for transparent network gateway appliances (e.g., firewalls, intrusion detection) at Layer 3/4 and does not provide HTTP path-based routing.

295
MCQmedium

A company manages multiple AWS accounts, each used by a separate business unit. The finance team wants to obtain a single monthly bill that aggregates charges from all accounts and to benefit from volume discount pricing tiers on services like Amazon EC2 and Amazon S3 across the entire organization. Which AWS feature or service should the company use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Organizations consolidated billing
D.AWS Trusted Advisor
AnswerC

AWS Organizations with consolidated billing aggregates all usage and costs from member accounts into a single bill for the management account. This combined usage can qualify for volume discount pricing tiers, reducing overall costs.

Why this answer

AWS Organizations consolidated billing allows you to combine usage across multiple accounts to receive a single monthly bill and aggregate usage for volume discount pricing tiers (e.g., for EC2 and S3). This feature enables the finance team to benefit from lower rates as total usage across all accounts increases, without requiring any architectural changes.

Exam trap

The trap here is that candidates may confuse cost management tools (like AWS Budgets or Cost Explorer) with the actual billing aggregation feature, mistakenly thinking they can achieve consolidated billing and volume discounts through monitoring or analysis alone.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting tool that lets you set custom budgets and receive notifications when costs exceed thresholds; it does not aggregate billing or provide volume discounts. Option B is wrong because AWS Cost Explorer is a visualization and analysis tool for exploring historical cost and usage data; it does not combine accounts into a single bill or enable consolidated pricing tiers.

296
MCQmedium

A company uses AWS Organizations with multiple accounts for different departments (Engineering, Marketing, Sales). The finance team needs to create detailed monthly chargeback reports showing each department's usage and costs, broken down by service (e.g., Amazon EC2, Amazon S3) and by custom tags (e.g., Project). The reports must be in a machine-readable format (CSV) so they can be ingested into the company's internal billing system. The team wants the most comprehensive, granular cost data available from AWS, including line items for individual resources. Which AWS tool should the finance team configure to meet these requirements?

A.AWS Budgets
B.AWS Cost and Usage Report
C.AWS Trusted Advisor
D.Consolidated Billing
AnswerB

The AWS Cost and Usage Report (CUR) provides the most granular data available, including line items for each resource, broken down by tags, services, and accounts. It can be delivered to S3 in CSV format, making it ideal for chargeback and integration with internal billing systems.

Why this answer

The AWS Cost and Usage Report (CUR) is the correct choice because it provides the most comprehensive, granular cost data available, including line items for individual resources broken down by service, custom tags, and time period. It can be delivered to an Amazon S3 bucket in CSV format, which is machine-readable and suitable for ingestion into the company's internal billing system for detailed monthly chargeback reports.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which provides cost alerts) with detailed reporting, or assume Consolidated Billing alone provides granular cost breakdowns, but neither offers the line-item, tag-enabled CSV output required for chargeback ingestion.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting tool, not a reporting tool that provides detailed line-item cost data in CSV format; it cannot generate the granular, resource-level breakdown required. Option C is wrong because AWS Trusted Advisor is an optimization and best-practices service that inspects your AWS environment for cost savings, performance, security, and fault tolerance, but it does not produce cost and usage reports with line-item detail. Option D is wrong because Consolidated Billing is a feature of AWS Organizations that aggregates costs across accounts for a single bill, but it does not generate detailed, machine-readable reports with service and tag breakdowns; it is a billing mechanism, not a reporting tool.

297
MCQmedium

A company is designing a system where a failure in one component does not cause cascading failures across the entire application. Which architectural concept does this represent?

A.Tight coupling
B.Loose coupling
C.Vertical scaling
D.Monolithic architecture
AnswerB

Loose coupling minimizes dependencies between components so failures don't cascade across the system.

Why this answer

Loose coupling is the architectural concept that ensures components are independent, so a failure in one component does not cascade to others. In AWS, this is achieved through services like Amazon SQS for asynchronous messaging or Amazon SNS for event-driven decoupling, where each component can fail and recover independently without affecting the rest of the system.

Exam trap

AWS often tests the confusion between loose coupling and horizontal scaling, where candidates mistakenly think scaling out instances prevents cascading failures, but scaling alone does not decouple component dependencies.

How to eliminate wrong answers

Option A is wrong because tight coupling means components are highly dependent on each other, so a failure in one component directly causes cascading failures across the entire application, which is the opposite of the desired behavior. Option C is wrong because vertical scaling (increasing the size of a single instance, e.g., from t2.micro to t2.large) addresses capacity but does not prevent cascading failures between components. Option D is wrong because monolithic architecture packages all components into a single deployable unit, where a failure in any part typically brings down the entire application, directly causing cascading failures.

298
MCQmedium

A company wants to implement a hub-and-spoke network architecture where multiple VPCs can communicate with a shared services VPC (containing DNS, monitoring, and security tools) but not with each other. Which AWS networking feature enables this?

A.VPC Peering with route table customization
B.AWS Transit Gateway with route tables
C.Internet Gateway with security groups
D.VPC Endpoints
AnswerB

Transit Gateway supports multiple route tables that control which VPCs can communicate with which. Spoke VPCs route only to the hub's route table, isolating them from each other while allowing shared services access.

Why this answer

AWS Transit Gateway with route tables is the correct choice because it acts as a central hub that connects multiple VPCs (spokes) to a shared services VPC, while using separate route tables to prevent inter-spoke communication. This allows the shared services VPC to be reachable from all other VPCs, but the route tables can be configured to not propagate routes between the spoke VPCs, enforcing the desired isolation.

Exam trap

The trap here is that candidates often confuse VPC Peering with Transit Gateway, assuming that route table customization in peering can achieve transitive routing, but VPC Peering does not support transitive routing (e.g., if VPC A is peered with VPC B and VPC B is peered with VPC C, VPC A cannot reach VPC C through VPC B).

How to eliminate wrong answers

Option A is wrong because VPC Peering with route table customization does not support transitive routing; each peering connection is a one-to-one relationship, so to connect multiple VPCs to a shared services VPC without them communicating with each other, you would need a full mesh of peering connections and complex route table entries, which is not scalable and does not natively prevent inter-spoke traffic without additional network appliances. Option C is wrong because an Internet Gateway is used for internet connectivity, not for private VPC-to-VPC communication; it cannot route traffic between VPCs. Option D is wrong because VPC Endpoints (Gateway or Interface endpoints) are used to privately connect VPCs to AWS services (like S3 or DynamoDB) or to services powered by AWS PrivateLink, not to route traffic between multiple VPCs.

299
MCQmedium

A company's security team wants to identify all Amazon S3 buckets that are shared with external AWS accounts or publicly accessible. The team needs a continuous evaluation that reports findings in a centralized dashboard and sends alerts when new unintended external shares are created. Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

IAM Access Analyzer analyzes resource-based policies to identify resources that are shared with external entities (outside your AWS organization). It provides continuous monitoring, a dashboard of findings, and integration with AWS Security Hub and Amazon EventBridge for alerts. This directly meets the requirement.

Why this answer

IAM Access Analyzer is the correct choice because it continuously monitors resource policies, including S3 bucket policies, to identify resources shared with external AWS accounts or publicly. It provides a centralized dashboard in the IAM console to view findings and integrates with Amazon EventBridge to send alerts via Amazon SNS when new unintended external shares are created, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to detect resource changes with the specific need for continuous policy analysis and centralized findings for external access, leading them to pick AWS Config instead of IAM Access Analyzer.

How to eliminate wrong answers

Option A (AWS Config) is wrong because while AWS Config can evaluate resource configurations against rules and detect changes, it does not natively analyze resource policies for external or public access in a centralized findings dashboard; it requires custom rules and lacks the built-in external access analysis that IAM Access Analyzer provides. Option C (AWS Trusted Advisor) is wrong because it performs a one-time or periodic check for publicly accessible S3 buckets in the 'Security' category but does not provide continuous evaluation, a centralized findings dashboard for all external shares, or automated alerting for new unintended shares; it also does not analyze external AWS account sharing. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, not for analyzing S3 bucket policies for external or public access; it does not generate findings for resource-based policy sharing.

300
MCQmedium

A company runs a production workload on Amazon EC2 and Amazon RDS. The operations team needs technical support with a guaranteed response time of less than 1 hour for critical system issues. They also require access to the full set of AWS Trusted Advisor best practice checks, including cost optimization, security, and fault tolerance recommendations. The company does not want to pay for a dedicated Technical Account Manager (TAM). Which AWS Support plan should the company choose?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise On-Ramp Support
AnswerC

AWS Business Support provides a 1-hour response time for critical cases and includes full access to AWS Trusted Advisor best practice checks. It does not require a dedicated TAM, matching the company's needs without extra cost.

Why this answer

The AWS Business Support plan provides a guaranteed response time of less than 1 hour for critical system issues and grants access to the full set of AWS Trusted Advisor best practice checks, including cost optimization, security, and fault tolerance. This plan meets the company's requirements without the need for a dedicated Technical Account Manager (TAM), which is only included in higher-tier plans like Enterprise On-Ramp or Enterprise Support.

Exam trap

The trap here is that candidates often confuse the AWS Developer Support plan's faster response times for general guidance with the critical-case SLA, or assume that full Trusted Advisor checks are available in lower tiers, when in fact only Business and above include the complete set.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support offers no technical support with guaranteed response times and only provides access to a limited subset of Trusted Advisor checks (service limits and basic security checks), not the full set. Option B is wrong because AWS Developer Support provides a response time of less than 12 hours for critical issues, not the required less than 1 hour, and still does not include full Trusted Advisor checks. Option D is wrong because AWS Enterprise On-Ramp Support includes a dedicated TAM, which the company explicitly does not want to pay for, and is a higher-cost plan that exceeds the stated requirements.

Page 3

Page 4 of 14

Page 5