AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 301375

1024 questions total · 14pages · All types, answers revealed

Page 4

Page 5 of 14

Page 6
301
MCQmedium

A startup wants to deploy their web application to AWS with minimal configuration. They want AWS to handle provisioning, load balancing, scaling, and health monitoring automatically. Which service is most appropriate?

A.Amazon EC2 with Auto Scaling
B.AWS Elastic Beanstalk
C.Amazon EKS
D.AWS CloudFormation
AnswerB

Elastic Beanstalk handles all infrastructure management automatically — developers provide the application code and Beanstalk provisions and manages the environment.

Why this answer

AWS Elastic Beanstalk is the correct choice because it is a Platform-as-a-Service (PaaS) offering that automatically handles provisioning, load balancing, auto scaling, and health monitoring with minimal configuration. The startup simply uploads their web application code, and Elastic Beanstalk manages the underlying infrastructure, including the EC2 instances, Elastic Load Balancer, and CloudWatch health checks, without requiring manual setup.

Exam trap

AWS often tests the distinction between managed services (PaaS) and infrastructure services (IaaS), and the trap here is that candidates confuse Amazon EC2 with Auto Scaling as a 'fully managed' solution when it actually requires significant manual configuration for load balancing and health monitoring.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Auto Scaling requires manual configuration of the Auto Scaling group, launch templates, load balancer, and health checks, which contradicts the 'minimal configuration' requirement. Option C is wrong because Amazon EKS is a managed Kubernetes service that demands significant setup and expertise to configure clusters, node groups, and networking, making it overkill for a simple web application deployment. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service that requires writing and maintaining templates to define resources, which is not a fully managed platform and does not automatically handle provisioning or scaling without explicit configuration.

302
MCQmedium

A small e-commerce company currently hosts its website on a single physical server in a colocation facility. The company pays a fixed monthly fee for the server, power, and bandwidth, regardless of actual usage. The CTO is evaluating AWS and notes that AWS operates millions of servers across multiple data centers, allowing it to negotiate lower prices for hardware and pass those savings to customers. The CTO expects that migrating to AWS will reduce the company's per-unit costs. Which benefit of cloud computing does this scenario BEST describe?

A.High availability
B.Elasticity
C.Economy of scale
D.Fault tolerance
AnswerC

Economy of scale is the correct answer. The scenario explicitly describes how AWS's massive infrastructure footprint enables lower per-unit costs that are passed to customers. This is a core benefit of cloud computing: customers benefit from the provider's ability to achieve cost efficiencies that are impossible for a single organization to match.

Why this answer

The scenario describes how AWS leverages its massive scale of operations—millions of servers across multiple data centers—to negotiate lower hardware prices from suppliers and pass those savings to customers. This is the definition of economy of scale: as the volume of production increases, the cost per unit decreases. The CTO expects that migrating to AWS will reduce the company's per-unit costs, which directly aligns with this cloud computing benefit.

Exam trap

AWS often tests the distinction between economy of scale (cost reduction from volume) and elasticity (cost reduction from right-sizing usage), so candidates may confuse the two because both can lower costs, but the mechanism is fundamentally different.

How to eliminate wrong answers

Option A is wrong because high availability refers to systems that are designed to remain operational with minimal downtime, often through redundancy across multiple Availability Zones, not cost reduction from scale. Option B is wrong because elasticity is the ability to automatically scale resources up or down based on demand, which can reduce costs but is not the primary mechanism described here—the focus is on lower per-unit hardware costs from AWS's purchasing power. Option D is wrong because fault tolerance is the ability of a system to continue operating without interruption when one or more components fail, which is a resilience feature, not a cost-saving benefit from scale.

303
MCQmedium

An e-commerce company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer and Amazon CloudFront. The application has been experiencing frequent, large-scale DDoS attacks that cause significant compute and data transfer costs. The company wants to implement a managed DDoS protection service that provides financial protection against scaling costs incurred during DDoS attacks, access to a DDoS Response Team (DRT) for real-time attack mitigation support, and integration with AWS WAF for application-layer attack protection. Which AWS service should the company use to meet these requirements?

A.AWS Shield Standard
B.AWS Shield Advanced
C.AWS WAF
D.Amazon GuardDuty
AnswerB

AWS Shield Advanced is a paid service that provides enhanced DDoS protection. It includes cost protection against scaling charges incurred during a DDoS attack, 24/7 access to the DDoS Response Team (DRT) for expert support, and integration with AWS WAF for application-layer attack mitigation. This matches all the requirements described in the scenario.

Why this answer

AWS Shield Advanced is the correct choice because it provides enhanced DDoS protection with financial protection against scaling costs incurred during DDoS attacks (cost protection for EC2, ELB, CloudFront, and Route 53), 24/7 access to the DDoS Response Team (DRT) for real-time attack mitigation, and seamless integration with AWS WAF for application-layer attack protection. This fully managed service meets all three stated requirements, unlike the other options.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard (free, basic protection) with AWS Shield Advanced (paid, enhanced protection with cost protection and DRT access), or mistakenly think AWS WAF alone provides DDoS mitigation and financial safeguards, when in fact WAF is only an application-layer component that must be paired with Shield Advanced for the full solution.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic network-layer DDoS protection (SYN floods, UDP floods) at no additional cost, but it does not offer financial protection against scaling costs, access to the DDoS Response Team (DRT), or integration with AWS WAF for application-layer protection. Option C is wrong because AWS WAF is a web application firewall that protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not provide financial protection against DDoS-related scaling costs or access to the DRT; it is a component that integrates with Shield Advanced, not a standalone DDoS protection service. Option D is wrong because Amazon GuardDuty is a threat detection service that uses machine learning to identify malicious activity (e.g., compromised instances, suspicious API calls) but does not provide DDoS mitigation, financial protection, or DRT access.

304
MCQmedium

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires a mechanism to prevent any IAM user or role in any member account from modifying Amazon S3 bucket policies to grant public access. The solution must be enforced centrally and cannot be overridden by account administrators. Which AWS feature should the company use?

A.IAM permissions boundaries
B.Service control policies (SCPs)
C.AWS Config conformance packs
D.AWS CloudTrail Insights
AnswerB

SCPs are used in AWS Organizations to centrally manage permissions across all accounts. They define the maximum available permissions and can explicitly deny actions like modifying S3 bucket policies. SCPs apply to all principals in the account and cannot be bypassed by account administrators.

Why this answer

Service control policies (SCPs) are the correct choice because they allow AWS Organizations to centrally define permission guardrails that apply to all IAM users and roles across member accounts. SCPs can explicitly deny actions like s3:PutBucketPolicy to prevent any account administrator from modifying S3 bucket policies to grant public access, and these restrictions cannot be overridden by any IAM entity within the member account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permissions boundaries, thinking both are equally enforceable centrally, but SCPs operate at the organization level and cannot be bypassed by account administrators, whereas permissions boundaries are account-level and can be removed or modified by an admin with sufficient privileges.

How to eliminate wrong answers

Option A is wrong because IAM permissions boundaries are applied at the individual IAM user or role level within a single account and can be overridden by an account administrator with sufficient privileges; they do not provide a centralized, unbreakable guardrail across all accounts in an organization. Option C is wrong because AWS Config conformance packs are used to evaluate resource compliance against rules and can trigger remediation actions, but they do not enforce preventive controls that block API calls before they happen; they are detective and reactive, not preventive.

305
MCQmedium

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in the us-east-1 Region. The application serves users worldwide, and the company wants to optimize both performance and availability for all users. The solution should use the AWS global network to route traffic from users to the nearest edge location and then over the AWS backbone to the ALB, without caching content at edge locations. Which AWS service should the company use?

A.AWS Global Accelerator
B.Amazon CloudFront
C.AWS Shield
D.Amazon Route 53 latency-based routing
AnswerA

AWS Global Accelerator uses Anycast IP addresses at AWS edge locations to receive user traffic and then routes it over the AWS global network to the application endpoint. This improves performance by reducing internet latency and provides fast failover between regions or endpoints. It does not cache content, making it suitable for dynamic applications.

Why this answer

AWS Global Accelerator uses the AWS global network to route user traffic to the nearest edge location via Anycast IP addresses, then forwards it over the AWS backbone directly to the Application Load Balancer (ALB) in us-east-1. This optimizes performance by reducing latency and jitter, and improves availability by providing static IP addresses and health-check-based traffic shifting, without caching any content at edge locations.

Exam trap

The trap here is that candidates often confuse Global Accelerator with CloudFront because both use edge locations, but the key differentiator is that CloudFront caches content at the edge, while Global Accelerator does not cache and instead optimizes network path routing for dynamic content or non-HTTP traffic.

How to eliminate wrong answers

Option B (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations to reduce origin load, but the question explicitly states 'without caching content at edge locations,' making it unsuitable. Option C (AWS Shield) is wrong because AWS Shield is a managed DDoS protection service that safeguards applications from attacks, but it does not route traffic over the AWS global network or optimize performance and availability for global users.

306
MCQeasy

Which AWS service provides a serverless, fully managed Apache Spark processing engine for big data analytics without managing clusters?

A.Amazon EMR on EC2
B.Amazon Redshift
C.AWS Glue (serverless Apache Spark ETL)
D.Amazon Kinesis Data Analytics
AnswerC

AWS Glue provides a serverless Apache Spark environment for ETL processing — no cluster provisioning or management, automatic scaling, and pay-per-DPU-second pricing.

Why this answer

AWS Glue provides a fully managed, serverless Apache Spark environment for ETL (extract, transform, load) workloads. It automatically provisions, configures, and scales the Spark cluster behind the scenes, so you don't need to manage any infrastructure. This makes it the correct choice for a serverless Apache Spark processing engine for big data analytics.

Exam trap

The trap here is that candidates often confuse Amazon EMR (which can run Spark but requires cluster management) with a fully serverless Spark offering, or they mistakenly think Amazon Kinesis Data Analytics supports Apache Spark when it actually supports Apache Flink and SQL for stream processing.

How to eliminate wrong answers

Option A is wrong because Amazon EMR on EC2 requires you to manage EC2 instances and clusters, even though it can run Apache Spark; it is not serverless. Option B is wrong because Amazon Redshift is a fully managed data warehouse that uses its own SQL-based engine, not Apache Spark, and it is not designed as a serverless Spark processing engine. Option D is wrong because Amazon Kinesis Data Analytics is a serverless service for real-time stream processing using Apache Flink or SQL, not Apache Spark.

307
MCQmedium

A company has predictable workloads running 24/7. Which EC2 pricing option would provide the most significant cost savings compared to On-Demand pricing?

A.Spot Instances
B.On-Demand Instances
C.Reserved Instances
D.Dedicated Hosts
AnswerC

Reserved Instances offer the best savings (up to 72%) for predictable, steady-state 24/7 workloads.

Why this answer

Reserved Instances (RIs) provide a significant discount (up to 72%) over On-Demand pricing in exchange for a one- or three-year commitment. Since the company has predictable, 24/7 workloads, RIs are the ideal choice because they match the steady-state usage pattern and offer the highest cost savings for always-on instances.

Exam trap

The trap here is that candidates often confuse Spot Instances with cost savings for any workload, but Spot Instances are only cost-effective for interruptible, stateless workloads, not for predictable 24/7 operations where reliability is paramount.

How to eliminate wrong answers

Option A is wrong because Spot Instances are designed for fault-tolerant, flexible workloads that can handle interruptions, not for predictable 24/7 workloads where availability is critical. Option B is wrong because On-Demand Instances are the most expensive pricing model, offering no discount and thus no cost savings compared to themselves. Option D is wrong because Dedicated Hosts are a physical server isolation option that incurs additional costs (per-host billing) and is not a pricing model for cost savings; they are chosen for compliance or licensing reasons, not for reducing costs over On-Demand.

308
MCQeasy

Which AWS service allows you to build, train, and deploy machine learning models at scale?

A.Amazon Rekognition
B.Amazon Comprehend
C.Amazon SageMaker
D.AWS DeepLens
AnswerC

SageMaker provides a complete ML platform for building, training, and deploying custom ML models at scale.

Why this answer

Amazon SageMaker is the correct answer because it is a fully managed service that provides every component needed for the machine learning lifecycle, including building, training, and deploying models at scale. It offers integrated Jupyter notebooks for development, built-in algorithms, automatic model tuning, and one-click deployment to a production endpoint with auto-scaling. This makes it the single AWS service designed specifically for end-to-end ML workflows, unlike the other options which serve narrower AI/ML functions.

Exam trap

The trap here is that candidates confuse purpose-built AI services (like Rekognition or Comprehend) with the full ML platform (SageMaker), assuming any service with 'AI' in its name can handle custom model training and deployment.

How to eliminate wrong answers

Option A is wrong because Amazon Rekognition is a pre-trained AI service for image and video analysis (e.g., object detection, facial recognition) and does not allow you to build, train, or deploy custom machine learning models. Option B is wrong because Amazon Comprehend is a natural language processing (NLP) service that uses pre-trained models to extract insights from text (e.g., sentiment, entities) and cannot be used to train or deploy your own ML models. Option D is wrong because AWS DeepLens is a hardware device (a deep learning-enabled video camera) that runs pre-trained models locally for edge inference, not a service for building, training, or deploying models at scale in the cloud.

309
MCQmedium

A company's data scientists want a managed environment for collaborative Jupyter notebooks connected to their AWS data sources and compute without managing infrastructure. Which AWS service provides this?

A.AWS Cloud9
B.Amazon SageMaker Studio
C.Amazon EMR Studio
D.AWS Lambda with Jupyter
AnswerB

SageMaker Studio is the unified ML IDE providing managed Jupyter notebooks with auto-scaling compute, direct AWS service integration, and collaboration features for data science teams.

Why this answer

Amazon SageMaker Studio is a fully managed, web-based visual interface for data scientists to build, train, debug, deploy, and monitor machine learning models. It provides collaborative Jupyter notebooks that can connect directly to AWS data sources (e.g., S3, Athena, Redshift) and compute resources (e.g., SageMaker training instances, endpoints) without requiring any infrastructure management by the user.

Exam trap

The trap here is that candidates may confuse Amazon SageMaker Studio with AWS Cloud9 or Amazon EMR Studio, because all three offer web-based development environments, but only SageMaker Studio is specifically designed for collaborative Jupyter notebooks with integrated ML compute and data source connectivity without infrastructure management.

How to eliminate wrong answers

Option A is wrong because AWS Cloud9 is a cloud-based integrated development environment (IDE) for writing, running, and debugging code, but it is not purpose-built for collaborative Jupyter notebooks with integrated ML workflows and does not natively connect to SageMaker compute or data sources. Option C is wrong because Amazon EMR Studio is a web-based IDE for big data analytics using Apache Spark, Hive, and other open-source frameworks, but it is not designed for Jupyter notebooks in a managed ML environment and focuses on EMR clusters rather than SageMaker. Option D is wrong because AWS Lambda with Jupyter is not a managed service; Lambda is a serverless compute service for running code in response to events, and it does not provide a collaborative notebook interface or persistent compute for interactive data science work.

310
MCQmedium

A startup recently signed up for AWS and is using the AWS Free Tier to run a small web application. The startup's finance lead wants to monitor the team's usage of AWS services to ensure they do not exceed the Free Tier limits and incur unexpected charges. The finance lead needs a tool that can proactively send an alert when the team approaches 80% of the Free Tier limit for a specific service, such as Amazon EC2. Which AWS service or feature should the finance lead use to set up this alert?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Personal Health Dashboard
AnswerA

AWS Budgets allows you to create a budget with a Free Tier usage alert. You can set a threshold (e.g., 80%) for a specific service and receive email notifications when usage reaches that threshold. This is the correct tool for proactive monitoring of Free Tier limits.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets, including alerts for Free Tier usage. You can configure a budget to track your actual Free Tier consumption for a specific service like Amazon EC2 and trigger an alert when usage reaches 80% of the Free Tier limit. This meets the finance lead's requirement for proactive notification before exceeding limits and incurring charges.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's visualization and forecasting capabilities with the proactive alerting feature of AWS Budgets, assuming Cost Explorer can send threshold-based alerts when it cannot.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it provides historical cost and usage visualization and forecasting, but does not support proactive alerts or threshold-based notifications for Free Tier limits. Option C (AWS Trusted Advisor) is wrong because it offers best-practice checks and recommendations, including Free Tier usage limits, but it does not allow you to set custom percentage-based alerts; it only displays current usage status. Option D (AWS Personal Health Dashboard) is wrong because it provides alerts about AWS service health events and scheduled maintenance affecting your account, not about your own usage or billing thresholds.

311
MCQmedium

A company is migrating a legacy on-premises application to AWS. The application requires a shared file system that can be mounted by multiple Amazon EC2 instances concurrently. The EC2 instances run Amazon Linux and are deployed across multiple Availability Zones for high availability. The file system must grow and shrink automatically as files are added or removed, and the company wants to avoid provisioning storage capacity in advance. Which AWS service should the company use to meet these requirements?

A.Amazon S3
B.Amazon EBS
C.Amazon EFS
D.Amazon FSx for Windows File Server
AnswerC

Amazon EFS provides a fully managed, scalable NFS file system that can be mounted by multiple EC2 instances across different Availability Zones. It automatically scales storage capacity on demand and charges only for the storage used, meeting all the stated requirements.

Why this answer

Amazon EFS (Elastic File System) is a fully managed NFS file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones. It automatically scales storage capacity up and down as files are added or removed, eliminating the need to provision storage in advance. EFS supports the NFSv4.1 and NFSv4.0 protocols, making it ideal for shared file workloads on Amazon Linux.

Exam trap

The trap here is that candidates often confuse Amazon EBS with a shared file system, overlooking that EBS volumes are single-instance attachments (except for the limited multi-attach feature) and require upfront capacity provisioning, whereas EFS is designed specifically for shared, elastic file storage across multiple instances and AZs.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service, not a file system; it cannot be mounted as a shared file system via NFS or provide POSIX-compliant file locking required for concurrent EC2 mounts. Option B is wrong because Amazon EBS provides block-level storage volumes that can only be attached to a single EC2 instance at a time (except for multi-attach EBS, which is limited to specific instance types and a single Availability Zone), and it requires manual provisioning of capacity in advance, not automatic scaling.

312
MCQmedium

A company is currently running its IT infrastructure in an on-premises data center. The finance department wants to understand how moving to the AWS Cloud would change the company's cost structure. In particular, they want to avoid large upfront hardware purchases and instead pay only for the resources they consume on a monthly basis. Which key cloud computing concept does this shift represent?

A.Elasticity
B.Economies of scale
C.Pay-as-you-go pricing
D.High availability
AnswerC

Pay-as-you-go is a pricing model where customers pay only for the resources they consume, with no upfront commitments. This directly addresses the finance department's desire to avoid large upfront hardware purchases and shift to a variable monthly expense model.

Why this answer

Option C is correct because pay-as-you-go pricing is the cloud computing model that allows a company to avoid large upfront capital expenditures on hardware and instead pay only for the resources they consume on a monthly basis. This directly aligns with the finance department's goal of shifting from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model, where costs are incurred based on actual usage rather than upfront purchases.

Exam trap

The trap here is that candidates often confuse elasticity (the ability to scale) with the pricing model, but the question specifically asks about the shift from upfront hardware purchases to monthly consumption-based billing, which is exclusively a pay-as-you-go concept.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability of a cloud system to automatically scale resources up or down based on demand, not to the pricing model that avoids upfront costs. Option B is wrong because economies of scale describe the cost advantage that AWS gains from massive infrastructure deployments, which allows them to pass savings to customers, but this is a benefit of cloud computing in general, not the specific shift from upfront hardware purchases to consumption-based billing.

313
MCQmedium

A company uses AWS and wants to make their application fault tolerant against the failure of an entire AWS Region. Which approach achieves Region-level fault tolerance?

A.Deploy resources across multiple Availability Zones within a single Region
B.Deploy the application in multiple AWS Regions with Route 53 failover routing
C.Use Reserved Instances in a single Region for guaranteed capacity
D.Enable S3 versioning in a single Region
AnswerB

Multi-Region deployment with Route 53 health-check-based failover routing enables automatic traffic redirection to a healthy Region if the primary Region becomes unavailable.

Why this answer

Option B is correct because deploying the application in multiple AWS Regions and using Route 53 failover routing ensures that if an entire Region becomes unavailable, traffic is automatically redirected to a healthy Region. This is the only approach that provides fault tolerance against a complete Region failure, as Availability Zones within a single Region cannot protect against a Region-wide outage.

Exam trap

The trap here is that candidates often confuse high availability within a Region (using multiple Availability Zones) with disaster recovery across Regions, and incorrectly assume that deploying across Availability Zones alone provides Region-level fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying across multiple Availability Zones within a single Region protects against the failure of a single data center, but not against the failure of an entire Region, as all Availability Zones in a Region share the same physical infrastructure and can be impacted by a Region-wide event. Option C is wrong because Reserved Instances provide a billing discount and capacity reservation in a single Region, but do not offer any fault tolerance or redundancy against Region failure. Option D is wrong because enabling S3 versioning in a single Region protects against accidental deletion or overwrite of objects, but does not provide any protection against a Region-wide outage, as all data remains in that single Region.

314
MCQmedium

A company has a security policy that requires all SSH connections to Amazon EC2 instances to originate from the company's corporate network IP range (203.0.113.0/24). An administrator is creating an IAM policy to enforce this restriction. Which IAM policy element should the administrator use to specify the allowed IP address range?

A.aws:RequestedRegion condition key
B.aws:SourceIp condition key
C.aws:PrincipalOrgID condition key
D.aws:MultiFactorAuthPresent condition key
AnswerB

The aws:SourceIp condition key is the correct IAM policy element to restrict requests to specific source IP address ranges, such as a corporate network.

Why this answer

The aws:SourceIp condition key is used in IAM policies to restrict access based on the requester's IP address. Since the security policy requires SSH connections to EC2 instances to originate only from the corporate network IP range (203.0.113.0/24), the administrator should use aws:SourceIp in a condition block to enforce this restriction. This key evaluates the source IP address of the API caller, not the destination of the traffic.

Exam trap

The trap here is that candidates may confuse IAM policy conditions (which control API access) with network-level controls (like security groups), leading them to incorrectly think aws:SourceIp can directly restrict SSH traffic to the instance rather than the API calls that manage it.

How to eliminate wrong answers

Option A is wrong because aws:RequestedRegion condition key restricts access to specific AWS regions, not IP addresses, so it cannot enforce the corporate network IP range requirement. Option C is wrong because aws:PrincipalOrgID condition key restricts access based on the AWS Organization ID of the principal, not the source IP address, and is used for cross-account access control within an organization.

315
MCQmedium

A web application queries a relational database for a product catalogue that changes infrequently but is requested thousands of times per second. Database query latency is becoming a bottleneck. Which AWS service can the company use to cache frequently accessed query results in memory and reduce database load?

A.Amazon RDS Read Replica
B.Amazon S3
C.Amazon ElastiCache
D.Amazon DynamoDB
AnswerC

ElastiCache provides fully managed in-memory caching with Redis or Memcached. Caching the product catalogue in ElastiCache means most requests never reach the database, dramatically reducing latency and database load.

Why this answer

Amazon ElastiCache is the correct choice because it provides an in-memory caching layer (using Redis or Memcached) that can store frequently accessed query results, reducing the need to repeatedly query the relational database. This dramatically lowers latency for high-throughput read workloads (thousands of requests per second) and offloads database pressure, directly addressing the bottleneck described.

Exam trap

The trap here is that candidates often confuse a read replica (Option A) with a caching solution, not realizing that a read replica still executes SQL queries against a relational engine and does not provide the in-memory speed needed for thousands of requests per second.

How to eliminate wrong answers

Option A is wrong because Amazon RDS Read Replica is a read-only copy of the database that still requires querying a relational engine, which does not eliminate the latency of disk-based I/O and cannot match the sub-millisecond response times of an in-memory cache. Option B is wrong because Amazon S3 is an object store designed for blob data (images, backups, logs) and does not support low-latency, high-QPS query caching for relational database results; its request rates are limited and latency is higher than in-memory solutions. Option D is wrong because Amazon DynamoDB is a NoSQL key-value and document database that, while fast, is a separate database service and not a caching layer for an existing relational database; using it would require redesigning the data model and does not cache existing query results.

316
MCQmedium

A company runs a nightly batch processing job on AWS that takes exactly 2 hours to complete. The company uses a fixed set of Amazon EC2 instances for the job. AWS automatically tracks the number of instance-hours consumed each month and bills the company precisely for that usage. The company does not need to sign a long-term contract or pay for idle resources. Which essential characteristic of cloud computing does this scenario best illustrate?

A.Resource pooling
B.Measured service
C.Rapid elasticity
D.Broad network access
AnswerB

Correct. Measured service is the characteristic where cloud resources are metered, and customers pay only for what they use. The automatic tracking of instance-hours and pay-per-use billing perfectly illustrate this concept.

Why this answer

The scenario describes AWS automatically tracking and billing precisely for the number of instance-hours consumed each month, without requiring a long-term contract or payment for idle resources. This directly illustrates the 'measured service' characteristic, where cloud resource usage is metered, monitored, and reported transparently, enabling pay-as-you-go billing. The fixed 2-hour nightly job and exact billing per instance-hour confirm that usage is measured and charged accordingly.

Exam trap

The trap here is that candidates may confuse 'measured service' with 'rapid elasticity' because both involve usage-based billing, but measured service focuses on metering and charging for actual consumption, while rapid elasticity is about automatic scaling to match demand.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's ability to serve multiple customers from shared physical and virtual resources, dynamically assigned based on demand; the scenario does not mention multi-tenancy or resource sharing. Option C is wrong because rapid elasticity involves automatically scaling resources up or down in response to workload changes, but the scenario explicitly states a fixed set of EC2 instances used for a nightly job, with no scaling or elasticity involved.

317
MCQmedium

A media company produces video content and stores all videos in Amazon S3. New videos are accessed frequently for the first 30 days after release. After that, access drops significantly, but the company must retain all videos for 5 years for archival purposes. The company wants to minimize storage costs without compromising retrieval speed for the frequently accessed period. Which S3 storage class strategy should the company implement?

A.Store all videos in S3 Standard for the entire 5-year retention period.
B.Store all videos in S3 Glacier Deep Archive immediately upon upload.
C.Store newly uploaded videos in S3 Standard, then use an S3 Lifecycle policy to transition them to S3 Glacier Deep Archive after 30 days.
D.Store newly uploaded videos in S3 One Zone-IA, then transition to S3 Glacier Flexible Retrieval after 30 days.
AnswerC

S3 Standard provides low-latency access for the first 30 days. An S3 Lifecycle policy automatically moves data to S3 Glacier Deep Archive after that period, minimizing long-term storage costs while meeting the archival retention requirement.

Why this answer

Option C is correct because it uses S3 Standard for the first 30 days to ensure low-latency retrieval for frequently accessed content, then an S3 Lifecycle policy automatically transitions objects to S3 Glacier Deep Archive, which offers the lowest storage cost for long-term archival data. This balances cost and performance by matching the storage class to the access pattern, and the lifecycle transition is seamless with no manual intervention required.

Exam trap

The trap here is that candidates may confuse S3 Glacier Flexible Retrieval with S3 Glacier Deep Archive, or assume that S3 One Zone-IA is suitable for archival data, but the question explicitly requires 5-year retention and minimal cost, making Deep Archive the correct archival tier.

How to eliminate wrong answers

Option A is wrong because storing all videos in S3 Standard for the full 5 years incurs unnecessary high storage costs for data that is rarely accessed after 30 days, violating the cost-minimization goal. Option B is wrong because S3 Glacier Deep Archive has retrieval times of 12–48 hours, which would not meet the requirement of fast retrieval for the first 30 days when videos are accessed frequently. Option D is wrong because S3 One Zone-IA does not provide the same durability as Standard (it stores data in a single Availability Zone) and is not designed for archival retention; additionally, S3 Glacier Flexible Retrieval has retrieval times of minutes to hours, which is not the lowest-cost archival option, and the company needs 5-year retention, making Glacier Deep Archive more cost-effective.

318
MCQmedium

A company stores customer data in Amazon S3 buckets. The compliance team needs to automatically discover which buckets contain personally identifiable information (PII) such as names, addresses, and credit card numbers. The team also wants to receive continuous monitoring and alerts when new sensitive data is uploaded. Which AWS service should the team use to meet these requirements?

A.Amazon Macie
B.AWS Shield
C.Amazon Inspector
D.AWS Config
AnswerA

Amazon Macie is correct because it is designed to automatically discover, classify, and protect sensitive data in Amazon S3. It provides continuous monitoring and alerts for new sensitive data using machine learning.

Why this answer

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data in Amazon S3. It can identify PII such as names, addresses, and credit card numbers, and it provides continuous monitoring with alerts when new sensitive data is uploaded, meeting both the discovery and ongoing monitoring requirements.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which scans for vulnerabilities) with Amazon Macie (which scans for sensitive data), because both involve 'scanning' but for entirely different purposes and resource types.

How to eliminate wrong answers

Option B (AWS Shield) is wrong because it is a managed Distributed Denial of Service (DDoS) protection service, not designed for data classification or PII discovery. Option C (Amazon Inspector) is wrong because it is an automated vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not S3 buckets or PII. Option D (AWS Config) is wrong because it is a service that evaluates AWS resource configurations against desired policies and tracks configuration changes, but it does not inspect the content of S3 objects for sensitive data like PII.

319
MCQmedium

A company has internal security policies that require all Amazon S3 buckets to be private (not publicly accessible) and all Amazon EC2 security groups to restrict inbound SSH traffic to a specific IP range. The security team needs to continuously monitor all AWS resources across their account to detect any resource that violates these policies. They also need a historical record of configuration changes and a compliance dashboard that shows overall pass/fail status. Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.Amazon Inspector
AnswerA

AWS Config is designed specifically for resource inventory, configuration history, and compliance evaluation against rules. It tracks changes and shows compliance status, perfectly matching the requirements.

Why this answer

AWS Config is the correct service because it provides continuous monitoring, compliance auditing, and historical recording of configuration changes for AWS resources. It allows you to define rules (e.g., 's3-bucket-public-read-prohibited' and 'restricted-ssh') that automatically evaluate your S3 bucket policies and EC2 security group rules against your security policies, and it offers a compliance dashboard showing pass/fail status for each resource. AWS Config also maintains a configuration history that can be used for auditing and troubleshooting.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which tracks resource configuration state and compliance), leading them to choose CloudTrail because they think 'historical record of changes' refers to API logs rather than configuration item snapshots.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because it records API activity and user actions (who did what, when, and from where) but does not evaluate resource configurations against policies or provide a compliance dashboard for resource-level pass/fail status. Option C (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not for monitoring resource configuration compliance or maintaining a historical record of configuration changes.

320
MCQmedium

A company uses multiple AWS accounts for different departments. Which AWS feature enables them to receive a single monthly bill and potentially lower rates through combined usage?

A.AWS Cost Allocation Tags
B.AWS Consolidated Billing
C.AWS Cost Explorer
D.AWS Marketplace
AnswerB

Consolidated Billing combines multiple account bills into one and may unlock volume discounts from aggregated usage.

Why this answer

AWS Consolidated Billing allows organizations to combine usage across multiple AWS accounts into a single monthly bill. This aggregated usage can qualify for volume pricing discounts and lower rates due to combined resource consumption, such as reaching higher tiers of AWS Support or Reserved Instance benefits.

Exam trap

The trap here is that candidates confuse AWS Cost Allocation Tags (which track costs) with Consolidated Billing (which combines costs), or mistakenly think Cost Explorer can consolidate billing, when it only analyzes existing cost data.

How to eliminate wrong answers

Option A is wrong because AWS Cost Allocation Tags are used to track and categorize costs by tagging resources, not to combine billing or lower rates through aggregated usage. Option C is wrong because AWS Cost Explorer is a tool for visualizing and analyzing cost and usage data, not a billing consolidation feature that produces a single bill or reduces rates. Option D is wrong because AWS Marketplace is a digital catalog of third-party software and services, not a billing mechanism for combining multiple account charges.

321
MCQmedium

A company needs a managed service to forecast product demand using machine learning, helping them optimize inventory levels without building a custom ML model. Which AWS AI service provides ready-to-use time-series forecasting?

A.Amazon SageMaker
B.Amazon Forecast
C.Amazon Comprehend
D.Amazon Rekognition
AnswerB

Amazon Forecast delivers managed time-series forecasting — customers provide historical data and Forecast trains models using the same technology that powers Amazon.com's demand forecasting.

Why this answer

Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate time-series forecasts based on historical data, without requiring any custom model building. It is specifically designed for use cases like product demand forecasting, inventory planning, and resource allocation, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse Amazon SageMaker as a general-purpose ML service that can do forecasting, overlooking that Amazon Forecast is the purpose-built, fully managed service for time-series forecasting without custom model development.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker is a platform for building, training, and deploying custom machine learning models, not a ready-to-use forecasting service; it requires significant ML expertise and custom development. Option C is wrong because Amazon Comprehend is a natural language processing (NLP) service for extracting insights from text, such as sentiment or entities, and has no capability for time-series forecasting. Option D is wrong because Amazon Rekognition is a computer vision service for analyzing images and videos, such as facial recognition or object detection, and cannot perform time-series forecasting.

322
MCQmedium

A social media startup plans to launch its application to users across North America, Europe, and Asia. The CTO wants a single deployment approach that minimizes latency for end users in all geographic regions, provides high availability, and allows the company to add new regions within minutes as the user base expands. The startup has no existing data centers outside its home country. Which fundamental benefit of cloud computing does this requirement best illustrate?

A.Pay-as-you-go pricing
B.Economies of scale
C.Global reach
D.Agility
AnswerC

Global reach (or the ability to 'go global in minutes') allows organizations to deploy applications in multiple AWS Regions around the world quickly. This directly supports the requirement to minimize latency for users across different continents and to expand to new regions with minimal effort.

Why this answer

The requirement to deploy a single application across North America, Europe, and Asia with low latency, high availability, and the ability to add new regions within minutes directly illustrates the global reach benefit of cloud computing. AWS provides a global infrastructure with Regions and Edge Locations that allow the startup to serve users from geographically distributed points without building physical data centers. This enables the company to achieve low-latency access and rapid regional expansion, which is a core advantage of cloud over on-premises architectures.

Exam trap

The trap here is that candidates often confuse agility (the ability to quickly provision resources) with global reach (the ability to deploy infrastructure across multiple geographic regions), but the scenario explicitly emphasizes geographic distribution and latency reduction, which is a hallmark of global reach.

How to eliminate wrong answers

Option A is wrong because pay-as-you-go pricing refers to the cost model where you only pay for consumed resources, not to the geographic distribution or latency reduction described in the scenario. Option B is wrong because economies of scale describe the cost advantages AWS gains from massive infrastructure purchasing power, which are passed to customers, but this does not directly address multi-region deployment or latency minimization. Option D is wrong because agility refers to the ability to quickly provision and scale resources (e.g., via AWS CloudFormation or Auto Scaling), but the specific focus of this question is on global infrastructure reach, not general speed of provisioning.

323
MCQmedium

A company runs several Amazon EC2 instances for development and testing purposes. The finance team wants to identify any instances that have been running with very low CPU utilization (less than 10%) over the past two weeks so they can stop or resize them to reduce costs. Which AWS tool provides this specific recommendation as part of its cost optimization checks?

A.AWS Compute Optimizer
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Trusted Advisor
AnswerD

AWS Trusted Advisor includes a cost optimization check for 'Underutilized Amazon EC2 Instances' that identifies instances with low CPU utilization. It provides this recommendation directly as part of its best-practice evaluations.

Why this answer

AWS Trusted Advisor provides cost optimization checks that include identifying Amazon EC2 instances with low utilization. Specifically, the 'Low Utilization Amazon EC2 Instances' check flags instances that have had a CPU utilization of 10% or less for the past 14 days, enabling the finance team to stop or resize them to reduce costs.

Exam trap

The trap here is that candidates often confuse AWS Compute Optimizer's right-sizing recommendations with Trusted Advisor's specific low-utilization check, but Compute Optimizer does not have a dedicated check for instances with less than 10% CPU utilization over two weeks.

How to eliminate wrong answers

Option A is wrong because AWS Compute Optimizer generates recommendations for optimal instance types based on historical utilization patterns, but it does not have a specific check for instances with less than 10% CPU utilization over two weeks; it focuses on right-sizing and performance efficiency. Option B is wrong because AWS Cost Explorer provides cost and usage data visualization and forecasting, but it does not generate specific cost optimization recommendations for low-utilization EC2 instances. Option C is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts, but it does not analyze instance utilization or provide recommendations to stop or resize underutilized instances.

324
MCQmedium

A company uses AWS Organizations to centrally manage multiple AWS accounts. The security team requires that no IAM users can be created in any member account. All access must use federated identities from the company's existing identity provider. The security team needs a single, centralized mechanism to enforce this restriction across all existing and future member accounts. Which AWS feature should the security team use to meet this requirement?

A.AWS Identity and Access Management (IAM) policies
B.AWS Organizations service control policies (SCPs)
C.AWS Config managed rules with automatic remediation
D.IAM Access Analyzer
AnswerB

SCPs are a centralized policy mechanism within AWS Organizations that can deny the IAM:CreateUser action across all member accounts in an organization, OU, or specific account. SCPs apply to all principals, including the root user, and affect both existing and future accounts, making them the correct choice for enforcing this restriction.

Why this answer

AWS Organizations service control policies (SCPs) allow a central administrator to define maximum permissions for all accounts within an organization. By creating an SCP that explicitly denies the `iam:CreateUser` action, the security team can enforce that no IAM users can be created in any member account, including future accounts, because SCPs are inherited by all accounts in the organization. This provides a single, centralized mechanism that cannot be overridden by account-level IAM policies.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies can centrally control all accounts, but SCPs are the only mechanism that can enforce restrictions across an entire AWS Organization, including preventing the creation of IAM users.

How to eliminate wrong answers

Option A is wrong because IAM policies are attached to IAM users, groups, or roles within a single account and cannot enforce restrictions across multiple accounts or prevent the creation of IAM users themselves; they only control permissions for existing identities. Option C is wrong because AWS Config managed rules can detect non-compliant resources (e.g., an IAM user being created) and trigger automatic remediation, but they are reactive and cannot prevent the creation of IAM users in the first place; they also require per-account setup and do not centrally block the action. Option D is wrong because IAM Access Analyzer analyzes resource-based policies to identify unintended cross-account access, but it does not enforce restrictions on IAM user creation or provide any preventive control.

325
MCQmedium

A company is building a data lake on AWS. Which AWS service provides a serverless interactive query service that allows analysts to query data stored in Amazon S3 using standard SQL?

A.Amazon Redshift
B.Amazon Athena
C.Amazon EMR
D.AWS Glue
AnswerB

Athena provides serverless SQL queries directly on S3 data with no infrastructure management — pay per query based on data scanned, with results available in seconds to minutes.

Why this answer

Amazon Athena is a serverless interactive query service that enables analysts to query data stored in Amazon S3 using standard SQL. It requires no infrastructure management, as Athena automatically scales and executes queries directly against data in S3, making it the ideal choice for ad-hoc analysis on a data lake.

Exam trap

The trap here is that candidates confuse AWS Glue (an ETL service) with Athena (a query service), or assume Amazon Redshift is serverless because of its recent serverless option, but the question explicitly requires a serverless interactive query service for S3 data using standard SQL, which only Athena fulfills.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift is a fully managed data warehouse that requires provisioning and managing clusters, not a serverless query service; it is designed for structured data and complex analytics, not for directly querying raw data in S3 without loading. Option C is wrong because Amazon EMR is a managed big data platform that uses frameworks like Apache Spark, Hive, or Presto, requiring cluster provisioning and management, and is not serverless nor purely SQL-based without additional configuration. Option D is wrong because AWS Glue is a serverless data integration and ETL service that prepares and transforms data, but it does not provide an interactive SQL query engine; its Glue Data Catalog can be used by Athena, but Glue itself is not the query service.

326
MCQmedium

A company wants to migrate their on-premises applications to AWS but is concerned about losing visibility into their infrastructure. Which AWS service provides a centralized inventory of all AWS resources and tracks configuration changes over time?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch
D.AWS Systems Manager Inventory
AnswerB

Config maintains a complete inventory of AWS resources with full configuration history, enabling compliance evaluation, change tracking, and resource relationship mapping.

Why this answer

AWS Config is the correct service because it provides a centralized inventory of all AWS resources and continuously tracks configuration changes over time. It enables you to assess, audit, and evaluate the configurations of your AWS resources against desired policies, giving you full visibility into infrastructure state and history.

Exam trap

The trap here is that candidates often confuse AWS Config with AWS CloudTrail, mistakenly thinking CloudTrail's API logging provides configuration tracking, but CloudTrail only records who made the call, not the resulting configuration state or history.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and user actions for auditing, but it does not provide a resource inventory or track configuration state changes over time. Option C is wrong because Amazon CloudWatch monitors performance metrics, logs, and alarms, but it is not designed to inventory resources or track configuration history. Option D is wrong because AWS Systems Manager Inventory collects software inventory and patch data from managed instances, but it does not provide a centralized inventory of all AWS resources or track configuration changes across the entire AWS environment.

327
MCQeasy

A company needs a service to translate domain names (like www.example.com) into IP addresses, check the health of their web servers, and automatically redirect traffic to a healthy backup server if the primary server fails. Which AWS service provides all of these capabilities?

A.Amazon VPC
B.Amazon CloudFront
C.Amazon Route 53
D.AWS Direct Connect
AnswerC

Route 53 is AWS's DNS service. It translates domain names to IP addresses, performs health checks on endpoints, and supports failover routing policies that redirect traffic to a healthy resource when the primary fails.

Why this answer

Amazon Route 53 is a DNS web service that translates domain names to IP addresses. It also offers health checks that monitor the availability of web servers and can automatically route traffic away from unhealthy endpoints to healthy ones using DNS failover routing policies.

Exam trap

The trap here is that candidates may confuse CloudFront's edge caching and origin failover (which only works for specific HTTP errors) with Route 53's DNS-level health checks and failover, which operate at the network layer and can redirect traffic before it even reaches the web server.

How to eliminate wrong answers

Option A is wrong because Amazon VPC is a virtual private cloud service for launching AWS resources in a logically isolated network; it does not provide DNS resolution, health checks, or traffic failover. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers content at edge locations; while it can use DNS, it does not natively perform health checks or automatic failover routing between origin servers. Option D is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS; it does not offer DNS resolution, health monitoring, or traffic rerouting capabilities.

328
MCQmedium

A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Trusted Advisor
AnswerC

AWS CloudTrail is the correct service. It records all API calls made to the AWS environment, including details such as the caller's identity, time of the call, source IP address, and request parameters. The logs can be stored durably in Amazon S3 with integrity validation and can be retained for as long as needed.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS services, capturing the identity of the caller, timestamp, source IP address, and request details. It stores these logs in Amazon S3 with server-side encryption and integrity validation via digest files, and can be configured to retain logs for more than five years using lifecycle policies or by archiving to Amazon S3 Glacier.

Exam trap

The trap here is that candidates confuse AWS Config's configuration tracking with CloudTrail's API activity logging, or assume GuardDuty's threat detection includes a complete audit trail, when in fact only CloudTrail provides the detailed, integrity-protected record of every API call required for compliance.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for recording resource configuration changes and evaluating compliance rules, not for capturing API call audit trails with caller identity and source IP. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes logs and network traffic for malicious activity, but it does not natively store a complete, long-term audit trail of all API calls with integrity guarantees.

329
MCQmedium

A company needs to ensure their containerized applications pass security scans for known vulnerabilities before being deployed to production. Which AWS service scans container images for CVEs?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Security Hub
D.Amazon Macie
AnswerB

Inspector continuously scans ECR container images for software vulnerabilities, generating prioritized findings with remediation guidance when CVEs are detected.

Why this answer

Amazon Inspector is the correct service because it is designed to automatically scan container images stored in Amazon Elastic Container Registry (ECR) for software vulnerabilities, including Common Vulnerabilities and Exposures (CVEs). It continuously monitors the images at rest and during deployment, providing a detailed findings report that helps you remediate security issues before the container reaches production.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (which scans for CVEs in container images and EC2 instances) with Amazon GuardDuty (which detects threats but does not perform vulnerability scanning), leading them to select GuardDuty because of its security monitoring name.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, not for scanning container images for CVEs. Option C is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including Inspector) and performs compliance checks, but it does not itself scan container images for vulnerabilities. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (like PII) in S3 buckets, not for scanning container images for CVEs.

330
MCQmedium

A company hosts its primary web application on Amazon EC2 instances in the us-east-1 AWS Region. To meet disaster recovery requirements, the company has launched an identical set of EC2 instances in the eu-west-1 Region. The company wants to direct all user traffic to the us-east-1 endpoints under normal conditions. If us-east-1 becomes unhealthy due to a regional outage, traffic must be automatically redirected to the eu-west-1 endpoints. The company uses Amazon Route 53 as its DNS service. Which Route 53 routing policy should the company use to meet these requirements?

A.Geolocation routing
B.Latency routing
C.Failover routing
D.Weighted routing
AnswerC

Failover routing is specifically designed for active-passive failover. You configure a primary and a secondary record. Route 53 uses health checks to monitor the primary endpoint; if it fails, traffic is automatically directed to the secondary endpoint. This exactly meets the company's requirement for normal traffic to us-east-1 with automatic redirection to eu-west-1 during a failure.

Why this answer

Failover routing is the correct choice because it allows you to configure an active-passive setup where Route 53 health checks monitor the primary endpoint (us-east-1). If the health check fails, Route 53 automatically routes traffic to the secondary (eu-west-1) endpoint, meeting the disaster recovery requirement.

Exam trap

The trap here is that candidates confuse failover routing with latency routing, assuming latency-based routing will automatically redirect traffic during an outage, but latency routing does not consider endpoint health and will not fail over.

How to eliminate wrong answers

Option A is wrong because geolocation routing directs traffic based on the geographic location of the user, not on the health of the endpoint; it cannot automatically fail over to another region during an outage. Option B is wrong because latency routing directs traffic to the endpoint with the lowest latency for the user, but it does not provide automatic failover based on endpoint health; it would continue sending traffic to an unhealthy endpoint if it still has low latency.

331
MCQmedium

A company uses AWS Organizations with multiple accounts for different departments. The finance team applies tags to resources to track costs by department (e.g., Marketing, Engineering) and environment (e.g., Production, Development). However, many resources lack the required tags. The team needs a tool that can automatically allocate costs for untagged resources to specific departments and environments based on rules, and then generate reports that show cost breakdowns by these custom dimensions. The solution must not require custom scripts or manual allocation. Which AWS feature should the finance team use?

A.AWS Cost Categories
B.AWS Budgets
C.AWS Cost Explorer
D.AWS Resource Groups
AnswerA

Correct. AWS Cost Categories enable you to define custom categories and rules to allocate costs, including for untagged resources, providing the required automated allocation and reporting.

Why this answer

AWS Cost Categories is the correct choice because it allows you to automatically allocate costs for untagged or mis-tagged resources to specific departments and environments based on customizable rules (e.g., using resource tags, account IDs, or even chargeback rules). It then generates detailed cost breakdown reports by these custom dimensions without requiring any custom scripts or manual allocation, directly addressing the need for automated cost allocation and reporting.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's filtering and grouping capabilities with the ability to automatically allocate costs for untagged resources, but Cost Explorer only visualizes existing data and cannot create new allocation rules.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is a cost monitoring and alerting tool that tracks spending against predefined budgets and sends notifications when thresholds are exceeded; it does not perform cost allocation or generate cost breakdown reports by custom dimensions. Option C (AWS Cost Explorer) is wrong because it is a visualization and analysis tool that provides pre-built cost and usage reports, but it cannot automatically allocate costs for untagged resources based on custom rules; it relies on existing tags and does not support rule-based cost redistribution.

332
MCQmedium

A company uses multiple AWS accounts managed through AWS Organizations. The finance team wants to receive a notification when the overall monthly spending in any account reaches 80% of the budgeted amount. Additionally, the team wants to be alerted if there is an unexpected daily spike in costs, such as a 50% increase compared to the previous day, so they can investigate anomalies early. Which AWS feature should the finance team configure to meet both requirements with a single managed service?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS CloudTrail
AnswerB

AWS Budgets allows you to create cost budgets with threshold alerts (e.g., 80% of budget). It also supports cost anomaly detection budgets that leverage machine learning to detect unexpected daily spending spikes and send alerts. This single service meets both requirements.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets and receive alerts when actual or forecasted costs exceed (or are expected to exceed) your budgeted thresholds. You can configure a cost budget with an alert at 80% of the monthly budgeted amount, and also create a separate budget or use a cost anomaly detection integration to trigger an alert when daily costs spike by 50% compared to the previous day. This meets both requirements using a single managed service.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's visualization capabilities with proactive alerting, or assume Trusted Advisor's cost optimization checks include budget notifications, when in fact only AWS Budgets provides configurable threshold-based and anomaly-based alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides interactive charts and historical cost data for analysis, but it does not natively send proactive notifications based on budget thresholds or daily cost spikes. Option C is wrong because AWS Trusted Advisor inspects your AWS environment for best practices in cost optimization, performance, security, and fault tolerance, but it does not support custom budget alerts or daily anomaly-based notifications.

333
MCQmedium

A company hosts a web application on AWS that uses Amazon CloudFront for content delivery and an Application Load Balancer (ALB) in front of Amazon EC2 instances. The security team wants to protect the application against common web exploits such as SQL injection and cross-site scripting (XSS). They need a managed service that can inspect incoming HTTP/HTTPS requests and block malicious traffic before it reaches the application servers. Which AWS service should the company use to meet these requirements?

A.AWS WAF
B.AWS Shield Advanced
C.AWS Firewall Manager
D.Amazon Inspector
AnswerA

AWS WAF is a web application firewall that monitors and filters HTTP/HTTPS traffic to protect against attacks such as SQL injection and cross-site scripting. It integrates directly with CloudFront and ALB, making it the correct choice for this scenario.

Why this answer

AWS WAF is a managed web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Amazon CloudFront and Application Load Balancers (ALB) to inspect incoming HTTP/HTTPS requests and block malicious traffic before it reaches the application servers. This makes it the correct choice for the security team's requirement to filter and block specific attack patterns at the application layer.

Exam trap

The trap here is that candidates often confuse AWS Shield Advanced (Layer 3/4 DDoS protection) with AWS WAF (Layer 7 application-layer filtering), leading them to select Shield Advanced for web exploit protection instead of the correct service.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks, not against application-layer exploits like SQL injection or XSS. Option C is wrong because AWS Firewall Manager is a centralized policy management service that helps manage firewall rules across multiple accounts and resources, but it does not itself inspect HTTP/HTTPS requests for web exploits; it can centrally deploy AWS WAF rules but is not the inspection service itself.

334
MCQmedium

A company needs to analyze its AWS spending at the most granular level, including every resource usage line item and custom tags applied to resources. The company wants to download a raw, uncompressed CSV file of this data for integration with its on-premises business intelligence (BI) tool. The file must be automatically delivered to an Amazon S3 bucket on a daily basis. Which AWS feature should the company use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report (CUR)
D.AWS Trusted Advisor
AnswerC

The AWS Cost and Usage Report (CUR) contains the most comprehensive set of cost and usage data available, including line items for each resource, tags, and hourly granularity. It can be configured to deliver daily CSV files to an S3 bucket, making it ideal for integration with on-premises BI tools.

Why this answer

AWS Cost and Usage Report (CUR) is the correct choice because it provides the most granular data, including every resource usage line item and custom tags, and can be delivered in raw, uncompressed CSV format to an S3 bucket on a daily basis. This meets the requirement for deep integration with an on-premises BI tool, as CUR supports detailed cost allocation and tag-based analysis that other tools like Cost Explorer or Budgets cannot match.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's ability to export CSV summaries with the granular, line-item-level data provided only by the Cost and Usage Report, leading them to choose Cost Explorer despite its lack of raw, uncompressed, tag-inclusive exports.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides a visual interface and pre-aggregated data for cost analysis, but it does not support downloading raw, uncompressed CSV files with every resource line item and custom tags; it only offers summarized data exports in CSV format with limited granularity. Option B is wrong because AWS Budgets is designed for setting cost thresholds and sending alerts, not for generating detailed usage reports; it cannot produce a raw CSV file with line-item-level data or custom tags for BI integration.

335
MCQmedium

A company needs an AWS support plan that provides access to online training, use case guidance, and architectural support for non-production environments. Which is the minimum plan that provides direct technical guidance from AWS engineers (not just documentation)?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerB

Developer Support provides email access to Cloud Support Associates during business hours — the minimum plan for direct technical guidance from AWS engineers.

Why this answer

Developer Support is the minimum AWS support plan that provides direct technical guidance from AWS engineers, including online training, use case guidance, and architectural support for non-production environments. Basic Support only offers documentation and community forums, while Business and Enterprise plans include these features but are higher tiers, making Developer the correct minimum.

Exam trap

The trap here is that candidates often assume Basic Support includes direct engineer access because it is free, but it only provides self-service resources, not technical guidance from AWS engineers.

How to eliminate wrong answers

Option A is wrong because Basic Support provides only access to documentation, whitepapers, and community forums—no direct technical guidance from AWS engineers. Option C is wrong because Business Support includes production-level guidance and is not the minimum plan for non-production environments; it offers faster response times and more features than required. Option D is wrong because Enterprise Support is the highest tier, providing a Technical Account Manager (TAM) and concierge support, which far exceeds the minimum requirement for non-production architectural support.

336
MCQmedium

A financial services company must encrypt all sensitive customer data stored in Amazon S3 using an encryption key that the company manages and rotates annually. The company also needs a complete, tamper-proof record of every time the key is used (including who used it and on which object) to satisfy regulatory audit requirements. Which AWS service should the company use to meet both the key management and audit logging requirements?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (AWS KMS)
C.AWS CloudHSM
D.AWS Secrets Manager
AnswerB

KMS enables you to create and manage customer-managed keys (CMKs) for encrypting data at rest in S3. It also integrates with AWS CloudTrail to log every key usage request, providing the required audit trail for compliance.

Why this answer

AWS KMS is the correct choice because it allows the company to create and manage a customer managed key (CMK) with annual rotation, and it integrates with AWS CloudTrail to deliver tamper-proof logs of every KMS API call (e.g., Decrypt, Encrypt, GenerateDataKey). These logs record the key ID, the IAM user or role that made the request, and the S3 object ARN (via encryption context), satisfying both key management and audit logging requirements.

Exam trap

The trap here is that candidates confuse AWS CloudHSM's hardware security with the integrated audit logging and automatic rotation capabilities of AWS KMS, assuming that a dedicated HSM is always required for regulatory compliance, when KMS with CloudTrail fully meets the tamper-proof audit requirement.

How to eliminate wrong answers

Option A (AWS Certificate Manager) is wrong because ACM manages SSL/TLS certificates, not encryption keys for S3 data, and it does not provide key usage audit logs. Option C (AWS CloudHSM) is wrong because while it provides hardware security modules for key management, it does not natively integrate with CloudTrail for tamper-proof audit logging of every key usage; you must build custom logging, and it does not support automatic annual key rotation. Option D (AWS Secrets Manager) is wrong because it is designed to rotate and manage secrets (e.g., database credentials), not encryption keys for S3, and its audit logs focus on secret access, not granular per-object encryption key usage.

337
MCQmedium

A company needs to send transactional emails such as order confirmations and password resets at scale. Which AWS service should they use?

A.Amazon SNS
B.Amazon SQS
C.Amazon SES
D.Amazon Pinpoint
AnswerC

SES is AWS's managed email sending service designed for transactional and bulk emails.

Why this answer

Amazon SES (Simple Email Service) is specifically designed for sending high-volume transactional and marketing emails, such as order confirmations and password resets. It provides reliable delivery with built-in feedback loops, bounce handling, and dedicated IP management, making it the correct choice for this use case.

Exam trap

The trap here is that candidates confuse Amazon SNS's email notification capability with a full transactional email service, overlooking that SNS lacks the dedicated sending infrastructure, bounce handling, and reputation management that SES provides for high-volume email delivery.

How to eliminate wrong answers

Option A is wrong because Amazon SNS (Simple Notification Service) is a pub/sub messaging service for sending notifications via SMS, email, or HTTP endpoints, but it is not optimized for high-volume transactional email delivery with dedicated sending infrastructure and bounce/complaint handling. Option B is wrong because Amazon SQS (Simple Queue Service) is a message queuing service for decoupling application components, not for sending emails. Option D is wrong because Amazon Pinpoint is a customer engagement service focused on targeted marketing campaigns, analytics, and multi-channel messaging (SMS, push, email), but it is overkill and not the primary service for straightforward transactional email sending at scale.

338
MCQmedium

A company wants to automatically detect anomalies in their application metrics, such as unusual spikes in error rates, without manually setting thresholds. Which AWS service provides ML-powered anomaly detection for CloudWatch metrics?

A.Amazon GuardDuty
B.Amazon DevOps Guru
C.Amazon CloudWatch Anomaly Detection
D.AWS X-Ray
AnswerC

CloudWatch Anomaly Detection uses ML to model normal metric behavior based on historical data, automatically detecting deviations without requiring manually set thresholds.

Why this answer

Amazon CloudWatch Anomaly Detection applies machine learning algorithms to analyze historical CloudWatch metric data and establish a baseline of expected values. It then continuously evaluates new data points against this baseline to automatically detect anomalies, such as unusual spikes in error rates, without requiring manual threshold configuration. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates may confuse Amazon DevOps Guru's ML-powered anomaly detection for operational issues with CloudWatch Anomaly Detection, but DevOps Guru works at a higher level across multiple AWS services and does not directly provide anomaly detection on individual CloudWatch metrics.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior in AWS accounts and workloads using VPC Flow Logs, DNS logs, and CloudTrail events, not application metrics. Option B is wrong because Amazon DevOps Guru is an ML-powered service for detecting operational issues and anomalies in application performance and resource utilization, but it analyzes operational data from multiple AWS services (e.g., Amazon RDS, Amazon DynamoDB) and provides insights via a separate console, not directly on CloudWatch metrics. Option D is wrong because AWS X-Ray is a distributed tracing service that helps analyze and debug application requests as they travel through microservices, focusing on request latency and errors, not on anomaly detection in CloudWatch metrics.

339
MCQmedium

A solutions architect is reviewing a system to ensure the right instance types are selected for each workload, that resource selection is based on data rather than assumptions, and that performance is monitored and improved over time. Which pillar of the AWS Well-Architected Framework is being applied?

A.Reliability
B.Performance Efficiency
C.Cost Optimisation
D.Operational Excellence
AnswerB

Performance Efficiency is about selecting the right resources for each workload, monitoring performance, and continuously improving efficiency as AWS introduces new services and features.

Why this answer

The Performance Efficiency pillar focuses on using computing resources efficiently to meet system requirements and maintaining that efficiency as demand changes and technologies evolve. The scenario describes selecting instance types based on data, monitoring performance, and iteratively improving—all core activities of this pillar. It directly aligns with the AWS Well-Architected Framework's design principle of 'democratizing advanced technologies' and the pillar's focus on right-sizing and continuous improvement.

Exam trap

The trap here is that candidates confuse 'monitoring and improving performance over time' with Operational Excellence, but Operational Excellence is about process improvement and automation, not specifically about data-driven resource selection and right-sizing for performance.

How to eliminate wrong answers

Option A is wrong because Reliability focuses on a system's ability to recover from failures and meet demand, not on selecting instance types based on performance data or iterative improvement. Option C is wrong because Cost Optimization focuses on minimizing costs and avoiding unnecessary spend, not on monitoring performance metrics or ensuring resource selection is data-driven for performance. Option D is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value and continuously improve processes and procedures, not specifically on selecting the right instance types for performance or data-driven resource selection.

340
MCQmedium

A company runs a fleet of Amazon EC2 instances that host a customer-facing web application. The security team wants to automatically identify software vulnerabilities, such as missing patches and common vulnerabilities and exposures (CVEs), in the operating system and applications running on these instances. The team also needs visibility into unintended network accessibility, such as instances with ports open to the internet. The solution must be natively integrated with AWS and should provide findings that can be viewed in a central dashboard. Which AWS service should the security team use?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Security Hub
D.AWS Trusted Advisor
AnswerB

Correct. Amazon Inspector automatically assesses EC2 instances for software vulnerabilities (CVEs) and network exposure (e.g., open ports). It integrates with AWS Systems Manager to perform deep scans of the OS and application packages.

Why this answer

Amazon Inspector is the correct choice because it is a vulnerability management service that automatically scans EC2 instances for software vulnerabilities (missing patches, CVEs) and unintended network accessibility (e.g., open ports to the internet). It is natively integrated with AWS and provides findings in a central dashboard via the AWS Management Console or AWS Security Hub. This directly matches the security team's requirements for automated identification of OS/application vulnerabilities and network exposure.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty (threat detection) with Amazon Inspector (vulnerability scanning), or assume AWS Security Hub performs the scanning itself rather than aggregating findings from other services.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence, not for scanning software vulnerabilities or CVEs in OS/applications. Option C is wrong because AWS Security Hub is a centralized security findings aggregator that collects and prioritizes findings from multiple AWS services (including Inspector), but it does not perform vulnerability scanning itself. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment for best practices in cost, performance, security, and fault tolerance, but it does not perform deep vulnerability scanning for CVEs or open port analysis on EC2 instances.

341
MCQmedium

An operations team documents all operational procedures as runbooks, deploys infrastructure using AWS CloudFormation templates stored in version control, and continuously refines their processes based on lessons learned from incidents. Which pillar of the AWS Well-Architected Framework does this represent?

A.Reliability
B.Security
C.Operational Excellence
D.Cost Optimisation
AnswerC

Operational Excellence is characterised by operations as code (CloudFormation templates in version control), annotated documentation (runbooks), and refining operations procedures through lessons learned — exactly what this team is doing.

Why this answer

Operational Excellence focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Documenting runbooks, using infrastructure as code (CloudFormation) with version control, and refining processes from incident lessons are core practices of this pillar, as they enable repeatable, auditable, and continuously improving operations.

Exam trap

The trap here is that candidates often confuse 'operational documentation and process improvement' with 'reliability' because both involve incident response, but Reliability is about system resilience and recovery, not the continuous improvement of operational procedures themselves.

How to eliminate wrong answers

Option A is wrong because Reliability focuses on a workload's ability to recover from failures and meet demand, not on documenting procedures or continuous process improvement. Option B is wrong because Security focuses on protecting data, systems, and assets through identity, access controls, and encryption, not on operational runbooks or version-controlled infrastructure templates. Option D is wrong because Cost Optimisation focuses on avoiding unnecessary costs and maximizing resource efficiency, not on operational documentation or process refinement.

342
MCQmedium

A company needs to generate a pre-signed URL to allow a business partner to download a specific S3 object for 24 hours without requiring AWS credentials. Which S3 feature enables this?

A.S3 Bucket Policy with IP-based restrictions
B.S3 Access Points
C.S3 Pre-signed URLs
D.S3 Bucket public-read ACL
AnswerC

Pre-signed URLs embed the generator's credentials and expiration time — the recipient accesses the specific object without needing AWS credentials, and access expires automatically.

Why this answer

Pre-signed URLs grant temporary access to a specific S3 object by embedding credentials in a URL signed with the bucket owner's AWS signature. The URL is valid for a specified duration (up to 7 days, here 24 hours) and allows the partner to download the object without having AWS credentials. This is the only S3 feature that provides time-limited, object-specific access without requiring the partner to authenticate with AWS.

Exam trap

The trap here is that candidates confuse pre-signed URLs with bucket policies or ACLs, thinking those can also grant temporary access, but they lack the time-limited, credential-free delegation that pre-signed URLs uniquely provide.

How to eliminate wrong answers

Option A is wrong because a bucket policy with IP-based restrictions controls access based on source IP addresses, not time-limited access, and still requires the request to be authenticated (e.g., via IAM credentials) unless combined with other settings. Option B is wrong because S3 Access Points simplify managing data access for large datasets but do not generate temporary URLs; they enforce policies at the access point level but still require AWS credentials or a pre-signed URL for anonymous access. Option D is wrong because a bucket public-read ACL makes the object publicly readable for everyone, indefinitely, without any time restriction or the ability to limit access to a specific partner.

343
MCQmedium

A company uses multiple AWS security services — GuardDuty, Inspector, Macie, and IAM Access Analyzer — across multiple accounts. The security team needs a single console to view, prioritise, and manage all security findings from these services and third-party tools. Which AWS service provides this aggregated view?

A.Amazon GuardDuty
B.Amazon CloudWatch
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools into a unified dashboard. It uses the AWS Security Finding Format (ASFF) to normalise findings and allows centralised management across accounts.

Why this answer

AWS Security Hub is the correct service because it provides a single, consolidated view of security alerts and compliance status across multiple AWS accounts and services, including GuardDuty, Inspector, Macie, and IAM Access Analyzer. It aggregates findings from these native services and third-party tools into a standardized format using the AWS Security Finding Format (ASFF), enabling centralized prioritization and management. This directly addresses the requirement for a unified console to view, prioritize, and manage all security findings.

Exam trap

The trap here is that candidates often confuse AWS Security Hub with Amazon GuardDuty or AWS Config, mistakenly thinking that GuardDuty's threat detection or Config's compliance checks already provide a consolidated view, when in fact Security Hub is the dedicated aggregation service that ingests findings from multiple sources.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not aggregate findings from other security services or third-party tools; it only generates its own findings. Option B is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not a security findings aggregator; it lacks the standardized security finding format (ASFF) and cross-service consolidation capabilities of Security Hub. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, but it does not ingest or aggregate security findings from GuardDuty, Inspector, Macie, or third-party tools; it focuses on configuration compliance, not security alert management.

344
MCQmedium

A company has a global user base that uploads images to an Amazon S3 bucket in the us-east-1 Region. Users report slow upload speeds and frequent timeouts when uploading large files from distant locations. The company wants to use the AWS global network and edge locations to accelerate uploads to the S3 bucket. The solution must require minimal infrastructure changes on the client side and must be configured at the bucket level. Which AWS feature should the company enable?

A.Amazon S3 Transfer Acceleration
B.Amazon CloudFront with an origin access identity
C.AWS Global Accelerator using a custom routing accelerator
D.Amazon S3 cross-region replication
AnswerA

Correct. S3 Transfer Acceleration uses AWS edge locations to accelerate uploads over the AWS global network. It is configured at the bucket level and requires only a simple URL change on the client side.

Why this answer

Amazon S3 Transfer Acceleration (A) uses AWS edge locations to route uploads over the AWS global network, reducing latency and timeouts for large files from distant locations. It is enabled at the bucket level and requires only a simple client-side change (using the accelerated endpoint instead of the standard S3 endpoint), meeting the requirement for minimal client-side modifications.

Exam trap

The trap here is confusing CloudFront's edge caching for downloads with S3 Transfer Acceleration's edge-based upload optimization, leading candidates to select CloudFront even though it does not accelerate client-to-S3 uploads.

How to eliminate wrong answers

Option B (CloudFront with an origin access identity) is wrong because CloudFront is a content delivery network (CDN) optimized for caching and delivering static content to end users, not for accelerating uploads to an S3 bucket; it does not improve upload speeds from clients. Option C (AWS Global Accelerator using a custom routing accelerator) is wrong because Global Accelerator improves traffic flow for TCP/UDP applications via edge locations but is designed for application endpoints like ALB or NLB, not for S3 bucket-level upload acceleration, and it requires client-side configuration changes that violate the minimal infrastructure change requirement.

345
MCQmedium

A company runs a web application that allows users to upload images. After each upload, the application must perform several background processing tasks (e.g., resizing, generating thumbnails) that take up to 30 seconds each. Users should receive an immediate response and the processing should continue asynchronously. The company wants a solution that scales automatically with the number of uploads and requires no server management. Which AWS service should the company use to run these background processing tasks?

A.AWS Lambda
B.Amazon EC2 with Auto Scaling
C.Amazon ECS with AWS Fargate
D.AWS Batch
AnswerA

Correct. AWS Lambda is a serverless compute service that runs code in response to events like an S3 upload. It scales automatically, requires no server management, and supports execution times up to 15 minutes, easily covering the 30-second tasks.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that executes code in response to events, such as an image upload to Amazon S3. It scales automatically with the number of uploads, requires no server management, and can run background tasks like resizing and thumbnail generation within its 15-minute maximum execution time, easily accommodating the 30-second processing requirement. Users receive an immediate response because the upload triggers Lambda asynchronously, decoupling the frontend from the processing.

Exam trap

The trap here is that candidates may choose Amazon ECS with AWS Fargate because they think containerization is required for complex processing, but Lambda is simpler, cheaper, and more appropriate for short-lived, event-driven tasks that fit within its execution limits.

How to eliminate wrong answers

Option B (Amazon EC2 with Auto Scaling) is wrong because it requires manual server management, including patching, scaling policies, and capacity planning, which contradicts the 'no server management' requirement; it also incurs costs even when idle. Option C (Amazon ECS with AWS Fargate) is wrong because while Fargate is serverless for containers, it introduces unnecessary complexity for simple background tasks that do not require container orchestration, and it has a higher cold start latency compared to Lambda for short-lived, event-driven workloads.

346
MCQmedium

A retail company runs its e-commerce platform on AWS. The platform uses multiple Amazon EC2 instances behind an Application Load Balancer. To ensure the application remains available during an Availability Zone failure, the company distributes the instances across three Availability Zones. The load balancer automatically reroutes traffic away from an unhealthy zone. This design primarily addresses which pillar of the AWS Well-Architected Framework?

A.Security
B.Performance Efficiency
C.Cost Optimization
D.Reliability
AnswerD

The Reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it is expected to. This includes building resilience to withstand failures, such as deploying across multiple Availability Zones and using automatic failover. This design directly supports the Reliability pillar.

Why this answer

Distributing EC2 instances across multiple Availability Zones and using an Application Load Balancer to automatically reroute traffic away from unhealthy zones ensures that the application remains available even if an entire AZ fails. This design directly addresses the 'Reliability' pillar of the AWS Well-Architected Framework, which focuses on the ability of a workload to recover from infrastructure or service disruptions and dynamically acquire computing resources to meet demand.

Exam trap

The trap here is that candidates may confuse high availability (a Reliability concept) with elasticity (a Performance Efficiency concept) or assume that distributing across AZs is a cost-saving measure, when in fact it increases cost but is a fundamental Reliability best practice.

How to eliminate wrong answers

Option A is wrong because Security focuses on protecting data, systems, and assets through identity and access management, detective controls, and infrastructure protection, not on distributing instances across AZs for high availability. Option B is wrong because Performance Efficiency focuses on using computing resources efficiently to meet system requirements and maintaining that efficiency as demand changes and technologies evolve, not on fault tolerance or disaster recovery. Option C is wrong because Cost Optimization focuses on avoiding unnecessary costs, matching supply with demand, and using the most cost-effective resources, not on designing for availability zone failure recovery.

347
MCQmedium

A company stores sensitive customer data in Amazon S3 buckets. The company's security policy requires that all objects in these buckets be encrypted at rest using an encryption key that the company can rotate annually and audit for usage. The company also needs to control which IAM users and roles can use, create, and manage these keys. The security team wants to use an AWS managed service to handle the key management lifecycle. Which AWS service should the company use to meet these requirements?

A.AWS Key Management Service (KMS)
B.Amazon S3 server-side encryption with customer-provided keys (SSE-C)
C.AWS Certificate Manager (ACM)
D.AWS Secrets Manager
AnswerA

Correct. AWS KMS is a managed service that allows you to create, rotate, control access to, and audit the use of encryption keys used to protect data in AWS services such as Amazon S3.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a managed service that allows you to create, rotate, and audit customer-managed keys (CMKs) used for encrypting S3 objects at rest. KMS integrates with AWS CloudTrail to log every key usage, enabling the required audit trail, and supports annual key rotation via automatic or manual rotation. It also provides fine-grained IAM policies and key policies to control which users and roles can use, create, and manage the keys, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with KMS because both manage secrets, but Secrets Manager is for rotating application secrets like database passwords, not for managing encryption keys used for S3 server-side encryption, which is a core KMS function.

How to eliminate wrong answers

Option B (SSE-C) is wrong because while it encrypts objects at rest, the customer provides and manages the encryption keys themselves, not an AWS managed service, and AWS does not support automatic key rotation or audit logging for customer-provided keys. Option C (ACM) is wrong because it is designed to manage SSL/TLS certificates for securing network traffic, not for encrypting data at rest in S3 or for key management lifecycle. Option D (AWS Secrets Manager) is wrong because it is intended for securely storing and rotating secrets such as database credentials and API keys, not for managing encryption keys used for S3 server-side encryption.

348
MCQmedium

A company uses multiple AWS accounts. The security team wants to enforce two requirements for all Amazon S3 buckets: first, server-side encryption must be enabled using AWS KMS; second, no bucket can be publicly accessible. The team needs a service that continuously monitors the configuration of S3 buckets across all accounts, detects when a bucket violates either requirement, and automatically applies corrective actions (such as enabling default encryption or removing public access). Which AWS service should the security team use to meet these requirements?

A.AWS Config
B.AWS Trusted Advisor
C.AWS IAM Access Analyzer
D.AWS CloudTrail
AnswerA

AWS Config is the correct choice because it continuously evaluates resource configurations against desired policies (e.g., S3 bucket encryption and public access) and can automatically remediate non-compliant resources using pre-defined actions, meeting all requirements.

Why this answer

AWS Config is the correct service because it provides continuous monitoring, evaluation, and automated remediation of resource configurations across multiple accounts. With AWS Config rules (e.g., managed rules like `s3-bucket-server-side-encryption-enabled` and `s3-bucket-public-read-prohibited`), you can detect noncompliant S3 buckets and trigger AWS Systems Manager Automation documents or Lambda functions to automatically enable default encryption or remove public access. AWS Config also supports multi-account aggregation via an aggregator, allowing the security team to enforce these requirements across all accounts from a single management account.

Exam trap

The trap here is that candidates confuse AWS Config's continuous compliance monitoring and automated remediation with AWS Trusted Advisor's advisory checks or AWS IAM Access Analyzer's policy analysis, failing to recognize that only AWS Config provides both detection and automatic corrective actions.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not support continuous monitoring or automated corrective actions; it only offers periodic checks and manual remediation guidance. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify unintended public or cross-account access, but it does not enforce server-side encryption requirements or automatically apply corrective actions. Option D is wrong because AWS CloudTrail records API activity for auditing and governance but does not monitor current resource configurations or trigger automated remediation.

349
MCQeasy

Which AWS tool provides recommendations to help reduce costs, improve performance, enhance security, and increase fault tolerance?

A.AWS Cost Explorer
B.AWS Trusted Advisor
C.AWS Budgets
D.AWS Compute Optimizer
AnswerB

Trusted Advisor provides recommendations across cost optimization, performance, security, fault tolerance, and service limits.

Why this answer

AWS Trusted Advisor is the correct answer because it provides real-time guidance and recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. It evaluates your AWS environment against AWS best practices and generates actionable recommendations to reduce costs, improve performance, enhance security, and increase fault tolerance. This makes it the only tool among the options that covers all four areas mentioned in the question.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer or AWS Compute Optimizer as the answer because they associate cost reduction and performance improvement with those tools, but they fail to recognize that only Trusted Advisor also addresses security and fault tolerance, which are explicitly mentioned in the question.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer focuses solely on cost analysis and visualization, providing historical cost data and usage patterns, but it does not offer recommendations for performance, security, or fault tolerance. Option C is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts when thresholds are exceeded, but it only addresses cost management and does not provide recommendations for performance, security, or fault tolerance. Option D is wrong because AWS Compute Optimizer specifically recommends optimal AWS compute resources (EC2 instances, Auto Scaling groups, and Lambda functions) to reduce costs and improve performance, but it does not cover security or fault tolerance recommendations.

350
MCQmedium

A startup is building a prototype web application on AWS and is eligible for the AWS Free Tier. They plan to use a single t2.micro Amazon EC2 instance running continuously (24 hours per day, 7 days per week), 10 GB of Amazon S3 Standard storage, and 1 GB of Amazon RDS for MySQL storage. Which of the following statements accurately describes how these services will be billed during the first 12 months under the Free Tier, assuming they stay within the Free Tier limits for each service?

A.All three services are completely free for the entire 12-month period because the startup is using the Free Tier.
B.The EC2 instance usage will be free for up to 750 hours per month; the S3 storage will be free for the first 5 GB, with standard charges for the additional 5 GB; the RDS storage will be free for the first 20 GB.
C.The EC2 instance usage will be free for up to 750 hours per month; the S3 storage will be free for up to 10 GB; the RDS storage will be free for up to 20 GB.
D.The EC2 instance usage will be free for the first 750 hours total over the 12-month period; the S3 storage will be free for the first 5 GB; the RDS storage will be free for the first 20 GB.
AnswerB

This is accurate. EC2 free tier provides 750 hours per month, enough for continuous usage. S3 free tier includes 5 GB, so extra 5 GB is billed. RDS free tier includes 20 GB of storage, so 1 GB is within the free limit.

Why this answer

Option B is correct because the AWS Free Tier for EC2 provides 750 hours of t2.micro instance usage per month, not total over 12 months. S3 Standard storage is free for the first 5 GB, so the additional 5 GB incurs standard charges. RDS for MySQL storage is free for the first 20 GB, so the 1 GB used is fully covered.

Exam trap

The trap here is confusing the monthly Free Tier limits (e.g., 750 hours per month for EC2) with a cumulative 12-month total, and assuming S3 offers 10 GB free instead of the actual 5 GB limit.

How to eliminate wrong answers

Option A is wrong because the Free Tier has specific limits per service; not all usage is free—for example, S3 only covers the first 5 GB, so the extra 5 GB would be billed. Option C is wrong because S3 Standard storage is free for only the first 5 GB, not 10 GB; the 10 GB limit is incorrect. Option D is wrong because the EC2 750-hour limit is per month, not a total over 12 months; the cumulative interpretation is a common mistake.

351
MCQmedium

A company runs an e-commerce web application on Amazon EC2 instances. During flash sales, the backend order processing service becomes overloaded and drops requests, causing customer failures. The company needs a durable, scalable, and fully managed service to buffer incoming order requests and decouple the web tier from the backend processing tier. Orders must be stored reliably and processed in the order they were received. Which AWS service should the company use?

A.Amazon Simple Notification Service (SNS)
B.Amazon Simple Queue Service (SQS)
C.Amazon Kinesis Data Streams
D.Amazon MQ
AnswerB

Amazon SQS is a fully managed message queuing service that decouples application components. It can durably store messages until they are processed, and FIFO queues guarantee exactly-once processing and strict message ordering. This matches all stated requirements.

Why this answer

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that decouples application components. It provides durable, scalable storage for incoming order requests and supports FIFO (First-In-First-Out) queues to guarantee that messages are processed exactly once and in the order they were sent, meeting the requirement for ordered processing.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Streams with a message queue, but Kinesis is optimized for real-time analytics and stream processing, not for durable, ordered, exactly-once message buffering required for decoupling web and backend tiers.

How to eliminate wrong answers

Option A is wrong because Amazon Simple Notification Service (SNS) is a pub/sub messaging service that pushes messages to subscribers, not a durable buffer; it does not guarantee order preservation or provide a queue for decoupling. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data volumes with shard-level ordering, not for reliable, ordered message buffering with exactly-once processing; it requires more operational overhead and does not natively support FIFO semantics. Option D is wrong because Amazon MQ is a managed message broker for Apache ActiveMQ and RabbitMQ, which can provide ordering but is not fully serverless and requires provisioning and managing broker instances, making it less scalable and more complex than SQS for this use case.

352
MCQmedium

A company wants to ensure its cloud architecture can handle sudden spikes in traffic without manual intervention. Which cloud concept best describes this capability?

A.High availability
B.Fault tolerance
C.Elasticity
D.Durability
AnswerC

Elasticity automatically scales resources to match demand spikes and valleys.

Why this answer

Elasticity is the ability to automatically scale compute resources up or down in response to demand. This allows workloads to handle traffic spikes without pre-provisioning and to scale down when demand subsides, optimizing cost.

353
MCQmedium

A company manages multiple AWS accounts under a single AWS Organizations structure with consolidated billing. The finance team needs to analyze historical cost and usage data across all accounts for the past six months. They want to filter the data by service (e.g., Amazon EC2, Amazon S3), AWS Region, and individual account. Additionally, they want to generate a line chart showing monthly trends and a forecast of future costs based on historical usage patterns. Which AWS tool should the finance team use to meet all of these requirements?

A.AWS Budgets
B.AWS Trusted Advisor
C.AWS Cost Explorer
D.AWS Pricing Calculator
AnswerC

AWS Cost Explorer is the correct tool. It provides a pre-built dashboard and reports that allow you to visualize and analyze your AWS costs and usage. You can filter by service, Region, account, and other dimensions, view trends over time, and generate forecasts. It meets all the requirements described in the scenario.

Why this answer

AWS Cost Explorer is the correct tool because it provides a pre-built dashboard with historical cost and usage data for up to the last 12 months, supports filtering by service (e.g., Amazon EC2, Amazon S3), AWS Region, and linked account (individual account), and can generate line charts showing monthly trends. It also includes a forecasting feature that uses machine learning to predict future costs based on historical usage patterns, meeting all the finance team's requirements.

Exam trap

The trap here is that candidates may confuse AWS Budgets with cost analysis tools, but AWS Budgets only monitors against set limits and does not provide historical trend analysis or forecasting, which are essential for the finance team's requirements.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is designed for setting cost and usage thresholds and sending alerts when those thresholds are exceeded, but it does not provide historical cost and usage analysis, line chart generation, or forecasting capabilities. Option B is wrong because AWS Trusted Advisor is a service that inspects your AWS environment and provides recommendations to optimize costs, improve performance, and enhance security, but it does not offer historical cost and usage data analysis, filtering by service/region/account, or cost forecasting.

354
MCQmedium

After GuardDuty generates a security finding about potentially compromised EC2 instances, a security analyst needs to investigate the full context of the threat — understanding which users, IPs, and resources were involved and how they relate to each other. Which AWS service helps investigators analyse and visualise these relationships?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Detective
D.AWS Security Hub
AnswerC

Detective analyses security data from CloudTrail, VPC Flow Logs, and GuardDuty to automatically build a behaviour graph. Analysts use the visual interface to trace the timeline of an incident, identify affected resources, and understand attacker lateral movement.

Why this answer

Amazon Detective is designed specifically to analyze, investigate, and quickly identify the root cause of security findings by automatically collecting log data from AWS resources and building a graph model that shows relationships between users, IPs, and resources. When GuardDuty generates a finding about a potentially compromised EC2 instance, Detective can ingest that finding and provide a visual, interactive view of the entire resource interaction timeline, including network connections, API calls, and user activity, enabling investigators to understand the full context of the threat.

Exam trap

The trap here is that candidates often confuse Security Hub's aggregation and prioritization of findings with Detective's investigative and visualization capabilities, leading them to choose Security Hub when the question specifically asks for analyzing and visualizing relationships between users, IPs, and resources.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that generates security findings, but it does not provide the investigative analysis or visualization of relationships between users, IPs, and resources; it only alerts on suspicious activity. Option B is wrong because AWS CloudTrail records API calls for auditing and governance, but it does not automatically correlate events across multiple resources or build a graph model to visualize relationships; it provides raw logs that require manual correlation. Option D is wrong because AWS Security Hub aggregates and prioritizes security findings from multiple services, including GuardDuty, but it does not perform deep investigative analysis or visualize resource relationships; it is a central dashboard for compliance and security posture, not an investigation tool.

355
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to enforce that all Amazon Elastic Block Store (EBS) volumes created in any account within the organization are automatically encrypted at rest. The team needs a centrally managed solution that proactively prevents the creation of unencrypted EBS volumes without requiring individual account administrators to enable any settings. Which AWS feature should the security team use to meet these requirements?

A.AWS Key Management Service (AWS KMS) with automatic key rotation
B.AWS Organizations with a service control policy (SCP) that denies the CreateVolume action unless encryption is enabled
C.Amazon EBS encryption by default at the account level, configured via the EC2 console in each account
D.AWS Config with a managed rule to detect unencrypted volumes and trigger an AWS Lambda function for automatic remediation
AnswerB

An SCP can be applied to the root or specific organizational units (OUs) to deny the creation of unencrypted EBS volumes. This centrally enforces the encryption requirement across all affected accounts without requiring any local configuration. It is a proactive, preventive control.

Why this answer

Option B is correct because an SCP in AWS Organizations can centrally deny the ec2:CreateVolume API call unless the request includes a condition that encryption is enabled (e.g., ec2:Encrypted = true). This proactively prevents any user or role in any member account from creating an unencrypted EBS volume, regardless of individual account settings, meeting the requirement for a centrally managed, preventive control.

Exam trap

The trap here is that candidates confuse account-level default encryption settings (which are per-account and not centrally enforced) with SCPs, which provide organization-wide preventive controls without requiring individual account configuration.

How to eliminate wrong answers

Option A is wrong because AWS KMS with automatic key rotation manages encryption keys but does not enforce that EBS volumes are created encrypted; it only handles key lifecycle and rotation, not policy enforcement. Option C is wrong because enabling EBS encryption by default at the account level via the EC2 console requires each account administrator to manually configure the setting, which violates the requirement for a centrally managed solution that does not rely on individual account actions.

356
MCQeasy

Which AWS service provides a fully managed NoSQL database with single-digit millisecond latency at any scale?

A.Amazon RDS
B.Amazon ElastiCache
C.Amazon Redshift
D.Amazon DynamoDB
AnswerD

DynamoDB is AWS's fully managed NoSQL database with single-digit millisecond latency at any scale.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers consistent single-digit millisecond latency at any scale. It achieves this through its distributed architecture, automatic partitioning, and SSD-backed storage, making it ideal for high-traffic applications like gaming, ad tech, and IoT.

Exam trap

The trap here is that candidates confuse Amazon ElastiCache's low-latency caching with a fully managed NoSQL database, but ElastiCache lacks persistent storage and native query capabilities, making DynamoDB the correct choice for a durable, scalable NoSQL database.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a relational database service (SQL-based) that does not provide a NoSQL data model and can experience higher latency under heavy load due to its traditional ACID constraints. Option B is wrong because Amazon ElastiCache is an in-memory caching service (Redis/Memcached) that is not a fully managed NoSQL database; it is used for caching to reduce latency but does not offer persistent, durable storage with query capabilities. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical SQL queries on structured data, not a NoSQL database, and its latency is measured in seconds for complex aggregations, not single-digit milliseconds for point lookups.

357
MCQmedium

A solutions architect is reviewing an application design to ensure the system can automatically recover from failures, scale horizontally to increase availability, and prevent failures from cascading to other components. Which pillar of the AWS Well-Architected Framework is the architect applying?

A.Performance Efficiency
B.Operational Excellence
C.Security
D.Reliability
AnswerD

The Reliability pillar covers automatic recovery from failure, horizontal scaling for availability, and designing against cascading failures with circuit breakers and loose coupling. These are the exact concerns described in the question.

Why this answer

The question focuses on automatic recovery from failures, horizontal scaling for availability, and preventing cascading failures. These are core design principles of the Reliability pillar, which ensures a workload performs its intended function correctly and consistently when expected. The Reliability pillar specifically addresses foundations like distributed system design, recovery procedures, and change management to handle and recover from infrastructure or service disruptions.

Exam trap

The trap here is that candidates confuse Operational Excellence (which includes incident response and operations management) with Reliability (which specifically governs failure recovery, scaling for availability, and preventing cascading failures), leading them to select Operational Excellence when the question explicitly describes automatic recovery and horizontal scaling.

How to eliminate wrong answers

Option A is wrong because Performance Efficiency focuses on using computing resources efficiently to meet system requirements, and maintaining that efficiency as demand changes and technologies evolve; it does not directly address failure recovery or cascading failure prevention. Option B is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value, and on continually improving processes and procedures; while it includes incident response, the primary goal of automatic recovery and horizontal scaling for availability is a Reliability concern. Option C is wrong because Security focuses on protecting information, systems, and assets through confidentiality, integrity, and availability controls (CIA triad), but the specific mechanisms of automatic recovery and horizontal scaling are not security controls; they are reliability mechanisms.

358
MCQmedium

A company uses AWS Support and wants to know which plan provides the fastest response time for a business-critical system outage causing complete service disruption.

A.Business Support (1-hour response)
B.Enterprise On-Ramp (30-minute response)
C.Enterprise Support (15-minute response)
D.Developer Support (12-hour response)
AnswerC

Enterprise Support provides the fastest response SLA — 15 minutes for business-critical system down (highest severity cases).

Why this answer

AWS Support plans define response times based on severity. For a business-critical system outage (severity-critical, complete service disruption), Enterprise Support provides a 15-minute response time, which is the fastest available. This is explicitly documented in AWS Support plan details, making option C correct.

Exam trap

The trap here is that candidates often confuse Enterprise On-Ramp (30-minute response) with Enterprise Support (15-minute response), assuming both offer the same speed, but Enterprise On-Ramp is a lower-tier plan with a slower response time for critical cases.

How to eliminate wrong answers

Option A is wrong because Business Support offers a 1-hour response time for critical cases, not the fastest. Option B is wrong because Enterprise On-Ramp provides a 30-minute response time for critical cases, which is slower than Enterprise Support's 15-minute response. Option D is wrong because Developer Support offers a 12-hour response time for critical cases, which is far too slow for a business-critical outage.

359
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that Amazon CloudTrail is enabled in all AWS Regions for every member account, and that no user (including account administrators) can disable it. The policy must apply automatically to any new accounts that are added to the organization. Which AWS feature should the security team use to enforce this requirement?

A.IAM policies with a Deny effect for CloudTrail actions
B.AWS Config rules with an auto-remediation action
C.Service Control Policies (SCPs)
D.AWS CloudTrail trails with multi-region and organization trail enabled
AnswerC

SCPs are the correct choice. They allow you to define a central permission guardrail at the organization level that applies to all accounts, including the root user. An SCP denying CloudTrail disablement will prevent any principal in the account from disabling the trail, and it automatically applies to new accounts added to the organization.

Why this answer

Service Control Policies (SCPs) are the correct choice because they allow the security team to centrally control the maximum available permissions for all accounts within an AWS Organization. By creating an SCP that denies all CloudTrail disabling actions (e.g., `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`) and attaching it to the root or specific organizational units, the policy applies automatically to all existing and new member accounts, and even account administrators cannot override it. This ensures CloudTrail remains enabled across all Regions in every account, meeting the enforcement requirement.

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-specific and can be bypassed by administrators) with SCPs (which are organization-wide and cannot be overridden by account administrators), leading them to choose IAM Deny policies instead of SCPs.

How to eliminate wrong answers

Option A is wrong because IAM policies are applied at the account or user level and can be overridden by account administrators who have full control over their own IAM configurations; they do not provide a centralized, unchangeable guardrail across all accounts in an organization. Option B is wrong because AWS Config rules can detect non-compliance and trigger auto-remediation actions, but they are not preventive controls—they can be disabled or modified by account administrators, and they do not inherently prevent a user from disabling CloudTrail in the first place.

360
MCQmedium

A company wants to store frequently changing configuration data and feature flags that their applications need to read at runtime without hard-coding values. Which AWS service provides secure, centralized configuration storage with version history?

A.Amazon S3
B.AWS Systems Manager Parameter Store
C.Amazon DynamoDB
D.AWS CloudFormation
AnswerB

Parameter Store provides centralized, versioned storage for configuration data and secrets with IAM-based access control, KMS encryption for secure strings, and a hierarchical namespace.

Why this answer

AWS Systems Manager Parameter Store is the correct choice because it provides a secure, centralized service for storing configuration data and feature flags, with built-in version history for each parameter. It allows applications to read configuration values at runtime via the AWS SDK or CLI without hard-coding, and supports encryption using AWS KMS for sensitive data.

Exam trap

The trap here is that candidates often confuse Amazon S3's object versioning with configuration version history, but S3 lacks the centralized parameter management, secure runtime access patterns, and integration with AWS KMS that Parameter Store provides for frequently changing configuration data.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service for files and static assets, not designed for storing frequently changing configuration data with version history in a parameter-style access pattern; while S3 has versioning, it lacks the hierarchical parameter structure and secure runtime retrieval features of Parameter Store. Option C is wrong because Amazon DynamoDB is a NoSQL database for high-performance, scalable application data, not a configuration store; it requires custom code for versioning and lacks native parameter management features like tiers, policies, and secure parameter references. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning AWS resources, not a runtime configuration store; it does not provide a mechanism for applications to read configuration values at runtime without redeploying stacks.

361
MCQeasy

Which AWS pricing concept means you pay a lower per-unit price when you use more of a service, such as S3 charging less per GB as storage volume increases?

A.Pay-as-you-go pricing
B.Tiered pricing (volume discounts)
C.Reserved pricing
D.Spot pricing
AnswerB

Tiered pricing reduces the per-unit cost as usage crosses higher thresholds — S3 storage, data transfer, and many other services use this model to reward scale.

Why this answer

B is correct because tiered pricing (volume discounts) is the AWS pricing model where the per-unit cost decreases as usage increases. For example, Amazon S3 charges a lower per-GB rate for larger storage volumes, such as $0.023 per GB for the first 50 TB and $0.022 per GB for the next 450 TB, directly reflecting volume-based discounts.

Exam trap

The trap here is that candidates often confuse pay-as-you-go pricing (Option A) with tiered pricing, mistakenly thinking that paying only for what you use automatically includes volume discounts, but AWS separates these concepts: pay-as-you-go is about no upfront commitments, while tiered pricing is about decreasing per-unit costs with higher usage.

How to eliminate wrong answers

Option A is wrong because pay-as-you-go pricing means you pay only for what you use without upfront commitments, but it does not inherently reduce the per-unit price as usage increases; it is a consumption-based model, not a volume discount model. Option C is wrong because reserved pricing involves committing to a specific usage level (e.g., 1 or 3 years) in exchange for a lower rate, but the discount is based on the commitment term, not on increasing usage volume. Option D is wrong because spot pricing lets you bid on unused EC2 capacity at variable rates, which can be cheaper but is not based on volume discounts; it is a dynamic pricing model driven by supply and demand.

362
MCQmedium

A financial services company stores confidential transaction records in Amazon S3. The company's compliance policy requires that all data at rest be encrypted using encryption keys that are under the company's full control. The keys must be automatically rotated every year. The company also needs a detailed audit trail of when each key was used and by which AWS principal. Which combination of AWS service and key type should the company use to meet these requirements?

A.Use Amazon S3 server-side encryption with customer-provided keys (SSE-C) and store the keys in AWS Secrets Manager with automatic rotation enabled.
B.Use Amazon S3 server-side encryption with AWS managed keys (SSE-S3) and enable automatic key rotation.
C.Use AWS CloudHSM to generate and store the encryption keys, and configure an AWS Lambda function to rotate the keys every year and log usage to Amazon CloudWatch Logs.
D.Use AWS Key Management Service (AWS KMS) with a customer managed key and enable automatic key rotation.
AnswerD

AWS KMS customer managed keys give you full control over the key material and key policy. You can enable automatic annual rotation, and all key usage is logged in AWS CloudTrail, providing a detailed audit trail of which principal used the key.

Why this answer

Option D is correct because AWS KMS with a customer managed key allows the company to maintain full control over the encryption keys, enable automatic annual rotation, and provides detailed CloudTrail audit logs for every key usage, including the AWS principal that made the request. This satisfies the compliance requirements for encryption at rest, key rotation, and audit trail.

Exam trap

The trap here is that candidates often confuse SSE-C with customer managed keys in KMS, assuming that providing your own key (SSE-C) gives you full control and auditability, but SSE-C lacks automatic rotation and integrated auditing, which KMS provides.

How to eliminate wrong answers

Option A is wrong because SSE-C requires the customer to manage and provide the encryption keys themselves, and AWS does not support automatic key rotation for SSE-C; storing keys in Secrets Manager does not integrate with S3's SSE-C encryption process. Option B is wrong because SSE-S3 uses AWS managed keys, which are not under the customer's full control, and while automatic rotation is enabled, the customer cannot control the rotation schedule or have a detailed audit trail of key usage by AWS principal. Option C is wrong because CloudHSM provides hardware-based key storage but does not natively support automatic key rotation or integrate with AWS KMS for a detailed audit trail; a custom Lambda function would be needed, but this adds complexity and does not provide the same level of integrated auditing as KMS.

363
MCQmedium

A company has migrated to AWS and uses multiple accounts under AWS Organizations with consolidated billing. The finance team needs a monthly cost breakdown by business unit. Each business unit's AWS resources are tagged with a 'BusinessUnit' tag (e.g., 'Marketing', 'Engineering'). However, some resources are not tagged. The team wants to see both the cost per business unit (based on tagged resources) and the total cost of untagged resources, all in one view. They also need the ability to filter by AWS service (e.g., EC2, S3) for each business unit. Which AWS tool or feature should the finance team use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Monthly Report (from Billing console)
AnswerA

Correct. Cost Explorer provides a customizable dashboard where you can group costs by tags, filter by service, and see untagged costs. It supports the required granularity for multi-account consolidated billing views.

Why this answer

AWS Cost Explorer provides a customizable dashboard that allows you to filter and group costs by tags (such as 'BusinessUnit') and by AWS service (e.g., EC2, S3). It can display both tagged and untagged resource costs in the same view, enabling the finance team to see a monthly breakdown per business unit alongside the total cost of untagged resources. This meets all the requirements without additional configuration.

Exam trap

The trap here is that candidates may confuse AWS Budgets (which only monitors against thresholds) with Cost Explorer (which provides the required historical, filterable cost breakdown), or assume Trusted Advisor can generate cost reports when it only offers optimization checks.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is designed for setting cost thresholds and sending alerts, not for providing a detailed historical cost breakdown with filtering by tags and services. Option C (AWS Trusted Advisor) is wrong because it focuses on best-practice recommendations for cost optimization, security, and performance, not on generating cost reports or filtering by tags and services.

364
MCQmedium

A company wants to use Amazon S3 as their data lake but needs a way to track, search, and govern all datasets across multiple S3 buckets. Which AWS service provides centralized data catalog management?

A.Amazon Macie
B.AWS Glue Data Catalog
C.Amazon S3 Inventory
D.AWS Lake Formation
AnswerB

Glue Data Catalog is the centralized metadata store for S3-based data lakes — Crawlers discover schemas automatically, and the catalog integrates with Athena, Redshift, and EMR.

Why this answer

AWS Glue Data Catalog is a fully managed, centralized metadata repository that stores table definitions, schema information, and partition details for datasets across multiple S3 buckets. It integrates with AWS Glue ETL, Amazon Athena, and Amazon Redshift Spectrum to provide a unified view for tracking, searching, and governing data lake assets, making it the correct choice for centralized data catalog management.

Exam trap

The trap here is that candidates confuse AWS Lake Formation with the Glue Data Catalog because Lake Formation provides a visual interface for managing data lakes and uses the catalog under the hood, but the question specifically asks for the service that provides centralized data catalog management, which is the Glue Data Catalog itself.

How to eliminate wrong answers

Option A (Amazon Macie) is wrong because it is a data security and privacy service that uses machine learning to discover and protect sensitive data (e.g., PII) in S3, not a metadata catalog for tracking and governing datasets. Option C (Amazon S3 Inventory) is wrong because it generates flat-file reports of object metadata (e.g., size, last modified date) for a single bucket, not a searchable, centralized catalog across multiple buckets. Option D (AWS Lake Formation) is wrong because it is a service for building, securing, and managing data lakes, and while it uses the Glue Data Catalog internally for metadata, it is not itself the centralized catalog; its primary function is data lake setup and fine-grained access control, not standalone catalog management.

365
MCQmedium

A company has a compliance requirement that all Amazon S3 buckets must have server-side encryption (SSE) enabled and must block all public access. The company has hundreds of existing S3 buckets and creates new ones regularly. The security team needs a centralized AWS service that can continuously evaluate all buckets against these two rules, automatically detect noncompliant buckets, and then automatically remediate them by enabling SSE and blocking public access. Additionally, the team wants to receive notifications when compliance changes occur. Which AWS service should the security team use?

A.AWS Config with managed rules and automatic remediation
B.AWS Security Hub
C.AWS IAM Access Analyzer
D.Amazon Macie
AnswerA

AWS Config provides managed rules to evaluate resource configurations against best practices. It can automatically remediate noncompliant resources by invoking Systems Manager Automation documents. It also sends notifications via Amazon SNS for compliance changes, fully meeting the requirement.

Why this answer

AWS Config with managed rules such as 's3-bucket-server-side-encryption-enabled' and 's3-bucket-public-read-prohibited' can continuously evaluate all S3 buckets against these compliance requirements. When a noncompliant bucket is detected, AWS Config can automatically remediate it using SSM Automation documents (e.g., enabling SSE-S3 or SSE-KMS and applying bucket policies to block public access). Additionally, AWS Config can send notifications via Amazon SNS when compliance changes occur, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Security Hub's aggregation and visibility capabilities with the ability to perform automatic remediation, but Security Hub does not natively remediate resources; it relies on AWS Config rules or other services for that functionality.

How to eliminate wrong answers

Option B is wrong because AWS Security Hub aggregates security findings from multiple services (including AWS Config) and provides a comprehensive security posture view, but it does not natively perform automatic remediation of noncompliant resources; it relies on AWS Config rules or other services for remediation actions. Option C is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify unintended public or cross-account access, but it does not enforce server-side encryption, does not automatically remediate noncompliant buckets, and does not continuously evaluate all S3 buckets against encryption requirements.

366
MCQmedium

A company is calculating the Total Cost of Ownership (TCO) for migrating to AWS vs. staying on-premises. Which costs are typically REDUCED when migrating to AWS?

A.Software licensing costs always decrease when moving to AWS
B.Physical hardware, data center facilities, and infrastructure management costs
C.Developer salaries and application development costs
D.Data transfer costs are eliminated in the cloud
AnswerB

Moving to AWS eliminates purchasing servers, renting/owning data center space, paying for power and cooling, and infrastructure management labor — these costs become variable and are shared across AWS's massive customer base.

Why this answer

AWS TCO analysis typically shows reduction in: hardware acquisition and depreciation (no physical servers), data center facility costs (power, cooling, space), hardware maintenance and support contracts, and staff time for infrastructure management. AWS shifts these from fixed capital costs to variable operational costs, and eliminates many administrative tasks that managed services handle automatically.

367
MCQmedium

A company is developing a mobile application that requires a database to store user session data and preferences. The data is accessed very frequently with low-latency requirements, and the access patterns are unpredictable – the application experiences sudden spikes in read and write traffic. The company wants a fully managed database service that automatically scales to handle the workload, requires no patching or server administration, and charges based on the throughput consumed rather than on provisioned capacity. Which AWS service meets these requirements?

A.Amazon RDS for MySQL
B.Amazon DynamoDB
C.Amazon Redshift
D.Amazon EBS
AnswerB

Amazon DynamoDB is a fully managed NoSQL database that provides single-digit millisecond performance at any scale. It supports on-demand capacity mode, which automatically scales to accommodate traffic spikes and charges per request, eliminating the need for provisioning. It is ideal for session storage, gaming, and real-time applications.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers single-digit millisecond latency at any scale. It supports on-demand capacity mode, which automatically scales to handle unpredictable traffic spikes and charges based on the actual reads and writes consumed, not on pre-provisioned throughput. This eliminates the need for patching, server administration, or capacity planning, matching all the stated requirements exactly.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'serverless' and pick Amazon RDS for MySQL because it is also fully managed, but they overlook the specific requirement for throughput-based pricing and automatic scaling for unpredictable spikes, which only DynamoDB's on-demand mode provides.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a relational database that requires provisioning and managing compute and storage capacity, does not automatically scale for sudden spikes without manual intervention or Auto Scaling setup, and charges based on provisioned instances rather than throughput consumed. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries on large datasets, not for low-latency, high-frequency read/write access patterns typical of user session data and preferences.

368
MCQmedium

A company has multiple AWS accounts used by different departments (Finance, Marketing, Engineering). The finance team wants to see a single monthly bill that aggregates charges from all accounts. Additionally, they want to track costs by department using custom cost allocation tags that each department applies to its resources. Which AWS feature should the company use to meet both requirements?

A.AWS Trusted Advisor
B.AWS Budgets
C.AWS Organizations with consolidated billing
D.AWS Cost Explorer
AnswerC

AWS Organizations enables you to centrally manage multiple AWS accounts. By enabling consolidated billing, you get a single monthly bill for all member accounts. Additionally, you can define cost allocation tags, and those tags are inherited across the organization, allowing cost tracking by department using tools like AWS Cost Explorer.

Why this answer

AWS Organizations with consolidated billing allows the company to aggregate charges from all member accounts into a single monthly bill for the finance team. Additionally, it enables the use of cost allocation tags, including custom tags applied by each department, to track and filter costs by department in AWS Cost Explorer and cost reports.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which only monitors and alerts on costs) with consolidated billing (which aggregates charges and enables tag-based cost allocation), leading them to select AWS Budgets because they focus on the 'track costs' requirement without recognizing the need for multi-account aggregation.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and provides recommendations for cost optimization, performance, security, and fault tolerance, but it does not aggregate billing across accounts or support custom cost allocation tags. Option B is wrong because AWS Budgets allows you to set custom budgets and receive alerts when costs or usage exceed thresholds, but it does not provide a consolidated view of charges across multiple accounts or enable custom cost allocation tags for departmental tracking.

369
MCQhard

A security team needs to continuously assess their AWS resources for security vulnerabilities and deviations from security best practices. Which service provides automated security assessments?

A.AWS Trusted Advisor
B.Amazon Detective
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub continuously runs automated security checks and aggregates findings from multiple security services.

Why this answer

AWS Security Hub is the correct answer because it provides a comprehensive view of your security posture across AWS accounts by aggregating, organizing, and prioritizing security findings from multiple AWS services (like Amazon GuardDuty, Amazon Inspector, and AWS Macie) and third-party tools. It continuously assesses your environment against security standards and best practices (e.g., CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices) and generates automated security assessments and compliance checks. This directly matches the requirement for continuous, automated security assessments.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with Security Hub (which provides security assessments and aggregates findings), leading them to select AWS Config because they think 'continuous assessment' means configuration monitoring, but Security Hub is the service specifically designed for automated security posture assessments.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment and provides recommendations on cost optimization, performance, security, fault tolerance, and service limits, but it does not perform continuous automated security assessments or aggregate findings from multiple security services. Option B is wrong because Amazon Detective is a security investigation service that analyzes, investigates, and identifies the root cause of security findings or suspicious activities, but it does not provide automated security assessments or compliance checks. Option D is wrong because AWS Config is a service that evaluates your resource configurations against desired configurations (via rules) and tracks configuration changes, but it does not perform security vulnerability assessments or aggregate security findings; it focuses on configuration compliance, not security posture assessment.

370
MCQmedium

A startup is evaluating a migration from its on-premises infrastructure to AWS. The CTO notes that AWS can offer significantly lower per-unit costs for compute and storage compared to the startup's own data center. The CTO explains that AWS achieves this by pooling the demand of millions of customers, which allows AWS to negotiate better hardware prices and spread the fixed costs of data centers, power, cooling, and operational staff across a massive customer base. This specific cost advantage of cloud computing is best described by which fundamental concept?

A.Elasticity
B.Economies of scale
C.High availability
D.Fault tolerance
AnswerB

Economies of scale refer to the cost advantages that enterprises obtain due to their scale of operation. AWS leverages its massive customer base to negotiate lower prices for hardware, reduce per-unit operational costs, and pass those savings to customers. This directly matches the scenario described.

Why this answer

Economies of scale (Option B) is the correct concept because it directly describes how AWS achieves lower per-unit costs by aggregating demand from millions of customers. This massive scale allows AWS to negotiate bulk discounts on hardware, spread fixed costs (data centers, power, cooling, staff) over a huge customer base, and operate at a cost structure that individual startups cannot match. The CTO's description of pooling demand and spreading fixed costs is the textbook definition of economies of scale in cloud computing.

Exam trap

The trap here is that candidates often confuse 'economies of scale' with 'elasticity' because both involve scaling, but elasticity is about dynamic resource adjustment to meet variable demand, not the cost advantage from aggregated purchasing power.

How to eliminate wrong answers

Option A (Elasticity) is wrong because elasticity refers to the ability to automatically scale compute resources up or down based on demand, not the cost advantage from aggregated purchasing power. Option C (High availability) is wrong because high availability focuses on ensuring systems remain operational and accessible despite failures, typically through redundancy across Availability Zones, not on cost reduction from scale. Option D (Fault tolerance) is wrong because fault tolerance is the ability of a system to continue operating without interruption when one or more components fail, which is a resilience characteristic, not a cost-efficiency mechanism.

371
MCQmedium

A company stores sensitive customer data in multiple Amazon S3 buckets. The security team wants to proactively identify any buckets that have been configured to allow unintended access from external AWS accounts or from the public internet. The team needs a service that continuously analyzes the resource-based policies attached to these buckets and generates findings when such unintended access is detected. Which AWS service should the security team use to meet this requirement?

A.AWS IAM Access Analyzer
B.AWS Config
C.AWS Trusted Advisor
D.Amazon Macie
AnswerA

Correct. AWS IAM Access Analyzer continuously analyzes resource-based policies and reports on resources that are accessible from external entities, including other AWS accounts or public access. It is specifically designed for this use case.

Why this answer

AWS IAM Access Analyzer is the correct service because it continuously analyzes resource-based policies (such as S3 bucket policies) to identify resources that are shared with external AWS accounts or publicly accessible. It generates findings for any policy that grants access to a principal outside of its AWS account, including the 'Principal': '*' condition that allows public internet access. This directly meets the requirement for proactive, continuous monitoring of unintended access.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to monitor resource configurations with IAM Access Analyzer's specific purpose of analyzing resource-based policies for cross-account and public access, leading them to choose Config when the requirement explicitly mentions 'resource-based policies' and 'unintended access from external AWS accounts or the public internet.'

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resource configurations against compliance rules but does not specifically analyze resource-based policies for external or public access; it can detect configuration drift but not generate findings about unintended cross-account or public sharing. Option C is wrong because AWS Trusted Advisor provides best-practice checks, including S3 bucket permissions, but it is not a continuous monitoring service—it runs on a periodic schedule (e.g., every 24 hours) and does not generate real-time findings for policy changes. Option D is wrong because Amazon Macie is designed to discover and protect sensitive data using machine learning and pattern matching, not to analyze resource-based policies for unintended access from external accounts or the public.

372
MCQmedium

A company uses multiple AWS accounts managed through AWS Organizations. The finance team wants to see a consolidated view of all costs across accounts, and also wants to filter costs by specific projects using custom tags that are applied to resources. The team has already created tag keys and applied them to resources in all accounts. What additional step must the team take in the Management Account to ensure these tags appear as cost allocation dimensions in AWS Cost Explorer?

A.Activate the tag keys for cost allocation tracking.
B.Enable the AWS Cost Explorer default reports.
C.Create a budget using AWS Budgets with the tag filters.
D.Configure the AWS Support plan to include cost analysis.
AnswerA

Correct. After creating and applying tags to resources, the tags must be activated for cost allocation in the AWS Billing and Cost Management console. Only activated tags appear as dimensions in Cost Explorer and other cost management tools.

Why this answer

Option A is correct because in AWS Organizations, custom tags must be explicitly activated for cost allocation tracking in the Management Account's Billing and Cost Management console. Without this activation, the tags exist on resources but are not recognized as cost allocation dimensions in AWS Cost Explorer, so the finance team cannot filter costs by those tags. Activating the tag keys enables Cost Explorer to ingest the tag key-value pairs and present them as filtering dimensions in cost reports.

Exam trap

The trap here is that candidates assume applying tags to resources automatically makes them available in Cost Explorer, but AWS requires an explicit activation step in the Management Account to promote custom tags to cost allocation dimensions.

How to eliminate wrong answers

Option B is wrong because enabling default reports in Cost Explorer only provides pre-built cost and usage views; it does not make custom tags available as filtering dimensions. Option C is wrong because creating a budget with tag filters requires the tags to already be activated for cost allocation; budgets cannot force tags to appear as dimensions in Cost Explorer. Option D is wrong because the AWS Support plan level (Basic, Developer, Business, Enterprise) does not affect cost allocation tag visibility; cost allocation tags are a feature of the Billing and Cost Management console, not the Support plan.

373
MCQmedium

A company wants to provision and manage SSL/TLS certificates for their AWS resources without paying for certificates or manually handling renewals. Which AWS service provides this?

A.AWS KMS
B.AWS Certificate Manager (ACM)
C.AWS CloudHSM
D.AWS IAM
AnswerB

ACM provides free SSL/TLS certificates for AWS services with automatic renewal — no certificate purchase, no manual renewal, no CSR submissions required.

Why this answer

AWS Certificate Manager (ACM) provisions, manages, and deploys public and private SSL/TLS certificates for use with AWS services (e.g., Elastic Load Balancing, CloudFront, API Gateway) at no additional cost. ACM automatically handles certificate renewals, eliminating the need for manual intervention.

Exam trap

The trap here is that candidates may confuse AWS KMS or CloudHSM as certificate management services because they deal with encryption, but they do not provision or renew SSL/TLS certificates.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for managing SSL/TLS certificates. Option C is wrong because AWS CloudHSM provides dedicated hardware security modules for cryptographic key storage and operations, but it does not provision or manage SSL/TLS certificates. Option D is wrong because AWS IAM manages users, groups, roles, and permissions, and while it can store server certificates for use with Elastic Load Balancing, it does not automate certificate provisioning or renewal.

374
MCQeasy

A retail company uses Amazon EC2 Auto Scaling to automatically launch hundreds of EC2 instances when CPU utilization exceeds 70% during a flash sale. When traffic subsides, the Auto Scaling group terminates the excess instances. This ability to dynamically provision and release compute resources in response to changes in demand best demonstrates which fundamental characteristic of cloud computing?

A.Broad network access
B.Resource pooling
C.Rapid elasticity
D.Measured service
AnswerC

Rapid elasticity is the ability to provision and release cloud resources quickly, often automatically, to scale in and out with demand. The Auto Scaling behavior shown in the scenario is a direct example of this characteristic.

Why this answer

Option C is correct because the scenario describes the ability to automatically scale compute resources up and down in response to real-time demand changes, which is the definition of rapid elasticity. In AWS, this is implemented through EC2 Auto Scaling, which dynamically launches or terminates instances based on CloudWatch alarms (e.g., CPU utilization > 70%). This on-demand provisioning and release of resources without manual intervention is a core characteristic of cloud computing as defined by NIST SP 800-145.

Exam trap

The trap here is that candidates confuse resource pooling (the multi-tenant sharing of infrastructure) with rapid elasticity (the dynamic scaling of resources), because both involve 'pooling' or 'sharing' in a broad sense, but only rapid elasticity describes the automatic scaling up and down in response to demand.

How to eliminate wrong answers

Option A is wrong because broad network access refers to resources being accessible over the network via standard protocols (e.g., HTTPS, SSH), not the dynamic scaling of compute capacity. Option B is wrong because resource pooling describes the multi-tenant model where physical and virtual resources are pooled to serve multiple customers, not the ability to scale in response to demand. Option D is wrong because measured service involves metering and billing for resource usage (e.g., per-hour or per-GB charges), not the automatic provisioning and release of instances.

375
MCQmedium

A company runs a critical e-commerce application in a single AWS Region. The architecture team wants to ensure the application remains available even if an entire data center fails. They plan to deploy the application across multiple physically separate and independent locations within that Region. Which component of the AWS global infrastructure should the team use to achieve this goal?

A.Availability Zones
B.Edge Locations
C.AWS Local Zones
D.AWS Regions
AnswerA

Availability Zones are isolated locations within a Region, each with independent power, cooling, and networking. Deploying across multiple AZs provides high availability and fault tolerance against data center failures.

Why this answer

Availability Zones (AZs) are physically separate and independent data centers within an AWS Region, each with isolated power, cooling, and networking. By deploying the application across multiple AZs, the architecture ensures that if one entire data center fails, the application continues to run in the other AZs, meeting the goal of high availability within a single Region.

Exam trap

The trap here is that candidates often confuse Availability Zones with Edge Locations or Regions, mistakenly thinking Edge Locations provide compute failover or that deploying across Regions is required for high availability within a single geographic area.

How to eliminate wrong answers

Option B (Edge Locations) is wrong because Edge Locations are used for content caching and delivery via Amazon CloudFront, not for hosting compute or storage resources to survive a data center failure. Option C (AWS Local Zones) is wrong because Local Zones extend a Region closer to end users for low-latency workloads, but they are not designed as independent failure domains within the same Region; they rely on the parent Region for core services. Option D (AWS Regions) is wrong because Regions are separate geographic areas, not physically separate locations within a single Region; deploying across Regions would address multi-Region disaster recovery, not the stated requirement of surviving a data center failure within one Region.

Page 4

Page 5 of 14

Page 6