AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 376450

1024 questions total · 14pages · All types, answers revealed

Page 5

Page 6 of 14

Page 7
376
MCQeasy

A company deploys their web application across multiple isolated locations within the same AWS Region, each with independent power, cooling, and networking. This design ensures that a failure in one location does not affect the others. What are these isolated locations called?

A.AWS Regions
B.Availability Zones
C.Edge Locations
D.VPC Subnets
AnswerB

AZs are one or more discrete data centres within a Region, each with independent power, cooling, and networking. Deploying across multiple AZs means a failure in one AZ does not affect workloads in the others.

Why this answer

Availability Zones (AZs) are isolated locations within an AWS Region that consist of one or more data centers with independent power, cooling, and networking. This design ensures that a failure in one AZ does not affect the others, providing high availability and fault tolerance for applications. The scenario directly describes the defining characteristics of an Availability Zone.

Exam trap

The trap here is that candidates confuse Availability Zones with AWS Regions, thinking that any isolated location must be a different Region, but the question explicitly states 'within the same AWS Region,' which points directly to Availability Zones.

How to eliminate wrong answers

Option A is wrong because AWS Regions are separate geographic areas (e.g., us-east-1, eu-west-2) that are isolated from each other, but the question specifies multiple isolated locations within the same AWS Region, not different Regions. Option C is wrong because Edge Locations are used for content delivery and caching via Amazon CloudFront, not for deploying web applications with independent power, cooling, and networking; they are not designed for compute or storage in the same way as AZs. Option D is wrong because VPC Subnets are logical subdivisions of a VPC's IP address range within a single Availability Zone, not physically isolated locations with independent infrastructure.

377
MCQmedium

A company is migrating its on-premises infrastructure to AWS. The operations team needs a managed service that allows them to define their entire cloud environment—including VPCs, subnets, EC2 instances, and RDS databases—as a reusable template stored in version control. The service must automatically handle resource dependencies, such as creating the database before launching the application servers, and ensure that the infrastructure is provisioned consistently across multiple environments (e.g., development, staging, production). Which AWS service should the company use to meet these requirements?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS CodeDeploy
AnswerA

AWS CloudFormation allows you to define your entire infrastructure as code in a template. It automatically manages resource dependencies, handles creation and updates in the correct order, and provides consistent provisioning across environments. This matches the requirement for a managed infrastructure-as-code service.

Why this answer

AWS CloudFormation is the correct choice because it provides Infrastructure as Code (IaC) capabilities, allowing you to define your entire cloud environment—including VPCs, subnets, EC2 instances, and RDS databases—in a reusable JSON or YAML template stored in version control. It automatically manages resource dependencies using the DependsOn attribute and intrinsic functions like Ref and Fn::GetAtt, ensuring resources are created in the correct order (e.g., database before application servers). CloudFormation also supports consistent provisioning across multiple environments by using parameters, mappings, and stacksets, making it ideal for the operations team's requirements.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with Infrastructure as Code because it automates resource provisioning, but Elastic Beanstalk is a managed PaaS that does not give you full control over defining every resource (like VPCs and subnets) in a reusable template, whereas CloudFormation provides that granular, declarative control.

How to eliminate wrong answers

Option B (AWS Elastic Beanstalk) is wrong because it is a Platform as a Service (PaaS) that abstracts away the underlying infrastructure, automatically provisioning resources like EC2 and RDS, but it does not allow you to define the entire cloud environment as a reusable template stored in version control; it focuses on application deployment and scaling, not granular infrastructure definition. Option C (AWS OpsWorks) is wrong because it is a configuration management service that uses Chef or Puppet to manage server configurations and deployments, but it does not provide a declarative template for defining all cloud resources like VPCs and subnets, and it does not inherently handle resource dependencies across multiple environments in the same way as CloudFormation. Option D (AWS CodeDeploy) is wrong because it is a deployment service that automates code deployments to EC2 instances, Lambda functions, or on-premises servers, but it does not define or provision infrastructure resources like VPCs, subnets, or RDS databases; it only handles the application deployment phase.

378
MCQeasy

Which AWS service provides a fully managed NoSQL database designed for single-digit millisecond performance at any scale?

A.Amazon RDS
B.Amazon Redshift
C.Amazon DynamoDB
D.Amazon ElastiCache
AnswerC

DynamoDB is AWS's serverless, fully managed NoSQL database with guaranteed single-digit millisecond latency.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers consistent single-digit millisecond latency at any scale. It achieves this through its distributed architecture, automatic partitioning, and SSD-backed storage, making it ideal for high-traffic web applications, gaming, and IoT workloads.

Exam trap

The trap here is that candidates often confuse Amazon ElastiCache (an in-memory cache) with a NoSQL database, but ElastiCache is not a persistent database and lacks the durability and querying capabilities of DynamoDB.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a relational database service that supports SQL-based engines like MySQL and PostgreSQL, not a NoSQL database, and it does not guarantee single-digit millisecond performance at any scale. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries using SQL, not a NoSQL database designed for low-latency transactional workloads. Option D is wrong because Amazon ElastiCache is an in-memory caching service (supporting Redis and Memcached) that provides microsecond latency, but it is not a fully managed NoSQL database; it is primarily used for caching and session storage, not as a persistent database.

379
MCQmedium

A healthcare company is migrating its application and patient data to AWS. To meet HIPAA requirements, the compliance officer must review and accept the AWS Business Associate Addendum (BAA). Additionally, the auditor requires the company to provide the latest AWS SOC 2 Type II report. The compliance officer needs a single self-service portal to access both documents directly from AWS. Which AWS service should the company use?

A.AWS Config
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Security Hub
AnswerB

AWS Artifact is the correct service. It is a self-service portal that provides on-demand access to AWS compliance reports (e.g., SOC, PCI) and allows customers to review and accept agreements such as the HIPAA Business Associate Addendum (BAA).

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for on-demand access to AWS compliance reports, including the Business Associate Addendum (BAA) and SOC 2 Type II reports. This directly meets the compliance officer's requirement to review and accept the BAA and provide the latest SOC 2 report from a single AWS portal.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or Security Hub, thinking those services also provide compliance documentation, but only Artifact offers direct access to signed BAAs and third-party audit reports.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating, auditing, and assessing resource configurations against desired policies, not for accessing compliance documents like BAAs or SOC reports. Option C is wrong because AWS Trusted Advisor provides recommendations for cost optimization, performance, security, and fault tolerance, but does not offer access to compliance reports or legal agreements. Option D is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services, but it does not provide a portal to download or accept BAAs or SOC reports.

380
MCQmedium

A company wants to improve the resilience of their Amazon RDS database by ensuring that read traffic is distributed across multiple copies of the database and that a replica can be promoted if the primary fails. Which RDS feature enables this?

A.RDS Multi-AZ deployment
B.RDS Read Replicas
C.RDS Automated Backups
D.RDS Performance Insights
AnswerB

Read Replicas create asynchronous read-only copies that serve read traffic (improving performance) and can be manually promoted to standalone databases if the primary fails.

Why this answer

Amazon RDS Read Replicas allow you to create one or more copies of your database instance that serve read traffic, offloading read queries from the primary DB instance. In the event of a primary failure, a Read Replica can be manually promoted to a standalone primary instance, providing resilience and continuity for read-heavy workloads. This directly matches the requirement to distribute read traffic and enable replica promotion.

Exam trap

The trap here is that candidates confuse Multi-AZ with Read Replicas, assuming Multi-AZ also distributes read traffic, but Multi-AZ's standby is passive and only used for automatic failover, not for serving reads or manual promotion.

How to eliminate wrong answers

Option A is wrong because RDS Multi-AZ deployment provides high availability by automatically failing over to a standby replica in a different Availability Zone, but that standby does not serve read traffic and cannot be promoted manually—it is only used for automatic failover. Option C is wrong because RDS Automated Backups are point-in-time recovery snapshots and transaction logs, not live copies that can serve read traffic or be promoted. Option D is wrong because RDS Performance Insights is a monitoring and diagnostic feature for database performance, not a replication or failover mechanism.

381
MCQeasy

A multinational company hosts its customer relationship management (CRM) application on AWS. Sales team members access the CRM from various locations using desktop computers, laptops, tablets, and smartphones. They connect over the internet through standard web browsers. Which essential characteristic of cloud computing does this scenario best illustrate?

A.Resource pooling
B.Measured service
C.Broad network access
D.Rapid elasticity
AnswerC

Correct. Broad network access means capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous client platforms (e.g., mobile phones, tablets, laptops, and workstations). The scenario explicitly describes access from multiple device types over the internet.

Why this answer

This scenario best illustrates broad network access because the CRM application is accessed over the internet by sales team members using a variety of devices (desktops, laptops, tablets, smartphones) through standard web browsers. Broad network access is the cloud computing characteristic that defines the ability to access resources via standard protocols (e.g., HTTPS, TLS) from heterogeneous client platforms, which is exactly what is described here.

Exam trap

The trap here is that candidates often confuse broad network access with resource pooling because both involve 'many users,' but broad network access is about device and protocol diversity, not shared infrastructure.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's ability to serve multiple customers from shared physical and virtual resources, dynamically assigned according to demand; the scenario does not mention multi-tenancy or shared infrastructure. Option B is wrong because measured service involves metering and monitoring resource usage (e.g., CPU hours, data transfer) for billing and optimization; the scenario focuses on access methods, not usage tracking or pay-per-use. Option D is wrong because rapid elasticity is the ability to automatically scale resources up or down in response to demand; the scenario does not describe any scaling events or variable workload patterns.

382
MCQmedium

A company operates over 100 AWS accounts consolidated under AWS Organizations. The finance team needs to analyze the company's historical AWS spending across all accounts for the past 6 months. They want to understand which services and regions drive the most costs, and they also need a 3-month forecast of future spending to inform budget planning. The team needs a visual dashboard that allows interactive filtering by account, service, and region without requiring custom scripts. Which AWS tool should the finance team use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
AnswerA

Correct. AWS Cost Explorer has a built-in interactive dashboard that allows you to view and analyze historical cost data, drill down by service, region, account, etc., and generate forecasts up to 12 months out. No custom scripts are needed.

Why this answer

AWS Cost Explorer provides a pre-built, interactive dashboard that visualizes historical cost data (up to 12 months) and generates forecasts (up to 12 months) without requiring custom scripts. It supports filtering by account, service, and region, making it ideal for the finance team's requirements. This tool directly meets the need for a visual, filterable dashboard with built-in forecasting.

Exam trap

The trap here is that candidates often confuse the raw data output of AWS Cost and Usage Report (CUR) with a visualization tool, overlooking that CUR requires additional processing to create a dashboard, whereas Cost Explorer provides an out-of-the-box interactive interface.

How to eliminate wrong answers

Option B is wrong because AWS Budgets is designed for setting cost thresholds and sending alerts, not for historical analysis or interactive dashboards with forecasting. Option C is wrong because AWS Cost and Usage Report (CUR) delivers raw, detailed CSV/Parquet data files that require external tools (e.g., Amazon Athena, QuickSight) to create visual dashboards, violating the 'without requiring custom scripts' requirement. Option D is wrong because AWS Trusted Advisor provides cost optimization recommendations and checks, not historical spending analysis or forecasting dashboards.

383
MCQeasy

Which AWS service is used to send emails, SMS messages, and push notifications to subscribers in a publish/subscribe pattern?

A.Amazon SES
B.Amazon Pinpoint
C.Amazon SNS
D.Amazon SQS
AnswerC

SNS enables publish/subscribe messaging with delivery to email, SMS, push notifications, HTTP endpoints, SQS, and Lambda.

Why this answer

Amazon Simple Notification Service (SNS) is a fully managed pub/sub messaging service that enables you to send messages to a large number of subscribers via multiple protocols, including email (JSON/plain text), SMS (text messages), and push notifications to mobile devices. It decouples message producers from consumers by using topics, where each topic can have multiple subscriber endpoints that receive messages asynchronously.

Exam trap

The trap here is that candidates confuse Amazon Pinpoint's ability to send SMS and push notifications with the pub/sub pattern, but Pinpoint is a campaign and analytics tool, not a general-purpose pub/sub messaging service like SNS.

How to eliminate wrong answers

Option A is wrong because Amazon SES (Simple Email Service) is designed specifically for sending transactional and marketing emails, not for SMS or push notifications, and it does not implement a publish/subscribe pattern—it uses a sender-recipient model. Option B is wrong because Amazon Pinpoint is a customer engagement service focused on targeted marketing campaigns, analytics, and audience segmentation, not a general-purpose pub/sub messaging service; while it can send SMS and push notifications, its primary architecture is campaign-driven rather than topic-based pub/sub. Option D is wrong because Amazon SQS (Simple Queue Service) is a message queue service that uses a pull-based polling model for decoupling components, not a push-based publish/subscribe pattern, and it does not natively support sending to email or SMS endpoints.

384
MCQmedium

A company runs database servers in private subnets with no direct internet access for security. However, these servers need to download OS updates from the internet. Which VPC component allows the private instances to make outbound internet connections while remaining unreachable from the internet?

A.Internet Gateway
B.NAT Gateway
C.VPN Gateway
D.VPC Endpoint
AnswerB

A NAT Gateway placed in a public subnet translates private instance IP addresses for outbound internet traffic. Return traffic is allowed back through the NAT, but no inbound connections initiated from the internet can reach the private instances.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet (e.g., for OS updates) while preventing the internet from initiating inbound connections to those instances. It resides in a public subnet with an Elastic IP and uses Source Network Address Translation (SNAT) to replace the private source IP with the gateway's public IP, making the response traffic routable back without exposing the private instances.

Exam trap

The trap here is that candidates confuse a NAT Gateway with an Internet Gateway, assuming both provide internet access, but the key differentiator is that a NAT Gateway only allows outbound-initiated traffic and blocks unsolicited inbound connections, which is exactly what the question requires.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway allows bidirectional traffic; attaching it to a private subnet would make instances directly reachable from the internet, violating the security requirement. Option C is wrong because a VPN Gateway establishes encrypted tunnels to on-premises networks, not to the public internet; it does not provide outbound internet access for OS updates. Option D is wrong because a VPC Endpoint provides private connectivity to AWS services (e.g., S3, DynamoDB) via the AWS network, not to general internet destinations like OS update servers.

385
MCQmedium

A company runs an e-commerce application on a fleet of Amazon EC2 instances. The application experiences unpredictable traffic spikes during flash sales. To handle this, the company configures an Amazon EC2 Auto Scaling group to automatically add instances when CPU utilization exceeds 70% and remove instances when utilization drops below 30%. The company only pays for the instances that are running. This ability to dynamically add and remove compute capacity based on real-time demand best demonstrates which essential characteristic of cloud computing?

A.Elasticity
B.On-demand self-service
C.Measured service
D.Resource pooling
AnswerA

Correct. Elasticity is the ability to automatically scale resources up or down based on demand, matching supply to need and minimizing cost. The Auto Scaling group directly implements this characteristic.

Why this answer

The scenario describes an Auto Scaling group that adds EC2 instances when CPU exceeds 70% and removes them when it drops below 30%, paying only for running instances. This ability to automatically scale compute capacity up and down in response to real-time demand is the defining characteristic of elasticity in cloud computing, which allows resources to be provisioned and de-provisioned dynamically to match workload fluctuations.

Exam trap

The trap here is that candidates confuse elasticity with on-demand self-service, but on-demand self-service is about provisioning resources without manual intervention, whereas elasticity is specifically about scaling resources up and down to match demand.

How to eliminate wrong answers

Option B (On-demand self-service) is wrong because it refers to the ability to provision computing resources without human interaction, typically via a web console or API, not the dynamic scaling of capacity in response to load. Option C (Measured service) is wrong because it describes the metering and billing of cloud resource usage (e.g., per-hour or per-GB charges), not the automatic adjustment of capacity. Option D (Resource pooling) is wrong because it refers to the multi-tenant model where physical and virtual resources are pooled to serve multiple customers, not the ability to scale resources up or down on demand.

386
MCQmedium

A company needs to store their application's database connection strings and automatically rotate them every 30 days. Which AWS service handles secret storage with automatic rotation built in?

A.AWS Systems Manager Parameter Store
B.Amazon S3 with encryption
C.AWS Secrets Manager
D.AWS KMS
AnswerC

Secrets Manager stores secrets securely, rotates them automatically on a configurable schedule with native RDS integration, and provides versioned access so applications always get the current secret.

Why this answer

AWS Secrets Manager is the correct service because it is specifically designed to securely store secrets such as database connection strings, API keys, and passwords, and it provides built-in automatic rotation of secrets at a configurable interval (e.g., every 30 days) using AWS Lambda. This eliminates the need for custom rotation logic and integrates natively with supported databases like Amazon RDS, Redshift, and DocumentDB.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires built-in rotation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store can store secrets but does not have built-in automatic rotation; you must implement custom rotation logic with Lambda or other services. Option B is wrong because Amazon S3 with encryption provides secure storage but lacks any native secret rotation capability and is not designed for managing secrets with lifecycle rotation policies. Option D is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database connection strings.

387
MCQmedium

A company runs a web application on Amazon EC2 instances that accepts user uploads. The uploads need to be processed by a backend service that performs virus scanning and thumbnail generation. The backend processing can take up to 30 seconds per upload. Users should not experience delays when submitting their files. The company wants to decouple the web tier from the processing tier so that the web application can immediately return a response to the user while the processing happens asynchronously. The solution must be fully managed, durable, and scale automatically with demand. Which AWS service should the company use?

A.Amazon Simple Notification Service (Amazon SNS)
B.Amazon Simple Queue Service (Amazon SQS)
C.Amazon Kinesis Data Streams
D.Amazon MQ
AnswerB

Amazon SQS is a fully managed message queuing service that allows you to decouple application components. The web application can send a message to a queue immediately after user upload, and the backend service can poll and process messages asynchronously. SQS stores messages durably and scales automatically, making it ideal for this use case.

Why this answer

Amazon SQS is the correct choice because it provides a fully managed, durable, and scalable message queue that decouples the web tier from the processing tier. When a user uploads a file, the web application can immediately return a response after sending a message to an SQS queue, while the backend service polls the queue and processes the upload asynchronously, handling the up-to-30-second processing time without blocking the user.

Exam trap

The trap here is that candidates often confuse SNS with SQS because both are messaging services, but SNS is push-based and not designed for decoupled asynchronous processing where the consumer needs to pull messages at its own pace.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers, but it does not provide durable message storage or allow a backend service to pull messages at its own pace; messages are lost if the subscriber is unavailable, and it lacks the decoupling and asynchronous processing capabilities required. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large volumes of data (e.g., clickstreams, logs) and requires a consumer to process records in order, which adds complexity and cost for simple decoupling of upload processing; it is not optimized for individual job messages with variable processing times. Option D is wrong because Amazon MQ is a managed message broker for applications that use standard protocols like AMQP, MQTT, or STOMP, but it is not serverless and requires provisioning and scaling of broker instances, making it less fully managed and less automatically scalable than SQS for this use case.

388
MCQmedium

A company runs a critical web application on Amazon EC2 instances in the us-east-1 Region, with a secondary standby deployment in us-west-2 for disaster recovery. The application requires that user traffic be directed to the nearest healthy endpoint, automatically failover to the secondary region if the primary region becomes unavailable, and the company needs two static IP addresses that remain fixed regardless of infrastructure changes. The application uses TCP and UDP protocols. Which AWS service should the company use to meet these requirements?

A.Amazon Route 53
B.AWS Global Accelerator
C.Amazon CloudFront
D.Elastic Load Balancing
AnswerB

AWS Global Accelerator uses the AWS global network to direct traffic to the optimal regional endpoint based on health, latency, and geography. It provides two static anycast IP addresses that remain fixed, and supports TCP and UDP. It automatically performs health checks and failover between endpoints across Regions, meeting all stated requirements.

Why this answer

AWS Global Accelerator is the correct choice because it provides two static anycast IP addresses that remain fixed regardless of infrastructure changes, directs traffic to the nearest healthy endpoint using the AWS global network, and supports automatic failover between regions for both TCP and UDP traffic. It also integrates with Network Load Balancers, Application Load Balancers, or EC2 instances to route traffic to the closest healthy endpoint, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse DNS-based routing (Route 53) with anycast IP-based routing (Global Accelerator), assuming that DNS can provide static IPs and instant failover, but DNS caching and TTL delays make it unsuitable for the requirement of fixed IPs and rapid failover for both TCP and UDP traffic.

How to eliminate wrong answers

Option A is wrong because Amazon Route 53 is a DNS-based routing service that does not provide static IP addresses; it relies on DNS resolution which can be cached and does not offer fixed IPs, and it does not natively support UDP traffic for health checks or failover at the transport layer. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for HTTP/HTTPS traffic and does not support UDP protocols; it also does not provide static IP addresses as it uses a dynamic set of edge locations. Option D is wrong because Elastic Load Balancing (ELB) operates within a single region and does not provide cross-region failover or static IP addresses (unless using a Network Load Balancer with Elastic IPs, but that still lacks global anycast and multi-region failover capabilities).

389
MCQmedium

A startup wants to ensure its web application automatically handles traffic spikes during product launches without over-provisioning resources during quiet periods. Which AWS capability best addresses this requirement?

A.High availability through multiple AZs
B.Elasticity through AWS Auto Scaling
C.Durability through S3 data replication
D.Agility through rapid resource provisioning
AnswerB

Auto Scaling automatically adjusts the number of EC2 instances based on demand, handling spikes without manual intervention or permanent over-provisioning.

Why this answer

AWS Auto Scaling enables the startup to automatically adjust the number of Amazon EC2 instances in response to real-time demand, scaling up during traffic spikes and scaling down during quiet periods. This elasticity eliminates the need to over-provision resources, optimizing both cost and performance for variable workloads.

Exam trap

The trap here is that candidates confuse high availability (Option A) with elasticity, but high availability only maintains uptime across failures, not automatic capacity adjustment based on demand.

How to eliminate wrong answers

Option A is wrong because high availability through multiple Availability Zones (AZs) ensures fault tolerance and uptime, but does not automatically adjust capacity based on traffic changes. Option C is wrong because durability through S3 data replication protects data against loss, but does not address compute resource scaling for traffic spikes. Option D is wrong because agility through rapid resource provisioning describes the speed of deploying resources, but without automation it still requires manual intervention to scale, whereas Auto Scaling provides automated, policy-driven elasticity.

390
MCQmedium

A company's CTO asks about the AWS Cloud Adoption Framework (AWS CAF). Which statement about AWS CAF is accurate?

A.AWS CAF is a compliance framework similar to SOC 2 or PCI DSS
B.AWS CAF organizes guidance into six perspectives covering Business, People, Governance, Platform, Security, and Operations
C.AWS CAF is only relevant for large enterprises migrating more than 1,000 servers
D.AWS CAF replaces the AWS Well-Architected Framework for architecture guidance
AnswerB

CAF provides a structured approach to cloud adoption with perspectives addressing business outcomes, organizational change, governance, technical platform, security, and operations.

Why this answer

Option B is correct because the AWS Cloud Adoption Framework (AWS CAF) organizes its guidance into six distinct perspectives: Business, People, Governance, Platform, Security, and Operations. These perspectives help organizations identify and address gaps in their cloud readiness across both business and technical domains, providing actionable best practices for cloud adoption.

Exam trap

The trap here is that candidates confuse AWS CAF with a compliance or security framework (like SOC 2 or PCI DSS) because of the word 'framework,' or assume it is only for large migrations, when in fact it is a holistic adoption guidance tool applicable to any organization regardless of size or migration scope.

How to eliminate wrong answers

Option A is wrong because AWS CAF is not a compliance framework like SOC 2 or PCI DSS; it is a strategic advisory framework that helps organizations plan and execute cloud adoption, not a certification or audit standard. Option C is wrong because AWS CAF is designed for organizations of all sizes and migration scales, not exclusively for large enterprises migrating more than 1,000 servers; it provides guidance for any cloud adoption journey. Option D is wrong because AWS CAF does not replace the AWS Well-Architected Framework; the Well-Architected Framework focuses on architectural best practices for building workloads, while AWS CAF addresses organizational readiness and transformation processes.

391
MCQmedium

A company runs a fleet of 100 EC2 instances and needs to remotely execute commands, apply patches, and collect inventory data across all instances without opening SSH ports. Which AWS service enables this?

A.AWS CloudShell
B.AWS Systems Manager
C.Amazon EC2 Instance Connect
D.AWS Config
AnswerB

Systems Manager enables fleet management including Run Command (remote script execution), Patch Manager, Inventory collection, and Session Manager (SSH-free interactive access) without requiring open inbound ports.

Why this answer

AWS Systems Manager is the correct service because it provides a unified interface to remotely execute commands, apply patches, and collect inventory data across EC2 instances without requiring SSH access. It uses the Systems Manager Agent (SSM Agent) installed on the instances and communicates over HTTPS (port 443), eliminating the need to open inbound SSH ports (port 22). This aligns directly with the requirement to manage a fleet of 100 instances securely and at scale.

Exam trap

The trap here is that candidates often confuse Amazon EC2 Instance Connect (which still requires SSH port 22 to be open) with a solution that avoids opening ports entirely, or they mistakenly think AWS CloudShell can directly manage EC2 instances, when it is only a shell for the AWS CLI.

How to eliminate wrong answers

Option A is wrong because AWS CloudShell is a browser-based shell environment for running AWS CLI commands, not a service for remotely executing commands or managing patches on EC2 instances. Option C is wrong because Amazon EC2 Instance Connect allows SSH access to instances via a one-time key push but still requires the SSH port (22) to be open in the security group, which violates the 'without opening SSH ports' constraint. Option D is wrong because AWS Config is a service for evaluating and auditing resource configurations against rules, not for executing commands, applying patches, or collecting inventory data on running instances.

392
MCQmedium

A company's security team needs to investigate a potential security incident. They want to determine which IAM user launched a new, unauthorized Amazon EC2 instance two days ago. The team needs to see the exact timestamp, the source IP address, and the instance type that was launched. Which AWS service should the security team use to find this information?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerB

AWS CloudTrail records all API calls, including the caller identity, timestamp, source IP address, and request parameters. This enables the security team to determine which IAM user launched the EC2 instance, when, and from where.

Why this answer

AWS CloudTrail is the correct service because it records API activity in your AWS account, including the exact timestamp, source IP address, and details (such as instance type) for every RunInstances API call. This allows the security team to trace the unauthorized EC2 launch back to the specific IAM user who made the request, as CloudTrail logs include the user identity, request parameters, and response elements.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with CloudTrail (which tracks who made the change and when), leading them to pick Config because they think 'configuration change' includes user identity, but Config does not log the principal or source IP.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking configuration changes over time, but it does not record who performed the action or the source IP address; it focuses on resource state, not API-level audit logs. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not provide a direct, queryable log of who launched a specific instance with exact timestamp and source IP; it generates findings, not raw API logs. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment to make recommendations for cost optimization, performance, security, and fault tolerance, but it does not log or provide historical API call details like user identity, timestamp, or source IP.

393
MCQeasy

A company wants to use machine learning to automatically identify objects, scenes, and activities in images uploaded by users. Which AWS service should they use?

A.Amazon Textract
B.Amazon SageMaker
C.Amazon Rekognition
D.Amazon Comprehend
AnswerC

Rekognition provides pre-trained ML models for image and video analysis including object detection, facial analysis, and scene recognition via simple API calls.

Why this answer

Amazon Rekognition is the correct service because it is specifically designed to analyze images and videos to identify objects, scenes, activities, faces, and text. It provides pre-trained machine learning models that can automatically detect these elements without requiring custom model training, making it ideal for the use case described.

Exam trap

The trap here is that candidates often confuse Amazon Rekognition with Amazon Textract or Amazon Comprehend, mistakenly thinking text extraction or NLP can handle visual analysis, when in fact Rekognition is the only service purpose-built for image and video content recognition.

How to eliminate wrong answers

Option A is wrong because Amazon Textract is a service for extracting text, handwriting, and data from scanned documents, not for identifying objects, scenes, or activities in images. Option B is wrong because Amazon SageMaker is a fully managed machine learning platform for building, training, and deploying custom models, which is overkill and not the pre-built solution needed for this specific task. Option D is wrong because Amazon Comprehend is a natural language processing (NLP) service used to extract insights from text, such as sentiment or entities, not for analyzing visual content.

394
Matchingmedium

Match each AWS security service to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manage user access and permissions

Create and manage encryption keys

DDoS protection

Web application firewall

Compliance reports and agreements

Why these pairings

Security services protect AWS environments.

395
MCQmedium

A company is preparing for a third-party security audit. The auditors require the company to provide up-to-date AWS compliance reports, such as the SOC 2 report and the ISO 27001 certificate, as part of the evidence. The company needs to access these documents from a centralized, self-service portal within their AWS account. They also need to accept the terms and conditions for the reports. Which AWS service should the company use to meet these requirements?

A.AWS Config
B.AWS Artifact
C.AWS Security Hub
D.AWS CloudTrail
AnswerB

AWS Artifact is the correct service. It provides a self-service portal for downloading AWS compliance reports and managing agreements. Customers can access SOC, ISO, PCI DSS reports, and accept agreements like the BAA directly from the console.

Why this answer

AWS Artifact is the correct service because it provides a centralized, self-service portal for accessing AWS compliance reports, such as SOC 2 and ISO 27001 certificates, directly within the AWS Management Console. It also allows users to accept the terms and conditions for these reports, fulfilling the audit requirements without needing to contact AWS support.

Exam trap

The trap here is that candidates may confuse AWS Artifact with AWS Config or AWS Security Hub, assuming those services also provide compliance reports, but only Artifact offers the specific self-service portal for downloading and accepting terms for AWS compliance documents.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and recording resource configurations against desired policies, not for accessing compliance reports or accepting terms. Option C is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services, but it does not provide direct access to downloadable compliance reports like SOC 2 or ISO 27001 certificates. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not offer a portal for accessing third-party compliance reports or accepting their terms.

396
MCQmedium

A company's finance team needs to analyze AWS spending in detail. They require a report that includes hourly cost data for each AWS service, each individual resource (e.g., a specific EC2 instance), and any cost allocation tags applied. The team plans to export this data to an Amazon S3 bucket and then import it into a custom business intelligence (BI) analytics dashboard. Which AWS tool should the finance team use to generate this level of detailed cost data?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
AnswerC

The AWS Cost and Usage Report (CUR) is the most comprehensive tool for cost and usage data. It can be configured to deliver hourly, daily, or monthly reports to an S3 bucket, including line items for individual resources and all user-defined cost allocation tags. This makes it ideal for ingestion into BI tools for detailed custom analysis.

Why this answer

The AWS Cost and Usage Report (CUR) is the correct tool because it provides the granular, hourly cost data broken down by AWS service, individual resource (e.g., specific EC2 instance IDs), and cost allocation tags. It can be delivered to an S3 bucket for integration with custom BI tools like Amazon QuickSight or third-party dashboards, meeting the finance team's exact requirements.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's visual summaries with the raw, exportable data needed for custom BI, overlooking that only CUR provides the granular, hourly, tag-level data in S3.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visualizations and high-level cost trends but does not support exporting raw, hourly-level data per resource or tags to S3 for custom BI ingestion. Option B is wrong because AWS Budgets only sends alerts based on cost or usage thresholds and does not generate detailed, exportable cost reports with hourly granularity. Option D is wrong because AWS Trusted Advisor offers cost optimization recommendations (e.g., idle resources) but does not produce hourly cost reports broken down by service, resource, or tags.

397
MCQeasy

A company operates 10 AWS accounts, each managed by a separate team. Each account runs its own Amazon EC2 instances and stores data in Amazon S3. The CFO wants to minimize overall costs by taking advantage of volume discount pricing tiers that AWS offers (e.g., lower per-GB storage costs as total S3 usage increases). Which AWS feature should the company use to combine usage from all accounts so they benefit from the highest possible volume discounts?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Organizations with consolidated billing
D.AWS Trusted Advisor
AnswerC

AWS Organizations enables consolidated billing, which aggregates the usage of all member accounts into a single monthly bill. The combined usage qualifies for volume discount pricing tiers for services like Amazon S3 and EC2, reducing overall costs.

Why this answer

AWS Organizations with consolidated billing allows you to aggregate usage from all member accounts into a single payer account. This combined usage qualifies for volume discount pricing tiers (e.g., lower S3 per-GB storage costs as total usage increases), enabling the company to benefit from the highest possible discounts across all 10 accounts.

Exam trap

The trap here is that candidates may confuse cost monitoring tools (Budgets, Cost Explorer) or advisory services (Trusted Advisor) with the actual billing aggregation feature required to unlock volume discounts, leading them to pick a wrong answer that sounds cost-related but does not combine usage across accounts.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a cost monitoring and alerting tool that tracks spending against defined thresholds, but it does not combine usage or apply volume discounts. Option B is wrong because AWS Cost Explorer provides visualization and analysis of historical and forecasted costs, but it does not aggregate usage across accounts for discount purposes. Option D is wrong because AWS Trusted Advisor inspects accounts for best practices (e.g., idle resources, security gaps) and offers cost optimization recommendations, but it cannot combine usage across separate accounts to achieve volume pricing tiers.

398
MCQmedium

A company ingests sensor data from IoT devices into an Amazon S3 bucket. The data is accessed frequently for the first 30 days, but after that, it is rarely queried. The company’s compliance policy requires all data to be retained for 7 years. The company wants to minimize storage costs by automatically moving data to more cost-effective storage classes as it ages, without any manual intervention. Which Amazon S3 feature should the company configure to meet these requirements?

A.S3 Lifecycle policy
B.S3 Object Lock
C.S3 Replication
D.S3 Transfer Acceleration
AnswerA

Correct. An S3 Lifecycle policy can automatically transition objects to cheaper storage classes (e.g., from S3 Standard to S3 Glacier Deep Archive) based on the object's age, meeting the cost-optimization and compliance requirements without manual intervention.

Why this answer

An S3 Lifecycle policy automates the transition of objects between storage classes based on age. By configuring a lifecycle rule to move objects to S3 Standard-IA or S3 One Zone-IA after 30 days, and then to S3 Glacier Deep Archive after a longer period, the company can meet the 7-year retention requirement while minimizing costs without manual intervention.

Exam trap

The trap here is that candidates may confuse S3 Object Lock (which only enforces retention, not cost-efficient transitions) with lifecycle policies, or think S3 Replication can change storage classes, but replication only copies objects and does not alter the source's storage class over time.

How to eliminate wrong answers

Option B (S3 Object Lock) is wrong because it prevents objects from being deleted or overwritten for a fixed retention period, but it does not automate transitions between storage classes to reduce costs. Option C (S3 Replication) is wrong because it asynchronously copies objects to another bucket for redundancy or compliance, but it does not change the storage class of the source objects over time. Option D (S3 Transfer Acceleration) is wrong because it speeds up uploads over long distances using AWS edge locations, but it has no effect on storage class transitions or cost optimization for aged data.

399
MCQmedium

A company's application runs on multiple AWS services across different geographic regions. The development team needs to access and manage these resources from their office using standard web browsers and API calls over the internet. The team does not need any dedicated private network connections. Which essential characteristic of cloud computing does this scenario best demonstrate?

A.Rapid elasticity
B.Broad network access
C.Resource pooling
D.Measured service
AnswerB

Broad network access is the correct characteristic. It means resources are available over the network and can be accessed by standard protocols (HTTP, HTTPS, SSH, etc.) from various devices, which matches the team using web browsers and APIs over the internet.

Why this answer

Broad network access is the correct answer because the scenario describes accessing AWS resources over the internet using standard web browsers and API calls, without requiring dedicated private network connections. This characteristic ensures that cloud services are available from any standard device (e.g., laptops, smartphones) using standard protocols such as HTTPS (port 443) and RESTful APIs, which is exactly what the development team needs.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'rapid elasticity' because both involve scalability, but broad network access is specifically about ubiquitous network accessibility via standard protocols, not about scaling resources.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to the ability to automatically scale resources up or down based on demand, not to accessing resources over the internet. Option C is wrong because resource pooling means the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, which is unrelated to network accessibility. Option D is wrong because measured service involves metering and billing for resource usage (e.g., pay-per-use), not the ability to access services via standard browsers and APIs.

400
MCQmedium

A company runs a mix of Amazon EC2 instances (different instance families) and AWS Fargate tasks across multiple AWS Regions. The cloud operations team wants to reduce costs while retaining maximum flexibility to change instance families, operating systems, and compute platforms (EC2 or Fargate) without losing the discount. They are willing to commit to a consistent amount of compute usage (measured in $/hour) for a 1-year term. Which AWS pricing model should they choose?

A.EC2 Instance Savings Plans
B.Compute Savings Plans
C.Reserved Instances (Standard)
D.Dedicated Hosts
AnswerB

Compute Savings Plans are the most flexible discount model. They apply to any Amazon EC2, Fargate, or Lambda usage, and automatically cover any instance family, region, operating system, or tenancy. The company can change workloads freely while still benefiting from the committed discount, making this the best choice.

Why this answer

Compute Savings Plans provide the most flexibility, applying to any EC2 instance family, any operating system, and any compute platform (including Fargate) across any region, as long as the hourly spend commitment is met. This matches the team's requirement to retain maximum flexibility to change instance families, OS, and compute platforms without losing the discount, for a 1-year term.

Exam trap

The trap here is that candidates often confuse EC2 Instance Savings Plans (which are family-specific) with Compute Savings Plans (which are fully flexible), leading them to choose the less flexible option when the question explicitly requires flexibility across instance families and platforms.

How to eliminate wrong answers

Option A is wrong because EC2 Instance Savings Plans are tied to a specific instance family within a region (e.g., m5 in us-east-1), so changing instance families or moving to Fargate would lose the discount. Option C is wrong because Reserved Instances (Standard) lock you to a specific instance family, OS, and tenancy in a specific region, and do not cover Fargate at all. Option D is wrong because Dedicated Hosts provide a physical server for licensing purposes but do not offer a discount based on a consistent hourly spend commitment; they are a billing model for dedicated hardware, not a flexible discount plan.

401
MCQmedium

Which AWS service provides a managed message broker for Apache ActiveMQ and RabbitMQ to help migrate existing messaging systems to the cloud?

A.Amazon SQS
B.Amazon SNS
C.Amazon MQ
D.Amazon Kinesis
AnswerC

Amazon MQ is the managed broker service for ActiveMQ and RabbitMQ with standard protocol support.

Why this answer

Amazon MQ is a managed message broker service that natively supports Apache ActiveMQ and RabbitMQ, making it the ideal choice for migrating existing messaging systems that rely on these protocols to the cloud without rewriting application code. It handles the provisioning, patching, and high availability of the broker infrastructure, allowing you to use standard JMS, AMQP, MQTT, and STOMP protocols.

Exam trap

The trap here is that candidates often confuse Amazon MQ with Amazon SQS or SNS because all three handle messaging, but only Amazon MQ provides managed brokers for ActiveMQ and RabbitMQ, which is specifically tested in migration scenarios.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a fully managed, pull-based queue service that uses a proprietary API and does not support ActiveMQ or RabbitMQ protocols, so it would require application code changes to migrate. Option B is wrong because Amazon SNS is a pub/sub notification service that uses HTTP/S, email, SMS, and Lambda triggers, not a message broker for ActiveMQ or RabbitMQ. Option D is wrong because Amazon Kinesis is a real-time data streaming service for ingesting and processing large data streams, not a message broker compatible with ActiveMQ or RabbitMQ.

402
MCQmedium

A security team suspects unauthorised network traffic is reaching a subnet in their VPC. They need to capture metadata about the IP traffic (source IP, destination IP, port, protocol, accept/reject status) flowing through their VPC network interfaces for analysis. Which AWS feature provides this network traffic metadata?

A.AWS CloudTrail
B.Amazon GuardDuty
C.VPC Flow Logs
D.AWS WAF logs
AnswerC

VPC Flow Logs capture IP traffic metadata including source IP, destination IP, port, protocol, and accept/reject status for traffic through VPC ENIs. Logs can be published to CloudWatch Logs or S3 for analysis.

Why this answer

VPC Flow Logs capture metadata about IP traffic flowing through VPC network interfaces, including source/destination IP addresses, ports, protocol numbers, and accept/reject status (based on security group and NACL rules). This is the correct service because it is specifically designed to log network traffic metadata at the VPC, subnet, or network interface level, enabling security analysis without impacting network performance.

Exam trap

The trap here is that candidates confuse VPC Flow Logs with CloudTrail or GuardDuty, mistakenly thinking that CloudTrail captures network traffic or that GuardDuty generates the raw metadata, when in fact VPC Flow Logs are the only service that directly captures the specified network traffic metadata at the interface level.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls and management events (e.g., who launched an EC2 instance), not network traffic metadata like IP addresses or ports. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and other data sources to identify malicious activity, but it does not itself generate or provide raw network traffic metadata. Option D is wrong because AWS WAF logs capture HTTP/HTTPS request details (e.g., URI, headers) for web ACL evaluations, not general IP traffic metadata across all protocols (e.g., TCP, UDP, ICMP) at the network interface level.

403
MCQmedium

Which AWS concept describes the strategy of designing applications so that any individual component can fail without causing the entire system to fail?

A.Economies of scale
B.Design for failure
C.Managed services adoption
D.Infrastructure as code
AnswerB

Design for failure assumes components will fail and builds applications to continue operating despite failures through redundancy, loose coupling, and isolation of failure domains.

Why this answer

B is correct because the 'design for failure' principle is a core AWS Well-Architected Framework concept that mandates building applications with no single point of failure. By distributing workloads across multiple Availability Zones and using services like Elastic Load Balancing (ELB) and Auto Scaling, a failure in one component (e.g., an EC2 instance) is isolated and automatically replaced, ensuring the system remains available. This contrasts with traditional monolithic designs where a single component failure can cascade into a full outage.

Exam trap

The trap here is that candidates confuse 'design for failure' with 'high availability' or 'disaster recovery,' but the question specifically asks about preventing a single component failure from causing total system failure—a core tenet of fault isolation, not just uptime metrics.

How to eliminate wrong answers

Option A is wrong because 'economies of scale' refers to the cost advantages AWS achieves by aggregating usage across many customers, which it passes on as lower pay-as-you-go prices; it is a pricing benefit, not a fault-tolerance design strategy. Option C is wrong because 'managed services adoption' (e.g., using Amazon RDS instead of self-managed databases) reduces operational overhead but does not inherently guarantee that a component failure won't bring down the entire system—fault isolation must still be architected. Option D is wrong because 'infrastructure as code' (e.g., using AWS CloudFormation or Terraform) automates provisioning and configuration management, but it does not by itself prevent a single component failure from causing a system-wide outage; it is an operational practice, not a resilience design pattern.

404
MCQmedium

A company currently owns and operates its own data center. They are considering moving to AWS. Which economic benefit describes the elimination of the costs associated with purchasing, maintaining, and cooling physical servers?

A.Economies of scale
B.Stop spending money running and maintaining data centers
C.Go global in minutes
D.Increase speed and agility
AnswerB

By moving to AWS, companies eliminate costs for physical hardware, cooling, power, physical security, and data center staff — redirecting that spend to business value.

Why this answer

Option B is correct because moving to AWS eliminates the capital and operational expenses associated with owning and operating physical servers, including procurement, maintenance, cooling, and facility management. This aligns with the AWS value proposition of shifting from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model, where customers pay only for the resources they consume.

Exam trap

The trap here is that candidates often confuse 'economies of scale' (a broad pricing benefit) with the specific elimination of data center operational costs, leading them to incorrectly select option A.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to the cost advantages AWS achieves through massive infrastructure aggregation, which are passed to customers as lower pay-as-you-go prices, not the direct elimination of data center costs. Option C is wrong because going global in minutes describes the ability to deploy infrastructure in multiple AWS Regions quickly, which is a benefit of global reach, not the removal of physical server costs. Option D is wrong because increase speed and agility refers to the ability to provision and iterate resources rapidly using automation and self-service, not the specific elimination of data center operational expenses.

405
MCQmedium

A company runs multiple workloads on Amazon EC2 instances. They expect consistent usage for the next three years but want the flexibility to change instance families (for example, from M5 to C5) if performance requirements shift. Which AWS pricing model meets these requirements while providing a significant discount over On-Demand pricing?

A.Reserved Instances (Standard)
B.Compute Savings Plans
C.EC2 Instance Savings Plans
D.Spot Instances
AnswerB

Compute Savings Plans apply to any EC2 instance family, any size, in any region, and also cover Fargate and Lambda usage. This gives the company the flexibility to change instance families while still receiving a significant discount over On-Demand rates, making it the correct choice.

Why this answer

Compute Savings Plans (Option B) offer a significant discount (up to 66%) over On-Demand pricing in exchange for a commitment to a consistent amount of compute usage (measured in $/hour) for a 1- or 3-year term. Unlike Reserved Instances, Savings Plans are flexible across instance families (e.g., M5 to C5), regions, OS, and tenancy, making them ideal for workloads that may need to change instance types over time while still receiving a discounted rate.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with EC2 Instance Savings Plans, assuming both offer cross-family flexibility, but only Compute Savings Plans allow changing instance families (e.g., M5 to C5) while EC2 Instance Savings Plans are locked to a specific family.

How to eliminate wrong answers

Option A is wrong because Standard Reserved Instances lock you into a specific instance family (e.g., M5) and region; changing to a different family (e.g., C5) would require purchasing new RIs or incurring modification fees, reducing flexibility. Option C is wrong because EC2 Instance Savings Plans are tied to a specific instance family within a region (e.g., M5 in us-east-1), so they do not allow switching between families like M5 and C5. Option D is wrong because Spot Instances offer deep discounts but can be interrupted with a 2-minute warning when AWS needs capacity back, making them unsuitable for consistent, long-term workloads that require reliability over three years.

406
MCQeasy

A company wants to enable HTTPS on their Application Load Balancer using an SSL/TLS certificate. They want a managed service that provisions, renews, and deploys the certificate automatically at no cost for certificates used with integrated AWS services. Which AWS service provides this?

A.AWS KMS
B.AWS Secrets Manager
C.AWS Certificate Manager
D.AWS IAM
AnswerC

ACM provisions free SSL/TLS certificates for AWS-integrated services (ALB, CloudFront, API Gateway) and automatically renews them before expiration. This eliminates the cost and manual effort of certificate management.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is a managed service that provisions, renews, and deploys SSL/TLS certificates automatically at no additional cost when used with integrated AWS services like Application Load Balancers. ACM handles the entire certificate lifecycle, including automatic renewal before expiration, and integrates natively with ALB to enable HTTPS without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS Secrets Manager with ACM because both involve 'secrets' and 'rotation,' but Secrets Manager does not handle SSL/TLS certificate provisioning or deployment to load balancers, and it incurs costs per secret.

How to eliminate wrong answers

Option A is wrong because AWS KMS (Key Management Service) is a service for creating and managing encryption keys, not SSL/TLS certificates; it does not provision or renew certificates for HTTPS. Option B is wrong because AWS Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates for load balancers; it does not automatically deploy certificates to ALB. Option D is wrong because AWS IAM (Identity and Access Management) can be used to upload and manage SSL/TLS certificates as server certificates for legacy use, but it does not provide automatic provisioning, renewal, or deployment, and certificates managed in IAM incur costs and require manual renewal.

407
MCQeasy

What does the AWS Free Tier offer to new AWS customers?

A.Unlimited free usage of all AWS services forever
B.Free usage of certain services up to specified limits for 12 months
C.Free usage only for the first month after signup
D.Free usage for all services with a credit card on file
AnswerB

The Free Tier offers limited free usage for 12 months plus some always-free services.

Why this answer

The AWS Free Tier is designed to allow new customers to explore and experiment with AWS services at no cost for the first 12 months after sign-up. It includes specific usage limits per service (e.g., 750 hours of Amazon EC2 t2.micro instances per month, 5 GB of Amazon S3 standard storage, etc.), after which standard pay-as-you-go rates apply. This helps customers gain hands-on experience without upfront financial commitment.

Exam trap

The trap here is that candidates often assume the Free Tier covers all services indefinitely or for a very short period, but the exam tests the precise 12-month duration and the specific per-service limits (e.g., 750 EC2 hours, 5 GB S3 storage) that define the offer.

How to eliminate wrong answers

Option A is wrong because the Free Tier does not offer unlimited free usage of all services forever; it has defined limits per service and a 12-month expiration for the initial tier, after which only certain always-free services (like 10 GB of CloudWatch Logs) remain available. Option C is wrong because the Free Tier provides free usage for 12 months, not just the first month after signup; the 12-month period starts from the account creation date. Option D is wrong because the Free Tier does not require a credit card on file for free usage; while AWS does require a valid payment method for account creation, the Free Tier itself is not contingent on having a credit card on file—it is a promotional offer with service-specific caps.

408
MCQmedium

A financial services company is preparing for an annual compliance audit. The compliance team needs to continuously assess whether their AWS environment adheres to industry standards such as PCI DSS. They want to automate the collection of evidence, such as IAM policy changes and S3 bucket configurations, and generate audit-ready reports. They also need to identify gaps in their controls and receive remediation recommendations. Which AWS service should the company use?

A.AWS Config
B.AWS Audit Manager
C.AWS Artifact
D.AWS Security Hub
AnswerB

AWS Audit Manager helps you continuously assess your AWS usage to simplify risk assessment and compliance with regulations and industry standards. It automatically collects evidence from various AWS services, maps it to controls in frameworks like PCI DSS, and generates audit-ready reports. It also identifies control gaps and provides remediation recommendations.

Why this answer

AWS Audit Manager is the correct choice because it is specifically designed to continuously assess compliance with industry standards like PCI DSS. It automates the collection of evidence (e.g., IAM policy changes, S3 bucket configurations) and generates audit-ready reports, while also identifying control gaps and providing remediation recommendations. This directly matches the company's need for automated evidence collection and gap analysis.

Exam trap

The trap here is that candidates often confuse AWS Audit Manager with AWS Config or AWS Security Hub, but Audit Manager is the only service that combines automated evidence collection, framework-specific assessments, and remediation recommendations for compliance audits.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for recording and evaluating resource configuration changes against rules, but it does not generate audit-ready reports or provide remediation recommendations for compliance frameworks like PCI DSS. Option C is wrong because AWS Artifact is a self-service portal for downloading compliance reports and agreements (e.g., SOC reports, PCI DSS attestations), but it does not automate evidence collection or assess live AWS environments. Option D is wrong because AWS Security Hub aggregates security findings from multiple services and provides a consolidated view of security posture, but it does not generate audit-ready reports or offer remediation recommendations specific to compliance frameworks like PCI DSS.

409
MCQmedium

A company uses multiple AWS accounts to store data in Amazon S3. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled. The team needs a service that can continuously monitor all S3 bucket configurations across all accounts, automatically detect any bucket that does not have encryption enabled, and automatically apply the encryption setting to bring the bucket into compliance. Which AWS service should the team use?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Security Hub
D.AWS CloudTrail
AnswerA

AWS Config continuously evaluates resource configurations against rules and can automatically remediate non-compliant resources, such as enabling encryption on S3 buckets.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. Using a managed rule like 's3-bucket-server-side-encryption-enabled', AWS Config can automatically detect S3 buckets that lack server-side encryption and, through AWS Config rules with auto-remediation (via Systems Manager Automation or Lambda), automatically apply the encryption setting to bring non-compliant buckets into compliance.

Exam trap

The trap here is that candidates often confuse AWS Config's monitoring and remediation capabilities with AWS Security Hub's aggregation or Trusted Advisor's advisory checks, forgetting that only AWS Config can both detect and automatically fix non-compliant resource configurations.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous monitoring or automatic remediation of S3 bucket encryption settings; it only gives a one-time or periodic assessment. Option C is wrong because AWS Security Hub aggregates security findings from multiple services (like AWS Config) and provides a centralized view, but it cannot directly monitor S3 bucket configurations or automatically apply encryption settings on its own. Option D is wrong because AWS CloudTrail records API activity and events for auditing, but it does not evaluate resource configurations or enforce compliance policies; it only logs actions after they occur.

410
MCQmedium

Which AWS service enables no-code integration between SaaS applications (like Salesforce, ServiceNow, Zendesk) and AWS services for automated data flows?

A.AWS DataSync
B.Amazon AppFlow
C.AWS Glue
D.Amazon EventBridge
AnswerB

AppFlow provides no-code SaaS-to-AWS data integration with pre-built connectors for dozens of SaaS providers, data transformation, and scheduling — no custom integration code required.

Why this answer

Amazon AppFlow is the correct service because it is specifically designed for no-code integration between SaaS applications (such as Salesforce, ServiceNow, and Zendesk) and AWS services, enabling automated data flows without writing any code. It supports bi-directional data transfer, transformation, and filtering, making it ideal for syncing customer records or support tickets directly into Amazon S3 or Redshift.

Exam trap

The trap here is that candidates often confuse Amazon EventBridge's event routing capability with the actual data integration and transformation features of AppFlow, assuming EventBridge can directly pull data from SaaS apps without custom code.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises storage and AWS (e.g., NFS/SMB to S3/EFS), not for integrating SaaS applications. Option C is wrong because AWS Glue is a serverless ETL service that requires writing or generating code (e.g., PySpark or Scala) for data preparation and cataloging, not a no-code SaaS integration tool. Option D is wrong because Amazon EventBridge is an event bus service for routing events between AWS services and custom applications, but it does not provide built-in connectors for SaaS applications like Salesforce or ServiceNow for automated data flows without custom code.

411
MCQmedium

A company runs a public-facing e-commerce website on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team has discovered that attackers are attempting SQL injection attacks through the website's search feature. The company wants to use a managed AWS service to inspect incoming HTTP requests and block these malicious payloads before they reach the application. Which AWS service should the company use?

A.AWS Shield Standard
B.AWS WAF
C.Network ACLs
D.Amazon GuardDuty
AnswerB

AWS WAF is a web application firewall that inspects HTTP and HTTPS requests and can block common threats such as SQL injection and cross-site scripting. It integrates directly with Application Load Balancers, Amazon CloudFront, and API Gateway, making it the correct service for this use case.

Why this answer

AWS WAF is a managed web application firewall that allows you to create rules to inspect HTTP/HTTPS requests and block common attack patterns, such as SQL injection and cross-site scripting. By associating a WAF web ACL with the Application Load Balancer, the company can filter incoming traffic and block malicious payloads before they reach the EC2 instances.

Exam trap

The trap here is that candidates often confuse AWS Shield (which protects against DDoS at Layer 3/4) with AWS WAF (which protects against application-layer attacks like SQL injection), leading them to choose Shield Standard instead of WAF.

How to eliminate wrong answers

Option A is wrong because AWS Shield Standard provides only basic DDoS protection against network and transport layer attacks (e.g., SYN floods, UDP floods) and does not inspect application-layer payloads like SQL injection strings. Option C is wrong because Network ACLs are stateless firewall rules that operate at the subnet level (Layer 3/4) and cannot inspect HTTP request bodies or headers for SQL injection patterns. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not actively block incoming HTTP requests in real time.

412
MCQmedium

A startup is using the AWS Free Tier for the first time. They have launched an Amazon EC2 t2.micro instance and are storing 10 GB of data in Amazon S3 Standard. The startup wants to ensure they do not incur any charges beyond the Free Tier limits. They need a managed AWS service that can automatically monitor their usage against the Free Tier allowances and send them a notification if they are approaching or exceeding those limits. Which AWS service should the startup use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Billing Conductor
AnswerB

AWS Budgets allows you to create a Free Tier budget that tracks your usage against the Free Tier allowances. You can set alert thresholds (e.g., when usage reaches 80% or 100%) and receive email or SNS notifications. This is the correct service for automated monitoring and alerting on Free Tier usage.

Why this answer

AWS Budgets is the correct service because it allows you to create a cost budget that monitors your actual and forecasted AWS spend against a specified threshold (e.g., the Free Tier limits). You can configure an alert action to send an SNS notification when usage approaches or exceeds the budgeted amount, ensuring proactive notification without manual oversight.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (a historical reporting tool) with AWS Budgets (a proactive alerting service), or they assume Trusted Advisor handles all cost monitoring, when in fact Trusted Advisor only provides recommendations and does not send threshold-based alerts for Free Tier limits.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analytics tool for exploring historical cost data, not a proactive monitoring or alerting service for Free Tier limits. Option C is wrong because AWS Trusted Advisor inspects your AWS environment for best practices (e.g., security, performance, fault tolerance) and provides cost optimization recommendations, but it does not automatically monitor usage against Free Tier allowances or send threshold-based notifications. Option D is wrong because AWS Billing Conductor is a tool for customizing billing reports and allocating costs across business units, not for monitoring Free Tier usage or sending alerts.

413
MCQeasy

AWS can offer lower pay-as-you-go pricing than a single company could achieve operating its own data centre because AWS aggregates usage from hundreds of thousands of customers. Which cloud computing benefit does this describe?

A.Trade capital expense for variable expense
B.Benefit from massive economies of scale
C.Increase speed and agility
D.Go global in minutes
AnswerB

AWS aggregates demand from hundreds of thousands of customers, achieving purchasing power and operational efficiencies that translate into lower prices than any individual company could achieve building and running their own data centres.

Why this answer

The scenario describes AWS aggregating usage from hundreds of thousands of customers to achieve lower per-unit costs than a single company could achieve operating its own data center. This is the direct definition of economies of scale, where the massive scale of AWS's infrastructure (e.g., purchasing power for hardware, optimized data center design) reduces the average cost per customer, enabling lower pay-as-you-go pricing.

Exam trap

The trap here is that candidates confuse 'economies of scale' with 'trade capital expense for variable expense' (Option A), because both relate to cost savings, but the question specifically describes the cost reduction from aggregated customer usage, not the payment model shift.

How to eliminate wrong answers

Option A is wrong because trading capital expense for variable expense describes the shift from upfront hardware purchases to pay-as-you-go operational costs, not the cost reduction from aggregated usage. Option C is wrong because increasing speed and agility refers to the ability to rapidly provision resources (e.g., via AWS CloudFormation or APIs), not the cost benefit from aggregated customer usage. Option D is wrong because going global in minutes describes the ability to deploy resources across AWS Regions (e.g., using Route 53 or CloudFront) for low-latency global reach, not the cost advantage from aggregated usage.

414
MCQmedium

A company runs a monolithic order processing application on a single Amazon EC2 instance. During peak hours, the instance receives a sudden burst of orders that exceeds its processing capacity. Orders are dropped and customers do not receive confirmations. The company needs a solution that buffers incoming orders, stores them durably, and allows the application to process them at a manageable pace. The solution must be fully managed and ensure that no orders are lost. Which AWS service should the company use to meet these requirements?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Firehose
D.Amazon ElastiCache
AnswerA

SQS is a fully managed message queue that reliably stores messages until consumers retrieve them. It decouples the order submission from processing, buffering bursts and preventing loss.

Why this answer

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that decouples application components. It durably stores incoming orders in a queue, allowing the EC2 instance to poll and process them at its own pace, preventing order loss during traffic bursts. SQS guarantees at-least-once delivery and provides a buffer that absorbs spikes in demand.

Exam trap

The trap here is that candidates confuse SNS (push-based) with SQS (pull-based), assuming any notification or messaging service can buffer orders, but only SQS provides the durable, decoupled queue needed for the application to process at its own pace.

How to eliminate wrong answers

Option B (Amazon SNS) is wrong because it is a pub/sub messaging service that pushes messages to subscribers; it does not buffer messages or allow the application to pull them at a manageable pace, and messages are lost if the subscriber is unavailable. Option C (Amazon Kinesis Data Firehose) is wrong because it is designed for streaming data ingestion into data stores like S3 or Redshift, not for decoupling a single application's processing; it does not provide a queue for the application to pull from at its own pace. Option D (Amazon ElastiCache) is wrong because it is an in-memory caching service that does not provide durable message storage or guaranteed message delivery; it is not designed for buffering and decoupling workloads.

415
MCQmedium

Which AWS service provides a managed way to create, control, and rotate encryption keys used to protect your data?

A.AWS Certificate Manager
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS CloudHSM
AnswerC

KMS is the dedicated managed service for creating and controlling encryption keys.

Why this answer

AWS Key Management Service (KMS) is the correct answer because it is a fully managed service that allows you to create, control, and rotate encryption keys used to protect your data. KMS integrates with other AWS services to encrypt data at rest and provides centralized key management, including automatic annual rotation for customer-managed keys. It uses hardware security modules (HSMs) to protect key material, but the service itself handles the management and rotation lifecycle.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager (which rotates secrets) with KMS (which rotates encryption keys), but Secrets Manager does not create or manage the encryption keys themselves—it uses KMS for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates, not encryption keys for data protection; it handles certificate provisioning, renewal, and deployment, but does not create or rotate symmetric encryption keys. Option B is wrong because AWS Secrets Manager is designed to securely store, retrieve, and rotate secrets such as database credentials and API keys, not to create or manage encryption keys; while it can rotate secrets, it relies on KMS to encrypt those secrets at rest. Option D is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) that give you full control over the HSM appliance and key management, but it is not a managed service for creating, controlling, and rotating keys—you must manage the HSM cluster, key policies, and rotation yourself, and it does not offer automatic key rotation.

416
MCQmedium

A company's security policy requires that all Amazon S3 buckets have default encryption enabled (SSE-S3 or SSE-KMS). A recent audit found several buckets without encryption enabled. The company wants an automated solution to continuously monitor all existing and new S3 buckets, detect any bucket that does not have default encryption enabled, and automatically remediate by enabling encryption. The solution must also maintain a compliance score and allow the security team to review non-compliant resources. Which AWS service should the company use to meet these requirements?

A.AWS Config with a managed rule (s3-bucket-server-side-encryption-enabled) and an automatic remediation action using an AWS Systems Manager Automation document
B.Amazon GuardDuty with a finding type for S3 bucket encryption
C.AWS Trusted Advisor with the S3 Bucket Permissions check
D.AWS CloudTrail with a trail that logs S3 API calls and an Amazon CloudWatch alarm
AnswerA

AWS Config continuously evaluates resource configurations against rules. The managed rule checks for S3 bucket default encryption. Automatic remediation via Systems Manager Automation can enable encryption on non-compliant buckets. This meets all stated requirements: continuous monitoring, detection, remediation, compliance score, and review capability.

Why this answer

AWS Config with the managed rule `s3-bucket-server-side-encryption-enabled` continuously evaluates S3 buckets against the encryption requirement. When a non-compliant bucket is detected, an automatic remediation action can invoke an AWS Systems Manager Automation document to enable default encryption (SSE-S3 or SSE-KMS). AWS Config also provides a compliance score dashboard and allows the security team to review non-compliant resources, meeting all stated requirements.

Exam trap

The trap here is that candidates confuse AWS Config's compliance evaluation and remediation capabilities with GuardDuty's threat detection or Trusted Advisor's advisory checks, but only AWS Config provides continuous monitoring, automated remediation, and a compliance score for resource configuration rules.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity (e.g., unusual API calls, credential compromise) and does not have a finding type for S3 bucket encryption compliance; it cannot detect or remediate missing default encryption. Option C is wrong because AWS Trusted Advisor's S3 Bucket Permissions check only reviews bucket access policies (e.g., public read/write), not server-side encryption settings, and it does not provide automated remediation or a compliance score. Option D is wrong because AWS CloudTrail logs S3 API calls (e.g., PutBucketEncryption) but cannot evaluate encryption configuration state, trigger remediation, or maintain a compliance score; CloudWatch alarms can only react to metric thresholds, not enforce encryption policies.

417
Matchingmedium

Match each AWS database service to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Managed relational database

NoSQL key-value and document database

Data warehousing

In-memory caching

MySQL/PostgreSQL-compatible relational database

Why these pairings

AWS offers diverse database options.

418
Multi-Selectmedium

A company wants to adopt AWS and is performing a readiness assessment. The AWS Cloud Adoption Framework (CAF) identifies which two areas that most cloud migrations fail to address adequately?

Select 2 answers
A.Platform and Security perspectives
B.People and Governance perspectives
C.Business and Operations perspectives
D.Platform and Operations perspectives
AnswersB, C

CAF identifies People (organizational change, training, culture) and Governance (risk management, finance management, program management) as frequently underaddressed — technical teams focus on Platform and Security while neglecting these enabling factors.

Why this answer

The AWS Cloud Adoption Framework (CAF) identifies that most cloud migrations fail because organizations neglect the People and Governance perspectives. The People perspective focuses on change management, training, and organizational culture, while the Governance perspective ensures that policies, compliance, and oversight mechanisms are in place to manage cloud risks and costs. Without addressing these two areas, even technically sound migrations can stall due to lack of stakeholder buy-in or uncontrolled spending.

Exam trap

The trap here is that candidates often assume the most critical failure areas are technical (Platform, Security, Operations) because those are the most visible, but the CAF explicitly calls out People and Governance as the root causes of migration failures.

419
MCQmedium

A company is preparing for a PCI DSS compliance audit. The security team needs to ensure that all AWS API calls are logged and that the logs are continuously analyzed for suspicious or unauthorized activity. The team wants a managed security service that uses machine learning to identify threats, generates findings for review, and can trigger automated remediation through AWS Lambda. Which AWS service should the team use?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.Amazon Inspector
AnswerB

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior using machine learning and integrated threat intelligence. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs, generates findings, and can trigger automated responses through AWS Lambda, meeting all the requirements.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to continuously monitor AWS API calls (via CloudTrail), VPC Flow Logs, and DNS logs for suspicious activity. It generates actionable security findings and can trigger automated remediation through AWS Lambda, making it the correct choice for the described requirements.

Exam trap

The trap here is that candidates confuse AWS CloudTrail's logging capability with GuardDuty's threat detection, overlooking that CloudTrail alone does not analyze logs or trigger automated responses.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail only logs API calls and does not analyze them for threats or use machine learning to identify suspicious activity; it lacks built-in threat detection and automated remediation capabilities. Option C is wrong because AWS Config evaluates resource configurations against compliance rules and does not analyze API call logs for threats or use machine learning for threat detection. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not API call logs or continuous threat detection.

420
MCQeasy

Which AWS service provides recommendations to help reduce costs, such as identifying idle EC2 instances, underutilized EBS volumes, and unassociated Elastic IPs?

A.AWS Cost Explorer
B.AWS Trusted Advisor
C.Amazon CloudWatch
D.AWS Pricing Calculator
AnswerB

Trusted Advisor provides automated best-practice checks and recommendations for cost optimization, including idle resources, underutilized capacity, and savings opportunities.

Why this answer

AWS Trusted Advisor is the correct service because it provides automated cost optimization recommendations by analyzing your AWS environment. It specifically identifies idle EC2 instances, underutilized EBS volumes, and unassociated Elastic IPs, which are common sources of wasted spend. These checks are part of the cost optimization category within Trusted Advisor, and they help you reduce costs by right-sizing or releasing unused resources.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (which shows cost data) with Trusted Advisor (which provides actionable recommendations), leading them to choose Cost Explorer because it sounds cost-related, but it lacks the specific idle resource detection logic.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing, understanding, and managing your AWS costs and usage over time, but it does not proactively identify idle resources or provide specific recommendations like Trusted Advisor does. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms; it can track utilization but lacks built-in cost optimization checks for idle EC2 instances or unassociated Elastic IPs. Option D is wrong because AWS Pricing Calculator is a planning tool used to estimate costs for new architectures or migrations, not a service that analyzes existing resources to identify waste or provide recommendations.

421
MCQmedium

A company runs a combination of Amazon EC2 instances and AWS Lambda functions for its applications. The finance team wants to reduce costs by making a commitment to a consistent amount of compute usage (measured in dollars per hour) for a 1-year term. The team wants the flexibility to change instance families, sizes, and AWS regions, and also wants the commitment to cover both EC2 and Lambda usage. Which AWS pricing option should the team purchase?

A.Compute Savings Plans
B.EC2 Instance Savings Plans
C.Reserved Instances
D.Spot Instances
AnswerA

Compute Savings Plans apply to EC2, Lambda, and Fargate usage and provide flexibility across instance families, regions, and operating systems. They are the correct choice for the team's requirements.

Why this answer

Compute Savings Plans provide the required flexibility to change instance families, sizes, and AWS regions, and they automatically apply to both EC2 and Lambda usage. This plan offers a discounted hourly rate in exchange for a 1-year commitment to a consistent amount of compute spend (measured in dollars per hour), making it the only option that meets all the stated requirements.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with EC2 Instance Savings Plans, mistakenly thinking the latter offers the same flexibility, but EC2 Instance Savings Plans are restricted to a single instance family and do not cover Lambda or Fargate.

How to eliminate wrong answers

Option B is wrong because EC2 Instance Savings Plans are locked to a specific instance family within a region, so they do not allow changing instance families or regions, and they do not cover Lambda usage. Option C is wrong because Reserved Instances are tied to a specific instance type, size, and Availability Zone (or region for regional RIs), and they do not apply to Lambda usage. Option D is wrong because Spot Instances are not a commitment-based pricing model; they offer significant discounts but can be terminated by AWS at any time, and they do not cover Lambda usage.

422
MCQhard

Which AWS pricing model allows customers to commit to a consistent amount of compute usage (measured in $/hour) for a 1 or 3-year term in exchange for significant discounts, without being locked to specific instance types?

A.Standard Reserved Instances
B.Spot Instances
C.Compute Savings Plans
D.Convertible Reserved Instances
AnswerC

Compute Savings Plans offer flexible discounts across any EC2 instance in exchange for a consistent $/hour commitment.

Why this answer

Compute Savings Plans offer the flexibility to commit to a consistent amount of compute usage (measured in $/hour) for a 1- or 3-year term, providing significant discounts (up to 66%) without requiring you to lock into specific instance types, families, or regions. This model automatically applies the discount to any EC2 instance, Fargate, or Lambda usage within the committed compute commitment, making it the correct answer.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with Reserved Instances, assuming that any long-term commitment must lock you to a specific instance type, but Compute Savings Plans specifically decouple the commitment from instance type details.

How to eliminate wrong answers

Option A is wrong because Standard Reserved Instances require you to commit to a specific instance family (e.g., m5.large) in a specific region, locking you into that exact configuration, which contradicts the question's requirement of not being locked to specific instance types. Option B is wrong because Spot Instances use spare EC2 capacity and offer discounts but do not involve a 1- or 3-year commitment; they can be terminated by AWS at any time with a 2-minute warning, making them unsuitable for a consistent, long-term commitment. Option D is wrong because Convertible Reserved Instances, while offering flexibility to change instance families, still require you to commit to a specific instance type at the time of purchase and only allow changes via exchange, not the free-form usage flexibility of Compute Savings Plans.

423
Drag & Dropmedium

Drag and drop the steps to create an IAM user with programmatic access and attach a policy in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IAM user creation involves enabling programmatic access, attaching policies, and securely storing credentials.

424
MCQmedium

A company wants to automate the deployment of its infrastructure across multiple AWS environments (development, staging, production). The operations team needs to define all AWS resources (such as Amazon EC2 instances, security groups, and load balancers) in a declarative JSON or YAML template. They want to version control these templates, quickly replicate the entire infrastructure in a new region, and ensure that each deployment is consistent and repeatable. Which AWS service should the company use to achieve this?

A.AWS CloudFormation
B.AWS Elastic Beanstalk
C.AWS OpsWorks
D.AWS CodePipeline
AnswerA

CloudFormation is the correct service because it provides Infrastructure as Code using declarative JSON or YAML templates to define and provision AWS resources consistently across environments. Templates can be version-controlled, and stacks can be replicated in different regions.

Why this answer

AWS CloudFormation is the correct choice because it allows you to define all AWS resources (EC2 instances, security groups, load balancers) in a declarative JSON or YAML template. These templates can be version-controlled, enabling you to replicate the entire infrastructure in a new region by simply reusing the same template, ensuring consistent and repeatable deployments across environments.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk (which also uses templates but is application-focused) with CloudFormation, or they think AWS CodePipeline can define infrastructure directly, but CodePipeline only orchestrates pipelines and relies on other services like CloudFormation for provisioning.

How to eliminate wrong answers

Option B (AWS Elastic Beanstalk) is wrong because it is a Platform-as-a-Service (PaaS) that abstracts infrastructure management and is not designed for declarative infrastructure-as-code templates; it focuses on deploying applications, not defining raw AWS resources in JSON/YAML. Option C (AWS OpsWorks) is wrong because it uses Chef or Puppet for configuration management, not declarative JSON/YAML templates, and is more suited for managing server configurations rather than provisioning infrastructure resources. Option D (AWS CodePipeline) is wrong because it is a continuous integration and continuous delivery (CI/CD) service that orchestrates build, test, and deploy phases, but it does not itself define infrastructure resources in a declarative template; it can integrate with CloudFormation but is not the service for defining resources.

425
MCQeasy

A developer needs to launch a test EC2 instance for a new prototype. The developer logs into the AWS Management Console, selects an instance type, and launches the instance without contacting AWS support or waiting for approval. Which cloud computing characteristic does this demonstrate?

A.Broad network access
B.On-demand self-service
C.Resource pooling
D.Measured service
AnswerB

On-demand self-service allows users to provision compute capabilities as needed automatically, without requiring human interaction from each service provider. Launching EC2 instances via the console without contacting AWS support exemplifies this.

Why this answer

The scenario describes a developer independently provisioning an EC2 instance through the AWS Management Console without requiring human interaction with AWS support. This directly aligns with the NIST definition of on-demand self-service, a core characteristic of cloud computing where users can unilaterally provision computing capabilities as needed automatically.

Exam trap

The trap here is that candidates confuse 'on-demand self-service' with 'broad network access' because both involve network-based interaction, but the key differentiator is the absence of human intervention in the provisioning process, not the method of access.

How to eliminate wrong answers

Option A is wrong because broad network access refers to capabilities being available over the network and accessed through standard mechanisms (e.g., HTTPS, SSH), not the ability to provision resources without approval. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, not the user's ability to self-provision. Option D is wrong because measured service involves cloud systems automatically controlling and optimizing resource use by leveraging a metering capability, which is about usage monitoring and billing, not the self-service provisioning action.

426
MCQmedium

A company operates three separate AWS accounts, one for production, one for development, and one for testing. The finance team wants to receive a single monthly invoice that shows the total charges from all three accounts combined. They also want to aggregate usage across accounts to benefit from volume discounts on Amazon S3 and Amazon EC2. Additionally, the team wants to apply a single payment method (credit card) to cover charges for all accounts. Which AWS feature should the finance team use to meet these requirements?

A.AWS Budgets
B.AWS Cost Explorer
C.Consolidated Billing through AWS Organizations
D.AWS Cost and Usage Report
AnswerC

Consolidated Billing is a feature of AWS Organizations that combines usage and costs from all member accounts into a single invoice, allows volume discounts based on aggregated usage, and supports a single payment method for the entire organization.

Why this answer

Consolidated Billing through AWS Organizations is the correct feature because it allows the finance team to link multiple AWS accounts under a single organization, enabling a single monthly invoice that aggregates charges from all accounts. This aggregation also combines usage across accounts for services like Amazon S3 and Amazon EC2, allowing the team to benefit from volume discounts. Additionally, Consolidated Billing supports a single payment method (credit card) that covers charges for all linked accounts, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse cost management tools (like Budgets or Cost Explorer) with billing consolidation features, not realizing that only Consolidated Billing through AWS Organizations provides the single invoice, aggregated usage, and unified payment method required.

How to eliminate wrong answers

Option A (AWS Budgets) is wrong because it is a tool for setting cost and usage budgets and sending alerts, not for consolidating billing or aggregating usage across accounts. Option B (AWS Cost Explorer) is wrong because it is a visualization and analysis tool for exploring cost and usage data, not a mechanism to combine accounts into a single invoice or apply a single payment method. Option D (AWS Cost and Usage Report) is wrong because it provides detailed cost and usage data for export, but it does not consolidate billing across multiple accounts or enable a single payment method.

427
MCQmedium

A company wants to accelerate their machine learning workflows by using pre-trained foundation models for tasks like text generation and image creation without training models from scratch. Which AWS service provides access to pre-trained foundation models via API?

A.Amazon SageMaker
B.Amazon Rekognition
C.Amazon Bedrock
D.AWS DeepComposer
AnswerC

Amazon Bedrock provides serverless API access to foundation models from Amazon, Anthropic, Meta, Stability AI, and others — enabling generative AI applications without managing model training or inference infrastructure.

Why this answer

Amazon Bedrock is a fully managed service that provides access to pre-trained foundation models (FMs) from leading AI providers like AI21 Labs, Anthropic, Cohere, Meta, Stability AI, and Amazon via a single API. It enables you to build generative AI applications for tasks such as text generation and image creation without managing underlying infrastructure or training models from scratch.

Exam trap

The trap here is that candidates often confuse Amazon SageMaker (a full ML lifecycle service) with Bedrock (a managed FM API service), or mistakenly think Amazon Rekognition or AWS DeepComposer provide general-purpose generative AI capabilities, when in fact they are specialized for narrow use cases.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker is a machine learning platform for building, training, and deploying custom models, not a service that provides direct API access to pre-trained foundation models. Option B is wrong because Amazon Rekognition is a specialized service for image and video analysis (e.g., object detection, facial recognition) and does not offer generative foundation models for text generation or image creation. Option D is wrong because AWS DeepComposer is a service for creating music using generative AI, specifically for composing melodies, and is not a general-purpose API for accessing pre-trained foundation models for text or image generation.

428
MCQeasy

Which AWS service continuously assesses your AWS resources for security vulnerabilities, unintended network exposure, and deviations from security best practices?

A.AWS Security Hub
B.Amazon Inspector
C.AWS Config
D.Amazon Macie
AnswerB

Inspector continuously scans EC2 instances and ECR container images for vulnerabilities and network exposure issues, generating prioritized findings.

Why this answer

Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It uses a combination of network reachability analysis and agent-based or agentless assessments to detect deviations from security best practices, such as missing patches or open ports to the internet.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (a central dashboard for findings) with the actual scanning service, leading them to choose Security Hub instead of Inspector, even though Security Hub does not perform the underlying vulnerability assessments.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a central security posture management service that aggregates findings from multiple AWS services (including Inspector) and checks compliance against standards like CIS AWS Foundations, but it does not perform the actual vulnerability scanning itself. Option C is wrong because AWS Config is a resource inventory and configuration tracking service that evaluates resource configurations against desired policies (e.g., whether an S3 bucket is public), but it does not scan for software vulnerabilities or network exposure. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) in S3 buckets, not to assess compute resources for security vulnerabilities or network exposure.

429
MCQmedium

A company manages a fleet of hundreds of Amazon EC2 instances running across multiple AWS Regions. The company's security policy requires that all instances be patched with the latest security updates within 7 days of release. The operations team currently logs in to each instance manually to apply patches, which is time-consuming and error-prone. The team wants to automate the patching process, track compliance across all instances, and receive reports on patch status. The solution must not require any changes to the existing application code or the use of additional third-party software. Which AWS service should the operations team use to meet these requirements?

A.AWS Config
B.AWS Systems Manager
C.Amazon Inspector
D.AWS Trusted Advisor
AnswerB

AWS Systems Manager includes Patch Manager, which automates the process of patching managed instances with security updates and provides compliance reporting across the fleet.

Why this answer

AWS Systems Manager is the correct choice because it provides Patch Manager, a native capability that automates the patching of EC2 instances across multiple Regions without requiring any changes to application code or third-party software. It also integrates with Systems Manager Compliance to track patch status and generate reports, meeting all stated requirements.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with Systems Manager (which can both track and remediate), leading them to choose Config for compliance reporting while overlooking the patching automation requirement.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing and compliance service that records resource changes and evaluates rules, but it cannot apply patches or automate the patching process itself. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and unintended network exposure, but it does not patch instances or manage patch compliance reporting. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it cannot automate patching or track patch compliance across instances.

430
MCQmedium

A retail company wants to implement a recommendation engine based on customer purchase history. Which AWS service is designed to provide ML-based personalized recommendations with no ML experience required?

A.Amazon SageMaker
B.Amazon Personalize
C.Amazon Comprehend
D.Amazon Rekognition
AnswerB

Personalize delivers real-time personalized recommendations without requiring ML expertise, using the same algorithms as Amazon.com.

Why this answer

Amazon Personalize is a fully managed AWS service that enables developers to build applications with real-time personalized recommendations without requiring any prior machine learning experience. It uses the same technology that powers Amazon.com's recommendation engine, processing customer purchase history to deliver tailored product suggestions.

Exam trap

The trap here is that candidates often confuse Amazon SageMaker as the go-to ML service for any ML task, overlooking that Amazon Personalize is specifically designed for recommendation use cases with minimal ML expertise required.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker is a comprehensive ML service that requires users to build, train, and deploy their own models, demanding significant ML expertise and coding, not a no-experience-required solution. Option C is wrong because Amazon Comprehend is a natural language processing (NLP) service for extracting insights from text (e.g., sentiment, entities), not for generating personalized recommendations from purchase history. Option D is wrong because Amazon Rekognition is a computer vision service for analyzing images and videos (e.g., object detection, facial recognition), not for building recommendation engines.

431
MCQmedium

A company has a hybrid cloud environment with both on-premises servers and AWS. They want a consistent management experience across both environments. Which AWS service extends the same AWS Systems Manager capabilities to non-AWS servers?

A.AWS Outposts
B.AWS Systems Manager with hybrid activations
C.AWS Direct Connect
D.Amazon EC2 Systems Manager
AnswerB

Systems Manager hybrid activations register on-premises servers and VMs as managed instances, extending Run Command, Patch Manager, Inventory, and Session Manager to non-AWS infrastructure.

Why this answer

AWS Systems Manager with hybrid activations allows you to manage on-premises servers and other non-AWS compute resources using the same Systems Manager capabilities (e.g., Run Command, Patch Manager, Inventory) as you use for EC2 instances. By installing the SSM Agent on the non-AWS server and registering it via a hybrid activation, the server appears as a managed instance in Systems Manager, providing a consistent management plane across hybrid environments.

Exam trap

The trap here is that candidates often confuse AWS Outposts (which extends AWS infrastructure) with the ability to manage existing non-AWS servers, or they mistakenly think Amazon EC2 Systems Manager (the old name) can natively manage on-premises servers without hybrid activations.

How to eliminate wrong answers

Option A is wrong because AWS Outposts is a fully managed service that extends AWS infrastructure, services, and APIs to on-premises locations, but it does not extend Systems Manager capabilities to existing non-AWS servers; it requires running AWS-designed hardware. Option C is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, which improves bandwidth and latency but does not provide any management or Systems Manager functionality. Option D is wrong because Amazon EC2 Systems Manager is the former name of AWS Systems Manager, and it only manages EC2 instances natively; it does not inherently support non-AWS servers without hybrid activations.

432
MCQmedium

A company is planning to migrate a legacy application to AWS and wants to estimate the monthly cost of running the new workload. The company needs to compare costs across different Amazon EC2 instance types, regions, and pricing models (On-Demand, Reserved, and Spot). The team also wants to include estimated costs for related services such as Amazon EBS storage and data transfer. Which AWS tool should the company use to generate this cost estimate?

A.AWS Pricing Calculator
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Trusted Advisor
AnswerA

Correct. The AWS Pricing Calculator is designed to produce cost estimates for new AWS workloads. You can select specific EC2 instance types, pricing models, regions, and associated services like EBS and data transfer to get a monthly estimate.

Why this answer

The AWS Pricing Calculator (formerly the Simple Monthly Calculator) is the correct tool because it allows users to estimate monthly costs by selecting specific EC2 instance types, regions, and pricing models (On-Demand, Reserved, Spot), and it also includes estimates for related services like EBS storage and data transfer. This tool provides a detailed, upfront cost comparison before any resources are deployed, which directly matches the company's requirement to compare costs across different configurations.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (which analyzes past costs) with the AWS Pricing Calculator (which estimates future costs), especially since both tools deal with cost data and are found in the Billing and Cost Management console.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it analyzes historical cost and usage data after resources have been deployed, not for estimating future costs before migration. Option C (AWS Budgets) is wrong because it sets spending limits and alerts based on actual or forecasted costs, not for generating upfront cost estimates for planned workloads. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, security, and performance based on existing AWS resources, not for estimating costs of a planned migration.

433
MCQeasy

Under the AWS Shared Responsibility Model, which of the following is the customer's responsibility when using Amazon RDS?

A.Patching the underlying EC2 instances hosting the database
B.Managing the physical storage media and hardware
C.Managing database user accounts and controlling data access
D.Applying database engine minor version patches
AnswerC

Customers are responsible for their data, creating database users, setting permissions, and controlling which applications and users can access the database.

Why this answer

Under the AWS Shared Responsibility Model, AWS manages the infrastructure, including the underlying EC2 instances, physical storage, and database engine minor version patches for Amazon RDS. The customer is responsible for managing database user accounts, controlling data access, and securing the data itself, as these are within the customer's control and not managed by AWS.

Exam trap

The trap here is that candidates often confuse the customer's responsibility for managing database user accounts with AWS's responsibility for patching the database engine, leading them to incorrectly select option D as the customer's task.

How to eliminate wrong answers

Option A is wrong because AWS is responsible for patching the underlying EC2 instances that host the RDS database, as RDS is a managed service where AWS handles the host OS and infrastructure. Option B is wrong because managing physical storage media and hardware is AWS's responsibility under the shared model, as they control the data center and physical infrastructure. Option D is wrong because applying database engine minor version patches is managed by AWS for RDS, though customers can schedule maintenance windows; the actual patching is AWS's responsibility.

434
MCQmedium

A company uses Amazon EC2 instances to run its workloads. The company's IT team does not know the exact physical server where each instance runs, and instances from multiple customers may be hosted on the same physical hardware. The team only specifies the AWS Region and Availability Zone. Which essential characteristic of cloud computing does this scenario BEST represent?

A.On-demand self-service
B.Resource pooling
C.Rapid elasticity
D.Measured service
AnswerB

Resource pooling is the correct answer. The scenario describes how AWS pools its physical infrastructure to serve multiple customers simultaneously, with customers having no control over the exact physical location of their resources beyond a high-level abstraction like region or Availability Zone. This is a direct example of resource pooling.

Why this answer

Resource pooling is the correct answer because the scenario describes how AWS aggregates compute resources from multiple physical hosts into a shared pool, which is then dynamically assigned and reassigned to customers based on demand. The IT team has no control over or knowledge of the exact physical server, and instances from different customers can run on the same hardware, which is the defining behavior of resource pooling as defined by NIST SP 800-145.

Exam trap

The trap here is that candidates often confuse resource pooling with on-demand self-service because both involve abstraction, but resource pooling specifically addresses the multi-tenant sharing of physical infrastructure, whereas on-demand self-service is about the user's ability to provision resources without provider intervention.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing capabilities (like launching an EC2 instance) automatically without requiring human interaction with the service provider, not to the multi-tenant sharing of physical hardware. Option C is wrong because rapid elasticity describes the ability to scale resources up or down quickly and automatically (e.g., using Auto Scaling groups), not the underlying multi-tenant infrastructure. Option D is wrong because measured service involves metering and reporting resource usage (e.g., CloudWatch metrics and billing), not the pooling of physical hardware across multiple customers.

435
MCQmedium

A healthcare company runs a production application on AWS that stores protected health information (PHI). The company needs a support plan that provides a designated Technical Account Manager (TAM) who will perform quarterly business reviews, offer proactive architectural guidance, and help optimize the environment. The company also requires a 15-minute response time for critical system failures. Which AWS Support plan should the company choose?

A.AWS Basic Support
B.AWS Developer Support
C.AWS Business Support
D.AWS Enterprise Support
AnswerD

Correct. Enterprise Support includes a TAM, 15-minute critical case response, proactive guidance, and quarterly business reviews.

Why this answer

AWS Enterprise Support is the only plan that provides a designated Technical Account Manager (TAM) who conducts quarterly business reviews, offers proactive architectural guidance, and helps optimize the environment. It also guarantees a 15-minute response time for critical system failures, meeting the healthcare company's requirements for handling protected health information (PHI) with high availability and compliance.

Exam trap

The trap here is that candidates often confuse AWS Business Support's 1-hour critical response time and general architectural guidance with the dedicated TAM and quarterly business reviews that are exclusive to Enterprise Support, leading them to select Business Support instead.

How to eliminate wrong answers

Option A is wrong because AWS Basic Support does not include a TAM, quarterly business reviews, proactive architectural guidance, or any defined response time for critical failures; it only provides access to documentation and basic support. Option B is wrong because AWS Developer Support offers a response time of less than 12 hours for critical cases but does not include a designated TAM or quarterly business reviews. Option C is wrong because AWS Business Support provides a 1-hour response time for critical failures and some architectural guidance, but it does not include a designated TAM or quarterly business reviews, which are exclusive to Enterprise Support.

436
MCQeasy

Which AWS service is used to distribute incoming application traffic across multiple EC2 instances to improve availability and fault tolerance?

A.Amazon Route 53
B.Amazon CloudFront
C.Elastic Load Balancing
D.AWS Auto Scaling
AnswerC

ELB distributes incoming traffic across multiple EC2 instances to improve availability and fault tolerance.

Why this answer

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple Amazon EC2 instances in one or more Availability Zones. By doing so, it increases the fault tolerance of your application because if one instance fails, the load balancer routes traffic to the remaining healthy instances, ensuring high availability. ELB supports multiple types (Application, Network, and Gateway Load Balancers) to handle different traffic patterns and protocols.

Exam trap

The trap here is that candidates often confuse Amazon Route 53's DNS routing policies (like weighted or latency-based routing) with actual load balancing, but Route 53 only resolves DNS queries and does not manage traffic distribution to EC2 instances at the application or network layer.

How to eliminate wrong answers

Option A is wrong because Amazon Route 53 is a DNS web service that translates domain names to IP addresses and routes end users to internet applications, but it does not distribute traffic across EC2 instances for load balancing. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations to accelerate delivery of static and dynamic web content, not a load balancer for distributing traffic across EC2 instances. Option D is wrong because AWS Auto Scaling automatically adjusts the number of EC2 instances based on demand, but it does not distribute incoming traffic; it works in conjunction with a load balancer to scale the fleet.

437
MCQmedium

A software development team uses AWS CloudFormation to define their test environments as infrastructure as code. Each developer can launch a complete environment containing multiple Amazon EC2 instances, an Application Load Balancer, and an Amazon RDS database in under five minutes. They run their test suite for a few hours and then delete the entire CloudFormation stack, releasing all resources. Which essential characteristic of cloud computing does this workflow best illustrate?

A.On-demand self-service
B.Rapid elasticity
C.Resource pooling
D.Measured service
AnswerB

Rapid elasticity is the ability to quickly scale resources up and down in response to demand. The developers can create a full environment in minutes and tear it down just as quickly, directly illustrating this characteristic.

Why this answer

Option B is correct because the ability to provision and de-provision a complete environment—including EC2 instances, an ALB, and an RDS database—in minutes and then release all resources after a few hours directly demonstrates rapid elasticity. This characteristic allows cloud resources to scale out and in quickly, matching demand without manual intervention, which is exactly what the CloudFormation stack lifecycle achieves.

Exam trap

The trap here is that candidates confuse 'on-demand self-service' (the ability to provision without human interaction) with 'rapid elasticity' (the ability to scale resources up and down quickly), but the question's focus on the speed of provisioning and de-provisioning the entire environment points to elasticity, not just self-service.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user provisioning resources without human interaction, but the question emphasizes the speed of scaling out and in, not the self-service aspect. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical resources are shared among customers, which is not illustrated by the team's ability to rapidly create and delete environments. Option D is wrong because measured service involves metering and billing for resource usage, which is not the focus of this workflow; the team deletes the stack after testing, and the key takeaway is the elasticity of resource allocation, not the measurement.

438
MCQeasy

Which AWS service or feature provides a notification when AWS is performing planned maintenance that may affect your resources?

A.Amazon CloudWatch Alarms
B.AWS Health Dashboard
C.AWS Trusted Advisor
D.AWS Config
AnswerB

AWS Health Dashboard provides personalized notifications about scheduled maintenance, resource health events, and AWS announcements affecting your specific account and resources.

Why this answer

AWS Health Dashboard (specifically the AWS Personal Health Dashboard) provides proactive notifications and alerts when AWS is performing planned maintenance that may affect your resources. It gives you a personalized view of service health events, including scheduled maintenance, that are relevant to your AWS account and resources.

Exam trap

The trap here is that candidates often confuse the AWS Service Health Dashboard (public, region-wide status) with the AWS Personal Health Dashboard (account-specific alerts), or mistakenly think CloudWatch Alarms can capture AWS-side maintenance events via custom metrics.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Alarms monitor metrics (e.g., CPU utilization, latency) and trigger actions based on thresholds you define, but they do not natively receive or relay AWS-planned maintenance notifications. Option C is wrong because AWS Trusted Advisor inspects your environment and makes recommendations to optimize cost, performance, security, and fault tolerance, but it does not provide real-time alerts for planned maintenance events. Option D is wrong because AWS Config evaluates your resource configurations against desired policies and tracks configuration changes, but it is not designed to notify you of AWS-side planned maintenance activities.

439
MCQmedium

A healthcare company needs to store patient medical records that must be retained for 10 years to comply with regulatory requirements. These records are accessed very rarely, only in the event of an audit or legal request. Which Amazon S3 storage class is the MOST cost-effective choice for this data?

A.S3 Standard
B.S3 Intelligent-Tiering
C.S3 One Zone-IA
D.S3 Glacier Deep Archive
AnswerD

S3 Glacier Deep Archive is the lowest-cost S3 storage class, designed for long-term retention of data that is accessed extremely rarely (e.g., once or twice per year). It provides secure and durable storage with retrieval times of 12-48 hours, making it the most cost-effective choice for regulatory archives with a 10-year retention requirement.

Why this answer

S3 Glacier Deep Archive is the most cost-effective choice because it is designed for long-term retention of rarely accessed data with a retrieval time of 12–48 hours. The 10-year retention requirement and infrequent access pattern (only during audits or legal requests) align perfectly with this storage class, offering the lowest storage cost among S3 classes while still meeting compliance needs.

Exam trap

The trap here is that candidates often choose S3 Glacier (Flexible Retrieval) instead of S3 Glacier Deep Archive, confusing the two, but the question specifically asks for the 'most cost-effective' option for data accessed 'very rarely' over a 10-year period, making Deep Archive the correct choice due to its lower storage cost and longer retrieval time.

How to eliminate wrong answers

Option A is wrong because S3 Standard is optimized for frequently accessed data with low latency and high throughput, making it unnecessarily expensive for data that is accessed only a few times over a decade. Option B is wrong because S3 Intelligent-Tiering automatically moves data between access tiers based on changing usage patterns, but it incurs a monthly monitoring and automation fee per object, which is not cost-effective for data that will almost never be accessed and is better served by a static deep archive tier. Option C is wrong because S3 One Zone-IA stores data in a single Availability Zone and is designed for infrequently accessed data that can be recreated, but it does not provide the durability or resilience required for regulatory compliance over a 10-year period, and its cost is higher than Glacier Deep Archive for long-term retention.

440
MCQmedium

A company needs to synchronize files between their on-premises file server and Amazon S3 on a recurring schedule, detecting and copying only the changed files. Which AWS service is designed for this use case?

A.AWS Snowball
B.Amazon S3 Transfer Acceleration
C.AWS DataSync
D.AWS Storage Gateway
AnswerC

DataSync automates file transfers between on-premises and AWS storage, detecting changed files, scheduling recurring syncs, validating data integrity, and encrypting transfers.

Why this answer

AWS DataSync is purpose-built for automating and accelerating the transfer of data between on-premises storage systems and AWS storage services, including Amazon S3. It supports incremental, scheduled transfers that detect and copy only changed files, making it the ideal choice for recurring file synchronization with S3.

Exam trap

The trap here is that candidates confuse AWS Storage Gateway's file gateway with DataSync, but file gateway provides a live file server interface to S3 rather than a scheduled, agent-based sync tool for changed files.

How to eliminate wrong answers

Option A is wrong because AWS Snowball is a physical data transport device used for large-scale, one-time data migrations, not for recurring scheduled synchronization of changed files. Option B is wrong because Amazon S3 Transfer Acceleration only speeds up uploads to S3 over the internet by using AWS edge locations; it does not provide scheduling, change detection, or on-premises agent capabilities. Option D is wrong because AWS Storage Gateway offers file gateway, volume gateway, and tape gateway modes for hybrid cloud storage, but its file gateway does not natively support recurring scheduled synchronization of changed files to S3; it provides a cached or stored volume interface rather than a dedicated sync service.

441
MCQmedium

A company runs a web application on Amazon EC2 instances. The application experiences unpredictable traffic spikes during marketing campaigns. The company configures an Amazon EC2 Auto Scaling group to automatically add instances when CPU utilization exceeds 70% and remove instances when it drops below 30%. This allows the company to handle peak loads without manual intervention and avoid paying for idle capacity during low traffic periods. Which essential characteristic of cloud computing does this configuration BEST demonstrate?

A.On-demand self-service
B.Broad network access
C.Rapid elasticity
D.Measured service
AnswerC

Rapid elasticity is the ability to quickly and automatically scale computing resources up or down to match demand. The Auto Scaling group adding and removing EC2 instances based on CPU thresholds is a direct example of this characteristic.

Why this answer

The Auto Scaling group dynamically adjusts the number of EC2 instances in response to CPU utilization thresholds, scaling out during traffic spikes and scaling in during low traffic. This ability to rapidly provision and release compute resources to match demand is the defining characteristic of rapid elasticity, which allows the company to handle peak loads without manual intervention and avoid paying for idle capacity.

Exam trap

The trap here is that candidates often confuse rapid elasticity with on-demand self-service, but on-demand self-service is about the ability to provision resources without human interaction, while rapid elasticity is about automatically scaling resources up or down to match demand in near real-time.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user provisioning computing resources without requiring human interaction with the service provider, not the automatic scaling behavior described. Option B is wrong because broad network access describes resources accessible over the network via standard protocols (e.g., HTTP, HTTPS) from various devices, not the dynamic scaling of compute capacity. Option D is wrong because measured service involves metering and reporting resource usage for billing and optimization, whereas the scenario focuses on automatic scaling to match demand, not on usage tracking or cost allocation.

442
MCQmedium

A startup is migrating its infrastructure to AWS. The CTO notices that the hourly rate for an Amazon EC2 instance is significantly lower than the cost of purchasing and maintaining a comparable physical server in their own data center. The CTO explains that AWS can offer lower prices because it aggregates demand from thousands of customers and optimizes its data center operations. Which benefit of cloud computing does this scenario primarily illustrate?

A.High availability
B.Elasticity
C.Economies of scale
D.Global reach
AnswerC

Economies of scale occur when a provider achieves lower per-unit costs by operating at a massive scale. AWS passes these savings to customers in the form of lower usage-based prices. The CTO's explanation directly matches this concept.

Why this answer

The scenario describes AWS aggregating demand from thousands of customers to optimize data center operations, which directly reduces per-unit costs. This is the definition of economies of scale, where larger operational scale leads to lower average costs. The CTO's observation that the hourly EC2 rate is lower than purchasing a physical server illustrates how cloud providers pass these savings to customers.

Exam trap

The trap here is that candidates confuse 'economies of scale' with 'elasticity' because both involve scaling, but elasticity is about dynamic resource adjustment while economies of scale is about cost advantages from large-scale operations.

How to eliminate wrong answers

Option A is wrong because high availability refers to systems remaining operational despite failures (e.g., using Multi-AZ deployments), not to cost reduction from aggregated demand. Option B is wrong because elasticity is the ability to scale resources up or down automatically based on demand (e.g., using Auto Scaling groups), not the cost advantage from provider scale. Option D is wrong because global reach means deploying resources across multiple geographic regions (e.g., using AWS Regions and Edge Locations), not the cost benefits of shared infrastructure.

443
MCQmedium

A company wants to ensure their containerized microservices can discover each other by name without hard-coding IP addresses. Which AWS service provides DNS-based service discovery for ECS and EKS?

A.Amazon Route 53
B.AWS Cloud Map
C.Elastic Load Balancing
D.Amazon VPC
AnswerB

Cloud Map automatically registers service instances as they start and removes them as they stop, enabling dynamic DNS-based and API-based service discovery for containers.

Why this answer

AWS Cloud Map is a cloud resource discovery service that enables microservices to dynamically discover each other by name using DNS queries or API calls. It integrates directly with Amazon ECS and EKS, allowing containers to register and resolve service endpoints without hard-coded IP addresses, making it the correct choice for DNS-based service discovery.

Exam trap

The trap here is that candidates often confuse Route 53's general DNS capabilities with Cloud Map's specialized service discovery, overlooking that Route 53 lacks the dynamic registration and health-check-aware instance management required for containerized microservices.

How to eliminate wrong answers

Option A is wrong because Amazon Route 53 is a DNS web service primarily for domain registration and routing traffic to AWS resources, but it does not provide native service discovery for dynamic containerized microservices with health checks and instance registration. Option C is wrong because Elastic Load Balancing distributes incoming traffic across targets but does not offer DNS-based service discovery for containers to find each other by name. Option D is wrong because Amazon VPC provides networking isolation and IP address management, but it lacks built-in service discovery mechanisms for resolving service names to dynamic IP addresses.

444
MCQhard

A company's security policy requires that access keys for IAM users must be rotated every 90 days. Which AWS service can automatically detect users with non-compliant key age?

A.AWS CloudTrail
B.AWS Config with the access-keys-rotated rule
C.Amazon GuardDuty
D.AWS IAM Access Analyzer
AnswerB

The AWS Config managed rule 'access-keys-rotated' continuously evaluates IAM access key ages and generates non-compliance findings for keys older than the configured threshold.

Why this answer

AWS Config with the 'access-keys-rotated' managed rule automatically checks whether IAM user access keys have been rotated within the specified number of days (default 90). When a key exceeds the configured maximum age, AWS Config flags the resource as non-compliant, enabling automated detection and remediation.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance rules (which evaluate resource configurations like key age) with CloudTrail's auditing capabilities (which log actions but do not enforce policies), leading them to incorrectly select CloudTrail.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., key creation, deletion) but does not evaluate compliance against a rotation policy; it lacks built-in rules for key age checks. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail events for malicious activity, not for IAM key rotation compliance. Option D is wrong because AWS IAM Access Analyzer identifies resources shared with external entities (e.g., cross-account access), not internal key rotation age.

445
MCQmedium

A compliance team needs to track the configuration history of AWS resources, determine when a security group was last modified, and verify that all EC2 instances comply with a rule requiring encryption on all attached EBS volumes. Which AWS service provides these capabilities?

A.AWS CloudTrail
B.Amazon CloudWatch
C.AWS Config
D.Amazon GuardDuty
AnswerC

Config continuously records the configuration of AWS resources and their relationships. It maintains a configuration history, evaluates configurations against compliance rules, and identifies non-compliant resources (like unencrypted EBS volumes).

Why this answer

AWS Config is the correct service because it provides configuration history of AWS resources, tracks changes to security groups (including last modification time), and allows you to define rules—such as requiring encryption on all EBS volumes attached to EC2 instances—and evaluate resources against those rules. It records configuration changes as configuration items and can trigger evaluations against managed or custom rules, making it ideal for compliance auditing.

Exam trap

The trap here is that candidates confuse AWS CloudTrail's API logging with AWS Config's configuration tracking, but CloudTrail only records the API call that made the change, not the resulting configuration state or compliance evaluation.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (who did what, when, and from where) but does not track the configuration state or history of resources over time, nor does it evaluate compliance rules. Option B is wrong because Amazon CloudWatch monitors metrics, logs, and alarms for operational health and performance, but it does not track resource configuration history or enforce compliance rules like encryption requirements. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs, VPC flow logs, and CloudTrail events for malicious activity, not for tracking configuration changes or evaluating compliance rules.

446
MCQmedium

A company is adopting microservices and wants to enable their services to communicate securely and track network traffic between them. Which AWS service provides service mesh capabilities with mutual TLS and observability?

A.Amazon VPC with security groups
B.AWS App Mesh
C.Amazon API Gateway
D.AWS Transit Gateway
AnswerB

App Mesh provides a service mesh layer for microservices with mTLS encryption, traffic control (routing policies, retry logic), and observability (metrics, traces) via Envoy proxy integration.

Why this answer

AWS App Mesh is a service mesh that provides application-level networking, enabling microservices to communicate securely with mutual TLS (mTLS) and offering observability through metrics, logs, and traces. It integrates with AWS services like AWS X-Ray and Amazon CloudWatch to track network traffic between services, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates often confuse network-level services like VPC security groups or Transit Gateway with application-level service mesh capabilities, overlooking that mTLS and observability require a dedicated service mesh like AWS App Mesh.

How to eliminate wrong answers

Option A is wrong because Amazon VPC with security groups provides network-level traffic filtering and segmentation, not service mesh capabilities like mTLS or observability at the application layer. Option C is wrong because Amazon API Gateway is a managed API proxy for creating, publishing, and securing APIs, not a service mesh for inter-service communication within a microservices architecture. Option D is wrong because AWS Transit Gateway is a network transit hub for connecting VPCs and on-premises networks, lacking service mesh features such as mTLS and observability for service-to-service traffic.

447
MCQmedium

A startup runs an e-commerce website on AWS. During flash sales, traffic can increase 10x in a few minutes. The startup uses an Auto Scaling group to automatically launch additional EC2 instances when CPU utilization exceeds 70% and terminate them when utilization drops below 30%. This approach ensures that the application always has enough capacity to handle the load without manual intervention, and they only pay for what they use. Which cloud computing concept does this scenario BEST illustrate?

A.High availability
B.Elasticity
C.Fault tolerance
D.Disaster recovery
AnswerB

Elasticity is the correct answer. It refers to the ability to dynamically scale infrastructure resources up and down based on real-time demand. The Auto Scaling group automatically adjusts the number of EC2 instances in response to CPU utilization, which is a textbook example of elasticity.

Why this answer

Option B is correct because elasticity is the ability of a cloud system to automatically scale resources up or down based on demand. The Auto Scaling group dynamically adds EC2 instances when CPU utilization exceeds 70% and terminates them when it drops below 30%, ensuring capacity matches load without manual intervention. This pay-per-use model is a hallmark of elasticity, not just high availability or fault tolerance.

Exam trap

The trap here is that candidates confuse elasticity with high availability, but elasticity is about scaling resources to match demand, while high availability is about maintaining uptime through redundancy and failover mechanisms.

How to eliminate wrong answers

Option A is wrong because high availability focuses on ensuring the application remains accessible despite failures, typically through redundancy across multiple Availability Zones, not on dynamically scaling capacity in response to load changes. Option C is wrong because fault tolerance refers to a system's ability to continue operating without interruption after a component failure, often using redundant components in an active-active configuration, whereas this scenario describes scaling based on demand, not failure recovery. Option D is wrong because disaster recovery involves predefined plans and procedures to restore operations after a catastrophic event, such as data loss or region-wide outage, not the automatic scaling of resources during normal traffic spikes.

448
MCQmedium

A company is planning to migrate a legacy application to AWS. The solutions architect needs to estimate the monthly cost of running Amazon EC2 instances, Amazon RDS databases, and Amazon S3 storage. The architect wants to compare different instance types, storage classes, and pricing models (e.g., On-Demand vs. Reserved Instances) to find the most cost-effective configuration. The team requires a tool that provides a detailed, itemized cost estimate without incurring any actual charges, and allows saving and sharing the estimate with stakeholders. Which AWS tool should the solutions architect use?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Pricing Calculator
D.AWS Cost and Usage Report
AnswerC

The AWS Pricing Calculator is specifically built to create cost estimates for planned AWS usage. Users can configure services, select pricing models, and receive a detailed monthly estimate. Estimates can be saved, shared, and refined without any actual spend.

Why this answer

The AWS Pricing Calculator (formerly AWS Simple Monthly Calculator) is the correct tool because it allows users to build a detailed, itemized cost estimate for AWS services like EC2, RDS, and S3 without incurring any actual charges. It supports comparing different instance types, storage classes, and pricing models (On-Demand vs. Reserved Instances), and provides a shareable link to save and share the estimate with stakeholders.

Exam trap

The trap here is confusing tools that analyze past costs (Cost Explorer, Cost and Usage Report) with tools that estimate future costs (Pricing Calculator), leading candidates to pick Cost Explorer because it also shows cost breakdowns, but it cannot model a greenfield migration without historical data.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is used to set cost or usage thresholds and receive alerts when those thresholds are exceeded, not to generate upfront cost estimates for planned configurations. Option B is wrong because AWS Cost Explorer provides historical cost and usage data and allows forecasting, but it cannot generate a detailed, itemized estimate for a planned migration without actual usage history. Option D is wrong because AWS Cost and Usage Report delivers detailed billing data after charges have been incurred, not a pre-migration cost estimate.

449
MCQeasy

Which AWS service provides managed Elasticsearch (OpenSearch) clusters for log analytics and full-text search?

A.Amazon CloudSearch
B.Amazon OpenSearch Service
C.Amazon Athena
D.Amazon Redshift
AnswerB

OpenSearch Service provides managed Elasticsearch/OpenSearch clusters for search and log analytics without cluster management overhead.

Why this answer

Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) is the correct choice because it provides managed clusters for Elasticsearch and OpenSearch, enabling log analytics, full-text search, and real-time application monitoring. It integrates with Logstash and Kibana (the ELK stack) and supports the OpenSearch API, making it the direct AWS offering for this use case.

Exam trap

The trap here is that candidates often confuse Amazon CloudSearch (a simpler, proprietary search service) with Amazon OpenSearch Service, not realizing that CloudSearch does not support the Elasticsearch/OpenSearch ecosystem required for log analytics and Kibana integration.

How to eliminate wrong answers

Option A is wrong because Amazon CloudSearch is a managed search service that uses its own proprietary search engine and API, not Elasticsearch or OpenSearch, and is designed for simpler full-text search use cases like website search, not log analytics. Option C is wrong because Amazon Athena is a serverless interactive query service for analyzing data in Amazon S3 using standard SQL, not a managed search or analytics engine for Elasticsearch/OpenSearch clusters. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for SQL-based analytics on structured data, not for real-time log analytics or full-text search with Elasticsearch/OpenSearch.

450
MCQeasy

A company hires 10 new developers and needs to assign them identical AWS permissions — read access to S3 and the ability to launch EC2 instances. What is the AWS best practice for assigning these permissions efficiently?

A.Attach an inline policy to each of the 10 IAM users individually
B.Create an IAM group, attach the required policies to the group, and add all 10 users to the group
C.Create one IAM user account and share the credentials with all 10 developers
D.Grant the developers root account access with MFA enabled
AnswerB

IAM groups are specifically designed for this purpose. Assign policies once to the group, add users to the group, and all users inherit the permissions. Future permission changes only need to be made to the group.

Why this answer

IAM groups allow administrators to assign permissions to multiple users at once. By creating a 'Developers' group with the required policies and adding all 10 users to it, permissions are managed centrally. Adding a policy to the group affects all members simultaneously.

Page 5

Page 6 of 14

Page 7