AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 451525

1024 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to enforce a policy that prevents any employee from deploying resources in AWS Regions outside of the United States. The company’s legal department requires a preventive control that automatically blocks all resource creation in non-approved Regions for every account, including any new accounts added in the future. The team wants a solution that requires minimal ongoing administration. Which AWS feature should the security team use?

A.Create an IAM policy with a condition that denies `ec2:RunInstances` if the Region is not `us-east-1` or `us-west-2`, and attach it to all IAM users and roles.
B.Configure an AWS Config rule that checks for resources in non-approved Regions and automatically terminates them using a custom Lambda function.
C.Attach a Service Control Policy (SCP) in AWS Organizations that denies access to all AWS API actions when the `aws:RequestedRegion` condition key does not match an approved Region.
D.Use VPC endpoint policies to restrict traffic to only the approved AWS Regions.
AnswerC

This is correct. An SCP is a centralized, preventive control that applies to all principals (users, roles) in member accounts. The condition `aws:RequestedRegion` is supported by most AWS services, allowing the policy to block resource creation in any non-approved Region. It automatically applies to new accounts added to the organization.

Why this answer

Option C is correct because a Service Control Policy (SCP) attached to the root or an OU in AWS Organizations can deny all AWS API actions when the `aws:RequestedRegion` condition key does not match an approved Region (e.g., `us-east-1` or `us-west-2`). This provides a preventive, account-wide guard that automatically applies to all existing and future accounts in the organization, requiring no per-user or per-role configuration and minimal ongoing administration.

Exam trap

The trap here is that candidates confuse detective controls (AWS Config) with preventive controls (SCPs) or mistakenly think IAM policies can enforce organization-wide restrictions, but SCPs are the only mechanism that applies to all accounts and principals in AWS Organizations without ongoing maintenance.

How to eliminate wrong answers

Option A is wrong because an IAM policy attached to users and roles is not a preventive control that applies to all accounts in the organization; it does not cover service-linked roles, root users, or new accounts, and it requires manual attachment to every principal. Option B is wrong because AWS Config rules are detective, not preventive—they detect non-compliant resources after creation and rely on a Lambda function for remediation, which does not block the initial resource creation and introduces latency and potential race conditions. Option D is wrong because VPC endpoint policies control traffic to AWS services through VPC endpoints but do not restrict resource creation in non-approved Regions; they are scoped to network-level access, not account-wide API actions.

452
MCQmedium

A company manages a fleet of hundreds of EC2 instances and needs to automate patching across all instances, run commands remotely without SSH, and store configuration parameters centrally. Which AWS service provides these operational management capabilities?

A.Amazon CloudWatch
B.AWS Config
C.AWS Systems Manager
D.AWS CloudFormation
AnswerC

Systems Manager provides Patch Manager for automated patching, Session Manager for SSH-free remote access, Run Command for running scripts across instances, and Parameter Store for centralised configuration — all required capabilities.

Why this answer

AWS Systems Manager is the correct choice because it provides a unified interface for operational management tasks, including automated patching via Patch Manager, remote command execution without SSH using Run Command, and centralized parameter storage with Parameter Store. These capabilities directly address the need to manage fleets of EC2 instances at scale without requiring direct network access to each instance.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager with AWS Config because both deal with 'management' and 'configuration,' but Config is only for compliance auditing and drift detection, not for patching or remote command execution.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not a tool for patching, remote command execution, or parameter storage. Option B is wrong because AWS Config is a service for evaluating and auditing resource compliance against desired configurations, not for automating patching or running commands remotely. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning and managing AWS resources via templates, not for ongoing operational tasks like patching or remote command execution.

453
MCQmedium

A company runs a globally distributed multiplayer game on AWS. The game uses UDP for real-time communication and requires static IP addresses that do not change for whitelisting by internet service providers. The company needs to route traffic to the nearest healthy application endpoint to minimize latency and improve performance. The solution must work with both TCP and UDP traffic and provide static IP addresses. Which AWS service should the company use?

A.AWS Global Accelerator
B.Amazon CloudFront
C.Amazon Route 53
D.AWS Direct Connect
AnswerA

Correct. AWS Global Accelerator provides static IP addresses and optimizes the path from users to applications over TCP/UDP, routing traffic to the nearest healthy endpoint using the AWS global network.

Why this answer

AWS Global Accelerator provides static IP addresses that serve as fixed entry points to your application, and it uses the AWS global network to route traffic to the nearest healthy endpoint via Anycast. It supports both TCP and UDP traffic, making it ideal for real-time UDP-based gaming workloads that require low latency and static IPs for ISP whitelisting.

Exam trap

The trap here is that candidates often confuse CloudFront's edge caching with Global Accelerator's network-layer optimization, but CloudFront does not support UDP or provide static IPs, making it unsuitable for real-time gaming traffic.

How to eliminate wrong answers

Option B (Amazon CloudFront) is wrong because CloudFront is a content delivery network optimized for HTTP/HTTPS traffic and does not support UDP, nor does it provide static IP addresses for whitelisting. Option C (Amazon Route 53) is wrong because Route 53 is a DNS service that resolves domain names to IP addresses but does not provide static IP addresses or handle UDP traffic routing at the network layer; it relies on DNS caching and can change IPs over time. Option D (AWS Direct Connect) is wrong because Direct Connect establishes a dedicated private network connection from on-premises to AWS, but it does not provide globally distributed static IP addresses or anycast routing for traffic to the nearest endpoint.

454
MCQeasy

A government agency runs all of its computing workloads on hardware located in its own secure facility. No resources are hosted with a third-party cloud provider. The agency manages all servers, networking equipment, and storage. Which cloud deployment model describes this architecture?

A.Public cloud
B.Hybrid cloud
C.Private cloud
D.Community cloud
AnswerC

Private cloud means the infrastructure is dedicated to a single organisation and is not shared with others. Operating all workloads on agency-owned hardware in an agency-managed facility is private cloud.

Why this answer

Option C is correct because a private cloud deployment model is defined by cloud resources being used exclusively by a single organization, typically hosted on-premises in the organization's own data center. In this scenario, the government agency owns and manages all hardware, networking, and storage within its own secure facility, with no third-party cloud provider involvement, which aligns precisely with the private cloud model.

Exam trap

The trap here is that candidates often confuse 'on-premises' with 'private cloud,' forgetting that a private cloud requires cloud characteristics like self-service, resource pooling, and rapid elasticity, not just isolated hardware; however, in this question, the agency's fully managed on-premises environment still qualifies as a private cloud because it meets the NIST definition of exclusive use by a single organization.

How to eliminate wrong answers

Option A is wrong because a public cloud model involves resources hosted and managed by a third-party cloud provider (e.g., AWS, Azure, GCP) and shared with multiple tenants, which contradicts the agency's exclusive use of its own on-premises hardware. Option B is wrong because a hybrid cloud model requires a combination of on-premises infrastructure (private cloud) and public cloud resources, with orchestration or data transfer between them; the agency has no public cloud component. Option D is wrong because a community cloud model is shared by several organizations with common concerns (e.g., compliance, security), not a single agency, and often involves third-party hosting; this scenario describes exclusive use by one organization.

455
MCQeasy

Before moving to AWS, a company over-provisioned their data centre servers to handle projected peak traffic, resulting in expensive idle capacity most of the time. After migrating, the company uses Auto Scaling to match capacity exactly to actual demand. Which cloud benefit does this represent?

A.Trade capital expense for variable expense
B.Benefit from economies of scale
C.Stop guessing about capacity
D.Increase speed and agility
AnswerC

Cloud computing allows organisations to provision as much or as little capacity as needed and scale up or down automatically. This eliminates both the waste of over-provisioning and the performance problems of under-provisioning.

Why this answer

Option C is correct because the scenario directly describes the cloud benefit of 'Stop guessing about capacity.' Before AWS, the company over-provisioned servers to handle projected peak traffic, leading to idle capacity. With Auto Scaling, AWS dynamically adjusts compute resources to match actual demand, eliminating the need to predict capacity in advance.

Exam trap

The trap here is that candidates confuse 'Stop guessing about capacity' with 'Trade capital expense for variable expense,' because both involve cost optimization, but the question specifically highlights the elimination of over-provisioning due to demand prediction, not the payment model shift.

How to eliminate wrong answers

Option A is wrong because 'Trade capital expense for variable expense' refers to shifting from upfront hardware costs (CAPEX) to pay-as-you-go operational costs (OPEX), not to matching capacity to demand. Option B is wrong because 'Benefit from economies of scale' describes how AWS aggregates usage across many customers to lower per-unit costs, which is unrelated to Auto Scaling's demand-matching behavior. Option D is wrong because 'Increase speed and agility' focuses on rapid provisioning of resources, not on eliminating capacity guessing; Auto Scaling does improve agility, but the core benefit illustrated here is removing the need to predict capacity.

456
MCQmedium

A company wants to automate the creation and management of machine learning models without writing code. Which AWS service provides a no-code ML model building interface?

A.Amazon SageMaker Studio
B.Amazon SageMaker Canvas
C.Amazon SageMaker Autopilot
D.Amazon Rekognition Custom Labels
AnswerB

SageMaker Canvas provides a visual, no-code interface for building ML models — business analysts can import data and generate predictions without writing any code.

Why this answer

Amazon SageMaker Canvas is a no-code ML service that provides a visual, drag-and-drop interface for building and managing machine learning models without writing any code. It is designed for business analysts and domain experts who need to generate predictions from their data without programming expertise.

Exam trap

The trap here is that candidates confuse SageMaker Studio (a code-based IDE) or SageMaker Autopilot (automated but code-required) with a true no-code service, missing that Canvas is the only option explicitly designed for non-programmers.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker Studio is an integrated development environment (IDE) for ML that requires writing code in notebooks or scripts, not a no-code interface. Option C is wrong because Amazon SageMaker Autopilot automates the ML pipeline (feature engineering, model selection, tuning) but still requires some code or API calls to initiate and manage; it does not provide a no-code visual builder. Option D is wrong because Amazon Rekognition Custom Labels is a service for training custom image classification models using a visual interface, but it is limited to computer vision tasks and is not a general-purpose no-code ML model building tool.

457
MCQmedium

A company has multiple departments (HR, Finance, Engineering) sharing a single AWS account. Each department tags its resources with a 'Department' tag (e.g., Department:HR). The finance team wants to set monthly spending limits for each department and receive email alerts when a department's spending reaches 80% of its limit. They also want a visual dashboard to compare actual spending against the budgeted amounts. Which combination of AWS services should the finance team use?

A.AWS Cost Explorer and AWS Trusted Advisor
B.AWS Budgets and Amazon QuickSight
C.AWS Budgets and AWS Cost Explorer
D.AWS Pricing Calculator and AWS Cost Explorer
AnswerC

Correct. AWS Budgets allows the finance team to create monthly cost budgets per department (using cost allocation tags) and configure alerts at 80% of the budgeted amount. AWS Cost Explorer provides a visual dashboard with charts and tables to compare actual spending against budgets, enabling the team to track progress without needing an external BI tool.

Why this answer

AWS Budgets allows the finance team to set monthly spending limits per department (using the 'Department' tag) and configure alerts at 80% of the budget. AWS Cost Explorer provides a visual dashboard to compare actual spending against budgeted amounts, enabling trend analysis and cost allocation tracking. Together, they fulfill both the alerting and visualization requirements.

Exam trap

The trap here is that candidates may think Amazon QuickSight is needed for visualization, but AWS Cost Explorer already provides built-in charts and dashboards for comparing actual vs. budgeted costs, making QuickSight unnecessary for this specific requirement.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides cost optimization recommendations and checks (e.g., idle resources) but does not support setting spending limits or sending budget alerts. Option B is wrong because Amazon QuickSight is a business intelligence service for creating dashboards, but it cannot directly set budget limits or trigger email alerts based on spending thresholds; it would require additional integration. Option D is wrong because AWS Pricing Calculator is used for estimating costs before deployment, not for monitoring actual spending or setting budget alerts.

458
MCQmedium

A data team needs to extract data from S3 and RDS, transform it (clean, enrich, join), and load it into Amazon Redshift for analytics. They want a serverless service that discovers and catalogues data schemas automatically and runs the ETL jobs without provisioning servers. Which AWS service provides this?

A.Amazon EMR
B.AWS Data Pipeline
C.AWS Glue
D.Amazon Kinesis Data Firehose
AnswerC

Glue is a serverless ETL service. The Glue Crawler discovers and catalogues schemas from S3 and databases automatically. Glue Jobs run Spark-based transformations serverlessly, loading results to Redshift without any server provisioning.

Why this answer

AWS Glue is a fully managed, serverless ETL service that automatically discovers and catalogs data schemas using its Crawler feature, which populates the AWS Glue Data Catalog. It can extract data from S3 and RDS, transform it (clean, enrich, join), and load it into Amazon Redshift without any server provisioning or management.

Exam trap

The trap here is that candidates confuse AWS Glue with Amazon EMR because both can run Spark-based ETL, but EMR requires server provisioning and lacks automatic schema discovery, while Glue is fully serverless and includes the Data Catalog.

How to eliminate wrong answers

Option A is wrong because Amazon EMR is a cluster-based big data platform that requires provisioning and managing EC2 instances (servers), and it does not automatically discover or catalog data schemas. Option B is wrong because AWS Data Pipeline is a managed orchestration service but it is not serverless—it relies on EC2 instances or task runners that must be provisioned, and it lacks built-in schema discovery and cataloging. Option D is wrong because Amazon Kinesis Data Firehose is a serverless streaming data ingestion service that loads data into destinations like S3 or Redshift, but it does not perform complex transformations (e.g., joins, enrichment) and has no schema discovery or cataloging capabilities.

459
MCQmedium

A company migrates their self-managed MySQL database running on a virtual machine to Amazon RDS for MySQL, taking advantage of managed backups and Multi-AZ without changing the database schema or application code. Which migration strategy does this represent?

A.Rehost
B.Replatform
C.Refactor
D.Repurchase
AnswerB

Replatforming involves moving to a managed cloud service to gain benefits (automated backups, Multi-AZ) without rearchitecting the application. Moving from a self-managed MySQL VM to Amazon RDS is the classic replatform example.

Why this answer

This is a Replatform (also called 'lift and reshape' or 'platform modernization') migration because the company moves the MySQL database from a self-managed VM to Amazon RDS without changing the database schema or application code. They gain managed backups and Multi-AZ, which are RDS-specific features, but the core database engine and application interface remain unchanged, so no refactoring of the application is required.

Exam trap

The trap here is that candidates confuse Rehost with Replatform because both involve minimal code changes, but Rehost keeps the workload on the same type of infrastructure (e.g., EC2), while Replatform moves to a managed service like RDS that offloads administrative tasks.

How to eliminate wrong answers

Option A is wrong because Rehost (lift-and-shift) would involve moving the MySQL database as-is to an EC2 instance, not to a managed service like RDS that provides automated backups and Multi-AZ. Option C is wrong because Refactor would require changing the database schema, application code, or both (e.g., moving from MySQL to DynamoDB or Aurora Serverless), which is not done here. Option D is wrong because Repurchase involves replacing the database with a different commercial product (e.g., moving from MySQL to Oracle Database), which is not the case as the company stays on MySQL.

460
MCQmedium

A company uses Amazon EC2 instances and Amazon S3 for its workloads. The finance team reviews the monthly AWS bill and notices it includes line items for EC2 instance hours, data transfer out from EC2, and S3 storage usage. The bill shows exactly how many hours each instance ran and how much data was transferred. The company uses this detailed usage data to allocate costs to different departments and to optimize resource utilization. This scenario best demonstrates which essential characteristic of cloud computing?

A.Measured service
B.On-demand self-service
C.Broad network access
D.Resource pooling
AnswerA

This is correct because measured service is the characteristic where cloud providers meter usage and provide detailed reports, enabling customers to understand and optimize costs. The scenario of receiving a detailed per-hour and per-gigabyte bill directly illustrates this concept.

Why this answer

The correct answer is A (Measured service) because the scenario explicitly describes how the company uses detailed usage data—EC2 instance hours, data transfer out, and S3 storage—to allocate costs and optimize resource utilization. This aligns with the cloud computing characteristic where resource usage is metered, monitored, and reported transparently, enabling pay-per-use billing and cost allocation.

Exam trap

The trap here is that candidates may confuse 'Measured service' with 'Resource pooling' because both involve resource usage, but measured service specifically refers to the metering and reporting of usage for billing and optimization, not the multi-tenant sharing aspect.

How to eliminate wrong answers

Option B (On-demand self-service) is wrong because the scenario focuses on cost allocation and optimization based on usage data, not on the ability to provision resources automatically without human interaction. Option C (Broad network access) is wrong because the scenario does not mention network accessibility from diverse devices or platforms; it is about billing and usage tracking. Option D (Resource pooling) is wrong because the scenario does not describe multi-tenant resource sharing or location independence; it is about metered usage and cost allocation.

461
MCQmedium

A company's external auditor requires the company to provide evidence that the AWS infrastructure used by the company meets SOC 2 and ISO 27001 standards. The company needs to download the latest AWS SOC 2 report and ISO 27001 certification to share with the auditor. Which AWS service or feature should the company use to retrieve these documents?

A.AWS Audit Manager
B.AWS Artifact
C.AWS Config
D.AWS Trusted Advisor
AnswerB

AWS Artifact is the correct service for downloading AWS compliance reports, such as SOC 2 and ISO 27001 certifications, on demand.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS security and compliance reports, including SOC 2 and ISO 27001 certifications. The company can download the latest versions directly from the AWS Artifact console or API, satisfying the auditor's request for evidence without needing to configure any additional resources.

Exam trap

The trap here is that candidates confuse AWS Artifact (a document repository for compliance reports) with AWS Audit Manager (a tool for automating internal audits), leading them to select Audit Manager when the question specifically asks for downloading existing reports.

How to eliminate wrong answers

Option A (AWS Audit Manager) is wrong because it is used to continuously audit AWS usage and automate evidence collection for internal compliance frameworks, not to download pre-existing compliance reports like SOC 2 or ISO 27001. Option C (AWS Config) is wrong because it evaluates and records resource configuration changes against desired policies, but it does not provide access to AWS's own third-party compliance certifications. Option D (AWS Trusted Advisor) is wrong because it offers real-time recommendations for cost optimization, performance, security, and fault tolerance, but it does not host or distribute compliance documentation.

462
MCQmedium

A company operates multiple Amazon VPCs across several AWS accounts for different business units. The company also has an on-premises data center connected to AWS via AWS Direct Connect. The network team wants to simplify the connectivity between all VPCs and the on-premises network. Currently, they manage individual VPC peering connections, which is becoming complex as more VPCs are added. They need a single network hub that can scale to connect hundreds of VPCs and the on-premises network, with centralized routing management. Which AWS service should the network team use?

A.AWS Transit Gateway
B.Amazon VPC peering
C.AWS PrivateLink
D.AWS Site-to-Site VPN
AnswerA

AWS Transit Gateway is a central hub that connects VPCs and on-premises networks. It supports hub-and-spoke topology, scales to hundreds of VPCs, and works with Direct Connect and VPNs. This meets the requirement for simplified, scalable connectivity with centralized routing.

Why this answer

AWS Transit Gateway acts as a single, scalable network hub that connects multiple VPCs and on-premises networks via Direct Connect, using a centralized routing table. This eliminates the need for complex, meshed VPC peering connections and provides transitive routing across all attached networks, which directly addresses the requirement for a hub that scales to hundreds of VPCs.

Exam trap

AWS often tests the misconception that VPC peering can be used as a hub-and-spoke solution, but candidates must remember that VPC peering is non-transitive and requires a full mesh, whereas Transit Gateway provides transitive routing and centralized management.

How to eliminate wrong answers

Option B (Amazon VPC peering) is wrong because it creates a one-to-one, non-transitive connection between two VPCs only, requiring a full mesh of peering connections as VPCs increase, which does not scale to hundreds of VPCs and does not natively integrate with Direct Connect for on-premises connectivity. Option C (AWS PrivateLink) is wrong because it is designed for private, one-way access to a specific service or endpoint within a VPC, not for routing traffic between multiple VPCs or to an on-premises network; it lacks transitive routing and hub-and-spoke capabilities. Option D (AWS Site-to-Site VPN) is wrong because it only connects a single VPC to an on-premises network over the internet, not multiple VPCs, and does not provide centralized routing or transitive connectivity between VPCs.

463
MCQeasy

Which AWS service is used to register domain names and route DNS queries for domain names like 'example.com'?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53
D.AWS Certificate Manager
AnswerC

Route 53 provides domain registration, DNS hosting, and health checking — a complete managed DNS solution from domain purchase to global traffic routing.

Why this answer

Amazon Route 53 is a scalable Domain Name System (DNS) web service that provides both domain name registration and DNS resolution. It translates human-readable domain names like 'example.com' into IP addresses and can also register new domains or transfer existing ones. This dual functionality makes it the correct choice for the question.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with a DNS service because both use anycast and improve performance, but Global Accelerator does not handle domain registration or standard DNS query resolution.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers content at edge locations, not a DNS service or domain registrar. Option B is wrong because AWS Global Accelerator improves application availability and performance by directing traffic over the AWS global network using anycast IP addresses, but it does not register domain names or perform DNS resolution. Option D is wrong because AWS Certificate Manager (ACM) provisions, manages, and deploys SSL/TLS certificates for use with AWS services, but it has no role in domain registration or DNS routing.

464
MCQmedium

A startup is designing a new application on AWS. They have selected specific Amazon EC2 instance types, Amazon EBS volumes, and estimated data transfer. The team wants to compare the monthly cost of running the application using On-Demand instances versus 1-year All Upfront Reserved Instances before they commit to any resources. Which AWS tool should they use to generate this cost estimate?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Pricing Calculator
D.AWS Trusted Advisor
AnswerC

The AWS Pricing Calculator is the correct tool for estimating the cost of AWS services based on planned usage, including comparing pricing models like On-Demand and Reserved Instances before deployment.

Why this answer

AWS Pricing Calculator (option C) is the correct tool because it allows users to estimate the monthly cost of AWS services, including EC2 instances, EBS volumes, and data transfer, before deployment. It supports comparing pricing models such as On-Demand and 1-year All Upfront Reserved Instances by letting you input specific instance types, storage, and transfer details to generate a detailed cost breakdown. This matches the startup's need to compare costs without committing to resources.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (which analyzes existing costs) with the AWS Pricing Calculator (which estimates future costs for new deployments), leading them to select Cost Explorer for a scenario that requires pre-deployment cost comparison.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer analyzes historical cost and usage data to visualize past spending and forecast future costs, but it cannot generate estimates for a new, undeployed application with specific instance types and pricing models. Option B is wrong because AWS Budgets sets cost or usage thresholds and sends alerts when those are exceeded, but it does not provide upfront cost estimation or comparison of pricing models for planned resources. Option D is wrong because AWS Trusted Advisor inspects existing AWS environments to offer optimization recommendations (e.g., idle resources, reserved instance opportunities) but cannot generate cost estimates for a new application that has not been deployed.

465
MCQmedium

A company runs non-production Amazon EC2 instances for development and testing. The finance team wants to automatically stop all non-production instances if the monthly spending exceeds $5,000. The team wants to set this up without writing custom scripts or using third-party tools. Which AWS feature should the finance team use to meet this requirement?

A.AWS Budgets with a budget action to stop EC2 instances
B.AWS Cost Explorer
C.AWS Trusted Advisor
D.AWS Config
AnswerA

Correct. AWS Budgets supports budget actions that can automatically stop EC2 instances when actual or forecasted costs exceed the budget threshold, eliminating the need for custom scripts.

Why this answer

AWS Budgets allows you to set a cost budget (e.g., $5,000) and attach a budget action that triggers an AWS Systems Manager (SSM) automation document to stop EC2 instances when the actual or forecasted spend exceeds the threshold. This meets the requirement without custom scripts or third-party tools, as the budget action natively integrates with EC2 via SSM.

Exam trap

The trap here is that candidates confuse AWS Budgets (a cost management tool) with AWS Config (a compliance tool) or Trusted Advisor (a recommendation engine), assuming those can enforce actions, but only Budgets with budget actions provides the automated, threshold-based stop capability without custom code.

How to eliminate wrong answers

Option B (AWS Cost Explorer) is wrong because it provides visualization and analysis of cost and usage data but cannot execute automated actions like stopping instances. Option C (AWS Trusted Advisor) is wrong because it offers best-practice recommendations (e.g., idle instance detection) but does not support automated enforcement or budget-based triggers. Option D (AWS Config) is wrong because it evaluates resource configurations against rules and can trigger remediation via SSM, but it lacks native budget threshold monitoring and cannot directly stop instances based on monthly spending limits.

466
MCQmedium

A company runs a web application on multiple EC2 instances across multiple Availability Zones. All instances need to access and share the same file system simultaneously to read and write shared configuration files. Which AWS storage service supports simultaneous access from multiple EC2 instances?

A.Amazon EBS
B.Instance Store
C.Amazon EFS
D.Amazon S3
AnswerC

EFS provides a shared NFS file system that can be mounted simultaneously by multiple EC2 instances across multiple AZs. It scales automatically and supports concurrent reads and writes from many instances.

Why this answer

Amazon EFS is a fully managed, NFS-based file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones, providing shared access for reading and writing configuration files. It uses the NFSv4.1 protocol and supports thousands of simultaneous connections, making it ideal for shared storage scenarios.

Exam trap

The trap here is that candidates may confuse Amazon EBS with a shared file system, not realizing that standard EBS volumes are single-instance attachable, while EFS is purpose-built for multi-instance shared access.

How to eliminate wrong answers

Option A is wrong because Amazon EBS volumes are block-level storage that can only be attached to a single EC2 instance at a time (except for multi-attach EBS io1/io2 volumes, which are limited to a few instances and not designed for general shared file access). Option B is wrong because Instance Store provides temporary, block-level storage that is physically attached to the host server and cannot be shared across instances; data is lost if the instance stops or terminates. Option D is wrong because Amazon S3 is object storage accessed via HTTP/HTTPS APIs, not a POSIX-compliant file system, and does not support standard file locking or direct mount as a shared file system for EC2 instances.

467
MCQmedium

A company runs a web application on Amazon EC2 instances that connect to a relational database. The application requires high database availability so that if the primary database instance fails, a standby instance automatically takes over without manual intervention. The company wants to minimize administrative overhead for database patching, backups, and replication. Which AWS service should the company use to meet these requirements?

A.Amazon RDS Multi-AZ
B.Amazon RDS Single-AZ
C.Amazon DynamoDB Global Tables
D.Amazon S3
AnswerA

Correct. Amazon RDS Multi-AZ automatically provisions and maintains a synchronous standby replica in a different Availability Zone. If the primary instance fails, Amazon RDS automatically fails over to the standby, providing high availability. It also handles automated backups, patching, and replication.

Why this answer

Amazon RDS Multi-AZ provides high availability by automatically provisioning and maintaining a synchronous standby replica in a different Availability Zone. If the primary database instance fails, Amazon RDS automatically fails over to the standby, ensuring minimal downtime without manual intervention. Additionally, RDS handles patching, backups, and replication automatically, reducing administrative overhead.

Exam trap

The trap here is that candidates may confuse Amazon RDS Multi-AZ with Amazon DynamoDB Global Tables, assuming both provide high availability for relational databases, but DynamoDB is NoSQL and does not support relational queries or the same failover model.

How to eliminate wrong answers

Option B is wrong because Amazon RDS Single-AZ does not provide a standby instance or automatic failover; if the instance fails, the database becomes unavailable until manual recovery is performed. Option C is wrong because Amazon DynamoDB Global Tables is a NoSQL database service, not a relational database, and while it offers multi-region replication, it does not support the relational database model required by the application. Option D is wrong because Amazon S3 is an object storage service, not a relational database, and cannot serve as the primary database for a web application requiring relational queries and high availability.

468
MCQmedium

A company needs a managed workflow service to coordinate long-running business processes that may require human approval steps and can run for up to one year. Which AWS service handles this?

A.AWS Lambda
B.Amazon SQS
C.AWS Step Functions (Standard Workflows)
D.Amazon EventBridge
AnswerC

Step Functions Standard Workflows support executions lasting up to one year, human approval steps via task tokens, parallel execution, and comprehensive error handling — ideal for long-running business processes.

Why this answer

AWS Step Functions Standard Workflows are designed for long-running, durable, and auditable workflows that can run for up to one year, making them ideal for coordinating business processes that require human approval steps. They provide built-in error handling, retries, and state management, which are essential for orchestrating multi-step processes with human intervention.

Exam trap

The trap here is that candidates often confuse AWS Step Functions with Amazon EventBridge, but EventBridge is only for event routing and cannot orchestrate long-running workflows with human approval steps, while Step Functions Standard Workflows are explicitly built for this purpose.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes, making it unsuitable for workflows that can run for up to one year. Option B is wrong because Amazon SQS is a message queuing service that does not provide workflow orchestration, state management, or built-in human approval step capabilities. Option D is wrong because Amazon EventBridge is an event bus service for routing events between applications, not a workflow orchestrator that can manage long-running business processes with human approval steps.

469
MCQmedium

Which benefit of cloud computing allows organizations to avoid the capital expense of buying hardware and instead pay only for what they use?

A.Economies of scale
B.Stop spending money running and maintaining data centers
C.Trade capital expense for variable expense
D.Increase speed and agility
AnswerC

Cloud computing converts upfront CapEx (hardware purchases) into variable OpEx (pay-as-you-go) spending.

Why this answer

Trading capital expense (CapEx) for variable/operational expense (OpEx) is a core cloud benefit. Instead of investing in data centers and servers upfront, organizations pay only for the computing resources they consume, converting large fixed costs into smaller, flexible operating expenses.

470
MCQmedium

A company processes credit card transactions and must comply with PCI DSS requirements. Customer payment data is stored in Amazon RDS for MySQL. The security team needs to ensure that all automated database snapshots are encrypted at rest using customer-managed encryption keys that are automatically rotated every 365 days. The team wants a fully managed AWS service to create and control these encryption keys. Which AWS service should the company use to meet these requirements?

A.AWS Key Management Service (AWS KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Certificate Manager (ACM)
AnswerA

Correct. AWS KMS is the managed service for creating and controlling encryption keys. It supports automatic annual key rotation and encrypts RDS snapshots at rest.

Why this answer

AWS KMS is the correct service because it provides a fully managed, centralized way to create and control customer-managed keys (CMKs) that can be used to encrypt Amazon RDS automated snapshots. KMS supports automatic annual key rotation (365 days) as a built-in feature, and it integrates directly with RDS to enforce encryption at rest for snapshots without requiring any manual key management. This meets the PCI DSS requirement for customer-controlled encryption keys with automated rotation.

Exam trap

The trap here is that candidates confuse CloudHSM's hardware-based key control with KMS's fully managed key rotation and integration, assuming that any HSM service automatically handles key rotation, when in fact CloudHSM requires you to implement rotation logic yourself.

How to eliminate wrong answers

Option B is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) that give you full control over the HSM appliance, but it is not a fully managed key creation and rotation service; you must manage key rotation yourself, and it does not natively integrate with RDS for automated snapshot encryption. Option C is wrong because AWS Secrets Manager is designed to manage and rotate secrets (like database credentials or API keys), not to create or control encryption keys for data-at-rest encryption; it cannot be used to encrypt RDS snapshots. Option D is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificates for securing network traffic, not encryption keys for data at rest; it has no capability to encrypt RDS snapshots or manage customer-managed encryption keys.

471
MCQmedium

A healthcare startup is migrating its patient records database to Amazon RDS for PostgreSQL. The company must comply with HIPAA and ensure that all protected health information (PHI) is encrypted at rest and in transit. Which task is the company responsible for under the AWS shared responsibility model?

A.Encrypting the physical disk drives in the AWS data center that host the database.
B.Enabling encryption at rest for the Amazon RDS instance and configuring SSL for connections.
C.Applying operating system patches to the Amazon RDS database engine.
D.Configuring network ACLs to block all traffic except from authorized sources.
AnswerB

This is the customer's responsibility. The customer must choose to enable encryption at rest when creating or modifying the RDS instance and must configure SSL/TLS settings to ensure data in transit is encrypted. AWS provides the underlying infrastructure, but the customer controls the encryption settings.

Why this answer

Under the AWS shared responsibility model, the customer is responsible for encryption in transit and at rest for the data they store in AWS services. For Amazon RDS, enabling encryption at rest (via AWS KMS) and configuring SSL/TLS for client connections are customer-side tasks. AWS handles the physical security of data centers and the underlying infrastructure, but the customer must explicitly enable these encryption features to meet HIPAA compliance.

Exam trap

The trap here is that candidates often confuse customer-managed patching (Option C) with AWS-managed patching in RDS, or they assume network ACLs (Option D) satisfy encryption requirements, when the question specifically targets encryption responsibilities under HIPAA.

How to eliminate wrong answers

Option A is wrong because encrypting physical disk drives in AWS data centers is the sole responsibility of AWS under the shared responsibility model; customers have no access to or control over physical hardware. Option C is wrong because applying operating system patches to the Amazon RDS database engine is managed by AWS, not the customer; RDS is a managed service where AWS handles patching of the database engine and underlying OS. Option D is wrong because configuring network ACLs to block all traffic except from authorized sources is a customer responsibility, but it is not the specific task required to meet the encryption-in-transit and at-rest requirements for HIPAA; the question explicitly asks about encryption, not network access control.

472
MCQmedium

A company runs a development environment composed of multiple Amazon EC2 instances. The finance team has set a monthly budget of $5,000 for this environment and wants to automatically stop all EC2 instances if the accumulated cost reaches $4,500 before the end of the month. The team needs a managed AWS-native solution that does not require custom scripts or third-party tools. Which AWS feature or service should the company use to meet this requirement?

A.AWS Budgets with a budget action that stops EC2 instances when the threshold is exceeded
B.AWS Cost Explorer with a saved filter and manual instance termination
C.AWS Trusted Advisor cost optimization checks
D.AWS Organizations Service Control Policies (SCPs)
AnswerA

AWS Budgets supports budget actions that can automate responses to cost or usage threshold breaches. You can configure an action to stop Amazon EC2 instances, which directly satisfies the requirement without custom scripts.

Why this answer

AWS Budgets allows you to set a cost budget with an associated budget action that can automatically stop EC2 instances when the actual or forecasted cost exceeds a specified threshold (e.g., $4,500). This is a fully managed, native AWS solution that requires no custom scripts or third-party tools, directly meeting the requirement to stop instances automatically based on cost.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer's visualization capabilities with automated cost control actions, or mistakenly think Trusted Advisor can enforce cost limits, when only AWS Budgets with budget actions provides native, automated instance stopping based on cost thresholds.

How to eliminate wrong answers

Option B is wrong because AWS Cost Explorer provides cost visualization and filtering but does not support automated actions like stopping EC2 instances; it requires manual intervention to terminate instances. Option C is wrong because AWS Trusted Advisor offers cost optimization recommendations and checks but cannot execute automated actions such as stopping instances based on a budget threshold. Option D is wrong because AWS Organizations Service Control Policies (SCPs) are used to centrally control permissions across accounts and cannot directly stop EC2 instances or react to cost thresholds.

473
MCQmedium

A company moves its infrastructure to AWS. The company's IT team notices that they have no control over which specific physical server their virtual machines run on, and they are unaware of the exact hardware location except at the regional level. The underlying physical resources are shared across multiple AWS customers. Which essential characteristic of cloud computing does this scenario BEST describe?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerC

Resource pooling is correct. The cloud provider pools its computing resources to serve multiple consumers using a multi-tenant model. The customer has no visibility or control over the exact physical location of the resources, only a higher-level abstraction such as region or availability zone. This characteristic allows for efficient utilization and cost savings.

Why this answer

Option C is correct because resource pooling is the cloud characteristic where the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to customer demand. The scenario describes the customer having no control over the exact physical server or hardware location beyond the regional level, which is the essence of resource pooling. This allows AWS to achieve economies of scale while abstracting the underlying hardware from the customer.

Exam trap

The trap here is that candidates confuse resource pooling with rapid elasticity because both involve dynamic allocation, but resource pooling is about multi-tenant sharing of physical infrastructure, while rapid elasticity is about the speed of scaling resources up or down.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a customer's ability to provision computing capabilities automatically without requiring human interaction with each service provider, not to the lack of visibility into physical hardware. Option B is wrong because broad network access describes capabilities that are available over the network and accessed through standard mechanisms (e.g., HTTPS, SSH) by heterogeneous client platforms, not the sharing of physical infrastructure. Option D is wrong because rapid elasticity refers to the ability to quickly scale resources up or out and down or in, often automatically, to meet fluctuating demand, not to the abstraction or sharing of physical servers.

474
MCQmedium

A company uses an Amazon RDS for PostgreSQL database for its production application. The security policy requires that database passwords be rotated automatically every 90 days. The database credentials are currently stored in a configuration file on an Amazon EC2 instance. The company wants a fully managed AWS service that can securely store the credentials, automatically rotate them on a schedule, and update the RDS instance without requiring code changes to the application. Which AWS service should the company use to meet these requirements?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Key Management Service (KMS)
D.AWS Certificate Manager (ACM)
AnswerA

Secrets Manager natively supports automatic rotation of RDS database credentials with built-in rotation functions, and it integrates directly with RDS to update the password. No application code changes are needed.

Why this answer

AWS Secrets Manager is the correct choice because it is a fully managed service designed specifically to securely store database credentials, automatically rotate them on a defined schedule (e.g., every 90 days), and natively integrate with Amazon RDS to update the password without requiring any application code changes. The application can retrieve the current credentials at runtime using the Secrets Manager API, eliminating the need for hardcoded or file-based credentials.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation and RDS integration, making it unsuitable for the rotation requirement.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it only stores plaintext or encrypted parameters and requires custom solutions (e.g., Lambda functions) to implement rotation. Option C is wrong because AWS Key Management Service (KMS) is a key management service for creating and controlling encryption keys, not for storing or rotating database credentials. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy SSL/TLS certificates, not database passwords or secrets.

475
MCQmedium

A company is migrating a steady-state web server to AWS. The server is expected to run continuously (24 hours a day, 7 days a week) for the next three years. The workload has predictable CPU and memory usage and does not experience significant spikes. The company wants to minimize the total cost of running this server over the three-year period. Which AWS EC2 pricing model should the company choose?

A.On-Demand Instances
B.Spot Instances
C.Standard Reserved Instances with a 3-year term and all upfront payment
D.Dedicated Hosts
AnswerC

Standard Reserved Instances provide a substantial discount over On-Demand pricing when you commit to a 1- or 3-year term. Paying all upfront gives the highest discount, making this the most cost-effective option for a predictable, long-running workload.

Why this answer

Standard Reserved Instances with a 3-year term and all upfront payment provide the highest discount (up to 72% compared to On-Demand) for workloads that run continuously and predictably. Since this server will run 24/7 for three years with no significant spikes, a 3-year all upfront Reserved Instance minimizes total cost by locking in the lowest effective hourly rate.

Exam trap

AWS often tests the misconception that Spot Instances are always cheaper and can be used for any workload, but the trap here is that Spot Instances are interruptible and thus unsuitable for continuous, steady-state production servers.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances have no upfront commitment and charge the highest per-hour rate, making them the most expensive choice for a steady-state, always-on workload over three years. Option B is wrong because Spot Instances can be interrupted with a 2-minute warning when AWS needs capacity back, making them unsuitable for a server that must run continuously without interruption. Option D is wrong because Dedicated Hosts provide physical servers for licensing or compliance needs and are significantly more expensive than Reserved Instances; they do not offer cost optimization for a standard web server workload.

476
MCQmedium

A company wants its employees to access cloud applications and manage cloud resources from anywhere using a variety of devices, including laptops, smartphones, and tablets. Which essential characteristic of cloud computing does this requirement directly represent?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Measured service
AnswerB

Broad network access means that resources are available over the network and can be accessed by standard mechanisms that promote use by heterogeneous client platforms (e.g., mobile phones, tablets, laptops, and workstations). This directly matches the requirement to access cloud resources from a variety of devices.

Why this answer

The requirement for employees to access cloud applications and manage resources from anywhere using laptops, smartphones, and tablets directly represents broad network access. This essential characteristic means that cloud services are available over standard network protocols (e.g., HTTP/HTTPS, SSH) and can be accessed by heterogeneous client platforms, including mobile devices, workstations, and tablets, without requiring location-specific infrastructure.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'on-demand self-service' because both involve user interaction, but the question's emphasis on 'from anywhere using a variety of devices' is a direct match for the NIST definition of broad network access, not the automated provisioning aspect of self-service.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing capabilities (e.g., spinning up an EC2 instance) automatically without requiring human interaction with the service provider, not the ability to access from multiple devices. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, not the access method or device diversity. Option D is wrong because measured service means that cloud systems automatically control and optimize resource use by leveraging a metering capability (e.g., billing per API call or GB-hour), which is unrelated to device or network accessibility.

477
MCQeasy

Which of the following best describes an AWS Region?

A.A single data center used by AWS
B.A group of edge locations used for content delivery
C.A geographic area containing multiple Availability Zones
D.A virtual private network segment within AWS
AnswerC

A Region is a geographic area with multiple, isolated Availability Zones.

Why this answer

An AWS Region is a distinct geographic area that consists of multiple, isolated, and physically separate Availability Zones (AZs). Each AZ contains one or more data centers with redundant power, networking, and connectivity. This design ensures high availability and fault tolerance, as resources can be distributed across AZs within a Region to withstand failures in a single data center.

Exam trap

The trap here is that candidates confuse an Availability Zone (a single data center or cluster) with an AWS Region, or mistakenly think a Region is just a single data center, when in fact a Region always contains at least two AZs for high availability.

How to eliminate wrong answers

Option A is wrong because a single data center is not an AWS Region; a Region comprises multiple Availability Zones, each of which may contain one or more data centers. Option B is wrong because a group of edge locations is used for content delivery via AWS CloudFront, not for compute or storage services that define a Region. Option D is wrong because a virtual private network segment within AWS refers to a Virtual Private Cloud (VPC), which is a logically isolated network within a Region, not the Region itself.

478
MCQeasy

Which AWS IAM feature allows you to set the maximum permissions that IAM entities in an account can have, regardless of what their identity-based policies allow?

A.IAM Conditions
B.Permission Boundaries
C.Service Control Policies (SCPs)
D.Resource-based policies
AnswerB

Permission Boundaries define the maximum permissions an IAM entity can have — even if attached policies grant more, the boundary limits actual effective permissions.

Why this answer

Permission Boundaries are an AWS IAM feature that sets the maximum permissions an IAM entity (user or role) can have. They act as a guardrail, limiting the effective permissions to the intersection of the identity-based policy and the boundary, regardless of what the identity-based policy allows. This ensures that even if a policy grants broad access, the boundary caps it at a defined maximum.

Exam trap

The trap here is confusing Permission Boundaries with Service Control Policies (SCPs), as both set permission limits, but SCPs operate at the AWS Organizations account level, not at the individual IAM entity level within a single account.

How to eliminate wrong answers

Option A is wrong because IAM Conditions are used to specify when a policy is in effect (e.g., based on IP address, time, or MFA status), not to set a hard cap on maximum permissions. Option C is wrong because Service Control Policies (SCPs) are an AWS Organizations feature that apply to all accounts within an organization, not to individual IAM entities within a single account. Option D is wrong because Resource-based policies are attached directly to AWS resources (like S3 buckets or KMS keys) and grant cross-account access, but they do not limit the maximum permissions of an IAM entity.

479
MCQmedium

A company hosts a multi-tier web application on AWS. The web tier runs on Amazon EC2 instances in a public subnet, and the database tier runs on Amazon EC2 instances in a private subnet. The security team needs to configure security groups to allow only the web tier instances to communicate with the database tier on port 3306 (MySQL). The web tier must be accessible from the internet on port 443. Which security group configuration meets these requirements?

A.Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing the web security group as source on port 3306.
B.Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing 0.0.0.0/0 on port 3306.
C.Web security group: inbound rule allowing the web security group as source on port 443. Database security group: inbound rule allowing the web security group as source on port 3306.
D.Web security group: inbound rule allowing 0.0.0.0/0 on port 443. Database security group: inbound rule allowing the internet-facing Application Load Balancer security group as source on port 3306.
AnswerA

This is correct. The web SG allows internet traffic on port 443, and the database SG uses the web SG as a source, which permits only traffic from instances associated with the web SG on port 3306.

Why this answer

Option A is correct because it uses a security group reference as the source for the database security group's inbound rule on port 3306, which allows traffic only from instances associated with the web security group. The web security group allows inbound HTTPS traffic from the internet (0.0.0.0/0) on port 443, meeting the requirement for public access. This configuration ensures least-privilege access by restricting database communication to only the web tier, without exposing the database to the internet or requiring IP-based rules.

Exam trap

The trap here is that candidates often confuse security group references with IP-based rules or incorrectly assume that the web security group should reference itself for inbound internet traffic, rather than using 0.0.0.0/0 for public access.

How to eliminate wrong answers

Option B is wrong because allowing 0.0.0.0/0 on port 3306 in the database security group would permit any internet host to connect to the database, violating the requirement to restrict access to only the web tier. Option C is wrong because the web security group's inbound rule should allow traffic from the internet (0.0.0.0/0) on port 443, not from itself; referencing the web security group as source on port 443 would only allow traffic from other instances in the same web security group, blocking external users. Option D is wrong because the database security group should reference the web security group as source, not the Application Load Balancer security group; the ALB is not part of the web tier instances and would allow traffic from the load balancer rather than directly from the EC2 instances, which does not match the requirement.

480
MCQeasy

A company is concerned about unexpected AWS charges from development instances that developers forget to stop. Which AWS service provides a simple dashboard showing AWS service health events and can also be used to stay informed about account-level events?

A.AWS Trusted Advisor
B.Amazon CloudWatch
C.AWS Health Dashboard (Personal Health Dashboard)
D.AWS Config
AnswerC

AWS Health Dashboard provides personalized, account-specific notifications about AWS service events, planned maintenance, and security notifications that may affect your resources.

Why this answer

The AWS Health Dashboard (Personal Health Dashboard) provides a personalized view of the health of AWS services and resources that affect your account, including scheduled maintenance and account-level events. It can also surface billing alerts and other account-level notifications, making it the correct choice for staying informed about unexpected charges from forgotten development instances.

Exam trap

The trap here is that candidates often confuse the AWS Health Dashboard (Personal Health Dashboard) with the AWS Service Health Dashboard (the public status page at status.aws.amazon.com), which shows only global service health and not account-specific events or billing alerts.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide a dashboard for service health events or account-level event notifications. Option B is wrong because Amazon CloudWatch monitors metrics and logs for your AWS resources and applications, and can trigger alarms based on thresholds, but it is not a dedicated dashboard for AWS service health events or account-level events. Option D is wrong because AWS Config evaluates your resource configurations against desired policies and tracks configuration changes, but it does not provide a dashboard for service health events or account-level billing events.

481
MCQmedium

A company encrypts data stored in Amazon S3, Amazon RDS, and Amazon EBS. The security team needs a managed service to create, rotate, and control the encryption keys used to protect this data, with full audit trails of key usage. Which AWS service should they use?

A.AWS CloudHSM
B.AWS Secrets Manager
C.AWS KMS
D.AWS Certificate Manager
AnswerC

KMS creates and manages encryption keys and integrates directly with S3, RDS, EBS, and many other services. All key usage events are automatically logged in CloudTrail, providing the required audit trail.

Why this answer

AWS KMS is a managed service that allows you to create, rotate, and control encryption keys used to protect data in Amazon S3, Amazon RDS, and Amazon EBS. It integrates with AWS CloudTrail to provide full audit trails of key usage, meeting the security team's requirements for a managed key management solution.

Exam trap

The trap here is that candidates often confuse AWS KMS with AWS CloudHSM, mistakenly thinking CloudHSM is required for full control and audit trails, but KMS provides managed key rotation and native CloudTrail integration without the operational overhead of managing HSMs.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but requires manual management of key rotation and does not offer native integration with AWS services for automatic key creation and rotation like KMS does. Option B is wrong because AWS Secrets Manager is designed to manage and rotate secrets such as database credentials and API keys, not encryption keys for data at rest in S3, RDS, or EBS. Option D is wrong because AWS Certificate Manager handles SSL/TLS certificates for securing network traffic, not encryption keys for data at rest.

482
MCQmedium

A startup uses AWS Lambda for its backend processing. The company is billed only for the number of function invocations and the compute time consumed, rounded up to the nearest millisecond. There are no minimum fees or upfront commitments. This billing model is a direct example of which essential characteristic of cloud computing?

A.On-demand self-service
B.Resource pooling
C.Measured service
D.Broad network access
AnswerC

Measured service is the characteristic where cloud systems automatically control and optimize resource use by leveraging a metering capability. Charging only for the actual compute time consumed (down to the millisecond) with no minimum fees is a direct demonstration of this metering and pay-per-use model.

Why this answer

The AWS Lambda billing model—charging only for function invocations and compute time rounded to the nearest millisecond, with no minimum fees or upfront commitments—directly exemplifies measured service. This essential characteristic of cloud computing means that resource usage is metered, monitored, and reported transparently, allowing customers to pay only for what they consume. In Lambda, the metering is granular: each invocation is counted, and duration is measured in 1-millisecond increments, enabling precise cost allocation.

Exam trap

The trap here is that candidates confuse 'measured service' with 'on-demand self-service' because both involve user control, but measured service specifically refers to the metering and pay-per-use billing model, not the ability to provision resources without human interaction.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources automatically without requiring human interaction with the service provider, not to the billing model itself. Option B is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned to serve multiple customers, which is an underlying infrastructure characteristic, not a billing feature. Option D is wrong because broad network access means that resources are available over the network and accessed through standard protocols (e.g., HTTPS, SSH), which is unrelated to how usage is metered and billed.

483
MCQeasy

A company needs to convert text documents into natural-sounding speech in multiple languages for an audiobook application. Which AWS service provides this capability?

A.Amazon Transcribe
B.Amazon Translate
C.Amazon Polly
D.Amazon Lex
AnswerC

Polly is AWS's managed TTS service that converts text into lifelike speech in dozens of languages, with standard and neural voice options for audiobook-quality output.

Why this answer

Amazon Polly is a managed service that turns text into lifelike speech using deep learning technologies, supporting multiple languages and voices. It is specifically designed for text-to-speech (TTS) conversion, making it the correct choice for generating natural-sounding audio for an audiobook application.

Exam trap

The trap here is confusing Amazon Polly (text-to-speech) with Amazon Transcribe (speech-to-text), as both deal with speech but in opposite directions, leading candidates to mistakenly choose Transcribe when the requirement is to generate speech from text.

How to eliminate wrong answers

Option A is wrong because Amazon Transcribe is an automatic speech recognition (ASR) service that converts speech to text, not text to speech. Option B is wrong because Amazon Translate is a neural machine translation service that translates text between languages, but it does not generate speech output. Option D is wrong because Amazon Lex is a service for building conversational interfaces (chatbots) using speech recognition and natural language understanding, but its primary purpose is not standalone text-to-speech conversion for audiobooks.

484
MCQmedium

A development team needs to spin up a new Amazon RDS database instance for a proof-of-concept application. The team can log into the AWS Management Console, select the database engine, configure settings, and launch the instance within minutes, without needing to submit a ticket or wait for IT operations to provision hardware. Which essential characteristic of cloud computing does this scenario BEST demonstrate?

A.Resource pooling
B.Measured service
C.On-demand self-service
D.Rapid elasticity
AnswerC

On-demand self-service is a key characteristic of cloud computing that enables users to provision computing resources automatically as needed, without requiring human interaction with the service provider. The team's ability to launch an RDS instance directly via the console, without waiting for IT staff, is a direct example of this characteristic.

Why this answer

The scenario describes a user independently provisioning an RDS instance through the AWS Management Console without any human interaction with IT operations. This directly aligns with the on-demand self-service characteristic of cloud computing, where users can provision computing resources automatically as needed without requiring service provider interaction.

Exam trap

The trap here is confusing the ability to quickly provision resources (on-demand self-service) with the ability to scale them dynamically (rapid elasticity), as both involve speed but address different phases of resource lifecycle.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's ability to serve multiple customers from shared physical resources using multi-tenant models, not the user's ability to provision resources independently. Option B is wrong because measured service involves monitoring, controlling, and reporting resource usage for billing and optimization, which is not demonstrated by the act of spinning up an instance. Option D is wrong because rapid elasticity describes the ability to scale resources up or down quickly in response to demand, not the initial self-provisioning of a single instance.

485
MCQmedium

A company wants to purchase EC2 capacity that provides a discount over On-Demand pricing and is available only when AWS has excess capacity, with the option of interruption with a 2-minute warning. Which option is this?

A.Reserved Instances
B.On-Demand Instances
C.Spot Instances
D.Dedicated Instances
AnswerC

Spot Instances leverage AWS spare capacity at up to 90% discount, with the risk of a 2-minute interruption notice when AWS needs capacity back.

Why this answer

Spot Instances (Option C) are correct because they offer a significant discount over On-Demand pricing but can be interrupted by AWS with a 2-minute warning when AWS needs the capacity back. This matches the scenario of purchasing EC2 capacity that is available only when AWS has excess capacity and includes the risk of interruption.

Exam trap

The trap here is that candidates often confuse Spot Instances with Reserved Instances, thinking any discount means a commitment, but Spot Instances are interruptible and based on excess capacity, not a fixed-term contract.

How to eliminate wrong answers

Option A is wrong because Reserved Instances provide a discount in exchange for a 1- or 3-year commitment, not based on excess capacity, and they are not interruptible. Option B is wrong because On-Demand Instances have no discount, no interruption risk, and are always available at a fixed price. Option D is wrong because Dedicated Instances are physically isolated at the host hardware level for compliance or licensing, but they are billed on an On-Demand or Reserved basis and do not offer a discount tied to excess capacity or interruption.

486
MCQeasy

A company uses several AWS services and wants to create a unified monitoring dashboard to track metrics and set alarms. Which AWS service provides this capability?

A.AWS CloudTrail
B.Amazon CloudWatch
C.AWS Config
D.AWS X-Ray
AnswerB

CloudWatch provides metrics collection, custom dashboards, alarms, log analysis, and automated responses for AWS services and custom applications.

Why this answer

Amazon CloudWatch is AWS's observability service for monitoring metrics, logs, events, and traces from AWS services and custom applications. CloudWatch dashboards display metrics from multiple services in a single view. CloudWatch Alarms trigger notifications or automated actions when metrics exceed thresholds.

487
MCQeasy

Which AWS service provides a desktop development environment in the cloud with a browser-based code editor and computing resources, requiring no local installation?

A.AWS CloudShell
B.AWS Cloud9
C.AWS CodeCommit
D.AWS CodeBuild
AnswerB

Cloud9 is a full browser-based IDE with code editing, debugging, terminal access, and collaborative development features — no local installation required.

Why this answer

AWS Cloud9 is a cloud-based integrated development environment (IDE) that provides a browser-based code editor, terminal, and pre-configured computing resources (e.g., EC2 instances or SSH servers). It requires no local installation, making it ideal for developing applications directly from a web browser.

Exam trap

The trap here is that candidates confuse AWS CloudShell (a simple shell) with a full development environment, but CloudShell lacks the code editor and project management features that Cloud9 provides.

How to eliminate wrong answers

Option A is wrong because AWS CloudShell provides a browser-based shell with pre-installed CLI tools, but it does not include a code editor or a full development environment like Cloud9. Option C is wrong because AWS CodeCommit is a fully managed source control service (Git-based) for storing and versioning code, not a development environment. Option D is wrong because AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages, but it does not provide an interactive desktop or code editor.

488
MCQmedium

A company runs a microservices application on AWS. It needs to send real-time alerts to mobile devices via push notifications and to administrators via email whenever a critical event occurs. The solution must be a fully managed service that supports both delivery channels without requiring separate infrastructure for each. Which AWS service should the company use?

A.Amazon Simple Notification Service (SNS)
B.Amazon Simple Queue Service (SQS)
C.Amazon Simple Email Service (SES)
D.Amazon Pinpoint
AnswerA

Amazon SNS is a fully managed pub/sub messaging service that can deliver messages to a variety of subscribers, including mobile push notifications and email. It is the correct choice for this requirement.

Why this answer

Amazon SNS is a fully managed pub/sub messaging service that supports multiple delivery protocols, including push notifications to mobile devices (via Apple Push Notification Service, Firebase Cloud Messaging, etc.) and email (via SMTP or HTTP endpoints). This allows the company to send real-time alerts through both channels from a single service without provisioning separate infrastructure for each.

Exam trap

The trap here is that candidates often confuse Amazon Pinpoint (a marketing and analytics service) with Amazon SNS (a simple pub/sub notification service), but the question explicitly asks for a fully managed service that supports both push notifications and email without separate infrastructure — SNS fits this requirement directly, while Pinpoint is designed for targeted campaigns and user segmentation, not simple event-driven alerts.

How to eliminate wrong answers

Option B (Amazon SQS) is wrong because it is a message queue service for decoupling application components, not a push notification or email delivery service; it requires consumers to poll messages and does not natively send push notifications or emails. Option C (Amazon SES) is wrong because it is designed for sending transactional and bulk email only, not push notifications to mobile devices. Option D (Amazon Pinpoint) is wrong because while it supports push notifications and email, it is primarily a customer engagement and marketing analytics service, not a simple pub/sub alerting service; it requires more configuration and is overkill for straightforward event-driven alerts.

489
MCQmedium

A company runs a multi-region application on AWS with separate VPCs in us-east-1 and eu-west-1. The company also has an on-premises data center connected to AWS via AWS Direct Connect. The network team wants to simplify the routing topology so that traffic between all VPCs and the on-premises network flows through a central hub. They need a service that can manage many VPC attachments and provide transitive routing across all connected networks. Which AWS service should the network team use?

A.AWS Transit Gateway
B.Amazon Route 53
C.AWS Direct Connect Gateway
D.AWS PrivateLink
AnswerA

AWS Transit Gateway is a network transit hub that connects VPCs, VPN connections, and AWS Direct Connect connections. It supports transitive routing, allowing all attached networks to communicate through a single gateway, which simplifies network architecture.

Why this answer

AWS Transit Gateway is the correct choice because it acts as a central hub that connects multiple VPCs and on-premises networks via a single gateway, enabling transitive routing between all attached networks. It supports many VPC attachments (up to thousands per gateway) and simplifies routing topology by eliminating the need for complex peering or VPN mesh configurations. This directly meets the requirement for a service that manages many VPC attachments and provides transitive routing across all connected networks.

Exam trap

The trap here is that candidates often confuse AWS Direct Connect Gateway with Transit Gateway, assuming Direct Connect Gateway can provide transitive routing between VPCs, but it only connects Direct Connect circuits to multiple VPCs and does not enable VPC-to-VPC routing or act as a central hub for all network attachments.

How to eliminate wrong answers

Option B (Amazon Route 53) is wrong because it is a DNS and domain name resolution service, not a network routing or connectivity service; it cannot route traffic between VPCs or to on-premises networks. Option C (AWS Direct Connect Gateway) is wrong because it only facilitates connectivity between Direct Connect connections and multiple VPCs in different regions, but it does not provide transitive routing between VPCs themselves or act as a central hub for all network attachments. Option D (AWS PrivateLink) is wrong because it enables private connectivity between VPCs and specific services (like SaaS endpoints) without traversing the public internet, but it does not provide transitive routing between multiple VPCs or between VPCs and on-premises networks.

490
MCQmedium

A company has 20 AWS accounts managed under AWS Organizations. The finance team wants to centralize billing so that the company receives volume discounts for the aggregated usage across all accounts. Additionally, the team needs to set monthly budgets for each department and automatically receive email notifications when a department's spending reaches 80% of its budget threshold. Which combination of AWS features or services should the company use to meet these requirements?

A.AWS Cost Explorer with AWS Budgets
B.Consolidated Billing with AWS Budgets
C.AWS Trusted Advisor with Consolidated Billing
D.AWS Cost Explorer with AWS Organizations
AnswerB

Consolidated Billing in AWS Organizations aggregates all account usage into a single bill, enabling the company to receive volume discounts (e.g., tiered pricing for EC2, S3). AWS Budgets allows the finance team to set custom budgets for each department and automatically send email notifications when actual or forecasted costs reach a defined threshold (e.g., 80%). This combination meets both requirements.

Why this answer

Consolidated Billing aggregates usage across all accounts in AWS Organizations, enabling volume discounts. AWS Budgets allows setting monthly budgets per department and configuring alerts (e.g., at 80% threshold) to send email notifications via Amazon SNS. Together, they meet both centralization and notification requirements.

Exam trap

The trap here is confusing AWS Cost Explorer (a visualization tool) with AWS Budgets (an alerting tool), leading candidates to pick A or D, which lack the automated notification mechanism.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visualization and analysis of costs but does not automate budget threshold notifications or enable volume discounts through aggregation. Option C is wrong because AWS Trusted Advisor offers best-practice checks and cost optimization recommendations, but it does not provide consolidated billing or budget alerting capabilities. Option D is wrong because AWS Cost Explorer with AWS Organizations only enables cost visibility across accounts, not the automated budget threshold notifications required.

491
MCQmedium

A company has been using Amazon EC2 instances for a production application for the past 12 months. The finance team wants to understand historical spending patterns and identify opportunities to reduce costs. Specifically, they need to see which EC2 instance families and sizes are being underutilized and get recommendations for purchasing Reserved Instances to save money compared to current On-Demand pricing. The team wants to use a native AWS tool that provides a visual dashboard of costs, usage trends, and actionable recommendations. Which AWS tool should the finance team use?

A.AWS Budgets
B.AWS Trusted Advisor
C.AWS Cost Explorer
D.AWS Compute Optimizer
AnswerC

AWS Cost Explorer is the correct tool. It provides an interactive dashboard of historical costs and usage, allows filtering by EC2 instance family, and generates Reserved Instance purchase recommendations based on your past usage. It is specifically designed for cost analysis and optimization.

Why this answer

AWS Cost Explorer is the correct choice because it provides a visual dashboard of historical cost and usage data, including the ability to filter by EC2 instance families and sizes to identify underutilized resources. It also offers Reserved Instance (RI) purchase recommendations based on historical On-Demand usage, enabling the finance team to compare costs and identify savings opportunities directly within the native AWS console.

Exam trap

The trap here is that candidates often confuse AWS Compute Optimizer (which focuses on right-sizing) with Cost Explorer (which provides both historical cost visualization and RI purchase recommendations), leading them to choose D instead of C.

How to eliminate wrong answers

Option A is wrong because AWS Budgets allows you to set cost and usage thresholds and receive alerts, but it does not provide historical spending analysis, visual dashboards of usage trends, or specific RI purchase recommendations. Option B is wrong because AWS Trusted Advisor offers cost optimization checks (e.g., underutilized EC2 instances) but does not provide a visual dashboard of historical spending patterns or detailed RI recommendations based on usage history. Option D is wrong because AWS Compute Optimizer analyzes resource utilization and provides recommendations for instance type changes, but it does not focus on historical cost trends or provide RI purchase recommendations; it is more about right-sizing than cost savings via Reserved Instances.

492
MCQmedium

A company is developing a microservices application using Docker containers. The development team wants to deploy and run these containers on AWS without having to provision or manage any underlying EC2 instances. Additionally, the team does not want to manage the container orchestration control plane. They need a fully serverless compute engine for containers that automatically scales based on demand. Which AWS compute option should the team use?

A.Amazon EC2 instances with Docker installed
B.AWS Lambda
C.Amazon ECS with the AWS Fargate launch type
D.Amazon EKS with managed node groups
AnswerC

AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and Amazon EKS. With Fargate, you do not need to provision or manage EC2 instances; you specify the CPU and memory requirements, and Fargate automatically runs and scales the containers. This fully meets the requirement of a serverless container compute service with no cluster management.

Why this answer

Amazon ECS with the AWS Fargate launch type is the correct choice because it provides a fully serverless compute engine for containers. Fargate eliminates the need to provision or manage EC2 instances and removes the burden of managing the container orchestration control plane, as AWS handles both the underlying infrastructure and the orchestration layer. It automatically scales container instances based on demand, meeting the team's requirement for a serverless, auto-scaling container solution.

Exam trap

The trap here is that candidates often confuse AWS Lambda's container image support with a full container orchestration solution, but Lambda is not designed for long-running or stateful container workloads and lacks the orchestration features of ECS or EKS.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 instances with Docker installed require the team to provision, manage, and scale the underlying EC2 instances, which contradicts the requirement to avoid managing any EC2 instances. Option B is wrong because AWS Lambda is designed for event-driven, short-lived functions, not for running Docker containers as a primary compute model; while Lambda supports container images, it is not a container orchestration service and does not provide the same level of control for microservices applications. Option D is wrong because Amazon EKS with managed node groups still requires the team to manage the Kubernetes control plane (even though node groups are managed), and it does not offer a fully serverless experience; the control plane is managed by AWS but the team must still handle node scaling and patching, unlike Fargate which abstracts all infrastructure.

493
MCQmedium

A company wants to migrate their on-premises VMware virtual machines to Amazon EC2. Which AWS service simplifies this lift-and-shift migration?

A.AWS Snowball
B.AWS Application Migration Service (AWS MGN)
C.AWS Database Migration Service
D.Amazon EC2 Import/Export
AnswerB

AWS MGN continuously replicates on-premises servers (physical, virtual, or cloud) to AWS, enabling non-disruptive testing and cutover for lift-and-shift migrations to EC2.

Why this answer

AWS Application Migration Service (AWS MGN) is the correct choice because it is specifically designed to simplify and automate the lift-and-shift migration of on-premises VMware virtual machines to Amazon EC2. It continuously replicates source servers (including VMware VMs) to a staging area in AWS, then automatically converts and launches the instances on EC2, minimizing downtime and manual effort.

Exam trap

The trap here is that candidates often confuse AWS MGN with the older EC2 Import/Export service, mistakenly thinking the legacy tool is sufficient for a modern lift-and-shift migration, but EC2 Import/Export requires manual steps and does not support continuous replication or automated conversion.

How to eliminate wrong answers

Option A is wrong because AWS Snowball is a physical data transport device used for large-scale data transfer (petabytes) or edge computing, not for live migration of VMware VMs to EC2. Option C is wrong because AWS Database Migration Service (DMS) is designed for migrating databases (e.g., Oracle to Amazon RDS), not for migrating entire virtual machines or server workloads. Option D is wrong because Amazon EC2 Import/Export is a legacy service that allows importing VM images as AMIs but requires manual conversion and does not provide continuous replication or automated lift-and-shift capabilities like AWS MGN.

494
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application connects to an Amazon RDS for MySQL database. The database password is currently hardcoded in the application configuration file, and the security team is concerned about the risk of exposure. The company wants to remove the hardcoded credential and instead have the application retrieve the database password securely at runtime. Additionally, the security team requires that the password be automatically rotated every 90 days without any manual intervention or custom scripting. Which AWS service should the company use to meet these requirements?

A.AWS Systems Manager Parameter Store (SecureString parameters)
B.AWS Key Management Service (AWS KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM) roles for Amazon EC2
AnswerC

AWS Secrets Manager is a fully managed service for storing, retrieving, and automatically rotating secrets, including database credentials. It integrates with Amazon RDS to enable automatic rotation without custom code, meeting all requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials (including RDS for MySQL) without custom code. It supports native, automatic rotation of secrets every 90 days via a built-in Lambda rotation function, meeting the security team's requirement for zero manual intervention. Unlike Parameter Store, Secrets Manager provides automatic rotation out of the box, which is the key differentiator here.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (SecureString) with Secrets Manager, but Parameter Store lacks native automatic rotation, which is the critical requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store (SecureString parameters) can securely store the password and retrieve it at runtime, but it does not provide built-in automatic rotation of secrets; you would need custom scripting or a separate solution to rotate the password every 90 days. Option B is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing or rotating secrets like database passwords. Option D is wrong because IAM roles for EC2 grant permissions to AWS API actions but cannot store or rotate a database password; they are used for authentication to AWS services, not for managing application-level credentials.

495
MCQmedium

A company has a development environment running on Amazon EC2 instances. To control costs, the team wants to set a monthly budget of $5,000 for this environment. If the forecasted cost for the month exceeds $6,000 (20% over budget), they want AWS to automatically stop all non-critical EC2 instances to prevent further spending. Which AWS feature should the team use to implement this automated cost control?

A.AWS Cost Explorer
B.AWS Budgets with budget actions
C.AWS Trusted Advisor
D.AWS Cost Anomaly Detection
AnswerB

AWS Budgets enables you to set custom budgets (e.g., monthly cost budget). With budget actions, you can configure automated responses when actual or forecasted costs exceed budget thresholds. For example, you can define an action to stop non-critical EC2 instances when the forecast exceeds $6,000. This fully meets the requirement.

Why this answer

AWS Budgets with budget actions allows you to set a monthly budget of $5,000 and define an action that triggers when the forecasted cost exceeds a specified threshold (e.g., 20% over budget, or $6,000). The action can automatically stop non-critical EC2 instances using an IAM role and a predefined runbook, directly enforcing cost control without manual intervention. This is the only AWS feature that combines budget monitoring with automated remediation actions.

Exam trap

The trap here is that candidates confuse AWS Budgets (which can trigger actions) with AWS Cost Explorer (which only provides reporting) or AWS Cost Anomaly Detection (which only alerts), failing to recognize that only AWS Budgets with budget actions supports automated remediation.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visualization and analysis of historical and forecasted costs, but it cannot trigger automated actions to stop instances. Option C is wrong because AWS Trusted Advisor offers cost optimization recommendations (e.g., idle instances) but does not support automated budget-based actions or instance termination. Option D is wrong because AWS Cost Anomaly Detection uses machine learning to detect anomalous spending patterns and send alerts, but it cannot execute automated remediation like stopping EC2 instances.

496
MCQeasy

A company's sales team uses a cloud-based CRM application hosted on AWS. Sales representatives access the application from various devices—office desktops, company-issued laptops, and personal smartphones—using only standard web browsers and internet connections. No special client software or dedicated network connections are required. Which essential characteristic of cloud computing does this scenario best illustrate?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerB

Broad network access means capabilities are available over the network and accessed through standard mechanisms from a variety of client devices. The sales team uses multiple device types and standard web browsers, which is a direct example of this characteristic.

Why this answer

The scenario describes sales representatives accessing the CRM application from various devices (desktops, laptops, smartphones) using only standard web browsers and internet connections, without requiring special client software or dedicated network connections. This directly illustrates 'broad network access,' which is the ability for resources to be accessed over the network by a wide range of client platforms (e.g., mobile phones, laptops, workstations) using standard protocols (HTTP/HTTPS). The key is that the service is available from anywhere with an internet connection, not limited to a specific location or device type.

Exam trap

The trap here is that candidates confuse 'broad network access' with 'on-demand self-service' because both involve user interaction, but the key differentiator is that broad network access focuses on accessibility from multiple device types over standard networks, whereas on-demand self-service is about automated provisioning without provider intervention.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (like spinning up EC2 instances) automatically without requiring human interaction with the service provider, not simply accessing an application from different devices. Option C is wrong because resource pooling describes the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand, which is an internal implementation detail not observable by the sales team. Option D is wrong because rapid elasticity involves the ability to quickly scale resources up or down (e.g., adding more compute capacity during peak load), which is not demonstrated by the sales team merely accessing a static CRM application from various devices.

497
MCQmedium

A company runs an e-commerce application on Amazon EC2 instances in the us-east-1 Region. The application serves static assets (images, CSS files) and dynamic API responses. Users in Europe and Asia report that the website loads slowly, especially for images. The company needs a solution that reduces latency for both static and dynamic content by caching static assets at edge locations and accelerating dynamic API calls using optimized network paths. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon S3 Transfer Acceleration
D.Application Load Balancer
AnswerA

CloudFront is correct because it provides caching of static assets at edge locations and accelerates dynamic content via optimized routing, addressing both latency requirements for a global audience.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets (images, CSS files) at edge locations worldwide, reducing latency for users in Europe and Asia. It also supports dynamic API acceleration by using optimized network paths (AWS global network backbone) and features like origin shield and TCP optimizations, making it the correct choice for both static and dynamic content.

Exam trap

The trap here is that candidates may confuse AWS Global Accelerator (which optimizes dynamic traffic only) with CloudFront (which handles both caching and acceleration), failing to recognize that caching static assets is a requirement that only a CDN like CloudFront can fulfill.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it only improves performance for dynamic traffic by routing over the AWS global network and providing static IP addresses, but it does not cache static assets at edge locations. Option C (Amazon S3 Transfer Acceleration) is wrong because it only speeds up uploads to S3 buckets over long distances, not caching or accelerating delivery of static assets or dynamic API responses to end users. Option D (Application Load Balancer) is wrong because it distributes traffic across EC2 instances within a region and does not provide edge caching or global network path optimization.

498
MCQmedium

A company has a two-tier web application. The front-end web servers run on Amazon EC2 instances in a public subnet. The back-end application servers process jobs that are submitted by the front end. The company wants to decouple the front-end and back-end tiers so that the back-end servers can process jobs as they are submitted, even if the front-end servers experience a spike in traffic. The solution must be durable and fully managed, and must allow the front-end servers to send job requests without waiting for the back-end servers to be available. Which AWS service should the company use to send the job requests from the front end to the back end?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerA

Amazon SQS is a fully managed message queue service that decouples application components. Front-end servers can send job requests to an SQS queue, and back-end servers process them asynchronously. Messages are stored durably across multiple Availability Zones, and the front end can continue sending requests without waiting for the back end to be ready. This correctly meets the requirement for a durable, fully managed decoupling solution.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed, durable, and decoupled message queue that allows front-end EC2 instances to send job requests as messages. The back-end application servers can then poll and process these messages asynchronously, ensuring that spikes in front-end traffic do not overwhelm the back-end, and the front-end does not need to wait for back-end availability.

Exam trap

The trap here is that candidates often confuse SNS (push-based, no durability for offline consumers) with SQS (pull-based, durable queue), or they overcomplicate the solution by selecting Kinesis Data Streams for its streaming capability, not recognizing that the requirement is simply a decoupled job queue, not real-time analytics.

How to eliminate wrong answers

Option B (Amazon Simple Notification Service) is wrong because SNS is a pub/sub messaging service that pushes notifications to subscribers; it does not provide a durable queue where messages are stored until consumed, so if the back-end is unavailable, messages are lost. Option C (Amazon Kinesis Data Streams) is wrong because it is designed for real-time streaming of large volumes of data (e.g., log ingestion, analytics) and requires custom consumers to manage checkpointing and shard processing; it is not a simple job queue for decoupling request/response patterns. Option D (AWS Step Functions) is wrong because it is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message queue for decoupling front-end and back-end tiers; it adds unnecessary complexity and does not natively provide a durable buffer for job requests.

499
MCQmedium

A company operates a global e-commerce website behind Amazon CloudFront. Security analysts have noticed a pattern of SQL injection attempts and cross-site scripting attacks targeting the web application. The company needs a fully managed service that can inspect incoming HTTP(S) requests and block these common web exploits before they reach the application origin. The solution must integrate with CloudFront and allow the security team to author custom rules. Which AWS service should the company use?

A.AWS Shield Advanced
B.AWS WAF
C.Amazon GuardDuty
D.AWS Firewall Manager
AnswerB

AWS WAF is a web application firewall that monitors and filters web requests for common attack patterns such as SQL injection and cross-site scripting. It integrates with CloudFront and allows you to define custom rules to block malicious traffic before it reaches your application.

Why this answer

AWS WAF is a fully managed web application firewall that integrates directly with Amazon CloudFront to inspect HTTP(S) requests. It provides pre-configured rule groups (e.g., the SQL injection and cross-site scripting rule sets) and allows the security team to author custom rules to block common web exploits before they reach the origin. This makes it the correct choice for the described use case.

Exam trap

The trap here is that candidates confuse AWS Shield Advanced (which handles volumetric DDoS) with AWS WAF (which handles application-layer exploits like SQL injection and XSS), leading them to select Shield Advanced when the question explicitly describes web application attacks.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced provides DDoS protection and cost protection against scaling attacks, not application-layer inspection for SQL injection or XSS. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity in AWS accounts and workloads using VPC Flow Logs, DNS logs, and CloudTrail events, not a web application firewall that inspects HTTP(S) requests. Option D is wrong because AWS Firewall Manager is a policy management service that centrally configures and enforces firewall rules (including AWS WAF rules) across accounts, but it does not itself inspect or block web traffic.

500
MCQmedium

A company is reviewing their AWS bill and notices charges for Amazon CloudWatch. Which specific CloudWatch usage would NOT incur additional charges beyond the CloudWatch free tier?

A.Detailed monitoring (1-minute metrics) for EC2 instances
B.Basic monitoring (5-minute metrics) for EC2 instances
C.Publishing 100 custom metrics
D.Storing CloudWatch Logs beyond the free tier
AnswerB

CloudWatch Basic monitoring providing 5-minute EC2 metrics is included at no additional charge — it's automatically enabled for all EC2 instances.

Why this answer

Basic monitoring for EC2 instances provides metrics at 5-minute intervals at no additional cost, as it is included in the CloudWatch free tier. Detailed monitoring (1-minute metrics) incurs charges because it requires more frequent data collection and storage. Therefore, basic monitoring is the only option that does not generate extra charges beyond the free tier.

Exam trap

The trap here is that candidates assume all CloudWatch monitoring is free, but AWS specifically charges for detailed monitoring and custom metrics beyond the free tier limits, while basic monitoring remains free to encourage foundational observability without upfront costs.

How to eliminate wrong answers

Option A is wrong because detailed monitoring (1-minute metrics) for EC2 instances is a paid feature that incurs additional charges per instance per hour, as it increases the volume of metric data points sent to CloudWatch. Option C is wrong because the CloudWatch free tier includes only 10 custom metrics per month; publishing 100 custom metrics would exceed this limit and incur charges for the additional 90 metrics. Option D is wrong because storing CloudWatch Logs beyond the free tier (5 GB per month) incurs charges for both data ingestion and storage, as the free tier only covers the first 5 GB of log data per account per month.

501
MCQeasy

What is the purpose of AWS Shield Standard?

A.To encrypt data at rest in S3 buckets
B.To protect AWS resources against common DDoS attacks
C.To monitor API calls made to AWS services
D.To filter malicious web traffic using rules
AnswerB

Shield Standard automatically protects all AWS customers against common DDoS attacks at no extra cost.

Why this answer

AWS Shield Standard is a free, always-on service that protects all AWS customers from common, infrastructure-layer Distributed Denial of Service (DDoS) attacks, such as SYN floods, UDP floods, and reflection attacks. It uses network flow monitoring and inline mitigation techniques at the AWS edge to automatically detect and block malicious traffic targeting AWS resources like EC2, ELB, CloudFront, and Route 53. This makes option B correct because its sole purpose is to provide baseline DDoS protection without any additional configuration or cost.

Exam trap

The trap here is that candidates often confuse AWS Shield Standard with AWS WAF, mistakenly thinking Shield Standard provides application-layer filtering (like SQL injection or XSS protection), when in fact it only handles infrastructure-layer DDoS attacks, while WAF is needed for Layer 7 web traffic inspection.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest in S3 buckets is handled by AWS Key Management Service (KMS) or S3 server-side encryption (SSE), not by Shield Standard, which is a network-layer DDoS mitigation service. Option C is wrong because monitoring API calls to AWS services is the function of AWS CloudTrail, which logs API activity for auditing and governance, not Shield Standard. Option D is wrong because filtering malicious web traffic using rules is the purpose of AWS WAF (Web Application Firewall), which operates at Layer 7 and inspects HTTP/HTTPS requests, whereas Shield Standard focuses on Layer 3/4 volumetric DDoS attacks.

502
MCQmedium

A company wants to migrate 50 virtual machines from their on-premises data centre to AWS as quickly as possible to reduce data centre costs. They plan to move the VMs without making any changes to the applications. Which cloud migration strategy does this represent?

A.Refactor
B.Replatform
C.Rehost
D.Retire
AnswerC

Rehosting (lift and shift) moves applications to the cloud with no changes. It is the fastest strategy for migrating VMs and is chosen when speed and minimising disruption are the primary goals.

Why this answer

Option C (Rehost) is correct because the company is migrating 50 virtual machines to AWS without making any changes to the applications, which is the defining characteristic of a 'lift and shift' migration. This strategy involves moving the VMs as-is, typically using AWS Server Migration Service (SMS) or AWS Application Migration Service (AWS MGN), to quickly reduce on-premises data center costs without application refactoring.

Exam trap

The trap here is that candidates confuse Rehost (no changes) with Replatform (minimal changes), often selecting Replatform because they think moving to AWS inherently requires some modification, but the exam explicitly defines Rehost as migrating without any application changes.

How to eliminate wrong answers

Option A is wrong because Refactor involves re-architecting the application to be cloud-native (e.g., converting a monolithic app to microservices), which contradicts the requirement of no changes to applications. Option B is wrong because Replatform involves making minimal changes to leverage cloud-managed services (e.g., moving a database to Amazon RDS), which still requires some application modifications, not a pure lift-and-shift. Option D is wrong because Retire means decommissioning applications that are no longer needed, but the question states the company wants to migrate 50 VMs, not eliminate them.

503
MCQmedium

A startup company is evaluating the benefits of migrating to AWS. The CEO wants to experiment with a new application idea by quickly launching a small server, testing the application for a few days, and then decommissioning it. The company does not want to go through a lengthy procurement process to purchase hardware. Which cloud computing concept does this scenario best demonstrate?

A.Elasticity
B.Agility
C.High availability
D.Pay-as-you-go
AnswerB

Agility is the ability to rapidly provision and decommission resources with minimal effort, enabling fast experimentation and time-to-market. This matches the CEO's need to quickly launch a server for a trial and then shut it down without long procurement cycles.

Why this answer

The scenario describes the ability to rapidly provision a small server, test an application for a few days, and then decommission it without the delay of hardware procurement. This directly demonstrates agility, which in cloud computing refers to the speed and ease with which resources can be deployed, modified, and removed to respond to changing business needs. AWS services like EC2 allow instances to be launched in minutes via the AWS Management Console, CLI, or SDK, and terminated just as quickly, bypassing traditional hardware acquisition cycles.

Exam trap

The trap here is that candidates confuse the rapid provisioning and decommissioning (agility) with the cost model (pay-as-you-go) or the scaling capability (elasticity), but the question specifically emphasizes the speed of setup and teardown without procurement delays, which is the definition of agility.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not the speed of initial provisioning or decommissioning for a short-term experiment. Option C is wrong because high availability focuses on ensuring applications remain accessible and fault-tolerant across multiple Availability Zones, which is not relevant to quickly launching and decommissioning a single server. Option D is wrong because pay-as-you-go is a pricing model where you pay only for what you use, which is a benefit of the scenario but not the primary concept being demonstrated; the core idea is the rapid provisioning and decommissioning, which is agility.

504
MCQmedium

Which AWS support plan includes access to AWS Incident Detection and Response as an add-on service for proactive incident management?

A.Business Support
B.Developer Support
C.Enterprise Support
D.Enterprise On-Ramp
AnswerC

Incident Detection and Response is an add-on available to Enterprise Support customers, providing proactive monitoring and AWS-initiated response before customers notice issues.

Why this answer

AWS Incident Detection and Response is an add-on service that provides proactive incident management, including 24/7 monitoring and response from the AWS Support team. This service is only available as an add-on to the Enterprise Support plan, which offers the highest level of support with a Technical Account Manager (TAM) and proactive guidance. The Enterprise Support plan is designed for large-scale, mission-critical workloads that require rapid incident response and continuous operational improvement.

Exam trap

The trap here is that candidates often confuse the Enterprise On-Ramp plan with the full Enterprise plan, assuming it includes all enterprise-level features like Incident Detection and Response, when in fact it is a scaled-down offering without this add-on.

How to eliminate wrong answers

Option A is wrong because the Business Support plan does not include access to AWS Incident Detection and Response as an add-on; it offers only basic incident response via Cloud Support Engineers without proactive monitoring. Option B is wrong because the Developer Support plan is intended for early development and testing, providing only general guidance and best practices, not proactive incident management or add-on services. Option D is wrong because the Enterprise On-Ramp plan is a lower-cost entry point for enterprises that includes some proactive guidance but does not offer the AWS Incident Detection and Response add-on, which is exclusive to the full Enterprise Support plan.

505
MCQmedium

A company wants to understand the AWS Well-Architected Framework's sixth pillar added in 2021. Which pillar focuses on minimizing the environmental impact of cloud workloads?

A.Cost Optimization
B.Sustainability
C.Governance
D.Resilience
AnswerB

Sustainability was added as the sixth pillar in 2021, focused on minimizing environmental impacts through higher utilization, managed services, right-sizing, and selecting lower-carbon Regions.

Why this answer

The AWS Well-Architected Framework added a sixth pillar, Sustainability, in 2021. This pillar provides design principles and best practices to minimize the environmental impact of cloud workloads, such as optimizing utilization, reducing energy consumption, and selecting efficient hardware and regions.

Exam trap

The trap here is that candidates confuse the Sustainability pillar with Cost Optimization, assuming reducing costs automatically reduces environmental impact, but the Sustainability pillar specifically targets carbon footprint and energy efficiency, not just financial savings.

How to eliminate wrong answers

Option A is wrong because Cost Optimization focuses on managing costs and eliminating unnecessary spending, not specifically on environmental impact. Option C is wrong because Governance is not a pillar of the AWS Well-Architected Framework; the framework includes pillars like Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. Option D is wrong because Resilience is not a pillar; it is a characteristic often associated with the Reliability pillar, which addresses workload recovery and fault tolerance, not environmental impact.

506
MCQmedium

A company uses AWS for multiple projects. Each project's resources have been tagged with 'Project' and 'Team' tags. The finance team wants to view a cost breakdown in AWS Cost Explorer using these tags. The tags are already applied to existing resources. However, when the finance team opens Cost Explorer, the tags are not available for filtering. What must the finance team do to see costs by these tags?

A.Enable detailed billing reports in the Billing console.
B.Activate the cost allocation tags in the Billing and Cost Management console.
C.Create a budget in AWS Budgets and set tag-based filters.
D.Use AWS Organizations to create separate accounts per project.
AnswerB

Correct. Cost allocation tags must be activated in the Billing console before they appear in Cost Explorer. Once activated, AWS includes the tag keys and values in cost data, and after up to 24 hours, the tags become available for filtering in Cost Explorer.

Why this answer

Cost allocation tags must be explicitly activated in the Billing and Cost Management console before they appear in AWS Cost Explorer. Even though tags are already applied to resources, AWS does not automatically make them available for cost filtering until they are activated as cost allocation tags. This activation process enables the tags to be recognized by billing and cost management services.

Exam trap

The trap here is that candidates assume applying tags to resources automatically makes them available for cost filtering, but AWS requires a separate activation step in the Billing and Cost Management console to enable cost allocation tags.

How to eliminate wrong answers

Option A is wrong because enabling detailed billing reports (now called AWS Cost and Usage Reports) provides raw billing data but does not make tags available for filtering in Cost Explorer; tags must still be activated as cost allocation tags. Option C is wrong because AWS Budgets can use tag-based filters only after the tags have been activated as cost allocation tags; creating a budget does not activate the tags themselves. Option D is wrong because using AWS Organizations to create separate accounts per project is an alternative organizational approach, but it does not address the requirement to view costs by existing tags in Cost Explorer; the tags still need to be activated.

507
MCQeasy

Which Amazon RDS feature enables automatic scaling of database storage capacity without any downtime when storage is running low?

A.RDS Multi-AZ
B.RDS Read Replicas
C.RDS Storage Auto Scaling
D.RDS Automated Backups
AnswerC

RDS Storage Auto Scaling monitors free storage space and automatically increases storage capacity when utilization is high, eliminating manual storage management and downtime.

Why this answer

RDS Storage Auto Scaling is the correct answer because it automatically increases the allocated storage for an RDS database instance when free space drops below a configured threshold, without requiring any downtime or manual intervention. This feature uses a scaling policy that triggers a storage increase in predefined increments, ensuring the database remains available and performant during storage growth.

Exam trap

The trap here is that candidates often confuse RDS Multi-AZ with storage scaling because both involve 'automatic' behavior, but Multi-AZ only handles failover, not storage growth.

How to eliminate wrong answers

Option A is wrong because RDS Multi-AZ provides high availability and automatic failover across Availability Zones, but it does not automatically scale storage capacity. Option B is wrong because RDS Read Replicas are used to offload read traffic and improve read performance, not to manage storage scaling. Option D is wrong because RDS Automated Backups handle point-in-time recovery and backup retention, but they have no role in dynamically increasing storage when it runs low.

508
MCQeasy

Under the AWS Shared Responsibility Model, what is AWS responsible for when a customer uses AWS Lambda?

A.Writing the Lambda function code
B.Managing the underlying OS, runtime, and execution environment
C.Configuring IAM roles and permissions for Lambda functions
D.Encrypting the data processed by the function
AnswerB

For Lambda, AWS manages the entire infrastructure stack including OS, runtime patching, scaling infrastructure, and execution environment — customers only manage their function code.

Why this answer

AWS Lambda is a serverless compute service where AWS manages the underlying infrastructure, including the operating system, runtime environment, and execution environment. Under the Shared Responsibility Model, AWS is responsible for the security of the cloud, which for Lambda includes patching the runtime, managing the hypervisor, and ensuring the execution environment is isolated between customers. The customer is only responsible for the code and configuration they provide.

Exam trap

The trap here is that candidates often confuse 'serverless' with 'no responsibility for anything,' but AWS still manages the underlying runtime and execution environment while the customer remains responsible for code, IAM, and data encryption.

How to eliminate wrong answers

Option A is wrong because writing the Lambda function code is entirely the customer's responsibility under the model, as the customer controls the application logic. Option C is wrong because configuring IAM roles and permissions for Lambda functions is a customer responsibility, as the customer defines access policies for their resources. Option D is wrong because encrypting data processed by the function is a customer responsibility, as the customer must implement encryption (e.g., using AWS KMS or client-side encryption) for data at rest or in transit.

509
MCQmedium

A company runs a latency-sensitive application on AWS that must communicate with an on-premises data center. The company requires a dedicated, private network connection that provides consistent, low-latency performance and bypasses the public internet. Which AWS service should the company use to meet these requirements?

A.AWS Direct Connect
B.AWS Site-to-Site VPN
C.AWS Client VPN
D.AWS Transit Gateway
AnswerA

Correct. AWS Direct Connect establishes a dedicated, private network link between an on-premises data center and AWS, offering consistent bandwidth and lower latency by avoiding the public internet.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the public internet entirely. This ensures consistent, low-latency performance for latency-sensitive applications by using a physical cross-connect or hosted virtual interface, which avoids the variability and potential congestion of internet-based connections.

Exam trap

The trap here is that candidates confuse AWS Site-to-Site VPN (which also provides a private tunnel) with a dedicated connection, overlooking that VPNs still traverse the public internet and cannot guarantee consistent low latency, whereas Direct Connect offers a physically private path.

How to eliminate wrong answers

Option B (AWS Site-to-Site VPN) is wrong because it uses the public internet to establish an encrypted tunnel (IPsec), which introduces variable latency and potential bandwidth limitations, making it unsuitable for consistent low-latency requirements. Option C (AWS Client VPN) is wrong because it is a managed VPN service for individual client devices (using OpenVPN) to connect to AWS, not for dedicated site-to-site connectivity between a data center and AWS. Option D (AWS Transit Gateway) is wrong because it is a network transit hub that connects VPCs and on-premises networks, but it does not itself provide a dedicated private connection; it requires an underlying connection like Direct Connect or VPN to function.

510
MCQmedium

A company publishes a message each time a new product is added to its catalogue. Three services need to receive this message simultaneously: an email notification service, an inventory update service, and an analytics service. Which AWS service should the company use to deliver the message to all three services at the same time?

A.Amazon SQS
B.Amazon SNS
C.Amazon Kinesis Data Streams
D.AWS EventBridge
AnswerB

SNS supports the fan-out pattern where a single message published to a topic is delivered to all subscribers simultaneously. The three services can each subscribe to the SNS topic and receive every product update message at the same time.

Why this answer

Amazon SNS is the correct choice because it is a fully managed pub/sub messaging service designed to deliver messages to multiple subscribers simultaneously. When a new product is added, the company can publish a single message to an SNS topic, and SNS will fan out that message to all three subscribed endpoints (email, inventory, and analytics) in parallel, ensuring they receive it at the same time.

Exam trap

The trap here is that candidates often confuse SQS (a queue for one-to-one processing) with SNS (a pub/sub for one-to-many delivery), or they overcomplicate the solution by choosing Kinesis or EventBridge when a simple fan-out pattern is required.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a queue-based service that stores messages for a single consumer to pull, not push to multiple subscribers simultaneously; it is designed for decoupling and asynchronous processing, not fan-out. Option C is wrong because Amazon Kinesis Data Streams is intended for real-time streaming of large volumes of data for processing by multiple consumers in order, but it does not provide immediate push delivery to endpoints like email; it requires consumers to poll and process records sequentially per shard. Option D is wrong because AWS EventBridge is a serverless event bus that routes events based on rules, but it is primarily for event-driven architectures and does not natively support direct push to email endpoints without additional integration; SNS is the simpler, purpose-built service for simultaneous fan-out to heterogeneous subscribers.

511
MCQmedium

A company runs a web application on multiple Amazon EC2 instances across two Availability Zones. The application processes user-uploaded documents and must store them in a shared file system that all instances can access simultaneously. The file system must be scalable to petabytes, durable, and fully managed. Which AWS service should the company use to meet these requirements?

A.Amazon EBS with Multi-Attach enabled
B.Amazon EFS
C.Amazon S3
D.Amazon EC2 Instance Store
AnswerB

Amazon EFS provides a fully managed, elastic NFS file system that can be mounted on multiple EC2 instances across multiple Availability Zones. It scales automatically to petabytes, offers high durability, and is designed for concurrent access from thousands of instances. This matches all requirements.

Why this answer

Amazon EFS is a fully managed, scalable, and durable NFS file system that can be mounted concurrently by multiple EC2 instances across different Availability Zones. It automatically scales storage capacity up to petabytes as files are added or removed, and it provides high durability by replicating data across multiple AZs within a region. This makes it the ideal choice for a shared file system that must be accessed simultaneously by all instances.

Exam trap

The trap here is that candidates often confuse Amazon S3's object storage capabilities with a shared file system, but S3 lacks POSIX file locking and mountability, making it unsuitable for simultaneous file-level access from multiple EC2 instances.

How to eliminate wrong answers

Option A is wrong because Amazon EBS with Multi-Attach enabled only supports a maximum of 16 Nitro-based EC2 instances in a single Availability Zone, and it does not provide cross-AZ access or petabyte-scale storage. Option C is wrong because Amazon S3 is an object storage service accessed via HTTP/HTTPS APIs, not a POSIX-compliant shared file system that can be mounted directly as a drive by EC2 instances. Option D is wrong because Amazon EC2 Instance Store provides temporary block-level storage that is physically attached to the host server, is not durable (data is lost on instance stop/termination), and cannot be shared across multiple instances.

512
MCQmedium

A company uses separate AWS accounts for development, testing, and production. The finance team wants to receive a single monthly invoice that covers all accounts and to benefit from volume pricing discounts across the entire organization. Which AWS feature should the company use to achieve this?

A.Enable Consolidated Billing in AWS Organizations
B.Set up an AWS Budget to track all account costs
C.Use Cost Explorer to generate a combined cost report
D.Activate AWS Trusted Advisor on the management account
AnswerA

Consolidated Billing within AWS Organizations combines usage from all accounts into a single bill, allowing the company to receive one monthly invoice and benefit from aggregated volume pricing discounts across the entire organization.

Why this answer

AWS Organizations with Consolidated Billing allows a company to combine usage across multiple accounts into a single monthly invoice, enabling the organization to aggregate usage and benefit from volume pricing discounts (e.g., tiered pricing for EC2, S3, or data transfer). The management account pays for all member accounts, and the consolidated view simplifies cost tracking while maximizing savings from AWS's graduated pricing model.

Exam trap

The trap here is that candidates confuse cost monitoring tools (Budgets, Cost Explorer) or advisory services (Trusted Advisor) with the billing consolidation feature, which is the only mechanism that combines invoices and unlocks volume discounts across accounts.

How to eliminate wrong answers

Option B is wrong because AWS Budgets is a cost monitoring and alerting tool that tracks spending against thresholds, but it does not consolidate invoices or apply volume discounts across accounts. Option C is wrong because Cost Explorer provides visualization and analysis of historical costs, but it cannot combine billing into a single invoice or enable cross-account pricing benefits. Option D is wrong because AWS Trusted Advisor offers best-practice recommendations (e.g., cost optimization, security), but it does not consolidate billing or aggregate usage for volume discounts.

513
MCQmedium

Which AWS service provides hardware-based key management and cryptographic operations using FIPS 140-2 Level 3 validated hardware security modules (HSMs)?

A.AWS Key Management Service (KMS)
B.AWS CloudHSM
C.AWS Secrets Manager
D.Amazon Macie
AnswerB

CloudHSM provides dedicated, single-tenant HSMs validated to FIPS 140-2 Level 3, giving customers full control over cryptographic keys without AWS having access.

Why this answer

AWS CloudHSM is the correct answer because it provides dedicated, single-tenant hardware security modules (HSMs) that are FIPS 140-2 Level 3 validated. This allows customers to perform cryptographic operations (e.g., key generation, signing, encryption) using hardware that meets the highest security level required for regulated workloads like PKI and financial services.

Exam trap

The trap here is that candidates confuse AWS KMS (which also uses HSMs) with CloudHSM, not realizing that KMS uses multi-tenant, FIPS 140-2 Level 2 HSMs by default and does not offer dedicated, single-tenant hardware or direct HSM access for custom cryptographic operations.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a managed service that uses FIPS 140-2 Level 2 validated HSMs (or Level 3 in some regions for specific operations) but does not provide dedicated, single-tenant hardware or direct access to the HSM for custom cryptographic operations. Option C is wrong because AWS Secrets Manager is a service for rotating and managing secrets (e.g., database credentials, API keys) and does not perform cryptographic operations or use HSMs directly. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data (e.g., PII) in S3, and it has no involvement with hardware-based key management or cryptographic operations.

514
MCQmedium

A company runs a web application behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting (XSS). They need a managed service that allows them to create custom rules to filter malicious HTTP traffic and integrates directly with the ALB and Amazon CloudFront. Which AWS service should the security team configure?

A.AWS WAF
B.AWS Shield Advanced
C.AWS Firewall Manager
D.AWS Network Firewall
AnswerA

Correct. AWS WAF is a web application firewall that protects against common web exploits like SQL injection and XSS. It integrates directly with ALB and CloudFront and allows custom rule creation.

Why this answer

AWS WAF is a managed web application firewall that protects against common web exploits like SQL injection and cross-site scripting (XSS). It integrates directly with Application Load Balancers (ALB) and Amazon CloudFront, and allows you to create custom rules to filter malicious HTTP traffic based on conditions such as IP addresses, HTTP headers, and request body patterns.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, thinking both provide application-layer filtering, but Shield Advanced only provides DDoS mitigation and does not inspect HTTP payloads for SQL injection or XSS.

How to eliminate wrong answers

Option B (AWS Shield Advanced) is wrong because it provides DDoS protection at the network and transport layers, not application-layer filtering for SQL injection or XSS. Option C (AWS Firewall Manager) is wrong because it is a centralized policy management service for deploying firewall rules across accounts, not a service that itself inspects HTTP traffic for web exploits. Option D (AWS Network Firewall) is wrong because it inspects network traffic at layers 3 and 4 (and some layer 7 for domain filtering), but it does not provide the granular HTTP request inspection needed for SQL injection or XSS detection.

515
MCQmedium

A financial institution needs a private, dedicated, high-bandwidth network connection from their on-premises data centre to AWS that does not traverse the public internet, provides consistent low latency, and supports up to 100 Gbps bandwidth. Which AWS service provides this?

A.AWS Site-to-Site VPN
B.AWS Direct Connect
C.Amazon CloudFront
D.AWS Transit Gateway
AnswerB

Direct Connect provides a dedicated, private physical connection (1 Gbps to 100 Gbps) from on-premises to AWS. Traffic never touches the public internet, providing consistent low latency and reliable bandwidth.

Why this answer

AWS Direct Connect is the correct choice because it provides a private, dedicated network connection from an on-premises data center to AWS that bypasses the public internet, ensuring consistent low latency and supporting bandwidths up to 100 Gbps (via 100 Gbps dedicated connections or link aggregation). This meets all the specified requirements for a high-bandwidth, private, and low-latency link.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with Direct Connect, assuming VPN provides dedicated bandwidth and low latency, but VPNs are inherently internet-based and subject to public network variability, while Direct Connect offers a private, dedicated physical link.

How to eliminate wrong answers

Option A (AWS Site-to-Site VPN) is wrong because it traverses the public internet over encrypted tunnels (IPsec), which cannot guarantee consistent low latency or dedicated bandwidth, and typically maxes out at lower throughput (e.g., ~1.25 Gbps per VPN tunnel). Option C (Amazon CloudFront) is wrong because it is a content delivery network (CDN) that caches data at edge locations for low-latency delivery to end users, not a dedicated network connection for hybrid connectivity between a data center and AWS. Option D (AWS Transit Gateway) is wrong because it is a network transit hub that connects multiple VPCs and on-premises networks, but it does not itself provide the physical or dedicated connection; it requires an underlying connection like Direct Connect or VPN to function.

516
MCQmedium

A company hosts an e-commerce website on Amazon EC2 instances in the us-east-1 Region. The website serves static assets (images, CSS, and JavaScript) to a global user base. Users in Europe and Asia report slow page load times. The company needs to improve the performance of delivering these static assets to all users without modifying the application code or provisioning additional origin servers. Which AWS service should the company use?

A.Deploy the website on additional Amazon EC2 instances in the eu-west-1 and ap-southeast-1 Regions, and use a Network Load Balancer to distribute traffic across all Regions.
B.Use Amazon CloudFront to distribute the static assets from AWS edge locations.
C.Use Amazon Route 53 with geolocation routing policies to route users to the nearest AWS Region for the website.
D.Enable S3 Transfer Acceleration on the Amazon S3 bucket that stores the static assets.
AnswerB

CloudFront caches static content at edge locations around the world. When a user requests a file, CloudFront serves it from the nearest edge location, reducing latency and improving load times without any changes to the origin application.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static assets at AWS edge locations worldwide, reducing latency for global users without requiring code changes or additional origin servers. It integrates seamlessly with EC2 origins and automatically serves content from the nearest edge location, directly addressing the slow page load times reported in Europe and Asia.

Exam trap

The trap here is that candidates often confuse S3 Transfer Acceleration (which optimizes uploads to S3) with a CDN service (which optimizes downloads to users), leading them to select Option D even though the question explicitly asks about delivering static assets to a global user base.

How to eliminate wrong answers

Option A is wrong because provisioning additional EC2 instances in other Regions and using a Network Load Balancer (NLB) does not cache static assets at edge locations; NLB operates at the transport layer (Layer 4) and cannot distribute traffic across multiple Regions or reduce latency for static content without modifying application code. Option C is wrong because Amazon Route 53 geolocation routing policies only direct DNS queries to the nearest Region's origin server, but they do not cache or accelerate content delivery; users would still experience latency from the origin server's response time. Option D is wrong because S3 Transfer Acceleration only speeds up uploads to an S3 bucket over long distances using AWS edge locations, but it does not accelerate downloads or serve cached content to end users; the scenario requires improving delivery of static assets to users, not uploading them.

517
MCQmedium

A company manages 15 AWS accounts and wants to centrally deploy and enforce consistent AWS WAF rules, security groups, and Shield Advanced protections across all accounts and regions from a single administrator account. Which AWS service provides this centralised security policy management?

A.AWS WAF
B.AWS Security Hub
C.AWS Firewall Manager
D.AWS Shield Advanced
AnswerC

Firewall Manager is a security management service that centrally deploys and enforces WAF rules, Shield Advanced protections, VPC security groups, and Network Firewall policies across all accounts in an AWS Organisation.

Why this answer

AWS Firewall Manager is the correct service because it provides centralized security policy management across multiple AWS accounts and regions. It allows an administrator to define and enforce AWS WAF rules, security group rules, and Shield Advanced protections from a single administrator account, ensuring consistent compliance across all accounts in an AWS Organization.

Exam trap

The trap here is that candidates confuse AWS WAF (a resource-level protection service) with Firewall Manager (a multi-account policy management service), leading them to select AWS WAF instead of the centralized governance solution.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall service that protects individual resources (e.g., CloudFront, ALB) but does not centrally manage policies across multiple accounts or regions. Option B is wrong because AWS Security Hub aggregates security findings and compliance checks from various services but does not enforce or deploy security policies like WAF rules or security groups. Option D is wrong because AWS Shield Advanced provides DDoS protection for specific resources but lacks the centralized policy management and enforcement capabilities across accounts and regions that Firewall Manager offers.

518
MCQmedium

A company manages multiple AWS accounts using AWS Organizations with consolidated billing. The company purchases a Standard Reserved Instance (RI) for an Amazon EC2 m5.large instance in a member account (the production account). The finance team wants the discount from this RI to apply to any m5.large instance usage across all accounts in the organization. What must the company do to achieve this?

A.Set the 'shared' attribute to 'true' when purchasing the Reserved Instance.
B.Enable Reserved Instance sharing in the AWS Management Console under the Billing and Cost Management service.
C.Enable the Reserved Instance sharing setting in the AWS Organizations console.
D.No action is needed; all Reserved Instances purchased in any account within a consolidated billing environment automatically apply across all member accounts.
AnswerB

This is the correct action. The Reserved Instance sharing setting is found in the Billing and Cost Management console. Enabling it allows the member account's RI discount to be applied to eligible usage across all accounts in the organization, provided the aggregated usage meets the RI requirements.

Why this answer

Option B is correct because in AWS Organizations with consolidated billing, Reserved Instance discounts can be shared across all accounts in the organization only if the 'RI sharing' feature is explicitly enabled in the Billing and Cost Management console. By default, RIs are scoped to the account that purchased them; enabling sharing allows the discount to apply to matching usage in any member account.

Exam trap

The trap here is that candidates assume all RIs in a consolidated billing environment are automatically shared, but AWS requires explicit opt-in via the Billing and Cost Management console to enable cross-account RI sharing.

How to eliminate wrong answers

Option A is wrong because Reserved Instances do not have a 'shared' attribute; the sharing behavior is controlled at the organization level, not via a property on the RI itself. Option C is wrong because the Reserved Instance sharing setting is configured in the Billing and Cost Management console, not in the AWS Organizations console. Option D is wrong because Reserved Instances purchased in a member account do not automatically apply across all accounts; sharing must be explicitly enabled.

519
MCQmedium

A company uses AWS for multiple workloads across several linked accounts under AWS Organizations. The finance team needs to analyze historical cost and usage data to identify monthly spending trends by service (e.g., Amazon EC2, Amazon S3) and by linked account. They also need to filter the data by date range and view the top cost drivers. The team prefers a built-in AWS tool that provides an interactive interface with graphs and tables, without requiring them to download or process raw data. Which AWS service or tool should the finance team use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Cost and Usage Reports
AnswerA

Correct. AWS Cost Explorer is a built-in AWS tool that provides interactive graphs and tables to explore historical cost and usage data, with filtering by service, linked account, region, and date range. It is designed for visual trend analysis and identifying cost drivers without needing to process raw data.

Why this answer

AWS Cost Explorer is the correct choice because it provides a built-in, interactive interface with pre-built graphs and tables that allow the finance team to analyze historical cost and usage data without downloading or processing raw data. It supports filtering by service (e.g., Amazon EC2, Amazon S3), linked account, and date range, and can identify top cost drivers through customizable views and filtering options.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer with AWS Cost and Usage Reports, assuming both provide the same interactive analysis, but the key differentiator is that Cost Explorer offers a built-in GUI without requiring data downloads or external processing.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is designed for setting cost and usage thresholds and sending alerts, not for analyzing historical spending trends or viewing interactive graphs and tables. Option C (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, performance, security, and fault tolerance, but does not offer historical cost and usage analysis or interactive data exploration. Option D (AWS Cost and Usage Reports) is wrong because it delivers raw, detailed CSV/Parquet files that require downloading and processing (e.g., with Amazon Athena or a third-party tool) to analyze, which contradicts the requirement for a built-in interactive interface without manual data handling.

520
MCQhard

A company is designing a resilient multi-tier web application on AWS. The architect wants to implement the Well-Architected Framework Reliability pillar design principle of 'automatically recover from failure.' Which combination of services implements this most completely?

A.Manual restart procedures documented in a runbook
B.EC2 Auto Scaling + ELB health checks + RDS Multi-AZ
C.AWS CloudTrail + Amazon CloudWatch
D.AWS Config rules with manual remediation
AnswerB

Auto Scaling automatically replaces failed instances, ELB health checks remove unhealthy targets from rotation, and RDS Multi-AZ automatically fails over the database — full automatic recovery without human intervention.

Why this answer

Option B is correct because it combines EC2 Auto Scaling to automatically replace unhealthy instances, ELB health checks to detect failures and route traffic away from them, and RDS Multi-AZ to automatically failover to a standby database in a different Availability Zone. This trio directly implements the 'automatically recover from failure' principle by enabling self-healing at both the compute and database tiers without manual intervention.

Exam trap

The trap here is that candidates often confuse monitoring services (like CloudTrail and CloudWatch) with recovery services, failing to recognize that detection alone does not satisfy the 'automatically recover' principle unless paired with an automated action mechanism such as Auto Scaling or Multi-AZ failover.

How to eliminate wrong answers

Option A is wrong because manual restart procedures documented in a runbook require human action to detect and respond to failures, which violates the 'automatically recover' principle that demands automated, not manual, recovery. Option C is wrong because AWS CloudTrail and Amazon CloudWatch provide logging, monitoring, and alerting capabilities but do not perform any automated recovery actions themselves; they only detect and notify about failures. Option D is wrong because AWS Config rules with manual remediation detect configuration drift but require a human to execute the remediation steps, whereas the principle requires automatic recovery without human intervention.

521
MCQhard

A company architect is reviewing their architecture for the Operational Excellence pillar of the Well-Architected Framework. Which practice is a core recommendation of this pillar?

A.Encrypt all data at rest using AWS KMS
B.Perform operations as code using infrastructure-as-code and automated runbooks
C.Use Reserved Instances to minimize cost
D.Deploy across multiple Availability Zones
AnswerB

Operational Excellence's 'perform operations as code' means defining infrastructure and procedures in code, version-controlling them, and executing operations through automated pipelines — reducing human error.

Why this answer

The Operational Excellence pillar focuses on running and monitoring systems to deliver business value and continually improve supporting processes and procedures. Performing operations as code—using infrastructure-as-code (e.g., AWS CloudFormation, AWS CDK) and automated runbooks (e.g., AWS Systems Manager Automation)—is a core recommendation because it enables consistent, repeatable, and auditable operations, reducing human error and enabling rapid recovery.

Exam trap

The trap here is that candidates often confuse the pillars—associating automation with Reliability or Security—when the Well-Architected Framework explicitly places 'operations as code' under Operational Excellence.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest with AWS KMS is a recommendation of the Security pillar, not Operational Excellence. Option C is wrong because using Reserved Instances to minimize cost is a recommendation of the Cost Optimization pillar. Option D is wrong because deploying across multiple Availability Zones is a recommendation of the Reliability pillar, specifically for high availability and fault tolerance.

522
MCQmedium

A company wants to use AWS to run a relational database that is compatible with MySQL but with improved performance and availability. Which service should they use?

A.Amazon RDS for MySQL
B.Amazon Aurora
C.Amazon DynamoDB
D.Amazon Redshift
AnswerB

Aurora is MySQL-compatible with up to 5x better performance, automatic multi-AZ replication, and auto-scaling storage.

Why this answer

Amazon Aurora is the correct choice because it is a MySQL-compatible relational database engine that provides significantly higher performance (up to 5x faster than standard MySQL) and improved availability through features like distributed storage, automatic failover, and six-way replication across three Availability Zones. Aurora is designed to deliver the durability and availability of commercial databases while maintaining MySQL compatibility, making it ideal for workloads requiring enhanced performance and uptime.

Exam trap

The trap here is that candidates may assume Amazon RDS for MySQL is sufficient for improved performance and availability, overlooking that Aurora is specifically engineered to outperform standard MySQL while maintaining full compatibility, and that DynamoDB and Redshift are not relational databases.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a managed MySQL database service that does not offer the same level of performance improvements or built-in high availability as Aurora; it relies on standard MySQL engine limitations and requires manual Multi-AZ configuration for failover. Option C is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database, and is not compatible with MySQL queries or schemas. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not a relational database for transactional workloads, and it is not compatible with MySQL.

523
MCQmedium

A company has multiple AWS accounts that are consolidated under AWS Organizations. The finance team receives a single monthly bill for all accounts. The team needs to allocate costs to individual departments based on which department owns each resource. They want to see a breakdown of costs by department in the monthly cost report without manually combining data from each account. Which action should the finance team take to meet these requirements?

A.Activate cost allocation tags, tag all resources with a department identifier, and use Cost Explorer to filter and group costs by the tag.
B.Set up separate payment methods for each department's AWS account so that each department receives its own bill.
C.Create a dedicated AWS account for each department and manually sum the charges from each account's monthly bill.
D.Use AWS Budgets to set a spending threshold for each department and review the alerts to estimate departmental costs.
AnswerA

Correct. Cost allocation tags allow you to categorize and track AWS costs by department. After activating the tags in the Billing console, Cost Explorer can display cost breakdowns by tag value, enabling department-level cost allocation without manual work.

Why this answer

Option A is correct because activating cost allocation tags and tagging all resources with a department identifier allows the finance team to use Cost Explorer to filter and group costs by that tag. This provides a per-department cost breakdown in the consolidated monthly bill without manual aggregation, leveraging AWS Organizations' consolidated billing and tag-based cost tracking.

Exam trap

The trap here is that candidates may confuse AWS Budgets (which only tracks spending against thresholds) with cost allocation tags and Cost Explorer (which provide actual cost breakdowns), or assume that separate accounts or payment methods are necessary for cost allocation when tags suffice.

How to eliminate wrong answers

Option B is wrong because setting up separate payment methods for each department's AWS account would generate individual bills, not a single consolidated bill, and would require manual combination to see total costs. Option C is wrong because creating a dedicated AWS account for each department and manually summing charges from each monthly bill is inefficient and contradicts the requirement to avoid manual data combination. Option D is wrong because AWS Budgets is used for setting spending thresholds and sending alerts, not for generating a detailed cost breakdown by department in the monthly cost report.

524
MCQeasy

A company runs a database on an Amazon EC2 instance. They need block storage that persists independently from the EC2 instance — if the instance is stopped or terminated, the data must remain available. Which AWS storage service provides this?

A.Amazon S3
B.Instance Store
C.Amazon EBS
D.Amazon EFS
AnswerC

EBS provides durable, persistent block storage volumes that attach to EC2 instances. Data persists independently of the instance state — if the instance is stopped or the volume is detached, data remains intact.

Why this answer

Amazon EBS (Elastic Block Store) provides persistent block-level storage volumes that can be attached to an EC2 instance. Unlike instance store, EBS volumes persist independently of the instance lifecycle — data remains intact even when the instance is stopped or terminated, as long as the volume is not deleted. This makes EBS the correct choice for the requirement of persistent, independent block storage.

Exam trap

The trap here is that candidates confuse 'persistent block storage' with 'instance store' because both appear as block devices, but instance store is ephemeral and tied to the instance's physical host, while EBS is a separate network-attached volume that survives instance stops and terminations.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service, not block storage; it stores data as objects in buckets and is accessed via HTTP/HTTPS APIs, not as a block device attached to an EC2 instance. Option B is wrong because Instance Store provides temporary block-level storage physically attached to the host computer, but its data is ephemeral — it is lost when the instance is stopped, terminated, or fails. Option D is wrong because Amazon EFS is a file-level storage service (NFS-based) that provides a shared file system for multiple instances, not a block storage device that can be attached as a single volume to one instance.

525
MCQmedium

A company is building a serverless web application using AWS Lambda for compute. The application needs to expose RESTful API endpoints that allow users to perform CRUD operations on a database. The API must support authentication using API keys, throttle requests to prevent abuse, and validate incoming request payloads before they reach the Lambda functions. The company wants a fully managed service that handles these API management tasks and integrates directly with AWS Lambda. Which AWS service should the company use?

A.Amazon CloudFront
B.Amazon API Gateway
C.Application Load Balancer
D.AWS Step Functions
AnswerB

Amazon API Gateway is a fully managed service designed to handle all aspects of API management, including authentication (API keys, IAM, Cognito), request throttling, rate limiting, request validation, and direct integration with AWS Lambda. It is the correct choice for exposing Lambda-based serverless applications as RESTful APIs.

Why this answer

Amazon API Gateway is a fully managed service that handles RESTful API creation, authentication via API keys, request throttling to prevent abuse, and request payload validation before invoking AWS Lambda functions. It integrates natively with Lambda, making it the ideal choice for serverless web applications requiring CRUD operations with built-in API management.

Exam trap

The trap here is that candidates may confuse Application Load Balancer (ALB) with API Gateway because both can invoke Lambda, but ALB lacks the API management features (API keys, throttling, payload validation) that are explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and distributes content at edge locations; it does not provide API key authentication, request throttling, or payload validation for RESTful APIs. Option C is wrong because Application Load Balancer (ALB) distributes incoming HTTP/HTTPS traffic to targets like Lambda functions but lacks native API key management, throttling, and request validation features; it is a load balancer, not an API management service. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows; it does not expose RESTful API endpoints, handle authentication, or perform request validation.

Page 6

Page 7 of 14

Page 8