AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 526600

1024 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
MCQmedium

A company runs a critical production application on AWS. The internal team is unable to resolve intermittent errors that are impacting the application. The company currently has the AWS Basic Support plan and requires access to AWS technical support with a faster response time for production issues. Due to budget constraints, the company wants the most cost-effective support plan that provides a response time of 1 hour for production system impaired cases. Which AWS Support plan should the company choose?

A.Developer Support
B.Business Support
C.Enterprise Support
D.Enterprise On-Ramp
AnswerB

The Business Support plan offers a response time of 1 hour for production system impaired cases, which directly meets the company's requirement. It is the most cost-effective plan that provides this level of support.

Why this answer

The AWS Business Support plan is the most cost-effective option that provides a 1-hour response time for production system impaired cases. The Basic Support plan offers no technical support, while the Developer Support plan only provides a 12-hour response time for impaired systems, which does not meet the requirement. Business Support is the lowest-tier plan that includes 1-hour response for production issues, making it the correct choice.

Exam trap

The trap here is that candidates may confuse the Developer Support plan's 12-hour response for production issues with the 1-hour response required, or assume that only Enterprise-level plans offer fast response times, overlooking the Business Support plan as the cost-effective middle ground.

How to eliminate wrong answers

Option A (Developer Support) is wrong because it only provides a 12-hour response time for production system impaired cases, not the required 1-hour response. Option C (Enterprise Support) is wrong because although it offers a 1-hour response for production issues, it is significantly more expensive than Business Support and includes additional features (like a Technical Account Manager) that are not needed, making it not the most cost-effective. Option D (Enterprise On-Ramp) is wrong because it is designed for customers moving to Enterprise support and provides a 1-hour response for production issues but at a higher cost than Business Support, and it is not the most cost-effective option for this requirement.

527
MCQmedium

A company is considering AWS for their new application. Which tool allows them to compare the cost of running their workloads on AWS versus on-premises, and estimate the potential savings?

A.AWS Cost Explorer
B.AWS Pricing Calculator
C.AWS Budgets
D.AWS Trusted Advisor
AnswerB

AWS Pricing Calculator estimates costs for AWS architectures and supports TCO analysis comparing on-premises infrastructure costs versus AWS cloud costs for migration business cases.

Why this answer

AWS Pricing Calculator (formerly TCO Calculator) is specifically designed to compare the cost of running workloads on AWS versus on-premises environments. It allows users to input their current on-premises infrastructure details (such as server specifications, storage, and network usage) and generates a detailed cost comparison, including estimated savings from migrating to AWS. This directly matches the question's requirement for comparing costs and estimating potential savings.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (which shows historical AWS spending) with the AWS Pricing Calculator (which is used for upfront cost comparison and estimation before migration), leading them to select Cost Explorer incorrectly.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a tool for visualizing, understanding, and managing AWS costs and usage over time, not for comparing on-premises costs to AWS. Option C is wrong because AWS Budgets is used to set custom cost and usage budgets and receive alerts when thresholds are exceeded, not for cost comparison or savings estimation. Option D is wrong because AWS Trusted Advisor inspects your AWS environment and provides recommendations to save money, improve performance, and close security gaps, but it does not compare on-premises costs to AWS costs.

528
MCQmedium

A security team wants to automatically identify S3 buckets, IAM roles, and other resources in their AWS account that have policies granting access to external AWS accounts or the public internet — including findings they may not be aware of. Which AWS service performs this analysis?

A.Amazon GuardDuty
B.AWS Config
C.AWS IAM Access Analyzer
D.Amazon Macie
AnswerC

IAM Access Analyzer uses automated reasoning to analyse resource-based policies and generate findings when resources are accessible from outside the account or organisation. It covers S3 buckets, IAM roles, KMS keys, SQS queues, Lambda functions, and Secrets Manager secrets.

Why this answer

AWS IAM Access Analyzer is the correct service because it is specifically designed to analyze resource-based policies (such as S3 bucket policies, IAM role trust policies, and KMS key policies) and identify resources that are shared with external AWS accounts or publicly accessible. It generates findings for any policy that grants access to a principal outside of your AWS account, including the public internet, even for resources you may not be aware of. This directly matches the security team's requirement to automatically identify such exposures.

Exam trap

The trap here is that candidates often confuse IAM Access Analyzer with Amazon GuardDuty, assuming GuardDuty's threat detection includes policy analysis, but GuardDuty focuses on operational threats (e.g., compromised credentials) rather than static policy evaluation for external access.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not analyze resource policies for external access. Option B is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes, but it does not specifically analyze policies for cross-account or public access; it can only trigger rules that you define manually. Option D is wrong because Amazon Macie uses machine learning to discover and protect sensitive data in S3 buckets, but it does not analyze IAM roles or other resource policies for external access permissions.

529
MCQmedium

A company hosts a public-facing web application on Amazon EC2 instances behind an Application Load Balancer. The security team has noticed an increase in volumetric distributed denial-of-service (DDoS) attacks targeting the application's IP address. The company wants a managed AWS service that provides automatic, always-on protection against common network-layer DDoS attacks at no additional cost. Which AWS service should the company use?

A.AWS WAF
B.AWS Shield Standard
C.AWS Shield Advanced
D.AWS Network Firewall
AnswerB

AWS Shield Standard is free and automatically provides always-on protection against common network-layer (Layer 3/4) DDoS attacks for all AWS customers. It requires no configuration or additional cost, meeting the company's requirements.

Why this answer

AWS Shield Standard is the correct choice because it provides automatic, always-on protection against common network-layer (Layer 3/4) DDoS attacks, such as SYN floods and UDP reflection attacks, at no additional cost. It is integrated with Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53, making it ideal for protecting a public-facing web application behind an Application Load Balancer without requiring any configuration or extra fees.

Exam trap

The trap here is that candidates often confuse AWS WAF (Layer 7) with network-layer DDoS protection, or assume Shield Advanced is required for any DDoS protection, when Shield Standard already provides free, automatic coverage for common volumetric attacks at Layer 3/4.

How to eliminate wrong answers

Option A (AWS WAF) is wrong because it is a web application firewall that protects against application-layer (Layer 7) attacks like SQL injection and cross-site scripting, not volumetric network-layer DDoS attacks, and it incurs additional costs based on rules and requests. Option C (AWS Shield Advanced) is wrong because it provides enhanced DDoS protection with 24/7 access to the DDoS Response Team (DRT) and cost protection against scaling, but it is not free; it has a monthly subscription fee of $3,000 per organization plus data transfer charges. Option D (AWS Network Firewall) is wrong because it is a managed firewall service for filtering traffic at the VPC subnet level based on stateful rules and domain lists, not a dedicated DDoS mitigation service, and it does not provide automatic always-on protection against volumetric attacks.

530
MCQmedium

A company launches EC2 instances in a public subnet of their VPC. For these instances to communicate directly with the internet — both to receive inbound requests and to make outbound requests — which VPC component must be attached to the VPC and referenced in the subnet's route table?

A.NAT Gateway
B.VPC Peering connection
C.Internet Gateway
D.Virtual Private Gateway
AnswerC

An Internet Gateway enables instances in public subnets to communicate bidirectionally with the internet. The subnet's route table must direct 0.0.0.0/0 traffic to the IGW for instances with public IPs to be reachable from the internet.

Why this answer

An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that enables communication between a VPC and the internet. For EC2 instances in a public subnet to both receive inbound requests and make outbound requests, the IGW must be attached to the VPC and a route in the subnet's route table must point 0.0.0.0/0 (or a specific public IP range) to the IGW. Without the IGW, the instances have no path to the internet, even if they have public IP addresses.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, mistakenly thinking a NAT Gateway alone can provide bidirectional internet access, when in fact a NAT Gateway only supports outbound traffic and requires an IGW for internet connectivity.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway only enables outbound internet traffic from private subnets and does not allow inbound connections from the internet; it requires an Internet Gateway in the VPC to function. Option B is wrong because a VPC Peering connection only allows traffic between two VPCs using private IP addresses, not direct internet access. Option D is wrong because a Virtual Private Gateway is used to connect a VPC to an on-premises network via VPN or Direct Connect, not for direct internet communication.

531
MCQhard

A company wants to improve their application's reliability by ensuring it can handle the failure of a single Availability Zone. According to AWS Well-Architected Framework, what architectural pattern achieves this?

A.Deploy all resources to the largest EC2 instance type available
B.Use Amazon S3 for all data storage
C.Distribute resources across multiple Availability Zones with automatic failover
D.Enable AWS CloudTrail in all regions
AnswerC

Multi-AZ deployment with load balancing and automated failover ensures the application survives the loss of any single AZ — the core reliability pattern in the AWS Well-Architected Framework.

Why this answer

Option C is correct because distributing resources across multiple Availability Zones (AZs) with automatic failover is the core pattern for high availability and fault tolerance as defined by the AWS Well-Architected Framework. By deploying application instances and data in at least two AZs and using services like an Application Load Balancer (ALB) with cross-zone load balancing or Amazon RDS Multi-AZ, the application can automatically redirect traffic to healthy resources if a single AZ fails, ensuring continued operation without manual intervention.

Exam trap

The trap here is that candidates often confuse high availability (multi-AZ) with disaster recovery (multi-Region) or assume that a single service like S3 or CloudTrail can solve application-level reliability, when the question specifically asks for the architectural pattern to handle an AZ failure.

How to eliminate wrong answers

Option A is wrong because deploying all resources to the largest EC2 instance type (e.g., u-24tb1.metal) only provides vertical scaling and does not address Availability Zone failure; a single AZ outage would still take down all instances regardless of size. Option B is wrong because while Amazon S3 is highly durable and stores data across multiple AZs by default, it is a storage service and does not provide the compute or application-level failover pattern needed to handle an AZ failure for the entire application. Option D is wrong because AWS CloudTrail is a governance, compliance, and auditing service that records API calls; enabling it in all regions does not provide any mechanism for application reliability or failover across Availability Zones.

532
MCQmedium

A mobile gaming company is developing a real-time multiplayer game that requires ultra-low latency (under 10 milliseconds) for player interactions. The company expects most of its users to be on 5G mobile networks. To meet the latency requirement, the company needs to deploy compute and storage resources as close as possible to the mobile subscribers, directly at the edge of the telecommunications network. Which AWS service should the company use?

A.AWS Wavelength
B.AWS Local Zones
C.AWS Outposts
D.Amazon CloudFront Edge Locations
AnswerA

Correct. AWS Wavelength brings AWS compute and storage to the edge of 5G networks, providing ultra-low latency for mobile applications such as real-time gaming, AR/VR, and live video processing. This service is purpose-built for scenarios where latency to mobile subscribers is critical and the application must run within the telecom network edge.

Why this answer

AWS Wavelength is the correct choice because it embeds AWS compute and storage services directly at the edge of 5G telecommunications networks, enabling ultra-low latency (under 10 ms) for mobile subscribers. This allows the gaming company to process player interactions within the carrier's network, minimizing the round-trip time between the mobile device and the application server.

Exam trap

The trap here is that candidates confuse AWS Local Zones or CloudFront Edge Locations as suitable for ultra-low latency compute, but only Wavelength is purpose-built for 5G mobile edge computing with direct carrier integration.

How to eliminate wrong answers

Option B (AWS Local Zones) is wrong because Local Zones place AWS infrastructure closer to metropolitan areas but not directly inside telecom carrier edge nodes, so they cannot guarantee sub-10 ms latency for 5G mobile users. Option C (AWS Outposts) is wrong because Outposts are customer-managed racks deployed on-premises, not integrated into a telecom provider's 5G network edge, and they lack the native 5G connectivity required for this use case. Option D (Amazon CloudFront Edge Locations) is wrong because CloudFront edge locations are designed for content delivery and caching, not for running compute-intensive real-time game logic with ultra-low latency requirements, and they do not provide the direct 5G network integration that Wavelength offers.

533
MCQmedium

A company operates hundreds of AWS accounts under AWS Organizations. The security team wants a single dashboard that aggregates security findings from Amazon GuardDuty, Amazon Inspector, and AWS Macie across all accounts. Additionally, they want to continuously assess the accounts against the CIS AWS Foundations Benchmark and receive a consolidated compliance score. Which AWS service should the security team use?

A.AWS Config
B.AWS Security Hub
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerB

Correct. AWS Security Hub is designed to aggregate, organize, and prioritize security findings from multiple AWS services (GuardDuty, Inspector, Macie, etc.) and third-party tools. It also provides continuous compliance checks against industry standards such as the CIS AWS Foundations Benchmark and displays a consolidated compliance score, all from a single dashboard.

Why this answer

AWS Security Hub is the correct service because it provides a single dashboard that aggregates security findings from multiple AWS services, including GuardDuty, Inspector, and Macie, across all accounts in an AWS Organization. It also integrates with AWS Config rules to continuously assess accounts against the CIS AWS Foundations Benchmark and provides a consolidated compliance score, meeting both requirements.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation capabilities with Security Hub's consolidated dashboard and cross-service aggregation, leading them to choose AWS Config despite it lacking the single-pane-of-glass view for findings from multiple security services.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against rules, but it does not aggregate findings from GuardDuty, Inspector, or Macie into a single dashboard, nor does it provide a consolidated compliance score for the CIS benchmark across multiple accounts. Option C is wrong because Amazon GuardDuty is a threat detection service that only generates findings for malicious activity; it cannot aggregate findings from other services or assess compliance against the CIS benchmark. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, security, and fault tolerance, but it does not aggregate security findings from GuardDuty, Inspector, or Macie, nor does it perform continuous CIS benchmark assessments with a compliance score.

534
MCQmedium

According to the AWS Well-Architected Framework, what does the Performance Efficiency pillar primarily focus on?

A.Protecting information and systems from unauthorized access
B.Minimizing the cost of running cloud workloads
C.Using computing resources efficiently to meet performance requirements
D.Automating operational tasks to reduce human error
AnswerC

Performance Efficiency focuses on selecting the right resource types, monitoring performance, and making architectural decisions that maintain efficiency as demand evolves.

Why this answer

The Performance Efficiency pillar of the AWS Well-Architected Framework focuses on using computing resources efficiently to meet system requirements and maintain that efficiency as demand changes and technologies evolve. This includes selecting the right resource types and sizes, monitoring performance, and making architectural trade-offs to optimize for speed and throughput.

Exam trap

The trap here is that candidates confuse 'efficiency' with 'cost savings,' but Performance Efficiency is about meeting performance requirements with the right resources, not about minimizing spend, which belongs to the Cost Optimization pillar.

How to eliminate wrong answers

Option A is wrong because protecting information and systems from unauthorized access is the focus of the Security pillar, not Performance Efficiency. Option B is wrong because minimizing the cost of running cloud workloads is the focus of the Cost Optimization pillar, which deals with financial governance and resource waste reduction. Option D is wrong because automating operational tasks to reduce human error is the focus of the Operational Excellence pillar, which covers runbooks, deployments, and incident response.

535
MCQmedium

A company hosts a static website on Amazon S3. The website serves product images and documents to customers around the world. Users in distant regions report slow load times. The company wants to reduce latency for all users without changing the existing S3 bucket configuration. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Direct Connect
C.Amazon Route 53
D.AWS Global Accelerator
AnswerA

Correct. CloudFront is a CDN that caches static content at edge locations, reducing latency for global users.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content (e.g., images, documents) at edge locations worldwide. By distributing content from the nearest edge location to the user, CloudFront significantly reduces latency without requiring any changes to the existing S3 bucket configuration. The origin remains the S3 bucket, and CloudFront handles the global distribution automatically.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with a CDN, but Global Accelerator optimizes network path for dynamic traffic (e.g., API calls) and does not cache static content, making CloudFront the correct choice for static website acceleration.

How to eliminate wrong answers

Option B (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from an on-premises data center to AWS, which does not improve latency for global end users accessing a public website; it only benefits hybrid cloud connectivity. Option C (Amazon Route 53) is wrong because it is a DNS service that translates domain names to IP addresses and can route traffic via latency-based routing, but it does not cache or accelerate content delivery—it only directs users to the S3 bucket endpoint, which still suffers from the same geographic latency. Option D (AWS Global Accelerator) is wrong because it improves performance for TCP/UDP traffic by routing users to the nearest AWS edge location and then over the AWS global network, but it is designed for dynamic content and non-HTTP protocols, not for caching static assets; it does not reduce latency for static file downloads as effectively as a CDN.

536
MCQmedium

A company runs a critical e-commerce platform on AWS. The Chief Technology Officer (CTO) wants a dedicated Technical Account Manager (TAM) who will provide proactive architectural guidance, conduct regular operational reviews, and maintain a deep understanding of the company's AWS environment. The company also requires a response time of 15 minutes for business-critical system issues, 24/7 access to senior AWS engineers, and access to the AWS Infrastructure Event Management service for planned launches. Which AWS Support plan should the company choose?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerD

The Enterprise Support plan is the highest tier and includes all the features the company needs: a dedicated Technical Account Manager (TAM) for proactive architectural guidance and operational reviews, a 15-minute response time for business-critical issues, 24/7 access to senior engineers, and AWS Infrastructure Event Management. This plan is designed for organizations running critical workloads that demand a high level of personalized, proactive support.

Why this answer

The Enterprise Support plan is the only AWS Support plan that provides a dedicated Technical Account Manager (TAM) who offers proactive architectural guidance and operational reviews. It also includes a 15-minute response time for business-critical issues, 24/7 access to senior AWS engineers, and access to AWS Infrastructure Event Management (IEM) for planned launches, all of which are explicitly required by the CTO.

Exam trap

The trap here is that candidates often confuse Business Support (which offers 15-minute response and IEM) with Enterprise Support, overlooking the critical requirement for a dedicated TAM, which is exclusive to the Enterprise plan.

How to eliminate wrong answers

Option A is wrong because Basic Support provides only account and billing support, no TAM, no 15-minute response time, no senior engineer access, and no IEM access. Option B is wrong because Developer Support offers best-effort response times (not 15-minute for business-critical), no dedicated TAM, and no IEM access. Option C is wrong because Business Support provides a 15-minute response time for business-critical issues and IEM access, but it does not include a dedicated Technical Account Manager (TAM) or proactive architectural guidance from a named resource.

537
MCQmedium

A development team is building a serverless application that processes image uploads to Amazon S3. The application needs to automatically generate a thumbnail version of each uploaded image and store it in a separate S3 bucket. The team wants to minimize operational overhead and only pay for the compute time used during thumbnail generation. Which AWS service should the team use to execute the thumbnail generation code in response to S3 upload events?

A.Amazon EC2 Auto Scaling group
B.AWS Lambda
C.Amazon ECS with Fargate
D.Amazon Elastic Beanstalk
AnswerB

AWS Lambda is a serverless compute service that can be triggered directly by S3 events. It runs code only when invoked, scales automatically, and bills only for the compute time used, meeting all the stated requirements.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that can be triggered directly by S3 events (e.g., s3:ObjectCreated:*). This allows the thumbnail generation code to run automatically in response to each image upload, with no servers to manage and billing based only on the compute time consumed during execution.

Exam trap

The trap here is that candidates may confuse 'serverless' with container services like Fargate, but Lambda is the only option that natively integrates with S3 events and charges only for execution time, while Fargate still requires managing task definitions and incurs costs for running containers even when idle.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling group manages a fleet of virtual servers that run continuously, incurring costs even when idle, and requires manual integration with S3 events via polling or additional services like SQS, adding operational overhead. Option C is wrong because Amazon ECS with Fargate, while serverless at the container level, still requires defining a task definition, managing a cluster, and handling event integration via EventBridge or S3 notifications, which introduces more complexity and potential for idle costs compared to Lambda's direct event-driven model. Option D is wrong because Amazon Elastic Beanstalk is a PaaS service that provisions and manages underlying EC2 instances, which run continuously and are not event-driven; it would require additional components (e.g., SQS, Lambda) to react to S3 uploads, defeating the goal of minimizing overhead and pay-per-use compute.

538
MCQmedium

A company is preparing for a SOC 2 Type II audit and needs to provide its auditor with evidence of AWS's operational security controls. The security team has been asked to download the latest SOC 2 Type II report published by AWS. The team must access the report through a self-service portal without needing to contact AWS Support. Which AWS service should the security team use to meet this requirement?

A.AWS Artifact
B.AWS Audit Manager
C.AWS Config
D.AWS Trusted Advisor
AnswerA

AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports, including SOC 2 Type II, PCI DSS, and ISO 27001. Customers can download these reports directly without contacting AWS Support, making it the correct service for this requirement.

Why this answer

AWS Artifact is the correct service because it provides a self-service portal for downloading AWS compliance reports, including SOC 2 Type II reports, without needing to contact AWS Support. It offers on-demand access to AWS’s security and compliance documents, directly meeting the requirement for auditor evidence.

Exam trap

The trap here is that candidates may confuse AWS Audit Manager (which helps manage your own audits) with AWS Artifact (which provides AWS’s own compliance reports), leading them to select Audit Manager for downloading AWS’s SOC reports.

How to eliminate wrong answers

Option B is wrong because AWS Audit Manager is used to automate evidence collection for audits by assessing resource configurations, not to download pre-existing AWS compliance reports. Option C is wrong because AWS Config evaluates and records resource configuration changes against rules, but it does not host or provide access to AWS’s own SOC reports. Option D is wrong because AWS Trusted Advisor offers recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide compliance report downloads.

539
Matchingmedium

Match each AWS support plan to its key feature.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Customer service & documentation only

Business hours email support

24/7 phone & chat support

Concierge support team & proactive guidance

Technical Account Manager (TAM) & business-critical support

Why these pairings

AWS support plans offer increasing levels of support.

540
MCQmedium

A development team needs to provision a new Amazon EC2 instance for a proof-of-concept project. The team has an AWS account with appropriate IAM permissions. One developer logs into the AWS Management Console, selects an Amazon Machine Image (AMI), chooses an instance type, configures security groups, and launches the instance. The entire process takes less than 10 minutes and does not require any interaction with AWS support or IT administrators. Which essential characteristic of cloud computing does this scenario best illustrate?

A.On-demand self-service
B.Resource pooling
C.Measured service
D.Broad network access
AnswerA

Correct. The developer provisions the instance entirely through self-service steps in the AWS Management Console without any human intervention from AWS staff or internal IT, which is the definition of on-demand self-service.

Why this answer

This scenario best illustrates on-demand self-service because the developer was able to provision an EC2 instance entirely through the AWS Management Console without any human interaction with AWS support or IT administrators. The ability to independently configure and launch compute resources—selecting an AMI, instance type, and security groups—within minutes, without requiring manual approval or provisioning, is the defining characteristic of on-demand self-service as defined by NIST SP 800-145.

Exam trap

The trap here is that candidates confuse the speed of provisioning (which is a benefit of on-demand self-service) with resource pooling or measured service, but the question specifically tests the ability to provision resources without human interaction, which is the core of on-demand self-service.

How to eliminate wrong answers

Option B (Resource pooling) is wrong because resource pooling refers to the provider's multi-tenant model where physical and virtual resources are dynamically assigned and reassigned according to consumer demand; the scenario focuses on the consumer's ability to provision resources independently, not on how the provider shares resources across customers. Option C (Measured service) is wrong because measured service involves metering and billing for resource usage (e.g., per-hour or per-GB charges), which is not demonstrated in the quick provisioning process described. Option D (Broad network access) is wrong because broad network access means resources are accessible over the network via standard mechanisms (e.g., HTTPS, SSH) from a wide range of devices; while the console is accessed over the internet, the core action is self-service provisioning, not network accessibility.

541
MCQeasy

A gaming company needs a database that can handle millions of requests per second with consistent single-digit millisecond latency and automatically scales without any capacity planning. Which AWS database service meets these requirements?

A.Amazon RDS for MySQL
B.Amazon Aurora
C.Amazon DynamoDB
D.Amazon Redshift
AnswerC

DynamoDB is a serverless NoSQL database that automatically scales to handle millions of requests per second with single-digit millisecond response times. No server or capacity management is needed.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers consistent single-digit millisecond latency at any scale. It automatically scales throughput capacity via on-demand mode, eliminating the need for capacity planning, and can handle millions of requests per second, making it ideal for high-traffic gaming workloads.

Exam trap

The trap here is that candidates often confuse Amazon Aurora's auto-scaling storage with automatic throughput scaling, overlooking that Aurora still requires manual compute provisioning and does not match DynamoDB's ability to handle millions of requests per second without capacity planning.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a relational database that requires manual scaling (e.g., instance resizing, read replicas) and cannot automatically handle millions of requests per second with single-digit millisecond latency without significant tuning and capacity planning. Option B is wrong because Amazon Aurora, while high-performance and auto-scaling for storage, is a relational database that still requires provisioning compute capacity and does not natively support the sub-millisecond, auto-scaling throughput needed for millions of requests per second without manual intervention. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries, not for high-throughput, low-latency transactional workloads, and it requires capacity planning for node types and clusters.

542
MCQeasy

Which AWS service provides a serverless, fully managed Apache Kafka-compatible data streaming service?

A.Amazon SQS
B.Amazon Kinesis Data Streams
C.Amazon MSK (Managed Streaming for Apache Kafka)
D.AWS Step Functions
AnswerC

Amazon MSK provides fully managed Apache Kafka clusters on AWS, with MSK Serverless for serverless operation, maintaining full Kafka API compatibility.

Why this answer

Amazon MSK (Managed Streaming for Apache Kafka) is the correct answer because it is a fully managed, serverless service that provides Apache Kafka-compatible data streaming. It handles cluster provisioning, scaling, and maintenance, allowing you to run Kafka workloads without managing infrastructure. This directly matches the question's requirement for a serverless, fully managed Apache Kafka-compatible service.

Exam trap

The trap here is that candidates confuse Amazon Kinesis Data Streams with a Kafka-compatible service, but Kinesis uses its own API and is not compatible with Kafka protocols, while MSK is the only fully managed Kafka-compatible option.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a fully managed message queue service that uses pull-based messaging, not a streaming platform, and it is not compatible with Apache Kafka protocols or APIs. Option B is wrong because Amazon Kinesis Data Streams is a serverless streaming service but uses its own proprietary API and is not Apache Kafka-compatible; it does not support Kafka producers or consumers. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating workflows, not a data streaming service, and it has no relation to Apache Kafka.

543
MCQmedium

A company has multiple AWS accounts managed under AWS Organizations with consolidated billing enabled. The company purchases a 3-year Compute Savings Plan to reduce costs on Amazon EC2, AWS Fargate, and AWS Lambda usage. The finance team wants the discount from the Savings Plan to apply to eligible usage across all accounts in the organization. What configuration is required to achieve this?

A.The Savings Plan must be purchased in the management account, and the discount automatically applies to all accounts in the organization.
B.The Savings Plan must be purchased separately in each account where the discount is needed.
C.The finance team must create custom cost allocation tags to distribute the Savings Plan discount across accounts.
D.The Savings Plan must be linked to each member account using the AWS Billing Conductor.
AnswerA

This configuration is correct. With consolidated billing, Savings Plans purchased in the management account cover eligible usage across all member accounts automatically.

Why this answer

When a Compute Savings Plan is purchased in the management account of an AWS Organization with consolidated billing enabled, the discount is automatically shared across all member accounts. This is because consolidated billing aggregates all usage across the organization, and Savings Plans apply discounts to the combined eligible usage, regardless of which account incurred the cost.

Exam trap

The trap here is that candidates may think Savings Plans need to be purchased in each account or require additional configuration like tags or Billing Conductor, when in fact consolidated billing automatically shares the discount across the entire organization.

How to eliminate wrong answers

Option B is wrong because purchasing a Savings Plan separately in each account would not allow the discount to be shared across the organization; each account would only receive its own discount, defeating the purpose of consolidated billing. Option C is wrong because cost allocation tags are used for tracking and reporting costs, not for distributing or applying Savings Plan discounts; discounts are applied automatically based on usage and billing aggregation. Option D is wrong because AWS Billing Conductor is a tool for customizing billing reports and allocating costs, not for linking Savings Plans to accounts; Savings Plan sharing is inherent to consolidated billing and does not require Billing Conductor.

544
MCQmedium

A data science team wants to build, train, and deploy machine learning models without managing the underlying server infrastructure for training and inference. Which AWS service provides a fully managed environment for the machine learning workflow?

A.AWS Lambda
B.Amazon EC2 with NVIDIA GPUs
C.Amazon SageMaker
D.Amazon Rekognition
AnswerC

SageMaker provides a complete managed ML platform: data labelling (Ground Truth), a managed Jupyter notebook environment, distributed training infrastructure, and one-click model deployment to a managed endpoint.

Why this answer

Amazon SageMaker is a fully managed service that provides every component needed for the machine learning workflow, including data labeling, model building, training, tuning, and deployment. It eliminates the need to manage underlying server infrastructure for both training and inference by automatically provisioning, scaling, and managing compute resources.

Exam trap

The trap here is that candidates often confuse 'fully managed ML workflow' with 'serverless compute' (Lambda) or 'raw compute power' (EC2), but the key differentiator is that SageMaker manages the entire ML lifecycle from data preparation to deployment, not just a single compute step.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a serverless compute service designed for short-running, event-driven functions (max 15-minute execution time) and is not suitable for the long-running, resource-intensive training and inference tasks of a full ML workflow. Option B is wrong because Amazon EC2 with NVIDIA GPUs provides raw compute infrastructure that requires the data science team to manually manage the operating system, ML frameworks, scaling, and fault tolerance, which contradicts the requirement of not managing underlying server infrastructure. Option D is wrong because Amazon Rekognition is a pre-trained AI service for image and video analysis (e.g., facial recognition, object detection) and does not allow users to build, train, or deploy custom machine learning models.

545
MCQeasy

Which AWS service enables real-time translation of text between languages for applications serving a global audience?

A.Amazon Comprehend
B.Amazon Polly
C.Amazon Translate
D.Amazon Transcribe
AnswerC

Amazon Translate provides real-time and batch neural machine translation between multiple language pairs via a simple API.

Why this answer

Amazon Translate is a neural machine translation service that delivers fast, high-quality, and customizable language translation in real time. It is specifically designed to translate text between languages for applications serving a global audience, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse Amazon Translate with Amazon Comprehend, mistakenly thinking that NLP capabilities include translation, but Comprehend only analyzes text in its original language and does not convert it to another language.

How to eliminate wrong answers

Option A is wrong because Amazon Comprehend is a natural language processing (NLP) service that extracts insights like sentiment, entities, and key phrases from text, but it does not translate text between languages. Option B is wrong because Amazon Polly is a text-to-speech service that converts text into lifelike speech, not a translation service. Option D is wrong because Amazon Transcribe is an automatic speech recognition (ASR) service that converts audio to text, but it does not perform language translation.

546
MCQmedium

A company has a monthly budget of $10,000 for its development AWS account. The project manager wants to receive an automated email alert when the actual costs for the current month reach 80% of the budget. The project manager does not want to build any custom code or manage any infrastructure for this alert. Which approach should the project manager take to meet these requirements?

A.Create a budget in AWS Budgets for the account, set the budget amount to $10,000, configure an alert for actual cost at 80% of the budget amount, and specify an email address to receive the notification.
B.Create a cost allocation tag in the Billing and Cost Management console, then configure an Amazon SNS topic to send an email when the tag's cost reaches $8,000.
C.Create a usage report in AWS Cost Explorer, set a forecast alert at 80% of the monthly budget, and configure the report to be sent via email.
D.Create an AWS Lambda function that queries the AWS Cost Explorer API daily, compares actual cost to the budget, and sends an email if costs exceed $8,000.
AnswerA

Correct. AWS Budgets allows you to set a cost budget and define alerts for actual or forecasted costs. When the actual costs reach the 80% threshold, Budgets sends a notification to the specified email address. This is a fully managed feature with no custom code or infrastructure required.

Why this answer

AWS Budgets allows you to set a monthly budget of $10,000 and configure an alert to trigger when actual costs reach 80% ($8,000). The alert can send an email notification directly without requiring any custom code or infrastructure management, meeting the project manager's requirements exactly.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a custom-coded approach (Lambda) or a reporting tool (Cost Explorer) when AWS Budgets provides a simple, managed, and code-free alerting mechanism directly in the Billing and Cost Management console.

How to eliminate wrong answers

Option B is wrong because cost allocation tags are used to categorize costs, not to trigger alerts; Amazon SNS alone cannot monitor costs or compare them to a threshold without additional logic. Option C is wrong because AWS Cost Explorer usage reports provide historical data and forecasts but do not support real-time alerting or automated email notifications when a budget threshold is reached. Option D is wrong because it requires building and managing a custom AWS Lambda function and infrastructure, which violates the requirement of not building custom code or managing infrastructure.

547
MCQmedium

A company has two separate VPCs — one for development workloads and one for a shared services environment — and wants EC2 instances in both VPCs to communicate with each other using private IP addresses without traffic traversing the public internet. Which AWS feature enables this?

A.Internet Gateway
B.NAT Gateway
C.VPC Peering
D.AWS Direct Connect
AnswerC

VPC Peering connects two VPCs (even across accounts or regions) so instances can communicate using private IPs without public internet exposure. Traffic remains on the AWS private network.

Why this answer

VPC Peering enables direct network connectivity between two VPCs using private IP addresses, with traffic routed entirely within the AWS network backbone. This allows EC2 instances in the development VPC and the shared services VPC to communicate without traversing the public internet, as traffic stays within the AWS global infrastructure.

Exam trap

The trap here is that candidates often confuse VPC Peering with a NAT Gateway or Internet Gateway, mistakenly thinking those services can bridge two VPCs, when in fact they are designed for internet-bound traffic, not private VPC-to-VPC connectivity.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway (IGW) is a horizontally scaled, redundant component that allows communication between a VPC and the public internet, not between two separate VPCs. Option B is wrong because a NAT Gateway enables instances in a private subnet to initiate outbound traffic to the internet (e.g., for updates) but does not allow inbound connections from another VPC or direct VPC-to-VPC communication. Option D is wrong because AWS Direct Connect establishes a dedicated private network connection from an on-premises data center to AWS, not between two VPCs within AWS.

548
MCQmedium

A company manages over 100 AWS accounts using AWS Organizations. The security team wants a centralized service that continuously monitors for malicious or unauthorized behavior across all accounts. The service must analyze AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs to automatically detect threats such as anomalous API calls, crypto-mining activity, and compromised credentials. The security team wants to receive actionable alerts without having to write custom detection rules or manage underlying infrastructure. Which AWS service should the security team use?

A.Amazon Inspector
B.AWS Trusted Advisor
C.Amazon GuardDuty
D.AWS Config
AnswerC

Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts and workloads for malicious activity. It analyzes CloudTrail management events, VPC Flow Logs, and DNS logs to detect threats such as anomalous API calls, crypto-mining, and compromised credentials. It operates without requiring custom rules and can be centrally enabled across all accounts in an AWS Organization.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior using machine learning, anomaly detection, and integrated threat intelligence. It natively analyzes AWS CloudTrail management event logs, VPC Flow Logs, and DNS query logs across all accounts in an AWS Organization, automatically generating actionable alerts without requiring custom rules or infrastructure management.

Exam trap

The trap here is that candidates often confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detector), or assume AWS Config can perform threat detection when it is actually a compliance and configuration tracking service.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not a continuous threat detection service that analyzes CloudTrail, VPC Flow Logs, or DNS logs. Option B is wrong because AWS Trusted Advisor provides best-practice checks for cost optimization, performance, security, and fault tolerance, but it does not perform real-time threat detection or analyze log data for malicious activity. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that evaluates resource configurations against rules, not a threat detection service that monitors for anomalous behavior or analyzes log streams.

549
Drag & Dropmedium

Drag and drop the steps to troubleshoot an EC2 instance that is not reachable via SSH in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Troubleshooting connectivity: security group, NACL, public IP, routing, and system logs.

550
MCQeasy

Which AWS service is a fully managed data warehousing service optimized for online analytical processing (OLAP) of large datasets?

A.Amazon RDS
B.Amazon DynamoDB
C.Amazon Redshift
D.Amazon Aurora
AnswerC

Redshift is AWS's cloud data warehouse, optimized for complex analytical queries across petabytes of structured data using columnar storage and MPP.

Why this answer

Amazon Redshift is a fully managed, petabyte-scale data warehouse service designed specifically for online analytical processing (OLAP) of large datasets. It uses columnar storage, massively parallel processing (MPP), and data compression to deliver fast query performance on structured and semi-structured data, making it the correct choice for OLAP workloads.

Exam trap

The trap here is that candidates often confuse OLTP services (RDS, Aurora, DynamoDB) with OLAP services, mistakenly thinking any database can handle large-scale analytics, but AWS specifically positions Redshift as the only fully managed data warehouse for OLAP workloads.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a relational database service optimized for online transaction processing (OLTP), not for large-scale analytical queries. Option B is wrong because Amazon DynamoDB is a NoSQL key-value and document database designed for low-latency, high-throughput OLTP workloads, not for complex analytical queries on large datasets. Option D is wrong because Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database engine focused on OLTP performance and high availability, not on OLAP or data warehousing.

551
MCQmedium

A company discovered that an IAM user's access keys were accidentally committed to a public GitHub repository. Which immediate action should they take first?

A.Delete the GitHub repository
B.Immediately deactivate or delete the exposed IAM access keys
C.Enable MFA for the IAM user
D.Move the credentials to a private repository
AnswerB

Deactivating or deleting the exposed keys stops any active unauthorized use immediately. This is the first priority before investigation.

Why this answer

The immediate priority when IAM access keys are exposed is to revoke their validity to prevent unauthorized use. Deactivating or deleting the keys ensures that any malicious actor who obtained them from the public repository can no longer authenticate as the IAM user, stopping potential data breaches or resource abuse. This aligns with the AWS security best practice of rotating credentials upon suspected compromise.

Exam trap

The trap here is that candidates may focus on removing the public exposure (e.g., deleting the repo or moving to private) rather than understanding that the keys themselves must be invalidated, as the damage is already done once they are publicly accessible.

How to eliminate wrong answers

Option A is wrong because deleting the GitHub repository does not invalidate the already-exposed access keys; the keys remain active and can still be used by anyone who copied them. Option C is wrong because enabling MFA adds a second factor for future console logins but does not affect the validity of the already-leaked access keys, which are used for programmatic access and bypass MFA entirely. Option D is wrong because moving the credentials to a private repository does not revoke the keys; they are still active and could have been copied by unauthorized parties before the move, leaving the account vulnerable.

552
MCQmedium

A company plans to migrate its on-premises workload to AWS. The finance team wants to compare the total cost of ownership between running the workload on-premises and running it on AWS. They need to estimate monthly costs for different Amazon EC2 instance types, pricing models (On-Demand, Reserved, Spot), and storage options before making any commitment. Which AWS tool should the finance team use to create this detailed cost estimate?

A.AWS Pricing Calculator
B.AWS Budgets
C.AWS Cost Explorer
D.AWS Trusted Advisor
AnswerA

Correct. The AWS Pricing Calculator is the tool specifically designed to create detailed cost estimates for AWS services, allowing you to compare different pricing models and compute total cost of ownership against on-premises environments.

Why this answer

AWS Pricing Calculator is the correct tool because it allows users to create detailed cost estimates for AWS services, including EC2 instance types, pricing models (On-Demand, Reserved, Spot), and storage options, before any commitment. It provides a granular breakdown of monthly costs, enabling a total cost of ownership (TCO) comparison between on-premises and AWS workloads. This aligns directly with the finance team's requirement to estimate costs without incurring actual usage.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer (a historical analysis tool) with the AWS Pricing Calculator (a pre-provisioning estimation tool), because both deal with cost data, but Cost Explorer cannot generate estimates for hypothetical configurations.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is used to set cost thresholds and receive alerts based on actual or forecasted spending, not to create upfront estimates for different configurations. Option C (AWS Cost Explorer) is wrong because it analyzes historical usage and costs after resources have been deployed, not for pre-migration estimation. Option D (AWS Trusted Advisor) is wrong because it provides best-practice recommendations for cost optimization, security, and performance based on existing AWS resources, not for generating detailed cost estimates for hypothetical scenarios.

553
MCQeasy

Which AWS support plan provides access to AWS Infrastructure Event Management (IEM) for product launches and migrations at no additional charge?

A.Developer Support
B.Business Support
C.Enterprise Support
D.Basic Support
AnswerC

Enterprise Support includes IEM at no additional charge, providing dedicated AWS expertise for critical business events.

Why this answer

The Enterprise Support plan includes AWS Infrastructure Event Management (IEM) at no additional charge, providing architectural and scaling guidance for product launches and migrations. This is a key differentiator from lower-tier plans, which either do not include IEM or require an extra fee. The Business Support plan offers IEM only as a paid add-on, while Developer and Basic plans lack access entirely.

Exam trap

The trap here is that candidates often assume the Business Support plan includes IEM for free because it offers a higher level of support than Developer, but AWS explicitly reserves complimentary IEM for Enterprise Support, while Business requires an additional fee.

How to eliminate wrong answers

Option A is wrong because the Developer Support plan does not include IEM; it is designed for early development and testing with no access to event management. Option B is wrong because the Business Support plan offers IEM only as a paid add-on, not at no additional charge. Option D is wrong because the Basic Support plan provides only account and billing support with no access to IEM or any proactive guidance.

554
MCQmedium

A company runs a web application that connects to an Amazon RDS for MySQL database. The security policy requires that the database password be rotated every 30 days. The development team wants a fully managed solution that automatically rotates the password, handles the update in RDS, and provides the application with the latest credentials without any code changes. The application should also continue to work during the rotation process. Which AWS service should the company use to meet these requirements?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Key Management Service (AWS KMS)
D.AWS Identity and Access Management (IAM)
AnswerA

Correct. AWS Secrets Manager is a fully managed service that stores, rotates, and retrieves secrets such as database credentials. It supports automatic rotation with built-in integration for Amazon RDS, Aurora, Redshift, and other services. Secrets Manager can rotate passwords on a schedule and use versioning to ensure that applications continue to work during rotation by serving the current version while a new version is being created.

Why this answer

AWS Secrets Manager is the correct choice because it provides a fully managed service for automatic password rotation every 30 days, directly integrates with Amazon RDS for MySQL to update the database credentials, and supplies the latest credentials to the application via the Secrets Manager API without requiring any code changes. The rotation process is designed to ensure application availability by using a staged rotation strategy (e.g., creating a new credential while the old one remains valid) so the application continues to work during the rotation.

Exam trap

AWS often tests the distinction between Secrets Manager (for automatic rotation and RDS integration) and Systems Manager Parameter Store (for static configuration or manual rotation), leading candidates to choose Parameter Store because it can store secrets but lacks the automated rotation and RDS-specific update capability required here.

How to eliminate wrong answers

Option B (AWS Systems Manager Parameter Store) is wrong because it does not support automatic rotation of RDS database passwords; it is a parameter store for configuration data and secrets but lacks built-in rotation scheduling or direct RDS integration. Option C (AWS Key Management Service) is wrong because it is a key management service for encryption keys, not for storing or rotating database passwords; it cannot update RDS credentials or provide the application with the latest password. Option D (AWS Identity and Access Management) is wrong because IAM manages users, roles, and permissions for AWS services, not database passwords; it cannot rotate RDS credentials or serve as a credential store for the application.

555
MCQeasy

A company collects sensor data from IoT devices and stores the data in Amazon S3. For the first 90 days, the data is accessed frequently for real-time analysis. After 90 days, the data is rarely accessed but must be retrievable within 24 hours for compliance audits. After 365 days, the data must be retained for legal purposes but can be deleted after 7 years. Which S3 storage class should the company use for the data from day 91 to day 365 to minimize storage costs while meeting the retrieval time requirement?

A.Amazon S3 Standard
B.Amazon S3 Glacier Flexible Retrieval
C.Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
D.Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
AnswerC

S3 Standard-IA is ideal for data that is accessed less frequently but requires rapid access when needed. It provides the same low-latency retrieval as S3 Standard at a lower storage cost, perfectly matching the requirement of retrievability within 24 hours while minimizing cost.

Why this answer

From day 91 to day 365, the data is rarely accessed but must be retrievable within 24 hours. Amazon S3 Standard-IA (S3 Standard-IA) is designed for infrequently accessed data that needs rapid access when required, with retrieval times in milliseconds, easily meeting the 24-hour requirement. It offers lower storage costs than S3 Standard while still providing high durability and low-latency retrieval, making it the most cost-effective choice for this period.

Exam trap

The trap here is that candidates see 'rarely accessed' and 'retrievable within 24 hours' and incorrectly choose S3 Glacier Flexible Retrieval, forgetting that Glacier retrieval times are typically minutes to hours (not milliseconds) and that S3 Standard-IA is the correct infrequent-access tier for data that still needs rapid retrieval.

How to eliminate wrong answers

Option A is wrong because Amazon S3 Standard is optimized for frequently accessed data and has higher storage costs, making it unnecessarily expensive for data that is rarely accessed after 90 days. Option B is wrong because Amazon S3 Glacier Flexible Retrieval has a retrieval time of minutes to hours (typically 1-5 minutes for expedited, but standard retrievals can take 3-5 hours), which does not meet the requirement of retrievable within 24 hours, but more importantly, it is designed for archival data and would be overkill for data that is only 91-365 days old and still needs occasional access. Option D is wrong because Amazon S3 One Zone-IA stores data in a single Availability Zone, which does not provide the same level of durability and availability as S3 Standard-IA, and the scenario does not specify that data can tolerate zone-level failures; S3 Standard-IA is the safer and more appropriate choice for compliance and legal retention needs.

556
MCQmedium

A company needs to integrate their on-premises Active Directory with AWS to enable SSO for employees accessing AWS services. Which AWS service provides this federation capability?

A.Amazon Cognito
B.AWS IAM Identity Center
C.AWS Directory Service AD Connector
D.AWS IAM roles
AnswerB

IAM Identity Center integrates with Active Directory to provide SSO access to multiple AWS accounts, with users signing in once to access all their permitted AWS environments.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service for integrating on-premises Active Directory with AWS to enable single sign-on (SSO) for employees accessing AWS services. It supports federation via SAML 2.0 or SCIM protocols, allowing you to connect your existing AD identity source and centrally manage user access to multiple AWS accounts and business applications.

Exam trap

The trap here is that candidates confuse AWS Directory Service AD Connector (which only proxies authentication) with the full SSO and access management capabilities of IAM Identity Center, leading them to choose Option C.

How to eliminate wrong answers

Option A is wrong because Amazon Cognito is designed for customer-facing identity and access management (e.g., mobile app users), not for federating enterprise on-premises Active Directory with AWS for employee SSO. Option C is wrong because AWS Directory Service AD Connector is a proxy that forwards authentication requests to your on-premises AD but does not provide the centralized SSO portal, permission sets, or multi-account management capabilities that IAM Identity Center offers. Option D is wrong because AWS IAM roles are a mechanism for granting permissions, not a service that provides federation or SSO integration; while roles can be used in federation flows, they require an external identity provider (IdP) and do not themselves integrate with on-premises AD.

557
MCQmedium

A development team needs to deploy a web application on AWS. They want to avoid managing the underlying infrastructure, such as EC2 instances and load balancers, but still need the ability to control scaling, update the application code, and perform rollbacks. The application must scale automatically based on demand and remain highly available. Which AWS service should the team use?

A.AWS Elastic Beanstalk
B.Amazon EC2 with Auto Scaling groups and an Application Load Balancer
C.AWS Lambda
D.Amazon ECS using the EC2 launch type
AnswerA

Correct. AWS Elastic Beanstalk is a PaaS that abstracts the underlying infrastructure (EC2, load balancers, scaling) and automatically manages deployment, scaling, and health monitoring. Developers can upload code and configure scaling and rollback policies without managing servers.

Why this answer

AWS Elastic Beanstalk is the correct choice because it provides a Platform as a Service (PaaS) model that abstracts the underlying EC2 instances, load balancers, and Auto Scaling groups. It allows the team to upload their application code, and Elastic Beanstalk automatically handles capacity provisioning, load balancing, scaling, and health monitoring. The team retains control over scaling configuration, application version updates, and rollbacks through the Elastic Beanstalk console or CLI, without managing the infrastructure directly.

Exam trap

The trap here is that candidates often confuse AWS Elastic Beanstalk with Amazon EC2 Auto Scaling, thinking that Auto Scaling alone meets the 'no infrastructure management' requirement, but Auto Scaling still requires managing the underlying EC2 instances and load balancer configuration.

How to eliminate wrong answers

Option B is wrong because Amazon EC2 with Auto Scaling groups and an Application Load Balancer requires the team to manually provision, configure, and manage the EC2 instances, load balancer, and scaling policies, which contradicts the requirement to avoid managing underlying infrastructure. Option C is wrong because AWS Lambda is a serverless compute service designed for event-driven, short-running functions (max 15-minute execution time) and is not suitable for deploying a full web application that requires persistent connections, long-running processes, or custom runtime environments. Option D is wrong because Amazon ECS using the EC2 launch type requires the team to manage the underlying EC2 instances, including patching, scaling the cluster, and configuring the container orchestration, which does not meet the requirement to avoid infrastructure management.

558
MCQmedium

A company runs a production MySQL database on Amazon RDS. The workload has a steady baseline usage that requires a db.r5.large instance most of the time, but during end-of-month processing, the database needs to scale up to a db.r5.xlarge for a few days. The company wants to maximize cost savings while retaining the ability to temporarily scale up the instance during those peaks and still receive a discounted rate. Which purchasing option should the company choose?

A.Standard Reserved Instance
B.Convertible Reserved Instance
C.Compute Savings Plan
D.On-Demand
AnswerB

Convertible Reserved Instances for RDS offer the flexibility to modify instance attributes (such as size) during the commitment term while still receiving a discounted rate. This allows the company to temporarily scale up to a db.r5.xlarge during peak periods without losing the RI discount.

Why this answer

Convertible Reserved Instances (RIs) allow you to change instance attributes (such as size) during the term, which fits the need to temporarily scale from db.r5.large to db.r5.xlarge for a few days each month. They offer a significant discount over On-Demand pricing (typically 30-50%) while retaining flexibility to modify the instance type. Standard RIs lock you into a specific instance family and size, making them unsuitable for this variable workload.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with RDS Reserved Instances, not realizing that Compute Savings Plans only apply to EC2 and Fargate, not to RDS database instances.

How to eliminate wrong answers

Option A is wrong because Standard Reserved Instances require a fixed instance family and size for the entire term (1 or 3 years), and you cannot temporarily scale up to a larger instance without incurring full On-Demand costs for the upgrade; they are designed for steady-state, predictable workloads. Option C is wrong because Compute Savings Plans apply to any EC2 or RDS compute usage but do not provide a discounted rate for RDS database instances; they only cover EC2 instances and AWS Fargate, not RDS.

559
Matchingmedium

Match each AWS service to its primary category.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Compute

Storage

Database

Networking & Content Delivery

Compute

Why these pairings

These are core AWS services and their categories.

560
MCQmedium

A company runs multiple applications across hundreds of Amazon EC2 instances in several AWS accounts. The finance team needs to perform daily cost analysis by combining detailed usage data (including instance type, operating system, and custom cost allocation tags) with their own business data stored in an on-premises data warehouse. They want to export cost and usage data from AWS at the most granular level possible (down to each individual resource and hour) into their on-premises system for custom reporting. Which AWS tool should they use to achieve this?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
AnswerC

The AWS Cost and Usage Report delivers the most comprehensive set of cost and usage data, including hourly granularity, resource-level details, and custom tags. It is delivered to an S3 bucket, enabling further analysis or integration with other systems.

Why this answer

AWS Cost and Usage Report (CUR) is the correct choice because it provides the most granular cost and usage data available, down to individual resource IDs and hourly intervals, and supports custom cost allocation tags. It can be delivered to an Amazon S3 bucket and then integrated with on-premises systems for custom reporting, meeting the finance team's requirement for detailed daily cost analysis combined with their own business data.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's visualization capabilities with the raw data export requirement, overlooking that CUR is the only service that provides hourly, resource-level data with custom tags for external integration.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides a pre-built visualization and filtering interface for cost data, but it does not export raw, hourly-level data with custom tags to an on-premises system. Option B is wrong because AWS Budgets is designed for setting cost thresholds and sending alerts, not for exporting granular usage data for custom reporting. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, security, and performance, but it does not generate or export detailed cost and usage data.

561
MCQmedium

A company runs an e-commerce application using Amazon RDS for MySQL. The database stores order and customer information. To achieve high availability, the company configures a Multi-AZ deployment. Which of the following describes a benefit of this configuration?

A.It automatically scales the database read capacity to handle traffic spikes.
B.It automatically fails over to a standby instance in a different Availability Zone if the primary instance fails.
C.It creates read replicas in multiple Regions to reduce latency for global users.
D.It encrypts data at rest using AWS KMS without any additional configuration.
AnswerB

This is the primary benefit of Multi-AZ. A synchronous standby is maintained in another AZ, and failover happens automatically to ensure high availability.

Why this answer

Option B is correct because a Multi-AZ deployment for Amazon RDS automatically synchronously replicates data to a standby instance in a different Availability Zone. If the primary instance fails (due to hardware failure, AZ outage, or patching), Amazon RDS automatically performs a failover to the standby, promoting it to become the new primary. This provides high availability by minimizing downtime without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments with Read Replicas, assuming Multi-AZ provides read scaling or cross-Region benefits, when in fact it only provides high availability within a single Region.

How to eliminate wrong answers

Option A is wrong because Multi-AZ deployments do not automatically scale read capacity; they are designed for high availability and failover, not for scaling read traffic. To scale read capacity, you would need to use RDS Read Replicas, which are separate from Multi-AZ. Option C is wrong because Multi-AZ deployments operate within a single AWS Region across multiple Availability Zones, not across multiple Regions; cross-Region read replicas are a separate feature used for disaster recovery or global latency reduction.

562
MCQmedium

A company operates a healthcare application on AWS that must comply with HIPAA regulations. The application stores sensitive patient data in Amazon S3. The compliance team requires that all data at rest in S3 be encrypted with a key that the company manages. The company also needs the ability to automatically rotate the encryption key every 365 days and to audit all key usage through AWS CloudTrail. Which AWS service should the company use to meet these requirements?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS) with a customer managed key
C.AWS CloudHSM
D.Amazon S3 server-side encryption with S3-managed keys (SSE-S3)
AnswerB

KMS with a customer managed key enables you to create and control the lifecycle of encryption keys. Automatic key rotation every 365 days is supported for customer managed keys, and all key usage is recorded in CloudTrail for auditing.

Why this answer

AWS KMS with a customer managed key (CMK) allows the company to create and control the encryption key used for S3 server-side encryption, meeting HIPAA's requirement for customer-managed keys. KMS supports automatic key rotation every 365 days (or custom period) and integrates with AWS CloudTrail to log every key usage (e.g., Decrypt, Encrypt API calls) for auditing. This combination satisfies all stated requirements: encryption at rest, customer-managed key, automatic rotation, and auditability.

Exam trap

The trap here is that candidates may confuse AWS CloudHSM (which offers dedicated HSM control) with KMS's simpler managed rotation and auditing, overlooking that CloudHSM requires manual rotation and lacks native CloudTrail integration for key usage logs.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates for data in transit, not encryption keys for data at rest in S3; it cannot provide key rotation or audit key usage via CloudTrail. Option C is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage but does not natively support automatic key rotation (you must implement rotation manually) and does not integrate directly with CloudTrail for key usage auditing without additional custom logging; KMS is the simpler, fully managed service that meets all requirements out of the box.

563
MCQmedium

Which AWS service helps detect unusual API activity and potential security threats by analyzing AWS CloudTrail, VPC Flow Logs, and DNS logs?

A.AWS Security Hub
B.Amazon Macie
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerC

GuardDuty uses ML to analyze CloudTrail, VPC Flow Logs, and DNS logs to detect threats.

Why this answer

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to identify malicious activity. It analyzes data sources including AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs to detect unusual API calls, potentially compromised instances, and other security threats.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (the logging service) with GuardDuty (the threat detection service), assuming that simply enabling CloudTrail provides threat detection, when in fact CloudTrail only records events and requires a separate analysis engine like GuardDuty to identify malicious patterns.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a centralized security posture management service that aggregates findings from multiple AWS services (including GuardDuty) and checks compliance against standards, but it does not directly analyze raw logs like CloudTrail, VPC Flow Logs, or DNS logs. Option B is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data (e.g., PII) stored in Amazon S3, not to analyze API activity or network logs. Option D is wrong because AWS CloudTrail is the service that records API activity for governance and auditing, but it does not perform threat detection or analysis; it simply provides the log data that other services like GuardDuty can consume.

564
MCQmedium

A company is migrating its on-premises data center to AWS. The Chief Financial Officer (CFO) wants to understand how this migration will change the company's financial structure. Historically, the company purchased servers, networking equipment, and software licenses upfront, with costs depreciating over several years. The CFO notes that the move to AWS will replace these large upfront capital expenditures with smaller, recurring operational expenses based on actual usage. Which essential characteristic of cloud computing enables this shift from capital expenditure (CAPEX) to operational expenditure (OPEX)?

A.Elasticity
B.Measured service
C.High availability
D.Resource pooling
AnswerB

Measured service is the characteristic that enables cloud providers to track resource consumption and bill customers based on actual usage. This consumption-based model turns IT expenses into operational expenditures (OPEX) by eliminating upfront hardware purchases.

Why this answer

Measured service is the cloud characteristic that allows providers to track and bill customers for actual resource usage (e.g., compute hours, storage GB-months, data transfer). This pay-as-you-go model directly replaces the need for large upfront capital purchases (CAPEX) with variable, usage-based operational expenses (OPEX), as the CFO requires. Without measured service, AWS would have no mechanism to meter consumption and charge proportionally, making the financial shift impossible.

Exam trap

The trap here is that candidates confuse elasticity (scaling) with the financial model shift, but elasticity only changes how much you use, not how you pay—measured service is what enables the per-unit billing that turns CAPEX into OPEX.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, which affects operational agility and cost optimization but does not inherently change the financial structure from CAPEX to OPEX—elasticity can exist in both models. Option C is wrong because high availability ensures that applications remain accessible despite failures, typically through redundancy across Availability Zones; it is a reliability characteristic that impacts uptime and design, not the fundamental billing or financial classification of expenses.

565
MCQmedium

A company's application has components that tightly depend on each other, making it difficult to scale individual components or update one without affecting others. The architects want to refactor to a more resilient architecture. What AWS design principle addresses this?

A.Design for failure by adding redundant instances
B.Implement loose coupling through asynchronous messaging between components
C.Use larger instance types to handle all components on fewer servers
D.Enable AWS Auto Scaling to handle traffic variability
AnswerB

Loose coupling via SQS, SNS, EventBridge, or API contracts allows independent scaling, deployment, and failure isolation — the core pattern for resilient microservices architectures.

Why this answer

Option B is correct because loose coupling through asynchronous messaging (e.g., using Amazon SQS or Amazon SNS) decouples components so that they can scale independently and updates can be made to one component without affecting others. This directly addresses the tight dependency described in the question, where scaling or updating one component impacts the entire application. By introducing message queues or pub/sub patterns, components communicate indirectly, improving resilience and fault isolation.

Exam trap

The trap here is that candidates often confuse high availability (redundancy) with architectural decoupling, assuming that adding more instances of tightly coupled components solves the scaling and update problem, when in fact loose coupling is required to break the dependencies.

How to eliminate wrong answers

Option A is wrong because adding redundant instances (e.g., deploying multiple EC2 instances behind an Auto Scaling group) addresses high availability and fault tolerance at the instance level, but does not solve the architectural problem of tight coupling between components—redundancy alone does not decouple interdependent services. Option C is wrong because using larger instance types (vertical scaling) consolidates components onto fewer servers, which actually increases tight coupling and creates a single point of failure, making the architecture less resilient, not more. Option D is wrong because AWS Auto Scaling handles traffic variability by adjusting capacity, but it does not address the tight coupling between components; scaling individual components independently requires decoupling, which Auto Scaling alone cannot provide.

566
MCQeasy

A company uses Amazon WorkMail for corporate email. Employees access email through a web browser or mobile app. The company does not manage any servers, email software, or storage infrastructure. Which cloud service model does this represent?

A.Infrastructure as a Service (IaaS)
B.Platform as a Service (PaaS)
C.Software as a Service (SaaS)
D.Hybrid cloud
AnswerC

SaaS is a fully managed application delivered over the internet. Amazon WorkMail is SaaS — AWS manages everything from the servers to the email application software. Customers simply use the service.

Why this answer

Amazon WorkMail is a fully managed email service where users access their email via a web browser or mobile app without managing any underlying servers, email software, or storage infrastructure. This aligns with the Software as a Service (SaaS) model, where the provider delivers the entire application and the consumer only uses the software over the internet.

Exam trap

The trap here is that candidates may confuse 'no server management' with IaaS, thinking that because email is hosted in the cloud it must be IaaS, but the key distinction is that SaaS delivers a complete application without any consumer control over the underlying infrastructure.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) provides virtualized computing resources (e.g., EC2 instances, storage volumes) where the consumer manages the operating system, applications, and middleware, which is not the case here as no servers or storage are managed. Option B is wrong because Platform as a Service (PaaS) provides a runtime environment and development tools for building and deploying applications, but WorkMail is a ready-to-use email application, not a platform for custom development. Option D is wrong because Hybrid cloud refers to a combination of on-premises and cloud infrastructure, but the scenario describes a fully cloud-based email service with no on-premises management.

567
MCQeasy

A company stores sensitive financial data in an Amazon S3 bucket. The security policy requires that all data must be encrypted in transit. The security administrator discovers that some automated scripts are using HTTP instead of HTTPS to upload files. The administrator must enforce that any request that does not use HTTPS is denied by the S3 bucket policy. Which condition key should the administrator include in the bucket policy to enforce this requirement?

A.aws:SourceIp
B.aws:Referer
C.aws:SecureTransport
D.s3:x-amz-server-side-encryption
AnswerC

This condition key checks if the request was sent over SSL/TLS. When set to 'false', the condition matches HTTP requests, allowing the policy to deny them. This is the correct key to enforce encryption in transit.

Why this answer

Option C is correct because the `aws:SecureTransport` condition key in an S3 bucket policy evaluates whether the request was sent over HTTPS (TLS). Setting it to `false` denies any request that uses HTTP, enforcing encryption in transit as required by the security policy.

Exam trap

The trap here is that candidates may confuse `aws:SecureTransport` with other condition keys like `aws:SourceIp` or `aws:Referer`, which control different aspects of access (network origin or referrer) rather than the transport protocol itself.

How to eliminate wrong answers

Option A is wrong because `aws:SourceIp` restricts access based on the client's IP address, not the protocol (HTTP vs HTTPS). Option B is wrong because `aws:Referer` restricts access based on the HTTP Referer header, which is unrelated to transport encryption.

568
MCQmedium

A company wants to analyse petabytes of historical sales data using standard SQL queries and connect their existing business intelligence (BI) tools to the data store. The workload is analytical (OLAP), not transactional (OLTP). Which AWS service is designed for this use case?

A.Amazon RDS for MySQL
B.Amazon DynamoDB
C.Amazon Redshift
D.Amazon Aurora
AnswerC

Redshift is AWS's managed data warehouse service specifically designed for OLAP. It uses columnar storage and parallel query execution to efficiently run complex SQL queries across petabytes of data and integrates with standard BI tools.

Why this answer

Amazon Redshift is a fully managed, petabyte-scale data warehouse service designed for analytical (OLAP) workloads. It uses standard SQL and integrates directly with popular BI tools via JDBC/ODBC connections, making it ideal for querying large historical datasets and connecting existing business intelligence tools.

Exam trap

The trap here is that candidates often confuse OLTP databases (like RDS, Aurora, or DynamoDB) with OLAP data warehouses, assuming any SQL-capable service can handle petabyte-scale analytics, but only Redshift is purpose-built for that workload with columnar storage and MPP.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a relational database optimized for transactional (OLTP) workloads, not for petabyte-scale analytical queries; it lacks the columnar storage and massively parallel processing (MPP) architecture needed for OLAP. Option B is wrong because Amazon DynamoDB is a NoSQL key-value and document database designed for low-latency, high-throughput transactional workloads, not for complex SQL analytical queries on petabytes of data. Option D is wrong because Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database built for OLTP, not for petabyte-scale data warehousing; it does not provide the columnar storage or MPP engine required for large-scale analytical processing.

569
MCQmedium

A company's application experiences traffic spikes every weekday morning when employees arrive at work. During off-hours, very few users are active. Which AWS feature automatically adjusts the number of EC2 instances based on demand, adding instances during peak hours and removing them during quiet periods?

A.Amazon EC2 Reserved Instances
B.AWS Elastic Load Balancing
C.Amazon EC2 Auto Scaling
D.AWS CloudFormation
AnswerC

EC2 Auto Scaling Groups automatically launch or terminate instances based on scaling policies. Scheduled policies add capacity before known peaks; dynamic policies respond to CloudWatch metrics in real time.

Why this answer

Amazon EC2 Auto Scaling is the correct service because it automatically adjusts the number of EC2 instances in response to demand, using scaling policies (e.g., scheduled scaling or dynamic scaling) to add instances during peak hours and terminate them during quiet periods. This directly matches the described traffic pattern of weekday morning spikes and off-hour lulls, without manual intervention.

Exam trap

The trap here is that candidates often confuse Elastic Load Balancing with Auto Scaling, assuming load balancers automatically scale instances, when in fact ELB only distributes traffic and requires Auto Scaling to adjust capacity.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Reserved Instances provide a billing discount for committing to a specific instance configuration over 1 or 3 years, but they do not automatically add or remove instances based on demand. Option B is wrong because AWS Elastic Load Balancing distributes incoming traffic across multiple targets (e.g., EC2 instances) but does not scale the number of instances up or down; it requires an external scaling mechanism like Auto Scaling. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service that provisions and manages AWS resources via templates, but it does not dynamically adjust instance counts in response to real-time traffic changes.

570
MCQmedium

A company's development team regularly creates temporary test environments. Each time, they log into the AWS Management Console, select the required Amazon EC2 instance types and storage, and launch the resources without needing to contact AWS support or their IT department. The team also terminates the resources when testing is complete. Which essential characteristic of cloud computing does this scenario best demonstrate?

A.Broad network access
B.On-demand self-service
C.Resource pooling
D.Measured service
AnswerB

On-demand self-service allows users to provision computing resources automatically without requiring human interaction from the cloud provider. The team independently launches and terminates resources through the AWS Management Console, directly demonstrating this characteristic.

Why this answer

The scenario describes the development team provisioning and terminating EC2 instances and storage directly through the AWS Management Console without requiring human intervention from AWS support or their IT department. This is the precise definition of on-demand self-service, one of the five essential characteristics of cloud computing as defined by NIST SP 800-145, where a consumer can unilaterally provision computing capabilities as needed automatically.

Exam trap

The trap here is that candidates may confuse 'broad network access' (access from anywhere via the internet) with the ability to self-provision, but the key differentiator is the lack of human intervention required, not the method of access.

How to eliminate wrong answers

Option A is wrong because broad network access refers to capabilities being available over the network and accessed through standard mechanisms (e.g., HTTPS, SSH) that promote use by heterogeneous client platforms (e.g., mobile phones, laptops), not the ability to provision resources without human interaction. Option C is wrong because resource pooling describes the provider's computing resources being pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand; the scenario does not illustrate multi-tenancy or dynamic assignment across customers.

571
MCQmedium

A media production company has a physical studio in Atlanta, Georgia. The company runs video editing workloads on Amazon EC2 instances that require single-digit millisecond latency to the studio's on-premises storage and workstations. The company wants to use AWS infrastructure that is physically located in or very near Atlanta to achieve this latency, while still having full access to AWS services like EC2, EBS, and VPC. The company does not want to manage the underlying hardware. Which AWS infrastructure option should the company use?

A.AWS Outposts
B.AWS Local Zones
C.AWS Wavelength
D.AWS Edge Locations
AnswerB

AWS Local Zones are specifically designed to provide single-digit millisecond latency for applications in a specific geographic area. They are fully managed by AWS and extend the AWS Region to be closer to end users. The company can run EC2 instances in a Local Zone near Atlanta to achieve the required low latency for video editing workloads.

Why this answer

AWS Local Zones are an infrastructure deployment that places compute, storage, and database services closer to large population centers, enabling single-digit millisecond latency for latency-sensitive applications. Since the company needs physical proximity to Atlanta without managing hardware, a Local Zone in or near Atlanta provides the required low latency while offering full access to EC2, EBS, and VPC services, with AWS handling the underlying hardware.

Exam trap

The trap here is that candidates may confuse AWS Local Zones with AWS Outposts, assuming Outposts is the only way to get on-premises-like latency, but Outposts requires customer-managed hardware, whereas Local Zones provide AWS-managed infrastructure in a specific geographic location.

How to eliminate wrong answers

Option A is wrong because AWS Outposts requires the customer to manage and maintain the physical hardware on-premises, which contradicts the requirement of not wanting to manage underlying hardware. Option C is wrong because AWS Wavelength is specifically designed for ultra-low latency applications at the edge of 5G networks, integrating with telecom providers, and is not intended for general-purpose EC2 workloads requiring proximity to a specific geographic location like Atlanta. Option D is wrong because AWS Edge Locations are content delivery endpoints for CloudFront and Route 53, not compute infrastructure that supports EC2, EBS, and VPC services for running video editing workloads.

572
MCQmedium

A company migrates its on-premises applications to AWS. The finance team wants to allocate costs to different departments based on the exact amount of compute, storage, and network resources each department consumes. They also want to set automatic alerts when a department's usage exceeds a predefined budget. Which essential characteristic of cloud computing enables this level of visibility and control over resource consumption?

A.Rapid elasticity
B.On-demand self-service
C.Measured service
D.Resource pooling
AnswerC

Measured service means that cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction. AWS meters consumption of compute, storage, and network resources, providing detailed reports and enabling cost allocation, budgets, and alerts. This directly supports the finance team's requirements.

Why this answer

Measured service is the correct answer because it refers to the cloud provider's ability to meter and report resource usage (compute hours, storage GB, data transfer) at a granular level. This metering data enables the finance team to allocate exact costs per department and set automated budget alerts via services like AWS Budgets or Cost Explorer, directly supporting the requirement for visibility and control over consumption.

Exam trap

The trap here is that candidates confuse 'on-demand self-service' (the ability to provision resources) with 'measured service' (the ability to track and bill for that usage), but the question specifically asks about visibility and control over consumption, not provisioning.

How to eliminate wrong answers

Option A is wrong because rapid elasticity describes the ability to automatically scale resources up or down based on demand, not the metering or cost allocation of those resources. Option B is wrong because on-demand self-service allows users to provision resources without human interaction, but it does not inherently provide the usage metering, cost tracking, or alerting capabilities needed for departmental cost allocation.

573
MCQmedium

A gaming company wants to deploy its multiplayer game to players in North America, Europe, and Asia. The company needs to ensure that players in all three regions experience low latency when connecting to game servers, and the game servers must be located as close as possible to the players. The company chooses AWS to host the game servers. Which benefit of cloud computing does this scenario best illustrate?

A.Rapid elasticity – because AWS can automatically scale the number of game servers based on player demand.
B.Global reach – because AWS has regions around the world, allowing the company to deploy game servers geographically close to players.
C.Pay-as-you-go – because the company only pays for game server compute hours used.
D.Resource pooling – because multiple players share the same underlying server resources.
AnswerB

Correct. Global reach (or global infrastructure) is a key benefit of cloud computing. AWS operates Regions across the globe, enabling customers to deploy applications near their users for low-latency access. This matches the gaming company's requirement to serve players in North America, Europe, and Asia with minimal latency.

Why this answer

This scenario best illustrates global reach because AWS operates multiple geographic regions worldwide, enabling the gaming company to deploy game servers in North America, Europe, and Asia. By placing infrastructure close to players, the company minimizes network latency and improves the real-time multiplayer experience. This is a core benefit of cloud computing that on-premises solutions cannot easily replicate without significant investment.

Exam trap

The trap here is that candidates may confuse rapid elasticity with global reach, since both involve scaling, but the question's emphasis on 'close to players' directly points to geographic distribution, not dynamic capacity adjustment.

How to eliminate wrong answers

Option A is wrong because rapid elasticity refers to automatically scaling resources up or down based on demand, which is not the primary focus here—the question emphasizes geographic proximity, not scaling. Option C is wrong because pay-as-you-go describes the consumption-based pricing model, but the scenario specifically highlights low latency through regional deployment, not cost savings. Option D is wrong because resource pooling involves multi-tenancy and shared infrastructure, which is unrelated to the goal of placing servers close to players for latency reduction.

574
MCQmedium

A company runs a production workload on AWS and needs technical support that includes phone and email access with a response time of less than 1 hour for critical system failures. The company also wants architectural guidance for cost optimization and performance improvement. The company currently has an AWS account with the Basic Support plan. Which AWS Support plan should the company choose to meet these requirements at the most cost-effective price?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerC

The Business Support plan includes phone and email support, a 1-hour response time for critical failures, and access to architectural guidance for cost optimization and performance. It is the most cost-effective plan that satisfies all the stated requirements.

Why this answer

The Business Support plan is the most cost-effective option that provides phone and email support with a response time of under 1 hour for critical system failures, along with architectural guidance for cost optimization and performance improvement. The Basic and Developer plans lack phone support and the required response time SLA, while the Enterprise plan offers additional features (e.g., a Technical Account Manager) that are not needed here, making it more expensive than necessary.

Exam trap

The trap here is that candidates often confuse the Developer Support plan's email-only support with phone access, or assume that the Basic plan includes any form of technical support beyond community forums, leading them to overlook the specific response time and channel requirements.

How to eliminate wrong answers

Option A is wrong because the Basic Support plan provides only documentation, whitepapers, and community forums with no phone or email access and no response time SLA for critical failures. Option B is wrong because the Developer Support plan offers email-only support with a response time of less than 12 hours for critical failures, not the required under 1 hour phone and email access. Option D is wrong because the Enterprise Support plan includes phone and email support with a 15-minute response time for critical failures and architectural guidance, but it is significantly more expensive than the Business plan and includes features (e.g., a Technical Account Manager, infrastructure event management) that are not required, making it not the most cost-effective choice.

575
MCQmedium

A company uses AWS Organizations to manage multiple AWS accounts. The security team needs to ensure that no Amazon S3 bucket in any account within the organization can be made publicly accessible. The team wants a centrally managed, preventive control that applies to all existing and future accounts and cannot be overridden by individual account administrators. Which AWS feature should the security team use to meet these requirements?

A.S3 Block Public Access account-level settings
B.AWS Config managed rule s3-bucket-public-read-prohibited
C.Amazon Macie with a sensitive data discovery job
D.Service control policy (SCP) in AWS Organizations
AnswerD

Service control policies (SCPs) are a feature of AWS Organizations. They allow centralized, preventive control over the maximum permissions granted to accounts within the organization. An SCP can deny actions that would make an S3 bucket public, such as s3:PutBucketAcl or s3:PutBucketPolicy. SCPs apply to all accounts (including future accounts) and cannot be overridden by account administrators, meeting all requirements.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally define and enforce permission guardrails across all accounts in the organization. An SCP that denies the `s3:PutBucketPublicAccessBlock` action and related public-access actions ensures that no S3 bucket can be made publicly accessible, and this policy applies to all existing and future accounts without being overridden by individual account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume account-level settings (like S3 Block Public Access) can be centrally enforced across an organization without an SCP.

How to eliminate wrong answers

Option A is wrong because S3 Block Public Access account-level settings are applied per account and can be overridden by an account administrator with sufficient permissions; they are not centrally enforced across all accounts in an organization. Option B is wrong because AWS Config managed rules are detective controls that only evaluate and report compliance after a resource is created or modified; they do not prevent the action from occurring. Option C is wrong because Amazon Macie is a data security service that discovers and protects sensitive data, but it does not provide preventive controls to block public access to S3 buckets.

576
MCQmedium

A company hosts a file-sharing platform on Amazon S3. The application bucket is in the us-west-2 (Oregon) Region. Users in Europe and Asia experience slow upload speeds when transferring large files. The company wants to improve upload performance by using AWS edge locations to accelerate data transfers to the bucket. The solution must work with standard S3 PUT operations and require minimal application changes. Which AWS feature should the company enable?

A.Amazon CloudFront
B.AWS Direct Connect
C.Amazon S3 Transfer Acceleration
D.AWS Global Accelerator
AnswerC

Amazon S3 Transfer Acceleration uses AWS edge locations to accelerate uploads to S3 buckets. It works with standard S3 PUT operations and only requires using a different endpoint URL, making it the correct choice for this scenario.

Why this answer

Amazon S3 Transfer Acceleration (C) uses AWS edge locations to route uploads over the optimized AWS network backbone, reducing latency for geographically distant clients. It works with standard S3 PUT operations and requires only enabling the feature on the bucket and updating the endpoint URL, minimizing application changes.

Exam trap

The trap here is that candidates confuse CloudFront's download acceleration (caching) with upload acceleration, or assume Direct Connect is a simple, minimal-change solution when it actually requires physical infrastructure and network configuration.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that accelerates downloads via caching at edge locations, not uploads; it does not accelerate S3 PUT operations. Option B is wrong because AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, but it does not leverage edge locations and requires significant infrastructure changes, not minimal application changes.

577
MCQmedium

A company has a web application that processes user-uploaded images. When a user uploads an image, the application needs to resize the image into multiple formats (thumbnail, medium, large). The company wants to avoid managing servers and wants the image processing to execute only when a new image is uploaded. The solution must automatically scale to handle thousands of concurrent uploads. Which AWS service should the company use to perform the image processing?

A.Amazon EC2 Auto Scaling group
B.AWS Lambda
C.Amazon ECS with Fargate launch type
D.AWS Elastic Beanstalk
AnswerB

AWS Lambda is a serverless compute service that runs code in response to triggers, such as an S3 upload event. It scales automatically and charges only for execution duration, making it perfect for short-lived, sporadic image processing tasks.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that runs code in response to events, such as an image upload to Amazon S3. It automatically scales from zero to thousands of concurrent executions, perfectly matching the requirement to avoid managing servers and to process images only when a new upload occurs.

Exam trap

The trap here is that candidates may choose Amazon ECS with Fargate because it is also serverless, but they overlook that Lambda is the simpler, event-driven, and cost-effective service for short-lived, stateless processing tasks triggered by S3 events.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling group requires managing server instances (even with scaling policies) and incurs costs even when idle, which contradicts the requirement to avoid server management and to execute only on upload events. Option C is wrong because Amazon ECS with Fargate launch type, while serverless, is designed for running containerized applications as long-running tasks or services, not for event-driven, short-lived executions triggered by S3 uploads; it adds unnecessary complexity and cost compared to Lambda for this use case.

578
MCQmedium

A company runs a web application behind an Application Load Balancer (ALB) in a VPC. The application must comply with a security standard that requires encryption in transit for all web traffic. The company needs a service to centrally manage SSL/TLS certificates, automatically renew them, and deploy them to the ALB without manual intervention. Which AWS service should the company use to meet these requirements?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (AWS KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerA

ACM allows you to provision, manage, and deploy public and private SSL/TLS certificates for use with integrated AWS services like Application Load Balancers. ACM handles automatic renewal and reduces administrative overhead.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it provides centralized management of SSL/TLS certificates, supports automatic renewal for certificates issued by ACM, and can seamlessly deploy these certificates to an Application Load Balancer (ALB) without any manual intervention. This directly meets the requirement for encryption in transit and compliance with the security standard.

Exam trap

The trap here is that candidates often confuse AWS KMS (for encryption at rest) or Secrets Manager (for secrets) with ACM, because all three involve 'keys' or 'certificates,' but only ACM handles SSL/TLS certificates for encryption in transit and integrates with ALB for automatic deployment and renewal.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is designed for creating and managing encryption keys used for data at rest, not for SSL/TLS certificates used for encryption in transit. Option C (AWS Secrets Manager) is wrong because it is intended for securely storing and rotating database credentials, API keys, and other secrets, not for managing SSL/TLS certificates or deploying them to an ALB.

579
MCQeasy

Which AWS service provides a managed Apache Kafka streaming service without requiring customers to provision, configure, or manage Kafka clusters?

A.Amazon Kinesis Data Streams
B.Amazon MSK Serverless
C.Amazon SQS FIFO queues
D.AWS Glue Streaming ETL
AnswerB

MSK Serverless provides serverless Apache Kafka — AWS manages capacity automatically with full Kafka API compatibility and no cluster provisioning required.

Why this answer

Amazon MSK Serverless is a fully managed Apache Kafka service that automatically provisions, scales, and manages Kafka clusters, eliminating the need for customers to handle cluster infrastructure. It supports the same Kafka producer and consumer APIs, making it ideal for streaming workloads without operational overhead.

Exam trap

The trap here is confusing Amazon Kinesis Data Streams with a managed Kafka service, as both handle streaming data, but Kinesis uses a proprietary API and shard model, not the open-source Kafka protocol.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Streams is a proprietary streaming service with its own API and shard-based model, not a managed Apache Kafka service. Option C is wrong because Amazon SQS FIFO queues provide ordered, exactly-once message delivery but are not a streaming platform and do not implement the Kafka protocol. Option D is wrong because AWS Glue Streaming ETL is a serverless data integration service for running ETL jobs on streaming data, not a managed Kafka cluster service.

580
MCQhard

A company is evaluating the AWS Sustainability pillar in the Well-Architected Framework. Which action aligns with AWS cloud sustainability best practices?

A.Provisioning maximum instance sizes to ensure peak performance at all times
B.Running workloads 24/7 even when not needed to maintain warm state
C.Right-sizing instances and using managed services to maximize resource utilization
D.Replicating all data to multiple regions for maximum redundancy
AnswerC

Right-sizing reduces wasted capacity and energy, while managed services share infrastructure across many customers at higher utilization rates than dedicated servers — both reduce environmental impact.

Why this answer

Option C is correct because right-sizing instances and using managed services directly aligns with the AWS Sustainability pillar, which focuses on minimizing the environmental impact of cloud workloads. By matching instance capacity to actual demand and leveraging services like AWS Lambda or Amazon RDS, you reduce wasted compute cycles and energy consumption, improving resource utilization and lowering carbon footprint.

Exam trap

The trap here is that candidates often confuse the Sustainability pillar with the Reliability pillar, assuming that maximizing redundancy or always-on resources is always beneficial, but the exam specifically tests that sustainability prioritizes minimizing resource consumption and waste.

How to eliminate wrong answers

Option A is wrong because provisioning maximum instance sizes for peak performance at all times leads to over-provisioning, which wastes energy and resources, contradicting the sustainability goal of minimizing environmental impact. Option B is wrong because running workloads 24/7 when not needed keeps idle resources consuming power and generating heat, increasing carbon emissions without business value. Option D is wrong because replicating all data to multiple regions for maximum redundancy introduces unnecessary data transfer and storage costs, increasing energy use and carbon footprint, whereas sustainability best practices recommend replicating only critical data based on business requirements.

581
MCQeasy

Which AWS service enables automatic speech recognition (ASR) to convert audio from customer service calls into text for further analysis?

A.Amazon Polly
B.Amazon Lex
C.Amazon Transcribe
D.Amazon Comprehend
AnswerC

Transcribe is purpose-built for converting speech recordings to text, supporting batch and real-time transcription with speaker diarization and custom vocabulary.

Why this answer

Amazon Transcribe is the correct AWS service for automatic speech recognition (ASR) because it is specifically designed to convert audio speech into text. It uses deep learning-based ASR models to process audio files or real-time streams, making it ideal for transcribing customer service call recordings for downstream analysis.

Exam trap

The trap here is that candidates confuse Amazon Lex (which also uses ASR) with Amazon Transcribe, but Lex's ASR is used for real-time conversational interactions, not for batch transcription of recorded audio for analysis.

How to eliminate wrong answers

Option A is wrong because Amazon Polly is a text-to-speech (TTS) service that converts text into lifelike speech, not the reverse. Option B is wrong because Amazon Lex is a service for building conversational interfaces (chatbots) using automatic speech recognition (ASR) and natural language understanding (NLU), but its primary purpose is to power interactive voice and text chatbots, not to provide a standalone transcription service for recorded audio. Option D is wrong because Amazon Comprehend is a natural language processing (NLP) service that extracts insights (e.g., sentiment, entities) from text, not audio.

582
MCQmedium

A retail company wants to provide personalized product recommendations on their homepage using machine learning. Which AWS service delivers this without requiring any ML expertise or model training?

A.Amazon SageMaker
B.Amazon Personalize
C.Amazon Forecast
D.Amazon Comprehend
AnswerB

Personalize delivers managed real-time personalized recommendations using interaction data — no ML expertise needed, just data ingestion and API calls for recommendations.

Why this answer

Amazon Personalize is a fully managed ML service that enables developers to build applications with real-time personalized recommendations without requiring any ML expertise or model training. It uses the same technology used by Amazon.com for its recommendation engine, and it automatically handles the entire ML pipeline, including data processing, model training, and inference.

Exam trap

The trap here is that candidates often confuse Amazon SageMaker (a general-purpose ML platform) with Amazon Personalize (a specialized recommendation service), mistakenly assuming that any ML task requires SageMaker, but the question explicitly asks for a service that delivers recommendations without ML expertise or model training.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker is a comprehensive ML service that requires users to build, train, and deploy their own models, demanding ML expertise and manual model training. Option C is wrong because Amazon Forecast is specifically designed for time-series forecasting (e.g., demand planning, inventory forecasting), not for generating personalized product recommendations. Option D is wrong because Amazon Comprehend is a natural language processing (NLP) service used for extracting insights and relationships from text, such as sentiment analysis or entity recognition, not for recommendation systems.

583
MCQmedium

A company is undergoing a compliance audit to demonstrate that its AWS environment adheres to industry standards such as PCI DSS and SOC. The auditor requests the company to provide the latest AWS compliance reports to verify the security controls implemented by AWS. The company needs to obtain these reports directly from AWS in a downloadable format. Which AWS service should the company use to meet this requirement?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Artifact
D.AWS Security Hub
AnswerC

AWS Artifact is the correct service for downloading AWS compliance reports. It provides on-demand access to AWS security and compliance documents, including SOC reports, PCI DSS reports, and ISO certifications, which are commonly requested by auditors.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC and PCI DSS reports, in a downloadable format. This allows the company to directly obtain the latest reports from AWS to share with auditors, meeting the compliance audit requirement without needing to configure or manage any other service.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with AWS Artifact (which provides compliance reports), leading them to select a service that manages compliance rules rather than one that delivers the actual audit documentation.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service that evaluates and records resource configurations against desired policies, not a repository for downloading compliance reports. Option B is wrong because AWS Trusted Advisor provides recommendations for optimizing AWS environments based on best practices, but it does not offer downloadable compliance reports like SOC or PCI DSS.

584
MCQmedium

A company uses multiple AWS accounts and wants to perform detailed custom cost analysis using a third-party business intelligence (BI) tool. The company needs the most granular cost and usage data available, including resource-level details such as instance type, region, and tags. The BI tool can read CSV files from an Amazon S3 bucket. The company wants a managed AWS service that automatically exports this detailed data to an S3 bucket on a daily basis with no additional coding. Which AWS service should the company use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Reports
D.AWS Trusted Advisor
AnswerC

AWS Cost and Usage Reports (CUR) publishes the most granular cost and usage data, including resource-level details, to an S3 bucket in CSV format on a daily basis. This data can be ingested by third-party BI tools for custom analysis.

Why this answer

AWS Cost and Usage Reports (CUR) is the correct choice because it is a managed AWS service that automatically publishes the most granular cost and usage data—including resource-level details like instance type, region, and tags—to an Amazon S3 bucket in CSV format on a daily basis, with no additional coding required. This directly meets the company's need for detailed custom cost analysis using a third-party BI tool that reads CSV files from S3.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's manual CSV export capability with the fully automated, scheduled export feature of AWS Cost and Usage Reports, leading them to incorrectly select Cost Explorer.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer provides visual cost analysis and can export data to CSV, but it is not a managed service that automatically exports detailed resource-level data to an S3 bucket on a daily schedule without coding; its exports are manual or require API calls. Option B is wrong because AWS Budgets is designed for setting cost and usage thresholds and sending alerts, not for exporting granular cost and usage data to S3 for BI tool analysis. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations for cost optimization, performance, and security, but it does not export cost and usage data to S3.

585
MCQmedium

A company runs a steady-state production workload on a fixed number of m5.large EC2 instances in the us-east-1 region. The workload runs 24/7 and the instance type and region are not expected to change. The company wants to obtain the highest possible discount for this workload with a 3-year commitment. Which purchasing option should the company choose?

A.Compute Savings Plan
B.EC2 Instance Savings Plan
C.Convertible Reserved Instances (3-year, All Upfront)
D.Standard Reserved Instances (3-year, All Upfront)
AnswerD

Correct. Standard Reserved Instances with a 3-year term and All Upfront payment offer the highest possible discount for a fixed, predictable workload because they lock in a specific instance type and region with no flexibility.

Why this answer

Standard Reserved Instances (3-year, All Upfront) offer the highest discount for a steady-state workload with a fixed instance type and region because they provide a significant discount over On-Demand pricing in exchange for a commitment to a specific instance family, size, and Availability Zone. Since the workload runs 24/7 on m5.large instances in us-east-1 and the configuration is not expected to change, Standard RIs maximize savings without the flexibility trade-offs that reduce discount rates.

Exam trap

The trap here is that candidates often confuse Savings Plans with Reserved Instances, assuming the flexibility of Savings Plans always yields the best discount, but for a fixed, unchanging workload, Standard RIs provide the highest possible savings due to the stricter commitment.

How to eliminate wrong answers

Option A is wrong because Compute Savings Plans apply to any EC2 instance family and region, but their discount is lower than that of Standard RIs for a fixed, predictable workload, and they do not require a specific instance type commitment. Option B is wrong because EC2 Instance Savings Plans offer flexibility within a region and instance family, but their discount is still less than Standard RIs for a fixed instance type and size, and they do not lock in a specific Availability Zone. Option C is wrong because Convertible Reserved Instances allow changing instance families and attributes, but they offer a lower discount than Standard RIs due to this flexibility, making them less cost-effective for a workload with no expected changes.

586
MCQmedium

A company archives historical transaction records in Amazon S3. The records are accessed frequently for the first 30 days after creation. After 30 days, access drops sharply to only a few times per year, but the company must be able to retrieve any record within 5 minutes if needed. The company wants to minimize storage costs while meeting the retrieval time requirement. Which combination of S3 storage classes should the company use?

A.Use S3 Standard for all data.
B.Use S3 Standard for the first 30 days, then transition to S3 Glacier Flexible Retrieval.
C.Use S3 Standard-IA for the first 30 days, then transition to S3 Glacier Deep Archive.
D.Use S3 One Zone-IA for the first 30 days, then transition to S3 Glacier Deep Archive.
AnswerB

S3 Standard provides low-latency access for the initial frequent access period. After 30 days, transitioning to S3 Glacier Flexible Retrieval reduces storage costs significantly. Although standard retrieval from S3 Glacier Flexible Retrieval takes hours, the company can use expedited retrieval (available as an optional feature) to meet the 5-minute requirement when needed, at an additional cost.

Why this answer

Option B is correct because S3 Standard provides low-latency access for the first 30 days when records are frequently accessed, and then lifecycle rules transition the data to S3 Glacier Flexible Retrieval, which offers retrieval times of minutes (typically 1–5 minutes for expedited retrievals) at a much lower storage cost. This combination meets the 5-minute retrieval requirement while minimizing costs for data that is rarely accessed after 30 days.

Exam trap

The trap here is that candidates may confuse S3 Glacier Deep Archive's retrieval time (12–48 hours) with S3 Glacier Flexible Retrieval's faster expedited retrieval (1–5 minutes), leading them to incorrectly choose a cheaper but non-compliant storage class.

How to eliminate wrong answers

Option A is wrong because using S3 Standard for all data would incur unnecessarily high storage costs for data that is rarely accessed after 30 days, failing to minimize storage costs. Option C is wrong because S3 Standard-IA is designed for infrequently accessed data but still has a minimum storage duration charge of 30 days and higher retrieval costs, making it less cost-effective for the first 30 days of frequent access; additionally, S3 Glacier Deep Archive has a retrieval time of 12–48 hours, which violates the 5-minute retrieval requirement.

587
MCQmedium

A company operates multiple AWS accounts for separate departments. The finance team wants to simplify monthly billing by receiving a single consolidated invoice that covers all accounts. Additionally, the company wants to aggregate usage across accounts to qualify for lower volume-based pricing tiers. Which AWS feature should the company enable to meet these requirements?

A.Consolidated billing through AWS Organizations
B.AWS Cost Explorer
C.AWS Budgets
D.AWS Trusted Advisor
AnswerA

Consolidated billing enables a single invoice for multiple accounts and aggregates usage for volume discounts, which directly meets both requirements.

Why this answer

AWS Organizations enables consolidated billing by allowing you to combine multiple AWS accounts under a single paying account, which aggregates usage across all accounts. This aggregation qualifies the company for lower volume-based pricing tiers (e.g., AWS volume discounts for services like S3 or EC2) because usage is summed across all member accounts. The master account receives a single consolidated invoice covering all accounts, simplifying monthly billing.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer or AWS Budgets with billing consolidation features, but neither of those tools actually aggregates usage across accounts or generates a single invoice; they are monitoring and alerting tools, not billing consolidation services.

How to eliminate wrong answers

Option B is wrong because AWS Cost Explorer is a tool for visualizing, analyzing, and forecasting AWS costs and usage, but it does not consolidate billing or aggregate usage for pricing tiers; it only provides insights into existing cost data. Option C is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts when thresholds are exceeded, but it does not enable consolidated invoicing or volume-based pricing aggregation.

588
Multi-Selectmedium

A company wants to ensure that their AWS account root user is protected with the highest level of security. Which two actions should they take? (Choose the answer that covers both.)

Select 2 answers
A.Create IAM user access keys for the root account to enable programmatic access
B.Enable MFA on the root account and delete any existing root access keys
C.Share the root password with the security team for emergency access
D.Use the root account for all day-to-day AWS operations to avoid delegation complexity
AnswersB, C

MFA on root provides strong authentication protection, and deleting root access keys eliminates programmatic root access — together these are the most critical root account security measures.

Why this answer

Option B is correct because enabling multi-factor authentication (MFA) on the AWS root user adds a second layer of security beyond the password, and deleting any existing root access keys eliminates the risk of programmatic access using long-term credentials. The root user has unrestricted access to all AWS resources, so these two actions are the most effective ways to protect it according to AWS best practices.

Exam trap

The trap here is that candidates may think creating IAM access keys for the root user is a valid way to enable programmatic access (Option A), but AWS explicitly prohibits this because root access keys cannot be managed or rotated like IAM user keys and pose an unacceptable security risk.

589
MCQmedium

A company has been using AWS for several months. The finance team wants to view a graphical dashboard of their monthly spending trends for the past 6 months and also obtain a forecast of their expected costs for the next month. The team needs an AWS managed service that provides this visualization and forecasting without requiring any additional data export or third-party tools. Which AWS service should the team use?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Cost and Usage Report
D.AWS Trusted Advisor
AnswerA

Correct. AWS Cost Explorer is a managed service that provides a graphical interface to view and analyze historical cost and usage data. It also includes a forecasting feature to predict future costs, all without requiring any additional setup or third-party tools.

Why this answer

AWS Cost Explorer provides a pre-built, managed graphical dashboard that visualizes historical spending trends and generates cost forecasts for the next month without requiring any data export or third-party tools. It allows filtering by time range (e.g., past 6 months) and automatically computes a forecast based on historical usage patterns using AWS's internal machine learning models.

Exam trap

The trap here is that candidates often confuse AWS Budgets (which only alerts on thresholds) with Cost Explorer (which provides historical visualization and forecasting), or they assume the Cost and Usage Report includes a built-in dashboard when it actually only provides raw data for external tools.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because AWS Budgets is designed for setting cost and usage thresholds and sending alerts when those thresholds are exceeded, not for providing a graphical dashboard of historical spending trends or forecasting future costs. Option C (AWS Cost and Usage Report) is wrong because it delivers detailed, raw billing data in CSV or Parquet format that must be exported to another tool (e.g., Amazon Athena, QuickSight) for visualization and forecasting; it does not offer a built-in graphical dashboard or forecasting capability.

590
MCQmedium

Which AWS service provides a managed workflow for human review tasks, allowing machine learning models to request human oversight for low-confidence predictions?

A.Amazon SageMaker Ground Truth
B.Amazon Augmented AI (A2I)
C.Amazon Mechanical Turk
D.Amazon Rekognition Custom Labels
AnswerB

A2I provides human review workflows for ML predictions, routing low-confidence or high-risk decisions to human reviewers with configurable thresholds and reviewer pools.

Why this answer

Amazon Augmented AI (A2I) is the correct service because it provides a managed workflow for human review of machine learning predictions, specifically when models have low confidence. It integrates with services like Amazon Rekognition and Amazon Textract to automatically route low-confidence predictions to human reviewers, enabling a human-in-the-loop (HITL) process without custom infrastructure.

Exam trap

The trap here is that candidates confuse Amazon Augmented AI (A2I) with Amazon SageMaker Ground Truth, because both involve human tasks, but Ground Truth is for labeling training data while A2I is for reviewing live predictions.

How to eliminate wrong answers

Option A is wrong because Amazon SageMaker Ground Truth is a data labeling service for creating training datasets, not a workflow for reviewing low-confidence predictions from deployed models. Option C is wrong because Amazon Mechanical Turk is a crowdsourcing marketplace for human tasks, but it lacks the managed integration with ML models and confidence thresholds that A2I provides for automated human review workflows. Option D is wrong because Amazon Rekognition Custom Labels is a service for training custom image analysis models, not a human review workflow for low-confidence predictions.

591
MCQeasy

Which AWS service enables sending promotional and transactional email at scale, such as marketing newsletters and order confirmations?

A.Amazon SNS
B.Amazon Pinpoint
C.Amazon SES
D.Amazon Cognito
AnswerC

SES is purpose-built for high-volume email sending — both transactional and marketing email — with deliverability management, bounce handling, and dedicated IP options.

Why this answer

Amazon SES (Simple Email Service) is specifically designed for sending high-volume transactional and marketing emails, such as order confirmations and newsletters. It provides dedicated SMTP endpoints and APIs for email delivery, with features like bounce handling, suppression lists, and deliverability tracking. This makes it the correct choice for scalable email sending at scale.

Exam trap

The trap here is that candidates confuse Amazon SNS with SES because both can send emails, but SNS is a pub/sub notification service with limited email features, while SES is the dedicated email-sending service for high-volume transactional and marketing emails.

How to eliminate wrong answers

Option A is wrong because Amazon SNS (Simple Notification Service) is a pub/sub messaging service for sending notifications via SMS, email, HTTP, or Lambda, but it is not optimized for high-volume transactional or marketing email campaigns—it lacks dedicated email deliverability features like DKIM signing and suppression lists. Option B is wrong because Amazon Pinpoint is a customer engagement service focused on targeted marketing campaigns across multiple channels (email, SMS, push), but it is not the primary service for raw transactional email at scale; SES is the core email-sending engine behind Pinpoint's email channel. Option D is wrong because Amazon Cognito is an identity and user management service for authentication, authorization, and user pools—it has no capability to send promotional or transactional emails.

592
MCQmedium

A company runs a nightly batch processing job on a single on-premises server. The job takes 4 hours to complete, and if the server fails during processing, the job must start over from the beginning. The company is migrating this workload to AWS. The solutions architect proposes running the job across multiple Amazon EC2 instances that process different chunks of data simultaneously. The architect also plans to configure the system so that if any single instance fails, its chunk is automatically reprocessed by another instance, ensuring the overall job still completes. Which benefit of cloud computing does this architecture primarily demonstrate?

A.Elasticity
B.High availability
C.Horizontal scaling
D.Global reach
AnswerC

Correct. Horizontal scaling (scaling out) means adding more instances to share the workload. The architect splits the job into chunks and runs them on multiple EC2 instances, improving both performance (parallelism) and fault tolerance (chunks are reprocessed if an instance fails).

Why this answer

Option C is correct because the architecture distributes the workload across multiple EC2 instances, each processing a separate chunk of data. This is the definition of horizontal scaling (scaling out). If an instance fails, its chunk is automatically reprocessed by another instance, which demonstrates the fault tolerance and parallelism that horizontal scaling enables, not just adding more capacity.

Exam trap

The trap here is that candidates confuse fault tolerance (handling instance failure) with high availability, but the question emphasizes distributing work across multiple instances to complete the job faster and handle failures, which is the core benefit of horizontal scaling, not just keeping the system running.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, such as adding instances during peak load and removing them when idle. The scenario describes a fixed nightly job with a fixed number of instances, not dynamic scaling. Option B is wrong because high availability focuses on ensuring the system remains operational and accessible despite failures, typically through redundancy across Availability Zones.

While the architecture does handle instance failure, the primary benefit demonstrated is distributing work across multiple instances (scaling out), not maintaining uptime of the overall system. Option D is wrong because global reach refers to deploying resources in multiple geographic regions to reduce latency or comply with data residency requirements. The scenario involves a single batch job on EC2 instances, with no mention of multi-region deployment or latency optimization.

593
MCQmedium

A company runs a web application on Amazon EC2 instances that connect to an Amazon RDS for MySQL database. Currently, the database administrator (DBA) hardcodes the database password in the application configuration file. A recent security audit recommends removing the password from the code and implementing automated password rotation every 30 days. The company wants a managed AWS service that can store the password securely and rotate it on a schedule without requiring custom code. Which AWS service should the company use?

A.AWS KMS (Key Management Service)
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.AWS IAM (Identity and Access Management)
AnswerC

Secrets Manager is designed for securely storing secrets such as database credentials, API keys, and other sensitive data. It offers built-in automatic secret rotation with integration to RDS and other services, meeting the requirement without custom code.

Why this answer

AWS Secrets Manager is the correct choice because it is a managed service specifically designed to securely store database credentials and other secrets, with built-in capability to automatically rotate passwords on a defined schedule (e.g., every 30 days) without requiring custom code. It integrates natively with Amazon RDS for MySQL, enabling automated rotation of the master user password via a pre-built Lambda function, which directly addresses the security audit's requirement to remove hardcoded passwords and implement rotation.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store encrypted strings, but Parameter Store lacks native automated rotation, which is the critical requirement in this question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for creating and controlling encryption keys used to encrypt data at rest or in transit; it does not store secrets like database passwords nor provide any automated rotation capability for credentials. Option B is wrong because AWS Systems Manager Parameter Store can store passwords as SecureString parameters with encryption via KMS, but it lacks native automated rotation functionality—any rotation would require custom code (e.g., a Lambda function) and manual scheduling, which does not meet the requirement for a managed service that rotates on a schedule without custom code.

594
MCQmedium

A company runs its primary database on an Amazon RDS for MySQL DB instance in the us-east-1 Region. The company's disaster recovery policy requires that the database be recoverable in a different AWS Region within 1 hour of a region-wide failure, with a Recovery Point Objective (RPO) of less than 5 minutes and a Recovery Time Objective (RTO) of less than 1 hour. Which AWS feature should the company use to meet these requirements?

A.Deploy a Multi-AZ RDS DB instance in us-east-1.
B.Create a cross-region read replica of the DB instance in us-west-2.
C.Take manual DB snapshots daily and copy them to us-west-2.
D.Enable termination protection on the RDS instance.
AnswerB

A cross-region read replica asynchronously replicates data from the primary RDS instance to a replica in another region. The replica can be promoted to a standalone primary instance in minutes, achieving an RTO under 1 hour. As replication is near real-time, the RPO is typically a few seconds to minutes, satisfying the <5 minute RPO. This is the correct solution.

Why this answer

A cross-region read replica in us-west-2 meets the RPO of less than 5 minutes because replication is asynchronous with a lag typically under 1 minute, and the RTO of less than 1 hour is achievable by promoting the replica to a standalone primary in the event of a region-wide failure. This approach provides a ready-to-use database copy in another region without the need for manual snapshot restoration.

Exam trap

The trap here is confusing Multi-AZ (single-region high availability) with cross-region disaster recovery, leading candidates to choose Option A because they think 'redundancy' automatically means cross-region protection.

How to eliminate wrong answers

Option A is wrong because Multi-AZ provides high availability within a single region, not cross-region disaster recovery, and cannot meet the RPO/RTO if us-east-1 fails entirely. Option C is wrong because manual daily snapshots have an RPO of up to 24 hours, far exceeding the required 5-minute RPO, and restoring from a snapshot would take longer than 1 hour. Option D is wrong because termination protection only prevents accidental deletion of the DB instance, it does not provide any replication, backup, or recovery capability across regions.

595
MCQeasy

A company wants to run a MySQL database in AWS without managing database software installation, applying patches, setting up backups, or configuring replication for high availability. Which AWS service meets these requirements?

A.Amazon EC2 with a self-managed MySQL installation
B.Amazon RDS
C.Amazon Redshift
D.Amazon ElastiCache
AnswerB

Amazon RDS is a fully managed relational database service. AWS handles patching, automated backups, Multi-AZ failover, and monitoring while the customer focuses on schema design and queries.

Why this answer

Amazon RDS is a managed database service that automates database software installation, patching, backup, and replication for high availability. By choosing RDS for MySQL, the company offloads these administrative tasks to AWS, meeting the requirement to avoid manual management of the database software, patches, backups, and replication configuration.

Exam trap

The trap here is that candidates may confuse Amazon RDS with Amazon EC2, thinking that running MySQL on EC2 is also 'managed' because AWS manages the hypervisor, but the question explicitly requires not managing the database software, patches, backups, or replication, which EC2 does not provide.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with a self-managed MySQL installation requires the company to manually install, patch, back up, and configure replication for the database, which directly contradicts the requirement to avoid these tasks. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse service based on PostgreSQL, not a relational database for transactional workloads like MySQL, and it does not provide MySQL compatibility or managed MySQL features. Option D is wrong because Amazon ElastiCache is an in-memory caching service (supporting Redis and Memcached) that does not persist data like a relational database and cannot run MySQL workloads or provide MySQL-specific management features.

596
MCQmedium

A company needs to implement a disaster recovery strategy where data is continuously replicated to AWS but AWS compute resources are only started during a declared disaster. Which DR strategy does this describe?

A.Backup and Restore
B.Pilot Light
C.Warm Standby
D.Multi-Site Active/Active
AnswerB

Pilot Light keeps a minimal environment running (data replication, database) with compute resources ready to be quickly provisioned only when a disaster is declared, balancing cost and RTO.

Why this answer

The Pilot Light strategy involves continuously replicating data to AWS (e.g., using AWS Database Migration Service or S3 replication) while keeping only a minimal core set of AWS resources (like a small EC2 instance or RDS database) running. Compute resources are not fully provisioned until a disaster is declared, at which point they are scaled up to handle production traffic. This matches the description of data being continuously replicated but compute only started during a declared disaster.

Exam trap

The trap here is that candidates confuse 'Pilot Light' with 'Warm Standby' because both involve some pre-provisioned resources, but Pilot Light keeps compute resources minimal and inactive until failover, whereas Warm Standby runs a scaled-down but fully operational environment.

How to eliminate wrong answers

Option A is wrong because Backup and Restore involves periodic backups (e.g., snapshots to S3) rather than continuous replication, and compute resources are provisioned from scratch during recovery, not started from a pre-existing minimal environment. Option C is wrong because Warm Standby maintains a scaled-down but fully functional copy of the production environment running on AWS, with compute resources already active and ready to handle traffic, not started only during a disaster. Option D is wrong because Multi-Site Active/Active requires compute resources to be running in multiple AWS Regions simultaneously to handle live traffic, not started only upon disaster declaration.

597
MCQmedium

A company is required by their compliance framework to encrypt all data at rest and in transit. Which AWS service provides centralized key creation, management, rotation, and audit logging for encryption keys used across AWS services?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS Key Management Service (KMS)
D.Amazon Macie
AnswerC

KMS provides centralized cryptographic key management with automatic rotation, HSM-backed key storage, fine-grained IAM access control, and CloudTrail audit logging for all key operations.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a fully managed service that provides centralized control over encryption keys, including creation, rotation, and audit logging via AWS CloudTrail. It integrates seamlessly with other AWS services (e.g., S3, EBS, RDS) to encrypt data at rest and supports TLS/SSL for data in transit, meeting compliance requirements for key lifecycle management.

Exam trap

The trap here is that candidates confuse AWS Secrets Manager's secret rotation capability with encryption key management, but Secrets Manager does not create or manage encryption keys—it relies on KMS for that purpose.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is designed to manage secrets (e.g., database credentials, API keys) and can rotate them, but it does not provide native encryption key creation or centralized key management for AWS services; it relies on KMS for encryption. Option B is wrong because AWS CloudHSM offers dedicated hardware security modules (HSMs) for key storage and cryptographic operations, but it requires manual key management, lacks built-in automatic rotation, and does not provide centralized audit logging via CloudTrail without additional configuration. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover and protect sensitive data (e.g., PII) in S3, but it does not create, manage, or rotate encryption keys.

598
MCQeasy

A company's compliance team is preparing documentation for a third-party audit. The auditor requires a copy of the AWS SOC 3 report, which provides an overview of AWS's security controls and is intended for public distribution. The team needs to securely download the most recent version of this report directly from AWS. Which AWS service should the team use?

A.AWS Artifact
B.AWS Trusted Advisor
C.AWS Config
D.AWS CloudTrail
AnswerA

Correct. AWS Artifact is a service that provides on-demand downloads of AWS compliance reports, including SOC reports, PCI DSS reports, and ISO certifications, making it the right choice for obtaining the SOC 3 report.

Why this answer

AWS Artifact is the correct service because it provides on-demand access to AWS compliance reports, including SOC reports, PCI reports, and ISO certifications. The SOC 3 report is specifically designed for public distribution, and AWS Artifact allows users to securely download the most recent version directly from AWS without needing to contact support or navigate third-party sites.

Exam trap

The trap here is that candidates may confuse operational auditing services (CloudTrail, Config) with compliance document delivery (Artifact), or mistakenly think Trusted Advisor provides compliance reports instead of optimization recommendations.

How to eliminate wrong answers

Option B (AWS Trusted Advisor) is wrong because it provides recommendations for optimizing AWS environments based on best practices (cost, performance, security, fault tolerance, service limits), but it does not store or distribute compliance reports like SOC 3. Option C (AWS Config) is wrong because it evaluates and records resource configurations and changes over time for compliance auditing, but it does not provide access to AWS's own third-party audit reports. Option D (AWS CloudTrail) is wrong because it records API activity and user actions within an AWS account for governance and operational auditing, but it does not host or deliver AWS compliance documentation such as SOC reports.

599
MCQeasy

What does the principle of least privilege mean in the context of AWS IAM?

A.All IAM users should have the same level of access to ensure consistency
B.Grant only the minimum permissions necessary to perform required tasks
C.Use AWS managed policies instead of customer-managed policies
D.Rotate IAM access keys every 90 days
AnswerB

Least privilege limits the blast radius of compromised credentials or misconfigured resources by restricting permissions to only what is needed.

Why this answer

The principle of least privilege in AWS IAM means granting only the permissions that are strictly necessary for a user, role, or service to perform its intended functions. This minimizes the attack surface by ensuring that even if credentials are compromised, the potential damage is limited to only the allowed actions and resources. AWS IAM enforces this through fine-grained policy statements that specify exact actions, resources, and conditions.

Exam trap

The trap here is that candidates confuse security best practices (like key rotation or using managed policies) with the core definition of least privilege, which is solely about minimizing permission scope, not about policy source or credential management.

How to eliminate wrong answers

Option A is wrong because granting all IAM users the same level of access violates the principle of least privilege and increases security risk; users should have different permissions based on their job functions. Option C is wrong because the principle of least privilege does not mandate using AWS managed policies over customer-managed policies; in fact, customer-managed policies often allow more precise permission scoping, while AWS managed policies may grant broader access than needed. Option D is wrong because rotating IAM access keys every 90 days is a security best practice for credential management, but it does not define or implement the principle of least privilege, which is about permission scope, not credential lifecycle.

600
MCQeasy

A company operates three separate AWS accounts: development, testing, and production. Each account independently incurs Amazon S3 data transfer charges. The company signs up for AWS Organizations and enables consolidated billing. How does consolidated billing affect the S3 data transfer pricing for the company?

A.It applies a flat 20% discount to all S3 data transfer charges across accounts.
B.It aggregates the data transfer usage across all accounts, allowing the company to benefit from lower pricing tiers that are based on total usage.
C.It allows the company to use a single payment method and automatically applies Reserved Instance pricing to data transfer.
D.It creates a single combined bill and automatically applies an enterprise discount negotiated with AWS.
AnswerB

This is correct. With consolidated billing, the data transfer usage from all accounts is summed. AWS's pricing tiers (e.g., up to 10 TB, next 40 TB, etc.) are then applied to the aggregate total, often resulting in a lower effective per-GB cost than if each account were billed separately.

Why this answer

Consolidated billing in AWS Organizations aggregates usage across all linked accounts. For S3 data transfer, AWS applies tiered pricing based on total monthly data transfer volume. By combining usage from the development, testing, and production accounts, the company can reach higher volume tiers, reducing the per-GB cost for all accounts.

This is the primary benefit of consolidated billing for data transfer charges.

Exam trap

The trap here is that candidates may assume consolidated billing only simplifies payment or applies a flat discount, rather than understanding it aggregates usage to unlock higher volume pricing tiers.

How to eliminate wrong answers

Option A is wrong because AWS does not apply a flat 20% discount to S3 data transfer charges under consolidated billing; discounts are based on aggregated usage tiers, not a fixed percentage. Option C is wrong because consolidated billing does not automatically apply Reserved Instance pricing to data transfer; Reserved Instances apply to compute or database services, not to S3 data transfer, and consolidated billing simply pools usage for tiered pricing.

Page 7

Page 8 of 14

Page 9