AWS Certified Cloud Practitioner CLF-C02 (CLF-C02) — Questions 601675

1024 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
MCQmedium

A company runs a web application on multiple Amazon EC2 instances that are behind an Application Load Balancer. The operations team wants to ensure that if any EC2 instance fails, a new instance is automatically launched to replace it and maintain a minimum number of running instances. Which AWS service should the company use to meet this requirement?

A.AWS Elastic Load Balancing
B.Amazon EC2 Auto Scaling
C.AWS Lambda
D.AWS Auto Scaling
AnswerB

Amazon EC2 Auto Scaling is the correct service. It automatically adds or removes EC2 instances based on defined policies or to maintain a desired capacity. If an instance fails, Auto Scaling detects the decrease in healthy capacity and launches a new instance to replace it, ensuring the application remains available.

Why this answer

Amazon EC2 Auto Scaling is the correct service because it automatically launches new EC2 instances to replace failed ones and maintains a specified minimum number of running instances. It integrates with the Application Load Balancer to register new instances and deregister failed ones, ensuring the web application remains available. This directly meets the requirement for automatic instance replacement and capacity maintenance.

Exam trap

The trap here is confusing Amazon EC2 Auto Scaling (which directly manages EC2 instance lifecycle and replacement) with AWS Auto Scaling (a broader service for scaling multiple resources), leading candidates to pick D instead of B.

How to eliminate wrong answers

Option A is wrong because AWS Elastic Load Balancing distributes incoming traffic across healthy instances but does not launch new instances or manage instance counts; it only routes traffic to existing instances. Option C is wrong because AWS Lambda is a serverless compute service for running code in response to events, not for managing or replacing EC2 instances; it lacks the lifecycle management and scaling policies needed for EC2 instance replacement. Option D is wrong because AWS Auto Scaling is a service that helps configure scaling plans for multiple resources (e.g., EC2, DynamoDB), but the specific service that directly launches and replaces EC2 instances to maintain a minimum count is Amazon EC2 Auto Scaling; AWS Auto Scaling is a higher-level orchestration service, not the one that performs the actual instance replacement.

602
MCQmedium

A company runs a batch processing workload on Amazon EC2 instances. The finance team has set a monthly budget of $10,000 for this workload. They want to automatically stop the batch processing instances if the accumulated costs for the month exceed $8,000, to prevent overspending. The company needs a native AWS solution that can monitor the costs and take corrective action automatically. Which AWS feature should the company use to meet these requirements?

A.AWS Budgets with budget actions configured to stop EC2 instances
B.AWS Cost Explorer with a custom cost threshold report
C.AWS Trusted Advisor with a cost optimization check
D.AWS Organizations with a service control policy (SCP)
AnswerA

Correct. AWS Budgets allows you to define cost or usage budgets and set budget actions that trigger automatically when a threshold is exceeded. For example, you can stop EC2 instances to prevent further spending. This meets the requirement natively.

Why this answer

AWS Budgets allows you to set a cost budget of $8,000 and attach a budget action that triggers an AWS Systems Manager (SSM) automation document to stop EC2 instances when actual or forecasted costs exceed the threshold. This provides a native, automated, and serverless solution to enforce cost controls without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS Cost Explorer's reporting capabilities with automated remediation, or assume Trusted Advisor can take corrective actions, when in fact only AWS Budgets with budget actions provides native, automated cost-based instance control.

How to eliminate wrong answers

Option B is wrong because AWS Cost Explorer is a visualization and analysis tool for historical cost data; it cannot trigger automated actions or stop EC2 instances. Option C is wrong because AWS Trusted Advisor provides cost optimization recommendations and checks, but it does not have the capability to execute corrective actions like stopping instances based on a cost threshold.

603
MCQmedium

A company manages multiple AWS accounts under AWS Organizations. The finance team needs to set a monthly spending limit for each account, receive automatic email alerts when spending reaches 80% of that limit, and also view a graphical dashboard showing historical cost trends across all accounts. Which combination of AWS services should the company use to meet these requirements?

A.AWS Budgets and Amazon QuickSight
B.AWS Cost Explorer and Amazon CloudWatch
C.AWS Cost Explorer and AWS Trusted Advisor
D.AWS Budgets and AWS Cost Explorer
AnswerD

AWS Budgets enables you to define monthly spending limits for each account (or the whole organization) and receive automatic email or SNS alerts when actual or forecasted costs reach a specified percentage of the budget. AWS Cost Explorer provides an intuitive, graphical dashboard that shows historical cost trends across all linked accounts, giving the finance team the visibility they need. This combination directly addresses both requirements without additional overhead.

Why this answer

AWS Budgets allows you to set custom monthly spending limits per AWS account and configure alerts (via Amazon SNS or email) when actual or forecasted costs exceed a threshold, such as 80% of the budget. AWS Cost Explorer provides a graphical dashboard with historical cost trends and enables filtering by linked accounts, making it the correct service for visualizing trends across all accounts under AWS Organizations. Together, they satisfy the requirements for per-account limits, email alerts at 80%, and a historical cost dashboard.

Exam trap

The trap here is that candidates often confuse AWS Budgets with AWS Cost Explorer, thinking Cost Explorer alone can send alerts, or they mistakenly pair Budgets with QuickSight because both involve dashboards, but QuickSight is not the native cost visualization tool for AWS billing data.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a business intelligence service for creating interactive dashboards from various data sources, but it is not the native AWS service for viewing historical cost trends across accounts — AWS Cost Explorer is the appropriate tool for that, and QuickSight would require additional setup and data export. Option B is wrong because AWS Cost Explorer does not natively send automatic email alerts when spending reaches a threshold; that alerting capability is provided by AWS Budgets, not CloudWatch (CloudWatch can monitor billing metrics but requires manual setup of custom metrics and alarms, and is not designed for per-account budget alerts). Option C is wrong because AWS Trusted Advisor provides cost optimization recommendations (e.g., idle resources) but does not allow setting per-account spending limits or sending threshold-based alerts, nor does it offer a historical cost trend dashboard.

604
MCQmedium

A company runs a batch processing application in Docker containers. The application runs for several hours at a time and requires significant CPU and memory resources. The company wants to run these containers on AWS without provisioning or managing any underlying EC2 instances or cluster capacity. They need a service that automatically scales based on demand and charges only for the resources consumed by the containers. Which AWS service should the company use?

A.Amazon ECS with EC2 launch type
B.Amazon EKS with managed node groups
C.AWS Fargate
D.AWS Lambda
AnswerC

AWS Fargate is the correct choice. It is a serverless compute engine for containers that runs on Amazon ECS or EKS. You define your containerized application and its resource requirements, and Fargate handles the underlying infrastructure, scaling, and billing per resource consumption.

Why this answer

AWS Fargate is the correct choice because it is a serverless compute engine for containers that eliminates the need to provision or manage EC2 instances. It automatically scales based on demand and charges only for the CPU and memory resources consumed by the containers, which aligns perfectly with the requirement to run long-running batch processing without managing underlying infrastructure.

Exam trap

The trap here is that candidates often confuse the EC2 launch type (which still requires instance management) with Fargate's serverless model, or they assume managed node groups in EKS eliminate all infrastructure management, when in fact they still involve EC2 instances and cluster scaling decisions.

How to eliminate wrong answers

Option A is wrong because Amazon ECS with the EC2 launch type requires you to provision, configure, and manage a cluster of EC2 instances, which contradicts the requirement to avoid managing underlying instances. Option B is wrong because Amazon EKS with managed node groups still involves managing EC2 instances (even if partially automated) and does not provide the serverless, pay-per-resource model that Fargate offers.

605
MCQmedium

A company develops a mobile application that allows employees to upload sales reports to an Amazon S3 bucket. The application must work reliably from any location, including from corporate offices, remote home offices, and international travel locations. The solution uses standard HTTPS requests over the internet. Which essential characteristic of cloud computing does this scenario best illustrate?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerB

Broad network access means that cloud resources are available over the network and can be accessed by standard mechanisms (such as HTTPS) from a wide range of devices, including mobile phones, laptops, and workstations. This allows users to upload data from corporate offices, home offices, and while traveling.

Why this answer

Broad network access is the correct answer because the scenario describes a mobile application that must work reliably from any location—corporate offices, remote home offices, and international travel locations—using standard HTTPS requests over the internet. This directly aligns with the NIST definition of broad network access, which states that capabilities are available over the network and accessed through standard mechanisms (e.g., HTTPS) by heterogeneous client platforms (such as mobile phones, laptops, and tablets). The ability to access the S3 bucket from diverse geographic locations via the public internet is the core characteristic being illustrated.

Exam trap

The trap here is that candidates often confuse 'broad network access' with 'rapid elasticity' because both involve network-based access, but the key distinction is that broad network access is about the ability to access resources from anywhere using standard protocols, while rapid elasticity is about automatic scaling of resources to meet demand.

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user's ability to provision computing resources (like S3 buckets or EC2 instances) automatically without requiring human interaction with the service provider, which is not the focus of the scenario—the scenario emphasizes access from any location, not self-provisioning. Option C is wrong because resource pooling describes how the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand; the scenario does not illustrate multi-tenancy or resource sharing among customers. Option D is wrong because rapid elasticity refers to the ability to quickly scale resources up or down in response to demand, often automatically; while S3 is elastic, the scenario highlights reliable access from any location, not scaling behavior.

606
MCQeasy

What is the primary purpose of an AWS Virtual Private Cloud (VPC)?

A.To provide a CDN for distributing content globally
B.To create a logically isolated virtual network in the AWS Cloud
C.To manage user authentication and access control
D.To monitor AWS resource usage and performance metrics
AnswerB

VPC provides a private, isolated virtual network where customers control IP addressing, subnets, routing, and security — a fundamental networking layer for all AWS deployments.

Why this answer

The primary purpose of an AWS Virtual Private Cloud (VPC) is to create a logically isolated virtual network within the AWS Cloud, where you can launch AWS resources in a defined virtual network that closely resembles a traditional on-premises network. This isolation is achieved through IP address ranges (CIDR blocks), subnets, route tables, and network gateways, giving you full control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Exam trap

The trap here is that candidates often confuse the VPC's role of providing network isolation with other AWS services like CloudFront (CDN), IAM (access control), or CloudWatch (monitoring), leading them to select options that describe those services instead of the core networking purpose of a VPC.

How to eliminate wrong answers

Option A is wrong because a CDN (Content Delivery Network) is provided by AWS CloudFront, not by a VPC; a VPC is a networking construct, not a content distribution service. Option C is wrong because user authentication and access control are managed by AWS Identity and Access Management (IAM), not by a VPC; VPCs handle network-level isolation and connectivity, not identity management. Option D is wrong because monitoring AWS resource usage and performance metrics is the function of Amazon CloudWatch, not a VPC; VPCs provide network isolation and control, not monitoring or metrics collection.

607
MCQmedium

A company has unused Reserved Instances that don't match their current infrastructure. What option allows them to recoup some cost from unused RIs?

A.Convert them to Spot Instances
B.Sell them on the Reserved Instance Marketplace
C.Request a refund from AWS for unused RI capacity
D.Transfer them to another AWS account for free
AnswerB

Standard RIs (not Convertible) can be listed on the RI Marketplace, allowing other AWS customers to purchase the remaining term at a seller-defined price.

Why this answer

The AWS Reserved Instance Marketplace allows customers to sell unused Reserved Instances (RIs) to other AWS users, enabling them to recoup some of the upfront costs. This is the only option that directly addresses the need to recover costs from RIs that no longer match the current infrastructure, as AWS does not offer refunds or free transfers for unused RIs.

Exam trap

The trap here is that candidates may assume AWS offers refunds or free transfers for unused RIs, but the only cost-recovery option is selling them on the Reserved Instance Marketplace, which involves a marketplace fee and is subject to availability of buyers.

How to eliminate wrong answers

Option A is wrong because Spot Instances are a separate pricing model for spare compute capacity, not a mechanism to convert or sell existing Reserved Instances; you cannot convert an RI into a Spot Instance. Option C is wrong because AWS does not provide refunds for unused Reserved Instance capacity; RIs are a commitment-based pricing model with no partial refunds for unused time. Option D is wrong because transferring RIs to another AWS account is not free; it requires selling them on the Reserved Instance Marketplace, which involves a transaction fee and is not a direct free transfer.

608
MCQmedium

A finance team works with architects to eliminate unused EC2 instances, right-size over-provisioned resources, replace On-Demand instances with Reserved Instances for stable workloads, and adopt managed services to reduce operational overhead. Which AWS Well-Architected Framework pillar guides these activities?

A.Operational Excellence
B.Reliability
C.Cost Optimisation
D.Security
AnswerC

The Cost Optimisation pillar covers eliminating unused resources, right-sizing instances, selecting appropriate pricing models (Reserved vs On-Demand), and using managed services to reduce total cost.

Why this answer

Option C is correct because the Cost Optimization pillar of the AWS Well-Architected Framework focuses on eliminating unused resources, right-sizing over-provisioned instances, using Reserved Instances for predictable workloads, and adopting managed services to reduce operational overhead. These activities directly target cost efficiency by aligning resource usage with demand and avoiding waste.

Exam trap

The trap here is that candidates may confuse Cost Optimization with Operational Excellence, as both involve improving efficiency, but Cost Optimization specifically targets financial savings through resource and pricing optimization, not process automation or reliability improvements.

How to eliminate wrong answers

Option A is wrong because Operational Excellence focuses on automating operations, monitoring, and improving processes, not specifically on cost reduction activities like eliminating unused instances or right-sizing. Option B is wrong because Reliability focuses on ensuring workloads recover from failures and meet availability requirements, not on cost-saving measures like Reserved Instances or managed services adoption. Option D is wrong because Security focuses on protecting data and systems through identity, access controls, and encryption, not on cost optimization activities.

609
MCQmedium

A company hosts its corporate website entirely as static content (HTML, CSS, JavaScript, images) in an Amazon S3 bucket. The website currently has no authentication requirements and is accessible to the public. The company wants to serve this content to users around the world with low latency. Additionally, the company wants to enforce HTTPS for all traffic using a custom domain name (www.example.com). The company does not want to manage SSL/TLS certificates on any servers. Which AWS service should the company use to meet these requirements?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon S3 Transfer Acceleration
D.AWS Lambda@Edge
AnswerA

Amazon CloudFront is a global content delivery network (CDN) that caches static content at edge locations, reducing latency. It integrates with ACM for free SSL/TLS certificates, supports custom domain names, and enforces HTTPS. This meets all the requirements without any server management.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content at edge locations worldwide, reducing latency for global users. It supports custom domain names and can enforce HTTPS by using AWS Certificate Manager (ACM) to provision and renew SSL/TLS certificates automatically, eliminating the need for server-side certificate management. CloudFront integrates directly with an S3 bucket as the origin, allowing the bucket to remain private while serving content securely via HTTPS.

Exam trap

The trap here is that candidates often confuse S3 Transfer Acceleration (which only accelerates uploads) with CloudFront (which accelerates downloads and caches content), or they think Global Accelerator can serve static content with HTTPS, but it lacks caching and certificate management at the edge.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it is designed to improve availability and performance for TCP/UDP traffic by routing users to the nearest healthy application endpoint, but it does not cache static content or provide HTTPS termination at the edge; it also requires managing certificates on the backend. Option C (Amazon S3 Transfer Acceleration) is wrong because it only speeds up uploads to S3 buckets by using edge locations for data transfer, not for serving cached content to end users, and it does not support custom domain names or HTTPS enforcement for content delivery.

610
MCQmedium

A company uses AWS Organizations with consolidated billing across multiple member accounts. The finance team requires that only the management account (payer account) can view and modify payment methods and receive invoices. Member accounts must be prevented from accessing billing and payment information in the AWS Billing and Cost Management console. Which AWS feature should be configured to enforce this restriction?

A.Enable all features in AWS Organizations, including consolidated billing.
B.Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.
C.Enable AWS CloudTrail to log billing events for all accounts.
D.Configure AWS Cost Explorer to grant cross-account access only to the management account.
AnswerB

An SCP can explicitly deny actions like 'aws-portal:ViewBilling' and 'aws-portal:ModifyBilling' for member accounts. This prevents users in those accounts from accessing billing information, leaving full control to the management account.

Why this answer

Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict the AWS services and actions that member accounts can use. By applying an SCP that denies billing-related actions (e.g., `aws-portal:*` or `awsbilling:*`) to all member accounts, the management account can enforce that only the payer account can view and modify payment methods and receive invoices. This directly meets the requirement without affecting the management account, which is not subject to SCPs.

Exam trap

The trap here is that candidates often confuse enabling consolidated billing (Option A) with actually restricting access, not realizing that consolidated billing alone does not enforce any access controls on member accounts.

How to eliminate wrong answers

Option A is wrong because enabling all features in AWS Organizations, including consolidated billing, does not by itself restrict member accounts from accessing billing information; it only enables centralized management and consolidated billing functionality. Option C is wrong because AWS CloudTrail logs API activity for auditing but does not prevent member accounts from accessing billing and payment information; it is a logging service, not an access control mechanism. Option D is wrong because AWS Cost Explorer provides cost visualization and analysis, and configuring cross-account access does not restrict member accounts from viewing payment methods or invoices; it is a cost management tool, not a policy-based restriction.

611
MCQmedium

A company uses three separate AWS accounts for development, testing, and production workloads. The security team needs to enforce a policy that prevents users in any account from disabling AWS CloudTrail or deleting CloudTrail log files. The team also wants to consolidate billing and have a single payment method for all accounts. Which AWS service should the security team use to meet these requirements?

A.AWS Organizations
B.AWS Identity and Access Management (IAM)
C.AWS Config
D.AWS CloudTrail
AnswerA

Correct. AWS Organizations enables both cross-account policy enforcement via Service Control Policies (SCPs) and consolidated billing. SCPs can deny actions such as disabling CloudTrail or deleting log files across all accounts in the organization.

Why this answer

AWS Organizations is the correct service because it allows the security team to create a multi-account structure with a single consolidated billing method and a single payment method across all accounts. Additionally, Organizations supports service control policies (SCPs), which can be applied to the root or individual accounts to explicitly deny actions such as disabling CloudTrail or deleting CloudTrail log files, ensuring enforcement across the development, testing, and production accounts.

Exam trap

The trap here is that candidates often confuse AWS Organizations with IAM, thinking IAM can enforce cross-account policies, but IAM is account-scoped and cannot apply preventive controls across multiple accounts like SCPs in Organizations can.

How to eliminate wrong answers

Option B (IAM) is wrong because IAM manages permissions for individual users and roles within a single account, not across multiple accounts, and cannot enforce policies that prevent CloudTrail disabling or log deletion across all three accounts simultaneously. Option C (AWS Config) is wrong because AWS Config is a service for evaluating resource configurations against rules and tracking changes, but it cannot enforce preventive controls or block actions; it only provides detective compliance and notifications. Option D (AWS CloudTrail) is wrong because CloudTrail is the service being protected (it records API activity), not a service that can enforce policies or consolidate billing; it cannot prevent its own disabling or log deletion.

612
MCQmedium

A company's application receives images from users and needs to detect and blur any credit card numbers visible in the images for compliance. Which AWS AI service provides document text extraction from images?

A.Amazon Rekognition
B.Amazon Textract
C.Amazon Comprehend
D.Amazon Macie
AnswerB

Textract automatically extracts text, forms, and tables from documents and images using ML, providing structured data extraction that goes beyond basic OCR.

Why this answer

Amazon Textract is specifically designed to extract text, including handwritten and printed text, from scanned documents and images. It goes beyond simple optical character recognition (OCR) by using machine learning to identify and extract key-value pairs, tables, and form data, making it the correct choice for extracting credit card numbers from images for compliance processing.

Exam trap

The trap here is that candidates confuse Amazon Rekognition's ability to detect text in images (via its DetectText API) with Amazon Textract's specialized document text extraction, but Rekognition is optimized for general scene text (e.g., signs, labels) and lacks the layout analysis and key-value extraction capabilities needed for compliance-grade document processing.

How to eliminate wrong answers

Option A is wrong because Amazon Rekognition is primarily an image and video analysis service for object detection, facial recognition, and scene understanding, not a document text extraction service. Option C is wrong because Amazon Comprehend is a natural language processing (NLP) service that analyzes text for sentiment, entities, and key phrases, but it does not extract text from images. Option D is wrong because Amazon Macie is a data security and privacy service that discovers and protects sensitive data using machine learning and pattern matching, but it does not perform document text extraction from images.

613
MCQmedium

A company runs a multiplayer gaming application on AWS. The application uses UDP for real-time communication between players. Players in different geographic regions report high latency and connection instability. The company wants to improve performance by directing user traffic to the nearest healthy application endpoint and using a static IP address for the application. Which AWS service should the company use to meet these requirements?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53
D.AWS Direct Connect
AnswerB

Global Accelerator uses static anycast IP addresses and the AWS global network to optimize the path for TCP and UDP traffic. It automatically routes users to the nearest healthy application endpoint, improving latency and connection stability for real-time applications.

Why this answer

AWS Global Accelerator uses the AWS global network to route UDP traffic over optimized paths to the nearest healthy application endpoint, reducing latency and jitter. It provides two static anycast IP addresses that act as a fixed entry point, masking changes to underlying infrastructure. This directly addresses the need for low-latency UDP communication and a static IP for the gaming application.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's edge caching with network path optimization, but CloudFront does not support UDP traffic or provide static IP addresses, making AWS Global Accelerator the correct choice for real-time UDP applications.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for HTTP/HTTPS and WebSocket traffic, not for UDP-based real-time gaming protocols; it cannot handle raw UDP packets. Option C is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses but does not provide static IP addresses for the application endpoint; it also lacks the ability to optimize network path routing for UDP traffic. Option D is wrong because AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, which is irrelevant for directing user traffic from multiple geographic regions to the nearest endpoint and does not provide a static IP address for the application.

614
MCQmedium

A media company runs a video-on-demand platform on AWS. Video files (.mp4) and thumbnail images (.jpg) are stored in the same Amazon S3 bucket. The company uses Amazon CloudFront to deliver content to users globally. The video files are large and do not change frequently, so the company wants them to be cached at CloudFront edge locations for 30 days. Thumbnails change more often when new uploads are processed, so the company wants them to be cached for only 1 day. The company wants a single CloudFront distribution to serve both types of content from the same S3 bucket. Which configuration should the company use to meet these requirements with minimal operational overhead?

A.Create one CloudFront behavior for all content. Set a cache policy with a TTL of 30 days. Create a Lambda@Edge function to override the TTL to 1 day for requests with .jpg extension.
B.Create two CloudFront behaviors: one for the path pattern /videos/* and one for /thumbnails/*. Associate a cache policy with a TTL of 30 days to the video behavior and a cache policy with a TTL of 1 day to the thumbnail behavior. Both behaviors point to the same S3 origin.
C.Create two separate CloudFront distributions: one for videos with a cache policy of 30 days, and one for thumbnails with a cache policy of 1 day. Point both to the same S3 bucket.
D.In the S3 bucket, create two folders: /videos and /thumbnails. Use S3 Cross-Region Replication to replicate thumbnails to a separate bucket in a different Region. Create a single CloudFront behavior with a cache policy of 1 day for the thumbnail bucket and a separate behavior for the original bucket.
AnswerB

This uses CloudFront's built-in behavior routing with path patterns. Each behavior can have its own cache policy (or TTL settings), allowing different caching durations for videos and thumbnails while using a single distribution and a single S3 bucket. This meets the requirements with minimal operational overhead.

Why this answer

Option B is correct because CloudFront allows multiple behaviors within a single distribution, each with its own path pattern and cache policy. By configuring path patterns /videos/* and /thumbnails/*, the company can apply a 30-day TTL cache policy to video requests and a 1-day TTL cache policy to thumbnail requests, both pointing to the same S3 origin. This meets the caching requirements with minimal operational overhead, as it avoids custom code or multiple distributions.

Exam trap

The trap here is that candidates may think Lambda@Edge or multiple distributions are necessary to apply different TTLs to different file types from the same origin, but CloudFront’s multiple behaviors with path patterns and cache policies provide a simpler, native solution.

How to eliminate wrong answers

Option A is wrong because using a single behavior with a 30-day TTL and a Lambda@Edge function to override TTL for .jpg requests adds unnecessary complexity and operational overhead; CloudFront natively supports multiple behaviors with different cache policies, making Lambda@Edge overkill for this simple requirement. Option C is wrong because creating two separate CloudFront distributions increases management overhead and complexity, and it is unnecessary since a single distribution can handle both content types via multiple behaviors. Option D is wrong because S3 Cross-Region Replication is irrelevant to caching TTL requirements; it adds cost and complexity without solving the caching duration difference, and the proposed setup with two buckets and behaviors is overly complicated compared to using path patterns in a single distribution.

615
MCQmedium

Which AWS service provides managed, automated workflows for coordinating migration tasks such as tracking migration status, grouping servers into migration waves, and coordinating cutover?

A.AWS Application Discovery Service
B.AWS Migration Hub
C.AWS Control Tower
D.AWS Organizations
AnswerB

Migration Hub provides centralized tracking of migration progress across multiple tools and migration waves, grouping applications and monitoring each stage from discovery through cutover.

Why this answer

AWS Migration Hub is the correct service because it provides a single location to track the progress of application migrations across multiple AWS and partner solutions. It offers managed, automated workflows for grouping servers into migration waves, tracking migration status, and coordinating cutover activities, which directly matches the question's requirements.

Exam trap

The trap here is that candidates often confuse AWS Migration Hub with AWS Application Discovery Service, thinking that discovery and migration tracking are the same service, but Discovery Service only handles the initial data collection phase, not the ongoing workflow coordination.

How to eliminate wrong answers

Option A is wrong because AWS Application Discovery Service is used to gather information about on-premises data centers (server specifications, dependencies) to plan migrations, but it does not provide the automated workflows for tracking status, grouping into waves, or coordinating cutover. Option C is wrong because AWS Control Tower is a service for setting up and governing a secure, multi-account AWS environment using pre-built blueprints and guardrails, not for managing migration task workflows. Option D is wrong because AWS Organizations is a service for centrally managing billing, access, compliance, and security across multiple AWS accounts, and it does not include migration tracking or wave coordination capabilities.

616
MCQmedium

A company is migrating an on-premises application to AWS. The application will run on Amazon EC2 instances and use an Amazon RDS for MySQL database. The security team needs to understand which security controls remain the company's responsibility after the migration. Under the AWS Shared Responsibility Model, which of the following is the customer's responsibility?

A.Patching the MySQL database engine for the Amazon RDS instance.
B.Patching the guest operating system on the Amazon EC2 instances.
C.Providing physical security at the AWS data center facilities.
D.Replacing failed network switches in the AWS global network.
AnswerB

Correct. The customer is responsible for the security of the guest OS on EC2 instances, including applying patches and updates. AWS manages the hypervisor and physical infrastructure.

Why this answer

Under the AWS Shared Responsibility Model, the customer is responsible for patching the guest operating system on Amazon EC2 instances because EC2 is an Infrastructure as a Service (IaaS) offering where AWS manages the hypervisor and physical infrastructure, but the customer has full control over the OS, applications, and configurations. In contrast, for Amazon RDS, AWS handles patching of the database engine (e.g., MySQL) and the underlying OS, making option A AWS's responsibility. Physical security at AWS data centers is always AWS's responsibility, not the customer's.

Exam trap

The trap here is that candidates often confuse the responsibility for patching in managed services like RDS versus unmanaged services like EC2, assuming the customer must patch everything in RDS, when in fact AWS handles the database engine and OS patching for RDS.

How to eliminate wrong answers

Option A is wrong because Amazon RDS is a managed service where AWS automatically applies patches to the MySQL database engine and the underlying OS, so the customer does not need to patch the database engine themselves. Option C is wrong because physical security at AWS data center facilities is exclusively AWS's responsibility under the Shared Responsibility Model, covering aspects like access controls, surveillance, and environmental safeguards.

617
Drag & Dropmedium

Drag and drop the steps to configure an Application Load Balancer (ALB) in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

ALB setup: target group first, then register instances, create ALB, configure listeners, and link target group.

618
MCQmedium

A company runs a mix of production and non-production Amazon EC2 instances. The finance team uses AWS Budgets to monitor monthly spending. For the development accounts, the team wants to automatically stop all running EC2 instances when the account's monthly spending reaches 90% of the budgeted amount. The team wants a solution that does not require custom scripting or additional infrastructure. Which AWS Budgets feature should the team configure to meet this requirement?

A.Create a budget alert that sends an email notification to the operations team when spending reaches 90% of the budget.
B.Configure a budget action that applies an IAM policy to deny the ec2:StopInstances permission for all users.
C.Configure a budget action that runs an AWS Systems Manager automation document to stop the EC2 instances.
D.Create a budget alert that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic, and subscribe an AWS Lambda function to stop the instances.
AnswerC

AWS Budgets actions can trigger an AWS Systems Manager automation document, which can be set to stop EC2 instances. This provides a native, automated solution without requiring custom code or additional services.

Why this answer

AWS Budgets supports budget actions that can automatically trigger AWS Systems Manager automation documents to stop EC2 instances when a budget threshold is exceeded. This meets the requirement of no custom scripting or additional infrastructure, as the automation document is a built-in capability of Systems Manager.

Exam trap

The trap here is that candidates may choose Option D (Lambda + SNS) because it is a common pattern for automation, but the question explicitly requires 'no custom scripting or additional infrastructure,' making the built-in budget action with Systems Manager the correct choice.

How to eliminate wrong answers

Option A is wrong because sending an email notification does not automatically stop EC2 instances; it only alerts the operations team, requiring manual intervention. Option B is wrong because denying the ec2:StopInstances permission would prevent users from stopping instances, but the requirement is to stop instances automatically, not to deny permissions. Option D is wrong because while it could technically work, it requires creating and managing an AWS Lambda function (custom scripting) and an SNS topic, which violates the 'no custom scripting or additional infrastructure' requirement.

619
MCQmedium

Which statement correctly describes the difference between horizontal scaling and vertical scaling in cloud computing?

A.Horizontal scaling means increasing instance size; vertical scaling means adding more instances
B.Horizontal scaling adds more instances; vertical scaling increases the size of existing instances
C.Both scaling types produce identical results and are interchangeable in cloud architectures
D.Vertical scaling is always preferred because it reduces the number of instances to manage
AnswerB

Horizontal scaling (out/in) adds or removes instances from a fleet. Vertical scaling (up/down) resizes a single instance to be more or less powerful — requires a restart for EC2 instances.

Why this answer

Option B is correct because horizontal scaling (scaling out) involves adding more instances of a resource, such as EC2 instances, to distribute the load, while vertical scaling (scaling up) increases the size or capacity of an existing instance, for example by moving from a t2.micro to a t2.large. This distinction is fundamental in AWS cloud architectures, where horizontal scaling improves fault tolerance and availability, and vertical scaling is limited by the maximum instance size.

Exam trap

The trap here is that candidates often confuse the terms 'horizontal' and 'vertical' scaling, mistakenly thinking horizontal means increasing size (like a horizontal bar getting wider) rather than adding more units, leading them to select Option A.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: horizontal scaling adds more instances, not increases instance size, and vertical scaling increases instance size, not adds more instances. Option C is wrong because the two scaling types produce different results: horizontal scaling improves redundancy and distributes load across multiple instances, while vertical scaling increases the capacity of a single instance but creates a single point of failure; they are not interchangeable in all architectures. Option D is wrong because vertical scaling is not always preferred; it can lead to downtime during resizing and is limited by hardware constraints, whereas horizontal scaling offers better elasticity and fault tolerance, making it the preferred approach for many cloud-native applications.

620
MCQmedium

A company runs a multi-tier web application on Amazon EC2 instances. The security team wants to continuously monitor the configuration of the EC2 security groups to ensure that no security group allows inbound SSH (port 22) access from the entire internet (0.0.0.0/0). If a security group is modified to allow such access, the company must be automatically notified and provided with a detailed record of the change, including the user who made the change. Which combination of AWS services should the company use to meet these requirements?

A.AWS Config with a managed rule to check for unrestricted SSH access, and Amazon Simple Notification Service (Amazon SNS) to send notifications when the rule is non-compliant.
B.AWS CloudTrail to log all API calls, and Amazon CloudWatch Logs to analyze the logs for security group modifications and trigger a notification.
C.AWS Trusted Advisor to check for security groups with unrestricted SSH access on a periodic basis, and Amazon Simple Email Service (Amazon SES) to send email alerts.
D.AWS Systems Manager Inventory to collect configuration data from EC2 instances, and Amazon CloudWatch Events to trigger a Lambda function that checks security group rules.
AnswerA

AWS Config can evaluate security group rules against a managed rule like 'restricted-ssh' (or a custom rule) and trigger an SNS notification when a resource is non-compliant. CloudTrail logs the API calls that made the change, and AWS Config can include the related CloudTrail event in its compliance history.

Why this answer

AWS Config continuously monitors the configuration of AWS resources, including security groups, and can evaluate them against managed rules such as 'restricted-ssh' (which checks that inbound SSH traffic is not allowed from 0.0.0.0/0). When a security group becomes non-compliant, AWS Config can trigger an Amazon SNS notification to alert the security team, and the detailed configuration history (including the user who made the change via CloudTrail integration) is available in the AWS Config timeline. This combination directly meets the requirements for continuous monitoring, automatic notification, and a detailed record of the change.

Exam trap

The trap here is that candidates often confuse AWS Config's continuous compliance monitoring with AWS Trusted Advisor's periodic checks or AWS CloudTrail's logging-only capability, leading them to choose options that lack real-time evaluation or detailed change attribution.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail logs API calls but does not continuously monitor security group configurations or evaluate compliance against rules; analyzing logs in CloudWatch Logs would require custom logic and does not provide built-in compliance evaluation or automatic notifications for specific security group rule changes. Option C is wrong because AWS Trusted Advisor performs periodic checks (not continuous monitoring) and does not provide a detailed record of who made the change; Amazon SES is for sending emails but does not integrate directly with Trusted Advisor for automated notifications on configuration changes. Option D is wrong because AWS Systems Manager Inventory collects configuration data from EC2 instances (e.g., installed software, OS patches), not security group rules; CloudWatch Events can trigger a Lambda function, but this approach requires custom code and does not provide the built-in compliance evaluation and detailed change history that AWS Config offers.

621
MCQeasy

Which AWS service provides a landing zone and automated multi-account setup with pre-configured security baselines and guardrails for AWS Organizations?

A.AWS Organizations
B.AWS Control Tower
C.AWS CloudFormation StackSets
D.AWS Service Catalog
AnswerB

Control Tower automates the creation of a secure, well-governed multi-account landing zone including Organizations structure, SSO, centralized logging, and pre-configured guardrails.

Why this answer

AWS Control Tower is the correct service because it provides a pre-configured landing zone and automates the setup of a multi-account environment based on AWS Organizations. It enforces security baselines and guardrails (preventive and detective controls) using AWS Service Catalog and AWS Config rules, ensuring compliance from the start.

Exam trap

The trap here is that candidates often confuse AWS Organizations (the underlying service) with AWS Control Tower (the managed orchestration service), thinking Organizations alone provides the landing zone and guardrails, when in fact it only provides the multi-account structure and policy framework without the automated setup and pre-configured baselines.

How to eliminate wrong answers

Option A is wrong because AWS Organizations is the underlying service that enables multi-account management and policy-based control, but it does not provide a pre-built landing zone or automated guardrails; it is a building block, not the orchestration layer. Option C is wrong because AWS CloudFormation StackSets allows you to deploy CloudFormation templates across multiple accounts and regions, but it does not provide a landing zone, security baselines, or guardrails; it is a deployment tool, not a governance framework. Option D is wrong because AWS Service Catalog creates and manages a catalog of approved IT services (products), but it does not automate multi-account setup or enforce security guardrails; it is used for governance of service provisioning, not for landing zone orchestration.

622
MCQmedium

A company stores sensitive customer data in Amazon S3. The security policy requires that all objects be encrypted at rest using an encryption key that is automatically rotated every 12 months. The company must retain full control over the key, including the ability to immediately revoke access to the key if a security incident occurs. The security team also needs to audit every use of the key through AWS CloudTrail. Which key management solution should the company choose to meet these requirements?

A.Use an AWS KMS customer managed key (CMK) with automatic key rotation enabled.
B.Use an AWS KMS AWS managed key with automatic key rotation.
C.Use Amazon S3 server-side encryption with SSE-S3.
D.Use AWS CloudHSM to generate and manage the key.
AnswerA

Correct. A customer managed CMK provides full control over the key, allows automatic yearly rotation, and integrates with CloudTrail for auditing all key usage.

Why this answer

AWS KMS customer managed keys (CMKs) allow you to enable automatic annual key rotation (every 12 months) and retain full control over the key, including the ability to immediately revoke access by disabling or deleting the key. CloudTrail integration is inherent with KMS, logging every use of the key via the `Decrypt` and `GenerateDataKey` API calls, meeting the audit requirement. This combination satisfies all stated security policy needs: encryption at rest, automatic rotation, full control, immediate revocation, and auditability.

Exam trap

The trap here is that candidates often confuse AWS managed keys (which also rotate automatically) with customer managed keys, overlooking the requirement for full customer control and immediate revocation capability that only customer managed keys provide.

How to eliminate wrong answers

Option B is wrong because AWS managed keys are automatically rotated every 12 months, but the customer does not have full control over the key—they cannot disable, delete, or immediately revoke access to an AWS managed key; AWS manages the key lifecycle. Option C is wrong because SSE-S3 uses Amazon S3-managed keys (SSE-S3) which are automatically rotated but the customer has no control over the key material, cannot revoke access independently, and CloudTrail does not log individual object-level encryption events with the key ID for SSE-S3.

623
MCQmedium

A company hosts a critical e-commerce web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team is concerned about Layer 7 attacks, such as SQL injection and cross-site scripting (XSS). They also want to automatically block traffic from known malicious IP addresses. The company needs a managed web application firewall that integrates directly with the ALB. Which AWS service should the company use?

A.AWS WAF
B.AWS Shield Advanced
C.Amazon GuardDuty
D.AWS Firewall Manager
AnswerA

AWS WAF is a managed web application firewall that protects against common web exploits like SQL injection and XSS. It integrates with Application Load Balancers to filter and monitor HTTP/S requests.

Why this answer

AWS WAF is a managed web application firewall that protects web applications from common Layer 7 attacks, such as SQL injection and cross-site scripting (XSS), by inspecting HTTP/HTTPS requests. It integrates directly with an Application Load Balancer (ALB) to allow you to create custom rules that block or allow traffic based on request patterns, including automatically blocking traffic from known malicious IP addresses using managed IP reputation lists.

Exam trap

The trap here is that candidates often confuse AWS WAF with AWS Shield Advanced, assuming Shield Advanced provides application-layer filtering, but Shield Advanced focuses on DDoS mitigation at the network and transport layers, not on inspecting request payloads for SQL injection or XSS.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks at Layer 3 and Layer 4, and does not include Layer 7 inspection capabilities like SQL injection or XSS detection, nor does it offer managed IP reputation lists for automatic blocking. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using VPC Flow Logs, DNS logs, and CloudTrail events, but it does not act as a web application firewall or integrate directly with an ALB to inspect and filter HTTP/HTTPS requests.

624
MCQmedium

A company is planning to migrate its on-premises infrastructure to AWS. The operations team wants to compare the total cost of ownership (TCO) between running workloads on-premises and running them on AWS. They need a tool that can accept details about their current on-premises servers (number of servers, CPU, memory, storage) and produce a detailed report comparing costs over a specified period, including savings from avoided hardware purchases, IT labor, and data center costs. Which AWS tool should the operations team use?

A.AWS Cost Explorer
B.AWS Total Cost of Ownership (TCO) Calculator
C.AWS Pricing Calculator
D.AWS Cost and Usage Report
AnswerB

The AWS TCO Calculator is the correct tool for this scenario. It accepts input about existing on-premises infrastructure and provides a detailed comparison of costs between running on-premises and on AWS, including savings from hardware, labor, and data center expenses. It helps organizations estimate the financial benefits of migration.

Why this answer

The AWS Total Cost of Ownership (TCO) Calculator is specifically designed to compare the costs of running on-premises infrastructure versus AWS. It accepts detailed inputs about existing on-premises servers (such as CPU, memory, and storage) and generates a comprehensive report that includes savings from avoided hardware purchases, IT labor, and data center costs over a user-specified period. This directly matches the operations team's requirement for a detailed TCO comparison.

Exam trap

The trap here is that candidates often confuse the AWS Pricing Calculator (which estimates AWS service costs) with the TCO Calculator (which compares on-premises vs. AWS costs), leading them to select the Pricing Calculator even though it lacks the on-premises input and comparative savings features.

How to eliminate wrong answers

Option A (AWS Cost Explorer) is wrong because it is a tool for visualizing, understanding, and managing AWS costs and usage over time, not for comparing on-premises TCO with AWS costs. Option C (AWS Pricing Calculator) is wrong because it is used to estimate the cost of AWS services based on expected usage, but it does not accept on-premises server details or produce a comparative TCO report that includes savings from avoided hardware, IT labor, and data center costs.

625
MCQeasy

A company has migrated all of its workloads to AWS and has decommissioned all of its on-premises data centres. All compute, storage, databases, and networking are now managed in AWS. Which cloud deployment model describes this architecture?

A.Hybrid cloud
B.Private cloud
C.Multi-cloud
D.Public cloud
AnswerD

Public cloud means all resources are owned by the cloud provider and shared with many customers. A company running entirely on AWS with no on-premises infrastructure is operating fully in the public cloud.

Why this answer

Option D is correct because the company has migrated all workloads to AWS and decommissioned all on-premises data centers, meaning all infrastructure is hosted entirely on AWS's shared infrastructure. This is the definition of a public cloud deployment model, where resources are owned and operated by a third-party cloud provider (AWS) and delivered over the internet to multiple tenants. No private or on-premises components remain, so the architecture is purely public cloud.

Exam trap

The trap here is that candidates confuse 'public cloud' with 'multi-cloud' or 'hybrid cloud' because they think using AWS alone implies a private cloud, but AWS is a public cloud provider by definition, and the absence of on-premises infrastructure eliminates hybrid or multi-cloud models.

How to eliminate wrong answers

Option A is wrong because a hybrid cloud requires a mix of on-premises (private) and public cloud resources connected via a network (e.g., VPN or Direct Connect), but the company has decommissioned all on-premises data centers. Option B is wrong because a private cloud involves dedicated infrastructure for a single organization, either on-premises or hosted, but AWS's infrastructure is multi-tenant and shared, not dedicated solely to this company. Option C is wrong because multi-cloud involves using multiple public cloud providers (e.g., AWS and Azure), but the company uses only AWS for all workloads.

626
MCQeasy

Which AWS service provides a fully managed content delivery network (CDN) that caches content at global edge locations to reduce latency for end users?

A.AWS Global Accelerator
B.Amazon Route 53
C.Amazon CloudFront
D.AWS Transfer Acceleration
AnswerC

CloudFront is AWS's CDN that caches content at 400+ global edge locations, delivering content to users with low latency by serving from the nearest cache.

Why this answer

Amazon CloudFront is a fully managed content delivery network (CDN) that caches static and dynamic content at global edge locations. By serving cached content from the edge closest to the user, CloudFront significantly reduces latency and improves data transfer speeds for end users.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator (a network optimization service) with a CDN, because both use edge locations, but Global Accelerator does not cache content—it only optimizes network routing.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves application availability and performance by directing traffic over the AWS global network using anycast IP addresses, but it does not cache content at edge locations—it is a network traffic optimization service, not a CDN. Option B is wrong because Amazon Route 53 is a DNS web service that translates domain names to IP addresses and routes end users to applications, but it does not cache or serve content at edge locations. Option D is wrong because AWS Transfer Acceleration uses edge locations to accelerate uploads to Amazon S3 by routing traffic over the AWS network, but it is not a general-purpose CDN for caching and serving content to end users.

627
MCQmedium

A company runs a data analytics workload on a cluster of Amazon EC2 instances. The application requires a shared file system that can be mounted by multiple EC2 instances simultaneously. The workload is bursty: during data processing jobs, the instances write and read large datasets, but between jobs the file system is mostly idle. The company wants a fully managed, highly available, and durable file storage solution that automatically scales capacity up and down and charges only for the storage used. The solution must be accessible from EC2 instances across multiple Availability Zones in the same AWS Region. Which AWS service should the company use?

A.Amazon Elastic Block Store (EBS) with Multi-Attach enabled
B.Amazon Elastic File System (EFS)
C.Amazon Simple Storage Service (S3)
D.Amazon FSx for Windows File Server
AnswerB

Amazon EFS is a fully managed NFS file system that automatically scales storage capacity as you add or remove files, and you pay only for the storage used. It provides high availability and durability by storing data across multiple Availability Zones within a Region, and can be accessed by multiple EC2 instances concurrently.

Why this answer

Amazon EFS is a fully managed, highly available, and durable NFS file system that automatically scales storage capacity up and down as files are added or removed, charging only for the storage used. It can be mounted by multiple EC2 instances across different Availability Zones simultaneously, making it ideal for bursty, shared-file workloads that require concurrent access and automatic scaling.

Exam trap

The trap here is that candidates often confuse Amazon EBS Multi-Attach (which is limited to a single AZ and requires manual capacity management) with a truly multi-AZ, auto-scaling shared file system, or they mistakenly think S3 can serve as a POSIX-compatible shared file system for EC2 instances.

How to eliminate wrong answers

Option A is wrong because Amazon EBS with Multi-Attach is limited to a maximum of 16 Nitro-based EC2 instances in a single Availability Zone, does not automatically scale capacity, and you pay for provisioned storage regardless of usage. Option C is wrong because Amazon S3 is an object storage service, not a file system; it cannot be mounted as a shared file system using standard POSIX file operations (NFS/SMB) and does not support concurrent file-level locking from multiple EC2 instances. Option D is wrong because Amazon FSx for Windows File Server is designed for Windows-based workloads using SMB protocol, and while it is fully managed and highly available, it does not automatically scale capacity down when idle—you provision and pay for fixed throughput and storage.

628
MCQmedium

A financial services company uses AWS CloudTrail to log all API calls in its AWS account. The company must demonstrate to auditors that the CloudTrail log files have not been tampered with after they were delivered to the Amazon S3 bucket. The company wants to use a feature that automatically creates digest files containing a hash of each log file, allowing the auditor to mathematically verify the integrity of the logs. Which AWS feature should the company enable to meet this requirement?

A.S3 Object Lock
B.CloudTrail log file integrity validation
C.AWS Config conformance packs
D.Amazon Detective
AnswerB

CloudTrail log file integrity validation is a feature that automatically creates digest files containing the hash of each log file. These digests are signed using private keys from AWS Key Management Service (AWS KMS), enabling an auditor to verify that log files have not been altered or deleted. This feature is specifically designed for compliance scenarios that require cryptographic proof of log integrity.

Why this answer

CloudTrail log file integrity validation is the correct feature because it automatically creates digest files that contain a hash of each log file. These digest files are themselves signed using a private key, and the corresponding public key is published by AWS, enabling auditors to mathematically verify that the log files have not been tampered with after delivery to S3.

Exam trap

The trap here is that candidates may confuse S3 Object Lock's write-once-read-many (WORM) protection with cryptographic integrity validation, but Object Lock only prevents deletion/modification at the S3 layer and does not provide the hash-based digest chain needed for auditor verification.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock prevents objects from being deleted or overwritten for a fixed retention period, but it does not create hash-based digest files or provide a cryptographic mechanism to verify log file integrity after delivery. Option C is wrong because AWS Config conformance packs are used to evaluate compliance of AWS resources against predefined rules, not to generate or verify cryptographic digests of CloudTrail logs. Option D is wrong because Amazon Detective is a security investigation service that analyzes and visualizes security data, but it does not create digest files or provide integrity verification for CloudTrail logs.

629
MCQmedium

A company deploys their web application across two Availability Zones using an Application Load Balancer. If one AZ experiences an outage, traffic is automatically routed to the other AZ and the application continues to function. Which cloud benefit does this demonstrate?

A.Economies of scale
B.On-demand self-service
C.High availability and fault tolerance
D.Rapid elasticity
AnswerC

Deploying across multiple AZs with automatic load balancing failover provides high availability — the system continues to function when one AZ fails. Cloud infrastructure makes this achievable without expensive duplicate on-premises data centres.

Why this answer

This scenario demonstrates high availability and fault tolerance because the application is deployed across two Availability Zones with an Application Load Balancer (ALB) distributing traffic. If one AZ fails, the ALB automatically reroutes traffic to the healthy AZ, ensuring continuous operation. This design eliminates a single point of failure and maintains service availability, which is the core of fault tolerance in AWS.

Exam trap

The trap here is that candidates confuse high availability/fault tolerance with rapid elasticity, because both involve automatic responses to changing conditions, but elasticity handles scaling capacity while fault tolerance handles failure recovery.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost advantages gained from large-scale operations (e.g., AWS passing on lower per-unit costs to customers), not to traffic rerouting during an AZ outage. Option B is wrong because on-demand self-service means users can provision and configure resources without human interaction (e.g., launching an EC2 instance via the AWS Management Console), not automatic failover between AZs. Option D is wrong because rapid elasticity is the ability to scale resources up or down automatically based on demand (e.g., using Auto Scaling groups to add EC2 instances during traffic spikes), not the automatic rerouting of traffic to a healthy AZ during an outage.

630
MCQmedium

A company runs a production web application on a fleet of Amazon EC2 instances. The operations team has observed that most instances have an average CPU utilization below 10% over the past month. They want to receive automated, ML-based recommendations for downsizing these instances to smaller instance types to reduce costs without compromising performance. The team also wants to see the estimated monthly savings for each recommendation. Which AWS service should the operations team use?

A.AWS Trusted Advisor
B.AWS Cost Explorer
C.AWS Compute Optimizer
D.AWS Budgets
AnswerC

Correct. AWS Compute Optimizer uses ML to analyze utilization patterns and recommends optimal instance types and sizes, including downsizing opportunities, along with estimated savings.

Why this answer

AWS Compute Optimizer is the correct service because it uses machine learning to analyze historical utilization metrics (such as CPU, memory, and network) of EC2 instances and provides actionable recommendations to downsize or rightsize instances. It specifically generates estimated monthly savings for each recommendation, directly addressing the need for automated, ML-based downsizing suggestions without compromising performance.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's cost optimization checks with the ML-driven rightsizing capabilities of AWS Compute Optimizer, but Trusted Advisor does not provide per-instance, ML-based recommendations with estimated savings.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides general best-practice checks (e.g., cost optimization, security, fault tolerance) but does not use machine learning for EC2 rightsizing recommendations and does not offer detailed per-instance estimated monthly savings. Option B is wrong because AWS Cost Explorer focuses on visualizing and analyzing historical cost and usage data, not on providing ML-based recommendations for downsizing EC2 instances based on CPU utilization. Option D is wrong because AWS Budgets allows you to set custom cost and usage budgets and receive alerts, but it does not generate automated, ML-based rightsizing recommendations or estimated savings for specific EC2 instances.

631
MCQmedium

A company based in Germany needs to store and process customer data that, by law, must remain within the European Union (EU). The company plans to use AWS services. Which AWS Global Infrastructure element is the MOST important for the company to evaluate when choosing where to deploy its resources?

A.Availability Zones
B.Edge Locations
C.AWS Regions
D.Local Zones
AnswerC

AWS Regions are distinct geographic areas that are completely isolated from each other. Choosing a Region within the EU (e.g., eu-central-1 in Frankfurt) ensures that the customer's data remains in the EU, satisfying data residency laws. This is the foundational decision before considering other infrastructure components.

Why this answer

AWS Regions are geographically isolated areas that contain multiple Availability Zones. Since the company must ensure customer data remains within the EU by law, choosing the correct AWS Region (e.g., eu-central-1 in Frankfurt) is the primary mechanism to guarantee data residency. Only by deploying resources in an EU-based Region can the company meet legal data sovereignty requirements.

Exam trap

The trap here is that candidates confuse Availability Zones with geographic regions, thinking that choosing a specific AZ ensures data stays in a country, when in fact AZs are within a single Region and do not provide cross-border data sovereignty guarantees.

How to eliminate wrong answers

Option A is wrong because Availability Zones are physically separate data centers within a single AWS Region; they do not provide data residency control across national borders. Option B is wrong because Edge Locations are content delivery endpoints for CloudFront and do not offer compute or storage services for primary data processing; they cannot be used to enforce data residency requirements.

632
MCQeasy

A company used to spend $2 million upfront purchasing servers and building a data centre before launching a new product. With AWS, they provision resources as needed and pay monthly based on actual usage. Which cloud benefit does this represent?

A.Stop guessing about capacity
B.Benefit from economies of scale
C.Trade capital expense for variable expense
D.Increase speed and agility
AnswerC

Cloud computing replaces large upfront hardware investments (capital expenditure) with pay-as-you-go operating expense. This reduces financial risk, improves cash flow, and eliminates idle sunk-cost capacity.

Why this answer

This scenario describes shifting from a large upfront capital expenditure (CapEx) on servers and data centers to a variable operational expenditure (OpEx) based on actual usage. AWS's pay-as-you-go model directly enables this trade, allowing the company to align costs with consumption rather than paying for idle capacity. This is the core benefit of trading capital expense for variable expense.

Exam trap

The trap here is that candidates confuse the financial benefit of 'trading capital expense for variable expense' with the operational benefit of 'stop guessing about capacity,' as both involve avoiding over-provisioning, but the question specifically focuses on the payment model shift.

How to eliminate wrong answers

Option A is wrong because 'Stop guessing about capacity' refers to eliminating the need to over-provision or under-provision infrastructure, not the financial shift from upfront to usage-based spending. Option B is wrong because 'Benefit from economies of scale' describes how AWS's massive purchasing power lowers per-unit costs for customers, not the change in payment model from CapEx to OpEx. Option D is wrong because 'Increase speed and agility' relates to rapidly provisioning resources via APIs and automation, not the financial restructuring of costs.

633
MCQmedium

A startup is building a photo-sharing application on AWS. The startup expects to store billions of photos over time. The CEO is surprised that the per-GB price for Amazon S3 storage is the same for the startup as it is for a multinational corporation with petabytes of data. Which characteristic of cloud computing does this pricing model best demonstrate?

A.Elasticity
B.Economies of scale
C.High availability
D.Global reach
AnswerB

Correct. AWS benefits from massive aggregation of customer usage, which lowers infrastructure and operational costs. These cost savings are reflected in simple, low prices that apply equally to all customers, regardless of their individual size.

Why this answer

The pricing model where the per-GB cost for Amazon S3 is the same for a small startup as for a large enterprise demonstrates economies of scale. AWS aggregates demand from millions of customers, allowing it to negotiate lower prices for hardware, power, and bandwidth, then passes those savings on to all customers equally. This means the startup benefits from the same low unit cost as a multinational corporation, without needing to invest in its own infrastructure.

Exam trap

The trap here is that candidates confuse 'economies of scale' with 'elasticity,' mistakenly thinking that the ability to scale storage up or down explains why the price is the same for all customers, when in fact elasticity is about dynamic resource adjustment, not uniform pricing.

How to eliminate wrong answers

Option A is wrong because elasticity refers to the ability to automatically scale resources up or down based on demand, not to pricing equality across customers of different sizes. Option C is wrong because high availability ensures that services remain accessible despite failures, typically through redundancy across Availability Zones, and has no direct relationship to uniform per-GB pricing. Option D is wrong because global reach describes the ability to deploy resources in multiple geographic regions worldwide, which affects latency and compliance, not the per-unit cost structure of storage.

634
MCQeasy

A development team builds Docker container images as part of their CI/CD pipeline and needs a managed, private registry to store and version these images, integrated with Amazon ECS and EKS for deployment. Which AWS service provides this container image registry?

A.Amazon ECS
B.Amazon S3
C.Amazon ECR
D.AWS CodeBuild
AnswerC

ECR is a fully managed private container image registry. It stores Docker images in repositories, supports image versioning with tags and digests, integrates natively with ECS and EKS, and includes automated vulnerability scanning.

Why this answer

Amazon ECR (Elastic Container Registry) is the correct choice because it is a fully managed Docker container registry that stores, manages, and deploys container images. It integrates natively with Amazon ECS and Amazon EKS, allowing seamless image pulls during deployment without needing to manage underlying infrastructure.

Exam trap

AWS often tests the distinction between a container registry (ECR) and a container orchestrator (ECS/EKS), so candidates mistakenly select ECS thinking it includes image storage, but ECS only schedules and runs containers.

How to eliminate wrong answers

Option A is wrong because Amazon ECS is a container orchestration service that runs containers, not a registry for storing container images. Option B is wrong because Amazon S3 is an object storage service that can store arbitrary files but lacks native Docker Registry API support (e.g., /v2/ endpoints) and does not provide image-specific features like vulnerability scanning or lifecycle policies. Option D is wrong because AWS CodeBuild is a continuous integration service that builds and tests code, not a registry for storing or versioning container images.

635
MCQmedium

A company wants to identify all resources in their AWS account that are accessible from outside the account — such as S3 buckets with public access or IAM roles with external trust. Which AWS service provides this analysis?

A.Amazon Inspector
B.AWS IAM Access Analyzer
C.Amazon GuardDuty
D.AWS Config
AnswerB

IAM Access Analyzer uses automated reasoning to identify resources accessible from outside the account or organization, generating findings for S3, IAM roles, KMS keys, Lambda, SQS, and more.

Why this answer

AWS IAM Access Analyzer is the correct service because it analyzes resource-based policies (such as S3 bucket policies, IAM role trust policies, and KMS key policies) to identify resources shared with an external entity outside the AWS account. It uses a policy analysis engine that evaluates the principal, action, and condition elements to determine if a policy grants access to an external AWS account, an IAM user in another account, or a public principal (e.g., `"Principal": "*"`). This directly matches the requirement to find resources accessible from outside the account.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's network reachability analysis with policy-based external access analysis, but Inspector only checks for network-level exposure (e.g., open ports), not for resource policies that grant permissions to external principals.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, but it does not analyze resource-based policies for external access. Option C is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using DNS logs, VPC Flow Logs, and CloudTrail events, but it does not perform policy-level analysis to identify publicly accessible resources or external trust relationships. Option D is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes over time, but it does not specifically analyze policies to determine if resources are accessible from outside the account; it lacks the policy analysis engine that IAM Access Analyzer provides.

636
MCQeasy

Which Amazon S3 feature allows you to automatically delete objects after a specified number of days to reduce storage costs?

A.S3 Versioning
B.S3 Lifecycle policies with expiration rules
C.S3 Object Lock
D.S3 Block Public Access
AnswerB

Lifecycle expiration rules automatically delete objects (or their versions) after a specified number of days, reducing storage costs for data with defined retention periods.

Why this answer

S3 Lifecycle policies with expiration rules allow you to define rules that automatically delete objects after a specified number of days. This is a cost-optimization feature that helps reduce storage costs by removing data that is no longer needed, such as logs or temporary files, without manual intervention.

Exam trap

The trap here is that candidates often confuse S3 Lifecycle policies with S3 Versioning, mistakenly thinking versioning alone can delete old versions to save costs, but versioning actually retains all versions and requires a Lifecycle policy with noncurrent version expiration to remove them.

How to eliminate wrong answers

Option A is wrong because S3 Versioning is a feature that preserves, retrieves, and restores every version of an object, which can increase storage costs, not reduce them. Option C is wrong because S3 Object Lock is a feature that prevents objects from being deleted or overwritten for a fixed retention period, which is used for compliance and data protection, not for automatic deletion to reduce costs. Option D is wrong because S3 Block Public Access is a security feature that blocks public access to buckets and objects, and has no role in managing object lifecycle or deletion.

637
MCQmedium

A healthcare company is subject to HIPAA regulations and must record all AWS API calls made in its account for auditing. The logs must be retained for 7 years and must be protected from any modification or deletion, including by the account root user. Which combination of AWS services should the company use to meet these requirements?

A.AWS CloudTrail with log file validation enabled, and store the log files in an Amazon S3 bucket with S3 Object Lock enabled in compliance mode
B.AWS Config with a HIPAA conformance pack, and store the configuration history in an Amazon S3 bucket with versioning enabled
C.Amazon GuardDuty with findings exported to an Amazon S3 bucket, and enable MFA Delete on the bucket
D.AWS CloudTrail with log file validation enabled, and store the log files in an Amazon S3 bucket with MFA Delete enabled
AnswerA

This option is correct. CloudTrail records API calls, and log file validation provides integrity. S3 Object Lock in compliance mode prevents any user, including the root user, from deleting or modifying the log files for the retention period, satisfying the tamper-proof retention requirement.

Why this answer

Option A is correct because AWS CloudTrail with log file validation enabled ensures the integrity of the API call logs by using a digital signature (SHA-256 hash) to detect any tampering. Storing these logs in an Amazon S3 bucket with S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting the objects for the specified retention period (7 years), meeting HIPAA's immutable audit log requirements.

Exam trap

The trap here is that candidates confuse MFA Delete with S3 Object Lock, not realizing that MFA Delete can be bypassed by the root user who controls the MFA device, whereas compliance mode enforces a legal hold that even the root user cannot override.

How to eliminate wrong answers

Option B is wrong because AWS Config records configuration changes, not AWS API calls, and versioning alone does not prevent deletion or modification by the root user; it only preserves previous versions. Option C is wrong because Amazon GuardDuty detects threats but does not record all API calls, and MFA Delete on the bucket does not prevent deletion by the root user if the root user has access to the MFA device. Option D is wrong because MFA Delete only requires multi-factor authentication for delete operations but does not prevent the root user from deleting objects if they possess the MFA device; it also does not enforce a retention period or immutability against all users.

638
MCQmedium

A developer wants to build a serverless application that responds to HTTP requests. Which combination of AWS services would be most appropriate?

A.Amazon EC2 and Elastic Load Balancing
B.Amazon ECS and AWS Fargate
C.Amazon API Gateway and AWS Lambda
D.AWS Elastic Beanstalk and Amazon RDS
AnswerC

API Gateway + Lambda is the standard serverless HTTP API pattern — no server management required.

Why this answer

Amazon API Gateway acts as a fully managed HTTP endpoint that receives and routes incoming requests to AWS Lambda functions, which execute the application logic without provisioning servers. This combination directly fulfills the requirement for a serverless application that responds to HTTP requests, as Lambda handles compute in a stateless, event-driven manner and API Gateway provides the HTTP interface with built-in features like throttling, authentication, and request validation.

Exam trap

The trap here is that candidates may confuse 'serverless' with 'managed services' and choose options like ECS with Fargate or Elastic Beanstalk, which still involve underlying compute management, whereas the correct answer requires a fully event-driven, no-server model with API Gateway and Lambda.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 with Elastic Load Balancing requires managing virtual servers, scaling groups, and load balancer configurations, which contradicts the serverless requirement and introduces operational overhead. Option B is wrong because Amazon ECS with AWS Fargate, while reducing server management, still involves container orchestration, task definitions, and cluster management, making it container-based rather than truly serverless in the event-driven, pay-per-request sense. Option D is wrong because AWS Elastic Beanstalk with Amazon RDS provisions and manages EC2 instances and a relational database, requiring ongoing server maintenance and scaling decisions, which is not serverless.

639
MCQmedium

What is the purpose of an AWS Region when designing a global cloud architecture?

A.To provide a single physical location for all AWS resources worldwide
B.To define geographic boundaries for deploying resources, meeting compliance requirements, and minimizing end-user latency
C.To automatically replicate all data and compute resources across the globe
D.To limit the availability of AWS services to specific enterprise customers
AnswerB

Regions enable data residency compliance (keeping data in specific countries), low-latency access for users in specific geographies, and fault isolation from disasters affecting other regions.

Why this answer

An AWS Region is a distinct geographic area that contains multiple, isolated Availability Zones. Its purpose is to allow customers to deploy resources close to their end users to minimize latency, and to meet data residency and compliance requirements by keeping data within specific geographic boundaries. Each Region operates independently, ensuring fault isolation and regulatory adherence.

Exam trap

The trap here is that candidates often confuse an AWS Region with a single data center or Availability Zone, or mistakenly believe that AWS automatically replicates data across Regions for high availability, when in fact cross-Region replication is opt-in and incurs additional costs.

How to eliminate wrong answers

Option A is wrong because an AWS Region is not a single physical location; it consists of multiple, physically separate Availability Zones within a geographic area, and AWS has many Regions worldwide. Option C is wrong because AWS does not automatically replicate data or compute resources across Regions; cross-Region replication must be explicitly configured by the customer using services like S3 Cross-Region Replication or RDS cross-Region read replicas. Option D is wrong because AWS Regions are available to all AWS customers, not limited to specific enterprise customers, though some services may have regional availability or require special requests for certain Regions.

640
MCQeasy

A company wants to define their entire AWS infrastructure — VPCs, EC2 instances, RDS databases, and load balancers — as code in a text template so they can version-control the infrastructure, deploy it consistently across multiple environments, and recreate it reliably after deletion. Which AWS service enables this?

A.AWS Systems Manager
B.AWS CodePipeline
C.Amazon CloudWatch
D.AWS CloudFormation
AnswerD

CloudFormation allows AWS infrastructure to be defined as code in YAML or JSON templates. Templates can be version-controlled, redeployed across environments, and used to reliably recreate identical infrastructure stacks.

Why this answer

AWS CloudFormation is the correct service because it enables you to model your entire AWS infrastructure as a text template (JSON or YAML), which can be version-controlled, deployed consistently across environments, and used to recreate resources reliably. It is an Infrastructure as Code (IaC) service that provisions and manages AWS resources in an orderly and predictable fashion, directly matching the company's requirements.

Exam trap

The trap here is that candidates often confuse AWS CloudFormation with AWS Elastic Beanstalk or AWS OpsWorks, but the question specifically asks for defining infrastructure as code in a text template, which is the core function of CloudFormation, not a deployment or management service.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager is a management service for operational tasks like patching, configuration, and automation, not for defining infrastructure as code in a template. Option B is wrong because AWS CodePipeline is a continuous delivery service for automating build, test, and deploy phases, not for defining or provisioning infrastructure resources. Option C is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not for infrastructure provisioning or template-based deployment.

641
MCQeasy

A company hosts a website in the US East (N. Virginia) AWS region. Users in Europe and Asia Pacific report slow page load times because content must travel long distances from the origin server. Which AWS service should the company deploy to reduce latency for global users?

A.AWS Direct Connect
B.Amazon Route 53 with latency routing
C.Amazon CloudFront
D.Amazon VPC peering
AnswerC

CloudFront is a CDN that caches static and dynamic content at 400+ edge locations globally. A user in Europe would be served cached content from a nearby edge location instead of making a round-trip to US East, dramatically reducing latency.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations worldwide, including Europe and Asia Pacific. By serving content from the edge location closest to each user, CloudFront significantly reduces latency and improves page load times for global users without requiring changes to the origin infrastructure.

Exam trap

The trap here is that candidates often confuse latency-based routing (Route 53) with content caching (CloudFront), mistakenly thinking that routing traffic to a different region solves the problem of content traveling long distances, when in fact only a CDN reduces the physical distance by serving cached content from edge locations.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect establishes a dedicated private network connection from on-premises to AWS, which reduces network variability and bandwidth costs but does not cache content or provide edge locations to reduce latency for global users. Option B is wrong because Amazon Route 53 with latency routing directs traffic to the AWS region with the lowest latency for the user, but it still requires content to travel from the origin server in US East (N. Virginia), so it does not reduce the physical distance content must travel.

Option D is wrong because Amazon VPC peering connects two VPCs privately using AWS's internal network, but it does not provide any caching or edge distribution capabilities and is irrelevant for reducing latency for users outside the VPC network.

642
MCQmedium

A financial services company must comply with PCI DSS requirements that mandate the use of a dedicated hardware security module (HSM) to store encryption keys used to protect cardholder data. The company plans to use server-side encryption in Amazon S3 and needs to ensure that the encryption keys are stored in a dedicated HSM under the company's sole control. Which AWS service should the company use to meet this requirement?

A.AWS KMS with automatic key rotation
B.AWS Certificate Manager (ACM)
C.AWS CloudHSM
D.AWS Secrets Manager
AnswerC

CloudHSM provides a dedicated HSM appliance that runs in the customer's VPC. The customer has exclusive control over the HSM and the keys it contains, meeting the PCI DSS requirement for a dedicated HSM under sole control.

Why this answer

AWS CloudHSM provides dedicated hardware security modules (HSMs) that are under the customer's sole control, meeting PCI DSS requirements for storing encryption keys in a dedicated HSM. It allows you to generate and manage your own encryption keys within a single-tenant, FIPS 140-2 Level 3 validated device, ensuring compliance with the mandate for dedicated hardware.

Exam trap

The trap here is that candidates often confuse AWS KMS with a dedicated HSM solution, but KMS is a shared, multi-tenant service that does not provide the sole control required by PCI DSS for dedicated HSMs.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a multi-tenant, managed service that uses shared hardware security modules; it does not provide a dedicated HSM under the customer's sole control, and automatic key rotation does not address the dedicated hardware requirement. Option B is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy public and private SSL/TLS certificates, not for storing encryption keys in a dedicated HSM. Option D is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (e.g., database credentials, API keys), not for dedicated HSM-based key storage, and it does not provide a dedicated HSM under the customer's sole control.

643
MCQmedium

A company runs a production web application on Amazon EC2 and Amazon RDS. The internal IT team needs a support plan that provides a guaranteed response time of less than one hour for a production system outage. Additionally, the company wants access to AWS Infrastructure Event Management, which includes guidance from AWS experts during planned events such as product launches or migrations. The company does not require a dedicated Technical Account Manager (TAM). Which AWS Support plan should the company choose?

A.Basic Support
B.Developer Support
C.Business Support
D.Enterprise Support
AnswerC

Correct. Business Support provides a 1-hour response time for Severity 1 (production system down) cases and includes access to Infrastructure Event Management. It meets the stated requirements without the higher cost and TAM of Enterprise Support.

Why this answer

The Business Support plan is the correct choice because it provides a guaranteed response time of less than one hour for production system outages (production system impaired) and includes access to AWS Infrastructure Event Management for guidance during planned events. The company does not need a dedicated Technical Account Manager (TAM), which is only available with the Enterprise Support plan, making Business Support the most cost-effective option that meets all stated requirements.

Exam trap

The trap here is that candidates often confuse the Developer Support plan's 12-hour response time for production outages with the 1-hour response time offered by Business Support, or mistakenly think that Infrastructure Event Management is available on Developer Support, when it is only available on Business and Enterprise tiers.

How to eliminate wrong answers

Option A is wrong because Basic Support does not provide any guaranteed response times for support cases, nor does it include access to AWS Infrastructure Event Management; it only offers access to documentation, whitepapers, and the AWS Trusted Advisor (basic checks). Option B is wrong because Developer Support provides a response time of less than 12 hours for production system outages (not under 1 hour) and does not include AWS Infrastructure Event Management, which is a feature reserved for Business and Enterprise Support plans.

644
MCQmedium

A company uses a continuous integration and continuous deployment (CI/CD) pipeline to deploy applications on AWS. The development teams frequently create feature branches in the code repository. The company wants to automatically provision a complete, isolated environment (including compute, storage, and networking) for each new feature branch, with no manual intervention. The environment must be ready within minutes of the branch creation. Which characteristic of cloud computing does this requirement primarily demonstrate?

A.On-demand self-service
B.Rapid elasticity
C.High availability
D.Measured service
AnswerA

Correct. On-demand self-service allows users to provision computing resources automatically without requiring human interaction with the service provider. In this scenario, the CI/CD pipeline automatically provisions the environment without manual intervention, demonstrating this characteristic.

Why this answer

Option A is correct because the requirement to automatically provision a complete, isolated environment for each new feature branch without manual intervention directly demonstrates the on-demand self-service characteristic of cloud computing. This characteristic allows users to provision computing resources automatically as needed, without requiring human interaction with service providers. In this scenario, the CI/CD pipeline triggers the creation of compute, storage, and networking resources via AWS APIs (e.g., CloudFormation, AWS CDK, or Terraform) the moment a branch is created, fulfilling the 'no manual intervention' and 'ready within minutes' conditions.

Exam trap

The trap here is that candidates confuse 'rapid elasticity' with 'automated provisioning' because both involve speed, but elasticity is about scaling existing resources in response to load, not creating new isolated environments from scratch.

How to eliminate wrong answers

Option B (Rapid elasticity) is wrong because rapid elasticity refers to the ability to scale resources up or down quickly in response to demand, not to the automated provisioning of isolated environments per feature branch. Option C (High availability) is wrong because high availability focuses on ensuring systems remain operational and accessible despite failures, typically through redundancy across multiple Availability Zones, which is unrelated to the automated creation of per-branch environments.

645
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences unpredictable traffic patterns, with sudden spikes during promotional events and low traffic at other times. The company configures an Auto Scaling group to automatically add EC2 instances when CPU utilization exceeds 70% and remove instances when utilization drops below 30%. The system handles the spike without any manual intervention and reduces capacity when demand decreases. Which fundamental characteristic of cloud computing does this scenario best illustrate?

A.On-demand self-service
B.Broad network access
C.Resource pooling
D.Rapid elasticity
AnswerD

Rapid elasticity is the ability to quickly and automatically scale computing resources up or down to match demand. The Auto Scaling configuration that adds and removes EC2 instances based on CPU utilization directly demonstrates this cloud characteristic.

Why this answer

The scenario describes the Auto Scaling group automatically adding EC2 instances during traffic spikes and removing them when demand drops, which directly demonstrates rapid elasticity—the ability to scale computing resources up and down quickly and automatically in response to demand. This is a core characteristic of cloud computing defined by the National Institute of Standards and Technology (NIST), where resources appear unlimited and can be provisioned in any quantity at any time.

Exam trap

AWS often tests the distinction between rapid elasticity and resource pooling, where candidates mistakenly choose resource pooling because they confuse the dynamic assignment of resources (pooling) with the automatic scaling of capacity (elasticity).

How to eliminate wrong answers

Option A is wrong because on-demand self-service refers to a user provisioning computing capabilities (e.g., launching an EC2 instance) without requiring human interaction with the cloud provider, not the automatic scaling of resources based on load. Option B is wrong because broad network access describes capabilities being available over the network and accessed through standard mechanisms (e.g., HTTP/HTTPS, SSH) by heterogeneous client platforms, not the dynamic adjustment of capacity. Option C is wrong because resource pooling means the provider's computing resources are pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand; this scenario focuses on scaling for a single customer's workload, not multi-tenant resource sharing.

646
MCQeasy

A company wants to set up a cloud-based customer service contact centre with an interactive voice response (IVR) system, agent call routing, and the ability to scale to thousands of agents without purchasing phone hardware or PBX equipment. Which AWS service provides this?

A.Amazon Chime
B.Amazon Connect
C.Amazon SNS
D.Amazon WorkMail
AnswerB

Amazon Connect is a cloud-native contact centre service. It provides IVR, call routing to agents, omnichannel support (voice and chat), and pay-per-use pricing with no upfront hardware or licensing costs.

Why this answer

Amazon Connect is a cloud-based contact center service that provides an interactive voice response (IVR) system, automatic call distribution (ACD) for agent routing, and the ability to scale to thousands of agents without requiring any physical phone hardware or PBX equipment. It is purpose-built for this exact use case, offering pay-as-you-go pricing and integration with AWS services like Lambda and Lex for custom IVR flows.

Exam trap

The trap here is that candidates may confuse Amazon Chime (a meeting/collaboration tool) with a contact center service, because both involve voice, but Chime lacks IVR, agent routing, and queue management that are core to Amazon Connect.

How to eliminate wrong answers

Option A is wrong because Amazon Chime is a communications service for online meetings, video conferencing, and chat, not a contact center solution with IVR and agent routing capabilities. Option C is wrong because Amazon SNS is a pub/sub messaging service for sending notifications via email, SMS, or HTTP endpoints, and it lacks the telephony, IVR, and agent management features required for a contact center. Option D is wrong because Amazon WorkMail is a managed email and calendaring service, not a voice-based contact center platform.

647
MCQmedium

A development team needs to create a temporary Amazon RDS database for testing a new feature. The team uses the AWS Management Console to launch a db.t3.micro MySQL instance, configures the security group, and connects the application within minutes. When the testing is complete, they terminate the instance without any interaction with AWS support or IT administrators. This ability to provision and manage resources entirely through self-service interfaces best describes which essential characteristic of cloud computing?

A.On-demand self-service
B.Resource pooling
C.Rapid elasticity
D.Measured service
AnswerA

Correct. On-demand self-service describes the ability of a user to provision and manage cloud resources (like an RDS database) through a web console, API, or CLI without requiring human interaction with the cloud provider. The team independently launched and terminated the database instance, demonstrating this characteristic.

Why this answer

Option A is correct because the scenario describes the development team provisioning and terminating an RDS instance entirely through the AWS Management Console without requiring any human interaction with AWS support or IT administrators. This aligns with the NIST definition of on-demand self-service, where a consumer can unilaterally provision computing capabilities as needed automatically without requiring human interaction with each service provider.

Exam trap

The trap here is that candidates often confuse 'rapid elasticity' with the ability to quickly create and delete resources, but rapid elasticity specifically refers to automatic scaling in response to demand, not manual provisioning and termination.

How to eliminate wrong answers

Option B (Resource pooling) is wrong because resource pooling refers to the provider's computing resources being pooled to serve multiple consumers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to consumer demand; the scenario does not describe multi-tenancy or location independence. Option C (Rapid elasticity) is wrong because rapid elasticity involves the ability to quickly scale resources up or down, often automatically, in response to demand; the scenario only shows provisioning and terminating a single instance, not scaling. Option D (Measured service) is wrong because measured service refers to cloud systems automatically controlling and optimizing resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service; the scenario does not mention monitoring, billing, or metering of resource usage.

648
MCQmedium

A company wants to proactively monitor its AWS spending and receive email notifications when actual or forecasted costs exceed a defined threshold. The company has a monthly budget of $10,000 and wants to be alerted when costs reach 80% of the budget. Which AWS service should the company use to meet these requirements?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Consolidated Billing
AnswerB

AWS Budgets is the correct service because it enables you to set custom cost and usage budgets and define threshold alerts that trigger email notifications (or actions via Amazon SNS) when actual or forecasted costs exceed specified percentages of the budget. This directly meets the requirement for proactive monitoring and alerts at the 80% threshold.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets, and configure alerts that trigger when actual or forecasted costs exceed a defined threshold (e.g., 80% of a $10,000 monthly budget). It can send email notifications via Amazon SNS when the threshold is breached, meeting the proactive monitoring requirement.

Exam trap

The trap here is that candidates confuse AWS Cost Explorer's forecasting capability with proactive alerting, but Cost Explorer does not send automatic notifications; AWS Budgets is the service designed specifically for threshold-based alerts.

How to eliminate wrong answers

Option A (AWS Cost Explorer) is wrong because it provides historical cost visualization and forecasting, but does not natively support threshold-based alerts or email notifications; it requires manual analysis. Option C (AWS Trusted Advisor) is wrong because it inspects your AWS environment for cost optimization, security, and performance best practices, but it does not offer configurable budget alerts or threshold-based notifications. Option D (AWS Consolidated Billing) is wrong because it aggregates costs across multiple accounts for billing purposes, but it does not provide proactive alerting or threshold-based notifications on its own.

649
MCQmedium

A company wants to centralise backup management for all their AWS resources — EC2, EBS, RDS, DynamoDB, and EFS — under a single policy, automate backup schedules, and ensure cross-region backup copies for disaster recovery. Which AWS service provides this?

A.Amazon S3 versioning
B.AWS Snapshot Manager
C.AWS Backup
D.AWS CloudFormation
AnswerC

AWS Backup provides centralised backup management across multiple AWS services from a single console. It automates backup schedules, enforces retention policies, creates cross-region copies for DR, and provides compliance reporting.

Why this answer

AWS Backup is the correct choice because it provides a fully managed, centralized backup service that supports EC2, EBS, RDS, DynamoDB, and EFS. It allows you to define a single backup policy, automate backup schedules, and configure cross-region copies for disaster recovery, meeting all the stated requirements.

Exam trap

The trap here is that candidates might confuse AWS Backup with the non-existent 'AWS Snapshot Manager' (Option B) because of the word 'Snapshot,' but AWS Backup is the actual service that centralizes and automates backups across multiple AWS services, including snapshot-based resources like EBS and RDS.

How to eliminate wrong answers

Option A is wrong because Amazon S3 versioning is a feature for preserving, retrieving, and restoring every version of an object in an S3 bucket; it does not centralize backup management across EC2, EBS, RDS, DynamoDB, or EFS, nor does it automate cross-region copies for those resources. Option B is wrong because AWS Snapshot Manager is not a real AWS service; the correct service for managing snapshots is AWS Backup, and this option is a distractor that does not exist. Option D is wrong because AWS CloudFormation is an Infrastructure as Code (IaC) service for provisioning and managing AWS resources via templates, not a backup management service; it cannot automate backup schedules or enforce cross-region backup copies natively.

650
Matchingmedium

Match each AWS compute service to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Full control over virtual servers

Run code without provisioning servers

Run containerized applications

Run Kubernetes containers

Serverless compute for containers

Why these pairings

Different compute services cater to different needs.

651
MCQeasy

Which AWS offering provides free, self-paced online training courses, videos, and labs to help customers learn AWS services and pass certification exams?

A.AWS Partner Network (APN)
B.AWS Skill Builder
C.AWS Certification
D.AWS Marketplace
AnswerB

AWS Skill Builder provides free and paid digital training including courses, videos, labs, learning plans, and practice exams to help learners build and validate AWS skills.

Why this answer

AWS Skill Builder is the official AWS training portal that offers free, self-paced online training courses, videos, and hands-on labs. It is specifically designed to help individuals learn AWS services and prepare for AWS Certification exams, including the CLF-C02. Unlike other options, Skill Builder directly provides the described learning resources at no cost.

Exam trap

The trap here is that candidates may confuse AWS Certification (the exam itself) with the training resources needed to prepare for it, leading them to select option C instead of recognizing that AWS Skill Builder is the dedicated training platform.

How to eliminate wrong answers

Option A is wrong because AWS Partner Network (APN) is a program for organizations and consultants who build solutions on AWS, providing business, technical, and marketing support, but it does not offer free self-paced training courses and labs for individual learners. Option C is wrong because AWS Certification is the credentialing program that validates cloud expertise through exams; it does not itself provide training content, videos, or labs. Option D is wrong because AWS Marketplace is a digital catalog of third-party software and services that run on AWS, not a training platform for learning AWS services or preparing for certifications.

652
MCQeasy

A company runs non-critical batch analytics jobs that can be paused and restarted if interrupted. The jobs are flexible regarding when they run. Which EC2 purchasing option offers the lowest possible cost for this workload?

A.On-Demand Instances
B.Reserved Instances
C.Spot Instances
D.Dedicated Instances
AnswerC

Spot Instances use spare AWS capacity at discounts up to 90%. Since the batch jobs can be paused and restarted when interrupted, they are perfectly suited for Spot, achieving the lowest possible compute cost.

Why this answer

Spot Instances offer the lowest possible cost because they use spare AWS EC2 capacity at a steep discount (up to 90% off On-Demand). Since the batch analytics jobs are non-critical, can be paused and restarted, and are flexible regarding when they run, they are an ideal fit for Spot Instances, which can be interrupted with a 2-minute warning when capacity is reclaimed.

Exam trap

The trap here is that candidates often choose Reserved Instances thinking they always provide the best discount, but they fail to recognize that Spot Instances can be even cheaper for fault-tolerant, flexible workloads that can handle interruptions.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances provide full pricing flexibility but at the highest per-hour cost, making them unsuitable for minimizing costs. Option B is wrong because Reserved Instances offer a discount in exchange for a 1- or 3-year commitment, which is unnecessary for flexible, interruptible workloads and does not achieve the lowest possible cost. Option D is wrong because Dedicated Instances are physically isolated at the host hardware level and incur additional charges, making them the most expensive option for this use case.

653
MCQmedium

A financial services company has a core banking application that runs on-premises and stores sensitive customer data. Due to strict regulatory requirements, this application cannot be migrated to the cloud. However, the company wants to use AWS for its development and test environments to benefit from rapid provisioning and pay-per-use pricing. The company also wants to establish a dedicated private network connection between its on-premises data center and AWS to securely transfer data between the environments. Which cloud deployment model does this scenario describe?

A.Public cloud
B.Private cloud
C.Hybrid cloud
D.Multi-cloud
AnswerC

Hybrid cloud is a model that combines on-premises infrastructure (private cloud) with public cloud services. This scenario perfectly fits hybrid cloud because the company runs its core application on-premises while using AWS for development and test. The dedicated private network connection (e.g., Direct Connect) bridges the two environments, enabling secure data exchange and unified operations.

Why this answer

This scenario describes a hybrid cloud deployment model because it combines on-premises infrastructure (the core banking application) with AWS public cloud resources (development and test environments) connected via a dedicated private network, such as AWS Direct Connect. The hybrid cloud model allows the company to keep sensitive data on-premises for regulatory compliance while leveraging AWS's scalability and pay-per-use pricing for non-production workloads. The key enabler is the private, low-latency connection that securely transfers data between the two environments, which is a hallmark of hybrid cloud architecture.

Exam trap

The trap here is that candidates often confuse hybrid cloud with multi-cloud, but hybrid cloud specifically refers to a mix of on-premises and public cloud (or private and public cloud), whereas multi-cloud involves using multiple public cloud providers without any on-premises component.

How to eliminate wrong answers

Option A is wrong because a public cloud model would involve running all workloads, including the core banking application, on AWS infrastructure, which contradicts the requirement that the application cannot be migrated to the cloud. Option B is wrong because a private cloud model would mean the company runs its own cloud environment, either on-premises or hosted exclusively for its use, but the scenario explicitly uses AWS public cloud services for development and test environments, not a private cloud. Option D is wrong because a multi-cloud model involves using multiple public cloud providers (e.g., AWS and Azure), but the scenario only uses AWS alongside on-premises infrastructure, not multiple public clouds.

654
MCQmedium

A company is building a global e-commerce application that requires a database with single-digit millisecond latency, seamless scaling to handle millions of requests per second, and the ability to replicate data across multiple AWS Regions for disaster recovery and low-latency reads. The database must be fully managed with automatic backup and restores. Which AWS service should the company choose?

A.Amazon Aurora
B.Amazon DynamoDB
C.Amazon RDS for MySQL
D.Amazon Redshift
AnswerB

Amazon DynamoDB is a fully managed NoSQL database that delivers consistent single-digit millisecond latency at any scale. It supports global tables for multi-Region replication and automatic scaling to handle millions of requests per second. It also provides built-in backup and restore, meeting all stated requirements.

Why this answer

Amazon DynamoDB is the correct choice because it is a fully managed NoSQL key-value and document database that delivers single-digit millisecond latency at any scale, supports automatic multi-Region replication via DynamoDB Global Tables for disaster recovery and low-latency reads, and provides built-in backup and restore capabilities. This combination of performance, seamless scaling to millions of requests per second, and global replication aligns perfectly with the requirements of a global e-commerce application.

Exam trap

The trap here is that candidates often choose Amazon Aurora because of its familiarity with relational databases and its 'high performance' reputation, but they overlook the specific requirement for single-digit millisecond latency at millions of requests per second, which is a key-value/NoSQL workload that DynamoDB is purpose-built for, not a relational database.

How to eliminate wrong answers

Option A is wrong because Amazon Aurora is a relational database that, while offering high performance and multi-Region replication via Aurora Global Database, does not natively achieve single-digit millisecond latency at the scale of millions of requests per second without significant read replica scaling and caching layers, and its scaling model is not as seamless or cost-effective for high-throughput, key-value workloads as DynamoDB. Option C is wrong because Amazon RDS for MySQL is a relational database that cannot provide single-digit millisecond latency at millions of requests per second due to its traditional SQL engine overhead and limited horizontal scaling (primarily read replicas), and its multi-Region replication requires manual setup or additional services like MySQL binlog replication, lacking the native global table support of DynamoDB.

655
MCQmedium

A company's architecture team is evaluating their multi-tier application against the AWS Well-Architected Framework. They discover that their database has no backup and recovery procedure. Which pillar does this finding fall under?

A.Security
B.Operational Excellence
C.Reliability
D.Cost Optimization
AnswerC

Reliability covers recovery from failure, including data protection through backups. A database without backup violates Reliability — the system cannot recover from data loss.

Why this answer

The Reliability pillar of the AWS Well-Architected Framework focuses on ensuring that workloads can recover from infrastructure or service disruptions, acquire computing resources to meet demand, and mitigate transient or persistent failures. A database without a backup and recovery procedure directly violates the 'Backup and Restore' design principle, which is a core component of reliability because it ensures data durability and the ability to restore operations after a failure. Without backups, any data corruption or loss event would result in permanent data loss, making the system unreliable.

Exam trap

The trap here is that candidates often confuse the lack of a backup procedure with a Security issue (data protection) or an Operational Excellence issue (process gap), but the AWS Well-Architected Framework explicitly places backup and recovery under the Reliability pillar because it directly impacts the workload's ability to recover from failure.

How to eliminate wrong answers

Option A is wrong because the Security pillar focuses on protecting data, systems, and assets through access control, encryption, and threat detection, not on the ability to recover from failures. Option B is wrong because Operational Excellence focuses on running and monitoring systems to deliver business value, and while it includes incident response, the lack of a backup procedure is a fundamental reliability concern, not an operational runbook gap. Option D is wrong because Cost Optimization focuses on avoiding unnecessary costs and matching supply with demand, and while backups incur storage costs, the absence of a backup procedure is a reliability risk, not a cost-saving measure.

656
MCQmedium

Which AWS service provides a centrally managed firewall policy that can be applied to multiple AWS accounts and VPCs across an organization?

A.AWS WAF
B.Amazon GuardDuty
C.AWS Firewall Manager
D.AWS Security Hub
AnswerC

Firewall Manager provides centralized management of WAF rules, Shield Advanced protections, security groups, and Network Firewall policies across all accounts in an AWS Organization.

Why this answer

AWS Firewall Manager is the correct service because it provides a centralized firewall policy management across multiple accounts and VPCs within an AWS Organization. It allows you to deploy AWS WAF rules, AWS Shield Advanced protections, and VPC security group rules consistently across your entire organization, ensuring a uniform security posture without manual per-account configuration.

Exam trap

The trap here is that candidates confuse AWS WAF (a per-resource firewall) with Firewall Manager (a multi-account policy management service), because both involve firewall rules, but Firewall Manager is specifically designed for centralized governance across an organization.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects individual resources like CloudFront, ALB, or API Gateway from common web exploits, but it does not centrally manage policies across multiple accounts or VPCs. Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity using machine learning and threat intelligence, not a firewall policy management service. Option D is wrong because AWS Security Hub aggregates security findings and compliance checks from multiple AWS services into a single dashboard, but it does not deploy or manage firewall policies across accounts and VPCs.

657
MCQmedium

A company runs a batch processing job on a single Amazon EC2 instance. The job takes 10 hours to complete. The company needs to reduce the processing time to under 1 hour to meet a new business requirement. The data can be split into independent chunks that can be processed in parallel. Which cloud computing concept would most directly enable the company to achieve this goal?

A.Elasticity
B.High availability
C.Scalability
D.Fault tolerance
AnswerC

Scalability is the ability to increase resources (scale up or out) to handle growing workloads or to reduce task completion times. By splitting the data into independent chunks and processing them in parallel across multiple EC2 instances, the company horizontally scales its compute capacity, directly reducing the job time from 10 hours to under 1 hour.

Why this answer

Scalability is the correct answer because it refers to the ability to increase resources to handle increased load. By scaling horizontally (adding more EC2 instances) and processing the independent data chunks in parallel, the batch job can be completed in under 1 hour instead of 10 hours.

Exam trap

The trap here is that candidates confuse elasticity with scalability, but elasticity is about automatic resource adjustment to match fluctuating demand, not about adding resources to meet a fixed performance goal.

How to eliminate wrong answers

Option A is wrong because elasticity is the ability to automatically scale resources up or down based on demand, which is not the primary concept needed here; the requirement is to add enough resources to achieve a specific performance target, not to dynamically adjust. Option B is wrong because high availability focuses on ensuring the system remains operational and accessible despite failures, typically through redundancy across Availability Zones, which does not directly reduce processing time for a batch job.

658
MCQeasy

Amazon CloudFront serves cached content to users from the closest possible network point, with over 400 such points globally. What are these network points called?

A.Availability Zones
B.AWS Regions
C.Edge Locations
D.Local Zones
AnswerC

Edge locations are the 400+ points of presence in CloudFront's CDN. They cache content locally so users receive it from the nearest possible server, minimising latency.

Why this answer

Amazon CloudFront uses a global network of edge locations to cache and serve content to users with low latency. These edge locations are distinct from AWS Regions and Availability Zones, as they are specifically designed for content delivery rather than compute or storage. Option C correctly identifies these network points as Edge Locations.

Exam trap

The trap here is that candidates often confuse Edge Locations with Availability Zones or Local Zones, assuming all AWS infrastructure points are similar, but CloudFront's edge locations are a separate global network optimized for content delivery, not for running general AWS services.

How to eliminate wrong answers

Option A is wrong because Availability Zones are isolated data centers within an AWS Region, used for high availability of compute and storage resources, not for content caching at the network edge. Option B is wrong because AWS Regions are geographic areas containing multiple Availability Zones, designed for resource deployment and not for serving cached content from the closest point to users. Option D is wrong because Local Zones are extensions of AWS Regions that place compute, storage, and database services closer to end users for latency-sensitive applications, but they are not the primary points for CloudFront's content caching.

659
MCQmedium

A marketing company is launching a new campaign that will require a temporary increase in web server capacity. The operations team provisions an additional 10 Amazon EC2 instances through the AWS Management Console within five minutes, without needing to submit a purchase order or wait for hardware delivery. Which advantage of cloud computing does this scenario best demonstrate?

A.Benefit from massive economies of scale
B.Trade capital expense for variable expense
C.Increase speed and agility
D.Stop spending money on running and maintaining data centers
AnswerC

Increasing speed and agility means that IT resources can be provisioned in minutes, allowing organizations to respond swiftly to new requirements without the delays of traditional procurement and hardware setup. This directly matches the scenario.

Why this answer

Option C is correct because the scenario highlights how cloud computing enables rapid provisioning of resources—10 EC2 instances in five minutes—without the delays of procurement or hardware setup. This directly demonstrates increased speed and agility, a core advantage of cloud computing that allows businesses to experiment and scale quickly.

Exam trap

The trap here is that candidates may confuse 'speed and agility' with 'economies of scale' or 'variable expense,' but the key differentiator is the rapid provisioning without procurement delays, not cost structure or provider scale.

How to eliminate wrong answers

Option A is wrong because economies of scale refer to cost benefits from massive provider infrastructure, not the speed of provisioning. Option B is wrong because trading capital expense for variable expense relates to paying for only what you use (e.g., per-hour billing), not the rapid deployment described. Option D is wrong because stopping spending on data centers addresses reduced operational overhead, not the temporary capacity increase or provisioning speed.

660
MCQmedium

A company runs multiple workloads on AWS, each in separate AWS accounts managed through AWS Organizations. The finance team wants to set a monthly cost threshold of $5,000 for the 'development' account. If the actual or forecasted costs exceed 80% of this threshold, the team wants to receive an email alert so they can review usage and take corrective action if needed. They also want to track costs against this threshold over time using a dashboard. Which AWS service should the finance team use to set up this threshold and receive the alerts?

A.AWS Cost Explorer
B.AWS Budgets
C.AWS Trusted Advisor
D.AWS Organizations
AnswerB

AWS Budgets enables you to set custom cost and usage budgets and receive alerts when actual or forecasted costs exceed your defined thresholds. You can also track budget progress on the AWS Budgets dashboard. This matches the requirement perfectly.

Why this answer

AWS Budgets allows you to set custom cost and usage budgets with alerts based on actual or forecasted costs. In this scenario, you can create a budget for the 'development' account with a $5,000 monthly threshold and configure an alert at 80% ($4,000) to send an email notification. AWS Budgets also integrates with Amazon QuickSight or Cost Explorer for historical tracking, but the budget itself provides a dashboard view of current and forecasted spend against the threshold.

Exam trap

The trap here is that candidates often confuse AWS Cost Explorer's visualization capabilities with the proactive alerting and threshold-setting functionality that only AWS Budgets provides, leading them to choose Cost Explorer for a task it cannot perform.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer is a visualization and analysis tool for historical cost data, not a service for setting thresholds or proactive alerts; it lacks the ability to define a budget limit and send email notifications when costs exceed a percentage. Option C is wrong because AWS Trusted Advisor inspects your environment for best practices in cost optimization, performance, security, and fault tolerance, but it does not allow you to set custom cost thresholds or receive alerts based on account-level spending limits. Option D is wrong because AWS Organizations is a service for centrally managing multiple AWS accounts, including policy-based management and consolidated billing, but it does not provide per-account budget threshold alerts or email notifications; it can be used to apply service control policies (SCPs) but not cost-based alerts.

661
MCQmedium

A gaming company needs ultra-low latency access to AWS compute for their mobile game players at 5G network edges. Which AWS infrastructure extension enables this?

A.AWS Local Zones
B.AWS Outposts
C.AWS Wavelength Zones
D.Amazon CloudFront Edge Locations
AnswerC

Wavelength Zones embed EC2 and EBS within 5G carrier networks, enabling mobile applications to access AWS compute with single-digit millisecond latency at the 5G network edge.

Why this answer

AWS Wavelength Zones embed AWS compute and storage services at the edge of 5G networks, enabling ultra-low latency for mobile game players by minimizing the distance data must travel between the device and the application. This is specifically designed for applications that require single-digit millisecond latencies over 5G, such as real-time gaming, AR/VR, and live video processing.

Exam trap

The trap here is that candidates often confuse AWS Local Zones with Wavelength Zones, but Local Zones are designed for latency-sensitive workloads in metro areas (e.g., media rendering) and lack the direct integration with 5G carrier networks that Wavelength Zones provide.

How to eliminate wrong answers

Option A is wrong because AWS Local Zones place compute and storage closer to large population centers but not at the 5G network edge, so they do not provide the sub-10ms latency required for mobile gaming over 5G. Option B is wrong because AWS Outposts are fully managed racks of AWS infrastructure installed on-premises, which are not integrated into telecom 5G networks and cannot offer the ultra-low latency from the carrier edge. Option D is wrong because Amazon CloudFront Edge Locations are content delivery network (CDN) nodes optimized for caching and accelerating static and dynamic content delivery, not for running compute workloads with the single-digit millisecond latency needed at the 5G edge.

662
MCQmedium

A fast-growing mobile game company uses a NoSQL database to store player profiles, leaderboards, and game state. The database must deliver consistent single-digit millisecond response times regardless of the number of concurrent players. The company wants a fully managed service that automatically scales throughput capacity up and down based on traffic and replicates data across multiple Availability Zones for high availability. Which AWS service should the company use?

A.Amazon RDS for MySQL
B.Amazon DynamoDB
C.Amazon Redshift
D.Amazon ElastiCache for Redis
AnswerB

Amazon DynamoDB is the correct answer. It is a fully managed NoSQL service that delivers consistent single-digit millisecond latency at any scale. It automatically scales read/write throughput based on traffic patterns and replicates data across three Availability Zones in an AWS Region by default, meeting all requirements.

Why this answer

Amazon DynamoDB is a fully managed NoSQL database service that delivers consistent single-digit millisecond latency at any scale. It supports automatic scaling of throughput capacity based on traffic patterns and replicates data across multiple Availability Zones (AZs) for high availability and durability, making it the ideal choice for a fast-growing mobile game company.

Exam trap

The trap here is that candidates may confuse Amazon ElastiCache for Redis (a caching layer) with a primary NoSQL database, overlooking that DynamoDB is the fully managed, auto-scaling, multi-AZ NoSQL service designed for consistent low-latency workloads.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a relational database, not a NoSQL database, and while it can be scaled vertically, it does not automatically scale throughput capacity up and down based on traffic in the same way DynamoDB does. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not for low-latency, high-concurrency transactional workloads like player profiles and leaderboards. Option D is wrong because Amazon ElastiCache for Redis is an in-memory caching service, not a primary database; it lacks the durability and automatic scaling of throughput capacity that DynamoDB provides, and it is typically used as a cache layer rather than a persistent data store.

663
MCQmedium

A company runs a production application on a mix of Amazon EC2 instance families (e.g., M5, C5, R5) across two AWS Regions. The application runs 24/7 and is expected to continue for the next three years. The company wants to minimize compute costs while retaining the flexibility to change instance families, sizes, or Regions if needed. The company also prefers to avoid any upfront payment to preserve cash flow. Which AWS pricing option should the company choose?

A.On-Demand instances
B.Standard Reserved Instances (no upfront, 3-year term)
C.Compute Savings Plans (no upfront, 3-year term)
D.Spot Instances
AnswerC

Compute Savings Plans offer flexible compute coverage across EC2 instance families, sizes, Regions, OS, and tenancy. The 3-year term with no upfront payment provides cost savings without an initial cash outlay, exactly meeting the stated needs.

Why this answer

Compute Savings Plans (no upfront, 3-year term) provide the highest discount (up to 66%) while allowing flexibility to change instance families (e.g., M5 to C5), sizes, and AWS Regions. This matches the company’s requirement to minimize costs over three years without upfront payment, and the plan automatically applies to any EC2 instance usage within the chosen commitment, preserving the ability to switch instance types or Regions as needed.

Exam trap

The trap here is that candidates often confuse Reserved Instances with Savings Plans, assuming RIs offer the same flexibility, but Standard RIs are region- and instance-family-specific, while Compute Savings Plans provide cross-family and cross-Region flexibility.

How to eliminate wrong answers

Option A is wrong because On-Demand instances offer no discount and would result in the highest compute cost over three years, failing to minimize costs. Option B is wrong because Standard Reserved Instances (no upfront, 3-year term) lock the company to a specific instance family, size, and Region, eliminating the flexibility to change instance families, sizes, or Regions without incurring additional costs or forfeiting the discount.

664
MCQmedium

A company received an unexpected AWS bill that was much higher than expected. Which AWS service would help them understand which resource or service caused the cost spike?

A.AWS Budgets
B.AWS Cost Explorer
C.AWS Pricing Calculator
D.AWS Trusted Advisor
AnswerB

Cost Explorer lets customers filter and group costs by service, resource, and time to pinpoint exactly which service caused an unexpected cost increase.

Why this answer

AWS Cost Explorer (B) is the correct service because it provides a pre-built dashboard and reports that allow you to visualize, analyze, and drill down into your AWS costs and usage over time. You can filter by service, linked account, region, or resource tags to identify exactly which resource or service caused the unexpected cost spike. AWS Budgets (A) can alert you when costs exceed a threshold, but it does not provide the historical analysis and granular breakdown needed to pinpoint the root cause of a past spike.

Exam trap

The trap here is that candidates confuse AWS Budgets (a proactive alerting tool) with AWS Cost Explorer (a reactive analysis tool), mistakenly thinking that setting a budget will help them understand the cause of a past spike, when in fact budgets only alert on future thresholds and do not provide historical drill-down capabilities.

How to eliminate wrong answers

Option A is wrong because AWS Budgets is a proactive alerting tool that notifies you when costs or usage exceed a defined budget threshold, but it does not provide the detailed historical cost and usage analysis needed to investigate a past spike. Option C is wrong because AWS Pricing Calculator is a planning tool used to estimate future costs based on expected usage, not a tool for analyzing actual incurred costs or identifying the source of a past bill increase. Option D is wrong because AWS Trusted Advisor is an advisory service that inspects your AWS environment and makes recommendations for cost optimization, performance, security, and fault tolerance, but it does not provide a granular breakdown of historical cost data by resource or service.

665
MCQmedium

A company wants to ensure they never spend more than $500 per month on AWS services. Which AWS feature can automatically stop or terminate resources when cost projections reach a threshold?

A.AWS Budgets with budget alerts only
B.AWS Budgets Actions
C.AWS Cost Explorer spending forecasts
D.AWS Service Quotas
AnswerB

AWS Budgets Actions can automatically apply IAM policies to deny further usage, stop EC2/RDS instances, or trigger custom Lambda responses when budget thresholds are exceeded.

Why this answer

AWS Budgets Actions allow you to define cost and usage budgets with automated responses, such as stopping or terminating EC2 instances, when actual or forecasted costs exceed a specified threshold. This directly meets the requirement to enforce a $500 monthly spending limit without manual intervention. Budget alerts alone only notify you; they do not take automated actions.

Exam trap

The trap here is that candidates confuse budget alerts (which only notify) with Budgets Actions (which automate responses), leading them to select Option A because they overlook the requirement for automatic resource termination.

How to eliminate wrong answers

Option A is wrong because AWS Budgets with budget alerts only send notifications (e.g., email or SNS) when costs exceed thresholds, but they cannot automatically stop or terminate resources. Option C is wrong because AWS Cost Explorer spending forecasts provide visual predictions of future costs but have no capability to trigger automated actions on resources. Option D is wrong because AWS Service Quotas manage service limits (e.g., maximum number of instances) and do not monitor or control spending thresholds or terminate resources.

666
MCQeasy

A company uses Amazon CloudFront to serve their website globally. They want to ensure that users in China can also access the website with low latency. What infrastructure consideration is required?

A.Enable CloudFront Geo-targeting for the China region
B.Use AWS China Regions (cn-north-1, cn-northwest-1) which require a separate AWS account
C.Enable CloudFront Accelerated Transfer for China
D.Use Route 53 latency routing to direct Chinese users to the nearest CloudFront PoP
AnswerB

AWS China Regions are legally separate entities requiring a separate account, ICP license, and compliance with Chinese regulations — standard CloudFront is not available in mainland China.

Why this answer

Option B is correct because serving content to users in China with low latency via CloudFront requires using AWS China Regions (cn-north-1, cn-northwest-1), which are isolated from global AWS Regions and require a separate AWS account due to Chinese regulatory and legal requirements. CloudFront distributions cannot directly serve content from global edge locations to users in China with optimal performance; instead, you must set up a separate CloudFront distribution in a China Region or use third-party CDN integration.

Exam trap

The trap here is that candidates assume CloudFront's global network can serve China with low latency through standard features like Geo-targeting or latency routing, overlooking the regulatory and infrastructure isolation that mandates a separate AWS account and China-specific Regions.

How to eliminate wrong answers

Option A is wrong because CloudFront Geo-targeting restricts content based on geographic location but does not provide low-latency access for users in China; it simply controls access or serves different content versions. Option C is wrong because CloudFront does not have an 'Accelerated Transfer for China' feature; AWS offers a 'CloudFront China' service that requires a separate account and uses local edge locations in China, not a global acceleration feature. Option D is wrong because Route 53 latency routing directs traffic to the nearest CloudFront Point of Presence (PoP) based on latency, but CloudFront PoPs outside China cannot provide low-latency access to users within China due to internet restrictions and firewall latency; a China-based distribution is necessary.

667
MCQmedium

A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.AWS Security Hub
AnswerC

AWS Config continuously monitors and records AWS resource configurations and allows you to evaluate them against desired configurations using managed or custom rules. It can detect security groups with unrestricted SSH access and trigger notifications or automatic remediation.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. With a managed rule like `restricted-ssh`, AWS Config can automatically detect security groups that allow unrestricted SSH access (0.0.0.0/0) and trigger alerts or remediation actions. This meets the compliance team's requirement for ongoing, rule-based evaluation of security group configurations.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), or they mistakenly think Amazon GuardDuty can check static security group rules when it is designed for dynamic threat detection.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., who created a security group rule) but does not continuously evaluate the configuration state of resources against a policy; it is an audit trail, not a configuration compliance checker. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes network traffic and logs for malicious activity (e.g., brute force attempts), not a tool for evaluating static security group rules against a compliance policy.

668
MCQmedium

A company runs a critical e-commerce application that uses an Amazon RDS for MySQL database deployed in a single Availability Zone. The company needs to ensure that the database remains available if the underlying hardware or the entire Availability Zone fails. The solution must provide automatic failover with minimal downtime and must not require any changes to the application's database connection string. Which Amazon RDS feature should the company use to meet these requirements?

A.Deploy a Read Replica in another Availability Zone and configure the application to use it as a failover target
B.Enable automated backups with point-in-time recovery
C.Manually provision a standby database instance in another Availability Zone and configure a custom failover script
D.Configure a Multi-AZ deployment for the Amazon RDS database instance
AnswerD

Multi-AZ deployments create a synchronous standby replica in a different Availability Zone. Amazon RDS automatically handles failover to the standby replica when a failure is detected, and updates the DNS record so that the same connection endpoint continues to work without any application changes. This meets all the stated requirements.

Why this answer

Option D is correct because a Multi-AZ deployment for Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In the event of a failure, Amazon RDS automatically fails over to the standby, and the DNS record for the database endpoint is updated to point to the standby, so the application's connection string remains unchanged. This provides automatic failover with minimal downtime without requiring any manual intervention or application changes.

Exam trap

The trap here is that candidates often confuse Read Replicas (which are for read scaling and require manual promotion) with Multi-AZ deployments (which provide automatic failover with no application changes), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because a Read Replica is an asynchronous replica used primarily for read scaling; it does not support automatic failover, and promoting it to a primary instance requires manual intervention and a change to the application's connection string. Option B is wrong because automated backups with point-in-time recovery provide data durability and restore capability, but they do not provide automatic failover or high availability; restoring from a backup incurs significant downtime. Option C is wrong because manually provisioning a standby instance and configuring a custom failover script is error-prone, introduces operational complexity, and would require changes to the application's connection string or DNS configuration to redirect traffic, violating the requirement for no application changes.

669
MCQhard

A company is designing a microservices architecture on AWS. According to the AWS Well-Architected Framework's Operational Excellence pillar, which practice best supports the ability to safely make frequent, small changes to production?

A.Performing large batch deployments monthly to minimize change frequency
B.Making frequent, small, reversible changes through automated CI/CD pipelines
C.Requiring manual approval for every code change
D.Deploying all microservices simultaneously in coordinated releases
AnswerB

The Operational Excellence pillar explicitly recommends frequent, small, reversible changes via automation to reduce risk, enable faster rollback, and improve deployment confidence.

Why this answer

Option B is correct because the Operational Excellence pillar emphasizes the ability to make frequent, small, reversible changes to reduce the blast radius of failures and enable rapid recovery. Automated CI/CD pipelines enforce consistent deployment practices, allowing teams to safely iterate on production with minimal risk. This approach aligns with the principle of 'perform operations as code' and supports the 'make frequent, small, reversible changes' design principle.

Exam trap

The trap here is that candidates may confuse 'operational excellence' with 'security' or 'cost optimization' and choose manual approval (Option C) thinking it adds safety, but the Well-Architected Framework explicitly advocates for automation over manual gates to enable safe, high-velocity changes.

How to eliminate wrong answers

Option A is wrong because performing large batch deployments monthly increases the risk of complex failures and violates the principle of making small, reversible changes; it also delays feedback loops. Option C is wrong because requiring manual approval for every code change introduces bottlenecks and slows down the deployment cadence, contradicting the goal of frequent, small changes. Option D is wrong because deploying all microservices simultaneously in coordinated releases creates tight coupling and increases the blast radius of any failure, undermining the independence and resilience that microservices are meant to provide.

670
MCQeasy

Which AWS service provides a fully managed environment for creating, maintaining, and documenting APIs using REST, HTTP, and WebSocket protocols?

A.AWS AppSync
B.Amazon API Gateway
C.Elastic Load Balancing
D.AWS Lambda
AnswerB

API Gateway is AWS's managed API platform supporting REST APIs, HTTP APIs, and WebSocket APIs with built-in throttling, authorization, caching, and monitoring.

Why this answer

Amazon API Gateway is the correct service because it is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. It specifically supports RESTful APIs, HTTP APIs (for lower-latency and simpler integrations), and WebSocket APIs (for real-time two-way communication), making it the only AWS service that natively covers all three protocol types in a managed environment.

Exam trap

The trap here is that candidates often confuse AWS AppSync (which also supports real-time data via GraphQL subscriptions) with API Gateway's WebSocket support, but AppSync does not provide REST or HTTP API creation, and it uses GraphQL as its sole protocol.

How to eliminate wrong answers

Option A is wrong because AWS AppSync is a managed GraphQL service that uses GraphQL endpoints, not REST, HTTP, or WebSocket APIs directly; it focuses on real-time data synchronization and offline capabilities for mobile and web apps, not general-purpose API creation with those three protocols. Option C is wrong because Elastic Load Balancing (ELB) is a load balancer that distributes incoming traffic across targets, such as EC2 instances or containers, and does not create, maintain, or document APIs; it operates at the transport layer (TCP) or application layer (HTTP/HTTPS) but lacks API management features like request/response transformation, API keys, or documentation generation. Option D is wrong because AWS Lambda is a serverless compute service that runs code in response to events, not an API management service; while Lambda can be integrated with API Gateway as a backend, it does not itself create, maintain, or document APIs.

671
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce a policy that restricts SSH access (port 22) from the internet (0.0.0.0/0) in all VPCs across all accounts. The team wants to centrally define the allowed rules and automatically apply them to newly created VPCs and security groups, while also automatically remediating any existing non-compliant security groups. Which AWS service should the team use?

A.AWS Config
B.AWS Firewall Manager
C.Amazon GuardDuty
D.AWS Identity and Access Management (IAM)
AnswerB

AWS Firewall Manager is designed to centrally configure and manage firewall rules across accounts and resources in AWS Organizations. It can enforce a common security group policy, automatically apply it to new VPCs and security groups, and remediate existing non-compliant resources, meeting all the stated requirements.

Why this answer

AWS Firewall Manager is the correct service because it provides centralized management of firewall rules across all accounts in AWS Organizations. It can enforce a common security group rule to deny SSH access from 0.0.0.0/0, automatically apply this policy to new VPCs and security groups, and remediate non-compliant existing security groups by removing or replacing violating rules. This meets the requirement for both proactive enforcement and automated remediation at scale.

Exam trap

The trap here is that candidates often confuse AWS Config's detection capabilities with enforcement, assuming it can automatically fix non-compliant resources without additional automation, while Firewall Manager is the native service for centralized, automated security group policy enforcement across an organization.

How to eliminate wrong answers

Option A is wrong because AWS Config is a compliance monitoring and evaluation service that can detect non-compliant security groups but cannot automatically remediate them or enforce policies on newly created resources without custom automation (e.g., AWS Config rules with auto-remediation via Systems Manager Automation, which is not a native, built-in enforcement mechanism). Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes network traffic and logs for malicious activity; it does not enforce security group rules or manage firewall policies.

672
MCQmedium

A company is expanding its AWS environment from a single account to multiple accounts using AWS Organizations. The security team wants to enforce a baseline set of permissions across all accounts, ensuring that users in any account cannot disable AWS CloudTrail or modify Amazon S3 bucket policies that prevent public access. Which feature of AWS Organizations should the security team use to achieve this control?

A.Consolidated Billing
B.Service Control Policies (SCPs)
C.AWS Config rules
D.IAM roles
AnswerB

SCPs allow you to define and enforce maximum permissions for all accounts in your AWS Organization. They act as a guardrail, ensuring that even if an account has permissive IAM policies, the effective permissions are limited by the SCP. This enables central enforcement of security baselines such as preventing the disabling of CloudTrail or modification of S3 bucket policies that block public access.

Why this answer

Service Control Policies (SCPs) are the correct choice because they allow you to centrally define and enforce baseline permissions across all accounts in an AWS Organization. SCPs act as a guardrail, restricting what actions users and roles in member accounts can perform, even if they have full administrative privileges within their own account. By creating an SCP that explicitly denies the `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, and `s3:PutBucketPolicy` actions (or similar), the security team can prevent disabling CloudTrail and modifying S3 bucket policies that block public access across the entire organization.

Exam trap

The trap here is that candidates often confuse AWS Config rules (detective) with SCPs (preventive), thinking that Config rules can block actions when they only alert on non-compliance after the fact.

How to eliminate wrong answers

Option A is wrong because Consolidated Billing is a feature that aggregates usage costs across accounts for a single invoice and volume discounts; it does not enforce any permissions or security controls. Option C is wrong because AWS Config rules are used for evaluating resource configurations against desired policies (e.g., detecting non-compliant S3 bucket policies) but they cannot prevent actions from being taken—they only provide detective, not preventive, controls.

673
MCQmedium

A company runs a multiplayer gaming application on Amazon EC2 instances in the us-east-1 Region. The application uses the UDP protocol for real-time communication between players and game servers. Players in Asia and Europe report high latency and packet loss. The company wants to improve performance by directing player traffic from the nearest edge location to the application over the AWS global network, without modifying the application code. Which AWS service should the company use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.Amazon Route 53 latency routing
D.AWS Site-to-Site VPN
AnswerB

AWS Global Accelerator uses the AWS global network to improve the performance of TCP/UDP applications. It directs user traffic to the nearest edge location and then routes it over the AWS global backbone to the optimal regional endpoint, reducing latency and packet loss. This matches the requirement for UDP-based gaming application without application changes.

Why this answer

AWS Global Accelerator uses the AWS global network to route UDP traffic from the nearest edge location to the application, reducing latency and packet loss without requiring code changes. It leverages Anycast IP addresses to direct player traffic to the closest edge location, then transports it over the optimized AWS backbone to the EC2 instances in us-east-1.

Exam trap

The trap here is that candidates often confuse CloudFront's edge caching with Global Accelerator's network path optimization, but CloudFront does not support UDP and cannot accelerate non-HTTP traffic without application changes.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for HTTP/HTTPS and WebSocket traffic, not for UDP-based real-time gaming protocols, and it would require modifying the application to use HTTP-based delivery. Option C is wrong because Amazon Route 53 latency routing only controls DNS resolution to direct traffic to the nearest endpoint based on latency, but it does not optimize the network path after DNS resolution and does not use the AWS global network for packet transport; it also cannot handle UDP traffic flow optimization. Option D is wrong because AWS Site-to-Site VPN creates an encrypted tunnel between on-premises networks and AWS, not between players and the application, and it would not improve performance for global player traffic without modifying the application to route through a VPN.

674
MCQeasy

An e-commerce company runs its website on Amazon EC2. During normal operation, 10 instances are sufficient. During a major sale event, traffic increases 20x and the Auto Scaling group automatically adds 190 additional instances within minutes. After the sale, the instances are terminated. Which cloud computing characteristic does this behaviour demonstrate?

A.Resource pooling
B.On-demand self-service
C.Broad network access
D.Rapid elasticity
AnswerD

Rapid elasticity describes the ability to provision resources quickly to scale out during demand spikes and release them when demand drops. Auto Scaling adding hundreds of instances in minutes and terminating them after the event is the classic example.

Why this answer

D is correct because the ability to automatically scale from 10 to 200 instances within minutes and then terminate them after the sale demonstrates rapid elasticity. This characteristic allows cloud resources to be provisioned and released elastically, often automatically, to scale rapidly outward and inward commensurate with demand. AWS Auto Scaling groups achieve this by using launch configurations, scaling policies, and CloudWatch alarms to dynamically adjust the EC2 instance count based on real-time metrics like CPU utilization or request count.

Exam trap

The trap here is that candidates often confuse rapid elasticity with on-demand self-service, but the key differentiator is the speed and automatic nature of scaling in response to demand, not the ability to provision resources without human interaction.

How to eliminate wrong answers

Option A is wrong because resource pooling refers to the provider's computing resources being pooled to serve multiple customers using a multi-tenant model, with physical and virtual resources dynamically assigned and reassigned according to demand; it does not describe the rapid scaling of instances for a single customer's workload. Option B is wrong because on-demand self-service means a customer can provision computing capabilities unilaterally without requiring human interaction with each service provider, typically via a web console or API; while the scaling is automated, the key behavior here is the speed and elasticity of scaling, not the self-service provisioning model. Option C is wrong because broad network access means resources are available over the network and accessed through standard mechanisms (e.g., HTTP, HTTPS, SSH) that promote use by heterogeneous client platforms (e.g., mobile phones, laptops); this characteristic is unrelated to the dynamic scaling of compute capacity.

675
MCQeasy

A company's marketing team needs a temporary compute environment to run a one-week data analysis for a campaign. The developer uses the AWS CLI to automatically provision an Amazon EC2 instance and an Amazon RDS database without any manual approval or interaction from the AWS support team. This ability to provision resources automatically without requiring human interaction from the cloud provider best demonstrates which essential characteristic of cloud computing?

A.Broad network access
B.On-demand self-service
C.Resource pooling
D.Rapid elasticity
AnswerB

Correct. On-demand self-service allows users to provision and manage computing resources as needed automatically, without requiring human interaction with the cloud provider. The developer used the AWS CLI to provision resources without contacting AWS support, matching this characteristic.

Why this answer

The scenario describes a developer using the AWS CLI to provision an EC2 instance and an RDS database without any manual approval or interaction from AWS support. This ability to automatically obtain and configure computing resources as needed, without requiring human intervention from the provider, is the defining characteristic of on-demand self-service. It allows users to provision and manage resources through a self-service interface (like the AWS Management Console, CLI, or SDKs) at any time, without needing to submit a request to AWS staff.

Exam trap

The trap here is that candidates often confuse 'rapid elasticity' with the ability to provision resources on demand, but rapid elasticity specifically refers to the speed of scaling (up/down) in response to workload changes, not the self-service provisioning mechanism itself.

How to eliminate wrong answers

Option A is wrong because broad network access refers to resources being accessible over the network via standard protocols (e.g., HTTP, SSH, RDP) from a wide range of devices (laptops, phones, etc.), not to the ability to provision resources without human interaction. Option C is wrong because resource pooling describes the provider's multi-tenant model where computing resources are pooled to serve multiple customers, with physical and virtual resources dynamically assigned and reassigned according to demand; it does not relate to the user's ability to self-provision. Option D is wrong because rapid elasticity is the ability to quickly scale resources up or down based on demand, often automatically, but the core characteristic demonstrated here is the self-service provisioning aspect, not the scaling speed or automatic adjustment.

Page 8

Page 9 of 14

Page 10