AWS Certified Database Specialty DBS-C01 (DBS-C01) — Questions 751825

1730 questions total · 24pages · All types, answers revealed

Page 10

Page 11 of 24

Page 12
751
MCQmedium

A company uses Amazon DynamoDB with global tables. They notice that changes made in one region are not appearing in another region after several minutes. Which CloudWatch metric should be monitored to check the replication lag?

A.ConsumedWriteCapacityUnits
B.SuccessfulRequestLatency
C.ReplicationLatency
D.ThrottledRequests
AnswerC

Correct. ReplicationLatency tracks the lag between regions for global tables.

Why this answer

Option C is correct because ReplicationLatency measures the time between the last update on the source table and the last update on the replica table. Option A is wrong because ThrottledRequests indicates throttling. Option B is wrong because ConsumedWriteCapacityUnits measures usage.

Option D is wrong because SuccessfulRequestLatency measures request latency.

752
Multi-Selecthard

A company is using Amazon DynamoDB with auto scaling enabled. Despite auto scaling, the application is still experiencing throttling during traffic spikes. Which THREE actions should the company take to resolve this issue? (Choose THREE.)

Select 3 answers
A.Implement exponential backoff in the application code
B.Enable DynamoDB Accelerator (DAX) to cache read-heavy workloads
C.Use DynamoDB global tables to distribute write traffic across regions
D.Switch to on-demand capacity mode
E.Disable auto scaling and set fixed capacity
AnswersA, B, C

Exponential backoff helps retry throttled requests without overwhelming the system.

Why this answer

Options A, D, and E are correct. Enabling DynamoDB Accelerator (DAX) reduces read load. Implementing exponential backoff helps retry gracefully.

Using DynamoDB global tables can distribute write load. Option B is wrong because disabling auto scaling would not help. Option C is wrong because switching to on-demand capacity might help but is not always cost-effective and does not address hot keys.

753
Multi-Selectmedium

Which THREE measures can help protect an Amazon RDS database from a DDoS attack? (Choose 3.)

Select 3 answers
A.Place the RDS instance in a private subnet without direct internet access.
B.Use security groups to restrict inbound traffic to known IP addresses.
C.Make the RDS instance publicly accessible for easy monitoring.
D.Use AWS Shield Advanced.
E.Disable audit logging to reduce resource usage.
AnswersA, B, D

Reduces exposure to DDoS attacks.

Why this answer

Placing the RDS instance in a private subnet without direct internet access prevents any external traffic from reaching the database endpoint. Since DDoS attacks rely on overwhelming a publicly routable IP address, removing internet-facing connectivity eliminates the attack surface entirely. This is a foundational network-layer defense that complements other security controls.

Exam trap

The trap here is that candidates may think making an RDS instance publicly accessible is acceptable for monitoring purposes, but AWS best practices require all database access to go through a bastion host or VPN, and disabling audit logging is a common distractor that appears to reduce overhead but actually removes critical security visibility without any DDoS benefit.

754
Multi-Selectmedium

A database administrator is troubleshooting a performance issue on an Amazon Aurora MySQL cluster. The application is experiencing high latency on write operations. Which TWO CloudWatch metrics should the administrator analyze to identify the root cause?

Select 2 answers
A.ReadLatency
B.DMLThroughput
C.CommitLatency
D.SelectLatency
E.FreeableMemory
AnswersB, C

Shows the volume of write operations.

Why this answer

Option A (DMLThroughput) measures the rate of write operations. Option D (CommitLatency) measures the time to commit transactions, which directly affects write latency. Option B is incorrect because it is a read metric.

Option C is incorrect because it measures storage. Option E is incorrect because it is a read latency metric.

755
Multi-Selecteasy

A database team is troubleshooting a performance issue on an Amazon RDS for PostgreSQL instance. They notice that the 'DiskQueueDepth' metric is consistently high. Which TWO actions should the team take to resolve this issue? (Choose TWO.)

Select 2 answers
A.Increase the number of database connections.
B.Enable storage auto scaling.
C.Increase the provisioned IOPS for the instance.
D.Enable query caching in PostgreSQL.
E.Enable Multi-AZ deployment.
AnswersB, C

Auto scaling can increase throughput and reduce queue depth.

Why this answer

Options B and D are correct. A high disk queue depth indicates I/O bottleneck. Increasing IOPS (Option B) or enabling Auto Scaling (Option D) can alleviate the bottleneck.

Option A is wrong because more connections may increase I/O contention. Option C is wrong because query caching is not a primary solution for I/O. Option E is wrong because Multi-AZ does not improve I/O performance.

756
MCQmedium

A company is designing a database for an IoT application that receives millions of sensor readings per second. Each reading is a small JSON payload (timestamp, device_id, metric, value). The primary query pattern retrieves the most recent reading for a given device. Which AWS database service is BEST suited for this workload?

A.Amazon Aurora
B.Amazon DynamoDB
C.Amazon ElastiCache for Redis
D.Amazon RDS for MySQL
AnswerB

Handles high write throughput and supports efficient point queries with sort key.

Why this answer

DynamoDB is a key-value and document database optimized for high-velocity writes and low-latency point lookups. With a primary key of device_id and a sort key of timestamp, the query for the most recent reading can use ScanIndexForward: false and limit 1, which is efficient. RDS and Aurora are relational and not ideal for high-throughput writes.

ElastiCache is a cache, not a durable database. Redshift is for analytics.

757
MCQmedium

A company is migrating their on-premises Oracle database to Amazon RDS for Oracle. They need to ensure minimal downtime. During the migration, they observe that the change data capture (CDC) is falling behind. What is the most effective approach to catch up?

A.Disable supplemental logging on the source
B.Increase the instance size of the target RDS instance
C.Pause the CDC task and resume later
D.Stop the CDC and perform a full load migration
AnswerB

More CPU/memory can help the apply process catch up.

Why this answer

Option B is correct because increasing the instance size provides more resources for replication. Option A is wrong because pausing replication would increase lag. Option C is wrong because switching to full load would cause downtime.

Option D is wrong because disabling logging would break CDC.

758
Multi-Selectmedium

A company is using Amazon DynamoDB for a high-traffic web application. The table has on-demand capacity mode. During a marketing event, the application experiences throttling. Which TWO actions should the database specialist take to prevent throttling in future events?

Select 2 answers
A.Increase the read capacity units of the table.
B.Switch the table to provisioned capacity mode and increase write capacity units.
C.Pre-create a DynamoDB global table to distribute write traffic.
D.Decrease the write capacity units to reduce throttling.
E.Implement DynamoDB Accelerator (DAX) to offload read traffic.
AnswersC, E

Global tables spread writes across regions, reducing throttling.

Why this answer

Options B and D are correct. Option B: Pre-creating a global table can distribute write traffic across regions, reducing load on a single table. Option D: Using DynamoDB Accelerator (DAX) can offload read traffic, reducing read capacity consumption.

Option A is wrong because switching to provisioned capacity requires capacity planning but does not automatically prevent throttling. Option C is wrong because increasing read capacity units is not applicable to on-demand mode. Option E is wrong because decreasing write capacity is counterproductive.

759
MCQeasy

A company is building a social network application that needs to store user profiles, friend relationships, and a feed of posts. The feed queries are complex, involving graph traversals (e.g., friends of friends). Which database is best suited for the relationship data?

A.Amazon DynamoDB
B.Amazon RDS for MySQL
C.Amazon ElastiCache for Redis
D.Amazon Neptune
AnswerD

Neptune is a graph database purpose-built for traversing relationships.

Why this answer

Amazon Neptune is a fully managed graph database service optimized for storing and querying highly connected data. It supports both property graph and RDF models, and it uses graph traversal languages like Gremlin and SPARQL, making it ideal for complex friend-of-friend queries and social network relationship data.

Exam trap

The trap here is that candidates often choose DynamoDB for its scalability or RDS for its familiarity with JOINs, failing to recognize that graph databases are purpose-built for relationship-heavy workloads and that the exam specifically tests the ability to match database types to query patterns.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a key-value and document database that does not natively support graph traversals; querying friends of friends would require multiple expensive client-side joins or scans. Option B is wrong because Amazon RDS for MySQL is a relational database that can model relationships with JOINs, but it suffers from performance degradation and complexity as the depth of graph traversals increases, lacking native graph traversal optimizations. Option C is wrong because Amazon ElastiCache for Redis is an in-memory data store primarily used for caching, session management, and simple data structures; while it can store adjacency lists, it does not provide a graph query language or support complex multi-hop traversals efficiently.

760
Multi-Selecthard

Which THREE are valid methods to encrypt data at rest in Amazon DynamoDB? (Choose 3.)

Select 3 answers
A.Use a customer managed CMK.
B.Use S3 server-side encryption.
C.Use an AWS-owned CMK.
D.Use an AWS managed CMK.
E.Use client-side encryption with the DynamoDB Encryption Client.
AnswersC, D, E

Default encryption uses AWS-owned keys.

Why this answer

Option C is correct because DynamoDB encrypts data at rest by default using an AWS-owned customer master key (CMK), which is a key managed by AWS on behalf of the customer. This key is used to protect the table data, backups, and replicas without requiring any customer configuration.

Exam trap

The trap here is that candidates often confuse server-side encryption options across AWS services, incorrectly assuming that S3 server-side encryption can be applied to DynamoDB, or they forget that client-side encryption is a valid method for encrypting data at rest in DynamoDB.

761
Multi-Selecteasy

Which TWO CloudWatch Logs features can be used to monitor and troubleshoot Amazon RDS for SQL Server error logs? (Choose TWO.)

Select 2 answers
A.Integrating with AWS X-Ray for trace analysis
B.Setting metric filters to count error occurrences
C.Exporting logs to Amazon S3
D.Using AWS CloudTrail to capture log events
E.Real-time monitoring of log streams
AnswersB, E

Metric filters can create alarms based on error counts.

Why this answer

Options A and C are correct because CloudWatch Logs can monitor error logs in real time and set metric filters for specific error patterns. Option B (S3 export) is for archiving, not real-time monitoring. Option D (CloudTrail) is for API activity, not database logs.

Option E (X-Ray) is for tracing, not log monitoring.

762
Multi-Selecthard

A company is migrating an on-premises Oracle database to Amazon Aurora PostgreSQL. The migration must have minimal downtime and support ongoing replication. Which THREE services should the company use? (Choose 3.)

Select 3 answers
A.AWS Snowball Edge
B.Amazon Aurora PostgreSQL
C.AWS DataSync
D.AWS Database Migration Service (AWS DMS)
E.AWS Schema Conversion Tool (AWS SCT)
AnswersB, D, E

Target database for migration.

Why this answer

Option A is correct for schema conversion. Option B is correct for ongoing replication. Option C is correct for data migration.

Option D is incorrect because it is for file transfer. Option E is incorrect because it is for large data transfer.

763
MCQeasy

An administrator runs the above AWS CLI command to create an RDS MySQL instance. The command completes successfully. What is the status of the new DB instance immediately after the command returns?

A.available
B.stopped
C.deleting
D.creating
AnswerD

The instance enters 'creating' state until provisioning completes.

Why this answer

When the create-db-instance command returns, the DB instance state is 'creating'. It takes several minutes for the instance to become 'available'. Option A (available) is incorrect because creation is not instant.

Option C (stopped) is incorrect. Option D (deleting) is incorrect.

764
Multi-Selecthard

A company is migrating a 5 TB Oracle database to Amazon RDS for Oracle. The database contains large BFILEs stored in a file system. The company needs to migrate the data with minimal downtime and ensure the BFILEs are migrated. Which THREE steps should the company take?

Select 3 answers
A.Replace BFILEs with BLOBs in the source database before migration.
B.Use AWS SCT to convert any incompatible schema objects.
C.Upload the BFILEs to Amazon S3 and use Oracle Directory objects to reference them.
D.Use AWS CloudEndure Migration to replicate the entire server.
E.Use AWS DMS with the Oracle source endpoint configured to include the BFILE directory path.
AnswersB, C, E

SCT helps convert Oracle-specific objects to RDS-compatible ones.

Why this answer

DMS can migrate BFILEs if the source endpoint is configured with the directory path. Using SCT to convert any incompatible schema is recommended. Uploading BFILEs to S3 and using Oracle Directory objects with DMS can handle the migration.

Option B (direct update) is not secure. Option E (CloudEndure) is for servers.

765
MCQeasy

Refer to the exhibit. A DBA is checking the backup configuration of an RDS MySQL instance. The current time is 2023-03-15T06:00:00Z. What is the most recent point to which the database can be restored?

A.2023-03-15T03:00:00Z
B.2023-03-15T05:30:00Z
C.2023-03-15T04:30:00Z
D.2023-03-15T06:00:00Z
AnswerC

This is the latest restorable time shown.

Why this answer

Option C is correct. The latest restorable time is 2023-03-15T04:30:00Z, which is within the backup window. Option A is wrong because it is after the latest restorable time.

Option B is wrong because it is earlier than the latest restorable time. Option D is wrong because the backup window ends at 06:00, but the latest restorable time is 04:30.

766
Drag & Dropmedium

Arrange the steps to enable encryption at rest for an existing unencrypted Amazon RDS for MariaDB DB instance in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Encryption at rest for an existing instance requires creating an encrypted snapshot and restoring it, then migrating applications.

767
MCQeasy

A company wants to ensure that an Amazon RDS for MySQL DB instance is encrypted at rest. Which action should be taken to enable encryption for the first time?

A.Enable encryption on the existing DB instance using the AWS CLI.
B.Create a new encrypted DB instance using AWS KMS.
C.Set the rds.encrypted parameter to true in the DB parameter group.
D.Modify the existing DB instance and enable encryption.
AnswerB

Encryption at rest must be specified at instance creation time.

Why this answer

Option A is correct because RDS encryption at rest can only be enabled when creating a new DB instance, not on an existing one. Option B is wrong because enabling encryption requires creating an encrypted snapshot and restoring as a new instance, not just modifying. Option C is wrong because encryption cannot be enabled on an existing instance.

Option D is wrong because encryption is configured at instance creation, not through parameter groups.

768
Multi-Selecthard

A company is migrating a 500 GB Oracle database to Amazon Aurora PostgreSQL. They need to convert the schema and migrate the data with minimal downtime. Which THREE actions should they take? (Choose three.)

Select 3 answers
A.Use AWS Schema Conversion Tool (SCT) to assess and convert Oracle-specific features like hierarchical queries.
B.Modify the application to use Aurora PostgreSQL-specific SQL syntax before migration.
C.Use AWS Database Migration Service (DMS) with change data capture (CDC) to migrate data.
D.Use AWS Schema Conversion Tool (SCT) to convert the Oracle schema to PostgreSQL-compatible schema.
E.Use AWS Snowball Edge to transfer the data to AWS and then load into Aurora.
AnswersA, C, D

SCT can convert Oracle-specific features to PostgreSQL equivalents.

Why this answer

Options A, B, and D are correct. A: SCT converts the schema. B: DMS with CDC provides minimal downtime.

D: Use SCT to assess and convert Oracle-specific features. Option C (modify application to use Aurora-specific features) is not necessary. Option E (Snowball) is not for minimal downtime.

769
MCQeasy

A startup is building a social media analytics platform. The workload is write-heavy, with millions of events per day containing user actions (likes, shares, comments). The data model is simple: each event is a JSON document with a timestamp, user ID, and action type. Queries are primarily aggregations over time (e.g., count of likes per hour) and require low-latency responses for dashboards. The team wants to minimize operational overhead and cost. Which database service is most appropriate?

A.Amazon ElastiCache for Redis to store aggregated counts.
B.Amazon RDS for PostgreSQL with TimescaleDB extension.
C.Amazon Timestream, a purpose-built time-series database.
D.Amazon DynamoDB with global secondary indexes on timestamp and action type.
AnswerC

Timestream is designed for high write throughput and time-based aggregations.

Why this answer

Option B is correct. Amazon Timestream is optimized for time-series data, supports high write throughput, and provides built-in aggregation functions for time-based queries. Option A (DynamoDB) is not ideal for time-series aggregations without additional processing.

Option C (RDS for PostgreSQL) can handle the workload but may require more management and scaling effort. Option D (ElastiCache) is a cache, not a durable database.

770
MCQhard

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database contains sensitive data that must be encrypted at rest and in transit. The security team also requires that the encryption keys be rotated every year. The DBA has enabled encryption at rest using a customer-managed KMS key and SSL/TLS for in-transit encryption. What additional step is needed to meet the key rotation requirement?

A.Manually create a new KMS key every year and update the RDS instance to use the new key.
B.Configure the RDS option group to rotate the encryption key.
C.Use an AWS CloudHSM key and configure automatic rotation.
D.Enable automatic KMS key rotation for the customer-managed key.
AnswerD

KMS can rotate the key automatically every year.

Why this answer

Option B is correct because KMS automatic key rotation rotates the key material annually. Option A is wrong because manual rotation requires creating a new key and updating the RDS instance. Option C is wrong because CloudHSM is not used with RDS.

Option D is wrong because the option group does not control key rotation.

771
MCQeasy

A company is migrating an on-premises MySQL database to Amazon RDS for MySQL. The database is 2 TB in size and the network bandwidth is 100 Mbps. The company needs to minimize downtime. Which migration strategy should be used?

A.Use AWS Database Migration Service (DMS) with ongoing replication.
B.Copy database files to Amazon S3, then restore to RDS using native restore.
C.Use mysqldump to export the database and import it into RDS.
D.Use AWS Server Migration Service to migrate the database server.
AnswerA

AWS DMS can perform a full load followed by continuous replication to keep the target in sync, minimizing downtime.

Why this answer

Option B is correct because AWS DMS can replicate ongoing changes after an initial full load, minimizing downtime. Option A is wrong because mysqldump would be slow and cause more downtime. Option C is wrong because S3 is not directly used for live migration.

Option D is wrong because RDS does not support direct restore of physical backups from on-premises.

772
MCQmedium

A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. The security team wants to ensure that any access to the database is logged, including SELECT queries. What should be done to capture these logs?

A.Modify the DB parameter group to enable query logging and publish logs to Amazon CloudWatch Logs.
B.Enable automated backups and export logs to Amazon S3.
C.Enable RDS Performance Insights.
D.Enable RDS Enhanced Monitoring.
AnswerA

This captures query logs and stores them in CloudWatch.

Why this answer

Enabling RDS Enhanced Monitoring does not capture query logs. Enabling automatic backups does not log queries. Enabling RDS Performance Insights does not log queries.

To capture SELECT queries, you need to enable PostgreSQL query logging by setting the appropriate parameter group parameters (e.g., log_statement = 'all' or 'mod') and then export logs to CloudWatch Logs.

773
MCQmedium

A company is building a mobile application that requires users to be able to query their order history quickly. The data is stored in Amazon DynamoDB, and each user has up to 10,000 orders over time. The application needs to support pagination and filtering by order date. What is the MOST efficient way to model this data in DynamoDB?

A.Scan the entire table and filter on user ID
B.Store all orders as a JSON document in a single item per user
C.Use user ID as the partition key and a Global Secondary Index on order date
D.Use user ID as the partition key and order date as the sort key
AnswerD

Allows range queries on order date and efficient pagination.

Why this answer

Option D is correct because using user ID as the partition key ensures all orders for a user are co-located on a single partition, enabling efficient queries. Adding order date as the sort key allows the application to filter and paginate by date range using the Query API with KeyConditionExpression, which is far more efficient than scanning or using a secondary index.

Exam trap

The trap here is that candidates often choose a Global Secondary Index (Option C) thinking it is necessary for date-based filtering, but the sort key on the base table is more efficient and avoids the cost and eventual consistency of a GSI when the partition key already isolates the user's data.

How to eliminate wrong answers

Option A is wrong because scanning the entire table and filtering on user ID would read every item in the table, consuming excessive read capacity and causing high latency, especially as the table grows. Option B is wrong because storing all orders as a JSON document in a single item per user would exceed DynamoDB's 400 KB item size limit when a user has up to 10,000 orders, and it prevents efficient filtering and pagination by order date. Option C is wrong because while a Global Secondary Index (GSI) on order date could support date-based queries, it would require a separate query to retrieve orders for a specific user and would not be as efficient as using the sort key on the base table, which avoids the eventual consistency and additional cost of a GSI.

774
MCQmedium

A company is migrating a 2 TB PostgreSQL database from on-premises to Amazon RDS for PostgreSQL with minimal downtime. The database is continuously updated. Which migration strategy should be used?

A.Use AWS Database Migration Service (DMS) with ongoing replication from an on-premises source.
B.Use AWS Schema Conversion Tool (SCT) and AWS Snowball to transfer data.
C.Use AWS Database Migration Service with a full load only, then cut over.
D.Use pg_dump and pg_restore during a maintenance window.
AnswerA

DMS with change data capture (CDC) allows continuous replication with minimal downtime.

Why this answer

Option B (AWS DMS with ongoing replication) is correct because it supports minimal downtime by continuously replicating changes. Option A (native pg_dump/pg_restore) requires downtime. Option C (AWS Database Migration Service with full load only) does not replicate ongoing changes.

Option D (SCT with Snowball) is for large-scale schema conversion, not minimal-downtime migration.

775
MCQhard

A company is migrating a self-hosted Cassandra cluster to Amazon Keyspaces (for Apache Cassandra). The cluster has 10 nodes and handles 50,000 writes per second. Which migration strategy is MOST efficient?

A.Set up Keyspaces as a new datacenter in the existing Cassandra cluster using native replication.
B.Export data using CQL COPY and import into Keyspaces.
C.Use AWS Glue to extract data from Cassandra and write to Keyspaces.
D.Use AWS DMS with Cassandra as source and Keyspaces as target.
AnswerA

Allows live migration with minimal downtime.

Why this answer

Option A is correct because using native Cassandra replication allows seamless migration with zero downtime by adding Keyspaces as a new datacenter. Option B is wrong because DMS does not support Cassandra as a source for Keyspaces. Option C is wrong because CQL COPY is not suitable for high throughput writes and requires downtime.

Option D is wrong because S3 export/import is a batch process, not real-time.

776
MCQeasy

A company runs a time-series application that records sensor data every second. The data volume is 500 GB per month and grows continuously. They need to query the last 30 days of data frequently and older data rarely. Which database design is MOST appropriate?

A.Amazon Timestream
B.Amazon RDS for PostgreSQL with partitioning
C.Amazon DynamoDB with TTL
D.Amazon S3 with Athena and partitioning
AnswerA

Timestream is purpose-built for time-series data with automatic tiering.

Why this answer

Amazon Timestream is purpose-built for time-series data, automatically storing recent data in memory for fast queries and moving older data to a cost-optimized store. This matches the workload of frequent queries on the last 30 days and rare queries on older data, with continuous growth at 500 GB/month.

Exam trap

The trap here is that candidates often choose DynamoDB with TTL because they associate TTL with data lifecycle management, but they overlook that DynamoDB lacks native time-series query capabilities and efficient range scans, making it a poor fit for frequent time-based queries.

How to eliminate wrong answers

Option B is wrong because Amazon RDS for PostgreSQL with partitioning requires manual management of partition maintenance, vacuuming, and scaling, and does not natively separate hot and cold storage tiers for time-series data, leading to higher operational overhead and cost for this volume. Option C is wrong because Amazon DynamoDB with TTL only handles data expiration, not efficient range scans or aggregation queries over time-series data; it lacks native time-based query optimization and can result in high read costs for scanning large time ranges. Option D is wrong because Amazon S3 with Athena and partitioning requires running a query engine that incurs per-scan costs and latency, making it unsuitable for frequent sub-second queries on the last 30 days of data, and it lacks a built-in hot/cold storage tier.

777
MCQmedium

A company uses a self-hosted MySQL database on EC2. They want to migrate to Amazon RDS for MySQL with minimal downtime and automated failover. Which migration strategy should be used?

A.Set up MySQL replication from EC2 to RDS, then cut over
B.Use mysqldump to export the database and import to RDS
C.Take a snapshot of the EC2 instance and restore to RDS
D.Use AWS DMS with full load and CDC
AnswerA

Native replication allows minimal downtime and automated failover is built into RDS Multi-AZ.

Why this answer

Option D is correct because setting up replication from EC2 to RDS using MySQL native replication allows near-zero downtime cutover. Option A is wrong because dump/restore requires downtime. Option B is wrong because snapshot restore requires downtime.

Option C is wrong because DMS might add complexity and is not necessary if native replication works.

778
MCQhard

A company is deploying a new application that uses Amazon RDS for MySQL. The database must be highly available with automatic failover. Which deployment configuration meets these requirements?

A.Single-AZ with a Read Replica in the same region
B.Multi-AZ deployment with synchronous replication to a cross-region replica
C.Multi-AZ deployment with a standby replica in a different Availability Zone
D.Single-AZ with automated backups
AnswerC

Multi-AZ provides automatic failover.

Why this answer

Multi-AZ deployment with a standby replica provides automatic failover in RDS MySQL. Option C is correct. Option A (Read Replica) does not provide automatic failover.

Option B (Single-AZ) lacks high availability. Option D (Multi-AZ with synchronous replication) is correct but the description is more accurate for Aurora; for RDS MySQL, Multi-AZ uses synchronous replication to a standby.

779
MCQhard

Refer to the exhibit. The output is from the AWS CLI for an RDS instance. The security team suspects that the encryption key used for this DB instance has been compromised. What is the required action to re-encrypt the instance with a new key?

A.Create a snapshot of the DB instance, copy the snapshot with a new KMS key, and restore the DB instance from the copied snapshot.
B.Modify the DB instance to use a new KMS key.
C.Restore the DB instance to a point in time and specify a new KMS key.
D.Enable encryption on a new DB instance and migrate the data.
AnswerA

This process allows re-encryption with a new key.

Why this answer

RDS does not allow changing the encryption key of an existing encrypted DB instance. The only way is to take a snapshot, copy it with a new KMS key, and restore from that snapshot. Option A is wrong because you cannot modify the KMS key directly.

Option B is wrong because restoring to a point in time uses the same key. Option D is wrong because enabling encryption on an unencrypted instance requires a snapshot restore, but this instance is already encrypted.

780
MCQmedium

A company has an Amazon Redshift cluster that contains sensitive data. The security team requires that data be encrypted at rest using a customer-managed AWS KMS key. The cluster was initially launched without encryption. How can the company enable encryption with minimal downtime?

A.Unload the data to Amazon S3, create a new encrypted cluster, and reload the data from S3.
B.Use the AWS CLI to update the cluster encryption setting.
C.Take a snapshot of the cluster and restore it to a new cluster with encryption enabled.
D.Modify the cluster and enable encryption using the AWS Management Console.
AnswerA

This is the standard procedure to enable encryption on an existing Redshift cluster.

Why this answer

Option B is correct. To enable encryption on an existing unencrypted Redshift cluster, you must unload the data to Amazon S3, create a new encrypted cluster, and reload the data. Option A is incorrect because Redshift does not support enabling encryption on an existing cluster directly.

Option C is incorrect because snapshots preserve encryption status; restoring an unencrypted snapshot to an encrypted cluster is not possible. Option D is incorrect because modifying the cluster does not support enabling encryption.

781
MCQmedium

A company has a 200 GB PostgreSQL database on-premises and wants to migrate to Amazon RDS for PostgreSQL. The company requires encrypted data transfer and wants to minimize downtime. Which combination of services should be used?

A.Use native pg_dump to S3, then import to RDS
B.Use AWS VPN to connect on-premises to RDS and perform a database dump
C.Use AWS DMS with SSL and ongoing replication
D.Use an EC2 instance with PostgreSQL replication to RDS
AnswerC

DMS supports encrypted transfer and CDC for minimal downtime.

Why this answer

Option B is correct because AWS DMS supports SSL encryption and CDC for minimal downtime. Option A is wrong because S3 does not provide database migration. Option C is wrong because EC2 instance is not needed.

Option D is wrong because VPN alone does not migrate data.

782
MCQmedium

A company is deploying a new Amazon RDS for MySQL database. The security team requires that all data at rest be encrypted. What is the simplest way to meet this requirement?

A.Enable encryption using AWS Certificate Manager
B.Use client-side encryption in the application
C.Enable encryption at rest when creating the RDS instance using an AWS KMS key
D.Enable encryption at rest on the RDS instance after creation
AnswerC

Encryption at rest can be enabled at instance creation time using a KMS key.

Why this answer

Amazon RDS for MySQL supports encryption at rest using AWS KMS keys, which must be enabled at instance creation time because encryption cannot be added to an existing unencrypted RDS instance. Option C is correct because it describes the simplest and most direct method: enabling encryption at rest during the initial RDS instance creation with an AWS KMS key, which transparently encrypts the underlying storage, automated backups, read replicas, and snapshots.

Exam trap

The trap here is that candidates may think encryption can be enabled after creation (Option D) because some AWS services allow post-creation encryption, but RDS requires encryption to be set at launch, and this is a common exam trick to test knowledge of RDS encryption limitations.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) is used for SSL/TLS certificate management for data in transit, not for encryption at rest. Option B is wrong because client-side encryption in the application adds unnecessary complexity and does not meet the requirement for data at rest encryption managed by the database service; it also requires application code changes and key management outside of AWS KMS. Option D is wrong because Amazon RDS for MySQL does not allow enabling encryption at rest on an existing unencrypted instance; you must create a new encrypted instance and migrate the data.

783
MCQmedium

An application is receiving the error shown in the exhibit. The application uses connection pooling. The RDS instance is a db.r5.large with max_connections set to 1000. What is the most likely cause?

A.The security group is blocking incoming connections.
B.The max_connections parameter is set too low for the instance size.
C.The connection pool in the application is not releasing idle connections.
D.The RDS instance is in a different VPC than the application.
AnswerC

Leaked connections accumulate, exhausting the max_connections limit.

Why this answer

Option C is correct because connection pooling can accumulate connections if not properly configured, leading to exhaustion. Option A is wrong because 1000 is the default for db.r5.large. Option B is wrong because network ACLs affect connectivity, not the number of connections once established.

Option D is wrong because the error indicates connections are being accepted but exhausted.

784
MCQmedium

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The database has a large table that is frequently accessed by reporting queries. The reporting queries filter on a column that has a high cardinality but low selectivity. To optimize query performance on this table, which design choice should the database specialist recommend?

A.Partition the table by the filter column
B.Use a read replica to offload reporting queries
C.Increase the provisioned read IOPS for the RDS instance
D.Create a covering index on the filter column
AnswerD

A covering index includes all columns needed, allowing query results to be returned from the index alone.

Why this answer

Option D is correct because a covering index includes all columns needed by the reporting queries, allowing PostgreSQL to satisfy the query entirely from the index without accessing the heap (table) pages. This eliminates the overhead of random I/O for row lookups, which is especially beneficial when filtering on a high-cardinality, low-selectivity column where many rows match but the index scan alone can return the required data. In Amazon RDS for PostgreSQL, this reduces read IOPS consumption and improves query latency.

Exam trap

The trap here is that candidates often choose partitioning (Option A) for any large table with filtering, but fail to recognize that low selectivity means partitioning offers no pruning benefit, while a covering index directly reduces I/O by avoiding heap access.

How to eliminate wrong answers

Option A is wrong because partitioning by a high-cardinality, low-selectivity column would create many partitions with similar row counts, offering minimal pruning benefit and adding management overhead without improving query performance. Option B is wrong because a read replica offloads the query execution but does not optimize the query itself; the same slow table scan or index lookup would still occur on the replica. Option C is wrong because increasing provisioned read IOPS addresses throughput capacity but does not reduce the number of I/O operations required; the query still performs the same inefficient access pattern.

785
MCQhard

An e-commerce platform uses Amazon RDS for PostgreSQL to store order data. The database has a table "orders" with 500 million rows. The application runs a report query that aggregates daily sales for the last 30 days. The query currently scans the entire table and takes 15 minutes to complete. The team needs to reduce the query time to under 30 seconds. Which solution is MOST cost-effective?

A.Partition the table by month and query only the relevant partitions.
B.Create a materialized view that stores daily sales aggregates and refresh it nightly.
C.Add a composite index on the date column and the sales amount column.
D.Upgrade the RDS instance to a larger size with more vCPUs and memory.
AnswerB

The report reads pre-computed aggregates, reducing query time drastically.

Why this answer

Option B is correct because a materialized view can pre-aggregate the daily sales, and refreshing it daily avoids scanning the full table. Option A is wrong because indexes on date columns help but still require scanning large portions. Option C is wrong because partitioning by month still requires scanning the partition.

Option D is wrong because upgrading to a larger instance is costly and may not achieve sub-30 seconds.

786
MCQmedium

A company is migrating an on-premises Oracle database to Amazon Aurora PostgreSQL. The database is 1 TB and has complex stored procedures. The migration must be completed within a 4-hour downtime window. Which migration approach is most efficient?

A.Use AWS Schema Conversion Tool (SCT) to convert schema only.
B.Use AWS SCT to convert schema and code, then AWS DMS for data migration.
C.Use Oracle Data Pump to export and pg_restore to import.
D.Use AWS DMS with ongoing replication.
AnswerB

SCT converts schema/code, DMS migrates data.

Why this answer

Option B is correct because AWS SCT converts the Oracle schema and complex stored procedures to Aurora PostgreSQL-compatible code, while AWS DMS performs the full data migration within the 4-hour window. This combination handles both schema/code conversion and bulk data transfer efficiently, meeting the time constraint.

Exam trap

The trap here is that candidates may think DMS alone can handle the entire migration, overlooking that schema and stored procedure conversion is a prerequisite that SCT must address first.

How to eliminate wrong answers

Option A is wrong because using SCT for schema only leaves the stored procedures unconverted, and no data migration is performed, so the database cannot be used. Option C is wrong because Oracle Data Pump and pg_restore are manual, offline tools that require significant downtime for a 1 TB database and do not handle stored procedure conversion automatically, likely exceeding the 4-hour window. Option D is wrong because DMS with ongoing replication alone does not convert the schema or stored procedures; it requires a compatible target schema, which is missing without SCT.

787
MCQhard

A company uses Amazon Redshift for data warehousing. A nightly ETL job fails with 'Disk full' error on some nodes. The cluster has 8 dc2.large nodes. Which action will MOST efficiently resolve the issue without increasing costs?

A.Increase the number of slices per node
B.Add more nodes to the cluster
C.Enable compression on all tables
D.Run a VACUUM command to reclaim space
AnswerD

VACUUM removes deleted rows and frees disk space.

Why this answer

Option B is correct because VACUUM reclaims space from deleted rows without adding cost. Option A is wrong because adding nodes increases cost. Option C is wrong because increasing slice count is not possible without changing node type.

Option D is wrong because compression reduces storage but may not immediately free space.

788
MCQhard

A company uses Amazon DocumentDB (with MongoDB compatibility) for its application. The application is experiencing high write latency. The DB cluster has one primary instance and two replicas. Which action should be taken to identify the cause?

A.Migrate the database to Amazon DynamoDB for better write performance.
B.Add more read replicas to distribute the load.
C.Enable Enhanced Monitoring and review OS-level metrics like CPU, memory, and I/O.
D.Enable slow query logging and analyze slow queries.
AnswerC

Enhanced Monitoring provides granular OS metrics to pinpoint bottlenecks.

Why this answer

Option B is correct because enabling Enhanced Monitoring at the instance level provides OS-level metrics that can help identify resource bottlenecks causing high write latency. Option A is wrong because profiling queries in the slow query log may show slow queries but not necessarily latency at the OS level. Option C is wrong because creating additional replicas does not reduce write latency on the primary.

Option D is wrong because switching to Amazon DynamoDB is a major architectural change, not a troubleshooting step.

789
MCQmedium

A company is migrating an on-premises Oracle database to Amazon Aurora PostgreSQL. They used AWS SCT to convert the schema, but some stored procedures failed to convert automatically. What is the best course of action?

A.Use AWS Lambda to automatically convert the stored procedures.
B.Use AWS DMS to replicate the Oracle stored procedures as-is to Aurora.
C.Switch to Amazon RDS for Oracle to avoid conversion issues.
D.Manually rewrite the unconverted stored procedures to PostgreSQL-compatible code based on SCT's assessment report.
AnswerD

SCT provides a report of items that need manual attention; rewriting is necessary.

Why this answer

Option C is correct because manual remediation of unconverted code is often necessary, and SCT provides an assessment report to guide this. Option A is wrong because DMS does not convert stored procedures. Option B is wrong because PostgreSQL has its own procedural languages.

Option D is wrong because Lambda is not designed for schema conversion.

790
MCQhard

Refer to the exhibit. An application uses Cognito identity pools to authenticate users and dynamodb:LeadingKeys condition to restrict access to items where the partition key matches the user's sub. Some users report that they can see items belonging to other users. What is the most likely cause?

A.The IAM policy does not include a condition for the table
B.The Cognito identity pool is not configured correctly
C.The table ARN is incorrect
D.The ForAllValues:StringEquals should be ForAnyValue:StringEquals
AnswerD

ForAllValues allows access if all request keys match, but if multiple keys are sent, it may allow unintended items. ForAnyValue ensures at least one key matches.

Why this answer

Option B is correct because ForAllValues:StringEquals allows the action if the condition value matches at least one of the request values, but if the request has multiple leading keys (e.g., batch operations), it may pass incorrectly. ForAllValues checks that every key in the request matches the condition; if no keys are present, it also passes. The correct condition should be ForAnyValue:StringEquals to ensure at least one key matches.

Option A is wrong because the condition is set. Option C is wrong unless the condition is missing. Option D is wrong because the audience is not relevant to item-level access.

791
MCQeasy

A startup is building a mobile app backend with user profiles and social features. They need a database that can handle flexible schemas, high read throughput for user profiles, and strong consistency for friend requests. Which database service should they choose?

A.Amazon RDS for MySQL
B.Amazon Neptune
C.Amazon DynamoDB
D.Amazon DocumentDB
AnswerC

DynamoDB provides flexible schema and high performance with strong consistency.

Why this answer

Option C is correct because Amazon DynamoDB offers flexible schema, high throughput, and optional strong consistency. Option A (RDS MySQL) is relational with fixed schema. Option B (Neptune) is graph-dedicated.

Option D (DocumentDB) is MongoDB-compatible but not as optimized for consistent low-latency reads across a wide range of access patterns.

792
MCQhard

A database administrator sees the above error logs in CloudWatch for an Amazon RDS for PostgreSQL DB instance. The application team confirms that the password for 'app_user' is correct. What is the most likely cause of the authentication failures?

A.The password has expired for 'app_user'.
B.The user 'app_user' does not have the LOGIN privilege.
C.The host '10.0.1.50' is not listed in the pg_hba.conf file.
D.The database is in read-only mode.
AnswerC

RDS for PostgreSQL uses pg_hba.conf entries to allow client connections; if the host is not allowed, authentication fails despite correct password.

Why this answer

The errors show authentication failures from a specific host. If the password is correct, the most likely cause is that the host is not allowed by the pg_hba.conf configuration. RDS for PostgreSQL uses DB parameter groups to control pg_hba.conf rules; the rds.force_ssl parameter or the pg_hba.conf entries may not include that host.

793
MCQhard

A company has a multi-player game that uses DynamoDB to store game state. The access pattern is write-heavy, and the game state for each active game session is updated frequently. The team notices throttling on the table during peak hours. The table has a partition key of game_id and no sort key. What design change would best reduce throttling?

A.Use a composite key with a random suffix on the partition key.
B.Enable DynamoDB global tables.
C.Enable DynamoDB Accelerator (DAX) for the table.
D.Increase the provisioned read capacity units (RCU).
AnswerA

Write sharding distributes writes across multiple partitions, reducing hot spots.

Why this answer

Option D is correct because using a write sharding pattern with a suffix distributes writes across partitions, avoiding hot spots. Option A is wrong because increasing read capacity does not help write throttling. Option B is wrong because DynamoDB Accelerator (DAX) only caches reads.

Option C is wrong because global tables replicate data, not reduce throttling.

794
Multi-Selecthard

Which TWO of the following are valid actions to take when an Amazon Redshift query is taking longer than expected due to disk-based operations?

Select 2 answers
A.Use column compression to reduce the amount of data scanned.
B.Increase the number of workload management (WLM) query queues.
C.Redistribute data across nodes using a distribution style that minimizes data movement.
D.Change the sort keys to match the query's ORDER BY clause.
E.Increase the number of nodes in the cluster to provide more memory and CPU.
AnswersC, E

Proper distribution reduces data shuffling and disk spills.

Why this answer

Option A (increasing the number of nodes) and Option C (distributing data evenly) are correct. Option B is incorrect because Sort keys affect order, not disk spills. Option D is incorrect because WLM queues affect concurrency, not disk operations.

Option E is incorrect because column compression reduces storage but may not reduce disk spills.

795
MCQhard

A database team notices that the Amazon Aurora MySQL-Compatible DB cluster is experiencing frequent failovers during peak hours. The failover events are not correlated with any maintenance windows or manual interventions. Which metric in Amazon CloudWatch should be investigated first to identify the root cause?

A.FreeableMemory.
B.DatabaseConnections.
C.ReadLatency.
D.WriteIOPS.
AnswerD

High write IOPS can overwhelm the primary and trigger failover.

Why this answer

Option C is correct because a high volume of write operations can cause the primary instance to become overloaded, leading to failover. Option A is incorrect because DatabaseConnections alone does not directly cause failover. Option B is incorrect because ReadLatency is a symptom, not a direct cause of failover.

Option D is incorrect because FreeableMemory is not a typical cause of failover.

796
MCQmedium

A company runs an Amazon RDS for PostgreSQL instance with Multi-AZ deployment. The primary DB instance fails unexpectedly and a failover occurs. Which action should be taken to minimize downtime during future failovers?

A.Configure an Amazon RDS Proxy to reduce failover time.
B.Increase the DB instance size to reduce failover time.
C.Create a read replica in the same region and promote it during failover.
D.Enable Multi-AZ deployment to automatically failover to the standby.
AnswerD

Multi-AZ provides automatic failover to the standby instance in a different Availability Zone.

Why this answer

Using a read replica as a failover target is not supported in RDS for PostgreSQL. Multi-AZ already provides automatic failover; no additional action is needed. Option B is correct: Multi-AZ automatically handles failover.

797
MCQmedium

A healthcare company is migrating its patient records database to Amazon RDS for SQL Server. The database contains Protected Health Information (PHI). The compliance team requires that all PHI data be encrypted at rest and that the encryption keys be stored in a dedicated AWS CloudHSM cluster. Additionally, the database must be replicated to a second AWS region for disaster recovery. The DBA has enabled RDS encryption at rest using a KMS key, but the compliance team insists on using CloudHSM. What should the DBA do to meet the compliance requirement while maintaining disaster recovery?

A.Use RDS encryption at rest with a KMS key backed by CloudHSM (custom key store).
B.Migrate the database to Amazon DynamoDB with encryption using CloudHSM via KMS custom key store.
C.Use an RDS Custom for SQL Server instance and configure TDE with CloudHSM, then set up log shipping to another region.
D.Enable Transparent Data Encryption (TDE) using a CloudHSM key and create a cross-region read replica for DR.
AnswerD

TDE supports CloudHSM and cross-region replicas.

Why this answer

Option B is correct because RDS for SQL Server supports Transparent Data Encryption (TDE) which can use CloudHSM as the key store. Multi-AZ deployments support cross-region read replicas, allowing DR. Option A is wrong because RDS encryption at rest cannot use CloudHSM directly.

Option C is wrong because moving to DynamoDB is unnecessary and does not use CloudHSM. Option D is wrong because using an RDS Custom instance with TDE and manual replication is more complex and not recommended.

798
MCQhard

A company uses Amazon DynamoDB to store user session data. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. The DynamoDB table is already configured with AWS managed KMS encryption. How can the company meet the encryption requirement without recreating the table?

A.Enable DynamoDB Streams and use a Lambda function to copy data to a new table with the desired encryption.
B.Export the table to Amazon S3 using the on-demand backup feature, then import it into a new table encrypted with the desired KMS key.
C.Use the UpdateTable API to specify the new KMS key in the SSESpecification parameter.
D.Delete the table and recreate it with the new KMS key.
AnswerC

DynamoDB allows updating the encryption key on an existing table via UpdateTable.

Why this answer

Option C is correct because DynamoDB supports updating the encryption key for an existing table using the UpdateTable API with the SSESpecification parameter. You can switch from AWS managed key to a customer managed key. Option A is incorrect because you cannot change the encryption configuration during table creation after the table exists.

Option B is incorrect because exporting to S3 and re-importing is unnecessary and causes more downtime. Option D is incorrect because DynamoDB streams are used for change data capture, not for encryption changes.

799
MCQmedium

An administrator needs to migrate an on-premises MongoDB database to Amazon DocumentDB. The migration must have near-zero downtime. Which approach should the administrator use?

A.Use AWS DataSync to transfer the MongoDB data files
B.Use AWS Glue to extract and load data
C.Use mongodump to export and mongorestore to import
D.Use AWS DMS with MongoDB as source and DocumentDB as target
AnswerD

DMS supports ongoing replication with change data capture for near-zero downtime.

Why this answer

Option B is correct because AWS DMS supports ongoing replication from MongoDB to DocumentDB using change streams. Option A is wrong because mongodump/mongorestore is a one-time import with downtime. Option C is wrong because AWS DataSync is for file-based transfers, not databases.

Option D is wrong because AWS Glue is for ETL, not live replication.

800
MCQeasy

A social media startup is selecting a database for user profiles with a flexible schema and high write throughput. The application is built on Node.js and requires low-latency access. Which database should they choose?

A.Amazon Aurora
B.Amazon ElastiCache for Redis
C.Amazon RDS for MySQL
D.Amazon DynamoDB
AnswerD

NoSQL, flexible schema, high throughput.

Why this answer

Amazon DynamoDB is a NoSQL key-value and document database that offers flexible schema and high throughput with low latency. Option A (Aurora) is relational. Option B (RDS MySQL) is relational.

Option D (ElastiCache) is a cache, not a primary database.

801
MCQmedium

A company is migrating a 500 GB MySQL database from on-premises to Amazon RDS for MySQL. The database is critical and must have minimal downtime. Which approach should be used to migrate the database with the least downtime?

A.Use AWS Database Migration Service (DMS) with a replication instance to perform a full load and then ongoing replication until cutover.
B.Modify the on-premises database to use a new master user and then use the AWS Schema Conversion Tool to migrate.
C.Create a read replica of the on-premises database and promote it to a standalone RDS instance.
D.Export the database using mysqldump and import into RDS using mysql command-line tool. Schedule a maintenance window for cutover.
AnswerA

DMS supports ongoing replication to minimize downtime during migration.

Why this answer

Option C is correct because AWS Database Migration Service (DMS) with ongoing replication allows migration with minimal downtime by continuously replicating changes from the source to the target until cutover. Option A is wrong because creating a read replica is not possible from on-premises. Option B is wrong because exporting and importing will cause significant downtime.

Option D is wrong because changing the master user is unrelated to migration.

802
MCQeasy

A company is deploying a new Amazon RDS for MariaDB instance. The database must be accessible from a specific set of EC2 instances in a VPC. How should the company configure security to allow access?

A.Assign the same security group to both the RDS instance and the EC2 instances.
B.Create a security group for the RDS instance that allows inbound traffic from the EC2 instances' security group.
C.Attach an IAM role to the EC2 instances that grants access to the RDS database.
D.Configure a network ACL to allow inbound traffic from the EC2 instance IPs.
AnswerB

Security group referencing is the best practice for allowing access from EC2.

Why this answer

Option C is correct because the RDS security group should allow inbound traffic from the EC2 security group. Option A is wrong because NACLs are stateless and less granular. Option B is wrong because RDS does not support EC2 classic security groups.

Option D is wrong because IAM roles are for authentication, not network access.

803
Multi-Selecthard

Which THREE practices should be implemented to secure an Amazon DynamoDB table that stores personally identifiable information (PII)? (Select THREE.)

Select 3 answers
A.Use a VPC endpoint to access the table.
B.Enable encryption at rest using an AWS KMS customer-managed key.
C.Use an IAM policy to restrict who can access the table.
D.Enable AWS CloudTrail to log all DynamoDB API calls.
E.Enable encryption in transit using SSL/TLS.
AnswersB, C, D

Encryption at rest protects data.

Why this answer

Using IAM policies to restrict access is a security best practice. Encrypting the table at rest with a KMS key protects data. Monitoring with CloudTrail provides audit trail.

VPC endpoints help but are not a security practice for the table itself. Encryption in transit is done by DynamoDB automatically via HTTPS. Fine-grained access control can be achieved with IAM conditions, not attribute-based access control on the table itself.

804
MCQeasy

A company's Amazon RDS for MySQL DB instance is experiencing high CPU utilization. The DB instance is a db.r5.large with 200 GB of General Purpose SSD (gp2) storage. The application is performing many complex queries. Which action would BEST reduce CPU utilization without changing the application code?

A.Create a read replica and route write queries to it
B.Modify the storage type to gp3
C.Scale up the DB instance to db.r5.xlarge
D.Enable the query cache parameter
AnswerC

More CPU cores/vCPUs reduce utilization.

Why this answer

Option A is correct because scaling up the instance provides more CPU capacity. Option B is wrong because read replicas help with read scaling but not CPU on the writer. Option C is wrong because gp3 storage does not affect CPU.

Option D is wrong because changing the query cache is unlikely to significantly reduce CPU.

805
MCQhard

A company is migrating a 500 GB SQL Server database to Amazon RDS for SQL Server. The database has a large number of stored procedures and triggers. The migration must have minimal downtime. Which approach should be used?

A.Use AWS Schema Conversion Tool (AWS SCT) to convert the schema and AWS DMS for data migration
B.Use AWS S3 to store the data and AWS Glue to transform and load into RDS
C.Use AWS Database Migration Service (AWS DMS) with full load and ongoing replication
D.Use native SQL Server backup and restore to Amazon RDS
AnswerC

AWS DMS supports ongoing replication to minimize downtime.

Why this answer

AWS DMS with ongoing replication allows for minimal downtime. Option A is incorrect because backup/restore does not support ongoing replication. Option B is incorrect because S3 and Glue are not designed for database migration.

Option C is incorrect because AWS SCT is for schema conversion, not data migration.

806
Multi-Selecthard

A company uses Amazon DynamoDB with a global secondary index (GSI). The security team requires that only specific IAM users can query the GSI. Which THREE conditions must be met to restrict access to the GSI?

Select 3 answers
A.The policy must include a condition 'dynamodb:IndexName' with the index name.
B.The policy must include a condition key 'dynamodb:Attributes' to restrict which attributes are returned.
C.The user must have permission to query the base table as well.
D.The policy must allow the 'dynamodb:Query' action on the index.
E.The IAM policy must specify the index ARN in the Resource element.
AnswersC, D, E

Querying a GSI requires access to the base table.

Why this answer

Options A, B, and D are correct. Option C is wrong because a condition with 'dynamodb:Attributes' does not restrict access to the GSI itself; it restricts projection of attributes. Option E is wrong because the index name must be specified in the resource ARN, not by a condition key.

807
MCQmedium

A company wants to enforce encryption in transit for all connections to their ElastiCache for Redis cluster. Which security measure should they implement?

A.Set a parameter group with 'require_secure_transport' to ON.
B.Enable Encryption in-transit when creating the cluster.
C.Use VPC Flow Logs to monitor connections.
D.Enable encryption at rest using KMS.
AnswerB

This enforces TLS for all connections.

Why this answer

Option B is correct because ElastiCache for Redis enforces encryption in transit by enabling the feature at cluster creation time. This uses TLS to encrypt data moving between clients and the Redis nodes, ensuring that all connections are secured against eavesdropping or man-in-the-middle attacks. The setting cannot be changed after the cluster is provisioned, so it must be enabled during the initial setup.

Exam trap

The trap here is that candidates confuse the 'require_secure_transport' parameter from RDS with ElastiCache, or assume that encryption in transit can be enabled after cluster creation via a parameter group change, when in fact it is a one-time setting at launch.

How to eliminate wrong answers

Option A is wrong because ElastiCache for Redis does not support a 'require_secure_transport' parameter; that parameter exists in Amazon RDS for MySQL/MariaDB, not in ElastiCache. Option C is wrong because VPC Flow Logs capture metadata about network traffic (source/destination IPs, ports, protocols) but do not enforce or enable encryption in transit; they are a monitoring tool, not a security control for encryption. Option D is wrong because encryption at rest using KMS protects data stored on disk, not data in transit over the network; it addresses a different threat model.

808
MCQhard

A company is using Amazon DynamoDB with server-side encryption enabled. They need to ensure that all access to the table is audited. Which service should be used to capture data-plane API calls?

A.VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS CloudTrail
AnswerD

CloudTrail can log data events for DynamoDB, including GetItem, PutItem, etc., when configured.

Why this answer

Option C is correct because CloudTrail can record data-plane events for DynamoDB (e.g., GetItem, PutItem) when data events are enabled. Option A is wrong because CloudWatch Logs can store logs but does not capture API calls directly. Option B is wrong because VPC Flow Logs capture network traffic, not API calls.

Option D is wrong because Config records configuration changes, not data-plane API calls.

809
MCQeasy

A company wants to ensure that their Amazon RDS for PostgreSQL database is automatically backed up every day and retains backups for 30 days. Which configuration should they use?

A.Set the backup retention period to 0 to disable automated backups and use manual snapshots.
B.Create a manual snapshot daily using AWS Backup.
C.Enable Multi-AZ deployment for automatic failover.
D.Enable automated backups with a retention period of 30 days.
AnswerD

Automated backups are configurable up to 35 days.

Why this answer

Automated backups are enabled by default with a retention period of 1-35 days. Setting backup retention period to 30 days meets the requirement.

810
Multi-Selecteasy

Which TWO AWS services can be used to monitor and set alarms on Amazon RDS database performance metrics? (Choose two.)

Select 2 answers
A.Amazon RDS Performance Insights
B.AWS Trusted Advisor
C.Amazon RDS Enhanced Monitoring
D.Amazon CloudWatch
E.AWS CloudTrail
AnswersC, D

Enhanced Monitoring provides OS-level metrics, which are sent to CloudWatch.

Why this answer

CloudWatch monitors metrics and can set alarms; Enhanced Monitoring provides OS-level metrics. RDS Performance Insights is for performance analysis, not alarms.

811
MCQhard

A startup is building a real-time analytics dashboard on AWS. The data arrives as time-series events from IoT devices at a rate of 10,000 writes per second. Each event is approximately 1 KB. The dashboard requires sub-second query latency for the last hour of data and must support ad-hoc analytical queries on historical data spanning months. The team needs to design a cost-effective database solution. Which combination of AWS services should be used?

A.Amazon ElastiCache for Redis for real-time queries, and Amazon OpenSearch Service for historical analytics.
B.Amazon DynamoDB with DynamoDB Accelerator (DAX) for real-time queries, and Amazon S3 with Amazon Athena for historical analytics.
C.Amazon Redshift for both real-time and historical queries, using auto-scaling and materialized views.
D.Amazon RDS for PostgreSQL with read replicas for real-time queries, and Amazon Redshift for historical analytics.
AnswerB

DynamoDB handles high write throughput, DAX provides sub-second reads, and S3 with Athena allows cost-effective ad-hoc queries on historical data.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) provides sub-second read latency for hot data, while Amazon S3 with Athena supports ad-hoc queries on historical data cost-effectively. Option B is wrong because Amazon Redshift is optimized for complex analytics but not for sub-second real-time queries. Option C is wrong because ElastiCache for Redis alone cannot handle the high write throughput and is not designed for analytics.

Option D is wrong because Amazon RDS for PostgreSQL with read replicas is not designed for 10,000 writes per second and querying historical data would be expensive and slow.

812
MCQmedium

An IAM policy is attached to an IAM user. The user wants to connect to an RDS MySQL database using IAM database authentication. What does this policy allow?

A.Allows the user to connect to any database on the RDS instance as any user.
B.Allows the user to manage the RDS instance.
C.Allows the user to connect to the RDS instance with the database user name 'db_user1'.
D.Allows the user to connect to the RDS instance with any database user name.
AnswerC

The resource specifies the database user.

Why this answer

Option A is correct. The policy allows the user to connect to the specified database as user 'db_user1'. Option B is wrong because it only allows connecting to one database user.

Option C is wrong because it allows only one database user. Option D is wrong because the resource is specific to a database instance and user.

813
MCQhard

A company is migrating a 3 TB Oracle database to Amazon RDS for Oracle. The migration uses AWS DMS with ongoing replication. The source database is actively used by applications. After the initial full load, the target RDS instance is in sync. However, during the ongoing replication phase, the replication task fails with an error: 'ORA-1555: snapshot too old.' The DMS task has been set up with a source endpoint that uses the 'Oracle TNS' connection method. The company needs to resolve the issue without stopping the source database. Which action should be taken?

A.Change the source endpoint to use the 'Oracle SID' connection method.
B.Decrease the batch size of the DMS task.
C.Increase the undo retention period in the source Oracle database.
D.Increase the frequency of the DMS task's log mining.
AnswerC

Longer undo retention keeps snapshot data available for DMS.

Why this answer

The ORA-1555 error indicates that undo data is overwritten before DMS can read it. Increasing undo retention ensures the snapshot data is available longer. Reducing batch size would not address the undo issue.

Increasing logging frequency does not affect undo. Using a different connection method does not solve the underlying undo retention problem.

814
MCQmedium

A database administrator is troubleshooting a failover event for an Amazon RDS for SQL Server Multi-AZ DB instance. The failover occurred automatically. Which AWS service or feature should the administrator use to view the failover history and the reason for the failover?

A.The Amazon RDS console Events page.
B.Amazon CloudWatch Logs for the DB instance.
C.AWS CloudTrail logs to view the failover API call.
D.The AWS Status Dashboard.
AnswerA

RDS events include failover events with reasons.

Why this answer

Amazon RDS events are stored in the RDS console under 'Events' and also in CloudTrail. But the best place to see failover reasons is the RDS console events. Option B is correct because the RDS console shows events like 'failover' with reasons.

Option A is wrong because CloudTrail records API calls, not internal failover reasons. Option C is wrong because CloudWatch Logs does not automatically log failover reasons. Option D is wrong because StatusInsis not a service.

815
MCQeasy

A company is building a real-time analytics dashboard for IoT sensor data. The data arrives as JSON and needs to be stored in a way that supports fast ingestion and complex queries. Which database service is best suited?

A.Amazon RDS for PostgreSQL
B.Amazon DynamoDB with TTL
C.Amazon Timestream
D.Amazon Redshift
AnswerC

Timestream is purpose-built for time-series data with fast ingestion and analytical functions.

Why this answer

Amazon Timestream is a time-series database optimized for IoT data, with fast ingestion and built-in analytics functions. DynamoDB is not optimized for time-series queries. RDS is not designed for high-velocity time-series data.

Redshift is for batch analytics.

816
MCQhard

A financial services company is designing a ledger system using Amazon QLDB. The application records transactions that must never be modified or deleted. The company expects high write throughput and needs to ensure that the ledger can handle the load without throttling. Which design consideration is MOST important to achieve this?

A.Partition the ledger table by transaction date to distribute write load.
B.Create multiple ledgers and distribute writes across them.
C.Enable auto-scaling on the ledger to handle bursts of traffic.
D.Batch multiple document inserts into a single transaction to reduce the number of transactions.
AnswerD

Batching reduces the number of transactions, helping to stay within throughput limits.

Why this answer

Option D is correct because Amazon QLDB charges per transaction (document insert, update, or delete) and has a maximum throughput limit of 1,000 transactions per second per ledger. By batching multiple document inserts into a single transaction, you reduce the number of transactions, thereby staying within the throughput limit while still achieving high write throughput. This approach directly addresses the need to avoid throttling without sacrificing the immutability requirements of the ledger system.

Exam trap

The trap here is that candidates often assume QLDB supports auto-scaling like DynamoDB or Aurora, but QLDB has a fixed throughput limit and requires batching to handle high write loads without throttling.

How to eliminate wrong answers

Option A is wrong because QLDB is a fully managed ledger database that automatically partitions data; manual partitioning by transaction date is not supported and would not distribute write load. Option B is wrong because creating multiple ledgers increases operational complexity and does not inherently increase write throughput per ledger; QLDB's throughput limit applies per ledger, and distributing writes across ledgers would require application-level sharding, which is not a recommended design for a single ledger system. Option C is wrong because QLDB does not support auto-scaling; it has a fixed throughput limit of 1,000 transactions per second per ledger, and enabling auto-scaling is not a feature available in QLDB.

817
MCQhard

A financial services company is using Amazon Aurora MySQL as its primary database. The database has a table 'transactions' that receives high inserts during business hours. The table is partitioned by date. Recently, the application team noticed an increase in lock wait timeouts. The database specialist reviewed the InnoDB status and found that there are frequent gap locks on the 'transaction_date' column. The isolation level is REPEATABLE READ. What should the specialist do to reduce lock waits while maintaining data consistency?

A.Add a secondary index on transaction_date.
B.Increase the innodb_lock_wait_timeout parameter.
C.Modify the partitioning key to use a hash-based partition.
D.Change the transaction isolation level to READ COMMITTED.
AnswerD

READ COMMITTED avoids gap locks for locking reads.

Why this answer

Option A is correct because changing the isolation level to READ COMMITTED eliminates gap locks for non-unique indexes, reducing lock contention. Option B is wrong because increasing innodb_lock_wait_timeout only increases timeout, not reduces locks. Option C is wrong because adding an index on transaction_date may increase lock granularity? Actually, if the index is not unique, gap locks still occur.

Option D is wrong because partitioning does not affect gap locks.

818
Multi-Selecteasy

A company is building a microservices architecture and needs a database for a service that stores JSON documents with variable schema. The database must support high availability and automatic scaling. Which TWO services meet these requirements? (Choose two.)

Select 2 answers
A.Amazon ElastiCache for Redis
B.Amazon DynamoDB
C.Amazon DocumentDB
D.Amazon Neptune
E.Amazon RDS for MySQL
AnswersB, C

DynamoDB supports JSON documents, high availability, and auto scaling.

Why this answer

Amazon DynamoDB is correct because it is a fully managed NoSQL key-value and document database that natively supports JSON documents with variable schema, offers high availability through multi-AZ replication, and provides automatic scaling via its on-demand capacity mode or auto-scaling policies. It is ideal for microservices architectures that require low-latency, serverless, and elastic throughput.

Exam trap

AWS often tests the misconception that any database supporting JSON (like MySQL with JSON data type) qualifies as a document database for variable schema workloads, but the key differentiator is automatic scaling and native document store capabilities, which DynamoDB and DocumentDB provide, while RDS does not.

819
MCQhard

Refer to the exhibit. An Amazon RDS for Oracle instance is experiencing ORA-00257 errors. The DBA has already increased the archive log retention setting. What is the most efficient next step to resolve the issue without manual intervention?

A.Configure archiving to Amazon S3 to offload logs.
B.Reboot the DB instance to clear the recovery area.
C.Modify the DB instance to increase the allocated storage.
D.Manually delete old archive logs from the recovery area using RMAN.
AnswerC

Increasing storage automatically increases the recovery area size.

Why this answer

Option C is correct. The error indicates the flash recovery area is full. The most efficient automated way is to modify the RDS DB instance to increase allocated storage, which also increases the recovery area.

Option A is wrong because manually deleting logs is not automated. Option B is wrong because archiving to S3 is not a standard RDS feature. Option D is wrong because restarting does not free space.

820
Multi-Selectmedium

Which TWO methods can be used to encrypt an existing unencrypted Amazon RDS for Oracle DB instance? (Choose 2.)

Select 2 answers
A.Use the AWS Management Console to toggle encryption on the DB instance.
B.Create a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the DB instance from the encrypted snapshot.
C.Modify the DB instance and enable encryption in the configuration.
D.Use AWS Database Migration Service (DMS) to migrate data to a new encrypted DB instance.
E.Create a read replica with encryption enabled.
AnswersB, D

This is a supported method to encrypt an existing instance.

Why this answer

Options A and D are correct because you can create a snapshot, copy it with encryption, and restore; or use DMS to migrate to an encrypted target. Option B is wrong because you cannot directly enable encryption on an existing instance. Option C is wrong because enabling encryption on a replica requires the source to be encrypted.

Option E is wrong because the console does not allow direct modification.

821
Multi-Selecthard

A company uses Amazon RDS for SQL Server with Multi-AZ deployment. The security team wants to ensure that all database connections use SSL/TLS encryption. Which TWO actions should the database specialist take to enforce SSL connections? (Choose two.)

Select 2 answers
A.Use the RDS Console to enable 'Force SSL' on the DB instance.
B.Modify the DB parameter group to set 'require_secure_transport' to ON.
C.Create a server-level trigger that requires SSL for all logins.
D.Add an inbound rule to the security group that only allows traffic on port 1433 from IP addresses that use SSL.
E.Set the 'rds.force_ssl' parameter to 1 in the DB parameter group.
AnswersC, E

A trigger can enforce SSL by checking the session's protocol and denying non-SSL connections.

Why this answer

Option C is correct because SQL Server allows you to create a server-level DDL trigger that checks the login event and enforces SSL by examining the `@@OPTIONS` or `encrypt_option` in `sys.dm_exec_connections`. This is a supported method to force SSL for all connections to an RDS for SQL Server instance. Option E is correct because setting the `rds.force_ssl` parameter to 1 in the DB parameter group is the native RDS mechanism to enforce SSL/TLS for all connections to the DB instance.

Exam trap

The trap here is that candidates confuse MySQL-specific parameters (like `require_secure_transport`) with SQL Server parameters, or assume that security group rules can enforce encryption at the transport layer, when in fact they only control network access, not the encryption state of the connection.

822
Drag & Dropmedium

Arrange the steps to perform a point-in-time recovery (PITR) for an Amazon RDS for MySQL DB instance in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

PITR restores the database to a specific time within the backup retention window by selecting the restore option and specifying the time.

823
MCQmedium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The application team reports intermittent connection timeouts. CloudWatch shows increased DatabaseConnections and CPU Utilization during peak hours. Which action should the database specialist take to troubleshoot the issue?

A.Add enhanced monitoring to collect additional metrics.
B.Enable slow query log and analyze queries.
C.Create a read replica and redirect read traffic.
D.Failover to the standby instance to refresh connections.
AnswerB

Slow query log helps identify inefficient queries causing high resource usage.

Why this answer

Option B is correct because enabling slow query log helps identify long-running queries causing high CPU and connections. Option A is wrong because Multi-AZ failover does not resolve performance issues. Option C is wrong because enhancing CloudWatch metrics does not directly fix timeouts.

Option D is wrong because read replicas are for read scaling, not for reducing connection timeouts on the primary.

824
MCQhard

A company is using Amazon DynamoDB with encryption at rest using an AWS managed key. The security team now requires that the encryption key be rotated every 90 days. What should they do?

A.Enable automatic key rotation in AWS KMS for the default DynamoDB key.
B.Create a new customer managed key and enable automatic rotation every 90 days.
C.Disable encryption at rest and implement client-side encryption.
D.Use a customer managed key and manually rotate it every 90 days by creating a new key and updating the DynamoDB table.
AnswerD

Manual rotation is required to achieve a 90-day rotation schedule.

Why this answer

DynamoDB encryption at rest using AWS managed key does not support customer-controlled rotation. Option C is correct. Option A is wrong because AWS managed keys rotate automatically every year, not on customer schedule.

Option B is wrong because KMS automatic rotation is annual and cannot be set to 90 days. Option D is wrong because disabling encryption is not a valid option.

825
MCQhard

A social media company uses Amazon DynamoDB to store user posts. The table has a partition key of 'user_id' and a sort key of 'post_timestamp'. Each item is about 10 KB. The application needs to retrieve all posts for a given user within a date range. The company recently added a new feature that allows users to 'like' posts, and they store the like count as an attribute in the post item. The like count is updated frequently. The application experiences high write throttling on the table. The table has 1000 WCUs provisioned. The write pattern is bursty. Which design change would MOST effectively reduce write throttling?

A.Increase the WCUs to 5000.
B.Enable DynamoDB Accelerator (DAX) to cache writes.
C.Add a random suffix to the user_id partition key to distribute writes across multiple partitions.
D.Create a Global Secondary Index (GSI) on the like count attribute.
AnswerC

Sharding spreads the write load evenly across partitions, reducing throttling.

Why this answer

Option C is correct because the write throttling is caused by a 'hot partition' — all writes for a given user_id go to the same partition, and the bursty write pattern (e.g., many likes on a single post) exceeds the partition's 1,000 WCU limit (1,000 write capacity units per partition). Adding a random suffix to the user_id partition key distributes writes across multiple partitions, effectively increasing the write throughput for that logical user's data. This is a common design pattern for DynamoDB to handle high-traffic items without increasing provisioned capacity.

Exam trap

The trap here is that candidates often assume increasing provisioned capacity (Option A) is the universal fix for throttling, but AWS specifically tests the understanding that DynamoDB's partition-level throughput limits require data distribution changes, not just capacity increases.

How to eliminate wrong answers

Option A is wrong because simply increasing WCUs to 5000 does not solve the hot partition issue — the writes are still concentrated on a single partition key (user_id), and a single partition can only handle up to 1,000 WCUs (or 3,000 if using burst capacity), so throttling will persist. Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for reads, not writes — it does not absorb or buffer write requests, so it cannot reduce write throttling. Option D is wrong because creating a Global Secondary Index (GSI) on the like count attribute does not affect the base table's write capacity or partition distribution; GSIs have their own write capacity and are used for querying, not for alleviating write contention on the base table.

Page 10

Page 11 of 24

Page 12