AWS Certified Database Specialty DBS-C01 (DBS-C01) — Questions 12761350

1730 questions total · 24pages · All types, answers revealed

Page 17

Page 18 of 24

Page 19
1276
MCQhard

A company is using Amazon DynamoDB with client-side encryption using the DynamoDB Encryption Client. The encryption keys are stored in AWS KMS. The security team wants to ensure that the encryption keys can be used only by authorized applications. What should be done?

A.Store the encryption keys in AWS CloudHSM instead of KMS.
B.Use AWS Secrets Manager to store the encryption keys and rotate them automatically.
C.Use an IAM policy that denies access to the DynamoDB table unless the request includes the correct key.
D.Use a KMS key policy that grants access only to the specific IAM roles used by the applications.
AnswerD

KMS key policies can restrict which principals can use the key.

Why this answer

Option A is correct because using a KMS key policy to restrict which IAM roles can use the key ensures only authorized applications can decrypt. Option B is wrong because IAM policies cannot restrict key usage alone; key policies are also needed. Option C is wrong because CloudHSM is a different key store.

Option D is wrong because Secrets Manager is for secrets, not key management.

1277
MCQeasy

A company has an Amazon DynamoDB table with provisioned capacity. The table experiences occasional spikes in write traffic that exceed the provisioned write capacity units (WCU). Which feature should the database specialist enable to handle these spikes without throttling?

A.Enable DynamoDB burst capacity.
B.Configure DynamoDB Auto Scaling for write capacity.
C.Use DynamoDB Accelerator (DAX) to cache writes.
D.Switch to on-demand capacity mode.
AnswerB

Auto Scaling adjusts capacity automatically to handle spikes.

Why this answer

Option D is correct. DynamoDB Auto Scaling adjusts the provisioned capacity based on actual traffic, handling spikes without throttling. Option A is wrong because burst capacity is limited and can be exhausted.

Option B is wrong because switching to on-demand may increase costs. Option C is wrong because DynamoDB Accelerator (DAX) is a cache for reads, not writes.

1278
MCQeasy

Refer to the exhibit. A developer created an IAM policy with the above command and attached it to a user. What is the security implication of this policy?

A.The policy restricts access to only one specific DB instance.
B.The policy allows only actions in the us-east-1 region.
C.The policy grants full administrative access to all RDS resources in the account.
D.The policy only allows read-only access to RDS.
AnswerC

This is the security risk.

Why this answer

The policy allows all RDS actions on all resources. This gives the user full administrative access to all RDS resources in the account, which is overly permissive and violates least privilege. Option A is wrong because the policy does not restrict to a specific region.

Option C is wrong because it does allow modifying instances. Option D is wrong because it does not restrict to specific instances.

1279
MCQhard

A company uses Amazon Aurora MySQL for a SaaS application. Each tenant has a separate database. The company wants to implement a centralized monitoring solution that collects performance metrics from all tenant databases. The solution should be cost-effective and require minimal overhead. Which approach should be used?

A.Use AWS DMS to continuously replicate metrics to a central RDS instance.
B.Consolidate all tenants into a single RDS MySQL instance and use separate schemas.
C.Run an AWS Lambda function that queries each database's performance_schema every minute and stores results in S3.
D.Use Amazon CloudWatch Agent to collect custom metrics from each Aurora instance and aggregate in CloudWatch.
AnswerD

CloudWatch Agent collects metrics with low overhead.

Why this answer

Option C is correct because Amazon CloudWatch Agent installed on each Aurora instance can collect custom metrics, but more efficiently, Aurora publishes Performance Insights metrics to CloudWatch. Option A is wrong because a single RDS instance cannot host multiple databases for isolation. Option B is wrong because DMS is for data migration, not monitoring.

Option D is wrong because a Lambda function querying each database would create overhead.

1280
MCQeasy

A company runs an Amazon RDS for Oracle DB instance. The database administrator wants to receive an alert when the storage space is below 10% of the allocated storage. Which Amazon CloudWatch metric and alarm threshold should be used?

A.Metric: FreeStorageSpace, Condition: < 10% of 100 GB (10 GB)
B.Metric: BinaryLogUsage, Condition: > 10%
C.Metric: FreeableMemory, Condition: < 10% of total memory
D.Metric: DiskQueueDepth, Condition: > 10
AnswerA

FreeStorageSpace metric with a threshold of 10 GB (assuming 100 GB allocated) would trigger when free space is below 10%.

Why this answer

The metric FreeStorageSpace shows the available storage in bytes. The alarm should be set to when FreeStorageSpace is less than 10% of allocated storage. Option B is correct.

Option A is wrong because it's a percentage of total. Option C is wrong because it's a fixed value. Option D is wrong because BinaryLog usage is not relevant.

1281
Multi-Selectmedium

A company runs a MySQL database on Amazon RDS for a financial application that requires point-in-time recovery (PITR) with a recovery window of at least 35 days. The database is 500 GB in size. Which TWO actions should be taken to meet these requirements?

Select 2 answers
A.Create manual snapshots every day.
B.Set the backup retention period to 35 days.
C.Enable deletion protection on the RDS instance.
D.Enable Multi-AZ deployment for high availability.
E.Enable automated backups with a retention period of 35 days.
AnswersB, E

Automated backups with retention up to 35 days enable PITR.

Why this answer

Amazon RDS for MySQL supports point-in-time recovery (PITR) only through automated backups. The backup retention period controls how far back you can perform PITR. Setting the retention period to 35 days ensures that automated backups are retained for that duration, meeting the 35-day recovery window requirement.

Manual snapshots do not support PITR, so option B is correct.

Exam trap

The trap here is that candidates often confuse manual snapshots with automated backups, assuming manual snapshots support PITR, but only automated backups (with transaction logs) enable point-in-time recovery to any second within the retention window.

1282
MCQmedium

A company is deploying a new web application that uses Amazon RDS for MySQL. The application has unpredictable read traffic spikes. The company wants to minimize read latency and automatically scale read capacity. What is the MOST cost-effective solution?

A.Use Amazon ElastiCache as a caching layer
B.Use Amazon RDS Proxy to manage connections
C.Deploy the RDS instance in a Multi-AZ configuration
D.Create an Amazon RDS read replica and configure the application to use it for read traffic
AnswerD

Read replicas offload read traffic and can be scaled manually; they are cost-effective.

Why this answer

A Multi-AZ deployment provides high availability but does not offload reads. Read replicas offload read traffic and can be scaled manually or via auto-scaling with a custom solution. RDS Proxy is for connection management, not read scaling.

ElastiCache is a caching layer but requires application changes and adds cost. Read replicas are the most cost-effective for read scaling.

1283
Multi-Selectmedium

Which TWO actions should a company take to secure an Amazon RDS for MySQL database that is accessible from the internet? (Choose two.)

Select 2 answers
A.Use a security group that restricts inbound traffic to only the required IP addresses.
B.Disable encryption at rest to reduce latency.
C.Use the default VPC with a public subnet and a network ACL that allows all traffic.
D.Launch the DB instance in a public subnet with a public IP address.
E.Place the DB instance in a private subnet without a public IP address.
AnswersA, E

Security groups act as a virtual firewall to control inbound traffic.

Why this answer

Options B and E are correct. Option B: Placing the DB instance in a private subnet with no direct internet access is a fundamental security measure. Option E: Using security groups to restrict inbound traffic to specific IP addresses limits exposure.

Option A is wrong because disabling encryption reduces security. Option C is wrong because using a public subnet increases exposure. Option D is wrong because using the default VPC with a public subnet is insecure.

1284
MCQmedium

A company's Amazon RDS for Oracle instance is running out of storage space. The database administrator wants to add storage without downtime. Which action should be taken?

A.Delete old archived redo logs to free up space.
B.Take a snapshot and restore to a larger instance.
C.Use the 'Modify DB Instance' action to increase the allocated storage.
D.Create a new DB instance with larger storage and migrate the data.
AnswerC

RDS allows online storage modification.

Why this answer

Option C is correct because RDS supports modifying allocated storage online with minimal downtime. Option A is wrong because creating a new instance and migrating involves downtime. Option B is wrong because increasing storage is not a backup.

Option D is wrong because deleting logs may cause issues.

1285
MCQhard

Refer to the exhibit. A developer deploys this CloudFormation template. An application on the EC2 instance cannot connect to the RDS MySQL database. What is the MOST likely cause?

A.The EC2 security group allows inbound MySQL from 0.0.0.0/0 but the RDS security group only allows traffic from the VPC CIDR, which does not include the EC2 security group.
B.The RDS instance has encryption enabled, preventing access from EC2.
C.The RDS instance has DeletionProtection enabled, which blocks connections.
D.The EC2 instance is in a different Availability Zone than the RDS instance.
AnswerA

RDS SG should allow traffic from EC2 SG, not just VPC CIDR.

Why this answer

Option A is correct because the RDS security group (MyDBSecurityGroup) only allows inbound traffic from the VPC CIDR (10.0.0.0/16), but the EC2 security group (MyEC2SecurityGroup) does not allow traffic from the RDS security group. Additionally, the EC2 instance is in the same VPC but the security group rules do not reference the EC2 security group. Option B is wrong because the subnets are in the same VPC and there is no mention of different AZs being an issue.

Option C is wrong because there is no encryption configured. Option D is wrong because DeletionProtection does not affect connectivity.

1286
MCQmedium

A database administrator is troubleshooting an Amazon RDS for SQL Server instance that is experiencing high 'ReadIOPS' and 'ReadLatency'. The instance uses General Purpose SSD (gp2) storage. The 'BurstBalance' metric is 0%. What should the administrator do to improve performance?

A.Enable Multi-AZ to distribute the load
B.Increase the allocated storage or switch to Provisioned IOPS
C.Create a read replica to offload read traffic
D.Disable automatic backups to reduce I/O
AnswerB

Increasing volume size increases baseline IOPS for gp2; switching to io1/io2 provides consistent IOPS.

Why this answer

Option D is correct because when BurstBalance is 0%, the gp2 volume has exhausted its burst credits and is operating at baseline IOPS. To improve performance, you can increase the volume size (which increases baseline IOPS) or switch to Provisioned IOPS (io1/io2). Option A is wrong because enabling Multi-AZ does not increase I/O performance.

Option B is wrong because disabling backups reduces CPU but not IOPS. Option C is wrong because creating a read replica does not improve write performance.

1287
MCQhard

A social media analytics company uses Amazon DynamoDB as the primary data store for user session data. Each session record has a partition key of user_id (String) and a sort key of session_start_time (Number, epoch). The application often queries the most recent 10 sessions for a given user. The traffic pattern shows that 90% of reads are for the last 10 sessions, while 10% are for historical sessions. The table has a provisioned read capacity of 5000 RCU and consistently experiences throttled read requests during peak hours. The company wants to optimize read performance without changing the provisioned capacity. Which design change will MOST improve read performance for this workload?

A.Create a Global Secondary Index (GSI) with the same partition key and a sort key of session_start_time, but query with ScanIndexForward=false and Limit=10.
B.Increase the provisioned read capacity to 10000 RCU to handle the peak load.
C.Enable DynamoDB Accelerator (DAX) with default settings to cache the most recent sessions.
D.Configure Amazon ElastiCache for Redis as a read-through cache for session data.
AnswerA

A GSI with the sort key reversed allows efficient retrieval of recent sessions using a single Query with ScanIndexForward=false and Limit=10.

Why this answer

Option A is correct because creating a GSI with the same partition key (user_id) and sort key (session_start_time) allows you to query with ScanIndexForward=false and Limit=10 to efficiently retrieve only the most recent 10 sessions per user. This avoids scanning all sessions for a user, reducing consumed read capacity and eliminating throttling without increasing provisioned RCU. The GSI also supports the 90% workload pattern by providing a targeted index that minimizes read unit consumption.

Exam trap

The trap here is that candidates often assume caching (DAX or ElastiCache) is the best solution for read-heavy workloads, but in this scenario the inefficiency is due to querying the base table without an index that supports efficient retrieval of the last N items, so a GSI with reversed sort order directly reduces read consumption without adding cache management overhead.

How to eliminate wrong answers

Option B is wrong because increasing provisioned read capacity to 10000 RCU does not optimize read performance; it only increases capacity, which contradicts the requirement to not change provisioned capacity and does not address the root cause of inefficient queries. Option C is wrong because enabling DAX with default settings caches hot items but does not reduce the read capacity consumed per query; the underlying table still uses the same number of read units for each query, and DAX does not change the query pattern to avoid full scans. Option D is wrong because configuring ElastiCache for Redis as a read-through cache adds complexity and latency for cache misses, and does not reduce the read capacity consumption on DynamoDB for the frequent last-10-sessions queries; it also does not address the inefficient scan pattern on the base table.

1288
MCQeasy

A database specialist is configuring an Amazon RDS for PostgreSQL instance with automated backups enabled. The backup retention period is set to 7 days. The instance experiences a failure and becomes unavailable. What is the maximum amount of time the specialist has to recover the database to the most recent possible point in time?

A.1 hour
B.7 days
C.14 days
D.35 minutes
AnswerB

Automated backups allow point-in-time recovery within the retention period.

Why this answer

Option C is correct because with automated backups and a retention period of 7 days, the latest restorable time is typically within the last 5 minutes, but the maximum point-in-time recovery window is 7 days. Option A is wrong because it is too short. Option B is wrong because it is the backup window, not recovery window.

Option D is wrong because it exceeds the retention period.

1289
MCQeasy

A company wants to centrally manage database user credentials and rotate them automatically. The database is an Amazon RDS for MySQL instance. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager supports automatic rotation for RDS.

Why this answer

Option C is correct because AWS Secrets Manager can rotate RDS database credentials automatically. Option A is wrong because Systems Manager Parameter Store can store secrets but does not automatically rotate RDS credentials. Option B is wrong because IAM controls access to AWS services, not database users.

Option D is wrong because CloudHSM is for hardware-based key storage, not credential rotation.

1290
Multi-Selectmedium

Which TWO of the following are valid methods to control network access to an Amazon RDS DB instance? (Select TWO.)

Select 2 answers
A.VPC security groups
B.DB subnet groups
C.AWS WAF
D.IAM policies
E.DB parameter groups
AnswersA, B

Security groups act as a virtual firewall for your DB instance to control inbound and outbound traffic.

Why this answer

Options B and D are correct. Security groups control inbound and outbound traffic to RDS instances. DB subnet groups define which subnets the DB instance can be placed in, but they indirectly control network access.

Option A (IAM policies) control API-level permissions, not network access. Option C (DB parameter groups) control database engine settings. Option E (AWS WAF) is for web application firewalls, not network-level access to RDS.

1291
Multi-Selectmedium

A company is migrating its Oracle database to Amazon RDS for Oracle. The security team requires that all data be encrypted at rest using a customer-managed AWS KMS key. Which TWO steps are necessary to achieve this?

Select 2 answers
A.Migrate the data using Oracle Data Pump to the new encrypted instance.
B.Modify the DB instance to enable encryption using a KMS key.
C.Create a new DB instance and specify the KMS key for encryption.
D.Enable encryption at rest on the existing RDS instance by modifying the DB instance.
E.Use the default RDS encryption key (aws/rds) to encrypt the instance.
AnswersA, C

Data must be migrated to the new encrypted instance.

Why this answer

Options B and C are correct. Option A is wrong because encryption must be enabled at creation time; you cannot add it later without a snapshot. Option D is wrong because the default RDS encryption key is AWS managed, not customer managed.

Option E is wrong because modifying the DB instance after creation does not enable encryption.

1292
MCQhard

A company uses Amazon RDS for MySQL with read replicas. The application writes to the primary and reads from the replicas. Occasionally, the application reads stale data from the replicas. Which action would ensure read-after-write consistency without impacting write performance?

A.Set the replica_read_consistency parameter to 'session'.
B.Use the reader endpoint and increase the replica lag threshold.
C.Configure the application to read from the primary instance for critical queries.
D.Enable the 'rds_set_replication_status' parameter on the read replicas.
AnswerC

Reading from primary guarantees consistency.

Why this answer

Using the primary instance for reads that require consistency ensures the application reads the latest data. Session-level replication checks are not supported in standard MySQL.

1293
MCQeasy

A company has an Amazon DynamoDB table with on-demand capacity mode. The table is used by a serverless application. The company wants to receive an alert when the read request rate exceeds a certain threshold. Which CloudWatch metric and alarm should be used?

A.Alarm on the 'ConsumedReadCapacityUnits' metric.
B.Alarm on the 'ReadThrottleEvents' metric.
C.Alarm on the 'ProvisionedReadCapacityUnits' metric.
D.Alarm on the 'SuccessfulRequestLatency' metric.
AnswerA

This metric shows actual read usage.

Why this answer

Option A is correct because 'ConsumedReadCapacityUnits' tracks the number of read capacity units consumed, and an alarm can be set on this metric. Option B is wrong because 'ProvisionedReadCapacityUnits' is only for provisioned mode. Option C is wrong because 'ReadThrottleEvents' indicates throttling, not request rate.

Option D is wrong because 'SuccessfulRequestLatency' measures latency, not request rate.

1294
Multi-Selectmedium

A security engineer is designing a disaster recovery plan for an Amazon DynamoDB table that contains sensitive data. The table is encrypted using an AWS KMS customer managed key (CMK). The engineer needs to ensure that the table can be restored in a different AWS Region. Which TWO actions must be taken to enable cross-region restores with the same encryption? (Choose TWO.)

Select 2 answers
A.Enable point-in-time recovery (PITR) on the table.
B.Enable DynamoDB global tables.
C.Export the table to S3 and copy the S3 objects to the destination Region.
D.Create a multi-Region KMS key in the source and replicate it to the destination Region.
E.Create a CloudHSM key and use it for encryption.
AnswersA, D

PITR is required for cross-region restores.

Why this answer

Option B and D are correct. DynamoDB cross-region restores require the KMS key to be available in the destination region, which means creating a replica key. The table must also have point-in-time recovery (PITR) enabled.

Option A is wrong because cross-region replication is for live data, not backups. Option C is wrong because CloudHSM keys are not supported for DynamoDB encryption. Option E is wrong because the key must be in the destination region.

1295
MCQeasy

A developer runs the command shown and gets the output. Which conclusion can be drawn about the database configuration?

A.The database is a Multi-AZ read replica
B.The database engine is Aurora MySQL
C.The database is a primary instance in a Multi-AZ deployment
D.The database is a read replica of another instance
AnswerD

ReadReplicaSourceDBInstanceIdentifier indicates it is a replica.

Why this answer

Option B is correct: the ReadReplicaSourceDBInstanceIdentifier field shows that this instance is a read replica of 'mydb-read-replica', meaning it is not the primary. Option A is wrong because the MultiAZ field is true for this instance, but it is a replica. Option C is wrong because the replica is in Multi-AZ, but it is still a read replica.

Option D is wrong because the engine is mysql.

1296
MCQmedium

A media company stores video metadata in Amazon DynamoDB. Each record has a partition key of video_id and a sort key of uploaded_timestamp. The application frequently queries videos by genre and upload date. The access pattern is read-heavy with occasional writes. The table is provisioned with 3000 RCUs and 1000 WCUs. The company notices that queries by genre are slow and consume many RCUs. Which design change should be made to optimize for this workload?

A.Use DynamoDB Accelerator (DAX) to cache query results.
B.Create a local secondary index (LSI) with genre as sort key and uploaded_timestamp as partition key.
C.Increase the provisioned RCUs to 6000.
D.Create a global secondary index (GSI) with genre as partition key and uploaded_timestamp as sort key.
AnswerD

A GSI with genre as partition key allows efficient queries by genre and date.

Why this answer

Option D is correct because creating a Global Secondary Index (GSI) with genre as the partition key and uploaded_timestamp as the sort key allows efficient querying by genre and date without scanning the entire table. This directly supports the access pattern, reducing RCU consumption by using index key lookups instead of full table scans. The GSI is ideal for read-heavy workloads with occasional writes, as it offloads query traffic from the main table.

Exam trap

The trap here is that candidates may confuse LSIs and GSIs, incorrectly assuming an LSI can change the partition key, when in fact LSIs must share the main table's partition key, making them unsuitable for querying by a different attribute like genre.

How to eliminate wrong answers

Option A is wrong because DAX caches query results to reduce latency and RCU consumption, but it does not address the root cause of slow queries by genre—the lack of an appropriate index for that access pattern; DAX would still require expensive scans on cache misses. Option B is wrong because a Local Secondary Index (LSI) must have the same partition key as the main table (video_id), so it cannot support queries by genre as the partition key; using genre as sort key with video_id as partition key would not enable efficient genre-based queries. Option C is wrong because increasing RCUs to 6000 only adds more read capacity without fixing the inefficient query pattern; it would increase cost without resolving the underlying design issue of scanning the entire table for genre queries.

1297
MCQhard

A financial services company runs a critical application on Amazon RDS for PostgreSQL with Multi-AZ and automated backups enabled. The database stores sensitive customer data, and the security team recently audited the environment and found that the database master user password is stored in plain text in a configuration file on the application server. Additionally, the security team noted that the database security group allows inbound traffic from 0.0.0.0/0 on port 5432. The company needs to remediate these issues immediately without downtime and must ensure that access to the database is restricted to only the application servers, and that password management follows AWS best practices. The application connects to the database using the master user credentials. What should the database specialist do to meet these requirements?

A.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Store the database password in AWS Secrets Manager and configure automatic rotation. Update the application to retrieve the password from Secrets Manager.
B.Modify the security group to allow inbound traffic on port 5432 only from the public IP address of the application server. Rotate the password using the AWS CLI and store the new password in an encrypted file on the application server. Update the application to read the password from the encrypted file.
C.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Rotate the master password by modifying the DB instance and store the new password in AWS Systems Manager Parameter Store as a SecureString. Update the application to retrieve the password from Parameter Store.
D.Modify the security group to allow inbound traffic on port 5432 only from the private IP address of the application server. Rotate the password using the AWS CLI and store the new password in an encrypted file on the application server. Update the application to read the password from the encrypted file.
AnswerA

Option A is correct because it addresses both the security group exposure and password management using AWS best practices (Secrets Manager with automatic rotation).

Why this answer

Option A is correct because it restricts inbound traffic to the application server's private IP address, which is the secure approach for traffic within AWS, and it uses AWS Secrets Manager to store the master password with automatic rotation, following AWS best practices for secrets management. This eliminates the plain-text password exposure and ensures no downtime by updating the application to retrieve credentials dynamically from Secrets Manager.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, not realizing that Parameter Store lacks native automatic rotation for RDS master passwords, which is a key requirement for this scenario.

How to eliminate wrong answers

Option B is wrong because using the public IP address of the application server is insecure and unnecessary within AWS; traffic should use private IPs over the AWS network, and storing the password in an encrypted file on the application server still requires key management and does not provide automatic rotation or centralized access control. Option C is wrong because while it uses private IP and Parameter Store SecureString, it does not enable automatic rotation of the password; AWS Systems Manager Parameter Store does not natively support automatic rotation for RDS credentials, whereas Secrets Manager does. Option D is wrong because it stores the password in an encrypted file on the application server, which still relies on local key management and lacks automatic rotation, centralized auditing, and the ability to easily revoke access.

1298
MCQmedium

An application uses an Amazon RDS for MySQL database. The security team requires that all traffic to the database be encrypted in transit. Which configuration ensures this?

A.Use the default RDS parameter group.
B.Create a custom DB parameter group with the require_secure_transport parameter set to ON.
C.Configure the security group to allow only port 3306 from the application.
D.Use a network ACL to restrict inbound traffic to port 3306.
AnswerB

This enforces that all connections use SSL/TLS.

Why this answer

Option C is correct because enforcing SSL/TLS via parameter groups ensures all connections use encryption. Option A is wrong because security groups control network access, not encryption. Option B is wrong because the default RDS parameter group does not enforce SSL.

Option D is wrong because NACLs are stateless and do not enforce encryption.

1299
Multi-Selecteasy

A company wants to store session state for a web application that runs on Amazon EC2 instances behind an Application Load Balancer. The session data is ephemeral and must be highly available. Which two AWS services are suitable for this use case? (Choose two.)

Select 2 answers
A.Amazon DynamoDB
B.Amazon ElastiCache for Redis with replication
C.Amazon Redshift
D.Amazon S3
E.Amazon RDS for MySQL
AnswersA, B

Fast, scalable, and highly available key-value store.

Why this answer

Option A (ElastiCache for Redis) is correct because it provides low-latency in-memory storage with replication for HA. Option C (DynamoDB) is correct because it is a highly available, fast key-value store. Option B is wrong because RDS is relational and not optimized for session state.

Option D is wrong because S3 is not low-latency. Option E is wrong because Redshift is a data warehouse.

1300
MCQhard

A company runs a critical Amazon RDS for PostgreSQL database. They notice that the 'DiskQueueDepth' metric is consistently high and the 'FreeStorageSpace' is below 10%. The database is used for OLTP workloads. What is the MOST immediate action to take?

A.Upgrade to a larger DB instance class.
B.Modify the DB instance to increase allocated storage.
C.Switch the instance to Provisioned IOPS storage.
D.Create a read replica to offload read traffic.
AnswerB

Increasing storage immediately addresses the low free space and can reduce disk queue depth by allowing more I/O operations.

Why this answer

Option B is correct because increasing storage quickly avoids potential downtime and I/O throttling. Option A is wrong because switching to Provisioned IOPS addresses latency but not the storage shortage. Option C is wrong because adding a read replica does not increase storage on the primary.

Option D is wrong because modifying the instance class may not address storage space.

1301
MCQmedium

An Amazon RDS for Oracle DB instance is experiencing high swap usage. The database administrator wants to reduce swap usage. Which action should be taken?

A.Change the storage type from gp2 to io1
B.Increase the DB instance class to a larger size with more memory
C.Delete archived redo logs to free up space
D.Enable Multi-AZ to distribute the load
AnswerB

More memory reduces the need for swap.

Why this answer

High swap usage on an Amazon RDS for Oracle DB instance indicates that the operating system is using disk-based swap space as a substitute for physical RAM, which severely degrades database performance. Increasing the DB instance class to a larger size with more memory directly addresses the root cause by providing additional RAM, reducing or eliminating the need for swapping. This is the correct action because swap usage is a memory pressure issue, not a storage or availability problem.

Exam trap

The trap here is that candidates confuse high swap usage with a storage performance or availability issue, leading them to choose storage type changes or Multi-AZ, when the real solution is to address insufficient memory by scaling the instance class.

How to eliminate wrong answers

Option A is wrong because changing the storage type from gp2 to io1 improves I/O performance and latency but does not increase the amount of available RAM, so it cannot reduce swap usage. Option C is wrong because deleting archived redo logs frees up storage space in the recovery area, not memory; swap usage is unrelated to log retention or disk space. Option D is wrong because enabling Multi-AZ provides high availability and automatic failover by replicating data to a standby instance, but it does not distribute memory load or reduce swap usage on the primary instance.

1302
MCQeasy

Refer to the exhibit. A database specialist is taking a final snapshot of an RDS DB instance before deletion. The command returns the output shown. The snapshot is at 75% progress. What should the specialist do next?

A.Use the describe-db-snapshots command with --db-snapshot-identifier to get more details.
B.Use the stop-db-instance command to pause the snapshot.
C.Wait for the snapshot status to become 'available' before deleting the instance.
D.Delete the DB instance immediately; the snapshot will continue in the background.
AnswerC

Snapshot must be available before deletion to ensure completeness.

Why this answer

The snapshot is still creating. The specialist should wait for the snapshot to complete before deleting the instance. Option A (delete now) would cause snapshot to be incomplete.

Option B (describe-db-snapshots to check) is redundant. Option C (stop the snapshot) is not possible. Option D (wait and check) is correct.

1303
MCQmedium

A company needs to store and manage user sessions for a web application. The application runs on multiple EC2 instances, and sessions must be accessible from any instance. The team wants a fully managed, highly available, and low-latency solution. Which AWS service should they use?

A.Amazon RDS for MySQL
B.Amazon ElastiCache for Redis
C.Amazon DynamoDB
D.Amazon S3
AnswerB

Redis is ideal for session storage with low latency and high availability.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides a fully managed, in-memory data store with sub-millisecond latency, making it ideal for storing user session data that must be accessed from any EC2 instance. Redis supports atomic operations and data structures (e.g., TTL-based key expiration) that are well-suited for session management, and its replication and Multi-AZ failover ensure high availability. This meets the requirement for a fully managed, highly available, and low-latency solution without the overhead of managing a database cluster.

Exam trap

The trap here is that candidates often choose Amazon DynamoDB because it is fully managed and highly available, but they overlook the specific requirement for 'low-latency' (sub-millisecond) that only an in-memory cache like ElastiCache for Redis can provide, and they miss that DynamoDB's latency is higher due to disk I/O and consistency models.

How to eliminate wrong answers

Option A is wrong because Amazon RDS for MySQL is a relational database with disk-based storage, which introduces higher latency for session lookups compared to an in-memory store, and it requires more operational overhead for scaling and failover. Option C is wrong because Amazon DynamoDB is a NoSQL database that, while fully managed and highly available, has higher read/write latency (typically single-digit milliseconds) compared to ElastiCache for Redis (sub-millisecond), and it is not optimized for ephemeral session data with automatic TTL expiration as efficiently as Redis. Option D is wrong because Amazon S3 is an object storage service with high latency (often tens to hundreds of milliseconds) and is not designed for frequent, low-latency read/write operations required for user sessions; it also lacks native session management features like atomic operations or TTL.

1304
MCQhard

A company is deploying a new Amazon DynamoDB table with global tables for a multi-region application. The application requires strongly consistent reads in the primary region and eventual consistency in secondary regions. Which write strategy should they use?

A.Use conditional writes to ensure consistency
B.Use DynamoDB global tables with last writer wins (LWW) conflict resolution
C.Use DynamoDB Streams to replicate writes to secondary regions
D.Use DynamoDB transactions across regions
AnswerB

LWW provides eventual consistency across regions; strong read in primary region is supported.

Why this answer

DynamoDB global tables use last writer wins (LWW) for conflict resolution, which is eventually consistent. Strongly consistent reads are supported only in the region where the write occurred (primary region). Option B (conditional writes) does not change consistency.

Option C (transactions) are not global. Option D (DynamoDB Streams) does not affect consistency.

1305
MCQhard

The exhibit shows an IAM policy attached to a user. The user needs to create a manual snapshot of an RDS DB instance named 'production-db'. Which action will the user be able to perform?

A.Create a manual snapshot of 'production-db' with the name 'production-db-snapshot'.
B.Create a manual snapshot of 'production-db' with the name 'mydb-production-snapshot'.
C.Describe the 'production-db' DB instance.
D.Delete the 'production-db' DB instance.
AnswerB

The snapshot name starts with 'mydb-', matching the allowed resource pattern.

Why this answer

Option C is correct because the policy allows CreateDBSnapshot on resources matching 'mydb-*', but the snapshot name must match that pattern. Option A is wrong because DeleteDBInstance is denied. Option B is wrong because the user can create snapshots matching the pattern.

Option D is wrong because the user can describe instances.

1306
MCQhard

A company runs a production Amazon RDS for MySQL DB instance with Multi-AZ. The database is used by a web application. The application team reports that the database is experiencing intermittent connection timeouts and increased latency. The CloudWatch metrics show that the database connections spike to the maximum allowed (max_connections) during peak hours, and the CPU utilization is high. The team needs to resolve the connection issues without modifying the application code. The application uses connection pooling at the application layer. Which action should be taken?

A.Create a read replica and direct read queries to it.
B.Deploy an Amazon RDS Proxy in front of the DB instance.
C.Increase the 'max_connections' parameter to allow more connections.
D.Change the DB instance class to a smaller size to reduce the maximum connections.
AnswerB

RDS Proxy efficiently multiplexes connections, reducing the number of database connections and freeing up resources.

Why this answer

Option B is correct because RDS Proxy manages connection pooling efficiently, reducing the number of connections to the database and lowering CPU overhead. Option A is wrong because increasing max_connections may lead to resource exhaustion. Option C is wrong because read replicas do not reduce write connection load.

Option D is wrong because switching to a smaller instance would worsen the problem.

1307
Multi-Selecthard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a tight migration window of 8 hours. Which THREE steps should be taken to minimize downtime during the migration?

Select 3 answers
A.Take a manual snapshot of the source database before migration.
B.Use AWS Schema Conversion Tool (AWS SCT) to convert the schema.
C.Use AWS Database Migration Service (AWS DMS) with ongoing replication.
D.Disable automated backups on the target RDS instance during migration.
E.Deploy a large RDS instance class to speed up the initial load.
AnswersC, D, E

DMS allows continuous replication to minimize downtime.

Why this answer

Option B is correct because AWS DMS can perform continuous replication. Option C is correct because using a large instance reduces migration time. Option E is correct because disabling backups during migration reduces overhead.

Option A is wrong because AWS SCT is for schema conversion, not data migration. Option D is wrong because manual snapshot is for backup, not migration.

1308
MCQeasy

A developer executed a DELETE statement without a WHERE clause on an Amazon RDS for PostgreSQL instance. The transaction is still open. Which action should the developer take to undo the DELETE without affecting other operations?

A.Execute COMMIT and then run a recovery script.
B.Use the Point-in-Time Recovery feature to restore the database to a time before the DELETE.
C.Execute ROLLBACK in the same session.
D.Stop the DB instance and restore from the latest snapshot.
AnswerC

ROLLBACK undoes all changes made in the current transaction.

Why this answer

Option A is correct because an open transaction can be rolled back using the ROLLBACK command. Option B is incorrect because Point-in-Time Recovery restores the entire DB instance to a previous timestamp, not just the transaction. Option C is incorrect because ROLLBACK will undo the DELETE.

Option D is incorrect because COMMIT would make the DELETE permanent.

1309
MCQmedium

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The database currently uses a custom extension that is not supported by RDS. The application relies heavily on this extension for advanced statistical analysis. Which design approach should the company take to minimize application changes?

A.Migrate to PostgreSQL on Amazon EC2 and install the custom extension.
B.Migrate to Amazon DynamoDB and implement statistical analysis using DynamoDB streams and Lambda.
C.Migrate to Amazon RDS for PostgreSQL and install the custom extension on the RDS instance.
D.Migrate to Amazon RDS for PostgreSQL and implement the extension's functionality using AWS Lambda functions called via triggers.
AnswerD

Lambda can replicate the extension's behavior without modifying the application.

Why this answer

Option D is correct because it allows the company to offload the unsupported custom extension's statistical analysis logic to AWS Lambda functions, which can be invoked via RDS PostgreSQL triggers. This approach minimizes application changes by keeping the database schema and query patterns largely intact, while the Lambda functions handle the advanced computations externally. RDS does not allow custom extensions, so this pattern leverages RDS for PostgreSQL's native trigger support to integrate with Lambda without modifying the application's core database interactions.

Exam trap

The trap here is that candidates assume RDS for PostgreSQL supports all PostgreSQL extensions, but AWS explicitly restricts custom extensions, making Option C a common distractor that seems plausible but is technically impossible.

How to eliminate wrong answers

Option A is wrong because migrating to PostgreSQL on Amazon EC2, while allowing custom extensions, requires significant operational overhead for patching, backups, and high availability, and does not minimize application changes more than the trigger-based approach. Option B is wrong because migrating to Amazon DynamoDB would require a complete rewrite of the application's data access layer and statistical analysis logic, as DynamoDB is a NoSQL key-value and document database with a different query model and no native support for PostgreSQL extensions. Option C is wrong because Amazon RDS for PostgreSQL does not allow installation of custom extensions; only AWS-provided extensions are supported, so this option is technically infeasible.

1310
MCQhard

A company is using Amazon DynamoDB with a global table that replicates data across two AWS Regions. The security team requires that all data be encrypted at rest with a customer-managed AWS KMS key. How should the company configure the KMS keys to meet this requirement?

A.Create a single KMS key in the primary region and use it for both replicas.
B.Use AWS managed encryption as DynamoDB does not support customer managed KMS keys for global tables.
C.Create a separate KMS key in each region and assign each replica table its regional KMS key.
D.Create a multi-Region KMS key and use it for both replicas.
AnswerC

Each replica table can use its own regional KMS key.

Why this answer

Option C is correct. For DynamoDB global tables, each replica table can use a different KMS key. You must create a KMS key in each region and configure the table to use the regional key.

Option A is incorrect because a single KMS key cannot be used across regions; KMS keys are region-specific. Option B is incorrect because using the same key across regions is not possible. Option D is incorrect because DynamoDB global tables support encryption with customer managed keys.

1311
Multi-Selecteasy

Which TWO AWS services can be used to monitor and alert on suspicious database access patterns in Amazon RDS? (Choose 2.)

Select 2 answers
A.Amazon Inspector
B.Amazon CloudWatch
C.AWS Trusted Advisor
D.AWS Config
E.Amazon GuardDuty
AnswersB, E

CloudWatch alarms can be set on database metrics and logs.

Why this answer

Amazon GuardDuty and Amazon CloudWatch can both be used to monitor and alert on suspicious access. Option A is wrong because AWS Config is for configuration monitoring. Option C is wrong because AWS Trusted Advisor provides best practices.

Option E is wrong because Amazon Inspector is for vulnerability assessment.

1312
Multi-Selecthard

A company is moving a large-scale time-series application from Cassandra to a managed AWS service. The workload involves high-frequency writes (millions per second) and queries that aggregate data over time windows. Which THREE AWS services are suitable for this time-series workload?

Select 3 answers
A.Amazon OpenSearch Service
B.Amazon Aurora
C.Amazon DynamoDB
D.Amazon Timestream
E.Amazon Redshift
AnswersA, C, D

Supports time-series ingestion and aggregation.

Why this answer

Amazon Timestream is purpose-built for time-series data. Amazon DynamoDB with time-series partitioning (using partition key as entity ID and sort key as timestamp) can handle high-volume writes and support time-based queries. Amazon OpenSearch Service can ingest time-series data and provide aggregation queries.

Option D (Redshift) is wrong because it is optimized for OLAP on structured data, not high-frequency writes. Option E (Aurora) is wrong because it is not designed for time-series ingestion at millions of writes per second.

1313
Multi-Selecthard

A company is using Amazon RDS for MySQL to host a web application. The security team has identified that the application is vulnerable to SQL injection attacks. The team wants to implement a defense-in-depth strategy to protect the database. Which THREE measures should be taken to mitigate SQL injection risks?

Select 3 answers
A.Grant the minimum required permissions to the database user used by the application.
B.Move all SQL logic into stored procedures.
C.Use parameterized queries or prepared statements in the application code.
D.Enable encryption at rest for the RDS instance.
E.Deploy AWS WAF in front of the web application to filter malicious requests.
AnswersA, C, E

Least privilege limits damage if injection occurs.

Why this answer

Options A, B, and D are correct. Prepared statements prevent SQL injection; least privilege reduces impact; WAF filters malicious input. Option C is wrong because stored procedures do not inherently prevent injection if not used with parameters.

Option E is wrong because encryption does not prevent injection.

1314
MCQhard

A company is running an Amazon DynamoDB table with provisioned capacity. The table has a partition key of 'user_id' and a sort key of 'timestamp'. The application performs frequent Query operations using the partition key and a range of sort keys. Recently, the 'ThrottledRequests' metric has spiked. The read and write capacity units are consistently at 80% utilization. What is the most effective way to resolve the throttling?

A.Increase the provisioned read and write capacity units
B.Add a global secondary index with a different partition key
C.Change the partition key to a more uniformly distributed attribute
D.Enable DynamoDB Auto Scaling with a higher target utilization
AnswerD

Auto Scaling with adaptivity can handle hot partitions by adjusting throughput.

Why this answer

Option D is correct because using an adaptive capacity add-on allows DynamoDB to automatically manage throughput for hot partitions. Option A is wrong because increasing capacity units may not help if throttling is due to hot partitions. Option B is wrong because GSI does not directly solve hot partition throttling.

Option C is wrong because changing partition key distribution would require table redesign and data migration.

1315
MCQeasy

Refer to the exhibit. An IAM policy allows creation of a DMS replication task only if the source database engine is Oracle. A user attempts to create a replication task with a MySQL source. What will happen?

A.The action will fail with an error because the policy is malformed.
B.The action will succeed but the task will fail later.
C.The action will be allowed because the resource is '*'.
D.The action will be denied because the condition does not match.
AnswerD

Condition fails for MySQL.

Why this answer

The condition requires the database engine to be Oracle. Since MySQL does not match, the action is not allowed. Option B is correct.

Option A (Denied) would be correct but the explanation clarifies. Option C (Allowed) is incorrect. Option D (Error) is not correct.

1316
Multi-Selecthard

A company is migrating a 3 TB PostgreSQL database to Amazon Aurora PostgreSQL. The migration must have minimal downtime. Which THREE steps should be taken?

Select 3 answers
A.Disable autovacuum on the Aurora cluster to improve migration performance
B.Use AWS DMS with ongoing replication from the source PostgreSQL database
C.Use AWS Snowball Edge to transfer the data offline
D.Create an Aurora PostgreSQL read replica to offload read traffic during migration
E.Increase the instance class of the Aurora cluster to handle the migration load
AnswersB, D, E

DMS with CDC enables near-zero downtime migration.

Why this answer

Options A, C, and D are correct. Using DMS with CDC allows minimal downtime, Aurora supports read replicas for scaling, and adjusting instance class ensures performance. Option B is wrong because Snowball is for offline transfer.

Option E is wrong because disabling autovacuum is not recommended and can lead to bloat.

1317
Multi-Selecthard

Which THREE design patterns can improve the performance of a write-heavy application using Amazon DynamoDB?

Select 3 answers
A.Write sharding by using a composite key with a random suffix to distribute writes across partitions.
B.Enable DynamoDB adaptive capacity to allow a single partition to use more throughput.
C.Create local secondary indexes (LSIs) for all query patterns.
D.Use DynamoDB Accelerator (DAX) to offload read traffic.
E.Increase provisioned write capacity units (WCUs) to the maximum allowed.
AnswersA, B, D

Prevents hot partitions by evenly distributing write traffic.

Why this answer

Option A is correct because write sharding with a random suffix on the partition key distributes writes evenly across multiple partitions, preventing hot partitions. This pattern avoids throttling by ensuring no single partition exceeds its write capacity limit, which is critical for write-heavy workloads in DynamoDB.

Exam trap

The trap here is that candidates may confuse local secondary indexes (LSIs) with global secondary indexes (GSIs) or assume that increasing WCUs alone resolves hot partitions, ignoring DynamoDB's per-partition throughput limits.

1318
Multi-Selecteasy

A company is using Amazon DynamoDB with Auto Scaling enabled. The database specialist notices that write traffic is being throttled occasionally. Which TWO factors could cause throttling despite Auto Scaling?

Select 2 answers
A.The table has Global Tables enabled, causing cross-region replication overhead.
B.Auto Scaling is not configured to scale up quickly enough for sudden traffic spikes.
C.DynamoDB Accelerator (DAX) is not caching write operations.
D.The write traffic exceeds the maximum provisioned capacity that was set for Auto Scaling.
E.A hot partition where a single partition key receives a disproportionate amount of write traffic.
AnswersD, E

Auto Scaling cannot scale beyond the configured maximum.

Why this answer

Options A and D are correct. Hot partitions (A) can cause throttling even with Auto Scaling because a single partition can exceed its limit. Throttling due to exceeding the maximum provisioned capacity (D) can also occur.

Option B is wrong because Global Tables replicate writes but do not cause throttling. Option C is wrong because Auto Scaling is disabled? (the question says enabled, so C is irrelevant). Option E is wrong because DAX is for reads.

1319
MCQhard

A company is deploying a MongoDB-compatible database using Amazon DocumentDB. The application requires the ability to perform ad-hoc queries on nested fields within documents. Which DocumentDB feature should be enabled to meet this requirement?

A.TTL indexes
B.Indexes on nested fields
C.Transactions
D.Change streams
AnswerB

Indexes allow efficient ad-hoc queries on nested fields.

Why this answer

Amazon DocumentDB supports indexing on nested fields, which allows efficient querying of sub-documents and arrays within documents. By creating indexes on specific nested paths (e.g., "address.city"), the query engine can perform index scans instead of full collection scans, enabling fast ad-hoc queries on nested fields. This feature directly meets the requirement for ad-hoc queries on nested fields.

Exam trap

The trap here is that candidates may confuse indexing features with operational features like TTL or Change streams, assuming any advanced DocumentDB feature can support nested queries, when only explicit indexing on nested fields enables efficient ad-hoc querying on sub-documents.

How to eliminate wrong answers

Option A is wrong because TTL indexes are used to automatically expire documents after a specified time period, not to enable querying on nested fields. Option C is wrong because Transactions provide atomic multi-document operations but do not improve query performance on nested fields. Option D is wrong because Change streams capture real-time data changes (inserts, updates, deletes) for event-driven applications, not for ad-hoc querying of nested fields.

1320
MCQhard

A company is using Amazon DynamoDB Accelerator (DAX) to improve read performance. Recently, the cache hit ratio has dropped significantly. The application uses strongly consistent reads. What is the most likely cause of the low cache hit ratio?

A.The DynamoDB table's write capacity is too low
B.The application is using strongly consistent reads, which bypass the DAX cache
C.The DAX cluster has too few nodes
D.The DAX cluster's TTL is set too low
AnswerB

DAX only caches eventually consistent reads; strongly consistent reads go directly to DynamoDB.

Why this answer

Option C is correct because DAX caches eventually consistent reads, not strongly consistent reads. Option A is wrong because TTL affects item expiration but not the consistency model. Option B is wrong because write capacity does not directly affect cache hits.

Option D is wrong because the DAX cluster size affects performance but not the consistency mismatch.

1321
Multi-Selecteasy

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The migration must be completed with minimal downtime. Which TWO AWS services should be used together?

Select 2 answers
A.AWS Snowball
B.AWS Database Migration Service (DMS)
C.AWS CloudEndure Migration
D.AWS Schema Conversion Tool (SCT)
E.AWS Direct Connect
AnswersB, D

DMS supports ongoing replication for minimal downtime.

Why this answer

Options A and C are correct. AWS DMS (A) can perform the migration with ongoing replication to minimize downtime, and AWS SCT (C) can help convert the schema if needed. Option B is wrong because Snowball is for large offline data transfer, not for minimal downtime migration.

Option D is wrong because Direct Connect is a network service, not a migration tool. Option E is wrong because CloudEndure is for server migration.

1322
MCQmedium

A company has an Amazon RDS for Oracle DB instance that stores sensitive data. The security team wants to audit all SQL queries that read or modify specific columns containing personally identifiable information (PII). The audit logs must be stored for 5 years. Which solution should the database specialist implement?

A.Use Oracle fine-grained auditing to create an audit policy on the specific columns and store logs in a custom table.
B.Enable database activity streams and send logs to Amazon CloudWatch Logs with a retention of 5 years.
C.Enable RDS Enhanced Monitoring and enable SQL auditing in the parameter group.
D.Enable Oracle Audit Vault and Database Firewall.
AnswerA

Fine-grained auditing allows column-level auditing.

Why this answer

Option C is correct because Amazon RDS for Oracle supports fine-grained auditing using the AUDIT policy for specific columns. Option A is wrong because RDS does not support Oracle Audit Vault. Option B is wrong because database activity streams capture all activities but do not filter by column; also they are stored in CloudWatch Logs, not for 5 years by default.

Option D is wrong because RDS Enhanced Monitoring is for OS metrics, not SQL auditing.

1323
MCQmedium

A company uses Amazon ElastiCache for Redis to cache frequently accessed data. The cache cluster experiences high CPU utilization during peak hours. The cluster has a single node of type cache.r5.large. What is the most cost-effective way to reduce CPU utilization while maintaining performance?

A.Enable encryption at rest and in transit.
B.Upgrade to a cache.r5.xlarge node type.
C.Add a read replica to distribute read traffic.
D.Increase the maxmemory-policy parameter to 'allkeys-lru'.
AnswerC

Offloads read traffic, reducing CPU on primary.

Why this answer

Option A is correct. Adding a read replica (sharing read traffic) reduces CPU on the primary. Option B is wrong because increasing to a larger node type is more expensive than adding replicas.

Option C is wrong because increasing maxmemory-policy does not reduce CPU. Option D is wrong because enabling encryption adds overhead.

1324
MCQhard

An IAM policy is attached to a user to allow read access to the Orders table in DynamoDB. The user reports that a GetItem call for an order returns an 'AccessDeniedException'. What is the likely cause?

A.The user must specify a projection expression in the GetItem request to include only 'order_id' and 'status' attributes.
B.The user does not have permissions to perform GetItem on the Orders table.
C.The resource ARN is incorrect; it should include the wildcard for the table.
D.The condition key 'dynamodb:Attributes' restricts access to only two attributes, but the user can still get all attributes.
AnswerA

The condition requires that only these attributes be returned, so the request must explicitly project them.

Why this answer

Option A is correct because when an IAM policy uses the `dynamodb:Attributes` condition key to restrict access to specific attributes (e.g., `order_id` and `status`), the user must include a `ProjectionExpression` in the `GetItem` request that explicitly lists only those allowed attributes. Without the projection expression, DynamoDB attempts to return all attributes, which triggers an `AccessDeniedException` because the policy denies access to attributes not listed in the condition.

Exam trap

AWS often tests the misconception that a table-level permission error is the cause, when in reality the issue is a missing `ProjectionExpression` due to attribute-level restrictions in the IAM policy.

How to eliminate wrong answers

Option B is wrong because the user does have permissions to perform GetItem on the Orders table; the error is caused by attribute-level restrictions, not a lack of table-level permission. Option C is wrong because the resource ARN in the policy is correct; including a wildcard for the table would not resolve the attribute-level restriction issue. Option D is wrong because the condition key `dynamodb:Attributes` does restrict access to only two attributes, and the user cannot get all attributes; the GetItem call must use a projection expression to limit the returned attributes to those allowed.

1325
MCQhard

A company runs a global e-commerce platform with a relational database. They need to reduce read latency for users in Europe and Asia. The primary database is in us-west-2. Which solution provides the LOWEST read latency for global users while maintaining data consistency?

A.Deploy Amazon ElastiCache clusters in each region and cache database queries
B.Use Amazon Aurora Global Database with reader instances in Europe and Asia
C.Migrate to Amazon DynamoDB global tables
D.Configure Amazon RDS cross-region read replicas
AnswerB

Aurora Global Database provides cross-region read replicas with <1 second latency, enabling low-latency local reads.

Why this answer

Amazon Aurora Global Database is designed for low-latency global reads by replicating data to up to five secondary regions with dedicated reader instances. It uses storage-based replication that typically adds less than one second of lag, ensuring strong consistency while providing local read access for users in Europe and Asia. This architecture directly addresses the requirement for the lowest read latency without compromising data consistency.

Exam trap

The trap here is that candidates often choose ElastiCache (Option A) thinking caching always provides the lowest latency, but they overlook the requirement for data consistency and the fact that caching does not replicate the full database state across regions.

How to eliminate wrong answers

Option A is wrong because ElastiCache caches database queries but does not replicate the underlying relational data; it introduces eventual consistency and cache staleness, and does not provide the same consistency guarantees as Aurora Global Database. Option C is wrong because DynamoDB global tables are a NoSQL solution, not a relational database, and the company specifically requires a relational database for its e-commerce platform. Option D is wrong because Amazon RDS cross-region read replicas use asynchronous replication with potentially higher lag than Aurora Global Database, and they do not offer the same low-latency global read architecture with dedicated reader instances in each region.

1326
MCQmedium

A company is running a production Amazon RDS for MySQL DB instance. The application team reports intermittent connection timeouts. The DBA notices that the DB instance's CPU utilization spikes to 100% during these times. Which metric should be monitored to determine if the issue is due to a specific query?

A.DatabaseConnections
B.NetworkThroughput
C.ReadIOPS
D.Queries (engine-specific counter)
AnswerD

Queries reflects the number of queries executed, helping identify query load spikes.

Why this answer

Option D is correct because the RDS for MySQL engine-specific counter 'Queries' reflects the number of queries executed. Option A is wrong because DatabaseConnections shows connections, not query performance. Option B is wrong because ReadIOPS measures disk I/O, not query volume.

Option C is wrong because NetworkThroughput measures network traffic.

1327
MCQeasy

A company wants to migrate a 1 TB on-premises PostgreSQL database to Amazon RDS for PostgreSQL. They have a limited internet bandwidth. Which service should they use to accelerate the migration?

A.AWS Snowball Edge
B.AWS Database Migration Service (DMS)
C.Amazon S3
D.AWS Direct Connect
AnswerA

Offline data transfer bypasses bandwidth limitations.

Why this answer

AWS Snowball Edge can be used for offline data transfer to accelerate migration over slow internet. Option A is correct. Option B (DMS) requires bandwidth.

Option C (Direct Connect) is a dedicated connection but still requires bandwidth. Option D (S3) is not for database transfer.

1328
MCQmedium

The exhibit shows the output of a MySQL command run on an Amazon RDS for MySQL DB instance. The database is experiencing frequent checkpointing that is causing I/O spikes. The parameter innodb_log_file_size is currently 256 MB. Which change should be made to reduce checkpoint frequency?

A.Decrease the value of innodb_log_file_size to 128 MB.
B.Set innodb_flush_log_at_trx_commit to 0.
C.Increase the value of innodb_log_file_size to 1 GB.
D.Increase the value of innodb_buffer_pool_size.
AnswerC

Larger redo logs allow more transactions to be written before a checkpoint, reducing checkpoint frequency.

Why this answer

Option A is correct because increasing the size of the InnoDB redo log files reduces checkpoint frequency. Option B is wrong because decreasing would increase checkpoint frequency. Option C is wrong because innodb_flush_log_at_trx_commit controls durability, not checkpoint frequency.

Option D is wrong because innodb_buffer_pool_size affects memory, not directly checkpointing.

1329
MCQhard

A company uses Amazon DynamoDB Global Tables with strong consistent reads. They notice that a write to us-east-1 is not visible in eu-west-1 after several seconds. Which configuration setting is MOST likely causing this behavior?

A.DynamoDB Streams is not enabled on the table
B.Auto Scaling is configured for write capacity
C.Last writer wins (LWW) conflict resolution is disabled
D.Strongly consistent reads are used on a global table
AnswerA

Global Tables require DynamoDB Streams to replicate writes; without it, replication does not occur.

Why this answer

Option A is correct because Global Tables use last writer wins (LWW) conflict resolution by default; if the application writes to both regions simultaneously, the latest write from the region with the highest timestamp wins, but replication is typically sub-second. However, if the 'ReplicationGroup' is misconfigured, replication can be delayed. But the question mentions strong consistency reads, which are not supported for Global Tables (they support eventual consistency only).

Actually, strong consistency reads are not available for Global Tables; using them would cause an error. However, the scenario says they notice a delay, which is expected for eventual consistency. Option A is wrong: strong consistency reads are not supported for Global Tables.

Option B is correct: strong consistency reads are not supported, but the scenario says they are using them; this would cause an error, not delay. Option C: DynamoDB Streams must be enabled for Global Tables; if disabled, writes would not replicate at all. Option D: Auto Scaling does not affect replication.

Given the options, the most likely cause is that DynamoDB Streams is not enabled on the table, which would prevent replication entirely. But the question says 'not visible after several seconds', which suggests eventual consistency delay. Actually, the correct answer is that Global Tables only support eventual consistency, so strong consistency reads are not possible; but the question says they are using them, which might be a misconfiguration.

However, typical exam: strong consistency reads on Global Tables are not supported; using them would cause an error, not a delay. So Option B is plausible: they might have requested strong consistency reads on a global table, which would fail. But the scenario says they notice a delay, not an error.

I think the intended answer is that Global Tables rely on DynamoDB Streams; if streams are disabled, writes won't replicate. So Option C. Let me re-evaluate: DynamoDB Streams must be enabled for the table to be used in Global Tables.

If streams are disabled, writes will not be replicated. That matches the symptom: writes to us-east-1 are not visible in eu-west-1. Option A: LWW is default, but it doesn't cause delay.

Option B: Strong consistency reads are not supported for Global Tables, but the scenario says they are using them; it's unclear if that causes delay or error. Option D: Auto Scaling does not affect replication. So Option C is most likely.

1330
MCQeasy

A company needs to migrate a 100 GB on-premises SQL Server database to Amazon RDS for SQL Server. The migration must be completed within a 4-hour maintenance window. The network link has 500 Mbps throughput. Which approach should be used?

A.Use AWS DMS with full load and CDC
B.Use native SQL Server backup to S3, then restore to RDS
C.Use AWS Snowball Edge to transfer the backup
D.Launch an EC2 instance with SQL Server, copy the database, and then migrate to RDS
AnswerB

This method can be fast and fits within the maintenance window with 500 Mbps.

Why this answer

Option A is correct because native backup to S3 and restore to RDS is the fastest method for this size, and the network can transfer 100 GB in ~30 minutes. Option B is wrong because DMS with CDC adds complexity and is not needed. Option C is wrong because Snowball is unnecessary.

Option D is wrong because EC2 is not needed.

1331
Multi-Selectmedium

A company is using Amazon DynamoDB for a shopping cart application. The table has a partition key of `user_id` and a sort key of `item_id`. The application performs frequent updates to the `quantity` attribute. The company notices that write requests are being throttled during peak hours. Which TWO actions would help reduce throttling? (Choose two.)

Select 2 answers
A.Increase the provisioned write capacity for the table.
B.Use conditional writes to prevent overwrites.
C.Implement a write sharding pattern using a random suffix on the partition key.
D.Enable DynamoDB Streams to process writes asynchronously.
E.Enable DynamoDB Accelerator (DAX) for the table.
AnswersA, C

Increasing write capacity directly reduces throttling.

Why this answer

Option A is correct because increasing the provisioned write capacity directly raises the number of write capacity units (WCUs) available per second, allowing more write requests to succeed without being throttled. Since the application performs frequent updates to the `quantity` attribute, which consumes write capacity, adding more capacity alleviates throttling during peak hours.

Exam trap

The trap here is that candidates often confuse read-side solutions (like DAX or Streams) with write-side throttling, or they mistakenly think conditional writes reduce capacity consumption, when in fact they do not address the root cause of insufficient write capacity or hot partitions.

1332
MCQeasy

A gaming company wants to store player profiles and game state data with low-latency access for millions of concurrent users. The data is accessed via a REST API and requires high scalability with minimal operational overhead. Which database service is MOST suitable?

A.Amazon RDS for MySQL with read replicas
B.Amazon DynamoDB
C.Amazon Neptune
D.Amazon ElastiCache for Redis
AnswerB

DynamoDB is serverless, scales automatically, and provides low-latency access.

Why this answer

Option C is correct because DynamoDB is a fully managed NoSQL database that provides single-digit millisecond latency at any scale, ideal for gaming profiles. Option A is wrong because RDS is relational and may not scale as easily. Option B is wrong because ElastiCache is a cache, not a primary database.

Option D is wrong because Neptune is for graph data.

1333
Multi-Selecthard

A company is using Amazon DynamoDB with provisioned capacity for a table that experiences unpredictable traffic spikes. The table's read capacity is often underutilized, but occasionally throttling occurs. Which THREE steps should be taken to improve performance and cost? (Choose THREE.)

Select 3 answers
A.Switch the table to on-demand capacity mode.
B.Reduce the provisioned read capacity units to save cost.
C.Enable auto scaling for read and write capacity.
D.Disable auto scaling to avoid cost fluctuations.
E.Implement DynamoDB Accelerator (DAX) to cache read requests.
AnswersA, C, E

On-demand mode automatically accommodates traffic spikes without throttling.

Why this answer

Switching to on-demand capacity handles unpredictable spikes automatically and reduces throttling. Using DynamoDB Accelerator (DAX) reduces read load by caching. Auto scaling adjusts capacity based on load, but on-demand is better for unpredictable spikes.

Reducing read capacity units would worsen throttling. Disabling auto scaling is counterproductive.

1334
MCQmedium

A database administrator runs the command shown in the exhibit. The security team requires that the database be encrypted at rest. What should the administrator do to enable encryption?

A.Enable encryption at the table level using MySQL's built-in encryption.
B.Create a snapshot of the DB instance, copy the snapshot with encryption, and restore from the encrypted snapshot.
C.Modify the DB instance and set StorageEncrypted to true.
D.The instance is already encrypted because the output shows 'StorageEncrypted' as false.
AnswerB

This is the standard method to enable encryption on an existing instance.

Why this answer

Option B is correct because encryption cannot be enabled on an existing unencrypted instance; you must create a snapshot, copy it with encryption, and restore. Option A is wrong because modifying the instance does not add encryption. Option C is wrong because encryption is at the storage level, not table level.

Option D is wrong because the command shows StorageEncrypted is false, so it is not encrypted.

1335
MCQhard

A company is building a real-time leaderboard for a gaming application. The leaderboard must update scores within seconds and support queries for top players and individual ranks. Which database design is most appropriate?

A.Amazon S3 with Range GET requests
B.Amazon ElastiCache for Redis with sorted sets
C.Amazon DynamoDB with a global secondary index on score
D.Amazon RDS for PostgreSQL with ORDER BY and LIMIT
AnswerC

DynamoDB GSI enables efficient querying of top scores and rank lookups.

Why this answer

Amazon DynamoDB with a global secondary index (GSI) on score can efficiently query top players and individual ranks. Option A (Amazon RDS with ORDER BY) becomes slow at scale. Option C (Amazon ElastiCache sorted sets) is good for leaderboards but not durable.

Option D (Amazon S3) is not suitable for real-time updates.

1336
MCQhard

A company uses Amazon DynamoDB to store IoT sensor data. Each sensor sends data every second, and the application needs to query the latest reading from each sensor. The sensor ID is the partition key, and the timestamp is the sort key. The table has millions of sensors. Which query pattern is most efficient to get the latest reading for a specific sensor?

A.Use BatchGetItem with the sensor ID and multiple timestamps
B.Use Scan with FilterExpression on sensor ID
C.Use GetItem with the sensor ID and the current timestamp
D.Use Query with KeyConditionExpression on sensor ID, ScanIndexForward=false, Limit=1
AnswerD

This retrieves the most recent item for that sensor efficiently.

Why this answer

Using a Query with ScanIndexForward set to false and a limit of 1 returns the most recent item for a given partition key efficiently. Option A (GetItem) requires knowing the exact sort key. Option C (Scan) is inefficient.

Option D (BatchGetItem) is for multiple items with known keys.

1337
MCQmedium

A healthcare application stores patient records in Amazon DynamoDB. Each record has a unique patient ID and contains sensitive health information. The application must encrypt data at rest and ensure that only authorized services can access the data. Which combination of design choices meets these requirements?

A.Implement client-side encryption and use Lambda to validate access.
B.Enable S3 server-side encryption with AWS KMS and use bucket policies.
C.Enable DynamoDB encryption at rest using AWS KMS and use IAM policies to restrict access.
D.Use AWS CloudHSM for key storage and VPC endpoints for access control.
AnswerC

DynamoDB integrates with KMS for encryption and IAM for access control.

Why this answer

Option C is correct because DynamoDB encryption at rest using AWS KMS provides server-side encryption for sensitive patient data, while IAM policies allow fine-grained access control to ensure only authorized services can access the table. This combination directly meets both the encryption and access control requirements without unnecessary complexity or service mismatches.

Exam trap

The trap here is that candidates may confuse encryption mechanisms across services (e.g., applying S3 encryption to DynamoDB) or assume that network controls like VPC endpoints replace the need for IAM-based authorization.

How to eliminate wrong answers

Option A is wrong because client-side encryption does not protect data at rest within DynamoDB (the application must manage keys and encryption logic), and Lambda validation is not a native access control mechanism for DynamoDB—IAM policies are required. Option B is wrong because S3 server-side encryption and bucket policies apply to Amazon S3, not DynamoDB; DynamoDB does not use S3 for primary storage or bucket policies for access control. Option D is wrong because AWS CloudHSM is a hardware security module for key storage but does not directly integrate with DynamoDB encryption at rest (DynamoDB uses AWS KMS, not CloudHSM), and VPC endpoints control network access but not authorization—IAM policies are still needed.

1338
MCQmedium

A company is migrating a 3 TB Oracle database to Amazon RDS for Oracle. They want to use Oracle Data Pump to export the data and then import it into RDS. What is the most efficient way to transfer the dump files to AWS?

A.Use AWS Snowball to physically ship the dump files to AWS.
B.Use AWS DMS to migrate the data directly from Oracle to RDS for Oracle.
C.Upload the dump files to Amazon S3 and then import them into RDS for Oracle using Oracle Data Pump.
D.Transfer the dump files over a VPN connection to an EC2 instance and then copy to RDS.
AnswerC

S3 provides scalable storage and fast upload; RDS can read from S3 for import.

Why this answer

Option C is correct because uploading the dump files to Amazon S3 and then using the Oracle Data Pump import from S3 (via UTL_FILE or direct read) is efficient and scalable. Option A is wrong because transferring over VPN/Direct Connect can be slow for large files. Option B is wrong because AWS Snowball is designed for very large data transfers (petabytes) and may be overkill for 3 TB, plus it adds logistics time.

Option D is wrong because AWS DMS is a separate service for migration, not for transferring dump files.

1339
Multi-Selecthard

Which THREE metrics should be monitored in Amazon CloudWatch to detect a potential memory leak in an Amazon RDS for SQL Server instance? (Choose three.)

Select 3 answers
A.DatabaseConnections
B.CPUUtilization
C.ReadIOPS
D.SwapUsage
E.FreeableMemory
AnswersA, D, E

If connections are not released, memory usage may increase.

Why this answer

Options B, C, and E are correct. FreeableMemory shows available memory. SwapUsage indicates memory pressure.

DatabaseConnections can increase if connections are not closed properly. Option A is incorrect because CPUUtilization is not a memory metric. Option D is incorrect because ReadIOPS relates to I/O.

1340
MCQeasy

A company recently migrated an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The database is 100 GB and used by a web application. After migration, the application's response time increased. The 'ReadLatency' and 'WriteLatency' metrics are normal. The 'CPUUtilization' is at 90%. The 'DatabaseConnections' metric shows 200 connections, which is close to the max connections for the instance class (db.t3.medium, max connections = 200). The application uses connection pooling. The team wants to reduce CPU utilization without changing the application code. Which action should the team take?

A.Decrease 'max_connections' parameter to 100.
B.Increase allocated storage to 200 GB.
C.Upgrade the DB instance to a larger class like db.t3.large.
D.Enable Performance Insights and switch to Provisioned IOPS.
AnswerC

A larger instance class provides more CPU cores and higher performance.

Why this answer

Option B is correct because upgrading to a larger instance class provides more CPU capacity. Option A is wrong because decreasing max connections may cause connection errors. Option C is wrong because increasing storage does not directly affect CPU.

Option D is wrong because switching to Provisioned IOPS improves I/O, but CPU is the bottleneck.

1341
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. During the migration, the database administrator notices that the CPU utilization on the RDS instance is consistently above 90% during peak hours, even though the on-premises server had similar specifications. The application queries are mostly SELECT statements with occasional DML. The RDS instance is db.r5.large with 500 GB of General Purpose SSD (gp2) storage. Which change would most likely reduce CPU utilization?

A.Create a read replica and redirect all SELECT queries to the replica.
B.Enable Multi-AZ to offload CPU to the standby instance.
C.Increase the allocated storage to 1 TB to improve I/O performance.
D.Upgrade to a larger instance type, such as db.r5.xlarge.
AnswerD

A larger instance provides more CPU cores and better performance, directly addressing high CPU utilization.

Why this answer

The db.r5.large instance type has 2 vCPUs and 16 GiB of memory. Sustained CPU utilization above 90% during peak hours indicates that the instance is compute-bound for the workload. Upgrading to db.r5.xlarge (4 vCPUs, 32 GiB memory) doubles the available CPU capacity, directly reducing CPU utilization for the same query load.

The on-premises server had similar specifications, but RDS instances may have different CPU architectures or hypervisor overhead, making the larger instance the most direct fix.

Exam trap

AWS often tests the misconception that increasing storage or adding a read replica can solve CPU bottlenecks, but the correct answer requires recognizing that CPU saturation is a compute issue best addressed by scaling instance size.

How to eliminate wrong answers

Option A is wrong because creating a read replica and redirecting SELECT queries offloads read traffic from the primary instance, but the primary still handles all DML and writes; if the CPU bottleneck is from both SELECT and DML processing on the primary, the replica does not reduce the primary's CPU load. Option B is wrong because Multi-AZ provides a standby instance for failover only; the standby does not serve read traffic or offload CPU from the primary—it is a synchronous replica that is not active for queries. Option C is wrong because increasing gp2 storage to 1 TB increases baseline IOPS from 1500 to 3000, which improves I/O throughput, but the problem is CPU utilization, not I/O latency or throughput; the instance is compute-bound, not storage-bound.

1342
MCQmedium

A financial services company uses Amazon Redshift for analytics. The workload consists of a mix of short-running queries from dashboards and long-running ETL jobs. The company notices that during peak hours, short queries experience high latency due to queueing behind ETL jobs. How can the company reduce the impact of ETL jobs on dashboard queries?

A.Configure workload management (WLM) queues to separate ETL and dashboard queries, and assign different concurrency levels.
B.Enable concurrency scaling to handle bursts of queries.
C.Enable short query acceleration (SQA) to prioritize queries that run under a certain time threshold.
D.Increase the number of nodes in the Redshift cluster.
AnswerA

WLM allows resource allocation per queue, ensuring dashboard queries have dedicated resources.

Why this answer

Option B is correct because WLM queues can isolate workloads, assigning concurrency and priority. Option A is wrong because concurrency scaling adds cost and doesn't prioritize. Option C is wrong because increasing node count scales all workloads.

Option D is wrong because short query acceleration (SQA) is for short queries but doesn't isolate ETL.

1343
MCQmedium

A company needs to implement a database solution for a global e-commerce platform that requires strongly consistent reads and writes with automatic failover across AWS Regions. Which service should be used?

A.Amazon DynamoDB global tables.
B.Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas.
C.Amazon ElastiCache for Redis with Global Datastore.
D.Amazon Aurora Global Database.
AnswerD

Provides cross-Region replication and failover with strong consistency.

Why this answer

Amazon Aurora Global Database is the correct choice because it provides strongly consistent reads and writes across multiple AWS Regions with automatic failover. It uses a primary cluster in one Region and up to five secondary read-only clusters in other Regions, with replication typically under one second. Failover to a secondary Region can be promoted in as little as one minute, meeting the requirements for a global e-commerce platform.

Exam trap

The trap here is that candidates often confuse DynamoDB global tables' eventual consistency with strong consistency, or assume Multi-AZ RDS provides cross-Region failover, when in fact Multi-AZ is limited to a single Region and cross-Region replicas require manual intervention.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB global tables offer multi-Region replication but provide eventual consistency for reads by default, not strong consistency, and writes are only strongly consistent within a single Region. Option B is wrong because Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas does not support automatic failover across Regions; Multi-AZ failover is within a single Region, and cross-Region replicas require manual promotion. Option C is wrong because Amazon ElastiCache for Redis with Global Datastore is an in-memory cache, not a durable database, and it does not guarantee strong consistency for writes across Regions.

1344
Multi-Selectmedium

A company is migrating a self-managed MongoDB database to Amazon DocumentDB (with MongoDB compatibility). Which TWO actions should the company take to ensure a successful migration? (Choose two.)

Select 2 answers
A.Use AWS Schema Conversion Tool (SCT) to convert MongoDB schemas to DocumentDB compatible format.
B.Use AWS Database Migration Service (DMS) to migrate data from MongoDB Atlas to DocumentDB.
C.Use AWS DMS to perform a full load and ongoing replication from MongoDB to DocumentDB.
D.Use AWS DMS with an Amazon EBS snapshot as the source for the migration.
E.Use AWS DMS to migrate data from MongoDB to Amazon DynamoDB, then import into DocumentDB.
AnswersA, C

SCT helps convert schemas for compatibility.

Why this answer

Options B and D are correct. AWS SCT can convert MongoDB schemas to DocumentDB. AWS DMS supports migration from MongoDB to DocumentDB.

Option A is wrong because MongoDB Atlas is a separate service, not used for migration. Option C is wrong because AWS DMS does not support Amazon EBS snapshots. Option E is wrong because DynamoDB is not compatible with MongoDB.

1345
Multi-Selecthard

A company is designing a disaster recovery strategy for an Amazon Aurora MySQL database. The database stores sensitive data that must be encrypted at rest. The primary region is us-east-1, and the secondary region is us-west-2. Which THREE steps are required to set up cross-region replication with encryption at rest?

Select 3 answers
A.Use a multi-Region KMS key to encrypt the Aurora cluster in the primary region.
B.Ensure the DB cluster parameter group is the same in both regions.
C.Create a cross-Region read replica in the secondary region.
D.Create a KMS key in the secondary region (us-west-2) and grant the Aurora service permission to use it.
E.Enable cross-Region replication on the Aurora cluster in the primary region.
AnswersA, D, E

A multi-Region key allows the replica to be encrypted in the secondary region using the same key material.

Why this answer

Option A is correct because using a multi-Region KMS key allows the Aurora cluster in the primary region to be encrypted at rest with a key that can be replicated to the secondary region, ensuring that the cross-region read replica can decrypt the data without needing to re-encrypt it. This key is replicated automatically by AWS KMS to the secondary region, maintaining the same key material for encryption and decryption across regions.

Exam trap

The trap here is that candidates often confuse the steps required for setting up cross-region replication with encryption at rest with the general steps for creating a cross-region read replica, leading them to select Option C as a required step when it is actually an outcome of enabling replication, not a separate configuration step.

1346
Multi-Selecthard

Which THREE of the following are required to set up cross-Region replication for an Amazon RDS for MySQL DB instance? (Choose THREE.)

Select 3 answers
A.The backup retention period on the source must be at least 1 day.
B.The source DB instance must be in a VPC.
C.A read replica must be created in the target Region.
D.Automated backups must be enabled on the source DB instance.
E.The source DB instance must be a Multi-AZ deployment.
AnswersA, C, D

Backup retention must be at least 1 day to enable automated backups.

Why this answer

Option A is correct because Amazon RDS requires a minimum backup retention period of 1 day on the source DB instance to enable automated backups, which are necessary for cross-Region replication. The backup retention period determines how long automated backups are retained, and a value of at least 1 day ensures that the source instance can generate the binary logs needed for replication to a read replica in another Region.

Exam trap

The trap here is that candidates often assume Multi-AZ is required for cross-Region replication, but Multi-AZ is only for high availability within a single Region, not for cross-Region replication, which relies on automated backups and read replicas.

1347
MCQeasy

A company is deploying Amazon DynamoDB for a new application. The application requires single-digit millisecond latency for read operations. Which DynamoDB feature should be configured to meet this requirement?

A.DynamoDB Accelerator (DAX)
B.DynamoDB Streams
C.Auto Scaling
D.Time to Live (TTL)
AnswerA

DAX provides in-memory caching for fast reads.

Why this answer

DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that delivers up to 10x read performance improvement. Option B (Auto Scaling) handles throughput. Option C (TTL) expires items.

Option D (Streams) captures changes.

1348
MCQhard

A company is running an Amazon RDS for SQL Server instance with Multi-AZ deployment. The database is used by a critical application. During a recent failover test, the application experienced a 2-minute downtime. The application's connection string uses the DB instance endpoint, not the cluster endpoint. Which change would minimize downtime during future failovers?

A.Modify the application to use the cluster endpoint instead of the instance endpoint
B.Increase the DB instance class size
C.Create a read replica in a different Availability Zone
D.Enable Multi-AZ on the DB instance
AnswerA

The cluster endpoint points to the current primary and updates automatically after failover, reducing downtime.

Why this answer

Option D is correct because using the cluster endpoint (CNAME) automatically redirects to the current primary, reducing downtime. Option A is wrong because enabling Multi-AZ is already done. Option B is wrong because increasing instance size does not reduce failover time.

Option C is wrong because read replicas are for read scaling, not failover.

1349
Multi-Selectmedium

A company is using Amazon DynamoDB and wants to monitor the read/write capacity utilization of a table. Which TWO AWS services can be used to set up alarms for capacity consumption?

Select 2 answers
A.Amazon DynamoDB Auto Scaling
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.Amazon CloudWatch
E.AWS Config
AnswersC, D

CloudWatch Logs can be used with metric filters to monitor log entries for capacity events.

Why this answer

Options A and B are correct. CloudWatch provides metrics like ConsumedReadCapacityUnits and can trigger alarms. CloudWatch Logs can capture log events but is not directly used for capacity alarms.

CloudTrail records API calls, not capacity metrics. DynamoDB Auto Scaling adjusts capacity but does not monitor. AWS Config tracks configuration changes, not capacity.

1350
Multi-Selecteasy

Which TWO AWS services can be used to cache database query results to improve read performance? (Select TWO.)

Select 2 answers
A.Amazon DynamoDB Accelerator (DAX)
B.Amazon ElastiCache for Redis
C.Amazon CloudFront
D.Amazon ElastiCache for Memcached
E.Amazon RDS read replica
AnswersB, D

In-memory cache for query results.

Why this answer

Amazon ElastiCache for Redis and Amazon ElastiCache for Memcached are in-memory caching services. DAX is for DynamoDB only. RDS does not cache.

CloudFront is CDN.

Page 17

Page 18 of 24

Page 19