AWS Certified Database Specialty DBS-C01 (DBS-C01) — Questions 15761650

1730 questions total · 24pages · All types, answers revealed

Page 21

Page 22 of 24

Page 23
1576
Multi-Selecteasy

A company is using Amazon DynamoDB with provisioned capacity. The table's read capacity is consistently underutilized, but the write capacity is frequently maxed out. The team wants to optimize costs while maintaining performance. Which TWO actions should be taken?

Select 2 answers
A.Switch the table to on-demand capacity mode.
B.Enable DynamoDB Accelerator (DAX) to offload reads.
C.Use DynamoDB Auto Scaling for write capacity.
D.Increase the provisioned write capacity to handle spikes.
E.Reduce the provisioned read capacity to match actual usage.
AnswersC, E

Auto Scaling adjusts write capacity to match demand, reducing throttling and cost.

Why this answer

Options B and C are correct because using DynamoDB Auto Scaling for writes will adjust capacity based on demand, and reducing provisioned reads to actual usage will save costs. Option A is wrong because switching to on-demand may increase costs if the workload is predictable. Option D is wrong because reducing writes would cause throttling.

Option E is wrong because using DAX does not reduce write costs.

1577
MCQeasy

A company wants to automate the creation of a new Amazon RDS for SQL Server instance with specific configurations, including VPC, subnet, and security group settings. Which AWS service should be used to deploy this infrastructure as code?

A.AWS CodeDeploy
B.AWS Elastic Beanstalk
C.AWS CloudFormation
D.AWS OpsWorks
AnswerC

CloudFormation templates can define RDS instances along with VPC, subnets, and security groups.

Why this answer

AWS CloudFormation allows you to define infrastructure as code and automate resource creation.

1578
MCQeasy

A company is deploying a new Amazon RDS for PostgreSQL database. The database will be used by an application that requires read-after-write consistency and low latency. Which deployment configuration is MOST suitable?

A.Deploy with one or more read replicas in the same region
B.Deploy with cross-region replicas
C.Deploy as a single-AZ instance with increased instance size
D.Deploy as Multi-AZ with a synchronous standby
AnswerA

Read replicas offload read traffic and reduce latency for read operations.

Why this answer

Multi-AZ deployment with synchronous standby provides high availability and data durability, but does not improve read performance. Read replicas (Option B) improve read scalability but may have eventual consistency. Option C (single-AZ) lacks HA.

Option D (cross-region) is for DR.

1579
MCQhard

A company is using Amazon ElastiCache for Redis as a caching layer for a high-traffic web application. The cache hit ratio has dropped from 95% to 70% after a recent deployment that changed the cache key structure. The application team wants to improve the hit ratio without increasing the cache memory. Which action should they take?

A.Disable Cluster Mode and use a single node.
B.Implement a consistent hashing algorithm for key distribution.
C.Increase the TTL (time-to-live) for all cache keys.
D.Use random TTLs to spread out expiration times.
AnswerB

Consistent hashing minimizes key redistribution when nodes change and ensures even distribution, reducing evictions and improving hit ratio.

Why this answer

Option B is correct because using a consistent hashing algorithm ensures that keys are evenly distributed across nodes, reducing evictions and improving hit ratio. Option A is wrong because increasing TTL may cause stale data but does not directly improve hit ratio. Option C is wrong because Cluster Mode Off would limit scalability but not necessarily improve hit ratio.

Option D is wrong because random TTLs can lead to premature evictions and reduce hit ratio.

1580
MCQeasy

A company is using Amazon RDS for SQL Server with Multi-AZ and automated backups enabled. The database administrator needs to restore the database to a specific point in time that is within the retention period. What is the correct procedure?

A.Use the RDS console to perform a point-in-time recovery to the desired time
B.Restore from a manual snapshot taken at the desired time
C.Use the native SQL Server backup and restore functionality
D.Restore from the latest automated snapshot
AnswerA

Point-in-time recovery allows restoring to any time within the retention period.

Why this answer

Option B is correct because point-in-time recovery is performed through the RDS console or API by specifying the time. Option A is wrong because it restores the latest backup. Option C is wrong because it restores a manual snapshot.

Option D is wrong because automated backups are used for point-in-time recovery.

1581
MCQhard

A company has a production Amazon DynamoDB table with on-demand capacity. The table experiences occasional throttling due to hot partitions. The operations team wants to implement a solution to identify the specific partition keys causing the throttling. What is the MOST efficient approach?

A.Enable AWS X-Ray tracing on the application and analyze traces.
B.Enable VPC Flow Logs and use CloudWatch Logs Insights to query the logs.
C.Enable Amazon CloudWatch Contributor Insights for DynamoDB.
D.Enable DynamoDB Streams and process the stream records to identify hot keys.
AnswerC

Contributor Insights analyzes access patterns and identifies top partition keys.

Why this answer

Option D is correct because Amazon CloudWatch Contributor Insights can analyze DynamoDB logs and identify the most accessed partition keys, helping to pinpoint hot partitions. Option A is incorrect because CloudWatch Logs Insights requires enabling VPC Flow Logs, which is not specific to DynamoDB. Option B is incorrect because AWS X-Ray traces requests but does not provide partition-level metrics.

Option C is incorrect because DynamoDB Streams capture changes, not access patterns.

1582
MCQhard

A company is migrating a 10 TB Oracle data warehouse to Amazon Redshift. They want to use AWS DMS for continuous replication. However, the migration is taking longer than expected due to LOB columns. What optimization should be applied?

A.Use AWS SCT to compress LOBs.
B.Enable FullLobMode to transfer all LOBs.
C.Set MaxLobSize to a value like 64 KB to limit inline LOB transfer.
D.Increase the number of DMS tasks.
AnswerC

This optimizes performance.

Why this answer

Setting the DMS task attribute 'MaxLobSize' to a reasonable value limits the size of LOBs transferred inline, improving performance. 'FullLobMode' slows down migration. Increasing instance size helps but not as targeted.

1583
MCQmedium

A company is migrating its on-premises MySQL database to Amazon Aurora MySQL. The current database has a table of 500 GB that is accessed by a nightly batch job that updates 80% of the rows. The company wants to minimize downtime during migration. Which migration strategy is MOST appropriate?

A.Use AWS Database Migration Service (DMS) with Aurora as the target.
B.Create an Aurora read replica from the on-premises database.
C.Export the data to Amazon S3 and load it into Aurora using the LOAD DATA FROM S3 command.
D.Use mysqldump to export the database and import it into Aurora.
AnswerA

DMS allows ongoing replication, minimizing downtime.

Why this answer

Option B is correct because using AWS DMS with Aurora MySQL as the target allows a full load plus ongoing replication to minimize downtime. Option A is wrong because mysqldump would require application downtime during the dump and restore. Option C is wrong because an Aurora read replica can only be created from an existing Aurora instance, not from on-premises.

Option D is wrong because S3 export/import is for data warehousing, not for minimal downtime migration.

1584
MCQmedium

A data analyst reports that a nightly ETL job to Amazon Redshift is failing with timeout errors shown in the exhibit. The cluster is a dc2.large with 2 nodes. The ETL job inserts large volumes of data. What is the most likely cause?

A.The cluster has reached the maximum number of connections.
B.The workload manager (WLM) queue timeout is too low.
C.The security group is blocking inbound traffic from the ETL server.
D.The cluster has insufficient disk space for the data load.
AnswerD

dc2 nodes use local SSD; full disk causes write failures.

Why this answer

Option C is correct because dc2 nodes have limited local SSD storage; if the cluster runs out of disk space, writes time out. Option A is wrong because Redshift does not have a max_connections parameter like RDS. Option B is wrong because network ACLs would cause connection failures, not timeouts after connection.

Option D is wrong because WLM queue timeouts cause different errors.

1585
MCQhard

A database specialist is troubleshooting an Amazon RDS for PostgreSQL instance that is experiencing intermittent connection timeouts. The application logs show errors like 'FATAL: remaining connection slots are reserved for non-replication superuser connections'. The max_connections parameter is set to 100. What should the specialist do to resolve this issue?

A.Modify the 'max_connections' parameter to a higher value and reboot the instance.
B.Increase the 'max_replication_slots' parameter to allow more replication connections.
C.Increase the value of the 'superuser_reserved_connections' parameter.
D.Enable RDS Proxy to manage database connections efficiently.
AnswerA

Increasing max_connections allows more concurrent connections and resolves the error.

Why this answer

Option C is correct because the error indicates connection pool exhaustion. Increasing max_connections allows more concurrent connections. Option A is wrong because the error is about connection slots, not idle sessions.

Option B is wrong because reserving more slots for superusers does not address the root cause. Option D is wrong because the error is not due to replication slots.

1586
MCQmedium

A company is migrating a 500 GB MongoDB database to Amazon DocumentDB. The migration must have minimal impact on the source database. Which approach should the company take?

A.Use mongodump to export the data, then use mongorestore to import into DocumentDB.
B.Use mongoexport to export CSV, then use the DocumentDB import tool.
C.Use AWS Database Migration Service (DMS) with MongoDB as source and DocumentDB as target.
D.Use AWS Schema Conversion Tool (SCT) to convert schema, then copy data.
AnswerC

DMS allows online migration with minimal impact.

Why this answer

AWS DMS supports MongoDB as a source and DocumentDB as a target, with ongoing replication to minimize downtime. Option A (mongorestore) causes high impact. Option C (export/import) causes impact.

Option D (AWS SCT) is not for migration itself.

1587
MCQeasy

A database specialist needs to capture SQL queries executed against an Amazon Aurora MySQL DB cluster for performance analysis. The capture should have minimal performance impact and be stored in Amazon CloudWatch Logs. Which feature should the specialist use?

A.Enable Performance Insights and configure the Performance Insights log export to CloudWatch Logs.
B.Enable the slow query log and export to CloudWatch Logs.
C.Enable database audit logs and export to CloudWatch Logs.
D.Enable the general log and publish to CloudWatch Logs.
AnswerA

Performance Insights captures SQL queries with minimal impact.

Why this answer

Option B is correct. The Performance Insights dashboard in Aurora provides SQL query metrics with low overhead and can publish logs to CloudWatch Logs. Option A is wrong because database audit logs are for security compliance, not performance analysis.

Option C is wrong because the general log is high overhead. Option D is wrong because slow query log only captures slow queries, not all queries.

1588
MCQmedium

A company is running an Amazon RDS for MySQL DB instance. The database performance has degraded over time. The DBA suspects that the issue is due to a high number of connections that are in a 'sleep' state from a legacy application. What is the MOST effective solution to automatically terminate idle connections?

A.Modify the 'wait_timeout' parameter in the DB parameter group to a lower value.
B.Increase the 'max_connections' parameter to accommodate more idle connections.
C.Enable Amazon RDS Proxy to manage connection pooling and automatically close idle connections.
D.Use a script to run 'SHOW PROCESSLIST' and manually kill idle connections.
AnswerA

This parameter controls how long the server waits for activity on a non-interactive connection before closing it.

Why this answer

Option C is correct because Amazon RDS for MySQL supports the 'wait_timeout' parameter, which automatically closes idle connections after the specified number of seconds. Reducing this value from the default 28800 seconds will terminate sleeping connections sooner. Option A is incorrect because manually killing connections is not automated.

Option B is incorrect because RDS Proxy does not terminate idle connections; it manages connection pooling. Option D is incorrect because modifying 'max_connections' does not affect idle connections.

1589
MCQmedium

A company uses Amazon DynamoDB with AWS KMS customer managed keys for encryption at rest. The security team wants to audit who is using the KMS key to encrypt and decrypt data. Which AWS service should be used?

A.Amazon S3 access logs
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records all KMS API operations for auditing.

Why this answer

Option B is correct because CloudTrail logs all KMS API calls, including encrypt and decrypt. Option A is wrong because CloudWatch Logs can store logs but does not capture KMS API calls by itself. Option C is wrong because AWS Config tracks resource configuration changes, not API calls.

Option D is wrong because S3 access logs are for S3.

1590
MCQhard

A company uses Amazon Aurora MySQL-Compatible Edition. The database specialist notices that the DB cluster's failover time is longer than expected. The primary instance is using a db.r5.large instance class. Which change would most likely reduce the failover time?

A.Enable Backtrack on the DB cluster.
B.Use a larger instance class for the Aurora Replicas.
C.Increase the number of Aurora Replicas.
D.Enable Multi-AZ deployment for the DB cluster.
AnswerB

Larger replicas can process transactions faster during promotion, reducing failover time.

Why this answer

Using a larger instance class for Aurora replicas ensures they can handle the workload after failover, potentially reducing failover time. However, the key factor is that Aurora failover is typically fast, but if replicas are undersized, the time to promote and become fully operational increases. Using a larger instance class for the replicas (or all instances) can help.

1591
MCQhard

A company runs an e-commerce platform using Amazon DynamoDB as the database. The table has a provisioned capacity of 5000 WCU and 3000 RCU. During a flash sale, the write traffic spikes to 8000 WCU for 10 minutes, causing significant throttling. The operations team notices that the table's WriteCapacityUnits metric shows 5000, but the ConsumedWriteCapacityUnits metric peaks at 4500. The application is experiencing errors and slow response times. The team wants to handle such spikes automatically without manual intervention and without over-provisioning. Which solution should be implemented?

A.Enable DynamoDB Auto Scaling with a target utilization of 70% and a minimum capacity of 5000 WCU
B.Increase the provisioned WCU to 8000 permanently
C.Implement an Amazon SQS queue to buffer write requests and process them asynchronously
D.Switch the table to on-demand capacity mode
AnswerA

Auto Scaling dynamically adjusts capacity to handle spikes while minimizing cost.

Why this answer

Option A is correct because DynamoDB Auto Scaling can adjust capacity based on demand, and setting a target utilization of 70% allows headroom for spikes. Option B is wrong because on-demand capacity is simpler but can be more expensive for predictable workloads. Option C is wrong because increasing WCU to 8000 permanently would be costly.

Option D is wrong because SQS adds latency and does not solve the throttling issue in real-time.

1592
MCQmedium

A company uses Amazon DynamoDB to store IoT sensor data. Each sensor writes a record every second. The table has a partition key of 'sensor_id' and a sort key of 'timestamp'. Over time, the team notices that write performance degrades for certain sensors that generate more data. The table uses provisioned capacity with auto scaling enabled. The application uses eventual consistency. The team needs to ensure consistent write performance without throttling. Which action should be taken?

A.Modify the partition key to include a random number or prefix to distribute writes evenly.
B.Increase the provisioned write capacity units (WCU) to a higher value.
C.Switch the table to on-demand capacity mode.
D.Create a global secondary index (GSI) with a different partition key to handle writes.
AnswerA

Write sharding evens out the load across partitions, preventing any single partition from being overloaded.

Why this answer

Option C is correct because adding a random suffix to the partition key distributes writes across partitions, avoiding hot partitions. Option A is wrong because increasing WCU does not solve the partition hot spot, as the limit per partition is fixed. Option B is wrong because switching to on-demand still has per-partition limits.

Option D is wrong because a GSI does not change the base table's write distribution.

1593
MCQeasy

A company runs a PostgreSQL database on an Amazon RDS DB instance (db.t3.medium) with 100 GB of General Purpose SSD (gp2) storage. The database is used by a web application that experiences occasional slowdowns. CloudWatch metrics show that the BurstBalance metric for the storage volume drops to 0% during peak usage and then recovers. The average IOPS during peak is 600, and the baseline IOPS for the volume is 300. The team needs a cost-effective solution to eliminate the performance issues. What should the team do?

A.Upgrade the DB instance to db.t3.large.
B.Increase the gp2 volume size to 200 GB.
C.Migrate the storage to gp3 with 3000 baseline IOPS.
D.Enable Performance Insights to monitor database load.
AnswerC

gp3 provides a consistent baseline of 3000 IOPS (or 3000 if using the default) without burst credits, eliminating the burst balance issue and providing headroom.

Why this answer

Option B is correct because converting to gp3 provides a consistent baseline of 3000 IOPS (or 3000 if using the default 3000 IOPS, though for 100 GB the baseline is 3000) without burst credits, eliminating the burst balance problem. Option A is incorrect because increasing gp2 volume size to 200 GB increases baseline to 600 IOPS and burst credits, but still relies on credits; the workload may still exceed baseline. Option C is incorrect because increasing instance size does not affect storage performance.

Option D is incorrect because enabling Performance Insights does not improve performance.

1594
MCQmedium

A company is migrating a 1 TB SQL Server database to Amazon RDS for SQL Server using backup and restore. The database has high transaction volume. Which backup type should be used to minimize downtime?

A.Perform a full backup, then transaction log backups, and restore the full backup with the last log backup.
B.Perform only transaction log backups and restore them to RDS.
C.Perform a differential backup and restore it to RDS.
D.Perform a full backup and restore it to RDS.
AnswerA

Allows point-in-time recovery, minimizing data loss.

Why this answer

Option C is correct because a full backup followed by transaction log backups allows restoring to a point in time, minimizing data loss and downtime. Option A is wrong because only full backup requires longer downtime during restore and may lose transactions. Option B is wrong because differential backup alone is not sufficient; you need a full backup chain.

Option D is wrong because transaction log backup alone cannot restore without a full backup.

1595
MCQhard

A database engineer is troubleshooting a production Amazon Aurora MySQL DB cluster. The application is experiencing high latency on write operations. The engineer checks the Amazon CloudWatch metrics and sees that the 'AuroraBinlogReplicaLag' metric is high. What is the most likely cause of the write latency?

A.The DB cluster has insufficient storage capacity for the binlog files
B.The DB cluster has a high CPU utilization that is causing replication lag
C.The binlog replication to a downstream MySQL instance is falling behind
D.A recent failover event caused the binlog to be replayed from the last checkpoint
AnswerC

High binlog lag means the downstream replica cannot keep up, causing write delays if the source waits for acknowledgment.

Why this answer

Option C is correct because the 'AuroraBinlogReplicaLag' metric specifically measures the lag between the Aurora MySQL cluster and an external MySQL instance that is replicating from Aurora using binary log (binlog) replication. When this lag is high, it indicates that the downstream MySQL instance is falling behind in applying binlog events, which can cause write operations on the Aurora cluster to stall or slow down due to the synchronous nature of binlog generation and the need to retain binlogs until they are consumed by the replica.

Exam trap

The trap here is that candidates often confuse 'AuroraBinlogReplicaLag' with Aurora's internal replication lag (e.g., ReplicaLag for Aurora Replicas) or with general performance metrics like CPU or storage, leading them to select incorrect options that do not address the specific binlog replication context.

How to eliminate wrong answers

Option A is wrong because insufficient storage capacity for binlog files would cause binlog file retention issues or storage full errors, but it does not directly cause high binlog replication lag; the 'AuroraBinlogReplicaLag' metric is about replication delay, not storage capacity. Option B is wrong because high CPU utilization on the DB cluster can cause general performance degradation, but the 'AuroraBinlogReplicaLag' metric is specific to the lag of binlog replication to an external MySQL instance, not to internal replication or CPU-related delays. Option D is wrong because a failover event would cause a brief interruption and replay of binlog from the last checkpoint, but this would not result in a persistently high 'AuroraBinlogReplicaLag' metric; the lag would typically be transient and recover quickly.

1596
Multi-Selecteasy

Which TWO tools can be used to monitor query performance in Amazon Aurora MySQL? (Choose 2.)

Select 2 answers
A.Amazon RDS Performance Insights
B.AWS Config
C.Amazon RDS Enhanced Monitoring
D.VPC Flow Logs
E.AWS CloudTrail
AnswersA, C

Shows database load and SQL queries.

Why this answer

A and D are correct. Performance Insights provides database performance analysis. Enhanced Monitoring provides OS-level metrics.

B is wrong because CloudTrail logs API calls. C is wrong because VPC Flow Logs show network traffic. E is wrong because AWS Config tracks resource configuration.

1597
MCQhard

A company runs a document management system using Amazon DocumentDB (with MongoDB compatibility). The application stores large documents (up to 5 MB each) and frequently fetches them by document ID. The team notices increased latency during peak hours. They need to reduce read latency. Which action is MOST effective?

A.Add read replicas to the cluster
B.Shard the collection across multiple DocumentDB clusters
C.Implement Amazon ElastiCache for Redis in front of DocumentDB
D.Increase the instance class of the primary instance
AnswerA

Read replicas offload read traffic and reduce latency.

Why this answer

Adding read replicas to the DocumentDB cluster is the most effective action because it offloads read traffic from the primary instance, directly reducing read latency during peak hours. DocumentDB supports up to 15 read replicas that are kept in sync via the cluster's replication mechanism, and the application's frequent fetches by document ID are read-heavy operations that benefit from distributing the load across multiple replicas.

Exam trap

AWS often tests the misconception that scaling up the primary instance (Option D) is equivalent to scaling out read capacity, but in DocumentDB, read replicas are the correct solution for read-heavy workloads because they provide horizontal read scaling without overloading the primary.

How to eliminate wrong answers

Option B is wrong because sharding across multiple DocumentDB clusters is not a native feature of DocumentDB; DocumentDB does not support horizontal sharding like MongoDB, and managing multiple clusters manually would introduce complexity without reducing read latency for individual document fetches. Option C is wrong because implementing Amazon ElastiCache for Redis in front of DocumentDB adds an additional caching layer that, while potentially beneficial for repeated queries, introduces cache management overhead and does not address the root cause of increased latency during peak hours for direct document ID lookups. Option D is wrong because increasing the instance class of the primary instance only scales the compute and memory resources of a single node, which does not distribute the read load and may still result in latency under high concurrent read traffic.

1598
MCQmedium

A company is running a production Amazon RDS for PostgreSQL database. The database has experienced a sudden spike in CPU utilization, causing application timeouts. The monitoring team needs to identify the root cause. Which AWS service or feature should be used to analyze the database load and identify the specific queries causing the high CPU?

A.Enhanced Monitoring
B.Amazon CloudWatch Logs
C.Amazon RDS Performance Insights
D.AWS Trusted Advisor
AnswerC

Performance Insights provides database load analysis and helps identify the specific SQL queries that are causing high CPU.

Why this answer

Option D is correct because Performance Insights provides a database performance tuning and monitoring feature that helps you quickly assess the load on your database and determine when and where to take action. Option A is wrong because CloudWatch Logs captures database logs, not real-time performance data. Option B is wrong because Enhanced Monitoring provides OS-level metrics, not database query details.

Option C is wrong because AWS Trusted Advisor provides best practice checks but not query-level analysis.

1599
MCQmedium

A company uses Amazon RDS for Oracle for an OLTP application. The database experiences high CPU utilization during peak hours. The application is read-heavy and can tolerate eventually consistent reads. Which solution reduces CPU load on the primary database with minimal application changes?

A.Implement Amazon ElastiCache to cache frequent queries
B.Upgrade to a larger instance type
C.Create an RDS read replica and direct read traffic to it
D.Use DynamoDB Accelerator (DAX) as a cache layer
AnswerC

Read replicas offload read traffic from the primary, reducing CPU load with minimal application changes.

Why this answer

Option C is correct because creating an RDS Read Replica offloads read traffic from the primary Oracle instance, directly reducing CPU utilization on the primary. Since the application is read-heavy and tolerates eventually consistent reads, the replica’s asynchronous replication lag is acceptable. This solution requires minimal application changes—only modifying the connection string to route SELECT queries to the replica endpoint.

Exam trap

The trap here is that candidates assume caching (ElastiCache or DAX) is the only way to reduce read load, but they overlook that RDS Read Replicas directly offload the database engine’s CPU without requiring application caching logic or a different database service.

How to eliminate wrong answers

Option A is wrong because Amazon ElastiCache caches query results in memory, but it requires application code changes to implement cache-aside or lazy loading patterns, and it does not offload database CPU for queries that miss the cache. Option B is wrong because upgrading to a larger instance type increases capacity but does not reduce CPU load; it only postpones the issue and incurs higher cost without addressing the root cause of read-heavy traffic. Option D is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for Amazon DynamoDB, not for Amazon RDS for Oracle; it cannot be used to cache Oracle queries or reduce CPU on an RDS instance.

1600
MCQhard

A team is setting up a DMS migration task. The IAM policy above is attached to the DMS replication instance's IAM role. The team is unable to modify the target RDS instance's maintenance window during the migration. Which additional permission is missing?

A.Add 'rds:ModifyDBInstance' permission for the source RDS instance.
B.Add 'rds:ModifyOptionGroup' permission for the target RDS instance.
C.Add 'dms:ModifyReplicationInstance' permission for the DMS replication instance.
D.Add 'ec2:DescribeVpcs' permission to the policy.
AnswerA

The policy only allows modification of the target instance; the source instance also needs to be modified during migration, e.g., enabling binary logging.

Why this answer

The correct answer is A because modifying the target RDS instance's maintenance window requires the `rds:ModifyDBInstance` permission. The DMS replication instance's IAM role must have this permission for the target RDS instance to allow the migration task to adjust the maintenance window, which is necessary to prevent conflicts during ongoing replication. Without this permission, the DMS task cannot alter the maintenance window, even if the IAM role has other RDS permissions.

Exam trap

The trap here is that candidates may confuse the permissions needed for modifying the target RDS instance's maintenance window with permissions for modifying the DMS replication instance or RDS option groups, leading them to select options B or C instead of the correct `rds:ModifyDBInstance` permission.

How to eliminate wrong answers

Option B is wrong because `rds:ModifyOptionGroup` is used to modify option groups (e.g., enabling Oracle TDE or SQL Server native backup/restore), not the maintenance window of an RDS instance. Option C is wrong because `dms:ModifyReplicationInstance` is an action on the DMS replication instance itself, not on the target RDS instance, and does not grant the ability to modify the RDS maintenance window. Option D is wrong because `ec2:DescribeVpcs` is a read-only permission for describing VPCs, which is unrelated to modifying RDS instance maintenance windows.

1601
MCQhard

A company uses Amazon DynamoDB with a global secondary index (GSI) on a table that contains sensitive data. The security team requires that the GSI be encrypted with a different AWS KMS key than the base table. Can this be achieved, and if so, how?

A.Yes, by using a custom KMS key policy that differentiates between table and index.
B.Yes, by specifying a different KMS key ID when creating the GSI.
C.No, DynamoDB encrypts the entire table and all its indexes with the same KMS key.
D.No, but you can use a different KMS key for the table and then the GSI will automatically use a different key.
AnswerC

DynamoDB uses one KMS key for the table and all associated indexes.

Why this answer

Option C is correct because DynamoDB encrypts all data at rest using a single KMS key per table. The base table and all of its GSIs are encrypted with the same key. It is not possible to use a different KMS key for a GSI.

Option A is wrong because the GSI cannot have a separate key. Option B is wrong because KMS key policies do not allow per-index encryption. Option D is wrong because the table and its GSIs always use the same key.

1602
MCQmedium

A company is using Amazon DynamoDB to store sensitive customer data. They need to ensure that all data is encrypted at rest using a customer-managed AWS KMS key. The company also wants to rotate the KMS key every year. What is the simplest way to achieve key rotation?

A.Create a new KMS key every year and update the DynamoDB table to use the new key.
B.Manually rotate the key by deleting and recreating the KMS key each year.
C.Enable automatic key rotation in AWS KMS for the customer-managed key.
D.Import new key material into the existing KMS key every year.
AnswerC

Automatic rotation rotates the key material annually without manual intervention.

Why this answer

Option A is correct because AWS KMS supports automatic annual rotation for customer-managed keys when enabled. You can enable automatic rotation using the KMS console or API. Option B is wrong because creating a new key and updating the DynamoDB table requires manual effort and is more complex.

Option C is wrong because AWS KMS does not support importing key material for symmetric keys; you can import key material for asymmetric keys but rotation is not automatic. Option D is wrong because manual rotation is not required and is more error-prone.

1603
Multi-Selectmedium

A company is using Amazon RDS for PostgreSQL and needs to monitor the database for performance issues. Which TWO metrics in Amazon CloudWatch are most useful for identifying I/O bottlenecks?

Select 2 answers
A.ReadIOPS
B.FreeStorageSpace
C.DiskQueueDepth
D.DatabaseConnections
E.CPUUtilization
AnswersA, C

ReadIOPS and WriteIOPS show I/O operations.

Why this answer

Option B is correct because ReadIOPS and WriteIOPS show the actual I/O operations. Option D is correct because DiskQueueDepth indicates pending I/O requests, which suggests contention. Option A is wrong because CPU utilization is compute, not I/O.

Option C is wrong because FreeStorageSpace is capacity, not performance. Option E is wrong because DatabaseConnections is about connections, not I/O.

1604
Multi-Selecteasy

A company needs to choose a database for a real-time analytics workload that requires sub-second query latency on streaming data. Which TWO AWS services are most suitable?

Select 2 answers
A.Amazon Neptune.
B.Amazon RDS for PostgreSQL with materialized views.
C.Amazon Redshift with streaming ingestion from Kinesis.
D.Amazon Timestream.
E.Amazon DynamoDB Accelerator (DAX).
AnswersC, D

Supports near-real-time analytics.

Why this answer

Amazon Timestream is purpose-built for time-series data and provides sub-second query latency on streaming data via its dedicated query engine and automatic tiering between in-memory and magnetic stores. Amazon Redshift with streaming ingestion from Kinesis enables real-time analytics by directly consuming Kinesis data streams into Redshift materialized views, allowing sub-second queries on fresh data without batch loading.

Exam trap

The trap here is that candidates often confuse low-latency caching services like DAX or traditional databases with materialized views as suitable for real-time streaming analytics, overlooking that only purpose-built time-series databases or services with native streaming ingestion can guarantee sub-second query latency on continuous data streams.

1605
MCQmedium

A database administrator is troubleshooting a slow-performing query on an Amazon RDS for MySQL instance. The slow query log shows the above entry. Based on the exhibit, which index would most improve the query performance?

A.Index on `created_at` only.
B.Index on `status` only.
C.Full-text index on `status` and `created_at`.
D.Composite index on (`status`, `created_at`).
AnswerD

Covers both filter and sort, avoiding a full table scan.

Why this answer

The query filters on `status` and then sorts or filters on `created_at`. A composite index on (`status`, `created_at`) allows MySQL to use the index for both the equality condition on `status` and the range or sort on `created_at`, avoiding a filesort and reducing row scans. This is the most efficient index for this query pattern.

Exam trap

The trap here is that candidates often pick a single-column index on `status` (Option B) thinking it will help the filter, but they overlook the need to also optimize the sort or range on `created_at`, which requires a composite index to avoid a filesort.

How to eliminate wrong answers

Option A is wrong because an index on `created_at` only would not help with the `status` filter, forcing a full table scan or inefficient index scan. Option B is wrong because an index on `status` only would filter by status but then require a separate sort or additional filtering on `created_at`, leading to a filesort and poor performance. Option C is wrong because a full-text index is designed for text search (e.g., MATCH AGAINST) and is not suitable for equality or range comparisons on `status` and `created_at`; it would be ignored by the optimizer for this query.

1606
MCQmedium

A company is migrating a 100 GB Oracle database to Amazon RDS for Oracle. They want to use AWS DMS. The source database is in a different AWS account. What is required to allow DMS to connect to the source?

A.Establish VPC peering or VPN between the source and target VPCs, and configure security group rules.
B.Assign an IAM role to the source database to allow DMS access.
C.Configure an S3 VPC gateway endpoint for the source VPC.
D.Create a VPC endpoint for DMS in the source account.
AnswerA

DMS requires network connectivity between the replication instance and the source database.

Why this answer

Option C is correct because DMS needs network connectivity via VPC peering or VPN, and the source security group must allow DMS. Option A is wrong because VPC endpoints are not needed for DMS to source. Option B is wrong because DMS does not use an S3 endpoint for source connectivity.

Option D is wrong because DMS does not use an IAM role for database connectivity; it uses database credentials.

1607
MCQmedium

A database administrator runs the described command. What does the output indicate about the RDS instance?

A.The DB instance is not encrypted at rest.
B.The DB instance is in a failed state.
C.The DB instance is running PostgreSQL.
D.The DB instance is encrypted at rest using a KMS key.
AnswerA

StorageEncrypted is false.

Why this answer

Option C is correct. The output shows 'StorageEncrypted: false' and 'KmsKeyId: null', which means the instance is not encrypted at rest. Option A is incorrect because the instance is available.

Option B is incorrect because the engine is MySQL. Option D is incorrect because the output clearly shows encryption status.

1608
Drag & Dropmedium

Arrange the steps to restore an Amazon RDS for MySQL DB instance to a new instance from a manual snapshot in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Restoring from a manual snapshot involves selecting the snapshot, configuring the new instance, and waiting for completion.

1609
MCQmedium

A company runs a document management system using Amazon S3 and Amazon DynamoDB. The application writes document metadata to DynamoDB and stores the document in S3. Recently, users report that occasionally documents are saved in S3 but the corresponding metadata is missing in DynamoDB. The application writes to DynamoDB first, then to S3. If the S3 upload fails, the application retries. The database specialist suspects a transaction consistency issue. The application is running on multiple EC2 instances behind an Application Load Balancer. What should the specialist recommend to ensure that both the metadata and document are stored consistently?

A.Use DynamoDB transactions to write metadata and initiate S3 upload within the same transaction.
B.Use DynamoDB Streams to trigger an AWS Lambda function that performs the S3 upload.
C.Reverse the order: upload to S3 first, then write to DynamoDB.
D.Implement an idempotency key in the application to retry the entire operation.
AnswerA

Transactions provide atomicity across multiple items.

Why this answer

Option B is correct because using DynamoDB transactions ensures atomicity; if the S3 upload fails, the transaction can be rolled back. Option A is wrong because DynamoDB Streams with Lambda introduces eventual consistency and possible duplicates. Option C is wrong because writing to S3 first still leaves inconsistency if DynamoDB fails.

Option D is wrong because idempotency tokens help with duplicates but not atomicity.

1610
Multi-Selecthard

A company is migrating a large Oracle database to Amazon Aurora PostgreSQL. They need to minimize downtime and validate data consistency after migration. Which THREE steps should they include in their migration plan? (Choose THREE.)

Select 3 answers
A.Create multiple Aurora Replicas for read scaling during migration.
B.Perform a homogeneous migration directly from Oracle to Aurora.
C.Use AWS Database Migration Service (DMS) with ongoing replication to keep the target in sync.
D.Use AWS DMS data validation to compare source and target data.
E.Use AWS Schema Conversion Tool (SCT) to convert the Oracle schema to PostgreSQL.
AnswersC, D, E

Ongoing replication reduces downtime.

Why this answer

Option A (AWS DMS with ongoing replication) minimizes downtime. Option B (Schema Conversion Tool) helps convert Oracle schema to PostgreSQL. Option D (data validation) ensures consistency.

Option C (homogeneous migration) is not needed; DMS works. Option E (Aurora Replicas) is for read scaling, not migration.

1611
Multi-Selectmedium

A company is designing a disaster recovery plan for an Amazon RDS for MySQL database. The database must have a Recovery Point Objective (RPO) of less than 5 minutes and a Recovery Time Objective (RTO) of less than 1 hour. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Use a single-AZ instance with automated backups to S3.
B.Deploy the database in a Multi-AZ configuration.
C.Create a cross-region read replica with automated backups enabled.
D.Take daily manual snapshots and copy them to another region.
E.Use AWS DMS for continuous replication to a standby instance.
AnswersB, C

Multi-AZ provides automatic failover to a standby in a different AZ, meeting RTO.

Why this answer

Option A is correct because Multi-AZ provides automatic failover within minutes, meeting the RTO. Option D is correct because a cross-region read replica with automatic backups allows replication with low RPO. Option B is wrong because manual snapshots have higher RPO.

Option C is wrong because a single-AZ instance with backups takes longer to restore. Option E is wrong because AWS DMS is for migration, not DR.

1612
Multi-Selectmedium

A company is migrating an on-premises MongoDB workload to Amazon DocumentDB. The workload includes aggregation pipelines with $lookup and $group operations. The team wants to ensure minimal performance impact. Which THREE steps should they take?

Select 3 answers
A.Disable journaling to reduce I/O overhead
B.Create appropriate indexes on fields used in $lookup and $group
C.Enable TLS for all connections
D.Use parallel scan operations where possible
E.Choose a larger instance size to accommodate the workload
AnswersB, D, E

Indexes improve aggregation performance significantly.

Why this answer

Option A (enable TLS) is security, not performance. Option B (create indexes) is critical for $lookup and $group. Option C (increase instance size) helps compute-intensive operations.

Option D (disable journaling) is not recommended for durability. Option E (use parallel scans) can speed up aggregations.

1613
MCQeasy

A developer is troubleshooting an application that uses Amazon DynamoDB. The application is experiencing throttled requests (ProvisionedThroughputExceededException). Which CloudWatch metric should be monitored to troubleshoot this issue?

A.ThrottledRequests
B.SuccessfulRequestLatency
C.UserErrors
D.ConsumedWriteCapacityUnits
AnswerD

Comparing consumed vs provisioned capacity identifies throttling.

Why this answer

Option C is correct because ConsumedWriteCapacityUnits shows actual usage; comparing with ProvisionedWriteCapacityUnits helps identify throttling. Option A is wrong because UserErrors is for client-side errors. Option B is wrong because ThrottledRequests is a metric but not a CloudWatch metric name; the actual metric is ConsumedWriteCapacityUnits.

Option D is wrong because SuccessfulRequestLatency is about latency, not throttling.

1614
Multi-Selecthard

Which THREE design patterns are appropriate for improving write performance in Amazon DynamoDB? (Choose 3.)

Select 3 answers
A.Partition data using a high-cardinality partition key
B.Use DynamoDB adaptive capacity to handle uneven access patterns
C.Use DynamoDB Accelerator (DAX) to cache write operations
D.Enable DynamoDB global tables to distribute writes across regions
E.Implement TTL to automatically delete old items
AnswersA, B, C

High cardinality reduces hot partitions and improves throughput.

Why this answer

Options A, C, and D are correct: Using DynamoDB Accelerator (DAX) caches writes, partitioning data helps distribute write load, and using adaptive capacity handles uneven access patterns. Option B is wrong because global tables are for multi-region replication, not write performance. Option E is wrong because TTL is for automatic deletion, not write performance.

1615
MCQmedium

A company is migrating a 2 TB Oracle database to Amazon Aurora PostgreSQL. They need to minimize downtime. Which AWS service should they use?

A.AWS Database Migration Service (DMS)
B.AWS Schema Conversion Tool (SCT)
C.AWS Data Pipeline
D.AWS Snowball
AnswerA

DMS supports heterogeneous migrations and ongoing replication to minimize downtime.

Why this answer

AWS Database Migration Service (DMS) supports heterogeneous migrations from Oracle to Aurora PostgreSQL and can perform ongoing replication to minimize downtime. Option A is correct. Option B (AWS Snowball) is for large data transfer but not for ongoing replication.

Option C (SCT) helps with schema conversion but not data migration. Option D (Data Pipeline) is not designed for database migrations.

1616
MCQmedium

A company is migrating a 500 GB MongoDB database to Amazon DocumentDB. The migration is done using AWS DMS with full load and ongoing replication. The full load completes successfully, but during CDC, the DMS task logs show 'Memory limit exceeded' errors and the task fails repeatedly. The DMS replication instance is a dms.r5.large. The source MongoDB has a write-heavy workload with many small updates. The DBA needs to fix the migration without restarting from scratch. Which action should the DBA take?

A.Increase the DMS replication instance size to a larger instance class with more memory.
B.Reduce the DMS task's 'BatchApplyEnabled' setting to apply transactions individually.
C.Stop and restart the DMS task to clear the cache.
D.Enable Multi-AZ on the DMS replication instance to distribute the load.
AnswerA

More memory allows DMS to buffer more changes and handle the workload.

Why this answer

Option C is correct. The 'Memory limit exceeded' error often occurs when DMS cannot keep up with the volume of changes, especially for write-heavy workloads. Increasing the replication instance size provides more memory for buffering.

Option A is wrong because stopping and restarting the task does not address the root cause. Option B is wrong because reducing the batch size may not help; the issue is memory capacity. Option D is wrong because enabling multi-AZ does not increase memory; it provides high availability.

1617
MCQmedium

A social media startup is designing a database for user activity feeds. Each user follows up to 5,000 other users. The feed must show the latest 100 posts from followed users with latency under 200ms. Reads are 10x writes. Which database design best meets these requirements?

A.Use Amazon RDS for PostgreSQL with read replicas and materialized views refreshed every minute
B.Use Amazon ElastiCache for Redis as a primary data store with sorted sets per user
C.Use a single DynamoDB table with a global secondary index on user_id and timestamp
D.Use Amazon DynamoDB with a fan-out on write pattern, storing each user's feed in a separate partition
AnswerD

Fan-out on write ensures feeds are pre-computed for fast reads, meeting latency and throughput requirements.

Why this answer

Option B is correct because DynamoDB with a fan-out on write pattern pre-joins posts into per-user feed tables, enabling fast reads with low latency. Option A (RDS with read replicas) would struggle with the high write volume and join complexity. Option C (ElastiCache as primary store) loses durability.

Option D (DynamoDB single table with GSI) would require expensive scans to filter followed users' posts.

1618
Multi-Selectmedium

A company is deploying a DynamoDB table for a global application that requires low-latency reads and writes in multiple AWS Regions. Which THREE features should be enabled? (Choose three.)

Select 3 answers
A.DynamoDB Accelerator (DAX).
B.On-demand capacity mode.
C.DynamoDB Streams.
D.Time to Live (TTL).
E.DynamoDB global tables.
AnswersA, B, E

Provides in-memory caching for low-latency reads.

Why this answer

Options A, C, and D are correct. DynamoDB global tables provide multi-region replication. DAX provides in-memory caching for low-latency reads.

On-demand capacity handles traffic spikes. Option B is wrong because TTL is for data expiration, not performance. Option E is wrong because Streams are for change data capture, not low-latency access.

1619
Multi-Selectmedium

Which TWO metrics should be monitored together to detect a memory leak in an Amazon RDS for Oracle DB instance? (Choose TWO.)

Select 2 answers
A.FreeableMemory
B.SwapUsage
C.ReadIOPS
D.DatabaseConnections
E.NetworkThroughput
AnswersA, B

Declining freeable memory may indicate a memory leak.

Why this answer

Options A and D are correct because FreeableMemory shows available memory, and SwapUsage indicates swapping, which occurs when memory is exhausted. Option B (NetworkThroughput) is not memory-related. Option C (ReadIOPS) is I/O-related.

Option E (DatabaseConnections) is connection-related.

1620
MCQmedium

A financial services company runs a critical application on Amazon RDS for MySQL that processes transactions. The database must maintain ACID compliance and support point-in-time recovery (PITR) with a recovery point objective (RPO) of 5 seconds and recovery time objective (RTO) of 1 minute. The current setup uses a single db.r5.large instance with automated backups enabled (retention period 7 days) and Multi-AZ deployment. During a recent failover test, the failover took 2 minutes, exceeding the RTO. What should the database specialist recommend to meet the RTO requirement?

A.Remove Multi-AZ and rely on automated backups for recovery.
B.Migrate to a Multi-AZ DB Cluster deployment for RDS for MySQL.
C.Configure a cross-Region read replica and promote it during a failure.
D.Increase the instance size to db.r5.xlarge to improve failover speed.
AnswerB

Multi-AZ DB Cluster provides faster failover (<1 minute).

Why this answer

Option C is correct. Amazon RDS Multi-AZ with a Single-AZ deployment failover can be slow; using a Multi-AZ DB Cluster provides faster failover (typically under 1 minute) because it uses synchronous replication to two standby instances. Option A (increase instance size) does not affect failover time.

Option B (use Read Replica for failover) adds complexity and is not automatic. Option D (disable Multi-AZ) would increase failover risk.

1621
MCQhard

A data analytics company runs Amazon Redshift clusters. A user reports that a complex query is taking much longer than expected. The DBA uses the STL_QUERY view to check the query execution. Which column in STL_QUERY should the DBA examine to identify if the query is waiting for resources?

A.aborted
B.query
C.starttime
D.service_class
AnswerD

Service class indicates the WLM queue; a high queue time suggests waiting for resources.

Why this answer

Option B is correct because the 'service_class' column indicates the workload management (WLM) queue, which can show if the query is queued. Option A is wrong because 'query' is just the query ID. Option C is wrong because 'starttime' shows when the query started.

Option D is wrong because 'aborted' indicates if the query was canceled, not waiting.

1622
MCQeasy

A database administrator notices that an Amazon RDS for MySQL DB instance is using more storage than expected. Which metric should be monitored to troubleshoot storage usage?

A.FreeStorageSpace
B.DatabaseConnections
C.ReadIOPS
D.NetworkThroughput
AnswerA

FreeStorageSpace shows remaining storage, helping identify usage trends.

Why this answer

Option B is correct because FreeStorageSpace indicates remaining capacity. Option A is wrong because DatabaseConnections is about connections. Option C is wrong because ReadIOPS measures I/O operations.

Option D is wrong because NetworkThroughput measures network traffic.

1623
MCQhard

A developer is configuring IAM permissions for a Lambda function that accesses a DynamoDB table named 'Orders'. The policy shown is attached to the Lambda execution role. The function needs to delete items but only if the item contains only 'order_id' and 'status' attributes. Which statement about this policy is correct?

A.The function can delete any item in the Orders table because the condition is on the resource
B.The function cannot delete any items because the DeleteItem action is not allowed
C.The function cannot call Query on the table because it is not listed in the actions
D.The function can only delete items that contain exactly the attributes 'order_id' and 'status'
AnswerD

The condition ensures only items with those attributes can be deleted.

Why this answer

Option D is correct because the condition restricts DeleteItem to items that have only those attributes. Option A is wrong because the condition is on the delete action, not on the resource. Option B is wrong because the policy does allow DeleteItem with the condition.

Option C is wrong because the function has GetItem and Query permissions.

1624
MCQeasy

A company is designing a document storage system using Amazon DynamoDB. Each document is up to 400 KB and is identified by a unique 'document_id'. The access pattern is to retrieve a document by its ID. Which DynamoDB table design is MOST efficient?

A.Use 'document_id' as the partition key and create a GSI on 'document_id'.
B.Use 'document_id' as the primary partition key (only).
C.Store documents in Amazon S3 and use DynamoDB to store metadata with a reference to S3.
D.Use a composite key: partition key 'document_id' and sort key 'version'.
AnswerB

Direct GetItem by partition key is most efficient.

Why this answer

Option B is correct because DynamoDB can store items up to 400 KB in a single table, and using 'document_id' as the sole partition key directly supports the access pattern of retrieving a document by its ID with a single GetItem call, which is the most efficient operation. No secondary index or composite key is needed, as the primary key alone provides O(1) lookup performance for this use case.

Exam trap

The trap here is that candidates often overcomplicate the design by adding GSIs or composite keys, or default to S3 for large objects, when the item size is within DynamoDB's limit and the access pattern is simple key-value lookup.

How to eliminate wrong answers

Option A is wrong because creating a GSI on 'document_id' is redundant and adds unnecessary cost and complexity; the base table already supports direct access by partition key. Option C is wrong because storing documents in S3 with DynamoDB metadata is a valid pattern for items larger than 400 KB, but the question states each document is up to 400 KB, which fits within DynamoDB's item size limit, making the S3 approach less efficient due to additional latency and management overhead. Option D is wrong because using a composite key with a sort key 'version' is unnecessary when the access pattern only requires retrieval by document ID; it adds complexity without benefit and may lead to unintended multiple items per document_id.

1625
MCQmedium

A company has an Aurora MySQL cluster with three instances. The current writer instance is 'mycluster-instance-1'. The company wants to failover to 'mycluster-instance-2' for maintenance. What is the most direct way to achieve this?

A.Change the cluster's endpoint to point to instance-2.
B.Modify 'mycluster-instance-2' to promote it to writer.
C.Reboot 'mycluster-instance-1' to trigger a failover.
D.Use the AWS CLI: aws rds failover-db-cluster --db-cluster-identifier mycluster --target-db-instance-identifier mycluster-instance-2
AnswerD

This command initiates failover to the specified instance.

Why this answer

Option B is correct because you can failover to a specific reader instance by using the --target-db-instance-identifier parameter in the failover-db-cluster command. Option A is wrong because rebooting the writer will cause a failover but may choose any reader, not necessarily instance-2. Option C is wrong because you cannot directly promote a reader to writer; failover must be initiated.

Option D is wrong because modifying the cluster does not trigger failover.

1626
MCQeasy

An IAM policy is attached to a user who needs to restore an Amazon RDS DB instance from a DB snapshot. The user attempts to restore and receives an 'Access Denied' error. Which missing permission is MOST likely causing the failure?

A.rds:DescribeDBSnapshots
B.rds:DescribeDBInstances
C.rds:CreateDBInstance
D.rds:CreateDBSubnetGroup
AnswerC

Restoring from snapshot creates a new DB instance, requiring CreateDBInstance.

Why this answer

To restore an Amazon RDS DB instance from a DB snapshot, the user must have the `rds:CreateDBInstance` permission. This is because the restore operation internally calls the CreateDBInstance API to create a new DB instance from the specified snapshot. Without this permission, the request fails with an 'Access Denied' error, even if the user has permissions to describe snapshots or instances.

Exam trap

The trap here is that candidates often assume describing snapshots is sufficient for restoration, but AWS requires the write-level `CreateDBInstance` permission because restoring creates a new DB instance, not just reads existing data.

How to eliminate wrong answers

Option A is wrong because `rds:DescribeDBSnapshots` only allows listing or viewing snapshot metadata, not performing the restore action. Option B is wrong because `rds:DescribeDBInstances` only allows viewing existing DB instance details, which is unrelated to creating a new instance from a snapshot. Option D is wrong because `rds:CreateDBSubnetGroup` is needed only if a custom subnet group must be created; the restore can use an existing subnet group, and the missing permission is the core CreateDBInstance action.

1627
MCQeasy

Refer to the exhibit. A developer wants to connect to the database. Which database engine is most likely being used?

A.Oracle
B.SQL Server
C.MySQL
D.PostgreSQL
AnswerC

Port 3306 is default for MySQL.

Why this answer

The output shows port 3306, which is the default port for MySQL and MariaDB. Amazon RDS for MySQL uses port 3306. Aurora MySQL also uses 3306, but the endpoint pattern is RDS, not Aurora-specific.

PostgreSQL uses 5432, Oracle uses 1521, SQL Server uses 1433.

1628
Multi-Selecthard

A database specialist is troubleshooting a slow-running query on an Amazon Aurora MySQL DB cluster. The query performs a large table scan. Which THREE actions would likely improve query performance?

Select 3 answers
A.Increase the size of the DB instance to provide more memory and CPU.
B.Change the transaction isolation level to SERIALIZABLE.
C.Enable the query cache feature to cache the results of the query.
D.Enable Aurora Parallel Query to parallelize the table scan.
E.Create an index on columns used in WHERE and JOIN clauses.
AnswersA, C, E

More resources can speed up query execution.

Why this answer

Creating appropriate indexes can speed up queries by avoiding table scans. Increasing the instance size provides more memory and CPU for query execution. Enabling query caching can store results of repeated queries.

Changing isolation level and enabling parallel query may not help in all cases and may have side effects.

1629
MCQhard

A company is migrating a self-managed Oracle database to Amazon Aurora PostgreSQL using AWS DMS. The source database has a large number of tables with foreign key constraints. During the full load phase, some tables fail to load due to foreign key violations. What is the most efficient way to resolve this?

A.Increase the DMS task memory and parallel load threads
B.Use the table preparation mode 'Do nothing' and load tables in dependency order
C.Disable foreign key constraints on the target before migration and re-enable after
D.Pre-create all target tables with the same constraints and use 'Truncate' mode
AnswerC

This allows flexible loading order and avoids violations.

Why this answer

Option C is correct because disabling foreign key constraints on the target Aurora PostgreSQL database before the migration allows DMS to load tables in any order without violating referential integrity. After the full load completes, re-enabling the constraints ensures data consistency. This approach is the most efficient as it avoids complex dependency ordering and reduces migration failures.

Exam trap

The trap here is that candidates may think increasing resources (Option A) or pre-creating tables (Option D) will solve the issue, but they overlook that foreign key violations are a logical dependency problem, not a performance or schema creation issue.

How to eliminate wrong answers

Option A is wrong because increasing DMS task memory and parallel load threads addresses performance bottlenecks, not foreign key constraint violations; the root cause is referential integrity, not resource contention. Option B is wrong because using 'Do nothing' table preparation mode and loading in dependency order is impractical for a large number of tables with foreign keys, as it requires manual analysis and ordering, and DMS does not automatically resolve dependencies; this approach is error-prone and time-consuming. Option D is wrong because pre-creating target tables with the same constraints and using 'Truncate' mode would still cause foreign key violations during the full load, as DMS does not guarantee insertion order; truncate mode only clears data before reloading, not resolving the dependency issue.

1630
MCQhard

A financial services company uses Amazon RDS for MySQL to store sensitive customer data. The compliance team requires that all database administrators (DBAs) must authenticate using IAM database authentication, and no static database passwords should be used. A junior DBA has been granted the rds_iam role in the database. However, the junior DBA is unable to connect using the AWS CLI command: aws rds generate-db-auth-token --hostname mydb.xyz.us-east-1.rds.amazonaws.com --port 3306 --username jdba. The error message says 'Access denied'. What is the most likely cause?

A.The RDS instance does not have a resource-based policy that grants the junior DBA access.
B.The junior DBA is not using an SSL connection to the database.
C.The security group does not allow inbound traffic on port 3306 from the junior DBA's IP address.
D.The RDS instance does not have IAM database authentication enabled.
AnswerD

Without IAM DB auth enabled on the instance, the authentication token is not accepted.

Why this answer

Option C is correct because IAM database authentication requires the RDS instance to have the IAM DB authentication enabled; if it is not enabled, the authentication token will be rejected. Option A is wrong because the error 'Access denied' suggests authentication failure, not a network issue. Option B is wrong because SSL/TLS is required for IAM auth, but the error would be different if SSL was not used.

Option D is wrong because the RDS resource-based policy cannot grant the IAM user permission to generate the token; that requires an IAM policy attached to the user or role.

1631
Multi-Selectmedium

A company has an Amazon DynamoDB table that stores user sessions. The security team wants to ensure that only authorized applications can read and write to the table, and that all access is logged. Which THREE steps should the company take to meet these requirements?

Select 3 answers
A.Enable AWS CloudTrail to log DynamoDB API calls.
B.Create an IAM role with a policy that allows only the required DynamoDB actions.
C.Use an interface VPC endpoint for DynamoDB with a VPC endpoint policy.
D.Encrypt the table using a customer-managed KMS key.
E.Enable DynamoDB Streams and process events with Lambda.
AnswersA, B, C

Logs all data plane and control plane operations.

Why this answer

Options B, C, and D are correct. IAM roles with least privilege restrict access. AWS CloudTrail logs API calls.

VPC endpoints ensure traffic stays within AWS network and can be controlled via endpoint policies. Option A is for auditing, but CloudTrail is more comprehensive. Option E is for encryption, not access control.

1632
MCQmedium

A company uses Amazon DynamoDB with a table that has a partition key of 'user_id' (string) and sort key of 'timestamp' (number). The application queries for recent items for a specific user using the query API with KeyConditionExpression. The query returns items in descending order. Occasionally, the query returns items that are not the most recent. What is the most likely cause?

A.The query is using eventually consistent reads, which may not reflect the latest writes.
B.The query is not using the ScanIndexForward parameter set to false.
C.The query results are paginated and the application is not iterating through all pages.
D.The query is using a global secondary index (GSI) that has a different sort key.
AnswerA

Eventually consistent reads may return stale data.

Why this answer

DynamoDB stores items with the same partition key in sorted order by sort key. Queries return items in order by default. Option C is correct because if the application uses eventually consistent reads, the data might be stale.

Option A is wrong because GSIs don't affect base table queries. Option B is wrong because the query returns items in order, but eventually consistent reads may not reflect latest writes. Option D is wrong because pagination is not the cause.

1633
Multi-Selectmedium

Which TWO actions can help protect an RDS database from SQL injection attacks? (Choose 2.)

Select 2 answers
A.Enable Multi-AZ for the RDS instance.
B.Enable encryption at rest using KMS.
C.Use parameterized SQL statements in the application.
D.Restrict network access using security groups.
E.Implement input validation and sanitization.
AnswersC, E

Parameterized queries separate SQL logic from data.

Why this answer

Option C is correct because parameterized SQL statements (also known as prepared statements) ensure that user input is treated strictly as data, not executable code. By separating SQL logic from data, the database engine compiles the query template once and safely binds parameters, preventing an attacker from injecting malicious SQL fragments. This is the most effective defense against SQL injection at the application layer.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) or encryption features with application-layer input validation, mistakenly believing that restricting access or encrypting data can prevent SQL injection, when in fact only proper query construction and input handling can stop the attack.

1634
MCQeasy

A startup is using Amazon ElastiCache for Redis to cache session data. They deployed a single Redis node (cache.t3.micro) in us-west-2. The application reports high latency when reading session data. CloudWatch metrics show CPUUtilization at 90% and Evictions at 100 per minute. The cache hit ratio is 80%. The database specialist suspects the node is overloaded. What should the specialist do to improve performance?

A.Scale up to a larger node type, such as cache.m5.large.
B.Add a read replica to offload read traffic.
C.Enable cluster mode and add more shards.
D.Decrease the TTL for session keys to reduce memory usage.
AnswerA

More resources reduce CPU and evictions.

Why this answer

Option D is correct because increasing the node size provides more CPU and memory, reducing evictions and latency. Option A is wrong because a read replica helps with read scaling but the node is a primary. Option B is wrong because Redis Cluster mode requires multiple shards and may add complexity.

Option C is wrong because reducing TTL might increase cache misses.

1635
Multi-Selecthard

A company is designing a disaster recovery strategy for an Amazon RDS for SQL Server DB instance that contains sensitive financial data. The database must be encrypted at rest using a customer-managed AWS KMS key. The recovery point objective (RPO) is 5 minutes, and the recovery time objective (RTO) is 1 hour. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A.Take a manual DB snapshot every hour.
B.Enable Multi-AZ deployment for automatic failover.
C.Store the KMS key in the secondary Region by creating a cross-Region KMS key replica.
D.Configure automated backups with a 5-minute backup interval.
E.Create a cross-Region read replica in a different AWS Region.
AnswersB, D, E

Multi-AZ provides automatic failover within a Region, helping meet RTO.

Why this answer

To meet the RPO of 5 minutes, enable Multi-AZ with automatic failover (Option A) and automated backups with a 5-minute backup window (Option B). For RTO of 1 hour, manual DB snapshot restore is faster than point-in-time restore; automated backups allow point-in-time recovery but may take longer. Option C is wrong because manual snapshots are not automated; you need automated backups.

Option D is correct because you need to ensure the KMS key is available in the secondary Region for cross-Region DR. Option E is correct because a read replica can be promoted faster than restoring from a snapshot.

1636
MCQeasy

A company is running a MongoDB database on Amazon EC2. The database is experiencing high disk I/O latency. Which AWS service can be used to monitor the disk I/O metrics at the instance level?

A.Amazon RDS
B.Amazon CloudWatch
C.Amazon DynamoDB
D.Amazon S3
AnswerB

CloudWatch provides metrics like DiskReadBytes, DiskWriteBytes.

Why this answer

Option C is correct because CloudWatch provides disk I/O metrics for EC2 instances. Option A is wrong because RDS is for managed databases. Option B is wrong because DynamoDB is NoSQL.

Option D is wrong because S3 is object storage.

1637
MCQmedium

A database administrator runs the above CLI command. The DB instance has pending modifications. Which modification will take effect immediately without requiring a reboot?

A.BackupRetentionPeriod
B.DBInstanceClass
C.MasterUserPassword
D.AllocatedStorage
AnswerA

Backup retention change is applied immediately.

Why this answer

Option C is correct because changing the backup retention period takes effect immediately without reboot. Option A is incorrect because it requires a reboot. Option B is incorrect because it requires a reboot.

Option D is incorrect because it requires a reboot.

1638
MCQmedium

A company runs an e-commerce application on Amazon RDS for MySQL. The application experiences read-heavy traffic during flash sales. The development team wants to offload read traffic without changing the application code. Which solution should be used?

A.Implement an Amazon ElastiCache cluster and update the application to cache queries.
B.Configure Multi-AZ deployment for the RDS instance.
C.Create an RDS Read Replica and point read traffic to the replica endpoint.
D.Use DynamoDB Accelerator (DAX) in front of the RDS instance.
AnswerC

Read Replicas offload read traffic without application changes.

Why this answer

Option C is correct because Amazon RDS Read Replicas allow offloading read traffic from the primary DB instance without application changes. Option A is wrong because DynamoDB Accelerator (DAX) is for DynamoDB, not RDS. Option B is wrong because Multi-AZ is for high availability, not read scaling.

Option D is wrong because ElastiCache requires application changes to use caching logic.

1639
MCQhard

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a high transaction rate. The migration must have minimal downtime. Which migration strategy should a database specialist recommend?

A.Use AWS DMS with ongoing replication to capture changes.
B.Copy the data files to Amazon S3 and then load into RDS.
C.Use Oracle Data Pump to export and import the database.
D.Perform an RMAN backup and restore to RDS.
AnswerA

DMS with CDC allows near-zero downtime migration.

Why this answer

Option B is correct because AWS DMS with ongoing replication can minimize downtime by capturing changes. Option A is incorrect because native export/import requires downtime. Option C is incorrect because RMAN backup and restore requires downtime for restore.

Option D is incorrect because copying dump files also requires downtime.

1640
MCQmedium

A database administrator notices that an Amazon Aurora MySQL DB cluster's primary instance is experiencing high CPU utilization due to a long-running analytical query. The application can tolerate eventual consistency. What is the MOST cost-effective solution to reduce CPU load on the primary instance?

A.Configure an Auto Scaling policy for Aurora Replicas and modify the application to use the reader endpoint.
B.Create a read replica in a different region and route read traffic there.
C.Increase the instance size of the primary instance.
D.Enable Aurora Parallel Query on the cluster.
AnswerA

Aurora Replicas share the same storage and can offload SELECT queries.

Why this answer

Offloading read queries to Aurora Replicas is cost-effective and reduces primary load without additional infrastructure.

1641
MCQeasy

A team is migrating an on-premises database to Amazon RDS using AWS DMS. After the full load completed, the task stopped. The team needs to perform ongoing replication to minimize downtime. What change should the team make to the DMS task?

A.Modify the replication task to change the migration type to 'full-load-and-cdc'.
B.Restart the replication task with the same settings.
C.Create a new replication instance and start a new full-load task.
D.Use AWS Schema Conversion Tool to convert the schema again.
AnswerA

Changing to 'full-load-and-cdc' enables both full load and ongoing change data capture replication.

Why this answer

After a full load completes and the task stops, the team needs to enable ongoing replication to capture and apply changes made to the source database during the migration window. Modifying the DMS task to use the 'full-load-and-cdc' migration type allows the task to perform the initial full load and then seamlessly transition to Change Data Capture (CDC) to replicate incremental changes, minimizing downtime. This is the correct approach because DMS supports switching a completed full-load task to include CDC without re-running the full load.

Exam trap

The trap here is that candidates may think restarting the task or creating a new instance will automatically enable CDC, but DMS requires explicitly modifying the migration type to include CDC after the full load completes.

How to eliminate wrong answers

Option B is wrong because restarting the replication task with the same settings will simply re-run the full load from scratch, not enable ongoing replication. Option C is wrong because creating a new replication instance and starting a new full-load task would duplicate effort and waste resources, and it still does not enable CDC for ongoing replication. Option D is wrong because the AWS Schema Conversion Tool (SCT) is used for schema conversion, not for enabling CDC or managing replication tasks; it is irrelevant to the need for ongoing replication.

1642
MCQeasy

A startup is building a mobile app that requires a scalable NoSQL database. The data model includes user profiles with variable attributes that change over time. The database must support high read throughput and low latency. Which AWS database is best suited?

A.Amazon Neptune
B.Amazon RDS for MySQL
C.Amazon DynamoDB
D.Amazon Redshift
AnswerC

NoSQL, flexible schema, high performance at scale.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers single-digit millisecond latency at any scale. It supports flexible schema with variable attributes, making it ideal for user profiles that change over time, and its provisioned or on-demand capacity modes enable high read throughput with consistent low latency.

Exam trap

The trap here is that candidates may confuse Amazon Neptune's graph capabilities with NoSQL flexibility, or assume a relational database like MySQL can handle variable attributes via JSON columns, overlooking DynamoDB's native schema-less design and guaranteed single-digit millisecond performance at scale.

How to eliminate wrong answers

Option A is wrong because Amazon Neptune is a graph database designed for highly connected data (e.g., social networks, fraud detection), not for general-purpose NoSQL workloads with variable attributes. Option B is wrong because Amazon RDS for MySQL is a relational database with a fixed schema, requiring predefined columns and table alterations for attribute changes, which contradicts the variable-attribute requirement. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries (OLAP), not for high-throughput, low-latency transactional reads (OLTP) on user profiles.

1643
Multi-Selecthard

A company is running an Amazon RDS for MySQL Multi-AZ DB instance. The company wants to implement a backup strategy that meets a recovery point objective (RPO) of 5 minutes and a recovery time objective (RTO) of 1 hour. Which THREE steps should the company take to meet these objectives?

Select 3 answers
A.Configure AWS Backup to copy automated backups to another region.
B.Enable automated backups with a retention period of 35 days.
C.Change the DB instance to a Single-AZ configuration to reduce costs.
D.Create a cross-region read replica to use for failover in another region.
E.Take daily manual snapshots and copy them to another region.
AnswersA, B, D

AWS Backup can copy backups cross-region for disaster recovery.

Why this answer

Automated backups with a retention period of 35 days provide point-in-time recovery. Cross-region snapshots via AWS Backup provide additional protection. A read replica can be promoted quickly for failover.

Option A (daily manual snapshots) may not meet the 5-minute RPO. Option D (single-AZ) is not as resilient. The correct options are B, C, and E.

1644
Multi-Selecthard

A company is migrating a 5 TB Microsoft SQL Server database to Amazon Aurora MySQL. The migration must be completed with minimal downtime. Which THREE steps should the company take? (Select THREE.)

Select 3 answers
A.Update the application connection string to point to the Aurora reader endpoint.
B.Use AWS DMS to perform a full load and ongoing replication from SQL Server to Aurora.
C.Create a read replica of the Aurora database in the same region.
D.Use AWS SCT to convert the SQL Server schema to MySQL-compatible schema.
E.Update the application connection string to point to the Aurora writer endpoint after cutover.
AnswersB, D, E

DMS handles data migration with minimal downtime.

Why this answer

Options A, B, and D are correct. AWS SCT converts the schema and code from SQL Server to MySQL (A). AWS DMS performs the full data load and ongoing replication (B).

After migration, the application connection string is updated to point to the Aurora writer endpoint (D). Option C is wrong because creating a read replica from Aurora to on-premises is not supported. Option E is wrong because the reader endpoint is for read traffic, not for the primary application connection.

1645
MCQmedium

A developer needs to connect to the RDS instance from an EC2 instance in the same VPC. The EC2 instance's security group allows outbound traffic to 0.0.0.0/0. The RDS security group inbound rules currently allow traffic from 0.0.0.0/0 on port 3306. After a security review, the company decides to restrict inbound traffic to the VPC only. Which inbound rule should be added to the RDS security group?

A.An inbound rule allowing traffic from the RDS endpoint address on port 3306.
B.An inbound rule allowing traffic from the EC2 instance's security group ID on port 3306.
C.An inbound rule allowing traffic from 10.0.0.0/8 on port 3306.
D.An inbound rule allowing traffic from the VPC CIDR (e.g., 10.0.0.0/16) on port 3306.
AnswerB

This restricts access to only the EC2 instances in that security group.

Why this answer

Option D is correct because the EC2 instance is in the same VPC, and using the security group ID is the most secure and specific. Option A is too broad. Option B is unnecessary since the RDS endpoint is not an IP.

Option C would allow all traffic in the VPC, but using the security group is better.

1646
MCQhard

A financial services company is migrating an on-premises Oracle database to AWS. The database supports an OLTP application with complex joins, stored procedures, and requires high availability within a single Region. The company wants to minimize licensing costs and use a fully managed service. Which AWS database service should they choose?

A.Amazon DynamoDB
B.Amazon RDS for Oracle
C.AWS Database Migration Service (DMS)
D.Amazon Aurora PostgreSQL-Compatible Edition
AnswerD

Aurora PostgreSQL is fully managed, supports complex joins and stored procedures, and provides high availability with Multi-AZ.

Why this answer

Amazon Aurora PostgreSQL-Compatible Edition is the correct choice because it is a fully managed, high-availability database service that supports complex joins, stored procedures, and OLTP workloads while minimizing licensing costs. Aurora provides built-in replication across three Availability Zones, automatic failover, and up to 15 read replicas, meeting the high availability requirement without the licensing overhead of commercial databases like Oracle.

Exam trap

The trap here is that candidates may choose Amazon RDS for Oracle (Option B) because it supports Oracle features directly, overlooking the explicit requirement to minimize licensing costs and the fact that Aurora PostgreSQL can handle complex joins and stored procedures without Oracle licensing fees.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database that does not support complex joins, stored procedures, or the relational schema required by the existing Oracle OLTP application. Option B is wrong because Amazon RDS for Oracle would require purchasing Oracle licenses (Bring Your Own License or included license), which contradicts the goal of minimizing licensing costs, and it is not the most cost-effective fully managed option for high availability. Option C is wrong because AWS Database Migration Service (DMS) is a migration tool, not a database service; it helps move data to AWS but does not provide the operational database or high availability itself.

1647
Multi-Selectmedium

Which TWO actions can help reduce Amazon RDS for MySQL replication lag between a primary instance and a read replica? (Choose two.)

Select 2 answers
A.Increase the allocated storage for the read replica.
B.Reduce the number of write-heavy DML statements on the primary.
C.Enable Multi-AZ on the primary instance.
D.Increase the instance size of the read replica.
E.Disable binary logging on the primary instance.
AnswersB, D

Fewer changes to replicate means less lag.

Why this answer

Options A and D are correct. Increasing the replica instance size gives it more resources to apply changes. Reducing write-heavy DML on the primary reduces the volume of changes to replicate.

Option B is incorrect because enabling Multi-AZ on the primary does not reduce lag. Option C is incorrect because binary logging is required for replication. Option E is incorrect because increasing the replica's allocated storage does not directly reduce lag.

1648
Multi-Selecthard

Which TWO steps are required when migrating an on-premises Microsoft SQL Server database to Amazon RDS for SQL Server using AWS DMS with ongoing replication?

Select 2 answers
A.Create a VPC peering connection between the on-premises network and the DMS VPC.
B.Install the DMS agent on the source SQL Server instance.
C.Enable MS-CDC (change data capture) on the source database.
D.Configure MS-Replication on the source database.
E.Ensure the source database is using the full recovery model.
AnswersC, E

DMS uses CDC to capture ongoing changes from SQL Server.

Why this answer

Option B is correct because DMS requires full recovery model to capture all transactions. Option E is correct because DMS uses MS-CDC (change data capture) to capture ongoing changes. Option A is wrong because DMS does not require MS-Replication; it uses its own CDC mechanism.

Option C is wrong because DMS uses a replication instance, not an EC2 instance agent. Option D is wrong because cross-VPC peering is not required; DMS can connect via VPN/Direct Connect.

1649
MCQmedium

A company runs a critical application on Amazon RDS for PostgreSQL with a Multi-AZ deployment. The application experiences intermittent connection timeouts and slow query performance. The CloudWatch metrics show that the 'ReadLatency' and 'WriteLatency' metrics are elevated during peak hours. The 'CPUUtilization' is consistently below 30%, and 'DatabaseConnections' is within limits. The 'BurstBalance' for the gp2 storage is frequently dropping to 0%. The DB instance is a db.r5.large with 300 GB of gp2 storage. The company wants to resolve the latency issues without significant cost increase. Which solution should the company implement?

A.Add a read replica to offload read traffic.
B.Enable Performance Insights to identify the root cause.
C.Switch the storage type to io1 with 3000 provisioned IOPS.
D.Increase the allocated storage to 600 GB to increase baseline IOPS.
AnswerD

Larger gp2 volumes have higher baseline IOPS, reducing burst credit depletion.

Why this answer

Option C: Increasing storage to 600 GB increases baseline IOPS from 900 to 1800, reducing reliance on burst credits. This is cost-effective compared to switching to io1. Option A: Increasing to io1 with 3000 IOPS would be more expensive.

Option B: Adding a read replica does not help with write latency. Option D: Enabling Performance Insights only helps diagnose, not resolve.

1650
MCQhard

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to ensure that database credentials are not stored in application configuration files. They decide to use AWS Secrets Manager to manage credentials. The application is hosted on Amazon EC2 instances that have an IAM role attached. What is the most secure way to grant the application access to the secret?

A.Grant the IAM role attached to the EC2 instance permissions to read the secret, and use the Secrets Manager API to retrieve it at runtime.
B.Store the secret in the application code and rotate it periodically.
C.Attach a resource-based policy to the EC2 instance allowing access to the secret.
D.Store the secret in an encrypted S3 bucket and have the application download it at startup.
AnswerA

This is the most secure approach because the secret is never stored on the instance; it is retrieved on demand via API.

Why this answer

Option D is correct because the most secure approach is to grant the EC2 IAM role permission to read the secret using an IAM policy attached to the role, and then have the application call the Secrets Manager API to retrieve the secret at runtime. This avoids storing secrets in code or configuration files. Option A is wrong because hardcoding credentials defeats the purpose.

Option B is wrong because storing the secret in a configuration file is not secure. Option C is wrong because you should not attach a resource-based policy to the EC2 instance; IAM roles are the correct mechanism.

Page 21

Page 22 of 24

Page 23