AWS Certified Database Specialty DBS-C01 (DBS-C01) — Questions 151225

1730 questions total · 24pages · All types, answers revealed

Page 2

Page 3 of 24

Page 4
151
Multi-Selecthard

A company is migrating a legacy Oracle data warehouse to Amazon Redshift. The source uses complex stored procedures with cursors, temporary tables, and PL/SQL. Which THREE design considerations should the company evaluate?

Select 3 answers
A.Redshift does not support procedural languages like PL/SQL; stored procedures must be rewritten in SQL or Python.
B.Redshift supports temporary tables, but they are session-scoped and not automatically dropped in all cases.
C.Redshift Concurrency Scaling can handle thousands of concurrent queries.
D.Redshift does not support cursors; result sets must be handled differently.
E.Redshift automatically scales compute capacity based on workload.
AnswersA, B, D

Redshift supports PL/pgSQL and Python, but not Oracle's PL/SQL.

Why this answer

Amazon Redshift does not support Oracle's PL/SQL procedural language. Stored procedures must be rewritten using Redshift's SQL-based procedural language (PL/pgSQL) or Python (via UDFs). This is a critical migration consideration because complex logic involving loops, conditionals, and error handling must be translated to supported constructs.

Exam trap

The trap here is that candidates assume Redshift supports all Oracle database features (like PL/SQL, cursors, and auto-scaling) because both are relational databases, but Redshift is a columnar, MPP data warehouse with significant differences in procedural logic and resource management.

152
MCQhard

A company runs a critical PostgreSQL database on Amazon RDS and needs to implement point-in-time recovery (PITR) with a recovery window of the last 35 days. Currently, automated backups are set to retain for 35 days. The database size is 500 GB. What additional configuration is required?

A.No additional configuration is required; automated backups enable PITR
B.Enable manual snapshots every hour
C.Set up a replication slot and stream transaction logs to S3
D.Enable Multi-AZ deployment
AnswerA

RDS automatically supports PITR with automated backups.

Why this answer

Automated backups in RDS by default support PITR within the retention period. No additional configuration is needed. Option A (manual snapshots) is not required.

Option B (Multi-AZ) doesn't affect PITR. Option D (log shipping) is not a separate feature.

153
MCQhard

A company has an Amazon DynamoDB table with on-demand capacity. Users report that write requests are occasionally throttled during peak hours. The application uses the AWS SDK and retries with exponential backoff. Which monitoring approach should be used to identify the cause of throttling?

A.Use AWS CloudTrail to monitor PutItem API calls for throttling errors.
B.Analyze VPC Flow Logs to check for network congestion.
C.Monitor CloudWatch metrics for ThrottledRequests and ConsumedWriteCapacityUnits.
D.Enable DynamoDB Streams and process records to monitor throttled requests.
AnswerC

CloudWatch metrics directly show throttling and capacity consumption.

Why this answer

Option C is correct because CloudWatch metrics such as WriteThrottleEvents, ConsumedWriteCapacityUnits, and ProvisionedWriteCapacityUnits (for on-demand, the provisioned is the maximum) help identify throttling causes. Option A is wrong because DynamoDB Streams track changes, not throttling. Option B is wrong because CloudTrail logs API calls but not throttling events at the item level.

Option D is wrong because VPC Flow Logs capture network traffic, not database throttling.

154
MCQmedium

A company is migrating a 500 GB PostgreSQL database from on-premises to Amazon Aurora PostgreSQL. The migration must be completed within 6 hours with minimal downtime. The on-premises network bandwidth is 500 Mbps. The team decides to use AWS DMS. During initial full load, DMS reports a 'Target metadata error: cannot write to Aurora' for a specific table. Investigation shows that the table has a trigger that tries to insert into an external web service. What should the team do to resolve this issue?

A.Disable the trigger on the target Aurora database during migration.
B.Increase the DMS replication instance size.
C.Upgrade the DMS replication instance engine version.
D.Disable the trigger on the source database.
AnswerA

Prevents the trigger from interfering with DMS writes.

Why this answer

Option C is correct: disabling triggers on the target prevents external calls during migration. Option A is wrong because the issue is not about DMS version. Option B is wrong because disabling the trigger on the source does not help.

Option D is wrong because increasing instance size does not fix the trigger issue.

155
MCQmedium

A security engineer runs the AWS CLI command shown in the exhibit. The engineer wants to ensure that all RDS DB instances in the account are encrypted at rest. What should the engineer do to remediate the unencrypted read replica?

A.Modify the read replica by setting the StorageEncrypted parameter to true.
B.Delete the unencrypted read replica and create a new read replica from the encrypted source, enabling encryption on the new replica.
C.Enable encryption on the source DB instance and the read replica will automatically become encrypted.
D.Create a snapshot of the read replica, encrypt the snapshot, and restore it as a new instance.
AnswerB

This ensures the new read replica is encrypted, and the source is already encrypted.

Why this answer

Option D is correct because the read replica is unencrypted, and to encrypt it, you must create a new encrypted read replica from the encrypted source. Option A is wrong because modifying the replica directly does not support enabling encryption. Option B is wrong because you cannot encrypt an existing read replica in place.

Option C is wrong because the source is encrypted, so the new replica can be encrypted.

156
MCQhard

A media company stores video metadata in Amazon Aurora MySQL. The application performs frequent range queries on a 'creation_date' column. The table has 10 million rows. The team notices that queries filtering on 'creation_date' are slow despite an index on that column. The query pattern is: SELECT * FROM videos WHERE creation_date BETWEEN '2023-01-01' AND '2023-01-31' ORDER BY creation_date LIMIT 100. The execution plan shows a full index scan. What is the MOST likely cause?

A.The index should be a composite index on (creation_date, id)
B.The table is not partitioned by creation_date
C.The index on creation_date is not being used
D.The query selects all columns, causing excessive table access
AnswerD

SELECT * forces the database to fetch full rows; a covering index could avoid that.

Why this answer

A full index scan occurs when the query selects a large portion of the table; however, the issue may be that the index is not selective enough, leading to many rows being read. But the key problem is that the index on 'creation_date' is a B-tree, and the query uses LIMIT with ORDER BY, so the optimizer may decide to scan the entire index to find matching rows because the range is wide. However, the correct answer is that the query is selecting all columns (SELECT *), causing the database to fetch rows from the table after the index lookup, which is expensive.

Option A is wrong because the index is being used (full index scan). Option B is wrong because partitioning would help if designed correctly, but the issue is more fundamental. Option D is wrong because a composite index with columns in wrong order may not help.

157
Multi-Selecthard

Which THREE metrics should be monitored to troubleshoot a slow Amazon Redshift query? (Choose three.)

Select 3 answers
A.DatabaseConnections
B.DiskSpaceUsage
C.WLMQueueWaitTime
D.QueryDuration
E.NetworkThroughput
AnswersB, C, D

High disk usage can cause spills to disk, slowing queries.

Why this answer

Options B, C, and D are correct. WLMQueueWaitTime measures time queries wait in queue, QueryDuration measures execution time, and DiskSpaceUsage indicates if disk spills are causing slowness. Option A (NetworkThroughput) is about network, not query performance.

Option E (DatabaseConnections) is about connection count, not query speed.

158
MCQeasy

A developer is troubleshooting an application that is unable to write to a DynamoDB table. The above IAM policy is attached to the IAM role used by the application. What is the likely cause?

A.The Deny statement overrides the Allow statement, blocking all DynamoDB actions.
B.The table name in the Resource ARN is incorrect.
C.The IAM user does not exist.
D.The role is not correctly assumed by the application.
AnswerA

Correct. An explicit Deny overrides any Allow, so PutItem is blocked.

Why this answer

Option B is correct because the Deny statement for all DynamoDB actions overrides the Allow for PutItem. Deny statements always take precedence. Option A is wrong because the table name is correct.

Option C is wrong because the role is assumed. Option D is wrong because the user exists.

159
MCQhard

A healthcare company stores patient records in Amazon DynamoDB. Each record includes a 'patient_id' (partition key) and 'visit_date' (sort key). The company needs to run ad-hoc queries to find all patients seen by a specific doctor within a date range. Which design approach minimizes cost and latency for this query pattern?

A.Query the base table using a filter expression on doctor_id.
B.Create a local secondary index (LSI) with doctor_id as sort key.
C.Create a global secondary index (GSI) with doctor_id as partition key and visit_date as sort key.
D.Use a Scan operation with a filter expression for doctor_id and visit_date.
AnswerC

GSI enables efficient query by doctor and date range.

Why this answer

Option C is correct because a Global Secondary Index (GSI) with doctor_id as the partition key and visit_date as the sort key allows efficient key-based queries for all patients seen by a specific doctor within a date range. This avoids full table scans and filter operations, minimizing both cost (read capacity units) and latency. DynamoDB can directly retrieve the indexed items without scanning the base table.

Exam trap

The trap here is that candidates often confuse LSIs and GSIs, assuming an LSI can support queries on any attribute, but LSIs are restricted to the same partition key as the base table, making them unsuitable for querying by doctor_id across all patients.

How to eliminate wrong answers

Option A is wrong because querying the base table with a filter expression on doctor_id still requires a full table scan if doctor_id is not a key attribute; the base table's partition key is patient_id, so you cannot query by doctor_id without scanning all items, which is costly and slow. Option B is wrong because a Local Secondary Index (LSI) must have the same partition key as the base table (patient_id), so it cannot be used to query by doctor_id alone; it would only help for queries within a specific patient. Option D is wrong because a Scan operation reads every item in the table, incurring maximum read capacity and latency, even with a filter expression; it is the least efficient approach for ad-hoc queries.

160
MCQeasy

A developer runs the AWS CLI command shown in the exhibit. What is the output indicating?

A.The secret value is not accessible.
B.The secret is not encrypted.
C.The secret has been rotated.
D.The secret contains a username and password in JSON format.
AnswerD

The SecretString shows the credentials.

Why this answer

Option B is correct because the JSON in SecretString contains the username and password. Option A is wrong because the secret is encrypted at rest by default. Option C is wrong because the secret version is shown, not rotation.

Option D is wrong because the output includes the secret value.

161
MCQeasy

A company is storing sensitive customer data in an Amazon RDS for MySQL DB instance. They need to ensure that data is encrypted at rest. What is the simplest way to achieve this?

A.Enable encryption on the existing DB instance by modifying the DB instance settings.
B.Enable Transparent Data Encryption (TDE) on the MySQL instance.
C.Launch a new encrypted DB instance and migrate the data.
D.Use client-side encryption with AWS KMS to encrypt data before inserting into the database.
AnswerC

Launching a new RDS instance with encryption enabled is the simplest method, as encryption is specified at launch time.

Why this answer

Option B is correct because enabling encryption at rest on a new RDS instance is straightforward. Option A is wrong because enabling encryption on an existing unencrypted DB instance requires a snapshot and restore. Option C is wrong because client-side encryption is more complex and not the simplest.

Option D is wrong because RDS does not natively support Transparent Data Encryption (TDE) for MySQL.

162
Multi-Selectmedium

A company uses Amazon RDS for PostgreSQL and wants to audit all database login attempts. Which TWO services can be used together to achieve this?

Select 1 answer
A.Enable AWS CloudTrail.
B.Enable VPC Flow Logs.
C.Enable S3 access logs to capture API calls.
D.Enable RDS Enhanced Monitoring.
E.Enable RDS for PostgreSQL to log to CloudWatch Logs.
AnswersE

Database logs can be sent to CloudWatch Logs.

Why this answer

Options A and D are correct. Option B is wrong because CloudTrail does not capture database login events; it captures management events. Option C is wrong because VPC Flow Logs capture network traffic, not database login attempts.

Option E is wrong because S3 Access Logs are for object access, not database logins.

163
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The compliance team requires that all database connections use SSL/TLS and that users authenticate using IAM database authentication. The database migration is completed, but the application team reports that connections using IAM authentication are failing. The company has already enabled IAM database authentication on the RDS instance. What is the most likely cause of the failure?

A.The application is using an outdated root CA certificate for SSL.
B.The Security Group does not allow inbound traffic from the application.
C.The database user has not been granted the necessary privileges for IAM authentication.
D.The RDS instance is using a different KMS key for encryption.
AnswerC

Database users must be created with 'IDENTIFIED WITH AWS_AUTHENTICATION' and granted 'rds_iam' role to use IAM authentication.

Why this answer

Option C is correct because IAM database authentication requires that the database user be created with the `IDENTIFIED WITH AWS_AUTHENTICATION` clause in Oracle. Without this privilege, the RDS instance will reject IAM-authenticated connections even if IAM authentication is enabled at the instance level. The application team must ensure the database user has been granted the `AWS_ORACLE_EXTENSIONS` role and that the user is mapped to an IAM policy allowing `rds-db:connect`.

Exam trap

The trap here is that candidates often assume enabling IAM authentication on the RDS instance is sufficient, overlooking the mandatory step of creating the database user with the `IDENTIFIED WITH AWS_AUTHENTICATION` clause and granting the necessary privileges.

How to eliminate wrong answers

Option A is wrong because an outdated root CA certificate would cause SSL/TLS handshake failures, not IAM authentication failures; IAM authentication relies on a valid authentication token, not the CA certificate chain. Option B is wrong because security group inbound rules control network-layer access, not authentication; if the security group blocked traffic, the application would receive a timeout or connection refused error, not an IAM authentication failure. Option D is wrong because the KMS key used for encryption at rest is unrelated to IAM authentication; IAM authentication uses the AWS Signature Version 4 signing process and does not involve KMS keys.

164
MCQhard

A database specialist is monitoring an Amazon DynamoDB global table with two replicas in separate regions. The specialist notices that the 'ReplicatedWriteConflictCount' metric is increasing. What is the MOST likely cause?

A.Insufficient write capacity in one of the regions
B.High network latency between the regions
C.The application is using strongly consistent reads
D.The same item is being written concurrently in multiple regions
AnswerD

Global tables use last-writer-wins; concurrent writes increase conflict count.

Why this answer

Option D is correct because concurrent writes to the same item in different regions cause conflicts. Option A is wrong because provisioned throughput affects throttling, not conflicts. Option B is wrong because network latency does not cause conflicts.

Option C is wrong because eventual consistency does not cause conflicts.

165
MCQhard

A company is designing a time-series database for IoT sensor data using Amazon DynamoDB. Each sensor sends a reading every second. The table uses 'sensor_id' as partition key and 'timestamp' as sort key. The application queries for the last hour of data for a specific sensor. The query uses 'KeyConditionExpression' with 'timestamp' between start and end time. The table has auto-scaling enabled. However, the query latency is high. What is the MOST likely cause?

A.Enable DynamoDB Accelerator (DAX) to cache the query results.
B.The sort key should be 'sensor_id' and partition key should be 'timestamp'.
C.The query is scanning from the beginning of time; use 'ScanIndexForward: false' and a 'Limit' parameter.
D.The table does not have enough read capacity units; increase the base capacity.
AnswerC

Reverses the sort order to retrieve recent items first, reducing scanned data.

Why this answer

Option B is correct because the sort key 'timestamp' is in ascending order, so the most recent data is at the end of the sorted range. When querying for the last hour, DynamoDB may scan a large number of items before finding the recent ones, especially if the sensor has been running for a long time. Using 'ScanIndexForward: false' with a limit would reverse the order and retrieve recent items first.

Option A is wrong because auto-scaling would add capacity if needed, but the issue is query design. Option C is wrong because the sort key is already 'timestamp'. Option D is wrong because DAX would reduce latency but not the underlying read consumption.

166
MCQeasy

An IAM policy is attached to a user. What does this policy allow the user to do?

A.Update an item in the Orders table.
B.Scan the entire Orders table and return all attributes.
C.Delete an item from the Orders table.
D.Get an item from the Orders table but only return the order_id, customer_id, and status attributes.
AnswerD

The policy allows GetItem with attribute restriction.

Why this answer

Option B is correct. The policy allows the GetItem action on the Orders table, but only returns the specified attributes (order_id, customer_id, status) due to the condition. Option A is incorrect because the policy does not allow Scan.

Option C is incorrect because the policy only allows GetItem, not PutItem. Option D is incorrect because the policy does not allow deleting items.

167
Multi-Selecthard

A company runs a time-series application on Amazon DynamoDB. The data has a pattern of frequent writes for recent data and rare reads for older data. They want to optimize storage costs and query performance for the time-series data. Which THREE strategies should they implement? (Choose THREE.)

Select 3 answers
A.Use DynamoDB Time to Live (TTL) to automatically delete old data after a certain period
B.Store historical data in Amazon S3 and query with Amazon Athena
C.Increase DynamoDB read capacity units to improve query performance
D.Archive old data to Amazon S3 Glacier using AWS Lambda and DynamoDB Streams
E.Decrease DynamoDB write capacity units to reduce cost
AnswersA, B, D

TTL removes items without consuming WCU and reduces storage costs.

Why this answer

DynamoDB Time to Live (TTL) automatically deletes expired items, reducing storage. Archiving old data to S3 Glacier provides cheap storage. Using S3 and Athena for historical queries avoids scanning old data in DynamoDB.

Option D is wrong because increasing RCU is expensive and not a storage optimization. Option E is wrong because decreasing WCU may cause throttling.

168
MCQeasy

A company runs an Amazon RDS for SQL Server DB instance in a VPC. The security group for the DB instance allows inbound traffic on port 1433 from the application servers' security group. The application servers can connect to the database, but a database administrator cannot connect from their workstation using SQL Server Management Studio (SSMS). What is the MOST likely cause?

A.The security group does not allow inbound traffic from the DBA workstation's IP address.
B.The DBA is using an incompatible version of SSMS.
C.The DB instance is configured as Multi-AZ, which restricts direct connections.
D.The DB instance has encryption enabled, which blocks non-encrypted connections.
AnswerA

The security group only allows traffic from the app servers; the DBA's IP is not allowed.

Why this answer

The DBA's workstation is not within the VPC, so it needs a public IP and the security group must allow inbound traffic from the workstation's IP. Option A (DBA's IP not in security group) is correct. Option B (SSMS version) is unlikely; Option C (Multi-AZ) irrelevant; Option D (encryption) does not prevent connection.

169
MCQmedium

A company has an Amazon DynamoDB table with on-demand capacity mode. The table experiences a sudden spike in traffic, and the application starts receiving ProvisionedThroughputExceededException errors. What is the most likely cause?

A.The provisioned read capacity units are insufficient
B.The table has reached the maximum number of read capacity units
C.The traffic spike exceeded the previous peak traffic by more than double in a short period
D.Auto Scaling is not configured to increase capacity
AnswerC

DynamoDB on-demand mode uses a token bucket algorithm; sudden huge spikes can cause throttling.

Why this answer

Option D is correct because on-demand mode can throttle if traffic exceeds the previous peak by a large margin in a short time. Option A is wrong because on-demand mode does not have provisioned throughput. Option B is wrong because there is no auto-scaling in on-demand mode.

Option C is wrong because read/write capacity units are not set.

170
Multi-Selectmedium

A company is designing an Amazon RDS for MySQL database for an e-commerce application. Which TWO design strategies will help ensure high availability and automatic failover in the event of a primary instance failure?

Select 1 answer
A.Use Amazon Aurora instead of RDS MySQL.
B.Create a read replica in the same Availability Zone.
C.Enable Multi-AZ deployment.
D.Provision read replicas in different Availability Zones.
E.Enable automatic backups.
AnswersC

Multi-AZ provides automatic failover to a standby in a different Availability Zone.

Why this answer

Option C is correct because enabling Multi-AZ deployment for Amazon RDS MySQL automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In the event of a primary instance failure, Amazon RDS automatically fails over to the standby replica, providing high availability with minimal downtime.

Exam trap

The trap here is that candidates often confuse read replicas (which are for read scaling and require manual promotion) with Multi-AZ standby replicas (which provide automatic failover), leading them to select options B or D incorrectly.

171
MCQeasy

A developer is troubleshooting a slow query on Amazon RDS for MySQL. The query joins three large tables and runs frequently. What is the most effective way to identify the bottleneck?

A.Check the RDS Events for any maintenance notifications
B.Review Amazon CloudWatch CPU and memory metrics
C.Enable the slow query log and analyze the output
D.Use AWS Database Migration Service to migrate to a larger instance
AnswerC

Slow query log records queries that take longer than a set time.

Why this answer

Option B is correct because enabling slow query log captures queries that exceed a threshold, allowing analysis. Option A is wrong because Enhanced Monitoring shows OS metrics, not query details. Option C is wrong because Performance Insights shows wait events and SQL, but slow query log specifically targets slow queries.

Option D is wrong because CloudWatch metrics show overall performance, not per-query.

172
MCQeasy

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. After migration, the application team reports that queries are slower than before. Which metric in CloudWatch should the DBA review first to check if the instance is resource-constrained?

A.SwapUsage
B.CPUUtilization
C.FreeableMemory
D.DatabaseConnections
AnswerB

High CPU could indicate resource contention affecting query performance.

Why this answer

Option A is correct because CPUUtilization is a primary indicator of resource saturation. Option B is wrong because DatabaseConnections shows concurrent connections, not resource usage. Option C is wrong because FreeableMemory is important but CPU is more likely the first bottleneck.

Option D is wrong because SwapUsage is relevant but not the first metric to check.

173
MCQmedium

A company is deploying a new application that uses Amazon RDS for PostgreSQL. The application must be highly available with automatic failover in the event of a database failure. Which configuration should be used?

A.Deploy a Multi-AZ RDS instance with a standby in a different Availability Zone
B.Use a read replica in a different Availability Zone
C.Deploy the RDS instance in a single Availability Zone with automated backups
D.Deploy the RDS instance in a Cross-Region replication configuration
AnswerA

Multi-AZ provides automatic failover for high availability.

Why this answer

Multi-AZ deployment with a standby instance in a different Availability Zone provides automatic failover. Read replicas are for read scaling, not failover. Single-AZ has no automatic failover.

Cross-Region replication is for disaster recovery, not automatic failover.

174
MCQhard

A company runs a critical e-commerce application on Amazon Aurora MySQL with a single DB instance. The database has 8 TB of data and uses the default writer endpoint. Recently, the application experienced a 10-minute outage during a primary instance failover. The failover was triggered by an underlying hardware issue. The database specialist needs to minimize downtime during future failovers. The application team is unwilling to modify the application code to handle connection retries. The company has a 99.99% SLA requirement. Which solution should the database specialist implement to meet the SLA with minimal application changes?

A.Increase the DB instance class to a larger size to improve performance and reduce failover time
B.Enable Multi-AZ deployment with automatic failover
C.Create an Amazon RDS Proxy and configure the application to connect to the proxy endpoint
D.Create a cross-Region read replica and promote it to primary during failover
AnswerC

RDS Proxy handles failover seamlessly by preserving connections and reducing downtime.

Why this answer

Amazon RDS Proxy sits between the application and the database, pooling and reusing database connections. During a failover, RDS Proxy maintains the client connections and transparently reconnects to the new primary instance, so the application does not experience a connection loss and does not need to implement retry logic. This directly addresses the 10-minute outage by reducing failover downtime to seconds, meeting the 99.99% SLA without application code changes.

Exam trap

The trap here is that candidates often assume Multi-AZ (Option B) is sufficient for zero-downtime failover, but they overlook that the application must handle connection retries, which the question explicitly prohibits, making RDS Proxy the only solution that provides transparent failover without code changes.

How to eliminate wrong answers

Option A is wrong because increasing the DB instance class does not reduce failover time; failover duration is determined by the time to detect the failure, promote a replica, and flush transactions, not by instance size. Option B is wrong because while Multi-AZ with automatic failover provides a standby in a different Availability Zone, the application still experiences a connection break during failover and must handle retries, which the team is unwilling to do; the outage would still be several minutes. Option D is wrong because a cross-Region read replica requires manual promotion and DNS changes, leading to significantly longer downtime than 10 minutes, and it does not provide automatic failover or transparent reconnection without application changes.

175
MCQhard

A company runs a production Amazon DynamoDB table with on-demand capacity. The security team requires that all access to the table be logged for compliance. What is the most cost-effective way to log every DynamoDB API call?

A.Enable DynamoDB Streams on the table and process the stream with AWS Lambda.
B.Enable Amazon CloudWatch Logs to capture DynamoDB API calls.
C.Enable VPC Flow Logs and analyze them with Amazon Athena.
D.Enable AWS CloudTrail and create a trail that delivers logs to Amazon CloudWatch Logs.
AnswerD

CloudTrail logs all DynamoDB API calls.

Why this answer

Option D is correct because CloudTrail logs all API calls and can be delivered to CloudWatch Logs for monitoring. Option A is wrong because DynamoDB Streams capture data changes, not API calls. Option B is wrong because VPC Flow Logs capture network traffic.

Option C is wrong because CloudWatch Logs does not capture API calls directly.

176
MCQmedium

A company is designing a database for a real-time bidding system that requires sub-millisecond read and write latency for ad impressions. The workload is heavily write-intensive with occasional reads by campaign IDs. Which AWS database service is most suitable?

A.Amazon DynamoDB with DAX
B.Amazon ElastiCache for Redis
C.Amazon DocumentDB
D.Amazon Aurora MySQL
AnswerA

DynamoDB with DAX provides microsecond to single-digit millisecond latency for high-throughput workloads.

Why this answer

Amazon DynamoDB with DAX is the most suitable choice because DynamoDB provides single-digit millisecond latency for read and write operations at any scale, and DAX (DynamoDB Accelerator) is an in-memory cache that reduces read latency to microseconds for frequently accessed items. This combination meets the sub-millisecond read and write latency requirements for a heavily write-intensive real-time bidding system, while supporting occasional reads by campaign IDs via efficient query patterns.

Exam trap

The trap here is that candidates may choose ElastiCache for Redis because of its sub-millisecond latency, overlooking that it is not designed as a primary database for write-heavy, durable workloads, and that DynamoDB with DAX provides the same latency with built-in durability and auto-scaling for writes.

How to eliminate wrong answers

Option B (Amazon ElastiCache for Redis) is wrong because while it offers sub-millisecond latency, it is primarily an in-memory data store that is not optimized for heavy write-intensive workloads with persistence requirements; it lacks the native write scaling and durability features of DynamoDB, and using it as a primary database for ad impressions would risk data loss on node failure without complex replication. Option C (Amazon DocumentDB) is wrong because it is a document database that provides millisecond latency but not sub-millisecond performance for writes, and its write throughput is limited by instance size and storage IOPS, making it unsuitable for the extreme write volume of a real-time bidding system. Option D (Amazon Aurora MySQL) is wrong because it is a relational database that offers low latency but typically in the single-digit millisecond range for writes, and its write performance is constrained by the underlying storage and replication architecture, failing to meet the sub-millisecond write latency requirement for a heavily write-intensive workload.

177
MCQmedium

A company is using Amazon RDS for PostgreSQL with read replicas to offload read traffic. The company wants to ensure that the read replicas are always in sync with the primary instance. Which metric should the company monitor to detect replication lag?

A.DiskQueueDepth
B.ReplicaLag
C.TransactionLogsDiskUsage
D.ReadLatency
AnswerB

This metric shows the time difference between the primary and replica in seconds.

Why this answer

RDS provides the ReplicaLag metric in CloudWatch for PostgreSQL read replicas. Option A (DiskQueueDepth) is for storage. Option B (ReadLatency) is for read operations.

Option D (TransactionLogsDiskUsage) is not a standard metric.

178
MCQhard

A company uses Amazon RDS for PostgreSQL with Multi-AZ deployment. They experience increased write latency during peak hours. The DB instance size is db.r5.large. Which action would MOST effectively reduce write latency?

A.Switch to a db.r5.xlarge instance type.
B.Disable the Multi-AZ feature and use asynchronous replication with a read replica for failover.
C.Enable the synchronous_commit parameter to 'off'.
D.Enable Multi-AZ with two standby replicas.
AnswerB

Asynchronous replication reduces write latency; read replica can be promoted for failover.

Why this answer

Multi-AZ deployments use synchronous standby; enabling Multi-AZ with one standby reduces latency overhead compared to two standbys.

179
MCQhard

A company has a multi-AZ RDS for PostgreSQL DB instance. The security team wants to ensure that database audit logs are stored in CloudWatch Logs for real-time monitoring. The team enabled the 'pgaudit.log' parameter and set 'log_destination' to 'csvlog'. However, logs are not appearing in CloudWatch. What is the most likely cause?

A.The DB instance is multi-AZ, which prevents log delivery to CloudWatch.
B.AWS CloudTrail is not enabled for the RDS instance.
C.The DB parameter group is not associated with the DB instance.
D.The 'rds.logs_to_cloudwatch' parameter is not set to 1.
AnswerD

This parameter must be enabled for logs to be published to CloudWatch.

Why this answer

Option D is correct because RDS publishes logs to CloudWatch only if the 'rds.logs_to_cloudwatch' parameter is set to 1. Option A is wrong because the instance is multi-AZ, which does not affect log delivery. Option B is wrong because the parameter group is associated; the issue is the missing parameter.

Option C is wrong because CloudTrail is not involved.

180
MCQmedium

A company is deploying a new application on Amazon RDS for PostgreSQL. The application requires a database with a specific parameter group that sets 'max_connections' to 500 and 'shared_buffers' to 25% of the instance memory. The company uses CloudFormation to deploy the RDS instance. The CloudFormation template creates a DBInstance with a DBParameterGroup. The deployment fails because the parameter group cannot be associated with the DB instance. What is the most likely cause?

A.The parameter group uses an invalid value for 'shared_buffers' because it must be an integer, not a percentage.
B.The 'max_connections' value of 500 exceeds the allowed maximum for the instance class.
C.The CloudFormation template does not include a DependsOn clause linking the DBParameterGroup to the DBInstance.
D.The DBParameterGroup is not in the same region as the DBInstance.
AnswerA

RDS requires absolute values for 'shared_buffers', not percentages.

Why this answer

Option D is correct because RDS does not allow setting 'shared_buffers' as a percentage; it must be an integer value. Option A is wrong because parameter groups can be created in CloudFormation. Option B is wrong because 'max_connections' can be modified.

Option C is wrong because the parameter group family must match the engine version.

181
Multi-Selecteasy

A company uses Amazon RDS for PostgreSQL with Multi-AZ. The primary instance fails and a failover occurs. After failover, the application reports elevated write latency. Which TWO are possible causes?

Select 2 answers
A.A read replica is now promoting to primary
B.The buffer pool is not warm on the new primary
C.The new primary has a smaller instance size
D.Automated backups are running on the new primary
E.Application DNS cache still points to the old primary IP
AnswersB, E

Cold buffer pool increases read I/O.

Why this answer

After a Multi-AZ failover, the new primary instance starts with a cold buffer pool (no cached data blocks). PostgreSQL relies on shared buffers to cache frequently accessed data; without a warm cache, every read request must fetch data from disk, which increases I/O and write latency because writes often require reading the affected pages first. This is a known behavior in RDS for PostgreSQL after failover, and it resolves as the buffer pool warms up over time.

Exam trap

The trap here is that candidates often confuse Multi-AZ failover with read replica promotion, or assume that automated backups cause performance degradation, when in fact the cold buffer pool is the primary culprit for elevated write latency after failover.

182
MCQmedium

A company has an Amazon RDS for MySQL DB instance that stores sensitive customer data. The security team requires that all data at rest be encrypted using a customer-managed AWS KMS key. The DB instance was originally launched without encryption. Which combination of steps will meet the requirement with the least downtime?

A.Create a read replica of the DB instance with encryption enabled, and then promote the read replica to become the primary instance.
B.Modify the DB instance and enable encryption using the AWS Management Console.
C.Take a snapshot of the DB instance, copy the snapshot with encryption enabled using the desired KMS key, and restore the encrypted snapshot to a new DB instance.
D.Take a snapshot of the DB instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to the same DB instance ID.
AnswerC

This is the standard procedure to enable encryption on an existing unencrypted RDS instance.

Why this answer

Option D is correct because you must create a snapshot of the unencrypted DB instance, copy the snapshot with encryption enabled using the desired KMS key, and then restore the encrypted snapshot to a new DB instance. This process results in some downtime but is the standard method for enabling encryption on an existing unencrypted RDS instance. Option A is incorrect because modifying the DB instance directly does not support enabling encryption.

Option B is incorrect because enabling encryption on a snapshot copy is the correct approach, but you cannot restore an encrypted snapshot to the same instance; you must create a new instance. Option C is incorrect because RDS does not support enabling encryption via a read replica.

183
MCQmedium

A financial services company needs a database for trade settlement records. Each trade must be processed exactly once and the database must ensure ACID compliance across multiple rows. The workload is write-intensive with moderate reads. Which AWS database service should they choose?

A.Amazon Aurora PostgreSQL
B.Amazon DynamoDB with DynamoDB transactions
C.Amazon ElastiCache for Redis
D.Amazon Neptune
AnswerA

Aurora PostgreSQL provides full ACID compliance and is optimized for high write throughput.

Why this answer

Option B is correct because Aurora is ACID-compliant, supports complex transactions, and provides high availability. Option A (DynamoDB) is not fully ACID (only single-item transactions are atomic). Option C (Neptune) is a graph database.

Option D (ElastiCache) is not durable and not ACID.

184
MCQmedium

A company is deploying an Amazon RDS for MySQL database in a VPC. The database must be accessible only from a specific set of application servers in the same VPC. Which configuration provides the most secure access?

A.Set the security group inbound rule to allow all traffic from the VPC CIDR
B.Place the RDS instance in a separate subnet group
C.Set the RDS instance to publicly accessible
D.Set the security group inbound rule to reference the security group of the application servers
AnswerD

Restricts access to resources with that security group.

Why this answer

Using a security group that references the application servers' security group is the most secure because it allows traffic based on security group ID, not IP. Option A (publicly accessible) is insecure. Option B (all traffic from VPC CIDR) is too broad.

Option D (database subnet group) does not control ingress traffic.

185
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database size is 500 GB. The migration must have minimal downtime. Which AWS service should be used to perform the migration?

A.AWS Snowball Edge
B.AWS Database Migration Service (DMS)
C.AWS DataSync
D.Amazon RDS for Oracle snapshot copy
AnswerB

DMS supports Oracle to RDS Oracle migrations with minimal downtime using change data capture.

Why this answer

AWS Database Migration Service (DMS) is the correct choice because it supports heterogeneous migrations from Oracle to Amazon RDS for Oracle with minimal downtime. DMS can perform continuous replication using Oracle's change data capture (CDC) via LogMiner or binary reader, allowing the source database to remain operational during the migration. This makes it ideal for a 500 GB database where downtime must be minimized.

Exam trap

The trap here is that candidates often confuse AWS DataSync or Snowball Edge as viable options for live database migrations, but DataSync is for file/object transfers and Snowball Edge is for offline bulk data movement, neither of which support ongoing change replication or minimal-downtime database migration.

How to eliminate wrong answers

Option A is wrong because AWS Snowball Edge is a physical data transfer device designed for large-scale offline data migrations (typically >10 TB) or environments with limited network bandwidth, not for minimal-downtime online database migrations. Option C is wrong because AWS DataSync is a service for transferring files and objects between on-premises storage and AWS (e.g., NFS, SMB, S3), not for live database replication or heterogeneous database migrations. Option D is wrong because Amazon RDS for Oracle snapshot copy only works between existing RDS instances (e.g., cross-region or cross-account copies) and cannot ingest data from an on-premises Oracle database; it requires the source to already be an RDS instance.

186
MCQhard

A security engineer created the IAM policy above for an application that reads from a DynamoDB table named UserSessions. The application reports that it cannot query the table using a Global Secondary Index (GSI). The table's GSI is named GSI_UserSessions. Why is the application unable to query the index?

A.The Query action is not allowed on the index because the Allow statement only applies to the table, not the index.
B.The Deny statement explicitly denies all DynamoDB actions on the index resource, overriding the Allow statement.
C.The application is using GetItem instead of Query to access the index.
D.The policy allows Query on the table, which automatically includes the index.
AnswerA, B

The Allow statement's resource is the table, not the index; however, the Deny is explicit. Actually, both A and C could be argued, but A is the primary reason because the Deny explicitly blocks. But the question expects A. However, in the context, the correct answer is A because Deny overrides Allow. However, note that the Allow statement does not include index ARN, so Query on index is implicitly denied. But there is an explicit Deny, which makes it explicit. The best answer is A.

Why this answer

Option A is correct because the IAM policy's Allow statement grants the Query action on the DynamoDB table resource (arn:aws:dynamodb:...:table/UserSessions) but does not include the index resource (arn:aws:dynamodb:...:table/UserSessions/index/GSI_UserSessions). In DynamoDB, a Global Secondary Index is a separate subresource, and IAM policies must explicitly grant permissions on the index ARN to allow operations like Query on that index. Without this, the application cannot query the GSI.

Exam trap

The trap here is that candidates often assume that granting permissions on a DynamoDB table automatically covers its Global Secondary Indexes, but AWS IAM treats indexes as separate resources requiring explicit ARN-based permissions.

How to eliminate wrong answers

Option B is wrong because the Deny statement in the policy explicitly denies all DynamoDB actions on the index resource, which would indeed override the Allow statement, but the question states the application cannot query the index; the Deny statement is present in the policy and is the actual reason for the failure, not the Allow statement's scope. Option C is wrong because the application reports it cannot query the table using a GSI, and the issue is about permissions, not the API method; GetItem cannot query an index anyway, but the problem is IAM authorization. Option D is wrong because allowing Query on the table does not automatically include the index; DynamoDB treats indexes as separate resources for IAM purposes, so explicit permissions on the index ARN are required.

187
Multi-Selecteasy

Which TWO of the following are valid design considerations when using Amazon DynamoDB for a high-traffic e-commerce application? (Select TWO.)

Select 2 answers
A.Use scan operations for frequent queries to reduce provisioned capacity
B.Use DynamoDB transactions to reduce read capacity consumption
C.Use atomic counters to maintain inventory counts
D.Always use strongly consistent reads for all queries
E.Use sparse global secondary indexes to reduce write capacity costs
AnswersC, E

Atomic counters allow incrementing without read-modify-write.

Why this answer

Option C is correct because atomic counters in DynamoDB allow you to increment or decrement a numeric attribute atomically using the UpdateItem operation with an UpdateExpression like 'SET inventory = inventory - :qty'. This is ideal for maintaining inventory counts in a high-traffic e-commerce application, as it avoids the need for read-modify-write cycles and reduces the risk of race conditions without consuming additional read capacity.

Exam trap

AWS often tests the misconception that DynamoDB transactions reduce capacity consumption, but in reality, transactions increase capacity costs (e.g., TransactGetItems consumes 2x the read capacity units) and are designed for atomicity, not efficiency.

188
MCQhard

A DevOps engineer notices that an Amazon RDS for PostgreSQL instance has been in 'storage-full' state for the past 30 minutes. The instance has 500 GB of General Purpose SSD (gp2) storage, and the free storage space is 0 bytes. The database is critical and cannot tolerate downtime. What is the MOST efficient way to resolve this issue while minimizing downtime?

A.Take a snapshot of the DB instance and restore it to a new instance with larger storage
B.Modify the DB instance to increase allocated storage to 1,000 GB
C.Enable storage auto-scaling on the DB instance
D.Delete unnecessary data, such as old logs or temporary tables
AnswerB

Modifying storage online adds space without downtime.

Why this answer

Option B is correct because modifying storage to 1,000 GB does not require downtime and automatically adds more space. Option A is wrong because deleting logs may not free enough space and requires manual intervention. Option C is wrong because taking a snapshot and restoring to a larger instance causes downtime.

Option D is wrong because enabling storage auto-scaling does not immediately solve the current full state.

189
MCQhard

A CloudFormation template is used to create an RDS DB instance with encryption, as shown in the exhibit. The stack creation fails because the DB instance creation fails. What is the most likely cause?

A.The DB instance has StorageEncrypted set to true but KmsKeyId is not a valid ARN.
B.The KMS key policy does not grant permissions to the RDS service principal.
C.The KmsKeyId property requires the key ARN, not a reference.
D.The DB instance depends on the KMS key, but there is no DependsOn clause to ensure the key is created first.
AnswerD

Without DependsOn, the DB instance may be created before the key.

Why this answer

Option D is correct because KMS key creation must be completed before the DB instance can use it; CloudFormation does not automatically order creation unless dependencies are defined. Option A is wrong because the KMS key policy allows the account root full access. Option B is wrong because the KMS key ID is passed correctly via !Ref.

Option C is wrong because encryption is set to true and the KMS key is provided.

190
MCQmedium

A company is migrating an on-premises Oracle database to Amazon Aurora PostgreSQL. The database is used for a financial application that requires complex joins and transactions. Which migration strategy is MOST appropriate?

A.Use AWS DMS with native Oracle to PostgreSQL endpoint
B.Use Oracle GoldenGate to replicate data to Aurora PostgreSQL
C.Use AWS SCT to convert the schema and AWS DMS to migrate data
D.Use pg_dump to export the Oracle database and restore to Aurora PostgreSQL
AnswerC

SCT converts schema, DMS migrates data.

Why this answer

Option C is correct because AWS Schema Conversion Tool (SCT) is required to convert the Oracle schema (including complex joins and transaction logic) to a PostgreSQL-compatible format, and AWS Database Migration Service (DMS) performs the ongoing data migration with minimal downtime. This combination handles both schema transformation and data replication for heterogeneous migrations, which is essential for a financial application with complex joins and transactions.

Exam trap

The trap here is that candidates assume DMS alone can handle heterogeneous migrations without schema conversion, or that a PostgreSQL-native tool like pg_dump can extract data from Oracle, leading them to choose options A or D instead of recognizing the mandatory role of SCT.

How to eliminate wrong answers

Option A is wrong because AWS DMS with native Oracle to PostgreSQL endpoint does not automatically convert the schema; DMS relies on SCT for schema conversion, and without it, the migration would fail due to incompatible data types, stored procedures, and transaction semantics. Option B is wrong because Oracle GoldenGate is a log-based replication tool primarily used for homogeneous Oracle-to-Oracle migrations or real-time streaming, and it does not natively convert Oracle schema objects to PostgreSQL; using it would require additional custom transformation logic and is not the most appropriate strategy for a full migration to Aurora PostgreSQL. Option D is wrong because pg_dump is a PostgreSQL-native tool that cannot export from an Oracle database; it only works with PostgreSQL databases, so it cannot be used to extract data from an Oracle source.

191
MCQmedium

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The database is 2 TB in size and has a high write workload. The company needs to minimize downtime during the migration. Which AWS service or feature should the company use to achieve this?

A.Use pg_dump and pg_restore to export and import the database.
B.Use AWS Database Migration Service (AWS DMS) with ongoing replication.
C.Use the AWS Schema Conversion Tool (AWS SCT) to convert the schema and migrate data.
D.Use AWS DataSync to replicate the database files.
AnswerB

AWS DMS supports ongoing replication via change data capture, minimizing downtime.

Why this answer

AWS DMS with ongoing replication (change data capture, CDC) is the correct choice because it allows continuous synchronization of the source PostgreSQL database with the target RDS for PostgreSQL instance after an initial full load. This minimizes downtime by enabling the target to stay up-to-date with changes until the cutover, which is critical for a 2 TB database with a high write workload.

Exam trap

The trap here is that candidates often confuse AWS DMS with AWS SCT, assuming SCT is needed for same-engine migrations, but SCT is only required for heterogeneous migrations, not for PostgreSQL to RDS PostgreSQL.

How to eliminate wrong answers

Option A is wrong because pg_dump and pg_restore are logical backup and restore tools that require the source database to be quiesced or taken offline during the export, causing significant downtime, and they do not support ongoing replication for a near-zero-downtime migration. Option C is wrong because AWS SCT is used for schema conversion when migrating between different database engines (e.g., Oracle to PostgreSQL), not for migrating within the same engine (PostgreSQL to RDS PostgreSQL), and it does not handle data migration or ongoing replication. Option D is wrong because AWS DataSync is designed for file-based data transfers (e.g., NFS, SMB) and cannot replicate live PostgreSQL database files or support transactional consistency and ongoing change capture for a relational database.

192
MCQmedium

A user is unable to list the contents of the S3 bucket 'my-db-backups' using the AWS CLI. The IAM policy attached to the user is shown in the exhibit. What is the likely cause?

A.The user is using the wrong bucket name.
B.The policy does not grant 's3:ListBucket' permission.
C.The resource ARN is missing the bucket-level ARN needed for listing.
D.The policy has a syntax error.
AnswerB

ListBucket is required to list objects.

Why this answer

Option A is correct because the policy does not include 's3:ListBucket' action. Option B is wrong because the resource includes the bucket. Option C is wrong because the policy is valid JSON.

Option D is wrong because the bucket name is correct.

193
Multi-Selecteasy

A company is designing a highly available e-commerce application using Amazon DynamoDB. The application requires strongly consistent reads for inventory data and eventual consistency for user session data. Which TWO design decisions should the company make?

Select 2 answers
A.Enable DynamoDB Streams on the inventory table to replicate data for disaster recovery.
B.Use DynamoDB Accelerator (DAX) for the inventory table to provide strongly consistent reads.
C.Use a single DynamoDB table for both inventory and session data with different partition keys.
D.Use strongly consistent reads for the inventory table by setting ConsistentRead=true in the query.
E.Use DynamoDB global tables for the user session data to achieve low-latency access across regions.
AnswersD, E

ConsistentRead=true ensures strongly consistent reads in DynamoDB.

Why this answer

Option D is correct because DynamoDB supports strongly consistent reads by setting the `ConsistentRead=true` parameter in the GetItem, Query, or Scan API calls. This ensures that the application always reads the most recent write, which is critical for inventory data where accuracy is paramount. Strongly consistent reads come at the cost of higher latency and lower throughput compared to eventually consistent reads, but they meet the requirement for inventory consistency.

Exam trap

The trap here is that candidates often assume DAX can provide strongly consistent reads because it accelerates read performance, but DAX is an eventually consistent cache and cannot guarantee read-after-write consistency for inventory data.

194
MCQmedium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 5 TB in size and has a daily change rate of 2%. The migration must have minimal downtime. Which migration strategy should be used?

A.Use AWS Schema Conversion Tool (SCT) to convert the schema, then use AWS DMS for full load only.
B.Create an RDS read replica in the same region and promote it.
C.Use AWS Database Migration Service (DMS) with ongoing replication from the source database.
D.Export the database to a dump file using Oracle Data Pump, upload to S3, and restore to RDS.
AnswerC

DMS with ongoing replication enables continuous sync and minimal downtime.

Why this answer

AWS DMS with ongoing replication allows continuous data sync with minimal downtime. Option A (AWS SCT + DMS) is not ideal because SCT is for schema conversion, not needed here. Option C (export/import) causes downtime.

Option D (RDS read replica) is for within AWS, not on-premises to RDS.

195
MCQhard

A company is using Amazon DynamoDB for a high-traffic application. Users report occasional 'ProvisionedThroughputExceededException' errors. The application uses consistent reads and retries with exponential backoff. What is the MOST efficient way to handle these errors and reduce the number of retries?

A.Increase the provisioned read capacity units manually
B.Switch to eventually consistent reads
C.Enable DynamoDB Auto Scaling for the table
D.Increase the provisioned write capacity units manually
AnswerC

Auto Scaling adjusts capacity automatically to handle traffic spikes.

Why this answer

Option B is correct because DynamoDB Auto Scaling adjusts the provisioned throughput automatically in response to traffic patterns, reducing throttling. Option A is wrong because switching to eventually consistent reads may reduce throttling but changes the consistency model, which may not be acceptable. Option C is wrong because increasing read capacity is a manual action and not efficient.

Option D is wrong because increasing write capacity does not address read throttling.

196
MCQmedium

A company is monitoring an Amazon Aurora MySQL DB cluster. They observe that the AuroraReplicaLagMaximum metric is consistently above 10 seconds. Which action would best reduce the replica lag?

A.Increase the instance size of the writer.
B.Increase the instance size of the reader.
C.Reduce the number of transactions per second.
D.Enable Multi-AZ on the cluster.
AnswerB

Correct. A larger reader instance can apply changes faster, reducing lag.

Why this answer

Option B is correct because increasing the instance size of the reader can improve its ability to apply changes faster. Option A is wrong because increasing the writer size may not help if the reader is the bottleneck. Option C is wrong because reducing transaction size helps but may not be feasible.

Option D is wrong because Multi-AZ is always enabled for Aurora.

197
MCQmedium

A company is migrating a 500 GB MySQL database from an on-premises server to Amazon RDS for MySQL. The company uses AWS DMS with ongoing replication. The initial full load completes successfully, and the target RDS instance is in sync. However, after a few hours, the replication task fails with an error: 'Last Error: Error executing source loop; The table 'orders' has a row size larger than the maximum payload size of the target endpoint.' The target RDS instance is configured with db.r5.large and the default parameter group. The company has already verified that the table does not have any BLOB or TEXT columns. What is the MOST likely cause of this error?

A.The DMS task is using a low-memory instance.
B.The source table has a row that exceeds the MySQL row size limit.
C.The target RDS instance's max_allowed_packet parameter is set too low.
D.The target RDS instance does not have enough storage allocated.
AnswerB

MySQL enforces a row size limit; DMS cannot insert rows exceeding it.

Why this answer

RDS for MySQL has a maximum row size limit (65,535 bytes). DMS attempts to insert a row that exceeds this limit. Increasing the instance size does not change the row size limit.

Using a different storage engine might help, but InnoDB is default. Enabling compression reduces row size but is not a direct solution for the DMS error.

198
MCQmedium

A company needs to enforce that all new Amazon RDS DB instances are automatically encrypted at rest. What is the most efficient way to achieve this?

A.Create an IAM policy that denies rds:CreateDBInstance unless encryption is enabled, and attach it to all users.
B.Enable the 'encryption at rest' default in each AWS account's RDS console.
C.Use an AWS Organizations service control policy (SCP) to deny creation of unencrypted RDS instances.
D.Use AWS CloudFormation StackSets to deploy a template that creates encrypted instances in every account.
AnswerC

SCPs can enforce encryption at the organizational level.

Why this answer

Option B is correct because enabling the 'RDS_DB_INSTANCE_ENCRYPTION' SCP at the AWS Organizations level will enforce encryption for all new RDS instances. Option A is wrong because an IAM policy with a condition key only applies to users and roles, not to all accounts. Option C is wrong because a CloudFormation StackSet would require manual deployment.

Option D is wrong because enabling encryption in each account manually is not efficient.

199
Multi-Selecteasy

A company runs a web application that uses Amazon RDS for MySQL. The database frequently experiences high CPU utilization due to many concurrent connections. The application uses connection pooling at the application layer. Which TWO approaches can reduce CPU load on the database?

Select 2 answers
A.Use Amazon RDS Proxy to manage database connections.
B.Enable Multi-AZ to distribute the load.
C.Create read replicas to offload read traffic.
D.Increase the DB instance size to a larger instance type.
E.Implement caching with Amazon ElastiCache for frequently accessed data.
AnswersA, E

Reduces connection overhead.

Why this answer

Option A is correct because RDS Proxy manages connection pooling, reducing the overhead of establishing connections. Option D is correct because caching frequent read queries with ElastiCache reduces database load. Option B is wrong because increasing instance size may help but is not the most targeted solution.

Option C is wrong because read replicas help with read scaling, not CPU due to connections. Option E is wrong because Multi-AZ does not reduce CPU load.

200
MCQhard

A company runs a critical application on an Amazon RDS for MySQL DB instance. The company requires that the database be available with minimal downtime during a disaster recovery scenario. The current RDS instance is in us-east-1. The company wants to have a standby database in us-west-2 with automatic failover. What should the company do to meet this requirement?

A.Create a Multi-AZ deployment in us-west-2 and use Amazon Route 53 to failover.
B.Take daily snapshots and copy them to us-west-2. Restore from snapshot in us-west-2 during a disaster.
C.Create a cross-region read replica in us-west-2. Configure automatic failover using Amazon Route 53 health checks.
D.Create a Multi-AZ deployment in us-east-1.
AnswerC

The read replica can be promoted quickly, and Route 53 can redirect traffic automatically.

Why this answer

An RDS cross-region read replica can be promoted to a standalone instance in a disaster. Option A (Multi-AZ in us-east-1) does not provide cross-region failover. Option B (snapshots) has downtime.

Option D (Multi-AZ in us-west-2) does not help if us-east-1 fails.

201
MCQeasy

A developer is troubleshooting a slow-running query on an Amazon RDS for PostgreSQL instance. The query is performing a sequential scan on a large table. Which AWS service or feature should the developer use to identify the missing index?

A.Amazon RDS Enhanced Monitoring
B.AWS CloudTrail
C.Amazon RDS Performance Insights
D.Amazon CloudWatch Logs
AnswerC

Correct. Performance Insights helps identify performance bottlenecks such as missing indexes.

Why this answer

Option B is correct because Performance Insights provides database performance analysis and can identify missing indexes. Option A is wrong because RDS Enhanced Monitoring provides OS-level metrics. Option C is wrong because CloudWatch Logs are for application logs.

Option D is wrong because AWS CloudTrail logs API calls.

202
Multi-Selecthard

A company is migrating a 500 GB Oracle database to Amazon RDS for Oracle. They need to validate the migration and ensure data consistency. Which TWO methods should they use?

Select 2 answers
A.Use Amazon S3 inventory reports on the exported data.
B.Use AWS DMS data validation feature.
C.Run random SELECT queries on a subset of tables.
D.Compare row counts and checksums on both databases.
E.Use Amazon CloudWatch Logs to compare database logs.
AnswersB, D

DMS validation compares source and target data automatically.

Why this answer

Options B and D are correct. AWS DMS provides data validation, and comparing row counts and checksums can verify consistency. Option A is wrong because CloudWatch does not validate data.

Option C is wrong because querying random rows is not comprehensive. Option E is wrong because S3 inventory is unrelated to database consistency.

203
MCQhard

A company is migrating a 3 TB Oracle database from on-premises to Amazon RDS for Oracle. The migration must have zero downtime. The on-premises server uses Oracle Data Guard for disaster recovery. The network bandwidth is 200 Mbps. The team plans to use AWS DMS with CDC from Oracle redo logs. During the initial full load, DMS reports that the source table 'ORDERS' has a table-level supplemental log missing. The migration fails. What should the team do first to resolve this issue?

A.Switch to Oracle GoldenGate for migration.
B.Use AWS SCT to convert the schema and then use a native export/import.
C.Enable supplemental logging on the Oracle source database for the 'ORDERS' table.
D.Recreate the DMS task with 'full load only' to bypass CDC.
AnswerC

Required for DMS CDC to capture changes.

Why this answer

Option B is correct: the missing supplemental log prevents DMS from capturing changes. Option A is wrong because re-creating the task without fixing the log will fail again. Option C is wrong because using a different tool may not address the root cause.

Option D is wrong because disabling CDC would cause downtime.

204
MCQeasy

Refer to the exhibit. A database administrator retrieves CloudWatch metrics for an RDS instance. What is the trend of CPU utilization during the monitored period?

A.CPU utilization is decreasing over time.
B.CPU utilization is constant around 90%.
C.CPU utilization fluctuates randomly.
D.CPU utilization is increasing over time.
AnswerD

The average values go from 75.5% to 98.2%.

Why this answer

Option B is correct. The average CPU utilization increases from 75.5% to 98.2% over the hour, indicating a steady increase. Option A is incorrect because it is not decreasing.

Option C is incorrect because it is not constant. Option D is incorrect because it does not fluctuate; it increases monotonically.

205
Multi-Selecthard

Which THREE of the following are best practices for designing a DynamoDB table for a gaming leaderboard that updates scores frequently and supports queries for top players? (Choose 3.)

Select 2 answers
A.Scan the entire table and sort to get top scores
B.Use strongly consistent reads for the leaderboard queries
C.Use a Global Secondary Index with score as the sort key to query top scores efficiently
D.Use DynamoDB Streams to update a materialized leaderboard table
E.Use a single partition key for all players to easily query top scores
AnswersC, D

Allows efficient range queries on scores.

Why this answer

Option C is correct because a Global Secondary Index (GSI) with score as the sort key allows efficient range queries (e.g., Query with ScanIndexForward=false) to retrieve top players without scanning the entire table. This leverages DynamoDB's key-value and sorted-index capabilities to minimize read throughput and latency, which is critical for frequently updated leaderboards.

Exam trap

The trap here is that candidates often confuse strongly consistent reads with eventual consistency for leaderboard use cases, or assume a single partition key is acceptable for global ranking, not realizing it creates a hot partition and prevents efficient sorted queries.

206
Multi-Selecteasy

A company is planning to migrate its on-premises Oracle database to Amazon RDS for Oracle. The database uses Oracle Data Guard for disaster recovery. Which TWO AWS services can be used to assess the database and plan the migration? (Choose TWO.)

Select 2 answers
A.AWS Migration Hub
B.CloudEndure Disaster Recovery
C.AWS Snowball
D.AWS Database Migration Service (DMS)
E.AWS Schema Conversion Tool (SCT)
AnswersD, E

DMS can migrate data and assess compatibility.

Why this answer

Option C and Option D are correct. AWS DMS can migrate the database, and AWS Schema Conversion Tool (SCT) can assess and convert the schema. Option A is wrong because CloudEndure is for server migration.

Option B is wrong because AWS Migration Hub tracks migrations but does not assess databases. Option E is wrong because AWS Snowball is for large data transfer offline.

207
MCQeasy

A company is migrating an on-premises MySQL database to Amazon RDS for MySQL. The database uses InnoDB tables and is 500 GB in size. The migration must be completed within a 2-hour maintenance window. Which approach is MOST likely to meet the requirement?

A.Create a read replica of the on-premises database and promote it to RDS.
B.Use mysqldump to export the database and then import it into RDS.
C.Use AWS DMS with a full load task.
D.Take a physical backup of the data directory and copy it to RDS.
AnswerB

mysqldump with --single-transaction provides a consistent export without locking.

Why this answer

Option A is correct because using mysqldump with the --single-transaction flag exports a consistent snapshot without locking tables, and the data can be imported into RDS within the window if network bandwidth is sufficient. Option B is wrong because importing a physical backup from an on-premises database to RDS is not straightforward; RDS does not support backup file import directly. Option C is wrong because AWS DMS requires initial load and may not complete within 2 hours for 500 GB.

Option D is wrong because creating a read replica requires the source to be an RDS instance, not on-premises.

208
Multi-Selecthard

A financial services company runs an Amazon Aurora MySQL database cluster with a single writer and two readers. The cluster handles critical transactional workloads. Over the past month, the database experienced intermittent read replica lag spikes that caused stale reads in application queries. The database administrator needs to identify the root cause and reduce replica lag. Which THREE steps should the administrator take to diagnose and mitigate the issue?

Select 3 answers
A.Switch from a single-writer cluster to Multi-AZ DB instance to reduce replication lag.
B.Upgrade the reader instances to a larger instance class to match the writer.
C.Use Performance Insights on the reader instances to identify high-load queries causing resource contention.
D.Check the binlog retention hours parameter and reduce it if set to a high value.
E.Enable slow query logging on the writer instance and analyze long-running transactions.
AnswersC, D, E

Performance Insights can pinpoint resource bottlenecks on readers.

Why this answer

Option A is correct because analyzing slow query logs helps identify long-running queries on the writer that may cause replication delay. Option B is correct because increased binary log retention can lead to lag; reducing it can help. Option C is correct because using Performance Insights on readers reveals resource bottlenecks.

Option D is wrong because disabling Multi-AZ does not affect replica lag. Option E is wrong because upgrading readers to the same instance class as the writer may not address the root cause if the issue is on the writer side.

209
MCQmedium

A company's RDS for SQL Server instance is frequently running out of disk space. The instance uses General Purpose SSD (gp2) storage. Which monitoring step will help identify the root cause?

A.Review CloudTrail logs for API calls
B.Monitor FreeStorageSpace and BinaryLogUsage metrics
C.Monitor BackupStorageUsed metric
D.Enable Enhanced Monitoring
AnswerB

FreeStorageSpace shows remaining space; BinaryLogUsage tracks transaction log growth.

Why this answer

Option D is correct because monitoring FreeStorageSpace and transaction log usage reveals what consumes space. Option A is wrong because backup storage is separate. Option B is wrong because Enhanced Monitoring shows OS metrics, not disk usage by database.

Option C is wrong because CloudTrail is for API activity.

210
MCQhard

A company is migrating a 500 GB Oracle database to Amazon Aurora PostgreSQL. They need to convert the schema and migrate the data. The application uses Oracle-specific features like hierarchical queries and stored procedures. Which combination of services should they use?

A.Use AWS Snowball Edge to transfer the database files and then use SCT to convert the schema.
B.Use AWS Schema Conversion Tool (SCT) to convert the schema and AWS Database Migration Service (DMS) to migrate the data.
C.Use AWS Database Migration Service (DMS) with the Oracle as source and Aurora PostgreSQL as target.
D.Use AWS Schema Conversion Tool (SCT) to convert the schema and then manually export/import data.
AnswerB

SCT converts the schema including Oracle-specific features, and DMS migrates the data efficiently.

Why this answer

Option D (SCT for schema conversion, DMS for data migration) is correct because SCT converts Oracle schema including stored procedures and hierarchical queries, and DMS migrates the data. Option A (DMS only) does not convert schema. Option B (SCT only) does not migrate data.

Option C (Snowball with SCT) is for large data transfers but not for ongoing replication or schema conversion of complex features.

211
MCQhard

A company is deploying a globally distributed application that requires a low-latency, highly available database with multi-region write support. The application needs to handle conflicts automatically. Which AWS database solution meets these requirements?

A.Amazon Aurora Global Database
B.Amazon ElastiCache for Redis global datastore
C.Amazon DynamoDB global tables
D.Amazon RDS Multi-AZ with cross-region read replicas
AnswerC

DynamoDB global tables provide multi-region, multi-master writes with automatic conflict resolution.

Why this answer

Option C is correct because Amazon DynamoDB global tables provide multi-region, multi-master replication with automatic conflict resolution. Option A is wrong because Aurora Global Database supports cross-region replication but only one primary region for writes. Option B is wrong because RDS Multi-AZ is single-region.

Option D is wrong because ElastiCache is a caching layer, not a primary database.

212
Multi-Selecteasy

A company uses Amazon Redshift and notices that queries are taking longer than usual. CloudWatch metrics show 'CPUUtilization' is high and 'DiskSpace' is low. Which TWO actions can help improve query performance?

Select 2 answers
A.Disable concurrency scaling to free resources
B.Add more nodes to the cluster
C.Enable Multi-AZ to distribute load
D.Run VACUUM to reclaim space
E.Optimize sort keys to reduce data scanned
AnswersB, E

Adding nodes increases parallelism and resources for queries.

Why this answer

Option A is correct because adding nodes distributes workload and increases CPU and I/O resources. Option B is wrong because VACUUM reorganizes data but does not free space if the disk is full; it may require space. Option C is correct because optimizing sort keys reduces the amount of data scanned, speeding up queries.

Option D is wrong because disabling concurrency scaling reduces performance. Option E is wrong because Multi-AZ is not available for Redshift. So correct: A, C.

213
MCQmedium

A company is using Amazon DocumentDB (with MongoDB compatibility) for a content management system. The security team requires that all data be encrypted at rest and in transit. The DocumentDB cluster is already encrypted at rest using AWS KMS. To enforce encryption in transit, the security team wants to ensure that all client connections use TLS. The team has enabled the 'tls' parameter in the cluster parameter group. However, a developer reports that they can still connect to the cluster without specifying TLS options using the mongo shell. The developer is connecting from an EC2 instance in the same VPC. The security group for the DocumentDB cluster allows inbound traffic on port 27017 from the EC2 instance's security group. What is the most likely reason the developer can connect without TLS?

A.DocumentDB does not support TLS; it only supports SSL.
B.The EC2 instance is in the same VPC, so TLS is not enforced for intra-VPC traffic.
C.The developer is using an older version of the mongo shell that does not support TLS.
D.The 'tls' parameter was not applied to the cluster because the parameter group was not associated with the cluster or the cluster was not rebooted.
AnswerD

Parameter group changes require a reboot to take effect.

Why this answer

Option B is correct. DocumentDB supports both TLS and non-TLS connections on the same port. Enabling the 'tls' parameter in the parameter group only affects new connections if the client requests TLS; it does not force TLS.

To enforce TLS, you must modify the cluster's security group to block non-TLS traffic, or use a different port for TLS. However, DocumentDB does not have a separate port for TLS; the same port can accept both. The parameter 'tls' when set to 'enabled' actually forces TLS for all connections? Actually, in DocumentDB, setting the cluster parameter 'tls' to 'enabled' does enforce TLS; but the developer might be using an older client that does not support TLS.

But the question says the developer can connect without specifying TLS options. That suggests that the parameter might not be applied or the cluster was not rebooted. Option A is possible but less likely.

Option C is incorrect because TLS is supported. Option D is incorrect because the same VPC does not bypass TLS.

214
MCQmedium

Refer to the exhibit. A database administrator is reviewing the output of 'SHOW FULL PROCESSLIST' on an Amazon RDS for MySQL DB instance. The company's security policy requires that all database users access only the minimum necessary data. Which user's activity should be investigated further?

A.Both users, because they are both accessing the credit_cards table.
B.The admin user, because the query is selecting all columns from the credit_cards table.
C.The app_user, because the query is selecting card_number which is sensitive.
D.Neither user, because the queries are normal for their roles.
AnswerB

This violates the principle of least privilege; the admin should not be selecting all columns.

Why this answer

The admin user is executing a full scan of the credit_cards table, which is a security concern because it could be accessing unnecessary data. The app_user is querying a specific column with a condition, which is more appropriate. The admin user should have a more restrictive query.

Option B is correct. Option A is wrong because the admin user's query is broad. Option C is wrong because the app_user's query is specific.

Option D is wrong because both queries are selecting data, but the admin's is more concerning.

215
MCQmedium

A company is migrating an on-premises SQL Server database to Amazon RDS for SQL Server. They need to minimize downtime and have a limited network bandwidth of 50 Mbps. The database size is 1 TB. What is the MOST effective approach?

A.Use AWS DMS with CDC over the network.
B.Use AWS SCT to compress data before transfer.
C.Use AWS Snowball Edge to transfer initial load, then DMS for CDC.
D.Use native SQL Server backup and restore to Amazon S3.
AnswerC

Snowball accelerates initial transfer, CDC handles changes.

Why this answer

Option C is correct because the 1 TB database size combined with a 50 Mbps network bandwidth would require over 46 hours for the initial load, making a full network transfer impractical. AWS Snowball Edge allows you to transfer the initial 1 TB seed data offline via a physical appliance, bypassing bandwidth constraints. After the seed is loaded into RDS, AWS DMS with Change Data Capture (CDC) can then replicate ongoing changes over the network, minimizing downtime to only the final cutover window.

Exam trap

The trap here is that candidates assume DMS with CDC alone can handle the full migration, underestimating the time required for the initial load over limited bandwidth, and overlook the offline seeding option provided by Snowball Edge.

How to eliminate wrong answers

Option A is wrong because using AWS DMS with CDC over the network for the full 1 TB initial load at 50 Mbps would take approximately 46+ hours, causing unacceptable downtime and risk of failure due to bandwidth limitations. Option B is wrong because AWS SCT compresses schema and code objects, not the actual data payload; it cannot compress the 1 TB database files for transfer, so it does not solve the bandwidth bottleneck. Option D is wrong because native SQL Server backup and restore to Amazon S3 requires uploading the full 1 TB backup file over the 50 Mbps network, which would take the same prohibitive amount of time as any other network-based approach, and it does not provide a CDC mechanism to minimize downtime.

216
Multi-Selectmedium

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The migration must have minimal downtime. Which TWO AWS services should be used together to achieve this?

Select 2 answers
A.AWS DataSync
B.AWS CloudEndure Migration
C.AWS Database Migration Service (AWS DMS)
D.AWS Direct Connect
E.AWS Schema Conversion Tool (AWS SCT)
AnswersC, E

DMS provides ongoing replication for minimal downtime.

Why this answer

AWS Database Migration Service (AWS DMS) is the correct choice because it is specifically designed for migrating databases to AWS with minimal downtime by using ongoing replication (change data capture, CDC) from the source PostgreSQL database to the target Amazon RDS for PostgreSQL instance. This allows the source database to remain fully operational during the migration, and only a short cutover window is needed to switch applications to the target.

Exam trap

The trap here is that candidates often confuse AWS DataSync or CloudEndure Migration as viable for database migration, but neither supports the logical replication and schema conversion required for minimal-downtime PostgreSQL to RDS migration, while DMS and SCT are the only services that directly address both schema conversion and ongoing data replication.

217
Multi-Selecthard

A company uses Amazon DynamoDB with DAX and wants to implement fine-grained access control using IAM. Which THREE conditions can be used in an IAM policy to restrict access to specific items based on the primary key?

Select 3 answers
A.dynamodb:Attributes
B.dynamodb:ReturnValues
C.dynamodb:TableName
D.dynamodb:LeadingKeys
E.dynamodb:Select
AnswersA, D, E

Restricts access to specific attributes (columns).

Why this answer

Options A, B, and D are correct. DynamoDB supports IAM conditions for fine-grained access control using dynamodb:LeadingKeys, dynamodb:Attributes, and dynamodb:Select. Option C is wrong because dynamodb:TableName identifies the table, not items.

Option E is wrong because dynamodb:ReturnValues is a parameter for write operations, not a condition for access control.

218
MCQhard

A company is running a self-managed MongoDB cluster on Amazon EC2. The cluster consists of three replica set members in different Availability Zones. The primary node recently experienced a crash, and the cluster failed over to a secondary. However, the new primary is showing significantly higher latency. The operations team wants to ensure that failover is fast and consistent. What should be done to improve the failover reliability?

A.Use Amazon EBS io2 Block Express volumes with provisioned IOPS.
B.Use Amazon EBS Multi-Attach to allow all replicas to share the same volume.
C.Switch to instance store volumes for better I/O performance.
D.Configure EBS snapshots to be taken every 5 minutes.
AnswerA

io2 Block Express provides consistent low-latency performance, reducing replica lag.

Why this answer

Option C: Using Amazon EBS io2 Block Express volumes with higher IOPS and lower latency can reduce the time for the secondary to catch up. Option A: EBS Multi-Attach is not supported for io2? Actually io2 supports multi-attach but for shared volumes, not typically used for MongoDB. Option B: Using instance store volumes may have higher performance but are ephemeral and data loss is possible.

Option D: Snapshots are for backups, not for improving failover performance.

219
MCQmedium

A company is migrating an on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The database is 2 TB in size and has a sustained write rate of 50 MB/s. The migration must have minimal downtime. Which migration approach should be used?

A.Create an RDS read replica from the on-premises database
B.Use pg_dump and pg_restore
C.Use AWS DMS with a full-load task only
D.Use AWS DMS with ongoing replication (change data capture)
AnswerD

Ongoing replication allows minimal downtime by continuously synchronizing changes.

Why this answer

Option D is correct because AWS Database Migration Service (DMS) with ongoing replication allows minimal downtime by continuously replicating changes from the source to the target. Option A is wrong because AWS DMS with full load only does not support ongoing replication, leading to downtime. Option B is wrong because pg_dump/pg_restore is a logical backup tool that requires downtime during the dump and restore process.

Option C is wrong because an RDS read replica can only be created from an existing RDS instance, not from on-premises.

220
MCQhard

A company has a production Amazon Aurora MySQL DB cluster with one writer and two reader instances. The application uses a custom connection pool that uses the writer endpoint for all database calls. The application is experiencing increased latency during peak hours. A database specialist suggests using the reader endpoint for read-only queries. What change is required on the application side to implement this recommendation?

A.Modify the Aurora cluster to enable load balancing for the reader endpoint.
B.Create a new custom endpoint for read-only queries and use it instead of the reader endpoint.
C.Replace the writer endpoint with the reader endpoint in the connection pool configuration.
D.Update the application's connection logic to use the cluster endpoint for writes and the reader endpoint for reads.
AnswerD

The reader endpoint distributes read traffic across all reader instances, reducing writer load.

Why this answer

The application needs to differentiate between read and write queries and send read queries to the reader endpoint while write queries continue to use the writer endpoint. No changes to the Aurora cluster are needed; Aurora automatically handles connectivity to reader instances via the reader endpoint. The cluster endpoint remains unchanged for writes.

221
Multi-Selecthard

Which THREE factors should be considered when choosing between Amazon DynamoDB and Amazon Aurora for a new application? (Select THREE.)

Select 3 answers
A.Access patterns (key-value vs relational queries)
B.Need for complex joins and transactions
C.Scalability model (horizontal vs vertical)
D.Cost per GB of storage
E.Maximum data size per table
AnswersA, B, C

Determines NoSQL vs SQL choice.

Why this answer

Access pattern (key-value vs relational), transaction support (Aurora supports complex transactions), and scalability model (DynamoDB scales horizontally) are key. Data size and cost are not primary differentiators.

222
Multi-Selectmedium

A company is using an Amazon Aurora MySQL DB cluster. The company wants to implement a backup strategy that supports point-in-time recovery (PITR) with a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 5 minutes. Which TWO actions should the company take?

Select 2 answers
A.Configure automated backups with a retention period of at least 5 minutes beyond the current time.
B.Create manual snapshots every 5 minutes.
C.Enable cross-Region replication for the cluster.
D.Enable parallel query for the cluster.
E.Enable Aurora Backtrack.
AnswersA, E

Automated backups enable PITR.

Why this answer

Option A is correct because Aurora automated backups are continuous and incremental, and the retention period must be set to at least 1 day (not 5 minutes) to enable point-in-time recovery (PITR). However, the key insight is that automated backups are always enabled by default with a 1-day retention, and PITR can restore to any point within that retention window, supporting an RPO of 5 minutes as Aurora's backup process captures changes every 5 minutes. Option E is correct because Aurora Backtrack allows you to 'rewind' the cluster to a specific point in time without restoring from a backup, achieving an RTO of 15 minutes or less by directly moving the cluster to a previous state, provided Backtrack is enabled with a backtrack window of at least 5 minutes.

Exam trap

The trap here is that candidates assume automated backups require a retention period of exactly 5 minutes to achieve a 5-minute RPO, but Aurora's PITR is based on the frequency of transaction log application (every 5 minutes) and the retention period must be at least 1 day; the 5-minute RPO is inherent to the service, not configurable via retention period.

223
MCQeasy

A company's security policy requires that all database passwords be rotated every 90 days. The company uses AWS Secrets Manager to store database credentials for Amazon RDS. Which feature can be used to automate password rotation?

A.Configure automatic rotation in Secrets Manager with a rotation interval of 90 days.
B.Use an AWS Lambda function triggered by Amazon CloudWatch Events every 90 days to rotate the password.
C.Use IAM Access Analyzer to detect unused passwords and rotate them.
D.Store the password in AWS Systems Manager Parameter Store and use automatic rotation.
AnswerA

Secrets Manager can automatically rotate RDS credentials on a schedule.

Why this answer

Option A is correct because Secrets Manager has built-in rotation support for RDS databases. Option B is wrong because Lambda can be used but is not a feature of Secrets Manager itself; the managed rotation is the simplest. Option C is wrong because IAM Access Analyzer is for analyzing resource policies, not password rotation.

Option D is wrong because Systems Manager Parameter Store does not have built-in rotation for RDS.

224
MCQmedium

A company is using Amazon Aurora MySQL-Compatible Edition. The security team wants to restrict access to the database so that only specific applications running on Amazon EC2 instances can connect. The EC2 instances are in the same VPC as the Aurora cluster. Which combination of steps should be taken to enforce this restriction?

A.Enable IAM database authentication and create database users for each application.
B.Modify the DB subnet group to include only subnets where the EC2 instances reside.
C.Use a network ACL to allow traffic only from the EC2 instances' IP addresses.
D.Configure the Aurora cluster's security group to allow inbound traffic from the EC2 instances' security group.
AnswerD

Security group rules can reference other security groups.

Why this answer

Option A is correct because security groups can be used to allow traffic only from specific security groups (e.g., EC2 security group). Option B is wrong because IAM database authentication controls user authentication, not network access. Option C is wrong because NACLs are stateless and less granular.

Option D is wrong because subnet group does not restrict access.

225
Multi-Selecthard

A company is migrating a 500 GB Oracle database to Amazon Aurora PostgreSQL. Which THREE steps should be part of the migration plan?

Select 3 answers
A.Use AWS Snowball to transfer the database files.
B.Set up AWS Direct Connect between on-premises and AWS.
C.Use AWS DMS to perform a full load and ongoing replication from Oracle to Aurora.
D.Use AWS SCT to convert the Oracle schema to PostgreSQL-compatible schema.
E.Validate the migrated data and test the application against the new database.
AnswersC, D, E

DMS supports Oracle as source and Aurora PostgreSQL as target.

Why this answer

Using SCT for schema conversion is necessary because Oracle and PostgreSQL have different syntax. DMS can migrate data with ongoing replication. After migration, testing is crucial to ensure functionality.

Direct Connect is optional. Snowball may be overkill for 500 GB. S3 is used for backup storage but not a required step.

Page 2

Page 3 of 24

Page 4