AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 175

1616 questions total · 22 pages · All types, answers revealed

Question 1 (MCQ, medium)

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway REST API and several Lambda functions. The developer wants to enable X-Ray tracing to debug performance issues. What is the MINIMUM set of actions required to enable X-Ray tracing for the entire application?

A.Enable X-Ray tracing on each Lambda function individually and deploy the X-Ray daemon as a Lambda layer.
B.Enable X-Ray tracing only on the API Gateway stage and configure the Lambda functions to forward traces.
C.Deploy the X-Ray daemon as a sidecar container on each Lambda function.
D.Add Tracing: Active to the Globals section of the SAM template and attach the AWSXRayDaemonWriteAccess managed policy to the Lambda execution role.
Answer: D

Tracing: Active in the Globals section turns on active tracing for every function in the template, and AWSXRayDaemonWriteAccess lets the execution role send segments to X-Ray.

Why this answer

Option D is correct. In AWS SAM, Tracing: Active under Globals > Function enables active tracing on every Lambda function in the template; when SAM generates the execution role for you it also attaches AWSXRayDaemonWriteAccess, and if you supply your own role you attach that policy yourself. For the REST API, set TracingEnabled: true under Globals > Api so the stage emits segments too; X-Ray then joins the API Gateway and Lambda segments into one trace. Option A is wrong because per-function settings are more work than one global setting, and the X-Ray daemon already runs inside the Lambda execution environment; it is not shipped as a layer. Option B is wrong because tracing on the API Gateway stage alone does not instrument the functions, and Lambda does not "forward" traces. Option C is wrong because Lambda has no sidecar model.

Question 2 (Matching, medium)

Match each AWS service to its default port number (if applicable).

The service side of each pair was not preserved in this copy; the listed values are the well-known default ports, which pair with:

3306: MySQL, MariaDB and Aurora MySQL (Amazon RDS)
6379: Redis (Amazon ElastiCache for Redis)
5432: PostgreSQL and Aurora PostgreSQL (Amazon RDS)
11211: Memcached (Amazon ElastiCache for Memcached)
1521: Oracle Database (Amazon RDS for Oracle)

Why these pairings

Knowing the default port of each engine lets you write security group rules that open exactly that port, and only from the application tier's security group (for example TCP 3306 inbound to the RDS security group with the application security group as the source), instead of broad port ranges or 0.0.0.0/0. None of these engines should be reachable from the internet; Redis and Memcached in particular ship without authentication unless you enable it and are routinely scanned for when exposed.

Question 3 (MCQ, medium)

A company uses AWS Elastic Beanstalk to deploy a web application. The deployment is successful, but the application health checks fail. The application runs on a single EC2 instance. What should a developer do to troubleshoot this issue?

A.View the application logs in the Elastic Beanstalk console.
B.Modify the CloudFormation template to increase instance size.
C.Add an Application Load Balancer to the environment.
D.SSH into the EC2 instance and restart the web server.
Answer: A

Elastic Beanstalk retrieves the instance logs for you, and they show why the application fails its health checks.

Why this answer

Option A is correct because the Elastic Beanstalk console (Logs > Request Logs) pulls the web server and application logs from the instance, which reveal why the application is not answering health checks: a crash on startup, a wrong listen port, a missing environment variable. Option B is wrong because Elastic Beanstalk manages its own CloudFormation stack, and nothing in the scenario suggests the instance is undersized. Option C is wrong because adding a load balancer changes the environment type and does not explain why the existing instance fails its checks. Option D is wrong because SSH access may not be configured, restarting the web server blindly hides the cause instead of diagnosing it, and opening port 22 widens the attack surface for no diagnostic gain.

Question 4 (MCQ, medium)

A developer is using Amazon S3 to store application logs. The logs are generated every hour and must be retained for 90 days. After 90 days, the logs should be deleted automatically. Which S3 lifecycle policy should the developer configure?

A.Expire objects after 30 days.
B.Transition objects to Amazon S3 Glacier after 90 days.
C.Expire objects after 90 days.
D.Transition objects to S3 Standard-IA after 30 days and expire after 90 days.
Answer: C

An expiration action deletes objects once they reach the specified age.

Why this answer

Option C is correct because a lifecycle rule with an expiration action of 90 days deletes each object 90 days after it was created, which is exactly the retention requirement. Option A (expire after 30 days) deletes too early. Option B (transition to S3 Glacier after 90 days) changes the storage class but never deletes anything. Option D (transition to S3 Standard-IA after 30 days, expire after 90 days) would also delete on schedule, but it adds a transition the requirement does not ask for, and hourly log objects are often under the 128 KB minimum that Standard-IA bills for and that lifecycle transitions apply to. If the bucket is versioned, add a NoncurrentVersionExpiration action as well, or old versions of the logs outlive the rule.

Question 5 (Multi-Select, hard)

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must authenticate users using a third-party OIDC identity provider and authorize each request. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A.Create an Amazon Cognito user pool with the OIDC identity provider configured.
B.Generate an API key and distribute it to users for authentication.
C.Create an IAM authorizer in API Gateway to validate the JWT token.
D.In the Lambda function, parse the JWT claims from the event context to make authorization decisions.
E.Use a Cognito user pool authorizer in API Gateway to validate the token.
Answers: A, D, E

Cognito user pools federate with OIDC providers and issue the JWTs that API Gateway validates.

Why this answer

Option A is correct because an Amazon Cognito user pool can be configured with a third-party OIDC identity provider. The user pool handles the OIDC exchange with the provider and issues its own ID and access tokens (JWTs) after a successful login, so the rest of the stack only has to trust one issuer. Option E is correct because a Cognito user pool authorizer on the API Gateway method validates that JWT (signature, issuer, expiry) before the request reaches Lambda and rejects unauthenticated calls with 401 without consuming a Lambda invocation. Option D is correct because, after the authorizer has run, API Gateway places the verified claims in the Lambda event under requestContext.authorizer, and the function uses those claims, not a re-parsed Authorization header, to decide what the caller may do on each request.

Option B is wrong because API keys identify a client application for usage plans and throttling; they are not user credentials and must not be used for authentication. Option C is wrong because the IAM authorizer (authorization type AWS_IAM) requires requests signed with SigV4 by an IAM principal, so it cannot validate an OIDC JWT.

Exam trap

The trap here is confusing the role of API Gateway authorizers: candidates often pick IAM authorizer (Option C) thinking it can validate JWTs, but IAM authorizers require AWS SigV4 signing and are not designed for OIDC token validation, while the Cognito user pool authorizer is the correct choice for JWT-based federated authentication.
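The per-request authorization step in Option D, as an added example that is not part of the original question: a Lambda handler that takes the claims API Gateway placed in the event after the Cognito authorizer validated the token, and denies by default unless the caller belongs to a required group. It assumes the two event shapes API Gateway uses (REST API with a Cognito user pool authorizer: requestContext.authorizer.claims; HTTP API with a JWT authorizer: requestContext.authorizer.jwt.claims), a cognito:groups claim, and a group name "finance"; the sample events are constructed by hand.

```python
"""Added example (not from the original page): authorization from verified JWT
claims in a Lambda handler behind an API Gateway Cognito/JWT authorizer.

Assumed (not in the original question): the event shapes below, the
cognito:groups claim, and the required group name.
"""
import json

REQUIRED_GROUP = "finance"   # assumed group name for this example


def extract_claims(event):
    """Return the claims the authorizer verified, or None if it did not run.

    Only claims placed in the event by API Gateway are trusted. The handler
    never decodes the Authorization header itself: the signature was checked
    by the authorizer, and re-parsing an unverified token would be a bypass.
    """
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    if "claims" in authorizer:              # REST API, Cognito user pool authorizer
        return authorizer["claims"]
    if "jwt" in authorizer:                 # HTTP API, JWT authorizer
        return authorizer["jwt"].get("claims")
    return None


def groups_from(claims):
    """Normalize cognito:groups, which arrives as a list in some event shapes
    and as a string such as "a,b" or "[a b]" in others."""
    raw = claims.get("cognito:groups", [])
    if isinstance(raw, list):
        return set(raw)
    return {g for g in raw.strip("[]").replace(",", " ").split() if g}


def authorize(claims, required_group=REQUIRED_GROUP):
    """Deny by default: require a verified subject and group membership."""
    if not claims or not claims.get("sub"):
        return False, "no verified identity"
    if required_group not in groups_from(claims):
        return False, f"{claims['sub']} is not in group {required_group}"
    return True, claims["sub"]


def handler(event, context=None):
    """Lambda entry point."""
    allowed, detail = authorize(extract_claims(event))
    if not allowed:
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    # Authorized: do the real work, e.g. a DynamoDB read scoped to the subject.
    return {"statusCode": 200, "body": json.dumps({"user": detail})}


# Constructed sample events for the two authorizer shapes, plus one with no authorizer.
REST_EVENT = {"requestContext": {"authorizer": {"claims": {
    "sub": "1111-aaaa", "cognito:groups": "[finance, admins]"}}}}
HTTP_EVENT = {"requestContext": {"authorizer": {"jwt": {"claims": {
    "sub": "2222-bbbb", "cognito:groups": ["viewers"]}}}}}
UNAUTH_EVENT = {"requestContext": {}, "headers": {"authorization": "Bearer eyJ..."}}

if __name__ == "__main__":
    for name, ev in [("rest", REST_EVENT), ("http", HTTP_EVENT), ("none", UNAUTH_EVENT)]:
        print(name, handler(ev)["statusCode"])
```

The point of the split between extract_claims and authorize is that the function's trust boundary is the authorizer output, not the token: if the method were ever deployed without an authorizer, extract_claims returns None and every request is refused.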

Question 6 (MCQ, medium)

A developer is building a serverless application using AWS Lambda to process images uploaded to an S3 bucket. The Lambda function needs to resize the image and store the result in another S3 bucket. The developer notices that the Lambda function fails intermittently with timeout errors for large images. What is the MOST efficient solution to resolve this issue?

A.Increase the Lambda function timeout and memory allocation to accommodate larger images.
B.Limit the S3 event notification to only trigger for images smaller than 5 MB.
C.Refactor the Lambda function to use multi-threading for parallel processing of image chunks.
D.Use AWS Step Functions to orchestrate the image processing in smaller steps.
Answer: A

Raising memory also raises the CPU share allocated to the function, so a CPU-bound resize finishes sooner, and a longer timeout covers the remaining large images.

Why this answer

Option A is correct. Lambda allocates CPU in proportion to configured memory, so a function that times out on large images usually needs more memory (and with it more CPU) as much as it needs more time; raise both, stay under the 15-minute maximum timeout, and measure with X-Ray or the AWS Lambda Power Tuning tool before settling on values. Option B is wrong because filtering out images above 5 MB silently drops the work the application exists to do. Option C is wrong because resizing a single image does not split cleanly into independent chunks, and extra threads only help once the function has more than one vCPU, which again comes from the memory setting. Option D is wrong because Step Functions add orchestration cost and complexity without making any single step faster; the root cause is an under-provisioned function, not a missing workflow.

Question 7 (MCQ, hard)

A developer attached the managed policy above to an IAM role used by an application. The application tries to decrypt data using a KMS key that has an encryption context of {"department": "finance"}. However, the request fails with access denied. What is the most likely reason?

A.The KMS key policy does not grant decrypt permission to the IAM role
B.The IAM role does not have permission to call kms:Decrypt on any key
C.The encryption context does not match the condition
D.The IAM policy does not allow the kms:Decrypt action
Answer: A

KMS requires the key policy to allow the IAM role to use the key, in addition to the IAM policy; a kms:EncryptionContext condition must additionally match the context sent with the request.

Why this answer

Access to a KMS key is evaluated against the key policy and the caller's IAM policy together. The key policy must either grant the role directly or delegate to IAM (the statement that allows the account root principal, which is what lets IAM policies in the account take effect), and the IAM policy must allow kms:Decrypt on that key. When the key policy does neither, an IAM policy alone is not enough, and that is the most likely cause of the access denied (Option A). If the managed policy carries a kms:EncryptionContext:department condition, it must also match the pair the application passes with the Decrypt call exactly, key and value, and the application must actually pass that context; KMS treats a missing or mismatched context as an authorization failure. Option C would therefore be the answer only if the key policy were already known to permit the role. Options B and D describe the same single cause, no kms:Decrypt in the IAM policy, which does not fit a policy that grants Decrypt under an encryption-context condition.

Question 8 (MCQ, medium)

A company deploys a serverless application using AWS SAM. The application includes an Amazon API Gateway HTTP API and several AWS Lambda functions. The developer wants to implement a canary deployment for the API Gateway stage: 5% of traffic should be immediately shifted to the new version, and after 15 minutes, the remaining 95% should be shifted. Which SAM resource attribute should the developer configure?

A.DeploymentPreference with Type: Canary10Percent30Minutes
B.DeploymentPreference with Type: Canary5Percent15Minutes
C.DeploymentPreference with Type: Linear10PercentEvery10Minutes
D.DeploymentPreference with Type: AllAtOnce
Answer: B

This matches the stated numbers: 5% of traffic shifted immediately, the remaining 95% after 15 minutes.

Why this answer

Option B is correct because DeploymentPreference with Type: Canary5Percent15Minutes names a canary strategy that shifts 5% of traffic to the new version immediately and the remaining 95% after 15 minutes, matching the requirement. SAM implements DeploymentPreference by creating a CodeDeploy application and deployment group that shift traffic on the Lambda alias created by AutoPublishAlias; API traffic follows the shift because the API Gateway integration points at the alias rather than a fixed version. Note that CodeDeploy's predefined Lambda configurations all start at 10% (Canary10Percent5Minutes, Canary10Percent10Minutes, Canary10Percent15Minutes, Canary10Percent30Minutes, the Linear10Percent types and AllAtOnce), so a 5%/15-minute split is a custom CodeDeploy deployment configuration referenced by name in Type. Pair the preference with CloudWatch alarms and pre- and post-traffic hooks so a failing canary rolls back instead of receiving the remaining 95%.

Exam trap

The trap here is that candidates often confuse the percentage and time values in the canary types (e.g., picking Canary10Percent30Minutes) because they misread the requirement as a 10% canary or a 30-minute wait, rather than carefully matching the exact 5% and 15-minute values specified.

How to eliminate wrong answers

Option A is wrong because Canary10Percent30Minutes shifts 10% immediately and waits 30 minutes, not the required 5% and 15 minutes. Option C is wrong because Linear10PercentEvery10Minutes shifts traffic linearly in 10% increments every 10 minutes, not a single 5% canary followed by a 95% shift. Option D is wrong because AllAtOnce shifts 100% of traffic immediately, providing no canary or gradual rollout.

Question 9 (Multi-Select, medium)

An application in ECS Fargate needs to read a secret and decrypt it with KMS. Which two permissions/configurations are needed?

Select 2 answers
A.Store the secret in the container image
B.Task role permissions for Secrets Manager access
C.An EC2 instance profile attached to the Fargate host
D.KMS key policy/IAM permission allowing decrypt for the task role
Answers: B, D

The task needs an IAM identity that may read the secret and decrypt it with the key that protects it.

Why this answer

Option B is correct because the ECS task role is the IAM role the containers assume for AWS API calls; to read a secret from AWS Secrets Manager at runtime it needs secretsmanager:GetSecretValue on that secret. Option D is correct because Secrets Manager encrypts the secret with a KMS key and decryption is authorized by the key policy together with the role's IAM policy, so the task role needs kms:Decrypt on that specific key (for the AWS managed key aws/secretsmanager this is already arranged; for a customer managed key you grant it explicitly). If instead ECS injects the secret through the secrets field of the container definition, the same two permissions belong on the task execution role, because the ECS agent, not your code, fetches the value at launch. Option A is wrong because a secret baked into an image is readable by anyone who can pull the image and makes rotation a rebuild. Option C is wrong because Fargate has no EC2 host of yours to attach an instance profile to.

Exam trap

The trap here is that candidates often confuse EC2 instance profiles with ECS task roles, forgetting that Fargate is serverless and has no underlying EC2 host to attach an instance profile to.

Question 10 (MCQ, medium)

A developer needs to allow users from another AWS account (account ID: 123456789012) to read objects in an S3 bucket owned by the developer's account. The developer wants to use a bucket policy and does not want to create IAM users in the other account. Which bucket policy statement achieves this securely?

A.{"Principal": "*", "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}
B.{"Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
C.{"Principal": {"AWS": "arn:aws:iam::123456789012:user/cross-account-user"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
D.{"Principal": {"AWS": "arn:aws:iam::123456789012:role/cross-account-role"}, "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*"}
Answer: B

The root ARN of the trusted account (arn:aws:iam::123456789012:root) is used as the Principal. This delegates control to the other account's administrator, who can then grant read access to specific IAM users or roles in their account.

Why this answer

Option B is correct because it uses the AWS account root principal ARN (arn:aws:iam::123456789012:root) to grant cross-account access to the S3 bucket. This allows any IAM user or role in the external account to read objects, provided the external account's administrator delegates permissions via IAM policies. The bucket policy does not require creating IAM users in the other account, aligning with the requirement.

Exam trap

The trap here is that candidates often confuse the root principal ARN with a specific IAM entity, leading them to choose options that require pre-existing users or roles in the external account, or they misuse conditions like aws:SourceAccount with a wildcard principal, which does not securely restrict access.

How to eliminate wrong answers

Option A is wrong because aws:SourceAccount identifies the account that owns the resource on whose behalf an AWS service makes a request (it is the key you pair with aws:SourceArn to stop confused-deputy calls by a service); it is not set when an IAM user or role calls S3 directly, so this statement grants the other account's principals nothing, and the key that identifies the calling account is aws:PrincipalAccount. Option C is wrong because it names an IAM user that would have to exist in the other account, contradicting the requirement. Option D is wrong because it names a specific role in the other account; that is the least-privilege form when you already know the role, but the question asks to delegate to the account without presupposing any IAM entities there, which only the root principal does.

Question 11 (Multi-Select, hard)

A developer is optimizing an Amazon S3 bucket that stores millions of small objects. The application frequently lists objects with prefix-based queries. Which THREE strategies should the developer implement to improve performance?

Select 3 answers
A.Use Amazon S3 Inventory to generate a daily list of objects and query that list.
B.Use Amazon S3 Select or Amazon Athena to query objects instead of listing.
C.Move infrequently accessed objects to Amazon S3 Glacier Deep Archive.
D.Increase the TPS limit for ListObjects requests by requesting a quota increase.
E.Use AWS Glue to create a catalog of object metadata for faster querying.
Answers: A, B, E

S3 Inventory hands you a scheduled CSV/ORC/Parquet listing, so the application queries that instead of paging through ListObjects.

Why this answer

Option A is correct because Amazon S3 Inventory produces a daily or weekly report (CSV, ORC or Parquet) of every object and its metadata. Querying that report, for example with Athena, replaces thousands of paged ListObjectsV2 calls, which is far more efficient for prefix-based queries over millions of small objects. Option B is correct because S3 Select and Athena read the data you want directly instead of enumerating keys first, so the list step leaves the hot path. Option E is correct because an AWS Glue Data Catalog table over the inventory (or over the objects themselves) gives Athena a partitioned schema, so a prefix filter becomes a metadata lookup rather than a scan. Option C is wrong because moving objects to Glacier Deep Archive lowers storage cost but does nothing for listing performance and makes the data unavailable for hours. Option D is wrong because S3 request rates are not an adjustable service quota; S3 scales per prefix automatically, and LIST is simply slower than a keyed read at this object count.

Exam trap

The trap here is that candidates might think increasing API rate limits (Option D) is possible, but AWS S3 does not allow requesting a higher ListObjects TPS limit; instead, you must use alternative strategies like S3 Inventory or partitioning.

Question 12 (MCQ, medium)

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API must support different HTTP methods (GET, POST, PUT, DELETE) for the same resource path. The developer wants to define the API in a single Lambda function that can handle all methods without additional mapping configuration. Which Lambda integration type should the developer use?

A.Lambda proxy integration
B.Lambda custom integration
C.AWS service integration
D.HTTP integration
Answer: A

Correct. With Lambda proxy integration, API Gateway sends the entire request to the Lambda function, and the function can inspect the HTTP method to handle different operations.

Why this answer

Lambda proxy integration (option A) is correct because it allows a single Lambda function to handle all HTTP methods (GET, POST, PUT, DELETE) for the same resource path without additional mapping configuration. In this integration type, API Gateway passes the entire client request (method, headers, query parameters, body) as a JSON event to the Lambda function, and the function must return a response in a specific format that includes status code, headers, and body. This eliminates the need for manual mapping templates or method-specific configurations.

Exam trap

The trap here is that candidates often confuse Lambda custom integration with Lambda proxy integration, thinking that custom integration provides more control, but they overlook that proxy integration is specifically designed to handle multiple HTTP methods without additional mapping configuration.

How to eliminate wrong answers

Option B (Lambda custom integration) is wrong because it requires explicit mapping templates to transform the client request into the Lambda function's input format and to transform the Lambda response back to the HTTP response, which adds configuration overhead and does not support handling all methods in a single function without additional mapping. Option C (AWS service integration) is wrong because it is designed to integrate API Gateway directly with other AWS services (e.g., DynamoDB, SQS) without invoking a Lambda function, and it does not support routing multiple HTTP methods to a single Lambda function. Option D (HTTP integration) is wrong because it is used to proxy requests to an external HTTP endpoint, not to a Lambda function, and it requires mapping templates or VPC link configurations, making it unsuitable for a serverless Lambda-based API.

Question 13 (MCQ, easy)

A company has a centralized logging solution where all EC2 instances send logs to a CloudWatch Logs group in a central account. The EC2 instances are in a different account (App Account). The developer configures the CloudWatch agent on the instances with the necessary IAM role. However, logs are not appearing in the central account's log group. The IAM role in the App Account has permissions to put logs to the central account's log group. What is the most likely missing configuration?

A.CloudWatch Logs must be encrypted with the same KMS key in both accounts.
B.The central account's log group must have a resource-based policy that grants the App Account's IAM role permissions to put logs.
C.The log group must be in the same region as the EC2 instances.
D.The EC2 instances must be in a VPC with a VPC endpoint for CloudWatch Logs.
Answer: B

Cross-account delivery requires the central account to authorize the sending account on the receiving side, not only the sender's IAM role.

Why this answer

Option B is correct because the sender's IAM permission is only half of a cross-account grant: the receiving (central) account must also authorize the App Account on its side with a resource-based policy, which for CloudWatch Logs cross-account delivery is the destination policy that names the sending account. Without it, PutLogEvents from the other account is denied even though the caller's own policy allows it, which is why the logs never appear. Option A is wrong because KMS encryption of the log group is optional and independent of the permission problem. Option C is wrong because an agent can write to a log group in another region as long as the region is set correctly in the agent configuration. Option D is wrong because a VPC endpoint is only needed when the instances have no route to the public CloudWatch Logs endpoint, which the question does not describe.

Question 14 (MCQ, hard)

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment must be as fast as possible while ensuring that at least 50% of instances remain healthy throughout. Which deployment configuration should be used?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.MinHealthyPercent
Answer: B

Deploys to half the instances at a time, maintaining at least 50% healthy and is faster than OneAtATime.

Why this answer

CodeDeployDefault.HalfAtATime is the correct choice because it deploys to half of the instances in the Auto Scaling group at a time, ensuring that at least 50% of instances remain healthy throughout the deployment. This configuration balances speed (by deploying to multiple instances concurrently) with the required availability constraint, making it the fastest option that satisfies the 'at least 50% healthy' requirement.

Exam trap

The trap here is that candidates may confuse 'HalfAtATime' with 'OneAtATime' thinking slower is safer, or incorrectly assume 'AllAtOnce' is fastest without considering the health constraint, or invent a configuration name like 'MinHealthyPercent' that does not exist in CodeDeploy.

How to eliminate wrong answers

Option A (CodeDeployDefault.OneAtATime) is wrong because it deploys to only one instance at a time, which is the slowest deployment configuration and does not meet the requirement for maximum speed. Option C (CodeDeployDefault.AllAtOnce) is wrong because it deploys to all instances simultaneously, which can cause all instances to become unhealthy at once, violating the 'at least 50% healthy' requirement. Option D (CodeDeployDefault.MinHealthyPercent) is wrong because it is not a valid deployment configuration name in CodeDeploy; the correct parameter is 'minimumHealthyHosts' which can be set to a percentage, but 'MinHealthyPercent' is not a predefined configuration.

Question 15 (MCQ, medium)

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences occasional throttling on the Lambda function during peak traffic. The developer needs to reduce the number of throttling errors without changing the Lambda function code. Which solution should the developer implement?

A.Increase the Lambda function timeout.
B.Increase the DynamoDB read capacity units.
C.Configure reserved concurrency on the Lambda function.
D.Enable API Gateway caching.
Answer: C

Reserved concurrency carves out a guaranteed number of concurrent executions for this function from the account pool, so other functions cannot starve it.

Why this answer

Option C is correct because reserved concurrency guarantees the function that many concurrent executions out of the account's regional concurrency limit, so a burst elsewhere in the account can no longer throttle it, and no code change is needed. The same number is also the function's ceiling, so size it from observed peak concurrency (invocations per second times average duration) rather than guessing low; if the throttles come from the account limit itself, request a limit increase as well. Option A (increase the timeout) changes how long each invocation may run, which if anything raises concurrency usage. Option B (increase DynamoDB read capacity) addresses DynamoDB throttling, not Lambda throttling. Option D (API Gateway caching) reduces invocations for cacheable GETs but does not change the concurrency available to the function.

Question 16 (MCQ, medium)

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application needs to store large JSON documents (up to 1 MB) and retrieve them by a primary key. The documents are updated frequently. Which DynamoDB feature should the developer consider to optimize performance and cost for storing and retrieving these large items?

A.Use Amazon S3 to store the documents and store only the S3 key in DynamoDB.
B.Enable DynamoDB Accelerator (DAX) to cache the large items.
C.Use DynamoDB Transactions to atomically update the items.
D.Enable DynamoDB Streams to capture changes to the items.
Answer: A

This is the recommended approach for items exceeding the 400 KB DynamoDB item size limit.

Why this answer

Option A is correct because DynamoDB has a 400 KB item size limit, so storing large JSON documents (up to 1 MB) directly in DynamoDB is not possible. By storing the documents in Amazon S3 (which supports objects up to 5 TB) and keeping only the S3 object key in DynamoDB, the developer can efficiently retrieve the document via the primary key while avoiding DynamoDB's size constraint. This pattern also reduces DynamoDB read/write capacity unit consumption, lowering cost for frequently updated large items.

Exam trap

The trap here is that candidates assume DynamoDB can handle any size of data because it is a NoSQL database, but they overlook the explicit 400 KB item size limit, making the S3 integration pattern the only viable solution for documents up to 1 MB.

How to eliminate wrong answers

Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that speeds up reads but does not change the 400 KB item size limit; large items cannot be stored in DynamoDB at all, so caching them is irrelevant. Option C is wrong because DynamoDB Transactions provide ACID guarantees for multi-item operations but do not address the item size limit or optimize storage/retrieval of large documents. Option D is wrong because DynamoDB Streams capture item-level changes for event-driven processing, but they do not help with storing or retrieving large items that exceed the 400 KB limit.

Question 17 (MCQ, medium)

The above IAM policy is attached to an IAM role used by a Lambda function. The function tries to scan the table 'MyTable' but receives an AccessDenied error. What is the MOST likely cause?

A.The DynamoDB table does not exist.
B.The IAM role is not attached to the Lambda function.
C.The resource ARN is incorrect.
D.The policy does not include the 'dynamodb:Scan' action.
Answer: D

The policy does not allow Scan, and an action no statement allows is implicitly denied.

Why this answer

Option D is correct: IAM denies everything that no statement allows, so a policy that lists, say, dynamodb:GetItem and dynamodb:Query but not dynamodb:Scan makes a Scan call fail with AccessDenied even though the resource ARN is right. Option A is wrong because a nonexistent table produces ResourceNotFoundException, not AccessDenied. Option B is wrong because an unattached role would make every DynamoDB call fail, and the role is attached. Option C is wrong because a wrong resource ARN would also block the actions the policy does list, whereas the failure is specific to Scan. Grant only what the function actually needs: if it truly must read the whole table, add dynamodb:Scan; otherwise redesign the access pattern around Query on a key.

Question 18 (MCQ, easy)

A company wants to ensure that no Amazon S3 buckets in the AWS account can be made publicly accessible, even if a bucket policy or ACL is later configured to allow public access. Which AWS feature should the developer enable to enforce this at the account level?

A.S3 Block Public Access
B.S3 Object Lock
C.S3 Transfer Acceleration
D.S3 Bucket Policy with Deny clause
Answer: A

Correct. S3 Block Public Access at the account level prevents any public access to buckets regardless of bucket policies or ACLs.

Why this answer

S3 Block Public Access is the correct choice because it provides account-level settings that override any bucket-level policies or ACLs that would grant public access. When enabled at the account level, these settings apply to all current and future S3 buckets, effectively preventing any bucket from becoming publicly accessible regardless of subsequent configuration changes.

Exam trap

The trap here is that candidates often choose a bucket policy with a Deny clause (Option D) thinking it can enforce account-wide restrictions, but they overlook that such policies are bucket-specific and can be removed or modified by users with appropriate IAM permissions, whereas S3 Block Public Access is one account-level switch that overrides every bucket policy and ACL and can only be turned off by a principal holding s3:PutAccountPublicAccessBlock (a permission worth denying with an SCP in AWS Organizations).

How to eliminate wrong answers

Option B is wrong because S3 Object Lock is designed to prevent objects from being deleted or overwritten for a fixed period, not to control public access permissions. Option C is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations, and it has no effect on access control or public accessibility. Option D is wrong because a bucket policy with a Deny clause is applied at the individual bucket level, not at the account level, and it can be overridden or removed by anyone with sufficient permissions; it does not provide the centralized, enforceable control that Block Public Access offers.

Question 19 (MCQ, hard)

A company's S3 bucket policy includes a condition that uses 'aws:SourceIp' to restrict access to a specific IP range. However, requests from that IP range are still denied. What is a possible reason?

A.The request is routed through CloudFront, which changes the source IP.
B.The bucket owner's IAM user policy overrides the bucket policy.
C.The request is coming through a VPC endpoint, so the source IP is not the client's IP.
D.The condition key 'aws:SourceIp' is misspelled.
Answer: C

Through a VPC endpoint the request never reaches S3 from the client's public IP, so aws:SourceIp does not match; scope the policy with aws:SourceVpce (or aws:VpcSourceIp) instead.

Why this answer

Option C is correct. When a request reaches S3 through a VPC endpoint (a gateway endpoint for S3), it stays on the AWS network and carries only private VPC addressing, not the client's public IP, so a bucket policy condition on aws:SourceIp written for the office or NAT public range does not match and the request is denied even though the client is inside the intended range. For traffic through an endpoint use aws:SourceVpce (the endpoint ID) or aws:SourceVpc, and aws:VpcSourceIp when you need to restrict to private addresses inside the VPC; AWS documents aws:SourceIp as not applicable to requests that arrive via a VPC endpoint.

Exam trap

The trap here is that candidates assume 'aws:SourceIp' always reflects the client's original public IP, but they forget that VPC endpoints and proxies (like CloudFront or a NAT gateway) can change the source IP seen by the service, leading to unexpected denials.

How to eliminate wrong answers

Option A describes a real effect (origin requests from CloudFront come from CloudFront's address ranges, not the viewer's, so an aws:SourceIp allow list would reject them too), but the question's client is inside the allowed range and calling S3 directly, which is the VPC endpoint case; the right control for CloudFront is origin access control, not IP conditions. Option B is wrong because an IAM policy cannot override a bucket policy; within one account either policy can allow a request, but a deny, explicit or the implicit deny from a condition that never matches, is not overridden by the other policy. Option D is wrong because the question states the condition uses aws:SourceIp; a misspelled key would be an authoring error that policy validation flags, not something that depends on where the request comes from.

Question 20 (MCQ, medium)

A developer is troubleshooting an AWS Lambda function that occasionally fails with a timeout error. The function makes HTTP requests to external APIs. The function's current timeout setting is 30 seconds. The developer wants to implement a solution that reduces the chance of timeouts without increasing the Lambda timeout. Which approach should the developer take?

A.Configure the Lambda function to be invoked asynchronously.
B.Implement retry logic with exponential backoff in the Lambda function code.
C.Enable provisioned concurrency on the Lambda function.
D.Increase the Lambda function timeout to 5 minutes.
Answer: B

Retries with backoff absorb transient failures of the external API instead of letting a single stalled attempt consume the whole 30-second budget.

Why this answer

Option B is correct because retry logic with exponential backoff (and jitter) in the function code turns a transient failure or hung connection into a short per-attempt wait followed by another try, within the existing 30-second limit. The practical details are to give each HTTP call its own short timeout and to stop retrying before the invocation's remaining time runs out, so the function returns a clean error instead of being killed by the platform. Option A (asynchronous invocation) changes how the caller waits, not how long the function runs. Option C (provisioned concurrency) removes cold-start latency but does not help a request that is waiting on an external API. Option D (increase the timeout to 5 minutes) contradicts the requirement and only makes a stuck call more expensive.
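The retry approach from Option B worked through, as an added example that is not part of the original question: exponential backoff with full jitter, bounded by the time the invocation has left so retries never run the function into its own timeout. It assumes the external call is any callable that raises on transient failure and that remaining_ms is the value of context.get_remaining_time_in_millis(); the flaky upstream and the clock are constructed stand-ins so it runs offline.

```python
"""Added example (not from the original page): deadline-aware retry with
exponential backoff and full jitter for an outbound call inside Lambda.

Assumed (not in the original question): remaining_ms mirrors
context.get_remaining_time_in_millis(); FakeUpstream and FakeClock below are
constructed stand-ins for a flaky HTTP API and real time.
"""
import random
import time


class TransientError(Exception):
    """Failure worth retrying (timeouts, 5xx, connection resets)."""


def backoff_delay(attempt, base=0.2, cap=5.0, rng=random.random):
    """Full-jitter delay: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(fn, remaining_ms, max_attempts=5, reserve_ms=1000,
                    sleep=time.sleep, now=time.monotonic, rng=random.random):
    """Call fn() until it succeeds, retrying only while enough time is left.

    remaining_ms: milliseconds the invocation has left (Lambda context value).
    reserve_ms:   headroom kept for writing a response before Lambda kills us.
    Returns (result, attempts). Raises the last TransientError when out of
    attempts or time, so the caller surfaces a clean error instead of an
    opaque platform "Task timed out".
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    deadline = now() + (remaining_ms - reserve_ms) / 1000.0
    last_exc = None
    for attempt in range(max_attempts):
        try:
            return fn(), attempt + 1
        except TransientError as exc:
            last_exc = exc
            delay = backoff_delay(attempt, rng=rng)
            # Never sleep into the deadline: if the next wait would end past it,
            # stop now and fail fast rather than let the platform time us out.
            if now() + delay >= deadline:
                break
            sleep(delay)
    raise last_exc


# --- constructed, offline stand-ins for a flaky upstream and a fake clock ---
class FakeUpstream:
    def __init__(self, failures):
        self.failures, self.calls = failures, 0

    def fetch(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise TransientError("503 from upstream")
        return {"status": 200}


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo(failures, remaining_ms):
    """Run one scenario; return (outcome, calls made, simulated seconds slept)."""
    up, clock = FakeUpstream(failures), FakeClock()
    try:
        _, attempts = call_with_retry(up.fetch, remaining_ms,
                                      sleep=clock.sleep, now=clock.now,
                                      rng=lambda: 1.0)   # worst-case jitter
        return "ok", attempts, clock.t
    except TransientError:
        return "failed", up.calls, clock.t


if __name__ == "__main__":
    print(demo(failures=2, remaining_ms=30000))   # recovers on the third call
    print(demo(failures=4, remaining_ms=2000))    # gives up before the deadline
```

The second scenario is the one that matters for the question: with only two seconds left (one of them reserved), the third failure would need a 0.8 s wait that overruns the deadline, so the function stops after three calls and returns an error it controls, instead of sleeping and being terminated mid-request. In a real handler, pass context.get_remaining_time_in_millis() as remaining_ms and give the HTTP client a per-request timeout shorter than the deadline.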

Question 21 (Multi-Select, easy)

A company is using Amazon S3 to store sensitive data. The security team requires that all data be encrypted at rest. The developer must implement a solution that uses server-side encryption with AWS KMS managed keys (SSE-KMS). Which TWO steps are required to meet this requirement? (Choose TWO.)

Select 2 answers
A.Grant the IAM role used by the application the kms:GenerateDataKey permission for the KMS key.
B.Set the default encryption on the S3 bucket to SSE-KMS and disable the option to override it.
C.Set the x-amz-sse header to 'aws:kms' when uploading objects.
D.Enable default encryption on the S3 bucket with SSE-S3.
E.Configure an S3 bucket policy that denies PutObject requests if the request does not include the x-amz-server-side-encryption header.
Answers: A, E

To write with SSE-KMS the caller must be able to generate a data key under the KMS key, and the bucket policy must reject uploads that do not request it.

Why this answer

Options A and E are correct. Option A: for SSE-KMS, S3 calls KMS on the uploader's behalf to generate a data key, so the application's role needs kms:GenerateDataKey on the key (and kms:Decrypt to read objects back); with S3 Bucket Keys enabled the KMS calls are fewer but the permissions are the same. Option E: a bucket policy that denies s3:PutObject when the s3:x-amz-server-side-encryption condition key is null makes encryption mandatory rather than merely default; add a second statement that denies when the key is anything other than aws:kms, or an upload that asks for SSE-S3 (AES256) slips through.

Option B is wrong because there is no setting that stops a PUT from specifying its own encryption; default encryption applies only when the request says nothing, so enforcement has to come from the bucket policy. Option C is wrong because the header is x-amz-server-side-encryption, not x-amz-sse. Option D is wrong because SSE-S3 uses keys that S3 manages, not the KMS keys the requirement specifies.
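The enforcement from Option E made concrete, as an added example that is not part of the original question: the two Deny statements, written as a Python dict, and a small evaluator that replays sample PutObject requests against them. It shows why the Null check alone is not enough (a request that names AES256 would pass) and why the StringNotEquals statement alone is not enough either (an absent key satisfies StringNotEquals). The bucket name "app-logs-bucket" and the sample requests are constructed; the evaluator implements only the two operators this policy uses and is not a general IAM simulator.

```python
"""Added example (not from the original page): a bucket policy that requires
SSE-KMS on every PutObject, plus an offline evaluator for its Deny logic.

Assumed (not in the original question): bucket name and sample requests.
"""
import json

BUCKET = "app-logs-bucket"   # assumed name
HEADER = "s3:x-amz-server-side-encryption"

# Two Deny statements: one for a missing header, one for the wrong algorithm.
ENFORCE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {HEADER: "true"}},
        },
        {
            "Sid": "DenyNonKmsPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {HEADER: "aws:kms"}},
        },
    ],
}

# The incomplete version: only the Null check, which lets SSE-S3 uploads through.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [ENFORCE_SSE_KMS_POLICY["Statement"][0]]}


def condition_matches(condition, request_keys):
    """Evaluate the subset of IAM condition operators this policy uses.

    request_keys maps condition-key name -> value present in the request;
    a key the request did not send is simply absent from the dict.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request_keys
            if operator == "Null":
                # Null/"true" matches when the key is absent, Null/"false" when present.
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                # An absent key satisfies StringNotEquals in IAM, which is why
                # this statement alone would not catch header-less uploads.
                if present and request_keys[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_object_decision(policy, headers):
    """Return ("deny", Sid) if a Deny statement matches, else ("allow", None).

    Only explicit-deny evaluation is modelled; in a real account an Allow from
    an identity policy is still required for the upload to succeed.
    """
    keys = {}
    if "x-amz-server-side-encryption" in headers:
        keys[HEADER] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny" and "s3:PutObject" in actions
                and condition_matches(stmt.get("Condition", {}), keys)):
            return "deny", stmt["Sid"]
    return "allow", None


# Constructed sample PutObject requests (only the relevant header shown).
REQUESTS = {
    "no header": {},
    "sse-s3": {"x-amz-server-side-encryption": "AES256"},
    "sse-kms": {"x-amz-server-side-encryption": "aws:kms"},
}

if __name__ == "__main__":
    print(json.dumps(ENFORCE_SSE_KMS_POLICY, indent=2))
    for name, hdrs in REQUESTS.items():
        print(f"{name:10s} strict={put_object_decision(ENFORCE_SSE_KMS_POLICY, hdrs)} "
              f"weak={put_object_decision(WEAK_POLICY, hdrs)}")
```

Because the policy is evaluated against the request as sent, a client that relies on bucket default encryption and omits the header is denied by DenyUnencryptedPut even though S3 would have encrypted the object; set the header explicitly in the SDK call (ServerSideEncryption="aws:kms" in boto3's put_object) and, if a specific key is required, add a third statement on s3:x-amz-server-side-encryption-aws-kms-key-id.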

Question 22 (MCQ, medium)

A company hosts a web application on EC2 instances behind an Application Load Balancer. The application stores sensitive user data in an S3 bucket. A security audit reveals that the S3 bucket policy allows access from any AWS account. Which combination of actions should be taken to secure the bucket?

A.Enable default encryption on the bucket
B.Enable S3 Block Public Access at the account level
C.Modify the bucket policy to allow access only from the application's VPC endpoint or specific IAM roles
D.Enable AWS CloudTrail to log bucket access
Answer: C

Restricting access to specific VPC endpoints or IAM roles ensures only authorized entities can access the bucket.

Why this answer

Option C is correct because the bucket policy currently allows access from any AWS account, which is overly permissive. By restricting access to only the application's VPC endpoint (via aws:SourceVpce condition) or specific IAM roles (via aws:PrincipalArn), you enforce least privilege and ensure only authorized traffic from your application can access the sensitive data. This directly addresses the audit finding without relying on other mechanisms that don't restrict access by source.

Exam trap

The trap here is that candidates confuse 'public access' (a grant to everyone, such as an unrestricted '*' principal or a public ACL, which Block Public Access does catch) with 'cross-account access' (grants that name other accounts' principals, which S3 does not treat as public and Block Public Access leaves in place). Either way the fix is to rewrite the bucket policy; Block Public Access is a backstop against accidental exposure, not a substitute for a correct policy.

How to eliminate wrong answers

Option A is wrong because enabling default encryption only encrypts new objects at rest; it does not restrict who can access the bucket or its contents, so it does not address the policy allowing any AWS account. Option B is wrong because S3 Block Public Access stops grants to everyone (public ACLs and policies with an unrestricted '*' principal); a policy that names other accounts' principals is cross-account rather than public and is left in place, and switching the setting on at the account level can also break legitimate public buckets elsewhere in the account. Option D is wrong because CloudTrail records access after the fact; it is a detective control and restricts nothing.

23
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. They have a Customer Master Key (CMK) with key rotation enabled. The S3 bucket has default encryption using SSE-KMS with this CMK. An application writes objects to the bucket. Which statement about the encryption is correct?

A.The CMK is used to generate a data key that encrypts the object, and the encrypted data key is stored with the object.
B.The CMK directly encrypts the object data.
C.When the CMK is rotated, all existing objects in the bucket are automatically re-encrypted with the new key.
D.Each object is encrypted with a unique data key that is stored alongside the object.
AnswerA

This is the correct description of envelope encryption with KMS.

Why this answer

Option A is correct because AWS KMS uses envelope encryption: when an object is written to S3 with SSE-KMS, S3 calls GenerateDataKey, KMS returns a unique data key both in plaintext and encrypted under the CMK, S3 encrypts the object with the plaintext data key, discards it, and stores the encrypted data key as metadata of the object. The CMK never directly encrypts object data; it only wraps data keys. Rotation does not disturb stored ciphertext because KMS keeps every previous backing key under the same key ID and uses whichever version produced a given ciphertext to decrypt it, so encrypted data keys written before rotation still unwrap.

Exam trap

The trap here is that candidates often confuse the role of the CMK and the data key, mistakenly thinking the CMK directly encrypts the object (Option B), or they assume key rotation triggers re-encryption of existing data (Option C), when in fact envelope encryption decouples the key rotation from the stored ciphertext.

How to eliminate wrong answers

Option B is wrong because the CMK never directly encrypts the object data; AWS KMS uses envelope encryption where the CMK encrypts a data key, and that data key encrypts the object. Option C is wrong because key rotation creates new backing key material for the CMK but does not re-encrypt existing objects; the old backing key remains available for decryption, and objects encrypted before rotation are not automatically re-encrypted. Option D is wrong because while each object is encrypted with a unique data key, that data key is not stored alongside the object in plaintext; it is stored encrypted under the CMK, and the statement omits the critical detail that the data key is encrypted.
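The flow described in the rationale above (GenerateDataKey on write, Decrypt on read, rotation that never rewrites stored ciphertext, and the per-upload GenerateDataKey permission from Question 21), as an added example that is not code from the question bank or from AWS. The KmsKey class is a local stand-in for KMS, and the cipher is an HMAC-SHA256 counter-mode stream cipher with a separate MAC subkey standing in for AES-GCM so the script runs with only the Python standard library; it illustrates the structure and is not for protecting real data. The key ARN and the object bodies are assumed.

```python
"""Envelope encryption with key rotation, modelled on SSE-KMS (added example, not AWS code)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC subkeys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(enc_key, nonce || counter) blocks: a PRF-based stream cipher that
    stands in for AES-GCM so the example needs no third-party library."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsKey:
    """Stand-in for a KMS key: one stable key ID over a list of backing-key versions."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self._versions = [os.urandom(32)]  # version 0 is the original backing key

    def rotate(self) -> None:
        """Rotation adds new backing material; older versions are kept for decryption."""
        self._versions.append(os.urandom(32))

    def current_version(self) -> int:
        return len(self._versions) - 1

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """GenerateDataKey: a fresh 256-bit data key, returned in plaintext and wrapped
        under the CURRENT backing key; the wrapper records which version was used."""
        data_key = os.urandom(32)
        version = self.current_version()
        wrapped = struct.pack(">I", version) + seal(self._versions[version], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Decrypt: unwrap with whichever backing-key version produced the ciphertext."""
        version = struct.unpack(">I", wrapped[:4])[0]
        return unseal(self._versions[version], wrapped[4:])


def put_object(kms: KmsKey, body: bytes) -> Dict[str, bytes]:
    """SSE-KMS write path: the uploader's role needs kms:GenerateDataKey on the key.
    The plaintext data key is used once and dropped; only the wrapped copy is stored."""
    data_key, wrapped = kms.generate_data_key()
    return {"body": seal(data_key, body), "wrapped_data_key": wrapped, "kms_key_id": kms.key_id.encode()}


def get_object(kms: KmsKey, obj: Dict[str, bytes]) -> bytes:
    """SSE-KMS read path: the reader needs kms:Decrypt to unwrap the stored data key."""
    data_key = kms.decrypt(obj["wrapped_data_key"])
    return unseal(data_key, obj["body"])


def wrapped_key_version(obj: Dict[str, bytes]) -> int:
    """Which backing-key version wraps this object's data key (0 = written before any rotation)."""
    return struct.unpack(">I", obj["wrapped_data_key"][:4])[0]


if __name__ == "__main__":
    kms = KmsKey("arn:aws:kms:us-east-1:111122223333:key/example-key-id")  # assumed ARN
    before = put_object(kms, b"written before rotation")
    kms.rotate()
    after = put_object(kms, b"written after rotation")
    print(wrapped_key_version(before), wrapped_key_version(after))  # 0 1
    print(get_object(kms, before), get_object(kms, after))
```

Two things the run makes visible: the object written before rotate() still decrypts because the wrapper names backing-key version 0 and that version is never discarded, and two uploads of the same body produce different ciphertext and different wrapped keys, since every PutObject gets its own data key.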

24
MCQhard

Refer to the exhibit. An IAM policy allows s3:GetObject for a bucket only from a specific IP range. A developer accesses the bucket from a laptop with IP address 192.0.2.55, but access is denied. What is the most likely reason?

A.The policy includes an explicit deny statement elsewhere.
B.The condition key should be 'aws:SourceIp' without the 'IpAddress' wrapper.
C.The laptop's IP address is not within the allowed range.
D.The request is made from an AWS service, such as the AWS Management Console, which does not use the laptop's public IP.
AnswerD

When using the console, requests originate from AWS IPs, not the client's IP.

Why this answer

Option D is correct because when a request is made via the AWS Management Console, the console itself acts as an intermediary. The console's requests originate from AWS service IPs, not the user's laptop public IP. Therefore, the `aws:SourceIp` condition in the IAM policy evaluates against the console's IP, which is not in the allowed range, causing the denial even though the laptop's IP is valid. The same symptom appears when a request reaches S3 through a VPC endpoint: `aws:SourceIp` is not populated for those requests at all (`aws:VpcSourceIp` is), so an IpAddress condition on it can never be satisfied and the request is implicitly denied.

Exam trap

The trap here is that candidates assume the laptop's public IP is always used for the request, forgetting that the AWS Management Console acts as a proxy, so the `aws:SourceIp` condition evaluates the console's IP, not the user's.

How to eliminate wrong answers

Option A is wrong because the question states the policy allows s3:GetObject from a specific IP range, and there is no mention or evidence of an explicit deny statement elsewhere; the most likely reason is the IP mismatch due to the console proxy. Option B is wrong because the `IpAddress` wrapper is the correct syntax for the `aws:SourceIp` condition key in an IAM policy; omitting it would cause a syntax error, not a logical denial. Option C is wrong because the laptop's IP address (192.0.2.55) is within the allowed range as described in the scenario, so the denial must stem from the request not using that IP.

25
MCQeasy

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload a file to s3://my-bucket/confidential/report.pdf. What will happen?

A.The upload fails because the Deny statement overrides the Allow.
B.The upload succeeds because the Deny statement applies only to the bucket, not the user.
C.The upload fails because the policy does not allow PutObject on that path.
D.The upload succeeds because the Allow statement grants PutObject.
AnswerA

Explicit Deny overrides any Allow.

Why this answer

Option A is correct because the Deny statement explicitly denies s3 actions on the confidential/ prefix, and in IAM's evaluation logic an explicit Deny wins over any Allow, whatever policy the Allow lives in. Option D is wrong because the Allow is real but cannot override the Deny. Option C is wrong because the Allow statement does cover PutObject on that path; it is the explicit Deny, not a missing Allow, that blocks the upload.

Option B is wrong because the policy is attached to the user, so both of its statements apply to every request the user makes; a Deny in an identity policy is not scoped to "the bucket" as opposed to "the user".

26
MCQmedium

A developer is building an application that uploads files to S3. The application uses an IAM user with access keys. The developer wants to rotate the access keys regularly. Which approach is the most secure?

A.Use AWS Secrets Manager to automatically rotate the access keys.
B.Use the root account access keys and rotate them manually.
C.Manually create new keys every 90 days and update the application.
D.Create a new IAM user and update the application.
AnswerA

Secrets Manager can rotate IAM user keys.

Why this answer

Option A is correct because Secrets Manager can rotate the access keys on a schedule while the application fetches the current pair at runtime, which removes the manual steps where keys get copied into the wrong place or never rotated at all. There is no AWS-provided rotation template for IAM access keys, so the rotation function is custom: create the user's second key, store it as the pending secret, verify it works, promote it, then delete the old one (an IAM user can hold at most two access keys at once). Option C is wrong because manual rotation is error-prone and tends to lapse. Option D is wrong because creating a new user does not rotate keys; it multiplies identities that still need rotation.

Option B is wrong because the root account should not have access keys at all; using and rotating them is a security risk rather than a mitigation. If the application runs on AWS compute, the stronger fix is to drop the IAM user entirely and use an IAM role, whose temporary credentials need no rotation by the developer.

27
MCQmedium

A company runs a Node.js application on AWS Elastic Beanstalk. The application writes log files to /var/log/app/. The operations team wants to stream these logs to Amazon CloudWatch Logs for monitoring and alerting. The developer configures the Elastic Beanstalk environment to include a .ebextensions configuration file that sets up the CloudWatch Logs agent. The configuration file specifies the log group and the log stream prefix. After deploying the updated environment, the logs are not appearing in CloudWatch Logs. The developer checks the EC2 instance and confirms that the CloudWatch Logs agent is running and the configuration file is present in /etc/awslogs/. What is the most likely reason the logs are not being sent?

A.The CloudWatch Logs agent configuration file does not specify the correct log file path or the log files do not exist.
B.The CloudWatch Logs agent does not have read permissions on the /var/log/app/ directory.
C.The .ebextensions configuration file is not executed because it is in the wrong directory.
D.The IAM instance profile does not have the necessary permissions to write to CloudWatch Logs.
AnswerA

Correct: If the path is wrong or files are missing, the agent will not send logs.

Why this answer

Option A is correct because the agent only ships what its configuration points at: if the path in the /etc/awslogs/ configuration does not match /var/log/app/ (a typo, a glob that matches nothing, or the application not yet writing files), there is nothing to send and no upload error is raised. The first check is the agent's own log, /var/log/awslogs.log, which records missing or unreadable paths. Option B is incorrect because the agent runs as root, so read permission on /var/log/app/ is not the obstacle.

Option D is the second thing to check rather than the first: an IAM failure is loud (the agent log shows the AccessDenied from the PutLogEvents call), whereas a wrong path is silent. Note that the CloudWatch Logs permissions in the default Elastic Beanstalk instance profile are scoped to log groups named under /aws/elasticbeanstalk, so a custom log group name does need an additional policy statement. Option C is incorrect because setting up the agent from .ebextensions is a supported and common method.

28
MCQmedium

Refer to the exhibit. A developer attached the IAM policy to a Lambda function's execution role. The function reads items from a DynamoDB table that uses AWS KMS customer managed key (CMK) for encryption at rest. When the function tries to read an item, it receives an access denied error. What is the cause?

A.The DynamoDB table is not encrypted with a KMS key.
B.The policy allows kms:Decrypt on all resources but the CMK key policy may not grant access.
C.The policy does not allow dynamodb:GetItem on the table.
D.The DynamoDB table does not exist.
AnswerB

Even if IAM allows, the key policy must also allow the role.

Why this answer

Option B is correct. KMS authorizes a request only when the key policy allows it, either by naming the principal directly or by delegating to IAM policies through the account root principal; an identity policy that grants kms:Decrypt on '*' is therefore not sufficient on its own. DynamoDB decrypts the table's data on the function's behalf, so the key policy (or a grant) must let this execution role use the key, typically with a kms:ViaService condition for DynamoDB. Option C is wrong because the policy allows dynamodb:GetItem on the table, so the table-level permission is not what is missing.

Option A is wrong because the question states the table is encrypted with a customer managed key, which is exactly why KMS is involved in the read. Option D is wrong because a missing table produces ResourceNotFoundException, not an access denied error.

29
MCQmedium

A Lambda function receives events from EventBridge. The developer wants failed invocations to be retried and then stored for later analysis if retries are exhausted. Which configuration should be used?

A.Enable API Gateway access logging
B.Configure EventBridge retry policy and a dead-letter queue
C.Increase reserved concurrency to zero
D.Store events in CloudFormation outputs
AnswerB

Correct for the stated requirement.

Why this answer

Option B is correct because EventBridge supports a configurable retry policy (with a maximum event age up to 24 hours and up to 185 retries by default) and can route events that exceed the retry limit to an Amazon SQS dead-letter queue (DLQ). This ensures failed invocations are retried automatically and, if all retries are exhausted, the event is stored durably in the DLQ for later analysis or reprocessing.

Exam trap

The trap here is that candidates may confuse the Lambda function's own dead-letter queue and retry settings (which apply only to asynchronous invocations, the invocation type EventBridge uses) with EventBridge's rule-target retry policy and DLQ. The two are configured independently: EventBridge retries delivery to the target and, once its maximum event age or retry count is exceeded, sends the event to the DLQ attached to the rule target, regardless of what the function's own destination settings say.

How to eliminate wrong answers

Option A is wrong because API Gateway access logging captures HTTP request/response data for REST or HTTP APIs, not Lambda invocation failures from EventBridge, and it does not provide retry or dead-letter storage. Option C is wrong because setting reserved concurrency to zero would prevent the Lambda function from executing at all, causing every invocation to fail immediately without retries or storage. Option D is wrong because CloudFormation outputs are used to export stack resource information (e.g., ARNs, endpoints) for cross-stack references, not for storing event data or handling failed invocations.

30
MCQmedium

A CloudFormation update may replace an RDS database. The developer wants to preview replacement risk before executing. What should be created?

A.A stack policy only
B.A change set
C.A nested stack output
D.A CloudWatch dashboard
AnswerB

Correct for the stated requirement.

Why this answer

A change set in AWS CloudFormation allows you to preview how proposed changes to a stack will be executed, including whether any resources will be replaced (e.g., an RDS database). By reviewing the change set, you can see if the update will cause replacement (indicated by 'Replacement: True') before you actually apply the changes, enabling risk assessment without modification.

Exam trap

The trap here is that candidates confuse a stack policy (which controls update permissions) with a change set (which provides a preview of changes), or they think monitoring tools like CloudWatch can predict infrastructure changes.

How to eliminate wrong answers

Option A is wrong because a stack policy only protects specified resources from being updated or deleted during a stack update; it does not provide a preview of replacement risk. Option C is wrong because a nested stack output is used to return values from a nested stack to the parent stack, not to preview update impacts. Option D is wrong because a CloudWatch dashboard is a monitoring tool for metrics and logs, not a mechanism to preview CloudFormation stack update behavior.

31
MCQhard

A developer is deploying a microservices application on Amazon ECS using Fargate. The application uses an Application Load Balancer (ALB) to distribute traffic. The developer needs to perform a blue/green deployment with automatic rollback if health checks fail. What should the developer use?

A.Configure ECS service auto scaling to replace tasks gradually.
B.Manually update the ECS service using the AWS Management Console.
C.Use AWS CloudFormation to update the ECS service with a new task definition.
D.Use AWS CodeDeploy with a blue/green deployment configuration.
AnswerD

CodeDeploy automates blue/green deployments and rollback for ECS.

Why this answer

AWS CodeDeploy natively supports blue/green deployments for Amazon ECS, allowing you to specify a blue/green configuration that automatically shifts traffic from the old (blue) task set to the new (green) task set. It integrates with the ALB to perform health checks and can automatically roll back the deployment if the health checks fail, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse ECS service auto scaling or CloudFormation updates with deployment strategies, but neither provides the built-in blue/green traffic shifting and automatic health-check-based rollback that CodeDeploy offers.

How to eliminate wrong answers

Option A is wrong because ECS service auto scaling adjusts the number of tasks based on load, not the deployment strategy; it does not perform blue/green deployments or automatic rollback on health check failures. Option B is wrong because manually updating the ECS service via the AWS Management Console does not provide a built-in blue/green deployment mechanism or automatic rollback; it would require manual monitoring and intervention. Option C is wrong because AWS CloudFormation can update an ECS service with a new task definition, but it does not natively support blue/green deployments or automatic rollback based on health checks; it would require custom logic or additional resources to achieve this.

32
MCQmedium

A developer is troubleshooting a Lambda function that processes S3 events. The function runs successfully in the AWS Management Console test but fails when triggered by actual S3 PUT events. The error logs show 'AccessDenied' when attempting to read the object from S3. What is the most likely cause?

A.The S3 bucket has versioning enabled and the event does not include the version ID.
B.The Lambda execution role lacks 's3:GetObject' permission for the bucket.
C.The S3 bucket policy does not grant 's3:GetObject' to the Lambda service principal.
D.The Lambda function is not in the same VPC as the S3 bucket.
AnswerB

The Lambda role must have permission to read the object from S3.

Why this answer

Option B is correct: when triggered by S3, the function runs under its execution role and reads the object with that role's permissions, so a missing s3:GetObject on the bucket's objects produces AccessDenied. The console test uses the same execution role, so if the test passed, compare the two inputs: a hand-written test event often names a different bucket or key than the real notification carries. Two related checks: object keys in S3 event notifications are URL-encoded and must be decoded before the GetObject call, and when the role lacks s3:ListBucket, a GetObject on a key that does not exist returns AccessDenied rather than NoSuchKey, which makes a key mismatch look like a permissions problem.

Option D is wrong because S3 is reached over its public endpoint or a gateway endpoint, not by VPC placement; a function with no VPC configuration can read S3. Option C is wrong because the Lambda service principal is not what reads the object; the execution role is, so the bucket policy matters only if it explicitly denies that role or the bucket belongs to another account. Option A is wrong because GetObject without a version ID returns the current version; notifications do not require one.

33
MCQhard

A company is using Amazon DynamoDB with on-demand capacity. A developer notices that write requests are being throttled during peak hours. What is the MOST effective way to resolve this issue?

A.Switch to provisioned capacity mode with auto-scaling.
B.Increase the write capacity units.
C.Review the partition key design and consider adding a suffix to distribute writes.
D.Increase the read capacity units.
AnswerC

Hot partitions can cause throttling even in on-demand mode.

Why this answer

Option C is correct because throttling in on-demand mode is usually a hot partition: each partition serves at most 1,000 WCU per second (and 3,000 RCU) no matter how much the table as a whole can absorb, so a partition key that concentrates writes (one tenant, one device, today's date) hits that ceiling. Appending a bounded suffix to the key (write sharding) spreads the load across partitions; reads then fan out over the suffixes and merge. On-demand tables can also throttle when traffic exceeds double the previous peak within 30 minutes, but that clears as the table adapts, whereas a hot key keeps throttling at any scale. Option A is wrong because provisioned mode with auto scaling is subject to the same per-partition limit. Option D is wrong because read capacity does nothing for writes.

Option B is wrong because there are no WCUs to set in on-demand mode.
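The write-sharding fix that Option C describes, as an added example rather than code from the question bank or from AWS: a small in-memory model of a table whose physical partitions are chosen by hashing the partition key (FakeTable, SHARD_COUNT and the device-42 key are all assumptions, and the model ignores capacity units). It shows a hot key landing on a single partition when unsharded, spreading across partitions once a suffix is appended, and the fan-out read that sharding costs you.

```python
"""Write sharding for a hot DynamoDB partition key (added example, not AWS code).

FakeTable stands in for DynamoDB: each partition key is placed on one of a fixed
number of physical partitions by hash, so every write to one key lands on one
partition regardless of table-level capacity. shard_key appends a bounded suffix
so writes spread out; query_sharded fans out over the suffixes and merges.
"""
import hashlib
import random
from collections import defaultdict
from typing import Dict, List, Tuple

SHARD_COUNT = 10  # suffixes 0..9; raise it for hotter keys, every read then costs this many queries

Items = List[Tuple[str, dict]]  # (sort key, item) pairs


class FakeTable:
    """In-memory table with hash-chosen physical partitions (constructed stand-in)."""

    def __init__(self, physical_partitions: int = 8) -> None:
        self._partitions: List[Dict[str, Items]] = [defaultdict(list) for _ in range(physical_partitions)]

    def _partition_for(self, pk: str) -> Dict[str, Items]:
        digest = hashlib.sha256(pk.encode()).digest()
        return self._partitions[int.from_bytes(digest[:4], "big") % len(self._partitions)]

    def put_item(self, pk: str, sk: str, item: dict) -> None:
        self._partition_for(pk)[pk].append((sk, item))

    def query(self, pk: str) -> Items:
        """Query(pk): that key's items ordered by sort key."""
        return sorted(self._partition_for(pk)[pk], key=lambda kv: kv[0])

    def writes_per_partition(self) -> List[int]:
        """Items absorbed by each physical partition: the hot-spot metric."""
        return [sum(len(items) for items in part.values()) for part in self._partitions]


def shard_key(pk: str, rng: random.Random) -> str:
    """Random bounded suffix: 'device-42' becomes one of 'device-42#0' .. 'device-42#9'."""
    return f"{pk}#{rng.randrange(SHARD_COUNT)}"


def put_sharded(table: FakeTable, pk: str, sk: str, item: dict, rng: random.Random) -> None:
    table.put_item(shard_key(pk, rng), sk, item)


def query_sharded(table: FakeTable, pk: str) -> Items:
    """Scatter-gather read: one Query per suffix, merged and re-sorted by sort key."""
    merged: Items = []
    for suffix in range(SHARD_COUNT):
        merged.extend(table.query(f"{pk}#{suffix}"))
    return sorted(merged, key=lambda kv: kv[0])


def simulate(writes: int, sharded: bool, seed: int = 1) -> Tuple[int, int]:
    """Write `writes` events for one hot key; return (busiest partition's load, items read back)."""
    table, rng = FakeTable(), random.Random(seed)
    for i in range(writes):
        sk, item = f"{i:06d}", {"event": i}
        if sharded:
            put_sharded(table, "device-42", sk, item, rng)
        else:
            table.put_item("device-42", sk, item)
    read = query_sharded(table, "device-42") if sharded else table.query("device-42")
    return max(table.writes_per_partition()), len(read)


if __name__ == "__main__":
    print("unsharded (hottest partition, items read):", simulate(1000, sharded=False))
    print("sharded   (hottest partition, items read):", simulate(1000, sharded=True))
```

The second line of output is the trade-off in one number: the hottest partition carries a fraction of the writes, but every read of device-42 is now ten Query calls instead of one, and a query that needs the newest N items has to merge across shards. Suffix by a hash of something in the item (a calculated suffix) instead of a random one when readers need to find a specific item without fanning out.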

34
Multi-Selectmedium

Which TWO AWS services can be used to decouple components of a microservices architecture?

Select 2 answers
A.Amazon Route 53
B.Amazon EventBridge
C.Elastic Load Balancing
D.Amazon CloudWatch
E.Amazon SQS
AnswersB, E

EventBridge enables event-driven architectures, decoupling producers from consumers.

Why this answer

Options B and E are correct. SQS provides message queuing for asynchronous communication, so a producer keeps working while a consumer is slow or down. EventBridge enables event-driven decoupling, with producers unaware of which rules and targets consume their events.

Option C is wrong because ELB distributes synchronous requests across targets; the caller still waits on the backend. Option D is wrong because CloudWatch is for monitoring. Option A is wrong because Route 53 is DNS.

35
MCQmedium

A company uses AWS KMS to encrypt S3 objects. A developer needs to allow an IAM user to decrypt objects but not encrypt them. Which IAM policy action should be allowed?

A.kms:Decrypt
B.kms:GenerateDataKey
C.kms:Encrypt
D.kms:ReEncrypt
AnswerA

This action allows decryption of ciphertext.

Why this answer

The correct action is `kms:Decrypt` because the developer's requirement is to allow an IAM user to decrypt S3 objects but not encrypt them. AWS KMS uses separate permissions for encryption and decryption operations; `kms:Decrypt` specifically grants the ability to decrypt ciphertext without granting any encryption capabilities. By allowing only this action, the user can decrypt objects encrypted with the KMS key but cannot encrypt new data or perform any key management operations. Two practical notes: the user still needs s3:GetObject on the objects themselves, and because S3 calls kms:Decrypt on the user's behalf, the key policy must allow the user (directly or by delegating to IAM) for the grant to take effect.

Exam trap

The trap here is that candidates often confuse `kms:Decrypt` with `kms:GenerateDataKey` or `kms:ReEncrypt`, mistakenly thinking those actions are required for decryption, when in fact they also enable encryption capabilities that violate the requirement.

How to eliminate wrong answers

Option B is wrong because `kms:GenerateDataKey` is what S3 calls on the user's behalf when it writes a new SSE-KMS object (and what client-side envelope encryption uses to obtain a fresh data key); it returns a plaintext key alongside its encrypted copy, so allowing it would let the user encrypt new data, violating the requirement. Option C is wrong because `kms:Encrypt` directly allows the user to encrypt plaintext into ciphertext using the KMS key, which is explicitly prohibited. Option D is wrong because `kms:ReEncrypt` decrypts ciphertext and re-encrypts it under a different KMS key; it includes decryption but also an encryption operation, violating the restriction against encryption.

36
MCQhard

A developer invoked a Lambda function using the AWS CLI. The response includes 'FunctionError': 'Handled'. What does this indicate?

A.The function threw an exception that was caught by the code.
B.The function timed out.
C.The function executed successfully without any errors.
D.The function experienced an unhandled runtime error.
AnswerA

'Handled' indicates the function threw an error that was caught.

Why this answer

Option A is correct because 'Handled' means the function reported an error in a form the runtime recognised and packaged into the error payload (errorType, errorMessage); the invocation itself completed, and the HTTP status is still 200, so callers must check FunctionError rather than StatusCode. Option C is wrong because a clean run returns StatusCode 200 with no FunctionError field at all. Option D is wrong because an unhandled runtime error is reported as 'Unhandled'.

Option B is wrong because a timeout (like running out of memory) is reported as 'Unhandled'; the function never got the chance to report anything itself.
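The check the rationale above implies, as an added example that is not code from the question bank or from AWS: a classifier for Invoke results that treats FunctionError, not the HTTP status, as the success signal. The response dictionaries below are constructed to mirror the shape boto3's `lambda.invoke` returns (StatusCode, FunctionError, ExecutedVersion), with the Payload assumed to have been read into bytes already; the error texts are invented.

```python
"""Interpreting a Lambda Invoke response (added example, not AWS code).

The Invoke API answers HTTP 200 (202 for asynchronous invocations) whenever the
request was accepted, even when the function itself failed. Failure is reported
in the FunctionError field and the payload, so a script that looks only at the
status code treats a failed function as a success.
"""
import json
from typing import Dict, Optional, Tuple

Outcome = Tuple[str, Optional[str]]  # (outcome, error type or message)


def classify_invoke(response: Dict[str, object], payload: bytes) -> Outcome:
    """Return ('ok'|'handled'|'unhandled'|'accepted', error detail or None).

    'accepted' is an asynchronous invoke: nothing about the run is known yet.
    Raises for non-2xx responses (throttled, access denied, bad request), which
    are the only cases where StatusCode alone tells the story.
    """
    status = int(response["StatusCode"])
    if status == 202:
        return "accepted", None
    if not 200 <= status < 300:
        raise RuntimeError(f"invoke rejected with HTTP {status}")
    function_error = response.get("FunctionError")
    if function_error is None:
        return "ok", None
    # With FunctionError set, the payload is the runtime's error document.
    # errorType accompanies exceptions; timeouts may carry only errorMessage.
    body = json.loads(payload.decode() or "{}")
    detail = body.get("errorType") or body.get("errorMessage", "unknown")
    return ("handled" if function_error == "Handled" else "unhandled"), detail


def invocation_succeeded(response: Dict[str, object], payload: bytes) -> bool:
    """What a deploy or smoke-test script should check instead of StatusCode == 200."""
    outcome, _ = classify_invoke(response, payload)
    return outcome in ("ok", "accepted")


# Constructed responses in the shape of boto3's invoke result (payload already read).
SUCCESS = ({"StatusCode": 200, "ExecutedVersion": "$LATEST"}, b'{"statusCode": 200, "body": "done"}')
HANDLED = ({"StatusCode": 200, "FunctionError": "Handled", "ExecutedVersion": "$LATEST"},
           b'{"errorType": "ValidationError", "errorMessage": "order id missing", "stackTrace": []}')
TIMEOUT = ({"StatusCode": 200, "FunctionError": "Unhandled", "ExecutedVersion": "$LATEST"},
           b'{"errorMessage": "2024-01-01T00:00:00.000Z 7f2c Task timed out after 3.00 seconds"}')
ASYNC = ({"StatusCode": 202}, b"")

if __name__ == "__main__":
    for name, (resp, body) in {"success": SUCCESS, "handled": HANDLED, "timeout": TIMEOUT, "async": ASYNC}.items():
        print(name, classify_invoke(resp, body), invocation_succeeded(resp, body))
```

A pipeline that runs a smoke test by invoking the function can gate on invocation_succeeded(); gating on the call not raising would pass both the handled and the timed-out cases.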

37
MCQhard

Refer to the exhibit. A developer is trying to deploy an EC2 instance using AWS CloudFormation. The stack creation fails with an 'AccessDenied' error when CloudFormation tries to create the EC2 instance. The developer has the IAM policy above. What is the MOST likely reason for the failure?

A.The policy does not allow ec2:DescribeImages.
B.The IAM role specified in the CloudFormation template is not the same as the one in the PassRole resource.
C.The policy does not allow ec2:RunInstances.
D.The policy does not allow ec2:TerminateInstances.
AnswerB

CloudFormation needs PassRole for the exact role used.

Why this answer

Option B is correct because CloudFormation needs iam:PassRole for the exact role the template attaches to the instance (through its instance profile). The policy only allows PassRole for one specific role ARN, so if the template references a different role, the RunInstances call is rejected with AccessDenied even though every EC2 action it needs is allowed. Option A is wrong because DescribeImages is allowed.

Option C is wrong because RunInstances is allowed. Option D is wrong because CloudFormation does not call TerminateInstances during creation (only on rollback or deletion), so a missing TerminateInstances permission cannot explain a creation failure.

38
MCQmedium

A developer is building a serverless application using AWS SAM. The application includes an Amazon API Gateway endpoint with a Lambda function that processes user uploads. The developer wants to enable API caching in the development stage to speed up repeated requests, but disable caching in the production stage. What is the most efficient way to achieve this?

A.Configure caching in the SAM template using the CacheClusterEnabled property and use CloudFormation conditions to enable it only in the dev stage.
B.Create two separate SAM templates, one for dev with caching and one for prod without.
C.Enable caching in the API Gateway console after each deployment for the dev stage.
D.Use a custom CloudFormation resource to toggle caching based on a parameter.
AnswerA

Using conditions is the most efficient approach. The SAM template can include a condition that evaluates to true for the dev stage, enabling caching.

Why this answer

Option A is correct because AWS SAM extends AWS CloudFormation, allowing you to use CloudFormation conditions to conditionally enable the `CacheClusterEnabled` property on the `AWS::ApiGateway::Stage` resource. By defining a condition that evaluates to true only for the dev stage (e.g., based on a parameter like `StageName`), you can enable caching in dev and disable it in prod within a single SAM template, avoiding duplication and manual steps.

Exam trap

The trap here is that candidates may think caching must be configured per-deployment manually (Option C) or that separate templates are required (Option B), missing the power of CloudFormation conditions to conditionally enable features within a single SAM template.

How to eliminate wrong answers

Option B is wrong because creating two separate SAM templates introduces unnecessary duplication and maintenance overhead; the same effect can be achieved with a single template using CloudFormation conditions, which is more efficient. Option C is wrong because manually enabling caching in the API Gateway console after each deployment is error-prone, not repeatable, and violates infrastructure-as-code best practices; it also requires post-deployment steps that can be forgotten. Option D is wrong because using a custom CloudFormation resource to toggle caching is overly complex and introduces additional Lambda functions or custom logic when the native `CacheClusterEnabled` property combined with conditions already provides a straightforward, built-in solution.

39
MCQmedium

A company runs an application on Amazon EC2 instances that need to read files from an Amazon S3 bucket. The developer must grant access to the S3 bucket without storing long-term credentials on the instances. Which approach should the developer use?

A.Store the access key ID and secret access key in environment variables on the EC2 instance.
B.Create an IAM role with permissions to the S3 bucket and attach it to the EC2 instance profile.
C.Use an S3 bucket policy that grants access to the EC2 instance's public IP address.
D.Store the credentials in AWS Secrets Manager and have the application retrieve them at startup.
AnswerB

An IAM role provides temporary credentials automatically rotated by AWS, which is the secure and recommended approach.

Why this answer

Option B is correct because using an IAM role attached to an EC2 instance profile allows the application to obtain temporary security credentials from the AWS Security Token Service (STS) via the instance metadata service. This eliminates the need to store long-term credentials on the instance, adhering to the principle of least privilege and improving security posture. Require IMDSv2 on the instances (token-based metadata requests, with the default hop limit of 1 for non-container workloads) so that an SSRF flaw in the web application cannot be used to read the role's credentials from 169.254.169.254.

Exam trap

The trap here is that candidates may think storing credentials in environment variables or Secrets Manager is acceptable, but the question explicitly requires no long-term credentials on the instance, making the IAM role the only correct answer that leverages temporary credentials via the instance metadata service.

How to eliminate wrong answers

Option A is wrong because storing access key ID and secret access key in environment variables on the EC2 instance exposes long-term credentials that could be compromised if the instance is accessed or the environment is leaked, violating the requirement to avoid storing long-term credentials. Option C is wrong because an aws:SourceIp condition in a bucket policy authorizes anyone who can send requests from that address, not the instance's identity; the public IP can change unless it is an Elastic IP, the policy still needs a principal to grant to, and requests that leave the VPC through a gateway endpoint do not carry aws:SourceIp at all. Option D is wrong because while AWS Secrets Manager securely stores credentials, the application would still retrieve and use long-term access keys at startup, which contradicts the requirement; an IAM role is the intended mechanism for EC2 instances.

40
MCQmedium

A company wants to allow cross-account access to an S3 bucket in Account A from a role in Account B. The S3 bucket policy in Account A allows the role's ARN. However, access is denied. What is the most likely missing step?

A.Add a bucket policy that denies access to all principals.
B.The role in Account B must have an IAM policy that allows the S3 actions.
C.Disable block public access settings on the bucket.
D.Enable ACLs on the S3 bucket.
AnswerB

Cross-account access requires both the resource-based policy (bucket policy) and the identity-based policy (IAM role) to grant permissions.

Why this answer

Option B is correct because cross-account S3 access requires both a resource-based policy (the bucket policy in Account A) that grants access to the role ARN, and an identity-based policy (an IAM policy attached to the role in Account B) that explicitly allows the S3 actions. Without the IAM policy in Account B, the role lacks permission to perform the S3 operations, even though the bucket policy permits the access. This is a fundamental principle of AWS cross-account authorization: both the resource side and the principal side must grant the necessary permissions.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, overlooking the requirement for an IAM policy on the requesting role to explicitly allow the S3 actions.

How to eliminate wrong answers

Option A is wrong because adding a bucket policy that denies access to all principals would explicitly block all access, including the intended cross-account access, making the problem worse. Option C is wrong because block public access settings are irrelevant here: they act on grants to everyone (anonymous requests or an unrestricted '*' principal), not on a policy that names a specific role in another account. Option D is wrong because enabling ACLs on the S3 bucket is not required for cross-account access; ACLs are a legacy access control mechanism, are not needed when using IAM policies and bucket policies, and would not resolve the missing identity policy.
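The evaluation rules behind Questions 24, 25 and 40 (an explicit Deny beats every Allow; an IpAddress condition is compared with the address the request actually carries; a cross-account call needs both the identity policy and the bucket policy), as an added example that is neither the question bank's nor AWS's code. The three policies embedded at the bottom are constructed stand-ins for the exhibits those questions refer to, and the account IDs, bucket names and role ARN are assumed.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models the rules Questions 24, 25 and 40 turn on: an explicit Deny in any
applicable policy beats every Allow; an IpAddress condition on aws:SourceIp is
checked against the address the request actually arrives from; a cross-account
request needs an Allow from BOTH the caller's identity policy and the resource
policy, while a same-account request needs either. Only IpAddress conditions
are modelled; NotAction/NotResource, SCPs, permission boundaries and session
policies are not.
"""
import fnmatch
import ipaddress
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]
Context = Dict[str, str]


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    """IAM wildcards: '*' any run of characters, '?' one; ARN matching is case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement: Policy, ctx: Context) -> bool:
    """Identity policies carry no Principal; resource policies must name the caller."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    return _matches(principal.get("AWS"), ctx.get("aws:PrincipalArn", ""))


def _conditions_hold(condition: Optional[Policy], ctx: Context) -> bool:
    """IpAddress on aws:SourceIp. A context key that is absent makes the condition
    false: that is what happens to an allow-by-IP policy when the request reaches
    the service through a VPC endpoint (aws:SourceIp is not set there) or a proxy."""
    for operator, pairs in (condition or {}).items():
        if operator != "IpAddress":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, ranges in pairs.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"condition key {key} not modelled")
            if "aws:SourceIp" not in ctx:
                return False
            addr = ipaddress.ip_address(ctx["aws:SourceIp"])
            if not any(addr in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges)):
                return False
    return True


def _verdict(policy: Optional[Policy], action: str, resource: str, ctx: Context) -> Optional[str]:
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    allowed = False
    for st in _as_list((policy or {}).get("Statement")):
        if not (_matches(st.get("Action"), action) and _matches(st.get("Resource"), resource)):
            continue
        if not (_principal_matches(st, ctx) and _conditions_hold(st.get("Condition"), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else None


def evaluate(action: str, resource: str, ctx: Context, identity_policy: Optional[Policy],
             resource_policy: Optional[Policy] = None, principal_account: str = "111111111111",
             resource_account: str = "111111111111") -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    identity = _verdict(identity_policy, action, resource, ctx)
    resource_side = _verdict(resource_policy, action, resource, ctx)
    if "Deny" in (identity, resource_side):
        return "ExplicitDeny"
    if principal_account == resource_account:  # same account: either policy may grant
        return "Allow" if "Allow" in (identity, resource_side) else "ImplicitDeny"
    return "Allow" if identity == resource_side == "Allow" else "ImplicitDeny"  # cross-account: both


# Constructed policies standing in for the exhibits the questions refer to (assumed content).
Q25_USER_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/confidential/*"}]}
Q24_IP_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}
Q40_ROLE_ARN = "arn:aws:iam::222222222222:role/reader"  # assumed role in Account B
Q40_BUCKET_POLICY: Policy = {"Version": "2012-10-17", "Statement": [  # bucket in Account A
    {"Effect": "Allow", "Principal": {"AWS": Q40_ROLE_ARN}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::shared-bucket/*"}]}
Q40_ROLE_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}]}
```

Import the module and call evaluate() with one of the embedded policies. For Question 25 the confidential/ upload comes back ExplicitDeny while a sibling prefix is Allow; for Question 24 the same GetObject is Allow from 192.0.2.55, ImplicitDeny from another address, and ImplicitDeny when the context carries no aws:SourceIp at all, which is how a request through a VPC endpoint looks to IAM; for Question 40 the bucket policy alone yields ImplicitDeny until the role's own policy also allows the action.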

41
MCQeasy

A developer uses AWS SAM (Serverless Application Model) to define a serverless application. The developer wants to run the application locally for testing. Which AWS SAM CLI command should be used?

A.sam local start-api
B.sam build
C.sam deploy
D.sam package
AnswerA

Starts a local API Gateway endpoint to invoke Lambda functions.

Why this answer

Option A is correct because 'sam local start-api' starts a local HTTP server that mimics API Gateway and runs the Lambda functions in local containers. Option B is wrong because 'sam build' only builds the application (it is usually run before start-api). Option C is wrong because 'sam deploy' deploys to AWS.

Option D is wrong because 'sam package' packages the application artifacts for deployment.

42
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores user session data in an Amazon ElastiCache for Redis cluster. Recently, users have been experiencing intermittent session timeouts and data loss. The developer examines the application logs and finds errors indicating that the Redis cluster is returning 'READONLY You can't write against a read-only replica.' The ElastiCache cluster is configured as a Redis replication group with one primary and two replicas. The application's connection code uses the primary endpoint. What is the most likely cause of this issue?

A.The ElastiCache cluster has been scaled down to a single node, causing the primary to become unavailable.
B.A failover event occurred, and the application is still trying to write to the old primary node, which is now a replica.
C.The ElastiCache security group is blocking write traffic to the primary endpoint.
D.The Redis cluster mode is enabled, and the application is not using the correct cluster endpoint.
AnswerB

Correct: After failover, the old primary becomes a replica and rejects writes.

Why this answer

Option B is correct because a failover promotes one of the replicas to primary and demotes the old primary to a replica. ElastiCache repoints the primary endpoint's DNS name at the new primary, but a client that cached the resolved IP address or is holding long-lived connections keeps talking to the demoted node, and every write it sends there fails with READONLY. The fix is on the client side: honour the DNS TTL instead of caching the address for the life of the process, and treat READONLY as a signal to reconnect through the primary endpoint.

Option A is incorrect because ElastiCache does not scale a replication group down on its own. Option D is incorrect because cluster mode concerns sharding across node groups, and a cluster-mode addressing mistake surfaces as MOVED redirections rather than READONLY. Option C is incorrect because a security group blocks connections outright; it cannot let reads through while rejecting writes.

43
MCQhard

A developer uses AWS CodePipeline to deploy a serverless application defined with AWS SAM. The pipeline consists of Source (S3), Build (CodeBuild), and Deploy (CloudFormation) stages. The developer wants to run integration tests after the stack is deployed but before the pipeline completes. Which approach should the developer use?

A.Add a test stage after the Deploy stage with an action that invokes a Lambda function to run tests.
B.Use the CloudFormation stack's Outputs to trigger a Lambda function that runs tests.
C.Configure a post-deployment hook in the SAM template that runs tests.
D.Add a manual approval step after Deploy, then run tests manually.
AnswerA

This is the correct approach: a stage with an action type 'Invoke' or 'Test' can run integration tests after deployment.

Why this answer

Option A is correct because AWS CodePipeline allows you to add a test stage after the Deploy stage, and you can configure an action that invokes an AWS Lambda function to run integration tests. This ensures tests run automatically after the CloudFormation stack is deployed but before the pipeline completes, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates may confuse CloudFormation Outputs with event-driven triggers or assume SAM has built-in post-deployment hooks, when in fact CodePipeline's custom action with Lambda is the correct mechanism for running automated tests after deployment.

How to eliminate wrong answers

Option B is wrong because CloudFormation stack Outputs are used to export values for cross-stack references, not to trigger Lambda functions; triggering Lambda from CloudFormation requires custom resources or event subscriptions, not Outputs. Option C is wrong because AWS SAM does not support post-deployment hooks in the SAM template; SAM uses lifecycle hooks (e.g., PreTraffic, PostTraffic) only for Lambda canary deployments, not for general integration testing. Option D is wrong because a manual approval step requires human intervention to run tests, which contradicts the requirement to run tests automatically before the pipeline completes.
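The Lambda function behind such an Invoke test action, as an added example that is not from the exam page. CodePipeline keeps the action in progress until the function calls PutJobSuccessResult or PutJobFailureResult, so every exit path reports back. The stack's API URL is assumed to arrive in the action's UserParameters; run_integration_tests is a hypothetical test routine replaced by a constructed check, and RecordingClient stands in for boto3's codepipeline client so the handler runs offline.

```python
"""Added example: CodePipeline Invoke action handler that always reports a job result."""
import json


def run_integration_tests(api_url):
    """Hypothetical test suite. Returns a list of failure messages (empty means pass)."""
    failures = []
    if not api_url.startswith("https://"):
        failures.append(f"expected HTTPS endpoint, got {api_url}")
    return failures


def handler(event, context, client=None):
    """Entry point; CodePipeline invokes it with a CodePipeline.job payload.

    'client' is injectable for offline runs; in Lambda it defaults to boto3.
    """
    job = event["CodePipeline.job"]
    job_id = job["id"]
    if client is None:
        import boto3  # only needed when actually running in Lambda
        client = boto3.client("codepipeline")

    try:
        params = json.loads(
            job["data"]["actionConfiguration"]["configuration"].get("UserParameters", "{}")
        )
        failures = run_integration_tests(params["api_url"])
        if failures:
            client.put_job_failure_result(
                jobId=job_id,
                failureDetails={"type": "JobFailed", "message": "; ".join(failures)[:5000]},
            )
            return "failed"
        client.put_job_success_result(jobId=job_id)
        return "succeeded"
    except Exception as exc:  # a bad parameter must not leave the job hanging
        client.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "ConfigurationError", "message": str(exc)[:5000]},
        )
        return "failed"


class RecordingClient:
    """Constructed stand-in for boto3's codepipeline client; records the calls."""

    def __init__(self):
        self.calls = []

    def put_job_success_result(self, **kwargs):
        self.calls.append(("success", kwargs))

    def put_job_failure_result(self, **kwargs):
        self.calls.append(("failure", kwargs))


def make_event(user_parameters):
    """Constructed CodePipeline.job event carrying the given UserParameters string."""
    return {
        "CodePipeline.job": {
            "id": "11111111-2222-3333-4444-555555555555",
            "data": {"actionConfiguration": {"configuration": {"UserParameters": user_parameters}}},
        }
    }


if __name__ == "__main__":
    demo = RecordingClient()
    print(handler(make_event('{"api_url": "https://example.invalid/prod"}'), None, demo), demo.calls)
```

The function's execution role needs codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult; without them the test result never reaches the pipeline even though the tests ran.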

44
MCQeasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway, a Lambda function, and a DynamoDB table. The developer wants to enable canary deployments for the Lambda function. What should the developer do?

A.Configure a CodeDeploy deployment group in the SAM template.
B.Create a Lambda alias and configure traffic shifting manually.
C.Add the AutoPublishAlias and DeploymentPreference properties to the Lambda function in the SAM template.
D.Use AWS CodePipeline to orchestrate the canary deployment.
AnswerC

These properties enable canary deployments in SAM.

Why this answer

Option C is correct because the AWS SAM template supports canary deployments for Lambda functions by adding the `AutoPublishAlias` property (which automatically creates and publishes a new version to a Lambda alias) and the `DeploymentPreference` property (which defines the traffic-shifting strategy, such as `Canary10Percent5Minutes`). This enables CodeDeploy to gradually shift traffic from the current version to the new version without manual intervention.

Exam trap

The trap here is that candidates may think they need to manually create a Lambda alias or use CodePipeline for canary deployments, when in fact SAM's `AutoPublishAlias` and `DeploymentPreference` properties automate the entire canary deployment workflow via CodeDeploy.

How to eliminate wrong answers

Option A is wrong because CodeDeploy deployment groups are not directly configured in a SAM template; SAM abstracts this by generating the necessary CodeDeploy resources automatically when you use `DeploymentPreference`. Option B is wrong because manually creating a Lambda alias and configuring traffic shifting defeats the purpose of using SAM's built-in canary deployment support, which automates the entire process and integrates with CodeDeploy. Option D is wrong because AWS CodePipeline can orchestrate the overall CI/CD pipeline but is not required for canary deployments; SAM's `DeploymentPreference` property alone enables canary deployments without needing CodePipeline.
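The two properties in a template, as an added example that is not from the exam page. The function, alarm and hook names are assumed for illustration; the CloudWatch alarm is what gives CodeDeploy something to roll back on during the canary window.

```yaml
# Added example: SAM canary deployment with rollback alarm and a pre-traffic hook.
Resources:
  OrdersFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler
      Runtime: python3.12
      CodeUri: src/
      AutoPublishAlias: live            # publishes a version and points the 'live' alias at it
      DeploymentPreference:
        Type: Canary10Percent5Minutes   # 10% of traffic for 5 minutes, then the remaining 90%
        Alarms:
          - !Ref OrdersErrorsAlarm      # alarm in ALARM state during the window triggers rollback
        Hooks:
          PreTraffic: !Ref PreTrafficHook

  OrdersErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref OrdersFunction
        - Name: Resource
          Value: !Sub "${OrdersFunction}:live"
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold

  PreTrafficHook:
    Type: AWS::Serverless::Function
    Properties:
      Handler: hook.handler
      Runtime: python3.12
      CodeUri: hooks/
      FunctionName: CodeDeployHook_PreTrafficHook   # prefix expected by the generated CodeDeploy role
      DeploymentPreference:
        Enabled: false                               # do not canary the hook itself
```

Event sources declared on a function with AutoPublishAlias are wired to the alias, so API Gateway invocations follow the traffic shift. The hook function must call codedeploy:PutLifecycleEventHookExecutionStatus to report Succeeded or Failed, otherwise the deployment waits for the hook timeout.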

45
Multi-Selecthard

A company is running a serverless application using AWS Lambda and Amazon API Gateway. The application experiences increased latency during peak hours. CloudWatch metrics show that Lambda function duration remains stable, but API Gateway latency spikes. Which THREE actions should the developer take to reduce API Gateway latency?

Select 3 answers
A.Increase the Lambda function timeout.
B.Enable compression for API responses.
C.Increase the API Gateway throttling limits.
D.Enable API Gateway caching for the endpoints.
E.Switch API Gateway endpoint type from Edge-optimized to Regional.
AnswersB, D, E

Compression reduces response size, speeding up transfer.

Why this answer

Options B, D, and E are correct. Enabling caching serves repeated requests from API Gateway without invoking the backend, enabling compression shrinks the payload that crosses the network, and a Regional endpoint removes the CloudFront hop for clients that sit in the same Region (clients far from the Region may do better with edge-optimized, so check where the traffic comes from). Option C is wrong because throttling limits decide how many requests are rejected, not how long the accepted ones take.

Option A is wrong because the Lambda timeout is a ceiling on execution time; the question says function duration is already stable, so raising it changes nothing about the API Gateway latency spike.

46
MCQhard

A developer is building a serverless application using AWS Lambda that processes messages from an Amazon SQS queue. The queue receives about 100 messages per second, and each message takes about 30 seconds to process. The Lambda function is configured with a reserved concurrency of 10. The developer notices that messages are frequently being sent to the dead-letter queue (DLQ) after three failed processing attempts. The Lambda function's execution role has the necessary permissions to read from the SQS queue and write to the DLQ. The SQS queue's visibility timeout is set to 60 seconds, and the Lambda function's timeout is set to 60 seconds. What is the most likely cause of the messages being sent to the DLQ?

A.The SQS queue is not configured to use long polling, causing the Lambda function to receive empty responses and waste time.
B.The reserved concurrency of 10 is too low to handle the incoming message rate, causing messages to be repeatedly retried until they exceed the maxReceiveCount.
C.The Lambda function timeout is too short for the processing time required.
D.The DLQ is incorrectly configured to receive all failed messages after the first attempt.
AnswerB

Correct: Low concurrency leads to processing delays and retries.

Why this answer

Option B is correct. The function can run at most 10 invocations at a time and each takes about 30 seconds, so the application drains roughly 10 messages every 30 seconds (about 0.3 per second) against an arrival rate of 100 per second. The backlog is only half of the problem: the Lambda event source mapping keeps polling the queue and receiving messages (which makes them invisible) even while the function is throttled at its reserved concurrency. A throttled invocation never runs the application code, the message becomes visible again when the 60-second visibility timeout expires with its receive count incremented, and after three receives it is moved to the DLQ without having been processed once.

Practical remedies: limit the poller with the event source mapping's maximum concurrency setting (ScalingConfig) rather than relying on reserved concurrency alone, so Lambda stops pulling messages it cannot deliver; raise maxReceiveCount (AWS recommends at least 5 for Lambda consumers); and set the visibility timeout to at least six times the function timeout so in-flight batches are not redelivered mid-run.

Option A is incorrect because short versus long polling affects empty-receive cost and latency, not how often a message fails. Option C is incorrect because a 60-second timeout comfortably covers 30 seconds of processing. Option D is incorrect because the question states messages reach the DLQ after three attempts, which is the configured maxReceiveCount, not a misconfiguration.

47
MCQhard

An application running on Amazon ECS Fargate is experiencing intermittent connection timeouts when calling an external API. The task has a public IP and a security group that allows outbound HTTPS. What is the most likely cause?

A.The ECS service is not configured to auto-assign public IP.
B.The task's security group does not allow inbound traffic.
C.The security group outbound rules are misconfigured.
D.The task is running in a private subnet without a NAT gateway.
AnswerD

Private subnets need a NAT gateway for outbound internet access.

Why this answer

Option D is correct because ECS Fargate tasks running in a private subnet do not have direct internet access. Without a NAT gateway, outbound traffic to the external API is routed to the subnet’s route table, which lacks an internet gateway target, causing connection timeouts. The task’s public IP assignment is irrelevant in a private subnet, as the subnet itself has no route to the internet.

Exam trap

The trap here is that candidates assume a public IP on the task guarantees internet access, overlooking that the subnet’s route table determines whether traffic can reach the internet, and a private subnet without a NAT gateway blocks all outbound internet traffic regardless of the task’s public IP assignment.

How to eliminate wrong answers

Option A is wrong because the task already has a public IP assigned (as stated in the question), so the ECS service configuration for auto-assigning public IP is not the issue. Option B is wrong because inbound traffic rules are irrelevant for outbound HTTPS connections; the security group only needs to allow outbound traffic, which it does. Option C is wrong because the security group outbound rules are correctly configured to allow HTTPS (port 443), so misconfiguration is not the cause.

48
MCQeasy

A developer is troubleshooting an AWS Lambda function that times out when processing large files from Amazon S3. The function has a 15-minute timeout and 512 MB memory. What should the developer do to resolve this issue?

A.Use Amazon S3 batch operations to split the files before processing.
B.Add an S3 Event Notification to trigger the function asynchronously.
C.Reduce the Lambda timeout to 5 minutes to force faster processing.
D.Increase the Lambda function memory to 3008 MB.
AnswerD

More memory improves CPU and network, speeding up execution.

Why this answer

Option D is correct because CPU and network throughput scale with the memory setting: at 512 MB the function gets a fraction of a vCPU, so a CPU-bound pass over a large file may simply not finish before the timeout. 3008 MB is the largest value offered here; current Lambda allows up to 10,240 MB. Also check whether the function reads the whole object into memory, since streaming the body in chunks keeps memory flat regardless of file size. Option C is wrong because a shorter timeout only makes the function fail sooner. Option A is wrong because S3 Batch Operations runs a job across many objects; it does not split a single object into pieces.

Option B is wrong because the function is already triggered by S3 events; changing how it is invoked does not change how long the work takes.

49
MCQeasy

A developer is building a serverless application that uses Amazon DynamoDB. The application needs to retrieve an item by its primary key frequently. Which DynamoDB API call should the developer use to achieve the lowest latency?

A.Scan
B.Query
C.GetItem
D.BatchGetItem
AnswerC

GetItem directly retrieves an item by its primary key. It is the most efficient operation for a single item lookup, providing the lowest latency and consuming the least read capacity.

Why this answer

The GetItem API call is the most efficient way to retrieve a single item by its primary key in DynamoDB, as it directly accesses the item using the partition key (and the sort key, when the table has one) with consistent, single-digit millisecond latency. Unlike Scan or Query, GetItem does not need to evaluate any conditions or filter through other items, making it the lowest-latency option for this specific use case.

Exam trap

The trap here is that candidates often confuse Query with GetItem, assuming Query is always faster because it uses a key condition, but Query still requires evaluating the sort key and can return multiple items, whereas GetItem is the only API optimized for a single-item primary key lookup.

How to eliminate wrong answers

Option A is wrong because Scan reads every item in the table or index and then filters out the results, which incurs high latency and consumes significant read capacity, especially on large tables. Option B is wrong because Query retrieves all items with a given partition key value and can return multiple items, requiring additional processing and potentially higher latency than a direct key-based lookup. Option D is wrong because BatchGetItem is designed for retrieving multiple items in a single operation, but it adds overhead for batching and may return partial results, making it slower than GetItem for a single item retrieval.

50
MCQmedium

A company has an S3 bucket that stores sensitive data. They want to ensure that any object uploaded to the bucket is automatically encrypted with server-side encryption using AWS KMS (SSE-KMS). They also want to deny any uploads that do not specify the correct encryption. Which bucket policy condition should be used to enforce this requirement?

A.s3:x-amz-server-side-encryption equals aws:kms
B.s3:x-amz-server-side-encryption equals AES256
C.s3:x-amz-server-side-encryption-aws-kms-key-id equals a specific key ARN
D.aws:SecureTransport equals true
AnswerA

This condition specifies that the object must be encrypted with SSE-KMS. A Deny statement with this condition will reject uploads that do not use 'aws:kms' for server-side encryption.

Why this answer

Option A is correct because the condition `s3:x-amz-server-side-encryption equals aws:kms` enforces that any PUT request to the S3 bucket must include the `x-amz-server-side-encryption` header set to `aws:kms`, which triggers SSE-KMS encryption. This policy condition ensures that objects uploaded without specifying SSE-KMS are denied, meeting the requirement to automatically encrypt all uploaded objects with AWS KMS.

Exam trap

The trap here is that candidates confuse the condition for specifying a particular KMS key ARN (Option C) with the condition for simply requiring SSE-KMS encryption, leading them to pick an overly restrictive policy that would break uploads using the default KMS key.

How to eliminate wrong answers

Option B is wrong because `AES256` corresponds to SSE-S3 (S3-managed keys), not SSE-KMS, so it would enforce the wrong encryption type. Option C is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` enforces a specific KMS key ARN, but the question only requires SSE-KMS encryption, not a particular key; using this condition would be overly restrictive and could deny valid uploads using the default KMS key. Option D is wrong because `aws:SecureTransport` enforces HTTPS (TLS) for all requests, which is a transport-layer security requirement, not an encryption-at-rest requirement for object uploads.
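The bucket policy that implements the correct option, as an added example that is not from the exam page; the bucket name is a placeholder. The second statement follows the AWS-published pattern of also denying uploads that omit the header entirely, so the intent does not depend on how a missing key is matched.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonKmsEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

Pair this with bucket default encryption set to SSE-KMS so that clients which do send the header and those that rely on the default end up with the same key. If a specific key must be enforced later, add a third Deny with StringNotEquals on s3:x-amz-server-side-encryption-aws-kms-key-id.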

51
MCQeasy

The above CLI output shows the versioning status of an S3 bucket. A developer wants to enable MFA Delete on the bucket. What should the developer do?

A.Use the aws s3api put-bucket-acl command with MFA token.
B.Use the aws s3api put-bucket-versioning command with the --mfa parameter.
C.Enable Object Lock on the bucket, which automatically enables MFA Delete.
D.Use the aws s3api put-bucket-policy command to require MFA.
AnswerB

Correct: MFA Delete requires the --mfa parameter.

Why this answer

Option B is correct. MFA Delete is part of the bucket's versioning configuration, so it is set with the same call that manages versioning, and the request must carry the MFA device serial and a current code (bucket name and device ARN below are placeholders):

aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::111122223333:mfa/root-account-mfa-device 123456"

Only the bucket owner's root credentials can enable or disable MFA Delete; it cannot be done by an IAM user or from the console. Option A is wrong because the ACL controls who may read or write the bucket, not how versions are deleted. Option C is wrong because Object Lock is an independent retention feature and does not turn on MFA Delete.

Option D is wrong because a bucket policy with an aws:MultiFactorAuthPresent condition can require MFA for API calls in general, but that is not the MFA Delete setting the question asks about.

52
Multi-Selectmedium

A company's application runs on Amazon EC2 instances in an Auto Scaling group. The application experiences intermittent failures, and the developer suspects the application is not properly handling termination notifications. Which TWO steps should the developer take to diagnose the issue?

Select 2 answers
A.Enable detailed monitoring on the Auto Scaling group.
B.Configure a CloudWatch Events rule to capture Auto Scaling termination events.
C.Install the CloudWatch Logs agent on the instances to capture application logs.
D.Add a lifecycle hook to the Auto Scaling group to pause termination.
E.Use an Elastic Load Balancer to replace instances automatically.
AnswersB, D

CloudWatch Events can invoke a Lambda function to log or handle the event.

Why this answer

Options B and D are correct. D: a lifecycle hook holds the instance in the Terminating:Wait state so the application has time to finish in-flight work and flush its logs before the instance disappears. B: a CloudWatch Events (EventBridge) rule matching the "EC2 Instance-terminate Lifecycle Action" and "EC2 Instance Terminate Successful/Unsuccessful" events records when each termination started and whether the hook completed, for example by invoking a Lambda function that logs the event.

Option A is wrong because detailed monitoring only changes metric granularity; it records no termination signals. Option C is wrong because the CloudWatch Logs agent ships application logs and does not show whether the application handled a termination notice. Option E is wrong because replacing instances hides the symptom without diagnosing it.

53
MCQeasy

A developer is troubleshooting a Lambda function that occasionally times out. The function makes HTTPS calls to an external API. Which configuration change is MOST likely to resolve the issue without increasing the risk of further timeouts?

A.Increase the function's memory allocation.
B.Decrease the function's reserved concurrency.
C.Increase the function's timeout setting.
D.Change the function invocation type to synchronous.
AnswerC

Increasing timeout allows the function to wait longer for the external API response.

Why this answer

Option C is correct because a larger timeout gives the function enough time to wait for a slow external API response. Option A is wrong because the function is waiting on the network, so more CPU does not shorten the wait. Option B is wrong because reserved concurrency caps how many invocations run at once and does not change how long a single invocation takes.

Option D is wrong because the invocation type affects how the caller waits for the result, not how long the function itself runs. In practice, pair the larger Lambda timeout with an explicit timeout on the HTTP client (derived from the remaining invocation time) so a hung connection fails fast and can be retried instead of being killed by the runtime.

54
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The deployment configuration is set to CodeDeployDefault.OneAtATime. What is the most likely cause of this failure?

A.The instances in the Auto Scaling group are not running a supported operating system.
B.The deployment configuration should be changed to AllAtOnce to avoid this error.
C.The IAM role for CodeDeploy does not have sufficient permissions.
D.The deployment failed on a single instance, causing the overall deployment to fail because the minimum number of healthy hosts was not maintained.
AnswerD

With OneAtATime, if one instance fails, the deployment fails because the minimum healthy hosts threshold is not met.

Why this answer

With CodeDeployDefault.OneAtATime, the deployment updates one instance at a time and requires that a minimum number of healthy hosts be maintained throughout the process. If a single instance fails its deployment, the overall deployment fails because the minimum healthy host threshold is breached—CodeDeploy cannot proceed to the next instance without risking service availability. This error indicates that the failure on one instance caused the entire deployment to abort, not that multiple instances failed independently.

Exam trap

The trap here is that candidates assume 'too many individual instances failed' means multiple instances failed independently, when in fact with OneAtATime a single instance failure is enough to fail the entire deployment because the minimum healthy hosts requirement is not maintained.

How to eliminate wrong answers

Option A is wrong because an unsupported operating system would cause a different error (e.g., 'Unsupported OS') and would affect all instances uniformly, not trigger a per-instance failure that cascades due to the OneAtATime configuration. Option B is wrong because changing to AllAtOnce would increase risk by deploying to all instances simultaneously, potentially causing a full outage; the error is not about the deployment speed but about the minimum healthy hosts requirement being violated. Option C is wrong because insufficient IAM permissions would typically result in an authorization error (e.g., 'AccessDenied') during the deployment setup or agent communication, not a per-instance failure that triggers the 'too many individual instances failed' message.

55
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The developer wants to create a custom resource that runs a Lambda function during stack creation and update. What must the developer do to ensure the custom resource works correctly?

A.The Lambda function must send a response to an S3 pre-signed URL.
B.The Lambda function must be defined in the same CloudFormation template.
C.The Lambda function must return a JSON object with the desired output.
D.The Lambda function must be written in Python.
AnswerA

Custom resources require the function to respond to the pre-signed URL.

Why this answer

Option A is correct because CloudFormation passes a pre-signed S3 URL (ResponseURL) in the request, and the function must PUT a SUCCESS or FAILED response to it to signal completion; until that happens the stack operation waits. Option C is wrong because the function's return value is ignored; only the PUT to the pre-signed URL is read. Option D is wrong because the function can be written in any supported runtime.

Option B is wrong because the custom resource's ServiceToken can reference a function defined in the same template or an existing function by ARN.
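A custom resource handler that always answers the pre-signed URL, including on failure, as an added example that is not from the exam page. The resource property Name and the work done in create_or_update are assumed for illustration; the opener parameter lets an offline run substitute a constructed recorder for urllib.

```python
"""Added example: CloudFormation custom resource handler that never leaves
the stack waiting, and keeps the physical id stable across updates."""
import json
import traceback
import urllib.request


def create_or_update(props):
    """Hypothetical provisioning step; returns attributes exposed via Fn::GetAtt."""
    name = props["Name"]
    return {"Arn": f"arn:aws:example:::thing/{name}"}


def build_response(event, status, data=None, reason=None, physical_id=None):
    """Body CloudFormation expects at ResponseURL (field names are fixed by CFN)."""
    return {
        "Status": status,  # SUCCESS or FAILED
        "Reason": reason or "See CloudWatch log stream",
        "PhysicalResourceId": physical_id
        or event.get("PhysicalResourceId")
        or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(event, body, opener=urllib.request.urlopen):
    """PUT the body to the pre-signed S3 URL; the Content-Type header must be empty."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT")
    req.add_header("Content-Type", "")
    req.add_header("Content-Length", str(len(payload)))
    with opener(req) as resp:
        return resp.status


def handler(event, context, opener=urllib.request.urlopen):
    """Lambda entry point. Every path ends in send_response."""
    try:
        req_type = event["RequestType"]
        props = event.get("ResourceProperties", {})
        if req_type == "Delete":
            # Report SUCCESS even if the resource is already gone, or the
            # stack deletion gets stuck on this resource.
            body = build_response(event, "SUCCESS")
        else:
            # Reuse the same physical id on Update; a changed id makes
            # CloudFormation send a Delete for the previous resource.
            attrs = create_or_update(props)
            body = build_response(event, "SUCCESS", data=attrs, physical_id=props["Name"])
    except Exception as exc:
        body = build_response(event, "FAILED", reason=f"{exc}: {traceback.format_exc()[-500:]}")
    send_response(event, body, opener=opener)
    return body


class _FakeResponse:
    """Constructed stand-in for the HTTP response from the pre-signed URL."""
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(sent):
    """Constructed opener that records what would have been PUT to ResponseURL."""
    def _open(req):
        sent.append((req.get_method(), req.full_url, json.loads(req.data)))
        return _FakeResponse()
    return _open


SAMPLE_EVENT = {  # constructed; shape follows the custom resource request
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo/uuid",
    "RequestId": "req-1",
    "LogicalResourceId": "MyThing",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:111122223333:function:demo-handler",
        "Name": "demo-thing",
    },
}


if __name__ == "__main__":
    log = []
    print(handler(SAMPLE_EVENT, None, opener=fake_opener(log)), log)
```

The catch-all around the provisioning step is the important part: an unhandled exception would exit without a PUT, and CloudFormation would wait for its own timeout before failing the stack.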

56
MCQmedium

A company uses AWS Elastic Beanstalk to run a web application. They want to deploy a new version with zero downtime and roll forward if successful. They have two environments: a production environment (current version) and a staging environment (new version). After verifying the staging environment, they want to swap the URLs so that production now points to the new version. Which deployment strategy should they use?

A.Blue/green deployment with environment CNAME swap
B.All at once deployment
C.Rolling deployment with additional batch
D.Immutable deployment
AnswerA

This strategy creates two separate environments. After testing, swapping the CNAME (e.g., via 'eb swap') redirects traffic to the new environment without downtime.

Why this answer

Option A is correct because blue/green deployment with an environment CNAME swap allows you to run two separate Elastic Beanstalk environments (production and staging) simultaneously. After verifying the new version in the staging environment, you swap the CNAME records so that the production URL points to the staging environment, achieving zero downtime and a roll-forward strategy. This approach decouples the deployment from the existing environment, ensuring no disruption to live traffic during the swap.

Exam trap

The trap here is that candidates confuse immutable deployments (which also launch new instances) with blue/green deployments, but immutable deployments do not create a separate environment with its own URL for a CNAME swap, making them unsuitable for the described two-environment swap requirement.

How to eliminate wrong answers

Option B (All at once deployment) is wrong because it deploys the new version to all instances simultaneously, causing downtime during the deployment process and not allowing a roll-forward strategy with separate environments. Option C (Rolling deployment with additional batch) is wrong because it updates instances in batches while keeping the same environment, which can cause temporary capacity reduction and does not provide a separate staging environment for verification before swapping URLs. Option D (Immutable deployment) is wrong because it launches a new set of instances in the same environment and then swaps them in, but it does not create a separate environment with its own URL for a CNAME swap; it still operates within a single environment, making it unsuitable for the described two-environment swap scenario.

57
MCQmedium

A developer is building a REST API using Amazon API Gateway and wants to validate the incoming request body against a JSON schema before passing the request to the backend Lambda function. Which API Gateway feature should the developer use?

A.Request validation
B.Mapping templates
C.Integration request
D.Stage variables
AnswerA

Correct. Request validation uses a JSON schema to validate the request body and parameters.

Why this answer

API Gateway's request validation feature allows you to define a JSON schema (JSON Schema Draft 4) as a model for the request body and automatically reject requests that do not conform, returning a 400 before they reach the backend. A malformed payload therefore never invokes the Lambda function, so it costs nothing and cannot trip on unexpected input. The developer can configure this in the API Gateway console or via the OpenAPI specification.

Exam trap

The trap here is that candidates often confuse request validation with mapping templates, assuming that mapping templates can validate the request body, but mapping templates only transform data and do not enforce schema constraints.

How to eliminate wrong answers

Option B is wrong because mapping templates transform the request body or parameters into a different format (e.g., from JSON to XML) for the backend, but they do not perform schema-based validation. Option C is wrong because the integration request defines how API Gateway passes the request to the backend (e.g., HTTP method, headers, query strings) and can include mapping templates, but it does not natively validate the request body against a JSON schema. Option D is wrong because stage variables are key-value pairs used to configure deployment stages (e.g., Lambda function aliases, endpoint URLs) and have no role in request body validation.

58
MCQmedium

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline includes a deploy action that uses AWS CloudFormation to create the S3 bucket and upload files. The developer notices that the deploy action fails intermittently with a 'BucketAlreadyExists' error. What is the most likely cause?

A.The S3 bucket has versioning enabled.
B.The CloudFormation template has incorrect IAM permissions.
C.The S3 bucket name is already taken by another AWS account.
D.The S3 bucket policy is too restrictive.
AnswerC

S3 bucket names are globally unique.

Why this answer

Option C is correct because S3 bucket names are globally unique across all AWS accounts. If another account has already created a bucket with the same name, CreateBucket fails and the CloudFormation stack rolls back. A name hard-coded in the template is the usual trigger; deriving it from the stack name or letting CloudFormation generate one avoids the collision. Option D is incorrect because a bucket policy applies after the bucket exists and governs object access, not bucket creation.

Option A is incorrect because versioning does not affect bucket creation. Option B is incorrect because missing IAM permissions produce an AccessDenied error, not BucketAlreadyExists.

59
Drag & Dropmedium

Drag and drop the steps to create a Lambda function that processes S3 events in the correct order.


Why this order

First set up permissions, then code, create function, configure trigger, and test.

60
MCQeasy

A company wants to encrypt data in transit between an EC2 instance and an S3 bucket. What should they do?

A.Use SSH to transfer files to S3.
B.Establish a VPN connection between the instance and S3.
C.Enable client-side encryption using the AWS SDK.
D.Use the S3 HTTPS endpoint for all API calls.
AnswerD

HTTPS encrypts data in transit.

Why this answer

Option D is correct because every S3 API call made to the HTTPS endpoint is protected by TLS, which is what encryption in transit means. Option A is wrong because S3 does not expose an SSH interface. Option B is wrong because there is no VPN that terminates at S3.

Option C is wrong because client-side encryption protects the object's contents before they leave the instance, which is a useful extra layer, but the question asks for the transport to be encrypted. To make HTTPS mandatory rather than optional, add a Deny statement to the bucket policy with the condition aws:SecureTransport equal to false, and use a gateway VPC endpoint to keep the traffic off the public internet.

61
MCQhard

A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket is encrypted with server-side encryption using AWS KMS (SSE-KMS) with a customer managed key (CMK) in Account A. Which combination of policies is required for the cross-account access to succeed?

A.The bucket policy in Account A grants s3:GetObject to the role, the KMS key policy grants kms:Decrypt to the role, and the role in Account B has an IAM policy allowing s3:GetObject and kms:Decrypt
B.The bucket policy in Account A grants s3:GetObject to the role, and the role in Account B has an IAM policy allowing s3:GetObject. No KMS permissions are needed because SSE-KMS uses AWS managed keys by default.
C.The bucket policy in Account A grants s3:GetObject to the role, and the KMS key policy grants kms:Decrypt to the role. The role in Account B does not need additional IAM policies because the bucket and key policies provide sufficient permissions.
D.Only the bucket policy in Account A needs to grant s3:GetObject to the role. KMS is not involved because the bucket is encrypted with SSE-KMS but the role can decrypt using the default KMS key.
AnswerA

All three policies are required: bucket policy and key policy in Account A grant the necessary permissions, and the IAM role in Account B must have the corresponding IAM policy to authorize the use of those grants.

Why this answer

Option A is correct because cross-account access to an SSE-KMS encrypted S3 bucket requires three layers of permissions: the bucket policy in Account A must grant s3:GetObject to the IAM role in Account B, the KMS key policy must grant kms:Decrypt to the same role, and the role's IAM policy in Account B must allow both s3:GetObject and kms:Decrypt. Without any one of these, the request will fail due to either an S3 authorization error or a KMS decryption failure.

Exam trap

The trap here is that candidates assume bucket and key policies alone are sufficient for cross-account access, forgetting that the requesting principal (the IAM role) must also have an IAM policy that explicitly allows the required actions.

How to eliminate wrong answers

Option B is wrong because SSE-KMS with a customer managed key (CMK) requires explicit kms:Decrypt permission; AWS managed keys are not in play here, and without it S3 returns an AccessDenied error when the object's data key cannot be decrypted. Option C is wrong because a resource-based policy in Account A can only grant access to a principal in Account B if that principal's own identity-based policy also allows the action; the role needs a policy allowing s3:GetObject on the bucket and kms:Decrypt on the key ARN in Account A (a kms:ViaService condition limited to S3 keeps the grant narrow). Option D is wrong because KMS is always involved when SSE-KMS is used; the bucket is encrypted with a CMK, not the default KMS key, and the role must have kms:Decrypt permission to read the objects.

62
MCQmedium

A developer runs the AWS CLI command to decrypt a file using a KMS key. What is the most likely cause of the error?

A.The encrypted file is corrupted.
B.The CLI cannot read the file.
C.The IAM user lacks kms:Decrypt permission on the key.
D.The KMS key ID is incorrect.
AnswerC

Explicitly says not authorized.

Why this answer

The IAM user DevUser does not have kms:Decrypt permission on the specified KMS key.

63
Multi-Selecthard

Which THREE are valid methods to encrypt data at rest in Amazon S3? (Choose 3)

Select 3 answers
A.Encryption in transit using SSL/TLS
B.Server-Side Encryption with S3-Managed Keys (SSE-S3)
C.Client-Side Encryption with AWS KMS
D.Server-Side Encryption with Customer-Provided Keys (SSE-C)
E.Server-Side Encryption with KMS-Managed Keys (SSE-KMS)
AnswersB, D, E

SSE-S3 is a valid method.

Why this answer

Options B, D, and E are the three server-side encryption modes S3 offers for data at rest: S3-managed keys, customer-provided keys (the client supplies the key with each request and S3 discards it after use), and KMS keys. Option A is wrong because SSL/TLS protects data in transit, not at rest. Option C is excluded by the answer key because client-side encryption with KMS encrypts the object before it reaches S3 using the SDK's encryption client; it is not an S3 server-side option, which is what the question is asking for.

64
MCQhard

An IAM policy is attached to an EC2 instance role. The instance is part of a CodeDeploy deployment group. The deployment fails because the CodeDeploy agent cannot download the revision. What is the most likely reason?

A.The policy does not allow the codedeploy:GetDeployment action.
B.The policy does not allow the codedeploy:CreateDeployment action.
C.The policy does not specify a region in the resource ARN.
D.The policy does not allow s3:GetObject on the specific bucket where the revision is stored.
AnswerD

The policy only allows access to 'my-bucket', but the revision may be in another bucket.

Why this answer

The CodeDeploy agent on the EC2 instance downloads the application revision from an S3 bucket. For this to succeed, the IAM role attached to the instance must include an s3:GetObject permission on the specific bucket and object. Without it, the agent cannot retrieve the revision file, causing the deployment to fail.

Options A and B are irrelevant because the agent does not call CodeDeploy API actions like GetDeployment or CreateDeployment; those are used by the user or CI/CD pipeline initiating the deployment. Option C is incorrect because IAM policies for S3 actions do not require a region in the resource ARN.

Exam trap

The trap here is that candidates confuse the permissions needed by the CodeDeploy agent (S3 read access) with the permissions needed by the user or pipeline (CodeDeploy API actions), leading them to select a CodeDeploy action instead of the correct S3 action.

How to eliminate wrong answers

Option A is wrong because the CodeDeploy agent does not call the codedeploy:GetDeployment action; that action is used by the AWS CLI, SDK, or console to retrieve deployment details. Option B is wrong because the codedeploy:CreateDeployment action is performed by the user or automation tool initiating the deployment, not by the CodeDeploy agent on the instance. Option C is wrong because S3 is a global service and its resource ARNs do not include a region element; specifying a region in an S3 ARN would be syntactically invalid.

65
MCQ (hard)

A developer deployed an AWS Lambda function that is invoked by an Amazon SQS queue. The function is configured with a batch size of 10 and a timeout of 30 seconds. CloudWatch metrics show that the function's Duration is consistently around 28 seconds, but occasionally spikes to 35 seconds causing timeouts. The function makes a synchronous HTTP call to an external API. Which approach will MOST effectively prevent timeouts while maximizing throughput?

A. Use async HTTP calls with a callback
B. Increase the function's timeout to 60 seconds
C. Reduce the batch size to 5
D. Increase the SQS visibility timeout to 60 seconds
Answer: A

Correct. Async calls allow the Lambda function to handle multiple HTTP requests concurrently, reducing overall execution time and preventing timeouts.

Why this answer

Option A is correct because using async HTTP calls with a callback prevents the Lambda function from blocking on the synchronous HTTP request. This allows the function to process the batch of 10 messages concurrently, reducing the overall execution time below the 30-second timeout even when individual API calls occasionally take longer. By not waiting for each response sequentially, the function maximizes throughput and avoids timeouts.

Exam trap

The trap here is that candidates often assume increasing the Lambda timeout or adjusting SQS settings will fix performance issues, when the real problem is synchronous blocking I/O that can be resolved with asynchronous programming to improve concurrency and throughput.

How to eliminate wrong answers

Option B is wrong because increasing the timeout to 60 seconds only masks the symptom without addressing the root cause—blocking on synchronous HTTP calls—and reduces throughput by keeping the function running longer per invocation. Option C is wrong because reducing the batch size to 5 decreases the number of messages processed per invocation, lowering throughput and not preventing timeouts caused by slow API calls within the batch. Option D is wrong because increasing the SQS visibility timeout does not affect the Lambda function's execution timeout; it only delays message redelivery if the function fails, which does not prevent the function from timing out.

66
MCQ (medium)

A company is deploying a new microservice using AWS CodeDeploy. The deployment group uses an EC2/On-Premises compute platform with an in-place deployment configuration. After the deployment, the new application version is not receiving traffic. The previous version continues to serve requests. What is the most likely cause?

A. The application revision is not stored in the correct S3 bucket.
B. The deployment configuration is set to CodeDeployDefault.OneAtATime.
C. The deployment group is not associated with a load balancer or target group.
D. The CodeDeploy agent is not installed on the EC2 instances.
Answer: C

Without a target group, the load balancer does not route traffic to the new instances.

Why this answer

In an in-place deployment with CodeDeploy on the EC2/On-Premises compute platform, traffic is routed to the new application version by a load balancer. If the deployment group is not associated with a load balancer or target group, CodeDeploy cannot register the instances or shift traffic to the new version, so the previous version continues serving requests. The deployment itself may succeed, but without the load balancer integration, the new application revision never receives incoming traffic.

Exam trap

The trap here is that candidates assume a successful deployment automatically means the new version is serving traffic, but without a load balancer association, CodeDeploy cannot manage traffic routing, leaving the old version active.

How to eliminate wrong answers

Option A is wrong because the application revision not being stored in the correct S3 bucket would cause the deployment to fail entirely (e.g., a 'RevisionNotFound' error), not silently leave the old version serving traffic. Option B is wrong because CodeDeployDefault.OneAtATime is a valid deployment configuration that controls the pace of instance updates (one instance at a time), but it does not prevent traffic from reaching the new version after deployment; it only affects the rollout speed. Option D is wrong because if the CodeDeploy agent were not installed on the EC2 instances, the deployment would fail with an 'AgentNotAvailable' error, and no new version would be installed at all, whereas the scenario describes a successful deployment with no traffic shift.

67
MCQ (hard)

Based on the CloudTrail log entry, which security concern should be investigated?

A. The role used has too many permissions.
B. The instance was launched in an unauthorized region.
C. Multi-factor authentication (MFA) was not used when assuming the role.
D. The source IP address is from a suspicious location.
Answer: C

mfaAuthenticated is false, indicating no MFA.

Why this answer

The CloudTrail log entry shows that the `sts:AssumeRole` API call was made without the `aws:MultiFactorAuthPresent` key set to `true`. This indicates that the role was assumed without MFA, which violates the security best practice of requiring MFA for privileged role assumptions. The absence of MFA increases the risk of unauthorized access if the user's credentials are compromised.

Exam trap

The trap here is that candidates often focus on the source IP address or region as suspicious, but the key security indicator is the absence of MFA in the `sts:AssumeRole` call, which is a direct violation of the principle of least privilege and a common attack vector.

How to eliminate wrong answers

Option A is wrong because the CloudTrail log entry does not provide information about the permissions attached to the role; it only records the API call, not the effective permissions. Option B is wrong because the log entry does not indicate the region where the instance was launched; it only shows the region of the CloudTrail event (e.g., us-east-1), which is not necessarily the same as the instance's region. Option D is wrong because the source IP address in the log entry is from an AWS service (e.g., ec2.amazonaws.com) or an internal AWS IP, not an external suspicious location; CloudTrail logs for AWS API calls often show internal IPs for service-to-service calls.

68
Multi-Select (hard)

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. Which TWO additional checks should the developer perform to resolve the issue?

Select 2 answers
A. Check the network ACLs for the subnet.
B. Check if the S3 bucket policy has an explicit deny statement that affects the EC2 instance.
C. Check if the EC2 instance is in a VPC with an S3 VPC endpoint configured.
D. Check the security group rules attached to the EC2 instance.
E. Check if the S3 bucket uses SSE-KMS encryption and the EC2 role has kms:Decrypt permissions.
Answers: B, E

An explicit deny overrides any allow.

Why this answer

Option B is correct because S3 bucket policies can explicitly deny access even if the IAM role attached to the EC2 instance grants s3:GetObject. An explicit deny in a bucket policy overrides any allow, so checking for such a deny statement is essential. Option E is correct because if the S3 bucket uses SSE-KMS encryption, the EC2 instance's IAM role must have kms:Decrypt permissions to decrypt the object; without it, GetObject requests will fail.

Exam trap

The trap here is that candidates often focus only on IAM policies or network controls (NACLs/security groups) and overlook the combination of bucket policies with explicit denies and KMS encryption permissions, which are common real-world blockers.

69
MCQ (easy)

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The developer wants to ensure that the new version is stable before routing all traffic to it. The developer has already published version 1 and version 2 of the function. The developer wants to send 10% of the traffic to version 2 and 90% to version 1. The developer then plans to gradually increase the traffic to version 2. Which approach should the developer use?

A. Use the Lambda function's versioning feature to set the traffic weight directly on the function.
B. Create a Lambda alias named 'prod' and update the alias's routing configuration to send 10% traffic to version 2 and 90% to version 1.
C. Configure the API Gateway endpoint to route 10% of requests to version 2 and 90% to version 1.
D. Create a new alias and assign the traffic weights to the versions in the alias configuration.
Answer: B

Lambda aliases support weighted routing for canary deployments.

Why this answer

Option B is correct because Lambda aliases support traffic shifting via weighted routing. Option A is incorrect because Lambda function versions do not support traffic weights directly; there is no built-in feature to configure traffic distribution on the function itself. Option C is incorrect because API Gateway endpoint configuration doesn't handle Lambda traffic shifting.

70
MCQ (hard)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores session data in an RDS MySQL database. Recently, users have reported that they are being logged out unexpectedly and their session data is lost. The developer investigates and finds that the RDS instance's CPU utilization spikes periodically, coinciding with the logout events. The application uses connection pooling via an RDS Proxy. The developer suspects that the session table is being dropped or truncated. After checking the application logs, the developer finds no evidence of truncation commands. The RDS instance has automated backups enabled, and the binary logs are retained for 24 hours. The developer wants to identify the root cause and prevent future occurrences. Which course of action should the developer take?

A. Enable Multi-AZ deployment for RDS to improve availability and prevent data loss during failover.
B. Increase the RDS instance size to handle the CPU spikes and prevent future issues.
C. Disable RDS Proxy and implement connection pooling in the application code to reduce database load.
D. Check the session table's storage engine; if it uses MEMORY, change it to InnoDB to persist data across restarts.
Answer: D

MEMORY engine loses data on restart; InnoDB is durable.

Why this answer

The RDS CPU spikes and session loss suggest that the database is being restarted or failing over, causing in-memory session data to be lost. However, the session data is stored in a table, which should survive restarts. The issue might be that the session table is using the MEMORY storage engine, which loses data on restart.

Option D is correct: check the session table's storage engine. Option C is wrong because RDS Proxy does not cause data loss. Option B is wrong because increasing the instance size may delay but not prevent the issue. The retained binary logs are for replication, not session persistence.

71
MCQ (hard)

A company has an AWS Lambda function that processes sensitive financial data. The function uses environment variables to store database connection strings. A security audit requires that all sensitive data be encrypted at rest and in transit. The developer must ensure that the environment variables are encrypted with a customer-managed key that is rotated quarterly. What should the developer do?

A. Use AWS Systems Manager Parameter Store with a SecureString parameter using an AWS managed key
B. Store the connection string in AWS Secrets Manager and enable automatic rotation with a custom Lambda function
C. Encrypt the environment variables using the Lambda service key
D. Use AWS KMS to encrypt the environment variables and set a manual rotation policy
Answer: B

Secrets Manager supports automatic rotation with custom Lambda functions, allowing you to rotate the secret every 90 days using a customer-managed KMS key.

Why this answer

Option B is correct because AWS Secrets Manager natively supports automatic rotation of secrets using a custom Lambda function, which meets the quarterly rotation requirement. Secrets Manager also encrypts secrets at rest using KMS, and the customer can specify a customer-managed key (CMK) for encryption, satisfying the encryption-at-rest and customer-managed key requirements. Additionally, Secrets Manager enforces encryption in transit via TLS when retrieving secrets, fulfilling the full security audit mandate.

Exam trap

AWS often tests the distinction between rotating the encryption key (KMS) versus rotating the secret value itself, leading candidates to incorrectly choose KMS-based options when the requirement is to rotate the stored credential.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with a SecureString parameter can use an AWS managed key by default, but it does not support automatic rotation of the parameter value itself (only the KMS key can be rotated, not the stored secret), failing the quarterly rotation requirement. Option C is wrong because the Lambda service key is an AWS managed key, not a customer-managed key, and Lambda environment variables encrypted with the service key cannot be rotated quarterly by the customer. Option D is wrong because AWS KMS does not provide a built-in mechanism to automatically rotate the encrypted environment variable value; KMS only supports automatic key rotation (yearly by default), not quarterly, and manual rotation of the key does not rotate the stored connection string itself.

72
MCQ (medium)

A developer is configuring a load balancer in front of an EC2 instance running a web application. The application needs to authenticate users via an identity provider. Which AWS service should the developer use to handle authentication and authorization?

A. AWS Identity and Access Management (IAM)
B. Amazon Cognito
C. Amazon Route 53
D. Amazon CloudFront
Answer: B

Cognito user pools provide authentication for web apps.

Why this answer

Option B is correct because Amazon Cognito provides user pools for authentication and can be integrated with an Application Load Balancer. Option A is wrong because IAM is for AWS API access, not web app users. Option C is wrong because Route 53 is DNS.

Option D is wrong because CloudFront is a CDN.

73
MCQ (hard)

A company uses AWS CloudFormation to manage its infrastructure. The developer wants to update a stack but only if the update does not cause any resource replacement. Which CloudFormation stack update option should be used?

A. Use the direct update option with a template.
B. Create a change set and review the changes before executing it.
C. Use the 'Force rollback' option to ensure no replacement.
D. Use the 'Preserve stack settings' option when updating the stack.
Answer: B

Change sets show which resources will be replaced, allowing you to avoid replacement.

Why this answer

Option B is correct because creating a change set allows you to see which resources will be replaced and abort if any replacement is detected. Option A is wrong because a direct update does not provide a preview. Option C is wrong because 'Force rollback' is not a standard CloudFormation option; CloudFormation uses change sets to preview replacements. Option D is wrong because 'Preserve stack settings' is not a real update option and does not prevent replacement.

74
MCQ (medium)

Refer to the exhibit. A developer ran the AWS CLI command to invoke a Lambda function. The response indicates an error. What should the developer do to see the error details?

A. Decode the LogResult value from base64 to see the logs.
B. Check CloudWatch Logs for the function's log group.
C. Increase the Lambda function timeout to avoid the error.
D. Read the output.txt file for the error message.
Answer: A

The LogResult field contains the last 4 KB of logs encoded in base64.

Why this answer

Option A is correct because the LogResult contains base64-encoded logs. Option B is wrong because the logs are not automatically in CloudWatch. Option C is wrong because the error is Unhandled, not a timeout.

Option D is wrong because the LogResult is base64, not plain text.

75
MCQ (easy)

A developer is building a serverless application using AWS Lambda functions that need to read and write to an Amazon DynamoDB table. What is the best practice for granting the Lambda function access to DynamoDB?

A. Create an IAM role with a trust policy that allows Lambda to assume it, and attach a permissions policy granting DynamoDB access.
B. Create an IAM user and store the access keys in the Lambda environment variables.
C. Attach a resource-based policy to the Lambda function that grants DynamoDB access.
D. Use the Lambda function's default VPC role to access DynamoDB via a VPC endpoint.
Answer: A

Lambda uses an execution role to obtain temporary credentials.

Why this answer

Option A is correct because AWS Lambda functions require an IAM role (execution role) with a trust policy that allows Lambda to assume it, and a permissions policy that grants the necessary DynamoDB actions (e.g., GetItem, PutItem). This is the standard and secure method for granting permissions to Lambda, as it avoids hardcoding credentials and follows the principle of least privilege.

Exam trap

The trap here is that candidates confuse resource-based policies (used for Lambda function invocation permissions) with execution roles (used for granting the Lambda function access to other AWS services), leading them to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because storing IAM user access keys in Lambda environment variables is insecure and violates best practices; keys can be exposed in logs or through the console, and they do not automatically rotate. Option C is wrong because Lambda functions do not support resource-based policies for granting access to other AWS services like DynamoDB; resource-based policies are used for cross-account access to the Lambda function itself, not for the function to access external resources. Option D is wrong because a VPC role or VPC endpoint does not grant IAM permissions; VPC endpoints enable private network connectivity but do not replace the need for an IAM role with DynamoDB access policies.
