AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 676-750

1616 questions total · 22 pages · All types, answers revealed

Page 10 of 22
676 (MCQ, medium)

A company is using Amazon S3 to store sensitive documents. The security team requires that all access to the bucket be logged for audit purposes. Which feature should be enabled?

A. S3 server access logging
B. Amazon CloudWatch Logs
C. S3 Inventory
D. AWS CloudTrail
Answer: A

Server access logs record detailed information about requests.

Why this answer

S3 server access logging provides detailed records for requests made to an S3 bucket, including the requester, bucket name, request time, action, and response status. This feature logs all access at the object level, which directly meets the audit requirement for sensitive documents. It delivers log files to a target bucket in a standardized format, enabling security teams to analyze access patterns and detect unauthorized activity.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (Option D) with S3 server access logging, assuming CloudTrail's data events provide the same granularity, but CloudTrail is designed for API call auditing and may miss certain access patterns (e.g., anonymous requests or cross-account access) unless explicitly configured, whereas S3 server access logging captures all requests by default.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Logs is a service for monitoring, storing, and accessing log files from AWS resources like EC2 or Lambda, but it does not natively capture S3 access logs without additional configuration (e.g., using S3 event notifications to push logs to CloudWatch). Option C is wrong because S3 Inventory provides a list of objects and their metadata (e.g., size, encryption status) for compliance and lifecycle management, but it does not log access requests or actions performed on the bucket. Option D is wrong because AWS CloudTrail records management events (e.g., bucket creation, policy changes) and data events (e.g., GetObject, PutObject) for S3, but it is not the primary feature for detailed, request-level logging; S3 server access logging is the dedicated feature for granular access logs, while CloudTrail is often used for governance and compliance at a higher level.

677 (Matching, medium)

Match each DynamoDB concept to its description.


Concepts
Matches

Primary key for hashing

Range key for ordering

Alternate access pattern

Same partition key, different sort

In-memory cache for DynamoDB

Why these pairings

DynamoDB is a major topic in the exam.

678 (MCQ, medium)

A developer notices that an Amazon RDS for MySQL DB instance's CPU utilization is consistently above 90% during peak hours. Which AWS service can the developer use to analyze the database queries and identify the root cause?

A. AWS X-Ray
B. Amazon CloudWatch Logs
C. Amazon RDS Performance Insights
D. AWS Trusted Advisor
Answer: C

Performance Insights shows database load and top SQL queries.

Why this answer

Option C is correct because Performance Insights provides database performance analysis with query-level metrics. Option B is wrong because CloudWatch Logs stores log data; it does not analyze queries. Option A is wrong because X-Ray traces application requests, not database queries.

Option D is wrong because Trusted Advisor provides cost and security checks, not query analysis.

679 (MCQ, medium)

A developer is using Amazon S3 to host a static website. The website uses JavaScript to fetch data from an API Gateway endpoint. Users report that the website loads but API calls fail with HTTP 403 errors. The developer checks the S3 bucket policy and finds it allows public read access. What is the most likely cause?

A. The S3 bucket policy blocks access from the API Gateway domain.
B. The S3 bucket is not configured for static website hosting.
C. The API Gateway API key is not included in the JavaScript code.
D. The S3 bucket does not have CORS configuration to allow cross-origin requests from the API Gateway domain.
Answer: D

CORS is required for browser-based cross-origin requests.

Why this answer

S3 static website hosting is not configured for CORS by default, so Option D is correct. Option A is incorrect because the S3 bucket policy already allows public read.

Option B is incorrect because the website itself loads, so static website hosting is configured. Option C is incorrect because authentication is not required for public content.

680 (MCQ, medium)

A developer is managing an application that runs on an Amazon EC2 instance. The application uses an IAM role attached to the instance to access an S3 bucket. The developer recently updated the IAM role to add a new policy that grants access to a different S3 bucket. However, when testing, the application cannot access the new bucket and still returns 'Access Denied'. The developer verifies that the instance profile is correctly associated with the EC2 instance and that the new policy is attached. The application was restarted after the policy change. What is the MOST likely cause of the issue?

A. The S3 bucket has a bucket policy that denies access to the IAM role.
B. The temporary security credentials cached by the instance are still valid and do not reflect the new policy.
C. The application needs to be restarted multiple times to pick up the new policy.
D. The instance profile is not correctly attached to the EC2 instance.
Answer: B

The credentials are cached and will not include the new policy until they expire and are refreshed.

Why this answer

Option B is correct because the AWS SDK or CLI on the EC2 instance caches the temporary credentials it obtained from the instance metadata service. Those credentials may not reflect the new policy if they were obtained before the policy update. They remain valid for a certain period (default 6 hours) and are not automatically refreshed when the role changes.

Option D is wrong because the instance profile is correctly associated. Option C is wrong because restarting the application does not refresh the credentials; it reuses the cached ones. Option A is wrong because a bucket policy is not required here; the IAM role policy is sufficient.

681 (Multi-Select, hard)

A developer is configuring an S3 bucket to host a static website. The bucket must be accessible to anyone on the internet, but only for reading objects. Which THREE steps are necessary? (Choose THREE.)

A. Set the bucket ACL to public-read.
B. Create an Amazon CloudFront distribution with the bucket as origin.
C. Enable static website hosting on the bucket.
D. Disable S3 Block Public Access settings for the bucket.
E. Add a bucket policy that allows s3:GetObject for Principal "*" on the bucket.
Answers: C, D, E

Required for website access.

Why this answer

Option C is correct because enabling static website hosting on the S3 bucket is a prerequisite for serving content as a website. Without this setting, the bucket cannot serve HTTP requests for web pages, even if objects are publicly readable. This configuration provides an endpoint URL and allows index and error document routing.

Exam trap

The trap here is that candidates often assume setting a bucket ACL to public-read (Option A) is sufficient, but they forget that S3 Block Public Access settings must be disabled first, and ACLs are deprecated in favor of bucket policies for this use case.

682 (MCQ, medium)

A team is using AWS CodeBuild to compile and test code. The build takes longer than expected. The team wants to reduce build times by caching dependencies. Which option should the team use to cache dependencies in CodeBuild?

A. Amazon DynamoDB
B. Amazon EFS
C. Amazon ECR
D. Local caching or Amazon S3 caching
Answer: D

CodeBuild supports local caching and S3 caching to speed up builds.

Why this answer

Option D is correct because CodeBuild supports local caching and S3 caching; local caching keeps dependencies on the build host between builds. Option B is wrong because EFS is not a supported CodeBuild cache. Option C is wrong because ECR stores container images, not general dependency caches.

Option A is wrong because DynamoDB is not used for caching in CodeBuild.

683 (MCQ, medium)

A company is using Amazon S3 to store sensitive documents. The security team requires that all data be encrypted at rest using AWS KMS with a Customer Managed Key (CMK). The developer enabled default encryption on the S3 bucket with the CMK. However, some PUT requests are failing with 'Access Denied'. What is the MOST likely cause?

A. The S3 bucket's object ownership is set to BucketOwnerPreferred.
B. The KMS key policy does not grant the IAM user/role permissions to use the key.
C. The KMS key is in a different AWS Region than the S3 bucket.
D. The S3 bucket policy denies PutObject without encryption.
Answer: B

To use KMS encryption, the caller must have kms:GenerateDataKey permissions on the key.

Why this answer

Option B is correct because KMS key policies can restrict who is allowed to use the key, and a PUT into a KMS-encrypted bucket needs that permission on the key itself. Option D is wrong because an S3 bucket policy governs S3 actions, not KMS. Option C is wrong because KMS keys are regional and cross-Region use fails.

Option A is wrong because object ownership does not affect KMS permissions.

684 (MCQ, medium)

A developer is setting up an IAM role for a CI/CD pipeline. The above IAM policy is attached to the role. The pipeline needs to deploy a revision to an Amazon S3 bucket and then trigger a CodeDeploy deployment. The deployment fails with an access denied error. What is the missing permission?

A. codedeploy:UpdateDeploymentGroup
B. codedeploy:RegisterApplicationRevision
C. s3:ListBucket
D. s3:GetObjectVersion
Answer: B

Required to register the revision in S3 with CodeDeploy.

Why this answer

Option B is correct because triggering a CodeDeploy deployment with S3 as the revision location requires the codedeploy:RegisterApplicationRevision permission. Option C is wrong because s3:ListBucket is not needed for uploading. Option A is wrong because codedeploy:UpdateDeploymentGroup updates the deployment group's configuration; it does not start a deployment.

Option D is wrong because s3:GetObjectVersion relates to versioned objects and is not required here.

685 (Multi-Select, hard)

A developer needs to securely distribute temporary AWS credentials to authenticated mobile users. Which two components are commonly involved?

A. Amazon Cognito identity pools
B. AWS root access keys
C. IAM roles with scoped permissions
D. An unrestricted S3 bucket policy
Answers: A, C

Correct for the stated requirement.

Why this answer

Amazon Cognito identity pools allow you to exchange identity tokens (from a user pool or external IdP) for temporary AWS credentials via the AWS Security Token Service (STS). These credentials are scoped to an IAM role with fine-grained permissions, enabling secure, least-privilege access to AWS resources from mobile apps without embedding long-term keys.

Exam trap

The trap here is that candidates confuse Cognito user pools (which handle authentication and issue JWTs) with identity pools (which provide temporary AWS credentials), or mistakenly think root keys or open bucket policies are acceptable for mobile distribution.

686 (MCQ, hard)

A Lambda function needs to read from a DynamoDB table and send messages to an SQS queue. The function's IAM role should follow the principle of least privilege. Which policy statement should be attached to the role?

A. {"Effect":"Allow","Action":["dynamodb:*"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"}
B. {"Effect":"Allow","Action":["dynamodb:GetItem"],"Resource":"arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"}, {"Effect":"Allow","Action":["sqs:SendMessage"],"Resource":"arn:aws:sqs:us-east-1:123456789012:MyQueue"}
C. {"Effect":"Allow","Action":["dynamodb:GetItem","sqs:SendMessage","sqs:ReceiveMessage"],"Resource":"*"}
D. {"Effect":"Allow","Action":["dynamodb:GetItem","dynamodb:PutItem"],"Resource":"*"}
Answer: B

Grants only GetItem on the specific table and SendMessage on the specific queue.

Why this answer

Option B is correct because it grants only the specific DynamoDB read action (GetItem) needed to read from the table and the specific SQS write action (SendMessage) needed to send messages to the queue, scoped to the exact resource ARNs. This adheres to the principle of least privilege by not allowing any unnecessary operations or resources.

Exam trap

The trap here is that candidates often choose a wildcard resource or overly broad actions (like dynamodb:* or sqs:*) because they think it's simpler, failing to recognize that the principle of least privilege requires scoping both actions and resources to the minimum necessary.

How to eliminate wrong answers

Option A is wrong because it grants all DynamoDB actions (dynamodb:*) on the table, which includes write, delete, and administrative operations far beyond the required read-only access. Option C is wrong because it uses a wildcard resource (*) for both DynamoDB and SQS, which would allow access to any table or queue in the account, violating least privilege. Option D is wrong because it includes dynamodb:PutItem (a write action) that is not needed, and also uses a wildcard resource (*) instead of restricting to the specific table ARN.

687 (MCQ, medium)

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint backed by a Lambda function. The developer wants to enable canary deployments to shift 10% of traffic to the new version for 5 minutes before routing all traffic. Which configuration should the developer add to the SAM template?

A. DeploymentPreference with Type: Canary10Percent5Minutes
B. Add a CodeDeploy application and deployment group manually
C. DeploymentPreference with Type: Linear10PercentEvery1Minute
D. DeploymentPreference with Type: AllAtOnce
Answer: A

Canary10Percent5Minutes sends 10% traffic for 5 minutes then all.

Why this answer

SAM supports canary deployments through the DeploymentPreference property with a canary type. Option A is correct because Canary10Percent5Minutes shifts 10% of traffic for 5 minutes before shifting the rest. Option C is linear, not canary.

Option D is all-at-once. Option B describes setting up CodeDeploy by hand, a custom traffic-shifting approach rather than the SAM template configuration the question asks for.

688 (Multi-Select, easy)

Which TWO strategies can be used to reduce the risk of a failed deployment when using AWS CodeDeploy? (Select TWO.)

A. Configure automatic rollback based on CloudWatch alarms.
B. Use a canary deployment to shift traffic gradually.
C. Disable health checks to prevent false positives.
D. Require a manual approval step before deployment.
E. Deploy to all instances at once to ensure consistency.
Answers: A, B

Automatic rollback reduces downtime and impact of failed deployments.

Why this answer

Options A and B are correct. Gradual traffic shifting (canary or linear) and automatic rollback based on CloudWatch alarms reduce risk. Option E is wrong because deploying to all instances at once increases risk.

Option C is wrong because skipping health checks increases risk. Option D is wrong because a manual approval gate adds delay but does not by itself reduce the risk of a failed deployment; it can help catch issues beforehand but does not address failures during the deployment.

689 (MCQ, easy)

A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which IAM policy statement should be attached?

A. {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}
B. {"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"]}
C. {"Effect":"Deny","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}
D. {"Effect":"Allow","Action":["s3:PutObject","s3:DeleteObject"],"Resource":"arn:aws:s3:::my-bucket/*"}
Answer: B

This grants read-only access.

Why this answer

Option B is correct because it grants read-only access by allowing the `s3:GetObject` action (to read objects) and the `s3:ListBucket` action (to list objects in the bucket). The resources are correctly specified: `arn:aws:s3:::my-bucket` for the bucket-level `ListBucket` action and `arn:aws:s3:::my-bucket/*` for the object-level `GetObject` action. This combination provides the minimal permissions needed for read-only access without allowing write or delete operations.

Exam trap

The trap here is that candidates often forget to include both the bucket ARN and the object ARN, or they mistakenly use a single ARN like `arn:aws:s3:::my-bucket/*` for both actions, which would fail for `s3:ListBucket` because it requires the bucket-level ARN.

How to eliminate wrong answers

Option A is wrong because it allows all S3 actions (`s3:*`) on the bucket, which grants full administrative access, not read-only. Option C is wrong because it uses a `Deny` effect on `s3:GetObject`, which explicitly blocks read access, the opposite of what is needed. Option D is wrong because it allows `s3:PutObject` and `s3:DeleteObject`, which are write and delete operations, not read-only.
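The two least-privilege statements from questions 686 and 689, together with a small linter that flags exactly the patterns the wrong options in those questions rely on (wildcard actions, wildcard resources, and s3:ListBucket granted only against an object ARN). This is an added example, not code from the question bank or from AWS; the ARNs are the ones given in the questions and the check logic is a simplification of what a policy reviewer would look for.

```python
"""Least-privilege IAM statements from questions 686 and 689, plus a small
linter for the patterns their wrong options rely on. Added example; not code
from the question bank or from AWS."""
import json


def s3_read_only_policy(bucket: str) -> dict:
    """Read-only access to one bucket (question 689, option B).

    s3:ListBucket is evaluated against the bucket ARN and s3:GetObject
    against the object ARN, so both ARN forms are required."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def lambda_role_policy(table_arn: str, queue_arn: str) -> dict:
    """Read one DynamoDB table, send to one SQS queue (question 686, option B)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": table_arn},
            {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": queue_arn},
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_bucket_arn(resource: str) -> bool:
    # Bucket-level ARN: arn:aws:s3:::bucket (no "/" after the bucket name).
    return resource.startswith("arn:aws:s3:::") and "/" not in resource.split(":::", 1)[1]


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements; an empty list means none were found.

    Checks: wildcard actions (service:* or *), a wildcard resource ('*'), and
    s3:ListBucket granted without a bucket-level ARN, which makes listing fail."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource '*'")
        if "s3:ListBucket" in actions and not any(_is_bucket_arn(r) for r in resources):
            findings.append(f"statement {i}: s3:ListBucket granted without a bucket-level ARN")
    return findings


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"  # ARNs from question 686
    queue = "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    for policy in (s3_read_only_policy("my-bucket"), lambda_role_policy(table, queue)):
        print(json.dumps(policy, indent=2))
        print("findings:", lint_policy(policy) or "none")
    # Question 686, option C: a wildcard resource for both services
    print(lint_policy({"Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "*"}]}))
```

Running the module prints both policies with no findings, then one finding for the wildcard-resource statement. The bucket-ARN check is the one candidates most often miss: a statement that grants s3:ListBucket only on `arn:aws:s3:::my-bucket/*` passes a casual review but fails at runtime.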

690 (MCQ, hard)

An application receives webhooks from a partner. The developer must verify that each request was signed by the partner and not modified in transit. What should the application validate?

A. The source port number
B. The CloudWatch log stream name
C. The HMAC or digital signature over the payload using the shared/public key material
D. The API Gateway request ID only
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because webhook verification relies on validating a cryptographic signature (HMAC or digital signature) computed over the request payload using a pre-shared secret or public key. This ensures the payload was signed by the partner and has not been tampered with during transit, as any modification would invalidate the signature. The application must recompute the HMAC or verify the digital signature using the partner's public key and compare it to the signature provided in the request header.

Exam trap

The trap here is that candidates confuse request metadata (like source port or request ID) with cryptographic verification mechanisms, assuming any unique identifier can prove authenticity, when only HMAC or digital signatures provide integrity and sender verification.

How to eliminate wrong answers

Option A is wrong because the source port number is a transient network-layer attribute that can be spoofed or changed by NAT/firewalls, and it provides no cryptographic proof of authenticity or integrity. Option B is wrong because a CloudWatch log stream name is an AWS-specific logging resource identifier unrelated to request signing or payload integrity verification. Option D is wrong because an API Gateway request ID is a unique identifier for debugging and tracing, not a cryptographic mechanism to verify the sender's identity or detect payload tampering.
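The verification step described in question 690, worked through for the HMAC case. This is an added example, not code from the question bank or from any particular partner: the header names, the "timestamp.body" signing scheme and the secret are assumptions, and the timestamp check is an extra replay defence that the question does not mention.

```python
"""Verify a partner webhook by recomputing an HMAC-SHA256 over the raw body
(question 690). Added example; the header names, the timestamp-in-signature
scheme and the secret are assumptions, not a specific partner's format."""
import hashlib
import hmac
import time

# Constructed demo secret; in practice this comes from a secrets store, never from source code.
SHARED_SECRET = b"constructed-demo-secret-0123456789"
SIG_HEADER = "X-Partner-Signature"  # assumed header names
TS_HEADER = "X-Partner-Timestamp"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded.

    Binding the timestamp into the MAC lets the receiver reject replays."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now=None, tolerance_s: int = 300) -> bool:
    """Receiver side. Returns True only if the signature matches and is fresh.

    Verification runs over the raw request bytes, not a re-serialised JSON
    object, because any re-encoding (key order, whitespace) changes the MAC."""
    try:
        timestamp = int(headers[TS_HEADER])
        provided = headers[SIG_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: treat as unsigned
    now = time.time() if now is None else now
    if abs(now - timestamp) > tolerance_s:
        return False  # stale or future-dated: likely a replay
    expected = sign_payload(secret, timestamp, body)
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = b'{"event":"order.paid","id":"ord_123"}'  # constructed sample payload
    ts = 1_700_000_000
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign_payload(SHARED_SECRET, ts, body)}
    print("genuine:", verify_webhook(SHARED_SECRET, headers, body, now=ts + 10))
    print("tampered body:", verify_webhook(
        SHARED_SECRET, headers, body.replace(b"ord_123", b"ord_999"), now=ts + 10))
    print("replayed an hour later:", verify_webhook(SHARED_SECRET, headers, body, now=ts + 3600))
```

Two details matter in practice: compare with `hmac.compare_digest`, not `==`, and feed the verifier the exact bytes received (read the body before any framework parses it). For a digital-signature scheme the structure is the same, with the partner's public key and a signature-verify call replacing the shared secret and the HMAC recomputation.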

691 (MCQ, easy)

A developer wants to deploy a serverless application using AWS SAM. The application consists of multiple Lambda functions, an API Gateway REST API, and a DynamoDB table. The developer wants to define the application in a single template and deploy it using the AWS CLI. Which command should the developer use to package and deploy the application?

A. sam build and sam deploy
B. sam package and sam deploy
C. aws cloudformation package and aws cloudformation deploy
D. aws s3 cp and aws cloudformation create-stack
Answer: B

These are the SAM CLI commands to package and deploy.

Why this answer

Option B is correct because 'sam package' uploads the artifacts to S3 and generates a packaged template, and 'sam deploy' deploys it. Option C is wrong because 'aws cloudformation package' requires a separate manual deploy step. Option A is wrong because 'sam build' builds the application locally but does not package it.

Option D is wrong because 'aws s3 cp' only uploads files, not a template.

692 (Multi-Select, medium)

A DynamoDB table shows throttling on one partition key value. Which two signs point to a hot partition problem?

A. Most traffic targets the same partition key
B. The table has point-in-time recovery enabled
C. Consumed capacity is uneven despite total table capacity being available
D. CloudTrail is enabled in all regions
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because a hot partition occurs when a single partition key value receives a disproportionate share of read/write traffic, causing throttling on that partition even if the table's total provisioned capacity is not fully utilized. This imbalance means the partition's capacity is exhausted while other partitions remain underutilized, leading to request throttling for that specific key.

Exam trap

The trap here is that candidates confuse overall table capacity with partition-level capacity, assuming throttling only happens when total consumed capacity exceeds provisioned capacity, rather than recognizing that uneven key distribution can cause throttling on a single partition.

693 (MCQ, hard)

A company uses an S3 bucket to store sensitive documents. The bucket policy allows access only from a specific VPC endpoint. However, a developer in the same VPC is unable to access the bucket from an EC2 instance. What is the MOST likely cause?

A. The EC2 instance is routing traffic to S3 through the internet instead of the VPC endpoint.
B. The S3 bucket policy requires encryption in transit, which is not configured.
C. The VPC endpoint policy does not grant access to the developer's IAM role.
D. The EC2 instance does not have an IAM role assigned.
Answer: A

If traffic goes through the internet, the source IP won't match the VPC endpoint, causing denial.

Why this answer

S3 bucket policies that restrict access to a specific VPC endpoint require that requests originate from that endpoint. The EC2 instance must route S3 traffic through the VPC endpoint. If the instance has a public IP and routes directly to S3, the request won't go through the endpoint.

694 (MCQ, hard)

A developer wants to enforce that all requests to an Amazon S3 bucket must use HTTPS (TLS). The bucket is used for static website hosting. Which bucket policy condition should be used to deny requests that do not use HTTPS?

A. "aws:SecureTransport": "false"
B. "aws:SecureTransport": "true"
C. "aws:SourceVpc": "true"
D. "aws:Referer": "https"
Answer: A

The condition aws:SecureTransport with value 'false' matches requests that are not using HTTPS. Adding a Deny effect with this condition enforces HTTPS.

Why this answer

Option A is correct because the `aws:SecureTransport` condition key evaluates to `false` when the request is not sent over HTTPS (TLS). By using a Deny effect with this condition set to `false`, the policy blocks any HTTP requests to the S3 bucket, ensuring all traffic uses encrypted connections. This is a standard approach for enforcing TLS on S3 buckets, including those used for static website hosting.

Exam trap

The trap here is that candidates often confuse `aws:SecureTransport` with `aws:SourceVpc` or `aws:Referer`, or mistakenly think setting the condition to `true` in a Deny statement will block non-HTTPS traffic, when in fact it would block HTTPS traffic instead.

How to eliminate wrong answers

Option B is wrong because setting `aws:SecureTransport` to `true` would allow only HTTPS requests, but the question requires denying non-HTTPS requests; a Deny policy with `true` would block HTTPS traffic, which is the opposite of the desired outcome. Option C is wrong because `aws:SourceVpc` is used to restrict requests to those originating from a specific VPC, not to enforce HTTPS; setting it to `true` is invalid as this condition key expects a VPC ID, not a boolean. Option D is wrong because `aws:Referer` is used to restrict requests based on the HTTP Referer header (e.g., to prevent hotlinking), not to enforce HTTPS; the value `https` is a protocol scheme, not a valid referer pattern, and this condition does not check transport security.

695 (MCQ, hard)

A developer attached the above IAM policy to an IAM user. The user is trying to get an object from the bucket 'example-bucket' from an on-premises machine with public IP 203.0.113.5. What will happen?

A. Access is allowed because the user has an Allow effect
B. Access is denied because the condition is not met
C. Access is allowed if the user uses a VPN with the specified IP
D. Access is allowed because the user's IP is not denied
Answer: B

The condition requires the source IP to match 10.0.0.1/32.

Why this answer

Option B is correct because the policy allows s3:GetObject only from IP 10.0.0.1/32. Since the request comes from 203.0.113.5, the condition fails and access is denied. Option A is wrong because the condition is not ignored.

Option D is wrong because the condition explicitly restricts access to a specific IP. Option C is wrong because the condition restricts access to a specific IP, not to a VPN.
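A small model of how the bucket-policy conditions in questions 694 and 695 decide a request, including the exam trap from 694 (a Deny on `aws:SecureTransport: "true"` blocks the HTTPS traffic you wanted to keep) and the explicit-deny-overrides-allow rule. This is an added example, not AWS code and not the real IAM evaluation engine: it models only the Bool and IpAddress operators, action and resource wildcards, and the Deny/Allow/implicit-deny ordering; principals, NotAction and cross-account rules are left out. The bucket name and the 10.0.0.1/32 and 203.0.113.5 values come from the questions.

```python
"""Simplified model of S3 bucket-policy condition evaluation for questions
694 and 695. Added example; models Bool and IpAddress conditions and the
explicit-deny-wins rule only, not the full IAM policy evaluation logic."""
import fnmatch
import ipaddress


def https_only_policy(bucket: str) -> dict:
    """Public read plus a Deny for any request where aws:SecureTransport is false (question 694)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def source_ip_policy(bucket: str, cidr: str) -> dict:
    """Allow GetObject only when the request's source IP is inside cidr (question 695)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": cidr}}},
    ]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _conditions_match(condition: dict, context: dict) -> bool:
    """Every condition key must match; a key absent from the request context never matches."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(c) for c in _as_list(wanted)):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """'Deny' if any matching statement denies, 'Allow' if one allows, else implicit 'Deny'."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/index.html"  # constructed object ARN
    pol = https_only_policy("example-bucket")
    print("GET over HTTPS:", evaluate(pol, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print("GET over HTTP: ", evaluate(pol, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    # The exam trap: Deny with "true" blocks the HTTPS traffic you meant to keep.
    wrong = https_only_policy("example-bucket")
    wrong["Statement"][1]["Condition"]["Bool"]["aws:SecureTransport"] = "true"
    print("HTTPS with the mistaken Deny:",
          evaluate(wrong, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    ip_pol = source_ip_policy("example-bucket", "10.0.0.1/32")  # values from question 695
    print("from 203.0.113.5:", evaluate(ip_pol, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.5"}))
```

The request context dictionary stands in for the condition keys S3 populates on each request; when a key is missing the condition cannot match, which is why the source-IP policy denies a request that carries no `aws:SourceIp` at all.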

696 (MCQ, medium)

Refer to the exhibit. An IAM policy statement is attached to an AWS Lambda function's execution role. The function needs to invoke another Lambda function named 'my-function'. However, the invocation fails with an access denied error. What is the most likely cause?

A. The action should be 'lambda:*' to allow all Lambda actions.
B. The Lambda function has a timeout set too low.
C. The resource ARN is missing the function name.
D. The policy is attached to the wrong IAM role.
Answer: D

If the execution role does not have this policy, invocation fails.

Why this answer

The policy allows lambda:InvokeFunction on the specific function ARN, so the statement itself should work; Option D is correct because the remaining explanation is that it is attached to the wrong role. Option C is incorrect because the resource ARN already includes the function name.

Option A is incorrect because lambda:InvokeFunction is the action needed and it is allowed. Option B is incorrect because the error is access denied, not a timeout.

697 (MCQ, medium)

A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use by default?

A. Static credentials committed to Git
B. A credentials file copied into the AMI
C. The root account access key
D. Temporary credentials from the instance profile role
Answer: D

Correct for the stated requirement.

Why this answer

Option D is correct because the AWS SDK on EC2 automatically retrieves temporary credentials from the instance metadata service (IMDS) at http://169.254.169.254/latest/meta-data/iam/security-credentials/. These credentials are provided by the IAM role attached to the EC2 instance (the instance profile role) and are rotated automatically, eliminating the need to store long-term credentials on the instance.

Exam trap

The trap here is that candidates may think manually embedding credentials (via a file or environment variable) is acceptable, but the AWS SDK on EC2 is designed to use the instance profile role by default, and any static credential source is both insecure and not the default behavior.

How to eliminate wrong answers

Option A is wrong because committing static credentials to Git is a severe security risk and violates AWS best practices; the SDK does not default to Git-stored credentials. Option B is wrong because copying a credentials file into the AMI embeds long-term credentials in the image, which can be exposed if the AMI is shared or reused, and the SDK does not default to an AMI-embedded file. Option C is wrong because root account access keys are highly privileged, static, and should never be used in application code; the SDK does not default to root keys.

698 (Multi-Select, easy)

A developer is troubleshooting an AWS Lambda function that is timing out. The function is configured with a 3-second timeout. Which of the following could cause the function to timeout? (Choose THREE.)

A. The function's reserved concurrency is set to 0.
B. The function has a dead-letter queue configured.
C. The function is configured to access a VPC without a NAT gateway.
D. The function experiences a cold start.
E. The function's deployment package is larger than 50 MB.
Answers: A, C, D

Reserved concurrency of 0 prevents the function from scaling, causing throttling.

Why this answer

Options A, C, and D are correct. Option D is correct because cold starts add latency. Option C is correct because a function attached to a VPC without a NAT gateway cannot reach the internet, which can cause network timeouts.

Option E is wrong because a larger deployment package does not directly cause timeouts. Option B is wrong because a DLQ handles failed asynchronous invocations; it does not cause timeouts. Option A is correct because a reserved concurrency of 0 throttles the function, which can lead to timeout errors while invocations wait.

699 (MCQ, easy)

A developer wants to invoke an AWS Lambda function every hour to perform a maintenance task. Which AWS service should be used to schedule the invocation?

A. Amazon Simple Queue Service (SQS)
B. AWS Step Functions
C. Amazon CloudWatch Events (EventBridge)
D. Amazon Simple Notification Service (SNS)
Answer: C

EventBridge can trigger Lambda on a schedule.

Why this answer

Amazon CloudWatch Events (now Amazon EventBridge) can schedule Lambda invocations, so Option C is correct. Option A (SQS) is for message queues.

Option D (SNS) is for notifications. Option B (Step Functions) is for workflows, not simple scheduling.

700 (Multi-Select, hard)

A company is implementing a CI/CD pipeline for a containerized application using Amazon ECS and AWS CodePipeline. The team wants to ensure zero-downtime deployments. Which THREE strategies should the team implement? (Choose THREE.)

A. Use a blue/green deployment strategy with an Application Load Balancer.
B. Use a rolling update with a fixed batch size of 100% of tasks.
C. Use ECS service auto scaling to maintain desired count during deployment.
D. Configure the ECS service with health check grace period.
E. Stop all existing tasks before starting new tasks.
Answers: A, C, D

Blue/green deployments allow traffic to be shifted gradually, ensuring zero downtime.

Why this answer

Options A, C, and D are correct. Using a blue/green deployment with a load balancer, configuring a health check grace period, and using ECS service auto scaling to maintain the desired count together ensure zero downtime. Option E is incorrect because stopping all tasks causes downtime.

Option B is incorrect because a rolling update with a 100% batch size replaces every task at once and can cause downtime if not managed carefully; it is not a zero-downtime best practice.

701 (MCQ, easy)

A developer is building a serverless application and wants to invoke an AWS Lambda function every hour to perform a cleanup task. Which AWS service should the developer use to schedule the invocation?

A. AWS Step Functions
B. Amazon SNS
C. Amazon SQS
D. Amazon EventBridge (CloudWatch Events)
Answer: D

EventBridge can create rules to invoke Lambda functions on a schedule.

Why this answer

The correct answer is D. Amazon CloudWatch Events (now Amazon EventBridge) can schedule events to trigger Lambda functions at specified intervals. Option C is wrong because SQS is a message queue, not a scheduler.

Option A is wrong because Step Functions orchestrates workflows but does not schedule invocations directly. Option B is wrong because SNS is a notification service.

702 (MCQ, medium)

A developer is monitoring an AWS Lambda function that is triggered by an Amazon SQS queue. The function's CloudWatch metrics show a high number of throttles. The function has a reserved concurrency of 10 and the SQS queue has a large backlog of messages. The function processes each message in about 2 seconds and has a timeout of 60 seconds. Which action will most effectively reduce the throttles and increase throughput?

A. Increase the reserved concurrency of the Lambda function to 50
B. Increase the batch size in the SQS event source mapping to 100
C. Increase the function timeout to 120 seconds
D. Decrease the reserved concurrency to 5
Answer: A

Increasing reserved concurrency allows more concurrent executions, reducing the chance of throttling and enabling more messages to be processed in parallel.

Why this answer

The high throttles indicate that the Lambda function's reserved concurrency of 10 is insufficient to handle the incoming messages from the SQS queue. By increasing reserved concurrency to 50, you allow more concurrent executions, which reduces throttling and increases throughput. The function's 2-second processing time and 60-second timeout are not the bottleneck; the concurrency limit is.

Exam trap

The trap here is that candidates may think increasing batch size or timeout will help, but they overlook that the root cause is the reserved concurrency cap, which directly limits the number of concurrent executions and is the primary driver of throttles.

How to eliminate wrong answers

Option B is wrong because increasing the batch size to 100 would cause the function to receive more messages per invocation, but with a reserved concurrency of 10, the function can only process 10 batches concurrently, so throttles would persist and latency could increase due to longer processing per batch. Option C is wrong because increasing the timeout to 120 seconds does not address the concurrency limit; the function already completes in 2 seconds, so a longer timeout has no effect on throttles. Option D is wrong because decreasing reserved concurrency to 5 would reduce the number of concurrent executions, worsening throttles and decreasing throughput.

703
MCQhard

A developer has attached the IAM policy shown in the exhibit to a user. The user reports that they can upload and delete objects in the bucket 'my-bucket', but cannot list the objects in the bucket. What is the MOST likely reason?

A.The IAM policy is missing the s3:GetObject permission for listing.
B.The bucket has a bucket policy that denies s3:ListBucket.
C.The user is using the ListObjectsV2 API call instead of ListObjects.
D.The bucket is in a different region than the default region configured in the AWS CLI.
AnswerB

An explicit deny in a bucket policy overrides an allow from an IAM policy.

Why this answer

Option B is correct. The IAM policy in the exhibit grants s3:ListBucket at the bucket level (arn:aws:s3:::my-bucket), so the IAM policy itself allows listing. If the user can still upload and delete objects but cannot list them, something outside the IAM policy must be denying s3:ListBucket, and an explicit deny in a bucket policy overrides an allow from an IAM policy. (Listing a specific prefix without a matching permission can also fail, but here the policy allows ListBucket on the whole bucket.)

Option A is wrong because listing requires s3:ListBucket, not s3:GetObject. Option C is wrong because using ListObjectsV2 instead of ListObjects does not change the permission that is evaluated. Option D is wrong because the bucket's region does not affect permissions.

704
MCQmedium

A company uses AWS KMS to encrypt data at rest in S3. The security team wants to audit all use of the KMS key, including decryption operations. What should the developer enable?

A.Enable AWS Config rules to monitor key usage.
B.Enable AWS CloudTrail with data events for the KMS key.
C.Enable S3 server access logging.
D.Create a CloudWatch Logs log group and stream KMS logs.
AnswerB

CloudTrail data events capture KMS Decrypt and other operations on the key, providing full auditability.

Why this answer

AWS CloudTrail logs all KMS API calls, including Decrypt, Encrypt, and GenerateDataKey. This provides the audit trail required. Option C is wrong because S3 server access logs do not include KMS operation details.

Option D is wrong because CloudWatch Logs is for log storage, not for capturing API calls. Option A is wrong because AWS Config records resource configuration changes, not API calls.

705
MCQeasy

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint and a Lambda function. The developer wants to ensure that the Lambda function can be invoked only by the API Gateway and not directly. Which configuration should be used?

A.Configure a VPC endpoint policy that allows only API Gateway.
B.Add a resource-based policy with 'aws:SourceAccount' condition.
C.Add a resource-based policy with 'aws:SourceVpce' condition set to the API Gateway VPC endpoint ID.
D.Add a resource-based policy with 'aws:SourceArn' condition set to the API Gateway ARN.
AnswerD

This restricts invocation to the specific API Gateway.

Why this answer

Option D is correct because a resource-based policy statement with an 'aws:SourceArn' condition restricts invocation to the specific API Gateway ARN. Option B is wrong because 'aws:SourceAccount' alone does not restrict invocation to API Gateway. Option A is wrong because VPC endpoint policies control access to the VPC endpoint, not Lambda invocation.

Option C is wrong because Lambda resource policies cannot use 'aws:SourceVpce'.

706
MCQhard

A developer runs the above CLI command to check a Lambda function's logs. The function is invoked but no logs appear in CloudWatch. The IAM role for the Lambda function has the AWSLambdaBasicExecutionRole managed policy attached. What is the most likely cause?

A.The log group's retention policy has deleted older logs.
B.The CloudWatch Logs service is not enabled in the region.
C.The Lambda function's IAM role does not have permission to create log groups.
D.The Lambda function is not being invoked.
AnswerA

Retention 30 days may have purged logs.

Why this answer

Option A is correct because the log group exists (storedBytes > 0) but retention is 30 days, so logs older than 30 days are deleted. The developer may be looking at a timeframe beyond retention. Option C is incorrect because the role has the necessary permissions (AWSLambdaBasicExecutionRole includes CreateLogGroup, CreateLogStream, and PutLogEvents).

Option D is incorrect because the function is being invoked (otherwise storedBytes would be 0). Option B is incorrect because storedBytes is not zero, indicating logs were written.

707
MCQhard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed to deploy.' The CodeDeploy agent logs show that the BeforeInstall lifecycle event script returned a non-zero exit code. What is the MOST likely cause of this issue?

A.The application revision is missing from the S3 bucket.
B.The BeforeInstall script has a bug that causes it to exit with a non-zero status.
C.The IAM instance profile does not have permissions to call CodeDeploy APIs.
D.The CodeDeploy agent is not running on the instances.
AnswerB

Lifecycle event scripts must exit with zero to indicate success; a non-zero exit indicates failure.

Why this answer

Option B is correct because a non-zero exit code from a lifecycle event script causes the deployment to fail on that instance. Option D is incorrect because if the agent were not running, the deployment would not even start. Option A is incorrect because a missing application revision would cause a different error.

Option C is incorrect because IAM permissions issues would prevent the agent from downloading the revision, not cause a script to fail.

708
Matchingmedium

Match each HTTP status code to its meaning.


Concepts
Matches

OK

Created

Bad Request

Forbidden

Internal Server Error

Why these pairings

Understanding HTTP status codes is essential for API development.

709
Multi-Selecthard

Which TWO are best practices for optimizing DynamoDB performance? (Choose two.)

Select 2 answers
A.Use SQS to decouple write-heavy workloads and handle spikes.
B.Use partition keys with high cardinality to distribute traffic evenly.
C.Provision maximum write capacity units to handle any spike.
D.Use Scan operations instead of Query for retrieving data.
E.Enable strongly consistent reads for all read operations.
AnswersA, B

SQS buffers writes to DynamoDB.

Why this answer

Option A is correct because using SQS to decouple write-heavy workloads allows DynamoDB to absorb traffic spikes by buffering writes in a queue, preventing throttling and enabling batch processing. This pattern, often called 'queue-based load leveling,' ensures that DynamoDB's provisioned capacity is not overwhelmed by sudden bursts, improving overall system resilience and cost efficiency.

Exam trap

The trap here is that candidates often confuse 'handling spikes' with over-provisioning capacity (Option C) instead of using decoupling patterns like SQS, or they mistakenly believe that Scan operations are acceptable for frequent data retrieval, ignoring the cost and performance penalties.

710
MCQhard

A developer is deploying an application on Amazon ECS with Fargate. The application needs to access an S3 bucket that contains sensitive data. The developer wants to avoid storing AWS credentials in the container image. What is the MOST secure way to grant the application access to the S3 bucket?

A.Create an IAM task role with a policy that allows S3 access and specify it in the task definition.
B.Set the AWS credentials as environment variables in the task definition.
C.Store the credentials in an EFS volume and mount it to the container.
D.Use an IAM instance profile attached to the underlying EC2 instance.
AnswerA

Task roles provide credentials automatically via ECS.

Why this answer

Option A is correct because an IAM task role for ECS tasks allows the container to assume the role without storing credentials. Option B is wrong because environment variables are not secure. Option C is wrong because mounting credentials in a volume is insecure.

Option D is wrong because IAM instance profiles are for EC2 instances, not Fargate tasks.

711
MCQhard

Refer to the exhibit. A developer tried to create a CloudFormation stack that includes an EC2 instance. The stack creation failed and rolled back. What should the developer do to get more details about the failure?

A.Review the CloudFormation template syntax.
B.Use the `detect-stack-drift` command.
C.Run `aws cloudformation describe-stack-events` for the stack.
D.Update the stack with the same template to see the error.
AnswerC

Stack events provide detailed error messages.

Why this answer

Option C is correct because the `describe-stack-events` command shows detailed events, including resource status reasons. Option A is wrong because the template syntax itself is not the issue. Option D is wrong because the stack has already rolled back, so updating it with the same template does not reveal the original error.

Option B is wrong because there is no drift to detect on a failed creation.

712
MCQmedium

A developer is building a RESTful API using Amazon API Gateway and Lambda. The API should support CORS for a specific origin (https://example.com) and allow only GET and POST methods. Which configuration in the OPTIONS method response will satisfy these requirements?

A.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Methods: GET,POST
B.Access-Control-Allow-Origin: *, Access-Control-Allow-Methods: GET,POST,OPTIONS
C.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Methods: GET,POST,OPTIONS
D.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Headers: Content-Type
AnswerA

This configuration returns the specific origin and allowed methods, which is sufficient for the preflight request.

Why this answer

Option A is correct because the OPTIONS method response must include the `Access-Control-Allow-Origin` header set to the specific origin `https://example.com` to restrict CORS access, and the `Access-Control-Allow-Methods` header must list only the allowed HTTP methods (`GET,POST`). The OPTIONS method itself is a preflight request and does not need to be listed in the allowed methods; it is automatically handled by the browser. This configuration satisfies the requirement of supporting CORS for a single origin and only GET and POST methods.

Exam trap

The trap here is that candidates often mistakenly include `OPTIONS` in the `Access-Control-Allow-Methods` header, thinking it must be listed because the preflight request uses that method, but the correct behavior is to only list the actual HTTP methods (GET, POST) that the API supports for the main request.

How to eliminate wrong answers

Option B is wrong because it uses a wildcard origin (`*`), which does not satisfy the requirement for a specific origin (`https://example.com`), and it incorrectly includes `OPTIONS` in the allowed methods list, which is unnecessary and could cause confusion. Option C is wrong because it includes `OPTIONS` in the `Access-Control-Allow-Methods` header; the OPTIONS method is the preflight request itself and should not be listed as an allowed method in the response. Option D is wrong because it specifies `Access-Control-Allow-Headers` instead of `Access-Control-Allow-Methods`, and it omits the required `Access-Control-Allow-Methods` header entirely, so the browser would not know which HTTP methods are permitted.

713
MCQeasy

A developer is creating a CI/CD pipeline for a serverless application using AWS CodePipeline. The application consists of an AWS Lambda function, an Amazon API Gateway REST API, and an Amazon DynamoDB table. Which action should the developer take to automate the deployment of the API Gateway updates?

A.Use AWS Lambda to update the API Gateway configuration.
B.Store the API Gateway Swagger file in Amazon S3 and trigger a deployment.
C.Use AWS CloudFormation to define and deploy the API Gateway.
D.Use AWS CodeBuild to compile and deploy the API Gateway configuration.
AnswerC

CloudFormation provides infrastructure as code and automated deployments.

Why this answer

Option C is correct because AWS CloudFormation can deploy and update API Gateway as part of infrastructure as code. Option A is wrong because Lambda only updates function code. Option D is wrong because CodeBuild builds artifacts; it doesn't deploy API Gateway directly.

Option B is wrong because S3 doesn't deploy API Gateway.

714
MCQmedium

A developer is deploying a web application on AWS Elastic Beanstalk. The application requires a fixed IP address for outbound traffic to a third-party API. What is the MOST cost-effective solution?

A.Launch the environment in a VPC with a NAT Gateway in a public subnet.
B.Attach an Internet Gateway to the VPC.
C.Use a VPC endpoint for the third-party API.
D.Assign an Elastic IP to each EC2 instance.
AnswerA

NAT Gateway provides a fixed public IP for outbound traffic.

Why this answer

Option A is correct because a NAT Gateway in a public subnet provides a fixed public IP for outbound traffic from EC2 instances in private subnets. Option B is wrong because an Internet Gateway does not provide a fixed IP. Option D is wrong because Elastic IPs attached to individual instances are not easily managed by Elastic Beanstalk.

Option C is wrong because a VPC endpoint is for private connectivity to AWS services, not third-party APIs.

715
MCQeasy

A developer is writing an AWS Lambda function that processes messages from an Amazon SQS queue. The function should process each message at least once, but duplicates are acceptable. The function is triggered by a Lambda event source mapping. If the function returns an error, what happens to the message?

A.The message is sent to a dead-letter queue (DLQ).
B.The message is deleted from the queue to prevent duplicate processing.
C.Lambda automatically retries the function with a 1-minute delay.
D.The message remains in the queue and becomes visible after the visibility timeout expires.
AnswerD

Lambda does not delete the message; it becomes visible again for reprocessing.

Why this answer

Option D is correct because with a Lambda event source mapping, if the function fails, the message is not deleted from the queue and becomes visible again after the visibility timeout. Option A is wrong because a DLQ is not automatically configured. Option C is wrong because Lambda does not automatically retry with a delay; the SQS visibility timeout controls the retry.

Option B is wrong because the message is not deleted; it remains in the queue.

716
MCQmedium

A developer is building a mobile application that uses Amazon Cognito User Pools for authentication. The app needs to access a REST API hosted on AWS. The developer wants to use Cognito to authorize API requests. The API Gateway is configured with a Cognito User Pool authorizer. However, when testing, the API returns a 401 Unauthorized error even though the user is authenticated. The developer verified that the user exists in the user pool and the ID token is valid. What is the MOST likely cause and solution?

A.The API Gateway authorizer is not properly configured. The developer should delete and recreate the authorizer.
B.The developer is using the wrong token. The API Gateway authorizer requires the access token, not the ID token.
C.The API request is missing the Authorization header with the token. The developer should add the token to the Authorization header.
D.The API Gateway method request header is not mapped. The developer should add a mapping template to pass the token.
AnswerC

API Gateway expects the token in the Authorization header by default.

Why this answer

Option C is correct because the API Gateway authorizer expects an Authorization header with the token, and if the token is missing or in the wrong header, it returns 401. Option D is wrong because a method request header mapping is not needed. Option B is wrong because the token should be the ID token, not the access token.

Option A is wrong because the authorizer is already configured.

717
MCQeasy

A developer is troubleshooting an AWS Lambda function that is timing out. The function processes S3 events and writes to DynamoDB. The average execution time is 5 seconds, but the function times out after 3 seconds. What is the most likely cause?

A.The S3 bucket is not configured to send event notifications.
B.DynamoDB write capacity is insufficient.
C.The Lambda function timeout is set to 3 seconds.
D.The Lambda function concurrency limit is exceeded.
AnswerC

Default timeout is 3 seconds; increase it to match execution time.

Why this answer

The Lambda timeout setting defaults to 3 seconds. To fix this, increase the timeout in the Lambda configuration to a value higher than the maximum expected execution time (e.g., 10 seconds). Option A is wrong because S3 event notifications are asynchronous and do not cause timeouts.

Option B is wrong because DynamoDB write capacity issues would cause throttling, not timeout. Option D is wrong because Lambda concurrency limits affect invocation throttling, not execution timeout.

718
Multi-Selecthard

A company uses AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy. Recently, deployments have been failing because the CodeBuild project cannot download dependencies from the internet. The build environment does not have internet access due to VPC settings. Which THREE steps should a developer take to resolve this issue? (Choose THREE.)

Select 3 answers
A.Configure a NAT gateway in the public subnet to allow outbound internet access.
B.Move the source stage to use S3 instead of CodeCommit.
C.Place the CodeBuild project in a private subnet of the VPC.
D.Assign a public IP address to the CodeBuild project.
E.Create VPC endpoints for Amazon S3 to allow access to dependencies in S3.
AnswersA, C, E

NAT enables internet from private subnet.

Why this answer

Options A, C, and E are correct because placing CodeBuild in a private subnet with VPC endpoints for S3 and using a NAT gateway allows internet access for dependencies. Option D is wrong because CodeBuild does not need a public IP. Option B is wrong because CodeCommit is not the issue.

719
MCQmedium

A developer is building a mobile backend using Amazon API Gateway and AWS Lambda. The API has a single endpoint that accepts POST requests with a JSON payload and stores the data in an Amazon DynamoDB table. The developer wants to implement caching to reduce latency and costs. The data is user-specific and should not be shared between users. The developer configures API Gateway caching with a TTL of 300 seconds. After testing, the developer notices that users are seeing other users' data. What should the developer do to fix this issue?

A.Enable cache key parameters in API Gateway, such as the Authorization header.
B.Store cached responses in DynamoDB and retrieve them based on user ID.
C.Use Lambda@Edge to cache responses at the CloudFront level.
D.Disable API Gateway caching and use DynamoDB Accelerator (DAX) instead.
AnswerA

Cache keys ensure that responses are cached per user by including user-specific headers.

Why this answer

Option A is correct because enabling cache keys for headers like Authorization ensures cached responses are per user. Option D is wrong because disabling caching removes its benefits. Option B is wrong because DynamoDB is for storage, not caching.

Option C is wrong because Lambda@Edge is for CloudFront, not API Gateway caching.

720
Multi-Selecteasy

A developer is building a serverless application that uses Amazon S3 for static website hosting and AWS Lambda for dynamic API calls. The developer wants to enable logging of all API requests. Which TWO services can be used to log API requests? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon S3 server access logs
E.Amazon Route 53 logs
AnswersA, B

Can capture API Gateway execution logs.

Why this answer

Options A and B are correct. A: Amazon CloudWatch Logs can capture API Gateway logs. B: AWS CloudTrail logs API calls for auditing.

Option D is wrong because S3 server access logs record S3 requests, not API calls. Option C is wrong because VPC Flow Logs log network traffic. Option E is wrong because Route 53 logs record DNS queries.

721
MCQhard

A developer is deploying a microservices architecture on Amazon ECS using Fargate launch type. The services need to communicate with each other. The developer wants to use service discovery so that services can find each other by name. Which AWS service should the developer use?

A.Amazon Route 53 private hosted zones
B.Amazon ECR
C.Application Load Balancer
D.AWS Cloud Map
AnswerD

Cloud Map is integrated with ECS and provides service discovery.

Why this answer

Option D is correct because AWS Cloud Map is a service discovery service that allows you to register and discover services by name. Option A is wrong because Route 53 is for DNS resolution but not designed for dynamic service discovery in ECS. Option C is wrong because a load balancer is for load balancing, not service discovery.

Option B is wrong because ECR is a container registry.

722
Multi-Selecteasy

A developer is using AWS CodePipeline to automate the deployment of a web application. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which TWO actions can the developer take to automatically trigger the pipeline when new code is uploaded to the S3 bucket?

Select 2 answers
A.Configure an Amazon SQS queue to poll the S3 bucket for new objects and invoke the pipeline.
B.Configure an S3 event notification that sends to an Amazon SNS topic, which triggers an AWS Lambda function that starts the pipeline.
C.Configure an Amazon CloudWatch Events rule that detects S3 object creation events and triggers the pipeline.
D.Use an AWS Lambda function that periodically checks the S3 bucket for new objects.
E.Use AWS CodeStar to automatically detect changes in the S3 bucket.
AnswersB, C

This is a valid custom trigger mechanism.

Why this answer

Option B (S3 event notification to SNS, which triggers Lambda to start the pipeline) and Option C (CloudWatch Events rule for S3 object creation events) are both valid. Option A (SQS polling) is not automatic. Option E (CodeStar) is not a trigger.

Option D (a Lambda function polling periodically) is not automatic.

723
MCQeasy

A developer needs to grant an IAM user in Account A access to an S3 bucket in Account B. What is the correct combination of policies?

A.An S3 bucket policy in Account B that allows the IAM user's ARN.
B.An IAM policy in Account A allowing access to the S3 bucket, and a bucket policy in Account B allowing the IAM user.
C.An IAM policy in Account A allowing access, and a bucket ACL in Account B granting access to the IAM user.
D.Create an IAM role in Account B that the user can assume, and attach a bucket policy allowing the role.
AnswerB

Both policies are required for cross-account access.

Why this answer

Option B is correct because cross-account S3 access requires two policies: an IAM policy in the source account (Account A) granting the user permission to perform S3 actions on the bucket, and a bucket policy in the target account (Account B) that explicitly allows the IAM user's ARN. The bucket policy acts as a resource-based policy that delegates access to the external principal, while the IAM policy authorizes the user to make the request. Without both, the request will be denied by either the source account's implicit deny or the target account's default deny.

Exam trap

The trap here is that candidates often think a bucket policy alone is sufficient for cross-account access (Option A), forgetting that the IAM user's own account must also explicitly authorize the action through an IAM policy.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy alone in Account B that allows the IAM user's ARN is insufficient — the IAM user in Account A still needs an IAM policy that explicitly grants permission to perform the S3 action, otherwise the request is denied by the source account's implicit deny. Option C is wrong because bucket ACLs do not support granting access to IAM users from another AWS account; ACLs only support AWS accounts or predefined groups, not individual IAM user ARNs. Option D is wrong because while creating an IAM role in Account B and allowing the user to assume it is a valid cross-account access pattern, the question specifically asks for granting access to an IAM user directly, not via role assumption; additionally, the bucket policy would need to allow the role's ARN, not the user's ARN, making this a different mechanism than what the question describes.

724
MCQhard

A company uses a customer managed AWS KMS key to encrypt sensitive data stored in DynamoDB. A Lambda function reads from the DynamoDB table and needs to decrypt the data. The Lambda function's execution role has an IAM policy that allows kms:Decrypt on the key. However, access is denied. What must the developer add to the KMS key policy to resolve the issue?

A.Add a statement granting kms:Decrypt to the Lambda function's execution role.
B.Add a statement granting kms:Decrypt to the Lambda function's resource-based policy.
C.Add a statement granting kms:Decrypt to the Lambda service principal.
D.Add a statement granting kms:Decrypt to the account root user with a condition for the Lambda function.
AnswerA

Correct. The key policy must explicitly allow the IAM role to perform kms:Decrypt.

Why this answer

The correct answer is A because KMS key policies are resource-based policies that control access to the key itself. Even if the Lambda execution role has an IAM policy granting kms:Decrypt, the KMS key policy must explicitly allow the role (or the user/account) to perform that action. Without this statement in the key policy, the IAM permission is ineffective, resulting in an access denied error.

Exam trap

The trap here is that candidates often assume IAM permissions alone are sufficient for KMS operations, forgetting that KMS key policies act as an additional layer of access control that must explicitly allow the principal.

How to eliminate wrong answers

Option B is wrong because Lambda functions do not have resource-based policies that can grant KMS permissions; KMS actions must be authorized via the key policy or IAM, not a Lambda resource policy. Option C is wrong because granting kms:Decrypt to the Lambda service principal would allow any Lambda function in the account to decrypt using the key, which is overly permissive and not the correct way to grant access to a specific function. Option D is wrong because granting kms:Decrypt to the account root user with a condition for the Lambda function is unnecessarily complex and not a standard pattern; the root user already has full control over the key, and conditions cannot directly reference a Lambda function's identity in a reliable way.

725
MCQmedium

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function asynchronously. What does the response indicate?

A.The function executed successfully and returned output.
B.The invocation was denied due to insufficient permissions.
C.The function was invoked synchronously and returned an error.
D.The function invocation was accepted but the function failed to execute successfully.
AnswerD

202 with FunctionError indicates asynchronous invocation failure.

Why this answer

Correct: D. The StatusCode 202 indicates the invocation was accepted. However, the FunctionError set to 'Unhandled' means the function invocation failed and the error was not handled by the function's error handling (e.g., a caught exception or DLQ).

Option A is wrong because 202 does not mean success. Option B is wrong because 202 means accepted, not denied. Option C is wrong because the invocation type is Event (async), not synchronous.

726
MCQmedium

A CodePipeline source stage should start when code is pushed to a repository, without scheduled polling. Which integration pattern should be used?

A.Manual approval only
B.Event-based trigger from the source provider/EventBridge integration
C.A cron job on an EC2 instance
D.CloudWatch Logs Insights
AnswerB

Correct for the stated requirement.

Why this answer

Option B is correct because AWS CodePipeline can integrate with Amazon EventBridge to listen for repository events (e.g., push events from CodeCommit, GitHub, or Bitbucket) and automatically start the pipeline. This event-driven pattern eliminates the need for scheduled polling, providing near-instantaneous execution when code changes are detected.

Exam trap

The trap here is that candidates may confuse manual approval (a pipeline action) with a trigger mechanism, or assume that CloudWatch Logs Insights can initiate pipeline executions, when in fact only EventBridge or webhook-based integrations provide the required event-driven, polling-free source trigger.

How to eliminate wrong answers

Option A is wrong because manual approval is a gate that pauses pipeline execution for human review, not a mechanism to trigger the pipeline on code push. Option C is wrong because a cron job on an EC2 instance would require custom scripting, polling the repository periodically, and introduces unnecessary complexity, latency, and maintenance overhead compared to a native event-driven integration. Option D is wrong because CloudWatch Logs Insights is a query tool for analyzing log data, not a trigger mechanism for CodePipeline source stages.

727
Multi-Selectmedium

Which THREE are valid methods to handle application configuration in AWS? (Choose three.)

Select 3 answers
A.AWS CloudFormation template parameters
B.AWS Secrets Manager
C.AWS IAM roles
D.Lambda environment variables
E.AWS Systems Manager Parameter Store
AnswersB, D, E

Manages secrets like database passwords.

Why this answer

AWS Secrets Manager is a valid method for handling application configuration because it securely stores and manages sensitive configuration data such as database credentials, API keys, and other secrets. It supports automatic rotation of secrets, fine-grained access control via IAM policies, and integrates with AWS services like RDS, Redshift, and Lambda. This makes it ideal for managing dynamic configuration values that require high security and lifecycle management.

Exam trap

The trap here is that candidates often confuse IAM roles with configuration storage, thinking that roles can hold configuration data, when in fact roles only define permissions and cannot store key-value pairs or secrets.

728
MCQ (hard)

A developer notices that an AWS Lambda function, which uses Amazon RDS Proxy to connect to an Aurora MySQL database, is experiencing increased latency and occasional connection timeouts. The function is configured with a reserved concurrency of 100 and is deployed in a VPC. The RDS Proxy's maximum connections is set to 1000. CloudWatch metrics show that the DatabaseConnections metric for the proxy is consistently at 1000. What is the most likely cause of the increased latency and timeouts?

A.The Lambda function is not reusing database connections properly, exhausting the proxy connection pool
B.The RDS Proxy target group is not configured with the correct DB instance
C.The Lambda function's execution role is missing the rds-db:connect permission
D.The VPC does not have a NAT Gateway for outbound traffic
Answer: A

Correct. Each invocation opens a new connection without reuse, causing the proxy to reach its connection limit.

Why this answer

The RDS Proxy's DatabaseConnections metric is consistently at 1000, which equals the proxy's maximum connections setting. This indicates the proxy connection pool is fully saturated. When all connections are in use, new connection requests from Lambda invocations must wait, causing increased latency, and if the wait exceeds the timeout, connection timeouts occur.

The most likely cause is that the Lambda function is not reusing database connections (e.g., not using connection pooling or keeping connections open across invocations), exhausting the pool.

Exam trap

The trap here is that candidates may focus on the reserved concurrency (100) versus proxy max connections (1000) and assume the numbers are fine, missing that the real issue is connection reuse per invocation, not the total count.

How to eliminate wrong answers

Option B is wrong because if the target group were misconfigured, the proxy would fail to connect to the database entirely, not just experience latency and timeouts while the connection pool is full. Option C is wrong because missing the rds-db:connect permission would cause immediate authentication failures (e.g., 'Access denied') for all connection attempts, not gradual pool exhaustion. Option D is wrong because Lambda functions in a VPC use Elastic Network Interfaces (ENIs) for outbound traffic to RDS Proxy within the same VPC; a NAT Gateway is only needed for internet-bound traffic, not for connecting to RDS Proxy in the same VPC.

729
Multi-Select (medium)

A developer is implementing a solution to store application logs from multiple EC2 instances. The logs must be stored in a centralized location for analysis. Which services can the developer use to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.Amazon Kinesis Data Analytics
D.Amazon DynamoDB
E.Amazon S3
Answers: A, E

CloudWatch Logs can collect and store logs from EC2 instances.

Why this answer

Option A is correct because CloudWatch Logs can aggregate logs from EC2 instances via the CloudWatch agent. Option E is correct because S3 can store log files as a centralized repository. Option B is wrong because CloudTrail is for API activity, not application logs.

Option D is wrong because DynamoDB is not optimized for log storage. Option C is wrong because Kinesis Data Analytics processes streams; it does not store logs.

730
MCQ (hard)

A company uses an AWS Lambda function to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. The Lambda function is configured with an IAM role that has policies allowing s3:GetObject on the bucket and dynamodb:PutItem on the table. Despite correct permissions, the function fails with an AccessDenied error when trying to put items. What is the most likely cause?

A.The Lambda function is in a VPC without a VPC endpoint for DynamoDB.
B.The DynamoDB table has a resource-based policy that explicitly denies access to the Lambda function's IAM role.
C.The S3 bucket is in a different region, causing cross-region access issues.
D.The DynamoDB table is encrypted with a customer managed KMS key, and the Lambda role does not have kms:Decrypt permission.
Answer: B

Resource-based policies can override IAM permissions.

Why this answer

The correct answer is B because DynamoDB tables can have resource-based policies that explicitly deny access even if the IAM role has the necessary permissions. Since explicit denies in resource-based policies override any allow in identity-based policies, the Lambda function's IAM role with dynamodb:PutItem permission is still blocked, causing the AccessDenied error.

Exam trap

The trap here is that candidates often assume IAM role permissions alone guarantee access, forgetting that resource-based policies on DynamoDB tables can explicitly deny access, which overrides any allow in identity-based policies.

How to eliminate wrong answers

Option A is wrong because a Lambda function in a VPC without a VPC endpoint for DynamoDB would cause a network timeout or connectivity error, not an AccessDenied error, as DynamoDB calls go over HTTPS and the error would be a timeout or connection failure, not an IAM permission denial. Option C is wrong because S3 and DynamoDB are both global services; cross-region access is fully supported and does not cause AccessDenied errors—the error would be a different type like a timeout or throttling if there were latency issues. Option D is wrong because while KMS permissions are needed for encrypted tables, the error message would be a KMS AccessDenied or a 400 error, not a generic AccessDenied on PutItem, and the question states the function fails specifically when trying to put items, not during encryption/decryption.

731
MCQ (easy)

A developer is storing application configuration data in DynamoDB. The data is frequently accessed by partition key, and items are small (less than 1KB). The read traffic is consistent and predictable. Which read capacity mode is most cost-effective for this workload?

A.On-demand
B.Provisioned with auto scaling
C.Provisioned with reserved capacity
D.Provisioned with fixed capacity
Answer: D

Fixed provisioned read capacity is the most cost-effective for consistent, predictable workloads because you pay a lower hourly rate for the capacity you configure.

Why this answer

Provisioned with fixed capacity is the most cost-effective option for this workload because the read traffic is consistent and predictable, and items are small (less than 1KB). With fixed provisioned capacity, you pay a flat hourly rate for a set number of read capacity units (RCUs), avoiding the per-request premium of on-demand mode or the overhead of auto scaling. Since the workload does not require elasticity, fixed capacity minimizes cost while ensuring sufficient throughput.

Exam trap

The trap here is that candidates often choose on-demand mode (Option A) thinking it is always simpler or more cost-effective, but for consistent, predictable workloads, provisioned fixed capacity is significantly cheaper because it avoids the per-request premium of on-demand pricing.

How to eliminate wrong answers

Option A is wrong because on-demand capacity mode charges per request (per RCU consumed) at a higher rate than provisioned capacity, making it more expensive for consistent, predictable workloads. Option B is wrong because provisioned with auto scaling adds unnecessary complexity and cost (e.g., scaling events may temporarily increase capacity) when the traffic is already predictable and does not require dynamic adjustments. Option C is wrong because reserved capacity is not a DynamoDB pricing model; DynamoDB offers reserved capacity for provisioned throughput via Reserved Capacity pricing (pre-purchasing RCUs at a discount), but the option is misleadingly named and not a standard read capacity mode—fixed provisioned capacity is the correct term for this scenario.

732
Multi-Select (medium)

A developer is using AWS Lambda and needs to ensure that the function can access an RDS database securely. Which THREE steps should be taken?

Select 3 answers
A.Place the Lambda function inside a VPC.
B.Store the database credentials in AWS Secrets Manager and retrieve them in the Lambda code.
C.Attach an IAM role to the Lambda function that grants rds:* permissions.
D.Configure the RDS instance to require client certificates.
E.Configure the security group of the RDS instance to allow inbound traffic from the Lambda function's security group.
Answers: A, B, E

Enables private access to RDS.

Why this answer

Options A, B, and E are correct. Option A: Lambda should be in a VPC to access RDS privately. Option B: database credentials should be stored in Secrets Manager and retrieved in the function code.

Option E: the RDS security group should allow ingress from the Lambda function's security group. Option C is wrong because Lambda does not use IAM roles for database authentication (it uses traditional credentials). Option D is wrong because Lambda cannot use client certificates for RDS.

733
MCQ (hard)

A service publishes order events to SNS. Several consumers need different filtered subsets of events without changing publisher code. What should the developer configure?

A.Separate AWS accounts for each consumer
B.Lambda code that discards unwanted events after invocation
C.SNS subscription filter policies
D.SQS long polling only
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because SNS subscription filter policies allow each consumer to define a JSON policy on their subscription that selectively delivers only messages matching specified attributes (e.g., event type, region). This enables multiple consumers to receive different filtered subsets of the same SNS topic without modifying the publisher's code, as the filtering happens server-side at the SNS service level.

Exam trap

The trap here is that candidates often confuse client-side filtering (Option B) with server-side filtering, or assume that SQS long polling (Option D) can filter messages, when in fact SNS subscription filter policies are the only native AWS mechanism for server-side message subsetting without publisher changes.

How to eliminate wrong answers

Option A is wrong because separate AWS accounts do not provide message filtering; they would require duplicating the SNS topic and publisher logic across accounts, adding complexity without solving the subset requirement. Option B is wrong because discarding unwanted events in Lambda after invocation wastes compute resources and incurs unnecessary costs, as the Lambda function is still triggered for every message, defeating the purpose of server-side filtering. Option D is wrong because SQS long polling only controls how often the consumer polls for messages, not which messages are delivered; it does not filter message content or attributes.

734
Multi-Select (easy)

Which TWO are valid deployment strategies supported by AWS CodeDeploy? (Choose TWO.)

Select 2 answers
A.Immutable deployment
B.In-place deployment
C.Canary deployment
D.All at once deployment
E.Blue/Green deployment
Answers: B, E

In-place is a CodeDeploy deployment type.

Why this answer

Options B and E are correct. CodeDeploy supports In-place (rolling) and Blue/Green deployments. Option C is incorrect because canary is not a CodeDeploy deployment type (it is for Lambda).

Option A is incorrect because immutable is not a CodeDeploy type (it is for Elastic Beanstalk). Option D is incorrect because all-at-once is not a CodeDeploy type (it is for Elastic Beanstalk).

735
Multi-Select (hard)

A company uses AWS CodeDeploy to manage deployments to an Amazon EC2 Auto Scaling group. The deployment group is configured with a blue/green deployment type. The developer notices that after a deployment, the old instances (blue environment) are terminated immediately after the new instances (green environment) pass health checks. The company wants to keep the old instances running for 30 minutes to allow for quick rollback if issues are detected. Which TWO configuration changes should the developer make to achieve this? (Choose TWO.)

Select 2 answers
A.Set the 'terminateBlueInstancesOnDeploymentSuccess' action to 'KEEP_ALIVE'.
B.Set the 'blueInstanceTermination' property to 'WAIT'.
C.Set the 'terminationWaitTimeInMinutes' to 30.
D.Set the 'blueInstanceTermination' property to 'originalSettings'.
E.Set the 'waitTimeForBlueTermination' to 30.
Answers: A, C

This tells CodeDeploy not to terminate the blue instances immediately.

Why this answer

Options A and C are correct. To retain the old instances for a period, the developer must set the 'terminateBlueInstancesOnDeploymentSuccess' action to 'KEEP_ALIVE' (option A) and specify a 'terminationWaitTimeInMinutes' value of 30 (option C). Option D is incorrect because 'originalSettings' is not a valid retention type.

Option B is incorrect because 'blueInstanceTermination' is not a property; the correct property is 'terminateBlueInstancesOnDeploymentSuccess'. Option E is incorrect because 'waitTimeForBlueTermination' is not a valid property name.

736
Multi-Select (hard)

A developer is deploying a new version of an AWS Lambda function. The function is behind an API Gateway endpoint. The developer wants to use canary deployments to gradually shift traffic to the new version. Which TWO steps should the developer perform?

Select 2 answers
A.Create a Lambda alias that points to the current version and configure routing to shift a percentage of traffic to the new version.
B.Configure Amazon CloudFront to distribute traffic between two API Gateway endpoints.
C.Update the API Gateway integration to point to the Lambda alias instead of a specific version.
D.Update the Lambda function code and publish a new version.
E.Create a new API Gateway stage for the new version and update DNS.
Answers: A, C

Alias routing enables canary deployments.

Why this answer

Options A and C are correct because creating a Lambda alias with a routing configuration and updating the API Gateway integration to point to the alias enables canary deployments. Option D is wrong because updating the function code and publishing a new version does not by itself shift traffic. Option E is wrong because creating a new API Gateway stage is unnecessary.

Option B is wrong because CloudFront is not needed.

737
MCQ (easy)

A developer is building a serverless REST API using Amazon API Gateway and AWS Lambda. The API will be consumed by a web application hosted on a different domain. The developer needs to enable Cross-Origin Resource Sharing (CORS) for all HTTP methods. What is the most efficient way to achieve this?

A.Enable CORS on the API Gateway resource using the 'Enable CORS' feature in the API Gateway console, which adds the OPTIONS method and appropriate headers.
B.In the Lambda function code, add the 'Access-Control-Allow-Origin' header to every response.
C.Configure Amazon CloudFront in front of API Gateway to handle CORS.
D.Set a bucket policy on the S3 bucket that hosts the web application to allow cross-origin requests.
Answer: A

API Gateway's built-in CORS feature automatically configures the OPTIONS method and adds the necessary headers (Access-Control-Allow-Origin, etc.) to the method responses and integration responses.

Why this answer

Option A is correct because API Gateway's 'Enable CORS' feature automatically creates an OPTIONS method for the selected resource and configures the necessary response headers (e.g., Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers) to handle preflight requests. This is the most efficient approach as it centralizes CORS configuration at the API Gateway layer, eliminating the need for manual header management in Lambda or additional infrastructure.

Exam trap

The trap here is that candidates assume adding CORS headers only in the Lambda function code is sufficient, overlooking the mandatory preflight OPTIONS request that API Gateway must handle separately.

How to eliminate wrong answers

Option B is wrong because while adding headers in Lambda is necessary for the actual response, it does not handle the preflight OPTIONS request that browsers send before cross-origin requests; without a proper OPTIONS response, CORS will fail. Option C is wrong because CloudFront does not natively handle CORS preflight requests; it can pass through headers but still requires the origin (API Gateway) to be properly configured for CORS, making it an unnecessary extra layer. Option D is wrong because S3 bucket policies control access to S3 objects, not API Gateway endpoints; CORS for the API must be configured on the API Gateway resource itself, not on the web application's hosting bucket.

738
MCQ (hard)

A developer is deploying an AWS Lambda function that processes data from an Amazon Kinesis stream. The function must be idempotent and handle duplicate records. The developer notices that the same record is being processed multiple times. What is the most likely cause of this issue?

A.The Kinesis data stream's retention period is too long, causing old records to be reprocessed.
B.The function's reserved concurrency is set too low, causing invocations to be throttled and retried.
C.The batch size is set too high, causing the function to process records in multiple batches.
D.The Kinesis stream's iterator age is too low, causing the function to reprocess records after a failure.
Answer: D

Low iterator age means the function may fall behind and reprocess records.

Why this answer

Option D is correct because a low iterator age can cause the Lambda function to reprocess records if the function fails or times out, leading to duplicates. Option C is wrong because the batch size affects how many records are sent per invocation, not whether records are duplicated. Option B is wrong because the concurrency limit throttles invocations but does not cause duplicates.

Option A is wrong because the retention period determines how long records are available, not whether they are duplicated.

739
MCQ (medium)

A company's application uses Amazon S3 to store user-uploaded images. Users report that recently uploaded images are sometimes not immediately available for viewing. The application uses S3 Event Notifications to trigger a Lambda function that processes images and stores metadata in DynamoDB. What is the MOST likely cause of the delay?

A.Lambda function has a cold start that adds several seconds to processing time.
B.S3 is eventually consistent for new object writes, so the object may not be immediately available.
C.S3 Event Notifications may have a slight delay, and the application polls for the processed image before the notification triggers Lambda.
D.DynamoDB has insufficient read capacity causing throttling on metadata retrieval.
Answer: C

Event notifications are asynchronous and may have latency.

Why this answer

Option C is correct because S3 Event Notifications are typically delivered within seconds but can be delayed; the application should not assume the image has been processed immediately after the upload completes. Option B is wrong because S3 is eventually consistent for overwrite PUTs of existing keys, but new uploads are strongly consistent. Option A is wrong because a Lambda cold start may add a delay, but not one measured in minutes.

Option D is wrong because DynamoDB is fast.

740
MCQ (hard)

A developer is building an application that uses Amazon DynamoDB as a data store. The application reads the same item frequently but writes rarely. The developer wants to reduce read costs. Which DynamoDB feature should the developer use?

A.DynamoDB Accelerator (DAX)
B.DynamoDB Global Tables
C.DynamoDB Auto Scaling
D.Time to Live (TTL)
Answer: A

Caches reads, reducing the number of read capacity units consumed.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) is an in-memory cache that reduces read costs for frequently accessed items. Option C is wrong because auto scaling adjusts capacity, not cost per read. Option D is wrong because TTL is for automatic deletion.

Option B is wrong because Global Tables are for multi-region replication, not cost reduction.

741
MCQ (medium)

A developer is monitoring an AWS Lambda function that processes messages from an SQS queue. CloudWatch metrics show that the function's throttles are high when the queue backlog grows. The function has a reserved concurrency of 50 and a batch size of 10. The SQS queue has a visibility timeout of 30 seconds. The function processes each batch in about 5 seconds. Which action will most effectively reduce throttles?

A.Increase the SQS queue visibility timeout
B.Increase the Lambda function's reserved concurrency
C.Increase the Lambda function's batch size
D.Decrease the SQS queue message retention period
Answer: C

Increasing the batch size reduces the number of invocations needed to process the same number of messages, thereby reducing the number of concurrent executions and decreasing throttles.

Why this answer

Option C is correct because increasing the batch size allows each Lambda invocation to process more messages per batch (e.g., from 10 to a higher value up to 10,000 for standard queues). This reduces the number of concurrent invocations needed to clear the backlog, directly lowering the throttle count without requiring additional reserved concurrency. Since the function processes each batch in ~5 seconds and the visibility timeout is 30 seconds, there is ample time to handle larger batches, making this the most effective adjustment.

Exam trap

The trap here is that candidates often assume throttles are always solved by increasing concurrency (Option B), overlooking that batch size optimization can achieve the same throughput with fewer invocations, which is more efficient and directly addresses the backlog-driven throttle pattern.

How to eliminate wrong answers

Option A is wrong because increasing the visibility timeout does not reduce throttles; it only prevents messages from becoming visible again before processing completes, which is irrelevant since the function finishes in 5 seconds (well under the current 30-second timeout). Option B is wrong because increasing reserved concurrency would raise the throttle ceiling but does not address the root cause—the backlog grows due to insufficient throughput per invocation, and simply adding more concurrency may lead to other resource limits or costs without optimizing batch processing. Option D is wrong because decreasing the message retention period only causes messages to be deleted sooner if not processed, which does not reduce throttles and could lead to data loss; it does not affect the rate at which Lambda invocations are throttled.

742
MCQ (medium)

A developer is using Amazon API Gateway with a Lambda authorizer to secure a REST API. The developer wants to pass user context from the authorizer to the backend Lambda function. How should the developer accomplish this?

A.Include the user context in the principal identifier returned by the authorizer.
B.Encode the user context in the authorization token.
C.Use a custom header that maps to a resource path parameter.
D.Return a context object from the Lambda authorizer that maps to integration request parameters.
Answer: D

The authorizer's context output is automatically passed to the backend as a JSON object.

Why this answer

Option D is correct: the Lambda authorizer returns an IAM policy and a context map, and the context map is included in the integration request and passed to the backend. Option A is wrong because the principal ID is a single field, not a full context.

Option B is wrong because the authorization token is the input to the authorizer, not its output. Option C is wrong because resource path parameters are not used to pass context.

743
Drag & Drop (medium)

Drag and drop the steps to set up a custom domain for an API Gateway API in the correct order.


Why this order

First obtain a domain, then get a certificate, create the custom domain name in API Gateway, map it to a stage, and finally update DNS.

744
MCQ (hard)

A company runs a containerized application on Amazon ECS using the Fargate launch type. The application needs to store temporary data that must persist across container restarts but does not need to be shared across multiple tasks. The data should be automatically deleted when the task stops. Which storage option should the developer use?

A.Attach an Amazon EBS volume to the task.
B.Use the ephemeral storage provided by Fargate.
C.Mount an Amazon EFS file system to the container.
D.Create a Docker volume using the 'tmpfs' driver.
Answer: B

Fargate provides ephemeral storage that is deleted when the task stops, but persists across container restarts within the same task.

Why this answer

Amazon EFS is a shared file system and persists beyond task lifecycle; not suitable for temporary data. Fargate ephemeral storage is temporary and deleted when the task stops, but it is not persistent across restarts. EBS volumes are not supported with Fargate.

A Docker volume using the 'tmpfs' driver is memory-backed and not persistent.

745
MCQ (easy)

A developer notices that an S3 bucket's 'PutObject' API calls are failing intermittently for a specific application. The application uses the AWS SDK for Java to upload files. The error message is 'RequestTimeout: Your socket connection to the server was not read from or written to within the timeout period.' The bucket is in the same region as the application. The developer checks the S3 metrics and sees no throttling errors. The application runs on EC2 instances behind an ALB. The developer suspects a network issue. What should the developer do to resolve the issue?

A.Add a bucket policy that grants s3:PutObject to the application's IAM role.
B.Use an S3 VPC endpoint to improve network reliability.
C.Increase the socket timeout in the AWS SDK configuration and ensure the network path (ALB) has a higher idle timeout.
D.Enable S3 Transfer Acceleration on the bucket and update the application to use the accelerated endpoint.
Answer: C

The ALB may have a default idle timeout of 60 seconds; increasing it and adjusting SDK timeout can prevent the error.

Why this answer

The 'RequestTimeout' error indicates that the connection was idle for too long. This often happens when a proxy or load balancer in the path has a shorter idle timeout than the S3 SDK's timeout. Option C is correct: increase the S3 client's timeout settings (or use HTTP keep-alive) and raise the idle timeout on the network path.

Option A is wrong because a bucket policy is not related to timeouts; the issue is not about permissions. Option D is wrong because S3 Transfer Acceleration is for large files over long distances, not for timeouts.

746
MCQ (hard)

A developer is deploying a web application on Amazon EKS. The application needs to read configuration data from an Amazon S3 bucket at startup. The developer wants to ensure that the configuration is securely accessed without embedding AWS credentials in the application code. Which solution should the developer use?

A.Use IAM roles for service accounts (IRSA) to assign an IAM role to the pod.
B.Store the AWS credentials in AWS Secrets Manager and retrieve them at startup.
C.Assign an IAM instance profile to the EC2 instances running the EKS nodes.
D.Embed the AWS access key and secret key in a Kubernetes ConfigMap.
Answer: A

IRSA allows pods to assume IAM roles securely.

Why this answer

IAM roles for service accounts (IRSA) allow Kubernetes pods to assume IAM roles. The developer can create an IAM role with an S3 read policy and associate it with a Kubernetes service account. The pod then uses that service account to access S3.

This avoids hardcoded credentials. The other options either expose credentials or are not best practice: AWS Secrets Manager stores secrets but does not by itself grant S3 access; embedding access keys in a Kubernetes ConfigMap is insecure; an IAM instance profile applies to the EC2 node, not to individual EKS pods (workarounds exist, but IRSA is the recommended approach).

747
MCQ (hard)

A developer needs to grant a user in another AWS account (Account B) read-only access to objects in an Amazon S3 bucket owned by Account A. The developer has already added a bucket policy that grants s3:GetObject access to the IAM user in Account B. However, the user in Account B still gets Access Denied when trying to read objects. What additional configuration is required?

A.The user in Account B must have an IAM policy that allows s3:GetObject on the bucket ARN
B.The bucket must be made public by unchecking 'Block all public access'
C.The developer must create a new IAM role in Account A and have the user in Account B assume that role
D.The user in Account B must use the S3 console instead of the AWS CLI
Answer: A

Cross-account access requires both a bucket policy that grants the user permissions and an IAM policy in the user's account that allows the action. The IAM policy is necessary because the default is to deny all actions.

Why this answer

The bucket policy in Account A grants s3:GetObject access to the IAM user in Account B, but this alone is insufficient. For cross-account access, the IAM user in Account B must also have an IAM policy attached that explicitly allows s3:GetObject on the bucket ARN. Without this, the user’s own account denies the request before it reaches Account A’s bucket policy, resulting in Access Denied.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, overlooking the requirement for an explicit IAM policy in the requesting account to allow the action.

How to eliminate wrong answers

Option B is wrong because making the bucket public by unchecking 'Block all public access' would grant anonymous access to everyone, which violates the principle of least privilege and is not required for a specific cross-account user. Option C is wrong because while creating an IAM role in Account A and having the user in Account B assume it is a valid alternative approach, it is not the additional configuration required here—the developer has already chosen a bucket policy approach, and the missing piece is the IAM policy in Account B. Option D is wrong because the S3 console and AWS CLI both enforce the same IAM permissions; the issue is a lack of permissions, not the tool used.

748
MCQ (easy)

A developer is troubleshooting a slow Amazon RDS MySQL database query. The query is frequently executed and takes 5 seconds to complete. Which AWS service should the developer use to analyze the query performance?

A.AWS CloudTrail
B.Amazon RDS Performance Insights
C.Amazon CloudWatch Logs
D.AWS X-Ray
Answer: B

Provides detailed query performance analysis.

Why this answer

Option B is correct because RDS Performance Insights provides database performance analysis with query-level metrics. Option C is wrong because CloudWatch Logs is for log data, not query analysis. Option D is wrong because X-Ray is for distributed tracing, not database queries.

Option A is wrong because CloudTrail is for API activity, not database performance.

749
MCQ (easy)

A developer needs to store application configuration settings that may change at runtime and wants to avoid redeploying the application. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.Amazon DynamoDB
D.AWS AppConfig
Answer: D

AppConfig enables dynamic configuration updates with validation and staged rollouts.

Why this answer

Option D is correct because AWS AppConfig is designed to manage application configuration and allow dynamic updates without redeployment. Option B is wrong because Secrets Manager is for secrets, not general config. Option A is wrong because SSM Parameter Store can store config but lacks advanced features like validation and staged rollouts.

Option C is wrong because DynamoDB is a database, not purpose-built for config management.

750
MCQ (easy)

An e-commerce platform uses AWS CodePipeline to deploy a web application to an Auto Scaling group behind an Application Load Balancer. The deployment strategy must minimize downtime and allow immediate rollback if the new version fails health checks. Which deployment configuration meets these requirements?

A.Use blue/green deployment with an immutable infrastructure.
B.Use all-at-once deployment to the Auto Scaling group.
C.Use canary deployment shifting 10% traffic for 5 minutes.
D.Use in-place rolling update with a batch size of 50%.
Answer: A

Creates a new environment, switches traffic when healthy, and retains the old environment for instant rollback.

Why this answer

Blue/green deployment with immutable infrastructure minimizes downtime by running the new version (green) alongside the old (blue) and switching traffic only after health checks pass. If the new version fails, rollback is immediate by routing traffic back to the blue environment without redeploying. AWS CodePipeline supports this via CodeDeploy with a blue/green configuration, ensuring zero-downtime deployments and instant rollback capability.

Exam trap

The trap here is that candidates confuse canary or rolling updates with immediate rollback capability, but only blue/green provides an instant traffic switch without redeployment, as the old environment remains intact.

How to eliminate wrong answers

Option B is wrong because all-at-once deployment replaces all instances simultaneously, causing downtime during the deployment and no ability to rollback without redeploying the old version. Option C is wrong because canary deployment shifts only 10% traffic for 5 minutes, which does not guarantee immediate rollback of the entire fleet if the new version fails; it requires manual or automated traffic shifting back, which is not instantaneous. Option D is wrong because in-place rolling update with a batch size of 50% replaces instances gradually but still causes partial downtime and requires a full redeployment to rollback, as the old instances are terminated during the update.
