AWS Certified Developer Associate DVA-C02 (DVA-C02) – Questions 751–825

1616 questions total · 22 pages · All types, answers revealed

Page 11 of 22
751
Multi-Select, medium

A company is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. Which permissions are required for the CodeBuild service role? (Choose THREE.)

Select 3 answers
A. ecr:PutImage
B. ecr:DescribeRepositories
C. ecr:CreateImage
D. ecr:BatchGetImage
E. ecr:GetAuthorizationToken
Answers: A, B, E

Needed to upload the Docker image.

Why this answer

Option A is correct because `ecr:PutImage` is the permission required to push a Docker image to an Amazon ECR repository. When CodeBuild completes a build and runs `docker push`, it calls the ECR API `PutImage` to upload the image manifest. Without this permission, the push operation will fail with an access denied error.

Exam trap

The trap here is that candidates may confuse `ecr:PutImage` with the non-existent `ecr:CreateImage` or mistakenly think `ecr:BatchGetImage` is needed for pushing, when in fact it is only used for pulling images.

752
Multi-Select, medium

Which TWO actions can be taken to enable automatic rollback for an AWS CloudFormation stack update that fails? (Select TWO.)

Select 2 answers
A. Set the '--on-failure' parameter to 'ROLLBACK' during stack update.
B. Specify a CloudWatch alarm in the '--rollback-configuration' parameter during stack update.
C. Use a change set to review the changes before updating.
D. Apply a stack policy that denies updates to critical resources.
E. Set the '--disable-rollback' parameter to 'false' during stack update.
Answers: B, E

This allows CloudFormation to monitor the alarm and rollback if it triggers.

Why this answer

Options B and E are correct. Option B: the '--rollback-configuration' parameter can specify CloudWatch alarms that trigger a rollback. Option E: setting '--disable-rollback' to false (i.e., not disabling rollback) means rollback is enabled.

Option A is wrong because '--on-failure' is only for stack creation, not update. Option D is wrong because a stack policy does not control rollback behavior. Option C is wrong because change sets do not enable automatic rollback.

753
MCQ, easy

A developer stores database credentials for an application running on Amazon EC2. The security team requires that the credentials be automatically rotated every 30 days to reduce the risk of compromise. Which AWS service should the developer use to store and automatically rotate the credentials?

A. AWS Systems Manager Parameter Store
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. IAM Roles for EC2
Answer: B

Secrets Manager offers automatic rotation of secrets with built-in integration for RDS and other services. It can be configured to rotate every 30 days easily.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store database credentials and other secrets, and it provides built-in, configurable automatic rotation (e.g., every 30 days) using AWS Lambda. This meets the security team's requirement without custom scripting or infrastructure management.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store for its lower cost or familiarity, despite the explicit rotation requirement.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store can store credentials but does not natively support automatic rotation; rotation would require custom automation with Lambda or other services, making it less suitable for this requirement. Option C is wrong because AWS Key Management Service (KMS) is a key management service for encryption keys, not for storing or rotating database credentials; it can encrypt secrets but does not manage rotation of the credentials themselves. Option D is wrong because IAM Roles for EC2 provide temporary credentials for AWS API access, not for storing or rotating database credentials; they cannot be used to store or rotate application-level database passwords.

754
MCQ, hard

A company runs a critical application on AWS Lambda that processes real-time data from Kinesis Data Streams. The function is idempotent, but occasionally duplicate records are processed due to retries. The company wants to ensure exactly-once processing. Which approach should the developer implement?

A. Use an SQS FIFO queue between Kinesis and Lambda.
B. Use a DynamoDB table to store processed record IDs and perform deduplication in the Lambda function.
C. Enable Lambda reserved concurrency to limit retries.
D. Reduce the batch size in the event source mapping.
Answer: B

This provides exactly-once semantics.

Why this answer

Option B is correct because using a DynamoDB table to track record IDs allows deduplication. Option A is incorrect because SQS FIFO does not integrate with Kinesis directly. Option C is incorrect because Lambda does not provide built-in deduplication.

Option D is incorrect because reducing batch size does not prevent duplicates from retries.

755
MCQ, easy

A developer is using AWS CodeDeploy to deploy an application to an EC2 instance. The deployment fails with the error 'ScriptMissing' during the BeforeInstall lifecycle event. What is the most likely cause?

A. The BeforeInstall lifecycle event is not defined in the appspec.yml
B. The script file specified in the appspec.yml for the BeforeInstall hook is not present on the instance
C. The CodeDeploy agent on the instance is not running
D. The instance does not have the necessary permissions to execute the script
Answer: B

ScriptMissing error means the script file is missing.

Why this answer

The 'ScriptMissing' error in AWS CodeDeploy indicates that the deployment failed because a script file referenced in the appspec.yml for a lifecycle event (in this case, BeforeInstall) could not be found on the EC2 instance. CodeDeploy expects the script to be present at the specified path after the archive is extracted; if the file is missing or the path is incorrect, the agent reports this error. Option B correctly identifies that the script file is not present on the instance.

Exam trap

The trap here is that candidates confuse 'ScriptMissing' with permission issues or agent connectivity problems, but AWS CodeDeploy has distinct error codes for each failure mode, and 'ScriptMissing' specifically points to a missing file, not execution or agent status.

How to eliminate wrong answers

Option A is wrong because if the BeforeInstall lifecycle event is not defined in the appspec.yml, CodeDeploy would simply skip that event and not produce a 'ScriptMissing' error — the error specifically occurs when a hook is defined but its script is absent. Option C is wrong because if the CodeDeploy agent were not running, the deployment would fail with an 'AgentNotRunning' or 'InstanceUnreachable' error, not a 'ScriptMissing' error. Option D is wrong because insufficient permissions to execute the script would result in a 'ScriptFailed' error (e.g., exit code 126 or 127), not a 'ScriptMissing' error — the agent first checks for the file's existence before attempting execution.

756
Multi-Select, medium

Which TWO are best practices for securing an AWS account? (Choose 2)

Select 2 answers
A. Disable AWS CloudTrail to reduce costs
B. Disable password rotation to avoid user inconvenience
C. Use the root user for daily administrative tasks
D. Enable multi-factor authentication (MFA) for privileged users
E. Use IAM roles for applications that run on EC2 instances
Answers: D, E

MFA adds an extra layer of security.

Why this answer

Options D and E are best practices: enabling MFA and using IAM roles. Option C is not a best practice (the root user should not be used for daily tasks). Option B is not a best practice (password policies should enforce complexity).

Option A is not a best practice (CloudTrail should be enabled).

757
MCQ, medium

An AWS Lambda function processes messages from an Amazon SQS queue and writes results to an Amazon DynamoDB table. The function is configured with a reserved concurrency of 5 and a batch size of 10. CloudWatch metrics show high throttling and a growing queue backlog. The function's execution time averages 1 second per message. What is the MOST effective action to reduce throttling while improving throughput?

A. Increase the reserved concurrency to 20.
B. Increase the batch size to 100.
C. Decrease the reserved concurrency to 2.
D. Increase the provisioned write capacity of the DynamoDB table.
Answer: A

Increasing reserved concurrency allows Lambda to scale and invoke more function instances concurrently. This directly reduces throttling and allows the function to process more messages from the SQS queue simultaneously, improving throughput and reducing backlog.

Why this answer

The Lambda function is throttling because its reserved concurrency of 5 limits it to 5 concurrent executions. With a batch size of 10 and 1-second execution time, the function can process at most 5 * 10 = 50 messages per second. Increasing reserved concurrency to 20 allows 20 concurrent executions, raising throughput to 200 messages per second, which directly reduces throttling and clears the backlog.

Exam trap

The trap here is that candidates may confuse Lambda throttling with downstream resource throttling (like DynamoDB) and choose to increase write capacity, or they may think increasing batch size alone will solve the problem without considering the concurrency bottleneck.

How to eliminate wrong answers

Option B is wrong because increasing batch size to 100 would cause each invocation to process more messages, but with only 5 concurrent executions, the function would still be limited to 5 invocations at a time, and the 1-second execution time per message would scale linearly, likely causing timeouts or increased latency without addressing the root cause of throttling. Option C is wrong because decreasing reserved concurrency to 2 would reduce throughput to 20 messages per second, worsening throttling and backlog. Option D is wrong because increasing DynamoDB write capacity addresses potential write throttling from DynamoDB, but the CloudWatch metrics show Lambda throttling, not DynamoDB throttling; the bottleneck is Lambda concurrency, not the database.

758
MCQ, medium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with user data. The user data script installs software and configures the application. The developer wants to ensure that the stack creation waits for the user data script to complete before marking the stack as CREATE_COMPLETE. What should the developer do?

A. Add a DependsOn attribute to the EC2 instance resource.
B. Use a CloudFormation WaitCondition and a WaitConditionHandle.
C. Add a CreationPolicy with a timeout to the EC2 instance resource and use cfn-signal in the user data.
D. Configure the EC2 instance to run the user data script as a service.
Answer: C

CreationPolicy waits for cfn-signal before completing.

Why this answer

Option C is correct because a cfn-signal sent from the user data together with a CreationPolicy on the EC2 resource causes CloudFormation to wait for the signal. Option A is wrong because DependsOn only affects creation order; it does not wait for the script to complete. Option B is wrong because WaitCondition is legacy and requires a separate handle; CreationPolicy is simpler.

Option D is wrong because user data runs as root; the script can send signals.

759
MCQ, medium

A developer is using AWS CodePipeline to automate deployments. The pipeline has a manual approval action that requires a developer to approve before deploying to production. The developer wants to receive an email notification when an approval action is pending. Which AWS service should be used to send the notification?

A. Amazon Simple Email Service (SES)
B. AWS Lambda
C. Amazon Simple Notification Service (SNS)
D. Amazon CloudWatch Logs
Answer: C

SNS can send email notifications when pipeline state changes occur.

Why this answer

Option C is correct because Amazon SNS can send email notifications when integrated with CloudWatch Events (now Amazon EventBridge) for CodePipeline state changes. Option A is wrong because SES is for sending transactional emails and is not directly integrated with CodePipeline. Option D is wrong because CloudWatch Logs is for log storage.

Option B is wrong because Lambda can be used but is not the simplest service for just sending email notifications.

760
Multi-Select, easy

A developer is using AWS Step Functions to orchestrate a workflow. The developer wants to handle errors and retries for a task. Which TWO fields can be used in a state definition to configure error handling? (Choose TWO.)

Select 2 answers
A. Retry
B. Catch
C. FailureState
D. ErrorOutput
E. ErrorAction
Answers: A, B

Retry defines how many times and how long to wait before retrying.

Why this answer

Option A is correct because the Retry field specifies retry policies for errors. Option B is correct because the Catch field defines fallback states when retries are exhausted or not configured. Option D is wrong because ErrorOutput is not a valid field.

Option E is wrong because ErrorAction is not a standard field. Option C is wrong because FailureState is not a valid field; the correct field is Catch.

761
MCQ, easy

A developer is deploying a new version of a Lambda function using an AWS CodePipeline pipeline. The deployment fails during the 'Deploy' stage with an error indicating that the function's code is too large. What should the developer do to resolve this issue?

A. Upload the Lambda deployment package to Amazon S3 and reference it from the function
B. Increase the Lambda function's timeout setting
C. Use Amazon CloudFront to distribute the Lambda code
D. Enable AWS X-Ray tracing on the Lambda function
Answer: A

S3 allows larger packages.

Why this answer

Option A is correct because Lambda has a deployment package size limit of 50 MB for direct upload via the console or API. For larger packages, developers should upload the deployment package to Amazon S3 and reference it from the function. Option B is incorrect because increasing the Lambda timeout does not affect code size.

Option D is incorrect because X-Ray tracing has nothing to do with code size. Option C is incorrect because CloudFront is a CDN, not a solution for Lambda package size.

762
MCQ, medium

A developer is troubleshooting an application that uses Amazon ElastiCache for Redis to improve performance. The application periodically experiences high latency during peak hours. The developer checks the ElastiCache metrics and sees that the 'Evictions' metric is consistently high and the 'CacheHitRate' metric is low. The cluster has a single node with a cache.t3.small instance type. Which action will most likely improve the cache hit rate and reduce latency?

A. Scale up to a larger node type (e.g., cache.t3.medium) to increase available memory.
B. Enable cluster mode and distribute data across multiple shards to reduce memory pressure.
C. Change the eviction policy to 'allkeys-lfu' to better manage which keys are evicted.
D. Add a read replica for the Redis cluster to offload read traffic.
Answer: A

Increasing memory reduces the need for evictions, allowing more data to remain in cache, which improves the cache hit rate and reduces latency.

Why this answer

The high 'Evictions' and low 'CacheHitRate' metrics indicate that the Redis node is running out of memory, forcing it to evict keys to make room for new data. Scaling up to a larger node type (cache.t3.medium) increases the available memory, allowing more data to be cached and reducing evictions, which directly improves the cache hit rate and reduces latency.

Exam trap

The trap here is that candidates may focus on optimizing eviction policies or adding replicas, but the core issue is insufficient memory capacity, which only scaling up can resolve.

How to eliminate wrong answers

Option B is wrong because enabling cluster mode and distributing data across multiple shards does not increase the total memory per node; it only partitions data, and if the total memory across shards is insufficient, evictions will still occur. Option C is wrong because changing the eviction policy to 'allkeys-lfu' only changes which keys are evicted (least frequently used) but does not address the root cause of insufficient memory; evictions will continue at the same rate. Option D is wrong because adding a read replica offloads read traffic but does not increase the primary node's memory, so evictions and low cache hit rate will persist on the primary node.

763
Multi-Select, easy

A developer is using AWS X-Ray to trace requests through a microservices application. The developer notices that some traces are incomplete. Which TWO actions can help ensure complete traces?

Select 2 answers
A. Use the X-Ray SDK to instrument the application code.
B. Open port 2000 on the security groups for TCP traffic.
C. Deploy the X-Ray daemon as a centralized service in a separate instance.
D. Install the CloudWatch agent on all instances.
E. Ensure the X-Ray daemon is running on all EC2 instances.
Answers: A, E

SDK intercepts requests and sends trace data.

Why this answer

Option E: the X-Ray daemon must be running on each EC2 instance to send trace data. Option A: instrumentation with the SDK sends trace data to the daemon. Option D is wrong because the CloudWatch agent is a separate agent and does not ship X-Ray traces.

Option B is wrong because the daemon uses UDP, not TCP. Option C is wrong because the daemon is not meant to be centralized.

764
MCQ, hard

A developer is troubleshooting an application that uses an IAM role to access DynamoDB. The application is running on an EC2 instance and intermittently fails with an AccessDenied error. The IAM role has the following policy attached. What is the MOST likely cause?

A. The policy does not include the dynamodb:PutItem action.
B. The policy uses a NotAction element that inadvertently denies access.
C. The condition key aws:SourceIp might be blocking requests from the EC2 instance's IP.
D. The policy is missing the table ARN in the Resource field.
Answer: C

The condition restricts access to a specific IP range, which may not match the instance's IP.

Why this answer

Option C is correct because the IAM policy grants access to all tables ("*" in Resource) but only for specific actions. However, the "aws:SourceIp" condition might be too restrictive if the EC2 instance's IP changes (e.g., if it is behind a NAT gateway or uses an Elastic IP). Option A is wrong because the policy allows dynamodb:*.

Option D is wrong because there is no condition limiting access to specific tables. Option B is wrong because the policy does not have a NotAction block.

765
MCQ, easy

A developer is building a serverless application using AWS Lambda. The Lambda function needs to write logs to CloudWatch Logs. What is the recommended way to grant the necessary permissions?

A. Use AWS KMS to encrypt the log data and grant permissions.
B. Attach an IAM execution role with CloudWatch Logs permissions.
C. Create a resource-based policy on the Lambda function.
D. Store AWS access keys in environment variables.
Answer: B

Lambda assumes this role to access AWS services.

Why this answer

Option B is correct because AWS Lambda uses an IAM execution role to obtain temporary credentials for accessing other AWS services. To allow a Lambda function to write logs to CloudWatch Logs, you must attach an IAM role with a policy that includes permissions for the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` actions. This is the standard and recommended security practice for granting permissions to Lambda functions.

Exam trap

The trap here is that candidates often confuse resource-based policies (which control who can invoke the function) with execution roles (which control what the function can do), leading them to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because AWS KMS is used for encryption key management, not for granting permissions; it does not provide IAM-level access control for writing logs. Option C is wrong because resource-based policies on a Lambda function control who can invoke the function, not what the function itself can do (like writing to CloudWatch Logs); permissions for the function's actions are defined in its execution role. Option D is wrong because storing AWS access keys in environment variables is a security anti-pattern; Lambda should never use long-term credentials, and instead relies on the IAM execution role to provide temporary, automatically rotated credentials.

766
Multi-Select, easy

A company uses AWS CodeBuild to compile and test a Java application. The build process takes a long time because dependencies are downloaded every time. Which TWO actions can reduce build time? (Choose TWO.)

Select 2 answers
A. Increase the compute type of the build environment to have more CPU and memory.
B. Change the build runtime to a language that compiles faster.
C. Configure the build project to run builds in parallel.
D. Enable local caching in the CodeBuild project to reuse dependency files between builds.
E. Use Amazon S3 to cache dependencies and restore them at the start of each build.
Answers: D, E

Local cache stores files on the build instance for subsequent builds.

Why this answer

Options D and E are correct: caching dependencies in a local cache or in S3 reduces download time. Option A (increase compute) does not reduce dependency download time. Option C (parallel builds) applies to running multiple builds, not to speeding up one build.

Option B (change runtime) is not relevant.

767
MCQ, medium

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet without internet access. Which method should be used to grant the instance access to DynamoDB securely?

A. Store AWS credentials in a file on the instance and use them in the application
B. Configure security group rules to allow outbound traffic to DynamoDB
C. Attach a NAT gateway to the private subnet and use IAM user credentials
D. Create a VPC endpoint for DynamoDB and attach an IAM role to the instance
Answer: D

VPC endpoint enables private connectivity; IAM role provides temporary credentials.

Why this answer

Option D is correct because a VPC Gateway Endpoint for DynamoDB allows EC2 instances in a private subnet to access DynamoDB without traversing the internet or requiring a NAT gateway. By attaching an IAM role to the EC2 instance, the application can securely obtain temporary credentials via the instance metadata service, eliminating the need to store long-term credentials on the instance.

Exam trap

The trap here is that candidates often confuse security groups with network routing, assuming that allowing outbound traffic to DynamoDB's IP range is sufficient, but without a VPC endpoint or internet gateway, the traffic has no route to reach the DynamoDB service.

How to eliminate wrong answers

Option A is wrong because storing AWS credentials in a file on the instance is a security risk and violates the principle of least privilege; it also requires managing long-term keys, which can be rotated or compromised. Option B is wrong because security groups control network traffic at the instance level, but DynamoDB is a managed service outside the VPC; without a VPC endpoint or internet access, security group rules alone cannot route traffic to DynamoDB. Option C is wrong because a NAT gateway would provide internet access, but it introduces additional cost and complexity, and using IAM user credentials on the instance still requires managing long-term keys; the recommended approach is to use an IAM role with a VPC endpoint.

768
MCQ, hard

An application running on Amazon ECS Fargate uses a DynamoDB table with on-demand capacity. The table has a partition key of 'userId' and a sort key of 'timestamp'. During peak hours, some requests experience throttling errors. The application performs updates to existing items using 'UpdateItem' with ConditionExpression to ensure the 'status' attribute is 'active'. Which design change will BEST reduce throttling?

A. Implement DynamoDB Accelerator (DAX) to cache frequent items.
B. Use 'TransactWriteItems' instead of 'UpdateItem' for atomic updates.
C. Change the table to provisioned capacity and increase read capacity units.
D. Create a global secondary index with the same partition key and a different sort key.
Answer: A

DAX reduces read load on the table, freeing capacity for writes.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) can reduce throttling by offloading read requests from the table, leaving on-demand capacity to handle the write-heavy workload. Option C is wrong because increasing read capacity units is not applicable to on-demand tables. Option B is wrong because 'UpdateItem' with ConditionExpression already performs atomic updates.

Option D is wrong because adding a global secondary index does not help with throttling.

769
MCQ, medium

A developer is building a serverless application using API Gateway and Lambda. The developer needs to authenticate users with a JWT token. Which API Gateway feature should be used?

A. Lambda Authorizer
B. IAM Authorizer
C. JWT Authorizer
D. Amazon Cognito User Pools
Answer: C

API Gateway JWT authorizer validates JWTs from a third-party issuer.

Why this answer

Option C is correct because API Gateway's JWT Authorizer is specifically designed to validate JSON Web Tokens (JWTs) directly, without invoking a Lambda function. It verifies the token's signature, expiry, and issuer against a specified issuer URL and audience, making it the most efficient and purpose-built choice for JWT authentication in API Gateway.

Exam trap

The trap here is that candidates often confuse the JWT Authorizer with a Lambda Authorizer, thinking they need custom code to validate a JWT, when in fact the JWT Authorizer handles standard JWT validation natively without a Lambda function.

How to eliminate wrong answers

Option A is wrong because a Lambda Authorizer (formerly Custom Authorizer) is used when you need custom validation logic beyond simple JWT verification, such as calling an external identity provider or performing complex claims mapping; it introduces unnecessary latency and cost for straightforward JWT validation. Option B is wrong because IAM Authorizer uses AWS Signature Version 4 (SigV4) for request signing and is intended for AWS service-to-service or IAM user authentication, not for validating externally-issued JWTs. Option D is wrong because Amazon Cognito User Pools is a full identity provider that issues JWTs, but it is not an API Gateway authorizer feature; you would still need to use a JWT Authorizer or Lambda Authorizer to validate those tokens in API Gateway.

770
MCQ, hard

A Lambda function using a Kinesis event source repeatedly retries one bad record and blocks progress in the shard. Which feature helps isolate failed records after retry limits?

A. Increase memory to 10 GB only
B. Disable batch processing
C. Configure failure handling with bisect batch on error and an on-failure destination where supported
D. Convert the stream to an S3 bucket
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because Lambda's Kinesis event source mapping supports a 'bisect batch on error' feature that splits a failed batch into two smaller batches, allowing the bad record to be isolated and retried separately. Additionally, configuring an on-failure destination (e.g., an SQS queue or SNS topic) sends the record to a dead-letter destination after the retry limit is exhausted, preventing the shard from blocking progress.

Exam trap

The trap here is that candidates often think increasing memory or disabling batch processing will solve the blocking issue, but they fail to recognize that only explicit failure handling with bisect and a dead-letter destination can isolate and remove the bad record without manual intervention.

How to eliminate wrong answers

Option A is wrong because increasing memory to 10 GB only allocates more CPU and memory to the function, but does not address the root cause of a single bad record blocking the shard; it does not provide any mechanism to isolate or skip failed records. Option B is wrong because disabling batch processing (setting batch size to 1) would still cause the same blocking behavior—each record would be processed individually, but a persistent bad record would still be retried indefinitely, blocking the shard. Option D is wrong because converting the stream to an S3 bucket is not a direct replacement for Kinesis event processing; S3 does not support the same record-level retry and failure handling semantics, and this would require a complete architectural change, not a simple configuration fix.

771
MCQ, easy

A developer is building a web application that requires user authentication. The application will run on Amazon EC2 instances behind an Application Load Balancer. The developer wants to offload authentication to a managed service that supports social login providers. Which AWS service should the developer use?

A. AWS Identity and Access Management (IAM)
B. Amazon Cognito
C. AWS Directory Service
D. AWS Single Sign-On
Answer: B

Cognito offers user pools for sign-up/sign-in and supports social identity providers, making it ideal for offloading authentication.

Why this answer

Amazon Cognito is the correct choice because it is a fully managed identity service designed for web and mobile applications, providing user authentication, authorization, and support for social login providers (e.g., Google, Facebook, Amazon) via OAuth 2.0 and OpenID Connect. It offloads the entire authentication workflow from the EC2 instances and ALB, integrating seamlessly with the ALB's authentication action to validate tokens before traffic reaches the application.

Exam trap

The trap here is that candidates often confuse IAM's role-based access control with user authentication, overlooking that IAM cannot handle social login providers or external user identity federation for customer-facing apps.

How to eliminate wrong answers

Option A is wrong because AWS IAM is for managing AWS service access and permissions for users and roles, not for external user authentication with social login providers; it lacks built-in support for social identity federation. Option C is wrong because AWS Directory Service provides managed Microsoft Active Directory or LDAP-based directories for enterprise identity, which does not natively support social login providers like Google or Facebook. Option D is wrong because AWS Single Sign-On (now AWS IAM Identity Center) is designed for workforce identity and SSO across AWS accounts and business applications, not for customer-facing web app authentication with social logins.

772
Multi-Select, easy

Which TWO deployment methods can be used to update an AWS Lambda function with no downtime? (Select TWO.)

Select 2 answers
A. Update the function code using update-function-code.
B. Use a weighted alias to gradually shift traffic to a new version.
C. Create a new version and update the alias to point to the new version.
D. Create a new Lambda function and delete the old one.
E. Update the function configuration to increase memory.
Answers: B, C

Canary deployment with no downtime.

Why this answer

Option B is correct because a weighted alias allows you to route a small percentage of traffic to a new Lambda version while keeping the majority on the current version, enabling canary deployments with zero downtime. Option C is correct because creating a new version and updating the alias to point to it performs an instant, atomic switch, ensuring all traffic is served by the new version without any interruption.

Exam trap

The trap here is that candidates often think update-function-code is a safe deployment method, but it modifies the mutable $LATEST version, which can cause downtime if an alias points to $LATEST and the update is not atomic.

773
MCQ (medium)

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group of EC2 instances. The developer wants to minimize the number of instances that are taken out of service at any given time during the deployment. Which predefined deployment configuration should the developer use?

A. AllAtOnce
B. OneAtATime
C. HalfAtATime
D. Custom with 50% at a time
Answer: B

OneAtATime updates only one instance at a time, keeping the rest serving traffic, thus minimizing the number of instances out of service.

Why this answer

The OneAtATime deployment configuration shifts traffic to one new instance at a time, ensuring that only a single instance is taken out of service during the deployment. This minimizes the number of instances removed from the Auto Scaling group at any given moment, which directly meets the developer's requirement to reduce service disruption.

Exam trap

The trap here is that candidates might pick 'HalfAtATime' because it sounds like a conservative choice, but CodeDeploy's predefined HalfAtATime configuration still takes 50% of the fleet out of service at once; the predefined configuration that minimizes instances out of service is OneAtATime.

How to eliminate wrong answers

Option A (AllAtOnce) is wrong because it deploys to all instances simultaneously, taking the entire fleet out of service at once, which maximizes disruption. Option C (HalfAtATime) is wrong because, although it is a predefined CodeDeploy configuration, it takes 50% of the instances out of service at a time, far more than the single instance the developer wants. Option D (Custom with 50% at a time) is wrong because the developer specifically asked for a predefined configuration, and a custom configuration deploying to 50% of instances at a time would still take more instances out of service than the desired minimum.

774
MCQ (medium)

A developer is deploying a new version of a web application to an EC2 Auto Scaling group using AWS CodeDeploy with a blue/green deployment strategy. The Auto Scaling group is associated with an Application Load Balancer (ALB). The developer wants to ensure that the new instances are registered with the ALB and pass health checks before any traffic is routed to them. Which CodeDeploy configuration should the developer use?

A. Set the 'Reroute traffic to replacement instances' to 'Immediately'.
B. Set the 'Reroute traffic to replacement instances' to 'Wait for time' and specify a wait time.
C. Set the 'Reroute traffic to replacement instances' to 'Wait for health check' and specify the ELB health check.
D. Set the deployment to terminate the original instances before rerouting traffic.
Answer: C

This configuration ensures that new instances must pass the ELB health check before traffic is rerouted, meeting the requirement of routing traffic only to healthy instances.

Why this answer

Option C is correct because setting 'Reroute traffic to replacement instances' to 'Wait for health check' and specifying the ELB health check ensures that CodeDeploy waits for the new instances to pass the ALB health checks before rerouting traffic. This aligns with the requirement that new instances must be registered and healthy before receiving traffic, preventing downtime or routing to unhealthy targets.

Exam trap

The trap here is that candidates may confuse 'Wait for time' (a simple delay) with 'Wait for health check' (which actually verifies instance health), leading them to choose Option B, but only Option C guarantees that health checks pass before traffic is rerouted.

How to eliminate wrong answers

Option A is wrong because setting 'Reroute traffic to replacement instances' to 'Immediately' would route traffic to new instances as soon as they are registered, without waiting for health checks, risking traffic being sent to unhealthy instances. Option B is wrong because 'Wait for time' only introduces a fixed delay, not a health check verification, so traffic could be routed before instances are healthy if the wait time is too short. Option D is wrong because terminating original instances before rerouting traffic would cause downtime, as there would be no healthy instances to serve traffic during the transition.

775
MCQ (hard)

A company requires that all API calls to create an Amazon S3 bucket must include a specific tag (e.g., 'CostCenter'). Which IAM policy condition key should a developer use to enforce this requirement?

A. aws:RequestTag
B. aws:ResourceTag
C. s3:ExistingObjectTag
D. aws:TagKeys
Answer: A

This condition key checks tags that are included in the API request. You can require a specific tag key and value to be present on the CreateBucket request, ensuring that all buckets are tagged at creation.

Why this answer

Option A is correct because the `aws:RequestTag` condition key evaluates the tags that are included in the API request itself. When a developer attempts to create an S3 bucket, the IAM policy can use `aws:RequestTag` to require that a specific tag key (e.g., 'CostCenter') is present in the `CreateBucket` request. This ensures that the tag is applied at creation time, enforcing the company's tagging requirement.

Exam trap

The trap here is that candidates confuse `aws:RequestTag` (tags in the request) with `aws:ResourceTag` (tags on an existing resource), leading them to choose the wrong condition key for enforcing tagging at resource creation.

How to eliminate wrong answers

Option B is wrong because `aws:ResourceTag` evaluates the tags already attached to an existing resource, not the tags in the creation request, so it cannot enforce tagging at bucket creation. Option C is wrong because `s3:ExistingObjectTag` is used to conditionally allow actions based on tags on existing objects within a bucket, not on the bucket creation request itself. Option D is wrong because `aws:TagKeys` is used to restrict which tag keys can be used in a request, but it does not require that a specific tag key be present; it only controls the allowed set of keys.

776
MCQ (medium)

A company is using AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only the company's AWS account can access the KMS key. What should be done?

A. Disable the KMS key and re-enable it only when needed.
B. Modify the key policy to remove any statements that allow access from external AWS accounts.
C. Use an S3 bucket policy to deny access to any user not from the company's account.
D. Attach an IAM policy to the key that denies access to external accounts.
Answer: B

Key policies control access to the key.

Why this answer

Option B is correct because modifying the key policy to remove statements that grant access to external accounts ensures that only the company's own account can use the key; the key policy is the primary access control for a KMS key. Option D is wrong because IAM policies alone cannot prevent access if the key policy grants it to other accounts. Option A is wrong because disabling the key prevents all use, including the company's own.

Option C is wrong because S3 bucket policies control access to the bucket and its objects, not to the KMS key.

777
Multi-Select (hard)

A company is using AWS CodePipeline for CI/CD. The pipeline has a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The deployment is failing with 'Error: Health checks failed'. Which TWO steps should the developer take to troubleshoot this issue? (Select TWO.)

Select 2 answers
A. Verify that the target group's health check path and port are correctly configured.
B. Check the S3 bucket where the build artifacts are stored.
C. Check the CodeDeploy deployment logs for detailed error messages.
D. Check the CodeBuild build logs for errors.
E. Increase the number of EC2 instances in the Auto Scaling group.
Answers: A, C

Misconfigured health checks are a common cause of deployment failures.

Why this answer

Options A and C are correct. Checking the CodeDeploy deployment logs (C) will show detailed error messages. Verifying the target group's health check path and port (A) ensures the application is responding where the load balancer expects it.

Option D (checking CodeBuild logs) is irrelevant because the build stage succeeded. Option E (increasing instance count) does not address a health check failure. Option B (checking the S3 artifact bucket) is not directly related to a health check failure.

778
MCQ (hard)

An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer type is most appropriate?

A. IAM authorizer
B. API key authorizer
C. JWT authorizer configured for the issuer and audience
D. S3 bucket policy
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because an HTTP API Gateway with an external OIDC provider requires a JWT authorizer. The JWT authorizer validates the token's signature, issuer, and audience against the OIDC provider's configuration, ensuring only authenticated users gain access. This is the native AWS mechanism for integrating third-party OIDC identity providers like Auth0 or Okta.

Exam trap

The trap here is that candidates confuse the JWT authorizer with the Lambda authorizer, thinking a custom Lambda is always required for OIDC, but the JWT authorizer natively supports OIDC without custom code when the provider issues standard JWTs.

How to eliminate wrong answers

Option A is wrong because an IAM authorizer uses AWS Signature Version 4 for signing requests with IAM credentials, not OIDC tokens, and is designed for AWS-authenticated principals, not external identity providers. Option B is wrong because an API key authorizer only validates a static key passed in the header, which provides no authentication of the user's identity and cannot verify OIDC tokens. Option D is wrong because an S3 bucket policy controls access to S3 resources, not API Gateway endpoints, and has no mechanism to validate OIDC tokens.

779
MCQ (medium)

A developer is building a REST API with Amazon API Gateway and needs to authorize requests based on a custom JSON Web Token (JWT) that includes claims for user roles. Which authorization mechanism should the developer use?

A. Lambda authorizer
B. IAM authorizer
C. Amazon Cognito user pools authorizer
D. API Gateway resource policy
Answer: A

A Lambda authorizer can validate custom tokens and return an IAM policy based on JWT claims, offering full control over authorization logic.

Why this answer

A Lambda authorizer (formerly known as a custom authorizer) is the correct choice because it allows the developer to validate a custom JWT and extract claims such as user roles directly within the Lambda function. This enables fine-grained authorization logic that can inspect the JWT payload, verify its signature using a custom or third-party key, and return an IAM policy based on the claims, which API Gateway then enforces for the incoming request.

Exam trap

The trap here is that candidates often confuse a Lambda authorizer with a Cognito user pools authorizer, assuming any JWT can be validated by Cognito, but Cognito only accepts tokens it issued, not custom JWTs from other providers.

How to eliminate wrong answers

Option B is wrong because an IAM authorizer uses AWS Signature Version 4 to sign requests with IAM credentials, not a custom JWT; it cannot inspect or validate JWT claims like user roles. Option C is wrong because Amazon Cognito user pools authorizer only works with JWTs issued by a Cognito user pool, not with a custom JWT from an external identity provider or self-issued token. Option D is wrong because an API Gateway resource policy controls access at the account or VPC level based on source IP, VPC endpoint, or AWS account, not on individual request-level JWT claims or user roles.

780
MCQ (easy)

A developer needs to allow an IAM user to perform only specific actions on an S3 bucket. Which type of policy should be attached to the IAM user?

A. A service control policy
B. A bucket policy
C. A trust policy
D. An IAM policy
Answer: D

IAM policies are attached to users, groups, or roles to grant permissions.

Why this answer

An IAM policy (Option D) is the correct choice because it is an identity-based policy that can be directly attached to an IAM user, group, or role to grant or deny permissions for specific actions on AWS resources, including S3 buckets. This allows the developer to precisely control which S3 actions (e.g., s3:GetObject, s3:PutObject) the user can perform on a particular bucket, meeting the requirement of limiting the user to specific actions.

Exam trap

AWS often tests the distinction between identity-based policies (IAM policies) and resource-based policies (bucket policies), where candidates mistakenly choose a bucket policy thinking it can control user permissions directly, but bucket policies are tied to the resource, not the user identity.

How to eliminate wrong answers

Option A is wrong because a service control policy (SCP) is used in AWS Organizations to set permission boundaries for all accounts in an organization, not to grant permissions to individual IAM users. Option B is wrong because a bucket policy is a resource-based policy attached directly to an S3 bucket, not to an IAM user; while it can grant cross-account access, it does not control permissions for a specific IAM user within the same account. Option C is wrong because a trust policy is attached to an IAM role to define which principals (e.g., users, services) can assume that role, not to grant direct permissions for S3 actions to an IAM user.

781
Multi-Select (medium)

A company wants to audit all API calls made in their AWS account for security analysis. Which TWO services should be used together to achieve this?

Select 2 answers
A. Amazon S3
B. Amazon GuardDuty
C. AWS Config
D. AWS CloudTrail
E. Amazon CloudWatch Logs
Answers: D, E

Records API calls for auditing.

Why this answer

AWS CloudTrail is the service that records all API calls made in an AWS account, capturing details like the identity of the caller, time of the call, source IP address, and request parameters. Amazon CloudWatch Logs can then be used to store, monitor, and alert on those CloudTrail logs for security analysis, enabling custom metrics and real-time anomaly detection. Together, they provide a complete audit trail and operational visibility for security auditing.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which records API calls), leading them to select AWS Config instead of CloudTrail for auditing API activity.

782
MCQ (medium)

The exhibit shows an IAM policy attached to a user. The user reports being unable to upload files to S3 bucket 'my-bucket'. What is the MOST likely cause?

A. The user needs s3:PutObjectAcl permission
B. The bucket policy denies the upload
C. The policy does not allow s3:ListBucket
D. The user does not have s3:GetObject permission
Answer: B

A bucket policy can override IAM permissions.

Why this answer

The upload requires the s3:PutObject permission, which the IAM policy grants. However, an explicit deny in a bucket policy overrides that allow, so the most likely cause is a bucket policy that denies the upload. Option B is correct.

783
MCQ (medium)

A developer is using Amazon DynamoDB as the data store for a serverless application. The application experiences high read traffic, and the developer wants to reduce latency. The data is not frequently updated. Which DynamoDB feature should the developer use?

A. DynamoDB Auto Scaling
B. DynamoDB Global Tables
C. DynamoDB Accelerator (DAX)
D. DynamoDB Time to Live (TTL)
Answer: C

DAX provides in-memory caching for low-latency reads.

Why this answer

Option C is correct because DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency, which suits read-heavy data that is rarely updated. Option B is wrong because Global Tables are for multi-region replication, not caching. Option D is wrong because TTL is for data expiration.

Option A is wrong because auto scaling adjusts provisioned throughput, not latency.

784
MCQ (easy)

A developer runs a CloudTrail lookup command and sees a CreateKey event. What does this event represent?

A. An existing KMS key was rotated.
B. A new database encryption key was created.
C. A new KMS customer master key was created.
D. A new service-linked key was created.
Answer: C

CreateKey is the API to create a CMK.

Why this answer

The `CreateKey` event in AWS CloudTrail indicates that a new KMS customer master key (CMK) was created. This is the only operation that generates a `CreateKey` event; key rotation, database encryption key creation, and service-linked key creation use different API calls (e.g., `RotateKey`, `CreateGrant`, or `CreateKey` with a different service principal).

Exam trap

The trap here is that candidates assume `CreateKey` only applies to CMKs, but AWS services also use this API for service-linked keys; however, the exam expects you to recognize that the event name is generic and the context (e.g., `userIdentity` or `requestParameters`) determines the key type.

How to eliminate wrong answers

Option A is wrong because key rotation is performed via the `RotateKey` API or automatic rotation settings, not `CreateKey`. Option B is wrong because database encryption keys are typically managed by the database service (e.g., RDS, DynamoDB) using KMS grants or direct CMK usage, not a standalone `CreateKey` event. Option D is wrong because service-linked keys are created by AWS services on your behalf using a different API call (e.g., `CreateKey` with a service principal), but the event name is still `CreateKey`; however, the question's context implies a standard CMK creation, and service-linked keys are a specific subset that would be logged with a different `requestParameters` (e.g., `KeyUsage` and `Origin`).

785
MCQ (hard)

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent errors where some requests return HTTP 503 (Service Unavailable) errors. The developers have verified that the application code is healthy and the EC2 instances pass health checks. The ALB health check is configured to hit a specific endpoint (/health) with a healthy threshold of 2 and an unhealthy threshold of 2. The health check interval is 30 seconds, and the timeout is 5 seconds. The application's /health endpoint sometimes takes up to 6 seconds to respond due to a dependency on a third-party service. The developers want to minimize the 503 errors without changing the application code. Which action should the developer take?

A. Increase the health check timeout to 10 seconds to accommodate the slow /health endpoint.
B. Decrease the unhealthy threshold to 1 so that instances are marked unhealthy after one failed health check.
C. Increase the deregistration delay to 300 seconds to allow connections to drain.
D. Decrease the health check interval to 10 seconds to detect health changes faster.
Answer: A

Prevents false negatives due to slow responses.

Why this answer

Option A is correct because increasing the health check timeout to 10 seconds ensures that the ALB does not mark instances unhealthy when the /health endpoint takes up to 6 seconds to respond. Option D is wrong because decreasing the interval only makes health checks more frequent, increasing load without fixing the timeout. Option B is wrong because decreasing the unhealthy threshold makes instances appear unhealthy even more quickly.

Option C is wrong because the deregistration delay does not affect health checks.

786
MCQ (medium)

A company uses AWS Lambda to process incoming messages from an Amazon SQS queue. The Lambda function sometimes fails with a timeout error when the queue has a large backlog. What is the MOST efficient way to increase throughput without causing duplicate processing?

A. Increase the batch size in the event source mapping.
B. Increase the visibility timeout of the SQS queue.
C. Decrease the batch size in the event source mapping.
D. Increase the reserved concurrency of the Lambda function.
Answer: A

Increasing batch size allows more messages per invocation, directly improving throughput.

Why this answer

Option A is correct because increasing the batch size allows the function to retrieve more messages per invocation, improving throughput. Option D is wrong because increasing reserved concurrency alone may not help if the function is throttled by concurrency limits; also, without adjusting the batch size, each invocation still processes the same number of messages. Option C is wrong because decreasing the batch size reduces throughput.

Option B is wrong because increasing the visibility timeout may help with retries but does not directly increase throughput.

787
MCQ (easy)

A developer needs to allow an EC2 instance to access an S3 bucket without storing credentials on the instance. Which approach is the most secure?

A. Create an IAM user with access keys and store them on the instance.
B. Use S3 bucket policy to allow the EC2 instance's public IP.
C. Store the access keys in Systems Manager Parameter Store and retrieve at runtime.
D. Use an IAM role for EC2 with a policy granting S3 access.
Answer: D

Best practice for EC2.

Why this answer

An IAM role attached to the EC2 instance provides temporary credentials via instance metadata, avoiding hardcoded keys.

788
Multi-Select (hard)

A Lambda function processes a batch of SQS messages. Which two configurations reduce duplicate or failed-message impact?

Select 2 answers
A. Set visibility timeout to zero
B. Use a visibility timeout longer than expected processing time
C. Disable the dead-letter queue
D. Configure a dead-letter queue and partial batch response where appropriate
Answers: B, D

Correct for the stated requirement.

Why this answer

Option B is correct because a visibility timeout longer than the expected processing time prevents other consumers from reprocessing a message while it is still being handled, reducing duplicates. Option D is correct because a dead-letter queue captures messages that repeatedly fail processing, allowing analysis and preventing them from blocking the queue, while partial batch response enables the function to return a list of failed message IDs so that only those messages become visible again, reducing reprocessing of successful ones.

Exam trap

The trap here is that candidates often think setting visibility timeout to zero or disabling the DLQ simplifies processing, but in reality, these actions increase duplicate or failed-message impact by removing mechanisms that control reprocessing and isolate problematic messages.

789
Multi-Select (medium)

A company needs to store application secrets such as database passwords and API keys. The secrets must be automatically rotated every 30 days. Which THREE AWS services or features can be used together to meet this requirement? (Choose THREE.)

Select 3 answers
A. AWS Lambda to implement the rotation function
B. AWS CloudHSM
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
E. AWS KMS to encrypt the secrets
Answers: A, D, E

Secrets Manager uses Lambda to rotate secrets.

Why this answer

AWS Lambda is correct because it can be used as a custom rotation function for AWS Secrets Manager. Secrets Manager natively supports automatic rotation using a Lambda function that updates the secret value in both the service and the database or third-party service. This allows the company to meet the 30-day rotation requirement by scheduling the Lambda function via a CloudWatch Events rule or Secrets Manager's built-in rotation schedule.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager, but Parameter Store lacks native automatic rotation, making it unsuitable for this requirement without additional custom infrastructure.

790
MCQ (hard)

A company uses AWS Elastic Beanstalk to deploy a PHP application. The application requires write access to the /tmp directory on the EC2 instances. The deployment uses a custom platform. After a recent deployment, the application fails to write to /tmp. The operations team verifies that the instance security group and NACLs allow all outbound traffic. What is the MOST likely cause?

A. The application is running as an unprivileged user without write access to /tmp.
B. The security group is blocking outbound traffic to the S3 bucket.
C. The custom platform has a read-only root filesystem.
D. The instance profile does not have permissions to write to the S3 bucket.
Answer: C

Custom platforms can have read-only root filesystems; /tmp may be on root and thus read-only.

Why this answer

Option C is correct. /tmp is a path on the instance's local filesystem, so a write failure there is governed by OS-level permissions, not by IAM or networking: the instance profile (Option D) controls access to AWS APIs such as S3, not to the local disk, and the security group (Option B) only affects network traffic, which the operations team has already confirmed is open.

That leaves two OS-level explanations: the application runs as an unprivileged user without write access (Option A), or the custom platform mounts the root filesystem read-only, taking /tmp with it (Option C).

Standard Elastic Beanstalk platforms ship with a writable /tmp, so on a custom platform the most likely cause is a platform configuration that makes the root filesystem read-only. This is a common custom-platform issue, so Option C is correct.

791
MCQ (hard)

A developer is using AWS CodeDeploy to deploy a new version of an application to an Auto Scaling group. The deployment fails because the new instances do not pass the health check. The developer wants to automatically roll back the deployment if the health check fails. Which CodeDeploy setting should be configured?

A. Set the deployment configuration to AllAtOnce to speed up the process.
B. Configure a lifecycle hook to terminate failing instances.
C. Use a blue/green deployment strategy instead of in-place.
D. Enable automatic rollback in the deployment group configuration.
Answer: D

Automatic rollback will revert to the last known good revision when health checks fail.

Why this answer

Option D is correct because CodeDeploy can automatically roll back a deployment when the deployment fails or when a CloudWatch alarm is triggered. Enabling automatic rollback on deployment failure in the deployment group configuration is the direct solution.

792
MCQ (easy)

A developer is designing a REST API using Amazon API Gateway that experiences high traffic with many repeated requests for the same data. The developer wants to reduce backend load and improve response times. Which feature should the developer enable on the API Gateway method?

A. Enable API Gateway caching
B. Implement caching in the Lambda function using a local cache
C. Use an Amazon ElastiCache Redis cluster and modify the Lambda function to check the cache first
D. Place an Amazon CloudFront distribution in front of API Gateway
Answer: A

API Gateway caching caches the responses from the backend integration for a set TTL, significantly reducing the number of identical requests reaching the backend.

Why this answer

API Gateway caching stores responses from backend endpoints for a configurable Time-to-Live (TTL). When a request for the same data arrives, API Gateway serves the cached response directly without invoking the backend, reducing load and improving latency. This is the most straightforward and managed solution for repeated requests at the API layer.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a distributed cache like ElastiCache or a CDN like CloudFront, when the simplest and most cost-effective managed service (API Gateway caching) directly addresses the requirement at the API layer.

How to eliminate wrong answers

Option B is wrong because implementing a local cache inside a Lambda function is ephemeral and not shared across concurrent invocations, so it cannot reduce backend load for repeated requests from different clients. Option C is wrong because while ElastiCache Redis can cache data, it requires additional code in the Lambda function to check the cache first, adding complexity and latency compared to API Gateway's built-in caching. Option D is wrong because CloudFront caches content at the edge, but it does not reduce backend load for API Gateway itself unless combined with API Gateway caching; CloudFront alone still forwards cache misses to API Gateway, which then invokes the backend.

793
MCQ (medium)

A developer is deploying a static website to Amazon S3. The website uses client-side JavaScript to make API calls to an AWS Lambda function via Amazon API Gateway. The developer wants to enable cross-origin resource sharing (CORS) on the API Gateway to allow the S3 website to make requests. After enabling CORS on the API Gateway and redeploying the API, the browser still reports CORS errors. The developer checks the API Gateway configuration and sees that the OPTIONS method is not defined. The developer has already enabled CORS via the API Gateway console, which should have created the OPTIONS method. However, it did not appear. What should the developer do to resolve the issue?

A. Update the JavaScript in the website to use a different HTTP method.
B. Update the S3 bucket policy to allow cross-origin requests from any origin.
C. Modify the Lambda function to return CORS headers in its response.
D. Manually add an OPTIONS method to the API Gateway resource and configure the CORS headers in the integration response.
Answer: D

If the automated CORS enablement didn't create the OPTIONS method, manual creation is required.

Why this answer

Option D is correct because enabling CORS via the console should automatically create an OPTIONS method; if it did not, manually adding the OPTIONS method and configuring the CORS headers in the integration response is the next step. Option B is wrong because the S3 bucket policy is not the cause of CORS errors on API Gateway. Option C is wrong because the Lambda function does not handle the OPTIONS preflight request; API Gateway does.

Option A is wrong because the browser's CORS check is based on the server response, not on the HTTP method the client code uses.

794
Multi-Select (medium)

A developer is designing a highly available application using Amazon SQS and AWS Lambda. Which TWO strategies should the developer implement to ensure that messages are processed at least once? (Choose TWO.)

Select 2 answers
A. Configure a Dead Letter Queue (DLQ) to capture failed messages.
B. Enable long polling on the SQS queue.
C. Use a FIFO queue to ensure exactly-once processing.
D. Set the SQS queue's visibility timeout to be greater than the Lambda function's timeout.
E. Use the SQS DeleteMessage API inside the Lambda function only after successful processing.
Answers: D, E

If the function times out, the message becomes visible again, ensuring retry.

Why this answer

Options D and E are correct. Option D ensures at-least-once processing because, if the function times out before deleting the message, the message becomes visible again after the visibility timeout and is retried. Option E ensures the function deletes the message only after successful processing, so a failed attempt is not lost.

Option B is wrong because long polling reduces empty responses but does not guarantee processing. Option A is wrong because a DLQ captures messages that have already failed; it does not ensure they are processed. Option C is wrong because FIFO queues aim for exactly-once, not at-least-once, processing.

795
MCQ (easy)

A developer is building a serverless application using AWS Lambda. The function needs to access an S3 bucket to read a configuration file. What is the best way to provide the Lambda function with the bucket name?

A. Hardcode the bucket name in the Lambda function code.
B. Store the bucket name in an environment variable for the Lambda function.
C. Read the bucket name from a text file stored in the same bucket.
D. Use a KMS key to encrypt the bucket name and decrypt it in the function.
Answer: B

Environment variables are the standard way to pass configuration to Lambda, promoting separation of code and configuration.

Why this answer

Option B is correct because AWS Lambda environment variables provide a secure, configurable, and decoupled way to pass the S3 bucket name to the function without hardcoding it in the code. This follows the principle of infrastructure as code and allows the same function code to be reused across different environments (e.g., dev, staging, prod) by simply changing the environment variable value. Environment variables are encrypted at rest by default using AWS KMS, ensuring the bucket name is not exposed in plaintext within the code repository.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing KMS encryption (Option D) or the circular dependency of reading from the same bucket (Option C), when the simplest and most secure approach—environment variables—is the correct answer for decoupling configuration from code.

How to eliminate wrong answers

Option A is wrong because hardcoding the bucket name in the Lambda function code violates the separation of configuration from code, making the function environment-specific and requiring code changes to point to a different bucket. Option C is wrong because reading the bucket name from a text file stored in the same bucket creates a circular dependency: the function needs the bucket name to access the bucket, but it must first read the file from the bucket to get the name, which is impossible without prior knowledge of the bucket. Option D is wrong because using a KMS key to encrypt the bucket name and decrypt it in the function adds unnecessary complexity and overhead; environment variables are already encrypted at rest by default, and the bucket name is not sensitive data that requires custom encryption—this approach does not solve the configuration problem.

796
MCQ · easy

A developer is optimizing an S3 bucket that stores large CSV files for analytics. The files are accessed frequently for the first 30 days, then rarely accessed. After 90 days, the data must be retained for compliance but accessed infrequently. What is the MOST cost-effective lifecycle policy?

A. Use S3 Intelligent-Tiering to automatically move data between access tiers.
B. Transition to S3 One Zone-IA after 30 days, then delete after 90 days.
C. Transition to S3 Standard-IA after 30 days, then to S3 Glacier Deep Archive after 90 days.
D. Transition to S3 Glacier Flexible Retrieval after 30 days, then to S3 Glacier Deep Archive after 90 days.
Answer: C

Standard-IA is cost-effective for infrequent access after 30 days, and Deep Archive provides the lowest cost for long-term compliance.

Why this answer

Option C is correct because it transitions to S3 Standard-IA after 30 days (when access becomes rare) and to S3 Glacier Deep Archive after 90 days (for long-term compliance at the lowest cost). Option B is wrong because S3 One Zone-IA is less durable. Option D is wrong because S3 Glacier Flexible Retrieval is more expensive than Deep Archive for long-term storage.

Option A is wrong because S3 Intelligent-Tiering has monitoring costs and is not needed if access patterns are known.

797
Multi-Select · easy

Which TWO are benefits of using AWS CloudFormation for infrastructure deployment? (Choose two.)

Select 2 answers
A. Infrastructure is provisioned consistently across environments.
B. Automatically enforces compliance rules.
C. Automatically rolls back changes if stack creation fails.
D. Replaces the need for a CI/CD pipeline.
E. Provides real-time monitoring of deployed resources.
Answers: A, C

Infrastructure as code ensures consistency.

Why this answer

Options A and C are correct. CloudFormation provides consistent provisioning (infrastructure as code) and automated rollback on failure. Option B is wrong because CloudFormation is not a compliance service.

Option D is wrong because it does not replace CI/CD. Option E is wrong because it does not provide real-time monitoring.

798
MCQ · easy

A developer runs the command above. The output.txt file is empty. What could be the reason?

A. The payload is not valid JSON.
B. The Lambda function did not return any output.
C. The Lambda function timed out.
D. The function name is incorrect.
Answer: B

Lambda returns the handler's response; if there is no return value, the output is empty.

Why this answer

Option B is correct because, by default, a synchronous invocation writes only the function's response to output.txt; if the function returns nothing or errors, output.txt may be empty. Option D is wrong because a non-existent function returns a 404. Option A is wrong because an invalid payload may cause an error, but that error is still written to stderr.

Option C is wrong because a Lambda invocation with --payload does not need an explicit return; empty output means the function returned nothing.

799
Multi-Select · medium

Which THREE factors should a developer consider when designing a stateless application on AWS? (Choose 3)

Select 3 answers
A. Avoid storing data on the local file system of the instances
B. Store session state in a shared external datastore like ElastiCache
C. Store session state in the instance memory for low latency
D. Use sticky sessions on the load balancer to maintain session affinity
E. Use a shared database like Amazon DynamoDB for persistent data
Answers: A, B, E

Local storage is not shared and can be lost if the instance terminates.

Why this answer

Options A, B, and E are correct. A stateless application should store session state externally (e.g., ElastiCache), use a shared database for data storage, and avoid storing state on local instance storage. Option D is wrong because sticky sessions create statefulness.

Option C is wrong because storing state in memory makes the instance stateful.

800
MCQ · medium

A company has a legacy application that generates log files on an EC2 instance. The developer needs to stream these log files to Amazon CloudWatch Logs in real time. The developer installed the CloudWatch agent on the EC2 instance and configured it to monitor the log files. However, the logs are not appearing in CloudWatch Logs. The developer checks the agent status and sees that the agent is running. What is the most likely cause of this issue?

A. The log file format is not compatible with the CloudWatch agent.
B. The EC2 instance is in a private subnet without internet access.
C. The EC2 instance does not have an IAM role with the necessary CloudWatch Logs permissions.
D. The CloudWatch agent configuration file does not specify an existing log group.
Answer: C

The CloudWatch agent requires permissions such as logs:PutLogEvents, logs:CreateLogStream, and logs:DescribeLogStreams.

Why this answer

Option C is correct because the CloudWatch agent needs an IAM role with permission to put log events. Option B is wrong because the agent does not need internet access if VPC endpoints are used. Option D is wrong because the agent configuration file does not require the log group to exist beforehand; the agent can create it.

Option A is wrong because the agent can handle various log formats; a format mismatch would not prevent logs from appearing, although they might be parsed incorrectly.

801
MCQ · easy

A developer needs to securely pass a secret API key to an AWS Lambda function. What is the MOST secure and recommended approach?

A. Store the API key in an Amazon DynamoDB table and query it from the Lambda function.
B. Hardcode the API key in the Lambda function code.
C. Store the API key in an environment variable of the Lambda function.
D. Store the API key in AWS Secrets Manager and retrieve it in the Lambda function code.
Answer: D

Secrets Manager encrypts secrets and integrates with Lambda.

Why this answer

Option D is correct because AWS Secrets Manager stores secrets securely and Lambda can retrieve them at runtime. Option C is wrong because environment variables are visible in the console. Option A is wrong because storing the key in DynamoDB is less secure and requires additional permissions.

Option B is wrong because hardcoding the key in code is insecure.

802
MCQ · easy

A developer is building a RESTful API using AWS Lambda and Amazon API Gateway. The API needs to support HTTP methods GET, POST, and DELETE. The developer wants to minimize code and operational overhead. Which API Gateway integration type should the developer use?

A. Lambda proxy integration
B. Lambda custom integration
C. HTTP integration
D. Mock integration
Answer: A

Lambda proxy integration minimizes code and overhead by passing the full request to Lambda.

Why this answer

Lambda proxy integration is the simplest and most common approach. It passes the entire request to the Lambda function, which handles routing and response formatting, minimizing code and overhead. Custom integration requires mapping templates, HTTP integration forwards to an HTTP endpoint, and mock integration is for testing.

803
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets across all accounts have server-side encryption enabled. They have created an SCP that denies the s3:PutBucketAcl action unless the request includes the x-amz-server-side-encryption header. However, some application teams report that they cannot create buckets even when they include the required header. What is the MOST likely cause of this issue?

A. The SCP is incorrectly targeting s3:PutBucketAcl instead of s3:CreateBucket.
B. The SCP is not applied to the root OU, only to specific accounts.
C. The condition key in the SCP is misspelled.
D. The SCP is being overridden by a resource-based policy on the S3 bucket.
Answer: A

The SCP should deny s3:CreateBucket unless the encryption header is present.

Why this answer

Option A is correct because the SCP denies s3:PutBucketAcl, not s3:CreateBucket. The SCP should deny s3:CreateBucket unless the encryption header is present. Option D is wrong because SCPs do not evaluate resource-based policies.

Option B is wrong because SCPs apply to all principals in the account. Option C is wrong because the issue is with the SCP action, not the header condition.

804
MCQ · medium

A Lambda function needs temporary scratch space larger than the default while processing images. Which setting should be adjusted?

A. Reserved concurrency
B. Ephemeral storage size for /tmp
C. Function URL auth type
D. Dead-letter queue target
Answer: B

Correct for the stated requirement.

Why this answer

Lambda functions have a default /tmp storage of 512 MB, which is insufficient for large image processing tasks. Adjusting the ephemeral storage size (up to 10,240 MB) provides the necessary scratch space for temporary files, such as intermediate image buffers or resized outputs, without requiring external storage like EFS.

Exam trap

The trap here is that candidates confuse ephemeral storage with memory allocation or external storage services, assuming that increasing the function's memory or using S3 will solve the scratch space issue, when the /tmp directory is the only directly configurable scratch space within the Lambda execution environment.

How to eliminate wrong answers

Option A is wrong because reserved concurrency controls the maximum number of concurrent executions for a function, not storage capacity. Option C is wrong because the function URL auth type (e.g., AWS_IAM or NONE) determines authentication for HTTP invocations, not storage. Option D is wrong because a dead-letter queue target (e.g., SQS or SNS) is used for capturing failed asynchronous invocations, not for providing scratch space.

805
MCQ · hard

A company uses AWS CodePipeline to automate deployments. The pipeline source stage uses Amazon S3. The developer wants to automatically trigger the pipeline when a new version of the source file is uploaded. The developer has configured S3 event notifications to invoke a Lambda function that starts the pipeline. However, the pipeline is not triggering. What is the most likely cause?

A. S3 versioning is not enabled on the bucket.
B. The pipeline execution role does not have permission to read from the S3 bucket.
C. The Lambda function does not have permission to start the pipeline.
D. The S3 bucket does not have a bucket policy that allows S3 to invoke Lambda.
Answer: A

Object-creation event notifications work without versioning, but a pipeline that expects a specific object version needs versioning enabled. In practice the more likely cause would be a missing event notification configuration or a Lambda function that is not being invoked, but among the given options, versioning is the common requirement for pipeline triggers.

Why this answer

Option A is correct because S3 event notifications require versioning to be enabled on the bucket to detect object version changes. Option C is wrong because the Lambda function can start the pipeline without a version ID. Option D is wrong because a bucket policy can be set to allow, not block.

Option B is wrong because the pipeline execution role is used for pipeline actions, not for the trigger.

806
MCQ · hard

A company runs a Node.js application on Amazon EC2 instances behind an Application Load Balancer (ALB). Users report intermittent 503 errors. The ALB target group health checks are failing. The developer checks the EC2 instance logs and sees no application errors. What is the MOST likely cause?

A. The health check path is set to '/' but the application serves on a different path.
B. The EC2 instances are running out of memory.
C. The health check path returns a 5xx status code due to a missing dependency.
D. The security group for the EC2 instances does not allow inbound traffic from the ALB.
Answer: C

Intermittent failure could be due to an occasionally missing dependency causing the health check to return 503.

Why this answer

Option C is correct because, if health checks are failing while the application itself works, the health check path or its configuration is the likely culprit. Option D is wrong because security group rules blocking health checks would cause constant failure, not intermittent failure. Option B is wrong because the application is responding on the correct port.

Option A is wrong because health checks target a specific path, not the root.

807
Multi-Select · medium

A developer is deploying an application using AWS CloudFormation. The stack includes an Amazon RDS DB instance. To ensure secure credential management, which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Use AWS Systems Manager Parameter Store with a SecureString parameter for the password.
B. Use AWS Secrets Manager to store the master password and reference it dynamically.
C. Hardcode the master password in the CloudFormation template.
D. Use IAM database authentication to manage credentials.
E. Leave the master password empty so that CloudFormation generates a random password.
Answers: A, B

Parameter Store with SecureString provides encrypted storage for the password.

Why this answer

Options A and B are correct. Using AWS Secrets Manager or Systems Manager Parameter Store to store database credentials securely is a best practice. Option C is incorrect because hardcoding credentials in the template is insecure.

Option E is incorrect because the default password is not automatically randomized; it must be explicitly set. Option D is incorrect because IAM database authentication is separate from credential storage.

808
MCQ · hard

A company runs a microservices architecture on Amazon ECS with Fargate. Each service exposes an HTTP API and needs to be accessible only from the company's internal network via a VPN. The services are deployed in private subnets. What is the MOST secure and scalable way to expose these services?

A. Create a VPC Endpoint service powered by PrivateLink and a Network Load Balancer in front of the services.
B. Place an Application Load Balancer in public subnets and point to the services' target groups.
C. Use a NAT Gateway to allow inbound traffic from the VPN to the services.
D. Use an Internet Gateway and route traffic from the VPN to the services.
Answer: A

PrivateLink allows private connectivity via an NLB without internet exposure.

Why this answer

Option A is correct. AWS PrivateLink with a Network Load Balancer lets you expose services privately within your VPC without internet access. Option B is wrong because an ALB in public subnets exposes the services to the internet.

Option D is wrong because an Internet Gateway is for public access. Option C is wrong because a NAT Gateway is for outbound traffic, not inbound.

809
MCQ · hard

Refer to the exhibit. A developer is troubleshooting a failed CodeDeploy deployment to an EC2 Auto Scaling group. The instance logs show that the 'BeforeInstall' script failed with exit code 1. What should the developer do to resolve the issue?

A. Review the BeforeInstall script for errors and fix them.
B. Ensure the CodeDeploy agent is installed and running on the instance.
C. Verify that the scripts location in the AppSpec file is correct.
D. Check that the instance's IAM role has permissions to download the revision.
Answer: A

Exit code 1 indicates a script error.

Why this answer

Option A is correct because the BeforeInstall hook script failed, so the developer should review the script's logic and fix any errors. Option C is wrong because the scripts location must already be correct if the script ran and exited with code 1. Option D is wrong because the IAM role likely has sufficient permissions if the script runs.

Option B is wrong because the CodeDeploy agent must be running if it executes scripts.

810
MCQ · easy

A developer needs to allow an EC2 instance to access a DynamoDB table. Which IAM entity should be attached to the EC2 instance?

A. IAM group
B. IAM role
C. IAM user
D. Resource-based policy on the DynamoDB table
Answer: B

Roles provide temporary credentials to the instance.

Why this answer

An IAM role is the correct entity to attach to an EC2 instance because it provides temporary security credentials via the AWS Security Token Service (STS) that the instance can assume. This allows the EC2 instance to securely access the DynamoDB table without embedding long-term access keys in the instance. The role is attached to the instance profile, which the EC2 instance metadata service (IMDS) uses to retrieve credentials automatically.

Exam trap

The trap here is that candidates often confuse IAM roles with IAM users, thinking a user can be attached to an EC2 instance, but AWS does not allow attaching a user to a resource—only roles can be assumed by AWS services like EC2.

How to eliminate wrong answers

Option A is wrong because an IAM group is a collection of IAM users and cannot be directly attached to an EC2 instance; groups are used to manage permissions for users, not for AWS resources. Option C is wrong because an IAM user has long-term credentials (access key ID and secret access key) that would need to be stored on the EC2 instance, which is a security risk and not a best practice for granting permissions to an AWS service. Option D is wrong because a resource-based policy on the DynamoDB table can grant access to principals (like IAM roles or users) but cannot be attached to an EC2 instance; the EC2 instance itself must have an identity (role) to authenticate against the policy.

811
MCQ · hard

A company has a requirement that all API calls to AWS must be logged and monitored for suspicious activity. They want to receive alerts when root account activity is detected. Which AWS service and configuration should they use?

A. Enable AWS CloudTrail and configure SNS notifications for root account events.
B. Enable AWS CloudTrail and create a CloudWatch Events rule to match root account API calls and trigger a Lambda function.
C. Use VPC Flow Logs to capture API calls and analyze with Athena.
D. Use AWS Config rules to detect root account usage.
Answer: B

Correct combination for alerting.

Why this answer

Option B is correct because AWS CloudTrail captures all API calls, including those made by the root account. By creating a CloudWatch Events (now Amazon EventBridge) rule that matches the `userIdentity.type` field set to `Root` and the `eventSource` set to `signin.amazonaws.com`, you can trigger a Lambda function to send alerts or perform remediation. This provides real-time monitoring and notification for suspicious root account activity.

Exam trap

The trap here is confusing CloudTrail's logging capability with direct notification configuration—candidates often think SNS can be attached directly to CloudTrail, but CloudTrail requires an intermediary like CloudWatch Events to filter and route events to SNS or Lambda.

How to eliminate wrong answers

Option A is wrong because while CloudTrail logs root account events, SNS notifications cannot be directly configured on CloudTrail; you need a CloudWatch Events rule to filter and route the events to an SNS topic. Option C is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) at layer 3/4, not API call details; they cannot log or monitor AWS API calls. Option D is wrong because AWS Config rules evaluate resource configuration compliance (e.g., whether an S3 bucket is public), not user activity or API call patterns; they cannot detect root account usage.

812
Multi-Select · hard

A developer is deploying a serverless application using AWS SAM. The application includes an Amazon DynamoDB table and a Lambda function that reads from the table. The developer wants to ensure that the Lambda function has the minimum required permissions to read from the table. Which THREE statements about SAM policy templates are correct? (Choose THREE.)

Select 3 answers
A. SAM policy templates are AWS-managed policies that can be applied to Lambda function roles
B. SAM policy templates can be applied in the Globals section of the SAM template
C. SAM policy templates allow fine-grained resource-level permissions by specifying ARNs
D. SAM policy templates can be used to grant permissions to custom resources
E. The DynamoDBReadPolicy template grants read access to a DynamoDB table
Answers: A, B, E

Templates are managed policies.

Why this answer

Options A, B, and E are correct. SAM policy templates provide managed policies, can be used in the Globals section, and DynamoDBReadPolicy grants read access. Option D is incorrect because policy templates do not support custom resources.

Option C is incorrect because templates cover common use cases, not fine-grained resource-level permissions.

813
MCQ · easy

A developer is troubleshooting a web application that intermittently returns HTTP 504 errors. The application runs on EC2 instances behind an Application Load Balancer. What is the most likely cause of these errors?

A. The target group is using an HTTPS health check but the instances only support HTTP.
B. The load balancer's cross-zone load balancing is disabled.
C. The load balancer idle timeout is set too low, and the application takes longer than the timeout to respond.
D. The security group for the EC2 instances is missing an inbound rule for the load balancer.
Answer: C

Idle timeout exceeded leads to 504.

Why this answer

HTTP 504 (Gateway Timeout) errors from an Application Load Balancer indicate that the load balancer successfully connected to the target (EC2 instance) but the target did not respond within the configured idle timeout period. The default idle timeout is 60 seconds, and if the application's processing time exceeds this value, the load balancer terminates the connection and returns a 504. Option C directly addresses this mismatch between the load balancer timeout and the application response time.

Exam trap

The trap here is that candidates often confuse HTTP 504 (Gateway Timeout) with HTTP 502 (Bad Gateway) or health check failures, leading them to select options related to security groups or health check mismatches instead of the correct idle timeout configuration.

How to eliminate wrong answers

Option A is wrong because HTTPS health checks require the target to support HTTPS; if the instances only support HTTP, the health check would fail and the instances would be marked unhealthy, leading to 503 errors (not 504). Option B is wrong because disabling cross-zone load balancing affects traffic distribution across Availability Zones, not the timeout behavior that causes 504 errors. Option D is wrong because a missing inbound security group rule for the load balancer would prevent the load balancer from establishing connections to the instances, resulting in 502 errors or health check failures, not intermittent 504 timeouts.

814
Multi-Select · medium

Which THREE are best practices for deploying applications with AWS Elastic Beanstalk? (Choose THREE.)

Select 3 answers
A. Manually update EC2 instances in the environment.
B. Use environment configuration files (.ebextensions) to manage settings.
C. Use a blue/green deployment to minimize downtime.
D. Deploy to a staging environment before production.
E. Always use the default Elastic Beanstalk domain for production.
Answers: B, C, D

Configuration files ensure consistent deployments.

Why this answer

Options B, C, and D are correct. Managing environment configuration as code, deploying to a staging environment first, and using a blue/green deployment process are best practices. Option A is incorrect because manual changes to instances should be discouraged.

Option E is incorrect because using the default domain is not a best practice; custom domains should be used.

815
MCQ · easy

A developer is using AWS CodeBuild to compile and package a Java application. The build process takes longer than expected. The developer wants to speed up the build by reusing dependencies that have not changed between builds. Which feature should the developer enable?

A. Configure the build project to run builds concurrently
B. Enable build artifacts in the CodeBuild project
C. Enable caching for the CodeBuild project by specifying an S3 bucket for cache storage
D. Store the build's output artifacts in an S3 bucket
Answer: C

Caching reuses unchanged dependencies.

Why this answer

Option C is correct because caching in CodeBuild allows previously downloaded dependencies to be reused. Option B is incorrect because build artifacts are outputs, not dependencies. Option D is incorrect because S3 is used there for artifacts, not dependencies.

Option A is incorrect because concurrent builds run separate builds; they do not reuse dependencies.

816
Multi-Select · easy

A developer is using an Amazon SQS queue with a Lambda function as a consumer. Messages are being sent to the queue but the Lambda function is not processing them. Which THREE of the following are possible causes?

Select 3 answers
A. The SQS queue has a dead-letter queue configured.
B. The SQS queue policy denies access to the Lambda function.
C. The Lambda function's execution role does not have sqs:ReceiveMessage permission.
D. The SQS queue has a rate limit that prevents Lambda from polling.
E. The event source mapping between SQS and Lambda is disabled.
Answers: B, C, E

A queue policy can explicitly deny access.

Why this answer

Option C is correct because the Lambda function may not have permission to poll the queue. Option B is correct because the SQS queue might have a policy that denies access. Option E is correct because the event source mapping might be disabled.

Option A is wrong because a DLQ is for failed messages; it does not prevent processing. Option D is wrong because SQS has no rate limiting for Lambda polling.

817
MCQ · hard

A developer is trying to decrypt an S3 object using an AWS KMS key. The decryption fails with an 'AccessDenied' error. The IAM policy attached to the developer's user includes the statement in the exhibit. The KMS key policy includes the following statement: { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "kms:*", "Resource": "*" } What is the most likely reason for the failure?

A. The KMS key policy does not grant access to the developer's IAM user.
B. The KMS key policy specifies 'kms:*' which is too broad and causes a conflict.
C. The developer's IAM policy does not include 'kms:GenerateDataKey' permission.
D. The developer's IAM policy uses 'Resource' with the full key ARN but the key policy requires a different format.
Answer: C

S3 SSE-KMS decryption often requires GenerateDataKey as well.

Why this answer

The IAM policy only grants kms:Decrypt, but to decrypt an S3 object the developer also needs kms:GenerateDataKey (if using envelope encryption) or kms:ReEncrypt. The most common issue, however, is that the IAM policy does not allow the necessary action. Option C is correct because the developer's IAM policy lacks 'kms:GenerateDataKey', which is often needed.

Option A is wrong because the key policy allows IAM users. Option B is wrong because the key policy uses the root account. Option D is wrong because the key policy does not restrict the principal.

818
MCQ · easy

A developer is deploying a serverless application using AWS CloudFormation. The stack creation fails with the error 'The following resource(s) failed to create: [MyLambdaFunction]'. The developer checks the CloudWatch logs but finds no logs for the Lambda function. What is the most likely reason?

A. The Lambda function code has a syntax error that prevents creation.
B. The Lambda function was never invoked.
C. The Lambda function's IAM role does not have permission to write to CloudWatch Logs.
D. The CloudFormation template has a syntax error.
Answer: C

If the role lacks logs:CreateLogGroup and logs:CreateLogStream, the function cannot create a log group, causing creation to fail.

Why this answer

Option C is correct because the error indicates the Lambda function resource failed to create, and the absence of CloudWatch logs suggests the function was created but lacked the necessary IAM permissions to write logs. Without the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` permissions, Lambda cannot write to CloudWatch Logs, so no logs appear even if the function is invoked. This is a common misconfiguration when deploying Lambda via CloudFormation without attaching the proper IAM policy.

Exam trap

The trap here is that candidates assume the absence of logs means the function was never invoked or had a code error, but the key clue is the creation failure—if the function resource itself fails to create, logs cannot exist, pointing to a permissions issue during the initial provisioning phase.

How to eliminate wrong answers

Option A is wrong because a syntax error in the Lambda function code would not prevent the resource from being created; CloudFormation would still create the function, but invocation would fail, and logs would appear (if permissions allow). Option B is wrong because the error message states the resource failed to create, meaning the function was never successfully created, so it cannot be invoked; the absence of logs is not due to lack of invocation but due to creation failure. Option D is wrong because a CloudFormation template syntax error would cause a different error (e.g., 'Template validation error') and would prevent the entire stack from being parsed, not just a single resource creation failure.

819
MCQ · easy

A company wants to encrypt data at rest in an S3 bucket. Which AWS service can provide encryption keys that are managed by AWS and rotated automatically?

A. SSE-KMS (Server-Side Encryption with AWS KMS)
B. SSE-S3 (Server-Side Encryption with S3 Managed Keys)
C. SSE-C (Server-Side Encryption with Customer-Provided Keys)
D. Client-side encryption using AWS KMS.
Answer: B

AWS manages and rotates keys.

Why this answer

SSE-S3 uses encryption keys that are managed entirely by AWS and are rotated automatically on a regular basis. This option meets the requirement for AWS-managed keys with automatic rotation without any additional configuration or cost.

Exam trap

The trap here is that candidates often confuse SSE-KMS with AWS-managed keys, but SSE-KMS uses customer-managed keys by default, and automatic rotation is only available for AWS-managed keys in KMS (which are not the default for SSE-KMS).

How to eliminate wrong answers

Option A is wrong because SSE-KMS uses AWS KMS keys, which are managed by the customer (customer-managed keys) by default and require manual rotation or configuration for automatic rotation, and incur additional costs. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys, and AWS does not rotate them. Option D is wrong because client-side encryption is performed by the client application before data is sent to S3, and the keys are managed by the client, not by AWS.

820
MCQeasy

A developer needs to deploy a containerized application on AWS. The application requires persistent storage for stateful data. Which AWS compute service should the developer choose?

A.Amazon ECS with Fargate
B.AWS Elastic Beanstalk
C.Amazon EKS with Fargate
D.AWS Lambda
AnswerA

Supports persistent storage by mounting Amazon EFS file systems into Fargate tasks.

Why this answer

Option A is correct because Amazon ECS on Fargate can mount an Amazon EFS file system as a task volume (Fargate platform version 1.4.0 or later), so stateful data survives task stops and replacements. Bind mounts on Fargate map the task's ephemeral storage and are discarded with the task; EFS is what makes the storage persistent. Option D is wrong because AWS Lambda runs short-lived, event-driven functions in ephemeral execution environments and is not a fit for hosting a long-running containerized application. Option B is wrong because Elastic Beanstalk, even on its Docker platform, is an application-deployment service that provisions and manages EC2 instances on your behalf; it is not the container compute service the question asks for.

Option C is wrong only on the 'best fit' criterion: Amazon EKS on Fargate also supports persistent volumes backed by EFS (through the EFS CSI driver), but it adds Kubernetes cluster management that the scenario does not require, so ECS on Fargate meets the need with less operational overhead.

821
MCQmedium

A company is building a serverless application using AWS Lambda to process user uploads to Amazon S3. The Lambda function needs to access a DynamoDB table to store metadata. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Store IAM user access keys in the Lambda function's environment variables.
B.Use a resource-based policy on the DynamoDB table to allow the Lambda function's ARN.
C.Create an IAM role with a policy that grants DynamoDB access and attach it to the Lambda function.
D.Hardcode the DynamoDB credentials in the Lambda function code.
AnswerC

An IAM execution role gives the function short-lived credentials that AWS issues and rotates automatically, so no secret has to be stored with the code or its configuration.

Why this answer

Option C is correct because a Lambda function runs with the credentials of its execution role: Lambda assumes the role and injects temporary, automatically rotated credentials into the execution environment, so a policy on that role scoped to the one table and the specific actions the handler needs (PutItem, GetItem, Query rather than dynamodb:*) is the least-privilege, secretless way to grant access. Option A is wrong because IAM user access keys in environment variables are long-lived secrets that anyone with lambda:GetFunctionConfiguration can read, that leak into exported templates, and that cannot be rotated without a redeploy. Option B is wrong because a resource-based policy grants access to IAM principals, and a function ARN is not a principal; the function's requests are signed with its execution role, so the role still needs the permission (DynamoDB does support resource-based policies, but they complement the role, chiefly for cross-account access, rather than replace it).

Option D is wrong because credentials hardcoded in the deployment package end up in every copy of the code, in version control and in the function's downloadable artifact, which is the same long-lived-secret problem as option A with even less control.
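The role-based approach in concrete form, together with a check for the anti-pattern in option A. This is an added example, not code from the exam page: the table ARN, the action list and the environment variables are constructed, and the access key pair planted in the sample configuration is the well-known AWS documentation example pair, not a live credential.

```python
"""Execution-role permissions for a Lambda function that writes upload metadata to
DynamoDB, and a scan for IAM user credentials hidden in function configuration.

Added example, not code from the exam page. The table ARN, the action list and
the environment variables are constructed; the access key pair planted below is
the AWS documentation example pair, not a live credential.
"""
from __future__ import annotations
import json
import re

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UploadMetadata"  # assumed


def lambda_trust_policy() -> dict:
    """Trust policy: only the Lambda service may assume the execution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def least_privilege_policy(table_arn: str, actions: list[str]) -> dict:
    """Permissions policy scoped to the named actions on one table and its indexes.

    Wildcard actions and non-DynamoDB actions are refused so the policy cannot
    quietly widen into dynamodb:* or Resource: "*".
    """
    bad = [a for a in actions if not a.startswith("dynamodb:") or "*" in a]
    if bad:
        raise ValueError(f"refusing wildcard or non-DynamoDB actions: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UploadMetadataTable",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


# Access key IDs start with AKIA (long-lived) or ASIA (temporary); secret keys are
# 40 characters of base64-style text.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def find_embedded_credentials(env: dict[str, str]) -> list[str]:
    """Flag configured environment variables that carry IAM user credentials.

    Lambda rejects the reserved names AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in
    function configuration, so smuggled keys usually hide under other names.
    """
    findings = []
    for name, value in env.items():
        if ACCESS_KEY_RE.search(value):
            findings.append(f"{name}: value looks like an IAM access key ID")
        elif SECRET_KEY_RE.match(value) and "SECRET" in name.upper():
            findings.append(f"{name}: value looks like an IAM secret access key")
    return findings


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(
        TABLE_ARN, ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query"]), indent=2))
    smuggled = {   # constructed function configuration with planted example keys
        "TABLE_NAME": "UploadMetadata",
        "DDB_ACCESS_KEY": "AKIAIOSFODNN7EXAMPLE",
        "DDB_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    }
    for finding in find_embedded_credentials(smuggled):
        print("WARNING:", finding)
```

The two policy documents are what you would attach when creating the role (the trust policy as AssumeRolePolicyDocument, the permissions policy inline or as a customer managed policy); the credential scan is the kind of check worth running over every function's configuration in an account, not just the one in the question.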

822
MCQmedium

A company is using AWS CodeCommit and wants to ensure that all commits are signed with GPG keys. Which approach should be used to enforce this?

A.Use AWS Organizations service control policies (SCPs) to deny unsigned commits.
B.Enable 'Require signed commits' in the CodeCommit repository settings.
C.Create an IAM policy that denies codecommit:GitPush unless the commit is signed.
D.Use an AWS Lambda function as a pre-commit hook in the repository.
AnswerC

IAM policies are the only server-side control CodeCommit applies to a push; there is no repository setting for signature enforcement.

Why this answer

Option C is the keyed answer because CodeCommit has no repository-level 'require signed commits' setting and runs no server-side hooks, so the IAM policy on the pushing principal is the only control AWS evaluates when a push arrives. Be precise about what that policy can see, though: CodeCommit's condition keys describe the push request, not the commits inside it. `codecommit:References`, for example, lets you deny `codecommit:GitPush` to protected branches or tags, but no condition key exposes whether a commit carries a valid GPG signature, so the signing requirement itself cannot be expressed in IAM. In practice teams set `commit.gpgsign true` in each developer's Git configuration and verify after the push, using a repository trigger that invokes a Lambda function or a CodeBuild step that runs `git verify-commit` over the pushed range and fails on unsigned commits.

Exam trap

The trap here is that candidates expect a toggle like GitHub's 'Require signed commits' branch protection. CodeCommit has none, so the exam points you at IAM as the server-side control; keep in mind that IAM can only restrict who may push to which references, so signature verification still has to happen on the client or in a post-push check.

How to eliminate wrong answers

Option A is wrong because service control policies are permission guardrails applied to accounts and organizational units; like any IAM policy they act on API requests and their condition keys, and they cannot read Git objects or evaluate the signature on a commit. Option B is wrong because CodeCommit has no built-in 'Require signed commits' setting in its repository configuration; that feature belongs to other Git hosting services such as GitHub or GitLab. Option D is wrong because CodeCommit does not run server-side Git hooks, and pre-commit hooks live in each developer's local .git/hooks directory, where they can be skipped or deleted; what CodeCommit does offer are repository triggers that call a Lambda function or SNS topic after a push, which can detect unsigned commits but cannot block the push.
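The post-push verification described above, as an added example that is not code from the exam page or from AWS. It consumes the output of `git log --format='%G?%x00%H%x00%GK%x00%s' <base>..<head>` (the %G? signature status letter, the commit hash, the signing key ID and the subject, NUL-separated) and is the kind of check a repository trigger or a CodeBuild step would run over the pushed range; the sample log lines are constructed and the trusted key ID is assumed.

```python
"""Gate for GPG-signed commits, fed by `git log --format='%G?%x00%H%x00%GK%x00%s'`.

Added example, not code from the exam page. The sample log is constructed and
the trusted key ID is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Meaning of git's %G? placeholder.
SIGNATURE_STATUS = {
    "G": "good signature",
    "U": "good signature, key not trusted in the local keyring",
    "B": "BAD signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    status: str
    key_id: str
    subject: str


def parse_git_log(text: str) -> list[Commit]:
    """Parse NUL-separated lines produced by the git log format above."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        status, sha, key_id, subject = line.split("\x00", 3)
        commits.append(Commit(sha, status, key_id, subject))
    return commits


def rejected_commits(commits: list[Commit], trusted_key_ids: set[str]) -> list[tuple[Commit, str]]:
    """Commits that fail a 'signed by an approved key' gate, with the reason.

    'U' is accepted alongside 'G' because a CI keyring rarely has trust set;
    the allowlist of key IDs is what establishes trust here.
    """
    rejected = []
    for c in commits:
        if c.status not in ("G", "U"):
            rejected.append((c, SIGNATURE_STATUS.get(c.status, "unknown status")))
        elif c.key_id not in trusted_key_ids:
            rejected.append((c, f"signed by key {c.key_id}, which is not on the allowlist"))
    return rejected


# Constructed sample: four commits, one per interesting case.
SAMPLE_LOG = "\n".join([
    "G\x00" + "a" * 40 + "\x000AB12CD34EF56789\x00Add upload handler",
    "U\x00" + "b" * 40 + "\x00FEDCBA9876543210\x00Fix retry loop",
    "N\x00" + "c" * 40 + "\x00\x00Quick hotfix",
    "B\x00" + "d" * 40 + "\x000AB12CD34EF56789\x00Rewrite history",
])
TRUSTED_KEYS = {"0AB12CD34EF56789"}   # assumed team key ID


if __name__ == "__main__":
    bad = rejected_commits(parse_git_log(SAMPLE_LOG), TRUSTED_KEYS)
    for commit, reason in bad:
        print(f"REJECT {commit.sha[:12]} {commit.subject!r}: {reason}")
    raise SystemExit(1 if bad else 0)   # non-zero exit fails the build step
```

Run it over `origin/main..HEAD` in the build and the step fails on the first unsigned, badly signed or unapproved-key commit; the keyring used by the build must contain the public keys on the allowlist, otherwise every commit reports `E` and is rejected for the wrong reason.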

823
MCQmedium

A company has a Lambda function that processes messages from an SQS queue. The function sometimes fails to process a message, and the message is not retried. The developer wants to ensure that failed messages are retried at least once. What should the developer do?

A.Configure a dead-letter queue (DLQ) for the SQS queue.
B.Configure the SQS queue's redrive policy with a maxReceiveCount of 2 and a DLQ.
C.Set the Lambda function's retry attempts to 0 in the event source mapping.
D.Increase the SQS queue's visibility timeout to 6 hours.
AnswerB

A maxReceiveCount of 2 lets the function receive each message twice before SQS moves it to the DLQ, which is one initial attempt plus one retry.

Why this answer

Option B is correct because retries for an SQS event source are governed by the queue, not by Lambda. When the function returns an error, Lambda does not delete the batch; the messages become visible again after the visibility timeout and are received again, and SQS counts each receive against the redrive policy's maxReceiveCount. With a DLQ and maxReceiveCount of 2, every message is attempted at least twice before it is moved aside, so a transient failure gets one retry and a poison message cannot loop forever. Option A is wrong because a DLQ by itself only says where messages should go; without a redrive policy that names it and sets maxReceiveCount nothing moves messages there and the number of attempts is unbounded. Option C is wrong because the event source mapping's retry-attempts setting (MaximumRetryAttempts) exists only for stream sources (Kinesis and DynamoDB Streams) and has no effect on SQS. Option D is wrong because a longer visibility timeout only delays when a failed message is received again; it neither guarantees a retry nor bounds the number of attempts.

One more thing to check in the scenario as described: if the handler catches the exception and returns normally, Lambda treats the batch as processed and deletes the messages, which is the usual reason a failed message is 'not retried'. Set the visibility timeout to at least six times the function timeout as well, so an in-flight message is not redelivered while the first invocation is still running.
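The queue setting and a handler that reports failures correctly, as an added example rather than code from the exam page. It shows the RedrivePolicy attribute that option B sets, a handler that uses partial-batch responses so only the failed records return to the queue, and a small model of how maxReceiveCount translates into deliveries; the queue ARN, the event and the business rule in process() are constructed.

```python
"""Lambda consumer for an SQS event source with partial-batch reporting, plus the
redrive policy that gives every message at least one retry.

Added example, not code from the exam page. The queue ARN, the event shape and
the business rule in process() are constructed for illustration.
"""
from __future__ import annotations
import json


def redrive_policy(dlq_arn: str, max_receive_count: int) -> dict[str, str]:
    """Attribute map for sqs.set_queue_attributes(Attributes=...).

    maxReceiveCount counts *receives*, not retries: 2 means one initial attempt
    plus one retry before SQS moves the message to the dead-letter queue.
    """
    if max_receive_count < 2:
        raise ValueError("maxReceiveCount must be at least 2 for one guaranteed retry")
    return {"RedrivePolicy": json.dumps(
        {"deadLetterTargetArn": dlq_arn, "maxReceiveCount": max_receive_count})}


def process(body: dict) -> None:
    """Constructed business rule: a message must name the uploaded object."""
    if "object_key" not in body:
        raise ValueError("message has no object_key")


def handler(event: dict, context=None) -> dict:
    """SQS-triggered handler that reports failed records individually.

    This response shape is honoured only when the event source mapping has
    FunctionResponseTypes=["ReportBatchItemFailures"]; without it, a raised
    exception sends the *whole* batch back to the queue.
    """
    failures = []
    for record in event["Records"]:
        try:
            process(json.loads(record["body"]))
        except Exception:
            # Report the record instead of swallowing the error: a handler that
            # catches the exception and returns normally makes Lambda delete the
            # message, which is the usual reason a failed message is never retried.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def deliveries_before_dlq(max_receive_count: int, failing_receives: int) -> tuple[int, bool]:
    """Model SQS redrive for one message that fails its first `failing_receives`
    deliveries. Returns (times the function received it, moved_to_dlq)."""
    receives = 0
    while True:
        receives += 1
        if receives > failing_receives:
            return receives, False          # succeeded on this delivery
        if receives >= max_receive_count:
            return receives, True           # the next receive would exceed the limit


if __name__ == "__main__":
    print(redrive_policy("arn:aws:sqs:us-east-1:123456789012:uploads-dlq", 2))  # assumed ARN
    event = {"Records": [                                          # constructed SQS event
        {"messageId": "m1", "body": json.dumps({"object_key": "uploads/a.png"})},
        {"messageId": "m2", "body": "not json"},
    ]}
    print(handler(event))                 # {'batchItemFailures': [{'itemIdentifier': 'm2'}]}
    print(deliveries_before_dlq(2, 1))    # (2, False): retried once, then succeeded
    print(deliveries_before_dlq(2, 9))    # (2, True): poison message parked after two deliveries
```

The model makes the off-by-one visible: maxReceiveCount of 1 means a message that fails once goes straight to the DLQ with no retry, which is why the function refuses values below 2.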

824
MCQeasy

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway REST API and a Lambda function. The developer wants to set up a custom domain name for the API in the production stage. Which resource should the developer define in the SAM template to achieve this with minimal effort?

A.AWS::ApiGateway::DomainName
B.AWS::Serverless::Api
C.AWS::ApiGateway::BasePathMapping
D.AWS::Route53::RecordSet
AnswerB

The AWS::Serverless::Api resource has a Domain property that allows you to specify a custom domain name, certificate ARN, and other settings. SAM handles the creation of the necessary DomainName and BasePathMapping resources automatically.

Why this answer

The AWS::Serverless::Api resource in an AWS SAM template is a high-level abstraction over an API Gateway REST API, and its Domain property is where the custom domain is configured. This is the minimal-effort route because SAM generates the underlying AWS::ApiGateway::DomainName and AWS::ApiGateway::BasePathMapping resources for you, associates the ACM certificate named in CertificateArn, maps the base path(s) to the stage it deploys and, when a Route53 block is given, creates the alias record as well. Two details still need care: the certificate must live in ACM in the API's Region for a REGIONAL endpoint (or in us-east-1 for an EDGE endpoint), and SecurityPolicy should be set to TLS_1_2 so the domain refuses TLS 1.0 and 1.1 clients. Defining a raw AWS::ApiGateway::DomainName instead means wiring the base path mapping and the stage yourself, so the Serverless::Api resource is the most efficient choice.

Exam trap

The trap here is that candidates often think they must define the low-level AWS::ApiGateway::DomainName resource directly, overlooking that AWS SAM's AWS::Serverless::Api provides a built-in Domain property that automates the entire custom domain setup with minimal code.

How to eliminate wrong answers

Option A is wrong because AWS::ApiGateway::DomainName only defines the custom domain name and its TLS certificate; it does not automatically create the base path mapping or integrate with the API stage, so additional resources and manual wiring are needed. Option C is wrong because AWS::ApiGateway::BasePathMapping maps a base path to an API stage but does not create the custom domain name itself; it must be used in conjunction with a DomainName resource, increasing complexity. Option D is wrong because AWS::Route53::RecordSet creates a DNS record (e.g., CNAME or A alias) to point a custom domain to the API Gateway endpoint, but it does not configure the API Gateway custom domain name or TLS termination; it is a DNS-only resource and cannot replace the DomainName configuration.
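The Domain block in practice, as an added example rather than a template from the page. The domain name, hosted zone ID, certificate ARN and function source path are placeholders, and the stack is assumed to be deployed in the same Region as the certificate because the endpoint is REGIONAL.

```yaml
# Added example, not from the exam page. Placeholders: api.example.com, the
# hosted zone ID, the certificate ARN and the CodeUri path.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  ProdApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Domain:
        DomainName: api.example.com
        # REGIONAL: the certificate must be in ACM in this stack's Region.
        # EDGE would instead require a certificate in us-east-1.
        CertificateArn: arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555
        EndpointConfiguration: REGIONAL
        SecurityPolicy: TLS_1_2          # refuse TLS 1.0 / 1.1 clients
        BasePath:
          - /v1                          # https://api.example.com/v1/...
        Route53:
          HostedZoneId: Z0123456789EXAMPLE   # SAM creates the alias record here

  UploadFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/
      Events:
        Upload:
          Type: Api
          Properties:
            RestApiId: !Ref ProdApi     # attach to the API that owns the domain
            Path: /uploads
            Method: post
```

Everything under Domain expands, at deploy time, into the DomainName, BasePathMapping and Route 53 record that options A, C and D would have required you to write and connect by hand.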

825
MCQhard

A company has an IAM policy that allows access to an S3 bucket only if the request comes from a specific VPC endpoint. The developer notices that requests from an EC2 instance in that VPC are being denied. What is the most likely cause?

A.The VPC endpoint policy does not allow the required S3 action for the principal
B.The bucket policy does not have a condition checking aws:SourceVpce
C.The route table does not have a route to the S3 endpoint
D.The security group does not allow outbound HTTPS traffic
AnswerA

VPC endpoint policies restrict what can be done through the endpoint. If the endpoint policy does not allow s3:GetObject for the instance role, or leaves the bucket out of its Resource list, the request is denied even though the IAM policy and the bucket policy both allow it.

Why this answer

The correct answer is A because a request that travels through a VPC endpoint has to be allowed by every policy on its path: the principal's identity-based policy, the S3 bucket policy and the endpoint policy attached to the VPC endpoint. A new endpoint policy allows everything, but once someone scopes it (to a set of buckets, actions or principals) any request outside that scope is rejected with AccessDenied, regardless of what the bucket policy says. In this scenario the bucket policy only admits requests that arrive through that endpoint, so the endpoint policy is the next layer to inspect. This is a common misconfiguration: developers debug the bucket policy and overlook that the endpoint carries a policy of its own.

Exam trap

The trap here is that candidates assume the bucket policy is the only control point and overlook the VPC endpoint policy, which acts as a separate authorization layer that can silently deny requests even when the bucket policy appears correct.

How to eliminate wrong answers

Option B is wrong because the aws:SourceVpce condition is what implements the requirement the question describes (access only from a specific endpoint), so it is already present; it explains why other paths are denied, not why the endpoint path is. Option C is wrong as the most likely cause, with a caveat: a gateway endpoint is reached through a route to the S3 prefix list that is added to every route table associated with the endpoint, and if the instance's subnet were not associated, its traffic would leave through a NAT or internet gateway, arrive at S3 without a VPC endpoint ID and be denied by the aws:SourceVpce condition (or never reach S3 at all from a private subnet). The question's premise is that the traffic uses the endpoint, so check the endpoint policy first and the route table association second. Option D is wrong because a gateway endpoint has no network interface and no security group, and a security group that blocked outbound HTTPS on the instance would produce a connection timeout rather than an S3 AccessDenied response (security groups do matter for interface endpoints, whose ENIs must accept inbound 443 from the instance).
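The three-layer evaluation worked through in code, as an added example that is not from the exam page. The evaluator implements only the IAM features the scenario needs (Allow and Deny, '*' wildcards, Principal matching, and the StringEquals/StringNotEquals operators on aws:SourceVpce); the role ARN, bucket, endpoint ID and policy documents are constructed. It reproduces the keyed answer (an endpoint policy scoped to the wrong bucket) and also the bypass case from option C, where traffic that misses the endpoint carries no aws:SourceVpce and trips the bucket policy's Deny.

```python
"""Toy evaluation of the policy layers on the path of an S3 request through a
VPC endpoint.

Added example, not code from the exam page. Only the IAM features the scenario
needs are modelled; the role ARN, bucket, endpoint ID and policies are constructed.
"""
from __future__ import annotations
import fnmatch

ROLE = "arn:aws:iam::123456789012:role/app-instance-role"   # assumed
BUCKET = "arn:aws:s3:::uploads-example"                     # assumed
OBJECTS = BUCKET + "/*"
VPCE = "vpce-0123456789abcdef0"                             # assumed endpoint ID


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """StringNotEquals matches when the key is absent from the request context,
    which is exactly what happens to traffic that bypasses the endpoint."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            equal = ctx.get(key) in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, ctx: dict) -> str:
    """Verdict of one policy document: 'Allow', 'Deny' or 'Implicit' (no match)."""
    result = "Implicit"
    for st in policy["Statement"]:
        if "Principal" in st:
            p = st["Principal"]
            if p != "*" and not _matches(p.get("AWS", []), principal):
                continue
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def authorize(identity: dict, bucket: dict, endpoint: dict, principal: str, action: str,
              resource: str, ctx: dict, via_endpoint: bool) -> tuple[bool, str]:
    """Same-account S3 request: an explicit Deny in any layer wins, and a request
    that uses the endpoint must also be allowed by the endpoint policy."""
    layers = {"identity": evaluate(identity, principal, action, resource, ctx),
              "bucket": evaluate(bucket, principal, action, resource, ctx)}
    if via_endpoint:
        layers["endpoint"] = evaluate(endpoint, principal, action, resource, ctx)
    for name, verdict in layers.items():
        if verdict == "Deny":
            return False, f"explicit deny in {name} policy"
    if via_endpoint and layers["endpoint"] != "Allow":
        return False, "endpoint policy does not allow this action on this resource"
    if "Allow" not in (layers["identity"], layers["bucket"]):
        return False, "no identity or bucket policy allows the request"
    return True, "allowed"


IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS}]}
# "Only from this endpoint": Allow for the role, Deny for anything without the endpoint ID.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "s3:*", "Resource": [BUCKET, OBJECTS]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}}}]}
# Endpoint policy someone scoped to another bucket: the misconfiguration in option A.
ENDPOINT_POLICY_TOO_NARROW = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::other-bucket/*"}]}
ENDPOINT_POLICY_FIXED = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": OBJECTS}]}

if __name__ == "__main__":
    key, via = BUCKET + "/reports/q1.csv", {"aws:SourceVpce": VPCE}
    print(authorize(IDENTITY_POLICY, BUCKET_POLICY, ENDPOINT_POLICY_TOO_NARROW, ROLE, "s3:GetObject", key, via, True))
    print(authorize(IDENTITY_POLICY, BUCKET_POLICY, ENDPOINT_POLICY_FIXED, ROLE, "s3:GetObject", key, via, True))
    # Subnet not associated with the endpoint: traffic leaves via NAT, no aws:SourceVpce.
    print(authorize(IDENTITY_POLICY, BUCKET_POLICY, ENDPOINT_POLICY_FIXED, ROLE, "s3:GetObject", key, {}, False))
```

The real evaluation logic has more operators and cross-account rules than this, but the ordering it illustrates is the one to debug with: look for an explicit Deny anywhere, then confirm that every layer on the path (identity, bucket, endpoint) produces an Allow for the exact action and resource ARN.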
