AWS Certified Developer Associate (DVA-C02) — Questions 826-900

1616 questions total · 22 pages · All types, answers revealed

Page 12 of 22
826
Multi-Select (easy)

A company is deploying a web application on AWS Elastic Beanstalk. The application uses an Amazon RDS database. The company wants to ensure that database credentials are not exposed in the application code or environment variables. Which TWO methods are secure ways to manage credentials? (Choose TWO.)

Select 2 answers
A. Store credentials in AWS Secrets Manager and retrieve them at runtime.
B. Store credentials in an Amazon S3 bucket with server-side encryption.
C. Hardcode credentials in the application configuration file.
D. Store credentials in AWS Systems Manager Parameter Store with SecureString parameter type.
E. Store credentials as environment variables in the Elastic Beanstalk environment.
Answers: A, D

Secrets Manager is designed for secrets.

Why this answer

Option A and Option D are correct. AWS Secrets Manager and AWS Systems Manager Parameter Store are both secure services for storing secrets. Option E is wrong because environment variables can be exposed.

Option C is wrong because hardcoding is insecure. Option B is wrong because storing credentials in an S3 bucket is not a secure secrets-management approach.

827
MCQ (hard)

A developer attaches this IAM policy. What happens when the developer attempts to launch a t2.micro instance?

A. The action is denied because ec2:RunInstances requires additional permissions.
B. The action is allowed because the Allow statement applies and the Deny condition excludes t2.micro.
C. The action is denied because the Deny statement overrides the Allow.
D. The action is allowed only if the user has ec2:DescribeInstances as well.
Answer: B

Deny condition does not match t2.micro.

Why this answer

The Deny applies to instances that are NOT t2.micro. Since the condition uses StringNotEquals, the Deny does not apply to t2.micro. So the Allow takes effect.

828
MCQ (easy)

A developer needs to send large files (up to 5 GB) from a web application to Amazon S3. The application runs on EC2 instances. Which approach is MOST efficient and reliable?

A. Save the file to EC2 instance store and then copy to S3.
B. Upload the file as a single S3 PutObject operation.
C. Use S3 multipart upload to upload the file in parts.
D. Use S3 Transfer Acceleration to upload the file.
Answer: C

Multipart upload improves throughput and allows retrying failed parts.

Why this answer

Option C is correct because multipart upload is recommended for files over 100 MB and allows parallel uploads with retry capability. Option B is wrong because uploading as a single operation is unreliable for large files. Option A is wrong because EC2 instance store is temporary and not durable.

Option D is wrong because S3 Transfer Acceleration speeds up transfers but does not improve reliability for large files; multipart upload is still better.

829
MCQ (medium)

A company is using AWS Lambda to process events from an SQS queue. The Lambda function runs for an average of 45 seconds and processes approximately 100 messages per second. The company notices that the Lambda function is being throttled, causing messages to remain in the queue for longer than expected. Which action would MOST effectively reduce throttling?

A. Increase the reserved concurrency for the Lambda function.
B. Increase the number of shards for the SQS queue.
C. Increase the batch size in the Lambda event source mapping.
D. Configure a Dead Letter Queue for the SQS queue.
Answer: A

Reserved concurrency guarantees a set number of concurrent executions, preventing throttling.

Why this answer

Increasing the number of shards for the SQS queue is not applicable because SQS does not use shards. Increasing reserved concurrency for the Lambda function ensures that the function has enough capacity to handle the load without being throttled. Increasing the batch size reduces the number of invocations but does not directly address throttling due to concurrency limits.

Using a Dead Letter Queue helps with failed messages but does not prevent throttling.

830
MCQ (medium)

A developer is building a serverless application using AWS SAM. The application includes a Lambda function that needs read-only access to an S3 bucket. The developer wants to use SAM's built-in policy templates to grant this permission. Which policy template should be used in the SAM template?

A. S3ReadPolicy
B. S3CrudPolicy
C. S3FullAccessPolicy
D. S3StreamPolicy
Answer: A

This template grants read-only permissions (s3:GetObject, s3:ListBucket) to the specified bucket.

Why this answer

The S3ReadPolicy template is the correct choice because it grants read-only access to an S3 bucket, which aligns with the requirement for the Lambda function. AWS SAM provides this built-in IAM policy template to simplify attaching least-privilege permissions, specifically allowing s3:GetObject, s3:ListBucket, and similar read operations.

Exam trap

The trap here is that candidates may confuse S3CrudPolicy with read-only access, but CRUD implies full data manipulation (create, read, update, delete), which is more permissive than the required read-only scope.

How to eliminate wrong answers

Option B (S3CrudPolicy) is wrong because it grants create, read, update, and delete permissions, which exceeds the required read-only access and violates the principle of least privilege. Option C (S3FullAccessPolicy) is wrong because it provides full administrative access to the S3 bucket, including delete and write operations, far beyond the read-only requirement. Option D (S3StreamPolicy) is wrong because it is not a valid SAM policy template; SAM does not include a template named S3StreamPolicy, and streaming permissions are typically associated with services like Kinesis or DynamoDB Streams, not S3.

831
MCQ (medium)

A company runs a critical application on Amazon ECS with Fargate. The application uses an Application Load Balancer (ALB) to distribute traffic. Recently, the company noticed that the ALB returns 502 Bad Gateway errors during peak traffic hours. The developer checks the ECS service metrics and sees that the number of running tasks remains constant, while CPU and memory utilization are below 50%. The ALB target group health checks are failing intermittently for some tasks. What is the MOST likely cause of the 502 errors?

A. The task definition's startup command is failing, causing the tasks to never become healthy.
B. The ECS service is not configured with auto scaling to handle the increased traffic.
C. The ALB idle timeout is set too low, causing connections to be closed before the application responds.
D. The security group for the ECS tasks is blocking traffic from the ALB.
Answer: C

A low idle timeout can cause the ALB to close connections prematurely, resulting in 502 errors.

Why this answer

Option C is correct because if the tasks are overloaded and cannot respond within the idle timeout, the ALB returns 502. The health checks fail because the tasks are slow to respond. Option B is wrong because the tasks are not at capacity and the service does not need to scale.

Option D is wrong because the security group is not likely the issue if health checks succeed sometimes. Option A is wrong because the tasks are not failing to start; they are running but slow.

832
MCQ (medium)

A company has an Amazon S3 bucket (Bucket-A) in Account A that contains sensitive data. A developer in Account B needs read-only access to objects in Bucket-A. The developer in Account A added a bucket policy granting s3:GetObject to the IAM user in Account B. However, the IAM user in Account B still receives Access Denied errors. What additional step is required?

A. Add an S3 bucket ACL granting the user in Account B Read access
B. Create an IAM policy in Account B that allows s3:GetObject for the specific bucket and attach it to the user
C. Generate a pre-signed URL for each object and share it with the user
D. Add a condition in the bucket policy to allow requests only from the user's IP address
Answer: B

The user must have explicit permission from their own account to perform the action, in addition to the bucket policy.

Why this answer

The bucket policy in Account A grants access to the IAM user in Account B, but the user's identity in Account B must also have an explicit IAM policy that allows the s3:GetObject action. Without this, the user in Account B lacks the necessary permissions to access the bucket, even though the bucket policy permits it. This is because cross-account access requires both a resource-based policy (bucket policy) in the source account and an identity-based policy (IAM policy) in the target account to authorize the request.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, forgetting that the IAM user in the target account must also have an explicit allow policy for the action.

How to eliminate wrong answers

Option A is wrong because S3 bucket ACLs are legacy and do not support granting access to IAM users in another AWS account; they only grant access to AWS accounts or predefined groups, not specific IAM users. Option C is wrong because generating pre-signed URLs is a workaround for temporary access, not a required step to fix the existing bucket policy and IAM user configuration; it would bypass the need for proper IAM policies but is not the missing step for the described setup. Option D is wrong because adding an IP address condition is unrelated to the cross-account permission issue; it would restrict access based on network location but does not resolve the missing identity-based policy in Account B.

833
MCQ (hard)

A company wants to deploy a microservices application on Amazon ECS. They need to update services with zero downtime and automatic rollback on failure. Which deployment controller should they use?

A. Rolling update (ECS default)
B. External deployment controller
C. Daemon scheduling strategy
D. Blue/green deployment
Answer: A

Supports zero downtime and rollback.

Why this answer

The correct answer is A. ECS supports rolling update (default), which gradually replaces tasks. With minimum healthy percent and maximum percent settings, zero downtime is possible, and rollback can be configured via CloudWatch alarms.

Option D (Blue/green) is available via CodeDeploy, not as a native ECS controller. Option B (External) is for external deployments. Option C (Daemon) runs one task per instance.

834
Multi-Select (medium)

A developer is troubleshooting a Lambda function that times out when processing large files from Amazon S3. The function is configured with a 3-minute timeout and 128 MB memory. Which TWO actions would MOST likely resolve the issue? (Choose TWO.)

Select 2 answers
A. Use S3 multipart upload for large files to improve throughput.
B. Increase the memory allocation for the Lambda function.
C. Change the S3 event notification to send messages to an Amazon SQS queue instead.
D. Update the Lambda function code to use a more efficient algorithm.
E. Increase the Lambda function timeout to 15 minutes.
Answers: A, B

Multipart upload can improve performance for large objects.

Why this answer

Option B is correct because increasing Lambda memory often increases CPU and network throughput, reducing processing time. Option A is correct because using S3 multipart upload for large files can reduce the time to download/upload. Option D is wrong because updating the function code may not help if the issue is resource constraints.

Option C is wrong because changing the trigger to SQS adds complexity and does not directly address the timeout. Option E is wrong because increasing timeout without addressing performance may just delay the failure.

835
MCQ (easy)

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing intermittent 503 errors. The EC2 instances are in an Auto Scaling group. What is the MOST likely cause?

A. The SSL certificate on the ALB has expired.
B. The target group health checks are failing.
C. The ALB DNS name is not resolving.
D. The security group for the ALB is blocking traffic.
Answer: B

If health checks fail, the ALB stops routing traffic to those instances, causing 503 errors.

Why this answer

Option B is correct because an unhealthy target is the most common cause of 503 errors with ALB. Option C is wrong because DNS resolution happens at the client side, not at the ALB. Option A is wrong because SSL certificate issues cause 502 errors.

Option D is wrong because security group rules affect connectivity, not HTTP status codes.

836
MCQ (easy)

A developer is writing a Lambda function that processes records from a Kinesis stream. The function must handle duplicate records and ensure exactly-once processing. Which approach should the developer use?

A. Disable retries in the Lambda function to avoid processing duplicates.
B. Enable record ordering in the Kinesis stream.
C. Use a unique identifier for each record and store processed IDs in a DynamoDB table to skip duplicates.
D. Send the records to an SQS FIFO queue for deduplication.
Answer: C

This ensures idempotent processing.

Why this answer

Kinesis does not guarantee exactly-once delivery; the application must handle duplicates. Using a unique identifier to deduplicate in a DynamoDB table ensures idempotency. Enabling record ordering does not prevent duplicates.

Using a FIFO queue is not applicable for Kinesis. Disabling retries would lose data.

837
MCQ (medium)

A company is using an S3 bucket to store sensitive documents. They need to ensure that all objects are encrypted at rest using server-side encryption with AWS KMS. The bucket policy must enforce encryption by denying uploads that do not specify the required encryption. Which bucket policy statement should be added?

A. Condition: StringNotEquals: 's3:x-amz-server-side-encryption': 'aws:kms'
B. Condition: StringEquals: 's3:x-amz-server-side-encryption-aws:kms': 'true'
C. Condition: Null: 's3:x-amz-server-side-encryption': 'true'
D. Condition: StringNotEquals: 's3:x-amz-server-side-encryption': 'AES256'
Answer: A

Correctly denies if not using KMS.

Why this answer

Option A is correct because the bucket policy uses the `s3:x-amz-server-side-encryption` condition key with `StringNotEquals` to deny any upload where the header does not specify `aws:kms`. This ensures that only objects encrypted with AWS KMS (SSE-KMS) are allowed, enforcing server-side encryption at rest. The `Deny` effect combined with this condition blocks requests that either omit the encryption header or specify a different value like `AES256`.

Exam trap

The trap here is that candidates often confuse the condition key `s3:x-amz-server-side-encryption` with the KMS-specific key `s3:x-amz-server-side-encryption-aws:kms` (which does not exist), or they mistakenly use `Null` to check for the header's presence without validating its value, allowing SSE-S3 (AES256) uploads to bypass the policy.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws:kms` is not a valid condition key; the correct key is `s3:x-amz-server-side-encryption` and the value should be `aws:kms`, not a boolean. Option C is wrong because using `Null: 's3:x-amz-server-side-encryption': 'true'` only denies requests where the header is absent, but it does not enforce that the encryption type is `aws:kms`; a request with `AES256` would still be allowed. Option D is wrong because `StringNotEquals: 's3:x-amz-server-side-encryption': 'AES256'` denies requests that do not use AES256, which would incorrectly allow `aws:kms` but also block legitimate SSE-KMS uploads if the policy is meant to require KMS; it also fails to block requests with no encryption header.

838
MCQ (medium)

A company uses AWS CodePipeline to deploy a static website to Amazon S3. The pipeline has a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage that uses S3 deployment action. The website is served via Amazon CloudFront. After a successful pipeline run, the updated files are in S3, but CloudFront still serves old content. What is the MOST efficient solution?

A. Manually create a CloudFront invalidation after each deployment.
B. Reduce the CloudFront distribution's default TTL to 0.
C. Add a post-deploy invalidation step in CodePipeline to create a CloudFront invalidation.
D. Update the S3 bucket policy to allow public read access.
Answer: C

This automates cache invalidation after each deployment, ensuring fresh content.

Why this answer

Option C is correct. The easiest and most efficient way is to add a CloudFront invalidation step in the pipeline to invalidate the cache after the S3 deploy. Option B is wrong because reducing TTL is not immediate and may still serve stale content.

Option D is wrong because updating the S3 bucket policy does not affect the CloudFront cache. Option A is wrong because manually invalidating is a one-time action and is not automated for future deployments.

839
MCQ (medium)

A company requires that all data in an S3 bucket be encrypted at rest. The security team wants to enforce that only objects encrypted with AWS KMS are allowed. Which S3 bucket policy condition key should be used to deny PutObject requests if the object is not encrypted with KMS?

A. s3:x-amz-server-side-encryption-key-id
B. s3:x-amz-server-side-encryption
C. s3:x-amz-server-side-encryption-kms-key-id
D. s3:x-amz-server-side-encryption-aws-kms-key-id
Answer: D

This condition key allows you to require a specific KMS key ID.

Why this answer

Option D is correct because the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key specifically checks for the AWS KMS key ID (or alias) used for server-side encryption with AWS KMS (SSE-KMS). By using this key in a bucket policy with a `Deny` effect, you can enforce that only objects encrypted with a specific KMS key are allowed, rejecting any `PutObject` request that does not include the required `x-amz-server-side-encryption-aws-kms-key-id` header.

Exam trap

The trap here is that candidates confuse the valid condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` with similar-sounding but invalid keys like `s3:x-amz-server-side-encryption-kms-key-id` (missing 'aws') or `s3:x-amz-server-side-encryption-key-id` (which does not exist), leading them to choose an option that AWS S3 will not evaluate.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption-key-id` is not a valid S3 condition key; AWS S3 does not recognize this key. Option B is wrong because `s3:x-amz-server-side-encryption` only checks whether server-side encryption is enabled (e.g., AES256 or aws:kms), but it cannot enforce a specific KMS key ID, so it would allow SSE-S3 or any KMS key. Option C is wrong because `s3:x-amz-server-side-encryption-kms-key-id` is not a valid condition key; the correct key name includes 'aws' as `s3:x-amz-server-side-encryption-aws-kms-key-id`.

840
MCQ (medium)

A developer receives an AccessDenied error when trying to upload a file to an S3 bucket that has a bucket policy requiring encryption in transit. What is the most likely cause?

A. The object is not encrypted with server-side encryption
B. The IAM user does not have s3:PutObject permission
C. The request signature is expired
D. The request is not using HTTPS
Answer: D

The policy requires encryption in transit, which is HTTPS.

Why this answer

The bucket policy likely denies requests that are not using HTTPS, so a request sent over plain HTTP is denied (Option D). Option B (missing permissions) would give a different error.

Option A (no server-side encryption) is about at-rest encryption, not in transit. Option C (expired signature) would give a different error.

841
Multi-Select (hard)

A developer is troubleshooting an AccessDenied error when a Lambda function tries to write to CloudWatch Logs. The function's IAM role includes the following policy. Which TWO missing permissions are causing the error? (Choose TWO.)

Select 2 answers
A. logs:DescribeLogStreams
B. logs:CreateLogGroup
C. logs:CreateLogStream
D. logs:GetLogEvents
E. logs:PutLogEvents
Answers: C, E

Required to create a log stream.

Why this answer

Option C is correct because a Lambda function must call logs:CreateLogStream before it can write log events to a specific log stream. Without this permission, the function cannot create a new log stream when one does not already exist, resulting in an AccessDenied error. Option E is correct because logs:PutLogEvents is the permission required to actually write log events to an existing log stream; without it, the function cannot send log data to CloudWatch Logs.

Exam trap

The trap here is that candidates often assume only PutLogEvents is needed for writing logs, forgetting that the Lambda runtime must also create the log stream if it does not already exist, making CreateLogStream a required permission.

842
MCQ (easy)

A developer creates an AWS CloudFormation stack with the template snippet shown. The stack creation fails with the error: "Bucket with name my-unique-bucket-12345 already exists." What is the MOST likely cause?

A. The developer does not have permission to create S3 buckets.
B. The bucket name is already taken by another AWS account.
C. The CloudFormation template has a syntax error.
D. The bucket name was used by another stack in the same account.
Answer: B

S3 bucket names are globally unique.

Why this answer

Option B is correct because AWS S3 bucket names must be globally unique, and CloudFormation is trying to create a bucket with a name that already exists. Option C is wrong because the template is valid. Option D is wrong because the name is not taken by the same account.

Option A is wrong because IAM permissions would cause a different error.

843
MCQ (medium)

A developer is deploying a Node.js application on AWS Elastic Beanstalk. The application uses environment variables for database credentials. The developer wants to ensure that the credentials are encrypted at rest and rotated automatically. Which solution meets these requirements with minimal effort?

A. Store the credentials in AWS Secrets Manager and retrieve them in the application code. Configure automatic rotation.
B. Hardcode the credentials in the application code and use environment variables for different environments.
C. Store the credentials in AWS Systems Manager Parameter Store as SecureString parameters and reference them in the application code.
D. Use Elastic Beanstalk environment properties to set the credentials as plaintext environment variables.
Answer: A

Secrets Manager provides encryption and built-in rotation.

Why this answer

Correct: A. AWS Secrets Manager provides automatic rotation of secrets and encryption at rest. Option C is wrong because SSM Parameter Store with SecureString provides encryption but does not automatically rotate.

Option B is wrong because hardcoding credentials is insecure. Option D is wrong because environment variables in Elastic Beanstalk are not encrypted by default and do not rotate.

844
MCQ (hard)

A developer is using AWS CodeDeploy with a blue/green deployment strategy for an EC2 Auto Scaling group. The deployment must automatically roll back if any of the new instances fail a health check within the first 10 minutes after deployment. Which configuration should the developer set?

A. Set the deployment configuration to 'CodeDeployDefault.EC2AllAtOnce'
B. Configure the deployment group to use an alarm-based rollback with a CloudWatch alarm on the ELB health check
C. Enable automatic rollback in the deployment group configuration and set the event to 'DEPLOYMENT_FAILURE' or 'DEPLOYMENT_STOP_ON_REQUEST'
D. Configure the deployment group with a 'LoadBalancerInfo' and enable 'originalInstanceTermination' for rollback
Answer: B

Alarm-based rollback allows you to define a CloudWatch alarm that triggers a rollback if the new instances are unhealthy. This meets the requirement.

Why this answer

Option B is correct because the requirement is to automatically roll back based on health check failures within a specific time window after deployment. AWS CodeDeploy supports alarm-based rollbacks where you can configure a CloudWatch alarm that monitors the ELB health check status of the new instances. When the alarm triggers within the configured monitoring period (e.g., 10 minutes), CodeDeploy automatically rolls back the deployment to the previous version, meeting the exact condition described.

Exam trap

The trap here is that candidates often confuse deployment configuration settings (like traffic shifting speed) with rollback triggers, or assume that enabling automatic rollback for deployment failures alone will cover post-deployment health check failures, but CodeDeploy requires a separate alarm-based rollback configuration to monitor health after instances are in service.

How to eliminate wrong answers

Option A is wrong because 'CodeDeployDefault.EC2AllAtOnce' is a deployment configuration that controls the traffic shifting speed (all instances at once), not a rollback mechanism based on health checks. Option C is wrong because enabling automatic rollback for 'DEPLOYMENT_FAILURE' or 'DEPLOYMENT_STOP_ON_REQUEST' only triggers rollback on deployment failures or manual stops, not on post-deployment health check failures within a time window. Option D is wrong because 'LoadBalancerInfo' and 'originalInstanceTermination' are used to configure traffic routing and instance termination behavior in blue/green deployments, not to trigger automatic rollbacks based on health checks.

845
Multi-Select (medium)

A company is using Amazon S3 to store log files. The logs are rarely accessed after 30 days but must be retained for 7 years for compliance. Which THREE actions should the company take to optimize storage costs?

Select 3 answers
A. Use S3 Lifecycle policy to delete objects after 30 days.
B. Store objects in S3 One Zone-IA from the start.
C. Use S3 Lifecycle policy to transition objects to S3 Glacier after 1 year.
D. Enable S3 Lifecycle policy to expire objects after 7 years.
E. Use S3 Lifecycle policy to transition objects to S3 Standard-IA after 30 days.
Answers: C, D, E

Glacier is low-cost for archival.

Why this answer

Option E is correct because transitioning to S3 Standard-IA after 30 days reduces cost for infrequent access. Option C is correct because transitioning to S3 Glacier after 1 year reduces cost for long-term retention. Option D is correct because a lifecycle expiration rule automates deletion at the end of the 7-year retention period.

Option B is wrong because S3 One Zone-IA is not durable enough for compliance. Option A is wrong because deleting after 30 days violates the retention requirement.

846
MCQ (hard)

A company uses AWS CodePipeline to deploy a containerized application to Amazon ECS with Fargate. The pipeline consists of a source stage (Amazon ECR), a build stage (CodeBuild), and a deploy stage (CodeDeploy with ECS Blue/Green). Recently, after a successful build, the deploy stage fails with the error 'Service deployment failed because the task definition is not compatible with the target group.' The task definition uses the 'awsvpc' network mode and specifies a port mapping of 80. The target group is configured to use port 80. What is the MOST likely cause of the failure?

A. The task definition port mapping does not match the target group port.
B. The task definition does not include a logging configuration for CloudWatch Logs.
C. The task definition uses the 'awsvpc' network mode, which is not supported for Blue/Green deployments.
D. The target group health check path is not configured correctly.
Answer: D

Health check failures cause deployment failure.

Why this answer

The error 'Service deployment failed because the task definition is not compatible with the target group' typically occurs when the target group's health check configuration is invalid or unreachable. In an ECS Blue/Green deployment with CodeDeploy, the target group health check path must be configured to return a valid HTTP response from the container; if the path is incorrect (e.g., missing or pointing to a non-existent endpoint), the target group marks instances as unhealthy, causing the deployment to fail even though the port mapping and network mode are correct.

Exam trap

The trap here is that candidates often assume the error is about port mismatches or network mode restrictions, but the real issue is the health check path configuration, which is a subtle but common cause of deployment failures in Blue/Green deployments.

How to eliminate wrong answers

Option A is wrong because the task definition port mapping (80) matches the target group port (80), so there is no mismatch. Option B is wrong because a logging configuration for CloudWatch Logs is optional and not required for task definition compatibility with a target group. Option C is wrong because the 'awsvpc' network mode is fully supported for ECS Blue/Green deployments with CodeDeploy; it is actually required for Fargate tasks.

847
MCQ (medium)

A developer invokes a Lambda function from the AWS CLI and receives the response shown in the exhibit. The output file contains an error message. What is the MOST likely cause of the FunctionError field being set to 'Unhandled'?

A. The function's execution role does not have permission to write to CloudWatch Logs.
B. The invocation request payload exceeded the 6 KB limit for synchronous invocation.
C. The function code threw an uncaught exception.
D. The function timed out before completing execution.
Answer: C

An uncaught exception results in 'Unhandled' FunctionError, and the error message is written to the output file.

Why this answer

Option C is correct. 'Unhandled' indicates that the function threw an exception that was not caught by the code, and the error was not mapped to a custom error response. Option D (timeout): a timeout also returns a 200 status with 'FunctionError' set to 'Unhandled', but the most common unhandled error is an uncaught exception.

Option A (permissions) would cause a 403 error. Option B (payload size) would cause a 413 error.

848
MCQ (medium)

A company is using AWS Lambda with a 1 GB memory configuration. The function processes large CSV files from S3 and occasionally times out after 15 seconds. The function currently uses synchronous invocation. What is the MOST cost-effective solution to handle larger files without losing data?

A. Increase the Lambda timeout to 15 minutes and keep memory at 1 GB.
B. Switch to asynchronous Lambda invocation to allow up to 15 minutes of processing.
C. Increase the Lambda memory to 3 GB to improve processing speed.
D. Use AWS Step Functions to orchestrate the processing in smaller chunks.
Answer: A

Lambda timeout can be set up to 15 minutes for synchronous invocations, and this is cost-effective.

Why this answer

Option A is correct because increasing the Lambda timeout up to 15 minutes (the maximum for synchronous invocation) and keeping memory at 1 GB is cost-effective. Option C is wrong because increasing memory also increases cost without guaranteeing timeout resolution. Option B is wrong because asynchronous invocation has a 15-minute timeout but may not be suitable for all use cases.

Option D is wrong because Step Functions add complexity and cost.

849
Multi-Select (easy)

A developer is using AWS SAM to deploy a serverless application. The developer wants to enable canary deployments for the Lambda function. Which TWO resources must be configured in the SAM template? (Choose TWO.)

Select 2 answers
A. DeploymentPreference property on the AWS::Serverless::Function resource.
B. AutoPublishAlias property on the AWS::Serverless::Function resource.
C. The function's CodeUri property pointing to the deployment package.
D. An event source mapping for the function.
E. The function's alias resource with a routing configuration.
Answers: A, B

This property defines the canary traffic shifting and rollback behavior.

Why this answer

Options A and B are correct. The AutoPublishAlias property enables canary deployments by creating a new version and updating the alias. The DeploymentPreference property specifies the canary configuration.

Option E is incorrect because an alias resource can be used for canary traffic, but the deployment preference is what is required. Option C is incorrect because the function's CodeUri is always needed but is not specific to canary deployments. Option D is incorrect because an event source mapping is not related to canary deployment.

850
Multi-Select · medium

Which TWO actions should a developer take to minimize downtime when deploying a new version of a production application running on Amazon ECS with Fargate?

Select 2 answers
A.Delete the existing service and recreate it with the new task definition
B.Configure the ECS service to use a blue/green deployment with CodeDeploy
C.Update the target group health check settings to a more lenient threshold
D.Stop all running tasks and then start new tasks with the updated image
E.Update the ECS service with a new task definition and set minimum healthy percent to 100 and maximum percent to 200
Answers: B, E

Blue/green deployments switch traffic after new version is ready.

Why this answer

Using a blue/green deployment with CodeDeploy (B) and updating the ECS service with a new task definition while setting the minimum healthy percent to 100% and the maximum percent to 200% (E) both reduce downtime. Option A (delete and recreate) causes downtime. Option C (update target group health checks) is part of blue/green but is not a complete action on its own.

Option D (stop all tasks) causes downtime.

851
Multi-Select · easy

Which TWO AWS services can be used to store and retrieve application configuration data? (Choose two.)

Select 2 answers
A.AWS AppConfig
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.Amazon S3
E.AWS CloudFormation
Answers: A, B

Managed service for application configuration.

Why this answer

Options A (AWS AppConfig) and B (AWS Systems Manager Parameter Store) are correct. AppConfig is designed for application configuration, and Parameter Store can store configuration parameters. Option C (Secrets Manager) is for secrets, not general configuration.

Option D (S3) is for objects. Option E (CloudFormation) is for infrastructure as code.

852
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AES-256 using SSE-S3. They also want to automatically remediate any bucket that is created without encryption. The team currently uses AWS CloudFormation StackSets to deploy resources. They need a solution that does not require manual intervention. Which approach should be taken?

A.Create an SCP that denies s3:PutBucketEncryption with a condition that the encryption is not SSE-S3.
B.Configure an AWS Config rule to detect buckets without SSE-S3 and use AWS Systems Manager Automation to apply SSE-S3 encryption automatically.
C.Create a CloudFormation template that includes a bucket with SSE-S3 enabled and deploy it via StackSets to all accounts.
D.Enable S3 Block Public Access at the organization level.
Answer: B

Detects and remediates non-compliant buckets.

Why this answer

Option B is correct because AWS Config can continuously evaluate S3 buckets against a custom rule that checks for SSE-S3 encryption. When a non-compliant bucket is detected, AWS Systems Manager Automation can automatically remediate it by applying the required encryption, meeting the requirement for automatic remediation without manual intervention.

Exam trap

The trap here is that candidates may confuse preventive controls (SCPs) with detective and corrective controls (Config + Automation), failing to realize that SCPs alone cannot remediate already non-compliant resources or enforce encryption on buckets created without encryption settings.

How to eliminate wrong answers

Option A is wrong because an SCP that denies s3:PutBucketEncryption would prevent any encryption changes, but it does not enforce encryption on newly created buckets (which default to no encryption) and does not provide automatic remediation. Option C is wrong because deploying a CloudFormation template via StackSets only creates buckets with encryption at deployment time; it does not detect or remediate buckets created outside of CloudFormation, such as those created manually or by other services. Option D is wrong because S3 Block Public Access controls public access settings, not encryption; it does not address the requirement to enforce SSE-S3 encryption.

853
MCQ · medium

A DevOps engineer is troubleshooting a failed AWS CodeBuild build. The build project uses a custom Docker image stored in Amazon ECR. The build logs show: 'Error: Cannot pull Docker image: repository does not exist or may require 'docker login'.' The engineer has verified that the ECR repository exists and the IAM role used by CodeBuild has the 'ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', and 'ecr:GetAuthorizationToken' permissions. What is the MOST likely cause?

A.The ECR repository is in a different AWS account and the IAM role does not have cross-account trust.
B.The CodeBuild project's environment image override is set to the wrong image name.
C.The image tag specified in the buildspec does not exist in the ECR repository.
D.The CodeBuild project is configured with a VPC that does not have a NAT gateway.
Answer: C

If the tag is missing, CodeBuild cannot pull the image, resulting in a 'repository does not exist' error.

Why this answer

Option C is correct: the image tag or digest referenced in the buildspec may be incorrect or may not exist in the repository. Option D (VPC without a NAT gateway) would cause a network timeout, not a 'repository does not exist' error. Option A (cross-account) would require different permissions.

Option B (wrong image name) is plausible, but the error explicitly says 'repository does not exist', which points to a problem with the repository name or tag.

854
MCQ · hard

A developer is deploying an application on EC2 that must access an S3 bucket. The developer wants to avoid hard-coding credentials. What is the MOST secure way to grant access?

A.Use an S3 bucket policy that allows access from the EC2 instance's public IP address.
B.Create an IAM role and attach it to the EC2 instance profile.
C.Set the AWS credentials as environment variables in the user data script.
D.Store the AWS access key ID and secret access key in a configuration file on the instance.
Answer: B

Instance profiles deliver temporary credentials securely; no hard-coded keys needed.

Why this answer

Creating an IAM role with an instance profile and assigning it to the EC2 instance is the most secure method. It provides temporary credentials automatically via the EC2 metadata service. Option D is wrong because storing keys in a configuration file is not secure.

Option A is wrong because S3 bucket policies are resource-based and should be used in combination with IAM roles; the primary method is the instance profile. Option C is wrong because environment variables can be read by other processes and are less secure than instance profiles.

855
MCQ · medium

A developer is building a serverless application using AWS Lambda and API Gateway. The Lambda function needs to access a DynamoDB table that stores sensitive customer data. The developer wants to follow the principle of least privilege. Which IAM role configuration should be used?

A.Configure a resource-based policy on the Lambda function to allow DynamoDB access.
B.Attach the AmazonDynamoDBFullAccess managed policy to the Lambda execution role.
C.Use an S3 bucket policy to grant the Lambda function access to the DynamoDB table.
D.Create a custom IAM policy with specific DynamoDB actions (e.g., GetItem, PutItem) on the specific table and attach it to the Lambda execution role.
Answer: D

This follows the principle of least privilege by granting only necessary actions on the specific table.

Why this answer

Option D is correct because it adheres to the principle of least privilege by granting only the specific DynamoDB actions (e.g., GetItem, PutItem) required by the Lambda function, scoped to the exact table. The Lambda execution role is an IAM role that the Lambda service assumes, and attaching a custom policy with fine-grained permissions ensures minimal access. This approach avoids over-permissioning and follows AWS security best practices for serverless applications.

Exam trap

The trap here is that candidates confuse resource-based policies (used for granting invoke permissions to Lambda) with execution role policies (used for granting the Lambda function access to other AWS services), leading them to pick Option A, which does not control DynamoDB access.

How to eliminate wrong answers

Option A is wrong because resource-based policies on Lambda functions control which other AWS services or accounts can invoke the function, not the function's own access to downstream resources like DynamoDB; Lambda uses execution roles for outbound permissions. Option B is wrong because AmazonDynamoDBFullAccess is a managed policy that grants unrestricted access to all DynamoDB actions on all tables, violating the principle of least privilege. Option C is wrong because S3 bucket policies are used to control access to S3 resources, not DynamoDB tables; DynamoDB access is governed by IAM policies attached to the caller's role, not by S3 policies.

856
Multi-Select · medium

A developer is deploying a web application on Amazon ECS with Fargate. The application needs to store session state. Which THREE options are suitable for storing session state in a distributed environment? (Choose THREE.)

Select 3 answers
A.Amazon S3
B.Amazon RDS for MySQL
C.Local ephemeral storage on the Fargate task
D.Amazon DynamoDB
E.Amazon ElastiCache for Redis
Answers: B, D, E

RDS can be used for session state, though it may require more management; it is a valid option.

Why this answer

Options B, D, and E are correct. Option E: ElastiCache for Redis is commonly used for session storage. Option D: DynamoDB is a good choice for session state due to its low latency and scalability.

Option B: RDS for MySQL can be used but is less common due to relational overhead; it is still a valid option. Option C (local ephemeral storage) is not suitable because it is not shared across tasks. Option A (S3) is not designed for frequent read/write of session data; it is object storage with higher latency.

857
MCQ · medium

An IAM policy is attached to an AWS Lambda function's execution role. What actions can this Lambda function perform?

A.Invoke the specified Lambda function and receive messages from the SQS queue.
B.Send messages to the SQS queue and invoke any Lambda function.
C.Invoke the specified Lambda function and receive messages from the SQS queue.
D.Invoke the specified Lambda function and send messages to the SQS queue.
Answer: D

Both actions are explicitly allowed.

Why this answer

Option D is correct. The policy allows invoking a specific Lambda function (which may be itself or another) and sending messages to a specific SQS queue. It does not allow receiving messages.

Options A and C (invoke and receive) are incorrect because receiving messages is not allowed. Option B is incorrect because the policy names a specific Lambda function, not any function.

858
MCQ · hard

A company is deploying a containerized application on Amazon EKS. The developer wants to automate the deployment process using a CI/CD pipeline that builds a Docker image, pushes it to Amazon ECR, and updates the Kubernetes deployment. Which tool should the developer use to update the Kubernetes deployment?

A.kubectl set image command
B.AWS Systems Manager Automation
C.AWS CloudFormation with a custom resource
D.AWS CodeBuild with a buildspec that runs kubectl commands
Answer: A

Directly updates the deployment image.

Why this answer

Option A is correct because `kubectl set image` updates the image of a deployment directly. Option D is wrong because AWS CodeBuild can build and push the image but does not update the deployment directly. Option C is wrong because AWS CloudFormation is for infrastructure provisioning.

Option B is wrong because AWS Systems Manager is for management, not Kubernetes updates.

859
MCQ · easy

A developer is writing a script to programmatically create an Amazon EC2 instance. The script will run on an EC2 instance that already has an IAM role attached. Which AWS SDK method should the developer use to securely obtain temporary credentials for the script?

A.Retrieve the temporary credentials from the instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/).
B.Store the access key ID and secret access key in the script.
C.Use AWS Secrets Manager to store and retrieve the credentials.
D.Use the AWS SDK's default credential provider chain.
Answer: A

Instance metadata provides temporary credentials from the IAM role automatically.

Why this answer

Option A is correct because instance metadata provides temporary credentials from the attached IAM role. Option B is wrong because hardcoding keys is insecure. Option C is wrong because AWS Secrets Manager is for secrets, not automatic credential retrieval for EC2.

860
MCQ · hard

A developer needs to grant read-only access to objects in an S3 bucket (in Account A) to an IAM role in Account B. The bucket uses server-side encryption with AWS KMS (SSE-KMS) using a customer managed key (CMK) in Account A. Which of the following is REQUIRED for the cross-account access to succeed?

A.The S3 bucket policy in Account A grants s3:GetObject to the IAM role in Account B, the KMS key policy in Account A grants kms:Decrypt to the IAM role in Account B, and the IAM role in Account B has a trust policy allowing the IAM user to assume it.
B.The S3 bucket policy in Account A grants s3:GetObject to the IAM role in Account B, and the IAM role in Account B has a trust policy allowing the IAM user to assume it. No KMS key policy is needed because the role can use the key via IAM policies.
C.The S3 bucket policy in Account A grants s3:GetObject to the IAM user in Account B, and the IAM user's IAM policy grants s3:GetObject.
D.The S3 bucket uses SSE-C, so the developer must provide the encryption key in the request. No KMS key policy is needed.
Answer: A

All three policies are required: the bucket policy for S3 access, the KMS key policy for decryption permissions, and the trust policy in Account B to allow the IAM user to assume the role.

Why this answer

Option A is correct because cross-account access to an S3 bucket with SSE-KMS using a customer managed key requires three distinct permissions: the S3 bucket policy must grant s3:GetObject to the IAM role in Account B, the KMS key policy must grant kms:Decrypt to that same role (since KMS key policies are resource-based and do not trust IAM policies from other accounts), and the IAM role in Account B must have a trust policy that allows the IAM user to assume it. Without the KMS key policy explicitly allowing the external role, the decryption step will fail, even if the S3 bucket policy permits the read operation.

Exam trap

The trap here is that candidates assume IAM policies in the target account are sufficient for KMS operations, forgetting that KMS key policies are resource-based and must explicitly grant cross-account access, unlike S3 bucket policies which can reference external principals directly.

How to eliminate wrong answers

Option B is wrong because it omits the required KMS key policy entry; KMS key policies are resource-based and do not automatically extend trust to IAM principals in another account, so the IAM role in Account B cannot use the CMK for decryption without an explicit grant in the key policy. Option C is wrong because it grants access to an IAM user rather than an IAM role, and cross-account access via S3 bucket policies must be granted to a principal in the other account (such as an IAM role), not directly to an IAM user; additionally, the IAM user's own policy is irrelevant because the bucket policy is the controlling resource-based policy for S3 access. Option D is wrong because the question explicitly states the bucket uses SSE-KMS, not SSE-C, so the scenario of providing an encryption key in the request does not apply.

861
MCQ · hard

The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?

A.The policy uses an incorrect action name for decryption.
B.The KMS key policy does not grant the Lambda execution role permission to use the key.
C.The policy does not include kms:DescribeKey permission.
D.The policy does not include kms:Decrypt permission.
Answer: B

Even if the IAM policy allows, the key policy must also allow; this is a common misconfiguration.

Why this answer

The identity policy grants kms:Decrypt (but not kms:DescribeKey), so the likely cause is that the KMS key policy does not grant the Lambda execution role permission to use the key. The key policy must explicitly allow the Lambda role to use the key.

Option A is wrong because the action name kms:Decrypt is correct. Option C is wrong because the failure is not about kms:DescribeKey. Option D is wrong because kms:Decrypt is included in the action list.

Option B is correct: the key policy must grant access to the Lambda role.

862
MCQ · medium

The IAM policy above is attached to a user. The user tries to decrypt a KMS key with encryption context {"department": "finance"}. What will happen?

A.The action is allowed because the Allow statement matches the encryption context.
B.The action is denied because the Deny statement applies to all resources.
C.The action is denied because there is an explicit Deny that overrides any Allow.
D.The action is denied because the Allow statement does not explicitly allow.
Answer: A

The Allow condition matches, and the Deny condition does not, so the action is allowed.

Why this answer

Option A is correct. The first statement allows decryption when the encryption context equals "finance", and the second statement denies when it does not equal "finance". For the context {"department": "finance"}, the Allow condition is met and the Deny condition (StringNotEquals) is not. An explicit Deny always overrides an Allow, but here the Deny does not apply, so only the Allow takes effect and the action is allowed.

Option C is wrong because the Deny condition does not match. Option D is wrong because the Allow condition does match. Option B is wrong because the Deny is conditional and does not apply here.

863
MCQ · easy

The exhibit shows an S3 bucket policy. If an IAM user in the same AWS account attempts to download an object from the bucket from IP address 203.0.113.5, what will happen?

A.The request will succeed because the user has IAM permissions.
B.The request will succeed because the user is in the same account.
C.The request will succeed because the bucket policy does not explicitly deny.
D.The request will be denied.
Answer: D

The bucket policy condition restricts access to a specific IP range; the user's IP is outside that range.

Why this answer

The policy allows GetObject only if the source IP is in 192.0.2.0/24. The user's IP (203.0.113.5) is not in that range, so the request will be denied. The IAM user's own permissions do not override the bucket policy's explicit deny condition.

Option A is wrong because the IAM user's permissions do not satisfy the bucket policy's IP condition. Option C is wrong because the bucket policy is still evaluated and its condition is not met. Option B is wrong because being in the same account does not satisfy the IP condition.

864
Multi-Select · medium

A developer is deploying a web application using AWS Elastic Beanstalk. The application requires a custom platform that is not provided by Elastic Beanstalk. The developer has created a custom platform using the Packer tool and has stored the platform artifacts in an Amazon S3 bucket. Which TWO steps are necessary to use this custom platform in Elastic Beanstalk? (Choose TWO.)

Select 2 answers
A.Define a custom platform version in the Elastic Beanstalk environment's configuration using a platform definition file.
B.Set the environment's platform to 'Custom' and provide the S3 URL of the platform artifacts.
C.Create a Dockerfile in the application source bundle to define the custom platform.
D.Specify the custom platform ARN in the environment's configuration.
E.Upload the Packer template to the Elastic Beanstalk console.
Answers: A, D

This is necessary to register the custom platform.

Why this answer

Options A and D are correct. First, the developer must create a platform version resource in the Elastic Beanstalk environment configuration (option A). Then, the developer must specify the platform ARN in the environment's configuration (option D).

Option B is incorrect because the platform is defined by the platform version, not the environment name. Option E is incorrect because the Packer template is used to build the platform, while the platform version resource points to the artifacts in S3. Option C is incorrect because a custom platform does not require a Dockerfile; it uses a custom AMI or other artifacts.

865
Multi-Select · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The stack creation fails because the DB instance creation takes longer than the CloudFormation timeout. Which THREE steps can the developer take to resolve this issue? (Choose THREE.)

Select 3 answers
A.Use a CloudFormation wait condition or a waiter to pause the stack creation until the DB instance is ready.
B.Change the DB instance class to a smaller size.
C.Reduce the stack creation timeout to trigger a rollback faster.
D.Increase the CloudFormation stack creation timeout.
E.Use a custom resource backed by an AWS Lambda function to create the DB instance and handle the creation asynchronously.
Answers: A, D, E

Waits for the resource to become available.

Why this answer

Options A, D, and E are correct. D: Increasing the timeout gives more time for resource creation. A: A waiter can poll until the DB instance is available.

E: A custom resource backed by a Lambda function can handle the creation asynchronously. Option B is wrong because changing the instance class might not speed up creation; it could even take longer. Option C is wrong because reducing the timeout would make the stack fail sooner.

866
MCQ · medium

A mobile application must let authenticated users upload only to their own S3 prefix. Which approach best follows least privilege?

A.Use Cognito identity credentials with an IAM policy scoped to the user's prefix using policy variables
B.Use a single hardcoded access key in the app
C.Make the bucket public and validate names in the client
D.Give every user AmazonS3FullAccess
Answer: A

Correct for the stated requirement.

Why this answer

Option A is correct because it uses Amazon Cognito identity pools to issue temporary AWS credentials scoped to a specific S3 prefix via IAM policy variables (e.g., `${cognito-identity.amazonaws.com:sub}`). This ensures each authenticated user can only upload to their own prefix (e.g., `uploads/${user_id}/`), adhering to the principle of least privilege by granting no more access than necessary.

Exam trap

The trap here is that candidates might choose Option B (hardcoded key) thinking it's simpler, missing that it exposes a static credential that can be compromised, or Option C (public bucket) assuming client-side validation is sufficient, when in fact AWS requires server-side enforcement for security.

How to eliminate wrong answers

Option B is wrong because hardcoding a single access key in the app violates security best practices — the key could be extracted from the mobile binary, granting unrestricted access to the entire bucket. Option C is wrong because making the bucket public and validating names client-side is insecure; a malicious user can bypass client-side checks and upload to any prefix. Option D is wrong because granting AmazonS3FullAccess to every user violates least privilege by giving all users full administrative control over all S3 buckets, including the ability to delete or modify any object.
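The policy decisions argued in questions 862, 863 and 866 (encryption-context Allow/Deny, source-IP restriction, Cognito policy variables) worked in code. This is an added example, not material from the question bank: a deliberately simplified evaluator, with the exhibits rebuilt from the explanations as constructed stand-ins because they are not on this page; the 863 exhibit is assumed to be a Deny with NotIpAddress evaluated together with the user's own identity Allow, and all ARNs are placeholders.

```python
"""Simplified IAM evaluator for questions 862, 863 and 866 (added example, not from the page).

Modelled: explicit Deny wins over Allow, no matching Allow is an implicit deny, the
condition operators StringEquals/StringNotEquals/IpAddress/NotIpAddress (negated
operators match when the key is absent, as in IAM), and ${...} policy variables in
Resource.  Principals, NotAction/NotResource and cross-account logic are left out.
"""
from fnmatch import fnmatchcase
import ipaddress
import re

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    # A variable missing from the context can never match.
    return _VAR.sub(lambda m: context.get(m.group(1), "\0"), pattern)


def _in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in networks)


def _condition_matches(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual, values = context.get(key), _as_list(expected)
            if operator == "StringEquals" and (actual is None or actual not in values):
                return False
            if operator == "StringNotEquals" and actual is not None and actual in values:
                return False
            if operator == "IpAddress" and (actual is None or not _in_any(actual, values)):
                return False
            if operator == "NotIpAddress" and actual is not None and _in_any(actual, values):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    actions = _as_list(stmt["Action"])
    resources = [_substitute(r, context) for r in _as_list(stmt["Resource"])]
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources)
            and _condition_matches(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # an explicit Deny always wins
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# Constructed stand-ins for the exhibits; the ARNs are placeholders, not real resources.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
CONTEXT_KEY = "kms:EncryptionContext:department"
Q862_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN,
     "Condition": {"StringEquals": {CONTEXT_KEY: "finance"}}},
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": KEY_ARN,
     "Condition": {"StringNotEquals": {CONTEXT_KEY: "finance"}}},
]}
# Same-account request: the user's identity Allow and the bucket policy's Deny are unioned.
Q863_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
]}
Q866_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-uploads/uploads/${cognito-identity.amazonaws.com:sub}/*"},
]}


def decrypt_decision(department=None):
    context = {} if department is None else {CONTEXT_KEY: department}
    return evaluate(Q862_POLICY, "kms:Decrypt", KEY_ARN, context)


def download_decision(source_ip):
    return evaluate(Q863_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.pdf",
                    {"aws:SourceIp": source_ip})


def upload_decision(identity_sub, object_key):
    return evaluate(Q866_POLICY, "s3:PutObject", f"arn:aws:s3:::app-uploads/{object_key}",
                    {"cognito-identity.amazonaws.com:sub": identity_sub})
```

Beyond the page's cases, `decrypt_decision()` with no encryption context shows why the negated Deny also fires when the context key is missing entirely.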

867
Multi-Select · hard

A company is using AWS CloudFormation to manage infrastructure. A developer needs to create a stack that will launch an EC2 instance and associate an Elastic IP address. The Elastic IP must be released when the stack is deleted. Which TWO resources should the developer include in the CloudFormation template? (Choose TWO.)

Select 2 answers
A.AWS::EC2::Instance
B.AWS::EC2::EIP
C.AWS::EC2::NetworkInterface
D.AWS::EC2::Address
E.AWS::EC2::EIPAssociation
Answers: B, E

Creates the Elastic IP.

Why this answer

Options B and E are correct: AWS::EC2::EIP and AWS::EC2::EIPAssociation are needed. Option A (AWS::EC2::Instance) is needed but is not part of the pair.

Option C (AWS::EC2::NetworkInterface) is not required. Option D (AWS::EC2::Address) is not a valid resource type.

868
MCQ · hard

A developer is troubleshooting an application that uses Amazon SQS. Messages are being sent to a dead-letter queue (DLQ) after the maximum receive count is exceeded. The consumer processes messages but sometimes fails. The developer wants to ensure that messages are retried immediately after a failure, without waiting for the visibility timeout. Which solution should the developer implement?

A.Configure a delay queue so that messages are not immediately visible after failure.
B.After a failure, call ChangeMessageVisibility with a timeout of 0 to make the message immediately available for reprocessing.
C.Delete the message from the queue and re-send it after processing failure.
D.Increase the visibility timeout to allow more time for processing.
Answer: B

Setting visibility timeout to 0 makes the message immediately visible to other consumers, enabling immediate retry.

Why this answer

Option B is correct because calling ChangeMessageVisibility with a timeout of 0 makes the message immediately visible to other consumers for retry. Option C (delete and re-send) would create a new message with a new message ID, losing the original message attributes. Option D (increase visibility timeout) would delay the retry.

Option A (delay queue) would add a delay before the message becomes available, which is the opposite of what is needed.

869
Multi-Select · medium

A company wants to ensure that only encrypted connections are used to access their S3 bucket. Which THREE methods can be used to enforce this?

Select 3 answers
A.Use Amazon CloudFront with the S3 bucket as origin and require HTTPS.
B.Enable default encryption on the bucket.
C.Enable S3 Block Public Access on the bucket.
D.Use a bucket policy that denies requests when aws:SecureTransport is false.
E.Use client-side encryption for all uploads.
Answers: A, D, E

CloudFront can enforce HTTPS.

Why this answer

Options A, D, and E are correct. A bucket policy with a condition on aws:SecureTransport denies HTTP (D). CloudFront can enforce HTTPS (A). Client-side encryption encrypts data before it is sent (E).

S3 Block Public Access (C) does not enforce encryption in transit. Default encryption (B) sets server-side encryption at rest but does not enforce HTTPS.

870
Multi-Select · hard

Which THREE actions are required to set up a blue/green deployment for an Amazon ECS service using AWS CodeDeploy? (Choose three.)

Select 3 answers
A.Create a second ECS service for the green environment.
B.Create an ECS application and deployment group in CodeDeploy.
C.Create a new Application Load Balancer for the green environment.
D.Specify the task definition and container images in the AppSpec file.
E.Configure the ECS service to use the CodeDeploy deployment controller.
Answers: B, D, E

This is required to define the deployment settings.

Why this answer

Option B is correct because CodeDeploy requires an ECS application and deployment group to manage the deployment lifecycle, including traffic shifting and rollback. The deployment group defines the ECS service, target groups, and load balancer listener for routing traffic between blue and green environments.

Exam trap

The trap here is that candidates mistakenly think they need to create a second ECS service or a new ALB for the green environment, but CodeDeploy handles the green infrastructure automatically within the same service and ALB.

871
MCQ · easy

A developer is building a serverless application that needs to store user session data. The data is small (a few KB per user) and must be accessible across multiple invocations of the same Lambda function and across different Lambda functions. The session data should persist for the duration of the user session (up to 1 hour). Which storage solution should the developer use?

A.Amazon ElastiCache with Redis
B.Amazon DynamoDB with TTL
C.Amazon S3
D.Local storage (Lambda ephemeral storage /tmp)
Answer: A

ElastiCache with Redis is ideal for session state storage. It provides in-memory caching with low latency, supports TTL for automatic expiration, and can be accessed from any Lambda function via a VPC. It is a common pattern for serverless session management.

Why this answer

Amazon ElastiCache with Redis is the correct choice because it provides an in-memory data store with sub-millisecond latency, making it ideal for storing small, ephemeral session data that needs to be shared across multiple Lambda invocations and functions. Redis supports key-value storage with configurable Time-to-Live (TTL) for automatic expiration, aligning perfectly with the 1-hour session duration requirement. Unlike other options, ElastiCache is designed for low-latency, cross-function access without the overhead of database writes or file system limitations.

Exam trap

The trap here is that candidates often choose DynamoDB with TTL because it is a serverless, managed service with automatic expiration, but they overlook the fact that session data requires ultra-low latency and high throughput that only an in-memory cache like Redis can provide, and DynamoDB's per-request latency and cost model are suboptimal for this use case.

How to eliminate wrong answers

Option B (Amazon DynamoDB with TTL) is wrong because while DynamoDB can store session data and TTL can expire it, it introduces higher latency and cost for small, ephemeral data compared to an in-memory cache, and it is not optimized for the sub-millisecond access patterns typical of session management. Option C (Amazon S3) is wrong because S3 is an object storage service with higher latency (typically tens to hundreds of milliseconds), and it is not designed for frequent read/write operations on small data items, making it unsuitable for session data that must be accessed across multiple invocations. Option D (Local storage /tmp) is wrong because Lambda's ephemeral storage is isolated to a single invocation instance and cannot be shared across different Lambda functions or even across concurrent invocations of the same function, violating the requirement for cross-function accessibility.

872
MCQ · easy

A developer is creating an Amazon S3 bucket to store sensitive documents. The bucket must encrypt objects at rest using an AWS Key Management Service (KMS) key. Which S3 bucket property should be configured?

A.Bucket policy
B.Default encryption
C.Versioning
D.Lifecycle configuration
Answer: B

Sets server-side encryption for all objects.

Why this answer

Option B is correct because S3 default encryption can be set to use SSE-KMS. Option A is wrong because bucket policies control access, not encryption. Option D is wrong because lifecycle configuration manages object lifecycle.

Option C is wrong because versioning is for object versions, not encryption.

873
MCQ · hard

An application running on EC2 instances in an Auto Scaling group needs to access an S3 bucket. The security team wants to avoid storing long-term AWS credentials on the instances. Which approach should be used?

A. Store the credentials in AWS Systems Manager Parameter Store and retrieve them in User Data.
B. Create an IAM role and attach it to the EC2 instance profile.
C. Use an AWS Lambda function to generate temporary credentials and pass them to the instances.
D. Generate access keys for a dedicated IAM user and store them in a file on the AMI.
Answer: B

The SDK automatically retrieves temporary credentials from the instance metadata.

Why this answer

Option B is correct because it uses an IAM role attached to an EC2 instance profile, which allows the EC2 instances to automatically obtain temporary security credentials from the AWS Security Token Service (STS). This approach eliminates the need to store long-term credentials on the instances, as the credentials are rotated automatically and are retrieved via the instance metadata service (IMDS).

Exam trap

The trap here is that candidates may think storing credentials in Parameter Store or using Lambda to generate temporary credentials is more secure, but they overlook that an IAM role with an instance profile is the simplest and most secure method because it eliminates the need to handle credentials at all.

How to eliminate wrong answers

Option A is wrong because storing credentials in Systems Manager Parameter Store and retrieving them in User Data still requires the credentials to be stored as a secret, and User Data runs only at instance launch, leaving the credentials on the instance's local storage or memory, which violates the security requirement of not storing long-term credentials. Option C is wrong because using an AWS Lambda function to generate temporary credentials and pass them to the instances introduces unnecessary complexity and a potential security risk of passing credentials over the network; the instances can directly obtain temporary credentials via an IAM role without external orchestration. Option D is wrong because generating access keys for a dedicated IAM user and storing them in a file on the AMI embeds long-term credentials directly into the AMI, which persists across instances and violates the core security principle of avoiding stored credentials.

874
MCQ · medium

A developer needs different configuration values for dev, test, and prod in the same SAM template. Which feature is suitable?

A. Parameters and environment-specific parameter overrides
B. Hardcoded ARNs in every function
C. One AWS root account per environment
D. Disabling stack updates
Answer: A

Correct for the stated requirement.

Why this answer

AWS SAM supports Parameters and environment-specific parameter overrides, allowing you to define a single template and supply different configuration values (e.g., database URLs, API keys) for dev, test, and prod environments at deployment time. This is achieved by passing a JSON or YAML file with the `--parameter-overrides` flag in the `sam deploy` command, or by using the `parameters` section in a `samconfig.toml` file. This approach avoids duplicating templates and keeps infrastructure-as-code DRY and maintainable.

Exam trap

The trap here is that candidates may think hardcoding ARNs or using separate root accounts is simpler, but the exam tests knowledge of AWS-recommended patterns like parameter overrides and multi-account strategies using AWS Organizations, not root accounts.

How to eliminate wrong answers

Option B is wrong because hardcoding ARNs in every function violates the principle of environment isolation and requires manual changes for each environment, increasing the risk of misconfiguration and deployment errors. Option C is wrong because using one AWS root account per environment is an anti-pattern; it introduces unnecessary administrative overhead, security risks, and violates the AWS Well-Architected Framework's recommendation to use separate AWS accounts (not root accounts) for environment isolation. Option D is wrong because disabling stack updates prevents any future changes to the stack, making it impossible to update configuration values or deploy new features, which is impractical for ongoing development and deployment.

875
MCQ · medium

A developer is deploying a new version of an AWS Lambda function. The deployment failed because the new function code references a layer that is not available. Which AWS CLI command can be used to list all layers associated with the function?

A. aws lambda list-layer-versions --layer-name my-layer
B. aws lambda get-function --function-name my-function
C. aws lambda get-function-configuration --function-name my-function
D. aws lambda list-layers --function-name my-function
Answer: C

Returns configuration including attached layers.

Why this answer

Option C is correct because `aws lambda get-function-configuration` returns the function's configuration, including the `Layers` list. Option A is wrong because `list-layer-versions` lists the versions of one specific layer, not the layers attached to a function. Option D is wrong because `list-layers` lists the layers in the account and does not accept a `--function-name` parameter.

Option B is wrong because `get-function` returns the function code and deployment package details and is not the intended command for listing attached layers.

876
MCQ · hard

A company stores sensitive data in Amazon S3. A developer needs to implement a solution that automatically encrypts objects at rest using a key that is rotated annually. The developer must minimize operational overhead. Which solution meets these requirements?

A. Use Server-Side Encryption with S3-Managed Keys (SSE-S3) and set key rotation policy.
B. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) with automatic key rotation.
C. Use Server-Side Encryption with Customer-Provided Keys (SSE-C) and manually rotate keys.
D. Use Client-Side Encryption with KMS.
Answer: B

SSE-KMS allows you to enable automatic annual key rotation, meeting the requirement with low overhead.

Why this answer

SSE-KMS with automatic key rotation meets the requirement for annual key rotation with minimal operational overhead because AWS KMS can automatically rotate the customer master key (CMK) every year (365 days) without any manual intervention. This ensures that objects in S3 are encrypted at rest using a key that is rotated on schedule, while the developer does not need to manage the rotation process.

Exam trap

The trap here is that candidates often confuse SSE-S3's automatic key rotation (which is fixed at one year and not configurable) with the ability to set a custom rotation policy, leading them to incorrectly choose option A.

How to eliminate wrong answers

Option A is wrong because SSE-S3 does not support customer-controlled key rotation; S3 manages the keys entirely and rotates them automatically every year, but the developer cannot set or control a custom key rotation policy. Option C is wrong because SSE-C requires the developer to provide and manage their own encryption keys, including manually rotating them, which increases operational overhead. Option D is wrong because client-side encryption requires the developer to implement encryption logic in the application and manage key rotation on the client side, adding significant operational overhead compared to a server-side solution.

877
MCQ · hard

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated automatically every 365 days. Which type of KMS key should be used?

A. Use a custom key store with automatic rotation enabled.
B. Use an AWS managed key (e.g., aws/s3).
C. Use a key with imported key material and set a rotation period of 365 days.
D. Use a customer managed key with automatic rotation enabled.
Answer: B

AWS managed keys are automatically rotated every 365 days, meeting the requirement without additional configuration.

Why this answer

AWS managed keys (e.g., aws/s3) automatically rotate every year (365 days) without any configuration required, which satisfies the security team's requirement. Customer managed keys with automatic rotation enabled rotate annually by default, but the question asks for the type of key that should be used, and AWS managed keys are the simplest choice that meets the requirement. Imported key material cannot be rotated automatically because AWS KMS cannot generate new key material for keys with imported material.

Exam trap

The trap here is that candidates assume only customer managed keys support automatic rotation, overlooking that AWS managed keys also rotate automatically every 365 days and are the simplest way to meet the requirement.

How to eliminate wrong answers

Option A is wrong because a custom key store (CloudHSM) does not support automatic key rotation; you must manually rotate keys in a custom key store. Option C is wrong because keys with imported key material cannot have automatic rotation enabled; AWS KMS cannot generate new key material for such keys, so rotation must be manual. Option D is wrong because while a customer managed key with automatic rotation enabled does rotate every 365 days, it is not the only option; the question asks which type of KMS key should be used, and AWS managed keys (Option B) also meet the requirement and are simpler to manage, making B the best answer.

878
MCQ · medium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function sometimes fails due to transient errors. The developer wants to ensure that failed messages are retried automatically and then sent to a dead-letter queue after three failed attempts. How should the developer configure this?

A. Enable Lambda function's DLQ and set the retry attempts to 3.
B. Configure the Lambda function's reserved concurrency to 0 and set the DLQ on the function.
C. Configure the SQS queue with a redrive policy and a dead-letter queue. Set the maxReceiveCount to 3.
D. Use an Amazon SNS topic to send failed messages to a DLQ after three Lambda invocations.
Answer: C

SQS handles retries via visibility timeout and moves to DLQ after 3 receives.

Why this answer

Option C is correct because the SQS redrive policy and dead-letter queue handle retries and failures: a message whose processing fails becomes visible again after the visibility timeout, and it moves to the DLQ once it has been received maxReceiveCount times. Option A is wrong because a DLQ configured on the Lambda function does not integrate with the SQS retry logic; Lambda's own retry behaviour is separate from SQS redelivery. Option B is wrong because a reserved concurrency of 0 stops the function from being invoked at all.

Option D is wrong because an SNS topic does not track invocation attempts; a Lambda destination routes success/failure results, it does not control retries.

879
Multi-Select · hard

A developer uses API Gateway with Cognito. Which two token validations are important when authorizing API access?

Select 2 answers
A. Validate issuer and audience/client ID
B. Accept any JWT signed with none algorithm
C. Validate scopes or group claims required by the route
D. Trust only the username string sent in a header
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because API Gateway with Cognito requires validating the JWT's issuer (iss) claim to ensure the token was issued by the expected Cognito user pool, and validating the audience (aud) or client ID (azp) claim to confirm the token was intended for the specific API Gateway application. Without these checks, an attacker could use a token from a different user pool or client to access the API.

Exam trap

The trap here is that candidates often focus only on signature verification (which is critical) but overlook the equally important validation of issuer and audience claims, which prevents token reuse across different user pools or clients.

880
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails during the BeforeInstall lifecycle event. What should the developer do to troubleshoot the issue?

A. Check the deployment group configuration.
B. Verify the build output from CodeBuild.
C. Check the appspec.yml file for errors in the BeforeInstall hook.
D. Review the deployment configuration settings.
Answer: C

Lifecycle hooks are defined in appspec.yml.

Why this answer

Option C is correct because the BeforeInstall hook scripts are defined in the appspec.yml file, so an error in that hook is the first place to look. Option A is wrong because the deployment group configuration is not where lifecycle hooks are defined. Option B is wrong because the build output has already been produced successfully.

Option D is wrong because the deployment configuration settings are not related to what runs in the lifecycle hook.

881
Multi-Select · hard

An event-driven application uses EventBridge rules to route partner events. Which two design choices improve maintainability?

Select 2 answers
A. Use event patterns that match stable business attributes
B. Put all routing logic in a single Lambda that invokes every target
C. Hardcode account root credentials in targets
D. Use a custom event bus or partner event source separation where appropriate
Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because using event patterns that match stable business attributes (e.g., order status, payment type) decouples routing logic from infrastructure details. This means if the underlying service changes its ARN or endpoint, the rule remains valid as long as the business attribute stays the same. It improves maintainability by reducing the need to update rules when non-functional aspects change.

Exam trap

The trap here is that candidates often confuse 'maintainability' with 'simplicity' and choose a single Lambda function (Option B) thinking it reduces complexity, but in reality it creates a hard-to-maintain monolith that violates AWS best practices for event-driven architectures.

882
MCQ · hard

A developer is using AWS X-Ray to trace a microservices application. The trace shows that a downstream service is failing with HTTP 500 errors intermittently. The developer wants to set up trace annotations to capture the error details for further analysis. Which AWS service can the developer use to search and filter traces based on these annotations?

A. Amazon CloudWatch Logs Insights
B. AWS X-Ray console search
C. Amazon Athena queries on X-Ray data
D. Amazon Kinesis Data Analytics
Answer: B

The X-Ray console provides a search feature that allows you to filter traces based on annotations and other attributes. It is the most direct way to find traces with specific annotations.

Why this answer

Option B is correct because AWS X-Ray's console search feature allows developers to query traces using annotations and metadata that are indexed by X-Ray. Annotations are key-value pairs attached to trace segments, and the X-Ray console search can filter traces based on these annotations, enabling the developer to isolate the intermittent HTTP 500 errors and analyze their details.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs Insights with X-Ray's native search capabilities, mistakenly thinking that log query tools can directly search X-Ray trace annotations, when in fact X-Ray provides its own indexed search for annotations and metadata.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs Insights is designed for querying log data stored in CloudWatch Logs, not for searching or filtering X-Ray trace data or annotations; X-Ray traces are stored separately and not directly queryable by CloudWatch Logs Insights. Option C is wrong because Amazon Athena queries on X-Ray data would require exporting X-Ray trace data to Amazon S3 in a structured format (e.g., JSON or Parquet) and setting up a table schema, which is an indirect and complex approach not intended for real-time trace filtering based on annotations. Option D is wrong because Amazon Kinesis Data Analytics is used for real-time processing and analysis of streaming data (e.g., from Kinesis streams), not for querying or filtering stored X-Ray trace annotations.

883
MCQ · easy

A developer needs to securely store database credentials for a Lambda function. The credentials must be automatically rotated every 90 days. Which AWS service should be used?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. Amazon DynamoDB
D. AWS KMS
Answer: A

Secrets Manager is designed for storing secrets and supports automatic rotation.

Why this answer

AWS Secrets Manager is the correct service because it is designed specifically for securely storing, managing, and automatically rotating database credentials and other secrets. It supports built-in rotation with AWS Lambda, allowing you to set a custom rotation interval (e.g., 90 days) without custom infrastructure. Secrets Manager also integrates natively with Amazon RDS, Redshift, and DocumentDB for automatic credential rotation.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets securely but lacks automatic rotation) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires automatic rotation.

How to eliminate wrong answers

Option B (AWS Systems Manager Parameter Store) is wrong because while it can store secrets securely, it does not support automatic rotation of credentials out of the box; you would need to build custom rotation logic. Option C (Amazon DynamoDB) is wrong because it is a NoSQL database service, not a secrets management service, and storing credentials there would require manual encryption and rotation, violating security best practices. Option D (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not for storing or rotating secrets; it can be used to encrypt secrets but does not manage the secret lifecycle or rotation.

884
Drag & Drop · medium

Drag and drop the steps to set up a DynamoDB table with auto scaling in the correct order.


Why this order

First create the table, define scaling policies for both read and write, create a scaling target, and apply policies.

885
MCQ · hard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of several Lambda functions and an API Gateway. The developer wants to enable gradual deployment of Lambda function versions with automatic rollback based on CloudWatch alarms. What should the developer add to the SAM template?

A. Use 'AWS::Lambda::Version' and 'AWS::Lambda::Alias' resources to manually shift traffic and set up CloudWatch alarms to revert the alias if needed.
B. Add a 'DeploymentPreference' property with 'Type' set to 'Linear' and specify an 'Alarms' list for rollback.
C. Add 'AutoPublishAlias' and 'DeploymentPreference' properties to the Lambda function resource, specifying a canary deployment with a CloudWatch alarm for rollback.
D. Add a 'CodeDeployLambdaAlias' resource to the template and configure the deployment group with a canary deployment configuration.
Answer: C

SAM natively supports canary deployments using these properties.

Why this answer

Option C is correct because SAM supports canary deployments through the 'AutoPublishAlias' property combined with a 'DeploymentPreference' that specifies a canary percentage and interval, along with CloudWatch alarms that trigger an automatic rollback. Option D is wrong because 'CodeDeployLambdaAlias' is not a SAM resource. Option B is wrong because 'DeploymentPreference' with 'Type' set to 'Linear' shifts traffic in fixed increments; linear deployments can also roll back on alarms, but the option omits 'AutoPublishAlias', and the gradual canary release is the pattern the question describes.

Option A is wrong because 'AWS::Lambda::Version' and 'AWS::Lambda::Alias' alone give manual traffic shifting and do not provide automatic rollback.

886
MCQ · hard

A developer is deploying a serverless application using AWS SAM. The application consists of multiple Lambda functions and an Amazon API Gateway. The developer wants to enable canary deployments for the API Gateway stage to gradually shift traffic. Which SAM resource attribute should the developer use?

A. DeploymentPreference
B. CanarySetting
C. StageName
D. MethodSettings
Answer: A

The DeploymentPreference attribute in SAM is used to define traffic shifting and canary deployment settings for Lambda and API Gateway.

Why this answer

Option A is correct because the `DeploymentPreference` attribute in AWS SAM's `AWS::Serverless::Api` resource enables canary deployments for API Gateway stages. This attribute allows you to configure traffic shifting patterns, such as linear or canary, by specifying settings like `Type` (e.g., `Canary10Percent5Minutes`) and `Alarms` to automatically roll back on failures. It directly integrates with AWS CodeDeploy to manage the gradual traffic shift without manual intervention.

Exam trap

The trap here is that candidates confuse `CanarySetting` (a direct CloudFormation property for API Gateway stages) with the SAM-specific `DeploymentPreference` attribute, which is the correct abstraction for canary deployments in SAM templates.

How to eliminate wrong answers

Option B is wrong because `CanarySetting` is a property of the API Gateway `Stage` resource in AWS CloudFormation, not a SAM-specific attribute; SAM abstracts this into `DeploymentPreference` for simplicity. Option C is wrong because `StageName` is a property that defines the stage name (e.g., 'prod') but does not control traffic shifting or canary deployments. Option D is wrong because `MethodSettings` configures per-method settings like throttling or caching, not deployment strategies like canary releases.

887
Multi-Select · hard

A developer is building an API using Amazon API Gateway and AWS Lambda. The API must authenticate users using a third-party OAuth 2.0 provider. Which THREE components are required to implement this authentication?

Select 3 answers
A. The OAuth 2.0 access token in the Authorization header
B. Amazon CloudFront distribution for API caching
C. An API Gateway resource policy that invokes the Lambda authorizer
D. An AWS Lambda authorizer function
E. An Amazon Cognito user pool as the OAuth provider
Answers: A, C, D

The token is passed in the header for validation.

Why this answer

Options A, C, and D are required. A Lambda authorizer function can validate access tokens issued by a third-party OAuth 2.0 provider, and the token must be included in the request's Authorization header.

API Gateway is configured to invoke the Lambda authorizer before the backend integration runs. Option E (Cognito user pool) is not required when a third-party provider is used. Option B (CloudFront) is for caching and distribution, not authentication.

888
MCQ · easy

A developer is deploying a new version of a web application on AWS Elastic Beanstalk. The application currently runs in a single environment with an Auto Scaling group. The developer wants to ensure zero downtime during the deployment and that the new version can be fully tested before receiving any traffic. Which Elastic Beanstalk deployment policy should the developer use?

A. All at once
B. Rolling
C. Rolling with additional batch
D. Immutable
Answer: D

This creates a completely new Auto Scaling group with the new version, allowing full testing, and then swaps CNAME, achieving zero downtime.

Why this answer

Immutable deployment is the correct choice because it launches a completely new Auto Scaling group with the new application version, fully tests it before shifting any traffic, and then swaps the environment's instances in a single atomic action, ensuring zero downtime. This policy meets the requirement for full testing of the new version before it receives traffic, as traffic is only routed to the new instances after they pass health checks.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with immutable deployments, mistakenly thinking the extra batch allows full testing, but in reality, the new version still receives traffic incrementally during the rolling update.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime during the deployment process. Option B is wrong because 'Rolling' updates instances in batches, but traffic continues to flow to instances being updated, and the new version is not fully tested before receiving traffic. Option C is wrong because 'Rolling with additional batch' adds a temporary batch of instances to maintain capacity, but the new version still receives traffic incrementally during the deployment, preventing full pre-traffic testing.

889
MCQ · medium

A developer is working on a serverless application that uses AWS Lambda functions to process user uploads. The uploads are stored in an S3 bucket, and each upload triggers a Lambda function that resizes images and stores metadata in DynamoDB. Recently, users have reported that some images are not being resized. The developer checks the CloudWatch logs and sees that the Lambda function is invoked, but it fails with a timeout error after 15 seconds for a few large images. The function has a timeout of 15 seconds and a memory of 512 MB. The image sizes vary from 1 MB to 50 MB. The developer wants to handle large images without increasing the timeout significantly, as that would increase costs. The function is CPU-bound during image processing. Which solution should the developer implement?

A. Increase the memory allocated to the Lambda function to 3008 MB, which also increases CPU power, allowing faster processing within the same timeout.
B. Split the large images into smaller chunks before uploading to S3, then reassemble them after processing.
C. Increase the Lambda function timeout to 5 minutes to accommodate large images.
D. Use AWS Step Functions to orchestrate the image processing workflow, allowing longer timeouts for individual steps.
Answer: A

More memory improves CPU performance, reducing processing time.

Why this answer

Option A is correct because increasing memory also increases the CPU allocated to the Lambda function, which speeds up CPU-bound processing within the existing timeout. Option B is wrong because splitting the image into chunks is complex and may not help with resizing. Option D is wrong because moving to Step Functions adds complexity and still requires the same processing time per step.

Option C is wrong because increasing the timeout alone does not address the CPU bottleneck and raises costs, which the question rules out.

890
MCQ · easy

A developer notices that an RDS MySQL instance's CPU utilization is consistently above 80% during peak hours. Which AWS service can be used to analyze the database queries and identify the root cause?

A. RDS Performance Insights
B. RDS Enhanced Monitoring
C. AWS X-Ray
D. CloudWatch Logs Insights
Answer: A

Provides detailed analysis of database performance and top queries.

Why this answer

RDS Performance Insights provides a dashboard to analyze database load and identify the top SQL queries, so Option A is the correct service. CloudWatch Logs Insights (D) is for log analysis, not database query performance.

AWS X-Ray (C) traces application requests, not database queries. RDS Enhanced Monitoring (B) provides OS-level metrics but not query-level detail.

891
MCQ · medium

A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role has permissions to access an S3 bucket. Which policy is required in the developer's account to enable this cross-account access?

A. An IAM role with a trust policy that allows the external account's root user or specific IAM users/roles to assume the role
B. An S3 bucket policy granting access to the external account
C. An IAM user policy in the external account allowing sts:AssumeRole
D. An AWS Organizations service control policy allowing cross-account access
Answer: A

Correct. The trust policy on the role specifies which principals from other accounts can assume it.

Why this answer

Option A is correct because cross-account IAM role access requires a trust policy attached to the role in the developer's account. This trust policy specifies the external AWS account ID (or specific IAM users/roles in that account) as the principal, allowing them to call sts:AssumeRole. Once the role is assumed, the developer's account grants the necessary S3 permissions via the role's permissions policy.

Exam trap

The trap here is that candidates often confuse the location of the trust policy (required in the account owning the role) with the permissions policy (required in the external account), or mistakenly think an S3 bucket policy alone can enable cross-account role assumption.

How to eliminate wrong answers

Option B is wrong because an S3 bucket policy alone cannot enable the initial assumption of a role; it only grants direct access to the bucket, not the ability to assume an IAM role. Option C is wrong because an IAM user policy in the external account allowing sts:AssumeRole is necessary but not sufficient—the developer's account must also have a trust policy that accepts the assumption request; the question asks for the policy required in the developer's account. Option D is wrong because AWS Organizations SCPs can restrict permissions but cannot grant cross-account access; they are used to set permission boundaries, not to allow role assumption.

892
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team wants to be notified immediately when an IAM user creates a new access key. Which solution is most efficient?

A. Configure CloudTrail to send logs to CloudWatch Logs and create a metric filter with an alarm.
B. Create a CloudWatch Events rule that matches the CreateAccessKey API call and triggers a Lambda function to send an SNS notification.
C. Enable CloudTrail log file validation and periodically check the logs.
D. Use Amazon Athena to query CloudTrail logs daily.
Answer: B

This provides real-time notification.

Why this answer

Option B is correct because CloudWatch Events (now Amazon EventBridge) can directly match the CreateAccessKey API call from CloudTrail and trigger a Lambda function to send an SNS notification in near real-time. This is the most efficient solution as it avoids the overhead of log ingestion, metric filters, or periodic queries, providing immediate notification with minimal latency.

Exam trap

The trap here is that candidates often default to CloudWatch Logs metric filters (Option A) because they are familiar, but fail to recognize that EventBridge rules provide a simpler, lower-latency, and more cost-effective solution for real-time API call monitoring.

How to eliminate wrong answers

Option A is wrong because it requires sending CloudTrail logs to CloudWatch Logs and creating a metric filter with an alarm, which introduces additional cost, latency, and complexity compared to a direct EventBridge rule. Option C is wrong because CloudTrail log file validation only verifies file integrity, not real-time monitoring, and periodically checking logs is not immediate. Option D is wrong because using Athena to query CloudTrail logs daily provides only periodic, not immediate, notification and is inefficient for real-time alerting.

893
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a web application. The developer wants to update the environment's configuration, such as instance type and environment variables, without causing downtime. Which deployment policy should the developer use?

A. All at once
B. Blue/green
C. Immutable
D. Rolling
Answer: D

Rolling updates batches of instances.

Why this answer

Option D is correct because rolling updates apply the configuration change to instances in batches, so capacity stays available and there is no downtime. Option A is wrong because 'All at once' causes downtime. Option C is wrong because immutable updates create a new set of instances rather than updating the existing ones in place.

Option B is wrong because blue/green deployment is a swap between separate environments.

894
MCQ · medium

Refer to the exhibit. An IAM policy is attached to a Lambda function's execution role. The Lambda function is triggered by an S3 event and needs to invoke another Lambda function and decrypt an S3 object encrypted with a customer-managed KMS key. However, the invocation fails with an access denied error. What is the MOST likely cause?

A. The policy does not allow s3:GetObject on the S3 bucket.
B. The policy resource for Lambda is incorrect.
C. The policy is missing kms:GenerateDataKey and kms:Decrypt might not be sufficient for all decryption scenarios.
D. The policy does not allow kms:Decrypt for the key.
Answer: C

May need additional KMS actions like kms:DescribeKey.

Why this answer

Option C is correct because, per the answer key, the policy grants kms:Decrypt but not the other KMS actions the exhibit requires (such as kms:DescribeKey), so the decryption step fails. Option B is wrong because the Lambda resource ARN in the policy is specific and correct. Option D is wrong because kms:Decrypt on the key is allowed. In practice, reading an SSE-KMS object needs kms:Decrypt on the key; kms:GenerateDataKey is only needed when the function also writes encrypted objects, and the key policy must allow the execution role as well as the IAM policy.

Option A is wrong because the reported failure is on the invocation, not an s3:GetObject denial.
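Since the exhibit is not reproduced here, the following CloudFormation snippet is an added example, not the policy from the question: a least-privilege execution role for an S3-triggered function that invokes a second function and reads SSE-KMS objects. The function name, bucket, prefix and key ID are placeholders.

```yaml
# Added example (not the exhibit): execution role for the S3-triggered function.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # CloudWatch Logs permissions for the function's own log group.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: processor-inline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Invoke the downstream function. The resource is a function ARN,
              # not a bucket ARN; mixing these up is a common copy-paste error.
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:downstream-function
              # Read only the objects that trigger the event (placeholder bucket/prefix).
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-upload-bucket/incoming/*
              # Decrypt SSE-KMS objects. kms:Decrypt is what a read needs;
              # add kms:GenerateDataKey only if the function writes SSE-KMS objects.
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                Resource: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/11111111-2222-3333-4444-555555555555
```

Two things outside this role also have to be in place: the S3 bucket needs permission to invoke the function (a resource-based policy on the function for the s3.amazonaws.com principal), and the customer-managed key's key policy must grant the role, or delegate to IAM, or the kms:Decrypt above is still denied.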

895
MCQeasy

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API needs to support a custom domain name and an SSL/TLS certificate. Which AWS service should the developer use to manage the SSL/TLS certificate?

A.AWS Key Management Service (AWS KMS)
B.AWS Certificate Manager (ACM)
C.AWS Identity and Access Management (IAM)
D.AWS Secrets Manager
AnswerB

ACM provides a simple way to create, manage, and deploy public and private SSL/TLS certificates for use with AWS services like API Gateway, CloudFront, and Elastic Load Balancers.

Why this answer

AWS Certificate Manager (ACM) is the correct service for provisioning, managing, and deploying SSL/TLS certificates for use with AWS services like API Gateway. ACM integrates directly with API Gateway custom domain names and automatically renews the certificates it issues, so HTTPS stays valid without manual intervention. One practical check: a Regional custom domain needs an ACM certificate in the same Region as the API, while an edge-optimized custom domain needs the certificate in us-east-1.

Exam trap

The trap here is that candidates confuse AWS KMS or Secrets Manager with certificate management, but ACM is the service that issues and manages SSL/TLS certificates for attachment to AWS services like API Gateway and CloudFront.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a service for creating and controlling encryption keys used to encrypt data at rest, not for managing SSL/TLS certificates. Option C is wrong because IAM is used for managing user identities and permissions, not for issuing or managing SSL/TLS certificates. Option D is wrong because AWS Secrets Manager is designed to securely store and rotate secrets like database credentials or API keys, not for managing SSL/TLS certificates.

896
MCQeasy

A developer runs the AWS CLI command shown in the exhibit. The deployment is created successfully, but the CodeDeploy agent on the target instances does not download the revision. What is the most likely cause?

A.The bundle type should be 'tar' instead of 'zip'.
B.The bucket name is incorrect.
C.The deployment group name is misspelled.
D.The S3 object version is not specified.
AnswerD

If versioning is enabled, the version ID may be required.

Why this answer

Option D is correct. The command does not pass an object version or ETag in its S3 location. If the bucket has versioning enabled, the revision the agent should fetch is ambiguous; pinning the revision with the object's version ID (or its ETag) removes the ambiguity.

Option A is incorrect; the bundle type is specified and a zip bundle is valid. Option B is incorrect; the bucket name is provided. Option C is incorrect; the deployment was created successfully, so the deployment group name resolved.

897
MCQeasy

A developer needs to securely store database credentials for an application running on AWS Lambda. Which AWS service should they use?

A.AWS Systems Manager Session Manager
B.AWS CloudHSM
C.AWS Systems Manager Parameter Store (Standard tier)
D.AWS Secrets Manager
AnswerD

Designed for secrets with automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to securely store and rotate secrets like database credentials. Option C is wrong because Parameter Store SecureString parameters are encrypted with KMS, but the Standard tier has no built-in rotation. Option A is wrong because SSM Session Manager provides shell access to instances, not secret storage. In practice, the Lambda execution role needs secretsmanager:GetSecretValue on the specific secret ARN (plus kms:Decrypt if the secret uses a customer-managed key), and the function should fetch the secret outside the handler so it is cached across invocations.

Option B is wrong because CloudHSM provides dedicated hardware security modules for key operations, not secret storage.

898
Multi-Selecthard

A company has a REST API deployed on Amazon API Gateway with a Lambda integration. The API is experiencing high latency. Which TWO actions would help diagnose the issue?

Select 2 answers
A.Use AWS X-Ray to trace requests.
B.Enable detailed CloudWatch Logs for the API Gateway stage.
C.Increase the Lambda function memory.
D.Change the API integration type from Lambda to HTTP.
E.Add Amazon CloudFront in front of API Gateway.
AnswersA, B

X-Ray provides end-to-end tracing to identify slow components.

Why this answer

Option A is correct because AWS X-Ray, once active tracing is enabled on the API stage and on the Lambda function, records a segment for each hop and shows where the time goes (API Gateway overhead, Lambda cold start, downstream calls). Option B is correct because execution logging on the API Gateway stage records per-request details, including integration latency, so slow requests can be correlated with traces. Option C is wrong because increasing Lambda memory is a remediation that may reduce latency but does not reveal the cause.

Option D is wrong because changing the integration type changes the architecture rather than diagnosing the problem. Option E is wrong because CloudFront is a CDN that caches responses; it adds a layer without explaining the latency.

899
MCQmedium

A company uses AWS CodeBuild to run tests and build artifacts for a Java application. The build process is taking longer than expected. The developer wants to speed up the build by caching dependencies. What should the developer do?

A.Use a CodeCommit repository to store dependencies.
B.Store dependencies in an S3 bucket and download them in each build.
C.Enable local caching in the CodeBuild project configuration.
D.Mount an Amazon EFS file system to the build environment and store dependencies there.
AnswerC

Local caching speeds up builds by reusing cached dependencies.

Why this answer

Option C is correct because CodeBuild's local caching feature allows the build environment to cache dependencies (e.g., the Maven local repository) in a local directory that persists across build runs for the same project. This eliminates the need to re-download dependencies on every build, significantly reducing build time. The cache is stored on the build host's local storage and is managed by CodeBuild; it is best effort, so a build that lands on a different host starts cold, and CodeBuild's S3 cache type is the durable alternative when that matters.

Exam trap

The trap here is that candidates often assume external storage (S3 or EFS) is required for caching, but CodeBuild's built-in local caching is specifically designed for this purpose and avoids the latency of network-based storage.

How to eliminate wrong answers

Option A is wrong because CodeCommit is a Git-based source control service, not a dependency cache; storing dependencies there would require manual management and does not integrate with CodeBuild's caching mechanism. Option B is wrong because downloading dependencies from S3 in each build still incurs network latency and download time, negating the performance benefit of caching. Option D is wrong because mounting an EFS file system adds network filesystem overhead and latency, and EFS is designed for shared file storage across multiple instances, not for low-latency build caching within a single build environment.
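The buildspec that goes with local caching is shown below as an added example, not from the question bank. It assumes the project's cache is set to type LOCAL with the LOCAL_CUSTOM_CACHE mode enabled, and that the build runs on an Amazon Linux standard image where Maven's local repository is /root/.m2.

```yaml
# buildspec.yml (added example, not from the question bank)
version: 0.2
phases:
  install:
    runtime-versions:
      java: corretto17
  build:
    commands:
      # -B keeps Maven non-interactive; dependencies resolve into /root/.m2.
      - mvn -B package
artifacts:
  files:
    - target/*.jar
cache:
  # With LOCAL_CUSTOM_CACHE these paths are saved on the build host after the
  # build and restored before the next build that runs on the same host.
  paths:
    - '/root/.m2/**/*'
```

The cache section is also what the S3 cache type uses, so switching a project from local to S3 caching for durability needs no buildspec change, only the project's cache configuration.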

900
Multi-Selecthard

A company is deploying a critical application using AWS CloudFormation. The stack contains a resource that, if deleted accidentally, would cause data loss. The company wants to protect this resource from being deleted during stack updates or deletions. Which THREE strategies can achieve this? (Choose THREE.)

Select 3 answers
A.Wrap the resource in a nested stack.
B.Enable termination protection on the CloudFormation stack.
C.Set the UpdateReplacePolicy attribute to 'Retain' on the resource.
D.Use a stack policy to deny delete actions on the resource.
E.Set the DeletionPolicy attribute to 'Retain' on the resource.
AnswersB, D, E

Termination protection prevents accidental stack deletion.

Why this answer

Options B, D, and E are correct. DeletionPolicy: Retain on the resource keeps the underlying resource when the stack is deleted or the resource is removed from the template; stack termination protection blocks deletion of the whole stack; and a stack policy that denies Update:Delete on the resource's logical ID blocks its removal during stack updates. Option C is wrong because UpdateReplacePolicy only controls what happens to the old physical resource when an update replaces it; it does not block deletion of the resource or of the stack.

Option A is wrong because nested stacks do not protect individual resources; deleting the parent stack deletes the nested stacks and their resources with it.
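How the three protections fit together, as an added example that is not part of the question bank: a DynamoDB table with DeletionPolicy and UpdateReplacePolicy set on the resource, plus the stack policy that denies its deletion during updates. The table, stack and file names are placeholders.

```yaml
# template.yaml (added example, not from the question bank)
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OrdersTable:
    Type: AWS::DynamoDB::Table
    # Keeps the table if the stack is deleted or the resource is removed
    # from the template (the protection option E describes).
    DeletionPolicy: Retain
    # Keeps the old table if an update forces a replacement, for example a
    # key schema change; this preserves data but does not block deletion.
    UpdateReplacePolicy: Retain
    Properties:
      TableName: orders
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: orderId
          AttributeType: S
      KeySchema:
        - AttributeName: orderId
          KeyType: HASH
---
# stack-policy.json, applied with:
#   aws cloudformation set-stack-policy --stack-name orders-stack \
#       --stack-policy-body file://stack-policy.json
# JSON is valid YAML, so the second file is shown in the same block.
# Once any stack policy is set, updates are denied unless explicitly allowed,
# hence the blanket Allow followed by the targeted Deny.
{
  "Statement": [
    { "Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*" },
    { "Effect": "Deny",
      "Action": ["Update:Delete", "Update:Replace"],
      "Principal": "*",
      "Resource": "LogicalResourceId/OrdersTable" }
  ]
}
```

Termination protection is a stack setting rather than template content: `aws cloudformation update-termination-protection --enable-termination-protection --stack-name orders-stack`. Note that DeletionPolicy only protects the resource; a retained table is no longer managed by the stack after deletion and must be imported or cleaned up by hand.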
