AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 901-975

1616 questions total · 22 pages · All types, answers revealed

Page 13 of 22

901
MCQ · easy

An application running on EC2 needs to access an S3 bucket. What is the most secure way to grant access?

A. Generate an IAM user access key and store it in a file on the instance
B. Use pre-signed URLs for each request
C. Make the S3 bucket public
D. Create an IAM role with S3 permissions and attach it to the EC2 instance
Answer: D

IAM roles are the secure method for granting permissions to EC2.

Why this answer

Attaching an IAM role to the EC2 instance is the most secure option because the instance obtains short-lived credentials from the instance metadata service and no long-term key is ever written to disk. Option A (an IAM user access key in a file on the instance) is a long-term credential that can be copied or leaked and has to be rotated by hand. Option C (a public bucket) exposes the data to everyone.

Option B (pre-signed URLs) grants time-limited access to individual objects and is not a mechanism for an application's ongoing access; something still needs credentials to sign the URLs. In practice, also require IMDSv2 on the instance so the role credentials cannot be read through a simple SSRF-style request to the metadata endpoint.

902
MCQ · medium

A company is using AWS Lambda to process messages from an Amazon SQS queue. The Lambda function sometimes fails to process a message due to a transient error. The company wants to automatically retry failed messages up to 3 times, with a 5-minute delay between retries. What should the company configure?

A. Configure a dead-letter queue on the Lambda function with a redrive policy that allows up to 3 retries and a 5-minute delay.
B. Use AWS Step Functions to poll the SQS queue and implement a retry loop with exponential backoff.
C. Set the Lambda function's reserved concurrency to 1 and enable the 'Retry attempts' option to 3 in the function configuration.
D. Configure the SQS queue with a delivery delay of 5 minutes and a redrive policy to move messages to a dead-letter queue after 3 receives.
Answer: A

The retry limit comes from the redrive policy's maxReceiveCount; the gap between retries is the source queue's visibility timeout. A redrive policy has no delay setting of its own.

Why this answer

Option A is the marked answer: a dead-letter queue plus a redrive policy with maxReceiveCount 3 caps the number of attempts, and a 5-minute visibility timeout on the source queue produces the 5-minute gap between attempts, because a failed batch simply becomes visible again when the timeout expires. Strictly, for an SQS event source the dead-letter queue and redrive policy are configured on the SQS queue itself; the Lambda function's own dead-letter queue setting applies only to asynchronous invocations (see question 910). Option C is wrong because the function-level retry setting also applies only to asynchronous invocations and allows at most 2 retries. Option D is wrong because a delivery delay postpones the first delivery of new messages; it does not space out redeliveries.

Option B is wrong because Step Functions polling the queue is far more machinery than the requirement needs.

903
MCQ · medium

A developer is building a web application that stores user session data in an ElastiCache Redis cluster. The cluster is in a VPC and is not publicly accessible. The developer needs to ensure that data in transit is encrypted. What should the developer do?

A. Enable encryption in transit on the ElastiCache Redis cluster.
B. Place an Application Load Balancer in front of the Redis cluster and enable TLS termination.
C. Configure the security group to only allow traffic from the application servers.
D. Use VPC peering to connect the application VPC to the ElastiCache VPC.
Answer: A

ElastiCache supports encryption in transit for Redis.

Why this answer

Option A is correct because enabling encryption in transit makes the ElastiCache for Redis cluster speak TLS, so traffic between clients and nodes (and replication traffic between nodes) is encrypted; clients must then connect with TLS enabled. Option B is wrong because an ALB only handles HTTP/HTTPS and cannot front Redis, and terminating TLS at a load balancer would leave the hop to Redis in the clear anyway. Option C is wrong because security groups filter traffic; they do not encrypt it.

Option D is wrong because VPC peering provides routing between VPCs, not encryption.

904
MCQ · medium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The deployment group has a minimum of 2 instances and a maximum of 4. The deployment configuration is CodeDeployDefault.OneAtATime. What is the most likely cause of the failure?

A. The deployment group's maximum instances is set to 4, which exceeds the number of instances in the Auto Scaling group.
B. The Auto Scaling group has only 2 instances, and one instance fails during deployment, leaving less than the required healthy instances.
C. The IAM role attached to the instances does not have sufficient permissions to download the revision from Amazon S3.
D. The revision is not properly zipped or the AppSpec file is missing.
Answer: B

Correct because the deployment configuration requires one instance at a time, and with only 2 instances, a failure reduces healthy count below threshold.

Why this answer

Option B is correct: CodeDeployDefault.OneAtATime deploys to a single instance at a time and requires every instance but one to remain healthy, so with only 2 instances in the group a single failed instance drops the healthy count below the minimum and CodeDeploy stops with this error. Option C is less likely because a missing S3 permission surfaces as a DownloadBundle failure in the instance's lifecycle events rather than as a healthy-host shortfall.

Option A is wrong because the group's maximum size is not a constraint on a deployment. Option D is wrong because a malformed bundle or missing AppSpec file fails on every instance with a specific AppSpec error.

905
Multi-Select · easy

A developer needs to encrypt data at rest in an Amazon S3 bucket. Which THREE options are available for server-side encryption?

Select 3 answers
A. SSE-C
B. Client-side encryption
C. SSE-KMS
D. SSE-S3
E. AWS CloudHSM
Answers: A, C, D

Server-side encryption means S3 encrypts each object after receiving it, using one of three key sources.

Why this answer

S3 offers three server-side encryption options: SSE-S3 (S3-managed keys, now the default for new objects), SSE-KMS (keys in AWS KMS, which adds per-key access control and CloudTrail auditing of key use), and SSE-C (a key the client supplies with every request; S3 uses it and discards it, so key management stays entirely with the client). Option B is wrong because client-side encryption happens before the data reaches S3, and option E is wrong because CloudHSM is a key-storage appliance, not an S3 encryption mode.

906
MCQ · easy

A developer needs to deploy a new version of a Lambda function that uses environment variables for database credentials. Which AWS service should be used to securely store and retrieve the credentials?

A. Amazon DynamoDB with encryption at rest
B. Amazon S3 with server-side encryption
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager securely stores and rotates credentials.

Why this answer

AWS Secrets Manager (option D) is built for database credentials: it stores them encrypted with KMS, controls access with IAM and resource policies, and can rotate them on a schedule with a rotation function. Option C (Parameter Store) can hold SecureString values but has no built-in rotation.

Option B (S3) and option A (DynamoDB) can both be encrypted at rest, but neither is a secrets store: no rotation, no secret-specific API, and every reader needs permissions on the whole bucket or table. Whichever store is used, the function should fetch the secret at runtime rather than copying it into an environment variable, which is readable by anyone allowed to view the function configuration.

907
MCQ · medium

A company is using Amazon CloudFront to serve content from an Application Load Balancer (ALB) origin. The ALB is configured as an internal load balancer in a VPC. Users are getting HTTP 502 errors when accessing the CloudFront distribution. What is the MOST likely cause?

A. The ALB has AWS WAF enabled, blocking CloudFront IP addresses.
B. The CloudFront distribution's cache behavior is set to cache all objects.
C. The ALB is not internet-facing, so CloudFront cannot reach it.
D. The CloudFront distribution is not associated with a VPN connection to the VPC.
Answer: C

CloudFront cannot reach internal ALBs.

Why this answer

Option C is correct: a classic custom origin must be reachable over the public internet, and an internal ALB has no public endpoint, so CloudFront cannot connect and returns 502. (CloudFront VPC origins, added in late 2024, can reach an internal ALB, but only when the origin is explicitly created as a VPC origin, which this distribution is not.) Option D is wrong because CloudFront has no VPN integration. Option A is wrong because a WAF block returns 403, not 502.

Option B is wrong because caching behaviour does not affect the connection to the origin.

908
MCQ · medium

A developer created the above IAM role for a Lambda function. The function needs to write logs to CloudWatch Logs. What is missing?

A. The role needs a permissions policy that grants logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.
B. The trust policy is incorrect; it should allow ec2.amazonaws.com.
C. The role name is invalid.
D. The trust policy should not allow Lambda to assume the role.
Answer: A

The role has no permissions policy.

Why this answer

The correct answer is A because Lambda functions require an IAM role with a permissions policy that explicitly allows the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` actions to write logs to CloudWatch Logs. Without these permissions, the Lambda function will fail to create log groups or streams and will be unable to send log events, resulting in missing or incomplete log output.

Exam trap

The trap here is that candidates may overlook the specific CloudWatch Logs permissions required for Lambda logging and instead focus on trust policy or naming issues, but the missing element is the permissions policy granting the necessary logging actions.

How to eliminate wrong answers

Option B is wrong because the trust policy must allow `lambda.amazonaws.com` (the Lambda service principal) to assume the role; `ec2.amazonaws.com` is the principal for EC2 instance profiles. Option C is wrong because IAM role names may use letters, digits and the characters +=,.@-_, and Lambda imposes no naming convention beyond that. Option D is wrong because the trust policy must allow Lambda to assume the role; without it the function cannot obtain temporary credentials at all, let alone write logs. Scope the log permissions to the function's own log group ARN (`arn:aws:logs:<region>:<account>:log-group:/aws/lambda/<function>:*`) rather than `*` so one function cannot write into another's log streams.

909
MCQ · easy

A developer is using AWS Elastic Beanstalk to deploy a web application. The developer needs to update the environment's configuration to use a larger instance type. What is the most efficient way to apply this change with minimal downtime?

A. Update the environment configuration through the Elastic Beanstalk console or CLI, and use a rolling update strategy to apply the change to instances in batches.
B. Perform a blue/green deployment by creating a new environment with the larger instance type, then swap the environment URLs.
C. Modify the Auto Scaling group launch configuration directly to use the larger instance type, then manually terminate each instance.
D. Terminate the current environment and create a new one with the larger instance type.
Answer: A

Rolling updates minimize downtime by updating instances one batch at a time.

Why this answer

Option A is correct because the instance type is an environment configuration setting; with rolling updates enabled, Elastic Beanstalk replaces instances in batches behind the load balancer, so capacity stays available while the change is applied. Option D is wrong because terminating and recreating the environment causes downtime. Option B is wrong because blue/green works but requires a second environment and a URL swap for what is a simple configuration change.

Option C is wrong because Elastic Beanstalk owns the Auto Scaling group; edits made directly to it are not tracked by the environment and can be overwritten on the next update.

910
MCQ · hard

A company runs a critical application on AWS Lambda that processes real-time financial transactions. The Lambda function is triggered by an SQS queue that receives messages from an API Gateway. Recently, the team has observed an increase in processing errors and occasional data loss. Upon investigation, they find that the Lambda function's concurrency limit is set to 5, and the SQS queue has a visibility timeout of 30 seconds. The function typically takes 2 seconds to process a message, but during peak hours, the queue depth grows to thousands of messages. The errors occur when the Lambda function throws an exception, causing the message to return to the queue after the visibility timeout expires. However, some messages are never processed again and are eventually lost. The team suspects that the messages are being sent to the dead-letter queue (DLQ) after multiple retries, but the DLQ is not configured. The team needs to ensure that no messages are lost and that processing errors are handled appropriately. What should the team do to resolve this issue?

A. Increase the Lambda concurrency limit to 100 and set the SQS visibility timeout to 60 seconds.
B. Configure an Amazon CloudWatch alarm on the queue depth and set a Lambda function as the on-failure destination for asynchronous invocations.
C. Change the Lambda invocation mode to synchronous and use API Gateway as a proxy to invoke the function directly.
D. Configure a dead-letter queue on the SQS source queue and set the maximum receives to 3. Implement error handling in the Lambda function to catch exceptions and log them.
Answer: D

A DLQ captures failed messages after retries, preventing data loss and allowing manual or automated reprocessing.

Why this answer

Option D is correct. A redrive policy on the source queue moves a message to the dead-letter queue once it has been received maxReceiveCount times without being deleted, so a message that keeps failing is parked for inspection and reprocessing instead of expiring from the queue at the end of the retention period, which is the silent loss the team is seeing. Catching and logging exceptions in the function supplies the error detail needed to reprocess. Option A is wrong because more concurrency and a longer visibility timeout change throughput and retry spacing but do nothing for a message that fails on every attempt. Also check that the visibility timeout is at least the function timeout (AWS recommends six times it when batching); otherwise a message can be redelivered while a previous attempt is still running, producing duplicates rather than loss.

Option C is wrong because a synchronous invocation from API Gateway discards the queue and its durability; a failed request is simply returned to the caller. Option B is wrong because on-failure destinations configured on the function apply to asynchronous invocations; an SQS-triggered function is invoked synchronously by the event source mapping, and retries are governed by the queue's visibility timeout and redrive policy.
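The retry mechanics behind questions 902 and 910, as an added example that is not part of this question bank: a small Python simulation of an SQS source queue feeding a Lambda consumer. The message bodies (txn-1 to txn-4), the failure pattern of the constructed consumer and the shortened retention period in the second scenario are assumptions made for the demo; the visibility-timeout and maxReceiveCount behaviour is the part to watch.

```python
"""Added example (not part of the question bank): a simulation of how an SQS source
queue, its visibility timeout, its redrive policy (maxReceiveCount plus a dead-letter
queue) and a Lambda consumer interact. Message bodies, failure patterns and the short
retention period in the second scenario are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    sent_at: float
    receive_count: int = 0
    visible_at: float = 0.0  # simulated time at which the message is next deliverable


@dataclass
class Outcome:
    processed: list = field(default_factory=list)      # (body, attempt, finished_at)
    dead_lettered: list = field(default_factory=list)  # moved to the DLQ by the redrive policy
    lost: list = field(default_factory=list)           # expired from the queue with no DLQ


def run_queue(bodies, handler, visibility_timeout, max_receive_count, dlq_enabled, retention):
    """Drive the queue to empty on a simulated clock (seconds) and report where each message went."""
    if visibility_timeout <= 0:
        raise ValueError("visibility timeout must be positive (and at least the function timeout)")
    now = 0.0
    queue = [Message(b, sent_at=0.0) for b in bodies]
    out = Outcome()
    while queue:
        visible = [m for m in queue if m.visible_at <= now]
        if not visible:
            now = min(m.visible_at for m in queue)  # nothing deliverable yet: advance the clock
            continue
        m = visible[0]
        if now - m.sent_at >= retention:
            # Without a DLQ this is the only exit for a message that never succeeds: SQS deletes it.
            queue.remove(m)
            out.lost.append(m.body)
            continue
        m.receive_count += 1
        if dlq_enabled and m.receive_count > max_receive_count:
            # Redrive policy: the (maxReceiveCount + 1)th receive moves the message instead of delivering it.
            queue.remove(m)
            out.dead_lettered.append(m.body)
            continue
        try:
            handler(m.body, m.receive_count)
        except Exception:
            # The function reported a failure; the message just becomes visible again after the
            # visibility timeout. That timeout is the retry delay, there is no separate setting.
            m.visible_at = now + visibility_timeout
        else:
            queue.remove(m)
            out.processed.append((m.body, m.receive_count, now))
    return out


def make_handler(transient, poison):
    """Constructed consumer: bodies in `transient` fail for the given number of attempts,
    bodies in `poison` fail every time, everything else succeeds on the first attempt."""
    def handler(body, attempt):
        if body in poison:
            raise RuntimeError(f"unrecoverable error processing {body}")
        if attempt <= transient.get(body, 0):
            raise RuntimeError(f"transient error processing {body} (attempt {attempt})")
    return handler


BODIES = ["txn-1", "txn-2", "txn-3", "txn-4"]
HANDLER = make_handler(transient={"txn-2": 1, "txn-3": 2}, poison={"txn-4"})


def with_redrive_policy():
    """Q902/Q910 configuration: 5-minute visibility timeout, maxReceiveCount 3, DLQ attached."""
    return run_queue(BODIES, HANDLER, visibility_timeout=300, max_receive_count=3,
                     dlq_enabled=True, retention=4 * 24 * 3600)


def without_redrive_policy():
    """Same queue with no DLQ and a deliberately short (constructed) 15-minute retention."""
    return run_queue(BODIES, HANDLER, visibility_timeout=300, max_receive_count=3,
                     dlq_enabled=False, retention=900)


if __name__ == "__main__":
    for name, fn in (("with DLQ", with_redrive_policy), ("without DLQ", without_redrive_policy)):
        o = fn()
        print(f"{name}: processed={o.processed} dead_lettered={o.dead_lettered} lost={o.lost}")
```

Two things the run makes visible: the 5-minute gap between attempts comes entirely from the visibility timeout (txn-3 finishes at t=600 after two failures), and without a dead-letter queue the only way a permanently failing message ever leaves the queue is retention expiry, which is the loss question 910 describes.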

911
MCQ · easy

A developer needs to securely store database credentials for a serverless application. Which AWS service should be used?

A. AWS Key Management Service (KMS)
B. Amazon DynamoDB
C. AWS Secrets Manager
D. AWS Systems Manager Parameter Store
Answer: C

Secrets Manager is built for secrets with rotation capabilities.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, rotating, and managing database credentials and other secrets throughout their lifecycle. It integrates natively with Amazon RDS, Redshift, and DocumentDB to automatically rotate credentials, and it enforces encryption at rest using AWS KMS. For a serverless application, Secrets Manager provides a simple API call (e.g., GetSecretValue) to retrieve credentials without hardcoding them in code or environment variables.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks automatic rotation and deep RDS integration) with AWS Secrets Manager, leading them to choose Parameter Store when the question explicitly requires secure storage and management of database credentials for a serverless application.

How to eliminate wrong answers

Option A is wrong because AWS Key Management Service (KMS) creates and controls encryption keys; it can encrypt a secret but does not store, rotate or serve one. Option B is wrong because Amazon DynamoDB is a general-purpose NoSQL database: storing credentials there means hand-rolled encryption, no rotation, and no secret-specific access auditing. Option D is wrong because AWS Systems Manager Parameter Store, while able to hold SecureString values, has no native rotation for database credentials (rotation requires a custom Lambda function) and lacks secret-specific features such as resource policies for cross-account access, version staging labels (AWSCURRENT/AWSPREVIOUS) and the RDS integration that Secrets Manager provides.

912
MCQ · hard

A developer is troubleshooting a deployment failure in AWS CodePipeline. The deploy stage uses the above IAM policy for the service role. The pipeline fails when trying to update the Elastic Beanstalk environment. What is the most likely cause?

A. The policy restricts the UpdateEnvironment action to a specific environment ARN, but the pipeline is updating a different environment.
B. The policy does not allow DescribeEnvironmentResources, which is required for the deployment.
C. The policy denies all actions on the environment, preventing the update.
D. The policy denies DeleteEnvironment, which is required for the update.
Answer: A

The resource ARN must match the environment being updated.

Why this answer

Option A is correct because the policy shown allows elasticbeanstalk:UpdateEnvironment only on one environment ARN; if the pipeline's deploy action targets a different environment (for example after a rename, or a new environment name in the pipeline configuration), nothing in the policy matches and the request is implicitly denied. Option D is wrong because DeleteEnvironment is denied but an update never calls it. Option B is wrong because DescribeEnvironmentResources is allowed by the policy.

Option C is wrong because the policy does not deny all actions; it scopes the allow to one resource, which is exactly the least-privilege shape you want, as long as the ARN matches the environment actually being deployed.

913
MCQ · hard

A company has a production AWS Lambda function that processes critical financial transactions. The function's code is stored in an S3 bucket. A developer accidentally deletes the S3 bucket, causing the function to fail. The developer wants to prevent this in the future by ensuring that the Lambda function can always be updated and deployed even if the original S3 bucket is deleted. What should the developer do?

A. Enable AWS CloudTrail to monitor bucket deletions.
B. Update the Lambda function code directly using the AWS CLI or SDK, and remove the dependency on S3 for future updates.
C. Set up cross-region replication to another S3 bucket.
D. Enable versioning on the S3 bucket.
Answer: B

Lambda can be updated directly, eliminating the S3 dependency.

Why this answer

Option B is correct because the function's code can be pushed directly with UpdateFunctionCode (a zip file via the CLI or SDK), which removes the dependency on that particular bucket. Option D is wrong because versioning protects objects, not the bucket itself; an emptied bucket can still be deleted. Option C is wrong because a replica bucket is still an S3 dependency in the deployment path.

Option A is wrong because CloudTrail records the DeleteBucket call after the fact; it prevents nothing. Note that Lambda keeps its own copy of the deployment package once it is uploaded, so a function that is already deployed keeps running when the source bucket disappears; what breaks is any later deployment, rollback or CloudFormation update that reads the package from the bucket again.

914
MCQ · easy

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket with a bucket policy that grants public read access. The stack creation fails with the error 'Access Denied for bucket: bucket-policy does not allow access.' The developer has full administrative permissions in AWS. The developer verifies that the bucket policy is correctly formatted. What is the most likely cause of the failure?

A. The developer does not have permissions to create S3 buckets.
B. The S3 bucket name is already in use by another account.
C. The S3 Block Public Access settings are enabled at the account level, preventing the bucket policy from granting public access.
D. The S3 bucket is encrypted with AWS KMS, and the bucket policy does not include kms:Decrypt permissions.
Answer: C

S3 Block Public Access settings override bucket policies that grant public access.

Why this answer

Option C is correct: when Block Public Access has BlockPublicPolicy enabled at the account or bucket level, S3 rejects any PutBucketPolicy call that would grant public access, so the stack fails while creating the AWS::S3::BucketPolicy resource even for an administrator. Option B is wrong because a name collision fails bucket creation with a different error. Option D is wrong because object encryption has no bearing on storing a bucket policy.

Option A is wrong because the developer has administrative permissions. Before disabling Block Public Access, confirm that the content really is meant to be world-readable; serving a bucket through CloudFront with origin access control keeps the bucket private and needs no public policy at all.

915
MCQ · easy

A company is using AWS CodePipeline to automate the deployment of a web application. The pipeline has three stages: Source (Amazon S3), Build (AWS CodeBuild), and Deploy (AWS CodeDeploy). The application is deployed to an Auto Scaling group of EC2 instances. Recently, a deployment failed because the CodeDeploy agent on one of the instances was not running. The developer wants to ensure that the CodeDeploy agent is always running on all instances. What is the MOST efficient solution?

A. Use AWS CloudTrail to monitor the CodeDeploy agent status and trigger an AWS Lambda function to restart it.
B. Configure a CloudWatch alarm to detect when the CodeDeploy agent is not running and restart it automatically.
C. Modify the Auto Scaling group's launch configuration to include a user data script that installs and starts the CodeDeploy agent.
D. Use AWS Systems Manager Run Command to run a script that checks and restarts the CodeDeploy agent on a schedule.
Answer: C

User data runs at instance launch, ensuring the agent is installed and started.

Why this answer

Option C is correct because a user data script (in the launch configuration or launch template) runs on every new instance at launch, so the agent is installed and started before CodeDeploy ever targets the instance. Option A is wrong because CloudTrail records API calls; it has no view of a process running on an instance. Option B is wrong because an alarm can only act on a metric that something first publishes, and an alarm action does not restart a process by itself.

Option D is wrong because a scheduled Run Command is reactive and adds a moving part, whereas user data fixes the problem at the source.

916
Multi-Select · hard

Which TWO actions can help reduce the cold start time for an AWS Lambda function? (Choose 2)

Select 2 answers
A. Place the Lambda function in a VPC
B. Increase the function's memory allocation
C. Use a larger deployment package with all dependencies included
D. Implement a scheduled CloudWatch Event to invoke the function every 5 minutes
E. Use provisioned concurrency to pre-warm the function
Answers: B, D

More memory provides more CPU, reducing initialization time.

Why this answer

Options B and D are correct. More memory also means proportionally more CPU, so the initialization code outside the handler runs faster. A scheduled invocation every few minutes keeps an execution environment alive so the next real request usually reuses it, although it cannot guarantee a warm environment under a burst.

Option A is wrong because attaching the function to a VPC historically added ENI creation time to the cold start (far less so since Lambda moved to shared Hyperplane ENIs) and in any case never makes it faster. Option C is wrong because a larger package takes longer to download and unpack. Option E is marked wrong in the key because provisioned concurrency does not shorten the cold start; it pre-initializes environments so that requests never experience one, which in practice is the recommended approach when cold-start latency actually matters.

917
MCQ · easy

A developer is using AWS CodePipeline to automate the deployment of a web application. The developer wants to run unit tests after the source stage and before deploying to a staging environment. Which action should the developer add to the pipeline?

A. AWS CodeBuild
B. AWS CodeCommit
C. AWS CloudFormation
D. AWS CodeDeploy
Answer: A

CodeBuild can run tests as part of the build.

Why this answer

Option A is correct because CodeBuild runs the commands in the buildspec, including unit tests, and fails the pipeline stage when they fail. Option D is wrong because CodeDeploy deploys a revision; it does not run tests. Option B is wrong because CodeCommit is a source repository.

Option C is wrong because CloudFormation provisions infrastructure.

918
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an AWS Lambda function and an Amazon API Gateway REST API. The developer runs 'sam deploy' but the deployment fails with the error: 'Error: Security Constraints Not Satisfied'. The developer checks the IAM policies and confirms that the Lambda function has the necessary permissions. What is the most likely cause?

A. The Lambda function is not configured to run inside a VPC.
B. The SAM template does not specify an S3 bucket for the deployment artifacts.
C. The API Gateway endpoint is configured with 'OPEN' access without any authorization.
D. The Lambda function's memory size is set too high.
Answer: C

SAM requires authorization for APIs.

Why this answer

Option C is correct: sam deploy in guided mode warns that a function exposed through an API Gateway event without an authorizer can be invoked by anyone, and if the prompt asking whether that is acceptable is declined the deployment stops with 'Security Constraints Not Satisfied'. Option A is wrong because SAM does not require a VPC. Option B is wrong because sam deploy creates a managed artifact bucket when none is given.

Option D is wrong because an out-of-range memory size is a template validation error, not a security constraint.

919
MCQ · medium

Refer to the exhibit. A developer created this CloudFormation template to host a static website. After deployment, the website returns 403 Forbidden errors. What is the most likely cause?

A. The bucket has versioning enabled, which blocks public access.
B. The bucket name is not unique.
C. The bucket policy does not allow public access.
D. The bucket does not have static website hosting enabled.
Answer: D

Static website hosting must be enabled for the bucket to serve content.

Why this answer

Option D is correct: the template's bucket policy allows public s3:GetObject, but the AWS::S3::Bucket resource has no WebsiteConfiguration, so requests to the website endpoint are refused; the template needs the WebsiteConfiguration property with an IndexDocument (and optionally an ErrorDocument). Option C is wrong because the policy in the exhibit does allow public reads.

Option B is wrong because a non-unique name fails at creation time, not at request time. Option A is wrong because versioning does not affect access. A 403 from the website endpoint is also what you get when Block Public Access is still enabled on the bucket or account, so check that setting as well.
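Questions 914 and 919 both depend on how S3 classifies a bucket policy as public and what Block Public Access then does with it. The following is an added example, not code from the question bank: a pre-deploy check that models that classification and the two places it bites (PutBucketPolicy being rejected, and anonymous reads being ignored). The bucket name, VPC endpoint ID and account-level settings are constructed, and the condition-key list is only a subset of the keys S3 actually treats as making a grant non-public.

```python
"""Added example (not part of the question bank): a simplified model of how S3 decides a
bucket policy grants public access and how the Block Public Access settings act on it.
Bucket name, VPC endpoint ID and settings are constructed; NON_PUBLIC_CONDITION_KEYS is a
subset of the real list."""
from fnmatch import fnmatchcase

# Condition keys that pin a grant to a known network or principal: a "Principal": "*"
# statement carrying one of these is not treated as public. (Subset of S3's real list.)
NON_PUBLIC_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def statement_is_public(stmt):
    """Allow + anonymous principal + no narrowing condition key == a public grant."""
    if stmt.get("Effect") != "Allow" or not _anonymous(stmt.get("Principal")):
        return False
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() in NON_PUBLIC_CONDITION_KEYS for k in keys):
            return False
    return True


def policy_is_public(policy):
    return any(statement_is_public(s) for s in _as_list(policy.get("Statement", [])))


def deploy_static_site(bucket_policy, block_public_access):
    """Model the two steps CloudFormation and then a browser go through.

    1. PutBucketPolicy is rejected outright when BlockPublicPolicy is on and the policy is public
       (this is the AccessDenied that fails the stack in question 914).
    2. Even a stored public policy is ignored for anonymous GETs while RestrictPublicBuckets is on
       (one of the 403 causes in question 919).
    """
    statements = _as_list(bucket_policy.get("Statement", []))
    public = policy_is_public(bucket_policy)
    if block_public_access.get("BlockPublicPolicy", False) and public:
        return {"policy_accepted": False, "anonymous_get": False,
                "error": "AccessDenied: bucket policy would grant public access"}
    anonymous_get = (
        public
        and not block_public_access.get("RestrictPublicBuckets", False)
        and any(statement_is_public(s)
                and any(fnmatchcase("s3:GetObject", a) for a in _as_list(s["Action"]))
                for s in statements)
    )
    return {"policy_accepted": True, "anonymous_get": anonymous_get, "error": None}


BUCKET = "arn:aws:s3:::www-example-site"  # constructed
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_ALL_OFF = {k: False for k in BPA_ALL_ON}

# The usual static-website policy: world-readable objects.
WEBSITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}

# Same shape but pinned to one VPC endpoint: anonymous principal, yet not public.
VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    print("website policy, BPA on  :", deploy_static_site(WEBSITE_POLICY, BPA_ALL_ON))
    print("website policy, BPA off :", deploy_static_site(WEBSITE_POLICY, BPA_ALL_OFF))
    print("vpce-only policy, BPA on:", deploy_static_site(VPCE_ONLY_POLICY, BPA_ALL_ON))
```

Running the check before a deployment tells you whether a stack that carries an AWS::S3::BucketPolicy will fail under the account's current Block Public Access settings, and the VPC-endpoint variant shows the shape of grant that passes those settings without being public.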

920
Multi-Select · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an Amazon DynamoDB table and a Lambda function that reads from the table. The developer wants to define the DynamoDB table and the Lambda function in the SAM template. Which THREE resource types should the developer include in the template? (Choose THREE.)

Select 3 answers
A. AWS::DynamoDB::Table
B. AWS::Lambda::Function
C. AWS::Serverless::DynamoDB
D. AWS::Serverless::SimpleTable
E. AWS::Serverless::Function
Answers: A, D, E

AWS::Serverless::SimpleTable is the SAM shorthand for a single-key table; AWS::DynamoDB::Table is the plain CloudFormation type with the full set of table properties.

Why this answer

Options A, D and E are correct. In a SAM template, AWS::Serverless::Function (option E) defines the Lambda function together with its event sources and policies, AWS::Serverless::SimpleTable (option D) defines a DynamoDB table with a single primary key, and AWS::DynamoDB::Table (option A) is the full CloudFormation type used when the table needs indexes, streams, TTL or other settings SimpleTable does not expose. Option C, AWS::Serverless::DynamoDB, is not a SAM resource type.

Option B, AWS::Lambda::Function, is a valid CloudFormation type and SAM accepts it, but it does not get SAM's generated execution role, event-source mappings or API resources; since the question asks for the SAM resource types, it is not one of the intended answers.

921
MCQ · hard

A developer stores database credentials in Secrets Manager. The application sometimes receives AccessDeniedException from Lambda after secret rotation. What should be checked first?

A. Whether API Gateway caching is enabled
B. Whether the Lambda execution role and KMS key policy allow access to the new secret version and key
C. Whether the VPC has exactly three subnets
D. Whether CloudFront invalidation completed
Answer: B

Rotation does not change the secret's ARN; what a new version can change is which KMS key and which permissions it depends on.

Why this answer

An AccessDeniedException right after rotation means the function can no longer read or decrypt the current version of the secret. The secret's ARN does not change on rotation (versions are distinguished by version IDs and the AWSCURRENT/AWSPREVIOUS staging labels), so a secretsmanager:GetSecretValue permission scoped to the secret ARN normally still matches; the more common culprit is the KMS side. If the secret is encrypted with a customer managed key, that key's policy (or a grant) must let the function's execution role call kms:Decrypt, typically with a kms:ViaService condition for secretsmanager.<region>.amazonaws.com, and the rotation function's own role needs kms:GenerateDataKey and kms:Decrypt on the same key to write the new version. Checking the execution role and the key policy together is the correct first step because those are the two documents that decide whether the new version is readable.

Exam trap

The trap here is that candidates may overlook the KMS key policy and focus only on the Lambda execution role, but the AccessDeniedException can also stem from the KMS key not authorizing the Lambda role to decrypt the secret, especially when using a customer-managed key.

How to eliminate wrong answers

Option A is wrong because API Gateway caching is unrelated to Lambda's ability to call Secrets Manager; caching affects API responses, not secret retrieval permissions. Option C is wrong because the number of subnets is irrelevant to secret access; a VPC-attached function needs at least one subnet (two in different AZs for resilience), but subnet count does not produce an AccessDeniedException from Secrets Manager. Option D is wrong because CloudFront invalidation is a CDN cache-clearing mechanism with no bearing on Lambda's IAM permissions or secret access.

922
MCQ · medium

The above IAM policy is attached to an IAM user. The user is unable to invoke the Lambda function 'my-function'. What is the most likely reason?

A. The Lambda function does not have a resource-based policy allowing the user to invoke it
B. The resource ARN is missing the function version or alias
C. The action 'lambda:InvokeFunction' is not sufficient; need 'lambda:*'
D. The policy version is incorrect
Answer: A

Within one account an identity-based policy that allows lambda:InvokeFunction is sufficient on its own; a resource-based policy on the function is needed for callers in another account, and an explicit deny in either policy blocks the call.

Why this answer

Option A is the marked answer, and it is the right first thing to check when the user and the function are in different accounts: a cross-account invocation needs both the caller's identity policy and a resource-based policy on the function (added with lambda:AddPermission) that names the caller, and an explicit Deny in either blocks the call. If the user and the function are in the same account, the identity policy shown is sufficient by itself and the failure points elsewhere: a missing qualifier in the resource ARN when an alias or version is invoked, or a deny coming from a permission boundary or a service control policy.

Option C is wrong because lambda:InvokeFunction is exactly the action required; lambda:* is never necessary and would be over-broad. Option B is wrong as long as the function is invoked unqualified; only an invocation of a specific version or alias needs the qualified ARN in the policy. Option D is wrong because the policy version shown is valid.
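Questions 908, 912 and 922 all turn on how IAM combines policy statements. The following is an added example, not code from the question bank: a small evaluator that models that combination (a statement must match action and resource, an explicit deny wins, and a resource-based policy is required only when the caller sits in another account) and runs the three questions' situations through it. Account IDs, ARNs, role and user names are constructed, and the model ignores Condition blocks, NotAction/NotResource, permission boundaries and SCPs.

```python
"""Added example (not from the question bank): a deliberately small model of IAM policy
evaluation covering Allow/Deny, '*' and '?' wildcards in Action and Resource, 'explicit
deny wins', and the same-account vs cross-account rule for resource-based policies.
Condition blocks, NotAction/NotResource, permission boundaries and SCPs are ignored.
All account IDs, ARNs and names are constructed."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value, fold_case=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    """Identity-based policies carry no Principal; resource-based ones must name the caller."""
    if "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    return p == "*" or (isinstance(p, dict) and _match_any(p.get("AWS", []), principal_arn))


def evaluate_policy(policy, action, resource, principal_arn):
    """One policy document -> 'Allow', 'Deny' or None (no statement matched)."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt, principal_arn):
            continue
        if not _match_any(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _match_any(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins; stop looking
        decision = "Allow"
    return decision


def is_authorized(action, resource, principal_arn, identity_policy, resource_policy=None):
    """Combine the caller's identity-based policy with the resource's own policy as IAM does.

    Same account: either policy may grant access, provided neither denies it.
    Cross account: the caller's policy AND the resource policy must both allow it.
    """
    identity = evaluate_policy(identity_policy, action, resource, principal_arn)
    resource_decision = (evaluate_policy(resource_policy, action, resource, principal_arn)
                         if resource_policy else None)
    if "Deny" in (identity, resource_decision):
        return False
    if principal_arn.split(":")[4] == resource.split(":")[4]:  # account ID field of the ARN
        return "Allow" in (identity, resource_decision)
    return identity == "Allow" and resource_decision == "Allow"


ACCOUNT, OTHER = "123456789012", "210987654321"  # constructed
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/my-function-role"
DEV_USER = f"arn:aws:iam::{ACCOUNT}:user/dev"
PARTNER = f"arn:aws:iam::{OTHER}:user/partner"
LOG_STREAM = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/my-function:log-stream:2024/01/01/abc123"
ENV_A = f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT}:environment/my-app/env-a"
ENV_B = f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT}:environment/my-app/env-b"
FUNCTION = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:my-function"

# Q908: a role that has only a trust policy grants the function's code nothing at all.
NO_PERMISSIONS = {"Version": "2012-10-17", "Statement": []}
LOGGING_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/my-function:*"}]}

# Q912: UpdateEnvironment scoped to env-a; the Deny on DeleteEnvironment never matters for an update.
PIPELINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ENV_A,
     "Action": ["elasticbeanstalk:UpdateEnvironment", "elasticbeanstalk:DescribeEnvironmentResources"]},
    {"Effect": "Deny", "Action": "elasticbeanstalk:DeleteEnvironment", "Resource": "*"}]}

# Q922: an identity policy granting InvokeFunction, and a function policy naming a partner account.
INVOKE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": FUNCTION}]}
FUNCTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION}]}


def scenarios():
    """Each entry is True when IAM would authorize the call."""
    return {
        "q908_role_without_permissions": is_authorized("logs:PutLogEvents", LOG_STREAM, LAMBDA_ROLE, NO_PERMISSIONS),
        "q908_role_with_logging": is_authorized("logs:PutLogEvents", LOG_STREAM, LAMBDA_ROLE, LOGGING_PERMISSIONS),
        "q912_update_env_a": is_authorized("elasticbeanstalk:UpdateEnvironment", ENV_A, DEV_USER, PIPELINE_POLICY),
        "q912_update_env_b": is_authorized("elasticbeanstalk:UpdateEnvironment", ENV_B, DEV_USER, PIPELINE_POLICY),
        "q922_same_account_identity_only": is_authorized("lambda:InvokeFunction", FUNCTION, DEV_USER, INVOKE_POLICY),
        "q922_cross_account_identity_only": is_authorized("lambda:InvokeFunction", FUNCTION, PARTNER, INVOKE_POLICY),
        "q922_cross_account_both": is_authorized("lambda:InvokeFunction", FUNCTION, PARTNER, INVOKE_POLICY, FUNCTION_POLICY),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'ALLOW' if ok else 'DENY'}")
```

The env-b case is the question 912 failure reproduced: nothing matches, so the result is an implicit deny with no Deny statement involved. The last three entries are the point of question 922: in-account, the identity policy alone allows the invoke; across accounts it allows nothing until the function's resource policy also names the caller.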

923
MCQ · easy

A startup is deploying a Node.js application using AWS Elastic Beanstalk. They have configured the environment to use a load-balanced, auto-scaled environment with a minimum of 2 instances and a maximum of 4. The application connects to an Amazon RDS MySQL database. After a successful deployment, users report that the application is intermittently returning errors. The developer checks the Elastic Beanstalk logs and finds that the application is timing out when connecting to the database. The developer also notices that the database connection string is hardcoded in the application code. What is the most likely cause of the intermittent errors?

A. The security group for the RDS instance does not allow inbound traffic from the Elastic Beanstalk environment's security group.
B. The RDS instance has reached its maximum number of concurrent connections because the application instances are not using connection pooling.
C. The application code has a bug that causes the database connection to be closed prematurely.
D. The RDS instance is not configured for Multi-AZ deployment, causing failover issues.
Answer: B

Hardcoded connections without pooling can exhaust RDS connections.

Why this answer

Option B is correct. Without a connection pool, every request (or every worker) opens its own connection to MySQL, and as the environment scales from 2 to 4 instances the total climbs toward the instance class's max_connections limit; new connection attempts then queue or time out, which shows up as intermittent failures under load. Option A is wrong because a security group that blocked the environment would fail every connection, not some of them.

Option D is wrong because Multi-AZ governs failover, not connection capacity. Option C is wrong because the symptom is a timeout establishing the connection, not a connection closed by application code. The hardcoded connection string is a separate problem worth fixing at the same time: move the credentials into Secrets Manager or environment properties so they can be rotated without a code change.

924
MCQ · easy

A developer wants to deploy a static website to AWS. The website consists of HTML, CSS, and JavaScript files. Which combination of services provides the most cost-effective and scalable solution?

A. Amazon S3 and Amazon CloudFront
B. Amazon Lightsail
C. Amazon EC2 and Application Load Balancer
D. AWS Elastic Beanstalk
Answer: A

S3 hosts static files, CloudFront caches globally.

Why this answer

Option A is correct: S3 stores the files and CloudFront serves them from edge locations, so there is no server to patch or scale and cost is per request and per gigabyte. Option C (EC2 behind an ALB) costs more and needs patching and scaling.

Option D (Elastic Beanstalk) provisions EC2 capacity the site does not need. Option B (Lightsail) is a fixed-size VPS and does not scale on its own. Keep the bucket private and let CloudFront read it through origin access control rather than turning on public website hosting.

925
MCQ · hard

An application running on Amazon EC2 instances in an Auto Scaling group processes messages from an SQS queue. The application runs in a private subnet and needs to send metrics to Amazon CloudWatch. How can the developer ensure the EC2 instances can send metrics without traversing the internet?

A. Attach a NAT Gateway to the private subnet and update the route table.
B. Install the CloudWatch agent on each instance and configure it to use a proxy.
C. Attach an Internet Gateway to the VPC and assign public IPs to instances.
D. Create a VPC Endpoint for CloudWatch (com.amazonaws.region.monitoring).
Answer: D

VPC Endpoint enables private connectivity to CloudWatch.

Why this answer

Option D is correct: an interface VPC endpoint for CloudWatch (com.amazonaws.<region>.monitoring) gives instances in the private subnet a private-IP path to the PutMetricData API, and its endpoint policy can further restrict which principals and actions are allowed through it. Option A is wrong because a NAT gateway routes the traffic out through the internet.

Option C is wrong for the same reason, and it also exposes the instances directly. Option B is wrong because the agent still needs a network path; a proxy only moves the problem to the proxy host.

926
Multi-Select · medium

A developer is using AWS CodeCommit as the source repository for a CI/CD pipeline. The developer wants to trigger a build automatically when changes are pushed to a specific branch. Which services can be used to achieve this? (Choose TWO.)

Select 2 answers
A. AWS CodeBuild
B. Amazon CloudWatch Events
C. AWS CodeStar
D. AWS CodeDeploy
E. AWS CodePipeline
Answers: A, E

CodePipeline's CodeCommit source action starts the pipeline on a branch change; CodeBuild is the service that then runs the build.

Why this answer

Option E is correct because CodePipeline can be configured with a CodeCommit source action that triggers on changes. Option A is correct because CodeBuild can be triggered directly by CodeCommit via webhooks. Option B is wrong because CloudWatch Events can trigger on CodeCommit events as well, but it is not a build service, even though it can be used to start CodeBuild.

The question asks for services that can achieve the trigger, and both CodePipeline and CodeBuild are valid. Option D is wrong because CodeDeploy is for deployment, not build. Option C is wrong because CodeStar is a management console, not a trigger service.

927
MCQmedium

A developer is using API Gateway to expose a Lambda function as a REST API. The API must be accessible from a web application hosted on a different domain. The developer configured CORS but the browser still shows CORS errors. What should the developer do to resolve the issue?

A.Enable CORS in API Gateway and ensure the OPTIONS method returns the required headers.
B.Configure the Lambda function to return HTTP 200 for preflight OPTIONS requests.
C.Set the Access-Control-Allow-Origin header in the Lambda function response.
D.Add the web application's domain to an API Gateway usage plan.
AnswerA

API Gateway must have CORS enabled, which automatically creates the OPTIONS method.

Why this answer

API Gateway requires explicit CORS configuration, including the OPTIONS method. Option A is correct. Option D (usage plan) is irrelevant.

Option B is not enough without enabling CORS. Option C is incorrect because Lambda does not handle CORS for API Gateway.

928
MCQmedium

A developer is deploying an application to Amazon ECS using AWS CodeDeploy with a blue/green deployment strategy. After the new task set is created, it fails health checks. The developer wants to immediately route traffic back to the original task set without waiting for CodeDeploy to complete the rollback process. Which action should the developer take?

A.Update the ECS service to set the desired count of the new task set to zero.
B.Use the CodeDeploy console to stop the deployment and then choose to reroute traffic.
C.Delete the new task set.
D.Update the Application Load Balancer listener rule to forward traffic to the original target group.
AnswerB

Correct. CodeDeploy allows you to stop the deployment and reroute traffic to the original task set.

Why this answer

Option B is correct because CodeDeploy's blue/green deployments for ECS include a built-in 'Reroute traffic' option that allows you to immediately redirect traffic back to the original task set when a deployment fails health checks. This action bypasses the normal rollback process, which would wait for the deployment to complete or for the configured rollback triggers to fire, giving the developer instant control over traffic routing.

Exam trap

The trap here is that candidates often assume deleting the new task set or scaling it to zero will automatically restore traffic, but they overlook that the ALB listener rule remains pointed at the new (now empty or deleted) target group, causing a complete outage until the listener is manually updated.

How to eliminate wrong answers

Option A is wrong because setting the desired count of the new task set to zero does not automatically reroute traffic to the original task set; the Application Load Balancer (ALB) listener rules would still point to the new target group, causing a service disruption until the listener is manually updated. Option C is wrong because deleting the new task set does not revert the ALB listener rules, so traffic would continue to be sent to the deleted target group, resulting in 503 errors. Option D is wrong because manually updating the ALB listener rule is an indirect workaround that bypasses CodeDeploy's orchestration and lifecycle hooks, potentially causing state inconsistencies and violating the deployment's intended rollback mechanism.

929
Matchingmedium

Match each AWS service to its primary use case.

Matches

Object storage

NoSQL database

Serverless compute

RESTful API creation

Message queuing

Why these pairings

These services are core to the AWS Certified Developer Associate exam.

930
MCQmedium

A company's API Gateway REST API is experiencing high latency. The API integrates with a Lambda function that queries an RDS database. The developer notices that the Lambda function's duration metric is low, but the API Gateway integration latency is high. What is the most likely cause?

A.The Lambda function has reached the concurrency limit.
B.The Lambda function is in a VPC, causing additional network hops.
C.The API Gateway cache is enabled and causing a cache miss for every request.
D.The RDS database is in a different region than the API Gateway.
AnswerB

VPC Lambda functions require an ENI, adding latency.

Why this answer

API Gateway integration latency includes network overhead and other factors. Option B is correct: if the Lambda function is in a VPC, the network traversal between API Gateway and the VPC can cause latency. Option A is wrong because the Lambda duration is low.

Option C is wrong because caching would reduce latency, not increase it. Option D is wrong because the database is not queried directly by API Gateway.

931
MCQhard

A developer is building an application that needs to read a secret API key from AWS Secrets Manager. The application runs on an EC2 instance that is part of an Auto Scaling group. The developer wants to ensure that only this application can retrieve the secret. Which set of steps should the developer take?

A.Store the secret in Secrets Manager, create an IAM user with a policy to read the secret, and embed the user's credentials in the application code
B.Store the secret in Secrets Manager, attach an IAM role to the EC2 instance that grants permission to read the secret, and configure the application to retrieve the secret using the AWS SDK
C.Store the secret as an environment variable in the EC2 user data
D.Store the secret in a configuration file on the instance and restrict file permissions
AnswerB

Correct. This follows the least privilege principle and uses temporary credentials from the instance profile, which are automatically rotated, providing a secure and scalable solution.

Why this answer

Option B is correct because it follows the principle of least privilege and uses IAM roles, which are the secure and recommended way to grant EC2 instances permissions to access AWS Secrets Manager. By attaching an IAM role to the EC2 instance, the application can securely retrieve the secret using the AWS SDK without embedding long-term credentials in code or configuration files. This ensures that only instances with that role can read the secret, and the credentials are automatically rotated by AWS.

Exam trap

The trap here is that candidates may think storing secrets in user data or configuration files is acceptable for simplicity, but the exam emphasizes secure, managed solutions like IAM roles and Secrets Manager to avoid hardcoding credentials and to enable automatic rotation.

How to eliminate wrong answers

Option A is wrong because embedding IAM user credentials in application code is a security anti-pattern; it exposes long-term static credentials that can be compromised and are difficult to rotate. Option C is wrong because storing the secret in EC2 user data is insecure; user data is visible to anyone who can describe the instance or view the console, and it does not provide access control or audit logging. Option D is wrong because storing the secret in a configuration file on the instance, even with restricted file permissions, does not protect against unauthorized access if the instance is compromised, and it lacks centralized management and rotation capabilities.

932
MCQhard

A company uses Amazon API Gateway with a Lambda integration. The API returns a 502 Bad Gateway error for some requests. The Lambda function writes logs to CloudWatch. Which steps should a developer take to troubleshoot this issue? (Select the BEST combination.)

A.Enable API Gateway detailed metrics and create a dashboard.
B.Verify the IAM role permissions for API Gateway to invoke Lambda.
C.Check the API Gateway throttling settings and request limit.
D.Increase the Lambda function timeout and review the CloudWatch logs for errors.
AnswerD

Timeout or unhandled exceptions cause 502; logs show errors.

Why this answer

Option D is correct because increasing the Lambda timeout and checking CloudWatch logs can identify whether the function is timing out or has an error. Option C is wrong because API Gateway throttling returns 429, not 502. Option B is wrong because IAM permissions would cause 403.

Option A is wrong because enabling detailed metrics helps but doesn't directly troubleshoot 502.

933
MCQhard

Refer to the exhibit. A developer in account 111111111111 tries to assume a role in account 123456789012. The error occurs. What is the MOST likely cause?

A.The role does not exist in the us-east-1 region.
B.The user does not have sts:AssumeRole permission on the target role.
C.The access keys used are expired.
D.The role ARN is incorrect.
AnswerB

User needs explicit permission.

Why this answer

Option B is correct because cross-account role assumption requires both a trust policy on the role allowing the user's account and an IAM policy granting the user sts:AssumeRole. The error indicates the user is not authorized, likely because of missing permissions on the user side (or in the trust policy). Option C is wrong because the error is AccessDenied, not an access key issue.

Option D is wrong because the role ARN is provided correctly. Option A is wrong because a region is not required for this API call.

934
MCQmedium

A company is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function processes user uploads from Amazon S3 and stores metadata in DynamoDB. The function is experiencing high latency during peak hours. Which action would MOST improve the performance without increasing the function timeout?

A.Increase the DynamoDB table's provisioned read and write capacity.
B.Increase the Lambda reserved concurrency.
C.Move the Lambda function into a VPC with a DynamoDB VPC endpoint.
D.Enable DynamoDB Accelerator (DAX) for the table.
AnswerA

Higher provisioned capacity reduces throttling and write latency, directly improving performance.

Why this answer

Option A is correct because increasing DynamoDB provisioned read/write capacity reduces throttling and latency. Option B is wrong because Lambda reserved concurrency limits throughput. Option D is wrong because DynamoDB Accelerator (DAX) is for read-heavy workloads, but the function writes metadata.

Option C is wrong because moving to a VPC adds network latency.

935
MCQhard

Refer to the exhibit. A CloudFormation stack creation failed. What is the most likely cause of the failure?

A.The IAM role's trust policy does not allow Lambda to assume the role.
B.The Lambda function name conflicts with an existing function.
C.The Lambda function code has a syntax error.
D.The Lambda execution role does not have the required permissions to write to CloudWatch Logs.
AnswerA

The trust policy must include 'lambda.amazonaws.com' as a principal.

Why this answer

The error message says the role cannot be assumed by Lambda. This is usually because the trust policy of the IAM role does not include 'lambda.amazonaws.com' as a trusted entity. Option A is correct.

Option C is wrong because the error is about the role, not the code. Option D is wrong because the error mentions the role, not permissions. Option B is wrong because the error is not about a resource conflict.

936
MCQeasy

A development team needs to deploy a containerized web application on AWS. The deployment must be automated, scalable, and minimize manual intervention. Which AWS service should the team use to orchestrate the deployment of containers across a cluster of Amazon EC2 instances?

A.AWS Lambda
B.AWS CloudFormation
C.Amazon ECS
D.Amazon S3
AnswerC

ECS orchestrates containers on EC2 instances.

Why this answer

Option C is correct because Amazon ECS is a fully managed container orchestration service that integrates with EC2 to run containers. Option D is wrong because S3 is object storage. Option A is wrong because Lambda is for serverless functions.

Option B is wrong because CloudFormation is for infrastructure as code.

937
MCQhard

A developer is designing a workflow using AWS Step Functions that includes a task to invoke an AWS Lambda function. The Lambda function sometimes times out due to long-running operations. The developer needs the workflow to wait for the Lambda function to complete asynchronously and retry on failure. Which Step Functions pattern should the developer use?

A.Use a Task state with .waitForTaskToken and have the Lambda function return the token upon completion.
B.Use a Task state that directly invokes the Lambda function synchronously.
C.Use a Parallel state to run multiple Lambda functions concurrently.
D.Use a Choice state to branch based on the Lambda function's output.
AnswerA

Allows asynchronous execution with callback.

Why this answer

Option A is correct because the Task token (.waitForTaskToken) allows the Lambda function to run asynchronously and call back with the token upon completion, enabling long-running operations. Option B is wrong because it's synchronous and tied to Lambda's timeout. Option C is wrong because it's for parallel execution.

Option D is wrong because it doesn't involve Lambda.

938
MCQhard

A company has a production environment running on AWS. The environment includes an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application is deployed using AWS CodeDeploy with a blue/green deployment strategy. Recently, the deployment started failing because the new instances do not pass the health checks configured on the ALB. The health check path is '/health'. The developer has verified that the application starts correctly and responds to the health check on the new instances when accessed directly via the instance's private IP. However, the health checks from the ALB are failing. The security group for the ALB allows inbound traffic on port 80 from 0.0.0.0/0, and the security group for the EC2 instances allows inbound traffic on port 80 from the ALB's security group. The VPC has both public and private subnets. The Auto Scaling group launches instances in private subnets. The ALB is in public subnets. What is the MOST likely cause of the health check failure?

A.The application is not listening on port 80 on the new instances.
B.The health check path is configured incorrectly in the ALB target group.
C.The ALB is not in the same VPC as the instances.
D.The network ACL on the private subnets is blocking inbound traffic from the ALB's subnets.
AnswerD

Network ACLs are stateless and can block traffic even if security groups allow it.

Why this answer

Option D is correct because the ALB's health checks originate from its own IP addresses, which are in the public subnets. The instance security group must allow traffic from the ALB's security group, which it does. However, the issue might be that the private subnets have a restrictive network ACL that blocks inbound traffic from the ALB's subnets.

Option A is wrong because the application works when accessed directly. Option B is wrong because the health check path is correct. Option C is wrong because the ALB is in public subnets and can reach private instances via NAT if needed.

939
MCQhard

A company has an S3 bucket with a policy that denies access to all users. The bucket owner wants to grant read access to a specific IAM user. What must be done?

A.Create a new bucket and copy objects there.
B.Add an Allow statement in the bucket policy for the user.
C.Remove the Deny statement from the bucket policy.
D.Add the user to the bucket ACL with read permission.
AnswerC

Removing the explicit deny allows other permissions to take effect.

Why this answer

Option C is correct because an explicit deny in a bucket policy overrides any allow. The deny must be removed or modified. Option B is wrong because the bucket policy's explicit deny overrides the added Allow statement.

Option D is wrong because ACLs are legacy and are still overridden by an explicit deny. Option A (creating a new bucket) is wrong because cross-account access is not the issue.

940
MCQhard

A developer is troubleshooting an AWS Elastic Beanstalk environment that is failing health checks. The environment runs a web application on Tomcat. The developer checks the logs and finds no errors. What is the most likely cause of the health check failure?

A.The application's health check URL is returning a non-200 status code.
B.The security group for the instances does not allow traffic from the load balancer.
C.The application is throwing exceptions that are not logged.
D.The application is listening on a port other than 80.
AnswerA

The default health check is a 200 response on the root path.

Why this answer

The most likely cause is that the application's health check URL is returning a non-200 status code. Elastic Beanstalk uses the load balancer to perform health checks against a configurable path (default: /). If the application responds with any status other than 200 OK, the load balancer marks the instance as unhealthy, even if the application logs show no errors.

This is a common misconfiguration where the health check endpoint is not implemented or returns an unexpected status.

Exam trap

The trap here is that candidates assume health check failures are always due to network or infrastructure issues (security groups, ports) rather than application-level misconfigurations like a missing or incorrect health check endpoint.

How to eliminate wrong answers

Option B is wrong because if the security group blocked traffic from the load balancer, the instances would be unreachable entirely, not just failing health checks, and the logs would likely show connection timeouts or refused connections. Option C is wrong because unlogged exceptions would still typically result in a non-200 response or an error page, which would be reflected in the health check status; the question states logs show no errors, making this unlikely. Option D is wrong because Elastic Beanstalk configures the load balancer to forward traffic to the correct port (e.g., 8080 for Tomcat), and the health check is sent to that same port; listening on a different port would cause a connection failure, not a health check failure with no errors in logs.

941
MCQhard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error message 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The developer checks the deployment logs and finds that the ApplicationStop hook failed on some instances. What is the most likely cause of this failure?

A.The ValidateService hook script is failing.
B.The BeforeInstall hook script is incorrectly configured.
C.The Auto Scaling group does not have enough capacity to perform the deployment.
D.The ApplicationStop script is not compatible with the instance operating system or is missing.
AnswerD

Incompatible or missing scripts cause hook failures.

Why this answer

Option D is correct because the ApplicationStop hook fails if the script attempts to stop a process that is not running or the script has a bug. Option B is wrong because the BeforeInstall hook runs after ApplicationStop. Option A is wrong because the ValidateService hook runs after deployment.

Option C is wrong because insufficient capacity would cause a different error.

942
MCQeasy

A developer needs to store application configuration data, such as database connection strings and third-party API keys, securely. The data must be encrypted at rest and automatically rotated. Which AWS service should the developer use?

A.Amazon S3 with server-side encryption
B.AWS Key Management Service (KMS)
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Designed for secrets with automatic rotation capability.

Why this answer

AWS Secrets Manager is designed for storing secrets with automatic rotation. Option D is correct. Option C (SSM Parameter Store) can store secrets but does not offer automatic rotation by default.

Option B (KMS) is for encryption keys. Option A (S3) is not suitable for secrets without additional complexity.

943
MCQeasy

A developer is using AWS CodeBuild to compile and test code. The build phase fails with the error: 'BUILD_FAILED: Error: No such file or directory.' What is the most likely cause?

A.The build environment has a network timeout when accessing external dependencies.
B.The buildspec.yml file references a file or directory that does not exist in the source code.
C.The IAM role for CodeBuild does not have permissions to access the source repository.
D.The build environment does not have the required environment variables set.
AnswerB

The error 'No such file or directory' indicates the build process cannot find a specified file.

Why this answer

Option B is correct because the error indicates that a file referenced in buildspec.yml does not exist, often due to an incorrect path. Options D and C are incorrect: missing environment variables cause different errors, and insufficient permissions cause access denied errors. Option A is incorrect because network timeout errors are not related to a file-not-found error.

944
MCQeasy

A developer is deploying a new version of a Lambda function using AWS CodeDeploy. The deployment fails with a 'DeploymentLimitExceeded' error. What is the most likely cause?

A.The deployment group has reached the maximum number of concurrent deployments.
B.The Lambda function has reached the maximum number of versions.
C.Another deployment is in progress for the same Lambda function.
D.The IAM role for CodeDeploy does not have sufficient permissions.
AnswerA

CodeDeploy limits concurrent deployments per deployment group.

Why this answer

AWS CodeDeploy has a limit on the number of concurrent deployments per deployment group. Option A is correct. The error indicates the limit is exceeded.

Option C is incorrect because deployment limits are per deployment group, not per function. Option B is incorrect because the error is not about version conflicts. Option D is incorrect because the error is not about IAM permissions.

945
MCQhard

A developer is using AWS Lambda with a function that processes messages from an SQS queue. The function is configured with a batch size of 10 and reserved concurrency of 5. The queue has a large backlog, and messages are being throttled, leading to retries and eventual DLQ. The function is idempotent and can handle up to 100 messages per invocation. What is the most effective way to increase throughput without increasing throttling?

A.Increase reserved concurrency to 100
B.Increase batch size to 100
C.Increase both batch size to 100 and reserved concurrency to a higher value
D.Decrease batch size to 1 and increase reserved concurrency to 50
AnswerC

Increasing batch size reduces the number of invocations, lowering throttling risk. Increasing reserved concurrency allows more invocations to run concurrently, fully utilizing the function's capacity. This combination maximizes throughput without causing excessive throttling.

Why this answer

Option C is correct because increasing both the batch size to 100 and the reserved concurrency to a higher value directly addresses the two bottlenecks: the batch size limits how many messages are processed per invocation, and reserved concurrency limits how many concurrent invocations can run. With a batch size of 10 and reserved concurrency of 5, the maximum messages processed per second is 50 (10 × 5), assuming each invocation takes 1 second. Increasing batch size to 100 allows each invocation to process more messages, reducing the number of invocations needed, while increasing reserved concurrency allows more parallel processing, together eliminating throttling without exceeding Lambda's account-level concurrency limits.

Exam trap

The trap here is that candidates often think increasing reserved concurrency alone is sufficient to handle a large backlog, but they overlook that the batch size limits how many messages are processed per invocation, and without increasing both, the function may still be throttled due to excessive invocations or hitting account-level concurrency limits.

How to eliminate wrong answers

Option A is wrong because increasing reserved concurrency alone to 100 does not address the batch size of 10, meaning each invocation still processes only 10 messages, leading to more invocations and potential throttling if the account-level concurrency limit is reached. Option B is wrong because increasing batch size to 100 alone without increasing reserved concurrency (still 5) limits the maximum concurrent invocations to 5, which may still throttle if the SQS queue has a large backlog and the function's execution time is long, as the total throughput is capped at 5 invocations × 100 messages per invocation per second. Option D is wrong because decreasing batch size to 1 drastically reduces efficiency (each invocation processes only 1 message), and increasing reserved concurrency to 50 would require 50 concurrent invocations to match the original throughput, which increases the risk of throttling due to account-level concurrency limits and does not leverage the function's ability to handle up to 100 messages per invocation.

946
MCQeasy

A developer is deploying a static website to Amazon S3. The developer wants to enable versioning to easily roll back to a previous version if the new deployment has issues. After enabling versioning on the bucket, the developer uploads the new files. How can the developer roll back to the previous version?

A.Copy the previous version of the object to the same key, making it the current version.
B.Delete the current version of the object from the bucket.
C.Use the S3 console 'Restore' action on the bucket.
D.Enable 'Show versions' and then select the previous version to make it current.
AnswerA

This replaces the current version with the previous one.

Why this answer

Option A is correct because with versioning enabled, you can restore a previous version by copying it to the same key, making it the current version. Option B is wrong because deleting the current version does not restore the previous one. Option C is wrong because there is no 'Restore' action like in RDS.

Option D is wrong because you cannot simply 'enable' a previous version; you must copy it.

947
MCQhard

A company runs a stateful web application on EC2 instances in an Auto Scaling group. Users report that their session data is lost when instances are replaced during scaling events. What is the best solution to preserve session state?

A.Use ElastiCache as a centralized session store.
B.Enable sticky sessions on the Application Load Balancer.
C.Store sessions in the Application Load Balancer.
D.Use an S3 bucket to store session data.
AnswerA

ElastiCache provides fast, durable session storage.

Why this answer

ElastiCache provides a centralized, in-memory session store that is external to the EC2 instances. This ensures session data persists independently of the instance lifecycle, so when an instance is replaced during a scaling event, the new instance can retrieve the session from ElastiCache, preserving user state. This is the best solution because it decouples session state from compute resources, aligning with the stateless application pattern recommended for Auto Scaling groups.

Exam trap

The trap here is that candidates often confuse sticky sessions (option B) with session persistence, not realizing that sticky sessions only maintain request routing to the same instance, not the session data itself when the instance is replaced.

How to eliminate wrong answers

Option B is wrong because sticky sessions (session affinity) only route a user to the same instance, but they do not preserve session data when that instance is terminated and replaced; the session is still lost. Option C is wrong because the Application Load Balancer does not store session data; it only forwards requests and can manage cookies for stickiness, but the session state itself must be stored elsewhere. Option D is wrong because S3 is an object store with higher latency and is not designed for low-latency, frequent read/write operations required for session management; it would introduce unacceptable performance overhead and is not a session store.

948
MCQeasy

A developer wants to securely store API keys for a third-party service and retrieve them at runtime in a Lambda function. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS CloudFormation
C.Amazon DynamoDB with encryption at rest
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager is purpose-built for secrets, with rotation and fine-grained access control.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, rotating, and retrieving secrets such as API keys, database credentials, and OAuth tokens at runtime. It integrates natively with AWS Lambda via the AWS SDK, allowing developers to fetch secrets with minimal latency and without hardcoding sensitive values in code. Secrets Manager also supports automatic rotation of secrets using built-in or custom Lambda functions, which is critical for maintaining security compliance.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secure strings) with AWS Secrets Manager, but the exam expects you to know that Secrets Manager is the only service that provides automatic rotation and is specifically designed for secrets management, not just parameter storage.

How to eliminate wrong answers

Option B (AWS CloudFormation) is wrong because it is an Infrastructure as Code (IaC) service for provisioning AWS resources, not a secret store; it cannot securely store or retrieve API keys at runtime. Option C (Amazon DynamoDB with encryption at rest) is wrong because while it can store encrypted data, it lacks native secret rotation, versioning, and fine-grained access control for secrets; using it for API keys would require custom encryption/decryption logic and manual rotation management. Option D (AWS Systems Manager Parameter Store) is wrong because although it can store secure strings, it does not support automatic secret rotation, and its integration with Lambda for runtime retrieval is less seamless than Secrets Manager; Parameter Store is better suited for configuration data like database URLs, not for high-security secrets like API keys.

949
MCQhard

An application uses DynamoDB Streams to trigger downstream processing. The processor must receive both old and new item images after updates. Which stream view type should be configured?

A.KEYS_ONLY
B.NEW_AND_OLD_IMAGES
C.NEW_IMAGE only
D.OLD_IMAGE only
AnswerB

Correct for the stated requirement.

Why this answer

B is correct because DynamoDB Streams must be configured with the NEW_AND_OLD_IMAGES stream view type to capture both the item's state before and after a write operation (update, insert, or delete). This ensures the downstream processor receives the complete old and new item data, which is required for use cases like auditing, change data capture, or reconciling state changes.

Exam trap

The trap here is that candidates often confuse the stream view types and assume NEW_IMAGE alone is sufficient for updates, forgetting that the requirement explicitly demands both old and new images for complete state comparison.

How to eliminate wrong answers

Option A is wrong because KEYS_ONLY captures only the key attributes of the modified item, not the full old or new images, so the processor would lack the complete item data needed for downstream logic. Option C is wrong because NEW_IMAGE only captures the item's state after the update, omitting the previous state, which fails the requirement to receive both old and new images. Option D is wrong because OLD_IMAGE only captures the item's state before the update, omitting the new state, which also fails the requirement for both images.

950
MCQ (easy)

A developer is building a REST API using API Gateway and AWS Lambda. The API must only be accessible by authenticated users who belong to a specific group within an Amazon Cognito user pool. Which API Gateway authorization mechanism should the developer use?

A. AWS IAM authorization
B. Amazon Cognito User Pool authorizer
C. Lambda authorizer
D. API key
Answer: B

A Cognito User Pool authorizer validates the JWT token and can enforce group membership via claim-based conditions, meeting the requirement exactly.

Why this answer

The Amazon Cognito User Pool authorizer is the correct choice because it directly integrates with Cognito user pools to validate JWT tokens issued by the pool. This allows the developer to restrict access to only authenticated users who belong to a specific group within the user pool, as group membership is encoded in the JWT claims.

Exam trap

The trap here is that candidates often confuse 'authentication' with 'authorization' and choose AWS IAM authorization (Option A) because they think IAM is the standard for AWS access control, but IAM does not natively integrate with Cognito user pool groups for fine-grained API access.

How to eliminate wrong answers

Option A is wrong because AWS IAM authorization uses IAM roles and policies to control access, which requires managing AWS credentials and does not natively validate Cognito user pool group membership. Option C is wrong because a Lambda authorizer (custom authorizer) can validate tokens or other logic, but it is overkill for this use case and requires additional Lambda code and maintenance; the simpler, native Cognito User Pool authorizer is preferred when the user pool is already in use. Option D is wrong because API keys are used for throttling and usage plans, not for authentication or authorization of individual users; they do not verify user identity or group membership.

951
Multi-Select (medium)

Which TWO actions should a developer take to securely store secrets (e.g., database passwords) used by a Lambda function?

Select 2 answers
A. Use AWS Secrets Manager to store and retrieve the secret at runtime.
B. Upload the secret to an S3 bucket and read it from the Lambda function.
C. Use AWS Systems Manager Parameter Store with a SecureString parameter.
D. Store the secret as an environment variable in the Lambda function.
E. Hardcode the secret in the Lambda function code.
Answers: A, C

Secrets Manager encrypts secrets and allows fine-grained access control and automatic rotation.

Why this answer

Options A and C are correct. AWS Secrets Manager can automatically rotate secrets, and the Lambda function retrieves them at runtime via API. Option D is wrong because environment variables are visible in the console and logs.

Option E is wrong because storing secrets in source code is insecure. Option B is wrong because S3 is not designed for secret management and would require additional encryption and access control.

952
MCQ (medium)

A developer is optimizing a DynamoDB table for a gaming leaderboard. The table stores player scores and is read-heavy. Queries often fetch the top 10 scores. Which indexing strategy best reduces RCU consumption?

A. Create a sparse index on player ID.
B. Use a local secondary index on score.
C. Enable DynamoDB Accelerator (DAX) for caching.
D. Create a global secondary index with score as the sort key.
Answer: D

A GSI allows efficient queries for the top scores.

Why this answer

A global secondary index (GSI) with score as the sort key allows efficient retrieval of the top 10 scores by querying the index in descending order, reading only the required items. This minimizes read capacity unit (RCU) consumption compared to scanning the base table, as each query reads exactly 10 items (or fewer) rather than consuming RCUs for a full table scan or filtering large result sets.

Exam trap

The trap here is that candidates often confuse local secondary indexes (LSIs) with global secondary indexes (GSIs), not realizing that LSIs are tied to the base table's partition key and cannot efficiently retrieve global top scores across all partitions.

How to eliminate wrong answers

Option A is wrong because a sparse index on player ID would not help retrieve top scores; it only indexes items where player ID is present, and querying by player ID does not sort by score. Option B is wrong because a local secondary index (LSI) on score is constrained to the same partition key as the base table, requiring a full partition scan to get top scores across all partitions, which consumes more RCUs. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that reduces latency and read load, but it does not change the underlying query pattern or RCU consumption for fetching top scores; the base table or index still needs to be queried, and DAX caches results after the first read, not reducing RCUs for the initial query.

953
MCQ (easy)

A developer is using AWS CodeDeploy to deploy an application to an Amazon ECS service using the Fargate launch type. The developer wants to ensure that the deployment rolls back automatically if the new task set fails health checks. Which configuration should the developer set?

A. Set the deployment type to in-place.
B. Enable rollback in the deployment group settings.
C. Set the deployment configuration to CodeDeployDefault.OneAtATime.
D. Configure CloudWatch alarms to trigger a rollback.
Answer: B

Correct. Configuring the deployment group to roll back on health check failures triggers an automatic rollback when the new task set fails health checks.

Why this answer

Option B is correct because enabling rollback in the deployment group settings allows CodeDeploy to automatically revert the deployment to the previous working task set if the new task set fails health checks. This is a native feature of CodeDeploy that monitors the health of the ECS service and triggers a rollback without manual intervention.

Exam trap

The trap here is that candidates often confuse CloudWatch alarms as the only way to trigger a rollback, but CodeDeploy's built-in rollback feature directly responds to health check failures without needing an alarm.

How to eliminate wrong answers

Option A is wrong because in-place deployments are not supported for Amazon ECS with the Fargate launch type; ECS deployments using CodeDeploy must use blue/green deployments. Option C is wrong because CodeDeployDefault.OneAtATime is a deployment configuration for Lambda or EC2/On-Premises, not for ECS; ECS deployments use a different set of configurations like CodeDeployDefault.ECSAllAtOnce. Option D is wrong because CloudWatch alarms can be configured to trigger a rollback, but they are an additional optional feature, not the primary mechanism to ensure automatic rollback on health check failure; the core requirement is enabling rollback in the deployment group settings.

954
MCQ (hard)

A developer attaches the above S3 bucket policy to my-bucket. A user tries to upload an object using HTTP (not HTTPS). What will happen?

A. The upload succeeds because the Deny effect only applies if the condition is true
B. The upload succeeds if the user also has an Allow in another policy
C. The upload is denied
D. The upload succeeds because there is no Allow statement
Answer: C

The condition triggers the Deny effect.

Why this answer

Option C is correct because the policy denies s3:PutObject if aws:SecureTransport is false. Since the request uses HTTP, SecureTransport is false, so the Deny applies and the upload fails. Option A is wrong because the condition is evaluated and holds for an HTTP request.

Option B is wrong because an explicit Deny overrides any Allow. Option D is wrong because the policy explicitly denies the request; the absence of an Allow statement is not what decides the outcome.

955
Multi-Select (medium)

A company is using AWS CloudTrail to monitor API activity. Which TWO actions are required to ensure the integrity and security of the log files?

Select 2 answers
A. Enable log file validation.
B. Enable MFA Delete on the CloudTrail S3 bucket.
C. Enable S3 bucket versioning on the CloudTrail bucket.
D. Use an S3 VPC endpoint to access the CloudTrail bucket.
E. Use server-side encryption with AWS KMS managed keys (SSE-KMS).
Answers: A, E

Log file validation provides integrity verification using digest files.

Why this answer

Options A and E are correct because enabling log file validation creates a digest file for integrity checking, and using SSE-KMS encrypts the logs at rest. Option C is wrong because CloudTrail does not have versioning. Option B is wrong because MFA Delete helps with S3 versioning, not CloudTrail.

Option D is wrong because CloudTrail does not support VPC endpoints by default; you need to set up a gateway endpoint.

956
MCQ (medium)

A developer attaches this IAM policy to a user. The user tries to upload an object to example-bucket without specifying encryption. What will happen?

A. The upload succeeds only if the object is smaller than 5 GB.
B. The upload succeeds but the object is not encrypted.
C. The upload succeeds because S3 default encryption is applied.
D. The upload fails with an access denied error.
Answer: D

The condition requires the encryption header, so the request is denied.

Why this answer

Option D is correct because the condition requires s3:x-amz-server-side-encryption to be AES256; if the header is not specified, the condition fails and the request is denied. Option C is wrong because S3 default encryption would apply, but the policy condition is still not met. Option B is wrong because the condition does not require the header to be set; it requires it to be AES256 if present.

Option A is wrong because the policy does not specify any encryption key or object size limit.

957
Multi-Select (easy)

A developer is using AWS Elastic Beanstalk to deploy a Python web application. The developer wants to run database migrations before the application starts. Which TWO methods can the developer use to achieve this? (Choose TWO.)

Select 2 answers
A. Use an AWS Lambda function that triggers on deployment.
B. Use an .ebextensions configuration file with container_commands.
C. Add a pre-deployment hook to the application source code.
D. Use a Procfile to define a web process that runs migrations before starting the application.
E. Add a cron.yaml file to schedule the migration.
Answers: B, D

container_commands run during deployment before the application starts.

Why this answer

Options B and D are correct. Option B: .ebextensions with container_commands can run commands during deployment, before the application starts. Option D: a Procfile can define a command that runs migrations as part of the web process.

Option E is wrong because cron.yaml is for scheduled tasks. Option A is wrong because an AWS Lambda function is not automatically integrated into the deployment. Option C is wrong because a pre-deployment hook in the source code is not a standard Elastic Beanstalk mechanism.

958
MCQ (hard)

A company is using AWS Step Functions to orchestrate a workflow that processes orders. The workflow includes a task that calls a Lambda function to validate the order. If the validation fails, the workflow should wait for manual approval before proceeding. What is the MOST efficient way to implement this manual approval step?

A. Publish a message to an Amazon SNS topic that triggers an email to the approver. The workflow continues after a fixed timeout.
B. Schedule a CloudWatch Events rule to trigger a Lambda function that checks for approval status in a DynamoDB table.
C. Use Amazon Cognito to manage user identities and require the approver to authenticate via a web portal.
D. Use a Step Functions activity task that sends a message to an Amazon SQS queue. The approval process polls the queue and sends a task success response with the .taskToken.
Answer: D

Step Functions activity tasks support callback tokens for manual intervention.

Why this answer

Option D is correct because Step Functions has a built-in 'Wait for Callback' pattern with .taskToken, and activity tasks can integrate with SQS to wait for manual approval. Option A is wrong because an SNS topic does not provide a callback mechanism. Option B is wrong because CloudWatch Events is for scheduling and events, not for manual approval workflows.

Option C is wrong because Cognito is for user authentication, not workflow approval.

959
MCQ (easy)

A developer is using AWS CodeCommit as a source repository and AWS CodePipeline for CI/CD. The developer wants to automatically trigger a pipeline execution when changes are pushed to the main branch. Which action should the developer take?

A. Configure CodePipeline to poll the CodeCommit repository every minute.
B. Set up a webhook in CodeCommit to notify CodePipeline on push events.
C. Create an Amazon CloudWatch Events rule that detects changes to the CodeCommit repository and triggers the pipeline.
D. Use an SNS topic to send a notification to CodePipeline when a push occurs.
Answer: C

CloudWatch Events can trigger CodePipeline on repository changes.

Why this answer

Option C is correct because configuring a CloudWatch Events rule to detect CodeCommit repository changes and trigger the pipeline is the standard method. Option A is wrong because CodePipeline does not poll repositories directly. Option B is wrong because webhooks are not supported by CodeCommit.

Option D is wrong because SNS notifications do not trigger pipelines directly.

960
MCQ (hard)

A developer is using AWS CodePipeline with a two-stage pipeline: Source (CodeCommit) and Deploy (Elastic Beanstalk). The developer wants to add a test stage that runs unit tests using AWS CodeBuild. The test stage should run only when a specific branch (development) is pushed. Which approach should the developer use?

A. Create a separate pipeline for the development branch and configure it with the test stage.
B. Add a test stage in the pipeline and configure a 'branch' filter on the source action to only trigger for the development branch.
C. Add a test stage in the pipeline and configure a 'branch' condition on the test action using a Lambda function.
D. Add a test stage in the pipeline and use a 'Manual approval' action that requires a human to verify the branch.
Answer: B

This is the recommended approach. The source action's 'Branch' field can be set to 'development', so the pipeline only executes when changes are pushed to that branch. The test stage will then run as part of that execution.

Why this answer

Option B is correct because AWS CodePipeline allows you to configure a 'branch' filter directly on the source action (CodeCommit) to restrict which branch triggers the pipeline execution. By adding a test stage with a CodeBuild action and setting the source action's 'Branch' filter to 'development', the pipeline will only run the test stage when changes are pushed to that specific branch. This is the simplest and most native approach, requiring no additional compute or manual intervention.

Exam trap

The trap here is that candidates often overcomplicate the solution by considering Lambda functions or separate pipelines, when AWS CodePipeline natively supports branch filtering directly on the source action, which is the simplest and most correct approach.

How to eliminate wrong answers

Option A is wrong because creating a separate pipeline for the development branch duplicates infrastructure and management overhead, whereas a single pipeline with a branch filter achieves the same goal more efficiently. Option C is wrong because using a Lambda function to check the branch condition on the test action is unnecessarily complex and not a native feature of CodePipeline; branch filtering is designed to be configured at the source stage, not on individual actions. Option D is wrong because a manual approval action does not automatically restrict execution to a specific branch; it only pauses the pipeline for human verification, which is not a branch-based trigger and adds unnecessary delay.

961
MCQ (medium)

A company has a REST API running on Amazon EC2 instances behind an Application Load Balancer. The API is accessed by mobile clients. The company wants to add authentication and authorization without modifying the backend code. Which AWS service should be used?

A. Amazon Cognito user pools integrated with the Application Load Balancer
B. AWS Identity and Access Management (IAM)
C. Amazon API Gateway with a Lambda authorizer
D. Amazon CloudFront with Lambda@Edge
Answer: A

Cognito user pools can be integrated with ALB to authenticate users.

Why this answer

Option A is correct because Amazon Cognito user pools integrated with an Application Load Balancer can authenticate users before requests reach the backend. Option B is wrong because IAM is for AWS service access, not end-user authentication.

Option C is wrong because API Gateway is not part of this architecture; the backend is EC2 behind an ALB. Option D is wrong because CloudFront is a CDN, not an authentication service.

962
MCQ (easy)

A developer wants to deploy a new version of an application to an EC2 Auto Scaling group using AWS CodeDeploy. The developer wants to minimize downtime and ensure that if the deployment fails, it automatically rolls back to the previous version. Which deployment type should the developer choose?

A. In-place
B. Blue/green
C. Canary
D. Linear
Answer: B

Blue/green deployments minimize downtime by routing traffic to a new set of instances and allow easy rollback by reverting traffic.

Why this answer

Blue/green deployment is the correct choice because it creates a separate, new Auto Scaling group (green) alongside the existing one (blue), allowing traffic to be shifted to the new environment after validation. This minimizes downtime by keeping the old environment fully operational during the deployment, and CodeDeploy can automatically roll back by redirecting traffic to the blue environment if the deployment fails.

Exam trap

The trap here is that candidates often confuse deployment types across compute platforms, mistakenly applying canary or linear (which are valid for Lambda/ECS) to EC2 Auto Scaling groups, where only in-place or blue/green are supported by CodeDeploy.

How to eliminate wrong answers

Option A is wrong because in-place deployment updates instances in the existing Auto Scaling group one at a time, which can cause partial downtime and does not support automatic rollback to a previous version without manual intervention or a separate rollback configuration. Option C is wrong because canary is a traffic-shifting pattern used in AWS CodeDeploy for Lambda or ECS deployments, not for EC2 Auto Scaling groups, and it does not inherently provide automatic rollback. Option D is wrong because linear is also a traffic-shifting pattern for Lambda or ECS, not applicable to EC2 Auto Scaling groups, and it lacks built-in automatic rollback behavior.

963
MCQ (medium)

A company is building a RESTful API using Amazon API Gateway and AWS Lambda. The API must allow users to authenticate using an identity provider that supports OpenID Connect (OIDC). The developer wants to offload authentication and authorization to API Gateway. Which API Gateway feature should the developer use?

A. Amazon Cognito User Pools authorizer
B. Custom Lambda authorizer
C. Native JWT authorizer (HTTP API)
D. AWS IAM authorizer
Answer: C

API Gateway HTTP APIs support JWT authorizers that can validate tokens from any OIDC identity provider.

Why this answer

Option C is correct because the Native JWT authorizer for HTTP APIs in API Gateway directly validates JSON Web Tokens (JWTs) from an OIDC-compliant identity provider without requiring custom code. This offloads both authentication and authorization to API Gateway by configuring the issuer URL and audience, matching the requirement to use an OIDC provider.

Exam trap

The trap here is that candidates often confuse the Native JWT authorizer (available only for HTTP APIs) with the Cognito User Pools authorizer (available for REST APIs), assuming any OIDC provider requires a Lambda authorizer or Cognito integration.

How to eliminate wrong answers

Option A is wrong because Amazon Cognito User Pools authorizer is a proprietary solution that requires users to authenticate through Cognito, not a generic OIDC identity provider; it does not support arbitrary OIDC providers. Option B is wrong because a Custom Lambda authorizer involves writing and managing custom code to validate tokens, which contradicts the requirement to offload authentication and authorization to API Gateway. Option D is wrong because AWS IAM authorizer uses AWS Signature Version 4 for request signing and is designed for AWS credentials, not OIDC tokens from a third-party identity provider.

964
MCQ (easy)

A company is using Amazon SQS to decouple microservices. The producer sends messages, and the consumer processes them. The consumer occasionally fails to process a message due to transient errors. What is the BEST way to ensure such messages are retried automatically?

A. Use a delay queue to postpone message processing.
B. Configure a dead-letter queue with a redrive policy on the source queue.
C. Use a FIFO queue with content-based deduplication.
D. Increase the visibility timeout to give the consumer more time.
Answer: B

A redrive policy allows automatic retries up to maxReceiveCount.

Why this answer

Option B is correct because setting a redrive policy with a dead-letter queue (DLQ) allows messages to be retried up to maxReceiveCount and then moved to the DLQ. Option A is wrong because delay queues delay all messages; they do not retry failures. Option C is wrong because FIFO queues still need a redrive policy for retries.

Option D is wrong because the visibility timeout alone does not retry on failure.

965
MCQ (hard)

A company uses AWS CodePipeline with a cross-account action that deploys to an S3 bucket in another account. The deployment fails with 'Access Denied'. The pipeline role has permissions to assume a role in the target account, and the target role has S3 putObject permissions. What additional configuration is required?

A. Add a bucket policy on the S3 bucket to allow the assumed role to put objects
B. Add a trust policy on the target IAM role to allow the pipeline role to assume it
C. Enable versioning on the S3 bucket
D. Enable KMS encryption on the S3 bucket and grant decrypt permissions
Answer: A

The S3 bucket policy must grant the assumed role (from the other account) the s3:PutObject permission.

Why this answer

Option A is correct because in a cross-account CodePipeline deployment to an S3 bucket, the pipeline role in the source account assumes a target IAM role in the destination account. While the target role has S3 putObject permissions, S3 bucket policies are evaluated separately from IAM policies. The bucket policy must explicitly grant the assumed role (or its principal) the s3:PutObject action; otherwise, the request is denied by default, even if the IAM role allows it.

Exam trap

The trap here is that candidates assume IAM role permissions alone are sufficient for cross-account S3 access, forgetting that S3 bucket policies act as an additional authorization layer that must explicitly allow the cross-account principal.

How to eliminate wrong answers

Option B is wrong because the trust policy on the target IAM role is already in place — the question states the pipeline role has permissions to assume the role in the target account, so the trust relationship is configured. Option C is wrong because enabling versioning on the S3 bucket is unrelated to access control; versioning affects object version management, not authorization. Option D is wrong because KMS encryption and decrypt permissions are only relevant if the bucket uses SSE-KMS; the question does not mention encryption, and the 'Access Denied' error is due to missing bucket policy, not encryption key issues.

966
MCQ (medium)

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses sessions stored in an ElastiCache Redis cluster. Recently, users have been experiencing session timeouts and errors. The developer notices that the Redis cluster is running out of memory. What should the developer do to resolve this issue?

A. Increase the session timeout in the application configuration.
B. Enable the 'allkeys-lru' eviction policy in the Redis parameter group.
C. Reduce the number of EC2 instances behind the load balancer.
D. Migrate from Redis to a Memcached cluster.
Answer: B

Eviction policies allow Redis to free memory by removing keys when the memory limit is reached.

Why this answer

Option B is correct because enabling an eviction policy (like allkeys-lru) allows Redis to remove the least recently used keys when memory is full, preventing out-of-memory errors. Scaling up is a longer-term solution but may not be needed if eviction is enabled.

967
Multi-Select (hard)

A Lambda function writes order records to DynamoDB after receiving API Gateway requests. Which two practices improve reliability during client retries?

Select 2 answers
A. Use an idempotency token from the request in a conditional DynamoDB write
B. Generate a new random primary key for every retry
C. Return the same result for repeated requests with the same idempotency key
D. Disable API Gateway request validation
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because using an idempotency token from the request in a conditional DynamoDB write ensures that if a client retries the same request, the Lambda function can check whether the token already exists in the table. If it does, the write is skipped, preventing duplicate order records. This pattern leverages DynamoDB's conditional writes (e.g., `attribute_not_exists(idempotencyKey)`) to guarantee exactly-once processing, which is critical for reliability during retries.

Exam trap

The trap here is that candidates may confuse idempotency with uniqueness — they might think generating a new random key (Option B) is a valid retry strategy, but it actually creates duplicates, whereas the correct approach is to reuse the same token and conditionally reject duplicates.

968
MCQ (hard)

A developer notices that an AWS Lambda function is timing out after 15 seconds. The function makes HTTP requests to an external API. How can the developer resolve this issue without changing the function code?

A. Increase the reserved concurrency
B. Increase the timeout setting of the Lambda function
C. Place the Lambda function in a VPC
D. Decrease the memory allocation of the Lambda function
Answer: B

The timeout can be increased up to 15 minutes (900 seconds).

Why this answer

Option B is correct because increasing the Lambda timeout allows the function to wait longer for the external API. Option D is wrong because reducing memory may increase execution time. Option C is wrong because placing the function in a VPC does not affect the timeout.

Option A is wrong because reserved concurrency does not affect the timeout.

969
MCQ (medium)

A company hosts a web application on EC2 instances behind an ALB. The application uses cookies to track user sessions. The security team is concerned about session hijacking. Which action should be taken to protect the cookies?

A. Enable encryption on the ALB using a custom SSL certificate.
B. Store session data in ElastiCache instead of cookies.
C. Set the Secure and HttpOnly flags on the session cookie.
D. Use AWS WAF to block requests without a valid session cookie.
Answer: C

These flags prevent cookie theft via XSS and ensure transmission over HTTPS only.

Why this answer

Setting the Secure and HttpOnly flags on the session cookie is the correct action because the Secure flag ensures the cookie is only sent over HTTPS, preventing interception via man-in-the-middle attacks, while the HttpOnly flag prevents client-side scripts (e.g., JavaScript) from accessing the cookie, mitigating cross-site scripting (XSS)-based session hijacking. This directly addresses the security team's concern by hardening the cookie against common attack vectors without requiring architectural changes.

Exam trap

The trap here is that candidates often confuse encryption of the connection (Option A) with securing the cookie itself, or they assume moving session state server-side (Option B) eliminates the need for cookie security flags, when in fact the session identifier cookie still requires Secure and HttpOnly protection.

How to eliminate wrong answers

Option A is wrong because enabling encryption on the ALB with a custom SSL certificate protects data in transit between the client and ALB, but it does not secure the cookie itself from being read by JavaScript or transmitted over non-HTTPS connections if the application sets the cookie without the Secure flag. Option B is wrong because storing session data in ElastiCache instead of cookies changes where session state is stored (server-side vs. client-side), but it does not inherently protect the session identifier cookie from hijacking; the cookie still needs Secure and HttpOnly flags to prevent interception and script access. Option D is wrong because AWS WAF can block requests based on rules, but it cannot validate the integrity or security attributes of a session cookie; it would only filter based on presence or content, not prevent hijacking if the cookie is already stolen.

970
MCQ (easy)

A company uses AWS Elastic Beanstalk to deploy a Python web application. After a recent deployment, the environment health turns 'Severe' and the application becomes unresponsive. The developer checks the logs and finds multiple '502 Bad Gateway' errors from the nginx proxy. The application was working before the deployment. What is the MOST likely cause?

A. The new application code has a bug that causes the application to crash.
B. The Procfile is missing from the application source.
C. The environment's load balancer is not configured correctly.
D. The environment variables are not set correctly.
Answer: A

A crashing application causes nginx to return 502.

Why this answer

A 502 Bad Gateway error from nginx means the reverse proxy cannot communicate with the application backend. Since the application was working before the deployment and became unresponsive immediately after, the most likely cause is a bug in the new code that causes the application process to crash or hang. Elastic Beanstalk's nginx proxy expects a healthy response from the application on the designated port; if the application fails to start or crashes repeatedly, nginx returns 502 errors.

Exam trap

The trap here is that candidates often confuse a 502 error with a load balancer misconfiguration or environment variable issue, but the key clue is that the problem started immediately after a code deployment, pointing directly to a bug in the new application code.

How to eliminate wrong answers

Option B is wrong because a missing Procfile would cause the environment to fail at the platform initialization stage, not produce intermittent 502 errors after a successful deployment. Option C is wrong because the load balancer configuration did not change between deployments; if it were misconfigured, the application would have been unhealthy before the deployment as well. Option D is wrong because environment variables are managed separately from the application source code and are not typically altered during a code deployment; incorrect variables would likely cause application logic errors, not a complete crash leading to 502 responses.

971
MCQ (hard)

A Lambda function in a VPC must retrieve secrets from Secrets Manager without traversing the public internet. Which configuration should be used?

A. A public NAT gateway only
B. An internet gateway attached to the Lambda subnet
C. A VPC peering connection to every AWS region
D. An interface VPC endpoint for Secrets Manager with appropriate security groups
Answer: D

An interface endpoint keeps the Secrets Manager call on the AWS network; with private DNS enabled the function needs no code change.

Why this answer

An interface VPC endpoint (AWS PrivateLink) for Secrets Manager gives a Lambda function attached to the VPC a private path to the service: the endpoint creates an elastic network interface with a private IP address in each chosen subnet, and traffic to it never leaves the AWS network. Three settings make it work: enable private DNS on the endpoint so that the SDK's default hostname secretsmanager.<region>.amazonaws.com resolves to the endpoint's private IPs without any code change; give the endpoint a security group that allows TCP 443 inbound from the function's security group and nothing else; and keep the function's execution role limited to secretsmanager:GetSecretValue on the specific secret ARN. An endpoint policy can additionally restrict which principals and which secrets may be reached through the endpoint.

Exam trap

The trap here is that candidates often confuse NAT gateways or internet gateways as solutions for private service access, not realizing that AWS PrivateLink endpoints are the correct mechanism to keep traffic within the AWS backbone.

How to eliminate wrong answers

Option A is wrong because a public NAT gateway only provides outbound internet access from private subnets; the request would leave the VPC through the NAT gateway and internet gateway to the service's public endpoint, so it still traverses the internet. Option B is wrong because an internet gateway attached to the Lambda subnet would route the function's traffic over the public internet, defeating the requirement and exposing the subnet. Option C is wrong because VPC peering connects VPCs with each other, within or across regions; it does not provide a path to AWS service endpoints such as Secrets Manager, and peering "every region" is not a thing a single VPC does.
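The checks in the explanation above, as an added example that is not part of the original page: a small Python audit that takes the endpoint, its security groups and the function's VPC configuration, shaped like the corresponding boto3 describe/get responses, and lists what stands between the function and a private, least-privilege path to Secrets Manager. The weak and hardened endpoint records, the security groups, the IDs and ARNs, and the audit_endpoint function are all constructed for illustration.

```python
import json

# Constructed sample data, shaped like the boto3 responses of
# ec2.describe_vpc_endpoints, ec2.describe_security_groups and
# lambda.get_function_configuration. All IDs and ARNs are made up.
LAMBDA_CFG = {
    "FunctionName": "read-db-secret",
    "Role": "arn:aws:iam::111122223333:role/read-db-secret-role",
    "VpcConfig": {"VpcId": "vpc-app", "SubnetIds": ["subnet-0a1", "subnet-0b2"],
                  "SecurityGroupIds": ["sg-lambda"]},
}

SECURITY_GROUPS = {
    # ingress from anywhere on any port
    "sg-open": {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    # ingress on TCP 443 only from the function's security group
    "sg-vpce": {"GroupId": "sg-vpce", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]},
}

WEAK_ENDPOINT = {
    "VpcEndpointId": "vpce-weak", "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
    "VpcId": "vpc-other",            # not the VPC the function is attached to
    "SubnetIds": ["subnet-0c3"], "Groups": [{"GroupId": "sg-open"}],
    "PrivateDnsEnabled": False,      # SDK keeps resolving the public hostname
    "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
}

HARDENED_ENDPOINT = {
    "VpcEndpointId": "vpce-hardened", "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
    "VpcId": "vpc-app", "SubnetIds": ["subnet-0a1", "subnet-0b2"],
    "Groups": [{"GroupId": "sg-vpce"}], "PrivateDnsEnabled": True,
    "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": LAMBDA_CFG["Role"]},
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-*"}]}),
}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _wide_open(stmt):
    """Allow statement granting any principal every action."""
    principal = stmt.get("Principal")
    return (stmt.get("Effect") == "Allow"
            and principal in ("*", {"AWS": "*"})
            and "*" in _aslist(stmt.get("Action", [])))


def _allows_443_from_group(sg, source_group):
    """True if some ingress rule covers TCP 443 with source_group as the source."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        covers_443 = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0))
        sources = {pair.get("GroupId") for pair in perm.get("UserIdGroupPairs", [])}
        if covers_443 and source_group in sources:
            return True
    return False


def _open_to_world(sg):
    return any(r.get("CidrIp") == "0.0.0.0/0"
               for perm in sg.get("IpPermissions", []) for r in perm.get("IpRanges", []))


def audit_endpoint(endpoint, security_groups, lambda_cfg):
    """Return the reasons the endpoint does not give lambda_cfg a private,
    least-privilege path to Secrets Manager (an empty list means clean)."""
    findings = []
    vpc = lambda_cfg["VpcConfig"]
    if endpoint.get("VpcEndpointType") != "Interface" or \
            not endpoint.get("ServiceName", "").endswith(".secretsmanager"):
        findings.append("not an interface endpoint for Secrets Manager")
    if endpoint.get("VpcId") != vpc["VpcId"]:
        findings.append("endpoint is in a different VPC than the function")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: secretsmanager.<region>.amazonaws.com "
                        "resolves to public IPs, so calls bypass the endpoint")
    for group in endpoint.get("Groups", []):
        sg = security_groups[group["GroupId"]]
        if _open_to_world(sg):
            findings.append(f"{sg['GroupId']} allows ingress from 0.0.0.0/0")
        if not any(_allows_443_from_group(sg, s) for s in vpc["SecurityGroupIds"]):
            findings.append(f"{sg['GroupId']} does not scope TCP 443 ingress "
                            "to the function's security group")
    statements = _aslist(json.loads(endpoint.get("PolicyDocument", "{}")).get("Statement", []))
    if any(_wide_open(s) for s in statements):
        findings.append("endpoint policy allows any principal any action")
    return findings


if __name__ == "__main__":
    for ep in (WEAK_ENDPOINT, HARDENED_ENDPOINT):
        print(ep["VpcEndpointId"], audit_endpoint(ep, SECURITY_GROUPS, LAMBDA_CFG) or "clean")
```

The private DNS finding is the one most often missed in practice: without it the endpoint exists but the SDK never uses it, and a function in a subnet with no NAT gateway simply times out on the public hostname. The execution role still needs its own secretsmanager:GetSecretValue grant; the endpoint policy only narrows what can pass through the endpoint.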

972
MCQhard

A company is using AWS CodeDeploy with an in-place deployment to an Auto Scaling group. The deployment fails with the error 'Deployment failed because the deployment group does not have enough instances to deploy to'. The Auto Scaling group has a minimum size of 2, maximum size of 5, and desired capacity of 2. The deployment configuration is CodeDeployDefault.AllAtOnce. What is the most likely cause?

A.The Auto Scaling group needs to have at least 3 instances to use AllAtOnce.
B.The deployment configuration is not compatible with Auto Scaling groups.
C.The instances in the Auto Scaling group are not passing health checks.
D.The deployment group has only 2 instances, and the deployment failed on one instance, causing the minimum healthy hosts threshold to be violated.
AnswerD

With AllAtOnce every instance is deployed to at the same time, so a two-instance group has no slack; instance-level failures during the deployment are what the "not enough instances" message is reporting.

Why this answer

The error 'Deployment failed because the deployment group does not have enough instances to deploy to' is reported when the number of healthy instances available to the deployment falls below what the deployment configuration needs, not when the Auto Scaling group is simply too small. CodeDeployDefault.AllAtOnce sets the minimum healthy hosts threshold to 0, so CodeDeploy takes every instance offline at once; the overall deployment is reported Succeeded when the revision reaches at least one instance and Failed only when it reaches none. With a desired capacity of 2 there is no headroom: failures on the individual instances during the deployment leave it without enough healthy instances to complete on, which is what the message is describing.

The message is misleading because it reads like a sizing problem. The place to look is the deployment's per-instance events, which show which lifecycle event failed on which instance.

Exam trap

The trap here is that candidates misinterpret the error message 'does not have enough instances' as a sizing or configuration issue, when it actually indicates that the deployment failed on one or more instances, reducing the healthy instance count below what is needed to complete the deployment.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce does not require a minimum of 3 instances; it deploys to all instances simultaneously with a minimum healthy hosts threshold of 0, so it works with any group size as long as the revision reaches at least one instance. Option B is wrong because CodeDeployDefault.AllAtOnce is fully compatible with Auto Scaling groups; in-place deployments to Auto Scaling groups are a standard use case for CodeDeploy. Option C is wrong because the error message reports a shortfall of deployable instances, not an Auto Scaling or load balancer health check result; instances that fail those checks are replaced by the group, which is a separate mechanism from the deployment's own per-instance outcome.
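As a check on what CodeDeployDefault.AllAtOnce and the other built-in configurations actually tolerate, here is an added Python model of the minimum-healthy-hosts rules (example code written for this page, not a CodeDeploy component): it turns a configuration into a threshold and replays per-instance outcomes the way CodeDeploy applies the threshold. The function names and the outcome lists are constructed; the rules encoded are the documented ones (a percentage is converted to an instance count at the start with fractions rounded up, an instance is unhealthy while being deployed to and stays unhealthy after failing, and the overall result needs the revision on at least one instance).

```python
import math


def min_healthy_hosts(total, kind, value):
    """Instances that must stay healthy throughout the deployment.
    kind is HOST_COUNT (absolute) or FLEET_PERCENT; CodeDeploy converts a
    percentage to an instance count at the start and rounds fractions up."""
    if kind == "FLEET_PERCENT":
        return math.ceil(total * value / 100)
    if kind == "HOST_COUNT":
        return value
    raise ValueError(f"unknown MinimumHealthyHosts type {kind!r}")


def threshold_for(config_name, total):
    """Minimum healthy hosts implied by the built-in EC2/On-Premises configurations."""
    if config_name == "CodeDeployDefault.AllAtOnce":
        return min_healthy_hosts(total, "FLEET_PERCENT", 0)
    if config_name == "CodeDeployDefault.HalfAtATime":
        return min_healthy_hosts(total, "FLEET_PERCENT", 50)
    if config_name == "CodeDeployDefault.OneAtATime":
        return max(total - 1, 0)          # all but one instance must stay healthy
    raise KeyError(config_name)


def simulate(min_healthy, outcomes):
    """Replay an in-place deployment. outcomes lists, in deployment order,
    whether each instance's deployment succeeded (constructed input).
    An instance is unhealthy while it is being deployed to and stays
    unhealthy if it fails; CodeDeploy takes as many instances offline as the
    threshold permits; the overall result is Failed if the threshold cannot be
    honoured for the remaining instances or if no instance got the revision."""
    total = len(outcomes)
    healthy, installed, i = total, 0, 0
    while i < total:
        room = healthy - min_healthy          # how many may go offline now
        if room <= 0:
            return "Failed"                   # continuing would breach the threshold
        batch = outcomes[i:i + room]
        healthy -= len(batch)
        for ok in batch:
            if ok:
                healthy += 1
                installed += 1
        i += len(batch)
    return "Succeeded" if installed else "Failed"


def deployment_status(config_name, outcomes):
    return simulate(threshold_for(config_name, len(outcomes)), outcomes)


if __name__ == "__main__":
    # Two-instance group from the question under AllAtOnce
    for outcomes in ([True, False], [False, False]):
        print("AllAtOnce", outcomes, deployment_status("CodeDeployDefault.AllAtOnce", outcomes))
    # OneAtATime: a failure on any instance but the last one aborts the deployment
    print("OneAtATime", deployment_status("CodeDeployDefault.OneAtATime", [False, True, True]))
    print("OneAtATime", deployment_status("CodeDeployDefault.OneAtATime", [True, True, False]))
```

Running it shows that with AllAtOnce a single failure out of two instances still reports Succeeded, and only a deployment that reaches no instance fails; the OneAtATime cases show why a failure on the last instance is tolerated while an earlier one is not (taking the next instance offline would breach the threshold). Whatever the message says, the per-instance events tell you which instances failed and why.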

973
MCQmedium

A developer is using AWS AppSync to build a GraphQL API. The API needs to allow clients to receive real-time updates when data changes in a DynamoDB table. Which AppSync feature should the developer use?

A.Resolvers
B.Subscriptions
C.Queries
D.Mutations
AnswerB

Subscriptions enable real-time notifications: when a mutation is performed through the API, subscribed clients receive the updated data over a WebSocket connection.

Why this answer

Subscriptions in AWS AppSync are the feature designed for real-time updates. Clients open a WebSocket connection, and AppSync pushes data to them whenever a mutation they are subscribed to completes against the underlying data source, such as a DynamoDB table. By binding a subscription to one or more mutations, the developer lets clients receive live changes without polling. The trigger is the mutation going through AppSync, not the table write itself: changes made to the DynamoDB table directly (for example by another service) do not fire subscriptions unless something calls a mutation on the API for them.

Exam trap

The trap here is that candidates often confuse mutations (which trigger the update) with subscriptions (which deliver the update), leading them to select 'Mutations' instead of 'Subscriptions'.

How to eliminate wrong answers

Option A is wrong because resolvers are functions that map GraphQL operations (queries, mutations, subscriptions) to data sources like DynamoDB; they do not themselves provide real-time push capabilities. Option C is wrong because queries are request-response operations that fetch data on demand, not real-time updates. Option D is wrong because mutations are write operations that modify data; while they can trigger subscriptions, they are not the mechanism for delivering real-time updates to clients.

974
MCQmedium

A developer is using AWS CodeBuild to build a Java application. The build succeeds locally but fails in CodeBuild with the error 'BUILD FAILED: Unable to find a Java installation.' The buildspec.yml file includes a 'runtime-versions' section specifying Java 11. The CodeBuild project uses the 'aws/codebuild/amazonlinux2-x86_64-standard:4.0' image. What is the MOST likely cause of the failure?

A.The runtime-versions section in buildspec.yml is not correctly formatted.
B.The CodeBuild project does not have sufficient permissions to download Java.
C.The buildspec.yml file is not in the root of the source directory.
D.The build commands reference a non-existent Maven dependency.
AnswerA

A runtime-versions entry that CodeBuild does not act on means the Java runtime is never installed into the build container.

Why this answer

The error 'Unable to find a Java installation' indicates that no Java runtime is present in the build container. CodeBuild's managed standard images ship several runtimes, but a runtime is only installed when it is declared under phases.install.runtime-versions in buildspec.yml (buildspec version 0.2), using the runtime name CodeBuild publishes for that image; on the Amazon Linux 2 standard images Java is identified as corretto8, corretto11 and so on. The most likely cause is therefore a runtime-versions block that does not take effect, for example one nested in the wrong place or one that names a runtime the image does not recognise (java: 11 rather than java: corretto11), so the build proceeds without a Java installation.

Exam trap

The trap here is that candidates assume 'java: 11' is a valid runtime identifier. CodeBuild expects the runtime name it publishes for the image (corretto8, corretto11 and later Corretto releases on the Amazon Linux 2 standard images; the openjdk8/openjdk11 names belong to the older Ubuntu standard images), and a runtime-versions entry that does not take effect leaves the build without Java rather than failing buildspec validation.

How to eliminate wrong answers

Option B is wrong because CodeBuild managed images already include the necessary package repositories and permissions to download and install runtimes specified in 'runtime-versions'; insufficient permissions would cause a different error (e.g., access denied to S3 artifacts). Option C is wrong because if the buildspec.yml were not in the root directory, CodeBuild would fail with a 'buildspec.yml not found' error, not a Java installation error. Option D is wrong because a non-existent Maven dependency would produce a Maven build error (e.g., 'Could not resolve dependency'), not a missing Java installation error.

975
MCQeasy

A developer needs to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. Which approach is the most secure?

A.Create an IAM role in Account A with a trust policy allowing the user from Account B to assume it.
B.Share the access keys of an IAM user in Account A with the user in Account B.
C.Add a bucket policy in Account A that grants access to the user in Account B, and attach an IAM policy to the user in Account B allowing the S3 actions.
D.Attach an IAM policy to the user in Account B that grants access to the S3 bucket.
AnswerC

This uses a resource-based policy (bucket policy) and IAM policy, following least privilege.

Why this answer

Option C is the most secure because it combines a resource-based bucket policy in Account A that explicitly names the Account B user as Principal with an identity-based policy attached to that user in Account B. For cross-account access both sides must allow the request: the owning account must grant the external principal, and the principal's own account must permit the action; either side can cut the access off, and no long-term credentials change hands. Keep both policies tight: list only the S3 actions needed, scope Resource to the bucket ARN and the prefix required, and name the specific user or role ARN rather than the whole account. If Account B will also write objects, set the bucket's Object Ownership to 'Bucket owner enforced' so that objects stay owned by Account A and ACLs are out of the picture.

Exam trap

The trap here is that candidates often assume an IAM policy in the target account alone is sufficient for cross-account S3 access, forgetting that the owning account must explicitly allow the access via a resource-based policy like a bucket policy.

How to eliminate wrong answers

Option A is a valid and widely used cross-account pattern (the user assumes a role in Account A and receives temporary credentials), but the question asks for the user in Account B to reach the bucket directly; the bucket-policy plus identity-policy pair does that without an extra role hop, so A is not the answer sought here. Option B is wrong because sharing the access keys of an IAM user in Account A with a user in Account B exposes long-term credentials, defeats accountability and makes leakage and unauthorized use far more likely. Option D is wrong because an IAM policy on the user in Account B alone cannot grant access to a bucket in Account A; the owning account must grant the external principal through its bucket policy (ACLs are disabled by default on new buckets and are not the recommended mechanism).
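The dual-policy rule in the explanation above, as an added example that is not from the original page: a deliberately small Python evaluator that applies a bucket policy from Account A and an identity policy from Account B to one request and returns whether cross-account access is allowed. The account IDs, the user and bucket ARNs and both policy documents are constructed for illustration; Condition blocks, NotAction/NotResource/NotPrincipal, SCPs and permissions boundaries are left out, so treat it as a model of the rule rather than a replacement for the IAM policy simulator.

```python
import fnmatch

ANALYST = "arn:aws:iam::444455556666:user/analyst"   # Account B user (made up)
BUCKET = "arn:aws:s3:::acct-a-reports"               # Account A bucket (made up)

# Resource-based policy attached to the bucket in Account A (constructed).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadForAccountBAnalyst", "Effect": "Allow",
         "Principal": {"AWS": ANALYST},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "NeverDeleteFromOutside", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
    ],
}

# Identity-based policy attached to the analyst user in Account B (constructed).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
         "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

NO_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt, principal_arn):
    """Resource-policy Principal check: the exact ARN, the caller's whole
    account (bare ID or account root ARN, which delegates to that account's
    own IAM policies) or '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = principal_arn.split(":")[4]
    accepted = {"*", principal_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _aslist(principal.get("AWS", [])))


def evaluate(policy, action, resource, principal_arn=None):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (no match).
    Pass principal_arn for a resource-based policy; identity policies carry no
    Principal element."""
    decision = "Implicit"
    for stmt in _aslist(policy.get("Statement", [])):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not any(_matches(a.lower(), action.lower()) for a in _aslist(stmt.get("Action", []))):
            continue                      # action names are case-insensitive
        if not any(_matches(r, resource) for r in _aslist(stmt.get("Resource", []))):
            continue                      # ARNs are case-sensitive
        if stmt.get("Effect") == "Deny":
            return "Deny"                 # an explicit deny ends the evaluation
        decision = "Allow"
    return decision


def cross_account_allowed(bucket_policy, identity_policy, principal_arn, action, resource):
    """Cross-account rule: an explicit Deny in either policy wins; otherwise the
    owning account's bucket policy AND the caller's identity policy must both Allow."""
    owner = evaluate(bucket_policy, action, resource, principal_arn)
    caller = evaluate(identity_policy, action, resource)
    return owner == "Allow" and caller == "Allow"


if __name__ == "__main__":
    key = BUCKET + "/2024/q1.csv"
    print("read with both policies:", cross_account_allowed(BUCKET_POLICY, IDENTITY_POLICY, ANALYST, "s3:GetObject", key))
    print("read with identity policy only:", cross_account_allowed(NO_BUCKET_POLICY, IDENTITY_POLICY, ANALYST, "s3:GetObject", key))
    print("delete (denied by owner):", cross_account_allowed(BUCKET_POLICY, IDENTITY_POLICY, ANALYST, "s3:DeleteObject", key))
```

The second case is option D: Account B can grant its user whatever it likes, but without a matching grant in Account A's bucket policy the request is implicitly denied. The third case shows why the owning account's Deny is the stronger control: Account B's identity policy allows s3:DeleteObject, and it makes no difference.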
