AWS Certified Developer Associate (DVA-C02) — Questions 1051 to 1125

1616 questions total · 22pages · All types, answers revealed

Page 15 of 22
1051
MCQeasy

A developer needs to store application configuration data that can be read by multiple EC2 instances. The data is less than 1 KB and changes frequently. Which AWS service is BEST suited for this?

A.Amazon S3
B.AWS Systems Manager Parameter Store
C.AWS AppConfig
D.Amazon DynamoDB
AnswerC

AppConfig is designed for application configuration with frequent updates.

Why this answer

Option C is correct because AWS AppConfig is built for application configuration that changes often: it validates a new configuration before release, rolls it out gradually, and rolls it back automatically if a CloudWatch alarm fires during the deployment, which is what you want for data that many instances read and that changes frequently. Option A is wrong because S3 is object storage; instances would have to poll for changes and get no validation or staged rollout. Option B is wrong because Parameter Store can hold the values (and AppConfig can use it as a configuration source), but on its own it offers no deployment strategy or rollback. Option D is wrong because DynamoDB is a database; it is more capacity and operational surface than a sub-kilobyte configuration needs.

1052
MCQhard

A company uses AWS CodeBuild to compile and package code, and AWS CodePipeline to orchestrate deployments to Amazon ECS. The pipeline includes a manual approval step. During a recent deployment, the build succeeded but the pipeline failed at the deploy stage with the error 'CannotPullContainerError: manifest for image:tag not found'. The ECS task definition references the image:tag. What is the most likely cause?

A.The CodeBuild project does not have permissions to push to Amazon ECR.
B.The ECS cluster does not have internet access to pull the image from ECR.
C.The image tag used is 'latest', and a subsequent build pushed a new 'latest' image, overwriting the original before the manual approval was granted.
D.The task definition references an incorrect image name.
AnswerC

Correct because manual approval delays deployment, and 'latest' tag is mutable.

Why this answer

Option C is correct: the manual approval step delays the deploy stage, and `latest` is a mutable tag. If another build pushes a new image as `latest` while the approval is pending, the tag no longer points at the image that was built and tested; the original image becomes untagged and, with an ECR lifecycle rule that expires untagged images, can be deleted, so ECS cannot pull the manifest the task definition expects. Option A is wrong because the build succeeded, and the push is part of the build. Option B is wrong because a networking problem surfaces as a connection or timeout error, not a missing manifest. Option D is wrong because the task definition reference was correct when it was created; it is the tag's target that changed.

The practical fix is to tag each build uniquely (commit SHA or build number), turn on tag immutability for the repository, or reference the image by digest in the task definition so the artifact that was approved is the one that deploys.

1053
MCQmedium

A company is deploying a microservices application on Amazon ECS using the Fargate launch type. The application includes a service that must process messages from an Amazon SQS queue. The developer wants to ensure that the service scales based on the number of messages in the queue. Which scaling solution should the developer implement?

A.Configure DynamoDB auto scaling to adjust read capacity based on queue depth.
B.Use Amazon ECS Service Auto Scaling with a target tracking scaling policy based on the SQS queue backlog per task.
C.Configure AWS Lambda with reserved concurrency and trigger it from the SQS queue.
D.Use Application Auto Scaling with a scheduled scaling policy to increase the number of tasks during peak hours.
AnswerB

This allows dynamic scaling based on queue depth.

Why this answer

Option B is correct because ECS Service Auto Scaling with a target tracking policy on a backlog-per-task metric (ApproximateNumberOfMessagesVisible divided by the number of running tasks, published as a custom CloudWatch metric) adjusts the desired task count as the queue grows and drains. Option A is wrong because DynamoDB auto scaling adjusts table throughput, not ECS tasks. Option C is wrong because Lambda reserved concurrency caps Lambda executions and does nothing for ECS tasks. Option D is wrong because a scheduled policy adds tasks at fixed times regardless of the actual queue depth.

1054
Multi-Selectmedium

A developer is deploying an application on Amazon ECS using Fargate. The application needs to securely access an Amazon RDS database. The developer wants to avoid hardcoding database credentials in the application code. Which THREE actions should the developer take to meet these requirements? (Choose THREE.)

Select 3 answers
A.Hardcode the credentials in the application code and encrypt the code using AWS KMS.
B.Store the database credentials in AWS Systems Manager Parameter Store or AWS Secrets Manager.
C.Reference the secrets in the task definition as environment variables using the 'secrets' parameter.
D.Grant the ECS task execution role permission to read the secrets from Parameter Store or Secrets Manager.
E.Store the credentials in Amazon Elastic Container Registry (ECR) as a tag.
AnswersB, C, D

Parameter Store or Secrets Manager can securely store secrets and be retrieved by the application.

Why this answer

Options B, C, and D are correct. Option B: Secrets Manager (or a Parameter Store SecureString) holds the credentials outside the code and the image; Secrets Manager can also rotate them. Option C: the task definition's `secrets` parameter names the secret's ARN in `valueFrom`, and ECS injects the value as an environment variable when the container starts, so it never appears in the image or in the task definition. Option D: the ECS agent fetches those values with the task execution role, which therefore needs secretsmanager:GetSecretValue or ssm:GetParameters on the specific ARNs (plus kms:Decrypt if a customer managed key encrypts them); this is the execution role, not the task role the application itself uses.

Option A is wrong because encrypting the code does not help: the credentials are still in the artifact and in memory as plain text, and anyone who can deploy the code can read them. Option E is wrong because ECR image tags are labels for image versions, visible to anyone with read access to the repository, and are not a secret store.
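The following is an added example, not code from the original page: a constructed Fargate task definition that injects the database password through `secrets`, the constructed IAM policy attached to its execution role, and a small check that flags credential-looking plain environment variables, secrets the execution role cannot read, and a task definition that reuses the execution role as the task role. Account ID, ARNs, role names and the image digest are placeholders; the resource matching approximates IAM's `*` wildcard with fnmatch.

```python
"""Check an ECS task definition for hardcoded credentials and confirm the
execution role can read every secret it references.

Added example; the task definition, ARNs, account ID and policy are constructed.
"""
import fnmatch
import json
import re

# Constructed task definition: DB_PASSWORD and a signing key come from
# Secrets Manager / Parameter Store via `secrets`, not from `environment`.
TASK_DEFINITION = {
    "family": "orders-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::123456789012:role/orders-api-execution",
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-api-task",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api@sha256:" + "0" * 64,
            "environment": [
                {"name": "DB_HOST", "value": "orders.cluster-abc.us-east-1.rds.amazonaws.com"},
                {"name": "DB_USER", "value": "app"},
            ],
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/db-AbCdEf"},
                {"name": "API_SIGNING_KEY",
                 "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/orders/signing-key"},
            ],
        }
    ],
}

# Constructed policy on the execution role (the role the ECS agent uses to pull
# the image and fetch secrets; the task role is what the application uses).
# Add kms:Decrypt on the key if a customer managed KMS key encrypts the secrets.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/*"]},
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": ["arn:aws:ssm:us-east-1:123456789012:parameter/prod/orders/*"]},
    ],
}

# Names that usually mean "this is a credential"; one of these as a plain
# environment variable is a finding.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

# API the ECS agent calls for each kind of `valueFrom` ARN.
REQUIRED_ACTION = {"secretsmanager": "secretsmanager:GetSecretValue", "ssm": "ssm:GetParameters"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_resources(policy, action):
    """Resource patterns the policy allows for `action` (IAM `*` approximated with fnmatch)."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            patterns.extend(_as_list(stmt["Resource"]))
    return patterns


def check_task_definition(task_def, execution_policy):
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if task_def.get("executionRoleArn") == task_def.get("taskRoleArn"):
        findings.append("execution role and task role should be separate roles")
    for container in task_def["containerDefinitions"]:
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{container['name']}: {env['name']} is a plain environment variable; move it to `secrets`")
        for secret in container.get("secrets", []):
            arn = secret["valueFrom"]
            service = arn.split(":")[2] if arn.startswith("arn:") else ""
            action = REQUIRED_ACTION.get(service)
            if action is None:
                findings.append(f"{container['name']}: {secret['name']} has an unrecognised valueFrom {arn}")
            elif not any(fnmatch.fnmatchcase(arn, p) for p in allowed_resources(execution_policy, action)):
                findings.append(f"{container['name']}: execution role cannot {action} on {arn}")
    return findings


if __name__ == "__main__":
    print(json.dumps(check_task_definition(TASK_DEFINITION, EXECUTION_ROLE_POLICY), indent=2))
```

The image is referenced by digest rather than by a mutable tag, which is the same point made for question 1052 above; a definition that passes this check still needs the task role (question 1076 below) scoped to only what the application calls.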

1055
MCQmedium

A DynamoDB application receives ProvisionedThroughputExceededException during predictable daily peaks. The workload is not cacheable. What should be changed?

A.Enable S3 Transfer Acceleration
B.Use on-demand capacity or configure autoscaling/scheduled scaling for the table
C.Disable CloudWatch metrics
D.Move all reads to strongly consistent mode
AnswerB

Correct for the stated requirement.

Why this answer

The ProvisionedThroughputExceededException indicates that the table's read/write capacity is insufficient during peak loads. Since the workload is predictable but not cacheable, the correct solution is to either switch to on-demand capacity mode, which automatically scales to handle any traffic level, or configure auto scaling with scheduled scaling to match the predictable peaks. This directly addresses the capacity shortfall without requiring application changes.

Exam trap

The trap here is that candidates may think disabling CloudWatch metrics reduces overhead or that strongly consistent reads improve reliability, but both actions either remove monitoring or increase capacity consumption, making the throttling worse.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature for speeding up uploads to S3 over long distances, not for DynamoDB throughput issues. Option C is wrong because disabling CloudWatch metrics would remove visibility into table performance and prevent monitoring of throttling events, making troubleshooting harder. Option D is wrong because strongly consistent reads consume more read capacity units than eventually consistent reads, which would worsen the throughput problem instead of solving it.

1056
MCQhard

A company uses Amazon DynamoDB as a session store for a web application. The application recently experienced a spike in traffic, causing increased read latency. The DynamoDB table has a read capacity of 5000 RCUs and uses eventual consistent reads. The application performs many GetItem calls. What should a developer do to improve read performance with minimal cost?

A.Enable DynamoDB Accelerator (DAX) for the table
B.Increase the read capacity to 10000 RCUs
C.Configure DynamoDB global tables for the application
D.Enable DynamoDB Streams and process updates asynchronously
AnswerA

DAX provides an in-memory cache that reduces read latency.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) is a fully managed in-memory cache in front of the table that serves repeated GetItem reads in microseconds rather than single-digit milliseconds, without changing the data model; session lookups by key are exactly the read pattern it is built for. The question's use of eventually consistent reads matters: DAX serves eventually consistent reads only and passes strongly consistent reads through to the table. Option B is wrong because doubling RCUs doubles the provisioned-capacity bill and addresses throughput, not latency. Option C is wrong because global tables replicate data across Regions for availability, not for faster reads in one Region.

Option D is wrong because DynamoDB Streams capture item changes for downstream processing and have no effect on read latency.

1057
MCQeasy

A developer is building a CI/CD pipeline using AWS CodePipeline. The source stage is an Amazon S3 bucket. The developer wants to automatically start the pipeline when a new file is uploaded to the S3 bucket. What should the developer do?

A.Configure the S3 bucket to send events to an SQS queue, and poll the queue from CodePipeline.
B.Create an Amazon CloudWatch Events rule that triggers on S3 object creation events and targets the pipeline.
C.Set up a periodic Lambda function that checks the S3 bucket for new files and starts the pipeline.
D.Configure the S3 bucket to send events to an SNS topic, and subscribe CodePipeline to the topic.
AnswerB

CloudWatch Events (EventBridge) can capture S3 events and start the pipeline automatically.

Why this answer

Option B is correct because CodePipeline starts an S3-sourced pipeline through an Amazon EventBridge rule (formerly CloudWatch Events) that matches object-creation events on the bucket and has the pipeline as its target. The rule only receives those events if the bucket publishes them: enable EventBridge notifications on the bucket, or keep a CloudTrail trail that logs data events for it. Option A is wrong because CodePipeline has no SQS source and cannot poll a queue. Option C is wrong because a polling Lambda function adds latency and cost where an event-driven trigger is available.

Option D is wrong because CodePipeline is not an SNS subscriber; an SNS notification would need an intermediary to call StartPipelineExecution.
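As an added example, not code from the original page, here is the event pattern such a rule would carry, its pipeline target, and a small matcher that shows which constructed S3 events would start the pipeline. The bucket name, key prefix, pipeline ARN and role ARN are placeholders; the matching rules implemented (every key in the pattern must exist in the event, leaf values are lists of acceptable values, a `prefix` object is a content filter) follow EventBridge's semantics for simple patterns, and other content filters such as `anything-but` are not modelled.

```python
"""Event pattern matching for the rule that starts a pipeline on S3 object creation.

Added example; bucket, key prefix, ARNs and sample events are constructed.
"""

# Constructed rule: fire only for Object Created events on one bucket, under
# one key prefix. The bucket must publish to EventBridge for the rule to see
# anything (EventBridge notifications enabled on the bucket, or a CloudTrail
# trail logging data events for it).
RULE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["Object Created"],
    "detail": {
        "bucket": {"name": ["release-artifacts-123456789012"]},
        "object": {"key": [{"prefix": "builds/"}]},
    },
}

# Constructed target: the pipeline, plus the role EventBridge assumes. That
# role needs only codepipeline:StartPipelineExecution on this pipeline's ARN.
RULE_TARGET = {
    "Arn": "arn:aws:codepipeline:us-east-1:123456789012:release-pipeline",
    "RoleArn": "arn:aws:iam::123456789012:role/eventbridge-start-release-pipeline",
}


def _leaf_matches(value, alternatives):
    """A leaf matches if the event value equals one alternative or satisfies a prefix filter."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif value == alt:
            return True
    return False


def matches(pattern, event):
    """True when every key of the pattern is present in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _leaf_matches(event[key], expected):
            return False
    return True


def s3_event(detail_type, bucket, key):
    """Build a constructed S3 EventBridge event carrying the fields the rule inspects."""
    return {
        "source": "aws.s3",
        "detail-type": detail_type,
        "detail": {"bucket": {"name": bucket}, "object": {"key": key}},
    }


def pipelines_to_start(events, rules):
    """Target ARNs to start: one entry per (event, matching rule) pair."""
    return [target["Arn"] for event in events for pattern, target in rules if matches(pattern, event)]


if __name__ == "__main__":
    events = [
        s3_event("Object Created", "release-artifacts-123456789012", "builds/app-1.4.2.zip"),
        s3_event("Object Created", "release-artifacts-123456789012", "scratch/notes.txt"),
        s3_event("Object Deleted", "release-artifacts-123456789012", "builds/app-1.4.1.zip"),
        s3_event("Object Created", "someone-elses-bucket", "builds/app-1.4.2.zip"),
    ]
    print(pipelines_to_start(events, [(RULE_PATTERN, RULE_TARGET)]))
```

Filtering on the bucket name and key prefix in the pattern, rather than in the pipeline, keeps a stray upload elsewhere in the bucket from starting a release.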

1058
MCQmedium

A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon VPC are allowed. The bucket is in the same AWS account as the VPC. Which configuration should the developer implement?

A.Bucket policy with condition aws:SourceVpc
B.Bucket policy with condition aws:SourceIp
C.Bucket ACL with VPC ID
D.VPC Endpoint policy
AnswerA

Correct. The aws:SourceVpc condition key in a bucket policy restricts access to traffic from the specified VPC.

Why this answer

Option A is correct because the `aws:SourceVpc` condition key in an S3 bucket policy allows you to restrict access to requests originating from a specific VPC. This works in conjunction with a VPC endpoint for S3 (Gateway or Interface endpoint), which ensures that traffic from the VPC to S3 stays within the AWS network and does not traverse the public internet. The condition evaluates the VPC ID from which the request originates, providing a secure, network-level access control.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` with `aws:SourceIp` or think a VPC Endpoint policy alone can restrict bucket access, but the bucket policy is the authoritative mechanism for inbound access control, while the endpoint policy governs outbound permissions from the VPC.

How to eliminate wrong answers

Option B is wrong because `aws:SourceIp` restricts access based on public IP addresses, but requests from a VPC using a VPC endpoint have private IPs and the source IP is not the VPC's public IP, making this condition ineffective for VPC-based access control. Option C is wrong because S3 bucket ACLs do not support VPC IDs; ACLs can only grant access to AWS accounts or predefined groups (e.g., AllUsers, AuthenticatedUsers), not to specific VPCs. Option D is wrong because a VPC Endpoint policy controls what actions principals within the VPC can perform on the S3 service, but it does not restrict access from the bucket's perspective; the bucket policy is the mechanism to enforce inbound restrictions based on the VPC.

1059
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group. The application needs to store session state. The architecture must be highly available and scalable. Which solution should the developer choose?

A.Use sticky sessions on the Application Load Balancer
B.Store session data in an S3 bucket
C.Use Amazon ElastiCache for Redis to store session state
D.Store session data in the instance's ephemeral storage
AnswerC

ElastiCache for Redis provides a highly available, scalable, and low-latency session store.

Why this answer

Option C is correct because ElastiCache for Redis keeps session state in a low-latency store outside the instances, so any instance in the group can serve any request, and Multi-AZ with automatic failover keeps the store available. Option A is wrong because sticky sessions pin a user to one instance: load becomes uneven and the session is lost when that instance is terminated or replaced by the Auto Scaling group. Option B is wrong because S3 is object storage whose per-request latency is far above what a session lookup on every page load tolerates.

Option D is wrong because ephemeral storage is local to one instance and disappears with it.

1060
MCQmedium

A developer is building a serverless application using AWS Step Functions to orchestrate multiple AWS Lambda functions. One of the Lambda functions occasionally fails due to a transient error. The developer wants the Step Functions execution to automatically retry the failed task up to three times with exponential backoff. Which configuration should the developer set in the Step Functions state machine definition?

A.Add a Retry clause in the Lambda function's configuration with a maximum retry count of 3.
B.Use the Amazon States Language (ASL) Retry field in the Task state definition.
C.Wrap the Lambda function invocation in a custom while loop within the function code.
D.Use the Amazon States Language Catch field in the Task state to redirect to a retry logic.
AnswerB

The ASL Retry field allows defining retry policies, including exponential backoff and maximum retry attempts.

Why this answer

Option B is correct because the Amazon States Language (ASL) provides a native Retry field within a Task state definition that allows you to specify retry policies, including a maximum retry count and exponential backoff. This is the intended mechanism for handling transient failures in Step Functions without requiring custom code or external retry logic.

Exam trap

The trap here is that candidates confuse the Retry field (for retries) with the Catch field (for error handling) or mistakenly think retry logic belongs in the Lambda function code rather than in the state machine definition.

How to eliminate wrong answers

Option A is wrong because a Lambda function's own retry settings (the retry count for asynchronous invocations, or the retry behaviour of an event source mapping) do not apply to a Step Functions task; Step Functions invokes the function and defines its retries in the state machine definition. Option C is wrong because a while loop inside the function would not integrate with Step Functions' retry mechanism and would move orchestration logic into the function, which Step Functions is meant to manage at the state machine level. Option D is wrong because the Catch field handles errors by redirecting to a different state (for example a fallback or error-handling state), not by retrying; retries are handled by the Retry field, and a Retry is evaluated before any Catch on the same state.
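As an added example, not code from the original page, the following constructed Task state carries a Retry block for the transient Lambda error names AWS recommends retrying, with a Catch that routes anything else to a failure-handling state, and a small function that computes the wait schedule the Retry fields produce. The Lambda ARN and state names are placeholders; the semantics implemented (IntervalSeconds, BackoffRate, MaxAttempts, MaxDelaySeconds, exact match on error names with States.ALL as the wildcard) are those of the Amazon States Language, with jitter left out.

```python
"""Compute the wait schedule a Step Functions Retry block produces.

Added example; the state machine fragment and ARN are constructed.
"""

# Constructed Task state: retries for service-side Lambda errors with
# exponential backoff, and a Catch for everything else. Errors raised by the
# function's own code arrive under the function's error name, not
# Lambda.ServiceException, so they need their own retrier if they are transient.
TASK_STATE = {
    "Type": "Task",
    "Resource": "arn:aws:states:::lambda:invoke",
    "Parameters": {
        "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:process-order",
        "Payload.$": "$",
    },
    "Retry": [
        {
            "ErrorEquals": [
                "Lambda.ServiceException",
                "Lambda.AWSLambdaException",
                "Lambda.SdkClientException",
                "Lambda.TooManyRequestsException",
            ],
            "IntervalSeconds": 2,
            "BackoffRate": 2.0,
            "MaxAttempts": 3,
            "MaxDelaySeconds": 30,
        }
    ],
    "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "RecordFailure"}],
    "Next": "NotifyCustomer",
}


def retry_schedule(retrier):
    """Seconds to wait before each retry, per ASL defaults.

    Defaults: IntervalSeconds 1, BackoffRate 2.0, MaxAttempts 3. Retry n
    (1-based) waits IntervalSeconds * BackoffRate ** (n - 1), capped by
    MaxDelaySeconds when present. MaxAttempts counts retries, not the first try.
    """
    interval = retrier.get("IntervalSeconds", 1)
    rate = retrier.get("BackoffRate", 2.0)
    attempts = retrier.get("MaxAttempts", 3)
    cap = retrier.get("MaxDelaySeconds")
    waits = []
    for n in range(attempts):
        wait = interval * rate ** n
        waits.append(min(wait, cap) if cap is not None else wait)
    return waits


def matching_retrier(state, error_name):
    """First retrier whose ErrorEquals covers error_name; States.ALL matches any error."""
    for retrier in state.get("Retry", []):
        names = retrier["ErrorEquals"]
        if "States.ALL" in names or error_name in names:
            return retrier
    return None


def total_retry_time(state, error_name):
    """Total seconds spent waiting before the state gives up on error_name (0 if no retrier matches)."""
    retrier = matching_retrier(state, error_name)
    return sum(retry_schedule(retrier)) if retrier else 0


if __name__ == "__main__":
    for err in ("Lambda.TooManyRequestsException", "ValidationError"):
        r = matching_retrier(TASK_STATE, err)
        print(err, retry_schedule(r) if r else "no retry", "total", total_retry_time(TASK_STATE, err))
```

The schedule matters when sizing the caller's own timeout: with these values a task that keeps failing holds the execution for 14 seconds of waiting plus four invocations before the Catch runs.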

1061
MCQmedium

A developer attempted to create a CloudFormation stack. The stack creation failed and rolled back. Based on the exhibit, which resource caused the failure?

A.The WaitCondition resource
B.The EC2Instance resource
C.The user who requested the rollback
D.The stack itself
AnswerB

The error states 'The following resource(s) failed to create: [EC2Instance]'.

Why this answer

The error message lists EC2Instance as the resource that failed to create; the WaitCondition then failed because it never received the signal the instance would have sent. Option B is correct because EC2Instance is the resource named in the failure. Option A is wrong because the WaitCondition failed as a consequence, not as the cause.

Option C is wrong because the rollback was triggered automatically by the failure, not requested by a user; the resulting status is ROLLBACK_COMPLETE. Option D is wrong because a stack fails only when one of its resources fails.

1062
Multi-Selectmedium

A company is deploying a critical application using AWS Elastic Beanstalk. The application experiences occasional spikes in traffic. The company wants to ensure that the environment scales automatically and that deployments are rolled back if health checks fail. Which TWO configurations should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A.Use a blue/green deployment policy.
B.Configure the Auto Scaling group to scale based on the average request count per instance.
C.Set the environment's capacity to a fixed number of instances.
D.Configure the environment to use rolling updates with a batch size of 50%.
E.Enable immutable updates for the environment.
AnswersB, D

This allows the environment to automatically scale based on traffic.

Why this answer

Option B is correct because configuring the Auto Scaling group to scale based on the average request count per instance allows the environment to automatically add or remove instances in response to traffic spikes, ensuring dynamic scaling. Option D is correct because rolling updates with a batch size of 50% update instances in batches and automatically roll back the deployment if health checks fail, meeting the rollback requirement. Together, these configurations provide both automatic scaling and safe, self-healing deployments.

Exam trap

The trap here is that candidates treat immutable updates as the answer to every rollback question. Immutable updates do protect the running fleet (the new version launches on fresh instances in a temporary Auto Scaling group, and those instances are terminated if they fail health checks), but they temporarily double capacity and do nothing for scaling; a rolling update with health-check-driven rollback paired with a request-count scaling policy is the combination the question asks for. Option C is wrong because a fixed instance count cannot absorb traffic spikes, and Option A is wrong because blue/green in Elastic Beanstalk means swapping the URLs of two environments, a manual procedure rather than a deployment policy.

1063
MCQhard

A developer is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. The build fails with the error 'no basic authentication credentials'. The build project has an IAM role with the AmazonEC2ContainerRegistryPowerUser policy. What is the most likely cause?

A.The build project is not configured to use a VPC that can reach ECR.
B.The build environment does not have Docker installed.
C.The IAM role does not have sufficient permissions to push to ECR.
D.The buildspec does not include the pre_build step to authenticate with ECR.
AnswerD

Without authentication, Docker cannot push to ECR.

Why this answer

Option D is correct. An IAM role gives the build environment permission to call ECR, but the Docker client still needs a registry login before it can push: the buildspec's pre_build phase has to run the `aws ecr get-login-password` command and pipe its output into `docker login` for the account's registry URL. Without that step Docker sends no credentials, and ECR answers with 'no basic authentication credentials'. The login token is valid for 12 hours, so it must be obtained in every build rather than baked into the image.

Option C is wrong because AmazonEC2ContainerRegistryPowerUser grants push and pull on all repositories. Option B is wrong because the managed CodeBuild images ship with Docker when privileged mode is enabled, and a missing daemon gives a different error. Option A is wrong because a network problem surfaces as a connection timeout, not an authentication error.

1064
MCQhard

Refer to the exhibit. An S3 bucket policy is set as shown. A developer tries to download an object from my-bucket using the AWS CLI from an IP address in the 203.0.113.0/24 range. What will happen?

A.The policy is invalid because of conflicting statements.
B.The download succeeds because the Allow statement matches the request.
C.The download succeeds because the Deny statement does not apply to GetObject.
D.The download fails with an AccessDenied error.
AnswerD

Explicit deny blocks all actions.

Why this answer

The correct answer is D because, in an S3 bucket policy, explicit Deny statements override any Allow statements. Even though the Allow statement grants s3:GetObject to all principals, the Deny statement explicitly denies s3:GetObject when the request originates from the 203.0.113.0/24 IP range. Since the developer's IP falls within that range, the Deny takes precedence, resulting in an AccessDenied error.

Exam trap

The trap here is that candidates often assume that an Allow statement will always grant access, forgetting that an explicit Deny for the same action from a matching condition (like a source IP) takes precedence and causes the request to fail.

How to eliminate wrong answers

Option A is wrong because the policy is valid; S3 bucket policies can contain both Allow and Deny statements, and they are evaluated with Deny taking precedence over Allow. Option B is wrong because the Allow statement does match the request, but the explicit Deny statement for the same action from the specified IP range overrides it, causing the download to fail. Option C is wrong because the Deny statement explicitly applies to s3:GetObject, as it uses a wildcard '*' for actions, which includes GetObject.

1065
MCQeasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer wants to set environment variables for the Lambda function that are specific to the deployment stage (e.g., dev, prod). How should the developer accomplish this?

A.Use SAM parameters to pass stage-specific values into the template.
B.Define the environment variables in the Lambda function configuration and use 'Ref' with the stage name.
C.Hardcode the environment variables in the SAM template for each stage.
D.Use AWS CloudFormation 'Conditions' to set environment variables based on the stage.
AnswerA

Parameters allow passing different values for different stages.

Why this answer

Option A is correct because SAM templates support a Parameters section: the developer declares a Stage parameter, references it in the function's Environment.Variables (with Ref or Fn::Sub), and passes a different value on each deployment through the --parameter-overrides option of sam deploy or a per-stage environment in samconfig.toml. Option B is wrong because Ref resolves a parameter or resource, so it still needs a parameter to carry the stage value; on its own it does not know the stage.

Option C is wrong because hardcoding means a separate template per stage and no single artifact promoted through environments. Option D is wrong because Conditions decide whether resources are created or which of two values Fn::If returns; they still depend on a parameter to make that decision, so parameters are the mechanism the question is after.

1066
MCQmedium

A developer tries to create a CloudFormation stack using the template above, but it fails with 'The bucket you tried to create already exists'. The developer has already deleted the bucket from the AWS Management Console. What is the MOST likely reason for the failure?

A.The bucket name is still globally reserved after deletion.
B.The CloudFormation template uses an incorrect intrinsic function.
C.Bucket versioning must be Disabled initially.
D.The developer does not have permission to create buckets in that region.
AnswerA

S3 bucket names are unique and may remain reserved for a period after deletion.

Why this answer

Even after deletion, the bucket name may still be in a 'pending deletion' state or may have been taken by another AWS account. S3 bucket names are globally unique. If the name is still reserved (e.g., recently deleted), you cannot recreate it immediately.

The developer should use a different bucket name.

1067
MCQeasy

A developer needs to store a small amount of session state data (less than 1 MB) for a web application running on EC2. The data must be shared across multiple instances. Which solution is MOST cost-effective?

A.Use an Amazon EBS volume with multi-attach.
B.Use Amazon ElastiCache for session state.
C.Store session data in Amazon S3.
D.Use Amazon DynamoDB to store session data.
AnswerB

ElastiCache provides low-latency, shared session storage.

Why this answer

Option B is correct because ElastiCache (Redis or Memcached) is purpose-built for small, frequently read session data shared by many instances, and a single small cache node is inexpensive. Option D is wrong because DynamoDB works for sessions but costs more per read at this scale than a small cache node. Option C is wrong because S3 request latency is too high for a lookup on every request.

Option A is wrong because EBS Multi-Attach is limited to io1/io2 volumes on instances in one Availability Zone and needs a cluster-aware file system; it is neither cheap nor a fit for session data.

1068
Multi-Selectmedium

A developer is using AWS CodeDeploy to deploy a revision to an Amazon EC2 instance. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which TWO actions should the developer take to troubleshoot the issue? (Choose TWO.)

Select 2 answers
A.Check the CodeDeploy agent logs on the EC2 instance for errors.
B.Change the deployment configuration to AllAtOnce.
C.Verify that the EC2 instance has an IAM role that allows CodeDeploy to access it.
D.Verify that the CodeDeploy agent is installed and running on the instance.
E.Increase the health check grace period on the Auto Scaling group.
AnswersA, D

Agent logs provide detailed error messages.

Why this answer

Option A is correct because the CodeDeploy agent log on the instance (`/var/log/aws/codedeploy-agent/codedeploy-agent.log`, with each lifecycle hook script's output kept under the agent's deployment-root directory) records why the deployment failed on that instance: a hook script's exit code, a missing dependency, or a permission problem. Checking these logs is the first step in diagnosing individual instance failures. Option D is correct because an instance on which the agent is not installed or not running never reports back, and CodeDeploy counts it as a failed instance; confirming the agent is present and running is the first thing to check when every instance fails.

Exam trap

The trap here is that candidates often confuse the deployment configuration (AllAtOnce) with a troubleshooting step, when in fact it only changes the rollout speed and does not help diagnose why individual instances are failing.

1069
MCQhard

A company runs a containerized application on Amazon ECS using Fargate launch type. The application needs to read and write files to a shared file system across multiple tasks. The development team wants a solution that provides high throughput and is POSIX-compliant. Which storage solution should the team use?

A.Amazon S3 with mountpoint-s3
B.Amazon EFS
C.Amazon EBS with multi-attach enabled
D.Amazon FSx for Windows File Server
AnswerB

EFS provides a fully managed, POSIX-compliant file system that can be shared across multiple ECS tasks.

Why this answer

Option B is correct. Amazon EFS is a managed NFS file system that is POSIX-compliant and can be mounted by many Fargate tasks at once through the task definition's volumes configuration; its elastic throughput mode covers the high-throughput requirement. Option A is wrong because S3 is object storage: Mountpoint for S3 presents it as a file system but is not POSIX-compliant (no file locking, no partial writes), and a Fargate task cannot run the FUSE mount it needs.

Option C is wrong because Fargate tasks cannot mount EBS volumes with Multi-Attach, and Multi-Attach is limited to a single Availability Zone in any case. Option D is wrong because FSx for Windows File Server is an SMB file system for Windows workloads and is not POSIX-compliant.

1070
MCQmedium

A developer is using AWS CloudFormation to deploy a stack that includes an S3 bucket and a Lambda function. The stack fails with the error 'The following resource(s) failed to create: [MyBucket]'. What is the most likely cause?

A.The S3 bucket name is already taken.
B.The stack's VPC configuration is incorrect.
C.The S3 bucket policy is malformed.
D.The Lambda function code is invalid.
AnswerA

Globally unique bucket names are required.

Why this answer

Option A is correct because S3 bucket names are globally unique across all AWS accounts; if the template's BucketName is already in use anywhere, CreateBucket fails and CloudFormation reports the bucket as the failed resource. Option B is wrong because neither an S3 bucket nor a Lambda function needs a VPC to be created. Option C is wrong because a bucket policy is a separate resource (AWS::S3::BucketPolicy) and would be reported under its own logical ID.

Option D is wrong because invalid function code would fail the Lambda resource, not the bucket. Omitting BucketName, so that CloudFormation generates a unique name, avoids the collision entirely.

1071
MCQhard

A developer is deploying an application on EC2 instances behind an Application Load Balancer (ALB). The application must authenticate users using an identity provider (IdP) that supports OpenID Connect (OIDC). What is the MOST secure way to offload authentication to the ALB?

A.Configure the ALB with an OIDC identity provider and use the authenticate-oidc action.
B.Use AWS Lambda@Edge to authenticate users at the CloudFront edge.
C.Use IAM federation to trust the IdP and assign IAM roles to users.
D.Use Amazon Cognito User Pools and configure the ALB to use Cognito as the authentication provider.
AnswerA

ALB natively supports OIDC authentication.

Why this answer

Option A is correct because the ALB listener rule's authenticate-oidc action talks to the IdP directly: the load balancer redirects unauthenticated users to the IdP, completes the OIDC flow, and forwards authenticated requests with the user's claims in signed x-amzn-oidc-* headers, so the application never handles credentials. The targets' security group should still admit traffic only from the load balancer, so nobody can reach the application directly with forged headers. Option D is wrong for this requirement because it inserts Cognito between the ALB and an IdP the ALB already supports natively; Cognito fits when you need its user directory or want to federate several IdPs. Option C is wrong because IAM federation grants access to AWS APIs, not to a web application.

Option B is wrong because Lambda@Edge runs at CloudFront, not on the ALB, and means writing and maintaining the OIDC flow yourself.

1072
Multi-Selecthard

A company uses AWS Step Functions to orchestrate a workflow. The workflow is failing with a 'States.ALL' error. Which THREE steps should the developer take to troubleshoot?

Select 3 answers
A.Review the state machine definition for syntax errors.
B.Check the execution history in CloudWatch Logs.
C.Increase the memory allocated to the Lambda functions in the workflow.
D.Verify that the IAM execution role has the required permissions for each task.
E.Enable AWS X-Ray tracing on the state machine.
AnswersA, B, D

Invalid syntax causes 'States.ALL' errors.

Why this answer

'States.ALL' is the wildcard that matches any error in a Retry or Catch, so seeing it means the real error name is in the execution history. Option B is correct because the execution history (in the Step Functions console, or in CloudWatch Logs when logging is enabled on the state machine) records each state's input, output, and the error and cause that failed it. Option D is correct because a state machine role missing permissions for a task's integration (for example lambda:InvokeFunction) fails the task before the function runs. Option A is correct because a definition error, such as a misspelled state name in Next or an invalid JSONPath, fails the execution at the affected state.

Option C is wrong because Lambda memory only matters once the history shows a function timing out or running out of memory; Option E is wrong because X-Ray shows latency across services and does not explain a failed state.

1073
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. They have a stack that creates an Amazon RDS DB instance. They want to update the DB instance class without downtime. Which update policy should they use?

A.UseLatestRestorableTime
B.AutoScalingRollingUpdate
C.UpdateReplacePolicy
D.CreationPolicy
AnswerA

This enables a blue/green deployment for RDS to minimize downtime.

Why this answer

Option A is the key. Note, though, that `UseLatestRestorableTime` is not an UpdatePolicy attribute: it is a property of `AWS::RDS::DBInstance` that, together with `SourceDBInstanceIdentifier`, restores a new instance to the latest restorable point in time from the source's automated backups. Used that way, CloudFormation stands up a replacement instance at the new class from backups instead of modifying the running one in place, which is the blue/green-style transition the answer describes. Changing `DBInstanceClass` on the existing instance is otherwise an in-place modification; on a Multi-AZ deployment RDS applies it to the standby first and fails over, so the interruption is the failover window rather than a full reboot.

Exam trap

The trap here is that candidates confuse update policies for EC2 Auto Scaling groups (like `AutoScalingRollingUpdate`) with the options available for stateful resources like RDS, or assume `UpdateReplacePolicy` controls the update itself when it only decides what happens to the old resource once a replacement has occurred.

How to eliminate wrong answers

Option B is wrong because `AutoScalingRollingUpdate` is an UpdatePolicy for Auto Scaling groups; it has no meaning on an RDS DB instance. Option C is wrong because `UpdateReplacePolicy` is a resource attribute (Delete, Retain or Snapshot) that controls whether the old physical resource is kept, snapshotted or deleted when an update replaces it; it does not make the replacement faster or avoid downtime, although setting it to Snapshot on a DB instance is a sensible safety net. Option D is wrong because `CreationPolicy` only applies while a resource is being created (for example waiting for cfn-signal from EC2 instances), not when an existing resource is updated.

1074
MCQeasy

An IAM user has the above IAM policy attached. What is the effect?

A.The user is denied access to example-bucket.
B.The user can list the objects in example-bucket.
C.The user can perform all S3 actions on example-bucket.
D.The user can read objects from example-bucket.
AnswerD

The policy allows s3:GetObject on all objects.

Why this answer

The IAM policy grants `s3:GetObject` permission on `arn:aws:s3:::example-bucket/*`, which allows reading objects from the bucket. Since there is no explicit deny and the policy only allows this single action, the user can read objects but cannot perform other actions like listing or deleting. Option D is correct because the policy explicitly permits read access to objects.

Exam trap

The trap here is that candidates assume granting `s3:GetObject` on objects implicitly allows listing the bucket, but listing requires a separate `s3:ListBucket` permission on the bucket resource.

How to eliminate wrong answers

Option A is wrong because the policy does not include a `Deny` effect for `example-bucket`; an explicit deny would be required to block all access. Option B is wrong because `s3:ListBucket` is not granted in the policy; listing objects requires the `s3:ListBucket` action on the bucket resource (`arn:aws:s3:::example-bucket`), not on objects. Option C is wrong because the policy only allows `s3:GetObject`, not all S3 actions (e.g., `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket` are missing).
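The three policy questions above (1058, 1064 and this one) all come down to how a single policy document is evaluated. As an added example, not code from the original page, here is a minimal evaluator that applies those rules to constructed policies: explicit Deny beats Allow, a request through a VPC endpoint carries aws:SourceVpc while a public request does not, and s3:GetObject on bucket/* grants nothing on the bucket ARN itself. The bucket names, VPC ID, IP range and policies are placeholders; only the StringEquals and IpAddress operators are modelled, a missing context key makes a condition false (the documented behaviour for these operators), and Principal matching is assumed to have already succeeded.

```python
"""Minimal S3/IAM policy evaluator: Deny, then Allow, else implicit deny.

Added example; policies, bucket names, VPC ID and IP addresses are constructed.
"""
import fnmatch
import ipaddress

# Constructed bucket policy in the shape question 1064 describes: public read,
# with an explicit Deny for one source range that covers every action.
PUBLIC_READ_WITH_IP_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "DenyFromRange", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Constructed bucket policy for question 1058: only requests that arrive
# through an endpoint in one VPC are allowed; everything else is implicitly denied.
VPC_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromVpc", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::internal-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0abc123def456"}}},
    ],
}

# Constructed identity policy for question 1074: GetObject on objects only.
GETOBJECT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    """IAM's `*` wildcard in Action and Resource, approximated with fnmatch."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(conditions, context):
    """Evaluate a Condition block; a key absent from the request context never matches."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr) for cidr in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Return 'allow' or 'deny' for one request, with explicit-deny precedence."""
    decision = "deny"  # implicit deny unless an Allow statement matches
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny cannot be overridden by any Allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print("1064 from 203.0.113.42:", evaluate(PUBLIC_READ_WITH_IP_DENY, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.42"}))
    print("1058 via endpoint:", evaluate(VPC_ONLY, "s3:GetObject", "arn:aws:s3:::internal-bucket/x", {"aws:SourceVpc": "vpc-0abc123def456"}))
    print("1074 ListBucket:", evaluate(GETOBJECT_ONLY, "s3:ListBucket", "arn:aws:s3:::example-bucket", {}))
```

A stricter form of the VPC policy uses Deny with StringNotEquals on aws:SourceVpc, which blocks even principals whose own IAM policies allow the bucket; it is not modelled here because negated operators have their own missing-key rules.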

1075
Multi-Selectmedium

A company is using Amazon API Gateway to expose a REST API. The API is integrated with an AWS Lambda function. The developer wants to implement caching to improve performance. Which THREE steps are necessary to enable caching for a specific stage? (Choose THREE.)

Select 3 answers
A.Attach an IAM policy to the API Gateway role for cache access.
B.Modify the Lambda function to store responses in ElastiCache.
C.Enable API caching in the stage settings.
D.Set a cache time-to-live (TTL) value.
E.Specify a cache cluster size (e.g., 0.5 GB).
AnswersC, D, E

Correct: This turns on caching for the stage.

Why this answer

Options C, D, and E are correct. Caching is configured per stage: enable it in the stage settings (C), choose a cache cluster size, which determines the hourly charge (E), and set a TTL for cached responses (D); the TTL can then be overridden per method. Option B is wrong because API Gateway caches the integration response itself; the Lambda function needs no changes.

Option A is wrong because the stage cache is managed by API Gateway and needs no IAM policy. Before enabling it on an authenticated API, decide whether to encrypt the cache and which request parameters form the cache key, so one caller's response is never served to another.

1076
MCQ (hard)

A company is running a containerized application on Amazon ECS with Fargate launch type. The application needs to access an Amazon S3 bucket. The company wants to follow the principle of least privilege. How should the developer provide the necessary permissions?

A.Use Amazon EFS to store access keys.
B.Assign an IAM instance profile to the Fargate tasks.
C.Create an IAM task role with S3 permissions and associate it with the ECS task definition.
D.Store AWS credentials in the container image.
Answer: C

Task roles provide least privilege for Fargate tasks.

Why this answer

Option C is correct because an IAM task role is the recommended way to grant permissions to ECS tasks. Option B is wrong because instance profiles are for EC2 instances, not Fargate tasks. Option D is wrong because storing credentials in the container image is insecure.

Option A is wrong because EFS is for file storage, not for granting S3 permissions.

1077
Multi-Select (medium)

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which of the following are true about RDS encryption? (Select THREE.)

Select 3 answers
A.Encryption at rest can be enabled on an existing unencrypted DB instance.
B.Encryption at rest can be enabled when you create the DB instance.
C.Snapshots of an encrypted instance are encrypted.
D.When encryption is enabled, automated backups are encrypted.
E.Read replicas of an encrypted instance can be unencrypted.
Answers: B, C, D

Encryption is enabled at creation time.

Why this answer

Options B, C, and D are correct. Encryption at rest is enabled when the DB instance is created, and it covers the data, automated backups, snapshots, and read replicas. Option A is wrong because encryption cannot be enabled on an existing unencrypted instance after creation.

Option E is wrong because read replicas of an encrypted instance must also be encrypted.

1078
Multi-Select (hard)

A developer is troubleshooting a slow-running Amazon RDS for PostgreSQL instance. Which TWO metrics should the developer examine in Amazon CloudWatch to identify a possible resource bottleneck?

Select 2 answers
A.CPUUtilization
B.ReadIOPS and WriteIOPS with high Average Queue Depth
C.FreeableMemory
D.NetworkThroughput
E.DatabaseConnections
Answers: A, B

High CPU indicates CPU bottleneck.

Why this answer

Option A is correct because high CPU utilization can cause slow queries. Option B is correct because high Read/Write IOPS together with a high average queue depth (high I/O latency) indicates an I/O bottleneck. Option C is wrong because FreeableMemory is less directly indicative of a bottleneck.

Option E is wrong because DatabaseConnections does not directly indicate a bottleneck unless the connection limit is reached. Option D is wrong because NetworkThroughput is rarely a bottleneck for RDS.

1079
MCQ (hard)

A development team uses AWS CodePipeline to automate deployments. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS CodeDeploy. After a recent change, the deploy stage fails intermittently with a timeout error. The CodeBuild stage succeeds. What should the team do to troubleshoot the issue?

A.Ensure the deployment group is configured to use the correct Auto Scaling group.
B.Verify that the CodeDeploy service role has sufficient permissions.
C.Check the buildspec.yml file for syntax errors.
D.Increase the timeout value in the CodeDeploy deployment configuration.
Answer: D

Increasing timeout can resolve intermittent timeout errors.

Why this answer

Option D is correct because the intermittent timeout error in the deploy stage, despite a successful build, indicates that the CodeDeploy agent is taking longer than the configured timeout to complete the deployment lifecycle events (e.g., BeforeInstall, AfterInstall, ApplicationStart). Increasing the timeout value in the CodeDeploy deployment configuration gives the agent more time to finish these operations, which directly addresses the timeout failure without altering the build or permissions.

Exam trap

The trap here is that candidates often confuse build-stage failures (CodeBuild) with deploy-stage failures (CodeDeploy), leading them to check buildspec.yml or permissions, when the intermittent timeout is a classic symptom of a deployment configuration timeout being too short for the application's startup or script execution time.

How to eliminate wrong answers

Option A is wrong because the deployment group's Auto Scaling group configuration is unrelated to a timeout error; an incorrect Auto Scaling group would cause a deployment to fail immediately with a 'No instances found' or 'Invalid Auto Scaling group' error, not an intermittent timeout. Option B is wrong because insufficient CodeDeploy service role permissions would result in a consistent authorization failure (e.g., 'AccessDeniedException') during the deployment, not an intermittent timeout after a successful build. Option C is wrong because the buildspec.yml file is used by CodeBuild, not CodeDeploy; syntax errors in buildspec.yml would cause the build stage to fail, but the question states the build stage succeeds, so the issue must be in the deploy stage.

1080
Multi-Select (medium)

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function is triggered by S3 events. The developer notices that the function sometimes processes the same file multiple times. Which TWO steps should the developer take to make the processing idempotent? (Choose TWO.)

Select 2 answers
A.Check if the file has already been processed by storing a marker in DynamoDB.
B.Use conditional writes in DynamoDB to ensure that updates are idempotent.
C.Reduce the S3 event batch size in the Lambda trigger.
D.Increase the Lambda function's timeout.
E.Enable S3 versioning on the bucket.
Answers: A, B

Using a marker ensures idempotent processing by checking existence.

Why this answer

Options A and B are correct. Option A ensures that when a file is delivered again, the function first checks for a marker and skips work that was already done. Option B makes the marker write itself idempotent, so two concurrent invocations cannot both claim the same file.

Option D is wrong because increasing the timeout does not prevent duplicate processing. Option C is wrong because batch size is a setting for SQS event sources, not S3 triggers. Option E is wrong because versioning does not prevent reprocessing.
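How the two selected steps fit together, as an added example that is not code from the page or from AWS: a stable idempotency key is derived from each S3 record, claimed with a conditional write, and the work runs only when the claim succeeds. The `MarkerTable` class is an in-memory stand-in for the DynamoDB table with the same "write exactly once per key" behaviour; a real handler would call boto3's `put_item` with `ConditionExpression="attribute_not_exists(pk)"` and catch the `ConditionalCheckFailedException` error code. The S3 records are constructed for the example and carry only the fields the code reads.

```python
"""Idempotent handling of S3 event notifications (added example; not from the
page and not AWS sample code).

S3 may deliver the same event more than once, so the handler derives a key
that identifies one specific upload, claims it with a conditional write, and
only does the work when the claim succeeds. The table below is an in-memory
stand-in for DynamoDB with the same conditional-write semantics.
"""
import hashlib


class ConditionalCheckFailed(Exception):
    """Stands in for DynamoDB's ConditionalCheckFailedException."""


class MarkerTable:
    """In-memory imitation of a DynamoDB table keyed by `pk` (assumed schema)."""

    def __init__(self):
        self._items = {}

    def put_if_absent(self, pk, item):
        # Same outcome as PutItem with ConditionExpression="attribute_not_exists(pk)":
        # the write succeeds exactly once per key and every later attempt fails.
        if pk in self._items:
            raise ConditionalCheckFailed(pk)
        self._items[pk] = dict(item, pk=pk)

    def update(self, pk, **fields):
        self._items[pk].update(fields)

    def delete(self, pk):
        self._items.pop(pk, None)

    def get(self, pk):
        return self._items.get(pk)


def idempotency_key(record):
    """Bucket + key + ETag names one specific upload: a redelivered event for
    the same content maps to the same key, while a re-upload of new content
    under the same object key gets a new key and is processed again."""
    s3 = record["s3"]
    return f"{s3['bucket']['name']}/{s3['object']['key']}#{s3['object']['eTag']}"


def make_thumbnail(record):
    """Placeholder for the real image work; returns a deterministic digest."""
    return hashlib.sha256(idempotency_key(record).encode()).hexdigest()[:16]


def handle_record(record, table):
    """Process one S3 record at most once. Returns 'processed' or 'skipped'."""
    pk = idempotency_key(record)
    try:
        table.put_if_absent(pk, {"status": "in_progress"})
    except ConditionalCheckFailed:
        return "skipped"  # another delivery already claimed this upload
    try:
        table.update(pk, status="done", thumbnail=make_thumbnail(record))
        return "processed"
    except Exception:
        table.delete(pk)  # release the claim so a retry can redo the work
        raise


def s3_record(bucket, key, etag):
    """Constructed S3 event record with just the fields this example reads."""
    return {"eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": bucket}, "object": {"key": key, "eTag": etag}}}


# Constructed delivery sequence: one duplicate delivery and one genuine re-upload.
SAMPLE_DELIVERIES = [
    s3_record("uploads", "img/cat.jpg", "etag-aaa"),
    s3_record("uploads", "img/cat.jpg", "etag-aaa"),  # duplicate delivery
    s3_record("uploads", "img/dog.jpg", "etag-bbb"),
    s3_record("uploads", "img/cat.jpg", "etag-ccc"),  # same key, new content
]


def run(deliveries, table=None):
    """Feed every delivery through the handler and report each outcome."""
    table = table if table is not None else MarkerTable()
    return [handle_record(r, table) for r in deliveries]


if __name__ == "__main__":
    for rec, outcome in zip(SAMPLE_DELIVERIES, run(SAMPLE_DELIVERIES)):
        print(idempotency_key(rec), "->", outcome)
```

Using the object's ETag (or `versionId` when versioning is on) in the key is what keeps a genuine re-upload distinct from a redelivered event; keying on the object name alone would silently drop the new content.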

1081
Drag & Drop (medium)

Drag and drop the steps to encrypt an EBS volume using AWS KMS in the correct order.


Why this order

First create a KMS key, then snapshot the unencrypted volume, copy with encryption, and create the encrypted volume.

1082
MCQ (medium)

A company uses AWS CodeBuild to run unit tests. The buildspec.yml file is stored in the source repository. The build fails intermittently with 'command not found' for a tool that is installed in the build environment. What should the developer do to ensure the tool is available?

A.Use a custom Docker image that includes the tool.
B.Configure the build environment to include the tool via the AWS Management Console.
C.Add a post_build phase to install the tool.
D.Add a pre_build phase to install the tool.
Answer: D

pre_build phase runs before build and can install dependencies.

Why this answer

Option D is correct because CodeBuild supports installing dependencies in the pre_build phase, which runs before the build commands. Option C is wrong because the post_build phase runs after the build, so the tool would not be present when the build needs it. Option A is wrong because the tool may not be available in all environments.

Option B is wrong because CodeBuild environments are not customizable via the console in this way.

1083
MCQ (hard)

A developer notices that an Amazon RDS for MySQL DB instance's CPU utilization is consistently above 90% during peak hours. The application uses read-heavy workloads. Which action would MOST effectively reduce CPU load without major architectural changes?

A.Implement an in-memory cache layer with Amazon ElastiCache.
B.Migrate the database to Amazon Aurora with auto-scaling.
C.Increase the DB instance size to a larger instance type.
D.Create a Multi-AZ deployment and use the standby for read queries.
Answer: D

Note: a Multi-AZ standby is not used for reads; Multi-AZ provides failover only, not read scaling, so "use the standby for read queries" as written does not offload read traffic. Offloading reads requires one or more read replicas with read traffic directed to them, which none of the listed options describes.

Why this answer

The intended reasoning is that adding a read replica offloads read queries from the primary instance, reducing CPU usage for read-heavy workloads (see the note above on the option as written). Increasing the instance size (C) might help but is less cost-effective and does not separate reads from writes. ElastiCache (A) adds caching but requires application changes.

Migrating to Aurora (B) involves migration effort.

1084
MCQ (medium)

A developer is deploying a web application using AWS Elastic Beanstalk. The application uses an Amazon RDS MySQL database. The developer wants to ensure that database credentials are not stored in the application code or environment variables. The solution must automatically rotate credentials every 90 days. The developer has created a secret in AWS Secrets Manager containing the database credentials. The Elastic Beanstalk environment is configured with an IAM instance profile that has permission to read the secret. However, when the application is deployed, it fails to connect to the database. The developer checks the application logs and sees a 'Host not found' error. The RDS instance is in a private subnet, and the Elastic Beanstalk environment is in the same VPC. What is the MOST likely cause of the connection failure?

A.The secret is not correctly referenced in the Elastic Beanstalk environment properties.
B.The application code is not retrieving the secret from Secrets Manager at startup.
C.The IAM instance profile does not have the necessary permissions to access the secret.
D.The secret is stored in a different region than the Elastic Beanstalk environment.
Answer: B

The application must call Secrets Manager to get the credentials; otherwise it tries to connect with undefined values.

Why this answer

Option B is correct. The application must retrieve the secret at runtime, and if the code does not do so it connects with undefined values; the 'Host not found' error indicates the database hostname is never resolved.

Option C is wrong because the instance profile already has permission. Option A is wrong because Secrets Manager does not automatically inject secrets into environment properties; the application must fetch them. Option D is wrong because nothing in the scenario points to a cross-region secret, and the secret's format (plaintext or JSON) is likewise not the issue.

1085
MCQ (easy)

A developer is deploying a new version of a Lambda function and wants to roll back immediately if errors are detected. Which deployment strategy should the developer use?

A.Use AWS CodeDeploy with a canary deployment configuration
B.Use an EC2 rolling update strategy
C.Use AWS CodeDeploy with a linear deployment configuration
D.Use an immutable update strategy
Answer: A

Canary deployments allow you to route a small percentage of traffic to the new version and monitor for errors.

Why this answer

Option A is correct because canary deployments shift a small percentage of traffic to the new version and monitor it before the full rollout. Option C is wrong because linear deployments shift traffic in increments but do not have automatic rollback. Option B is wrong because rolling updates are for EC2, not Lambda.

Option D is wrong because immutable updates replace all instances and do not support gradual traffic shifting.

1086
Multi-Select (easy)

A developer is using AWS CodeDeploy to deploy an application to EC2 instances. The developer wants to ensure that the deployment stops if any instance fails to install the application. Which TWO CodeDeploy settings should be configured to achieve this? (Choose TWO.)

Select 2 answers
A.Set the 'DeploymentStyle' to 'BLUE_GREEN'.
B.Set the 'IgnoreApplicationStopFailures' option to false in the deployment configuration.
C.Configure the 'LoadBalancerInfo' to include the target group.
D.Configure the 'RevisionLocation' to point to an S3 bucket.
E.Set the 'MinimumHealthyHosts' option to a value that requires all instances to be healthy for the deployment to succeed.
Answers: B, E

This ensures that failures in the ApplicationStop lifecycle event cause the deployment to fail.

Why this answer

Option B is correct because setting 'IgnoreApplicationStopFailures' to false ensures that if the application stop hook fails on any instance, the deployment stops immediately rather than continuing. This prevents the deployment from proceeding when an instance cannot properly stop the existing application, which could lead to conflicts or corrupted states.

Exam trap

The trap here is that candidates often confuse deployment configuration settings like 'IgnoreApplicationStopFailures' and 'MinimumHealthyHosts' with unrelated settings such as deployment style or revision location, leading them to select options that control deployment strategy or artifact storage instead of failure behavior.

1087
Multi-Select (hard)

A developer is using AWS X-Ray to trace a Lambda function that calls DynamoDB and SQS. Some traces show errors. Which THREE actions should the developer take to diagnose the issue?

Select 3 answers
A.Examine the trace details for exception messages.
B.Verify that the Lambda function's IAM role has permissions for X-Ray.
C.Check the X-Ray service map for error edges.
D.Disable X-Ray sampling to capture all requests.
E.Enable CloudFront to cache responses.
Answers: A, B, C

Shows specific errors.

Why this answer

Option A is correct because examining trace details in AWS X-Ray allows the developer to view exception messages, stack traces, and error codes for each segment of the trace. This directly reveals the root cause of errors, such as DynamoDB throttling or SQS permission issues, by pinpointing which service call failed and why.

Exam trap

The trap here is that candidates may think disabling sampling (Option D) is necessary to see all errors, but X-Ray's sampling is designed to capture errors by default, and the real diagnostic value lies in analyzing trace details and the service map, not in increasing sample volume.

1088
MCQ (hard)

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The deployment must ensure that a minimum number of instances are always running and healthy. The developer wants to deploy to 10 instances. Which deployment configuration should the developer use?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.AllAtOnce
C.CodeDeployDefault.HalfAtATime
D.CodeDeployDefault.MinHealthyHostsPercentage: 90
Answer: A

This configuration deploys to one instance at a time, keeping the maximum number of healthy instances at any time.

Why this answer

Option A, CodeDeployDefault.OneAtATime, is correct because it ensures that only one instance is updated at a time, which guarantees that a minimum number of instances (9 out of 10) remain healthy and running throughout the deployment. This configuration is ideal for maintaining high availability and meeting strict uptime requirements.

Exam trap

The trap here is that candidates often confuse the predefined deployment configurations with custom settings, assuming that 'MinHealthyHostsPercentage: 90' is a valid named configuration, when in fact it is a parameter that must be specified as part of a custom configuration, not a built-in option.

How to eliminate wrong answers

Option B (CodeDeployDefault.AllAtOnce) is wrong because it deploys to all 10 instances simultaneously, which can cause a complete outage if the deployment fails or the application has issues. Option C (CodeDeployDefault.HalfAtATime) is wrong because it deploys to 5 instances at a time, which does not guarantee that a minimum number of instances (e.g., 9) are always running; it only ensures half are updated at once, potentially leaving only 5 healthy instances. Option D (CodeDeployDefault.MinHealthyHostsPercentage: 90) is wrong because it is not a valid predefined deployment configuration in AWS CodeDeploy; it is a custom configuration option that can be set via the API or CLI, but it is not a built-in named configuration like the others.

1089
MCQ (easy)

A developer is encrypting an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). What is a benefit of using SSE-KMS over SSE-S3?

A.Reduced latency for encrypted object retrieval
B.Lower cost than SSE-S3
C.Ability to control access to the encryption key separately
D.Automatic encryption of objects at rest
Answer: C

SSE-KMS uses a customer master key (CMK) that can be managed with IAM and key policies.

Why this answer

Option C is correct because SSE-KMS gives the encryption key its own permissions (key policy and IAM), allowing fine-grained control over who can use it. Option D is wrong because both SSE-S3 and SSE-KMS encrypt data at rest. Option B is wrong because SSE-KMS incurs additional KMS costs.

Option A is wrong because SSE-KMS uses envelope encryption, which does not reduce latency.

1090
Multi-Select (medium)

A company uses AWS CodePipeline to deploy a web application to an EC2 instance. The deployment often fails because the application is still running when new files are copied. Which THREE actions can be combined to achieve zero-downtime deployments?

Select 3 answers
A.Use AWS CodeDeploy with an in-place deployment configuration.
B.Configure the EC2 instances behind an Auto Scaling group and use a rolling update.
C.Define an AppSpec file that includes 'BeforeInstall' and 'AfterInstall' hooks to stop and start the application.
D.Use AWS CodeBuild to build and deploy the application.
E.Use Amazon Inspector to check the application before deployment.
Answers: A, B, C

CodeDeploy can manage application lifecycle during deployment.

Why this answer

Options A, B, and C are correct. Using CodeDeploy (A) with an in-place deployment manages the application lifecycle on each instance. The AppSpec file (C) defines hooks to stop the application before install and start it after.

An Auto Scaling group with a rolling update (B) ensures instances are replaced without downtime. Option D is wrong because CodeBuild is for building, not deployment. Option E is wrong because Amazon Inspector is for security scanning.

1091
MCQ (hard)

A developer is deploying a microservice using Amazon ECS with Fargate. The service needs to scale based on CPU utilization. Which combination of actions is required? (Select TWO)

A.Configure an ELB target group health check
B.Create a CloudWatch alarm on the ECS service's CPUUtilization metric
C.Create a target tracking scaling policy for the ECS service
D.Enable auto scaling on the ECS cluster
E.Create an Application Auto Scaling step scaling policy
Answers: B, C

The alarm triggers scaling actions.

Why this answer

To scale ECS services, you create a CloudWatch alarm on CPU utilization and associate it with an Application Auto Scaling target tracking policy. Options B and C are correct.

1092
MCQ (easy)

A company stores sensitive customer data in Amazon S3. The security policy requires that all data be encrypted at rest using server-side encryption with a customer-managed AWS KMS key. Which S3 server-side encryption option should the developer use?

A.SSE-S3
B.SSE-KMS
C.SSE-C
D.Client-side encryption
Answer: B

SSE-KMS allows you to use a customer-managed KMS key for encryption.

Why this answer

SSE-KMS is the correct option because it provides server-side encryption with a customer-managed AWS KMS key, allowing the company to control key rotation, access policies, and audit usage via AWS CloudTrail. This meets the security policy requirement for encryption at rest using a customer-managed key, which SSE-S3 (using AWS-managed keys) and SSE-C (using customer-provided keys) do not fulfill.

Exam trap

The trap here is that candidates often confuse SSE-KMS with SSE-S3, assuming both use AWS-managed keys, but SSE-KMS uniquely supports customer-managed keys and additional control features like key rotation and audit logging.

How to eliminate wrong answers

Option A (SSE-S3) is wrong because it uses AWS-managed keys, not customer-managed keys, so it does not meet the policy requirement for customer control over the encryption key. Option C (SSE-C) is wrong because it requires the customer to provide their own encryption keys in each request, and AWS does not manage or store the key, which contradicts the requirement for a customer-managed AWS KMS key. Option D (Client-side encryption) is wrong because it encrypts data before sending it to S3, not at rest on the server side, and does not use S3 server-side encryption at all.

1093
MCQ (easy)

A developer is building a web application that must encrypt data in transit. Which AWS service should be used to manage SSL/TLS certificates?

A.AWS KMS
B.AWS Secrets Manager
C.AWS CloudHSM
D.AWS Certificate Manager (ACM)
Answer: D

ACM provides and manages SSL/TLS certificates.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is specifically designed to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services (e.g., Elastic Load Balancers, CloudFront, API Gateway). It handles the full lifecycle of certificates, including renewal, which directly addresses the requirement to encrypt data in transit using HTTPS.

Exam trap

The trap here is that candidates often confuse AWS KMS (used for encryption keys for data at rest) with SSL/TLS certificate management for data in transit, leading them to select KMS instead of ACM.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for symmetric and asymmetric encryption keys used for data at rest, not for managing SSL/TLS certificates for data in transit. Option B is wrong because AWS Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates. Option C is wrong because AWS CloudHSM provides dedicated hardware security modules for generating and storing encryption keys, but it does not manage SSL/TLS certificates or integrate directly with AWS services for automatic certificate deployment and renewal.

1094
Drag & Drop (medium)

Drag and drop the steps to authenticate a user using Amazon Cognito User Pools in the correct order.


Why this order

First create the user pool and app client, then authenticate to receive tokens, and use tokens for authorization.

1095
Multi-Select (hard)

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket despite having an IAM role with the correct permissions attached. Which THREE steps should the developer take to diagnose the issue?

Select 3 answers
A.Use the AWS CLI command 'aws sts assume-role' to test the role credentials.
B.Check the security group of the EC2 instance for outbound rules.
C.Check the IAM policy attached to the role for any explicit Deny statements.
D.Verify that the IAM role is correctly associated with the EC2 instance.
E.Modify the S3 bucket policy to grant access to the instance's security group.
Answers: A, C, D

Helps verify role trust and permissions.

Why this answer

Options A, C, and D are correct. Option A verifies the role's credentials and permissions. Option C checks the policy for an explicit Deny that would override the allowed actions. Option D checks whether the instance actually has the role attached.

Option E is wrong because modifying the bucket policy is not a diagnostic step. Option B is wrong because security groups do not affect S3 access granted via IAM roles.

1096
MCQ (hard)

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API receives a large number of requests with duplicate payloads from the same client within a short time window. To reduce Lambda invocations and improve performance, the developer wants to return the previously computed response for identical requests based on a unique client ID in the header. How can the developer achieve this using API Gateway features?

A.Enable API Gateway caching on the stage and configure the client ID header as a cache key parameter. Set a cache TTL of 5 minutes.
B.Configure a usage plan with a quota and throttle settings to limit requests per client ID.
C.Use request validation to reject requests that have the same client ID within 5 minutes.
D.Reduce the Lambda function's batch size to 1 and implement caching logic inside the function using an external cache like ElastiCache.
Answer: A

API Gateway caching uses cache key parameters to index responses. By including the client ID header in the cache key, different clients get separate cached responses. The TTL controls how long the response is cached.

Why this answer

Option A is correct because API Gateway caching allows you to store responses for a configurable TTL and use the client ID header as a cache key parameter. This means that when a request with the same client ID arrives within the TTL window, API Gateway returns the cached response directly without invoking the Lambda function, reducing invocations and improving performance.

Exam trap

The trap here is that candidates may confuse API Gateway caching (which returns cached responses for identical cache keys) with usage plans or throttling (which only limit request rates) or with Lambda-level caching (which still incurs invocation costs).

How to eliminate wrong answers

Option B is wrong because usage plans with quota and throttle settings limit the rate or total number of requests, but they do not return previously computed responses for duplicate payloads; they simply reject or delay requests. Option C is wrong because request validation in API Gateway only checks the structure and presence of required headers or body fields, not the content or duplication of payloads; it cannot reject requests based on a client ID being repeated. Option D is wrong because reducing the Lambda batch size to 1 is irrelevant (Lambda functions process one event at a time by default) and implementing caching inside the function with ElastiCache would still invoke Lambda for every request, missing the goal of reducing invocations; API Gateway caching avoids Lambda invocation entirely for cached responses.

1097
MCQ (easy)

A developer needs to securely store database credentials used by an application running on EC2. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3
D.AWS Certificate Manager (ACM)
Answer: A

Secrets Manager is designed for secure storage and automatic rotation of secrets like database credentials.

Why this answer

Option A is correct because AWS Secrets Manager is designed to securely store and rotate secrets such as database credentials. Option D is wrong because AWS Certificate Manager is for SSL/TLS certificates. Option B is wrong because Systems Manager Parameter Store can store secrets, but Secrets Manager provides built-in rotation and is more suitable for database credentials.

Option C is wrong because S3 is an object store, not designed for secret management.

1098
MCQ (hard)

A developer is deploying a microservices application using Amazon ECS with Fargate. The application consists of multiple services that need to communicate with each other over HTTP. The developer wants to ensure that service-to-service communication is encrypted in transit and that the services can discover each other by logical service names instead of IP addresses. Which combination of AWS services should the developer use?

A.Elastic Load Balancing with AWS Systems Manager
B.Amazon Route 53 with AWS Direct Connect
C.AWS Lambda with Amazon API Gateway
D.AWS App Mesh with AWS Cloud Map
Answer: D

App Mesh provides mTLS and Cloud Map provides service discovery, meeting both requirements.

Why this answer

AWS App Mesh provides service mesh capabilities including mTLS for encryption and service discovery using virtual services. AWS Cloud Map is used for service discovery with logical names. Together, they enable encrypted service-to-service communication.

Route 53 is for DNS but not mTLS. ELB is for load balancing, not service discovery. Systems Manager is for configuration management, not networking.

Direct Connect is a dedicated network connection.

1099
Multi-Select (medium)

Which TWO statements are true about AWS CodeDeploy deployment groups? (Choose two.)

Select 2 answers
A.A deployment group can only target a single EC2 instance.
B.A deployment group can use an Auto Scaling group as its target.
C.A deployment group can be shared across multiple CodeDeploy applications.
D.A deployment group is a collection of deployment targets for an application.
E.A deployment group cannot be associated with a load balancer.
Answers: B, D

Auto Scaling groups are common targets.

Why this answer

Option B is correct because AWS CodeDeploy deployment groups can target an Auto Scaling group, enabling automatic deployment to all instances in the group and integration with scaling events. This allows CodeDeploy to automatically deploy revisions to new instances launched by the Auto Scaling group, ensuring consistent application versions across the fleet.

Exam trap

The trap here is that candidates often confuse deployment groups with being application-specific and think they can be shared across applications, or they incorrectly assume that deployment groups are limited to single instances or cannot integrate with load balancers.

1100
MCQ (medium)

A developer is building an application that processes user-uploaded images. The application uses Amazon S3 to store the images and AWS Lambda to generate thumbnails. When a user uploads an image to an S3 bucket, an S3 event notification triggers a Lambda function. The Lambda function processes the image and saves the thumbnail to another S3 bucket. The developer notices that sometimes the Lambda function is not triggered after an upload. The developer checks the Lambda function's CloudWatch logs and sees no invocation records for those uploads. The S3 bucket event notification configuration appears correct. What is the most likely cause of this issue?

A.The destination S3 bucket does not have the correct bucket policy to allow the Lambda function to write thumbnails.
B.The S3 event notification is configured as an asynchronous invocation, and the event is lost.
C.The Lambda function's execution role does not have permission to read from the S3 bucket.
D.The S3 bucket and the Lambda function are in different AWS regions.
Answer: D

S3 event notifications can only trigger Lambda functions in the same region.

Why this answer

Option D is correct because S3 event notifications might not be delivered if the bucket is in a different region from the Lambda function; the function must be in the same region as the bucket for S3 event notifications to reach it. Option C is wrong because the execution role does not affect whether the function is invoked, only what it can do while executing. Option B is wrong because S3 event notifications are not asynchronous; they are delivered synchronously.

Option A is wrong because the destination bucket's permissions are not relevant to the invocation trigger.

1101
Multi-Select (hard)

A developer is debugging an AWS Lambda function that is invoked by an Amazon S3 event notification. The function sometimes fails with a 'ResourceNotFoundException' when trying to access a DynamoDB table. The function's execution role has the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "dynamodb:*",
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
        }
      ]
    }

What are TWO possible causes for this intermittent failure?

Select 2 answers
A. The Lambda function's execution role is not attached to the function.
B. The Lambda function is inside a VPC without a DynamoDB VPC endpoint.
C. The DynamoDB table name contains a typo in the Lambda code.
D. The IAM policy does not include the 'dynamodb:GetItem' action specifically.
E. The DynamoDB table is in a different AWS Region than the Lambda function.
Answers: C, E

If the code references a different table name, the ARN won't match.

Why this answer

Option E is correct because if the table is in a different region, the resource ARN region would be wrong. Option C is correct because if the table name is different, the ARN would not match. Option D is wrong because the policy allows all DynamoDB actions.

Option A is wrong because the function has the policy. Option B is wrong because VPC endpoints do not affect IAM permissions.

1102
Multi-Select · easy

A developer needs to securely transfer files from an on-premises server to an S3 bucket. Which TWO methods meet the security requirements?

Select 2 answers
A. Use the S3 sync command without any additional configuration.
B. Use AWS Transfer Family with SFTP protocol.
C. Generate a presigned URL and use it with wget.
D. Use the AWS CLI with the cp command over HTTPS.
E. Use FTP with TLS.
Answers: B, D

SFTP provides encrypted file transfers.

Why this answer

Option B is correct because AWS Transfer Family provides a fully managed service that supports SFTP (SSH File Transfer Protocol) for securely transferring files to Amazon S3. It uses SSH for authentication and encryption, ensuring data in transit is protected without requiring any changes to the on-premises server's existing SFTP infrastructure.

Exam trap

The trap here is that candidates may eliminate Option D, assuming the AWS CLI cp command lacks encryption. In fact the AWS CLI uses HTTPS (TLS) by default, so it encrypts data in transit and is a valid secure method. The question asks for 'methods' that meet the security requirements, and both B and D qualify.

1103
MCQ · hard

A developer is designing a serverless application that uses Amazon API Gateway and AWS Lambda. The application needs to handle a sudden spike in traffic. The Lambda function performs CPU-intensive operations. What should the developer do to ensure the application scales without errors?

A. Set the API Gateway throttling limits to a high value.
B. Use an Amazon SQS queue to buffer requests before processing.
C. Configure the Lambda function with reserved concurrency and provisioned concurrency.
D. Increase the Lambda function timeout to the maximum value.
Answer: C

Reserved concurrency ensures capacity, provisioned concurrency reduces cold starts.

Why this answer

Option C is correct because Lambda concurrency limits control scaling, and provisioned concurrency prevents cold starts. Option A is wrong because API Gateway throttling would reject requests. Option D is wrong because increasing the timeout doesn't help scaling.

Option D is wrong because reserved concurrency sets a limit, not a guarantee.

1104
MCQ · easy

A developer is building a microservice that needs to invoke another AWS Lambda function and wait for the result to continue processing. Which Lambda invocation type must the developer use to achieve synchronous invocation?

A. RequestResponse
B. Event
C. DryRun
D. None of the above
Answer: A

This invocation type causes the client to wait for the function to execute and return a response, enabling synchronous processing.

Why this answer

The RequestResponse invocation type is the correct choice for synchronous invocation of a Lambda function, where the caller waits for the function to execute and receive a response. This is the default invocation type when using the Invoke API with InvocationType set to 'RequestResponse', and it is required for microservices that need to block until the downstream Lambda returns a result.

Exam trap

The trap here is that candidates may confuse the Event invocation type (asynchronous) with synchronous behavior, or mistakenly think DryRun is a valid Lambda invocation type, leading them to select 'None of the above' when they don't recognize RequestResponse as the correct term.

How to eliminate wrong answers

Option B is wrong because the Event invocation type is asynchronous; it queues the invocation and returns immediately with an HTTP status code of 202, without waiting for the function to execute or return a result. Option C is wrong because DryRun is not a valid Lambda invocation type; it is a parameter used with other AWS services (e.g., EC2) to test permissions without executing the action. Option D is wrong because 'None of the above' is incorrect since RequestResponse is a valid and correct invocation type for synchronous invocation.

1105
Multi-Select · medium

A company is deploying a web application on AWS Elastic Beanstalk. The application requires a relational database. The company wants to decouple the database lifecycle from the environment lifecycle. Which TWO steps should the company take to achieve this? (Choose TWO.)

Select 2 answers
A. Use Amazon DynamoDB instead of Amazon RDS
B. Create an Amazon RDS DB instance outside of Elastic Beanstalk
C. Add an Amazon RDS DB instance to the Elastic Beanstalk environment using the Elastic Beanstalk console
D. Configure the Elastic Beanstalk environment to use environment properties to pass the DB connection string
E. Create a separate Elastic Beanstalk environment for the database
Answers: B, D

Separate lifecycle.

Why this answer

Option B is correct because creating an Amazon RDS DB instance outside of Elastic Beanstalk decouples the database lifecycle from the environment lifecycle. This means the database can be retained, modified, or terminated independently of the Elastic Beanstalk environment, preventing data loss when the environment is terminated or recreated. The application can then connect to the external RDS instance via environment properties passed to the EC2 instances.

Exam trap

The trap here is that candidates often think adding an RDS instance via the Elastic Beanstalk console is the correct way to decouple the database, but it actually couples the database lifecycle to the environment, leading to potential data loss when the environment is terminated.

1106
MCQ · hard

The above resource-based policy is attached to an SQS queue. An application running on an EC2 instance with the IAM role 'AppRole' tries to send a message to the queue but receives an access denied error. What is the most likely cause?

A. The SQS queue is encrypted with a KMS key that the role cannot use
B. The principal ARN in the policy is incorrect
C. The SQS queue policy does not include the correct region
D. The IAM role does not have an identity-based policy allowing sqs:SendMessage
Answer: D

The role needs an identity-based policy that allows the action; the queue policy alone is insufficient if the role has no permissions of its own.

Why this answer

The resource-based policy allows the role to send messages, but the role itself must also have an IAM policy that allows sqs:SendMessage. Without that, the request is denied because both the identity-based policy and the resource-based policy must grant access (unless one is an explicit deny).

1107
MCQ · easy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway endpoint and an AWS Lambda function. The developer wants to define a stage name for the API Gateway deployment. Which section of the SAM template should the developer use?

A. Globals
B. Conditions
C. Outputs
D. Parameters
Answer: A

Globals section includes Api.StageName to set stage name for all APIs.

Why this answer

Option A is correct because the Globals section allows setting properties that apply to all resources, including Api.StageName. Option C is wrong because Outputs are for stack outputs. Option D is wrong because Parameters are for input values.

Option B is wrong because Conditions are for conditional resource creation.

1108
MCQ · medium

A developer notices that an AWS Lambda function is timing out after 3 seconds. The function processes messages from an SQS queue. What is the MOST likely cause of the timeout?

A. The SQS dead-letter queue is not configured.
B. The SQS queue visibility timeout is too short.
C. The Lambda function timeout is set too low.
D. The Lambda function's reserved concurrency is set to zero.
Answer: C

The default timeout is 3 seconds; increasing it resolves the timeout.

Why this answer

The function's timeout setting is likely lower than the time needed for processing. Option C is correct because the default Lambda timeout is 3 seconds, and increasing it can resolve the issue. Option B is wrong because the SQS visibility timeout controls message redelivery, not the function timeout.

Option D is wrong because reserved concurrency affects scaling, not the individual function timeout. Option A is wrong because the DLQ is for failed messages, not timeout control.

1109
MCQ · medium

A developer is using Amazon API Gateway to expose a Lambda function as a REST API. The Lambda function queries an Amazon RDS database. Under heavy load, the database connection pool is exhausted, causing errors. What is the BEST way to manage database connections in this serverless architecture?

A. Migrate the database to Amazon DynamoDB.
B. Increase the concurrency limit of the Lambda function.
C. Use Amazon RDS Proxy to pool and share database connections.
D. Use Amazon ElastiCache to cache database connections.
Answer: C

RDS Proxy manages connection pooling, allowing Lambda functions to share connections efficiently.

Why this answer

Option C is correct because RDS Proxy is designed to manage database connection pooling for serverless applications, reducing connection exhaustion. Option B is incorrect because increasing Lambda concurrency would make the problem worse. Option D is incorrect because storing connections in ElastiCache does not help with database connections.

Option A is incorrect because using DynamoDB would change the database, not solve the connection management issue.

1110
MCQ · medium

A team uses AWS CloudFormation to manage infrastructure. They want to update a stack that contains an Amazon RDS database. During the update, they need to modify the DB instance class. Which update policy should they use to minimize downtime?

A. SnapshotUpdate
B. AutoScalingReplacingUpdate
C. ReplacingUpdate
D. AutoScalingRollingUpdate
Answer: B

This policy replaces the DB instance with a new one while keeping the old one until the new is healthy.

Why this answer

Option B is correct because the AWS::RDS::DBInstance resource supports the UpdatePolicy with AutoScalingReplacingUpdate, which can perform a rolling replacement. To truly minimize downtime, a blue/green deployment pattern is preferable, but among the given options 'AutoScalingReplacingUpdate' is the policy for replacing instances with minimal downtime.

Option D is incorrect because 'AutoScalingRollingUpdate' is for Auto Scaling groups. Option C is incorrect because 'ReplacingUpdate' is not a valid CloudFormation policy. Option A is incorrect because 'SnapshotUpdate' is not a standard policy.

1111
MCQ · easy

A developer is troubleshooting an AWS CloudFormation stack creation failure. The stack creation failed with the error: 'Resource creation cancelled'. What does this error typically indicate?

A. The IAM user does not have permission to create the resource.
B. Another resource in the stack failed, causing a rollback.
C. The template has a syntax error.
D. The resource type is not supported by CloudFormation.
Answer: B

CloudFormation cancels creation of remaining resources if one fails.

Why this answer

Option B is correct because 'Resource creation cancelled' means a different resource in the stack failed, causing rollback. Option A is wrong because insufficient IAM permissions would give an access denied error. Option C is wrong because the error is not about template validation.

Option D is wrong because the error does not indicate an unsupported resource type.

1112
MCQ · hard

A developer is troubleshooting an Amazon API Gateway REST API that returns 504 Gateway Timeout errors for certain requests. The backend is a Lambda function that performs a resource-intensive operation that occasionally takes up to 30 seconds. API Gateway has a default integration timeout of 29 seconds. The developer cannot reduce the execution time. What should the developer do to resolve the timeout issue?

A. Increase the API Gateway integration timeout to 30 seconds.
B. Refactor the Lambda function to use asynchronous invocation, return a 202 immediately, and have the client poll for results.
C. Enable API Gateway caching to avoid repeated calls.
D. Use multiple Lambda functions to parallelize processing.
Answer: B

Correct. Asynchronous processing avoids the timeout by decoupling the request from the long-running work.

Why this answer

Option B is correct because it decouples the client from the long-running Lambda execution. By invoking the Lambda asynchronously, the API Gateway can return a 202 Accepted response immediately, well within the 29-second integration timeout. The client then polls a separate endpoint (e.g., using a presigned S3 URL or a DynamoDB status record) to retrieve the final result, completely sidestepping the timeout limitation.

Exam trap

The trap here is that candidates assume the integration timeout is configurable to any value, but AWS enforces a hard 29-second limit for REST APIs, making Option A technically impossible.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway has a hard maximum integration timeout of 29 seconds for REST APIs (and 30 seconds for HTTP APIs). You cannot increase it beyond that limit, so setting it to 30 seconds is not possible. Option C is wrong because caching only serves previously computed responses for identical requests; it does not reduce the execution time of a new, uncached request that still takes up to 30 seconds.

Option D is wrong because parallelizing the Lambda function does not reduce the total execution time of a single resource-intensive operation; the request still waits for all parallel tasks to complete, which can still exceed the 29-second timeout.

1113
MCQ · medium

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption. The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not include the server-side encryption header. Which IAM condition key should be used?

A. s3:x-amz-server-side-encryption
B. s3:x-amz-server-side-encryption-aws-kms-key-id
C. s3:x-amz-acl
D. s3:x-amz-storage-class
Answer: A

This condition key checks the server-side encryption header in the request, allowing you to require encryption.

Why this answer

Option A is correct because the `s3:x-amz-server-side-encryption` condition key matches the `x-amz-server-side-encryption` request header, which is used to specify server-side encryption (SSE-S3 or SSE-KMS) for S3 PutObject requests. By denying requests that do not include this header, the policy enforces that all uploads must be encrypted at rest using server-side encryption.

Exam trap

The trap here is that candidates confuse the condition key for requiring encryption (`s3:x-amz-server-side-encryption`) with the key for specifying a particular KMS key (`s3:x-amz-server-side-encryption-aws-kms-key-id`), leading them to pick option B when the question only asks about enforcing the presence of any server-side encryption header.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` is used to enforce a specific KMS key ID for SSE-KMS, not to require the presence of any server-side encryption header. Option C is wrong because `s3:x-amz-acl` controls access control list settings, not encryption. Option D is wrong because `s3:x-amz-storage-class` controls the storage class (e.g., STANDARD, GLACIER), not encryption.

1114
MCQ · hard

An application stores session data in DynamoDB and must expire sessions automatically after a timestamp. Which feature should be used?

A. DynamoDB global tables
B. DynamoDB transactions
C. DynamoDB export to S3
D. DynamoDB Time to Live
Answer: D

Correct for the stated requirement.

Why this answer

DynamoDB Time to Live (TTL) allows you to define a timestamp attribute per item, and DynamoDB automatically deletes items once that timestamp is reached. This is the ideal feature for expiring session data without requiring custom scan-and-delete logic, reducing cost and operational overhead.

Exam trap

The trap here is that candidates may confuse DynamoDB TTL with DynamoDB Streams or Lambda triggers for cleanup, but TTL is the native, serverless mechanism that requires no custom code for expiration.

How to eliminate wrong answers

Option A is wrong because DynamoDB global tables replicate data across regions for low-latency access and disaster recovery, not for automatic expiration of items. Option B is wrong because DynamoDB transactions provide ACID guarantees for multi-item operations, not scheduled deletion based on time. Option C is wrong because DynamoDB export to S3 is used for point-in-time backups or data lake integration, not for expiring items within the table.

1115
MCQ · easy

A Lambda function is timing out after 3 seconds when processing an S3 event. The function reads a file from S3 and writes to DynamoDB. The timeout is set to 5 seconds. What is the MOST likely cause of the timeout?

A. The function is attached to a VPC without a NAT gateway, causing network timeouts when accessing S3 and DynamoDB.
B. DynamoDB write capacity is insufficient, causing write requests to be throttled.
C. The function's memory allocation is too low, causing CPU throttling.
D. The function is hitting the reserved concurrency limit and being throttled.
Answer: A

Lambda functions in a VPC without internet access or VPC endpoints cannot reach S3 or DynamoDB, causing calls to hang until the Lambda timeout.

Why this answer

Option A is correct. The default Lambda timeout is 3 seconds, and the function's configured timeout (5 seconds) is higher, so the function should not be terminated at 3 seconds unless it is hanging. The stem's wording 'timing out after 3 seconds' suggests execution is being terminated at 3 seconds, which most commonly means the configured timeout is actually 3 seconds rather than the stated 5.

Taking the stem at its word that the timeout is set to 5 seconds, a function that still times out points to a VPC configuration causing network delays: a function in a VPC without a proper internet gateway, NAT gateway, or VPC endpoints cannot reach S3 or DynamoDB, so those calls hang until the timeout. Option A addresses that.

Option C (insufficient memory) would cause slower execution but not a hard timeout at exactly 3 seconds. Option D (concurrency limit) would cause throttling, not a timeout. Option B (DynamoDB throttling) would cause retries and slower performance but not a hard timeout at 3 seconds.

1116
MCQ · easy

A developer needs to temporarily grant an IAM user permissions to perform a specific task. The permissions should expire after 12 hours. Which approach should the developer use?

A. Attach a policy to the user and detach it after 12 hours.
B. Use AWS STS to generate temporary security credentials.
C. Use cross-account IAM roles.
D. Create a new IAM user with the required permissions and delete the user after 12 hours.
Answer: B

Temporary and time-limited.

Why this answer

AWS Security Token Service (STS) can generate temporary security credentials that are valid for a configurable duration, up to a maximum of 12 hours for IAM users. This allows the developer to grant permissions that automatically expire without manual intervention, meeting the requirement precisely.

Exam trap

The trap here is that candidates may confuse temporary credentials with manual policy management or cross-account roles, but the key requirement is automatic expiration within the same account, which only STS provides.

How to eliminate wrong answers

Option A is wrong because manually attaching and detaching a policy after 12 hours requires human intervention or custom automation, which is error-prone and does not provide automatic expiration. Option C is wrong because cross-account IAM roles are designed for granting access across different AWS accounts, not for temporary permissions within the same account. Option D is wrong because creating and deleting an IAM user is an overly complex and risky approach; it also does not automatically expire permissions after exactly 12 hours without additional scripting.

1117
MCQ · medium

A company is using AWS Elastic Beanstalk for a Node.js application. The environment's health is 'Severe' and the logs show 'ELB health check target http://:80/ is not responding'. What is the MOST likely cause?

A. The application is not deployed to the EC2 instances.
B. The application is listening on a different port than the health check expects.
C. The security group for the EC2 instances is blocking traffic on port 80.
D. The load balancer is not configured to listen on port 80.
Answer: B

The health check URL shows port 80, but the application may be configured to listen on a custom port, causing the health check to fail.

Why this answer

Option B is correct because the health check path is set to HTTP port 80 by default, but the application may be listening on a custom port. Option A is wrong because if the application is not deployed, the error would be different. Option D is wrong because the health check error is about the target, not the load balancer.

Option C is wrong because the security group would block all traffic, not just health checks.

1118
MCQ · hard

A DevOps engineer is implementing a blue/green deployment for a microservice running on Amazon ECS with Fargate. The service is fronted by an Application Load Balancer. During deployment, the new task set fails health checks, but the deployment does not automatically roll back. What is the MOST likely reason?

A. The ECS service deployment controller is set to 'ECS' instead of 'CODE_DEPLOY'.
B. The CodeDeploy application and deployment group are not configured for automatic rollback.
C. The health check grace period is set too high.
D. The ECS service is configured with a 'minimum healthy percent' of 100 percent.
Answer: A

With ECS deployment controller, blue/green deployments do not support automatic rollback; must use CODE_DEPLOY controller to enable CodeDeploy and automatic rollback.

Why this answer

Option A is correct. For blue/green deployments on ECS, you must specify a deployment controller type of 'CODE_DEPLOY' to use CodeDeploy and enable automatic rollback. If the controller is 'ECS' (the default), the deployment is managed by ECS and does not support automatic rollback on health check failures in blue/green mode.

Option B is wrong because CodeDeploy is not used if the deployment controller is not CODE_DEPLOY. Option C is wrong because the health check grace period delays health checks but does not prevent rollback if checks fail after the grace period. Option D is wrong because ECS does roll back if health checks fail when using the ECS deployment controller with a rolling update, but not for blue/green.

1119
MCQ · easy

A developer is building a web application that must encrypt data in transit between the client and the server. Which AWS service should be used to offload SSL/TLS termination?

A. Application Load Balancer (ALB)
B. Amazon CloudFront
C. Network Load Balancer (NLB)
D. Amazon Route 53
Answer: A

ALB supports SSL/TLS termination.

Why this answer

An Application Load Balancer (ALB) supports SSL/TLS termination by decrypting HTTPS traffic from clients and forwarding it as HTTP to backend targets. This offloads the cryptographic processing from application servers, reducing their CPU load and centralizing certificate management. ALB uses listener rules with SSL/TLS certificates stored in AWS Certificate Manager (ACM) or uploaded via IAM, and it supports TLS 1.2 and 1.3 protocols.

Exam trap

The trap here is that candidates confuse Network Load Balancer's ability to handle TLS traffic (via passthrough) with SSL/TLS termination, but NLB cannot decrypt traffic—only ALB and Classic Load Balancer (CLB) can terminate SSL/TLS at Layer 7.

How to eliminate wrong answers

Option B (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations; while it can terminate SSL/TLS, its primary purpose is not to offload termination for a single web application but to accelerate delivery globally, and it does not function as a load balancer for backend targets. Option C (Network Load Balancer) is wrong because NLB operates at Layer 4 (TCP/UDP) and does not terminate SSL/TLS; it can pass through TLS traffic to targets but cannot decrypt it, so it cannot offload termination. Option D (Amazon Route 53) is wrong because Route 53 is a DNS service that resolves domain names to IP addresses; it has no capability to terminate SSL/TLS or handle HTTPS traffic.

1120
MCQ · medium

A developer is troubleshooting an EC2 instance that is unreachable via SSH. The instance passed the status checks, and the security group allows SSH from the developer's IP. What should the developer check next?

A. The security group's outbound rules.
B. The route table for the subnet.
C. The network ACL's outbound rules.
D. The instance's system log for kernel errors.
Answer: C

NACLs are stateless and must allow outbound traffic for the ephemeral ports.

Why this answer

The network ACL is stateless and must allow both inbound and outbound traffic. Option C is correct: the outbound ephemeral port range must be allowed for the return traffic. Option A is wrong because the security group is stateful and allows return traffic automatically.

Option D is wrong because the instance is reachable for status checks. Option B is wrong because route tables do not affect direct connectivity to the instance from the internet if it has a public IP.

1121
MCQ · hard

A developer is debugging an issue where an IAM user cannot list objects in an S3 bucket. The user has the following IAM policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    }
  ]
}

What is missing?

A. The Resource ARN is incorrect.
B. The bucket has a bucket policy that denies access.
C. The user needs to enable S3 ACLs.
D. The policy needs to also allow s3:GetObject on the objects.
Answer: D

ListBucket lists objects but doesn't allow reading them; GetObject is needed to view object details.

Why this answer

The IAM policy only grants the s3:ListBucket permission, which allows listing the objects in the bucket but not reading their contents. To actually list objects, the s3:ListBucket action is sufficient; however, the question implies the user cannot list objects at all. The missing permission is s3:GetObject, which is required to retrieve object metadata and data when using certain S3 operations like GetObject or HeadObject.

Without s3:GetObject, the user may fail to list objects if the bucket policy or ACLs require read access for the listing operation to succeed.

Exam trap

The trap here is that candidates often assume s3:ListBucket alone is enough to list objects in the console or CLI, but they overlook that the console also needs s3:GetObject to display object metadata, leading them to incorrectly choose options like bucket policy or ACLs.

How to eliminate wrong answers

Option A is wrong because the Resource ARN 'arn:aws:s3:::example-bucket' is correct for the s3:ListBucket action, which targets the bucket itself, not individual objects. Option B is wrong because the question does not mention any bucket policy, and the IAM policy alone is sufficient to grant the listed permission; a bucket policy that denies access would be an explicit denial, but the issue is about missing permissions, not an explicit deny. Option C is wrong because S3 ACLs are not required for IAM users to list objects; IAM policies and bucket policies are the primary mechanisms for access control, and ACLs are legacy and disabled by default for new buckets.

1122
MCQ · hard

A developer is using AWS CodeBuild to build a Java application. The build fails with 'OutOfMemoryError: Java heap space'. How can the developer fix this without changing the source code?

A. Add -Xmx1024m to the buildspec commands
B. Change the build image to a smaller one
C. Set the memory parameter in the build project
D. Increase the compute type of the build project
Answer: D

Larger compute types have more memory, which can resolve heap space errors.

Why this answer

Option D is correct because increasing the compute type provides more memory. Option A is wrong because CodeBuild does not support custom JVM options in buildspec. Option B is wrong because changing the image may not help.

Option C is wrong because CodeBuild doesn't have a memory setting separate from the compute type.

1123
Multi-Select · hard

A developer is deploying an application that uses Amazon SQS queues. The messages contain sensitive data that must be encrypted at rest. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Encrypt the messages client-side before sending to SQS.
B. Store the messages in an S3 bucket with default encryption instead of using SQS.
C. Configure the SQS queue to use a customer managed KMS key.
D. Enable server-side encryption (SSE) for the SQS queue using AWS KMS.
E. Use AWS CloudHSM to generate and store the encryption keys.
Answers: C, D

You can specify a KMS key for SSE.

Why this answer

Option C is correct because configuring an SQS queue to use a customer managed KMS key gives you control over the key lifecycle, including rotation and access policies, while still leveraging AWS KMS for server-side encryption. Option D is also correct because enabling server-side encryption (SSE) for SQS using AWS KMS encrypts messages at rest automatically, without requiring client-side changes. Together, these two actions ensure that sensitive data in SQS messages is encrypted at rest using KMS, meeting the requirement.

Exam trap

The trap here is that candidates often think client-side encryption (Option A) is required for encryption at rest, but SQS SSE with KMS provides server-side encryption at rest without needing to modify the application code, making client-side encryption redundant for this specific requirement.

1124
MCQ · hard

A company uses AWS OpsWorks for configuration management. They want to deploy a new application version to a stack. Which lifecycle event should they use to run deployment scripts?

A. Configure
B. Undeploy
C. Setup
D. Deploy
Answer: D

Runs when you deploy an app.

Why this answer

The Deploy lifecycle event in AWS OpsWorks is specifically designed to run deployment scripts when you deploy a new application version to a stack. This event occurs after the application code has been installed, allowing you to execute custom scripts for tasks like database migrations, cache clearing, or service restarts. It is the correct choice because it aligns with the deployment phase of the application lifecycle.

Exam trap

The trap here is that candidates confuse the Deploy event with the Setup or Configure events, mistakenly thinking that code deployment happens during initial instance setup or configuration updates, rather than understanding that Deploy is the dedicated event for application version releases.

How to eliminate wrong answers

Option A is wrong because the Configure lifecycle event runs whenever an instance enters or leaves the online state, not for deploying application code; it is used for updating configuration files or adjusting settings based on the stack's current state. Option B is wrong because Undeploy is not a standard lifecycle event in AWS OpsWorks; the correct event for removing an application is the Shutdown lifecycle event, which runs when an instance is stopped or terminated. Option C is wrong because the Setup lifecycle event runs only once when an instance is first booted, to install packages and configure the instance, not for deploying new application versions.

1125
Multi-Select · medium

A company uses AWS CodePipeline to deploy a web application. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The developer wants to add a manual approval step before the Deploy stage. Which TWO configurations are required?

Select 2 answers
A. An Amazon SES identity to send emails.
B. An AWS Lambda function to send approval emails.
C. An Amazon CloudWatch alarm to trigger the approval.
D. An IAM role that allows CodePipeline to publish to the SNS topic.
E. An Amazon SNS topic to notify the approver.
Answers: D, E

The pipeline needs permission to publish to SNS.

Why this answer

Options D and E are correct because a manual approval action requires an SNS topic for notification and an IAM role for the pipeline to publish to SNS. Option B is wrong because Lambda is not required. Option C is wrong because CloudWatch is not needed.

Option A is wrong because SES is not used.
