AWS Certified Developer Associate (DVA-C02) — Questions 1126–1200

1616 questions total · 22 pages · All types, answers revealed

Page 16 of 22
1126 · Multi-Select · easy

Which TWO practices help optimize costs in Amazon DynamoDB? (Choose 2.)

Select 2 answers
A. Purchase reserved capacity for all tables regardless of usage.
B. Use Auto Scaling to adjust read/write capacity based on traffic.
C. Create multiple Global Secondary Indexes for query flexibility.
D. Enable DAX (DynamoDB Accelerator) for all tables.
E. Use on-demand capacity mode for unpredictable workloads.
Answers: B, E

Auto scaling matches capacity to demand, reducing waste.

Why this answer

Option B is correct because DynamoDB Auto Scaling automatically adjusts provisioned read and write capacity based on actual traffic patterns, preventing over-provisioning and reducing costs during low-demand periods. Option E is correct because on-demand capacity mode charges per request, making it cost-effective for unpredictable workloads where capacity planning is difficult, avoiding the cost of idle provisioned capacity.

Exam trap

The trap here is that candidates often assume more indexes or always-on DAX improve performance without considering the associated cost overhead, or they mistakenly think reserved capacity is always cheaper regardless of usage patterns.

1127 · MCQ · hard

A developer attached the IAM policy above to an IAM user. The user reports that they receive an AccessDenied error when trying to upload a file to the S3 bucket using the AWS CLI without specifying any server-side encryption. What is the reason for the error?

A. The policy does not allow the s3:PutObject action on the bucket itself.
B. The request does not include the required server-side encryption header.
C. The IAM user does not have permissions to use the s3:PutObject action.
D. The bucket policy overrides the IAM policy.
Answer: B

The condition requires the encryption header to be set to AES256.

Why this answer

Option B is correct because the policy's condition requires s3:x-amz-server-side-encryption to be AES256; when the header is omitted the condition is not met and the request is denied. Option A is wrong because the resource in the policy is correct.

Option C is wrong because the s3:PutObject action is allowed. Option D is wrong because the question describes no bucket policy; the denial comes from the IAM policy's own condition not being satisfied by an upload without the encryption header.

1128 · MCQ · hard

A company has a Lambda function that writes to an S3 bucket. The IAM role used by the function has an inline policy allowing s3:PutObject on the bucket. However, writes fail with an access denied error. What is the MOST likely cause?

A. The S3 bucket is in a different region.
B. The S3 bucket uses SSE-KMS encryption and the function lacks kms:Decrypt permissions.
C. The Lambda function does not have the correct execution role.
D. The S3 bucket has a bucket policy that denies the request.
Answer: D

A bucket policy can override IAM permissions with an explicit deny.

Why this answer

Option D is correct because an explicit deny in an S3 bucket policy overrides an allow granted by IAM. Option A is wrong because the bucket's Region does not by itself produce an access denied error. Option C is wrong because the function's execution role already grants the required permission.

Option B is wrong because, although SSE-KMS would require additional KMS permissions, an explicit bucket policy deny is the more likely cause of an access denied error.

1129 · MCQ · hard

A developer is tasked with rotating database credentials stored in AWS Secrets Manager for an RDS MySQL instance. The rotation must occur automatically every 30 days. What is the BEST approach?

A. Store the credentials in AWS Systems Manager Parameter Store and use a scheduled Lambda to rotate them.
B. Use RDS automatic password rotation and have the application fetch the new password from RDS.
C. Use an IAM role for the RDS instance and rotate the role's credentials.
D. Configure automatic rotation in Secrets Manager using a rotation Lambda function.
Answer: D

Secrets Manager supports automatic rotation with a custom Lambda.

Why this answer

Option D is correct because Secrets Manager can rotate credentials automatically on a schedule using a rotation Lambda function. Option A is wrong because Parameter Store does not support automatic rotation. Option C is wrong because IAM roles are for AWS principals such as EC2, not database credentials.

Option B is wrong because RDS generating a new master password does not update Secrets Manager automatically.

1130 · Multi-Select · medium

A developer is designing a system that ingests high-volume data from IoT devices. The data must be processed in near real-time and then stored in Amazon S3 for analytics. Which TWO AWS services should the developer use together to meet these requirements? (Choose TWO.)

Select 2 answers
A. Amazon SQS
B. Amazon SNS
C. Amazon Kinesis Data Streams
D. Amazon EC2
E. AWS Lambda
Answers: C, E

Kinesis Data Streams ingests high-volume streaming data.

Why this answer

Options C and E are correct. Amazon Kinesis Data Streams can ingest high-volume streaming data, and AWS Lambda can process the stream in near real time. Option A is wrong because SQS is a message queue, not a streaming service.

Option B is wrong because SNS is for pub/sub, not streaming. Option D is wrong because EC2 is not serverless and requires management.

1131 · Multi-Select · hard

A developer is designing a serverless application that processes streaming data from IoT devices. The application must be able to handle data from millions of devices and store the data in a durable, scalable data store. Which AWS services should the developer use? (Choose THREE.)

Select 3 answers
A. Amazon Kinesis Data Streams
B. Amazon RDS
C. Amazon DynamoDB
D. AWS Lambda
E. Amazon SQS
Answers: A, C, D

Kinesis Data Streams can ingest high-throughput streaming data.

Why this answer

Option A is correct because Kinesis Data Streams can ingest large volumes of streaming data. Option C is correct because DynamoDB is a scalable, durable data store suitable for IoT data. Option D is correct because Lambda can process the data in real time.

Option B is wrong because RDS does not scale as well for high-throughput streaming data. Option E is wrong because SQS is not a streaming service.

1132 · MCQ · easy

A developer is building a serverless application using AWS Lambda. The function needs to access a private S3 bucket in the same AWS account. What is the BEST way to grant the Lambda function access to the bucket?

A. Create an IAM execution role with an S3 access policy and attach it to the Lambda function.
B. Store AWS credentials in environment variables and use them in the function code.
C. Attach an inline IAM policy directly to the Lambda function.
D. Add a bucket policy to the S3 bucket allowing the Lambda function's ARN.
Answer: A

Correct: The execution role is the standard way to grant permissions to Lambda.

Why this answer

Option A is correct because the Lambda execution role is attached to the function and carries an IAM policy granting access to the S3 bucket. This follows the principle of least privilege and avoids hardcoding credentials. Option B is wrong because environment variables would expose long-lived credentials.

Option C is wrong because Lambda does not have an inline policy property; policies are attached via the execution role. Option D is wrong because bucket policies are resource-based and cannot be attached to a function.

1133 · Multi-Select · hard

A developer is using AWS Lambda with an Amazon DynamoDB trigger. The Lambda function processes items from a DynamoDB Stream. The developer needs to ensure that the function processes each change exactly once and in order. Which TWO configurations should the developer use?

Select 2 answers
A. Use a FIFO queue as an event source instead of DynamoDB Streams.
B. Increase the Lambda function's concurrency limit.
C. Set a reserved concurrency for the Lambda function to limit concurrent executions.
D. Set the batch size to 1 in the event source mapping.
E. Enable the batch window in the event source mapping.
Answers: C, D

Prevents too many parallel invocations.

Why this answer

Option C is correct because reserved concurrency limits how many instances of the function run in parallel. Option D is correct because a batch size of 1 processes each record individually, preserving order. Option A is wrong because DynamoDB Streams already delivers records in order; no FIFO queue is needed.

Option B is wrong because increasing concurrency is unnecessary. Option E is wrong because a batch window is not needed.

1134 · Multi-Select · hard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment group has a deployment configuration of CodeDeployDefault.AllAtOnce. During a deployment, some instances fail the deployment. Which THREE actions should the developer take to improve the deployment health?

Select 3 answers
A. Increase the minimum number of healthy instances in the Auto Scaling group.
B. Change the deployment configuration to CodeDeployDefault.OneAtATime.
C. Configure a lifecycle hook to run validation tests before the instance is marked as healthy.
D. Use a larger instance type to handle the deployment load.
E. Add an Elastic Load Balancer health check to the deployment group.
Answers: B, C, E

Deploys to one instance at a time, reducing blast radius.

Why this answer

Option B (use CodeDeployDefault.OneAtATime) is correct because it reduces risk by deploying to one instance at a time. Option C (use lifecycle hooks) is correct because it runs validation tests before instances are marked healthy. Option E (add an ELB health check) is correct because it catches issues early.

Option A is wrong because raising the minimum number of healthy instances does not help with deployment failures. Option D is wrong because a larger instance type does not affect deployment health.

1135 · MCQ · hard

An application uses Amazon Cognito user pools for authentication. A developer wants to restrict access to an API Gateway endpoint to only authenticated users from a specific user pool. What is the best approach?

A. Attach an IAM policy to the API Gateway resource that allows only the Cognito user pool ARN.
B. Use a Cognito User Pool authorizer in API Gateway.
C. Use an API Gateway resource policy that allows access only from the Cognito user pool.
D. Use a Lambda authorizer that validates the JWT token against the user pool.
Answer: B

API Gateway directly supports Cognito user pool authorizers for JWT validation.

Why this answer

Option B is correct because a Cognito User Pool authorizer in API Gateway is the native, fully managed way to restrict access to an API endpoint to authenticated users from a specific user pool. It automatically validates the JWT token issued by the user pool and caches the result, requiring no custom code. This approach integrates directly with API Gateway's authorization flow, ensuring only tokens from the specified user pool are accepted.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a Lambda authorizer (option D) because they think they need custom validation logic, forgetting that API Gateway has a built-in Cognito User Pool authorizer that handles JWT validation natively without any custom code.

How to eliminate wrong answers

Option A is wrong because IAM policies cannot reference a Cognito user pool ARN as a principal or resource for API Gateway; IAM policies control access based on IAM users/roles, not user pool identities. Option C is wrong because API Gateway resource policies control access by source IP, VPC, or AWS account, not by Cognito user pool tokens or user pool ARN. Option D is wrong because while a Lambda authorizer could validate a JWT against a user pool, it is unnecessary overhead and not the 'best approach' when a built-in Cognito User Pool authorizer exists that is simpler, faster, and requires no custom code.

1136 · MCQ · medium

A company runs a production application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application receives high traffic and needs to process incoming HTTP requests, store the request payload in an S3 bucket for auditing, and return a response. The development team uses AWS Lambda to process the payload. The team wants to ensure that the solution is scalable, fault-tolerant, and decoupled. The current approach is to have the EC2 instances send requests directly to the Lambda function via the AWS SDK. However, the team notices that during traffic spikes, some requests are lost and the Lambda function throttles. What should the team do to improve the architecture?

A. Increase the Lambda function's reserved concurrency to the maximum allowed.
B. Place API Gateway in front of Lambda and have EC2 send requests to API Gateway.
C. Use Amazon Kinesis Data Streams instead of Lambda to process the payload.
D. Have the EC2 instances send messages to an Amazon SQS queue, and configure the SQS queue as an event source for the Lambda function.
Answer: D

SQS decouples the producers from consumers, provides a buffer, and Lambda can poll at its own pace, reducing throttling.

Why this answer

Option D is correct because using SQS decouples the EC2 instances from Lambda, provides buffering, and reduces throttling. Option A is incorrect because increasing Lambda concurrency may not solve the loss of requests; requests can still be dropped if Lambda is overwhelmed. Option B is incorrect because API Gateway still invokes Lambda synchronously and may still cause throttling.

Option C is incorrect because Kinesis is for real-time streaming and is not ideal for simple request queuing.

1137 · MCQ · medium

A developer receives an AccessDenied error when trying to put an object into an S3 bucket using the AWS SDK. The IAM user has an attached policy that grants s3:PutObject on the bucket. What is the MOST likely cause of the error?

A. The request is being throttled by S3.
B. The object key is too long.
C. The AWS SDK version is outdated.
D. The bucket policy explicitly denies the action.
Answer: D

An explicit deny in a bucket policy overrides any allow from an IAM policy.

Why this answer

Option D is correct because S3 buckets often have a bucket policy that explicitly denies access, which overrides the IAM user's allow. Option A is wrong because the error is AccessDenied, not a throttling or timeout error. Option B is wrong because an over-long object key is rejected with a key-length error, not AccessDenied.

Option C is wrong because the issue is at the API authorization level, not the SDK version.

1138 · MCQ · medium

A developer needs to encrypt secrets such as database passwords used by an application running on EC2. Which AWS service should be used to securely store and rotate these secrets?

A. AWS CloudHSM
B. AWS Secrets Manager
C. AWS KMS
D. AWS Systems Manager Parameter Store
Answer: B

Designed for secrets with rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate secrets such as database passwords, API keys, and other credentials. It integrates natively with AWS services like RDS, Redshift, and DocumentDB to enable automatic rotation of secrets without custom code, and it enforces encryption at rest using AWS KMS. This makes it the ideal service for the use case described, where secrets must be both stored securely and rotated automatically.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is the key requirement in this question.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules for cryptographic key storage and operations, but it does not offer a managed service for storing or rotating secrets like database passwords; it is a lower-level key management solution. Option C is wrong because AWS KMS is a key management service that creates and controls encryption keys used to encrypt data, but it does not store secrets or provide automatic rotation of secrets; it only supports automatic rotation of the KMS key itself, not the secret value. Option D is wrong because AWS Systems Manager Parameter Store can store secrets as SecureString parameters with KMS encryption, but it lacks built-in automatic rotation capabilities; any rotation would require custom implementation using AWS Lambda or other automation.

1139 · MCQ · medium

A developer is using Amazon DynamoDB and notices that read requests are frequently throttled. The table has provisioned read capacity of 100 read capacity units (RCUs) and is used by a web application that experiences bursty traffic. The developer wants to minimize throttling without manual intervention. Which action should the developer take?

A. Enable DynamoDB Accelerator (DAX)
B. Increase the write capacity
C. Use a global table
D. Enable auto scaling for read capacity
Answer: A

DAX provides an in-memory cache that absorbs read bursts, reducing the number of reads hitting the DynamoDB table and thus minimizing throttling.

Why this answer

Enabling DynamoDB Accelerator (DAX) reduces the number of read requests hitting the table by serving them from an in-memory cache. This offloads read traffic, effectively reducing the consumed RCUs and minimizing throttling during bursty traffic without requiring manual intervention or capacity changes.

Exam trap

The trap here is that candidates often choose auto scaling (Option D) thinking it handles bursts, but auto scaling has a lag time and cannot prevent throttling during sudden spikes, whereas DAX provides immediate relief by caching reads.

How to eliminate wrong answers

Option B is wrong because increasing write capacity does not address read throttling; it only affects write operations and would not reduce read request throttling. Option C is wrong because global tables replicate data across regions for disaster recovery and low-latency writes, but they do not reduce read throttling on a single table; each replica still has its own read capacity. Option D is wrong because auto scaling adjusts capacity based on sustained usage, but during bursty traffic it may not react quickly enough to prevent throttling, and it requires manual setup and still incurs costs for higher capacity; DAX provides a more immediate and cost-effective solution by caching reads.

1140 · MCQ · medium

A developer is deploying a containerized application on Amazon ECS with the Fargate launch type. The application needs to read data from an Amazon S3 bucket. The developer wants to follow the principle of least privilege. How should the developer grant the necessary permissions to the ECS tasks?

A. Store AWS access keys as environment variables in the task definition.
B. Create an IAM task role and reference it in the task definition using the 'taskRoleArn' parameter.
C. Create an IAM user and embed its credentials in the container image.
D. Use an S3 bucket policy that grants access based on the security group of the ECS tasks.
Answer: B

The ECS task role provides temporary credentials to the container, and the AWS SDK automatically retrieves them. This is the recommended secure practice.

Why this answer

Option B is correct because Amazon ECS with the Fargate launch type supports IAM task roles, which allow you to assign an IAM role to the ECS task itself. By referencing the IAM task role in the task definition using the 'taskRoleArn' parameter, the containerized application can securely obtain temporary credentials from the ECS container agent via the AWS STS service, adhering to the principle of least privilege without embedding long-lived credentials.

Exam trap

The trap here is that candidates may confuse IAM roles with IAM users or think that network-level controls like security groups can be used for S3 access, but AWS S3 does not evaluate security groups for authorization; only IAM policies and bucket policies are evaluated.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys as environment variables in the task definition exposes long-term credentials in plaintext, violating the principle of least privilege and increasing the risk of credential leakage. Option C is wrong because embedding IAM user credentials in the container image is a security anti-pattern that hardcodes long-lived secrets, making rotation difficult and violating best practices for container security. Option D is wrong because S3 bucket policies cannot grant permissions based on security groups; security groups are network-level constructs for EC2 instances and are not evaluated by AWS S3 for access control decisions.

1141 · MCQ · medium

A developer needs to allow an EC2 instance to read objects from a specific S3 bucket. Which is the MOST secure way to grant permissions?

A. Store AWS access keys in the EC2 instance's user data
B. Use an S3 bucket policy that allows access from the EC2 instance's public IP
C. Create an IAM role with S3 read permission and attach it to the EC2 instance as an instance profile
D. Attach a security group to the EC2 instance that allows S3 access
Answer: C

IAM roles provide temporary credentials and are the secure way to grant permissions to EC2.

Why this answer

Option C is correct because an IAM role attached as an instance profile is the recommended way to grant permissions to workloads running on EC2. Option A is wrong because storing access keys on the instance is insecure. Option B is wrong because an S3 bucket policy alone cannot grant an EC2 instance permissions without an IAM role, and a public IP address is not an identity.

Option D is wrong because security groups control network-level access, not S3 authorization.

1142 · Multi-Select · hard

A company is using AWS CloudFormation to deploy a web application. The template creates an Auto Scaling group, an Application Load Balancer, and a security group. The developer wants to ensure that the stack update fails if the new Auto Scaling group instances fail health checks. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A. Configure the Auto Scaling group to send a signal to CloudFormation using cfn-signal.
B. Associate the Auto Scaling group with an ALB target group.
C. Add a CreationPolicy to the Auto Scaling group.
D. Add an UpdatePolicy to the Auto Scaling group with a rolling update configuration.
E. Use the AWS::CloudFormation::Init metadata to run a health check script.
Answers: A, B, C

cfn-signal is used to notify CloudFormation of success or failure.

Why this answer

Option A is correct because cfn-signal is how instances report success or failure to CloudFormation. Option B is correct because the Auto Scaling group must be associated with the ALB target group for health checks. Option C is correct because a CreationPolicy makes CloudFormation wait for the success signal.

Option D is wrong because UpdatePolicy is used for rolling updates, not for signaling health checks. Option E is wrong because AWS::CloudFormation::Init is for software configuration, not health-check signaling.

1143 · MCQ · medium

A developer is implementing an e-commerce application where a purchase operation must deduct inventory and create an order atomically. The inventory and orders are stored in separate DynamoDB tables. Which DynamoDB feature should the developer use to execute these operations as a single, all-or-nothing transaction?

A. DynamoDB Streams
B. DynamoDB Transactions
C. DynamoDB Accelerator (DAX)
D. DynamoDB Global Tables
Answer: B

Correct. DynamoDB Transactions (TransactWriteItems) guarantee atomic, consistent, isolated, and durable (ACID) operations across one or more tables.

Why this answer

DynamoDB Transactions provide ACID (Atomicity, Consistency, Isolation, Durability) guarantees across one or more tables within a single AWS account and region. This allows the developer to combine the deduct-inventory and create-order operations into a single all-or-nothing transaction, ensuring that both succeed or both fail without partial updates.

Exam trap

The trap here is that candidates often confuse DynamoDB Streams with transactional capabilities, assuming that capturing changes in order guarantees atomicity, but Streams are asynchronous and cannot enforce all-or-nothing semantics across multiple tables.

How to eliminate wrong answers

Option A is wrong because DynamoDB Streams capture a time-ordered sequence of item-level changes in a table, but they do not provide atomicity or transactional coordination across multiple tables. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory caching layer that improves read performance but does not offer transactional write capabilities. Option D is wrong because DynamoDB Global Tables provide multi-region replication for disaster recovery and low-latency reads, but they do not enable atomic multi-table transactions within a single region.

1144 · MCQ · hard

A development team uses AWS Elastic Beanstalk for a Node.js application. They want to deploy a new version with zero downtime. Which deployment policy should they choose?

A. Immutable
B. All at once
C. Rolling
D. Rolling with additional batch
Answer: A

Launches new instances and swaps CNAME, zero downtime.

Why this answer

The correct answer is A. Immutable deployment launches new instances in a new Auto Scaling group, then swaps the CNAME, ensuring zero downtime. Option B (All at once) causes downtime.

Option C (Rolling) has a brief window with old and new versions running together but may reduce capacity. Option D (Rolling with additional batch) is similar to Rolling but adds instances first; it is still not zero downtime.

1145 · MCQ · easy

A developer is creating an IAM policy to allow an EC2 instance to access an S3 bucket. Which AWS service should the developer use to securely provide credentials to the EC2 instance?

A. Use Amazon Cognito identity pools to generate temporary credentials for the instance.
B. Create an IAM user with access keys and store them on the instance.
C. Create an IAM role and attach it to the EC2 instance profile.
D. Store the AWS access key in AWS Secrets Manager and retrieve it at runtime.
Answer: C

IAM roles provide temporary credentials via instance profiles, which is the secure best practice for EC2.

Why this answer

IAM roles are designed to be assumed by AWS services such as EC2. Instance profiles deliver temporary credentials to the EC2 instance automatically, avoiding hard-coded keys. Option A is wrong because Cognito identity pools are for user identity, not EC2 workloads.

Option B is wrong because access keys are long-term credentials and are not recommended for EC2. Option D is wrong because Secrets Manager stores application secrets; it is not a mechanism for issuing EC2 instance credentials.

1146 · MCQ · medium

A developer is troubleshooting an issue where an EC2 instance cannot access an S3 bucket even though the instance has an IAM role with full S3 access. The instance can access the internet. What is the most likely cause?

A. The instance is in a private subnet without a NAT gateway or VPC endpoint for S3.
B. S3 Transfer Acceleration is not enabled on the bucket.
C. The security group attached to the instance blocks outbound traffic to S3.
D. The IAM role is not correctly associated with the instance.
Answer: A

Private subnets need a NAT gateway or VPC endpoint to reach S3.

Why this answer

The most likely cause is that the EC2 instance resides in a private subnet, which has no direct route to the internet or to S3. Without a NAT gateway or a VPC endpoint for S3, the instance cannot reach the S3 API endpoints, even though it has an IAM role granting full S3 access. The instance's ability to access the internet is irrelevant if it's in a private subnet, as internet traffic must go through a NAT device or a VPC endpoint.

Exam trap

The trap here is that candidates often assume that an IAM role with full S3 access is sufficient for an EC2 instance to access S3, overlooking the critical requirement of network connectivity, especially when the instance is in a private subnet without a NAT gateway or VPC endpoint.

How to eliminate wrong answers

Option B is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using edge locations; it is not required for basic connectivity to S3. Option C is wrong because security groups by default allow all outbound traffic, and the question states the instance can access the internet, so outbound traffic to S3 is not blocked. Option D is wrong because the IAM role is correctly associated with the instance (the question states the instance has an IAM role with full S3 access), so the issue is not with the role association.

1147 · MCQ · easy

A developer deploys a new version of an AWS Lambda function using the AWS CLI. After the deployment, the function starts returning errors. The developer needs to quickly revert to the previous version without redeploying. What should the developer do?

A. Use AWS CodeDeploy to automatically roll back the deployment.
B. Update the alias to point to the previous version.
C. Use the AWS CLI to update the function code with the previous code.
D. Delete the current function and recreate it using the previous deployment package.
Answer: B

Updating the alias to point to the previous version provides an instant rollback.

Why this answer

Option B is correct because AWS Lambda aliases are mutable pointers to immutable, published function versions. By updating the alias to point to the previous version, the developer can instantly revert traffic to the stable code without any redeployment, as the alias is used as the invocation target (e.g., via the function's ARN with the alias name). This approach leverages Lambda's built-in versioning and alias routing, which is the fastest and safest rollback mechanism.

Exam trap

The trap here is that candidates may think they need to redeploy or use a separate deployment service (like CodeDeploy) to revert, when in fact Lambda's alias and versioning system provides a built-in, instant rollback mechanism without any code changes.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a separate service for automated deployments, not a built-in Lambda rollback feature; using it would require additional setup and is not the quickest revert method from the CLI. Option C is wrong because updating the function code with the previous code via the AWS CLI would overwrite the current version, effectively redeploying the old code rather than instantly reverting, and it does not leverage versioning. Option D is wrong because deleting and recreating the function is unnecessarily destructive and time-consuming, and it would lose the version history and any associated triggers or configurations.

1148 · MCQ · hard

A company has an S3 bucket that contains sensitive data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS. Which combination of actions will enforce this?

A. Configure the bucket to use SSE-S3 by default.
B. Enable default encryption on the bucket with SSE-KMS.
C. Use a bucket policy that allows only PutObject with KMS encryption.
D. Use a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not 'aws:kms'.
Answer: D

This enforces KMS encryption on every upload.

Why this answer

Option D is correct because a bucket policy that denies PutObject requests when the `x-amz-server-side-encryption` header is not set to `aws:kms` enforces encryption at rest using AWS KMS for all uploads. This policy explicitly rejects any upload that does not include the required KMS encryption header, ensuring compliance with the security team's requirement. Default encryption settings (like SSE-S3 or SSE-KMS) can be overridden by the client, so a bucket policy is the only way to enforce encryption at the API level.

Exam trap

The trap here is that candidates often confuse default encryption with enforcement, not realizing that default encryption can be overridden by client-specified headers, whereas a bucket policy with a deny condition is the only way to mandate encryption at the API level.

How to eliminate wrong answers

Option A is wrong because configuring the bucket to use SSE-S3 by default encrypts objects with S3-managed keys, not AWS KMS, which does not meet the requirement for KMS encryption. Option B is wrong because enabling default encryption with SSE-KMS only applies when the client does not specify encryption headers; a client can still upload without KMS encryption by explicitly setting a different encryption header (e.g., `AES256`), bypassing the default. Option C is wrong because allowing only PutObject with KMS encryption does not deny requests that lack KMS encryption; it merely permits some requests, but without a deny statement, unencrypted uploads could still succeed if other permissions allow them.

1149
MCQmedium

Refer to the exhibit. A developer created an IAM role for a Lambda function. When the Lambda function invokes, it fails with an access denied error when trying to write logs to CloudWatch Logs. What is the most likely cause?

A.The trust policy does not allow the Lambda service to assume the role.
B.The CloudWatch Logs log group has a resource-based policy that denies the Lambda function.
C.The role lacks a permissions policy that allows CloudWatch Logs actions.
D.The Lambda function is not associated with this role.
AnswerC

Without a permissions policy, the role cannot perform any actions.

Why this answer

Option C is correct because the Lambda function's IAM role must include a permissions policy that grants the `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` actions. Without these permissions, the Lambda runtime cannot write logs to CloudWatch Logs, resulting in an access denied error. The error occurs at invocation time when the Lambda service attempts to create or write to the log stream on behalf of the function.

Exam trap

The trap here is that candidates often confuse trust policies with permissions policies, assuming that if the role is assumed successfully, all subsequent API calls will work, but the trust policy only governs role assumption, not the actions the role can perform.

How to eliminate wrong answers

Option A is wrong because the trust policy is what allows the Lambda service to assume the role; if it were missing or incorrect, the error would be 'Lambda cannot assume the role' rather than an access denied on CloudWatch Logs writes. Option B is wrong because CloudWatch Logs log groups do not have resource-based policies by default; such policies are optional and typically used for cross-account access, not for denying a function that already has the correct role. Option D is wrong because the question states the developer created the role for the Lambda function, implying the function is associated with it; if it were not associated, the error would be about missing execution role or permissions, not specifically CloudWatch Logs access denied.

1150
MCQmedium

A developer is optimizing costs for an S3 bucket that stores infrequently accessed data but requires millisecond retrieval. The bucket receives 100 PUT requests per second and 10 GET requests per second. Which storage class is most cost-effective?

A.S3 Standard
B.S3 One Zone-IA
C.S3 Glacier Deep Archive
D.S3 Intelligent-Tiering
AnswerD

Auto-tiering optimizes cost.

Why this answer

S3 Intelligent-Tiering is the most cost-effective choice because it automatically moves objects between access tiers based on changing access patterns, optimizing costs without performance impact. The workload has a high write-to-read ratio (100 PUTs vs 10 GETs per second) and requires millisecond retrieval, which Intelligent-Tiering supports while avoiding the retrieval fees and minimum storage duration penalties of One Zone-IA or Glacier Deep Archive.

Exam trap

The trap here is that candidates often choose S3 One Zone-IA for infrequently accessed data, overlooking the high PUT rate and millisecond retrieval requirement, which make Intelligent-Tiering more cost-effective due to its automatic tiering and lack of retrieval fees.

How to eliminate wrong answers

Option A (S3 Standard) is wrong because it is designed for frequently accessed data and would be more expensive for infrequently accessed data due to higher storage costs. Option B (S3 One Zone-IA) is wrong because it incurs a minimum 30-day storage charge and per-GB retrieval fees, making it less cost-effective for a high PUT rate with infrequent reads, and it lacks the automatic tiering optimization of Intelligent-Tiering. Option C (S3 Glacier Deep Archive) is wrong because it has a retrieval time of 12–48 hours, which does not meet the millisecond retrieval requirement, and it is not suitable for active data with 100 PUTs per second.

1151
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment'. The deployment configuration is CodeDeployDefault.AllAtOnce. What is the most likely cause?

A.The application is not running on the instances before the deployment.
B.The Auto Scaling group has more than 100 instances.
C.The new application revision contains an error that prevents it from running.
D.The deployment group is not associated with the correct Amazon EC2 instances.
AnswerC

With AllAtOnce, if the revision fails on all instances, the overall deployment fails.

Why this answer

Option C is correct because with AllAtOnce, all instances are targeted simultaneously. If the new revision has a critical error, all instances fail, causing the overall deployment to fail. Option B is wrong because CodeDeploy does not have a hard limit on instances.

Option D is wrong because the deployment group is the Auto Scaling group itself, not individual instances. Option A is wrong because if the application was not running, the deployment would fail on each instance but not necessarily all at once.

1152
Multi-Selectmedium

Which TWO AWS services can be used to build a serverless event-driven application that processes data from Amazon S3 and stores results in Amazon DynamoDB? (Choose 2.)

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Streams
C.Amazon EC2
D.AWS Step Functions
E.Amazon EMR
AnswersA, D

Lambda can be triggered by S3 events to process data.

Why this answer

Options A and D are correct. AWS Lambda can be triggered by S3 events to process data, and AWS Step Functions can orchestrate the workflow. Option B (Amazon Kinesis Data Streams) is for streaming data, not S3 events.

Option C (Amazon EC2) is server-based. Option E (Amazon EMR) is for big data processing.

1153
MCQmedium

A developer is deploying a new version of a Lambda function using AWS CodeDeploy with a linear canary deployment. The function is part of a serverless application. After the deployment starts, the developer notices that the new version is receiving only 10% of traffic initially, but after 10 minutes, the traffic increases to 100%. What should the developer do to ensure a more gradual traffic shift?

A.Use Lambda function aliases with weighted traffic shifting.
B.Use multiple Lambda function versions and update the alias gradually.
C.Configure AWS CloudFormation to update the Lambda alias.
D.Modify the CodeDeploy deployment configuration to use a linear 10% every 5 minutes instead of canary.
AnswerD

CodeDeploy linear deployments shift traffic in increments over a specified time, allowing a more gradual shift.

Why this answer

Option D is correct because the developer is using a canary deployment configuration that shifts 10% of traffic immediately and then waits 10 minutes before shifting to 100%. To achieve a more gradual traffic shift, the developer should modify the CodeDeploy deployment configuration to use a linear 10% every 5 minutes, which will increment traffic by 10% every 5 minutes, taking 50 minutes to reach 100%.

Exam trap

The trap here is that candidates may confuse the built-in CodeDeploy deployment configurations (canary vs. linear) with manual alias weight adjustments, thinking that modifying the alias directly is the correct approach instead of changing the deployment configuration.

How to eliminate wrong answers

Option A is wrong because Lambda function aliases with weighted traffic shifting are used for manual or custom traffic routing, not for controlling the pace of a CodeDeploy deployment. Option B is wrong because using multiple Lambda function versions and updating the alias gradually is a manual process that does not leverage CodeDeploy's built-in deployment configurations for automated traffic shifting. Option C is wrong because configuring AWS CloudFormation to update the Lambda alias does not change the CodeDeploy deployment configuration; CloudFormation can manage the alias but cannot alter the traffic shift pattern defined in the CodeDeploy deployment group.

1154
MCQmedium

A developer monitors an AWS Lambda function that processes records from an Amazon SQS queue and writes results to an Amazon DynamoDB table. CloudWatch Logs show that execution time has increased over the past week, and the function frequently times out at the 5-minute timeout. The function's code has not been changed recently. CloudWatch metrics show a high rate of DynamoDBProvisionedThroughputExceededException errors. The DynamoDB table has 5 write capacity units (WCUs). What action will MOST effectively reduce the function's execution time?

A.Increase the Lambda function's timeout to 10 minutes.
B.Increase the write capacity units (WCUs) on the DynamoDB table.
C.Increase the Lambda function's memory allocation to 3008 MB.
D.Use an Amazon SQS FIFO queue instead of a standard queue for the Lambda trigger.
AnswerB

The DynamoDBProvisionedThroughputExceededException indicates the table's write capacity is exhausted. Increasing WCUs reduces throttling and speeds up writes, reducing the Lambda function's execution time.

Why this answer

The high rate of DynamoDBProvisionedThroughputExceededException errors indicates that the Lambda function is being throttled by DynamoDB due to insufficient write capacity. When writes are throttled, the Lambda function must retry, which increases execution time and can lead to timeouts. Increasing the WCUs on the DynamoDB table directly addresses the root cause by allowing the function to write without throttling, thereby reducing execution time.

Exam trap

The trap here is that candidates often assume increasing Lambda timeout or memory will fix performance issues, but the real bottleneck is the DynamoDB write capacity, which directly causes the throttling errors and increased execution time.

How to eliminate wrong answers

Option A is wrong because increasing the timeout to 10 minutes does not resolve the underlying throttling issue; it only masks the symptom by allowing the function to run longer while still being throttled. Option C is wrong because increasing memory allocation (up to 3008 MB) primarily improves CPU performance and network throughput, but does not fix DynamoDB throttling caused by insufficient WCUs. Option D is wrong because switching to an SQS FIFO queue does not affect DynamoDB write capacity; FIFO queues enforce message ordering and deduplication but do not reduce the throttling rate from DynamoDB.

1155
MCQmedium

A developer is building a web application that uses Amazon DynamoDB as the database. The application needs to store user session data and must support eventual consistency reads for most use cases, but strongly consistent reads for critical operations. The developer wants to minimize costs. Which read capacity unit (RCU) configuration should the developer use?

A.Use on-demand capacity mode to pay per request, avoiding provisioned capacity costs.
B.Use provisioned capacity with 1 RCU per item, since eventually consistent reads consume half the RCUs.
C.Use provisioned capacity with sufficient RCUs to handle strongly consistent reads, as they consume the same as eventually consistent.
D.Use provisioned capacity with enough RCUs for peak traffic, and use DynamoDB Accelerator (DAX) for caching.
AnswerA

On-demand mode is ideal for unpredictable traffic and eliminates the overhead of capacity planning, often resulting in lower costs for variable workloads like session data.

Why this answer

Option A is correct because on-demand capacity mode charges per request (read/write), eliminating the need to provision fixed RCUs. For a session store with mixed consistency requirements, on-demand is cost-effective when traffic is unpredictable or low, as you only pay for actual reads and writes. Eventually consistent reads consume half the RCUs of strongly consistent reads, but on-demand pricing automatically accounts for this difference without manual configuration.

Exam trap

The trap here is that candidates assume provisioned capacity is always cheaper, but for variable workloads like session stores, on-demand can minimize costs by eliminating unused capacity, especially when mixed consistency models are needed.

How to eliminate wrong answers

Option B is wrong because 1 RCU per item is not a fixed rule; RCU consumption depends on item size (1 RCU = one strongly consistent read of up to 4 KB per second) and eventually consistent reads consume 0.5 RCUs, not a fixed 1 RCU per item. Option C is wrong because strongly consistent reads and eventually consistent reads do not consume the same RCUs; eventually consistent reads use half the RCUs (0.5 RCU per 4 KB item) compared to strongly consistent reads (1 RCU per 4 KB item). Option D is wrong because provisioning for peak traffic with DAX adds cost and complexity; DAX is a caching layer that reduces read load but incurs additional charges, contradicting the goal to minimize costs.

1156
MCQeasy

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API should allow users to retrieve data from an Amazon DynamoDB table. The developer wants to minimize latency for frequently accessed data. What should the developer do?

A.Deploy a CloudFront distribution in front of the API Gateway.
B.Increase the Lambda function memory to improve performance.
C.Use DynamoDB Accelerator (DAX) as a caching layer.
D.Enable API Gateway caching.
AnswerC

DAX is an in-memory cache specifically for DynamoDB, reducing query latency for frequently accessed data.

Why this answer

The correct answer is C. Using DynamoDB Accelerator (DAX) provides an in-memory cache that reduces latency for frequently accessed data. Option D is wrong because API Gateway caching caches the entire API response, which may not be efficient for all requests.

Option B is wrong because increasing Lambda memory does not directly reduce latency for DynamoDB queries. Option A is wrong because CloudFront is for content delivery, not for reducing database latency.

1157
MCQmedium

A developer launches an Amazon EC2 instance that needs to read and write data to an Amazon DynamoDB table. The developer must follow the principle of least privilege and ensure that no long-term credentials are stored on the instance. Which approach should the developer use?

A.Create an IAM user with programmatic access, store the access key and secret key in a configuration file on the EC2 instance.
B.Store the DynamoDB credentials in AWS Systems Manager Parameter Store as a SecureString, and retrieve them from the EC2 instance at runtime.
C.Create an IAM role with the necessary DynamoDB permissions, and attach the role to the EC2 instance profile. The SDK will automatically retrieve temporary credentials from the instance metadata.
D.Use a Lambda function to generate temporary credentials for the EC2 instance and pass them via user data at launch.
AnswerC

An IAM role provides temporary credentials that are automatically rotated. The EC2 instance retrieves them via the instance metadata service, eliminating the need for long-term credentials.

Why this answer

Option C is correct because it uses an IAM role attached to the EC2 instance profile, which allows the AWS SDK to automatically retrieve temporary credentials from the instance metadata service (IMDS). This follows the principle of least privilege by granting only the necessary DynamoDB permissions and eliminates the need to store any long-term credentials on the instance, as the credentials are rotated automatically by AWS STS.

Exam trap

The trap here is that candidates may choose Option B (Parameter Store) thinking it securely stores credentials, but they overlook that the instance still needs an IAM role to access Parameter Store, and the retrieved credentials are static rather than automatically rotated temporary credentials, which fails the 'no long-term credentials' requirement.

How to eliminate wrong answers

Option A is wrong because storing an IAM user's access key and secret key in a configuration file on the EC2 instance violates the requirement of no long-term credentials on the instance and increases the risk of credential exposure. Option B is wrong because while Parameter Store can securely store credentials, the EC2 instance would still need an IAM role or long-term credentials to retrieve them, and the retrieved credentials (if stored as a SecureString) are static, not temporary, thus not fully meeting the 'no long-term credentials' requirement. Option D is wrong because using a Lambda function to generate temporary credentials and passing them via user data at launch would require the instance to store those credentials locally, and the credentials would not be automatically rotated or refreshed, leading to potential security issues and operational complexity.

1158
MCQhard

A developer is using AWS CodePipeline to deploy a microservices application to Amazon ECS using the 'Rolling update' deployment type. The pipeline includes a source stage (CodeCommit), build stage (CodeBuild), and deploy stage (CodeDeploy to ECS). After a recent commit, the build stage succeeds, but the deploy stage fails with 'The service has reached the maximum number of running tasks.' What is the MOST likely cause?

A.The task definition is misconfigured and the task fails to start.
B.The ECS service is configured with auto scaling and has reached the maximum task count.
C.The ECS service has reached the AWS account service quota for Fargate tasks.
D.The CodeDeploy deployment configuration uses a 'canary' instead of 'rolling' update.
AnswerB

Auto scaling can set a maximum number of tasks; if the service is already at that maximum, a rolling update that tries to start new tasks before stopping old ones will fail.

Why this answer

Option B is correct because ECS service auto scaling can set a maximum number of tasks; if the desired count is already at max, the deployment cannot add new tasks. Option D is wrong because the deployment type does not affect task count limits. Option C is wrong because the ECS service quota is a hard account-level limit, but the error specifically mentions 'maximum number of running tasks', which aligns with the auto scaling settings.

Option A is wrong because a misconfigured task definition would cause task start failures, not a max task count error.

1159
Multi-Selectmedium

A developer is troubleshooting an issue where an S3 bucket policy is not granting access to an IAM user. Which TWO actions should the developer take to resolve the issue?

Select 2 answers
A.Enable S3 Transfer Acceleration.
B.Verify the bucket's ACLs allow access.
C.Check the bucket policy for any explicit denies.
D.Check the IAM user's attached policies.
E.Enable CloudTrail to log bucket access.
AnswersC, D

Explicit deny overrides allow.

Why this answer

Options C and D are correct because the bucket policy and the IAM user's attached policies are the two places where permissions are evaluated. Option B is wrong because ACLs are legacy. Option E is wrong because CloudTrail logs bucket access but does not show bucket policies.

Option A is wrong because S3 Transfer Acceleration is not related to permissions.

1160
MCQmedium

A service needs loosely coupled asynchronous communication where one producer sends events to many different AWS service targets using rules. Which service fits best?

A.Amazon EFS
B.AWS CloudHSM
C.Amazon EventBridge
D.AWS DataSync
AnswerC

Correct for the stated requirement.

Why this answer

Amazon EventBridge is a serverless event bus service that enables loosely coupled asynchronous communication. It allows a single producer to publish events, and then uses rules to route those events to multiple AWS service targets (e.g., Lambda, SQS, Step Functions) simultaneously, fulfilling the requirement exactly.

Exam trap

The trap here is that candidates may confuse Amazon EventBridge with Amazon SNS (Simple Notification Service), but the question explicitly mentions 'rules' to filter events, which is a core EventBridge feature, whereas SNS uses topic subscriptions without rule-based filtering.

How to eliminate wrong answers

Option A is wrong because Amazon EFS is a file storage service for EC2 instances, not an event-driven communication service; it cannot route events or support producer-to-multiple-target patterns. Option B is wrong because AWS CloudHSM provides hardware security modules for cryptographic key storage, not event routing or asynchronous messaging. Option D is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises and AWS storage, not for event-driven, loosely coupled communication with rules.

1161
MCQhard

A developer is building a real-time chat application using WebSockets via API Gateway. The backend uses AWS Lambda functions to handle connect, disconnect, and message events. The application needs to broadcast messages to all connected clients. What is the most scalable and cost-effective way to maintain the list of connection IDs and broadcast messages?

A.Use an SQS FIFO queue to store connection IDs and have a Lambda function poll the queue to broadcast.
B.Store connection IDs in a DynamoDB table. Use a Lambda function to query all connection IDs and send messages using the API Gateway Management API.
C.Maintain an in-memory list of connection IDs in a global variable of a single Lambda function.
D.Use Amazon ElastiCache Redis to store connection IDs and use Redis Pub/Sub for broadcasting.
AnswerB

DynamoDB is fully managed, scalable, and cost-effective for storing and retrieving connection IDs.

Why this answer

Option B is correct. DynamoDB is a scalable, low-latency database that can store connection IDs and allow Lambda to query all connections for broadcasting. Option C is wrong because an in-memory list in a single Lambda instance does not scale across multiple instances.

Option D is wrong because ElastiCache is more expensive and complex than DynamoDB for this use case. Option A is wrong because SQS is not designed for real-time broadcasting and would require polling.

1162
MCQhard

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The bucket policy also grants access to the role. An application running on the instance is unable to read objects. The instance has the correct instance profile. What is the MOST likely cause?

A.The bucket policy has a condition that does not match the request context.
B.The EC2 instance's security group blocks outbound traffic to S3.
C.The S3 bucket is in a different AWS account.
D.The instance profile is not attached to the EC2 instance.
AnswerA

Conditions can cause implicit denies even if the role is allowed.

Why this answer

The most likely cause is that the bucket policy includes a condition (e.g., aws:SourceIp, aws:SourceVpce, or aws:SecureTransport) that does not match the request context from the EC2 instance. Even though the IAM role grants access, a bucket policy statement whose condition evaluates to false for the request does not apply, so the request is not allowed by that statement and ends in an implicit deny. This is a common misconfiguration where the role has permissions but the bucket policy's conditions are too restrictive.

Exam trap

The trap here is that candidates often overlook bucket policy conditions and assume that if the IAM role has S3 permissions and the instance profile is attached, access should work, ignoring that bucket policies can impose additional restrictions that override role permissions.

How to eliminate wrong answers

Option B is wrong because security groups operate at the network layer (stateful filtering) and do not block outbound traffic to S3 by default; S3 uses HTTPS (TCP/443) which is typically allowed, and security groups do not inspect application-layer conditions. Option C is wrong because cross-account access is fully supported with proper IAM roles and bucket policies; the bucket being in a different account would not inherently cause failure if permissions are correctly configured. Option D is wrong because the question explicitly states the instance has the correct instance profile, so the instance profile attachment is not the issue.

1163
MCQeasy

A developer is debugging an AWS Lambda function that is invoked by an Amazon S3 bucket notification. The function fails with an 'AccessDenied' error when trying to read an object from the same bucket. What should the developer check first?

A.Check if S3 bucket versioning is enabled.
B.Verify that the S3 bucket uses server-side encryption with AWS KMS.
C.Ensure the S3 bucket is not blocked by S3 Block Public Access.
D.Review the Lambda function's execution role for s3:GetObject permission.
AnswerD

Missing s3:GetObject is a common cause of AccessDenied.

Why this answer

Option D is correct because the Lambda execution role must have s3:GetObject permission for the bucket. Option C is wrong because S3 Block Public Access does not affect Lambda access. Option B is wrong because encryption settings do not cause AccessDenied if permissions are correct.

Option A is wrong because bucket versioning is not related to access.

1164
MCQeasy

Refer to the exhibit. A developer created this CloudFormation template for an S3 bucket. What is the expected behavior?

A.Noncurrent versions of objects are deleted 30 days after they become noncurrent.
B.The bucket will have versioning disabled because the rule conflicts.
C.Current versions are transitioned to another storage class after 30 days.
D.Objects are automatically deleted after 30 days.
AnswerA

The NoncurrentVersionExpirationInDays deletes noncurrent versions after the specified days.

Why this answer

Option A is correct because the lifecycle rule will delete noncurrent versions after 30 days. Option B is wrong because versioning remains enabled, so old versions are kept. Option D is wrong because the rule only applies to noncurrent versions, not to current objects.

Option C is wrong because the action is expiration, not transition.

1165
MCQhard

Refer to the exhibit. A developer created this IAM policy to allow a CI/CD service to trigger CodePipeline and CodeBuild. However, the pipeline fails with an 'AccessDenied' error when trying to start the CodeBuild project. What is the likely cause?

A.The policy should use 'Effect': 'Deny' for the CodeBuild actions.
B.The policy does not include 'codebuild:StartBuild' for the specific CodeBuild project ARN.
C.The policy must include 'codebuild:BatchGetBuilds' for the specific project.
D.The policy is attached to the developer's IAM user instead of the CodePipeline service role.
AnswerD

CodePipeline uses a service role to perform actions; the policy must be attached to that role.

Why this answer

Option D is correct. The policy allows 'codebuild:StartBuild' with 'Resource': '*', so the statement itself already covers the CodeBuild project; the problem is where the policy is attached. CodePipeline starts builds using its service role, not the developer's credentials, so a policy attached to the developer's IAM user grants the pipeline nothing.

The policy shown is for a user, not for the pipeline's service role. The question says 'a developer created this IAM policy', but the pipeline uses a service role, so the fix is to attach the policy to the pipeline's service role rather than to the developer.

Option A is wrong because the Allow effect and the action are correct as written. Option B is wrong because the resource is '*', covering all projects.

1166
MCQeasy

A developer is troubleshooting an Amazon RDS for MySQL instance that is experiencing high CPU utilization. The application performs many read operations. The developer wants to reduce the load on the database. What is the MOST effective solution?

A.Upgrade the DB instance to a larger instance class.
B.Create a read replica and direct read queries to it.
C.Enable Multi-AZ for automatic failover.
D.Purchase reserved instances to reduce costs.
AnswerB

Read replicas handle read traffic, reducing the load on the primary instance and lowering CPU utilization.

Why this answer

Option B is correct because adding a read replica offloads read traffic from the primary instance, reducing CPU utilization. Option A is wrong because vertical scaling increases capacity but does not specifically address read load efficiently. Option D is wrong because reserved instances do not reduce CPU usage.

Option C is wrong because Multi-AZ provides high availability, not performance improvement.

1167
MCQhard

A company is using AWS CodePipeline with a multi-branch strategy. The pipeline includes a source stage from AWS CodeCommit, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The team wants to automatically deploy changes only when a pull request is merged to the 'main' branch. Which configuration should be used?

A.Configure a CodeCommit trigger to start the pipeline on push events to the 'main' branch.
B.Create a manual approval step before deployment and require a pull request merge as a trigger.
C.Use a scheduled trigger to run the pipeline every hour and check for changes.
D.Configure the source stage to use the 'main' branch and enable periodic polling.
AnswerA

A push event to main (including pull request merges) triggers the pipeline automatically.

Why this answer

Option A is correct: the pipeline should be started by an event-based trigger filtered on push events to the 'main' branch, which fires whenever a pull request is merged into main. Option B (manual approval) defeats automation. Option D (periodic polling) is not event-driven.

Option C (scheduled) is not event-driven.

1168
MCQeasy

A developer is troubleshooting an AWS Lambda function that writes to an S3 bucket. The function is failing with an 'AccessDenied' error. The Lambda execution role has the following policy. What is the likely issue?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

A.The resource ARN should be 'arn:aws:s3:::my-bucket' instead of 'my-bucket/*'.
B.The action should be 's3:PutObject' only, not 's3:GetObject'.
C.The role is missing s3:ListBucket permission.
D.The bucket uses SSE-KMS encryption, and the role lacks kms:Decrypt permission.
AnswerD

Without KMS permissions, PutObject fails with AccessDenied.

Why this answer

Option D is correct. The object-level resource ARN 'arn:aws:s3:::my-bucket/*' is correct for PutObject, and the action is allowed, so the policy statement itself does not explain the AccessDenied. Bucket-level permissions such as s3:ListBucket are not needed for PutObject.

If the bucket is encrypted with SSE-KMS, the role also needs KMS permissions (kms:Decrypt, as option D states) to use the key; without them, PutObject fails with AccessDenied. Option A is wrong because the resource ARN is correct.

Option C is wrong because S3 does not require s3:ListBucket for PutObject. Option B is wrong because including s3:GetObject does not cause the failure; the action is allowed.

1169
MCQeasy

A developer is building a serverless application using AWS Lambda that processes files uploaded to an S3 bucket. The function needs to read the file content and store metadata in DynamoDB. Which AWS service should be used to trigger the Lambda function when a new object is created in S3?

A.Amazon CloudWatch Events
B.Amazon SQS
C.Amazon SNS
D.Amazon S3 Event Notifications
AnswerD

S3 can directly invoke Lambda via event notifications on object creation.

Why this answer

Correct: D. S3 can be configured to send events to Lambda, SQS, or SNS when objects are created. Option B is wrong because SQS is a queue service, not a direct trigger source for S3 events.

Option C is wrong because SNS is a notification service, but S3 can directly invoke Lambda without SNS. Option A is wrong because CloudWatch Events is used for scheduled or pattern-based events, not S3 object creation.

1170
MCQeasy

What is required for the Lambda function to access the code in the S3 bucket?

A.The S3 bucket policy must grant access to the Lambda service.
B.The Lambda function must be in a VPC with an S3 VPC endpoint.
C.The S3 bucket must be configured as a static website with CloudFront.
D.The Lambda execution role must have s3:GetObject permission on the S3 bucket.
AnswerD

The role needs permission to read the code.

Why this answer

Lambda functions access code stored in S3 buckets using an IAM execution role. The execution role must include the `s3:GetObject` permission for the specific bucket and object path to allow the Lambda service to download the deployment package. Without this permission, the Lambda function will fail with an access denied error during initialization.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM roles), assuming a bucket policy granting access to the Lambda service principal is sufficient, when in fact the Lambda execution role must explicitly have the `s3:GetObject` permission.

How to eliminate wrong answers

Option A is wrong because the S3 bucket policy granting access to the Lambda service is not sufficient; the Lambda execution role must also have the necessary IAM permissions, and the bucket policy alone does not authorize the Lambda function's principal. Option B is wrong because placing the Lambda function in a VPC with an S3 VPC endpoint is only required when the Lambda function needs to access S3 without traversing the public internet, but it is not a requirement for the Lambda function to access its own code in S3; the default public S3 endpoint works without a VPC. Option C is wrong because configuring the S3 bucket as a static website with CloudFront is unrelated to Lambda's code retrieval; Lambda downloads the deployment package directly from S3 via the S3 API, not through a website or CloudFront.

1171
Multi-Selectmedium

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and in transit. Which THREE measures should be implemented?

Select 3 answers
A.Use HTTPS for all requests to S3
B.Enable server-side encryption (SSE) on the S3 bucket
C.Add a bucket policy that denies requests without encryption in transit
D.Use client-side encryption
E.Enable MFA Delete on the bucket
AnswersA, B, C

Encrypts data in transit.

Why this answer

Option A is correct because HTTPS encrypts data in transit between the client and S3 using TLS, ensuring confidentiality and integrity during transmission. This satisfies the requirement for encryption in transit, as plain HTTP requests would send data in cleartext. Option B is correct because server-side encryption protects the objects at rest in the bucket, and Option C is correct because a bucket policy that denies requests without encryption in transit enforces the HTTPS requirement instead of relying on every client to use it.

Exam trap

The trap here is that candidates may confuse client-side encryption as a bucket-level security measure, but it is an application-side implementation that does not enforce encryption at the S3 bucket level, and MFA Delete is a red herring unrelated to encryption requirements.

1172
MCQhard

An application uses DynamoDB as its database with on-demand capacity. The application experiences increased latency during peak hours. CloudWatch metrics show ConsumedWriteCapacityUnits is below ProvisionedWriteCapacityUnits, but ThrottledWriteEvents is zero. What is the most likely cause?

A.The table is experiencing write throttling.
B.The table has too many read capacity units.
C.The provisioned capacity is insufficient.
D.The workload has hot partitions.
AnswerD

Hot partitions cause latency even if overall capacity is sufficient.

Why this answer

Option D is correct because even though overall capacity is not exceeded, hot partitions can cause latency: capacity is managed per table, but throughput is served per partition, so a partition that receives a disproportionate share of writes slows down while the table-level metrics look healthy. Option A is wrong because the throttled-event count is zero.

Option C is wrong because on-demand capacity is managed automatically. Option B is wrong because RCUs are not related to write latency.

1173
MCQeasy

A developer is deploying a Node.js application to AWS Elastic Beanstalk. The application needs to read environment-specific configuration variables. Which configuration file should the developer use to define these variables within the Elastic Beanstalk environment?

A.package.json
B..ebextensions/*.config
C.Dockerfile
D.buildspec.yml
AnswerB

Correct: .ebextensions files allow setting environment properties.

Why this answer

Option B is correct because .ebextensions configuration files in YAML or JSON format are used to set environment properties in Elastic Beanstalk. Option C is wrong because a Dockerfile describes a container image, not environment variables. Option A is wrong because the application's package.json is not used for environment-specific configuration.

Option D is wrong because buildspec.yml is for CodeBuild, not Elastic Beanstalk.

1174
MCQhard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API has a REST endpoint that triggers a Lambda function to write data to an Amazon DynamoDB table. Under high traffic, some requests are failing with 5xx errors. The developer notices that the Lambda function's duration is spiking. Which combination of actions should the developer take to improve performance and reduce errors?

A.Enable DynamoDB Accelerator (DAX) for the table and set a Lambda reserved concurrency.
B.Use an Amazon SQS queue as a buffer between API Gateway and Lambda.
C.Increase the Lambda function's memory and enable DynamoDB auto-scaling.
D.Switch the API endpoint to HTTP API and enable API Gateway caching.
AnswerA

DAX reduces read latency and load on DynamoDB; reserved concurrency prevents overloading the function.

Why this answer

Option A is correct because enabling DAX and setting reserved concurrency address both performance and throttling. Option C is wrong because increasing memory reduces duration but does not address the concurrency problem. Option D is wrong because switching to HTTP API and enabling API Gateway caching does not reduce the DynamoDB load or the Lambda function's duration.

Option B is wrong because SQS adds latency for real-time APIs.

1175
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The developer has updated the application code and wants to deploy the new version with a rolling deployment strategy to minimize downtime. Which configuration should the developer use?

A.Set the deployment policy to 'Rolling'
B.Set the deployment policy to 'Immutable'
C.Set the deployment policy to 'All at once'
D.Set the deployment policy to 'Blue/green'
AnswerA

Rolling updates instances in batches, keeping the application available.

Why this answer

Option A is correct because a Rolling deployment updates instances in batches, minimizing downtime. Option C is wrong because All at once causes downtime. Option B is wrong because Immutable creates new instances and swaps them in, but Rolling is more cost-effective.

Option D is wrong because Blue/green is a separate deployment method.

1176
MCQhard

A CodeDeploy deployment to Lambda should shift 10 percent of traffic for 10 minutes before full rollout and automatically roll back on alarms. Which configuration should be used?

A.Canary deployment preference with CloudWatch alarms
B.All-at-once deployment without alarms
C.Manual alias update after deployment
D.S3 static website deployment
AnswerA

Correct for the stated requirement.

Why this answer

A is correct because CodeDeploy's canary deployment preference shifts 10% of traffic to the new Lambda version for 10 minutes, then automatically shifts the remaining 90% after the specified interval. CloudWatch alarms are configured to trigger an automatic rollback if the alarm state is breached during the canary period, meeting the requirement for a gradual shift with automated rollback on failure.

Exam trap

The trap here is that candidates may confuse 'canary' with 'linear' deployments, or assume that any gradual shift (like 'linear10PercentEvery10Minutes') is equivalent, but the requirement specifies a single 10% shift for 10 minutes before full rollout, which matches the canary preference, not a linear incremental shift.

How to eliminate wrong answers

Option B is wrong because 'All-at-once' deploys all traffic instantly without a gradual 10% shift or a 10-minute waiting period, and it lacks any alarm-based rollback mechanism. Option C is wrong because manually updating an alias after deployment bypasses CodeDeploy's automated traffic shifting and rollback capabilities, requiring manual intervention for both the shift and any rollback. Option D is wrong because an S3 static website deployment is unrelated to Lambda traffic shifting; it is used for hosting static content, not for managing Lambda alias traffic or CodeDeploy deployments.

1177
Multi-Selecthard

A company is using AWS CloudFormation to deploy a stack with a Lambda function and an API Gateway REST API. The deployment must be updated without downtime. The current stack has a Lambda function with an alias 'prod'. Which THREE steps should the developer take to achieve a zero-downtime deployment? (Choose THREE.)

Select 3 answers
A.Update the existing 'prod' alias to point to the new function version.
B.Create a new Lambda function version and assign it to a new alias 'blue'.
C.Use AWS CodeDeploy to gradually shift traffic from the 'prod' alias to the 'blue' alias.
D.Delete the old Lambda function version after the update.
E.Update the API Gateway stage to point to the 'blue' alias and test the new version.
AnswersB, C, E

This creates a separate target for the new code.

Why this answer

Options B, C, and E are correct: create a second alias for the new version, update the API Gateway stage to point to the new alias and test it, then shift traffic gradually with CodeDeploy. Option A (changing the 'prod' alias directly) causes downtime. Option D (deleting the old version) is not part of the update.

1178
MCQmedium

A developer is troubleshooting a slow-running Amazon RDS for MySQL query. The query performance has degraded over time. Which approach should the developer take first to identify the cause?

A.Enable Performance Insights and review the database load
B.Upgrade the DB instance to a larger instance class
C.Create a read replica to offload read traffic
D.Enable the MySQL query cache
AnswerA

Performance Insights helps identify the top waits and queries causing the slowdown.

Why this answer

Option A is correct because enabling RDS Performance Insights gives a quick view of database load and wait events. Option D is wrong because the query cache is not directly available in RDS for MySQL and may not help. Option C is wrong because a read replica does not fix the performance issue.

Option B is wrong because increasing the instance size may be unnecessary without first diagnosing the bottleneck.

1179
MCQeasy

An S3 bucket has versioning enabled with MFA Delete. A developer tries to permanently delete a specific version of an object using the AWS CLI without providing MFA. What is the result?

A.A delete marker is created for the object version.
B.The object version is permanently deleted.
C.The request is denied with an AccessDenied error.
D.The object version is marked with a delete marker.
AnswerC

MFA Delete requires MFA authentication for permanent deletions.

Why this answer

Option C is correct because when MFA Delete is enabled, permanent deletion of object versions requires MFA authentication. Without MFA, the request fails. Option A is wrong because no delete marker is created; the request is denied.

Option B is wrong because the request does not succeed. Option D is wrong because a delete marker is not created when deleting a specific version.

1180
MCQmedium

A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?

A.The S3 bucket does not have versioning enabled.
B.The Lambda function's execution role does not have an explicit allow for s3:GetObject.
C.The Lambda function is not in the same AWS region as the S3 bucket.
D.The Lambda function does not have kms:Decrypt permission on the KMS key used by the bucket.
AnswerD

SSE-KMS requires both S3 read permissions and KMS decrypt permission. The bucket policy does not grant KMS permissions; the KMS key policy must allow the Lambda execution role.

Why this answer

When an S3 bucket uses SSE-KMS, the Lambda function must have explicit kms:Decrypt permission on the KMS key to decrypt the object after s3:GetObject retrieves the encrypted data. Even though the bucket policy and execution role allow s3:GetObject, the missing KMS permission causes an Access Denied error because S3 returns the encrypted object and the Lambda runtime cannot decrypt it without the key.

Exam trap

The trap here is that candidates focus on the S3 bucket policy and IAM role for s3:GetObject, overlooking that SSE-KMS introduces a separate KMS authorization layer that must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because S3 versioning is unrelated to access permissions or KMS decryption; it controls object version retention, not read access. Option B is wrong because the scenario explicitly states the execution role includes an IAM policy that allows s3:GetObject, so an explicit allow exists. Option C is wrong because cross-region access between Lambda and S3 is fully supported; region mismatch does not cause Access Denied errors unless the bucket policy explicitly restricts by source IP or VPC, which is not mentioned.

1181
MCQmedium

Refer to the exhibit. A developer runs the AWS CLI command to decrypt a file using a KMS key. The command fails with an AccessDeniedException. What is the most likely cause?

A.The IAM user 'DevUser' does not have the kms:Decrypt permission on the KMS key.
B.The ciphertext blob is not base64-encoded.
C.The KMS key is disabled.
D.The KMS key ID is incorrect.
AnswerA

The error explicitly says the user is not authorized to perform kms:Decrypt.

Why this answer

The AccessDeniedException indicates that the IAM user 'DevUser' lacks the required kms:Decrypt permission on the specified KMS key. KMS key policies and IAM policies work together to control access; without an explicit allow for kms:Decrypt on that key, the API call is denied regardless of other permissions.

Exam trap

The trap here is that candidates often confuse AccessDeniedException with other KMS errors like InvalidCiphertextException or DisabledException, but the exam expects you to recognize that only a missing permission produces an AccessDeniedException when the key exists and is enabled.

How to eliminate wrong answers

Option B is wrong because the AWS CLI decrypt command automatically handles base64 decoding of the ciphertext blob if the --ciphertext-blob parameter is provided as a file or base64-encoded string; an incorrect encoding would produce a ValidationError, not AccessDeniedException. Option C is wrong because a disabled KMS key would return a DisabledException, not AccessDeniedException. Option D is wrong because an incorrect key ID would result in a NotFoundException or InvalidKeyIdException, not AccessDeniedException.

1182
Multi-Selectmedium

A developer is troubleshooting a slow-running query on an Amazon RDS for MySQL database. The query is used by a reporting application and takes over 30 seconds to complete. The database is a db.r5.large instance with 200 GB of gp2 storage. Which TWO actions should the developer take to improve query performance?

Select 2 answers
A.Terminate idle connections to free up resources.
B.Review the slow query log to identify the query and its execution plan.
C.Increase the allocated storage to 500 GB to improve I/O performance.
D.Add appropriate indexes to the tables involved in the query.
E.Enable Multi-AZ deployment for better read performance.
AnswersB, D

Slow query log provides insights for optimization.

Why this answer

Options B and D are correct: reviewing the slow query log identifies the query and its execution plan, and adding appropriate indexes can speed up execution. Option C is wrong because increasing storage does not directly improve query speed. Option A is wrong because terminating idle connections has no impact on the query.

Option E is wrong because Multi-AZ is for high availability, not performance.

1183
MCQmedium

A developer is writing a Lambda function that needs to access an RDS database. The function currently fails with a timeout. What is the most likely cause?

A.The Lambda function is not in the same VPC as the RDS instance
B.The Lambda function has a cold start delay
C.The RDS instance is not publicly accessible
D.The Lambda function does not have an IAM role granting RDS access
AnswerA

Without VPC connectivity, the Lambda function cannot reach the RDS instance, causing a timeout.

Why this answer

Option A is correct because if the Lambda function is not configured for the VPC that contains the RDS instance, or the VPC configuration is otherwise incomplete (NAT Gateway or VPC endpoints), it cannot reach the database and the connection attempt times out. Option C is possible but less likely than the VPC configuration itself being the problem. Option D (missing permissions) would cause an access-denied error, not a timeout.

Option B (cold start) adds startup latency but would not cause the connection to RDS to time out.

1184
MCQeasy

A developer notices that an S3 bucket policy allows public read access to all objects. The bucket contains sensitive data that should only be accessible by authorized IAM users. What is the BEST way to remediate this?

A.Enable default encryption on the bucket.
B.Modify the bucket policy to remove the public statement and use IAM policies for access.
C.Enable S3 Block Public Access at the account level.
D.Enable S3 Object Ownership and use ACLs.
AnswerB

Using IAM policies allows fine-grained access control.

Why this answer

Option B is correct because the bucket policy currently grants public read access, which overrides any IAM-based restrictions. By removing the public statement from the bucket policy and relying solely on IAM policies, access is controlled at the user level, ensuring only authorized IAM users can read objects. This aligns with the principle of least privilege and follows AWS best practices for securing S3 data.

Exam trap

The trap here is that candidates often confuse encryption with access control, thinking that enabling encryption (Option A) will prevent unauthorized access, when in fact encryption only protects data at rest and does not affect public read permissions.

How to eliminate wrong answers

Option A is wrong because enabling default encryption only encrypts data at rest; it does not restrict access, so public read access would still be allowed. Option C is wrong because S3 Block Public Access at the account level would prevent all public access, but it is a broad, account-wide setting that may inadvertently block legitimate public access for other buckets; the question asks for the best remediation for this specific bucket, not a blanket account-level change. Option D is wrong because S3 Object Ownership and ACLs are legacy access control mechanisms that are less secure and more complex to manage than IAM policies, and they do not directly address the public read access granted by the bucket policy.

1185
Multi-Selecteasy

A developer is using AWS KMS to encrypt data. Which TWO are valid operations that can be performed using KMS?

Select 2 answers
A.Store customer-managed keys on an HSM in your data center.
B.Generate data keys for envelope encryption.
C.Hash data using a keyed hash function.
D.Encrypt data using a customer master key.
E.Generate SSL/TLS certificates for a domain.
AnswersB, D

KMS generates data keys via GenerateDataKey API.

Why this answer

Option D is correct because KMS can encrypt data directly with a customer master key, for payloads up to 1 KB. Option B is correct because KMS can generate data keys for envelope (client-side) encryption. Option E is wrong because KMS does not issue or host SSL/TLS certificates.

Option C is wrong because KMS does not hash data. Option A is wrong because KMS does not provide a key store for customer-managed keys outside AWS.

1186
MCQhard

A developer notices that an IAM user has permissions to terminate EC2 instances, but the user should only be allowed to stop instances. The developer needs to update the policy to prevent termination while allowing stop. Which IAM policy statement should be added?

A.{"Effect":"Deny","Action":"ec2:TerminateInstances","Resource":"*"}
B.{"Effect":"Allow","Action":"ec2:TerminateInstances","Resource":"*"}
C.{"Effect":"Allow","Action":["ec2:StopInstances","ec2:TerminateInstances"],"Resource":"*"}
D.{"Effect":"Allow","Action":"ec2:RebootInstances","Resource":"*"}
AnswerA

An explicit Deny blocks termination.

Why this answer

Option A is correct because a Deny statement for ec2:TerminateInstances explicitly blocks termination, overriding any Allow. Option B is wrong because it allows termination. Option C is wrong because it allows both actions.

Option D is wrong because ec2:RebootInstances is unrelated.

1187
MCQeasy

A developer wants to store session state for a web application running on multiple EC2 instances. Which AWS service provides a fully managed, in-memory data store that is ideal for this use case?

A.Amazon ElastiCache for Redis
B.Amazon S3
C.Amazon DynamoDB
D.Amazon RDS for MySQL
AnswerA

Redis is an in-memory data store commonly used for session management.

Why this answer

Option A is correct because Amazon ElastiCache for Redis is a fully managed in-memory data store that supports session state management with features such as persistence, replication, and high availability.

1188
MCQhard

A company uses AWS CloudFormation to deploy a stack that includes an RDS MySQL instance. During an update, the stack fails with a 'DELETE_FAILED' status on a security group resource. The security group has a dependency on the RDS instance. What is the MOST likely cause?

A.The RDS instance is not fully deleted because of a deletion protection flag.
B.The security group has a rule that references itself.
C.The security group must be deleted manually before updating the stack.
D.The security group is attached to an EC2 instance outside the stack.
AnswerA

Deletion protection prevents RDS deletion, blocking security group deletion.

Why this answer

Option A is correct because the RDS instance remains in a 'deleting' state while deletion protection blocks it, and the security group cannot be deleted until the RDS instance is fully deleted. Option B is wrong because a self-referencing rule is not the issue. Option C is wrong because CloudFormation does not require manual deletion.

Option D is wrong because the issue is not that the security group is in use by resources outside the stack.

1189
Multi-Selecthard

A developer is deploying a containerized application on Amazon ECS with Fargate. The application requires access to an Amazon RDS database. The developer needs to securely pass database credentials to the container. Which THREE methods can the developer use?

Select 3 answers
A.Store the credentials in AWS Systems Manager Parameter Store and reference the parameter in the task definition.
B.Store the credentials in AWS Secrets Manager and reference the secret in the task definition.
C.Use IAM roles for tasks and retrieve credentials from AWS Secrets Manager at runtime.
D.Hardcode the credentials in the container image.
E.Define environment variables in the task definition with the credentials.
AnswersA, B, C

Parameter Store can securely store and inject secrets.

Why this answer

Options A, B, and C are correct because Parameter Store, Secrets Manager, and IAM roles for tasks all deliver the credentials to the container without embedding them in the image or the task definition. Option D is wrong because hardcoding credentials is insecure. Option E is wrong because environment variables in the task definition are visible in plain text.

1190
MCQeasy

A developer is troubleshooting an issue where an IAM role assumed by an EC2 instance does not have permission to call the DynamoDB PutItem API. The role has a policy that allows all DynamoDB actions on a specific table. Which of the following is the most likely cause?

A.The IAM role has not been attached to the EC2 instance profile.
B.The DynamoDB table is not in the same region as the EC2 instance.
C.The IAM role policy does not include the 'dynamodb:PutItem' action or the resource ARN is incorrect.
D.The EC2 instance does not have the necessary network connectivity to DynamoDB.
AnswerC

If the policy is missing the action or has wrong ARN, the API call will be denied.

Why this answer

Option C is correct because the most likely cause is that the IAM role's policy either does not explicitly include the 'dynamodb:PutItem' action or the resource ARN is incorrectly specified. Even if the policy allows all DynamoDB actions (e.g., via 'Action': 'dynamodb:*'), a missing or mismatched resource ARN (such as not targeting the specific table ARN) will cause the API call to fail with an access denied error. The developer should verify that the policy statement includes the correct action and that the Resource element points to the exact DynamoDB table ARN.

Exam trap

The trap here is that candidates often assume a policy with 'dynamodb:*' automatically grants all actions, but they overlook that the resource ARN must exactly match the table being accessed, or that the policy might be missing the specific action name if it's not a wildcard.

How to eliminate wrong answers

Option A is wrong because if the IAM role were not attached to the EC2 instance profile, the instance would not have any AWS credentials at all, resulting in an 'Access Denied' or 'No credentials' error, not a specific permission issue with DynamoDB PutItem. Option B is wrong because DynamoDB is a global service and IAM policies do not require the table to be in the same region as the EC2 instance; cross-region access is fully supported as long as the resource ARN in the policy matches the table's region. Option D is wrong because network connectivity issues (e.g., missing VPC endpoints, security group rules, or internet gateway) would cause a timeout or connection error, not an IAM permission error; the error message for a permission issue is distinct (e.g., 'AccessDeniedException').
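The evaluation rules behind questions 1168, 1186 and 1190 (object ARN versus bucket ARN, explicit Deny over Allow, and a Resource ARN that must match the table) are easy to check with a small simulator. The evaluator below is an added example written for this page, not an AWS tool; it models identity policies only (no resource policies, conditions, or the separate KMS authorization layer), and the account id, instance id and table names are constructed.

```python
"""Tiny IAM identity-policy evaluator (added example; not an AWS library).

Rules modelled: an explicit Deny wins over any Allow, Action wildcards such
as "ec2:*" match many actions, and a Resource ARN pattern must match the ARN
of the object being accessed. Resource policies, Condition blocks and KMS
key policies are out of scope.
"""
import fnmatch

ACCOUNT = "123456789012"  # constructed example account id


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, arn):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def evaluate(policy, action, arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_match_action(p, action) for p in actions):
            continue
        if not any(_match_resource(p, arn) for p in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final, whatever else allows
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Question 1168: object-level grant on my-bucket/*
S3_OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}

# Question 1186: broad EC2 allow plus an explicit deny on termination
EC2_STOP_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Question 1190: all DynamoDB actions, but only on one table ARN
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Orders"
DDB_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*",
                   "Resource": TABLE_ARN}],
}


def run_scenarios():
    """Evaluate the requests each question describes; returns name -> outcome."""
    instance = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
    return {
        # PutObject on an object is allowed here, so the AccessDenied in 1168
        # must come from another layer (the bucket's KMS key), not this policy.
        "s3_put_object": evaluate(S3_OBJECT_POLICY, "s3:PutObject",
                                  "arn:aws:s3:::my-bucket/report.csv"),
        # ListBucket is bucket-level; "my-bucket/*" does not cover the bucket ARN.
        "s3_list_bucket": evaluate(S3_OBJECT_POLICY, "s3:ListBucket",
                                   "arn:aws:s3:::my-bucket"),
        "ec2_stop": evaluate(EC2_STOP_ONLY_POLICY, "ec2:StopInstances", instance),
        "ec2_terminate": evaluate(EC2_STOP_ONLY_POLICY,
                                  "ec2:TerminateInstances", instance),
        "ddb_put_orders": evaluate(DDB_TABLE_POLICY, "dynamodb:PutItem", TABLE_ARN),
        # Same action, different table: the ARN does not match -> implicit deny.
        "ddb_put_other": evaluate(DDB_TABLE_POLICY, "dynamodb:PutItem",
                                  TABLE_ARN + "-prod"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} -> {outcome}")
```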

1191
MCQmedium

A company deploys a critical application on Amazon ECS with Fargate using a blue/green deployment strategy with AWS CodeDeploy. The deployment group has two target groups, one for blue and one for green. The Application Load Balancer (ALB) is configured with a listener that forwards traffic to the blue target group initially. A recent deployment to the green environment failed, and the green service is in a steady state with zero healthy tasks. The developer needs to ensure that the blue service continues to serve traffic without interruption. The developer checks the CodeDeploy console and sees that the deployment is stuck in the 'InProgress' state with a status of 'Green fleet is not healthy.' What should the developer do to restore the deployment to a healthy state?

A.Update the ECS task definition for the green service to a working version and wait for the deployment to complete.
B.Manually update the ECS service for the blue environment to increase the desired count.
C.Stop the deployment in CodeDeploy and re-point the ALB listener to the blue target group.
D.Roll back the deployment to the previous version using the CodeDeploy console.
AnswerC

Stopping the deployment and rerouting traffic ensures blue continues to serve traffic without interruption.

Why this answer

Option C is correct because stopping the deployment and rerouting traffic to the blue target group ensures the blue service continues to serve traffic. Option B is wrong because manually scaling the blue service does not address the stuck deployment. Option A is wrong because updating the green service may not fix the deployment.

Option D is wrong because rollback may not be available while the deployment is stuck.

1192
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. A developer wants to update a stack that includes an Amazon RDS database. The update requires replacing the database with a new instance. Which stack update policy should the developer use to minimize downtime?

A.Snapshot
B.Retain
C.Delete
D.Replacement with Snapshot
AnswerD

Creates a new instance and takes a snapshot of the old one.

Why this answer

Option D is correct because the Replacement policy with Snapshot lets CloudFormation create a new DB instance, take a snapshot of the old instance, and then delete the old instance, minimizing downtime. Option C is wrong because Delete does not preserve data. Option B is wrong because Retain keeps the old instance, causing downtime.

Option A is wrong because Snapshot without Replacement is not a valid update policy.

1193
MCQeasy

A developer needs to deploy a containerized application on AWS. The application requires persistent storage that can be shared across multiple containers running on different EC2 instances. Which AWS service should the developer use?

A.Amazon S3
B.Amazon Elastic Block Store (EBS)
C.Amazon RDS
D.Amazon Elastic File System (EFS)
AnswerD

EFS is a shared file system for multiple instances.

Why this answer

Option D is correct because Amazon EFS provides NFS-based file storage that can be mounted on multiple EC2 instances and ECS tasks at the same time. Option B (EBS) is block storage attached to a single instance.

Option A (S3) is object storage, not a file system. Option C (RDS) is a relational database.

1194
Multi-Selecthard

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses Amazon ElastiCache for session state. Recently, users are experiencing intermittent session timeouts and slow page loads. The developer suspects the issue is related to the ElastiCache cluster. Which THREE actions should the developer take to troubleshoot and resolve the issue? (Choose THREE.)

Select 3 answers
A.Monitor the ElastiCache cluster's CPU utilization and cache hit ratio in CloudWatch.
B.Enable Encryption in transit for the ElastiCache cluster.
C.Scale the ElastiCache cluster by adding more nodes or using a larger node type.
D.Review the application's cache key design and ensure that data is evenly distributed across shards.
E.Enable Multi-AZ replication for the ElastiCache cluster.
AnswersA, C, D

CPU utilization and cache hit ratio help identify performance bottlenecks.

Why this answer

Options A, C, and D are correct. Option A helps identify a CPU bottleneck or a low cache hit ratio. Option C scales the cluster for the increased load.

Option D distributes the load evenly across shards. Option E is wrong because Multi-AZ is for high availability, not performance. Option B is wrong because encryption in transit addresses security, not performance.

1195
MCQhard

A developer notices that an application is generating duplicate entries in a DynamoDB table. The application uses a Lambda function triggered by an SQS queue. Messages are processed with at-least-once delivery. Which design change will reduce duplicates?

A.Increase the visibility timeout of the SQS queue.
B.Use a FIFO SQS queue with content-based deduplication.
C.Use DynamoDB Transactions to ensure atomic writes.
D.Implement idempotent processing by checking a condition expression in DynamoDB PutItem.
AnswerD

Idempotent writes using ConditionExpression prevent duplicate inserts.

Why this answer

SQS provides at-least-once delivery, so duplicates are possible. Making the Lambda function idempotent using a unique message deduplication ID (e.g., using the message ID as a condition in DynamoDB) prevents duplicates.
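The difference between a naive write and the idempotent conditional write described above, as an added example that is not part of the original question bank. It uses an in-memory stand-in for a boto3 DynamoDB Table (constructed for this example so it runs offline; the put_item call shape is the same) and a constructed two-message SQS batch that is delivered twice to mimic at-least-once redelivery.

```python
"""Idempotent SQS -> Lambda -> DynamoDB handler (added example, not AWS code).

The naive handler mints a new item key per invocation, so a redelivered batch
stores every record twice. The idempotent handler keys the item on the SQS
messageId and writes with ConditionExpression="attribute_not_exists(messageId)",
treating the ConditionalCheckFailedException raised on redelivery as "already
processed".
"""
import json
import uuid


class ConditionalCheckFailedException(Exception):
    """Mirrors the DynamoDB error raised when a ConditionExpression is false.

    With boto3 the same error surfaces as
    table.meta.client.exceptions.ConditionalCheckFailedException.
    """


class InMemoryTable:
    """Constructed stand-in for a boto3 DynamoDB Table.

    Supports put_item with the single condition this handler uses so the
    example runs offline.
    """

    def __init__(self, key_name):
        self.key_name = key_name
        self.items = {}

    def put_item(self, Item, ConditionExpression=None):
        key = Item[self.key_name]
        if (ConditionExpression == f"attribute_not_exists({self.key_name})"
                and key in self.items):
            raise ConditionalCheckFailedException(key)
        self.items[key] = dict(Item)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def naive_handler(event, table):
    """New key per processed record: a redelivered message becomes a duplicate row."""
    for record in event["Records"]:
        body = json.loads(record["body"])
        table.put_item(Item={"orderLineId": str(uuid.uuid4()), **body})
    return len(event["Records"])


def idempotent_handler(event, table):
    """SQS messageId as the item key plus a conditional put.

    Returns 'inserted' or 'duplicate' per record; both mean the record is
    processed, so the batch is acknowledged either way.
    """
    outcomes = []
    for record in event["Records"]:
        body = json.loads(record["body"])
        item = {"messageId": record["messageId"], **body}
        try:
            table.put_item(Item=item,
                           ConditionExpression="attribute_not_exists(messageId)")
            outcomes.append("inserted")
        except ConditionalCheckFailedException:
            # Redelivery: the first attempt already stored this message.
            outcomes.append("duplicate")
    return outcomes


# Constructed SQS event with two messages; Lambda may receive it more than once.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "msg-0001", "body": json.dumps({"orderId": "A100", "qty": 2})},
        {"messageId": "msg-0002", "body": json.dumps({"orderId": "A101", "qty": 1})},
    ]
}


def simulate_redelivery():
    """Deliver the same batch twice to each handler and report the row counts."""
    naive_table = InMemoryTable("orderLineId")
    naive_handler(SAMPLE_EVENT, naive_table)
    naive_handler(SAMPLE_EVENT, naive_table)  # redelivery

    safe_table = InMemoryTable("messageId")
    first = idempotent_handler(SAMPLE_EVENT, safe_table)
    second = idempotent_handler(SAMPLE_EVENT, safe_table)  # redelivery
    return {
        "naive_rows": len(naive_table.items),      # every delivery stored
        "idempotent_rows": len(safe_table.items),  # one row per message
        "first_pass": first,
        "second_pass": second,
    }


if __name__ == "__main__":
    print(json.dumps(simulate_redelivery(), indent=2))
```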

1196
MCQhard

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with a policy that allows s3:GetObject on the bucket. However, the application receives an AccessDenied error. The bucket policy is as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/AppRole"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }

The EC2 instance is using the correct IAM role. What is the most likely cause of the error?

A.The bucket uses default encryption with SSE-S3, and the application does not support it.
B.The IAM role attached to the EC2 instance has a different ARN than the one specified in the bucket policy.
C.The IAM role policy allows s3:GetObject, but the bucket policy also must allow it, which it does.
D.The bucket policy requires MFA, but the application does not provide it.
AnswerB

Mismatch in role ARN causes denial.

Why this answer

Option C is correct because the bucket policy explicitly allows only the role with the exact ARN 'arn:aws:iam::123456789012:role/AppRole'. If the instance's role ARN is different, the request is denied. Option A is wrong because S3 does not require SSE for GetObject.

Option B is wrong because MFA is not specified in the error. Option D is wrong because IAM role policies and bucket policies are evaluated separately; an allow in the bucket policy must match the principal.
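An added example (not from the question bank) that checks the bucket policy from this question against a request: the principal ARN must match the policy's Principal exactly, so a role with any other ARN gets an implicit deny, which S3 reports as AccessDenied. The evaluator models only Allow statements with an explicit AWS principal, which is all this policy contains; the second role ARN (AppRoleV2) is a constructed value.

```python
"""Minimal evaluation of the question's S3 bucket policy (added example)."""
from fnmatch import fnmatchcase

# The bucket policy exactly as given in the question.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def bucket_policy_allows(policy, principal_arn, action, resource):
    """Return True if some Allow statement names this principal, action and resource.
    No matching Allow means an implicit deny (S3 returns AccessDenied).
    Only dict-form Principals with an "AWS" key are modelled (an assumption here)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue  # the ARN mismatch from the question ends here
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        return True
    return False


if __name__ == "__main__":
    for role in ("AppRole", "AppRoleV2"):  # AppRoleV2 is a constructed mismatch
        arn = f"arn:aws:iam::123456789012:role/{role}"
        ok = bucket_policy_allows(BUCKET_POLICY, arn, "s3:GetObject", "arn:aws:s3:::my-bucket/a.txt")
        print(role, "->", "Allow" if ok else "AccessDenied (implicit deny)")
```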

1197
MCQmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The environment is currently running a previous version. The developer uploads a new application version and deploys it to the environment. After the deployment, the environment health status turns 'Severe' and the new version is not accessible. The developer needs to quickly revert to the previous working version. What should the developer do?

A.Create a new environment with the previous version and swap CNAMEs.
B.Use the Elastic Beanstalk console to deploy the previous application version.
C.Roll back the environment configuration to a previous saved configuration.
D.Terminate the environment and launch a new one with the previous version.
AnswerB

Elastic Beanstalk supports deploying a specific version directly.

Why this answer

Option B is correct because Elastic Beanstalk allows you to deploy a previous application version directly from the console or CLI without creating a new environment. This action replaces the current application version in the existing environment, restoring the previously working code and resolving the health status. It is the fastest and most straightforward way to revert while preserving the environment's configuration and resources.

Exam trap

The trap here is that candidates confuse 'deploying a previous application version' (which directly fixes the code) with 'rolling back environment configuration' (which only affects settings), leading them to incorrectly choose Option C.

How to eliminate wrong answers

Option A is wrong because creating a new environment and swapping CNAMEs is an unnecessary, time-consuming process that introduces a new environment with its own resources and potential configuration drift, whereas a simple version rollback achieves the same result instantly. Option C is wrong because rolling back the environment configuration reverts settings like instance type or scaling rules, not the application version; the application code remains the broken version. Option D is wrong because terminating the environment and launching a new one with the previous version destroys all existing resources (e.g., RDS database if attached, logs, monitoring data) and requires reconfiguration, which is far more disruptive than a direct version deployment.

1198
MCQhard

A company is using AWS Lambda to process messages from an Amazon SQS queue. The Lambda function is configured with a reserved concurrency of 10. The SQS queue receives a burst of 1000 messages. The Lambda function processes each message in about 5 seconds. What is the most likely behavior of the system?

A.Lambda rejects the messages and sends them to the dead-letter queue.
B.Lambda automatically scales up to 1000 concurrent executions to process all messages quickly.
C.Lambda increases the reserved concurrency to accommodate the burst.
D.Lambda processes up to 10 messages concurrently, and the rest remain in the queue until processing capacity is available.
AnswerD

With reserved concurrency of 10, only 10 functions run at a time; remaining messages wait in the queue.

Why this answer

The correct answer is D. Lambda will poll the SQS queue, but with reserved concurrency of 10, only 10 Lambda functions can run concurrently. The remaining messages will remain in the queue until the running functions finish.

Option A is wrong because Lambda does not block the queue. Option B is wrong because Lambda does not scale beyond reserved concurrency. Option C is wrong because Lambda does not automatically increase concurrency beyond the limit.

1199
Multi-Selecteasy

A developer needs to securely store database credentials and retrieve them programmatically from a Lambda function. Which AWS services can be used for this purpose? (Choose TWO.)

Select 2 answers
A.AWS Systems Manager Parameter Store (SecureString)
B.AWS Secrets Manager
C.AWS CloudFormation
D.AWS Identity and Access Management (IAM)
E.Amazon S3
AnswersA, B

Both services can store encrypted parameters.

Why this answer

Options A and D are correct. AWS Secrets Manager and AWS Systems Manager Parameter Store (SecureString) are designed to securely store secrets and retrieve them programmatically. Option B (CloudFormation) is for infrastructure as code.

Option C (S3) is for object storage, not secure secrets management. Option E (IAM) is for permissions, not for storing secrets.

1200
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to an Amazon ECS service with the Fargate launch type. The deployment uses a blue/green strategy. After the new task set is created and passes the initial health checks, the traffic is shifted to the new task set. However, the new task set is immediately replaced by the old one after a few minutes, causing a rollback. What is the most likely reason?

A.The lifecycle hooks for the new task set are failing.
B.The target group for the new task set is not configured correctly.
C.The deployment group's rollback configuration triggers due to alarm threshold.
D.The new task set fails the post-traffic shift validation tests.
AnswerD

CodeDeploy performs validation after traffic shift; if the validation fails (e.g., health check failure or Lambda hook failure), it triggers an automatic rollback to the original task set.

Why this answer

Option D is correct because in a blue/green deployment on ECS with CodeDeploy, after traffic is shifted to the new task set, CodeDeploy runs post-traffic shift validation tests (e.g., via Lambda hooks or target group health checks). If these tests fail, CodeDeploy automatically triggers a rollback by replacing the new task set with the original (old) task set. This matches the described behavior where the new task set is immediately replaced after a few minutes.

Exam trap

The trap here is that candidates often confuse pre-traffic shift hooks (which prevent traffic from being shifted) with post-traffic shift hooks (which cause a rollback after traffic is already shifted), leading them to incorrectly select lifecycle hook failures or target group misconfiguration.

How to eliminate wrong answers

Option A is wrong because lifecycle hooks (e.g., BeforeAllowTraffic, AfterAllowTraffic) run before or during traffic shifting, not after the new task set is already serving traffic; failing hooks would prevent traffic from being shifted in the first place, not cause a delayed rollback. Option B is wrong because if the target group for the new task set were misconfigured, the initial health checks would fail and traffic would never be shifted to the new task set; the scenario states traffic is shifted successfully. Option C is wrong because alarm-based rollback would require a CloudWatch alarm to be explicitly configured in the deployment group's rollback settings, and the question does not mention any alarm being triggered; the immediate replacement after a few minutes is characteristic of a validation test failure, not an alarm threshold breach.
