AWS Certified Developer Associate (DVA-C02) — Questions 1201-1275

1616 questions total · 22 pages · All types, answers revealed

Page 17 of 22

1201
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application experiences high latency during peak hours. The developer wants to scale the application automatically based on CPU utilization. Which configuration should the developer use?

A.Configure an Auto Scaling step scaling policy based on MemoryReservation metric.
B.Use AWS CloudFront to cache responses and reduce load on the application.
C.Configure an Auto Scaling simple scaling policy based on Average CPU Utilization > 70% for scale-out and < 30% for scale-in.
D.Configure an Auto Scaling target tracking policy based on NetworkIn metric.
Answer: C

Correct approach using CPU utilization thresholds.

Why this answer

Elastic Beanstalk environments run on an Auto Scaling group, so scaling is configured through that group's policies (in the console under Configuration > Capacity, or in .ebextensions with the aws:autoscaling:trigger namespace). Option C configures exactly what is asked: scale out when average CPUUtilization exceeds 70% and scale in when it drops below 30%. Option A uses the wrong metric (memory, which EC2 does not even publish to CloudWatch without the CloudWatch agent).

Option B moves cacheable responses to a CDN but does not scale the application tier. Option D scales on NetworkIn, not CPU.

1202
MCQ · medium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all objects uploaded to a specific S3 bucket must be encrypted with a specific KMS key (key ID: xyz). The developer needs to enforce this by denying any PutObject request that does not use the correct key. Which bucket policy condition should be used?

A.s3:x-amz-server-side-encryption-aws-kms-key-id
B.kms:EncryptionContext
C.s3:EncryptionAlgorithm
D.kms:GrantOperations
Answer: A

This condition checks the KMS key ID used for SSE-KMS encryption, allowing you to enforce a specific key.

Why this answer

Option A is correct because the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key carries the KMS key that an SSE-KMS `PutObject` request names. A bucket policy statement with `Effect: Deny` on `s3:PutObject` and a `StringNotEquals` condition on that key against the approved key rejects any upload that names a different key and, because a negated condition also matches when the key is absent from the request context, any upload that sends no SSE-KMS key at all. Use the full key ARN as the condition value rather than the bare key ID.

Exam trap

The trap here is confusing S3-specific condition keys (like `s3:x-amz-server-side-encryption-aws-kms-key-id`) with KMS condition keys (like `kms:EncryptionContext`), leading candidates to pick a KMS condition key that does not apply to S3 bucket policies.

How to eliminate wrong answers

Option B is wrong because `kms:EncryptionContext` is a condition key used to control access based on the encryption context in KMS API calls (e.g., `Encrypt`, `Decrypt`), not to enforce the KMS key ID used for S3 object encryption. Option C is wrong because `s3:EncryptionAlgorithm` is not a valid S3 condition key; S3 uses `s3:x-amz-server-side-encryption` to specify the encryption type (e.g., AES256 or aws:kms), not the algorithm. Option D is wrong because `kms:GrantOperations` is a condition key used to restrict the operations allowed in a KMS grant, not to enforce the KMS key ID in S3 PutObject requests.

1203
MCQ · easy

A Lambda function that processes S3 events is failing with timeout errors. The function downloads a 100 MB file from S3 and processes it. The current timeout is 30 seconds. What is the most cost-effective way to troubleshoot this issue?

A.Use a larger EC2 instance type instead of Lambda
B.Increase the function timeout to 5 minutes
C.Provision a dedicated Lambda instance for the function
D.Increase the function memory allocation to 2048 MB
Answer: D

More memory provides more CPU, reducing processing time and cost.

Why this answer

Option D is correct because Lambda allocates CPU in proportion to configured memory (a full vCPU at 1,769 MB), so raising memory shortens the download and the processing; billing is memory multiplied by duration, so a run that finishes several times faster costs about the same or less. Option B is wrong because although Lambda allows timeouts up to 15 minutes, a longer timeout only lets a slow run keep billing; it does not make the work finish sooner and should be paired with a memory increase, not used instead of one. Option A is wrong because moving to EC2 abandons the serverless design and is not a troubleshooting step.

Option C is wrong because Lambda has no dedicated-instance option; provisioned concurrency pre-initialises execution environments but does not give them more CPU.

1204
Multi-Select · easy

Which TWO of the following are valid use cases for Amazon S3 event notifications?

Select 2 answers
A.Automatically replicate objects to another bucket
B.Automatically delete objects after 30 days
C.Encrypt objects automatically with KMS
D.Send a notification to an SQS queue when a new object is created
E.Trigger a Lambda function to process an image after upload
Answers: D, E

S3 can publish events to SQS.

Why this answer

S3 event notifications can invoke Lambda functions and publish messages to SQS queues and SNS topics (and to EventBridge). Options D and E are correct. Option A is cross-region or same-region replication, configured separately. Option B is a lifecycle rule. Option C is default bucket encryption, not an event.

1205
MCQ · easy

A developer is using AWS CloudFront to serve static content. Users in some geographic regions report slow load times. Which CloudFront feature can the developer use to reduce latency for these users?

A.Change the CloudFront price class to include all edge locations.
B.Create multiple origins in different regions.
C.Enable S3 Transfer Acceleration on the origin S3 bucket.
D.Use Lambda@Edge to optimize content delivery.
Answer: A

Price Class All ensures CloudFront uses all edge locations, reducing latency for users in all regions.

Why this answer

CloudFront's price class controls which edge locations serve a distribution. Price Class 100 and Price Class 200 exclude the more expensive regions, so viewers there are routed to a farther edge location and see higher latency. Setting Price Class All (option A) lets CloudFront serve from every edge location, which is the fix for geography-specific slowness of static content.

Option B is wrong because multiple origins route different paths to different backends; they do not move content closer to viewers, and the edge-to-viewer leg is what is slow here. Option C is wrong because S3 Transfer Acceleration speeds up transfers made directly against S3 endpoints, not CloudFront delivery.

Option D is wrong because Lambda@Edge runs code at the edge; it adds compute per request and does not add edge locations. Origin Shield and the regional edge caches reduce load on the origin and raise the cache hit ratio, but they do not change which edge a viewer connects to.

1206
MCQ · hard

Refer to the exhibit (not reproduced on this page). A developer is creating an IAM policy for a CI/CD service to deploy to CodeDeploy. The policy allows creating deployments and registering application revisions. However, deployments fail with an access denied error. What is the missing permission?

A.codedeploy:ListDeployments
B.codedeploy:BatchGetDeployments
C.codedeploy:StopDeployment
D.codedeploy:UpdateDeploymentGroup
Answer: D

UpdateDeploymentGroup may be needed if the deployment group is being modified.

Why this answer

Option D is correct per the answer key: if the pipeline also modifies the deployment group (for example to point it at a new target group or change its settings), `codedeploy:UpdateDeploymentGroup` is required and its absence produces an access denied error. Option A (`ListDeployments`) is a read-only call; missing it would affect status reporting, not deployment creation.

Option B (`BatchGetDeployments`) is likewise read-only. Option C (`StopDeployment`) is only needed to halt a running deployment. In practice, confirm the denied action from the AccessDenied message or from the matching CloudTrail event before adding it, rather than widening the policy to `codedeploy:*`.

1207
MCQ · easy

A developer is deploying a new version of a Lambda function using an alias for blue/green deployment. Traffic is gradually shifted to the new version. During the shift, a high error rate is observed. What should the developer do to minimize impact?

A.Use the Lambda function's provisioned concurrency to pre-warm the new version.
B.Manually revert the alias to point back to the old version.
C.Configure the alias with a canary deployment and an error rate alarm for automatic rollback.
D.Delete the new version and redeploy after fixing the issue.
Answer: C

Canary deployment with alarm-based rollback minimizes impact.

Why this answer

Option C is correct because it automates the rollback process using AWS CodeDeploy's canary deployment with an Amazon CloudWatch alarm on the error rate. When the alarm triggers, CodeDeploy automatically shifts traffic back to the previous version, minimizing impact without manual intervention. This is the recommended approach for safe blue/green deployments with Lambda aliases.

Exam trap

The trap here is that candidates may think manual reversion (Option B) is the simplest fix, but the exam emphasizes automated rollback strategies (like canary deployments with alarms) as the best practice for minimizing impact during blue/green deployments.

How to eliminate wrong answers

Option A is wrong because provisioned concurrency pre-warms execution environments to reduce cold starts, but it does not address a high error rate during traffic shifting; errors are typically caused by code defects, not cold starts. Option B is wrong because manually reverting the alias is a valid fallback but is slower and error-prone compared to an automated rollback; the question asks to minimize impact, and manual reversion introduces delay and potential for human error. Option D is wrong because deleting the new version and redeploying after fixing the issue is a reactive approach that does not minimize impact during the shift; it requires manual intervention and does not provide automatic recovery.

1208
Multi-Select · hard

A company uses AWS CloudFormation to deploy infrastructure. A developer needs to update a stack that includes an RDS DB instance. The update requires modifying the DB instance's DB engine version. Which THREE strategies can the developer use to minimize downtime during the update?

Select 3 answers
A.Use the RDS modify-db-instance command to upgrade the engine version in-place.
B.Update the stack directly by modifying the DB engine version property in the template.
C.Use RDS Blue/Green Deployments to create a staging environment, apply the change, and switch over.
D.Delete the current stack and create a new stack with the new engine version.
E.Create a read replica with the new engine version, promote it to primary, and update the stack to point to the new instance.
Answers: A, C, E

In-place upgrade may cause a brief downtime but is a valid strategy if the downtime is acceptable.

Why this answer

Options A, C and E are correct. Option A: `aws rds modify-db-instance --engine-version ...` (applied immediately or in the maintenance window) upgrades in place and keeps the data; the instance restarts, so expect a short outage and take a snapshot first. Changing the instance outside the template also creates stack drift, so align the template afterwards. Option E: a read replica created on the new engine version can be promoted and the stack updated to reference it.

Option C: RDS Blue/Green Deployments create a synchronised staging copy, let you upgrade and test it, then switch over with a cutover that typically takes under a minute. Option B is incorrect because editing `EngineVersion` in the template simply performs the same in-place upgrade during the stack update, with no downtime mitigation. Option D is incorrect because deleting the stack deletes the DB instance (unless a DeletionPolicy of Retain or Snapshot is set) and takes the database offline.

1209
MCQ · medium

A developer is managing an application running on Amazon EC2 instances behind an Application Load Balancer. Users report that the application becomes unresponsive after several hours, and restarting the instance temporarily fixes the issue. The developer suspects a memory leak but cannot add custom instrumentation. Which AWS service can collect memory utilization metrics and help identify the memory leak with minimal configuration?

A.Use Amazon CloudWatch Logs agent to capture application logs.
B.Use the EC2 instance metadata service to query memory usage.
C.Install the CloudWatch agent on the EC2 instances to collect memory metrics and emit them to CloudWatch.
D.Use AWS X-Ray to trace memory allocation.
Answer: C

Correct. The CloudWatch agent can collect memory metrics and send them to CloudWatch for monitoring.

Why this answer

The CloudWatch agent can collect custom metrics, including memory utilization, from EC2 instances and publish them to Amazon CloudWatch. This allows the developer to monitor memory usage over time and identify a memory leak without modifying the application code. The default EC2 metrics do not include memory utilization, so the CloudWatch agent is the minimal-configuration solution for this requirement.

Exam trap

The trap here is that candidates assume EC2 automatically provides memory metrics in CloudWatch, but in reality, only CPU, network, and disk metrics are available by default; memory requires the CloudWatch agent.

How to eliminate wrong answers

Option A is wrong because the CloudWatch Logs agent captures application logs, not memory utilization metrics; logs could indirectly indicate issues but do not provide direct memory metrics needed to identify a leak. Option B is wrong because the EC2 instance metadata service provides information about the instance itself (e.g., instance ID, AMI ID) but does not expose memory utilization data; it is not a monitoring service for OS-level metrics. Option D is wrong because AWS X-Ray traces requests and identifies performance bottlenecks in distributed applications, not memory allocation or utilization; it is designed for tracing, not OS-level resource monitoring.

1210
MCQ · medium

A developer is troubleshooting a DynamoDB table that is experiencing high write throttling (ProvisionedThroughputExceededException) on certain days. The table has provisioned write capacity of 1000 WCU. The table has a partition key of 'user_id' which is a UUID. The table is accessed by multiple services. CloudWatch metrics show that the WriteThrottleEvents are spiking during specific hours, and the ConsumedWriteCapacityUnits often reaches 1000. What is the most likely cause of the throttling?

A.The partition key is not distributed evenly, causing a hot partition.
B.The provisioned write capacity is insufficient to handle the traffic spikes.
C.The table does not have DynamoDB Accelerator (DAX) enabled.
D.The table is configured with eventual consistency, which throttles writes.
Answer: B

The consumed capacity is reaching the provisioned limit, causing throttling.

Why this answer

The correct answer is B because the ConsumedWriteCapacityUnits consistently reaches the provisioned 1000 WCU during specific hours, and WriteThrottleEvents spike at those same times. This indicates that the provisioned capacity is insufficient to handle peak traffic, causing requests to be throttled. The partition key (UUID) is well-distributed, so a hot partition is unlikely.

Exam trap

The trap here is that candidates reach for a hot partition (Option A) whenever throttling appears. A UUID partition key spreads writes evenly, and the metrics show table-level consumption reaching the provisioned ceiling at the same times the throttling spikes, which points to insufficient capacity rather than key skew.

How to eliminate wrong answers

Option A is wrong because the partition key is a UUID, which is inherently random and evenly distributes writes across partitions, making a hot partition improbable. The telltale sign of a hot partition is the opposite pattern: throttle events while table-level ConsumedWriteCapacityUnits stays well below the provisioned amount, because a single partition is hitting its own 1,000 WCU ceiling. Option C is wrong because DAX is an in-memory cache for reads, not writes, and does not affect write throttling or provisioned write capacity. Option D is wrong because eventual consistency applies only to reads, not writes; writes are always strongly consistent and throttling is based on write capacity, not consistency settings. For the situation described, the fixes are DynamoDB auto scaling, a higher provisioned value for the known busy hours, or on-demand capacity mode.
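
Worked example, added here and not part of the original question bank: a Python triage function that applies the reasoning above to constructed one-minute CloudWatch datapoints. The metric values are invented for illustration; the one real detail encoded is that ConsumedWriteCapacityUnits and WriteThrottleEvents are Sum statistics over the period, so the sum must be divided by the period length before comparing against the per-second provisioned WCU. The same rule separates the capacity-exhaustion pattern in the question from the hot-partition pattern (throttles while table-level consumption stays low).

```python
from dataclasses import dataclass

# Constructed one-minute CloudWatch datapoints (not real metrics).
# ConsumedWriteCapacityUnits and WriteThrottleEvents are Sum statistics over
# the period; provisioned WCU is a per-second rate, so the consumed sum is
# divided by the period length before comparing the two.
PERIOD_SECONDS = 60
PROVISIONED_WCU = 1000

SAMPLES = [
    # (hour, ConsumedWriteCapacityUnits summed over the period, WriteThrottleEvents)
    ("02:00", 12_000, 0),      # 200 WCU/s, no throttling
    ("09:00", 58_000, 0),      # 967 WCU/s, close to the ceiling but not throttled
    ("10:00", 60_000, 840),    # 1000 WCU/s with throttles: table capacity exhausted
    ("11:00", 60_000, 1_210),  # same pattern
    ("15:00", 9_000, 310),     # 150 WCU/s yet throttled: one partition is hot
]


@dataclass(frozen=True)
class Finding:
    hour: str
    consumed_per_second: float
    throttles: int
    verdict: str


def diagnose(samples, provisioned_wcu=PROVISIONED_WCU, period=PERIOD_SECONDS,
             saturation=0.9):
    """Classify each datapoint.

    'table_capacity' -> throttles while table-level consumption is at or near
                        the provisioned rate (the situation in the question)
    'hot_partition'  -> throttles while table-level consumption is well below
                        the provisioned rate; one partition is taking the hits
    'ok'             -> no throttles in the period
    """
    findings = []
    for hour, consumed_sum, throttles in samples:
        rate = consumed_sum / period
        if throttles == 0:
            verdict = "ok"
        elif rate >= saturation * provisioned_wcu:
            verdict = "table_capacity"
        else:
            verdict = "hot_partition"
        findings.append(Finding(hour, rate, throttles, verdict))
    return findings


def summarize(findings):
    """Count verdicts so it is obvious which problem dominates the window."""
    counts = {}
    for finding in findings:
        counts[finding.verdict] = counts.get(finding.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in diagnose(SAMPLES):
        print(f"{f.hour} {f.consumed_per_second:7.1f} WCU/s "
              f"throttles={f.throttles:5d} -> {f.verdict}")
    print(summarize(diagnose(SAMPLES)))
```

With real data, pull both metrics with the same period and Sum statistic from GetMetricData; if the table has DynamoDB auto scaling, also plot ProvisionedWriteCapacityUnits, since the ceiling moves.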

1211
MCQ · medium

A developer is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The developer uses AWS CodeDeploy to deploy new application versions. The deployment group is configured with an in-place deployment. The developer wants to ensure that the deployment does not cause any downtime. Which additional configuration is required?

A.Change the deployment type to blue/green deployment.
B.Set the minimum healthy hosts percentage to 100%.
C.Configure the CodeDeploy deployment group to enable load balancer deregistration and re-registration.
D.Create an Auto Scaling group and configure the deployment to use a rolling update.
Answer: C

This ensures traffic is routed away from instances being updated, preventing downtime.

Why this answer

Option C is correct: when a deployment group for an in-place deployment is associated with the ALB target group, CodeDeploy deregisters each instance (waiting for deregistration delay) before the deployment lifecycle starts on it, installs the revision, and re-registers the instance once it passes the target group health check, so live traffic is never routed to an instance mid-update. Pair this with a minimum healthy hosts value that keeps enough capacity in service while instances are rotated through. Option A is wrong because blue/green is an alternative deployment type, and the question keeps in-place.

Option B is wrong because a minimum healthy hosts setting of 100% leaves CodeDeploy no instance it may take out of service, and the setting does not drain traffic in any case. Option D is wrong because an Auto Scaling group is not required for a zero-downtime in-place deployment, and 'rolling update' is an Auto Scaling and CloudFormation concept rather than a CodeDeploy setting.

1212
MCQ · medium

A company is using AWS CodeBuild to compile and test a Java application. The build takes 15 minutes, but the company wants to reduce build time by caching dependencies. Which file should the developer modify to enable caching in the build project?

A.CodeBuild console settings
B.pom.xml
C.buildspec.json
D.buildspec.yml
Answer: D

buildspec.yml includes cache.paths to cache directories.

Why this answer

Option D is correct because caching is declared in buildspec.yml under the `cache` section, for example `cache: paths: - '/root/.m2/**/*'` for Maven dependencies. The project must also have a cache type (S3 or local) enabled for those paths to be used. Option B is wrong because pom.xml configures the Maven build itself, not CodeBuild's cache. Option C is wrong because buildspec.json is not a recognised build specification file; CodeBuild reads buildspec.yml (or the YAML file named in the project).

Option A is wrong because the console settings only enable the cache type, and the question asks which *file* to modify.

1213
MCQ · easy

A developer wants to encrypt data in transit between an application and an S3 bucket. Which option achieves this?

A.Enable server-side encryption with S3 managed keys (SSE-S3).
B.Configure an IAM policy to require encryption.
C.Use HTTPS when making requests to S3.
D.Use AWS KMS to encrypt the data before upload.
Answer: C

HTTPS encrypts data in transit.

Why this answer

Option C is correct because HTTPS (TLS) encrypts the connection between the application and the S3 endpoint, which is what 'in transit' means. Option A is wrong because SSE-S3 encrypts objects at rest. Option D is wrong because client-side encryption with KMS protects the payload before upload but is not transport encryption, and the request should still be sent over HTTPS.

Option B is wrong because IAM controls access; a policy can require TLS with the `aws:SecureTransport` condition, but it does not itself encrypt anything.

1214
MCQ · medium

A development team is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with a 'HealthCheck' error. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). What is the MOST likely cause of this error?

A.The ALB target group health check is misconfigured or the application is not responding to health check requests.
B.The EC2 instances do not have the correct IAM instance profile attached.
C.The deployment configuration is set to 'AllAtOnce' which does not support health checks.
D.The deployment group is not configured with the ALB target group.
Answer: A

CodeDeploy uses ALB health checks to validate instance health; a failing health check causes the deployment to fail.

Why this answer

Option A is correct because when a deployment group is attached to an ALB target group, CodeDeploy re-registers each instance after installing the revision and waits for it to pass the target group's health check; if the health check path, port or success codes are wrong, or the new build does not respond, the instance is reported unhealthy and the deployment fails. Option B is wrong because a missing or under-privileged instance profile stops the CodeDeploy agent from downloading the revision from S3, which fails earlier, in the DownloadBundle lifecycle event, with a different error.

Option C is wrong because AllAtOnce only changes how many instances are deployed to at once; health checks still apply. Option D is wrong because without a target group in the deployment group CodeDeploy would not perform load balancer health checks at all, so it could not report a health check error.

1215
MCQ · medium

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API requires that the same Lambda function handle different HTTP methods (GET, POST, DELETE) for the same resource. The developer wants to minimize code and configuration. Which integration type should the developer use?

A.Lambda proxy integration
B.Lambda custom integration
C.HTTP integration
D.Mock integration
Answer: A

With proxy integration, the whole request is passed to Lambda, allowing the function to handle multiple methods with minimal API Gateway setup.

Why this answer

Lambda proxy integration (option A) is correct because it automatically passes the entire HTTP request (method, headers, query parameters, path parameters) to the Lambda function as a single event object, allowing the same function to inspect the `httpMethod` field and branch logic for GET, POST, DELETE without any additional API Gateway mapping or transformation configuration. This minimizes both code (the function handles routing internally) and configuration (no need to define separate integration requests/responses per method).

Exam trap

The trap here is that candidates often confuse 'custom integration' (option B) with 'proxy integration' (option A), mistakenly thinking custom integration offers more flexibility when in fact it requires more configuration and does not automatically pass the full request context.

How to eliminate wrong answers

Option B (Lambda custom integration) is wrong because it requires you to explicitly define request/response mapping templates for each HTTP method, increasing configuration complexity and defeating the goal of minimizing code and configuration. Option C (HTTP integration) is wrong because it proxies requests to an HTTP endpoint, not to a Lambda function, so it cannot directly invoke the same Lambda for multiple methods without an intermediate HTTP service. Option D (Mock integration) is wrong because it returns a static response defined in API Gateway without invoking any backend, so it cannot handle dynamic business logic for different HTTP methods.
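
Worked example, added here and not the original page's code: a Python Lambda handler of the kind the question describes, branching on the `httpMethod` of the REST API proxy event and always returning the response shape API Gateway requires from a proxy integration. The in-memory ITEMS store stands in for a database and is an assumption of the example; `respond` documents the contract that, if violated, turns into a 502 Bad Gateway at the client.

```python
import json

# Constructed in-memory store standing in for DynamoDB (example only).
ITEMS = {"42": {"id": "42", "name": "widget"}}


def respond(status, body=None):
    """Build the response API Gateway requires from a proxy integration: an
    integer statusCode, string-valued headers and a *string* body. Returning
    anything else (a dict body, a missing statusCode) or raising an unhandled
    exception makes API Gateway answer the client with 502 Bad Gateway."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": "" if body is None else json.dumps(body),
    }


def handler(event, context=None):
    """One Lambda behind one API Gateway resource, dispatching on httpMethod
    (REST API proxy event format)."""
    method = event.get("httpMethod", "")
    item_id = (event.get("pathParameters") or {}).get("id")

    if method == "GET":
        item = ITEMS.get(item_id)
        return respond(200, item) if item else respond(404, {"error": "not found"})

    if method == "POST":
        try:
            payload = json.loads(event.get("body") or "{}")
        except json.JSONDecodeError:
            return respond(400, {"error": "body is not valid JSON"})
        if "id" not in payload:
            return respond(400, {"error": "id is required"})
        ITEMS[payload["id"]] = payload
        return respond(201, payload)

    if method == "DELETE":
        if ITEMS.pop(item_id, None) is None:
            return respond(404, {"error": "not found"})
        return respond(204)

    # A method not wired in API Gateway should still get a well-formed reply;
    # never let an unexpected method raise.
    return respond(405, {"error": f"{method} not allowed"})


def is_valid_proxy_response(resp):
    """Shape check mirroring what API Gateway validates; use it in unit tests
    so a malformed return value is caught before it becomes a 502."""
    return (isinstance(resp, dict)
            and isinstance(resp.get("statusCode"), int)
            and isinstance(resp.get("body", ""), str)
            and all(isinstance(v, str) for v in resp.get("headers", {}).values()))
```

In API Gateway, enable ANY (or the three methods) on the resource with the same Lambda proxy integration; the function above does the routing, so no per-method mapping templates are needed.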

1216
MCQ · hard

A developer attached the IAM policy shown in the exhibit (not reproduced on this page) to an IAM user. The user tries to upload an object to the S3 bucket my-bucket without specifying server-side encryption. What will happen?

A.The upload will succeed because the Deny statement is redundant.
B.The upload will succeed because the Allow statement grants PutObject permission.
C.The upload will succeed but the object will be stored without encryption.
D.The upload will be denied because the Deny statement explicitly denies PutObject without AES256 encryption.
Answer: D

Explicit Deny always overrides Allow.

Why this answer

Option D is correct: the Deny statement's condition (`s3:x-amz-server-side-encryption` not equal to AES256) matches a request that sends no encryption header at all, and an explicit Deny overrides any Allow, so the PutObject is rejected. Option B is incorrect because the Allow grants PutObject only as long as no Deny applies. Option A is incorrect because the Deny is what enforces encryption; it is not redundant.

Option C is incorrect because the request never succeeds, so no unencrypted object is stored. Bucket default encryption does not rewrite the request, so a policy like this still rejects clients that omit the header even though S3 would encrypt the object on its own.

1217
MCQ · easy

A developer wants to securely store database credentials for a Lambda function. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3 with server-side encryption
D.Amazon DynamoDB
Answer: A

Secrets Manager is purpose-built for secrets management.

Why this answer

Option A is correct because Secrets Manager is purpose-built for secrets: values are encrypted with KMS, access is controlled by IAM and resource policies, and rotation is built in through a Lambda rotation function. Option B is a reasonable alternative for static secrets (a SecureString parameter is KMS-encrypted) but has no native rotation. Option D is wrong because DynamoDB is a database, not a secret store.

Option C is wrong because S3 is object storage; even with server-side encryption it lacks secret-specific access controls, auditing and rotation.

1218
MCQ · medium

A developer is deploying an application on Amazon EC2 instances that need to securely retrieve secrets from AWS Secrets Manager. What is the MOST secure way to provide the necessary permissions without hardcoding credentials?

A.Store the secret in an environment variable.
B.Attach an IAM role to the EC2 instance with permission to access Secrets Manager.
C.Embed the secret in the application code.
D.Use a configuration file stored in S3 with bucket policy.
Answer: B

IAM roles provide temporary credentials securely; the application can use the AWS SDK to fetch secrets without hardcoding.

Why this answer

Attaching an IAM role to the EC2 instance is the most secure method because it leverages temporary security credentials obtained via the EC2 instance metadata service (IMDS). This eliminates the need to hardcode, embed, or store any long-term credentials on the instance, adhering to the AWS Well-Architected Framework's security pillar. The IAM role's policy grants the instance precise permissions to call Secrets Manager APIs like GetSecretValue, ensuring least privilege. Require IMDSv2 on the instance (`--http-tokens required` in the instance metadata options) so that the credentials endpoint cannot be read by a plain GET from an SSRF-style request.

Exam trap

The trap here is that candidates may think environment variables or S3 configuration files are secure enough, but the exam emphasizes that any form of static credential storage (including environment variables) is insecure compared to IAM roles, which provide automatic, temporary, and rotated credentials.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment variable still exposes the secret in plaintext within the instance's process space and can be read by any user or process with access to the environment, violating security best practices. Option C is wrong because embedding the secret in application code hardcodes the credential, making it visible in source control, logs, or binary analysis, and prevents rotation without redeployment. Option D is wrong because using a configuration file stored in S3 with a bucket policy does not inherently provide secure access; the EC2 instance would still need credentials to retrieve the file, and the bucket policy alone cannot grant permissions to the instance without an IAM role or user, while also exposing the secret in transit and at rest if not encrypted.

1219
MCQ · hard

A company uses AWS KMS with imported key material. The key material is expired. What must the developer do to continue using the KMS key?

A.Use the existing key until it expires
B.Create a new KMS key and re-import the same key material
C.Enable automatic key rotation
D.Delete the existing key and create a new one with new key material
Answer: D

You must create a new key and import the new key material.

Why this answer

Imported key material has an expiry you set at import time. When it expires, KMS deletes the material and the key moves to the PendingImport state, so cryptographic operations with it fail. The only way to make that same key usable again is to re-import the identical key material; a KMS key never accepts different material. If new key material is wanted, a new KMS key must be created and the data re-encrypted under it, which is Option D. Option A is wrong because the material has already expired and the key is unusable. Option B is wrong because importing the same material into a new key produces a different key; ciphertext is bound to the key ID it was encrypted under, so this does not restore the old key.

Option C is wrong because automatic key rotation is not supported for keys with imported key material.

1220
MCQ · easy

A developer needs to store application logs from multiple EC2 instances in a centralized location for analysis. The logs should be retained for 90 days. Which AWS service should be used to collect and store the logs?

A.Amazon Kinesis Data Firehose
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon S3 with S3 Server Access Logs
Answer: B

CloudWatch Logs can collect, store, and retain logs with configurable retention.

Why this answer

Option B is correct because the CloudWatch agent (or the older CloudWatch Logs agent) ships application log files from each instance into a log group, and the log group's retention setting can be set to 90 days. Option D is wrong because S3 server access logs record requests made to a bucket, not application output; S3 can be a long-term destination but does not collect logs from instances by itself.

Option A is wrong because Kinesis Data Firehose is a delivery stream into S3 and other destinations and adds unnecessary complexity for simple centralised logging. Option C is wrong because CloudTrail records AWS API activity, not application logs.

1221
MCQ · medium

A company is deploying a new microservice on AWS Lambda behind an API Gateway. The development team wants to ensure that new versions of the Lambda function can be rolled out gradually and automatically rolled back if error rates exceed a threshold. Which deployment strategy should the team use?

A.Use AWS CodeDeploy with a canary deployment strategy that shifts 10% of traffic to the new version for 5 minutes, then shifts the remaining 90%. Configure a CloudWatch alarm to automatically roll back if error rates exceed 2%.
B.Use AWS Lambda function aliases with weighted alias traffic shifting. Update the weights manually and monitor error rates using CloudWatch. Roll back by reverting the alias weights.
C.Use AWS CodeDeploy with a linear deployment strategy that shifts 10% of traffic every 5 minutes. Configure a CloudWatch alarm to monitor error rates and manually roll back if needed.
D.Use AWS CodeDeploy with a blue/green deployment and an Application Load Balancer (ALB) to shift traffic to the new version. Configure CloudWatch alarms to trigger a rollback if errors exceed 5%.
Answer: A

Canary deployment allows gradual traffic shifting and automatic rollback via CloudWatch alarms.

Why this answer

Option A is correct because AWS CodeDeploy supports Lambda traffic-shifting configurations such as Canary10Percent5Minutes, and the deployment group can be configured to roll back automatically when a CloudWatch alarm (for example on the alias's Errors metric) enters the ALARM state. Option B is wrong because manually adjusting alias weights gives gradual shifting but no automatic rollback. Option C is wrong because the linear configuration is also gradual, but as described it relies on a manual rollback, which is what the team wants to avoid.

Option D is wrong because ALB-based blue/green deployments apply to EC2 and ECS targets; Lambda traffic shifting is done through alias weights, not a load balancer.

1222
MCQ · medium

A developer is building a serverless application that processes images uploaded to an S3 bucket. The processing includes generating thumbnails and storing metadata in DynamoDB. The developer wants to ensure that the processing function is triggered only when new objects are created, not when existing objects are updated. Which S3 event notification configuration should be used?

A.Use s3:ObjectCreated:*
B.Use s3:ObjectCreated:Post
C.Use s3:ObjectCreated:Put
D.Use s3:ObjectCreated:Copy
Answer: C

This triggers only on PUT requests, which typically represent new object creation.

Why this answer

Option C is correct per the answer key: s3:ObjectCreated:Put fires for PutObject requests only, while Post (browser form uploads), Copy and CompleteMultipartUpload are separate event types; Option A (ObjectCreated:*) fires for all of them. Option B fires only for POST form uploads. Option D fires only for copy operations.

Note that S3 has no 'object updated' event: a PUT to an existing key replaces the object and also emits ObjectCreated:Put, so the function still runs on overwrites. A function that writes its output back to the same bucket must also filter by prefix or suffix, otherwise its own writes trigger it again.

1223
MCQ · hard

An application uses an Application Load Balancer (ALB) with a target group of EC2 instances. Users report intermittent HTTP 503 errors. The ALB access logs show that the error occurs when the request rate exceeds 10,000 requests per second. What is the most likely cause?

A.The EC2 instances are failing health checks.
B.The SSL certificate is expiring.
C.The ALB is exceeding its connection limit.
D.The target group's connection draining is too short.
Answer: C

A 503 generated by the ALB itself means the load balancer, not a target, could not handle the request; for a known traffic spike, AWS Support can pre-warm the load balancer.

Why this answer

Option C is the answer key's choice: an ALB scales its capacity as traffic grows, but a sudden jump to a sustained 10,000 requests per second can outrun that scaling, and the ALB answers with 503 Service Unavailable when it has no capacity, or no healthy target, to forward the request to. Confirm where the errors originate by comparing the HTTPCode_ELB_5XX_Count and HTTPCode_Target_5XX_Count metrics; only the first counts errors produced by the balancer. Option D is wrong because the deregistration delay (connection draining) only affects instances leaving the target group, and a short value would surface as reset connections during deregistration, not as load-dependent 503s. Option A is wrong because the errors correlate with request rate, not with target health; failing health checks would show in UnHealthyHostCount regardless of load.

Option B is wrong because an expired certificate causes TLS handshake failures, not 503 responses.

1224
MCQ · hard

An organization wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The security team needs to deny any console access if MFA is not enabled. Which IAM policy statement should be used?

A.Deny action '*' unless 'aws:MultiFactorAuthPresent' is true.
B.Deny action '*' if 'aws:MultiFactorAuthPresent' is false.
C.Deny action '*' if 'aws:MultiFactorAuthPresent' is false using BoolIfExists.
D.Allow action '*' if 'aws:MultiFactorAuthPresent' is true.
Answer: B

This explicitly denies access when MFA is not present.

Why this answer

Option B is correct because it uses a Deny statement with the condition 'aws:MultiFactorAuthPresent' set to 'false', which explicitly blocks any action when MFA is not present. This is the standard approach to enforce MFA for console access, as it overrides any Allow policies by default. The Deny effect ensures that even if other policies grant access, the lack of MFA results in denial.

Exam trap

The trap here is the Deny/Allow logic together with the missing-key case. For console sessions the `aws:MultiFactorAuthPresent` key is always present (true or false), so a Deny with `Bool` false is sufficient for the question as asked. `BoolIfExists` extends the same Deny to requests where the key is absent, such as CLI and API calls made with long-term access keys; it is broader than the console-only requirement, not a way of allowing anything.

How to eliminate wrong answers

Option A is wrong because it uses 'unless' syntax, which is not valid in IAM policy language; IAM uses condition operators like 'Bool', 'StringEquals', etc., not 'unless'. Option C is not the answer key's choice for this console-only scenario: with `BoolIfExists`, a Deny also matches when the key is missing from the request context, which happens for CLI and API calls authenticated with long-term access keys. That makes it the form AWS recommends when MFA must be enforced on all access, but it reaches beyond what the question asks. Option D is wrong because an Allow statement alone cannot enforce denial; it would only grant access when MFA is present but would not block access when MFA is absent if other policies allow it, and it fails to explicitly deny non-MFA access.
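
Worked example, added here and not part of the original question bank: a small Python model of the IAM evaluation rules that items 1202, 1216 and 1224 above turn on. The bucket name, key ARN and request contexts are invented for illustration. The missing-key rules in `condition_matches` follow the documented behaviour of the Null, ...IfExists and negated operators; the rest of IAM (principals, NotAction, policy types, the other operators) is deliberately left out.

```python
from fnmatch import fnmatchcase

# Hypothetical bucket and key identifiers used only for illustration.
BUCKET_OBJECTS = "arn:aws:s3:::my-bucket/*"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/xyz"


def _match(op, want, have):
    """Positive comparison of one request-context value against a policy value."""
    if op.startswith("String"):
        return fnmatchcase(have, want) if "Like" in op else have == want
    if op.startswith("Bool"):
        return str(have).lower() == str(want).lower()
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context (a dict).

    Missing-key behaviour modelled here (String*, Bool* and Null only):
      Null "true"      -> matches when the key is absent
      ...IfExists      -> a missing key satisfies the check
      negated (*Not*)  -> a missing key satisfies the check, so a Deny with
                          StringNotEquals on the KMS key id also blocks uploads
                          that send no SSE-KMS key at all
      positive         -> a missing key fails the check; Bool "false" does not
                          match a request that carries no MFA key
    """
    for op, pairs in condition.items():
        for key, want in pairs.items():
            present = key in context
            if op == "Null":
                if present == (str(want).lower() == "true"):
                    return False
                continue
            if not present:
                if op.endswith("IfExists") or "Not" in op:
                    continue
                return False
            base = op.removesuffix("IfExists")
            negated = "Not" in base
            wants = want if isinstance(want, list) else [want]
            hit = any(_match(base.replace("Not", ""), w, context[key]) for w in wants)
            if hit == negated:  # a positive op needs a hit, a negated op needs none
                return False
    return True


def evaluate(policies, action, resource, context):
    """IAM decision for one request: an explicit Deny wins, then any matching
    Allow, otherwise the implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt.get("Resource", "*")
            resources = resources if isinstance(resources, list) else [resources]
            if not any(fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatchcase(resource, r) for r in resources):
                continue
            if not condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def deny_put_unless(condition):
    """Bucket-policy statement shape used by items 1202 and 1216."""
    return {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject",
                           "Resource": BUCKET_OBJECTS, "Condition": condition}]}


ALLOW_PUT = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                            "Resource": BUCKET_OBJECTS}]}
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# 1202: only the approved KMS key may be used (the value is the full key ARN).
REQUIRE_KEY = deny_put_unless(
    {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}})
# 1216: the upload must request SSE-S3 (AES256).
REQUIRE_AES256 = deny_put_unless(
    {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}})
# 1224: the two Deny shapes from options B and C.
MFA_BOOL = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
MFA_BOOL_IF_EXISTS = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def put_decision(bucket_policy, request_headers):
    """PutObject decision given the x-amz-server-side-encryption* headers the
    client sent (S3 maps them to the s3:x-amz-... condition keys)."""
    return evaluate([ALLOW_PUT, bucket_policy], "s3:PutObject",
                    "arn:aws:s3:::my-bucket/report.csv", request_headers)


def mfa_decision(mfa_policy, session_context):
    """Decision for any call when an Allow-all identity policy is combined
    with one of the MFA Deny statements."""
    return evaluate([ALLOW_ALL, mfa_policy], "ec2:DescribeInstances", "*",
                    session_context)
```

The cases worth running: an upload naming the approved key is allowed and one naming another key or no key is denied (1202); an upload without the AES256 header is denied despite the Allow (1216); a session context with the MFA key set to false is denied by both MFA statements, while a context with no MFA key at all is denied only by the BoolIfExists form (1224). For real policies, check the same cases with the IAM policy simulator rather than a model.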

1225
MCQmedium

A company uses AWS Secrets Manager to rotate database credentials. The rotation process uses a Lambda function that updates the secret. The developer notices that the rotation sometimes fails because the Lambda function does not have permission to update the secret. What is the MOST likely cause?

A.The secret has a resource-based policy that denies the Lambda function.
B.The Lambda function's execution role does not have the necessary IAM permissions to update the secret.
C.The KMS key used to encrypt the secret is not accessible by the Lambda function.
D.The Lambda function is not in the same VPC as the Secrets Manager endpoint.
AnswerB

The execution role must allow secretsmanager:PutSecretValue.

Why this answer

Option B is correct because the Lambda function's execution role needs permissions to update the secret. Option A is wrong because the secret itself does not have a resource policy blocking access. Option C is wrong because KMS key permissions are for encryption, not for updating the secret.

Option D is wrong because rotation does not require VPC endpoints.

1226
MCQmedium

A company is using Amazon API Gateway to expose a REST API. The API is integrated with an AWS Lambda function. Lately, the API is returning 502 Bad Gateway errors. What is the MOST likely cause?

A.The API Gateway request throttling limit has been exceeded.
B.The API Gateway API key is invalid.
C.The Lambda function is returning an unhandled exception.
D.The Lambda function's execution role does not allow API Gateway to invoke it.
AnswerC

API Gateway expects a specific response format; any error from Lambda results in a 502.

Why this answer

Option C is correct because 502 errors in API Gateway with Lambda integration typically indicate that the Lambda function returned an error. Option A is wrong because throttling would cause 429 Too Many Requests. Option B is wrong because API keys are used for client authentication, not for backend integration.

Option D is wrong because IAM permission problems would cause 403 Forbidden.

1227
Multi-Selecthard

A CodeDeploy blue/green ECS deployment uses an ALB. Which two resources are required?

Select 2 answers
A.Two target groups for original and replacement task sets
B.A single target group shared by both task sets only
C.An S3 static website endpoint
D.Listener configuration that allows traffic shifting/testing
AnswersA, D

Correct for the stated requirement.

Why this answer

Option A is correct because a blue/green deployment in CodeDeploy for ECS requires two distinct target groups: one for the original (blue) task set and one for the replacement (green) task set. The ALB routes traffic to the appropriate target group based on the listener rules, allowing CodeDeploy to shift traffic gradually from the blue to the green task set during deployment.

Exam trap

The trap here is that candidates often assume a single target group is sufficient because they think the ALB can differentiate between task sets internally, but in reality, each task set must have its own target group to enable independent traffic routing and rollback.

1228
MCQhard

A developer is using SQS to decouple microservices. The producer sends messages, but the consumer (an EC2 instance) does not process them. The CloudWatch metric 'ApproximateNumberOfMessagesVisible' is increasing. The consumer's IAM role has 'sqs:ReceiveMessage' and 'sqs:DeleteMessage' permissions. What is the most likely cause?

A.A dead-letter queue is configured and messages are being moved there.
B.The consumer does not have permission to call 'sqs:ReceiveMessage'.
C.The consumer is not using long polling, so calls to ReceiveMessage return empty frequently.
D.The queue is encrypted with SSE, and the consumer does not have permission to use the KMS key.
AnswerC

Short polling may return empty responses even when messages are available.

Why this answer

The consumer must also have 'sqs:ChangeMessageVisibility' to extend the visibility timeout if needed. Other things to rule out: the consumer may not be calling ReceiveMessage with the correct queue URL, there may be a network issue, or the consumer may be polling the wrong queue. The most common cause of processing trouble is a visibility timeout that is too short, so messages are not deleted before becoming visible again, but that would make the metric fluctuate rather than climb steadily.

Option C is correct: the consumer is not using long polling, which can lead to empty responses and the impression that there are no messages. Option A is wrong because a DLQ would receive messages only after the maximum receive count, and the messages here are still visible. Option B is wrong because the permissions include ReceiveMessage.

Option D is wrong because the queue is not encrypted by default.

1229
MCQmedium

A developer is working on an application that uses Amazon SQS as a message queue. The application polls the queue using long polling with a wait time of 20 seconds. Recently, the team noticed that messages are being processed multiple times. The application is idempotent, but duplicate processing is causing unnecessary costs. What should the developer do to reduce duplicate message processing?

A.Use a DynamoDB table to track processed message IDs and ignore duplicates.
B.Switch to a FIFO queue to enable exactly-once processing.
C.Increase the visibility timeout to a value greater than the maximum processing time.
AnswerA

This ensures idempotency even if messages are delivered multiple times, effectively reducing the impact of duplicates.

Why this answer

Option A is correct. If the consumer fails to delete the message within the visibility timeout, the message becomes visible again, causing duplicates, and SQS standard queues already provide at-least-once delivery; deduplication is not natively supported for standard queues.

Option C is wrong because increasing the visibility timeout helps but does not eliminate duplicates entirely. Option B is wrong because FIFO queues provide exactly-once processing but may not be suitable if the application requires higher throughput or does not need ordering.

1230
MCQhard

A developer is creating an AWS Lambda function that processes events from an Amazon S3 bucket. The function writes logs to Amazon CloudWatch Logs. The developer wants to ensure that the Lambda function has the minimum required permissions. Which IAM policy should be attached to the Lambda execution role?

A.A policy that includes 'logs:CreateLogStream', 'logs:PutLogEvents', and 's3:*' on the bucket.
B.A policy that includes 'logs:*' and 's3:*' on the bucket.
C.A policy that includes 'logs:PutLogEvents' and 's3:ListBucket' on the bucket.
D.A policy that includes 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents', and 's3:GetObject' on the specific bucket.
AnswerD

This provides the minimum permissions required for the function to work.

Why this answer

The correct answer is D. The policy grants permissions to write logs to CloudWatch Logs and to get objects from the specific S3 bucket. Option A is wrong because it uses 's3:*', which is too permissive.

Option B is wrong because it uses a wildcard for S3 actions, which grants more permissions than needed. Option C is wrong because it grants unnecessary S3 list permissions.

1231
Multi-Selecteasy

A developer is using AWS CodeBuild to run unit tests as part of a CI/CD pipeline. The developer wants to store the test results for later analysis. Which TWO AWS services can the developer use to store and view the test reports?

Select 2 answers
A.AWS CodeBuild test reports
B.AWS X-Ray
C.Amazon Athena
D.Amazon S3
E.Amazon CloudWatch Logs
AnswersA, D

Native test report feature.

Why this answer

Option A is correct because CodeBuild can publish test reports to the CodeBuild console. Option D is correct because CodeBuild can also upload raw test results to S3. Option B is wrong because X-Ray is for tracing.

Option C is wrong because Athena is for querying data in S3, not storing reports. Option E is wrong because CloudWatch Logs is for logs, not structured reports.

1232
MCQhard

A company uses IAM roles to grant permissions to EC2 instances. The security team notices that an instance is using a role that has administrator privileges, which is a security risk. What is the BEST way to restrict the instance's permissions without disrupting the application?

A.Remove the existing role from the instance and let the application fail.
B.Create a new IAM role with only required permissions, attach it to the instance profile, and update the instance to use the new profile.
C.Modify the trust policy of the existing role to deny access to the instance.
D.Attach a permissions boundary to the existing role that limits the maximum permissions.
AnswerB

This isolates the change to the specific instance and allows the application to continue.

Why this answer

Option B is correct because creating a new role with only the necessary permissions and updating the instance profile allows the application to continue with minimal disruption. Option A would cause downtime. Option C affects all instances using that role.

Option D is not sufficient because the application might still use the previous role until restarted.

1233
MCQmedium

A developer is using AWS Lambda to process records from an Amazon Kinesis Data Stream. The Lambda function is invoked with a batch of records. The function processes each record and then returns a response. The developer notices that some records are being processed multiple times. The function's execution time is within the Lambda timeout. The Kinesis stream has 10 shards. The developer wants to ensure that each record is processed exactly once. What should the developer do?

A.Reduce the number of shards to minimize the chance of duplicates.
B.Modify the Lambda function to use the sequence number of each record to deduplicate processing.
C.Configure the Lambda function's error handling to retry only failed records.
D.Increase the batch size to process more records per invocation.
AnswerB

The sequence number is unique per shard; storing the last processed sequence number in external storage (e.g., DynamoDB) allows the function to skip already processed records.

Why this answer

Option B is correct because the Lambda function should use the sequence number to track processed records and avoid reprocessing. Option A is wrong because reducing shards lowers concurrency, which can help but does not guarantee exactly-once processing. Option C is wrong because error handling does not address duplicate processing.

Option D is wrong because increasing the batch size does not prevent duplicates.
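As an added example (not from the question bank or any AWS sample code), here are the two deduplication approaches from questions 1229 and 1233 in Python: an SQS consumer that claims each MessageId in a ledger of processed IDs before doing the work, and a Kinesis consumer that keeps a per-shard high-water mark of the last processed sequence number. `ConditionalStore` is an assumed in-memory stand-in for a DynamoDB table with a conditional PutItem (`attribute_not_exists`), so the block runs offline; the messages, records and sequence numbers are constructed.

```python
"""Idempotent consumers backed by a ledger of processed IDs.

Added example. ConditionalStore is an assumed in-memory stand-in for a
DynamoDB table so that this runs offline; in production, put_if_absent would
be PutItem with ConditionExpression="attribute_not_exists(pk)".
"""
from dataclasses import dataclass, field


class ConditionalStore:
    """Key-value store with a conditional write, mirroring DynamoDB semantics."""

    def __init__(self):
        self._items = {}

    def put_if_absent(self, key, value):
        # DynamoDB raises ConditionalCheckFailedException here; we return False.
        if key in self._items:
            return False
        self._items[key] = value
        return True

    def get(self, key, default=None):
        return self._items.get(key, default)

    def put(self, key, value):
        self._items[key] = value


@dataclass
class SqsConsumer:
    """Standard-queue consumer (question 1229): claim the MessageId first.

    A redelivery (visibility timeout expired before DeleteMessage) reuses the
    same MessageId, so the conditional write fails and the work is skipped.
    """
    ledger: ConditionalStore
    handled: list = field(default_factory=list)

    def process(self, message):
        if not self.ledger.put_if_absent(message["MessageId"], "processed"):
            return "duplicate"
        self.handled.append(message["Body"])  # the real work goes here
        return "processed"


@dataclass
class KinesisConsumer:
    """Kinesis consumer (question 1233): per-shard high-water mark.

    Sequence numbers increase within a shard, so any record whose sequence
    number is at or below the stored checkpoint was already processed by an
    earlier (possibly retried) invocation.
    """
    checkpoints: ConditionalStore
    handled: list = field(default_factory=list)

    def process_batch(self, shard_id, records):
        processed = 0
        last = int(self.checkpoints.get(shard_id, "-1"))
        for rec in records:
            seq = int(rec["SequenceNumber"])  # Kinesis delivers these as strings
            if seq <= last:
                continue
            self.handled.append(rec["Data"])
            last = seq
            # Checkpoint after each record so a crash mid-batch replays as little as possible.
            self.checkpoints.put(shard_id, str(last))
            processed += 1
        return processed


def run_demo():
    """Constructed input: an SQS redelivery and a retried Kinesis batch."""
    sqs = SqsConsumer(ConditionalStore())
    messages = [
        {"MessageId": "m-1", "Body": "order-1"},
        {"MessageId": "m-2", "Body": "order-2"},
        {"MessageId": "m-1", "Body": "order-1"},  # redelivered copy of m-1
    ]
    sqs_results = [sqs.process(m) for m in messages]

    kinesis = KinesisConsumer(ConditionalStore())
    batch = [
        {"SequenceNumber": "100", "Data": "a"},
        {"SequenceNumber": "101", "Data": "b"},
        {"SequenceNumber": "102", "Data": "c"},
    ]
    first = kinesis.process_batch("shardId-000000000000", batch)
    retry = kinesis.process_batch("shardId-000000000000", batch)  # Lambda retry of the same batch
    return sqs_results, sqs.handled, first, retry, kinesis.handled


if __name__ == "__main__":
    print(run_demo())
```

The conditional write is what makes the SQS ledger safe under concurrency: two consumers receiving the same redelivered message race on the same key, and only one write succeeds. For Kinesis, the checkpoint must be keyed by shard, because sequence numbers are only ordered within a shard.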

1234
MCQmedium

A developer notices that an AWS Lambda function, configured to access an Amazon RDS database in the same VPC, is timing out. The function has a 30-second timeout. CloudWatch Logs show that the function starts execution but never reaches the database. The VPC configuration includes private subnets without a NAT gateway. The RDS database is in the same VPC. What is the most likely cause of the timeout?

A.The Lambda function does not have internet access because it is in a VPC without a public IP.
B.The security group of the RDS database does not allow inbound traffic from the Lambda function's security group.
C.The Amazon RDS database is not publicly accessible and the Lambda function cannot resolve the database endpoint.
D.The VPC does not have a VPC endpoint for Amazon RDS, and the Lambda function cannot access the database through the NAT gateway.
AnswerB

This is the most common cause: the RDS security group must allow inbound connections from the Lambda's security group on the database port.

Why this answer

Option B is correct because the Lambda function is timing out when trying to connect to the RDS database, which is in the same VPC. The most likely cause is that the RDS database's security group does not have an inbound rule allowing traffic from the Lambda function's security group on the database port (e.g., 3306 for MySQL, 5432 for PostgreSQL). Without this rule, the TCP connection attempt is silently dropped or rejected, causing the Lambda function to wait until its 30-second timeout expires.

Exam trap

The trap here is that candidates often assume the Lambda function needs internet access or a NAT gateway to communicate with an RDS database in the same VPC, overlooking the fact that security group rules are the primary control for inbound traffic within a VPC.

How to eliminate wrong answers

Option A is wrong because the Lambda function does not need internet access to reach an RDS database in the same VPC; private subnet communication within a VPC does not require a public IP or NAT gateway. Option C is wrong because the RDS database being publicly accessible is irrelevant when both resources are in the same VPC; DNS resolution of the database endpoint works via the VPC's internal DNS, and the Lambda function can resolve it without public access. Option D is wrong because a VPC endpoint for Amazon RDS is used for accessing RDS API operations (e.g., CreateDBInstance), not for database client connections (e.g., MySQL/PostgreSQL protocol), and the scenario explicitly states there is no NAT gateway, but the Lambda function does not need one to communicate within the VPC.

1235
MCQhard

A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). During rolling updates of the Auto Scaling group, users intermittently receive HTTP 502 (Bad Gateway) errors. The developer checks the ALB access logs and notices that requests are being routed to instances that are in the 'Draining' state. The ALB has connection draining enabled with a timeout of 30 seconds. The Auto Scaling group terminates instances after they are taken out of service. What is the most likely cause of the 502 errors?

A.The connection draining timeout is too short, causing the ALB to terminate connections before in-flight requests finish.
B.The health check interval is set too long, causing the ALB to consider unhealthy instances as healthy.
C.Cross-zone load balancing is disabled, so the ALB is routing requests to instances that are already draining.
D.The Auto Scaling group's minimum size is too small, causing the ALB to have no healthy targets.
AnswerA

When connection draining is enabled, the ALB waits for the draining timeout before deregistering the instance. If the timeout is too short, requests still in progress are terminated, resulting in 502 errors.

Why this answer

The 502 errors occur because the ALB's connection draining timeout of 30 seconds is too short to allow all in-flight requests to complete before the Auto Scaling group terminates the instances. When an instance enters the 'Draining' state, the ALB stops sending new requests but waits up to the draining timeout for existing connections to finish. If the timeout expires before requests complete, the ALB forcibly closes connections, resulting in HTTP 502 (Bad Gateway) errors for clients whose requests were still in progress.

Exam trap

The trap here is that candidates often confuse connection draining timeout with health check interval, assuming that a long health check interval causes the ALB to route to unhealthy instances, when in fact the 502 errors are caused by the ALB forcibly terminating connections before in-flight requests complete due to an insufficient draining timeout.

How to eliminate wrong answers

Option B is wrong because a long health check interval would cause the ALB to consider unhealthy instances as healthy for longer, but the issue here is that requests are being routed to instances already in the 'Draining' state, not that unhealthy instances are mistakenly considered healthy. Option C is wrong because cross-zone load balancing affects how traffic is distributed across Availability Zones, not the routing of requests to draining instances; the ALB routes to draining instances only when connection draining is active, regardless of cross-zone settings. Option D is wrong because a small minimum size would cause a lack of healthy targets, leading to 503 errors, not 502 errors; the 502 errors here are specifically tied to connection termination during draining, not insufficient capacity.

1236
Multi-Selectmedium

A Kinesis consumer Lambda shows increasing IteratorAge. Which two changes may improve throughput when processing is CPU-bound?

Select 2 answers
A.Reduce the number of stream shards
B.Increase Lambda memory to provide more CPU
C.Disable checkpointing
D.Increase stream shard count to allow more parallel batches
AnswersB, D

Correct for the stated requirement.

Why this answer

Increasing Lambda memory proportionally increases CPU allocation, which directly improves throughput for CPU-bound processing by reducing per-record processing time. This lowers the IteratorAge as the consumer can process records faster than they arrive.

Exam trap

The trap here is that candidates often think reducing shards reduces load, but it actually reduces parallelism and worsens IteratorAge, while disabling checkpointing is mistakenly seen as a performance shortcut but only compromises reliability.

1237
Multi-Selecteasy

A developer is using Amazon RDS for MySQL and notices that the database performance has degraded. The developer suspects that slow queries are the cause. Which THREE actions should the developer take to identify and address the slow queries?

Select 3 answers
A.Enable the slow query log in RDS and review the logs.
B.Increase the DB instance size to improve performance.
C.Enable Performance Insights to analyze database performance.
D.Use the RDS console to review metrics for high CPU or IOPS usage.
E.Create a read replica to offload read traffic.
AnswersA, C, D

Slow query log records queries that take a long time to execute.

Why this answer

Options A, C, and D are correct. Option A: enabling the slow query log captures queries that exceed a threshold. Option C: Performance Insights provides a dashboard to identify database load and wait events.

Option D: reviewing the metrics for high CPU or IOPS usage helps pinpoint problematic SQL. Option B is wrong because increasing instance size is a reactive scaling action, not a diagnostic step. Option E is wrong because read replicas help with read scaling, not diagnosing slow queries.

1238
MCQhard

A developer notices that the Lambda function 'my-function' is not generating any logs in CloudWatch, although the function is invoked successfully. The developer runs the command above. What is the MOST likely cause?

A.The log group retention policy is set to 0 days.
B.The Lambda function is configured to log to a custom log group.
C.The Lambda function has reserved concurrency set to 0.
D.The Lambda function's execution role is missing the 'logs:CreateLogStream' and 'logs:PutLogEvents' permissions.
AnswerD

Without these permissions, the function cannot write logs.

Why this answer

The log group exists but has 0 stored bytes, meaning no log streams have been created. This typically indicates that the Lambda function's execution role does not have permissions to create log streams and put log events. The function runs but fails silently to write logs.

1239
MCQeasy

A developer is deploying a new version of a Lambda function using the AWS CLI. Which command should the developer use to update the function code?

A.aws lambda update-function-code
B.aws lambda update-function-configuration
C.aws lambda invoke
D.aws lambda create-function
AnswerA

This updates the function code.

Why this answer

The correct answer is A. The update-function-code command updates the code of a Lambda function. Option B (update-function-configuration) updates configuration settings only.

Option C (invoke) is for invoking the function. Option D (create-function) is for creating a new function, not updating one.

1240
Multi-Selecthard

A developer is designing a serverless application that uses Amazon DynamoDB as the data store. The application must handle sudden spikes in read traffic without throttling. Which THREE actions should the developer take?

Select 3 answers
A.Configure DynamoDB auto scaling for the table
B.Implement exponential backoff and retry in the application code
C.Use a global secondary index with a different partition key
D.Use strongly consistent reads for all queries
E.Enable DynamoDB Accelerator (DAX) for caching
AnswersA, B, E

Auto scaling adjusts capacity based on traffic.

Why this answer

DAX provides caching for reads, DynamoDB auto scaling adjusts capacity, and exponential backoff handles throttling gracefully. Options A, B, and E are correct.

1241
MCQmedium

A developer is deploying a Lambda function using CloudFormation. The function code is stored in an S3 bucket. The developer wants to automatically update the function when the S3 object is updated. Which approach should be used?

A.Set the 'DeletionPolicy' attribute to 'Retain' on the Lambda function resource.
B.Use the 'S3ObjectVersion' property in the Lambda function's 'Code' property to reference the specific version of the S3 object.
C.Use an S3 event notification to invoke a Lambda function that updates the CloudFormation stack.
D.Set a 'DependsOn' attribute on the Lambda function to the S3 bucket.
AnswerB

CloudFormation will update the function when the S3 object version changes.

Why this answer

Option B is correct because setting the 'S3ObjectVersion' property in the CloudFormation template triggers a stack update when the object version changes. Option A is wrong because 'DeletionPolicy' controls what happens on stack deletion, not updates. Option C is wrong because CloudFormation does not automatically detect S3 updates.

Option D is wrong because 'DependsOn' only sets dependencies, not triggers.

1242
MCQeasy

A development team uses AWS Elastic Beanstalk to deploy a containerized application. They notice that after a successful deployment, the environment's health turns from Green to Red. The application logs show no errors. What is the most likely cause?

A.The ELB health check endpoint returns a 503 status code after the new version is deployed.
B.The deployment failed due to a missing environment variable.
C.The application's Docker image is not compatible with the platform version.
D.The Auto Scaling group's minimum instance count is too low.
AnswerA

Correct because Elastic Beanstalk health is based on ELB health checks.

Why this answer

Option A is correct because Elastic Beanstalk uses an ELB health check to determine environment health. If the health check path returns a non-200 status, the environment turns red. Option B is wrong because a missing environment variable would cause deployment failure, not post-deployment health issues.

Option C is wrong because an incompatible image would affect deployment, not health. Option D is wrong because a low minimum instance count would cause scaling issues, not an immediate health change.

1243
MCQhard

A company wants to encrypt data at rest in an Amazon RDS for PostgreSQL database. The database is already running, and the company wants to enable encryption without significant downtime. Which approach should be taken?

A.Take a snapshot of the database and enable encryption on the snapshot.
B.Take a snapshot, copy the snapshot with encryption, and restore a new encrypted instance from the encrypted snapshot.
C.Modify the RDS instance and enable encryption in the configuration.
D.Create a read replica with encryption and promote it.
AnswerB

This is the standard process to enable encryption on an existing RDS instance.

Why this answer

Option B is correct because you cannot encrypt an existing unencrypted RDS instance; you must create a snapshot, copy it with encryption, and restore a new encrypted instance. Option A is wrong because you cannot encrypt an existing snapshot; you must copy it with encryption. Option C is wrong because you cannot modify the instance to enable encryption directly.

Option D is wrong because you cannot attach a KMS key to an existing instance.

1244
Multi-Selecthard

A company is deploying a containerized application on Amazon ECS using AWS Fargate. The application needs to handle variable traffic. The developer wants to set up automatic scaling based on CPU utilization. Which THREE steps are required to achieve this? (Choose three.)

Select 3 answers
A.Update the ECS service to set the desired count to a static value.
B.Create a CloudWatch alarm for CPUUtilization metric.
C.Define a task definition with CPU and memory limits.
D.Register the ECS service as a scalable target with Application Auto Scaling.
E.Create a scaling policy that specifies the target CPU utilization.
AnswersB, D, E

The alarm triggers the scaling policy.

Why this answer

Option B is correct because a CloudWatch alarm for the CPUUtilization metric is required to trigger the scaling action. This alarm monitors the average CPU utilization of the ECS service and, when breached, invokes the Application Auto Scaling policy to adjust the desired count. Without this alarm, the scaling policy has no trigger to act upon.

Exam trap

The trap here is that candidates often confuse the prerequisite task definition (which is always needed for any ECS service) with a scaling-specific step, or they mistakenly think setting a static desired count is part of scaling configuration, when in fact it must be dynamic and managed by the scaling policy.

1245
MCQhard

A developer wants exactly-once processing semantics for commands submitted to a queue where duplicate command IDs must be rejected within five minutes. Which SQS feature is most directly relevant?

A.Standard queue delay seconds
B.Dead-letter queue redrive policy
C.FIFO queue deduplication ID
D.Visibility timeout extension
AnswerC

Correct for the stated requirement.

Why this answer

FIFO queues support exactly-once processing by using a deduplication ID. When a message with a given deduplication ID is sent, SQS automatically rejects any duplicate within a 5-minute deduplication interval. This directly meets the requirement to reject duplicate command IDs within five minutes.

Exam trap

The trap here is that candidates confuse visibility timeout (which controls reprocessing) with deduplication (which prevents duplicate submissions), leading them to select option D instead of the correct FIFO deduplication ID feature.

How to eliminate wrong answers

Option A is wrong because standard queue delay seconds only postpone message delivery, they do not provide deduplication or exactly-once semantics. Option B is wrong because a dead-letter queue redrive policy moves messages after repeated processing failures, it does not prevent duplicate submissions. Option D is wrong because visibility timeout extension only prevents other consumers from processing a message while it is being handled, it does not reject duplicates.
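As an added example (not from the question bank and not SQS's own implementation), the following Python models the FIFO deduplication window described above: the first send with a given deduplication ID is accepted, any further send with the same ID inside the 5-minute interval is rejected, and a send after the interval is treated as a new message. The interval constant and the timestamps are constructed so the block runs offline; the content-based path hashes the body the way content-based deduplication does.

```python
"""Model of the SQS FIFO deduplication window (added example, not SQS code)."""
import hashlib

DEDUP_INTERVAL_SECONDS = 300  # SQS FIFO deduplication interval: 5 minutes


class FifoDedupWindow:
    """Accept each deduplication ID once per interval.

    An explicit dedup_id (the command ID in the question) takes precedence;
    without one, a SHA-256 of the body stands in for content-based deduplication.
    """

    def __init__(self, interval=DEDUP_INTERVAL_SECONDS):
        self.interval = interval
        self._accepted_at = {}  # dedup_id -> time the first copy was accepted

    def send(self, body, now, dedup_id=None):
        """Return True if the message is enqueued, False if it is a duplicate."""
        if dedup_id is None:
            dedup_id = hashlib.sha256(body.encode("utf-8")).hexdigest()
        self._expire(now)
        if dedup_id in self._accepted_at:
            # SQS acknowledges the duplicate send but does not enqueue a second copy.
            return False
        self._accepted_at[dedup_id] = now
        return True

    def _expire(self, now):
        # A duplicate does not extend the window: only the first accepted time counts.
        self._accepted_at = {
            k: t for k, t in self._accepted_at.items() if now - t < self.interval
        }


def run_demo():
    """Constructed timeline of sends (seconds) against one FIFO queue."""
    q = FifoDedupWindow()
    return [
        q.send("create order", now=0, dedup_id="cmd-42"),    # True: first copy
        q.send("same body", now=10),                         # True: content-based ID
        q.send("same body", now=20),                         # False: identical body
        q.send("create order", now=120, dedup_id="cmd-42"),  # False: retry inside window
        q.send("cancel order", now=150, dedup_id="cmd-43"),  # True: different command ID
        q.send("create order", now=299, dedup_id="cmd-42"),  # False: still inside window
        q.send("create order", now=301, dedup_id="cmd-42"),  # True: window elapsed
    ]


if __name__ == "__main__":
    print(run_demo())
```

In the real SendMessage call the command ID goes in the MessageDeduplicationId parameter, alongside the MessageGroupId that FIFO queues require. Note the last line of the demo: the window is a fixed 5 minutes, so a client that retries a command later than that will get it enqueued again, which is why the question ties the requirement to "within five minutes".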

1246
MCQmedium

A company is deploying a microservices architecture on Amazon ECS. Each service needs to store secrets such as database passwords. Which service should be used to securely inject these secrets into containers?

A.AWS Secrets Manager
B.Amazon Elastic File System (EFS)
C.Amazon S3
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager integrates with ECS to inject secrets as environment variables.

Why this answer

Option A is correct because AWS Secrets Manager integrates with ECS to inject secrets. Option B is wrong because EFS is a file system. Option C is wrong because S3 is not secure for secrets.

Option D is wrong because SSM Parameter Store can be used, but Secrets Manager is preferred for secrets.

1247
MCQmedium

A company uses AWS KMS to encrypt data at rest. A developer wants to allow a Lambda function to decrypt data using a KMS key. What is the minimum permissions required?

A.kms:Decrypt on all keys.
B.kms:Encrypt and kms:Decrypt on the key.
C.kms:Decrypt on the key in the Lambda execution role.
D.Full access to KMS.
AnswerC

Decrypt is needed, and the key must be specified.

Why this answer

The Lambda function's execution role needs kms:Decrypt permission for the specific key.

1248
MCQmedium

A developer configures an AWS Lambda function to process image files uploaded to an S3 bucket. The bucket receives a mix of .jpg, .png, and .pdf files. To reduce costs, the developer wants the Lambda function to be invoked only for image files (.jpg and .png). How should the developer configure the S3 event notification?

A.Configure the S3 event notification to invoke the Lambda function for all object create events, and add logic in the Lambda function to exit early if the object is not an image.
B.Add a suffix filter to the S3 event notification that includes .jpg and .png.
C.Set the S3 bucket policy to deny PutObject requests that do not have a .jpg or .png suffix.
D.Create two separate S3 buckets: one for images and one for other files, and configure the event notification only on the image bucket.
AnswerB

S3 event notifications support filters based on object key patterns. Using a suffix filter restricts the notification to only objects ending with .jpg or .png, preventing Lambda invocations for other file types.

Why this answer

Option B is correct because S3 event notifications support suffix filters that allow you to specify which object key suffixes (e.g., .jpg and .png) trigger the event. By adding a suffix filter for .jpg and .png, only image file uploads invoke the Lambda function, directly reducing unnecessary invocations and costs without requiring any code changes in the function.

Exam trap

The trap here is that candidates may think suffix filters can accept multiple extensions in a single filter value (e.g., '.jpg,.png'), but S3 requires separate notification configurations for each suffix, and they might incorrectly choose Option A as a simpler 'code-based' solution without realizing it fails the cost-reduction requirement.

How to eliminate wrong answers

Option A is wrong because it still invokes the Lambda function for every object create event, including non-image files, which defeats the cost-reduction goal and wastes Lambda invocations and execution time. Option C is wrong because S3 bucket policies cannot filter based on object key suffixes for PutObject requests; they operate on principals, actions, and conditions like s3:object-lock-mode, not on file extensions, and denying non-image uploads would block valid .pdf uploads entirely, which is not the requirement. Option D is wrong because it introduces unnecessary operational complexity by requiring two buckets, and it does not leverage the built-in filtering capability of S3 event notifications, which is the simplest and most cost-effective solution.
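As an added example (not from the question bank), the Python below builds the two-rule notification configuration the exam trap calls for, one suffix per rule, next to the single comma-separated rule that does not work, and re-implements the prefix/suffix matching S3 applies to object keys so the difference can be checked offline. The configuration dicts have the shape boto3's put_bucket_notification_configuration accepts; the Lambda ARN and rule Ids are placeholders, and the object keys are constructed.

```python
"""S3 event-notification key filters: one rule per suffix (added example)."""

LAMBDA_ARN = "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER"  # placeholder


def _lambda_rule(rule_id, suffix):
    return {
        "Id": rule_id,
        "LambdaFunctionArn": LAMBDA_ARN,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "suffix", "Value": suffix}]}},
    }


# Correct: a separate rule per extension. A rule may carry at most one prefix
# and one suffix filter, so two suffixes need two rules.
IMAGE_CONFIG = {
    "LambdaFunctionConfigurations": [
        _lambda_rule("images-jpg", ".jpg"),
        _lambda_rule("images-png", ".png"),
    ]
}

# The trap: one rule with a comma-separated value. S3 treats ".jpg,.png" as a
# literal suffix, so no ordinary key ever matches it.
BROKEN_CONFIG = {"LambdaFunctionConfigurations": [_lambda_rule("images", ".jpg,.png")]}


def _event_matches(pattern, event):
    # "s3:ObjectCreated:*" covers Put, Post, Copy and CompleteMultipartUpload.
    if pattern.endswith(":*"):
        return event.startswith(pattern[:-1])
    return pattern == event


def _key_matches(rule, key):
    # Prefix and suffix filters are plain, case-sensitive string comparisons.
    for fr in rule.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        name, value = fr["Name"].lower(), fr["Value"]
        if name == "prefix" and not key.startswith(value):
            return False
        if name == "suffix" and not key.endswith(value):
            return False
    return True


def matching_rules(config, key, event="s3:ObjectCreated:Put"):
    """Ids of the Lambda notification rules that would fire for this key."""
    return [
        rule["Id"]
        for rule in config.get("LambdaFunctionConfigurations", [])
        if any(_event_matches(p, event) for p in rule["Events"]) and _key_matches(rule, key)
    ]


def run_demo():
    keys = ["photos/cat.jpg", "photos/dog.png", "docs/report.pdf", "photos/CAT.JPG"]
    return {
        "two_rules": {k: matching_rules(IMAGE_CONFIG, k) for k in keys},
        "single_rule": {k: matching_rules(BROKEN_CONFIG, k) for k in keys},
    }


if __name__ == "__main__":
    for name, results in run_demo().items():
        print(name, results)
```

The "photos/CAT.JPG" key in the demo is the caveat worth remembering: the filters are exact string matches, so uploads with upper-case extensions need their own rules (or a normalised key at upload time) if they are meant to trigger the function.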

1249
MCQmedium

A developer is building a REST API using Amazon API Gateway that will serve static content from an Amazon S3 bucket. The API should cache responses for frequently accessed objects to reduce latency. Which API Gateway feature should the developer enable?

A.API Gateway caching with TTL set per method.
B.Amazon CloudFront as a custom domain.
C.Lambda@Edge for caching.
D.S3 Transfer Acceleration.
AnswerA

This is the correct feature to cache backend responses and reduce latency.

Why this answer

API Gateway caching allows you to cache responses from your backend (e.g., an S3 bucket) for a specified Time-to-Live (TTL) per method, reducing the number of calls to the backend and lowering latency for frequently accessed objects. This feature is natively integrated with API Gateway and requires no additional services or complex configurations, making it the most direct solution for caching static content served through a REST API.

Exam trap

The trap here is that candidates often confuse API Gateway caching with CloudFront, assuming that a CDN is required for caching, when in fact API Gateway has its own built-in caching feature that is simpler to enable for REST APIs serving static content.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront as a custom domain is a content delivery network (CDN) that can cache content at edge locations, but it is not an API Gateway feature; it is a separate service that would be placed in front of API Gateway, not enabled within API Gateway itself. Option C is wrong because Lambda@Edge is used for customizing CloudFront behavior (e.g., modifying requests/responses) and is not a caching mechanism; it runs code at edge locations but does not provide built-in response caching like API Gateway caching. Option D is wrong because S3 Transfer Acceleration is designed to speed up uploads to S3 over long distances using AWS edge locations, but it does not cache responses or reduce latency for GET requests served through API Gateway.

1250
MCQeasy

A developer runs a script that uses the AWS CLI to copy a large number of files from an on-premises server to an S3 bucket. The copy operation fails partway through with a 'RequestTimeout' error. What is the MOST efficient way to resume the copy and ensure all files are transferred?

A.Delete the S3 bucket and restart the copy operation.
B.Use the aws s3 sync command to synchronize the source directory with the S3 bucket.
C.Use the cp command with the --recursive flag to copy the remaining files.
D.Increase the --cli-read-timeout value in the AWS CLI configuration and retry the original command.
AnswerB

Sync only uploads files that are new or changed.

Why this answer

The `aws s3 sync` command is the most efficient way to resume the copy because it compares each local file with the object at the same key and uploads only when the object is missing, its size differs, or the local file's last-modified time is newer than the object's. Files that were already transferred are skipped, so the partial failure is handled without manual bookkeeping or re-uploading everything. One cleanup note: a large file that failed mid-transfer leaves no partial object (a multipart upload only becomes visible when it completes), but the parts already uploaded remain and are billed until the upload is aborted, so a lifecycle rule that aborts incomplete multipart uploads is worth adding to the bucket.

Exam trap

The trap here is that candidates often confuse `cp --recursive` with `sync`, assuming both can resume a copy, but only `sync` performs a differential comparison to avoid re-uploading already transferred files.

How to eliminate wrong answers

Option A is wrong because deleting the S3 bucket and restarting the entire copy operation is extremely inefficient and unnecessary; it would re-upload all files, including those already successfully transferred. Option C is wrong because the `cp --recursive` command does not perform any comparison or state tracking; it would blindly copy all files from the source again, potentially re-uploading already transferred files and wasting time and bandwidth. Option D is wrong because increasing the `--cli-read-timeout` only extends the time the CLI waits for a response from the S3 service; it does not address the root cause of the partial failure (e.g., network interruptions or throttling) and would not resume the copy from where it left off, nor does it skip already transferred files.
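As an added illustration (not part of the original question bank or the AWS CLI source), the following Python models the per-file decision `aws s3 sync` makes for uploads: the documented rule is upload when the key is absent, when the size differs, or when the local file is newer, with `--size-only` dropping the timestamp comparison and `--delete` removing bucket-only keys. The local and remote listings are constructed; nothing here talks to AWS.

```python
"""Model of the decision `aws s3 sync` makes for each local file (added example).

Constructed illustration of the documented upload rule; sample listings are
made up and no AWS API is called.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    size: int    # bytes
    mtime: int   # last-modified time, seconds since the epoch


def plan_sync(local: dict[str, FileInfo], remote: dict[str, FileInfo],
              size_only: bool = False, delete: bool = False) -> dict[str, list[str]]:
    """Return the keys sync would upload and (if delete=True) remove.

    Upload when the key is absent from the bucket, when sizes differ, or when
    the local mtime is newer than the object's LastModified. --size-only skips
    the timestamp comparison; --delete removes keys present only in the bucket.
    """
    upload = []
    for key, lf in sorted(local.items()):
        rf = remote.get(key)
        if rf is None:
            upload.append(key)                        # never reached S3
        elif lf.size != rf.size:
            upload.append(key)                        # size changed
        elif not size_only and lf.mtime > rf.mtime:
            upload.append(key)                        # local copy is newer
    remove = [k for k in sorted(remote) if delete and k not in local]
    return {"upload": upload, "delete": remove}


# Constructed state after an interrupted `aws s3 cp --recursive`:
LOCAL = {
    "logs/2024-01-01.gz": FileInfo(size=1000, mtime=100),  # uploaded, unchanged
    "logs/2024-01-02.gz": FileInfo(size=2000, mtime=100),  # uploaded, unchanged
    "logs/2024-01-03.gz": FileInfo(size=3000, mtime=100),  # copy died before this one
    "logs/2024-01-04.gz": FileInfo(size=4096, mtime=500),  # re-exported locally since
}
REMOTE = {
    "logs/2024-01-01.gz": FileInfo(size=1000, mtime=200),
    "logs/2024-01-02.gz": FileInfo(size=2000, mtime=200),
    "logs/2024-01-04.gz": FileInfo(size=4096, mtime=200),
    "logs/old.gz": FileInfo(size=10, mtime=50),           # exists only in the bucket
}

if __name__ == "__main__":
    print(plan_sync(LOCAL, REMOTE))
    print(plan_sync(LOCAL, REMOTE, size_only=True, delete=True))
```

Running it shows that only the file the interrupted copy never finished and the file re-exported after the first upload are sent; with `--size-only` the timestamp difference is ignored, and `--delete` would also remove `logs/old.gz`, which is why `--delete` deserves a `--dryrun` first.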

1251
MCQeasy

A developer is troubleshooting an S3 bucket policy that is denying all access. The policy has an explicit Deny for s3:PutObject. What is the most likely reason for the denial even though an Allow exists?

A.The bucket policy has an explicit Deny for all actions.
B.The user is not authorized because the bucket is in a different account.
C.IAM evaluates explicit Deny before Allow.
D.The AWS account root user has denied access.
AnswerC

Explicit Deny always overrides Allow.

Why this answer

IAM's evaluation logic is: any applicable explicit Deny wins, then an explicit Allow is required, otherwise the request is implicitly denied. The order in which the statements appear, and whether the Deny lives in the bucket policy, the identity policy, an SCP or a permission boundary, makes no difference: a matching explicit Deny cannot be overridden by any Allow. To fix this, find the Deny statement that matches the request (the IAM policy simulator or IAM Access Analyzer policy checks help) and either narrow its Action, Resource or Condition or remove it; adding another Allow will not help.
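As an added illustration (not AWS's implementation and not part of the original question bank), the following Python models just the Deny/Allow precedence described above. It handles Effect, Action and Resource with IAM-style wildcards; Principal, NotAction, Condition, SCPs and permission boundaries are left out, and every statement is assumed to apply to the calling principal. The two policies and the object ARN are constructed.

```python
"""Added example: a minimal model of IAM's explicit-Deny precedence.

Illustrative only. Supports Effect, Action and Resource with * and ?
wildcards; Principal, NotAction, Condition, SCPs and permission boundaries
are ignored, and all statements are assumed to apply to the caller.
"""
from __future__ import annotations

import fnmatch

OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"   # constructed

IDENTITY_POLICY = {   # attached to the caller's role: broad Allow
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

BUCKET_POLICY = {     # resource policy on the bucket: targeted Deny
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies: list[dict], action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Every matching statement from every policy is collected before deciding,
    so neither policy order nor statement order can change the outcome.
    """
    effects = {stmt["Effect"]
               for policy in policies
               for stmt in policy["Statement"]
               if _matches(stmt, action, resource)}
    if "Deny" in effects:
        return "explicit_deny"    # wins over any number of Allows
    if "Allow" in effects:
        return "allow"
    return "implicit_deny"        # nothing granted it


if __name__ == "__main__":
    both = [IDENTITY_POLICY, BUCKET_POLICY]
    for policies, action in [(both, "s3:PutObject"), (both[::-1], "s3:PutObject"),
                             (both, "s3:GetObject"), (both, "s3:DeleteObject")]:
        print(f"{action}: {evaluate(policies, action, OBJECT_ARN)}")
```

The PutObject request is denied with the policies in either order, GetObject is allowed by the identity policy, and DeleteObject is implicitly denied because nothing grants it; the only way to make PutObject succeed is to change or remove the Deny statement.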

1252
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails, and the rollback is triggered. However, the rollback also fails. What is a likely cause?

A.The rollback deployment uses an AppSpec file that references a lifecycle hook that does not exist in the current environment.
B.The target group for the load balancer is not properly configured.
C.The Amazon S3 bucket containing the deployment artifacts is missing.
D.The Auto Scaling group does not have sufficient capacity to run the rollback.
AnswerA

Rollback deploys the previous revision; if that revision's AppSpec references a non-existent resource, the rollback fails.

Why this answer

Option A is correct because an automatic rollback is itself a new deployment of the last known-good revision. If that revision's AppSpec file references a lifecycle hook script or a file that no longer exists in the current environment (for example, a directory that a later change removed), the rollback deployment fails at that hook. Option D is wrong because insufficient Auto Scaling capacity would typically make the original deployment fail in a different way, not specifically the rollback. Option B is wrong because a misconfigured target group affects traffic routing, not CodeDeploy's ability to run the rollback. Option C is wrong because a missing artifact bucket would have prevented the original deployment from starting at all. When a rollback fails, treat it like any other deployment: open the rollback deployment's events, find the failed lifecycle event, and check the CodeDeploy agent's script log on the instance (/opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log) for the hook's error output.

1253
Multi-Selectmedium

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS databases. Which TWO actions are required to secure the database instances?

Select 2 answers
A.Configure security groups to allow only necessary traffic from application servers.
B.Attach an IAM role to the RDS instance to control access.
C.Use network ACLs to allow inbound traffic on port 3306 from anywhere.
D.Place the RDS instances in public subnets with a route to an internet gateway.
E.Place the RDS instances in private subnets.
AnswersA, E

Security groups act as a virtual firewall for the database.

Why this answer

Option E is correct because placing the RDS instances in private subnets keeps them off any route to an internet gateway, so they are not directly reachable from the internet. Option A is correct because security groups are the stateful, instance-level firewall for the database; restricting the inbound database port to the application servers' security group (rather than to a CIDR range) is the standard pattern. Option D is wrong because public subnets with a route to an internet gateway would expose the database.

Option C is wrong because a network ACL rule allowing port 3306 from 0.0.0.0/0 opens the database port at the subnet boundary; NACLs are stateless and serve as a coarse complement to security groups, not the primary control. Option B is wrong because an IAM role attached to the instance does not control who can connect; client access is governed by database credentials or, if enabled, IAM database authentication, which issues short-lived tokens to IAM principals rather than attaching a role to the instance.

1254
Multi-Selecthard

A developer is investigating why an AWS Lambda function that processes Kinesis records is experiencing high latency. Which THREE factors could contribute to this? (Select THREE.)

Select 3 answers
A.Low number of shards in the Kinesis stream.
B.High batch size in the event source mapping.
C.High concurrency limit for the Lambda function.
D.Using Lambda@Edge to process the records.
E.Insufficient memory allocated to the Lambda function.
AnswersA, B, E

Fewer shards mean fewer concurrent Lambda invocations, so records back up and IteratorAge grows.

Why this answer

Lambda polls each shard with, by default, one concurrent invocation per shard, so a stream with few shards caps the function's parallelism (Option A); if producers exceed the per-shard write limit they are throttled and retry, and records wait longer before being processed. Adding shards or raising the event source mapping's ParallelizationFactor (up to 10 concurrent batches per shard) addresses this. A large batch size (Option B) means each invocation processes more records and runs longer before the next batch starts. Insufficient memory (Option E) also reduces the CPU allocated to the function, slowing each invocation.

Option C is wrong because a higher concurrency limit (within account limits) allows more parallel work and reduces latency rather than increasing it. Option D is wrong because Lambda@Edge runs in response to CloudFront events and cannot be used as a Kinesis consumer.

1255
MCQeasy

An application running on Amazon EC2 generates logs that need to be streamed to Amazon CloudWatch Logs. The developer installs and configures the CloudWatch agent. However, logs are not appearing in the log group. What is the most likely cause?

A.The EC2 instance does not have an IAM role with CloudWatch Logs write permissions.
B.The CloudWatch agent cannot be installed on Amazon Linux 2.
C.The CloudWatch agent must be configured from the AWS Management Console.
D.The log group must be created manually before the agent can send logs.
AnswerA

The agent needs permissions to put log events.

Why this answer

The CloudWatch agent needs an instance profile (IAM role) with permissions to create log streams and put log events (logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, as granted by the managed CloudWatchAgentServerPolicy). Without those permissions the agent's API calls are rejected and nothing appears in the log group, so Option A is correct. When troubleshooting, the agent's own log at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log shows the AccessDenied errors.

Option B is wrong because the agent is supported on Amazon Linux 2 (and other common Linux distributions and Windows). Option C is wrong because the agent is configured with a JSON configuration file (or the configuration wizard), not from the console. Option D is wrong because the agent creates the log group if it does not exist, provided the role allows logs:CreateLogGroup.

1256
Multi-Selectmedium

A company wants to encrypt data at rest in Amazon S3 using server-side encryption. Which options are managed by AWS KMS? (Choose TWO.)

Select 2 answers
A.SSE-S3
B.SSE-KMS
C.Envelope encryption with KMS
D.SSE-C
E.Client-side encryption
AnswersB, C

SSE-KMS uses AWS KMS for key management.

Why this answer

SSE-KMS (option B) is a server-side encryption option in which the KMS key (formerly called a customer master key, or CMK) used to protect S3 objects is managed by AWS KMS. Envelope encryption with KMS (option C) is the mechanism underneath SSE-KMS: KMS generates a data key, S3 encrypts the object with that data key, and the data key itself is encrypted under the KMS key and stored alongside the object. Both options rely on AWS KMS managing the keys, making them the correct choices. Two practical consequences: a principal needs kms:GenerateDataKey on the key to upload and kms:Decrypt to download, enforced by the key policy as well as IAM, and enabling an S3 Bucket Key reduces the number of KMS requests (and the cost) that SSE-KMS generates.

Exam trap

The trap here is that candidates often confuse SSE-S3 (which is server-side encryption but not KMS-managed) with SSE-KMS, or they think envelope encryption is a separate client-side concept rather than the core mechanism of SSE-KMS.

1257
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires a relational database. The developer wants to ensure that the database is not accidentally deleted when the Elastic Beanstalk environment is terminated. Which approach should the developer take?

A.Create the database as part of the Elastic Beanstalk environment by adding an RDS database configuration in the .ebextensions.
B.Create the RDS instance outside of Elastic Beanstalk and configure the application to connect to it using environment variables.
C.Use an Amazon DynamoDB table instead of a relational database.
D.Configure a retention policy on the RDS instance within the Elastic Beanstalk environment.
AnswerB

The database is independent of the environment lifecycle, so it will not be deleted when the environment is terminated.

Why this answer

Option B is correct because creating the RDS instance outside of Elastic Beanstalk decouples the database lifecycle from the environment lifecycle. When the Elastic Beanstalk environment is terminated, the external RDS instance remains intact and is not deleted. The application can connect to it using environment variables configured in the Elastic Beanstalk environment, ensuring persistence of data.

Exam trap

The trap here is Option D. Newer Elastic Beanstalk platform versions do let you set a database deletion policy (Delete, Retain or Snapshot, via the aws:rds:dbinstance namespace) for an integrated database, so a retained instance can survive termination; but the integrated database is still created for, and coupled to, a single environment, and AWS's guidance for production workloads is the decoupled design in Option B. Candidates who assume the retention setting solves the lifecycle problem miss that the question asks for the approach that keeps the database independent of the environment.

How to eliminate wrong answers

Option A is wrong because an RDS database defined in .ebextensions is created as part of the Elastic Beanstalk environment; with the default deletion policy it is removed when the environment is terminated, and even when retained it remains tied to that environment's configuration. Option C is wrong because DynamoDB is a NoSQL database, and the question explicitly requires a relational database. Option D is wrong as the intended answer because a deletion policy of Retain or Snapshot, where available, does not make the database independent of the environment; the expected solution is to create the RDS instance outside Elastic Beanstalk and pass the endpoint and credentials through environment properties (preferably referencing Secrets Manager or Parameter Store rather than storing the password in plaintext).

1258
MCQhard

A developer is using AWS CodePipeline to deploy a serverless application. The pipeline has a CodeBuild stage that runs unit tests. Recently, the build stage started failing with a 'ResourceNotFoundException: The specified bucket does not exist' error. The buildspec.yml references an artifact bucket. What is the most likely cause?

A.The artifact bucket was deleted or is in a different AWS Region.
B.The IAM service role for CodeBuild does not have s3:GetObject on the bucket.
C.The CodeBuild project does not have permission to write to CloudWatch Logs.
D.The buildspec.yml uses an invalid bucket name syntax.
AnswerA

CodePipeline requires an artifact bucket in the same region, and deletion causes ResourceNotFoundException.

Why this answer

Option A is correct because the error says the bucket itself cannot be found: the artifact bucket was deleted, or the build is looking for it in a different Region (CodePipeline's artifact store must be in the same Region as the pipeline, and cross-Region actions need an artifact store in each Region). Option B is wrong because a missing s3:GetObject permission produces an AccessDenied (403) error, not a not-found error. Option C is wrong because CloudWatch Logs permissions affect log delivery, not artifact storage.

Option D is wrong because an invalid bucket name would be rejected with a validation error rather than a not-found error, and the default artifact bucket is created and managed by CodePipeline, not named by CodeBuild.

1259
MCQhard

A developer is using AWS CodeBuild to build a Java application. The buildspec.yml file includes commands to run unit tests and package the application. Recently, the build started failing with the error 'No space left on device.' The developer notices that the build environment is using the general1.large compute type with 8 GB of disk space. The developer needs to resolve the disk space issue without modifying the application code. The build environment is managed by CodeBuild and the developer cannot change the instance type. What should the developer do?

A.Add a command in the buildspec.yml to clean the cache directory before the build phase.
B.Use an Amazon EFS file system as a cache to store dependencies.
C.Change the compute type to general1.medium with 8 GB disk space.
D.Mount an additional Amazon EBS volume to the build container.
AnswerA

Cleaning the cache frees up disk space, resolving the 'No space left on device' error.

Why this answer

Option A is correct because the build has exhausted the local disk: deleting the cache directory (for a Maven or Gradle build, the local repository or build cache) in the install or pre_build phase frees that space without touching the application code or the project configuration. Option D is wrong because CodeBuild does not allow attaching EBS volumes to the build container. Option B is wrong as a fix for this problem: CodeBuild can mount an Amazon EFS file system, but that is a project-level change requiring a VPC configuration and does not by itself free the local disk the build is filling.

Option C is wrong because the question states the compute type cannot be changed, and general1.medium is a smaller type in any case. The error is caused by disk exhaustion, and clearing the cache resolves it.

1260
MCQmedium

A company uses AWS OpsWorks for Chef Automate to manage their infrastructure. A developer needs to deploy a new application version to a stack of EC2 instances. The developer wants to minimize downtime and ensure that the deployment is rolled back automatically if any instance fails. Which deployment strategy should the developer use?

A.Canary deployment
B.Rolling deployment with rollback on error
C.In-place deployment with a single batch
D.Blue/green deployment
AnswerB

OpsWorks supports rolling updates and can roll back on failure.

Why this answer

Option B is correct because a rolling deployment updates instances in batches, so the application keeps serving from the instances not yet updated, and the deployment can be rolled back if a batch fails. Option D is wrong because blue/green is not built into OpsWorks. Option C is wrong because updating every instance in a single batch takes the whole stack down at once.

Option A is wrong because canary is not a standard OpsWorks strategy.

1261
MCQmedium

A company wants to encrypt data in transit between an Application Load Balancer and its EC2 instances. The instances run a custom web server. Which configuration should the developer implement?

A.Configure the ALB listener with a TLS certificate and set the target group protocol to HTTPS. Install the server certificate on the EC2 instances.
B.Use AWS Certificate Manager to issue a certificate for the EC2 instances and configure the web server to use it.
C.Configure the ALB listener with a TLS certificate and set the target group protocol to HTTP.
D.Enable client certificate authentication on the ALB.
AnswerA

This encrypts traffic between ALB and instances.

Why this answer

To encrypt data in transit between an Application Load Balancer (ALB) and EC2 instances, the ALB listener must be configured with a TLS certificate for client-to-ALB encryption, and the target group protocol must be set to HTTPS so the ALB re-encrypts traffic on the backend connection after terminating the client's TLS session. The EC2 instances must have a server certificate installed (for example, self-signed or issued by a private CA) so the custom web server can terminate the ALB-to-instance TLS connection. One caveat a practitioner should know: the ALB does not validate the certificate presented by the target (it accepts self-signed and expired certificates and does not check the hostname), so this setup encrypts the hop but does not authenticate the backend.

Exam trap

The trap here is that candidates often assume setting the ALB listener to HTTPS alone encrypts the entire path, forgetting that the target group protocol must also be HTTPS to encrypt the ALB-to-instance traffic, or they mistakenly think ACM public certificates can be installed on EC2 instances.

How to eliminate wrong answers

Option B is wrong because public certificates issued by AWS Certificate Manager are meant for ACM-integrated services such as ALB, CloudFront and API Gateway and are not, in the form the exam assumes, exportable for installation on a custom web server (certificates from AWS Private CA are exportable, but that is not what the option describes). Option C is wrong because setting the target group protocol to HTTP sends unencrypted traffic between the ALB and the EC2 instances, failing to encrypt data in transit as required. Option D is wrong because client certificate authentication on the ALB is mutual TLS (mTLS) for verifying client identity on the front end; it does not encrypt the ALB-to-instance connection.

1262
Multi-Selectmedium

Which TWO actions can help protect an S3 bucket from data leaks? (Choose two.)

Select 2 answers
A.Enable versioning.
B.Enable default encryption.
C.Enable MFA Delete.
D.Block public access at the bucket level.
E.Configure cross-region replication.
AnswersB, D

Blocking public access removes the most common exposure path, and default encryption protects the data at rest.

Why this answer

Options B and D are correct. Option D: blocking public access at the bucket level overrides any ACL or bucket policy that would grant public access, preventing accidental exposure (enable it at the account level as well). Option B: default encryption ensures every object is encrypted at rest; with SSE-KMS the reader also needs kms:Decrypt on the key, adding a second authorization check on top of the S3 permissions.

Option A is wrong because versioning helps with recovery, not leak prevention. Option C is wrong because MFA Delete prevents unauthorized deletion, not leaks. Option E is wrong because cross-region replication is for redundancy; it copies the data to a second bucket that must then be protected just as carefully.

1263
Multi-Selectmedium

A developer is debugging an application that uses Amazon SQS. The application occasionally processes the same message twice. Which TWO configurations can help prevent duplicate processing?

Select 2 answers
A.Increase the visibility timeout to ensure messages are deleted before becoming visible again.
B.Configure a dead-letter queue to capture duplicates.
C.Increase the delivery delay to defer message processing.
D.Enable long polling to reduce empty responses.
E.Use a FIFO queue with content-based deduplication.
AnswersA, E

A longer visibility timeout reduces the chance of re-processing.

Why this answer

Option E is correct: in a FIFO queue with content-based deduplication, SQS derives the deduplication ID from a SHA-256 hash of the message body and drops any message with the same ID received within the 5-minute deduplication interval, so a producer retry does not create a second copy. Option A is correct: a visibility timeout longer than the consumer's worst-case processing time means the message is deleted before it becomes visible again, so another consumer does not receive it a second time. Option C is wrong: a delivery delay only defers the first delivery.

Option D is wrong: long polling reduces empty responses and cost but does not prevent duplicates. Option B is wrong: a dead-letter queue collects messages that exceeded maxReceiveCount; it does not detect duplicates. Note that standard queues are at-least-once by design, so even with these settings the consumer should be idempotent (for example, record processed message IDs with a conditional write before acting on a message).
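As an added illustration (constructed for this page, not the SQS implementation), the following Python models the two mechanisms above: content-based deduplication, where the dedup ID is the SHA-256 of the body and repeats inside the 5-minute window are acknowledged but not enqueued, and the visibility timeout, which hides a received message until the clock passes it. A logical clock in seconds stands in for wall time, and the message body is made up.

```python
"""Added example: toy SQS FIFO queue with content-based deduplication and a
visibility timeout. Constructed illustration using a logical clock; it is
not the SQS implementation.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

DEDUP_WINDOW = 300   # SQS FIFO deduplication interval: 5 minutes


@dataclass
class Message:
    message_id: int
    body: str
    visible_at: float   # receivable once the clock reaches this value


class FifoQueue:
    def __init__(self, visibility_timeout: float):
        self.visibility_timeout = visibility_timeout
        self._messages: list[Message] = []
        self._dedup: dict[str, tuple[float, int]] = {}   # dedup_id -> (first_seen, message_id)
        self._next_id = 1

    def send(self, body: str, now: float) -> tuple[int, bool]:
        """Return (message_id, accepted).

        With content-based deduplication the dedup ID is the SHA-256 of the
        body; a repeat inside the window returns the original ID and is not
        enqueued, which is how a producer's retry is absorbed.
        """
        dedup_id = hashlib.sha256(body.encode()).hexdigest()
        seen = self._dedup.get(dedup_id)
        if seen is not None and now - seen[0] < DEDUP_WINDOW:
            return seen[1], False
        msg = Message(self._next_id, body, visible_at=now)
        self._next_id += 1
        self._messages.append(msg)
        self._dedup[dedup_id] = (now, msg.message_id)
        return msg.message_id, True

    def receive(self, now: float) -> Message | None:
        """Hand out the oldest visible message and hide it for the visibility timeout."""
        for msg in self._messages:
            if msg.visible_at <= now:
                msg.visible_at = now + self.visibility_timeout
                return msg
        return None

    def delete(self, message_id: int) -> None:
        self._messages = [m for m in self._messages if m.message_id != message_id]


def deliveries(visibility_timeout: float, processing_seconds: float,
               poll_times: list[float]) -> int:
    """Count how often one message is handed out while its first consumer is
    still working on it (workers poll at poll_times; the consumer deletes
    the message when processing_seconds have elapsed)."""
    q = FifoQueue(visibility_timeout)
    msg_id, _ = q.send('{"order": 123}', now=0)   # constructed body
    handed_out = 0
    for t in sorted(poll_times):
        if t >= processing_seconds:
            break
        if q.receive(t) is not None:
            handed_out += 1
    q.delete(msg_id)
    return handed_out


def dedup_demo() -> list[tuple[int, bool]]:
    """Same body sent three times: the retry at t=10 is absorbed, the send at t=400 is new."""
    q = FifoQueue(visibility_timeout=30)
    return [q.send("order-123", 0), q.send("order-123", 10), q.send("order-123", 400)]


if __name__ == "__main__":
    print("visibility 20s, processing 45s:", deliveries(20, 45, [0, 30]), "deliveries")
    print("visibility 60s, processing 45s:", deliveries(60, 45, [0, 30]), "deliveries")
    print("dedup:", dedup_demo())
```

With a 20-second visibility timeout and a 45-second consumer, the poll at t=30 receives the same message again; raising the timeout above the processing time removes the second delivery. The dedup run shows why the window matters: an identical body sent after the 5 minutes is a new message, so deduplication is a guard against retries, not a substitute for idempotent consumers.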

1264
MCQeasy

A developer is deploying a new version of an application to Amazon ECS using the Fargate launch type. The task fails to start and the error message indicates that the task cannot pull the container image from Amazon ECR. What is the MOST likely cause?

A.The task definition family name is incorrect.
B.The task execution role lacks permissions to pull from ECR.
C.The container port is not mapped to a host port.
D.The CPU or memory limits are too low for the container.
AnswerB

Without proper ECR permissions, the task cannot pull the image.

Why this answer

Option B is correct because the task execution role is what Fargate uses on the task's behalf to pull the image; it needs ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer and ecr:BatchGetImage (all included in the AmazonECSTaskExecutionRolePolicy managed policy), plus CloudWatch Logs permissions if the awslogs driver is used. A related cause with the same symptom is a task in a private subnet with no path to ECR (no NAT gateway and no ecr.api, ecr.dkr and S3 VPC endpoints). Option C is wrong because Fargate tasks use awsvpc networking and do not map host ports. Option D is wrong because CPU or memory limits that are too low would make the container fail after the image is pulled, not produce an image pull error.

Option A is wrong because the task definition family name is unrelated to image pulls.

1265
MCQeasy

A developer is building a serverless application using AWS Lambda that needs to connect to an Amazon RDS MySQL database. The function will be deployed in a VPC. Which resource should the developer use to ensure secure and efficient database connections?

A.NAT Gateway
B.RDS Proxy
C.VPC Endpoint
D.AWS PrivateLink
AnswerB

RDS Proxy is designed for applications like Lambda that open many short-lived connections. It pools connections to the database, reducing connection overhead and improving scalability and security.

Why this answer

RDS Proxy is the correct choice because it manages a pool of database connections, allowing Lambda functions to reuse them efficiently and avoid exhausting MySQL connection limits under high concurrency. It can also require IAM authentication for connections and retrieves the database credentials from AWS Secrets Manager, so the function code holds no database password; the function's role then needs only rds-db:connect for the proxy rather than a secret.

Exam trap

The trap here is that candidates often confuse VPC Endpoints or PrivateLink with database connectivity, not realizing that RDS Proxy is the only service designed specifically to solve connection management and security for Lambda functions accessing RDS in a VPC.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway provides outbound internet access for private subnets but does not manage or secure database connections; it would not help with connection pooling or credential management. Option C is wrong because a VPC Endpoint (Gateway or Interface) enables private connectivity to AWS services like S3 or DynamoDB, not to RDS databases; it does not handle connection pooling or authentication for MySQL. Option D is wrong because AWS PrivateLink is used to expose services privately across VPCs or accounts via Network Load Balancers and interface endpoints, but it does not provide the connection pooling, IAM integration, or failover capabilities that RDS Proxy offers for Lambda-to-RDS connections.

1266
MCQeasy

A developer is using AWS Elastic Beanstalk to deploy a Python web application. The application requires a specific version of a Python package that is not pre-installed on the Elastic Beanstalk platform. How should the developer ensure the package is installed on all environment instances?

A.Use the AWS CLI to run a script on each instance after deployment.
B.Include a .ebextensions configuration file that runs a command to install the package.
C.Add the package to a requirements.txt file and deploy it with the application source bundle.
D.Create a custom Dockerfile and use the Docker platform in Elastic Beanstalk.
AnswerB

.ebextensions files run custom configurations during provisioning.

Why this answer

Option B is correct because .ebextensions configuration files run custom commands (for example, a pip install of a pinned version) during environment creation and updates, and they also cover dependencies that pip alone cannot satisfy, such as native libraries installed with yum. Option C is close: the Python platform runs pip install -r requirements.txt on the source bundle, and pinning the version there is the everyday way to add a pure-Python package; the exam's intended answer treats .ebextensions as the more general mechanism. Option A is wrong because running scripts by hand on each instance does not survive scaling or instance replacement.

Option D is wrong because a Dockerfile applies only to the Docker platforms, not the Python platform.

1267
Multi-Selectmedium

A company is deploying a critical application using AWS CloudFormation. The stack creation fails due to a resource creation failure. The developer needs to troubleshoot the issue. Which TWO actions should the developer take to identify the root cause? (Choose TWO.)

Select 2 answers
A.View the stack events in the CloudFormation console.
B.Check the stack outputs.
C.Delete the stack and recreate it with the same parameters.
D.Review the stack template for logical errors.
E.Check AWS CloudTrail logs for the stack creation attempt.
AnswersA, D

Events show detailed error messages for resource failures.

Why this answer

Options A and D are correct. A: the Events tab lists each resource's status transitions together with the error message from the underlying service (for example, an IAM permission error or an invalid property value). D: the template can be reviewed for logical errors such as wrong property names or references. By default a failed creation rolls back and deletes the resources, so the events are the main evidence; if you need to inspect a failed resource, create the stack with rollback disabled (OnFailure=DO_NOTHING or --disable-rollback).

Option C is wrong because deleting the stack removes the resources and the event history. Option E is wrong because CloudTrail records the API calls but not the resource-level error CloudFormation reports. Option B is wrong because outputs are only produced after a successful creation.

1268
Multi-Selecteasy

Which TWO services can be used to encrypt data at rest in Amazon S3? (Choose two.)

Select 2 answers
A.SSE-KMS
B.AWS IAM
C.AWS Certificate Manager (ACM)
D.AWS CloudHSM
E.SSE-S3
AnswersA, E

SSE-S3 and SSE-KMS are the two server-side encryption options S3 offers for data at rest.

Why this answer

Options A and E are correct. Option E: SSE-S3 uses keys managed by S3 and is the default encryption for new objects. Option A: SSE-KMS uses AWS KMS keys, adding key-level access control and CloudTrail logging of every use of the key.

Option D is wrong because CloudHSM is not directly integrated with S3; it can back a KMS custom key store, but the S3 option is still SSE-KMS. Option B is wrong because IAM is an access management service, not an encryption service. Option C is wrong because ACM issues TLS certificates for data in transit, not encryption at rest.

1269
Multi-Selecthard

A developer is building a CI/CD pipeline using AWS CodePipeline. The pipeline has a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer wants to ensure that a manual approval step is required before deploying to production. Which THREE components must be configured? (Choose THREE.)

Select 3 answers
A.Create an AWS Lambda function to process approval logic.
B.Set up an Amazon SNS topic to notify approvers of pending approval.
C.Add an approval action in the pipeline before the deploy stage.
D.Attach an IAM policy to the approver group that allows codepipeline:PutApprovalResult.
E.Configure Amazon CloudWatch Events to trigger the approval step.
AnswersB, C, D

Correct: SNS is used to send approval requests.

Why this answer

B, C and D are correct. You need a manual approval action in the pipeline before the deploy stage (C), an SNS topic the approval action notifies so approvers learn a run is waiting (B), and an IAM policy for the approvers that allows codepipeline:PutApprovalResult on the pipeline (D); the pipeline's own service role must also be allowed to publish to the topic. Strictly, the SNS topic is optional on the action, but without it no one is notified, which is why the exam counts it. Option E is wrong because CloudWatch Events is not required for approval.

Option A is wrong because Lambda is not required; the approval action is built in and pauses the pipeline until a result is posted or the seven-day timeout expires.

1270
MCQhard

A company's DynamoDB table has a read capacity of 10,000 RCUs and receives consistent traffic. Recently, users have reported increased latency for read requests. The application uses strongly consistent reads. The developer checks CloudWatch metrics and sees that 'ConsumedReadCapacityUnits' is at 9,500 but 'ThrottledRequests' is high. What is the most likely cause?

A.The application is using eventually consistent reads but expecting strongly consistent results.
B.A hot partition is exceeding its partition-level read capacity.
C.The DynamoDB table has auto scaling enabled and is scaling down too aggressively.
D.The provisioned read capacity is too low for the traffic.
AnswerB

Even with sufficient table capacity, a single partition can throttle if its share of RCUs is exceeded.

Why this answer

One RCU provides one strongly consistent read per second of an item up to 4 KB (or two eventually consistent reads), so strongly consistent reads consume twice the capacity of eventually consistent ones. Here ConsumedReadCapacityUnits is 9,500 against 10,000 provisioned, so the table as a whole is within its capacity and the throttling must come from somewhere else. Provisioned throughput is divided across the table's partitions, and each partition is also hard-capped at 3,000 RCUs and 1,000 WCUs per second; if a single partition key (or a small set of keys) receives most of the reads, that partition's share is exceeded and those requests are throttled while the table-level metric still looks healthy. DynamoDB's adaptive capacity absorbs some imbalance, but not a key that on its own demands more than one partition can serve.

Option B is correct: a hot partition causes throttling even when table-level capacity is not exhausted. Option A is incorrect because eventually consistent reads would consume fewer RCUs, not cause throttling. Option D is incorrect because consumed capacity is below the provisioned 10,000 RCUs.

Option C is incorrect because auto scaling scaling down would show the provisioned capacity dropping in CloudWatch, which is not the symptom described. The fix is to spread reads across partition keys (write sharding) or to serve the hot item from a cache such as DAX.
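As an added illustration (constructed for this page, not DynamoDB's internals), the following Python estimates per-partition read consumption for the table in the question and flags the partition that throttles while the table-level total stays under 10,000 RCUs. DynamoDB's key-to-partition mapping is internal, so a SHA-256 hash mod N stands in for it; the workload and key names are made up.

```python
"""Added example: why a hot partition throttles while table-level RCUs look fine.

Constructed illustration. The 4 KB / 1 RCU rule and the 3,000 RCU hard limit
per partition are documented; the hash-mod-N partition mapping and the
workload are stand-ins invented for this example.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

KB = 1024
PARTITION_MAX_RCU = 3000   # hard per-partition read limit per second


def read_rcus(item_size_bytes: int, strongly_consistent: bool) -> float:
    """1 RCU = one strongly consistent read/s of up to 4 KB; eventually consistent costs half."""
    units = math.ceil(item_size_bytes / (4 * KB))
    return units if strongly_consistent else units / 2


def partition_of(key: str, num_partitions: int) -> int:
    """Stand-in for DynamoDB's internal hash-based partition assignment."""
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % num_partitions


def analyse(reads, provisioned_rcu: int, num_partitions: int,
            strongly_consistent: bool = True) -> dict:
    """reads: iterable of (partition_key, item_size_bytes) issued within one second.

    Provisioned capacity is split evenly across partitions; a partition whose
    demand exceeds its share (capped by the 3,000 RCU ceiling) throttles even
    when the table-level total is below the provisioned value.
    """
    per_partition: Counter = Counter()
    for key, size in reads:
        per_partition[partition_of(key, num_partitions)] += read_rcus(size, strongly_consistent)
    share = min(PARTITION_MAX_RCU, provisioned_rcu / num_partitions)
    return {
        "consumed_rcu": sum(per_partition.values()),
        "per_partition_share": share,
        "per_partition": dict(sorted(per_partition.items())),
        "throttled_partitions": sorted(p for p, used in per_partition.items() if used > share),
    }


def build_reads(total: int, hot_fraction: float, hot_key: str = "customer#42"):
    """Constructed one-second workload: hot_fraction of the reads hit one key, the rest are spread."""
    hot = round(total * hot_fraction)
    return [(hot_key, 4 * KB)] * hot + [(f"customer#{i}", 4 * KB) for i in range(total - hot)]


if __name__ == "__main__":
    # The question's table: 10,000 RCU, strongly consistent 4 KB reads, 9,500 reads/s.
    skewed = analyse(build_reads(9500, 0.6), provisioned_rcu=10000, num_partitions=4)
    print(skewed)   # consumed 9,500 < 10,000, yet one partition is over its 2,500 share
    even = analyse(build_reads(8000, 0.0), provisioned_rcu=10000, num_partitions=4)
    print(even)     # same table, keys spread out: nothing throttled
```

With 60% of the reads landing on one key, that key's partition needs about 5,700 RCUs against a 2,500 RCU share, so it throttles while ConsumedReadCapacityUnits reports 9,500 for the table; spreading the same volume across many keys keeps every partition under its share. The same function with strongly_consistent=False halves every number, which is the separate effect Option A alludes to.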

1271
MCQeasy

A company is deploying a new microservice using AWS Lambda. The deployment pipeline uses AWS CodeBuild and AWS CodePipeline. The team wants to automatically roll back to the previous function version if the new version fails CloudWatch alarms. Which deployment strategy should they implement?

A.Canary deployment with a CloudWatch alarm-based rollback
B.Rolling update with a pre-traffic hook
C.Immutable deployment with an automated rollback
D.Blue/Green deployment with an AWS CodeDeploy configuration
AnswerA

Lambda canary deployments shift traffic gradually and can roll back based on alarms.

Why this answer

Option A is correct because Lambda supports traffic shifting between the versions behind an alias, and CodeDeploy's Lambda deployment configurations (for example Canary10Percent5Minutes) send a small percentage of traffic to the new version first; CloudWatch alarms attached to the deployment trigger an automatic rollback to the previous version if they enter the ALARM state. With AWS SAM this is declared with the DeploymentPreference property and its Alarms list. Option B is incorrect because rolling updates are an EC2 and Elastic Beanstalk concept, not a Lambda deployment type. Option D is incorrect because blue/green is the general term for how CodeDeploy implements Lambda deployments, but the strategy the question describes (a gradual shift plus alarm-based rollback) is the canary configuration.

Option C is incorrect because immutable deployments are an Elastic Beanstalk option for EC2 environments and are not rolled back based on alarms.

1272
MCQhard

A company runs a containerized application on Amazon ECS Fargate. The application writes logs to stdout. The operations team wants to centralize log monitoring and set up alarms for error patterns. What should a developer do to meet these requirements with minimal operational overhead?

A.Use Amazon Kinesis Data Firehose to stream logs to Amazon S3 and then to CloudWatch Logs.
B.Modify the application code to use the AWS SDK for CloudWatch Logs to put log events.
C.Install the CloudWatch agent in the container and configure it to send logs.
D.Configure the ECS task definition to use the awslogs log driver and set the log group.
AnswerD

awslogs driver sends stdout to CloudWatch Logs natively.

Why this answer

Option D is correct because the awslogs log driver sends the container's stdout and stderr to a CloudWatch Logs log group with no agent and no code change; the task execution role needs logs:CreateLogStream and logs:PutLogEvents (and logs:CreateLogGroup if awslogs-create-group is enabled). Once the logs are in CloudWatch, a metric filter on the error pattern feeds a metric that a CloudWatch alarm can watch. Option C is wrong because the CloudWatch agent is for EC2 instances and on-premises servers, not Fargate containers. Option A is wrong because Kinesis Data Firehose adds components and cost for no benefit here.

Option B is wrong because using the SDK to put log events means modifying application code, which the awslogs driver makes unnecessary.

1273
Multi-Selectmedium

A developer is optimizing costs for an AWS account. The account has multiple EC2 instances running different workloads. Some instances are used for development and are only needed during business hours. Which THREE actions can the developer take to reduce costs? (Select THREE.)

Select 3 answers
A.Purchase Reserved Instances for the production instances.
B.Use Spot Instances for fault-tolerant workloads.
C.Use EBS gp3 volumes instead of gp2 to save on storage costs.
D.Increase the instance size to handle peak load more efficiently.
E.Use AWS Instance Scheduler to stop development instances during non-business hours.
AnswersA, B, E

Reserved Instances provide a discount over On-Demand for steady-state usage.

Why this answer

Options A, B and E are correct. Spot Instances (B) reduce costs for fault-tolerant workloads that can handle interruption. Stopping development instances outside business hours with Instance Scheduler (E) avoids paying for idle compute (attached EBS volumes are still billed while the instance is stopped).

Reserved Instances (A) provide discounts for steady-state production workloads. Option D (increasing instance size) increases costs. Option C (gp3 instead of gp2) does lower the storage cost per GB, but the scenario is about compute for idle development instances, so it is not one of the intended answers.

1274
MCQmedium

A company uses AWS CodePipeline with CodeBuild to test and deploy a web application. The pipeline has been failing at the deploy stage with an error: 'Access Denied'. CloudTrail shows the CodePipeline service role is making the call. What is the MOST likely cause?

A.The CodeBuild project does not have internet access.
B.The CodePipeline service role lacks permissions for the deploy action.
C.The deploy provider (e.g., ECS, S3) is not in the same AWS region.
D.The source code repository does not have the correct branch.
AnswerB

The service role must have permissions to perform the deploy action on the target resource.

Why this answer

The error 'Access Denied' in the deploy stage, with CloudTrail showing the CodePipeline service role making the call, indicates that the IAM role assumed by CodePipeline does not have the necessary permissions to perform the deploy action against the target provider (e.g., ECS, S3, Elastic Beanstalk). CodePipeline uses its service role to invoke the deploy action, and if that role lacks the required `codedeploy:*`, `s3:PutObject`, or `ecs:UpdateService` permissions, the API call will be denied.

Exam trap

The trap here is that candidates confuse the CodeBuild service role with the CodePipeline service role, assuming the build role is responsible for deployment, when in fact CodePipeline uses its own role for the deploy action.

How to eliminate wrong answers

Option A is wrong because CodeBuild not having internet access would cause build failures (e.g., cannot download dependencies), not a deploy-stage 'Access Denied' error, and CloudTrail shows the CodePipeline service role, not CodeBuild, is making the call. Option C is wrong because deploy providers can be in different regions (cross-region actions are supported with appropriate IAM and resource policies), and the error is 'Access Denied', not a region mismatch. Option D is wrong because an incorrect source branch would cause the pipeline to fetch the wrong code or fail at the source stage, not produce an 'Access Denied' error at the deploy stage.

1275
MCQhard

Refer to the exhibit. A developer has attached the above IAM policy to an IAM role used by an AWS Lambda function. The Lambda function reads and writes objects to an S3 bucket. However, the function fails when trying to write objects. What is the MOST likely cause?

A.The S3 bucket policy denies the Lambda function.
B.The S3 bucket uses AWS KMS encryption, and the policy does not include KMS permissions.
C.The Lambda function does not have permission to read objects.
D.The Lambda function is not using the correct IAM role.
AnswerB

KMS permissions are required for encrypted buckets.

Why this answer

Option B is correct because the bucket uses SSE-KMS: for each PutObject, S3 calls kms:GenerateDataKey on the bucket's key on the caller's behalf, and for each GetObject it calls kms:Decrypt. Since reads succeed but writes fail, the role is missing kms:GenerateDataKey (multipart uploads also need kms:Decrypt). The KMS key policy must also allow the role, or delegate to IAM, for either call to succeed. Option C is wrong because reads work, so GetObject is permitted. Option A is wrong because no bucket policy is shown in the exhibit; a bucket-policy Deny would also block reads unless it were scoped to PutObject.

Option D is wrong because the function's role has the policy attached.
