AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 1276-1350

1616 questions total · 22 pages · All types, answers revealed


Page 18 of 22

1276
MCQ · easy

A developer is using AWS CodeBuild to build a Java application. The build succeeds locally but fails on CodeBuild with a 'Cannot find symbol' error for a class that is in a dependency JAR. What is the MOST likely cause?

A. The build is timing out before dependencies are fully downloaded.
B. The CodeBuild compute type does not have enough memory to compile the project.
C. The dependency cache is not enabled in CodeBuild, so dependencies are not available.
D. The buildspec file has incorrect syntax causing the build to skip dependency resolution.
Answer: C

Without caching, CodeBuild downloads dependencies each time, but if the repository is unreachable or the dependency is not in the repository, it will be missing.

Why this answer

Option C is correct because CodeBuild does not include cached dependencies by default; each build downloads dependencies from scratch unless a cache is configured. The local build works because Maven/Gradle caches dependencies locally. Option D (buildspec syntax) would cause a different error.

Option A (build timeout) would cause a timeout, not a compilation error. Option B (insufficient compute) would cause performance problems, not a missing symbol.

1277
MCQ · medium

A developer is using AWS CodeBuild to build a Java application. The buildspec.yml file currently runs unit tests. The developer wants to generate a code coverage report and publish it to the CodeBuild console for analysis. Which CodeBuild feature should be used?

A. Test reports
B. Build artifacts
C. Amazon CloudWatch Logs
D. Amazon S3 access logs
Answer: A

CodeBuild test reports enable you to generate and view code coverage and test result reports directly in the CodeBuild console, integrating with tools like JaCoCo.

Why this answer

AWS CodeBuild's test reports feature allows developers to create reports from test result files, including code coverage reports, and publish them to the CodeBuild console for analysis. This feature supports various report formats such as JaCoCo, Cobertura, and SimpleCov, enabling the developer to visualize coverage metrics directly in the console without external tools.

Exam trap

The trap here is that candidates confuse build artifacts (which store compiled binaries) with test reports (which store structured test and coverage data), or assume CloudWatch Logs can visualize coverage metrics when it only provides raw log text.

How to eliminate wrong answers

Option B is wrong because build artifacts are used to store output files (e.g., JARs, WARs) in Amazon S3 or CodeBuild, not for generating or publishing test or coverage reports. Option C is wrong because Amazon CloudWatch Logs captures build logs and output from CodeBuild runs, but it does not parse or display structured code coverage reports. Option D is wrong because Amazon S3 access logs track requests made to an S3 bucket, not CodeBuild test results or coverage data.

1278
MCQ · medium

A developer runs the commands above. The key is disabled. An application that uses this key to encrypt S3 objects starts failing. What should the developer do to fix the issue?

A. Delete the key and recreate it
B. Create a new KMS key and update the application to use it
C. Enable the KMS key
D. Enable automatic key rotation
Answer: C

Enabling the key will allow the application to use it again.

Why this answer

The key is disabled, so enabling it restores functionality. Option B (create a new key) would require updating the application. Option D (rotate the key) is not necessary.

Option A (delete the key) would make things worse.

1279
MCQ · medium

A developer is creating a new IAM policy to allow an application to read objects from a specific S3 bucket and write logs to a CloudWatch log group. Which policy statement is correct?

A. {"Effect":"Allow","Action":["ec2:DescribeInstances"],"Resource":"*"}
B. {"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"arn:aws:s3:::my-bucket/*"}
C. {"Effect":"Allow","Action":["s3:GetObject","logs:CreateLogStream","logs:PutLogEvents"],"Resource":["arn:aws:s3:::my-bucket/*","arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:*"]}
D. {"Effect":"Allow","Action":["s3:PutObject"],"Resource":"arn:aws:s3:::my-bucket/*"}
Answer: C

Correct actions and resources.

Why this answer

Option C is correct because it grants s3:GetObject on the bucket's objects together with logs:CreateLogStream and logs:PutLogEvents on the log group. Option B is wrong because it uses s3:ListBucket instead of s3:GetObject. Option D is wrong because it uses s3:PutObject instead of s3:GetObject.

Option A is wrong because it uses ec2:DescribeInstances, which is irrelevant to the requirement.

1280
MCQ · medium

A company's security policy requires that all data in transit between an Application Load Balancer (ALB) and its backend EC2 instances be encrypted. The ALB currently uses HTTPS listeners. What configuration ensures encryption between the ALB and targets?

A. Add a security group rule allowing port 443 from the ALB to the instances.
B. Configure the target group to use HTTPS protocol.
C. Use a Network Load Balancer with a TLS listener.
D. Set the listener protocol to HTTPS with a certificate.
Answer: B

Target group protocol determines encryption between ALB and instances.

Why this answer

Option B is correct because the target group protocol must be HTTPS to encrypt traffic between the ALB and its targets. Option D is wrong because the listener protocol only covers client-to-ALB traffic. Option A is wrong because security group rules do not encrypt traffic.

Option C is wrong because a TLS listener on a Network Load Balancer covers client-to-load-balancer traffic, not the backend connection.

1281
MCQ · hard

A company uses AWS KMS customer master keys (CMKs) to encrypt sensitive data in Amazon S3. A compliance requirement mandates that the backing keys for the CMKs be automatically rotated every year. The developer must implement this with minimal operational overhead. Which solution meets the requirement?

A. Enable automatic key rotation for the CMK in AWS KMS.
B. Create a new CMK every year and update the S3 bucket policy to use the new key.
C. Use an AWS managed key (aws/s3) which automatically rotates annually.
D. Use SSE-S3 encryption with automatically rotated keys instead of KMS.
Answer: A

When enabled, AWS KMS automatically rotates the backing key of a CMK once per year, satisfying the compliance requirement.

Why this answer

Option A is correct because AWS KMS supports automatic key rotation for customer managed CMKs. When enabled, KMS automatically rotates the backing key annually (approximately every 365 days) with no additional operational overhead. This satisfies the compliance requirement for yearly rotation without manual intervention.

Exam trap

The trap here is that candidates may confuse AWS managed keys (which rotate automatically but not on a customer-defined schedule) with customer managed CMKs, or assume that manual key rotation is required when automatic rotation is available.

How to eliminate wrong answers

Option B is wrong because manually creating a new CMK each year and updating the S3 bucket policy introduces significant operational overhead and violates the 'minimal operational overhead' requirement. Option C is wrong because AWS managed keys (aws/s3) are automatically rotated, but the rotation schedule is managed by AWS and is not guaranteed to be exactly every year; additionally, the question specifies using customer master keys (CMKs), not AWS managed keys. Option D is wrong because SSE-S3 uses server-side encryption with Amazon S3-managed keys, not AWS KMS CMKs, and the rotation schedule is managed by S3, not the customer, so it does not meet the requirement of using KMS CMKs with annual rotation.

1282
MCQ · hard

A developer is deploying a containerized application on Amazon ECS with Fargate. The application needs to read configuration data from AWS Systems Manager Parameter Store. The developer wants to ensure that the ECS task definition can access the parameter without hardcoding the value. What should the developer do?

A. Store the configuration in Amazon ECR as a label and reference it in the task definition.
B. Use the 'configs' section in the task definition to load from Parameter Store.
C. Add a 'parameters' section in the task definition to load from Parameter Store.
D. Use the 'secrets' field in the task definition to reference the parameter ARN.
Answer: D

The secrets field allows referencing Parameter Store parameters.

Why this answer

Option D is correct because ECS can inject Parameter Store parameters as environment variables when the task definition's 'secrets' field references the parameter ARN in 'valueFrom'. Option A is wrong because configuration values are not stored in ECR labels. Option C is wrong because there is no 'parameters' section in a task definition.

Option B is wrong because a task definition does not have a 'configs' section.

1283
MCQ · medium

A company is building a serverless application using AWS Lambda. The application processes messages from an Amazon SQS queue. The Lambda function is idempotent and handles duplicate messages correctly. The company needs to ensure that messages are processed in the order they were sent. Which solution should the company use?

A. Use Amazon SNS to fan out messages to Lambda.
B. Use Amazon Kinesis Data Streams as the event source for Lambda.
C. Configure the Lambda function to poll an SQS standard queue with a batch size of 10.
D. Configure the Lambda function to poll an SQS FIFO queue with a batch size of 1.
Answer: D

Using an SQS FIFO queue with batch size 1 ensures messages are processed in order and exactly once.

Why this answer

Option D is correct because an SQS FIFO queue ensures exactly-once processing and preserves message order. Lambda can poll FIFO queues with a batch size of 1 to maintain order. Option C is wrong because standard queues do not guarantee order.

Option B is wrong because Kinesis Data Streams does not integrate natively with Lambda's event source mapping for ordered processing of individual messages. Option A is wrong because SNS does not provide ordering guarantees.

1284
MCQ · easy

A developer attaches this IAM policy to an IAM user. The user is trying to access an object in example-bucket from an IP address 203.0.113.5. What will happen?

A. Access is denied because the condition is not satisfied.
B. Access is allowed because the condition is not mandatory.
C. Access is denied because the resource ARN is incorrect.
D. Access is allowed because the policy allows the action.
Answer: A

The source IP address does not match the policy condition.

Why this answer

The policy allows access only from the 192.0.2.0/24 range. The user's IP 203.0.113.5 is outside that range, so access is implicitly denied.

1285
MCQ · hard

A developer is deploying a serverless application that includes an AWS Lambda function with a dependency on a native library (e.g., a compiled C library). The developer uses AWS SAM. The Lambda function runs correctly in the local development environment but fails with an 'Unable to import module' error when deployed. What is the most likely cause?

A. The Lambda function's IAM role does not have permission to access the library.
B. The Lambda function's handler configuration is incorrect.
C. The native library is compiled for a different operating system than Lambda (Amazon Linux).
D. The Lambda function's timeout is too short.
Answer: C

Lambda uses Amazon Linux; libraries must be compiled for it.

Why this answer

Option C is correct because Lambda runs on Amazon Linux, and native libraries must be compiled for that platform. The local development environment may be a different OS. Option A is wrong because the IAM role does not affect module imports.

Option D is wrong because a timeout would cause a different error. Option B is wrong because the same handler configuration works locally, so it is not the cause.

1286
MCQ · medium

A developer is building a serverless application using AWS Lambda functions that process events from Amazon SQS. The developer notices that some messages are being processed multiple times. What is the MOST likely cause of this issue?

A. The Lambda function's reserved concurrency is set too high.
B. The SQS visibility timeout is too short for the Lambda function's execution time.
C. The SQS queue has a dead-letter queue configured.
D. The Lambda function's batch size is set to more than 1.
Answer: B

If the visibility timeout expires before Lambda finishes processing, the message becomes visible again and can be processed by another invocation.

Why this answer

Option B is correct because Lambda's SQS event source mapping uses long polling to receive a message; if the visibility timeout expires before processing completes, the message becomes visible again and is delivered to another invocation. Option C is wrong because dead-letter queues do not cause duplication. Option D is wrong because Lambda functions process one message at a time by default from SQS.

Option A is wrong because reserved concurrency limits concurrency; it does not cause duplication.

1287
MCQ · hard

A developer runs the above AWS CLI command to invoke a Lambda function. The response shows StatusCode 200 but FunctionError is 'Unhandled'. What does this indicate?

A. The function timed out.
B. The payload was malformed and the function did not run.
C. The function code threw an unhandled exception.
D. The function lacks execution permissions.
Answer: C

'Unhandled' indicates an uncaught exception in the code.

Why this answer

Option C is correct because 'Unhandled' means the Lambda function threw an exception that was not caught by the code. Option A is wrong because a timeout would result in a different error. Option D is wrong because a permission error would give a 403 status.

Option B is wrong because the function was invoked and ran; the error is in the code.

1288
MCQ · medium

A developer is deploying a serverless application using AWS SAM. The developer runs 'sam deploy' but receives an error that the S3 bucket does not exist. How should the developer fix this?

A. Use sam publish to deploy the application.
B. Run sam build to generate the bucket.
C. Create an S3 bucket and specify it with --s3-bucket.
D. Run sam package to create the bucket automatically.
Answer: C

Bucket must exist before deploy.

Why this answer

The correct answer is C. The --s3-bucket parameter specifies the bucket for deployment artifacts; if it does not exist, create it.

Option D (sam package) is a step before deploy but does not create the bucket. Option B (sam build) builds locally. Option A (sam publish) is for publishing to the Serverless Application Repository.

1289
MCQ · hard

Messages in an SQS queue are processed successfully but later reappear and are processed again. What is the most likely configuration issue?

A. The queue uses long polling
B. The queue has a dead-letter queue
C. The messages are encrypted with SSE-SQS
D. The visibility timeout is shorter than the processing time or messages are not deleted after processing
Answer: D

Correct for the stated requirement.

Why this answer

When a message is processed but not deleted from the SQS queue, or when the visibility timeout expires before processing completes, the message becomes visible again in the queue and can be consumed by another worker. This causes duplicate processing. The correct fix is to ensure the visibility timeout is set longer than the expected processing time and that the message is explicitly deleted after successful processing.

Exam trap

The trap here is that candidates may confuse message reappearance with dead-letter queue behavior, but dead-letter queues only trigger after a configurable number of receive attempts, not after a single successful processing cycle.

How to eliminate wrong answers

Option A is wrong because long polling reduces empty responses and cost by waiting for messages, but does not cause messages to reappear after processing. Option B is wrong because a dead-letter queue captures messages that have failed processing multiple times; it does not cause reprocessing of successfully handled messages. Option C is wrong because SSE-SQS encrypts messages at rest, which has no effect on message visibility or deletion behavior.

1290
Multi-Select · medium

A developer is configuring an Amazon S3 bucket for static website hosting. The website includes JavaScript that makes AJAX calls to an API Gateway endpoint. Which TWO actions should the developer take to allow cross-origin requests?

Select 2 answers
A. Use Amazon CloudFront to serve the website and set CORS headers.
B. Add a CORS configuration to the S3 bucket.
C. Enable CORS on the API Gateway API.
D. Configure the S3 bucket policy to allow cross-origin access.
E. Modify the Lambda function to include CORS headers in the response.
Answers: C, D

API Gateway must have CORS enabled to accept cross-origin requests from the browser.

Why this answer

Options C and D are correct. Option D: an S3 bucket policy can allow cross-origin access to the bucket itself, but for API Gateway, CORS must be enabled on the API. Option B is incorrect because the CORS configuration belongs on the API Gateway API, not the S3 bucket.

Option C: enabling CORS on API Gateway allows the browser to make cross-origin requests. Option A is incorrect because CloudFront does not handle CORS by itself; it must be configured. Option E is incorrect because Lambda functions do not handle CORS directly; API Gateway does.

1291
MCQ · medium

A company is using an S3 bucket to store sensitive data. They want to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What is the most secure way to enforce this?

A. Enable default encryption on the bucket with SSE-KMS.
B. Create a bucket policy that denies PutObject without encryption.
C. Create a bucket policy that denies PutObject unless the x-amz-server-side-encryption header is set to aws:kms.
D. Enable S3 Block Public Access on the bucket.
Answer: C

This denies uploads that do not use SSE-KMS.

Why this answer

Option C is correct because an S3 bucket policy that denies PutObject requests unless the x-amz-server-side-encryption header is set to aws:kms rejects any upload that does not use SSE-KMS. Option A is wrong because default encryption can be overridden by the uploader. Option D is wrong because enabling S3 Block Public Access does not enforce encryption.

Option B is wrong because a bucket policy alone does not enforce SSE-KMS; it needs a condition key on the encryption header.

1292
Multi-Select · easy

Which TWO actions can help reduce Lambda cold start times? (Choose two.)

Select 2 answers
A. Increase the deployment package size.
B. Increase the memory allocated to the function.
C. Use Provisioned Concurrency.
D. Place the function in a VPC.
E. Reduce the function timeout.
Answers: B, C

More memory = more CPU, faster initialization.

Why this answer

Option B is correct because increasing memory also increases CPU, which speeds up initialization. Option C is correct because using Provisioned Concurrency keeps environments warm. Option A is incorrect because larger deployment packages increase cold start.

Option D is incorrect because VPC adds network overhead, increasing cold start. Option E is incorrect because reducing memory decreases CPU, worsening cold start.

1293
MCQ · medium

An application uses IAM roles to grant EC2 instances access to S3. The developer notices that the application works correctly in one account but fails with access denied in another account. What is the most likely cause?

A. The IAM role is not attached to the EC2 instance
B. The EC2 instance does not have internet access
C. The S3 bucket policy does not grant access to the IAM role
D. The KMS key policy does not allow decryption
Answer: C

Cross-account access requires the S3 bucket policy to explicitly allow the IAM role.

Why this answer

The most likely cause is that the S3 bucket policy in the second account does not explicitly grant the IAM role from the first account (or the second account's own IAM role) the necessary permissions. When an IAM role is used, both the role's trust policy and the resource-based policy (S3 bucket policy) must allow the action; if the bucket policy denies or omits the role's ARN, access will be denied even if the role itself has S3 permissions.

Exam trap

The trap here is that candidates assume IAM role permissions alone are sufficient, forgetting that resource-based policies (like S3 bucket policies) can override or deny access even when the identity-based policy allows it.

How to eliminate wrong answers

Option A is wrong because if the IAM role were not attached to the EC2 instance, the application would fail in both accounts, not just one—the issue is cross-account or cross-policy inconsistency. Option B is wrong because EC2 instances access S3 via AWS API endpoints over the internet or VPC endpoints; lack of internet access would cause a timeout or connectivity error, not an 'access denied' (HTTP 403) response. Option D is wrong because the question does not mention KMS encryption; if S3 objects were encrypted with a KMS key, a KMS key policy issue would produce a different error (e.g., 'AccessDenied' for kms:Decrypt), but the scenario specifically states an S3 access denied, not a KMS-related failure.

1294
Multi-Select · hard

A security audit reveals that an S3 bucket is publicly accessible. The bucket policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. Which TWO actions should be taken to remediate this issue? (Select TWO.)

Select 2 answers
A. Remove the public access grant from the bucket ACL.
B. Create an IAM user policy that denies s3:GetObject for anonymous users.
C. Enable versioning on the bucket.
D. Modify the bucket policy to remove the Allow effect for Principal "*".
E. Enable default encryption on the bucket.
Answers: A, D

ACL might also grant public access.

Why this answer

Option A is correct because the bucket ACL may still grant public access even if the bucket policy is the primary issue. Removing the public access grant from the ACL ensures that no anonymous principals have s3:GetObject permissions via ACLs, which is a separate access control mechanism from bucket policies. This is a direct remediation step to eliminate public read access.

Exam trap

The trap here is that candidates may think only the bucket policy needs fixing, overlooking that ACLs can independently grant public access, so both the policy and ACL must be remediated.

1295
MCQ · medium

A company is using AWS Lambda to process sensitive data. The Lambda function needs to access an S3 bucket in the same account. What is the BEST practice for granting permissions?

A. Use an S3 bucket policy that allows access from the Lambda function's ARN.
B. Create an IAM role with a policy granting S3 access and attach it to the Lambda function.
C. Generate a key pair and use it to authenticate the Lambda function to S3.
D. Store the AWS access key ID and secret access key in the Lambda environment variables.
Answer: B

This follows least privilege and best practice.

Why this answer

Option B is correct because attaching an IAM role with a policy that grants S3 access to the Lambda function follows the principle of least privilege and is the recommended practice. Option D is wrong because storing long-term credentials in environment variables is insecure. Option C is wrong because Lambda does not authenticate to S3 with key pairs.

Option A is wrong because S3 bucket policies are not the primary mechanism for granting a Lambda function access within the same account; IAM roles are preferred.

1296
Multi-Select · hard

A company runs a serverless application on AWS using API Gateway, AWS Lambda, and DynamoDB. The application processes user uploads and stores metadata in DynamoDB. Recently, users have reported that some uploads fail with a 500 Internal Server Error. The CloudWatch Logs for the Lambda function show 'ProvisionedThroughputExceededException' errors for DynamoDB, followed by 'Task timed out after 3.00 seconds' errors. The Lambda function has a 3-second timeout and 128 MB of memory. The DynamoDB table has 5 read capacity units and 5 write capacity units. The application uses a single Lambda function that processes each upload synchronously. The company expects a steady increase in uploads. Which combination of actions should a developer take to resolve the errors and prepare for future growth? (Choose TWO.)

Select 2 answers
A. Increase the DynamoDB table's write capacity units to a higher value.
B. Switch the Lambda function to asynchronous invocation with a DLQ.
C. Modify the Lambda function to implement retries with exponential backoff on DynamoDB write operations.
D. Increase the Lambda function's timeout to 30 seconds.
E. Increase the Lambda function's reserved concurrency to 100.
Answers: A, C

This directly addresses the ProvisionedThroughputExceededException by providing more write capacity.

Why this answer

The errors are caused by DynamoDB throttling due to insufficient write capacity. Option A increases write capacity to handle the load. Option C implements retries with exponential backoff to handle occasional throttling without failing.

Option E would not help because the errors come from DynamoDB throttling, not Lambda concurrency. Option D would increase latency but not solve throttling. Option B might cause duplicate processing.

1297
MCQ · medium

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a batch size of 10, reserved concurrency of 5, and a timeout of 5 minutes. The SQS queue has a large backlog, and CloudWatch metrics show high throttling (Throttles) for the Lambda function. The function is idempotent and can process up to 100 messages in a single invocation. What is the MOST effective way to increase throughput without increasing the reserved concurrency?

A. Increase the batch size to 100.
B. Increase the reserved concurrency to 10.
C. Reduce the batch size to 1.
D. Enable the SQS queue to use long polling.
Answer: A

Increasing the batch size allows each invocation to process more messages, reducing the number of invocations and the likelihood of throttling without increasing reserved concurrency.

Why this answer

Increasing the batch size to 100 allows each Lambda invocation to process up to 100 messages from the SQS queue instead of the current 10. Since the function is idempotent and can handle 100 messages per invocation, this change maximizes the number of messages processed per invocation without altering the reserved concurrency of 5. With a batch size of 100, each of the 5 concurrent invocations can process up to 100 messages, yielding a potential throughput of 500 messages per invocation cycle, which directly reduces the backlog and throttling by consuming messages faster.

Exam trap

The trap here is that candidates may think increasing reserved concurrency is the only way to improve throughput, but the question explicitly forbids that, and they overlook that increasing the batch size can achieve the same goal by processing more messages per invocation without adding more concurrent executions.

How to eliminate wrong answers

Option B is wrong because increasing reserved concurrency to 10 would increase throughput but directly violates the constraint of not increasing reserved concurrency, and it would also increase the risk of throttling other functions sharing the account concurrency limit. Option C is wrong because reducing the batch size to 1 would drastically decrease throughput, as each invocation would process only one message, requiring more invocations to handle the same backlog and potentially increasing throttling due to more concurrent executions. Option D is wrong because enabling long polling for the SQS queue reduces the number of empty responses and improves efficiency in message retrieval, but it does not increase the number of messages processed per invocation or reduce throttling caused by the Lambda function's concurrency limit.

1298
MCQ · easy

A developer is creating a new DynamoDB table to store order data. The orders have a unique order ID and are retrieved by order ID. Occasionally, the developer needs to query orders by customer ID. Which design approach would minimize costs and provide the fastest queries?

A. Use the order ID as the partition key and create a global secondary index on customer ID
B. Use the customer ID as the partition key and order ID as the sort key
C. Use the order ID as the partition key and scan the table for customer ID queries
D. Use the customer ID as the partition key and create a local secondary index on order ID
Answer: A

This provides fast queries by order ID (primary) and by customer ID via GSI, minimizing cost and performance impact.

Why this answer

Option A is correct because using the order ID as the partition key ensures the most efficient primary key access for the primary query pattern (retrieving by order ID). Creating a Global Secondary Index (GSI) on customer ID allows efficient querying by customer ID without scanning the base table, and GSIs have separate read/write capacity from the base table, so you only pay for the index when it is used. This design minimizes costs by avoiding unnecessary scans and provides the fastest queries for both access patterns.

Exam trap

The trap here is that candidates often choose Option B (customer ID as partition key) thinking it naturally supports both access patterns, but they overlook the hot partition problem and the fact that retrieving a single order by order ID would require a scan or a query with a known customer ID, which is not always available.

How to eliminate wrong answers

Option B is wrong because using customer ID as the partition key would cause all orders for the same customer to be stored in the same partition, leading to hot partitions and potential throttling, and it does not provide efficient retrieval by order ID (which would require a scan or a query with a known customer ID). Option C is wrong because scanning the entire table to find orders by customer ID is extremely inefficient and costly, as it reads every item in the table and incurs read capacity for all items, even those not matching the query. Option D is wrong because a Local Secondary Index (LSI) requires the same partition key as the base table (customer ID), which would still cause hot partitions for high-volume customers, and LSIs share the base table's read/write capacity, so they do not provide the same cost flexibility as a GSI.

1299
MCQ · hard

Refer to the exhibit. A developer creates a CloudFormation stack with the template. After the stack is created, the developer tries to access https://my-app-data-123.s3.amazonaws.com/index.html but gets a 403 Forbidden error. The S3 bucket has public access blocked at the account level. What should the developer do to allow public read access?

A. Enable static website hosting on the bucket.
B. Modify the bucket policy to include the AWS account ID as Principal.
C. Add a bucket policy that grants s3:ListBucket.
D. Disable the block public access settings at the account level.
Answer: D

Account-level block prevents public access despite bucket policy.

Why this answer

The account-level public access block overrides the bucket policy, so Option D is correct. Option B is wrong because the bucket policy already allows access; changing the principal does not help.

Option C is wrong because the account-level setting overrides any bucket policy grant, so adding s3:ListBucket does not help. Option A is wrong because static website hosting is not required for direct S3 object access.

1300
MCQ · hard

A company is deploying a critical application using AWS CloudFormation. The stack creation fails with a 'ROLLBACK_COMPLETE' status. The engineer wants to troubleshoot the failure without deleting the stack. What should the engineer do?

A. Use the 'aws cloudformation create-change-set' command with a rollback trigger.
B. Recreate the stack using the '--on-failure DO_NOTHING' option.
C. Use the 'aws cloudformation describe-stack-events' command to view the error messages.
D. Delete the stack and recreate it with the '--disable-rollback' flag.
Answer: C

Stack events contain detailed error messages that indicate the cause of the failure.

Why this answer

Option C is correct because CloudFormation keeps a stack in ROLLBACK_COMPLETE until it is deleted, so the engineer can run 'aws cloudformation describe-stack-events --stack-name <name>' (or open the Events tab in the console) and read the ResourceStatusReason of the first resource that reached CREATE_FAILED; later failures usually say only 'Resource creation cancelled'. Option D is wrong because deleting the stack discards those events, and '--disable-rollback' helps on the next attempt, not with inspecting this one. Option B is wrong for the same reason: '--on-failure DO_NOTHING' only changes how a future creation behaves. Option A is wrong because change sets preview updates and rollback triggers decide when to roll back; neither exposes why this creation failed.

1301
MCQmedium

Refer to the exhibit. A developer ran the AWS CLI command and received the output shown. What is the most likely cause of the UPDATE_FAILED status?

A.The Lambda function's execution role does not have sufficient permissions.
B.The Lambda function's timeout value is too high.
C.The CloudFormation template specified an unsupported runtime for the Lambda function.
D.The Lambda function name conflicts with an existing function.
AnswerC

The error message states the runtime is not supported.

Why this answer

Option C is correct because the error message in the exhibit states that the runtime nodejs18.x is not supported, which means the CloudFormation template specified a runtime the Lambda service did not accept. Option A is wrong because an IAM problem would surface as an access-denied or 'is not authorized to perform' error, not a runtime error.

Option D is wrong because a name conflict produces a 'function already exists' error, not a runtime error. Option B is wrong because an out-of-range timeout is rejected as a validation error on the Timeout property, not as an unsupported runtime.

1302
Multi-Selectmedium

A developer is deploying a new microservice on AWS Elastic Beanstalk. The service uses an RDS database. The developer wants to ensure that database credentials are not stored in the application's source code. Which TWO methods should the developer use to securely provide credentials to the application?

Select 2 answers
A.Use AWS Secrets Manager to store and retrieve the credentials at runtime.
B.Store the credentials in a configuration file within the application source code.
C.Use Elastic Beanstalk environment properties to set the credentials.
D.Store the credentials in an encrypted file on an EC2 instance.
E.Store the credentials in an S3 bucket with a public read policy.
AnswersA, C

Secrets Manager provides secure storage and rotation.

Why this answer

Options A and C are correct. Elastic Beanstalk environment properties are exposed to the application as environment variables, so configuration stays out of the source tree, and AWS Secrets Manager stores the credentials encrypted and can rotate them. The recommended pairing is to put only the secret's ARN or name in an environment property and fetch the value at runtime with the instance profile, because environment properties themselves are stored in plaintext in the environment configuration and are visible to anyone who can describe it. Option B is wrong because a configuration file inside the source code is exactly what the requirement forbids.

Option D is wrong because an encrypted file on the instance still needs its decryption key on the same instance, is lost when the instance is replaced, and is neither managed nor rotated. Option E is wrong because a publicly readable S3 bucket exposes the credentials to the whole internet. AWS Systems Manager Parameter Store (SecureString) would also be an acceptable store, but it is not among the options.

1303
MCQhard

A developer is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database. The developer wants to use Amazon RDS for the database and needs to ensure that each microservice can only access its own set of tables. Which approach should the developer take?

A.Create a single RDS instance with a separate database per microservice.
B.Use RDS with IAM database authentication and create database users with limited privileges for each microservice.
C.Use RDS in a VPC and restrict network access per microservice using security groups.
D.Use Amazon RDS Proxy to control access.
AnswerB

IAM database authentication allows you to create database users with specific privileges (e.g., SELECT, INSERT on certain tables) and use IAM roles to authenticate, providing fine-grained access control.

Why this answer

Option B is correct because IAM database authentication allows the developer to create database users with granular, table-level privileges using standard SQL GRANT statements, ensuring each microservice can only access its own set of tables. By combining IAM roles with database user credentials, the developer can enforce least-privilege access without sharing a single database user across services. This approach directly addresses the requirement for per-microservice table isolation while leveraging RDS's native authentication and authorization capabilities.

Exam trap

The trap here is that candidates often confuse network-level isolation (security groups) with database-level authorization, assuming that restricting network access per microservice is sufficient to enforce table-level separation, when in fact security groups cannot differentiate between tables within the same database instance.

How to eliminate wrong answers

Option A is wrong because creating a separate database per microservice on a single RDS instance does not prevent a microservice from connecting to another microservice's database if it has the same database user credentials or network access; it only provides logical separation, not access control. Option C is wrong because security groups control network-layer access to the RDS instance as a whole, not to individual tables or databases within it; once a microservice can connect to the RDS endpoint, it can access any table unless further database-level permissions are enforced. Option D is wrong because Amazon RDS Proxy manages connection pooling and provides some IAM authentication support, but it does not enforce table-level access control; it still relies on the underlying database user permissions for authorization.

1304
Multi-Selectmedium

A developer is designing a microservices architecture using Amazon ECS with Fargate. The application needs to store and retrieve user session data. Which TWO AWS services can be used to store session state?

Select 2 answers
A.Amazon DynamoDB
B.Amazon ElastiCache for Redis
C.Amazon S3
D.Amazon EFS
E.Amazon RDS for MySQL
AnswersA, B

DynamoDB is a low-latency NoSQL database suitable for session state.

Why this answer

Option A (DynamoDB) and Option B (ElastiCache for Redis) are both suitable for session state: both give single-digit-millisecond reads, support TTL-based expiry, and are reachable from every Fargate task regardless of which task served the previous request. Option C (S3) is object storage with higher per-request latency and is not built for small, frequently updated records. Option E (RDS for MySQL) can hold sessions but adds connection-management and schema overhead for what is a key-value workload.

Option D (EFS) is a shared file system, not a suitable store for session records.

1305
MCQhard

A developer is troubleshooting slow response times in a serverless application. The application consists of an Amazon API Gateway REST API that invokes an AWS Lambda function, which then writes data to an Amazon DynamoDB table with on-demand capacity. The function also calls an external API for enrichment. The developer observes that the API Gateway integration latency is high, but the Lambda function duration is low. What is the most likely cause?

A.The Lambda function is experiencing cold starts due to low invocation frequency.
B.The DynamoDB on-demand capacity is throttling requests.
C.The external API call is adding network latency due to its geographic location.
D.The API Gateway request/response payload size is large, increasing transfer time.
AnswerD

Large payloads take longer to transfer between API Gateway and Lambda, increasing integration latency even if the Lambda function executes quickly.

Why this answer

Option D is correct because high API Gateway integration latency combined with low Lambda duration indicates that the delay is occurring in the data transfer between API Gateway and Lambda, not within the function itself. A large request/response payload increases the network transfer time over the HTTPS connection, which is measured as part of integration latency but not reflected in the function's billed duration.

Exam trap

The trap here is that candidates confuse 'integration latency' with 'Lambda duration' and assume the issue must be inside the function (cold starts, throttling, or external calls), rather than recognizing that integration latency specifically captures network transfer time between API Gateway and the backend.

How to eliminate wrong answers

Option A is wrong because cold starts would increase the Lambda function duration (reported as 'duration' in CloudWatch), not the API Gateway integration latency, and the question states Lambda duration is low. Option B is wrong because DynamoDB on-demand capacity throttling would cause errors or retries in the Lambda function, increasing its duration, not API Gateway integration latency. Option C is wrong because external API call latency would be included in the Lambda function's duration, not in the API Gateway integration latency metric, which measures only the time between API Gateway and Lambda invocation.

1306
MCQeasy

A development team uses AWS Elastic Beanstalk to deploy a web application. They want to perform a blue/green deployment to minimize downtime. What should they do to implement this?

A.Create an Auto Scaling group and manually replace instances.
B.Update the existing environment with the new version and set the deployment policy to 'Rolling'.
C.Use AWS CodeDeploy to perform a blue/green deployment on the EC2 instances.
D.Create a new environment, deploy the new version, and then swap the environment URLs.
AnswerD

This is the standard blue/green deployment in Elastic Beanstalk.

Why this answer

Option D is correct because blue/green deployment in Elastic Beanstalk is achieved by creating a separate environment (the green environment) with the new application version, then swapping the CNAME records (URLs) of the two environments. This instantly routes traffic from the old (blue) environment to the new (green) environment with zero downtime, and allows quick rollback by swapping back.

Exam trap

The trap here is that candidates confuse the built-in Elastic Beanstalk blue/green deployment (environment swap) with the deployment policies (e.g., Rolling, Immutable) that operate within a single environment, or they incorrectly assume CodeDeploy is the only way to perform blue/green deployments.

How to eliminate wrong answers

Option A is wrong because manually replacing instances in an Auto Scaling group is not a blue/green deployment; it is a manual, error-prone process that does not provide instant traffic switching or easy rollback. Option B is wrong because updating the existing environment with a 'Rolling' deployment policy updates instances in batches within the same environment, which does not create a separate, isolated environment for the new version and still risks partial downtime. Option C is wrong because AWS CodeDeploy is a separate service that can perform blue/green deployments on EC2 instances, but the question specifically asks about using AWS Elastic Beanstalk, which has its own built-in blue/green deployment mechanism via environment URL swaps.

1307
MCQmedium

A developer is troubleshooting an AWS CloudFormation stack that failed to create. The error message says 'The following resource(s) failed to create: [MyEC2Instance]'. What is the first step the developer should take?

A.Update the stack with a new template.
B.Delete the stack and try again.
C.Review the CloudFormation template for syntax errors.
D.View the stack events in the CloudFormation console to see the specific error for the resource.
AnswerD

Stack events provide detailed error messages for each resource.

Why this answer

Option D is correct because when a CloudFormation stack fails to create, the error message only indicates which resource failed, not why. The first troubleshooting step is to view the stack events in the CloudFormation console, which provides detailed error messages for each resource, such as an API call failure, insufficient permissions, or a resource limit exceeded. This allows the developer to diagnose the root cause before making any changes.

Exam trap

The trap here is that candidates often jump to fixing the template or retrying the stack, overlooking that the specific error details are available in the stack events, which is the fastest path to identifying the actual cause.

How to eliminate wrong answers

Option A is wrong because updating the stack with a new template without understanding the failure reason could introduce additional errors or mask the underlying issue. Option B is wrong because deleting the stack and retrying without investigation wastes time and may repeat the same failure if the root cause (e.g., a missing parameter or IAM role) is not addressed. Option C is wrong because syntax errors in the template would typically be caught during validation before stack creation, and the error message specifically indicates a resource creation failure, not a template syntax issue.
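Questions 1300 and 1307 both come down to reading the stack events correctly: the root cause is the earliest resource that failed for a real reason, and everything after it is cancellation noise. The script below is an added example, not part of the original question bank; SAMPLE_EVENTS is a constructed StackEvents array in the shape returned by 'aws cloudformation describe-stack-events --output json', not captured output.

```python
"""Triage a CloudFormation creation failure from describe-stack-events output.

Added example; it is not part of the original question bank. SAMPLE_EVENTS is a
constructed StackEvents array in the shape returned by
'aws cloudformation describe-stack-events --output json', not captured output.
"""
import json

# Constructed sample. The API returns newest events first.
SAMPLE_EVENTS = json.dumps({"StackEvents": [
    {"Timestamp": "2024-05-01T10:05:30Z", "LogicalResourceId": "my-app",
     "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "ROLLBACK_COMPLETE"},
    {"Timestamp": "2024-05-01T10:04:10Z", "LogicalResourceId": "MyBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "DELETE_COMPLETE"},
    {"Timestamp": "2024-05-01T10:03:05Z", "LogicalResourceId": "my-app",
     "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: "
                             "[MyEC2Instance]. Rollback requested by user."},
    {"Timestamp": "2024-05-01T10:03:00Z", "LogicalResourceId": "MyBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": "2024-05-01T10:02:50Z", "LogicalResourceId": "MyEC2Instance",
     "ResourceType": "AWS::EC2::Instance", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "API: ec2:RunInstances You are not authorized "
                             "to perform this operation."},
    {"Timestamp": "2024-05-01T10:02:00Z", "LogicalResourceId": "MyEC2Instance",
     "ResourceType": "AWS::EC2::Instance", "ResourceStatus": "CREATE_IN_PROGRESS"},
]})

# CloudFormation reports every resource it abandons after the first failure
# with this reason; those events are noise for root-cause analysis.
CANCELLED = "Resource creation cancelled"


def root_cause_failures(events_json):
    """Return *_FAILED resource events that were not cancellations, oldest first."""
    events = json.loads(events_json)["StackEvents"]
    failures = [
        e for e in events
        if e["ResourceStatus"].endswith("_FAILED")
        and e["ResourceType"] != "AWS::CloudFormation::Stack"
        and e.get("ResourceStatusReason", "") != CANCELLED
    ]
    return sorted(failures, key=lambda e: e["Timestamp"])


def summarize(events_json):
    """One line per root-cause failure: resource, type and the service's reason."""
    return [
        f"{e['LogicalResourceId']} ({e['ResourceType']}): "
        f"{e.get('ResourceStatusReason', '')}"
        for e in root_cause_failures(events_json)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Against a real stack, feed the script the JSON from 'aws cloudformation describe-stack-events --stack-name my-app --output json'; the stack must still exist, which is why question 1300 rejects deleting it first.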

1308
MCQhard

A developer wants a Lambda function to process SQS messages in batches but avoid losing the whole batch when only one record fails. Which feature should be enabled?

A.Partial batch response for SQS event source mapping
B.Reserved concurrency of one
C.Maximum message size increase
D.SQS short polling
AnswerA

Correct for the stated requirement.

Why this answer

Partial batch response for SQS event source mapping allows the Lambda function to report which messages in a batch failed processing. When enabled, Lambda retries only the failed messages instead of the entire batch, preventing successful messages from being reprocessed or lost. This is achieved by returning a `batchItemFailures` array in the function's response, which tells Lambda which message IDs to retry.

Exam trap

The trap here is that candidates may confuse partial batch response with SQS dead-letter queues or retry policies, but the key differentiator is that partial batch response is a Lambda event source mapping feature that specifically allows per-message failure handling within a batch.

How to eliminate wrong answers

Option B is wrong because reserved concurrency of one limits the Lambda function to a single concurrent execution, which does not affect how individual messages within a batch are handled; it only throttles overall throughput. Option C is wrong because maximum message size increase is a queue-level setting in SQS that controls the maximum payload size (up to 256 KB for standard queues), not a mechanism for handling partial batch failures. Option D is wrong because SQS short polling returns immediately with available messages but does not provide any per-message failure handling within a batch; it only affects message retrieval latency.
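A handler that uses partial batch response, as an added example that is not part of the original question bank. The business logic in process_record and the sample SQS event are constructed; ReportBatchItemFailures must be enabled on the event source mapping for the returned batchItemFailures list to have any effect.

```python
"""Lambda handler for SQS with partial batch response.

Added example, not taken from the original question bank. process_record and
SAMPLE_EVENT are constructed. Enable ReportBatchItemFailures on the event
source mapping, otherwise the returned list is ignored.
"""
import json


def process_record(body):
    """Constructed business logic: parse an order and reject bad ones."""
    order = json.loads(body)            # raises ValueError on malformed JSON
    if order["amount"] <= 0:
        raise ValueError("amount must be positive")
    return order["id"]


def handler(event, context=None):
    failures = []
    for record in event["Records"]:
        try:
            process_record(record["body"])
        except Exception:
            # Report only this message. Lambda deletes the rest of the batch
            # from the queue as successfully processed and makes just these
            # messages visible again for retry.
            failures.append({"itemIdentifier": record["messageId"]})
    # Without ReportBatchItemFailures, a non-empty list here does nothing and
    # the only way to retry anything would be to raise, failing the whole batch.
    return {"batchItemFailures": failures}


# Constructed event: two good records, one malformed, one failing validation.
SAMPLE_EVENT = {"Records": [
    {"messageId": "m-1", "body": json.dumps({"id": "o1", "amount": 10})},
    {"messageId": "m-2", "body": "not json"},
    {"messageId": "m-3", "body": json.dumps({"id": "o3", "amount": 5})},
    {"messageId": "m-4", "body": json.dumps({"id": "o4", "amount": 0})},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Two caveats worth remembering: if the handler raises instead of returning, or returns an itemIdentifier that does not correspond to a message in the batch, Lambda treats the entire batch as failed; and for FIFO queues the handler should report the failed message and every later message in the same group, because they must not be processed out of order.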

1309
MCQmedium

A company's application running on Amazon ECS Fargate is experiencing high CPU utilization. The task definition has CPU set to 256 units. What should be done to improve performance?

A.Increase the desired count of tasks.
B.Increase the CPU value in the task definition and redeploy the service.
C.Increase the memory value in the task definition.
D.Switch to EC2 launch type.
AnswerB

Allocating more CPU per task reduces utilization.

Why this answer

Option B is correct because increasing CPU units in the task definition and redeploying the service will allocate more CPU to the tasks. Option A is wrong because horizontal scaling can help but the root cause is insufficient CPU per task. Option C is wrong because increasing memory does not affect CPU.

Option D is wrong because changing the launch type changes billing but not CPU allocation.

1310
Multi-Selecteasy

Which TWO AWS services can be used to automatically deploy code to Amazon EC2 instances? (Choose two.)

Select 2 answers
A.AWS Elastic Beanstalk
B.AWS CodeDeploy
C.AWS CloudFormation
D.AWS OpsWorks
E.AWS CodeBuild
AnswersA, B

Elastic Beanstalk deploys applications and manages EC2 instances.

Why this answer

AWS Elastic Beanstalk is a PaaS service that automates the deployment of applications to EC2 instances by handling capacity provisioning, load balancing, and health monitoring. It automatically deploys code when you upload a new application version, making it a correct choice for automated deployment to EC2. AWS CodeDeploy is the second correct choice: it automates deployments to EC2 instances (and on-premises servers) through the CodeDeploy agent, following the lifecycle hooks in an AppSpec file, with in-place or blue/green strategies.

Exam trap

The trap here is that candidates often confuse AWS CloudFormation's ability to deploy infrastructure with deploying application code, or they mistakenly think AWS CodeBuild's build process includes deployment, when in fact CodeBuild only produces artifacts and requires a separate service like CodeDeploy for actual deployment.

1311
MCQeasy

A developer is deploying a web application on AWS Elastic Beanstalk. The application needs to run on multiple instances behind a load balancer. Which deployment policy will cause the LEAST downtime?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerC

Zero downtime.

Why this answer

Option C is correct because rolling with additional batch launches a new batch of instances before taking any existing instances out of service, so full capacity is kept throughout and no downtime occurs. Option A is wrong because all at once stops every instance during the update. Option B is wrong because rolling takes a batch out of service at a time, reducing capacity while it deploys.

Option D also avoids downtime, but it does so by launching a complete second fleet in a temporary Auto Scaling group, temporarily doubling the instance count; the keyed answer prefers rolling with additional batch, which adds only one extra batch.

1312
MCQeasy

A developer is creating an AWS Lambda function that processes files uploaded to an S3 bucket. The developer wants to invoke the Lambda function automatically when a new file is uploaded. Which approach should the developer use?

A.Use Amazon API Gateway to expose an endpoint and have S3 call it.
B.Configure S3 to send events to an SQS queue, and configure Lambda to poll the queue.
C.Configure S3 event notifications to invoke the Lambda function directly.
D.Use Amazon CloudWatch Events to trigger Lambda on S3 PUT events.
AnswerC

S3 can directly invoke Lambda via event notifications.

Why this answer

Option C is correct because S3 event notifications can invoke a Lambda function directly when objects are created. Option B is wrong because putting an SQS queue between S3 and Lambda is extra infrastructure the requirement does not call for; it is useful for buffering and retries, not for the simplest trigger. Option D is wrong because CloudWatch Events (now EventBridge) is not the native trigger for S3 object events; it requires either EventBridge notifications enabled on the bucket or CloudTrail data events.

Option A is wrong because API Gateway exposes HTTP endpoints, and S3 does not call HTTP endpoints on object creation.

1313
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application needs to access an Amazon RDS MySQL database using credentials stored in AWS Secrets Manager. The ECS task role has the following IAM policy: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["secretsmanager:GetSecretValue"],"Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db-*"}]}. The application fails to retrieve the secret with an AccessDeniedException. What is the most likely cause?

A.The task execution role does not have permission to retrieve the secret.
B.The secret's resource-based policy denies access to the task role.
C.The task is in a private subnet without a VPC endpoint to Secrets Manager.
D.The secret name does not match the pattern in the policy.
AnswerB

Secrets Manager secrets have resource-based policies that can deny access.

Why this answer

Option B is correct because an explicit Deny in the secret's resource-based policy overrides the Allow in the task role's identity-based policy, and that is the only remaining way for this principal to get AccessDeniedException. Within a single account an identity-based Allow is sufficient on its own, so the secret does not need a resource policy that grants access, but a resource policy that denies the task role (or denies everyone except an allow-listed set of principals) wins regardless of what the task role is allowed. Option D is wrong because the Resource pattern prod-db-* matches any secret whose name starts with prod-db-, including the six-character random suffix that Secrets Manager appends to every secret ARN. Option C is wrong because a missing network path to Secrets Manager produces a connection timeout, not an AccessDeniedException; Fargate tasks in private subnets reach the service through a NAT gateway or a Secrets Manager VPC interface endpoint.

Option A is wrong because the task execution role is used only when ECS itself injects secrets into the container (the 'secrets' field of the container definition); an application that calls GetSecretValue at runtime uses the task role. One related check: if the secret is encrypted with a customer managed KMS key, the task role also needs kms:Decrypt on that key, though that is not one of the offered options.
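A small, deliberately simplified model of how the two policies in question 1313 combine, as an added example that is not part of the original question bank. The role, the secret ARN and all four policies are constructed. It reproduces only the rules the question turns on: an explicit Deny in any matching statement wins; otherwise an Allow in either the identity-based policy or the secret's resource policy grants the call; otherwise the result is an implicit deny. SCPs, permission boundaries, session policies and Condition blocks are not modelled.

```python
"""Same-account IAM evaluation, simplified, for the Secrets Manager case above.

Added example, not part of the original question bank. The role, secret ARN and
all policies are constructed. Modelled: explicit Deny wins; otherwise an Allow
in the identity policy or the resource policy grants; otherwise implicit deny.
Not modelled: SCPs, permission boundaries, session policies, Condition blocks.
"""
import fnmatch

ACTION = "secretsmanager:GetSecretValue"
TASK_ROLE = "arn:aws:iam::123456789012:role/prod-task-role"
# Secrets Manager appends a random six-character suffix to every secret ARN.
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:123456789012:"
              "secret:prod-db-credentials-AbCdEf")

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": [ACTION],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db-*",
}]}

# Same intent without the wildcard: looks right, but never matches the suffix.
NO_WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": [ACTION],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:"
                "secret:prod-db-credentials",
}]}

EMPTY_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": []}

# Constructed resource policy on the secret that explicitly denies the task role.
DENYING_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": TASK_ROLE},
    "Action": ACTION,
    "Resource": "*",
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs over the whole string.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    # Identity-based policies carry no Principal: they apply to their owner.
    p = stmt.get("Principal", "*")
    if p == "*":
        return True
    return _matches(p.get("AWS", []), principal)


def _effects(policy, principal, action, resource):
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt, principal)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            yield stmt["Effect"]


def evaluate(identity_policy, resource_policy, principal, action, resource):
    """Simplified same-account decision: Deny > Allow > implicit deny."""
    effects = list(_effects(identity_policy, principal, action, resource))
    effects += _effects(resource_policy, principal, action, resource)
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def scenarios():
    """The three situations a developer debugging question 1313 should compare."""
    return {
        "identity allow, no resource policy":
            evaluate(IDENTITY_POLICY, EMPTY_RESOURCE_POLICY,
                     TASK_ROLE, ACTION, SECRET_ARN),
        "identity allow, resource policy denies role":
            evaluate(IDENTITY_POLICY, DENYING_RESOURCE_POLICY,
                     TASK_ROLE, ACTION, SECRET_ARN),
        "identity allow without wildcard suffix":
            evaluate(NO_WILDCARD_POLICY, EMPTY_RESOURCE_POLICY,
                     TASK_ROLE, ACTION, SECRET_ARN),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

The third scenario is the everyday variant of Option D: a Resource that names the secret without the trailing wildcard is accepted by IAM but never matches the ARN Secrets Manager actually assigned, so the call is implicitly denied.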

1314
MCQhard

A company runs a production web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application uses a custom health check endpoint /health that returns HTTP 200 when the application is healthy. Recently, the operations team noticed that the Auto Scaling group is repeatedly launching and terminating instances (flapping) even though the application is stable. The health check grace period is set to 300 seconds. The ALB health check interval is 30 seconds, unhealthy threshold is 2, and healthy threshold is 5. The Auto Scaling group uses the ELB health check type. The application logs show no errors. What is the MOST likely cause of the flapping?

A.The EC2 instance type is not suitable for the application, causing slow responses.
B.The healthy threshold is set too high, causing instances to be considered unhealthy for too long.
C.The ALB is experiencing high latency and marking instances unhealthy.
D.The Auto Scaling group has a target tracking scaling policy that is too aggressive.
AnswerB

A high healthy threshold (5) means instances take longer to be marked healthy, leading to cycles of termination and launch.

Why this answer

Option B is correct. With a healthy threshold of 5 and a 30-second interval, an instance must pass five consecutive checks (about 150 seconds) before the ALB reports it healthy, and any single failed probe while the application is still warming up resets that count.

The Auto Scaling group ignores ELB health status only during the 300-second grace period. If the application takes a while to start answering /health, a newly launched instance can spend most of that window accumulating the five passes, and if it has not reached them when the grace period ends, the group terminates it, launches a replacement, and the cycle repeats. The same high healthy threshold means an instance that is briefly marked unhealthy (two failed checks) needs another 150 seconds of consecutive passes to recover, which is what keeps the fleet flapping even though the application itself is stable. Lowering the healthy threshold, or lengthening the grace period so it comfortably exceeds application start-up plus five check intervals, stops the cycle.

Option A is wrong because the logs show no errors and the application is stable, so slow instance performance is not indicated. Option C is wrong because the ALB marks targets unhealthy based on their responses, not on its own latency. Option D is wrong because scaling policies add or remove capacity in response to metrics; they do not cause healthy instances to be replaced.

1315
MCQhard

A developer is investigating why an AWS Lambda function is not writing logs to CloudWatch Logs. The function has been invoked multiple times, but the log group shows 0 stored bytes. What is the most likely cause?

A.The CloudWatch Logs log group does not exist.
B.The Lambda execution role lacks permissions to write to CloudWatch Logs.
C.The Lambda function is failing before any logging code is executed.
D.The Lambda function is configured to use a different log group name.
AnswerB

Without the necessary IAM permissions (logs:CreateLogStream, logs:PutLogEvents), the function cannot write logs.

Why this answer

The correct answer is B. The function's execution role lacks logs:CreateLogStream and logs:PutLogEvents (and logs:CreateLogGroup if the group is not pre-created), so each invocation runs but cannot write to CloudWatch Logs; the AWSLambdaBasicExecutionRole managed policy grants exactly these permissions. Option A is wrong because the log group exists (it shows 0 stored bytes), and Lambda creates the group itself when the role allows it.

Option C is wrong because a function that fails before any application logging still causes the Lambda service to write START, END and REPORT lines (and the error) for every invocation, so the group would not be empty. Option D is wrong because Lambda writes to /aws/lambda/<function-name> unless the function's logging configuration names a custom log group, and the question says the function's log group is the one being inspected.

1316
MCQeasy

A developer is using AWS Lambda to process messages from an Amazon SQS queue. The function needs to access an Amazon DynamoDB table. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Use the Lambda function's execution role to grant full administrative access to DynamoDB.
B.Store the AWS access key and secret access key as environment variables in the Lambda function.
C.Assign an IAM role to the Lambda function with a policy that grants the required DynamoDB permissions.
D.Create an IAM user with DynamoDB access and use its credentials in the Lambda function.
AnswerC

Using an IAM role is the secure and recommended way to grant permissions to AWS services.

Why this answer

Option C is correct because an IAM role attached to the function, with a policy scoped to the required DynamoDB actions and the table's ARN, follows least privilege and needs no long-lived credentials. Option B is wrong because access keys in environment variables are long-lived secrets readable by anyone who can view the function configuration. Option D is wrong because IAM users with access keys are meant for people and legacy integrations, not for a service that can assume a role.

Option A is wrong because full administrative access to DynamoDB far exceeds what the function needs and violates least privilege.

1317
MCQeasy

An application deployed on AWS Lambda needs access to an Amazon RDS database. The Lambda function is in a VPC with a public subnet. The RDS instance is in a private subnet. The function can connect to the database but experiences frequent timeouts. What is the MOST likely cause?

A.The Lambda function timeout is set too low for the database queries.
B.The IAM role for the Lambda function does not have the 'rds:Connect' permission.
C.The Lambda function does not have enough memory allocated.
D.The Lambda function's security group does not allow outbound traffic to the RDS security group.
AnswerD

If the security group blocks outbound traffic to the RDS port, connections will timeout.

Why this answer

Option D is correct. Security groups drop traffic they do not permit silently, so when the function's security group has no outbound rule for the database port, or the RDS security group has no inbound rule from the function's security group, the TCP handshake never completes and the client waits until its connection timeout fires. The fix is an outbound rule on the function's security group to the RDS security group on the database port, with a matching inbound rule on the RDS side. Option C (memory) affects CPU and execution speed, not whether a connection can be established.

Option A (function timeout) would show up as a Lambda task timeout rather than a database connection timeout, and the stated problem is the connection, not query duration. Option B is wrong because there is no rds:Connect IAM action; the related rds-db:connect permission applies only to IAM database authentication, and a missing permission would produce an authentication failure, not a timeout.

1318
MCQmedium

A developer is building a serverless application using AWS Lambda and needs to securely store database credentials. Which AWS service should be used to store and retrieve the credentials?

A.AWS CloudFormation
B.AWS Secrets Manager
C.AWS Systems Manager Parameter Store
D.AWS Key Management Service (KMS)
AnswerB

Designed for secret storage with automatic rotation.

Why this answer

Option B is correct because AWS Secrets Manager is built to store credentials encrypted and to rotate them automatically through a rotation Lambda function. Option C is wrong only by comparison: Parameter Store SecureString also stores encrypted values and is a legitimate choice, but it has no built-in rotation. Option D is wrong because KMS manages encryption keys; it encrypts the secret but is not a store for it.

Option A is wrong because CloudFormation defines infrastructure; credentials written into a template end up in version control and are retrievable with GetTemplate.
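Questions 1302 and 1318 both point at the same runtime pattern: the deployment configuration (an Elastic Beanstalk environment property or a Lambda environment variable) carries only a reference to the secret, and the value is fetched with the instance profile's or execution role's credentials. The code below is an added example, not part of the original question bank; the property name DB_SECRET_ARN, the secret's JSON layout and FakeSecretsClient are constructed so it runs offline.

```python
"""Resolve database credentials from a secret reference in the environment.

Added example; not part of the original question bank. DB_SECRET_ARN, the
secret's JSON layout and FakeSecretsClient are constructed. Only the reference
to the secret lives in configuration; the value is fetched at runtime.
"""
import json
import os
from dataclasses import dataclass, field

REQUIRED_KEYS = ("username", "password", "host", "port", "dbname")
# Keys that should never appear in plain environment configuration.
FORBIDDEN_ENV_KEYS = ("DB_PASSWORD", "DATABASE_PASSWORD")


@dataclass(frozen=True)
class DbCredentials:
    username: str
    host: str
    port: int
    dbname: str
    password: str = field(repr=False)  # kept out of repr(), logs and tracebacks


def has_inline_secret(env):
    """True if someone pasted the password itself into the environment."""
    return any(key in env for key in FORBIDDEN_ENV_KEYS)


def load_db_credentials(secrets_client, env=None):
    """DB_SECRET_ARN -> GetSecretValue -> DbCredentials."""
    env = os.environ if env is None else env
    if has_inline_secret(env):
        raise RuntimeError("database password must live in Secrets Manager, "
                           "not in environment configuration")
    secret_id = env.get("DB_SECRET_ARN")
    if not secret_id:
        raise RuntimeError("DB_SECRET_ARN environment property is not set")
    response = secrets_client.get_secret_value(SecretId=secret_id)
    raw = response.get("SecretString") or response["SecretBinary"].decode("utf-8")
    data = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    return DbCredentials(username=data["username"], host=data["host"],
                         port=int(data["port"]), dbname=data["dbname"],
                         password=data["password"])


class FakeSecretsClient:
    """Constructed offline stand-in for boto3.client('secretsmanager').

    In production pass the real client; get_secret_value(SecretId=...) has the
    same call shape and response keys there.
    """
    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"SecretString": json.dumps(self._secrets[SecretId])}


SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db-AbCdEf"
SAMPLE_ENV = {"DB_SECRET_ARN": SAMPLE_ARN}            # what the configuration holds
SAMPLE_CLIENT = FakeSecretsClient({SAMPLE_ARN: {         # what the secret holds
    "username": "app", "password": "constructed-not-a-real-password",
    "host": "db.internal.example", "port": "5432", "dbname": "orders"}})

if __name__ == "__main__":
    creds = load_db_credentials(SAMPLE_CLIENT, SAMPLE_ENV)
    print(creds)  # the password field is absent from the repr
```

In a long-running Elastic Beanstalk process, fetch once at start-up and refresh on an authentication failure so that rotation does not require a redeploy; in Lambda, fetch during initialization so the value is reused across warm invocations.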

1319
MCQmedium

A company is building a serverless application using AWS Lambda and Amazon API Gateway. The application needs to process user uploads to an S3 bucket. The Lambda function should be invoked only when new objects are created in the bucket. Which service should be used to trigger the Lambda function?

A.Amazon Kinesis Data Streams
B.Amazon S3 event notifications
C.Amazon CloudWatch Events
D.Amazon Simple Queue Service (SQS)
AnswerB

S3 can be configured to send event notifications directly to Lambda when an object is created.

Why this answer

Option B is correct because S3 event notifications can be configured for the s3:ObjectCreated:* event types and invoke a Lambda function directly. Option D is wrong because SQS would only add a queue for Lambda to poll; S3 would still need a notification to put the event on that queue. Option C is wrong because CloudWatch Events (EventBridge) does not receive S3 object-level events by default; that requires enabling EventBridge notifications on the bucket or CloudTrail data events.

Option A is wrong because Kinesis Data Streams is a streaming ingest service; S3 does not publish object-created events to it.

1320
MCQmedium

A developer is using Amazon SQS to decouple microservices. The consumer service processes messages from the queue. To reduce processing time, the developer wants to receive multiple messages in a single API call. What is the maximum number of messages that can be received at once?

A.5
B.100
C.20
D.10
AnswerD

The maximum number of messages per ReceiveMessage call is 10.

Why this answer

Option D is correct because a single ReceiveMessage call returns at most 10 messages (MaxNumberOfMessages accepts 1 to 10). Option A is wrong because 5 is neither the default nor the maximum; the default is 1. Options B and C are wrong because 100 and 20 exceed the maximum and the call is rejected with an invalid-parameter error.

1321
Multi-Selecthard

A developer is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. Which TWO options can the developer use for service discovery?

Select 2 answers
A.AWS Cloud Map
B.AWS Global Accelerator
C.Amazon ECS Service Connect
D.Amazon Route 53 private hosted zones
E.Application Load Balancer internal
AnswersA, C

Managed service discovery.

Why this answer

Option A is correct because AWS Cloud Map provides DNS- and API-based service discovery and is the registry that ECS service discovery registers tasks with. Option C is correct because ECS Service Connect is the native ECS feature that gives each service a discoverable name and a sidecar proxy for service-to-service traffic. Option D is wrong because a Route 53 private hosted zone on its own holds static records; Cloud Map uses private hosted zones under the hood, but a plain hosted zone does not register and deregister Fargate tasks as they start and stop.

Option E is wrong because an internal ALB distributes traffic to known targets; it is a stable entry point, not a discovery mechanism. Option B is wrong because Global Accelerator optimizes internet-facing traffic paths and has no role in east-west discovery inside a VPC.

1322
MCQhard

A company is designing a multi-account strategy using AWS Organizations. They want to enable cross-account access for developers using IAM roles. Each developer has an IAM user in the 'developers' account. The 'production' account has an IAM role 'AdminRole' that can be assumed by the 'developers' account. Which trust policy should be attached to 'AdminRole'?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole"}]} where 123456789012 is the developers account ID.
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/*"},"Action":"sts:AssumeRole"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/AdminRole"},"Action":"sts:AssumeRole"}]}
AnswerA

The root user of the account is used to allow all IAM users/roles in that account to assume the role.

Why this answer

Option A is correct because the trust policy on the 'AdminRole' in the production account must allow the entire 'developers' account (using its root ARN) to assume the role. When an IAM user in the developers account calls sts:AssumeRole, AWS evaluates the trust policy; specifying the root ARN of the developers account (arn:aws:iam::123456789012:root) delegates trust to the entire account, and the individual user's permissions are then controlled by an IAM policy attached to the user or a group that grants sts:AssumeRole for this role.

Exam trap

The trap here is that candidates often confuse the trust policy's Principal with the resource being accessed, mistakenly specifying the role's own ARN (Option D) or limiting to specific users (Option C), instead of using the root ARN of the trusted account to allow any authorized entity in that account to assume the role.

How to eliminate wrong answers

Option B is wrong because it specifies a Service principal (ec2.amazonaws.com), which lets the EC2 service assume the role on behalf of instances, not IAM users in another account. Option C is wrong because IAM does not accept a partial wildcard such as arn:aws:iam::123456789012:user/* in the Principal element (the only wildcard allowed there is * on its own), so the policy would fail validation; conceptually it would also leave out any IAM roles in the developers account. Option D is wrong because it names AdminRole itself as the principal, a self-referential trust that grants nothing to the developers account; the principal must be the trusted account's root or specific IAM entities in it.

1323
MCQmedium

A company has a Lambda function that processes records from an SQS queue. The function is failing intermittently with timeout errors. The processing time per record varies, but the SQS queue has a visibility timeout of 30 seconds. The Lambda function has a timeout of 1 minute. What is the MOST likely cause of the timeout errors?

A.The Lambda function's reserved concurrency is set too low.
B.The SQS queue has too many messages causing Lambda to throttle.
C.The SQS visibility timeout is shorter than the Lambda function timeout.
D.The SQS queue's default visibility timeout of 30 seconds is too long.
AnswerC

If the visibility timeout is shorter than the Lambda timeout, the message becomes visible again before processing completes, causing duplicate invocations and potential timeouts.

Why this answer

Option C is correct because a visibility timeout of 30 seconds is shorter than the function's 1-minute timeout. When processing takes longer than 30 seconds the message becomes visible again while the first invocation is still running, a second invocation picks up the same message, and the function ends up processing duplicates and contending for the same records, which surfaces as timeouts. AWS recommends setting the queue's visibility timeout to at least six times the function timeout (here, at least 6 minutes) so that Lambda's retries fit inside one visibility window. Option A is wrong because low reserved concurrency causes throttling, which is reported as throttles, not as function timeouts.

Option B is wrong because a deep queue makes Lambda scale out its pollers; it does not make individual invocations run longer. Option D is wrong because the problem is that 30 seconds is too short relative to the function timeout, not too long.

1324
Multi-Selecthard

A company uses AWS CloudFormation to manage infrastructure. They need to update a stack that includes an Amazon RDS DB instance. To minimize downtime, they want to perform a rolling update. Which THREE properties must be set in the CloudFormation template?

Select 3 answers
A.CreationPolicy attribute with ResourceSignal
B.UpdatePolicy attribute with AutoScalingReplacingUpdate
C.UpdatePolicy attribute with AutoScalingRollingUpdate
D.DeletionPolicy attribute set to Snapshot
E.UpdatePolicy attribute with UseOnlineResizing
AnswersA, B, C

Ensures new instances are healthy before continuing.

Why this answer

Option B (UpdatePolicy with AutoScalingReplacingUpdate) and Option C (UpdatePolicy with AutoScalingRollingUpdate) are the UpdatePolicy settings that control how CloudFormation replaces or rolls the instances of an Auto Scaling group, and Option A (CreationPolicy with ResourceSignal) makes CloudFormation wait for cfn-signal from the new instances before it reports them as complete, so an unhealthy batch stops the rollout instead of replacing healthy capacity. Option D (DeletionPolicy set to Snapshot) is incorrect because it only controls what happens when the DB instance is deleted; it protects data, not availability during an update.

Option E (UpdatePolicy with UseOnlineResizing) is incorrect because it is not a valid UpdatePolicy attribute; the similarly named UseOnlineResharding applies to ElastiCache replication groups, not to RDS or Auto Scaling. Note that all three correct attributes apply to the AWS::AutoScaling::AutoScalingGroup resources in the stack; an AWS::RDS::DBInstance has no UpdatePolicy, and downtime for the database itself depends on Multi-AZ and on whether the changed property requires replacement. So correct are A, B, C.

1325
Multi-Selecthard

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application requires that only authenticated users can invoke the API, and the data must be encrypted at rest. Which THREE steps should the developer take?

Select 3 answers
A.Enable CloudWatch Logs for API Gateway to log all requests.
B.Create a customer managed KMS key and use it to encrypt DynamoDB tables.
C.Enable DynamoDB encryption at rest using the AWS-owned CMK.
D.Implement a Lambda authorizer in API Gateway to validate a JWT token.
E.Use IAM authorization on the API Gateway methods.
AnswersA, C, D

Logging helps with security auditing.

Why this answer

Option D is correct because a Lambda authorizer lets API Gateway validate the bearer JWT before the request reaches the backend and return a policy that allows or denies the call. Option C is correct because DynamoDB encrypts every table at rest; the AWS owned key is the default and needs no configuration (the choice between AWS owned, AWS managed and customer managed keys is about key control, not about whether data is encrypted). Option A is correct because CloudWatch Logs for API Gateway provides the execution and access logs needed to audit who called what.

Option E is wrong because IAM authorization (SigV4-signed requests) is for callers that hold IAM credentials, not for end users presenting a JWT. Option B is wrong because a customer managed KMS key is not required to satisfy an encryption-at-rest requirement, although it is the right choice when the requirement also demands control over key policy and rotation.

1326
MCQeasy

Refer to the exhibit. A CloudFormation stack update resulted in a rollback. What is the most likely reason for the rollback?

A.A user manually cancelled the update of the Lambda function.
B.The Lambda function update timed out.
C.The Lambda function's IAM role did not have sufficient permissions.
D.The Lambda function code was invalid.
AnswerA

The reason is 'Resource update cancelled by user'.

Why this answer

Option A is correct because the event shows the Lambda function update failed with reason 'Resource update cancelled by user', which is what CloudFormation records when someone cancels the update, after which the stack rolls back to its previous state. Option C is wrong because there is no permission error shown.

Option B is wrong because the reason is not a timeout. Option D is wrong because the reason is explicit and does not mention the function code.

1327
MCQhard

A company uses AWS Lambda to process sensitive data. The Lambda function needs to access an RDS database with a password stored in AWS Secrets Manager. The function currently retrieves the secret using the AWS SDK. What is the best practice to secure this setup?

A.Configure the Lambda function to use IAM database authentication for RDS.
B.Store the password as a Lambda environment variable encrypted with KMS.
C.Use the AWS CLI within the Lambda function to fetch the secret each time.
D.Rotate the secret daily using Secrets Manager and cache it in Lambda.
AnswerA

IAM auth uses short-lived tokens, no password needed.

Why this answer

Option A is correct because IAM database authentication eliminates the need to store or retrieve a password. The function's execution role is granted rds-db:connect on the database user, and the SDK's generate_db_auth_token call produces a signed token that the database accepts in place of a password for 15 minutes; the connection must use TLS. No static secret exists to leak, rotate or cache, which follows least privilege and removes the risk of credential exposure. Two caveats a practitioner should weigh: the database user must be created with the IAM authentication plugin, and AWS recommends IAM authentication for workloads that open fewer than about 200 new connections per second, so a very connection-heavy function is better served by RDS Proxy (which also supports IAM authentication) or by Secrets Manager with client-side caching.

Exam trap

The trap here is that candidates assume Secrets Manager is always the best practice for secrets, but the question specifically asks for the best practice to secure the setup, and IAM authentication removes the secret entirely, which is more secure than any secret management approach.

How to eliminate wrong answers

Option B is wrong because storing the password as a Lambda environment variable, even if encrypted with KMS, still introduces a static secret that could be exposed through logs, error messages, or function configuration views. Option C is wrong because using the AWS CLI within a Lambda function is inefficient (adds cold-start latency and dependency on the CLI binary) and still requires the function to handle the secret in memory, whereas the SDK is the recommended method. Option D is wrong because daily rotation and caching in Lambda does not address the fundamental risk of a static password; the secret still exists and could be compromised, whereas IAM authentication removes the password entirely.
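To make the "temporary authentication token" concrete, here is an added example (not the exam page's code and not AWS's) that builds an RDS IAM authentication token with the standard library only. It reproduces the construction boto3 uses in rds.generate_db_auth_token(): a SigV4 presigned GET for the rds-db:connect action, valid for X-Amz-Expires=900 seconds, that the DB driver is given in place of a password. The hostname, user name and credentials are constructed placeholders, and the token has not been validated against a live RDS endpoint.

```python
"""Added example (not from the exam page): an RDS IAM authentication token built with the
standard library, following the construction boto3's generate_db_auth_token() uses. Host,
user and credentials are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

SERVICE = "rds-db"
TOKEN_TTL = 900  # RDS tokens are valid for 15 minutes, fixed by the service


def parse_amz_date(s):
    """'20240115T120000Z' -> timezone-aware datetime."""
    return dt.datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date, region):
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _quote(s):
    # RFC 3986 encoding as SigV4 requires: only unreserved characters stay bare.
    return urllib.parse.quote(s, safe="-_.~")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None):
    """Return '<host>:<port>/?Action=connect&DBUser=...&X-Amz-...&X-Amz-Signature=...'.
    'now' is injectable so the output is reproducible."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (a Lambda execution role) carry their token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, the signature itself excluded.
    canonical_query = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:{host_header}", "",         # canonical headers, then the blank separator line
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # hash of the empty body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, amz_date[:8], region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The token is the presigned URL without its scheme; the driver sends it as the password.
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"


def token_expiry(token):
    """When the token stops being accepted: X-Amz-Date plus X-Amz-Expires. A cache that reuses
    one token for several connections must open every connection before this instant."""
    query = urllib.parse.parse_qs(token.split("?", 1)[1])
    issued = parse_amz_date(query["X-Amz-Date"][0])
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))
```

The execution role needs an Allow for rds-db:connect on the dbuser resource for that database and user name, and the driver connection must enable TLS (for example, verifying the RDS CA bundle) because the service rejects IAM tokens over plaintext. The token is what the SDK call returns in production code; the point of seeing its structure is that it is a signature over the caller's credentials with a 15-minute expiry rather than a reusable secret, which is why a leaked token is far less useful than a leaked password.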

1328
MCQmedium

A company has a requirement to automatically rotate database credentials every 30 days. Which AWS service can meet this requirement with minimal development effort?

A.AWS KMS
B.AWS IAM
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager has built-in rotation for supported databases.

Why this answer

AWS Secrets Manager is the correct choice because it provides built-in, automated rotation of database credentials without custom code. You can define a rotation schedule (e.g., every 30 days) and Secrets Manager will automatically update the secret and the database password using a Lambda function, meeting the requirement with minimal development effort.

Exam trap

The trap here is that candidates often confuse Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with Secrets Manager, overlooking the critical requirement for automated rotation with minimal effort.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encryption keys, not for storing or rotating database credentials. Option B is wrong because AWS IAM manages users, roles, and permissions, but it does not natively rotate database credentials or store secrets. Option C is wrong because AWS Systems Manager Parameter Store can store secrets but lacks built-in automatic rotation; you would need to build custom automation to rotate credentials every 30 days, which contradicts the 'minimal development effort' requirement.

1329
MCQmedium

A company stores sensitive documents in an Amazon S3 bucket. The security team requires that all objects uploaded must be encrypted at rest using a specific customer-managed AWS KMS key (key-id: 1234-5678). The developer must enforce this by denying any PutObject request that does not use the correct key. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption with value 'aws:kms'
B.s3:x-amz-server-side-encryption-aws-kms-key-id with value 'arn:aws:kms:us-east-1:123456789012:key/1234-5678'
C.s3:x-amz-acl with value 'bucket-owner-full-control'
D.aws:SourceArn with value the bucket ARN
AnswerB

This condition key carries the KMS key ARN named in the request. A Deny statement with StringNotEquals on it rejects any PutObject that names a different key. Pair it with a Null condition on the same key (or set the bucket's default encryption to that key), because a request that sends no key header is otherwise encrypted with the bucket default rather than rejected.

Why this answer

Option B is correct because the condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` allows you to enforce that a specific customer-managed AWS KMS key (identified by its full ARN) is used for server-side encryption. By denying PutObject requests that do not match this key ID, the security team ensures all uploaded objects are encrypted at rest with the required KMS key.

Exam trap

The trap here is that candidates often confuse `s3:x-amz-server-side-encryption` (which only checks if SSE-KMS is enabled) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which checks the specific key ID), leading them to pick Option A, which does not enforce the required customer-managed key.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` with value `aws:kms` only enforces that SSE-KMS is used, but does not restrict which KMS key is used; any KMS key (including default AWS-managed keys) would satisfy the condition. Option C is wrong because `s3:x-amz-acl` with value `bucket-owner-full-control` controls access permissions via ACLs, not encryption requirements, and is irrelevant to enforcing encryption key usage. Option D is wrong because `aws:SourceArn` is used to restrict requests based on the source ARN (e.g., to prevent cross-service confused deputy attacks), not to enforce encryption key selection.

1330
Multi-Selecteasy

Which TWO of the following are best practices for securing AWS account root user?

Select 2 answers
A.Delete the root user access keys.
B.Use the root user for daily administrative tasks.
C.Set a password policy that locks the root user after 10 failed attempts.
D.Share the root user password with senior developers for emergencies.
E.Enable multi-factor authentication (MFA) for the root user.
AnswersA, E

Access keys are rarely needed for root.

Why this answer

Options A and E are correct. Option E: MFA on the root user means a stolen password alone cannot sign in. Option A: the root user should have no long-term access keys at all, since anything that needs programmatic access should use an IAM role or user with scoped permissions; if root keys exist, delete them and check CloudTrail for any use of them.

Option B is wrong because the root user should be reserved for the few tasks that require it, such as changing the support plan or closing the account. Option C is wrong because the account password policy applies to IAM users, not the root user, and there is no lockout-after-N-attempts setting for root. Option D is wrong because sharing the root credentials removes accountability; for emergencies, set up break-glass IAM roles with alerting instead.

1331
MCQhard

A company uses AWS Lambda functions behind an API Gateway REST API. The Lambda functions are written in Python and use the boto3 SDK to interact with DynamoDB. After a recent deployment, some users report sporadic 502 Bad Gateway errors when calling the API. The Lambda function logs show occasional 'AccessDeniedException' errors. What is the most likely cause and solution?

A.The Lambda function is timing out. Increase the timeout value in the Lambda configuration.
B.The DynamoDB table is throttling requests. Enable auto-scaling for the table.
C.The Lambda execution role lacks permissions to access DynamoDB. Update the role to include the necessary DynamoDB actions.
D.The API Gateway request is too large. Set the payload size limit higher in API Gateway settings.
AnswerC

This directly addresses the AccessDeniedException by granting required permissions.

Why this answer

Option C is correct. boto3 raises AccessDeniedException when the execution role is not allowed the DynamoDB action being called; if the function does not catch it, the invocation ends in a function error, and API Gateway turns a function error or malformed proxy response into a 502 Bad Gateway. The errors are sporadic because only some code paths hit the missing action. The fix is to add the specific actions the code uses (for example dynamodb:GetItem and dynamodb:PutItem) on the table ARN to the execution role. Option A is wrong because a timeout would log 'Task timed out', not AccessDeniedException. Option B is wrong because throttling surfaces as ProvisionedThroughputExceededException and is retried by the SDK. Option D is wrong because an oversized request is rejected by API Gateway with a 413 before the function runs.

1332
MCQmedium

A developer is deploying a web application on AWS Elastic Beanstalk. The environment must maintain the same number of running instances throughout the deployment to ensure capacity. The developer also wants to minimize downtime. Which deployment policy should be used?

A.Rolling with additional batch
B.All at once
C.Rolling
D.Immutable
AnswerA

This policy adds an extra batch of instances before starting the rolling update, ensuring that capacity never drops below the original number of instances, thus maintaining full capacity and minimizing downtime.

Why this answer

Rolling with additional batch is correct because it first launches a new batch of instances in addition to the existing ones, ensuring full capacity is maintained throughout the deployment. Once the new instances are healthy, instances are updated in batches, and the original batch is terminated only after the new ones are fully serving traffic, minimizing downtime.

Exam trap

The trap here is that candidates often confuse 'rolling' with 'rolling with additional batch,' assuming both maintain capacity, but only the latter adds extra instances upfront to avoid any capacity reduction during the update.

How to eliminate wrong answers

Option B (All at once) is wrong because it replaces all instances simultaneously, so the application is unavailable during the deployment. Option C (Rolling) is wrong because it takes a batch out of service before deploying to it, temporarily reducing capacity, which violates the requirement to keep the same number of running instances. Option D (Immutable) is not the best fit because it launches a full second set of instances in a temporary Auto Scaling group and swaps them in after health checks; it keeps capacity and avoids downtime, but doubles the fleet for the whole deployment and takes the longest, so rolling with additional batch is the lighter policy that meets both stated requirements.

1333
MCQhard

A company has a multi-account architecture using AWS Organizations. The security team wants to centrally manage IAM policies that apply to all accounts. Which AWS feature should the developer use?

A.Service control policies (SCPs) in AWS Organizations.
B.IAM cross-account roles.
C.AWS Config conformance packs.
D.IAM policies attached to the root user.
AnswerA

SCPs allow you to set permission guardrails across all accounts in the organization.

Why this answer

SCPs are used in AWS Organizations to centrally control the maximum permissions available in member accounts. They apply to every IAM user and role in those accounts, including the account root user, but they never grant permissions on their own, and they do not apply to the management account. Option B is wrong because IAM cross-account roles are per-account trust relationships, not a central policy.

Option D is wrong because IAM policies cannot be attached to the root user. Option C is wrong because AWS Config conformance packs evaluate compliance after the fact; they do not constrain permissions.

1334
MCQmedium

A developer is deploying a new version of an AWS Lambda function. The function uses an environment variable for a database password. The developer wants to securely store the password and automatically rotate it. Which combination of AWS services should the developer use?

A.Use AWS KMS to generate a data key and store it in the Lambda environment variable.
B.Store the password in AWS Secrets Manager and retrieve it in the Lambda function using the AWS SDK.
C.Store the password in AWS Systems Manager Parameter Store and reference it in the Lambda function.
D.Encrypt the password using AWS KMS and store it in Amazon DynamoDB.
AnswerB

Secrets Manager supports automatic rotation and secure retrieval.

Why this answer

AWS Secrets Manager stores the password encrypted with KMS and rotates it on a schedule; the function retrieves it at runtime with the SDK (get_secret_value), ideally once per execution environment with a short cache or through the AWS Parameters and Secrets Lambda Extension, rather than on every invocation. Option B is correct.

Option C is incorrect because Parameter Store does not natively rotate secrets. Option D is incorrect because DynamoDB is not a secret store and offers no rotation. Option A is incorrect because KMS generates and protects keys but does not store or rotate a password; a data key in an environment variable is still a static secret.

1335
MCQhard

A developer is troubleshooting an IAM policy that is supposed to allow a Lambda function to read objects from an S3 bucket. The Lambda function role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::example-bucket/*","arn:aws:s3:::example-bucket"]}]}. Despite this, the Lambda function receives an AccessDenied error when trying to read objects. What is the most likely cause?

A.The S3 bucket has a bucket policy that explicitly denies the Lambda function's access.
B.The IAM policy does not include the s3:GetObjectVersion action.
C.The Lambda function is in a different AWS account than the S3 bucket.
D.The IAM policy uses an incorrect resource ARN format.
AnswerA

Bucket policy deny overrides IAM allow.

Why this answer

The IAM policy attached to the Lambda function role correctly grants s3:GetObject and s3:ListBucket permissions on the bucket and its objects. However, if the S3 bucket itself has a bucket policy that explicitly denies access to the Lambda function's role, that explicit deny overrides any allow from IAM policies, resulting in an AccessDenied error. This is because AWS evaluates all policies (identity-based and resource-based) and an explicit deny always takes precedence.

Exam trap

The trap here is that candidates often assume the IAM policy alone is sufficient and overlook the possibility of a bucket policy that explicitly denies access, which overrides any IAM allow.

How to eliminate wrong answers

Option B is wrong because the s3:GetObjectVersion action is only needed when accessing a specific version of an object using version ID; the error occurs on a standard read, which only requires s3:GetObject. Option C is wrong because cross-account access would still work if the bucket policy grants access to the Lambda function's role; the error is not inherently caused by being in a different account. Option D is wrong because the resource ARN format is correct: 'arn:aws:s3:::example-bucket/*' for objects and 'arn:aws:s3:::example-bucket' for the bucket itself, which is the standard format for S3 ARNs.

1336
MCQmedium

A developer is troubleshooting a Lambda function that intermittently times out. The function makes HTTP requests to an external API. The function's CloudWatch logs show 'Task timed out after 3.01 seconds'. What is the MOST likely cause?

A.The Lambda function timeout is set to 3 seconds, but the HTTP request takes longer.
B.The Lambda function has insufficient reserved concurrency causing throttling.
C.The Lambda function is not configured with a VPC and cannot reach the external API.
D.The Lambda function is not starting execution due to a missing IAM role.
AnswerA

The default Lambda timeout is 3 seconds. The log shows the task timed out after 3.01 seconds, indicating the function timeout was exceeded.

Why this answer

Option A is correct because the default Lambda timeout is 3 seconds; the log line 'Task timed out after 3.01 seconds' is the runtime reporting that the configured timeout was reached while the outbound HTTP call was still waiting. Raise the function timeout to cover the external API's worst-case latency, and set a client-side timeout on the HTTP request that is shorter than the function timeout so a slow dependency fails fast instead of consuming the whole invocation. Option C is wrong because a function without a VPC configuration has internet access by default; it is a function inside a VPC without a NAT gateway that cannot reach an external API, and even then the symptom is a hang until the same timeout, not a configuration error. Option B is wrong because throttling rejects the invocation with a 429 before any code runs, so no 'Task timed out' line would appear.

Option D is wrong because the logs show the function started and ran for 3 seconds.

1337
Multi-Selecteasy

Which TWO of the following are benefits of using Amazon API Gateway to manage APIs? (Choose two.)

Select 2 answers
A.Built-in caching of database queries to Amazon RDS
B.Direct integration with Amazon S3 for file storage
C.Throttling and rate limiting of API requests
D.Generation of client SDKs for multiple programming languages
E.Automatic connection pooling for backend databases
AnswersC, D

API Gateway supports throttling at the API level.

Why this answer

Correct: C and D. API Gateway throttles requests (account, stage and usage-plan limits) to protect backend services, and it can generate client SDKs for several languages from a REST API's definition. Option A is wrong because API Gateway does not cache database queries; it can cache API responses per stage, but it has no knowledge of RDS.

Option E is wrong because API Gateway does not manage database connections. Option B is wrong because API Gateway does not store files; it can proxy requests to S3 through an AWS service integration, but storage remains S3's job.

1338
MCQmedium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is triggered by the SQS queue. Recently, the function started failing due to timeout errors when processing large messages. The function's timeout is set to the maximum of 15 minutes. What should a developer do to resolve this issue?

A.Increase the SQS queue's visibility timeout.
B.Increase the maximum message size in the SQS queue.
C.Decrease the SQS batch size in the Lambda trigger.
D.Split the large messages into smaller messages before sending to SQS.
AnswerD

Smaller messages reduce processing time per invocation.

Why this answer

Option D is correct because the function's 15-minute maximum is the hard ceiling, so the work per invocation must shrink: split the large messages into smaller units of work (or put the payload in S3 and send a pointer), so each invocation finishes well within its timeout. Option A is wrong because the visibility timeout only controls when an undeleted message reappears; if the function times out, the message is retried regardless of how long it was hidden. Option C is wrong because batch size reduces the number of messages per invocation, but a single large message that exceeds the timeout on its own still fails.

Option B is wrong because the queue's MaximumMessageSize attribute only caps what producers may send; raising it does not shorten processing time.

1339
Multi-Selecteasy

Which TWO actions are required to enable server-side encryption for an Amazon RDS instance? (Choose 2)

Select 2 answers
A.Enable encryption on the database after creation
B.Use client-side encryption in the application
C.Configure the DB instance to use a VPC
D.Use AWS KMS to manage the encryption key
E.Specify encryption at rest when creating the DB instance
AnswersD, E

RDS uses KMS for encryption keys.

Why this answer

To enable encryption for RDS you specify encryption at rest when creating the DB instance (E) and use an AWS KMS key, either the AWS managed aws/rds key or a customer managed key, to protect it (D). Option A is wrong because encryption cannot be turned on for an existing unencrypted instance; the path is to take a snapshot, copy the snapshot with encryption enabled, and restore from the encrypted copy. Option C is wrong because a VPC is a networking choice and has no effect on encryption at rest.

Option B is wrong because client-side encryption is done by the application before data reaches RDS and is not server-side encryption.

1340
MCQmedium

A developer has an IAM policy that allows 's3:GetObject' for a specific S3 bucket. However, when the developer tries to download an object using the AWS CLI, access is denied. What could be the issue?

A.The bucket policy explicitly denies access to the user.
B.The bucket is in a different region than the CLI configuration.
C.The bucket ACL does not grant the user access.
D.The object is encrypted with SSE-KMS and the user lacks kms:Decrypt permission.
AnswerD

With SSE-KMS, the user needs both S3 and KMS permissions to download.

Why this answer

Option D is correct because when an S3 object is encrypted with SSE-KMS, the `s3:GetObject` permission alone is insufficient. The AWS CLI must also have `kms:Decrypt` permission on the KMS key used to encrypt the object. Without this, the S3 service cannot decrypt the object before returning it, resulting in an access denied error even though the S3 policy allows the GetObject action.

Exam trap

The trap here is that candidates assume S3 access control is solely based on S3-specific permissions (like s3:GetObject) and overlook the fact that KMS permissions are required when SSE-KMS is used, leading them to incorrectly choose a bucket policy or ACL issue.

How to eliminate wrong answers

Option A is possible in general, since an explicit deny in a bucket policy overrides an identity allow, but the scenario mentions no bucket policy; with nothing else stated, the SSE-KMS dependency is the most likely cause. Option B is wrong because bucket names are global and the CLI resolves the bucket's region; a region mismatch produces a redirect (PermanentRedirect) at worst, not AccessDenied. Option C is wrong because new buckets have ACLs disabled by default (Object Ownership set to bucket owner enforced), and even where ACLs remain enabled an ACL grant is not required when an IAM policy already allows the action, so an ACL cannot cause this denial on its own.

1341
MCQmedium

A developer needs to prevent accidental public access to all S3 buckets in an account. Which account-level control should be enabled?

A.S3 Transfer Acceleration
B.S3 Block Public Access
C.S3 Inventory
D.S3 Object Lambda
AnswerB

Correct for the stated requirement.

Why this answer

S3 Block Public Access is an account-level control that provides a centralized way to enforce that no S3 buckets or objects in the account can be made publicly accessible, regardless of individual bucket policies or ACLs. This setting overrides any bucket-level public access settings, effectively preventing accidental exposure of data to the internet.

Exam trap

The trap here is that candidates may confuse bucket-level controls (like bucket policies or ACLs) with account-level controls, or mistakenly think features like Transfer Acceleration or Inventory provide security, when only S3 Block Public Access offers a centralized, account-wide safeguard against public exposure.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations, not a security control for preventing public access. Option C is wrong because S3 Inventory is used to generate reports on object metadata and replication status for auditing and compliance, not to block public access. Option D is wrong because S3 Object Lambda allows you to add custom code to process data during S3 GET, HEAD, and LIST requests, but it does not provide any access control or public access blocking functionality.

1342
Multi-Selectmedium

A developer is designing a serverless application that processes orders. The order processing must be transactional: either all steps succeed or none. Which TWO AWS services can be combined to achieve this?

Select 2 answers
A.AWS Step Functions
B.Amazon SNS with filtering
C.Amazon SQS with FIFO queues
D.Amazon DynamoDB transactions
E.AWS Lambda with DLQ
AnswersA, D

Step Functions can coordinate multiple AWS services with error handling.

Why this answer

Options A and D are correct. Step Functions (A) coordinates the steps and, through Catch transitions and compensating states, runs rollback logic when a later step fails (a saga, not a true atomic transaction across services). DynamoDB transactions (D) give ACID all-or-nothing semantics for up to 100 items across tables in one TransactWriteItems call.

Option C is wrong because SQS FIFO provides ordering and deduplication within a window, not transactional processing. Option E is wrong because a dead-letter queue captures failed events but does not roll back steps that already completed. Option B is wrong because SNS is for pub/sub messaging, not transactions.

1343
MCQmedium

A company uses AWS IAM roles to grant permissions to EC2 instances. An application running on an instance fails to access an S3 bucket. The IAM role has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}. What is the likely cause?

A.The instance does not have an instance profile.
B.The policy does not include s3:ListBucket permission.
C.The trust policy of the role does not allow EC2 to assume it.
D.The IAM role is not attached to the EC2 instance.
AnswerB

ListBucket is needed for many S3 operations like listing objects.

Why this answer

The IAM policy allows only `s3:GetObject` on objects within `my-bucket`, but the application likely needs to list the bucket's contents first (e.g., via `s3:ListBucket`) to know which objects to retrieve. Without `s3:ListBucket` permission on the bucket resource (`arn:aws:s3:::my-bucket`), any attempt to list objects (such as through the AWS CLI `aws s3 ls` or SDK operations like `listObjects`) will fail with an AccessDenied error, even though `GetObject` is allowed. This is a common oversight when granting S3 access, as listing is a separate action required for many operations.

Exam trap

The trap here is that candidates assume `s3:GetObject` on `/*` is sufficient for all read operations, forgetting that listing objects requires a separate bucket-level permission (`s3:ListBucket`) on the bucket itself, not the objects.

How to eliminate wrong answers

Option A is wrong because the instance profile is what carries the role onto an instance (the console creates one automatically; with the CLI you create it explicitly), and without one the application would find no credentials at all rather than receive an S3 AccessDenied. Option C is wrong because a role created for EC2 has a trust policy for ec2.amazonaws.com by default; if the trust policy were wrong, the instance could not obtain credentials and every AWS call would fail, not just S3 listing. Option D is wrong because the question states the role is used to grant permissions to the instance, implying it is attached; if it were not, the symptom would be a missing-credentials error rather than a specific S3 access failure.
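The three S3 permission outcomes discussed on this page (the ListBucket gap in question 1343, the bucket-policy explicit deny in question 1335, and the KMS key condition in question 1329) can all be reproduced with the same small model of IAM evaluation. The following is an added example, not the exam page's code and not an AWS library: it models Effect, Action and Resource wildcards and the StringEquals, StringNotEquals and Null condition operators, and ignores Principal matching, NotAction/NotResource, SCPs, permissions boundaries, session policies and the KMS key policy. All policies, ARNs and requests are constructed.

```python
"""Added example (not from the exam page): a reduced model of IAM policy evaluation,
enough to show an implicit deny, an explicit deny overriding an allow, and a condition on
the KMS key id used for SSE-KMS uploads. Policies and ARNs are constructed."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::my-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234-5678"  # constructed, mirrors question 1329
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Identity policy from question 1343: object-level actions only, nothing on the bucket ARN.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
]}

# Bucket policy for question 1329: deny uploads that name a different key, and deny uploads
# that name none (the Null statement), so the bucket default cannot silently be used instead.
ENCRYPTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {KEY_HEADER: KEY_ARN}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {KEY_HEADER: "true"}}},
]}

# Bucket policy for question 1335: an explicit deny that overrides the role's Allow.
LOCKOUT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM's "*" matches any run of characters, "/" included, which is what fnmatch does.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A missing key fails StringEquals, satisfies
    StringNotEquals (IAM's documented behaviour for negated operators) and is what Null tests."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            elif operator == "Null":
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request, in IAM's order:
    any applicable Deny wins, else any applicable Allow, else the request is denied."""
    context = context or {}
    applicable = [s for p in policies for s in p["Statement"]
                  if _matches(s["Action"], action) and _matches(s["Resource"], resource)
                  and _condition_holds(s.get("Condition", {}), context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit_deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit_deny"


def upload_with_key(key_arn):
    """PutObject through the role against the encryption policy. key_arn=None models a request
    that carried no x-amz-server-side-encryption-aws-kms-key-id header at all."""
    ctx = {} if key_arn is None else {KEY_HEADER: key_arn}
    return evaluate([ROLE_POLICY, ENCRYPTION_POLICY], "s3:PutObject", BUCKET + "/secret.pdf", ctx)
```

Run against the three scenarios: GetObject on an object under the role policy alone is allowed, while ListBucket on the bucket ARN is an implicit deny because no statement covers it; adding LOCKOUT_POLICY turns the same GetObject into an explicit deny even though the identity Allow is still present; and upload_with_key returns allow for the required key ARN, explicit_deny for any other key, and explicit_deny when no key is named. Real S3 evaluation adds the KMS key policy on top of this (the point of question 1340), so an allow here still needs kms:GenerateDataKey or kms:Decrypt on the key.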

1344
MCQmedium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon ECS service. The developer wants to ensure that the ECS service is updated with a new task definition before the old tasks are stopped. Which deployment controller type should be used?

A.ECS (rolling update).
B.Recreate.
C.CodeDeploy (blue/green).
D.External.
AnswerA

Rolling update gradually replaces tasks, ensuring new tasks are healthy before stopping old ones.

Why this answer

Option A is correct because the ECS deployment controller performs a rolling update: the service starts tasks from the new task definition and stops old tasks only once the new ones pass their health checks, within the bounds set by the service's minimumHealthyPercent and maximumPercent. Option C is wrong because CodeDeploy is the blue/green controller, which provisions a second task set and shifts load balancer traffic; it is a different mechanism from the in-place rolling update the question describes. Option D is wrong because External hands deployment control to a third-party controller.

Option B is wrong because Recreate is not an ECS deployment controller type, and a recreate-style cutover stops all tasks before starting new ones, the opposite of what is asked.

1345
MCQhard

A company uses AWS Secrets Manager to rotate database credentials for an RDS MySQL instance. The rotation Lambda function fails with the error: 'Secret is scheduled for deletion.' What is the MOST likely cause?

A.The secret has been marked for deletion and is in the waiting period.
B.The secret's rotation schedule has been disabled.
C.The Lambda function does not have permission to access the secret.
D.The RDS instance is not in the same VPC as the Lambda function.
AnswerA

Secrets marked for deletion cannot be rotated.

Why this answer

The error 'Secret is scheduled for deletion' indicates that the secret has been marked for deletion and is in its recovery window (7 to 30 days, 30 by default, unless it was force-deleted without recovery). During this window Secrets Manager blocks operations on the secret, including rotation and retrieval, so an accidental deletion can be reversed: RestoreSecret cancels the deletion and rotation resumes. The rotation Lambda function fails because it cannot read or update a secret that is pending deletion.

Exam trap

The trap here is that candidates may confuse the 'scheduled for deletion' error with a permissions or network issue, but the error message directly points to the secret's lifecycle state, which is a distinct concept in AWS Secrets Manager.

How to eliminate wrong answers

Option B is wrong because disabling the rotation schedule would prevent the Lambda function from being triggered, but it would not cause a 'Secret is scheduled for deletion' error; the secret would still be accessible. Option C is wrong because a permissions issue would result in an 'AccessDeniedException' or similar authorization error, not a deletion-specific error message. Option D is wrong because VPC mismatch would cause a network timeout or connectivity error, not a deletion-related error; the Lambda function would still be able to call the Secrets Manager API if network access is configured.

1346
MCQhard

An organization uses AWS Lambda functions behind an Amazon API Gateway REST API. They want to deploy a new version of the Lambda function using canary deployments. What is the recommended approach?

A.Use AWS CodeDeploy to create a canary deployment for the Lambda function.
B.Use API Gateway canary release deployment to shift traffic to the new Lambda version.
C.Deploy the new Lambda version using AWS SAM with AutoPublishAlias and DeploymentPreference.
D.Configure the Lambda function alias with traffic shifting using weights.
AnswerD

Lambda aliases can route a percentage of traffic to a new version.

Why this answer

Option D is correct because Lambda function aliases support traffic shifting by assigning weights to different versions, enabling canary deployments without external services. This is the native AWS mechanism for gradually routing a percentage of invocations to a new version while monitoring for errors, then shifting all traffic once stable.

Exam trap

The trap here is confusing API Gateway canary releases (which shift traffic between API stages) with Lambda alias traffic shifting (which shifts traffic between function versions), leading candidates to pick Option B when the question specifically asks about deploying a new Lambda function version.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy can orchestrate canary deployments for Lambda, but it is not the recommended approach when using API Gateway; the question asks for the recommended approach, and native Lambda alias traffic shifting is simpler and more direct. Option B is wrong because API Gateway canary release deployments shift traffic between API stages (e.g., prod vs. canary), not between Lambda function versions; the canary is at the API level, not the Lambda function level. Option C is wrong because AWS SAM with AutoPublishAlias and DeploymentPreference is a valid method for canary deployments, but it is a framework-level abstraction that ultimately configures Lambda alias traffic shifting under the hood; the question asks for the recommended approach, and the native, direct method is configuring the alias with weights.
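As an added example that is not part of the exam page and not AWS's code, the following shows the RoutingConfig shape that Lambda's UpdateAlias API accepts for weighted traffic shifting, the validation the service applies to it, a seeded simulation of the resulting split, and a promotion gate of the kind a canary controller (or a SAM DeploymentPreference alarm) would apply. The function name, version numbers and error counts are constructed; no AWS API is called.

```python
"""Added example (not from the exam page): Lambda alias weighted routing modelled locally.
The kwargs produced by canary_routing_config() are the shape boto3's
lambda_client.update_alias(**kwargs) takes; nothing here calls AWS."""
import random

FUNCTION_NAME = "order-processor"  # assumed name
ALIAS_NAME = "live"                # assumed alias that API Gateway points at


def canary_routing_config(stable_version, canary_version, canary_weight):
    """Build UpdateAlias kwargs: the alias stays on stable_version and sends canary_weight of
    invocations to canary_version. Lambda accepts only one additional version, weights in
    [0, 1], and published (numbered) versions; $LATEST cannot be weighted."""
    for v in (stable_version, canary_version):
        if not str(v).isdigit():
            raise ValueError(f"version must be a published number, got {v!r}")
    if str(stable_version) == str(canary_version):
        raise ValueError("canary and stable versions must differ")
    if not 0.0 <= canary_weight <= 1.0:
        raise ValueError("weight must be between 0 and 1")
    return {
        "FunctionName": FUNCTION_NAME,
        "Name": ALIAS_NAME,
        "FunctionVersion": str(stable_version),
        "RoutingConfig": {"AdditionalVersionWeights": {str(canary_version): canary_weight}},
    }


def route(config, invocations, seed=0):
    """Simulate Lambda's per-invocation weighted choice; returns a count per version."""
    rng = random.Random(seed)
    stable = config["FunctionVersion"]
    (canary, weight), = config["RoutingConfig"]["AdditionalVersionWeights"].items()
    counts = {stable: 0, canary: 0}
    for _ in range(invocations):
        counts[canary if rng.random() < weight else stable] += 1
    return counts


def should_promote(canary_errors, canary_invocations, baseline_error_rate, max_ratio=2.0):
    """Promote only when the canary's error rate is no worse than max_ratio times the stable
    version's baseline. Zero canary traffic is not evidence, so it never promotes."""
    if canary_invocations == 0:
        return False
    return canary_errors / canary_invocations <= max_ratio * baseline_error_rate


def promote(config):
    """Final step: move the alias fully to the canary version and clear the extra weights.
    Rolling back is the same call with the original FunctionVersion and empty weights."""
    (canary, _), = config["RoutingConfig"]["AdditionalVersionWeights"].items()
    return {**config, "FunctionVersion": canary,
            "RoutingConfig": {"AdditionalVersionWeights": {}}}
```

Starting with canary_routing_config(7, 8, 0.1), about a tenth of 10,000 simulated invocations land on version 8; should_promote(1, 1000, 0.002) passes while should_promote(10, 1000, 0.002) fails, and promote() yields the alias update that points everything at version 8. Because API Gateway integrates with the alias ARN, the API definition never changes during the shift, which is the separation from API Gateway stage canaries that the exam trap above describes.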

1347
MCQmedium

A company uses Amazon CloudFront to distribute content from an S3 bucket. The content is static and rarely changes. The developer wants to reduce the load on the origin and improve performance for users. Which configuration change would achieve this?

A.Disable caching for the distribution.
B.Enable Lambda@Edge to process requests at edge locations.
C.Decrease the TTL (Time to Live) for the cache behavior.
D.Increase the TTL (Time to Live) for the cache behavior.
AnswerD

Higher TTL allows longer caching, reducing origin requests.

Why this answer

Option D is correct because a longer TTL lets edge locations serve the object from cache for longer before going back to the origin, so fewer requests reach the S3 bucket and more users get an edge hit. S3 sends no Cache-Control header unless it is set as object metadata, so the cache behavior's default TTL usually governs; raising it (or raising the minimum TTL, which overrides a short origin max-age) is the lever. The cost of a long TTL is that a changed object is not picked up until the cached copy expires, so even rarely changing content should be updated through versioned object names or an invalidation.

Option A is wrong because disabling caching sends every request to the origin. Option B is wrong because Lambda@Edge adds compute at the edge but by itself does not reduce origin requests. Option C is wrong because a shorter TTL makes CloudFront return to the origin more often, increasing its load.
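How the behavior's TTL settings combine with the origin's Cache-Control header, and what that does to origin load, as an added example that is not part of the question bank. It implements the documented precedence (s-maxage over max-age, clamped to the minimum and maximum TTL, default TTL when the origin sends no freshness header, no-cache/no-store/private honoured only when the minimum TTL is 0) and then counts origin fetches for a constructed stream of requests. The Expires header and per-request-path behaviors are not modelled; the TTL values and request timings are constructed.

```python
# Added example (not from the question bank): effective CloudFront TTL and the
# resulting origin load. Simplified to the max-age / s-maxage / no-store rules;
# Expires is not modelled. All numbers below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheBehavior:
    min_ttl: int      # seconds
    default_ttl: int
    max_ttl: int


def parse_cache_control(header: str) -> dict:
    """'public, max-age=300' -> {'public': None, 'max-age': '300'}"""
    out = {}
    for part in header.lower().split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name] = value or None
    return out


def effective_ttl(b: CacheBehavior, origin_headers: dict) -> int:
    """Seconds CloudFront keeps the object: s-maxage beats max-age, the value is
    clamped to [min_ttl, max_ttl], no freshness header means default_ttl, and
    no-cache/no-store/private is honoured only when min_ttl is 0."""
    cc = parse_cache_control(origin_headers.get("Cache-Control", ""))
    if any(d in cc for d in ("no-cache", "no-store", "private")):
        return b.min_ttl                      # 0 means "do not cache"
    for name in ("s-maxage", "max-age"):
        if cc.get(name) is not None:
            return max(b.min_ttl, min(int(cc[name]), b.max_ttl))
    return b.default_ttl


def origin_fetches(ttl: int, request_times: list) -> int:
    """Origin requests one edge location makes for one object, given requests at
    the listed timestamps (seconds) and a TTL; an object older than ttl is refetched."""
    fetched_at = None
    fetches = 0
    for t in sorted(request_times):
        if fetched_at is None or t - fetched_at >= ttl:
            fetched_at = t
            fetches += 1
    return fetches


if __name__ == "__main__":
    behavior = CacheBehavior(min_ttl=0, default_ttl=86400, max_ttl=31536000)
    hour_of_requests = list(range(0, 3600, 30))            # one request every 30 s, constructed
    for hdr in ({}, {"Cache-Control": "max-age=60"}, {"Cache-Control": "no-store"}):
        ttl = effective_ttl(behavior, hdr)
        print(hdr, "ttl:", ttl, "origin fetches in one hour:", origin_fetches(ttl, hour_of_requests))
    # Raising the minimum TTL is how you lengthen caching when the origin's header is short.
    strict = CacheBehavior(min_ttl=86400, default_ttl=86400, max_ttl=31536000)
    print("min_ttl override:", effective_ttl(strict, {"Cache-Control": "max-age=60"}))
```

Run against the constructed hour of requests, the object with no origin header costs one origin fetch (default TTL of a day), max-age=60 costs 60, and no-store costs 120; the last line shows the minimum TTL turning a 60-second origin hint into a full day of caching.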

1348
MCQeasy

A company uses AWS Elastic Beanstalk to run a web application. They want to deploy a new version with zero downtime. They have a production environment running the current version and a staging environment running the new version. After thoroughly testing the staging environment, they want to swap the URLs so that production now points to the new version. Which deployment strategy should they use?

A.Blue/green deployment with CNAME swap
B.Rolling deployment
C.Immutable deployment
D.All at once deployment
AnswerA

Two complete environments run side by side; Elastic Beanstalk swaps their CNAMEs, so the production URL starts resolving to the new environment with no downtime.

Why this answer

Blue/green deployment with a CNAME swap is the correct strategy because it keeps two complete environments (blue = current production, green = the tested new version) and switches traffic by swapping the environments' CNAMEs, the *.elasticbeanstalk.com hostnames that the production URL points at. Nothing is modified on the running instances, and the old environment stays up, so if the new version misbehaves the swap can simply be reversed. Elastic Beanstalk performs the swap from the console, the CLI (swap-environment-cnames, or eb swap) or the API. One caveat: DNS resolvers cache the old record for its TTL, so keep the old environment running until traffic has drained rather than terminating it right after the swap; and for the swap to be clean the database should live outside the environment so both environments share it.

Exam trap

The trap is confusing blue/green with immutable deployment. Immutable deployment also brings up fresh instances with the new version, but it does so inside the same environment and routes live traffic to them as soon as they pass health checks; it offers no separate, fully tested environment to switch to or back from.

How to eliminate wrong answers

Option B (Rolling deployment) is wrong because it updates instances in batches within the same environment, reducing capacity during the deployment and leaving both versions serving traffic at once, with no separate environment to test in. Option C (Immutable deployment) is wrong because it launches a temporary Auto Scaling group in the same environment, verifies one new instance, then scales up and retires the old instances; it is safer than rolling but still routes live traffic to the new version without a separately tested staging environment. Option D (All at once deployment) is wrong because it replaces the version on every instance simultaneously, causing downtime while the instances redeploy and giving no way to test the new version in isolation.

1349
Multi-Selectmedium

A company is running a web application on EC2 instances behind an Application Load Balancer. The application experiences high latency during peak hours. A developer needs to improve performance. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A.Configure Auto Scaling to add more instances during peak hours.
B.Increase the ALB idle timeout.
C.Implement Amazon ElastiCache to cache frequently accessed data.
D.Use larger EC2 instance types.
E.Enable EBS optimization on the instances.
AnswersA, C

Auto Scaling adds capacity to handle increased load.

Why this answer

Options A and C are correct. Auto Scaling adds instances behind the ALB when demand rises, so the load per instance stays bounded during peak hours. ElastiCache serves frequently read data from memory instead of the database, cutting per-request latency and offloading the database, which is usually the bottleneck at peak.

Option B is wrong because the ALB idle timeout only controls how long an idle connection is kept open; it does not change request latency. Option D is wrong because larger instances (vertical scaling) can help, but they are a fixed, less elastic capacity increase and cost more at off-peak hours than scaling out. Option E is wrong because EBS optimization provides dedicated bandwidth between the instance and its EBS volumes; it helps disk I/O, not application latency under peak request load.

1350
MCQhard

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket named 'my-bucket'. The IAM role 'AppRole' is used by an application running on EC2 instances with an IP address of 192.0.2.10. The application tries to upload an object to 'my-bucket/confidential/report.pdf'. Will the upload succeed?

A.Yes, but only if the application also has an IAM policy that allows s3:PutObject.
B.No, because the Deny statement denies all s3 actions on the 'confidential/' prefix.
C.No, because the Allow statement only allows GetObject and PutObject on the entire bucket, but the Deny overrides.
D.Yes, because the Deny statement uses a condition that does not match the application's IP.
AnswerD

The Deny applies only if the IP is NOT in 192.0.2.0/24; the IP is in that range, so Deny is not triggered.

Why this answer

Option D is correct. The Deny statement denies all s3 actions on the 'confidential/' prefix only when aws:SourceIp is not within 192.0.2.0/24. The application's address, 192.0.2.10, is inside that range, so the NotIpAddress condition is false and the Deny never applies. With no explicit Deny in play, the Allow statement's s3:PutObject on the bucket's objects grants the upload.

Option A is wrong because the bucket policy's Allow already grants the upload; as long as the role is a principal that Allow covers, no additional identity-based policy is needed for a same-account request. Option B is wrong because the Deny is conditional, not unconditional. Option C is wrong because the Deny does not apply, so nothing overrides the Allow. A caveat for practitioners: aws:SourceIp is the caller's public IP only for requests that reach S3 over the internet or a NAT gateway. A request through an S3 VPC endpoint carries no aws:SourceIp, and a negated operator such as NotIpAddress evaluates to true when its key is absent, so this same Deny would block the instance the moment its traffic moves onto a VPC endpoint (use aws:SourceVpce or aws:VpcSourceIp in that case).
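The evaluation described above, as an added example that is not part of the question bank. The exhibit is not reproduced on this page, so the policy below is constructed to match the description in the explanation (an Allow for GetObject/PutObject on the bucket's objects, a Deny for all s3 actions under confidential/ unless aws:SourceIp is in 192.0.2.0/24). The evaluator is deliberately minimal: it applies the explicit-deny-wins rule, wildcard Action/Resource matching and only the IpAddress/NotIpAddress operators, including the absent-key behaviour that bites requests arriving through a VPC endpoint; it does not evaluate Principal, so the role is assumed to be covered by the Allow.

```python
# Added example (not from the question bank): a minimal IAM-style evaluator for the
# bucket-policy scenario. POLICY is constructed from the question's description,
# not copied from the exhibit. Principal matching is not modelled.
import ipaddress
from fnmatch import fnmatchcase

POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/confidential/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(value: str, cidrs) -> bool:
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def condition_holds(condition: dict, context: dict) -> bool:
    """True when every operator/key pair is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, value in pairs.items():
            if operator == "IpAddress":
                # A positive operator fails when the key is missing from the request.
                if key not in context or not _ip_in(context[key], value):
                    return False
            elif operator == "NotIpAddress":
                # A negated operator is satisfied when the key is missing, which is why
                # a request via a VPC endpoint (no aws:SourceIp) trips this Deny.
                if key in context and _ip_in(context[key], value):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Explicit Deny wins over any Allow; with no matching statement the result is
    the implicit deny. Returns 'Allow' or 'Deny'."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    report = "arn:aws:s3:::my-bucket/confidential/report.pdf"
    for label, ctx in (("from 192.0.2.10", {"aws:SourceIp": "192.0.2.10"}),
                       ("from 203.0.113.5", {"aws:SourceIp": "203.0.113.5"}),
                       ("via VPC endpoint", {})):
        print(f"PutObject {label}: {evaluate(POLICY, 's3:PutObject', report, ctx)}")
```

The first case reproduces the question's answer (Allow); the second shows the Deny firing for an address outside the range; the third is the VPC-endpoint trap, where the absent key makes NotIpAddress true and the same upload is refused.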
