AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 1351–1425

1616 questions total · 22 pages · All types, answers revealed

Page 19 of 22

1351
MCQ · medium

A developer is building a RESTful API using Amazon API Gateway (HTTP API) and AWS Lambda. The API receives a large number of requests with duplicate payloads within a short time window. To improve performance and reduce costs, the developer wants to ensure that if the same request (based on a unique client ID) is sent within 5 minutes, the Lambda function is not invoked again, and the previously calculated response is returned. Which API Gateway feature should the developer use?

A.Enable API caching on the stage with a TTL of 300 seconds and configure the client ID as a cache key parameter.
B.Enable request validation to reject duplicate requests.
C.Configure a usage plan with a throttle rate to limit requests from each client.
D.Enable stage variables to store the previous response.
Answer: A

API Gateway caching stores responses for a configurable TTL. With the TTL set to 300 seconds and the client ID declared as a cache key parameter (a query string parameter or request header), a repeat request from the same client within the window is answered from the cache and the Lambda function is not invoked, which cuts cost and latency. Note that response caching is a feature of API Gateway REST APIs; HTTP APIs have no built-in cache, so the design described here requires a REST API (or a cache such as CloudFront placed in front of the HTTP API).

Why this answer

Option A is correct because API Gateway's stage cache stores the response from your integration for a specified time-to-live (TTL). With the TTL at 300 seconds (5 minutes) and the client ID configured as a cache key parameter, API Gateway builds the cache key from the request path plus that parameter, so a second request with the same client ID within the window is served from the cache without invoking the Lambda function. The cache key is also the security boundary of the cache: any header or parameter that changes the response must be part of the key, otherwise one client's cached response is served to the next client that hits the same path. Two further checks belong with this feature: cache only responses that are safe to replay (not ones carrying Set-Cookie or per-user secrets), and control cache invalidation, since a client can ask to bypass the cache with a Cache-Control: max-age=0 header and whether that is honored for unauthorized clients depends on the stage's invalidation settings and an execute-api:InvalidateCache policy.

Exam trap

The trap here is that candidates confuse throttling (which limits request rate) with caching (which stores and returns previous responses), leading them to pick Option C instead of A.

How to eliminate wrong answers

Option B is wrong because request validation in API Gateway checks for required headers, query strings, or body structure, but it does not detect or reject duplicate requests based on content or client ID. Option C is wrong because a usage plan with throttling limits the rate of requests per client (e.g., requests per second), but it does not cache responses or prevent Lambda invocation for duplicate requests within a time window; it simply rejects excess requests. Option D is wrong because stage variables are used to pass configuration values (like endpoint URLs) to integration functions at deployment time, not to store or return previous responses.
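The cache-key point above is easy to get wrong, so here is an added example (not code from the question bank or from API Gateway) that models a stage cache with a TTL and a configurable set of cache key headers, then replays the same traffic with and without the client ID in the key. The names ResponseCache, Request, the X-Client-Id header and the /balance path are illustrative choices for this example.

```python
"""Added example, not part of the question bank: a small model of an
API Gateway-style stage cache, written to show why the client ID must be a
cache key parameter. ResponseCache, Request, the X-Client-Id header and the
/balance path are illustrative names chosen for this example."""
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class ResponseCache:
    ttl_seconds: int
    key_headers: tuple               # headers declared as cache key parameters
    entries: dict = field(default_factory=dict)
    backend_invocations: int = 0     # how many times the "Lambda" really ran

    def cache_key(self, req):
        # Only the path plus the declared key headers distinguish entries;
        # any header left out of this tuple cannot keep responses apart.
        return (req.path,) + tuple(req.headers.get(h) for h in self.key_headers)

    def handle(self, req, backend, now=None):
        now = time.monotonic() if now is None else now
        key = self.cache_key(req)
        hit = self.entries.get(key)
        if hit is not None and now - hit[0] < self.ttl_seconds:
            return hit[1]            # served from cache, no backend call
        self.backend_invocations += 1
        body = backend(req)
        self.entries[key] = (now, body)
        return body


def account_backend(req):
    # Stand-in for the Lambda integration: the response is per client.
    return f"balance for {req.headers['X-Client-Id']}"


def demo(key_headers):
    """Replay the same traffic against a cache with the given key headers.

    Returns (alice_first, alice_repeat, bob, alice_after_ttl, invocations).
    """
    cache = ResponseCache(ttl_seconds=300, key_headers=tuple(key_headers))
    alice = Request("/balance", {"X-Client-Id": "alice"})
    bob = Request("/balance", {"X-Client-Id": "bob"})
    first = cache.handle(alice, account_backend, now=0)
    repeat = cache.handle(alice, account_backend, now=10)    # duplicate in window
    bobs = cache.handle(bob, account_backend, now=20)        # different client
    later = cache.handle(alice, account_backend, now=301)    # TTL has elapsed
    return first, repeat, bobs, later, cache.backend_invocations


if __name__ == "__main__":
    print("keyed on client id:", demo(["X-Client-Id"]))
    print("keyed on path only:", demo([]))
```

With the client ID in the key, Alice's repeat request is a cache hit, Bob gets his own response and the backend runs three times (Alice, Bob, Alice again after the TTL). With the key reduced to the path alone, the backend runs only twice, but the third value shows Bob receiving Alice's balance: the cost saving comes from a cross-client leak, which is exactly what declaring the client ID as a cache key parameter prevents.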

1352
Multi-Select · easy

A developer is troubleshooting an AWS Lambda function that is failing with a timeout error. The function has a 15-minute timeout and processes messages from an Amazon SQS queue. Which TWO actions should the developer take to resolve the issue?

Select 2 answers
A.Reduce the SQS visibility timeout.
B.Increase the Lambda function timeout to 15 minutes.
C.Increase the SQS batch size in the Lambda event source mapping.
D.Configure a dead-letter queue for the SQS queue.
E.Use SQS batch operations in the Lambda function to process multiple messages at once.
Answers: C, E

Larger batches reduce per-invocation overhead and improve throughput.

Why this answer

Options C and E are correct. C: increasing the batch size in the event source mapping means each invocation receives more messages, cutting the number of invocations and the polling overhead per message. E: processing the batch as a unit (for example, batched downstream writes) rather than one message at a time raises throughput within the same invocation.

Option A is wrong because reducing the visibility timeout makes messages reappear while they are still being processed, producing duplicate deliveries rather than curing the timeout. Option B is wrong because the timeout is already at the 15-minute maximum; the problem is processing speed, not the limit. Option D is wrong because a dead-letter queue only captures messages after they exhaust their retries; it does not make the function finish faster. Two settings go with the chosen changes: a larger batch is more work per invocation, so enable partial batch responses (ReportBatchItemFailures) so that one slow message does not force the whole batch to be retried, and keep the queue's visibility timeout at least six times the function timeout, as AWS recommends, so in-flight batches are not redelivered early.

1353
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user who needs to deploy a serverless application. The user reports that they cannot upload a new version of a Lambda function using the AWS CLI. What is the MOST likely reason?

A.The Lambda invoke permission is scoped to a specific function.
B.The policy does not include lambda:UpdateFunctionCode.
C.The user does not have permission to write to the S3 bucket.
D.The user is not in the same AWS region as the Lambda function.
Answer: B

UpdateFunctionCode action is missing.

Why this answer

The error occurs because the IAM policy attached to the user does not include the `lambda:UpdateFunctionCode` permission, which is required to upload a new version of a Lambda function via the AWS CLI. Without this action, the `update-function-code` command fails, even if other Lambda permissions like `lambda:InvokeFunction` are present. The policy must explicitly allow `lambda:UpdateFunctionCode` to enable code updates.

Exam trap

The trap here is that candidates assume the error is due to S3 permissions (Option C) because they think Lambda code must be uploaded from S3, but the CLI can upload directly from a local file, and the real missing permission is `lambda:UpdateFunctionCode`.

How to eliminate wrong answers

Option A is wrong because `lambda:InvokeFunction` permission scoped to a specific function does not affect the ability to upload code; it only controls invocation access. Option C is wrong because the error is about uploading a new Lambda function version, not about writing to an S3 bucket; the CLI command `update-function-code` can accept a zip file directly without S3. Option D is wrong because AWS CLI operations for Lambda are region-scoped by the user's configuration, not by IAM policy; the user can specify the region via `--region` flag or config, and the policy does not restrict regions.

1354
MCQ · hard

A developer is deploying a microservices application on Amazon ECS with the Fargate launch type. The application uses an Application Load Balancer (ALB) to route traffic. The developer wants to perform a blue/green deployment with automated traffic shifting using AWS CodeDeploy. What is the minimum number of target groups required for this deployment?

A.One
B.Two
C.Three
D.Four
Answer: B

Two target groups are needed: one for the blue (original) tasks and one for the green (replacement) tasks. CodeDeploy shifts traffic between them.

Why this answer

In a blue/green deployment with AWS CodeDeploy and an Application Load Balancer (ALB) on Amazon ECS (Fargate), two target groups are required: one for the 'blue' (current) environment and one for the 'green' (new) environment. CodeDeploy shifts traffic from the blue target group to the green target group by updating the ALB listener rules, allowing zero-downtime deployments and automated rollback if needed.

Exam trap

The trap here is that candidates often confuse blue/green deployments with canary deployments or assume that a single target group with multiple ports can serve both environments, but AWS CodeDeploy for ECS explicitly requires two distinct target groups to manage traffic shifting and rollback.

How to eliminate wrong answers

Option A is wrong because a single target group cannot differentiate between the blue and green environments; traffic shifting requires two separate target groups to route traffic to the old and new task sets independently. Option C is wrong because three target groups are unnecessary; the blue/green deployment model only needs one target group for each environment (two total), and no additional target group is required for the ALB listener. Option D is wrong because four target groups are excessive; the deployment does not require any extra target groups beyond the two used for blue and green.

1355
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user tries to download an object from s3://my-bucket/secret/config.txt. What will happen?

A.The user is denied access only if the bucket policy also denies access.
B.The user can download the object because the Deny statement only applies to 's3:*' actions, not s3:GetObject.
C.The user can download the object because the Allow statement grants s3:GetObject on the bucket.
D.The user is denied access because the Deny statement explicitly denies access to the 'secret/' prefix.
Answer: D

An explicit Deny always overrides an Allow.

Why this answer

The Deny statement on the 'secret/' prefix matches the request (s3:* includes s3:GetObject, and the object key is under the prefix), and IAM applies an explicit Deny before any Allow is considered, so the download is refused. Option D is correct.

Option A is wrong because the explicit Deny in the identity-based policy is sufficient on its own; no bucket policy is needed for the denial to take effect. Option B is wrong because the wildcard s3:* covers s3:GetObject. Option C is wrong because an Allow never overrides an explicit Deny, whatever its scope.
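Questions 1353 and 1355 both turn on the same two evaluation rules: an action is implicitly denied unless some statement allows it, and an explicit Deny wins over any Allow. The following added example (not from the question bank, and not the exhibits the questions refer to) is a deliberately simplified evaluator that models only Effect, Action and Resource with IAM's wildcard matching; it does not model Condition, NotAction, resource policies or SCPs. The two policies, the function ARN and the object keys are constructed for the example.

```python
"""Added example, not part of the question bank: a simplified IAM policy
evaluator implementing implicit deny plus explicit-deny-wins. Only Effect,
Action and Resource are modelled. The policies, ARNs and keys below are
constructed for the example and are not the exhibits from the questions."""
from fnmatch import fnmatchcase


def _matches(pattern, value):
    # IAM wildcards: * matches any run of characters, ? exactly one.
    return fnmatchcase(value, pattern)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Return True only if some Allow matches and no Deny matches."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False         # explicit deny: stop, no Allow can override it
        allowed = True           # remember the Allow, keep scanning for a Deny
    return allowed               # no matching statement at all: implicit deny


# Q1353-style policy: the deployer may invoke and inspect the function but has
# no lambda:UpdateFunctionCode, so `aws lambda update-function-code` fails.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-api"
LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
         "Resource": FUNCTION_ARN},
    ],
}

# Q1355-style policy: Allow s3:GetObject on the whole bucket, explicit Deny of
# every S3 action under the secret/ prefix.
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/secret/*"},
    ],
}


def lambda_case():
    return {
        "invoke": is_allowed(LAMBDA_POLICY, "lambda:InvokeFunction", FUNCTION_ARN),
        "update_code": is_allowed(LAMBDA_POLICY, "lambda:UpdateFunctionCode", FUNCTION_ARN),
    }


def s3_case():
    return {
        "public": is_allowed(S3_POLICY, "s3:GetObject",
                             "arn:aws:s3:::my-bucket/public/readme.txt"),
        "secret": is_allowed(S3_POLICY, "s3:GetObject",
                             "arn:aws:s3:::my-bucket/secret/config.txt"),
    }


if __name__ == "__main__":
    print(lambda_case())   # invoke allowed, update_code implicitly denied
    print(s3_case())       # public allowed, secret explicitly denied
```

The evaluator makes the two outcomes concrete: the Lambda policy never mentions lambda:UpdateFunctionCode, so the update is implicitly denied even though invocation is allowed, and the S3 Allow on my-bucket/* matches the secret object but is overridden by the Deny on secret/*. Statement order does not matter, since a Deny short-circuits wherever it appears in the list.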

1356
MCQ · medium

A developer runs the AWS CLI command above to view the latest log stream for a Lambda function. The output shows a log stream with lastEventTimestamp of 1710493200000 (approximately 1 hour ago). However, the function was invoked 5 minutes ago and did not produce any errors. What is the MOST likely explanation?

A.The Lambda function was not actually invoked 5 minutes ago.
B.The Lambda function execution role lacks permissions to write to CloudWatch Logs.
C.The log stream was deleted after the last invocation.
D.The command returned only the oldest log stream because of the limit and ordering parameters.
Answer: D

The command returned a single stream, but not the newest one; the limit and ordering parameters decide which stream is shown.

Why this answer

Option D is correct because describe-log-streams sorts by log stream name unless --order-by LastEventTime is specified, so a query that caps the output with --limit 1 (or that relies on --descending with the default ordering) shows an arbitrary older stream rather than the one written by the invocation five minutes ago; newer streams exist but were cut off by the limit. To see the latest stream, run describe-log-streams with --order-by LastEventTime --descending --limit 1, and keep in mind that lastEventTimestamp is updated on an eventual-consistency basis and can itself lag ingestion. Option A is wrong because the invocation did occur and completed without error. Option B is wrong because the log stream exists, which already required CloudWatch Logs write permission from the execution role. Option C is wrong because log streams are not deleted after an invocation; only the group's retention setting removes log data.

1357
MCQ · medium

A company wants to use AWS KMS to encrypt data in an S3 bucket. They need to rotate the CMK annually. Which key type should they use to enable automatic rotation?

A.AWS managed key (aws/s3)
B.Customer managed key (CMK)
C.Custom key store
D.AWS owned key
Answer: A

Automatic annual rotation with nothing to configure.

Why this answer

AWS managed keys such as aws/s3 are rotated by AWS KMS automatically once a year, with nothing to enable, which satisfies the annual rotation requirement without manual intervention. Rotation in KMS replaces the key material behind the same key ID; earlier material is retained so existing ciphertext still decrypts, and objects already stored are not re-encrypted. Rotation therefore limits how much future data is protected by any one set of material rather than retroactively reducing exposure of data already written.

Exam trap

The trap here is that candidates often assume customer managed keys (CMKs) are the only way to get automatic rotation, but AWS managed keys (aws/s3) already provide automatic annual rotation without any setup, making them the correct choice for this specific requirement.

How to eliminate wrong answers

Option B is wrong for this question because automatic rotation on a customer managed key is off until you enable it on each key (once enabled, the period defaults to one year and is configurable between 90 and 2,560 days), whereas the requirement is met with no setup by the AWS managed key. Option C is wrong because keys in a custom key store (backed by CloudHSM) do not support automatic rotation; rotation means creating a new key and re-pointing to it. Option D is wrong because AWS owned keys are used by AWS services on your behalf and are not visible in your account, so you cannot control or verify their rotation schedule.

1358
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted using SSE-KMS with a specific KMS key from the central security account. They also want to prevent any unencrypted bucket creation. A developer in the development account creates a new S3 bucket and enables default encryption using SSE-S3. The bucket creation succeeds, but the security team wants to prevent this. The developer argues that the bucket still encrypts data at rest. Compliance requires SSE-KMS only. What should the security team do to enforce this policy across all accounts?

A.Create an IAM policy in the central security account that denies s3:PutBucketEncryption if the encryption is not SSE-KMS.
B.Use AWS Config to detect non-compliant buckets and automatically apply default encryption with SSE-KMS.
C.Enable CloudTrail to log all S3 API calls and manually review for non-compliant buckets.
D.Create a service control policy (SCP) that denies s3:PutObject and s3:PutBucketEncryption unless the encryption is SSE-KMS with the specific KMS key.
Answer: D

An SCP applies the condition to every account in the organization.

Why this answer

Option D is correct because a service control policy (SCP) attached at the AWS Organizations root or OU level is evaluated for every principal in every member account, so developers cannot sidestep it with account-level IAM changes. The S3 condition keys `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` are evaluated against the headers of s3:PutObject requests, so the SCP can deny any upload that does not name SSE-KMS with the designated key; the s3:PutBucketEncryption deny governs who may change a bucket's default-encryption configuration. A bucket configured with SSE-S3 may therefore still exist, but nothing can be written to it except under the approved key. Because the keys are checked on the request itself, clients that rely on bucket default encryption and omit the header are also denied; whether such requests should pass is decided with the ...IfExists condition operators or a separate Null check, so test the SCP against the SDKs and tools your teams actually use before enforcing it.

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-scoped) with SCPs (which are organization-wide), and assume that AWS Config remediation or CloudTrail can proactively enforce encryption, when in fact only SCPs can deny the API call at the point of creation across all accounts.

How to eliminate wrong answers

Option A is wrong because an IAM policy in the central security account only applies to principals in that account, not to developers in other accounts, and cannot prevent bucket creation across the organization. Option B is wrong because AWS Config can detect non-compliant buckets and trigger remediation (e.g., via Lambda), but it is reactive—it does not prevent the initial creation of an unencrypted bucket, which the security team explicitly wants to block. Option C is wrong because CloudTrail logging only provides auditing after the fact, not proactive enforcement; manual review is impractical and does not prevent non-compliant bucket creation.

1359
MCQ · medium

A developer is building a serverless application that processes user-submitted images. The images are uploaded to an S3 bucket, which triggers an AWS Lambda function that creates a thumbnail and stores it in another S3 bucket. The developer notices that sometimes the Lambda function is invoked multiple times for a single image upload. What should the developer configure to ensure idempotent processing?

A.Enable S3 event notifications with a suffix filter.
B.Use an SQS queue to decouple S3 events.
C.Implement a DynamoDB table to track processed objects.
D.Increase the Lambda function's timeout.
Answer: C

Correct. Recording each processed object (with a conditional write before processing) lets the function detect a redelivered event and skip it, which is what makes the processing idempotent.

Why this answer

Option C is correct because S3 event notifications are delivered at least once, so the same ObjectCreated event can arrive twice. By writing the object's bucket, key and ETag (or the event's sequencer) to a DynamoDB table with a TTL, using a conditional put that fails if the item already exists, the Lambda function can tell a duplicate from a genuinely new upload and skip it. Keying on the ETag rather than the key alone matters: an overwrite of the same key with new content is new work, while a redelivered event for the same content is not.

Exam trap

The trap here is that candidates often assume SQS or filters guarantee exactly-once delivery, but AWS services like S3 and SQS both use at-least-once semantics, so idempotency must be implemented at the consumer level.

How to eliminate wrong answers

Option A is wrong because suffix filters only control which objects trigger notifications based on file extension; they do not prevent duplicate invocations for the same object. Option B is wrong because while an SQS queue can buffer events and reduce throttling, it does not eliminate duplicate events—S3 still sends at-least-once notifications to SQS, so duplicates can still occur. Option D is wrong because increasing the Lambda timeout only allows the function to run longer; it does not address the root cause of duplicate invocations or provide idempotency.
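The dedup-table approach described above, as an added example that is not from the question bank and not AWS sample code. The claim is a conditional write (put only if no record exists), which in DynamoDB is `put_item(Item=..., ConditionExpression="attribute_not_exists(pk)")` raising ConditionalCheckFailedException on a duplicate; the in-memory ProcessedStore here reproduces that semantic so the example runs offline, and the event payloads, bucket name, keys and ETags are constructed. The handler also releases the claim when processing fails, so a retry is not wrongly treated as a duplicate.

```python
"""Added example, not part of the question bank: idempotent handling of S3
event notifications. The dedup key is bucket/key#eTag so that an overwrite
with new content is still processed; the claim is a conditional write, which
in DynamoDB is put_item(..., ConditionExpression="attribute_not_exists(pk)")
raising ConditionalCheckFailedException on a duplicate. ProcessedStore is a
constructed in-memory stand-in for that table; events are constructed too."""
import time


class AlreadyClaimed(Exception):
    pass


class ProcessedStore:
    """Constructed stand-in for the DynamoDB table with a TTL attribute."""

    def __init__(self, ttl_seconds=86400):
        self.ttl = ttl_seconds
        self.items = {}

    def claim(self, pk, now):
        rec = self.items.get(pk)
        if rec is not None and rec["expires"] > now:
            raise AlreadyClaimed(pk)   # DynamoDB: ConditionalCheckFailedException
        self.items[pk] = {"expires": now + self.ttl, "status": "IN_PROGRESS"}

    def finish(self, pk):
        self.items[pk]["status"] = "DONE"

    def release(self, pk):
        self.items.pop(pk, None)       # let a retry reprocess after a failure


def dedup_key(record):
    s3 = record["s3"]
    # The eTag changes with the content, so an overwrite of the same key is
    # new work, while a redelivered event for the same upload is not.
    return f'{s3["bucket"]["name"]}/{s3["object"]["key"]}#{s3["object"]["eTag"]}'


def handle_event(event, store, make_thumbnail, now=None):
    """Process each record at most once; returns one outcome per record."""
    now = time.time() if now is None else now
    outcomes = []
    for record in event["Records"]:
        pk = dedup_key(record)
        try:
            store.claim(pk, now)       # claim first, so a duplicate in flight loses
        except AlreadyClaimed:
            outcomes.append("skipped-duplicate")
            continue
        try:
            make_thumbnail(record["s3"]["object"]["key"])
        except Exception:
            store.release(pk)          # do not poison the key on failure
            outcomes.append("failed")
            continue
        store.finish(pk)
        outcomes.append("processed")
    return outcomes


def s3_event(key, etag):
    # Constructed minimal ObjectCreated:Put notification payload
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": "uploads-bucket"},
                                "object": {"key": key, "eTag": etag}}}]}


def demo():
    """Original event, the same event redelivered, then an overwrite."""
    store, made = ProcessedStore(), []
    event = s3_event("photos/cat.jpg", "9e107d9d372bb6826bd81d3542a419d6")
    first = handle_event(event, store, made.append, now=1000)
    dup = handle_event(event, store, made.append, now=1001)
    overwrite = handle_event(s3_event("photos/cat.jpg", "e4d909c290d0fb1ca068ffaddf22cbd0"),
                             store, made.append, now=1002)
    return first + dup + overwrite, len(made)


def demo_failure():
    """A failed attempt releases the claim so the retry is processed."""
    store = ProcessedStore()
    event = s3_event("photos/dog.jpg", "abc")

    def broken(key):
        raise RuntimeError("resize failed")

    return handle_event(event, store, broken, now=1) + \
        handle_event(event, store, lambda key: None, now=2)


if __name__ == "__main__":
    print(demo(), demo_failure())
```

The first run produces processed, skipped-duplicate, processed with only two thumbnails made, and the failure run produces failed, processed. Two details to carry into a real deployment: a claim left IN_PROGRESS by a crash or timeout is only reclaimed when the TTL expires, so use a shorter expiry for in-progress records than for completed ones; and real notifications URL-encode the object key, so decode it before building the dedup key.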

1360
MCQ · medium

A developer uses AWS CodeBuild to run unit tests. The build succeeds but the tests fail. The developer wants to fail the build if tests fail. What should the developer do?

A.Ensure the test command exits with a non-zero status on failure.
B.Run tests in the post_build phase.
C.Set the command to always exit 0.
D.Enable build badges.
Answer: A

CodeBuild fails build on non-zero exit.

Why this answer

In CodeBuild, the build phase succeeds or fails based on the exit code of the commands in the buildspec. By default, if a test command exits with a non-zero status, CodeBuild marks the build as FAILED. Therefore, ensuring the test command exits with a non-zero status on failure is the correct approach to fail the build when tests fail.

Exam trap

The trap here is that candidates may think moving tests to a different phase (post_build) or enabling badges will fix the issue, but the core mechanism is the exit code of the command, not the phase or visual indicators.

How to eliminate wrong answers

Option B is wrong because running tests in the post_build phase does not change the exit code behavior; the post_build phase also respects exit codes, but the issue is about the test command's exit status, not the phase. Option C is wrong because setting the command to always exit 0 would suppress the failure indication, causing the build to succeed even when tests fail, which is the opposite of the desired outcome. Option D is wrong because enabling build badges only adds a visual status badge to the repository; it does not affect build success or failure behavior.

1361
MCQ · medium

A developer is building a serverless application that processes personally identifiable information (PII). The application uses API Gateway, Lambda, and DynamoDB. The developer needs to ensure that the PII is encrypted at rest in DynamoDB. The company already uses AWS KMS with a customer-managed key for other services. The developer wants to reuse the same KMS key for DynamoDB. After enabling encryption with the KMS key, the Lambda function fails to write to the table with an AccessDenied error. The Lambda execution role has dynamodb:PutItem permission. What is the most likely cause?

A.The Lambda execution role lacks kms:Encrypt and kms:Decrypt permissions on the customer-managed KMS key.
B.The Lambda execution role does not have DynamoDB write permissions.
C.The DynamoDB table has a resource-based policy that denies access.
D.The Lambda function is not in a VPC, so it cannot access the KMS key.
Answer: A

Permission to use the KMS key is required to write to an encrypted table.

Why this answer

When a DynamoDB table is encrypted with a customer managed key, DynamoDB calls AWS KMS on behalf of the caller to obtain the table's data key, so the principal performing PutItem must be allowed to use that key, both in its own IAM policy and in the key policy (which typically scopes this with a kms:ViaService condition for dynamodb.<region>.amazonaws.com). Even with dynamodb:PutItem granted, a role lacking kms:Encrypt and kms:Decrypt on the specific key (in practice also kms:GenerateDataKey* and kms:DescribeKey) gets an AccessDenied error from the write: the table-level IAM check passes, the key-level check does not.

Exam trap

The trap here is that candidates assume DynamoDB's built-in encryption with a KMS key is transparent and does not require additional IAM permissions beyond the DynamoDB actions, but in reality, the caller must have explicit KMS permissions on the key for any read or write operation.

How to eliminate wrong answers

Option B is wrong because the question explicitly states that the Lambda execution role has dynamodb:PutItem permission, so the failure is not due to missing DynamoDB write permissions. Option C is wrong because there is no mention of a resource-based policy on the DynamoDB table, and the error is specifically related to KMS permissions, not a table policy denying access. Option D is wrong because Lambda functions do not need to be in a VPC to access KMS; KMS is a regional service accessible over the public AWS network, and VPC configuration is irrelevant to KMS key access permissions.

1362
Drag & Drop · medium

Drag and drop the steps to troubleshoot an application that cannot connect to an RDS database in the correct order.

Why this order

Start with network connectivity, then security groups, credentials, direct connection test, and finally database logs.

1363
Multi-Select · hard

Which THREE actions can a developer take to improve the cold start latency of an AWS Lambda function?

Select 3 answers
A.Use a language runtime with faster startup time, such as Python or Node.js.
B.Place the Lambda function inside a VPC.
C.Enable provisioned concurrency for the function.
D.Increase the function's memory allocation.
E.Increase the function's timeout setting.
Answers: A, C, D

Interpreted runtimes such as Python and Node.js have lower initialization overhead than Java or .NET.

Why this answer

Options A, C and D are correct. Provisioned concurrency (C) keeps initialized execution environments ready, so requests do not wait for a cold start at all. A lighter runtime (A) shortens the initialization that every cold start pays for. More memory (D) also buys proportionally more CPU, which speeds up the init phase as well as the handler.

Option B is wrong because attaching a function to a VPC does not reduce cold starts; the ENI setup it adds was once a major source of extra latency and, even after Lambda's Hyperplane ENI changes shrank it, it is at best neutral. Option E is wrong because the timeout only bounds how long an invocation may run and has no effect on initialization time. Provisioned concurrency is billed whether or not the environments are used, so size it from observed concurrency rather than a guess.

1364
MCQ · hard

A developer deployed a new Lambda function that processes messages from an SQS queue. The function runs correctly for small workloads but starts timing out after 15 seconds when traffic increases. The function has a reserved concurrency of 10 and a timeout of 30 seconds. CloudWatch logs show occasional throttling errors (429). What is the MOST likely cause?

A.The function memory is too low.
B.The reserved concurrency is too low.
C.The SQS batch size is too large.
D.The function timeout is too low.
Answer: B

Low reserved concurrency causes throttling (429); batches go back to the queue, wait and are retried, and processing stalls.

Why this answer

Option B is correct: the 429 errors in the logs are Lambda throttles, which occur when the SQS event source mapping tries to scale beyond the 10 concurrent executions the reserved concurrency allows. Throttled batches return to the queue and are retried after the visibility timeout, so messages pile up and the workload appears to time out. Option A is wrong because too little memory slows each invocation but does not produce throttling errors. Option C is wrong because batch size changes how much work each invocation does, not how many may run at once; it cannot cause 429s. Option D is wrong because the 30-second timeout is not the limit being hit; the symptom is queuing behind the concurrency cap.

When tuning, remember that AWS recommends reserved concurrency of at least 5 for an SQS event source, and that the event source mapping's maximum concurrency setting is the better way to cap the SQS poller without starving the function of concurrency for other triggers.

1365
MCQ · easy

A developer is deploying an application on Amazon ECS using the Fargate launch type. The application needs to read configuration data from an Amazon S3 bucket. How should the developer securely provide the S3 bucket name to the container at runtime?

A.Define an environment variable in the ECS task definition with the bucket name.
B.Hardcode the bucket name in the application code.
C.Use AWS Systems Manager Parameter Store and retrieve the bucket name at startup.
D.Store the bucket name in the container image's environment file.
Answer: A

Environment variables set in the task definition are available to the container at runtime.

Why this answer

Option A is correct because a bucket name is configuration, not a secret: defining it as an environment variable in the task definition makes it available to the container at startup and changeable per deployment, while the task role (an IAM role attached to the task definition) provides the actual access to the bucket with no credentials inside the container. Option B is wrong because hardcoding ties the image to one bucket and requires a rebuild to change it. Option D is wrong because a file baked into the image is just as static as hardcoded code.

Option C is wrong only in the sense of being unnecessary here: Parameter Store is the right place for values you want centrally managed, but a plain bucket name does not need it. Task definition environment variables are readable by anyone with ecs:DescribeTaskDefinition, so real secrets (passwords, API keys) should be injected through the container definition's secrets/valueFrom reference to Secrets Manager or Parameter Store rather than placed in environment.

1366
MCQ · easy

A developer is designing a web application that will run on EC2 instances behind an Application Load Balancer. The application needs to authenticate users. Which service should the developer use to manage user identities and provide single sign-on?

A.AWS IAM
B.Amazon Cognito
C.AWS Directory Service
D.AWS Security Token Service (STS)
Answer: B

User pools for app authentication.

Why this answer

Amazon Cognito is the correct choice because it is a fully managed identity service designed for web and mobile applications. It provides user sign-up, sign-in and access control, and supports single sign-on (SSO) through federation with social identity providers (e.g., Google, Facebook) and enterprise identity providers via SAML 2.0 or OIDC. Because the application sits behind an Application Load Balancer, the ALB's built-in authenticate-cognito listener action can run the Cognito login flow at the load balancer and pass the verified identity to the EC2 targets in the x-amzn-oidc-* headers; the application should still validate the signed x-amzn-oidc-data header and accept traffic only from the load balancer's security group, since those headers are trusted only when they cannot be forged by a direct request to the instance.

Exam trap

The trap here is confusing AWS IAM (for AWS resource access) with a customer-facing identity service, leading candidates to choose IAM for user authentication instead of Cognito.

How to eliminate wrong answers

Option A is wrong because AWS IAM is designed for managing permissions for AWS services and resources, not for authenticating end users of a web application; it lacks built-in user registration, sign-in UI, and SSO federation for external identities. Option C is wrong because AWS Directory Service is primarily for integrating with Microsoft Active Directory or creating managed directories for enterprise workloads, not for providing a simple, scalable user identity store with social login or SSO for web applications. Option D is wrong because AWS Security Token Service (STS) is used to issue temporary security credentials for AWS API requests, not for managing user identities or providing authentication and SSO for application users.

1367
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. A developer wants to update a stack but needs to ensure that certain resources are not accidentally deleted. The developer wants to protect specific resources from stack updates that would delete them. Which CloudFormation feature should the developer use?

A.Enable termination protection on the stack
B.Use a Change Set to review changes before applying them
C.Use a stack policy to prevent deletion of specific resources
D.Set the DeletionPolicy attribute to Retain on the resources
Answer: D

DeletionPolicy: Retain keeps the underlying resource even when a stack update or stack deletion would remove it.

Why this answer

Option D is correct because DeletionPolicy is set per resource in the template: with Retain, CloudFormation drops the resource from the stack's management when an update removes it or the stack is deleted, but leaves the physical resource (database, bucket, table) in place, so an accidental template change cannot destroy data. Option A is wrong because termination protection only blocks deletion of the whole stack; it does nothing for individual resources during an update. Option B is wrong because a change set lets you review what an update will do but does not stop the deletion once the change set is executed.

Option C is the closest alternative: a stack policy can block Update:Delete and Update:Replace for named logical resources during stack updates, but it is a separate, stack-level document that must be maintained alongside the template and gives no protection when the stack itself is deleted, whereas DeletionPolicy travels with the resource definition. In practice, use both on stateful resources, and remember that a retained resource is no longer managed and must be cleaned up or re-imported deliberately.

1368
Multi-Select · hard

A developer is using Amazon Kinesis Data Streams to ingest real-time events. The application uses the Kinesis Client Library (KCL) to process records. The developer notices that one shard is falling behind while others are processing fine. Which THREE actions can help improve processing of the lagging shard? (Choose THREE.)

Select 3 answers
A.Use Enhanced Fan-Out to reduce contention.
B.Decrease the record size by compressing the data.
C.Reduce the number of shards in the stream.
D.Increase the number of KCL workers processing the shard.
E.Split the hot shard into multiple shards using resharding.
Answers: A, D, E

Enhanced fan-out gives each consumer its own read throughput; more workers and resharding spread the load.

Why this answer

Options A, D and E are correct. A: with enhanced fan-out each registered consumer gets dedicated 2 MB/s read throughput per shard, pushed over HTTP/2, so the lagging consumer stops competing with other consumers for the shard's shared GetRecords quota. D: KCL assigns each shard lease to exactly one worker at a time, so extra workers do not parallelize a single shard, but they let lease balancing move the hot shard to a less-loaded worker and give the other shards somewhere else to go. E: splitting the hot shard divides its hash key range, and with it the record volume, across two shards that are processed in parallel.

Option B is wrong because compressing records lowers bytes per record but leaves the record count, and therefore the per-shard processing work, unchanged. Option C is wrong because merging shards reduces parallelism and would make the lag worse. If the lag comes from one hot partition key rather than general volume, resharding does not help, since every record for that key still lands in a single shard; check the key distribution first.

1369
MCQ · hard

A company uses AWS CodeBuild to build and test code. The buildspec.yml includes a pre-build phase that downloads dependencies from a private repository. The developer wants to securely store the credentials for the private repository. Which AWS service should the developer use to store these credentials and reference them in the buildspec?

A.Store the credentials in an S3 bucket with server-side encryption.
B.Store the credentials in AWS Secrets Manager and use the AWS CLI in the build phase to retrieve them.
C.Store the credentials in the buildspec.yml file as environment variables.
D.Store the credentials in AWS Systems Manager Parameter Store and reference them in the buildspec.
Answer: D

Parameter Store SecureString parameters can be referenced directly from the buildspec env section.

Why this answer

Option D is correct because the buildspec's env section supports a parameter-store mapping that resolves SecureString parameters into environment variables before the phases run, so the credentials never appear in the buildspec or the repository. Option C is wrong because credentials written into buildspec.yml are committed to source control in plaintext. Option A is wrong because an S3 object, even with server-side encryption, is still a file the build must fetch and parse, with no secret-specific access control, versioning or rotation support.

Option B is the weaker of the two secret stores as phrased: Secrets Manager is a fine place for the credentials, and the buildspec can reference it natively through an env secrets-manager mapping, but retrieving the value with ad-hoc AWS CLI calls in the build phase adds script that can echo the value into the build log. Whichever store is used, grant the CodeBuild service role access to the specific parameter or secret only, plus the KMS key that protects it.

1370
Multi-Select · medium

Which TWO actions can help reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer? (Select TWO.)

Select 2 answers
A.Increase the EC2 instance size to a larger type.
B.Use Amazon CloudFront as a content delivery network.
C.Disable keep-alive connections on the ALB.
D.Use multiple Availability Zones for the ALB.
E.Enable HTTP/2 on the Application Load Balancer.
Answers: B, E

CloudFront caches content at edge locations, reducing latency.

Why this answer

Enabling HTTP/2 on the ALB (E) reduces latency by multiplexing many requests over a single TLS connection, avoiding repeated handshakes and head-of-line blocking at the connection level. CloudFront (B) serves cached content from edge locations close to users and keeps persistent connections to the origin for cache misses. Option A is wrong because a larger instance may not reduce latency when the bottleneck is network round trips or I/O rather than CPU.

Option D is wrong because spreading the ALB across Availability Zones improves availability and capacity, not latency. Option C is wrong because disabling keep-alive forces a new connection for every request and adds latency.

1371
MCQ · medium

A developer is using the AWS Serverless Application Model (SAM) to define a serverless application with an API Gateway endpoint. The developer wants to enable API caching only in the development stage to speed up testing, but disable it in the production stage to ensure data freshness. What is the most efficient way to achieve this with SAM?

A.Use AWS SAM parameters with a condition to set CacheClusterEnabled based on the stage parameter.
B.Deploy two separate SAM templates, one for each stage.
C.Use a custom resource to toggle caching after deployment.
D.Enable caching globally and configure a usage plan with a quota for production.
Answer: A

Correct. This allows a single template to behave differently per stage without manual edits.

Why this answer

AWS SAM parameters allow you to define a stage parameter (e.g., 'dev' or 'prod') and use a condition to conditionally set the `CacheClusterEnabled` property on the `AWS::Serverless::Api` resource. This is the most efficient approach because it uses a single template and SAM's built-in intrinsic functions (like `Fn::Equals`) to toggle caching based on the deployment stage, avoiding separate templates or post-deployment custom resources.

Exam trap

The trap here is that candidates may think caching must be managed via usage plans or custom resources, overlooking SAM's ability to conditionally set API Gateway stage properties directly through parameters and conditions in a single template.

How to eliminate wrong answers

Option B is wrong because deploying two separate SAM templates duplicates infrastructure code and increases maintenance overhead, which is less efficient than using a single parameterized template. Option C is wrong because using a custom resource to toggle caching after deployment adds unnecessary complexity and latency, and SAM already supports conditional resource properties natively. Option D is wrong because enabling caching globally and using a usage plan with a quota does not disable caching for production; usage plans control throttling and API keys, not the API Gateway cache behavior, and caching would still be active in production, violating the requirement for data freshness.

1372
Multi-Select · medium

A developer is deploying a web application using AWS Elastic Beanstalk. The application needs to store session state. Which THREE services can be used for session state storage? (Choose THREE.)

Select 3 answers
A.Amazon ElastiCache for Redis
B.Amazon DynamoDB
C.Amazon S3
D.Amazon CloudFront
E.Amazon RDS
AnswersA, B, E

Redis is an in-memory store ideal for sessions.

Why this answer

Options A, B, and E are correct. ElastiCache for Redis is an in-memory store and the most common choice for session state; DynamoDB is a common serverless session store (and is what the Elastic Beanstalk .NET session-state provider uses); RDS can hold session rows in a relational table. Option C is wrong because S3 is object storage, whose per-request latency and cost make it unsuitable for session state.

Option D is wrong because CloudFront is a CDN, not a storage service.

1373
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be rotated automatically every 12 months. Which type of KMS key should be used?

A.Custom key store (CloudHSM)
B.AWS owned key
C.AWS managed key
D.Customer managed key
AnswerC

AWS managed keys are automatically rotated every year (12 months), meeting the requirement.

Why this answer

AWS managed keys are rotated automatically every year, and that rotation cannot be turned off. Customer managed keys also support automatic rotation with a default period of one year, but rotation is disabled until you enable it on each key. Keys in a custom key store (CloudHSM) do not support automatic rotation, and AWS owned keys are rotated on a schedule you can neither see nor control, so neither satisfies a stated 12-month requirement.

AWS managed keys are the simplest way to meet the requirement.

1374
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to a fleet of EC2 instances in an Auto Scaling group. The application must remain available during the deployment. The developer wants to update one instance at a time, ensuring that only one instance is taken offline at any moment. Which deployment configuration should the developer choose?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.LambdaCanary10Percent5Minutes
AnswerA

This configuration deploys to exactly one instance at a time. It ensures minimal disruption because only one instance is removed from service during each deploy interval.

Why this answer

CodeDeployDefault.OneAtATime is the correct deployment configuration because it deploys the application to only one instance at a time, ensuring that the remaining instances continue to serve traffic. This matches the requirement to take only one instance offline at any moment, preserving high availability throughout the deployment.

Exam trap

The trap here is that candidates may confuse 'one at a time' with 'half at a time' or 'all at once' due to misreading the requirement for minimal disruption, or they may incorrectly apply a Lambda-specific configuration to an EC2 deployment.

How to eliminate wrong answers

Option B is wrong because CodeDeployDefault.HalfAtATime deploys to half of the instances simultaneously, which would take multiple instances offline at once, violating the requirement to update only one instance at a time. Option C is wrong because CodeDeployDefault.AllAtOnce deploys to all instances concurrently, taking the entire fleet offline simultaneously and causing downtime. Option D is wrong because CodeDeployDefault.LambdaCanary10Percent5Minutes is a deployment configuration for AWS Lambda functions, not for EC2 instances in an Auto Scaling group, and it uses a canary traffic-shifting pattern irrelevant to EC2-based deployments.

1375
MCQmedium

A developer set up a Lambda function that reads from an SQS queue and processes messages. The function sometimes times out. How can the developer improve security while minimizing execution time?

A.Use encryption at rest for the SQS queue
B.Enable a dead-letter queue (DLQ) for the SQS queue
C.Increase the Lambda function timeout to 15 minutes
D.Reduce the SQS visibility timeout to match the Lambda function's timeout
AnswerD

Aligning the visibility timeout with the function timeout keeps a message hidden for exactly as long as one invocation can run, so it is neither released early to a second consumer nor held longer than necessary.

Why this answer

Option D is correct because the visibility timeout is what stops another consumer from receiving the same message while an invocation is still processing it; deriving it from the function timeout means a message is hidden for as long as one attempt can last. A practitioner's caveat: for an SQS event source mapping AWS recommends a visibility timeout of at least six times the function timeout, to cover the retries the poller performs, so "match" should be read as "derive from" and never as "set shorter than", otherwise the same message is processed twice in parallel. Option C is wrong because raising the timeout to 15 minutes masks the slow path and does nothing for security. Option B is wrong because a DLQ captures messages that keep failing; it does not shorten execution time.

Option A is wrong because encryption at rest does not affect execution time, and the question asks for a change that addresses both concerns.

1376
MCQmedium

A developer is creating a web application that uses Amazon Cognito for user authentication. The application needs to verify the identity of users before allowing access to the API. Which Cognito feature should the developer use?

A.User Pools
B.Identity Pools
C.Cognito Sync
D.Cognito Events
AnswerA

User Pools handle user authentication and produce tokens that can be verified to grant API access.

Why this answer

Amazon Cognito User Pools provide a fully managed identity and access management service specifically designed for user authentication and authorization in web and mobile applications. They handle user sign-up, sign-in, and identity verification through features like multi-factor authentication (MFA) and JSON Web Token (JWT) issuance, making them the correct choice for verifying user identity before granting API access.

Exam trap

The trap here is confusing Identity Pools (which grant AWS credentials) with User Pools (which authenticate users), leading candidates to select Identity Pools when the question explicitly asks about verifying user identity, not granting AWS resource access.

How to eliminate wrong answers

Option B (Identity Pools) is wrong because Identity Pools are used to exchange user tokens (from a User Pool or other identity provider) for temporary AWS credentials to access AWS services like DynamoDB or S3, not for authenticating users directly. Option C (Cognito Sync) is wrong because Cognito Sync is a deprecated service for synchronizing user profile data across devices, not for identity verification. Option D (Cognito Events) is wrong because Cognito Events are AWS Lambda triggers that run during User Pool operations (e.g., pre-sign-up), but they do not perform user authentication themselves.

1377
Multi-Selecteasy

A company is using AWS Elastic Beanstalk to deploy a web application. The environment is running behind a load balancer. The developer needs to ensure that the application logs are centralized and retained for analysis. Which TWO services can be used to collect and store logs from the EC2 instances?

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS X-Ray
C.Amazon Kinesis Data Firehose
D.AWS CloudTrail
E.Amazon S3
AnswersA, E

The CloudWatch agent (or Elastic Beanstalk's built-in instance log streaming) sends logs directly to CloudWatch Logs.

Why this answer

Elastic Beanstalk can stream instance logs to CloudWatch Logs through the CloudWatch agent for centralized storage with a retention period, and it can rotate and publish instance logs to an S3 bucket; S3 is also the export destination for CloudWatch Logs archives. X-Ray is for tracing, not log collection.

Kinesis Data Firehose can stream logs onward to destinations, but instances do not write to it as a store. CloudTrail records API calls, not application logs.

1378
MCQmedium

A company is using Amazon DynamoDB as the database for a web application. The application reads and writes items based on a primary key. The traffic pattern shows that reads are 10 times more frequent than writes. The development team wants to reduce read latency and costs. They are considering adding a cache layer. The data is not sensitive, but stale data is acceptable for up to 5 minutes. The application runs on EC2 instances. What should the team do to implement caching?

A.Use Amazon DynamoDB Accelerator (DAX) as a caching layer.
B.Store frequently accessed items in an S3 bucket and read from S3.
C.Set up an Amazon ElastiCache Memcached cluster and update the application to check the cache before reading from DynamoDB.
D.Use Amazon CloudFront to cache responses from the application.
AnswerC

Memcached is a simple, scalable cache for read-heavy workloads with acceptable staleness.

Why this answer

Option C is correct because an ElastiCache for Memcached cluster gives the EC2 application a distributed in-memory cache suited to a read-heavy workload: the application checks the cache first, reads DynamoDB on a miss, and stores the item with a TTL of up to 300 seconds, which matches the tolerated staleness. Option A is treated as incorrect in this question's framing because DAX is tightly coupled to the DynamoDB API and is considered more than the workload needs; note that DAX is the purpose-built, code-light choice when the client already uses the DynamoDB SDK, so read the distinguishing details carefully on similar questions. Option D is incorrect because CloudFront caches HTTP responses at the edge, not database reads inside the application.

Option B is incorrect because S3 is object storage with per-request latency far above an in-memory cache, and it is not suitable for low-latency caching of database items.

1379
MCQmedium

A developer has deployed a serverless application using AWS SAM. After a recent update, the API Gateway endpoints return 500 errors. The Lambda function logs show no errors. What should the developer investigate first?

A.Increase the Lambda function timeout.
B.Check the Lambda function's reserved concurrency.
C.Review the CloudFormation stack events for any failures.
D.Verify the API Gateway integration response and mapping templates.
AnswerD

Incorrect mapping can cause API Gateway to return 500 even if Lambda executes successfully.

Why this answer

Option D is correct because when API Gateway returns 500 errors but Lambda logs show no errors, the issue is typically in the API Gateway integration response or mapping templates. API Gateway may fail to transform the Lambda response into the expected format, causing an internal server error without the Lambda function ever throwing an exception.

Exam trap

The trap here is that candidates assume 500 errors always originate from the Lambda function, but the question explicitly states Lambda logs show no errors, forcing the candidate to look at the API Gateway integration layer instead.

How to eliminate wrong answers

Option A is wrong because increasing the Lambda function timeout would not resolve 500 errors if the function is completing successfully (as indicated by no errors in logs); a timeout would surface as a 502 from a Lambda function error or a 504 from the API Gateway integration timeout, not as a 500. Option B is wrong because reserved concurrency controls the number of concurrent executions, not response formatting; concurrency issues would cause throttling (429 errors) or invocation failures, not 500 errors with successful logs. Option C is wrong because CloudFormation stack events would show deployment failures, but the question states the application was deployed successfully and only after an update the errors appeared; stack events would not reveal runtime integration issues between API Gateway and Lambda.

1380
MCQeasy

A developer wants to securely store database credentials used by a Lambda function. The credentials should be automatically rotated every 90 days. Which service should be used?

A.AWS Secrets Manager
B.AWS Key Management Service (KMS)
C.AWS Identity and Access Management (IAM)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager is designed for storing secrets with automatic rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, retrieving, and automatically rotating database credentials and other secrets. It supports native rotation with built-in integration for Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB) and Amazon DocumentDB, allowing you to configure automatic rotation every 90 days without custom code. The service encrypts secrets at rest using AWS KMS and enforces fine-grained access control via IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks native automatic rotation, which is explicitly required by the 90-day rotation requirement in the question.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not a secret storage service; it cannot store or rotate database credentials. Option C (IAM) is wrong because it manages users, groups, roles, and permissions for AWS API access, not database credentials; it has no mechanism to store or rotate secrets. Option D (AWS Systems Manager Parameter Store) is wrong because while it can store secrets as SecureString parameters, it does not natively support automatic rotation of credentials; you would need to build a custom rotation solution using Lambda, whereas Secrets Manager provides built-in rotation.

1381
MCQmedium

A developer is using AWS Lambda with an Amazon RDS MySQL database. The Lambda function frequently times out when connecting to the database. What is the MOST likely cause?

A.The Lambda function is not configured with enough memory
B.The Lambda function is not using a reserved concurrency limit
C.The Lambda function is not attached to the same VPC as the RDS instance
D.The Lambda function's execution role lacks RDS permissions
AnswerC

A Lambda function that is not attached to the VPC has no network path to an RDS instance in a private subnet.

Why this answer

Option C is correct. By default a Lambda function runs outside any customer VPC and can only reach public endpoints, so an RDS instance in a private subnet is unreachable and the TCP connection attempt hangs until the function times out. The fix is to configure the function with subnets in the RDS instance's VPC (or a peered VPC) and a security group that the database's security group allows on port 3306; no NAT gateway is needed for that path, since NAT is only required for internet access from VPC-attached functions. Option A would slow execution rather than cause connection timeouts; Option B affects scaling, not connectivity; Option D is irrelevant unless IAM database authentication is in use, and even then a permission failure is rejected quickly rather than timing out.

1382
MCQmedium

A developer is troubleshooting a Lambda function that times out sporadically. The function reads from an S3 bucket and processes CSV files. Which of the following is the MOST likely cause?

A.VPC configuration missing a NAT gateway.
B.Cold starts due to low invocation frequency.
C.S3 GET request throttling during high traffic.
D.Insufficient memory allocated to the Lambda function.
AnswerC

Under request bursts S3 can answer with 503 Slow Down; the SDK's retries with backoff stretch those invocations until some hit the timeout.

Why this answer

Sporadic timeouts usually point at a dependency that is sometimes slow or throttled rather than at a constant misconfiguration. When the request rate on a prefix spikes, S3 may respond with 503 Slow Down; the SDK retries with exponential backoff, so the function runs longer only during those bursts and occasionally exceeds its timeout. Cold starts add a predictable startup delay on the first invocation of an execution environment, not intermittent timeouts spread across runs.

Exceeding the memory allocation ends the invocation with an out-of-memory error rather than a timeout (a very low allocation also means less CPU, but that slows every run uniformly). A VPC configuration without a NAT gateway would make every call to S3 hang consistently, unless a gateway endpoint for S3 is attached to the route table.

1383
MCQhard

Refer to the exhibit. A developer creates a CloudFormation stack with the above template. The stack creation fails with the error 'The runtime parameter of nodejs18.x is not supported.' What is the most likely cause?

A.The ZipFile property cannot contain inline code for Node.js functions.
B.The IAM role is missing necessary permissions for CloudWatch Logs.
C.The Handler property is incorrect; it should be 'index.handler' but with the correct filename.
D.The runtime 'nodejs18.x' is not a valid Lambda runtime; use a supported runtime like 'nodejs16.x'.
AnswerD

The error says the Runtime value was rejected; the fix is to specify a runtime the Lambda service in that Region accepts.

Why this answer

The error message means CloudFormation passed a Runtime value that the Lambda service rejected. The fix is to set Runtime to an identifier that appears on the Lambda runtime list for the Region at deployment time; among the options only D addresses that. Note that this question is dated: nodejs18.x became a supported Lambda runtime in late 2022 and has since been deprecated in favour of newer releases, so the valid set should be checked against the current runtime list rather than memorized.

The other options are unrelated to the error: ZipFile is valid for inline Node.js code, a Handler mismatch produces an invocation error rather than a stack creation error, and a missing CloudWatch Logs permission affects logging at run time, not resource creation.

1384
MCQhard

A team is using AWS CodePipeline with multiple stages: Source, Build, Test, and Deploy. The Deploy stage uses AWS CodeDeploy to deploy to an EC2 Auto Scaling group. The pipeline runs successfully, but the application still serves the old version. What is the most likely cause?

A.The CodeDeploy deployment group is associated with a different Auto Scaling group than the one serving traffic.
B.The load balancer's target group is not pointing to the correct instances.
C.The build artifact in the Source stage is corrupted.
D.The CodeBuild stage failed silently and did not produce a new artifact.
AnswerA

The deployment goes to the wrong instances, so the live instances are not updated.

Why this answer

Option A is correct because if the CodeDeploy deployment group targets a different Auto Scaling group, the new revision is installed on instances that are not behind the load balancer; the fleet that serves traffic keeps running the old build while every pipeline stage reports success. Option B is incorrect because a target group pointing at the wrong instances would cause health-check failures or no traffic at all, not a successful deployment that still serves the old version. Option C is incorrect because a corrupted artifact would fail the Build or Deploy stage rather than let the pipeline succeed.

Option D is incorrect because a failed CodeBuild stage stops the pipeline before it reaches Deploy; CodePipeline does not proceed past a failed action.

1385
MCQhard

A company is using AWS CloudFormation to manage infrastructure. The developer wants to update a stack but needs to prevent specific resources from being replaced. What CloudFormation feature should the developer use?

A.Use a custom resource to manage the update logic.
B.Apply a stack policy that denies updates to the specific resources.
C.Create a change set to review the changes before execution.
D.Use a deletion policy attribute on the resources to protect them.
AnswerB

Stack policies can prevent updates to specified resources.

Why this answer

A stack policy is a JSON-based policy that defines which resources in a CloudFormation stack can be updated, replaced, or deleted. By applying a stack policy that denies updates to specific resources, the developer can prevent those resources from being replaced during a stack update, even if the template change would normally trigger a replacement.

Exam trap

The trap here is confusing a deletion policy (which governs what happens to a resource's physical copy once it is being deleted or replaced) with a stack policy (which controls whether an update may touch the resource at all), leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because custom resources are used to implement custom provisioning logic (e.g., calling an external API) during stack operations, not to prevent resource replacement. Option C is wrong because a change set only allows you to preview the changes that will be made; it does not prevent specific resources from being replaced. Option D is wrong because a deletion policy (e.g., Retain, Snapshot) only controls what happens to the physical resource when it is removed, including the old copy discarded during a replacement; it does not stop the replacement itself.

1386
MCQeasy

A developer is building a serverless application that needs to process messages from an Amazon SQS queue and store the results in an Amazon DynamoDB table. Which AWS service should the developer use to orchestrate the processing logic without managing servers?

A.Amazon Elastic Container Service (ECS) with Fargate
B.Amazon EC2 instances with a custom application
C.AWS Lambda
D.AWS Step Functions
AnswerC

Lambda is a serverless compute service that can be triggered by SQS and write to DynamoDB.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that can be triggered by SQS messages via event source mappings, process each message, and write results to DynamoDB without provisioning or managing any servers. The developer simply uploads the processing code, and Lambda handles scaling, concurrency, and execution, making it ideal for this event-driven, serverless workflow.

Exam trap

The trap here is that candidates often confuse AWS Step Functions as a serverless orchestrator for simple tasks, but Step Functions is designed for coordinating multi-step workflows and state machines, not for directly processing individual SQS messages, which is a core Lambda use case.

How to eliminate wrong answers

Option A is wrong because Amazon ECS with Fargate, while serverless in terms of infrastructure management, still requires defining a container image, task definitions, and cluster configuration, which adds unnecessary overhead for a simple message-processing task that can be handled by a single function. Option B is wrong because Amazon EC2 instances require manual server provisioning, patching, scaling, and management, which violates the 'without managing servers' requirement of the question. Option D is wrong because AWS Step Functions is a state machine orchestration service designed to coordinate multiple AWS services and handle complex workflows, not to directly process individual SQS messages; using it here would introduce unnecessary complexity and cost compared to a direct Lambda trigger.

1387
Multi-Selecthard

Which THREE components are required to perform a blue/green deployment of an application running on Amazon ECS using AWS CodeDeploy? (Select THREE.)

Select 3 answers
A.An Amazon ECS cluster
B.An Application Load Balancer
C.An AWS CodeDeploy deployment group
D.An AWS CodeDeploy application
E.A target tracking scaling policy
AnswersB, C, D

The ALB is used to shift traffic between blue and green task sets.

Why this answer

Options B, C, and D are correct. A CodeDeploy application groups the deployments; the deployment group (with the ECS compute platform) names the ECS service, the load balancer listener, and the two target groups between which traffic is shifted; the Application Load Balancer is what performs that shift from the blue task set to the green one.

Option A is wrong in the sense the question intends: the ECS cluster hosts the service and must exist, but it is not a CodeDeploy blue/green component, since the deployment group references the service rather than the cluster. Option E is wrong because a target tracking scaling policy governs autoscaling of the service and is not required for a blue/green deployment.

1388
MCQeasy

A developer wants to securely transmit secrets to an EC2 instance at launch. Which approach is recommended?

A.Store secrets in environment variables within an AMI
B.Hardcode secrets in the application code
C.Pass secrets in user data as plain text
D.Use EC2 Instance Metadata Service (IMDSv2) to retrieve secrets from AWS Secrets Manager
AnswerD

An IAM instance role, with credentials obtained through IMDSv2, lets the instance fetch the secret from Secrets Manager at boot without the secret ever being passed in.

Why this answer

Option D is correct because the recommended pattern is to attach an IAM role to the instance and have the application (or a boot script) call Secrets Manager at launch. The instance obtains the role's temporary credentials from the Instance Metadata Service; with IMDSv2 that requires first obtaining a session token with a PUT request and sending it on every metadata request, which defeats the classic SSRF-to-metadata attack that IMDSv1 allowed. The secret itself is fetched over TLS, is encrypted at rest with KMS, and is never baked into the AMI or user data.

Exam trap

The trap here is that candidates may think user data is safe because it is consumed at launch, but user data is stored unencrypted and can be read at any later time by any process on the instance through the metadata service and by anyone with ec2:DescribeInstanceAttribute, whereas IMDSv2 plus Secrets Manager provides access control, encryption, and an audit trail.

How to eliminate wrong answers

Option A is wrong because storing secrets in environment variables within an AMI embeds them in the snapshot, making them accessible to anyone who can launch or inspect the AMI, and every launch shares the same secret. Option B is wrong because hardcoding secrets in application code exposes them in version control, build artifacts, and logs, and violates the principle of never storing secrets in code. Option C is wrong because user data is not encrypted, is visible in the EC2 console and through DescribeInstanceAttribute, and can be read by any process that can reach the metadata endpoint (with no token required at all if IMDSv1 is still enabled).
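The handshake described above, as an added example that is not part of the exam dump: the instance obtains an IMDSv2 session token, reads the role's temporary credentials with that token, and only then calls Secrets Manager. The transport is injectable so the exchange can be run without an EC2 instance; the fake metadata server at the bottom, the role name app-instance-role, the secret id, the Region and the credential values are all constructed for the demo, and boto3 is assumed to be installed on the instance (boto3 performs the same token handshake internally when no credentials are passed).

```python
"""Added example: IMDSv2 token handshake -> role credentials -> Secrets Manager.
Not exam material; the metadata responses below are constructed."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def http(method, path, headers=None, timeout=2.0):
    """Real transport: plain HTTP to the link-local metadata endpoint."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def imdsv2_token(transport=http, ttl_seconds=300):
    """Step 1: a PUT with a TTL header yields a session token.  IMDSv2 answers
    only requests whose IP hop limit is intact (default 1), which is why a
    request proxied through an SSRF bug cannot complete this step."""
    status, body = transport(
        "PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)}
    )
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    return body


def role_credentials(transport=http):
    """Steps 2 and 3: every metadata read must carry the token."""
    headers = {"X-aws-ec2-metadata-token": imdsv2_token(transport)}
    status, role_name = transport("GET", CREDS_PATH, headers)
    if status != 200 or not role_name.strip():
        raise RuntimeError("no IAM role attached to this instance")
    status, body = transport("GET", CREDS_PATH + role_name.strip(), headers)
    if status != 200:
        raise RuntimeError(f"credential read failed with HTTP {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"credential document not ready: {creds.get('Code')}")
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["Token"],
        "Expiration": creds["Expiration"],
    }


def get_db_secret(secret_id, region_name, transport=http):
    """Step 4: exchange the role credentials for the secret (assumes boto3)."""
    import boto3  # assumption: installed on the instance

    creds = role_credentials(transport)
    client = boto3.client(
        "secretsmanager",
        region_name=region_name,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


# Constructed fake of the metadata service running in IMDSv2-only mode.
FAKE_TOKEN = "AQAAAfakeToken"


def fake_imds_transport(method, path, headers=None, timeout=None):
    headers = headers or {}
    if method == "PUT" and path == TOKEN_PATH:
        return 200, FAKE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        return 401, ""  # what IMDSv2-only returns to a tokenless (v1-style) read
    if path == CREDS_PATH:
        return 200, "app-instance-role\n"
    if path == CREDS_PATH + "app-instance-role":
        return 200, json.dumps({
            "Code": "Success", "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLEFAKE", "SecretAccessKey": "fakeSecret",
            "Token": "fakeSessionToken", "Expiration": "2030-01-01T00:00:00Z",
        })
    return 404, ""


if __name__ == "__main__":
    print(role_credentials(fake_imds_transport))
```

Enforcing the token at the instance level is a launch-template setting (HttpTokens set to required, and HttpPutResponseHopLimit left at 1 unless containers on the instance need metadata); the fake transport returns 401 to tokenless reads to mirror that mode.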

1389
MCQmedium

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to the S3 bucket 'example-bucket' from an IP address 198.51.100.5. What will happen?

A.The request is allowed because the user is an IAM user.
B.The request is allowed because the action s3:PutObject is allowed.
C.The request is denied because the source IP does not match the condition.
D.The request is denied because the bucket policy is missing.
AnswerC

The IP condition restricts access.

Why this answer

The policy allows s3:PutObject only when the request's aws:SourceIp falls within 192.0.2.0/24. The user's IP 198.51.100.5 is outside that range, so the condition fails, the Allow statement does not apply, and the request is implicitly denied. Option C is correct.

Option A is incorrect because being an IAM user grants nothing by itself; every permission comes from a policy whose conditions must be met. Option B is incorrect because the Allow for s3:PutObject is conditional and the condition is not satisfied. Option D is incorrect because a bucket policy is not required for an identity-based policy to grant access; the denial here is the implicit deny that results from no matching Allow, not from a missing bucket policy. A practical caveat: requests that arrive through a VPC endpoint do not carry a public source address, so an aws:SourceIp condition never matches them; use aws:VpcSourceIp or aws:SourceVpce for that path.
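The evaluation described above, as an added example that is not part of the exam dump: a small evaluator that applies IAM's ordering (explicit Deny wins, otherwise a matching Allow, otherwise implicit deny) to a policy with an aws:SourceIp condition. The policy document is constructed to match the explanation, since the exhibit itself is not reproduced on the page, and only the IpAddress and NotIpAddress operators are modelled.

```python
"""Added example: evaluate an S3 request against an identity-based policy with
an aws:SourceIp condition.  Not exam material; the policy is constructed."""
import fnmatch
import ipaddress

# Constructed policy: Allow s3:PutObject on example-bucket only from 192.0.2.0/24.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_met(condition, request_context):
    """Every key in the Condition block must match for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request_context.get(key)
            if operator == "IpAddress":
                # A missing key (e.g. a request through a VPC endpoint, which
                # carries aws:VpcSourceIp instead) makes IpAddress evaluate false.
                if actual is None or not _ip_in(expected, actual):
                    return False
            elif operator == "NotIpAddress":
                if actual is not None and _ip_in(expected, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, request_context):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_met(statement.get("Condition", {}), request_context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    for ip in ("198.51.100.5", "192.0.2.77"):
        print(ip, evaluate(POLICY, "s3:PutObject", key, {"aws:SourceIp": ip}))
```

The fourth case in the checks below is the VPC-endpoint caveat: the request context carries aws:VpcSourceIp rather than aws:SourceIp, so the IpAddress condition cannot match and the upload is implicitly denied even from an in-range private address.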

1390
MCQmedium

A developer deployed this CloudFormation template. What happens to a message after it has been received from 'MyQueue' 3 times but not deleted?

A.The message is moved to the dead-letter queue.
B.The message remains in the queue and is retried indefinitely.
C.The message is deleted from the queue.
D.The message is deleted after the visibility timeout expires.
AnswerA

The RedrivePolicy moves the message to the DLQ after 3 receives.

Why this answer

Option A is correct because the RedrivePolicy sets maxReceiveCount to 3: once a message has been received 3 times without being deleted, the next delivery attempt moves it to the dead-letter queue (MyDeadLetterQueue) instead of handing it to a consumer again. Option B is wrong because the message is not retried indefinitely; the redrive policy bounds the retries. Option C is wrong because the message is not deleted; it is moved, so it can be inspected and redriven later.

Option D is wrong because the visibility timeout only controls when an in-flight message becomes visible to other consumers again; it never deletes the message, and without a redrive policy it would simply lead to indefinite retries.

1391
MCQeasy

A developer is writing a Lambda function that needs to access an Amazon RDS MySQL database. The function will be invoked frequently. What is the BEST practice for managing the database connection?

A.Close the database connection at the end of each invocation.
B.Open a new database connection inside the handler for each invocation.
C.Open the database connection outside the handler function and reuse it.
D.Use Amazon RDS Proxy to manage the connection pool.
AnswerC

Reusing connections across invocations reduces latency and resource usage.

Why this answer

Option C is correct because a connection opened at module scope, outside the handler, persists in the execution environment and is reused by the subsequent invocations that environment serves, which avoids the TCP and TLS handshake and MySQL authentication on every call. Option B is wrong because opening a connection per invocation adds that overhead to every request and, at high concurrency, can exhaust the database's max_connections. Option A is wrong because closing the connection at the end of each invocation discards the benefit of the warm environment. Option D is wrong as the single BEST practice in this question because RDS Proxy is an additional component; it is, however, what AWS recommends once the number of concurrent functions threatens to exhaust database connections, and it combines well with connection reuse.

A reused connection must be validated before use (a ping, or reconnect on error), because the database can close idle connections or fail over between invocations.
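The reuse pattern described above, as an added example that is not part of the exam dump: the connection lives at module scope, is health-checked before each use, and is reopened only when it has gone stale. The MySQL driver is replaced by an injectable connect() callable (real code would pass pymysql.connect with credentials read from Secrets Manager); the FakeConnection class, the users table and the rows are constructed so the module runs without a database, and the connect keyword on handler() exists only for that purpose, since Lambda calls handler(event, context).

```python
"""Added example: reuse a database connection across Lambda invocations.
Not exam material; the driver and data below are constructed stand-ins."""

# Module scope is initialised once per execution environment and survives
# across the invocations that environment serves; the handler body runs on
# every invocation.  Keeping the connection here is what makes it reusable.
_connection = None


def get_connection(connect):
    """Return the cached connection, reconnecting if it has gone stale
    (idle timeout, RDS failover) since the previous invocation."""
    global _connection
    if _connection is not None:
        try:
            _connection.ping()  # pymysql: ping(reconnect=False) raises if dead
            return _connection
        except Exception:
            _connection = None  # drop it and fall through to reconnect
    _connection = connect()
    return _connection


def _default_connect():
    # Hypothetical: in production this is pymysql.connect(**credentials).
    raise RuntimeError("no database configured; pass connect= to handler()")


def handler(event, context, connect=None):
    """Lambda entry point; connect= is only for driving the example offline."""
    conn = get_connection(connect or _default_connect)
    with conn.cursor() as cur:
        cur.execute("SELECT id, name FROM users WHERE id = %s", (event.get("user_id"),))
        row = cur.fetchone()
    return {"statusCode": 200 if row else 404, "user": row}


# Constructed stand-in for a DB-API connection so the module runs offline.
class FakeConnection:
    opened = 0  # how many connections were ever created in this environment

    def __init__(self):
        FakeConnection.opened += 1
        self.alive = True
        self.rows = {1: (1, "alice"), 2: (2, "bob")}

    def ping(self):
        if not self.alive:
            raise ConnectionError("MySQL server has gone away")

    def cursor(self):
        return _FakeCursor(self)


class _FakeCursor:
    def __init__(self, conn):
        self.conn, self.row = conn, None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def execute(self, sql, params=()):
        self.row = self.conn.rows.get(params[0])

    def fetchone(self):
        return self.row


def reset_for_demo():
    """Start from a cold environment."""
    global _connection
    _connection = None
    FakeConnection.opened = 0


def connections_opened():
    return FakeConnection.opened


def kill_connection():
    """Simulate the server dropping the idle connection between invocations."""
    if _connection is not None:
        _connection.alive = False


if __name__ == "__main__":
    reset_for_demo()
    for uid in (1, 2, 3):
        print(handler({"user_id": uid}, None, connect=FakeConnection))
    print("connections opened:", connections_opened())  # 1: reused across calls
    kill_connection()
    print(handler({"user_id": 1}, None, connect=FakeConnection))
    print("connections opened:", connections_opened())  # 2: one reconnect
```

Three invocations share one connection; after the simulated drop the ping fails and exactly one new connection is opened, which is the behaviour to look for in the function's metrics when checking that reuse actually works.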

1392
MCQmedium

A developer is troubleshooting an application that uses Amazon ElastiCache for Redis to cache database query results. The application experiences high latency during cache misses. The developer notices that frequently accessed keys (hot keys) are often missing from the cache, suggesting they are being evicted. Which action should the developer take to reduce cache misses for hot keys?

A.Increase the number of cache nodes.
B.Switch to the 'allkeys-lru' eviction policy.
C.Disable the TTL on all cached keys.
D.Increase the size of the cache cluster.
AnswerB

allkeys-lru evicts the least recently used keys from all keys, which tends to retain frequently used hot keys.

Why this answer

Option B is correct because ElastiCache for Redis defaults to the volatile-lru maxmemory-policy, under which Redis evicts only keys that carry a TTL, choosing approximately the least recently used among them. Cached query results are typically written with a TTL, so when memory fills they are the only eviction candidates, and a hot key with a TTL can be evicted while cold keys written without a TTL are never considered. Switching to allkeys-lru makes every key an eviction candidate ranked by recency of use, so frequently read keys stay and rarely read keys go, regardless of whether they carry a TTL.

Exam trap

The trap here is that candidates assume scaling is the only answer to cache misses, overlooking that the eviction policy decides which keys go under memory pressure, and that volatile-lru limits the candidates to keys with a TTL, which can be exactly the hot keys.

How to eliminate wrong answers

Option A is wrong because adding nodes spreads data across shards but leaves each node evicting under the same policy; hot keys can still be evicted once a node fills. Option C is wrong because removing TTLs makes keys ineligible for eviction under volatile-lru; once memory is full Redis then rejects writes with an OOM error instead of evicting, so cache misses turn into write failures. Option D is wrong because more memory only delays the point at which eviction begins; it does not change which keys are evicted when it does.
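The eviction difference described above, as an added example that is not part of the exam dump: a toy model of Redis maxmemory eviction that runs one constructed access trace under volatile-lru and under allkeys-lru. It evicts the exact least recently used candidate, whereas Redis samples a handful of keys, but the candidate rules are the same; the key names, capacity and access pattern are invented for the demonstration.

```python
"""Added example: volatile-lru versus allkeys-lru on a constructed trace.
Not exam material; this is a model of the policy rules, not Redis itself."""
from collections import OrderedDict


class ToyCache:
    def __init__(self, capacity, policy):
        if policy not in ("volatile-lru", "allkeys-lru"):
            raise ValueError(policy)
        self.capacity = capacity
        self.policy = policy
        self.store = OrderedDict()  # key -> (value, has_ttl); order = recency
        self.evicted = []
        self.rejected = 0  # writes refused with OOM when nothing is evictable

    def get(self, key):
        if key not in self.store:
            return None  # cache miss
        self.store.move_to_end(key)  # mark as most recently used
        return self.store[key][0]

    def set(self, key, value, ttl=None):
        if key in self.store:
            self.store[key] = (value, ttl is not None)
            self.store.move_to_end(key)
            return True
        if len(self.store) >= self.capacity and not self._evict_one():
            self.rejected += 1  # Redis: "OOM command not allowed when used memory > maxmemory"
            return False
        self.store[key] = (value, ttl is not None)
        return True

    def _evict_one(self):
        # Walk from least to most recently used.  volatile-lru may only take
        # keys that carry a TTL; allkeys-lru may take any key.
        for key, (_, has_ttl) in self.store.items():
            if self.policy == "allkeys-lru" or has_ttl:
                del self.store[key]
                self.evicted.append(key)
                return True
        return False


def run_trace(policy, capacity=3):
    """Constructed trace: two config keys written once without a TTL and never
    read again, one session key with a TTL that is read repeatedly (the hot
    key), then a new write that forces an eviction."""
    cache = ToyCache(capacity, policy)
    cache.set("config:feature_flags", "{...}")
    cache.set("config:rate_limits", "{...}")
    cache.set("session:hot", "user-42", ttl=300)
    for _ in range(5):
        cache.get("session:hot")
    cache.set("report:2024-q1", "...", ttl=60)  # memory full: something must go
    return cache


def no_ttl_under_volatile(capacity=2):
    """Option C's failure mode: with no TTLs, volatile-lru has nothing to evict,
    so the write is refused.  Returns (write accepted, rejected count)."""
    cache = ToyCache(capacity, "volatile-lru")
    cache.set("a", 1)
    cache.set("b", 2)
    return cache.set("c", 3), cache.rejected


if __name__ == "__main__":
    for policy in ("volatile-lru", "allkeys-lru"):
        c = run_trace(policy)
        print(policy, "evicted:", c.evicted, "hot key present:", c.get("session:hot") is not None)
    print("no TTL under volatile-lru, write accepted:", no_ttl_under_volatile()[0])
```

Under volatile-lru the only key with a TTL is the hot session key, so it is the one evicted despite being read five times; under allkeys-lru the oldest untouched config key goes instead. On ElastiCache the policy is the maxmemory-policy parameter in the cluster's parameter group, and the Evictions CloudWatch metric shows when it is being exercised.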

1393
MCQhard

A developer needs to ensure that every cryptographic operation performed on an AWS KMS customer master key (CMK) used for server-side encryption in Amazon S3 is recorded in AWS CloudTrail for auditing. The developer has already enabled CloudTrail and is logging management events. However, the security team wants to see all calls to the KMS Decrypt and Encrypt APIs for this specific key. What must the developer do?

A.Enable CloudTrail data events for the S3 bucket containing the encrypted objects.
B.Create an additional CloudTrail trail that logs all management events for the KMS key.
C.Enable CloudTrail data events for the specific KMS key ARN.
D.Enable CloudTrail Insights events on the existing trail.
AnswerC

CloudTrail data events for KMS record every call to Decrypt, Encrypt, GenerateDataKey, etc. By specifying the key ARN in the data event selector, only operations on that key are logged, meeting the audit requirement without excessive logging.

Why this answer

Option C is correct in this question's framing because it is the only option that targets the cryptographic calls on that one key rather than S3 object operations, key management actions, or anomaly detection. A practitioner's caveat: on the live service, KMS API calls such as Encrypt, Decrypt and GenerateDataKey are delivered by CloudTrail as management events (Decrypt and GenerateDataKey are high-volume read events), and a trail carries a setting to exclude KMS events precisely because of that volume; so on a real trail the first thing to verify is that the KMS exclusion is off and that read events are logged. The S3-originated Decrypt calls then appear with the key ARN and the S3 encryption context in each event, which is what the security team can filter on.

Exam trap

The trap here is that candidates confuse S3 server-side encryption with KMS data events, assuming that logging S3 bucket data events will capture KMS calls, when in fact KMS data-plane operations require explicit data event logging on the KMS key itself.

How to eliminate wrong answers

Option A is wrong because enabling CloudTrail data events for the S3 bucket captures S3 object-level operations (e.g., GetObject, PutObject), not the KMS Decrypt and Encrypt API calls themselves. Option B is wrong because management events already include KMS key management actions (e.g., CreateKey, DisableKey) but not data-plane cryptographic operations; creating another trail with management events does not capture Decrypt/Encrypt. Option D is wrong because CloudTrail Insights events detect unusual API activity patterns but do not log individual Decrypt/Encrypt calls; they are an analysis feature, not a logging configuration for specific API operations.

1394
MCQmedium

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is experiencing high invocation errors. The developer sees that the function's reserved concurrency is set to 0. What is the impact?

A.The function's memory is insufficient, causing out-of-memory errors.
B.The function is throttled due to high request volume.
C.The function's code has an error causing it to fail.
D.The function is not receiving any invocations because it has no concurrency available.
AnswerD

With reserved concurrency 0, the function cannot be invoked.

Why this answer

Option D is correct. Reserved concurrency of 0 reserves no execution capacity for the function, so Lambda throttles every invocation; the event source mapping's poller receives throttle errors, the messages stay in the queue, become visible again after the visibility timeout, and eventually reach the dead-letter queue if one is configured. Setting reserved concurrency to 0 is in fact the standard way to stop a function from running without deleting it.

Option A is wrong because no invocation runs, so there is nothing to exhaust memory. Option B is wrong because the throttling is caused by the zero reservation, not by request volume. Option C is wrong because the function code never executes, so a code error cannot be the cause.

1395
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team discovers that the application is vulnerable to SQL injection attacks. The team wants to implement a web application firewall (WAF) to block these attacks. The architecture includes an ALB, EC2 instances in an Auto Scaling group, and an RDS database. The ALB currently has a listener on port 443 with an SSL certificate. The developer must integrate AWS WAF with minimal changes to the existing infrastructure. Which action should the developer take?

A.Subscribe to AWS Shield Advanced and enable automatic mitigation.
B.Install a WAF agent on each EC2 instance in the Auto Scaling group.
C.Place a CloudFront distribution in front of the ALB and associate WAF with CloudFront.
D.Associate AWS WAF directly with the Application Load Balancer.
AnswerD

WAF integrates natively with ALB.

Why this answer

Option D is correct because an AWS WAF web ACL (REGIONAL scope, created in the ALB's Region) can be associated directly with the Application Load Balancer, which inspects HTTP requests after TLS termination with no change to the listener, the Auto Scaling group, or the database. The AWS managed rule group AWSManagedRulesSQLiRuleSet supplies the SQL injection detection; run it in count mode first to check for false positives before switching it to block. Option C is wrong because adding CloudFront in front of the ALB works but introduces a new component, a DNS change, and cost that the "minimal changes" requirement rules out. Option B is wrong because AWS WAF is a managed service that attaches to resources such as ALB, CloudFront, and API Gateway; there is no agent to install on instances.

Option A is wrong because Shield Advanced targets DDoS; it includes AWS WAF at no extra charge, but blocking SQL injection still requires a web ACL with the appropriate rules associated with the ALB.

1396
Multi-Selecteasy

A developer is using Amazon DynamoDB for a gaming leaderboard. The table has a sort key of 'score' (Number). The developer wants to retrieve the top 10 players. Which TWO operations can achieve this? (Choose TWO.)

Select 2 answers
A.TransactGetItems
B.Scan and sort results client-side, then take first 10
C.BatchGetItem
D.GetItem
E.Query with ScanIndexForward set to false and Limit set to 10
AnswersB, E

Scan returns all items; client-side sorting and limiting achieves top 10.

Why this answer

Options B and E are correct. Query requires a partition key and can use ScanIndexForward set to false to return results in descending order, with Limit set to 10. Scan can also retrieve all items, which are then sorted client-side and limited to 10.

Option D is wrong because GetItem retrieves a single item. Option C is wrong because BatchGetItem retrieves multiple items by key, not sorted. Option A is wrong because TransactGetItems is for transactional reads.

1397
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer. The application needs to authenticate users via an external OpenID Connect (OIDC) identity provider. The company wants to offload authentication to the load balancer and use IAM roles to access AWS resources. Which solution should the developer implement?

A.Configure the ALB target group to authenticate using the OIDC identity provider.
B.Use AWS Lambda@Edge to authenticate users at the edge.
C.Configure the ALB to use the OIDC identity provider for user authentication. Use the identity token to assume an IAM role via web identity federation.
D.Use Amazon Cognito user pools as the OIDC provider and integrate with ALB.
AnswerC

ALB supports OIDC authentication and the application can use the token to assume an IAM role.

Why this answer

Option C is correct because ALB can authenticate users via OIDC and pass the user's identity to the application in HTTP headers. The application can then use the token to assume an IAM role using web identity federation. Option D is wrong because Cognito is not required; ALB supports OIDC directly.

Option B is wrong because Lambda@Edge is for CloudFront, not ALB. Option A is wrong because ALB does not support OIDC authentication on a target group; authentication is configured on the listener rule.

1398
MCQhard

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with KMS (SSE-KMS). They want to ensure that only certain IAM roles can decrypt objects. What must be configured?

A.IAM role policy to allow kms:Decrypt
B.S3 bucket policy to allow decrypt
C.KMS key policy to allow the IAM roles to decrypt
D.KMS key policy to allow s3.amazonaws.com to decrypt
AnswerC

KMS key policy must grant kms:Decrypt to the specific IAM roles.

Why this answer

Option C is correct because SSE-KMS uses a KMS key (formerly called a customer master key, CMK) to encrypt and decrypt S3 objects. The KMS key policy is the primary access control mechanism for a KMS key; it must explicitly grant the IAM roles the kms:Decrypt permission. Without this policy statement, even if the IAM roles have a policy allowing kms:Decrypt, they will be denied access, because IAM policies are only effective for a KMS key when the key policy delegates access to the account's IAM principals.

Exam trap

The trap here is that candidates assume an IAM role policy granting kms:Decrypt is sufficient, forgetting that KMS key policies act as an independent access control layer that can explicitly deny or allow access, and without the key policy granting the role, the IAM policy is ineffective.

How to eliminate wrong answers

Option A is wrong because an IAM role policy allowing kms:Decrypt is necessary but not sufficient; the KMS key policy must also grant the role permission to use the key, and if the key policy does not include the role, the IAM policy alone will not allow decryption. Option B is wrong because S3 bucket policies control access to S3 actions (like s3:GetObject) but cannot grant KMS decryption permissions; KMS actions are governed solely by KMS key policies and IAM policies. Option D is wrong because allowing the service principal s3.amazonaws.com to decrypt would grant decryption to any S3 request that uses the key, bypassing the IAM role restriction and violating the requirement that only certain IAM roles can decrypt.

1399
MCQmedium

A developer is deploying a microservice using AWS CodeDeploy with an Amazon ECS compute platform. The service must be updated with a blue/green deployment strategy. The developer wants to ensure that if the deployment fails, the new task set is automatically terminated and the original task set continues to serve traffic. Which configuration should the developer set?

A.Set the deployment configuration to 'AllAtOnce' and enable termination of the original task set
B.Define a blue/green deployment using an AppSpec file with a 'Hooks' section to specify a 'BeforeAllowTraffic' hook that checks health. If the check fails, CodeDeploy automatically rolls back.
C.Set the deployment group's 'Rollback configuration' to automatically roll back failed deployments and configure the 'Deployment configuration' to terminate the original task set on success, but keep it on failure.
D.Use a manual approval step in the pipeline to decide whether to terminate the new task set.
AnswerC

By enabling automatic rollback in the deployment group, CodeDeploy will automatically roll back to the original task set if the deployment fails. The 'terminate original task set on success' setting ensures that after a successful deployment, the old task set is terminated. The rollback configuration handles the failure case by terminating the new task set and keeping the original.

Why this answer

Option C is correct because AWS CodeDeploy for Amazon ECS blue/green deployments allows you to configure automatic rollback on failure within the deployment group settings. By enabling 'Rollback configuration' to automatically roll back failed deployments and setting the 'Deployment configuration' to terminate the original task set only on success (keeping it on failure), you ensure that if the deployment fails, the new task set is automatically terminated and the original task set continues to serve traffic. This directly meets the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse the 'Rollback configuration' with hook-based health checks, not realizing that hooks alone do not trigger automatic rollback—you must explicitly enable rollback in the deployment group settings.

How to eliminate wrong answers

Option A is wrong because 'AllAtOnce' is a deployment configuration for EC2/On-Premises compute platforms, not for Amazon ECS; ECS blue/green deployments use a 'canary' or 'linear' configuration, and 'AllAtOnce' does not control termination of the original task set. Option B is wrong because while a 'BeforeAllowTraffic' hook can check health, CodeDeploy does not automatically roll back based on hook failures; hooks only shift traffic after success, and rollback must be explicitly configured in the deployment group. Option D is wrong because a manual approval step in the pipeline does not automatically terminate the new task set on failure; it requires human intervention and does not integrate with CodeDeploy's native rollback mechanism.

1400
MCQhard

A developer is troubleshooting an AWS Lambda function that processes large CSV files (up to 1 GB) uploaded to an Amazon S3 bucket. The function uses Python and the pandas library to perform data transformations. Recently, the function started timing out on large files. CloudWatch Logs show that the function's execution time is close to the 15-minute Lambda timeout, and memory utilization peaks at around 80% of the configured 3,008 MB. The function has not been modified in months. Which action will most likely resolve the timeout issue without requiring code changes?

A.Increase the memory allocation of the Lambda function to the maximum available (10,240 MB)
B.Increase the function timeout to the maximum allowed (900 seconds is already the max)
C.Use S3 Select to filter columns and rows before invoking the Lambda function
D.Increase the batch size of the S3 event notification to invoke the function with multiple files
AnswerA

More memory provides more CPU, speeding up the CPU-intensive pandas processing and reducing execution time below the timeout.

Why this answer

Increasing the memory allocation to the maximum (10,240 MB) proportionally increases the CPU and network throughput allocated to the Lambda function, which directly reduces execution time for CPU-bound pandas operations. Since memory utilization is only at 80% of the current 3,008 MB, the bottleneck is likely CPU, not memory, and Lambda's CPU scales linearly with memory configuration. This action resolves the timeout without any code changes.

Exam trap

The trap here is that candidates assume the function needs more memory because memory utilization is at 80%, but the real bottleneck is CPU, which is tied to memory allocation in Lambda's pricing and performance model.

How to eliminate wrong answers

Option B is wrong because the Lambda function timeout is already at 900 seconds (15 minutes), which is the maximum allowed; increasing it further is impossible. Option C is wrong because S3 Select filters data before the Lambda function is invoked, which would require modifying the S3 event notification or adding a separate trigger, thus requiring code changes to the Lambda function or infrastructure. Option D is wrong because increasing the batch size of the S3 event notification would invoke the function with multiple files at once, which would increase the processing load and worsen the timeout issue, not resolve it.

1401
Multi-Selectmedium

A developer is troubleshooting a slow-performing Amazon RDS for MySQL database. Which TWO actions should the developer take to improve query performance?

Select 2 answers
A.Delete unused indexes to reduce write overhead.
B.Enable Multi-AZ deployment for better read performance.
C.Increase the instance size to provide more CPU and memory.
D.Enable the slow query log to identify poorly performing queries.
E.Delete the binary log files to free up storage.
AnswersC, D

More resources can improve performance.

Why this answer

Option D: enabling the slow query log helps identify problematic queries. Option C: increasing the instance size provides more CPU and memory. Option B is wrong because Multi-AZ is for availability, not read performance.

Option A is wrong because deleting unused indexes improves write performance, not read performance. Option E is wrong because deleting binary log files does not improve query performance.

1402
MCQeasy

An IAM policy is attached to a user. What is the effect when the user tries to download an object from the 'confidential' folder in 'my-bucket' from an IP address within the 192.0.2.0/24 range?

A.The request is denied.
B.The request results in an error due to conflicting statements.
C.The request is allowed.
D.The request is denied because the Deny statement overrides the Allow.
AnswerC

The Deny condition is not satisfied, so the Allow applies.

Why this answer

Option C is correct because the Deny statement has a condition that applies only when the source IP is NOT in the specified range. Since the request comes from an IP within the range, the Deny does not apply, and the Allow statement permits s3:GetObject on the bucket. Option A is wrong because the Deny does not apply.

Option D is wrong because the Deny condition is not met, so there is nothing to override the Allow. Option B is wrong because conflicting statements do not produce an error.

1403
MCQeasy

A developer is creating a deployment pipeline using AWS CodePipeline. The pipeline includes a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CloudFormation. The developer wants to ensure that the pipeline can automatically create the CloudFormation stack if it does not exist. Which action mode should the developer use in the CloudFormation deploy action?

A.UPDATE_ONLY
B.CREATE_UPDATE
C.REPLACE_ON_FAILURE
D.CREATE_ONLY
AnswerB

This creates or updates the stack.

Why this answer

Option B is correct because the 'CREATE_UPDATE' action mode creates a new stack if it does not exist or updates it if it does. Option C is wrong because 'REPLACE_ON_FAILURE' only replaces a failed stack. Option D is wrong because 'CREATE_ONLY' only creates a stack and does not update it.

Option A is wrong because 'UPDATE_ONLY' only updates an existing stack and fails if the stack does not exist.

1404
Multi-Selecthard

A company is designing a secure CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. The pipeline must securely store and access sensitive parameters (e.g., API keys) used during the build. Which TWO services can be used to securely store and retrieve these parameters?

Select 2 answers
A.AWS Systems Manager Parameter Store (SecureString)
B.AWS Secrets Manager
C.Amazon S3 with server-side encryption
D.AWS Key Management Service (KMS) alone
E.AWS CloudFormation parameter store
AnswersA, B

Parameter Store can store secrets as SecureString parameters and is integrated with CodeBuild.

Why this answer

AWS Systems Manager Parameter Store (SecureString) and AWS Secrets Manager are both designed to securely store secrets and can be accessed by CodeBuild via IAM roles.

1405
MCQmedium

A developer is building a RESTful API using Amazon API Gateway and AWS Lambda. The API needs to support custom domain names with SSL/TLS certificates. The developer has created the custom domain name in API Gateway and uploaded the certificate to AWS Certificate Manager (ACM) in the same region. However, when accessing the custom domain, users get an SSL error. What is the most likely cause?

A.The certificate was not issued by a trusted certificate authority.
B.The custom domain name's DNS record does not point to API Gateway's regional domain name.
C.The API Gateway API is not deployed to a stage that is mapped to the custom domain name.
D.The certificate is in the wrong region relative to the API Gateway regional endpoint.
AnswerB

The DNS record (e.g., CNAME) must map the custom domain to the API Gateway endpoint. Without the correct DNS mapping, the SSL handshake will fail.

Why this answer

The most likely cause is that the custom domain name's DNS record does not point to API Gateway's regional domain name. When using a custom domain name with API Gateway, you must create a DNS record (typically a CNAME or A record using Route 53 alias) that maps your custom domain to the API Gateway-generated regional domain name (e.g., d-xxxxx.execute-api.region.amazonaws.com). Without this correct DNS mapping, the SSL/TLS handshake fails because the certificate presented by API Gateway does not match the domain name the client is connecting to, resulting in an SSL error.

Exam trap

The trap here is that candidates often confuse SSL errors with API configuration issues like missing stage mappings or incorrect certificate authorities, but SSL errors occur at the transport layer due to DNS misconfiguration or certificate domain mismatch, not at the application layer.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) only issues certificates that are trusted by major browsers and operating systems; if ACM issued the certificate, it is automatically from a trusted CA, so this is not the cause. Option C is wrong because while the API must be deployed to a stage and the stage must be mapped to the custom domain name for the API to respond, an SSL error occurs at the TLS handshake level before any API routing happens; a missing stage mapping would cause a 404 or 403 error, not an SSL error. Option D is wrong because the developer created the custom domain name in API Gateway and uploaded the certificate to ACM in the same region, so the region mismatch is not the issue; the certificate must be in the same region as the API Gateway regional endpoint, which it is.

1406
MCQhard

Refer to the exhibit. A developer creates a CloudFormation stack with this template. The developer wants to ensure that all objects uploaded to the bucket are encrypted at rest using SSE-KMS. However, the current policy allows anyone to put objects without encryption. What additional change is needed to enforce SSE-KMS?

A.Set the bucket's default encryption configuration to SSE-KMS.
B.Add a bucket policy that denies PutObject if encryption is not set.
C.Modify the condition to use s3:x-amz-server-side-encryption-aws-kms-key-id.
D.Remove the condition to allow all PutObject requests.
AnswerA

Default encryption ensures encryption even if not specified in request.

Why this answer

Option A is correct because the bucket policy condition only inspects the encryption header on each PutObject request; the bucket itself has no default encryption setting. Enabling default encryption with SSE-KMS ensures every object is encrypted at rest even when the request does not specify it.

Option B is wrong because a bucket policy with that condition already exists. Option C is wrong because the condition is already correct. Option D is wrong because removing the condition would allow unencrypted PutObject requests.

1407
MCQeasy

A developer needs to store application configuration that can be accessed by multiple microservices running on Amazon ECS. The configuration must be encrypted at rest and automatically rotate secrets. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS CloudFormation
C.Amazon S3
D.AWS Secrets Manager
AnswerA

Parameter Store provides encrypted parameter storage and can be used for configuration; it integrates with Secrets Manager for rotation.

Why this answer

Option A is correct because AWS Systems Manager Parameter Store supports encryption (using KMS) and can store configuration data as parameters. For automatic rotation of secrets, AWS Secrets Manager is better suited, but Parameter Store can integrate with Secrets Manager. In this scenario, Parameter Store is the appropriate choice for configuration storage with encryption.

1408
MCQeasy

A company has an S3 bucket that contains sensitive financial data. The security team requires that all access to the bucket be logged for audit purposes. The developer needs to enable logging that captures who accessed the bucket, the actions performed, and the source IP addresses. The logs must be stored in a separate bucket for security. Which solution meets these requirements?

A.Use Amazon CloudWatch Logs to capture S3 access logs by enabling S3 data events in CloudWatch.
B.Enable S3 server access logging on the bucket and store logs in the same bucket.
C.Enable AWS CloudTrail with S3 data events and deliver logs to a separate S3 bucket.
D.Enable VPC Flow Logs on the VPC that contains the S3 bucket.
AnswerC

CloudTrail captures data events with details.

Why this answer

Option C is correct because AWS CloudTrail S3 data events log object-level operations and can be delivered to a separate bucket. Option B is wrong because S3 server access logs provide similar data but are less manageable, and storing them in the same bucket does not meet the separate-bucket requirement. Option A is wrong because CloudWatch Logs is for monitoring, not auditing.

Option D is wrong because VPC Flow Logs capture network traffic, not S3 API calls.

1409
Multi-Selecthard

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline deploys a Lambda function. Which THREE practices should be followed to ensure security?

Select 3 answers
A.Use IAM roles for pipeline actions instead of access keys.
B.Scan code dependencies for known vulnerabilities.
C.Use CloudFront to distribute pipeline artifacts.
D.Store database credentials in AWS Secrets Manager and retrieve them during deployment.
E.Encrypt artifacts in transit using TLS.
AnswersA, B, D

IAM roles provide temporary credentials and are more secure.

Why this answer

Option A is correct because IAM roles provide temporary credentials for AWS services, eliminating the need to manage long-term access keys. CodePipeline can assume an IAM role to perform actions like deploying a Lambda function, which reduces the risk of credential leakage. This follows the principle of least privilege and is a security best practice for automated pipelines.

Exam trap

The trap here is that candidates may confuse CloudFront's artifact distribution capability with S3's role in CodePipeline, or assume TLS encryption is an optional security practice rather than a default AWS behavior.

1410
MCQhard

A DynamoDB table uses partition key customerId. One enterprise customer generates most traffic and is throttled while the table has unused capacity elsewhere. What design change best addresses the hot partition?

A.Enable point-in-time recovery
B.Reduce item size by removing attributes
C.Use strongly consistent reads only
D.Add write sharding or redesign the partition key to distribute that customer's workload
AnswerD

Correct for the stated requirement.

Why this answer

Option D is correct because the hot partition is caused by a single customerId receiving a disproportionate amount of traffic, exceeding the 3000 RCU or 1000 WCU per partition limit. By adding write sharding (e.g., appending a random suffix to the partition key) or redesigning the partition key to include a more granular attribute, you distribute that customer's writes across multiple partitions, eliminating the bottleneck and utilizing the table's unused capacity.

Exam trap

The trap here is that candidates mistakenly believe reducing item size or changing read consistency can resolve a hot partition, when only redistributing the partition key's workload addresses the underlying throughput imbalance.

How to eliminate wrong answers

Option A is wrong because point-in-time recovery (PITR) enables continuous backups and restores to any point within the last 35 days; it does not affect request distribution or throttling. Option B is wrong because reducing item size can lower consumed capacity per operation but does not change how requests are distributed across partitions; the hot partition remains throttled if the same customerId still receives high traffic. Option C is wrong because strongly consistent reads consume twice the RCU of eventually consistent reads and do not alter partition key distribution; they would actually increase throttling risk on the hot partition.

1411
MCQeasy

A developer is building a data processing pipeline that uses AWS Lambda to process files uploaded to an S3 bucket. The S3 bucket receives thousands of files per second, and the developer wants to minimize processing latency. Which approach should the developer use to trigger the Lambda function?

A.Configure an SQS queue and have the Lambda function poll the queue for S3 event notifications.
B.Use Amazon CloudWatch Events to trigger the Lambda function on a schedule.
C.Configure S3 event notifications to directly invoke the Lambda function.
D.Publish S3 events to an SNS topic and subscribe the Lambda function to that topic.
AnswerC

Direct invocation provides the lowest latency.

Why this answer

Option C is correct because S3 event notifications can directly invoke Lambda asynchronously, providing the lowest latency. Option A (SQS) adds polling latency. Option B (CloudWatch Events) is for scheduled events, not S3 events.

Option D (SNS) adds an extra hop and requires a subscription.

1412
MCQeasy

A developer wants to trigger an AWS Lambda function every time a new object is created in an Amazon S3 bucket. Which S3 event notification configuration should be used?

A.s3:ObjectCreated:*
B.s3:ObjectRestore:*
C.s3:ReducedRedundancyLostObject:*
D.s3:ObjectRemoved:*
AnswerA

Matches all object creation events.

Why this answer

Option A is correct because s3:ObjectCreated:* captures all object creation events. Option D is wrong because s3:ObjectRemoved:* is for deletion events. Option B is wrong because s3:ObjectRestore:* is for restore events.

Option C is wrong because s3:ReducedRedundancyLostObject:* is for loss of objects stored with reduced redundancy.

1413
MCQmedium

A developer deployed a new version of a Lambda function using an alias that points to the new version. However, the function continues to invoke the old version. What is the MOST likely cause?

A.The IAM execution role for the Lambda function does not have permission to invoke the new version.
B.The alias was not updated to point to the new version after deployment.
C.The Lambda function's reserved concurrency is set to 0, preventing new invocations.
D.The function name in the invocation request is different from the deployed function.
AnswerB

An alias is a pointer to a specific version. If the alias still points to the old version, new invocations will use the old code.

Why this answer

Option B is correct because if the alias is not updated to the new version number, it still points to the old version. Option C (reserved concurrency) does not affect which version is invoked. Option D (different function name) would cause a different error.

Option A (IAM permissions) would cause access denied errors, not invocation of the old code.

1414
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires custom configuration, such as setting environment variables for the EC2 instances. Which file should the developer include in the application source bundle under the appropriate directory to achieve this?

A.Include a buildspec.yml file in the root directory.
B.Include a .ebextensions/options.config file.
C.Include an appspec.yml file.
D.Include a cron.yaml file.
AnswerB

Files in the .ebextensions directory with a .config extension are automatically processed by Elastic Beanstalk. They can set environment variables using the option_settings key, among other configurations.

Why this answer

Option B is correct because AWS Elastic Beanstalk uses `.ebextensions` directory with `.config` files (e.g., `options.config`) to define custom configuration, including environment variables for EC2 instances. These YAML or JSON files are processed during environment creation and updates, allowing you to set `option_settings` that override or augment the default platform configuration.

Exam trap

The trap here is that candidates confuse Elastic Beanstalk configuration files with other AWS service configuration files (CodeBuild's `buildspec.yml` or CodeDeploy's `appspec.yml`) or assume `cron.yaml` can handle general environment settings, leading them to pick a wrong option based on familiarity with other services.

How to eliminate wrong answers

Option A is wrong because `buildspec.yml` is used by AWS CodeBuild to define build commands and output artifacts, not by Elastic Beanstalk for environment configuration. Option C is wrong because `appspec.yml` is used by AWS CodeDeploy to manage deployment lifecycle hooks and file permissions, not by Elastic Beanstalk for custom EC2 settings. Option D is wrong because `cron.yaml` is used by Elastic Beanstalk for periodic tasks (worker environment cron jobs), not for setting environment variables or general configuration.

1415
MCQhard

A company is deploying a microservices-based application on Amazon ECS using Fargate. The application consists of three services: frontend, backend, and database. The database service uses Amazon Aurora Serverless. The frontend and backend services are deployed as separate ECS services. The company uses AWS CodePipeline for CI/CD. Each service has its own CodePipeline pipeline that builds a Docker image and pushes it to Amazon ECR, then updates the ECS service with the new image. Recently, the backend service deployment started causing intermittent errors. After investigation, the developer found that the backend service is being updated while the frontend service is still pointing to the old backend version, causing API incompatibility. The developer needs to ensure that the backend service is updated before the frontend service, and that both are updated atomically. The developer also wants to automate the update process using CodePipeline. What should the developer do?

A.Add a manual approval step between the backend and frontend pipelines.
B.Create a single pipeline that deploys both services simultaneously by updating both ECS services in a single CodeDeploy deployment.
C.Configure the frontend pipeline to trigger after the backend pipeline completes using Amazon CloudWatch Events.
D.Create a single pipeline with separate stages: first deploy backend, then after successful deployment, deploy frontend.
AnswerD

Sequential stages in one pipeline ensure order and atomicity of the release.

Why this answer

Option D is correct because a single pipeline with sequential stages ensures the backend is deployed first, and the frontend deploys only after the backend is stable. Option C is wrong because event triggers do not control order. Option A is wrong because manual approval is not atomic and can be error-prone.

Option B is wrong because updating both services in a single deployment is not atomic; they should be sequential stages in one pipeline.

1416
Multi-Selectmedium

A developer is deploying an application using AWS Elastic Beanstalk. The application requires a relational database. Which THREE components are created by Elastic Beanstalk when you add a database to your environment?

Select 3 answers
A.A DB subnet group
B.An Amazon RDS DB instance
C.An AWS CloudFormation stack
D.An Amazon DynamoDB table
E.A security group for the database
AnswersB, C, E

Elastic Beanstalk provisions an RDS instance.

Why this answer

Options B, C, and E are correct. Elastic Beanstalk creates an Amazon RDS DB instance, a security group for the DB, and a CloudFormation stack that manages the resources. Option A is incorrect because the DB subnet group is created but is not listed as a separate component; it is part of the RDS configuration.

Option D is incorrect because Elastic Beanstalk does not create a DynamoDB table by default.

1417
MCQmedium

A developer is using AWS CloudFormation to deploy a stack. The stack creation fails with the error 'API: iam:CreateRole User: arn:aws:iam::123456789012:user/DevUser is not authorized to perform: iam:CreateRole'. The developer is using an IAM user with AdministratorAccess policy attached. What is the MOST likely cause of this error?

A.The account has reached the IAM role limit.
B.The CloudFormation stack is using a service role that does not have iam:CreateRole permission.
C.The CloudFormation stack is being created in a region where IAM is not supported.
D.The AdministratorAccess policy has been modified to remove IAM permissions.
AnswerB

If a service role is used, CloudFormation assumes that role to create resources. If the role lacks permissions, the operation fails.

Why this answer

Option B is correct because CloudFormation uses a service role to create resources if one is specified. If the service role does not have the necessary permissions, the stack creation fails even though the user has full permissions. Option C (region issue) is not relevant.

Option A (role limit) would give a limit exceeded error. Option D (modified policy) would not cause this specific error.

1418
Multi-Selectmedium

A developer is designing a messaging system where orders are placed into an SQS queue and processed by a Lambda function. The developer wants to ensure that failed messages are not lost and can be analyzed later. Which TWO steps should the developer take? (Choose 2.)

Select 2 answers
A.Configure a dead-letter queue (DLQ) for the SQS queue.
B.Enable Lambda function retries on failure.
C.Set the redrive policy to move messages to the DLQ after a specified number of receive attempts.
D.Increase the visibility timeout of the SQS queue.
E.Set up a CloudWatch alarm to monitor the queue depth.
AnswersA, C

DLQ captures messages that failed processing.

Why this answer

A and C are correct. Configuring a dead-letter queue (A) captures failed messages for later analysis. Setting the redrive policy (C) allows moving messages to the DLQ after a number of failed attempts.

Option D (increasing visibility timeout) may help but does not preserve failed messages. Option B (Lambda retries) is already done by default but does not preserve messages. Option E (CloudWatch alarms) only alerts; it does not preserve messages.

1419
MCQ (hard)

A company is deploying a new microservice on AWS Lambda that processes high-resolution images and stores results in Amazon S3. The Lambda function currently uses 1024 MB of memory and has a timeout of 2 minutes. During peak load, many invocations are timing out. The function is CPU-bound during image processing. Which change is MOST likely to reduce timeouts without increasing costs unnecessarily?

A.Increase the function memory to 3008 MB.
B.Enable provisioned concurrency to reduce cold starts.
C.Increase the function memory to 2048 MB.
D.Increase the function timeout to 5 minutes.
Answer: C

Lambda allocates CPU proportionally to memory; more memory speeds up CPU-bound tasks, reducing execution time.

Why this answer

Option C is correct because increasing memory from 1024 MB to 2048 MB proportionally increases CPU allocation in AWS Lambda (up to 1.7 GHz per vCPU at 1769 MB). Since the function is CPU-bound, this directly reduces processing time, mitigating timeouts without the cost spike of 3008 MB. The cost increase is linear with memory, so doubling memory doubles cost per invocation, but the reduced duration often offsets this, keeping total cost similar or lower.

Exam trap

The trap here is that candidates assume increasing the timeout (Option D) is the simplest fix for timeouts, ignoring that CPU-bound functions need more CPU, not just more time; provisioned concurrency (Option B) is likewise mistakenly thought to improve execution speed rather than only reducing cold start latency.

How to eliminate wrong answers

Option A is wrong because increasing memory to 3008 MB provides more CPU than needed for a CPU-bound task, leading to unnecessary cost without proportional performance gain (Lambda CPU scales linearly up to ~1769 MB, then plateaus). Option B is wrong because provisioned concurrency addresses cold starts, not timeout issues caused by insufficient CPU during peak load; it does not reduce execution time for CPU-bound processing. Option D is wrong because increasing the timeout to 5 minutes does not fix the root cause (CPU-bound processing is too slow); it only delays the timeout, allowing the function to run longer but still at the same slow speed, potentially increasing costs due to longer execution duration.

1420
MCQ (easy)

A developer deploys a new version of an AWS Lambda function using the AWS CLI. The deployment fails with a 'ResourceConflictException' error. What is the most likely cause?

A.The function's handler name is incorrect in the deployment package.
B.The Lambda function's IAM role is missing necessary permissions.
C.The Lambda function's memory limit is set too low for the deployment package.
D.Another deployment is currently in progress for the same Lambda function.
Answer: D

AWS Lambda does not allow concurrent updates; a 'ResourceConflictException' indicates an ongoing update.

Why this answer

The error occurs when trying to update a Lambda function's code while a deployment is in progress or when the function's reserved concurrency is being modified. Option D is correct because publishing a new version during an active deployment causes a conflict. Options A, B, and C are incorrect because incorrect handler names, missing IAM role permissions, or memory limits cause different errors.

1421
MCQ (medium)

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses HTTPS. The developer creates a certificate in AWS Certificate Manager (ACM) and associates it with the ALB listener on port 443. However, when users access the application, they receive a browser warning that the connection is not secure. The ALB is configured with a default SSL/TLS policy. What is the most likely cause of the issue?

A.The certificate is in a different region than the ALB.
B.The certificate was not imported correctly into ACM.
C.The ALB is using an outdated SSL/TLS policy.
D.The ALB cannot terminate HTTPS; the developer must configure HTTPS on the EC2 instances.
Answer: A

ACM certificates must be in the same region as the ALB.

Why this answer

ACM certificates are region-specific. If the certificate is created in a different AWS region than the ALB, the ALB cannot use it, causing the browser to warn that the connection is not secure. The ALB will fall back to its default self-signed certificate or no valid certificate, triggering the browser warning.

Exam trap

The trap here is that candidates assume ACM certificates are globally available, but they are region-specific, and the ALB must reference a certificate in the same region.

How to eliminate wrong answers

Option B is wrong because if the certificate were not imported correctly into ACM, it would not appear as valid or would fail association, but the question states the certificate was created in ACM and associated, so import is not the issue. Option C is wrong because an outdated SSL/TLS policy would cause compatibility issues or weaker security, not a browser warning about an insecure connection; the warning indicates no trusted certificate is presented. Option D is wrong because ALB can terminate HTTPS by default when a certificate is associated; the developer does not need to configure HTTPS on EC2 instances for termination at the load balancer.

1422
MCQ (medium)

A company wants to securely store database credentials for a Lambda function. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS Systems Manager Parameter Store (Standard tier)
D.Amazon S3 with server-side encryption
Answer: A

Secrets Manager provides automatic rotation and encryption.

Why this answer

AWS Secrets Manager is designed for storing secrets like database credentials with automatic rotation.

1423
MCQ (easy)

A company runs an application on Amazon EC2 instances that need to read data from an Amazon DynamoDB table. The developer must grant access to DynamoDB without storing any long-term credentials on the instance. Which approach should the developer use?

A.Store the AWS access key and secret key in a configuration file.
B.Use an IAM role and attach it to the EC2 instance profile.
C.Use an IAM user and store credentials in AWS Secrets Manager.
D.Use the DynamoDB table's resource-based policy to allow the EC2 instance.
Answer: B

This provides temporary credentials that are automatically rotated, following the principle of least privilege and security best practices.

Why this answer

Option B is correct because attaching an IAM role to an EC2 instance profile allows the instance to obtain temporary security credentials from the AWS Security Token Service (STS) via the instance metadata service. This eliminates the need to store long-term credentials on the instance, adhering to the principle of least privilege and improving security posture.

Exam trap

The trap here is that candidates may think resource-based policies (Option D) can grant access to EC2 instances, but DynamoDB resource-based policies only support principals like AWS accounts, IAM users, or IAM roles—not EC2 instances directly—and the correct mechanism for EC2 is always an IAM role attached to the instance profile.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys and secret keys in a configuration file on the EC2 instance introduces long-term static credentials, which violates the requirement to avoid storing long-term credentials and increases the risk of credential leakage. Option C is wrong because using an IAM user and storing credentials in AWS Secrets Manager still requires the EC2 instance to retrieve and use long-term credentials (the IAM user's access keys) at some point, and the instance would need to authenticate to Secrets Manager, typically with another set of credentials, creating a circular dependency; the recommended approach for EC2 is always an IAM role. Option D is wrong because DynamoDB does not support resource-based policies that grant access to EC2 instances directly; resource-based policies in DynamoDB are used for cross-account access or service-to-service authorization, not for granting permissions to compute resources like EC2 instances.

1424
Multi-Select (easy)

A developer is using Amazon DynamoDB as a data store for a serverless application. The application requires strongly consistent reads and must be able to recover from failures. Which THREE measures should the developer implement? (Choose THREE.)

Select 3 answers
A.Use the ConsistentRead parameter set to true in GetItem and Query operations.
B.Use DynamoDB read replicas to offload read traffic.
C.Configure DynamoDB global tables for multi-region replication.
D.Enable DynamoDB Streams to capture changes.
E.Implement DAX (DynamoDB Accelerator) for caching.
Answers: A, C, E

This ensures strongly consistent reads.

Why this answer

Option A is correct because strongly consistent reads can be requested per operation. Option C is correct because DynamoDB global tables provide multi-region replication for disaster recovery. Option E is correct because DynamoDB Accelerator (DAX) can improve read performance, though not directly for recovery.

Option D is wrong because DynamoDB Streams captures changes; it is not a recovery mechanism. Option B is wrong because read replicas are a feature of RDS, not DynamoDB.

1425
MCQ (medium)

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The bucket policy allows s3:GetObject for the instance's IAM role, but the application is still getting access denied errors. What is the MOST likely cause?

A.The EC2 instance's security group does not allow outbound traffic to S3.
B.The S3 bucket is encrypted with SSE-KMS and the instance does not have kms:Decrypt permissions.
C.The S3 bucket has a block public access setting enabled.
D.The EC2 instance does not have an instance profile associated with the IAM role.
Answer: D

The IAM role must be attached to the EC2 instance via an instance profile.

Why this answer

The most likely cause is that the EC2 instance does not have an instance profile associated with the IAM role. Without an instance profile, the IAM role's credentials are not delivered to the instance metadata service, so the AWS SDK cannot assume the role to sign requests to S3. This results in access denied errors even though the bucket policy explicitly allows s3:GetObject for that role.

Exam trap

The trap here is that candidates often overlook the requirement to attach an instance profile to the EC2 instance, assuming that creating an IAM role and applying a bucket policy is sufficient, but the instance must be explicitly associated with the role via an instance profile to inherit its permissions.

How to eliminate wrong answers

Option A is wrong because security groups operate at the network layer and do not affect outbound traffic to S3 by default; outbound traffic is allowed unless explicitly restricted, and S3 access uses HTTPS over port 443, which is typically open. Option B is wrong because, although SSE-KMS does require kms:Decrypt permissions and a missing KMS permission could also produce an access denied error, the most likely cause given the scenario is the missing instance profile, not KMS. Option C is wrong because block public access settings only restrict public (unauthenticated) access, not access from an IAM role that has been explicitly granted permissions via a bucket policy.
