AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 76–150

1616 questions total · 22 pages · All types, answers revealed

76
MCQ · easy

A developer needs to securely store database credentials for a serverless application. Which service should be used?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. Amazon S3
D. AWS Key Management Service (KMS)
Answer: A

Secrets Manager is the best choice for database credentials.

Why this answer

AWS Secrets Manager is designed for storing and rotating secrets like database credentials. Option B (SSM Parameter Store) can store secrets but lacks automatic rotation. Option D (KMS) is for keys.

Option C (S3) is not a secrets service.

77
MCQ · medium

A developer must locally test a SAM-based Lambda function with an API event before deployment. Which tool command family is designed for this?

A. AWS SAM CLI local invoke/start-api
B. AWS Shield Advanced CLI
C. AWS Organizations policy simulator
D. Amazon Inspector SBOM export
Answer: A

Correct for the stated requirement.

Why this answer

The AWS SAM CLI provides the `local invoke` and `local start-api` commands specifically for testing Lambda functions locally with simulated API Gateway events before deployment. `sam local start-api` creates a local HTTP server that mimics API Gateway, allowing developers to send requests to their Lambda functions as if they were deployed, while `sam local invoke` directly invokes the function with a specified event payload. This is the only tool family designed for local testing of SAM-based Lambda functions with API events.

Exam trap

The trap here is that candidates may confuse the AWS SAM CLI with other AWS CLI tools or services, mistakenly thinking that general-purpose CLI commands or unrelated security tools can perform local Lambda testing with API events.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced CLI is a tool for managing DDoS protection services, not for testing Lambda functions or API events locally. Option C is wrong because AWS Organizations policy simulator is used to test IAM and SCP policies for multi-account environments, not for local Lambda or API Gateway testing. Option D is wrong because Amazon Inspector SBOM export is used to generate a software bill of materials for vulnerability assessment, not for testing Lambda functions or API events.

78
MCQ · medium

A company has an Amazon S3 bucket that stores sensitive documents. The security team wants to ensure that all GET requests to the bucket are authenticated and that the requester does not have public access. Which combination of S3 features should the developer implement?

A. Block public access and enable S3 Access Points with a network origin policy
B. Enable S3 Object Lock and versioning
C. Use S3 Transfer Acceleration and server-side encryption
D. Configure a bucket policy that allows only specific IAM users and enable MFA Delete
Answer: A

Block public access prevents public access, and S3 Access Points with network policies restrict access to authenticated requests from allowed networks.

Why this answer

Option A is correct because blocking public access at the bucket level ensures that no anonymous or public requests can reach the bucket, while S3 Access Points with a network origin policy restrict access to requests originating from a specific VPC or on-premises network. This combination enforces that all GET requests must be authenticated (via the Access Point's IAM policies) and cannot come from public internet sources, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse MFA Delete or encryption with authentication controls, not realizing that only explicit public access blocking combined with network-level restrictions (like Access Points) can prevent unauthenticated GET requests.

How to eliminate wrong answers

Option B is wrong because S3 Object Lock and versioning prevent object deletion or overwrite and maintain object history, but they do not control authentication or public access for GET requests. Option C is wrong because S3 Transfer Acceleration speeds up uploads over long distances and server-side encryption protects data at rest, neither of which authenticates requests or blocks public access. Option D is wrong because a bucket policy allowing only specific IAM users can restrict access, but MFA Delete only adds multi-factor authentication to delete operations, not to GET requests, and this combination does not inherently block public access from unauthenticated sources.

79
MCQ · medium

An API Gateway REST API invokes Lambda synchronously. Clients receive 502 responses after a deployment, but Lambda logs show a successful business operation. What is the most likely issue?

A. The Lambda execution role lacks dynamodb:PutItem
B. The Lambda proxy integration response format is invalid
C. The API cache TTL is too short
D. The API stage has X-Ray tracing enabled
Answer: B

Correct for the stated requirement.

Why this answer

Lambda proxy integration requires the response to be in a specific JSON format: `{"statusCode": ..., "headers": ..., "body": ...}`. If the Lambda function returns a plain string or an object missing these keys, API Gateway cannot map it to an HTTP response, resulting in a 502 Internal Server Error. The successful business operation in logs confirms the Lambda code ran correctly, but the malformed response format causes the gateway error.

Exam trap

The trap here is that candidates see 'successful business operation' in logs and assume the Lambda is fine, overlooking that API Gateway proxy integration enforces a strict response contract, not just any valid return value.

How to eliminate wrong answers

Option A is wrong because a missing `dynamodb:PutItem` permission would cause a 403 Forbidden or 500 error from Lambda, not a 502, and the logs would show an access denied exception, not a successful operation. Option C is wrong because API cache TTL affects cached responses and latency, not the response format or 502 errors; a short TTL would cause more frequent cache misses, not gateway errors. Option D is wrong because enabling X-Ray tracing adds tracing headers and logs but does not alter the response format or cause 502 errors; it is purely a monitoring feature.

80
Multi-Select · hard

A developer is optimizing an AWS Lambda function that processes streaming data from Amazon Kinesis. The function is CPU-bound. Which TWO actions should the developer take to improve performance?

Select 2 answers
A. Rewrite the function in a compiled language like Go.
B. Increase the function's reserved concurrency.
C. Increase the function's memory allocation.
D. Increase the Kinesis stream's shard count.
E. Enable GPU acceleration for the function.
Answers: A, C

Compiled languages generally have better CPU performance than interpreted ones.

Why this answer

Option C is correct because increasing memory also increases CPU allocation. Option A is correct because using a language with better CPU performance (e.g., Go) can improve speed. Option B is wrong because increasing reserved concurrency does not affect individual function performance.

Option E is wrong because Lambda does not support GPU. Option D is wrong because the Kinesis shard count does not affect CPU-bound processing.

81
MCQ · easy

A developer needs to store configuration parameters securely for a Lambda function. The parameters include database credentials and API keys. Which AWS service should be used?

A. AWS Systems Manager Parameter Store
B. AWS Secrets Manager
C. Amazon DynamoDB with encryption
D. Amazon S3 with server-side encryption
Answer: B

Secrets Manager is purpose-built for storing and rotating secrets securely.

Why this answer

Option B is correct because Secrets Manager is designed to securely store secrets. Option A is wrong because SSM Parameter Store can be used, but Secrets Manager is better for automated rotation. Option D is wrong because S3 is not secure for secrets.

Option C is wrong because DynamoDB is not secure by default.

82
MCQ · medium

Refer to the exhibit. A developer has the above IAM policy attached. The developer is trying to push code to a CodeCommit repository and trigger a CodePipeline. The push succeeds but the pipeline does not start. What is the most likely reason?

A. The developer does not have permissions to push to the repository.
B. The CloudWatch Events rule that triggers the pipeline on code push does not have the necessary IAM role to invoke the pipeline.
C. The developer does not have permissions to start the pipeline.
D. The CodeCommit repository does not have a trigger configured.
Answer: B

The trigger rule needs permissions to start the pipeline.

Why this answer

Option B is correct because the pipeline requires a CloudWatch Events rule to start on code push, and that rule needs permissions to invoke the pipeline. Option A is wrong because the policy allows GitPush. Option C is wrong because the developer has StartPipelineExecution permission.

Option D is wrong because the developer can push.

83
MCQ · hard

A company is using AWS CodePipeline to automate their CI/CD pipeline. The pipeline includes a stage that runs a set of integration tests using AWS CodeBuild. The tests require access to a database running on a private subnet in a VPC. The CodeBuild project is configured to use a managed compute image. How can the CodeBuild project access the database?

A. Place the CodeBuild project in a public subnet and use a NAT gateway to route traffic to the private subnet.
B. Configure the CodeBuild project to use a custom VPC with the appropriate subnet and security group.
C. Set up a VPC peering connection between the CodeBuild VPC and the database VPC.
D. Create a VPC endpoint for the database service and attach it to the CodeBuild project.
Answer: B

CodeBuild supports launching in a VPC, allowing access to resources in that VPC.

Why this answer

Option B is correct because by setting the CodeBuild project to use a custom VPC, it can be configured with a subnet and security group that allow access to the private database. Option A is wrong because a NAT gateway would require the CodeBuild project to be in a public subnet, not private. Option C is wrong because VPC peering is unnecessary; CodeBuild can be launched directly in the VPC.

Option D is wrong because a VPC endpoint is for accessing AWS services privately, not for general network access.

84
MCQ · easy

A company is using AWS KMS to encrypt sensitive data stored in S3. The security team wants to ensure that only a specific IAM role can decrypt the data. What is the most secure way to achieve this?

A. Use S3 server-side encryption with S3-managed keys (SSE-S3).
B. Create a KMS key policy that grants the role the kms:Decrypt permission.
C. Enable automatic key rotation for the KMS key.
D. Use an S3 bucket policy to restrict access to the role.
Answer: B

KMS key policies directly control who can use the key.

Why this answer

Option B is correct because KMS key policies are the most direct and secure way to control who can perform cryptographic operations like kms:Decrypt on a specific CMK. By granting only the specific IAM role the kms:Decrypt permission in the key policy, you ensure that no other principal (including the root user or other roles) can decrypt the data, even if they have S3 access. This follows the principle of least privilege and decouples data access from infrastructure access.

Exam trap

The trap here is that candidates often confuse S3 bucket policies with KMS key policies, assuming that restricting S3 access is sufficient to prevent decryption, when in fact the KMS key policy is the only way to enforce decryption restrictions at the cryptographic level.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses S3-managed keys, which do not allow you to restrict decryption to a specific IAM role; any principal with S3 GetObject permission can decrypt the data. Option C is wrong because automatic key rotation only changes the backing key material over time for security hygiene, but does not restrict who can decrypt; it does not address access control. Option D is wrong because an S3 bucket policy can control access to the S3 object itself, but it cannot prevent decryption of the underlying KMS-encrypted data if the caller has both S3 GetObject and KMS Decrypt permissions; the KMS key policy is the authoritative control for decryption.

85
Multi-Select · easy

A developer is troubleshooting an AWS Lambda function that is invoked by an Amazon S3 bucket notification. The function processes new objects but sometimes fails because the object is not fully written before Lambda reads it. Which TWO actions can the developer take to fix this?

Select 2 answers
A. Implement a retry mechanism in the Lambda function to check object existence before processing.
B. Use S3 Transfer Acceleration.
C. Configure the S3 event notification to trigger only when objects with a specific suffix are created.
D. Use an Amazon SQS queue to buffer the S3 events.
E. Increase the Lambda function timeout.
Answers: A, C

Retry handles eventual consistency.

Why this answer

Option C (S3 event notification with suffix) is correct because it can target specific file types that are written last. Option A (retry logic) is correct because it handles eventual consistency. Option D is wrong because SQS doesn't solve the write-in-progress issue.

Option B is wrong because Transfer Acceleration doesn't help. Option E is wrong because a longer timeout doesn't address the timing.

86
Multi-Select · easy

A development team is using AWS Elastic Beanstalk to deploy a web application. The team wants to perform a blue/green deployment. Which THREE steps are required to complete the blue/green deployment?

Select 3 answers
A. Update the existing environment with the new version.
B. Swap the CNAMEs of the two environments.
C. Terminate the old environment after verifying the new environment.
D. Update the Route 53 DNS record to point to the new environment.
E. Deploy the new application version to a separate Elastic Beanstalk environment.
Answers: B, C, E

Swapping CNAMEs routes traffic to the new environment.

Why this answer

Options B, C, and E are correct. In a blue/green deployment with Elastic Beanstalk, you deploy the new version to a separate environment (E), then swap the CNAMEs (B), and finally terminate the old environment (C). Option A is wrong because you don't update the old environment; you create a new one.

Option D is wrong because you swap CNAMEs rather than updating DNS records manually.

87
MCQ · easy

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to download an object from 'example-bucket' from an IP address of 10.0.1.5. Will the download succeed?

A. Yes, because the source IP matches the condition.
B. No, because the policy does not specify the user's IP.
C. Yes, but only if the bucket policy also allows the access.
D. No, because the condition requires the IP to be in 10.0.0.0/16.
Answer: A

The IP falls within the allowed CIDR.

Why this answer

Option A is correct because the policy allows s3:GetObject on the bucket when the source IP is within 10.0.0.0/16. The user's IP 10.0.1.5 is within that range. Option B is incorrect because the IP is in the allowed range.

Option C is incorrect because the condition is met. Option D is incorrect because the policy is sufficient.

88
MCQ · easy

A developer needs to securely store database credentials for a Lambda function. The credentials must be automatically rotated every 30 days. Which service should be used?

A. AWS Key Management Service (KMS)
B. AWS Secrets Manager
C. AWS Systems Manager Parameter Store
D. AWS CloudHSM
Answer: B

Secrets Manager provides automatic rotation.

Why this answer

Option B is correct because AWS Secrets Manager supports automatic rotation of secrets. Option C is wrong because Parameter Store does not automatically rotate credentials. Option A is wrong because KMS is for encryption keys, not credential storage.

Option D is wrong because CloudHSM is for hardware security modules.

89
Multi-Select · easy

A developer is building a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. Which TWO AWS services can be used for service discovery?

Select 2 answers
A. Amazon ECR
B. AWS Cloud Map
C. Elastic Load Balancing
D. AWS Systems Manager Parameter Store
E. Amazon Route 53
Answers: B, E

Cloud Map is designed for service discovery.

Why this answer

Options B and E are correct. AWS Cloud Map is a service discovery service that can be used to register and discover services. Amazon Route 53 can also be used for service discovery by using private hosted zones and health checks.

Option C is incorrect because ELB is for load balancing, not service discovery. Option A is incorrect because ECR is for container images. Option D is incorrect because Systems Manager Parameter Store is for configuration, not discovery.

90
MCQ · medium

A developer is troubleshooting an AWS Lambda function that processes records from an Amazon Kinesis Data Stream. The function is configured with a batch size of 100 and a parallelization factor of 1. The developer notices that the function is processing records slowly, and the iterator age is increasing. CloudWatch Logs show that the function is not experiencing errors or throttling, but the execution time per invocation is close to the 5-minute timeout. The stream has 10 shards. What is the most cost-effective way to increase processing throughput?

A. Increase the batch size to 1000
B. Increase the parallelization factor to 10
C. Increase the memory of the Lambda function
D. Split the stream into more shards
Answer: B

The parallelization factor determines the number of concurrent Lambda invocations per shard. Increasing it allows multiple invocations to process records from the same shard simultaneously, dramatically increasing throughput without additional shard costs.

Why this answer

Increasing the parallelization factor to 10 allows each shard to be processed by up to 10 concurrent Lambda invocations, which directly increases throughput without additional shard costs. Since the function is not throttled or erroring, the bottleneck is the per-invocation processing time; parallelization reduces the iterator age by processing multiple batches per shard simultaneously.

Exam trap

The trap here is that candidates often assume increasing shards is the only way to scale Kinesis processing, but the parallelization factor is a cost-effective Lambda-specific tuning knob that increases concurrency without additional shard costs.

How to eliminate wrong answers

Option A is wrong because the batch size is already 100, and increasing it to 1000 would likely cause the function to exceed the 5-minute timeout even more, as it would need to process more records per invocation, worsening the iterator age. Option C is wrong because increasing memory may reduce execution time for CPU-bound tasks, but the logs show the function is close to timeout, not CPU-bound, and memory increases cost without guaranteed throughput improvement for I/O-bound Kinesis processing. Option D is wrong because splitting the stream into more shards increases AWS costs and complexity, and the existing 10 shards are not fully utilized due to the parallelization factor of 1; adding shards does not address the per-shard concurrency bottleneck.

91
MCQ · easy

A company requires that all objects uploaded to an Amazon S3 bucket are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The developer wants to enforce this with a bucket policy. Which condition key and value should be used in the policy to deny uploads that do not meet this requirement?

A. s3:x-amz-server-side-encryption equals AES256
B. s3:x-amz-server-side-encryption-aws-kms-key-id equals alias/aws/s3
C. aws:SecureTransport equals true
D. s3:object-lock-mode equals GOVERNANCE
Answer: A

Correct. This condition ensures that the request includes the header specifying SSE-S3 encryption.

Why this answer

Option A is correct because the condition key `s3:x-amz-server-side-encryption` with value `AES256` directly checks that the request header `x-amz-server-side-encryption` is set to `AES256`, which is the required value for SSE-S3. By using this condition in a bucket policy with a Deny effect, any upload that does not include this header or includes a different value (e.g., `aws:kms`) will be rejected, enforcing server-side encryption with Amazon S3 managed keys.

Exam trap

The trap here is that candidates often confuse the condition key for SSE-S3 (`s3:x-amz-server-side-encryption` with value `AES256`) with the condition key for SSE-KMS (`s3:x-amz-server-side-encryption-aws-kms-key-id`), or mistakenly think `aws:SecureTransport` enforces encryption at rest instead of in transit.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` is used to enforce a specific KMS key ID for SSE-KMS, not for SSE-S3; using `alias/aws/s3` would require SSE-KMS, not SSE-S3. Option C is wrong because `aws:SecureTransport` checks whether the request uses HTTPS (TLS), which enforces encryption in transit, not encryption at rest. Option D is wrong because `s3:object-lock-mode` is used to enforce S3 Object Lock governance mode, which prevents object deletion or overwrite, and has nothing to do with encryption at rest.

92
MCQ · easy

A developer needs to allow an Amazon EC2 instance to send messages to an Amazon SQS queue. What is the most secure way to grant this access?

A. Create a bucket policy on S3 to allow EC2 to access SQS
B. Use a resource-based policy on the SQS queue allowing the EC2 instance's security group
C. Assign an IAM role to the EC2 instance with permissions to send messages to SQS
D. Create an IAM user and store the credentials in the application configuration file
Answer: C

Using an IAM role grants temporary credentials via instance metadata, which is secure.

Why this answer

The most secure approach is to assign an IAM role to the EC2 instance with a policy that allows sqs:SendMessage for the queue. This avoids hardcoding credentials.

93
MCQ · easy

A developer is using Amazon DynamoDB for a new application. The developer wants to reduce read latency. Which design pattern should the developer use?

A. Create a global secondary index (GSI) for the table.
B. Increase the provisioned read capacity units (RCUs) for the table.
C. Use DynamoDB Global Tables to replicate data to multiple regions.
D. Use DynamoDB Accelerator (DAX) as a cache for frequently read items.
Answer: D

DAX provides microsecond read latency.

Why this answer

DynamoDB Accelerator (DAX) is an in-memory cache designed specifically for DynamoDB, providing microsecond read latency for frequently accessed items. By caching read-heavy workloads, DAX offloads requests from the DynamoDB table, reducing read latency without requiring application-level caching logic. This directly addresses the developer's goal of reducing read latency.

Exam trap

The trap here is that candidates often confuse increasing provisioned capacity (Option B) with reducing latency, when in fact it only increases throughput, while DAX (Option D) directly addresses latency by caching reads in memory.

How to eliminate wrong answers

Option A is wrong because a Global Secondary Index (GSI) provides an alternative query pattern or sort key, but does not inherently reduce read latency; it may even add latency due to asynchronous replication. Option B is wrong because increasing provisioned read capacity units (RCUs) improves throughput (handling more requests per second) but does not reduce per-request latency, as DynamoDB's read latency is already low and consistent regardless of RCU level. Option C is wrong because DynamoDB Global Tables replicate data across regions for disaster recovery and low-latency reads in remote regions, but for a single-region application, it adds complexity and cost without reducing local read latency.

94
MCQ · medium

The above CloudWatch alarm is configured for an EC2 instance. The alarm state is 'INSUFFICIENT_DATA' and has been for 2 days. Which of the following is the most likely cause?

A. The EC2 instance is stopped
B. The alarm period and evaluation periods are misconfigured
C. The CloudWatch agent is not installed on the EC2 instance
D. The threshold is set too high for the metric
Answer: C

CPUUtilization for EC2 is available by default, but if the instance is not sending metrics due to missing agent or permissions, data will be absent.

Why this answer

Option C is correct because INSUFFICIENT_DATA means the metric data is not available. The most common reason is that the CloudWatch agent is not installed or configured to send the CPUUtilization metric. Option A is wrong because the instance is running, but that doesn't guarantee metric data.

Option B is wrong because if the alarm period and evaluation periods are correct, the alarm would evaluate to OK or ALARM if data existed. Option D is wrong because the threshold is not the issue; the issue is lack of data.

95
MCQ · medium

A company is running a monolithic application on an EC2 instance. The application currently stores session state in local memory on the instance. The company plans to scale the application horizontally by adding more instances behind a load balancer. What change is required to ensure that session state is preserved across requests?

A. Store session data in Amazon S3 and retrieve it on each request.
B. Increase the EC2 instance size to handle more sessions per instance.
C. Use Amazon ElastiCache to store session state externally.
D. Use an Amazon RDS database to store session state.
Answer: C

ElastiCache provides a fast, in-memory session store that can be accessed by all instances.

Why this answer

Option C is correct: using ElastiCache (Redis or Memcached) provides a centralized, scalable session store accessible from all instances. Option A is wrong because S3 is not designed for low-latency session storage.

Option D is wrong because RDS is a relational database, which can work but is not optimized for session storage. Option B is wrong because increasing instance size does not enable session sharing across instances.

96
MCQ · hard

An application uses an Amazon SQS queue to decouple microservices. The producer is sending messages, but the consumer is not processing them. The consumer is an Auto Scaling group of EC2 instances. The SQS queue's ApproximateNumberOfMessagesVisible metric is increasing. What is the MOST likely cause?

A. The SQS queue policy denies access to the consumer.
B. The consumer instances are not polling the SQS queue.
C. The visibility timeout is set too low.
D. The SQS queue has a dead-letter queue configured.
Answer: B

If consumers are not polling, messages accumulate in the queue.

Why this answer

Option B is correct because if the number of visible messages is increasing, the consumer is not polling or processing fast enough. Option D is wrong because the DLQ would receive messages after the max receive count is exceeded, but the visible messages are increasing, indicating messages are not being consumed. Option C is wrong because a visibility timeout that is too short would cause messages to reappear after being processed, but the visible count would not increase continuously.

Option A is wrong because the queue is receiving messages, so permissions are likely correct.

97
Multi-Select · medium

A company is deploying a Node.js application on AWS Elastic Beanstalk. The application uses environment variables for configuration. The development team wants to ensure that the environment variables are not exposed in the source code or in the deployment logs. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A. Enable detailed logging for the Elastic Beanstalk environment and filter out sensitive data.
B. Set environment variables using Elastic Beanstalk environment properties in the console.
C. Store sensitive environment variables in AWS Systems Manager Parameter Store and retrieve them at runtime.
D. Use AWS Secrets Manager to manage secrets and reference them in the application code.
E. Embed the environment variables in the application package as a .env file.
Answers: C, D

Parameter Store keeps secrets encrypted and separate from code.

Why this answer

Options C and D are correct: using AWS Systems Manager Parameter Store or Secrets Manager to store environment variables and retrieving them at runtime prevents exposure. Option B (environment properties) stores them in plaintext in the environment configuration. Option A (logging) is not relevant.

Option E (environment variables in source) is bad practice.

98
MCQ · medium

A developer deployed a new version of an AWS Lambda function using the AWS CLI update-function-code command. The function uses environment variables to store database credentials. After the update, the function returns errors indicating it cannot connect to the database. What is the MOST likely cause?

A. The function ARN changed after the update.
B. The database credentials are encrypted but the function cannot decrypt them.
C. The environment variables were not set in the new version.
D. The function's IAM role was changed during the update.
Answer: C

update-function-code resets environment variables; they need to be set again.

Why this answer

Option C is correct because update-function-code does not preserve environment variables; they are reset. Option D is wrong because the function code is updated, not the IAM role. Option B is wrong because environment variables are not encrypted by default, but that wouldn't cause a connection failure.

Option A is wrong because the function ARN doesn't affect environment variables.

99
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The developer wants to perform a blue/green deployment to minimize downtime. The developer creates a new environment and deploys the new version. After verifying the new environment is healthy, the developer needs to swap the URLs so that traffic is routed to the new environment. Which AWS Elastic Beanstalk feature should the developer use?

A. Use the 'Swap environment URLs' feature in the Elastic Beanstalk console.
B. Delete the old environment and update the DNS record to point to the new environment.
C. Use Amazon Route 53 weighted routing policies to shift traffic.
D. Change the environment's CNAME to point to the new environment.
Answer: A

This swaps the URLs between two environments.

Why this answer

Option A is correct because Elastic Beanstalk's 'Swap environment URLs' feature swaps the CNAME records between two environments. Option C is wrong because Route 53 weighted routing is not managed by Elastic Beanstalk. Option D is wrong because the environment URL cannot be changed manually.

Option B is wrong because updating DNS manually is not recommended and is not a built-in feature.

100
MCQ · hard

An organization has a Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5. The SQS queue has a visibility timeout of 30 seconds. The Lambda function takes an average of 45 seconds to process each message. What is the likely behavior of this setup?

A. The Lambda function will be throttled due to reserved concurrency.
B. The Lambda function will process messages successfully with no issues.
C. Messages will be processed multiple times because they become visible again before the function completes.
D. The Lambda function will automatically increase its processing speed.
Answer: C

Visibility timeout expires, making messages visible again.

Why this answer

Option C is correct because the Lambda function takes longer than the visibility timeout, causing messages to become visible again before processing completes. This leads to duplicate processing. Option D is wrong because Lambda will still process the message at its normal speed even if it takes longer.

Option A is wrong because the reserved concurrency limit may cause throttling but not duplication. Option B is wrong because messages are not deleted until the function completes, so they become visible again.

101
MCQmedium

A team is deploying a containerized application on Amazon ECS using Fargate. The application requires high availability and must be deployed across multiple Availability Zones. The team wants to automate the deployment process using AWS CodePipeline. What is the most efficient way to update the ECS service with a new task definition?

A.Use the ECS deploy action in CodePipeline with the 'Immediate' deployment option to update the service.
B.Use an AWS Lambda function that calls the ECS UpdateService API with the new task definition.
C.Use the AWS Management Console to update the ECS service with the new task definition.
D.Use AWS CloudFormation to update the ECS service by updating the stack with the new task definition.
AnswerA

CodePipeline natively supports ECS deployments with minimal configuration.

Why this answer

Option A is correct because CodePipeline's ECS deploy action with the 'Immediate' deployment option updates the ECS service to use the new task definition without downtime. Option C is wrong because manually updating the service in the console is not automated. Option D is wrong because using CloudFormation to update the stack is possible but less efficient for frequent updates.

Option B is wrong because having a Lambda function update the service requires custom code and is more complex.

102
MCQhard

A developer is using AWS CodePipeline with multiple actions in a stage. The pipeline has a build action that produces artifacts, followed by a deploy action. The developer wants to ensure that if the deploy action fails, the pipeline stops and does not continue to the next stage. How can they achieve this?

A.Configure the deploy action to 'Abort' on failure.
B.Set the runOrder for the deploy action to 'Blocked'.
C.No additional configuration is needed; the pipeline stops on failure by default.
D.Set the pipeline's execution mode to 'PARALLEL'.
AnswerC

CodePipeline stops by default when an action fails.

Why this answer

Option C is correct because, by default, if an action fails the pipeline stops and does not proceed to the next stage; no additional configuration is needed. Option B is incorrect because there is no 'Blocked' runOrder setting.

Option A is incorrect because 'Abort' is not a pipeline action configuration. Option D is incorrect because the pipeline already stops on failure by default, so no execution-mode change is needed.

103
Multi-Selecteasy

A developer is building a REST API using API Gateway and Lambda. The API must be secured using a Lambda authorizer. Which THREE steps are necessary to implement the Lambda authorizer? (Choose THREE.)

Select 3 answers
A.Configure the API Gateway method to use the Lambda authorizer.
B.Return a JSON Web Token (JWT) from the authorizer function.
C.Create a Lambda function that validates the token and returns an IAM policy.
D.Grant API Gateway permission to invoke the Lambda authorizer function.
E.Generate an API key and distribute it to clients.
AnswersA, C, D

Associate the authorizer with the API method.

Why this answer

Options A, C, and D are correct. Option E is wrong because an API key is not required for a Lambda authorizer. Option B is wrong because the authorizer returns an IAM policy, not a token.

104
MCQhard

A company runs a containerized web application on Amazon ECS with Fargate launch type. The application experiences intermittent HTTP 503 errors. The ECS service auto-scales based on CPU, but the errors persist. What is the most likely cause and solution?

A.The ALB health check interval is too short; increase the health check interval.
B.The CPU threshold is too low; increase the target value to 80%.
C.The ALB idle timeout is too low; increase it to 300 seconds.
D.The cluster does not have enough EC2 instances; add more instances.
AnswerA

Short intervals cause healthy containers to be marked unhealthy, leading to 503 errors.

Why this answer

Option A is correct because 503 errors from the ALB suggest targets are failing health checks; increasing the health check interval gives targets more time to become healthy. Option B is wrong because raising the CPU threshold would reduce scaling, worsening the errors.

Option D is wrong because Fargate does not use a cluster of EC2 instances. Option C is wrong because the errors are 503, not 504 (gateway timeout), so the idle timeout is not the cause.

105
MCQhard

A developer is designing a serverless application that processes user-uploaded images. The images are uploaded to an S3 bucket, which triggers a Lambda function to create a thumbnail and store metadata in DynamoDB. The thumbnail creation is CPU-intensive and can take up to 10 seconds. The developer wants to minimize costs and ensure that the thumbnail is created as soon as possible. Which approach should the developer choose?

A.Use AWS Step Functions to orchestrate the Lambda function and DynamoDB update.
B.Use an ECS Fargate task to process the images, triggered by S3 events.
C.Use S3 event notifications to directly invoke the Lambda function.
D.Use an SQS queue between S3 and Lambda to buffer requests.
AnswerC

Direct invocation is the simplest, with minimal latency and cost.

Why this answer

Option C is correct because Lambda can handle CPU-intensive tasks, and using the S3 event to directly trigger Lambda is the simplest and most cost-effective approach. Option A is incorrect because Step Functions add cost and complexity. Option D is incorrect because SQS introduces latency and cost.

Option B is incorrect because ECS requires provisioning and management, increasing complexity and cost compared to Lambda.

106
Multi-Selecthard

A developer is using AWS CodePipeline to deploy a web application. The pipeline has a source stage from GitHub and a deploy stage to Elastic Beanstalk. The deploy stage fails with the error 'The S3 bucket does not allow access to the artifact'. Which THREE actions could resolve this issue?

Select 3 answers
A.Specify a different artifact bucket in the pipeline configuration.
B.Add a bucket policy that grants the pipeline's service role access to the artifact bucket.
C.Ensure the pipeline's IAM role has s3:GetObject and s3:PutObject permissions on the artifact bucket.
D.If the artifact bucket is encrypted with AWS KMS, ensure the pipeline role has kms:Decrypt permission.
E.Enable versioning on the artifact bucket.
AnswersB, C, D

Bucket policy can grant cross-account access.

Why this answer

Option B: the artifact bucket may be in another account, and a bucket policy granting the pipeline's service role access allows it. Option C: the pipeline role must have s3:GetObject and s3:PutObject permissions on the bucket. Option D: if the artifact bucket is encrypted with KMS, the role needs kms:Decrypt.

Option A is wrong because the artifact bucket is already specified; the problem is access, not bucket selection. Option E is wrong because versioning is not related to access.

107
MCQhard

Refer to the exhibit. A developer has attached this resource-based policy to an S3 bucket. The Lambda function 'my-function' is still getting access denied when trying to read objects from the bucket. What is the MOST likely reason?

A.The bucket name is incorrect in the policy.
B.The condition aws:SourceArn does not match the principal's ARN because the principal is the Lambda execution role, not the function.
C.The Lambda function's execution role does not have s3:GetObject permission.
D.The policy denies s3:GetObject for the Lambda function.
AnswerB

The source ARN is the function, but the principal is the role; the condition fails.

Why this answer

Option B is correct because the `aws:SourceArn` condition in the resource-based policy expects the ARN of the principal that is making the request. However, when a Lambda function invokes an S3 operation, the principal is the Lambda execution role (e.g., `arn:aws:iam::123456789012:role/my-function-role`), not the function itself (e.g., `arn:aws:lambda:us-east-1:123456789012:function:my-function`). The condition therefore fails, causing an access denied error even though the function's ARN is listed in the policy.

Exam trap

The trap here is that candidates confuse the ARN of the Lambda function with the ARN of the Lambda execution role, assuming the `aws:SourceArn` condition should match the function ARN, when in fact it must match the principal (the role) that performs the S3 operation.

How to eliminate wrong answers

Option A is wrong because if the bucket name were incorrect, the policy would not apply to the bucket at all, but the error message specifically indicates the policy exists and is being evaluated, so the bucket name must be correct. Option C is wrong because the question states the Lambda function is getting access denied when trying to read objects, and the resource-based policy is attached to the S3 bucket; if the execution role lacked `s3:GetObject`, the error would be an authorization failure from the role side, but the policy is the one being evaluated here. Option D is wrong because the policy explicitly grants `s3:GetObject` to the Lambda function (Principal: `lambda.amazonaws.com` with `AWS:arn:aws:lambda:us-east-1:123456789012:function:my-function`), so there is no deny statement for that action.

108
MCQeasy

A developer is setting up an S3 bucket to trigger an AWS Lambda function when a new object is created. After configuring the event notification, the Lambda function is not invoked. The developer checks the Lambda resource-based policy, which is shown in the exhibit. What is the issue?

A.The policy is missing a condition that specifies the S3 bucket ARN.
B.The Action is incorrect; it should be 'lambda:Invoke' instead of 'lambda:InvokeFunction'.
C.The principal is incorrect; it should be the S3 bucket ARN.
D.The policy is missing the 'Version' field.
AnswerA

To allow S3 to invoke the function, the policy should include a condition like 'ArnLike' with the bucket ARN to prevent other buckets from triggering the function.

Why this answer

Option A is correct. The policy's syntax is valid and its principal is the s3.amazonaws.com service principal, but it lacks the Condition block that restricts which source may invoke the function: an ArnLike condition on aws:SourceArn naming the bucket ARN, commonly paired with a StringEquals condition on aws:SourceAccount naming the bucket owner's account ID.

Without that condition the policy does not tie the invocation permission to the specific bucket, which is the missing piece the question is testing.

109
Multi-Selecthard

A company is running a containerized application on Amazon ECS with Fargate. The application needs to process messages from an Amazon SQS queue. The developer must ensure that the application can scale out based on the queue depth. Which THREE steps should the developer take to implement this? (Choose THREE.)

Select 3 answers
A.Configure DynamoDB auto scaling for the application's table to handle increased load.
B.Configure an ECS Service Auto Scaling target tracking policy using the SQS queue's ApproximateNumberOfMessagesVisible metric.
C.Implement the application to delete messages from the queue after successful processing.
D.Grant the ECS task IAM role permission to poll and delete messages from the SQS queue.
E.Register the ECS tasks with an Application Load Balancer target group to distribute messages.
AnswersB, C, D

This scaling policy adjusts the number of tasks based on queue depth.

Why this answer

Options B, C, and D are correct. Option D: the task role needs permission to poll and delete messages from SQS. Option B: ECS Service Auto Scaling with a target tracking policy uses the SQS queue depth as its metric.

Option C: the application should delete messages after successful processing to avoid reprocessing. Option A is wrong because DynamoDB auto scaling addresses table capacity, not SQS queue depth. Option E is wrong because ECS tasks consuming from a queue are not registered with an ALB target group; they are launched by the ECS service.

110
MCQhard

Refer to the exhibit. A developer deploys this CloudFormation template. After deployment, the S3 bucket is created but the developer notices that the lifecycle rule does not appear in the bucket's management console. What is the most likely cause?

A.The lifecycle rule is missing the 'Prefix' property, causing it to be invalid.
B.The lifecycle rule must have a 'Transitions' property.
C.The VersioningConfiguration is incorrectly specified.
D.The bucket name contains an account ID, which is not allowed.
AnswerA

S3 lifecycle rules require a Prefix; if omitted, it defaults to empty, but some consoles may not display it.

Why this answer

Option A is correct because lifecycle rules expect the prefix to be specified; if it is omitted, the rule applies to the entire bucket but may not show in the console due to a display issue. The rule should still be active. Option C is wrong because the VersioningConfiguration is correct.

Option B is wrong because a Transitions property is not mandatory for a lifecycle rule. Option D is wrong because the bucket name only needs to be globally unique; containing an account ID is allowed.

111
Multi-Selecthard

A developer is using Amazon S3 to store sensitive data. The compliance team requires that all objects be encrypted at rest using server-side encryption with a customer-managed key (SSE-KMS). Which THREE steps must the developer take to enforce this requirement? (Choose THREE.)

Select 3 answers
A.Create an AWS KMS customer-managed key.
B.Configure the bucket ACL to require encryption.
C.Add a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
D.Enable S3 default encryption with SSE-S3.
E.Set the bucket's default encryption to SSE-KMS using the customer-managed key.
AnswersA, C, E

A customer-managed key is required for SSE-KMS.

Why this answer

Options A, C, and E are correct. Creating a KMS customer-managed key provides the key for SSE-KMS; a bucket policy can deny writes that lack the correct encryption header; setting the bucket's default encryption to SSE-KMS with that key enforces it for objects uploaded without an explicit header. Option D is wrong because default encryption with SSE-S3 does not encrypt with the customer-managed KMS key.

Option B is wrong because bucket ACLs do not control encryption.
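An added example (not from the original question bank) of the bucket policy that option C describes, extended with a second statement that pins uploads to the customer-managed key from option A. The bucket name EXAMPLE-BUCKET, the account ID 111122223333 and the key ID EXAMPLE-KEY-ID are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectUnlessSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithOtherKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    }
  ]
}
```

Two behaviours are worth knowing before deploying this. StringNotEquals on a header that is absent from the request evaluates as a match, so the first statement also denies uploads that omit the x-amz-server-side-encryption header entirely; clients must send it explicitly even when bucket default encryption is set to SSE-KMS. The second statement uses StringNotEqualsIfExists so it only fires when a client supplies a key ID and that key is not the approved one, which lets uploads fall back to the bucket's default key without being rejected.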

112
MCQmedium

A developer is deploying a serverless application using AWS CloudFormation. The stack creation fails with the error 'CREATE_FAILED: The following resource(s) failed to create: [MyLambdaFunction]'. The developer checks the CloudFormation events and sees 'Resource creation cancelled'. What is the most likely cause?

A.The Lambda function code is too large and exceeds the deployment limit.
B.The Lambda function creation timed out due to a network issue.
C.Another resource in the stack failed, triggering a rollback and cancelling the Lambda creation.
D.The Lambda function's execution role is missing permissions.
AnswerC

CloudFormation cancels creation of remaining resources when a stack rolls back.

Why this answer

CloudFormation cancels resource creation if another resource fails and the stack is set to roll back on failure. The Lambda function creation was cancelled because of that other resource failure, so Option C is correct.

Option D is wrong because the error is not specific to IAM. Option B is wrong because the Lambda function creation was cancelled, not failed due to a timeout. Option A is wrong because the error does not indicate a code size limit.

113
MCQeasy

A developer is deploying a static website to Amazon S3 and wants to use Amazon CloudFront for content delivery. The developer wants to ensure that only CloudFront can access the S3 bucket. Which S3 bucket policy should the developer use?

A.Use a bucket policy that allows access only if the Referer header matches the CloudFront distribution domain.
B.Make the bucket public and use CloudFront's default caching.
C.Grant CloudFront access by allowing the CloudFront IP address range.
D.Grant CloudFront access via an origin access identity (OAI) and restrict the bucket policy to the OAI.
AnswerD

OAI ensures only CloudFront can access the bucket.

Why this answer

Option D is correct because an Origin Access Identity (OAI) is a special CloudFront user that you can associate with your distribution. By configuring the S3 bucket policy to grant access only to that OAI, you ensure that direct S3 requests are denied, and only requests routed through CloudFront can retrieve objects. This provides a secure, private origin without exposing the bucket publicly.

Exam trap

The trap here is that candidates often choose IP-based restrictions (Option C) or Referer header checks (Option A) because they seem simpler, but AWS explicitly recommends OAI for secure S3 origin access in CloudFront, and the exam tests this best practice.

How to eliminate wrong answers

Option A is wrong because the Referer header can be easily spoofed by clients, so it does not provide a reliable security mechanism to restrict access exclusively to CloudFront. Option B is wrong because making the bucket public defeats the purpose of restricting access to CloudFront only, and anyone with the S3 URL can bypass CloudFront entirely. Option C is wrong because CloudFront IP address ranges are shared with other AWS services and can change without notice, making this approach both insecure and difficult to maintain; it also does not prevent direct access from other sources within the same IP range.

114
Drag & Dropmedium

Drag and drop the steps to implement a disaster recovery plan using cross-region replication for S3 in the correct order.


Why this order

First create buckets, enable versioning, configure replication rule, and set permissions.

115
MCQeasy

A developer needs to grant an IAM user access to list objects in an S3 bucket named 'app-data'. Which IAM policy statement should be used?

A.{"Effect":"Allow","Action":"s3:*","Resource":"*"}
B.{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}
C.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::app-data"}
D.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::app-data/*"}
AnswerC

ListBucket is the correct action to list objects in a bucket.

Why this answer

Option C is correct because the s3:ListBucket action is required to list the objects in an S3 bucket, and the resource ARN must specify the bucket itself (arn:aws:s3:::app-data) without a trailing /*. This grants permission to list the contents of the 'app-data' bucket, which is the exact requirement.

Exam trap

The trap here is that candidates often confuse s3:ListBucket (bucket-level action) with s3:GetObject (object-level action) or incorrectly apply the resource ARN with a trailing '/*' for bucket-level permissions.

How to eliminate wrong answers

Option A is wrong because it grants full administrative access to all S3 actions on all resources, which violates the principle of least privilege and is overly permissive for the specific task of listing objects. Option B is wrong because s3:ListAllMyBuckets lists all buckets in the account, not the objects within a specific bucket, and the resource '*' does not restrict to 'app-data'. Option D is wrong because s3:GetObject is used to retrieve an object's data, not to list objects; additionally, the resource ARN includes a trailing '/*' which refers to objects within the bucket, not the bucket itself.

116
MCQmedium

A team uses AWS CodeBuild to run automated tests. The buildspec.yaml file contains a 'pre_build' phase that sets environment variables. During a build, the build fails with "Error: Cannot find module 'express'" when running a Node.js application. The application's package.json is in the source root. What is the most likely cause?

A.The Node.js runtime version is incompatible with the express module.
B.The environment variable NODE_ENV is set to production, which skips devDependencies.
C.The buildspec does not include a command to run 'npm install' in the install or pre_build phase.
D.The package.json file is not in the source root directory.
AnswerC

Without npm install, dependencies are not installed.

Why this answer

Option C is correct because if the npm install command is missing from the buildspec, dependencies are never installed and the module cannot be found. Option D is wrong because package.json is present in the source root. Option B is wrong because the NODE_ENV variable would only affect which dependencies npm install installs; it does not cause a missing module when install never runs.

Option A is wrong because the Node.js runtime is available and the error is about a missing module, not a version incompatibility.

117
Multi-Selecthard

A developer is designing a CI/CD pipeline using AWS CodePipeline. The pipeline must deploy to multiple AWS accounts. Which THREE components are required to securely deploy across accounts?

Select 3 answers
A.The pipeline's service role must have a trust policy allowing it to assume the target account role.
B.An IAM role in the target account with permissions to deploy resources.
C.A CodeCommit repository in each account.
D.An S3 artifact bucket that the pipeline can access in the target account.
E.A customer managed KMS key to encrypt artifacts.
AnswersA, B, D

Without trust, the pipeline cannot assume the role.

Why this answer

To deploy across accounts, you need an IAM role in the target account with permissions to deploy resources (B), the pipeline's service role must be trusted to assume that role (A), and the pipeline must use an artifact bucket in the target account or grant cross-account access to it (D) to store artifacts. (E) is not required; KMS keys are optional. (C) is not needed; CodeCommit is just a source.

118
MCQhard

A developer is storing an API secret for a third-party service in AWS Secrets Manager. The secret needs to be accessed by an AWS Lambda function that runs in a VPC. The Lambda function must have the minimum required permissions. Which IAM policy statement should the developer attach to the Lambda execution role?

A.A policy that grants secretsmanager:GetSecretValue for the specific secret ARN and includes a condition for aws:SourceVpce to restrict access to the VPC endpoint
B.A policy that grants secretsmanager:GetSecretValue for all secrets in the account
C.A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for aws:SourceIp
D.A policy that grants secretsmanager:GetSecretValue for the secret and includes a condition for ec2:Vpc
AnswerA

Correct. This provides least privilege and restricts access to requests coming through the VPC endpoint.

Why this answer

Option A is correct because it grants the minimum required permission (secretsmanager:GetSecretValue) scoped to the specific secret ARN, and uses the aws:SourceVpce condition key to restrict access to the VPC endpoint used by the Lambda function. This ensures that only requests originating from the specified VPC endpoint can retrieve the secret, aligning with the principle of least privilege and the requirement that the Lambda function runs in a VPC.

Exam trap

The trap here is that candidates often confuse aws:SourceIp with VPC-based access control, not realizing that Lambda functions in a VPC use private IPs and require VPC endpoint conditions (aws:SourceVpce or aws:SourceVpc) instead of IP-based conditions.

How to eliminate wrong answers

Option B is wrong because it grants secretsmanager:GetSecretValue for all secrets in the account, which violates the principle of least privilege by allowing access to secrets beyond the intended one. Option C is wrong because aws:SourceIp is not effective for Lambda functions in a VPC, as they use private IP addresses from the VPC subnet, and the condition would not match the source IP seen by Secrets Manager (which is the VPC endpoint's private IP). Option D is wrong because ec2:Vpc is not a valid condition key for Secrets Manager; the correct condition key for VPC endpoint restrictions is aws:SourceVpce, not ec2:Vpc.
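An added example (not from the original question bank) of the least-privilege policy that option A describes, attached to the Lambda execution role. The region, the account ID 111122223333, the secret name, its `-AbCdEf` suffix and the VPC endpoint ID are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneSecretOnlyThroughVpcEndpoint",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/third-party/api-key-AbCdEf",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Secrets Manager appends a random six-character suffix to every secret ARN; if you do not want to hard-code it, the documented pattern is to end the Resource with `api-key-??????`. Because the Allow only matches requests that arrive through the named interface endpoint, a call over the public Secrets Manager endpoint (for example from anyone who assumes this role outside the VPC) finds no matching Allow and is implicitly denied, which is the property the aws:SourceVpce condition is there to provide.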

119
MCQhard

A company deploys a microservices application using AWS CloudFormation. Each microservice is deployed as a separate stack. The developer wants to pass the output values (e.g., API endpoint URLs) from one stack to another. Which CloudFormation feature should be used?

A.Custom resources with Lambda
B.Stack outputs
C.Nested stacks
D.Cross-stack references using Export and ImportValue
AnswerD

Exports allow values to be imported by other stacks.

Why this answer

Option D is correct because cross-stack references using Export and Fn::ImportValue allow you to pass outputs from one stack to another. Option C is wrong because nested stacks are for hierarchical dependencies, not independent stacks. Option B is wrong because Outputs alone are not automatically available to other stacks.

Option A is wrong because custom resources are for custom logic, not simple value passing.

120
MCQhard

A developer is building a serverless application that uses AWS Step Functions to orchestrate multiple AWS Lambda functions. The workflow involves three steps: validate input, process data, and store results. The developer notices that the workflow occasionally fails due to transient errors in the process data step. The developer wants to implement error handling so that the workflow retries the process data step up to three times with an exponential backoff. Additionally, if all retries fail, the workflow should send a notification to an Amazon SNS topic and transition to a failure state. The developer has defined the state machine in Amazon States Language (ASL). How should the developer configure the state machine?

A.Write custom retry logic inside the Lambda function code and catch exceptions there.
B.Modify the IAM execution role to allow the state machine to call SNS and then use a ResultPath to handle errors.
C.In the process data state definition, add a Retry field with MaxAttempts: 3 and BackoffRate: 2, and add a Catch field that transitions to a failure state and sends an SNS notification.
D.Add a Retry field at the workflow level and a Catch field at the workflow level.
AnswerC

This correctly implements retry with exponential backoff and a fallback on failure.

Why this answer

Option C is correct because Retry and Catch are defined within a state: Retry specifies the retry behavior, and Catch specifies what to do after retries are exhausted. Option D is incorrect because Retry and Catch cannot be defined at the workflow level; they must be per state.

Option B is incorrect because the fix belongs in the state definition, not the execution role. Option A is incorrect because the requirement can be met within the state machine without Lambda code changes.
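An added example (not from the original question bank) of the Amazon States Language configuration that option C describes: the process data state carries its own Retry and Catch, the Catch hands off to an SNS publish, and a Fail state ends the execution. The function ARNs, the topic ARN and the account ID 111122223333 are placeholders:

```json
{
  "Comment": "Added example: validate, process with retry and catch, store; not from the original page",
  "StartAt": "ValidateInput",
  "States": {
    "ValidateInput": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:validate-input",
      "Next": "ProcessData"
    },
    "ProcessData": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:process-data",
      "Retry": [
        {
          "ErrorEquals": [
            "Lambda.ServiceException",
            "Lambda.AWSLambdaException",
            "Lambda.SdkClientException",
            "Lambda.TooManyRequestsException",
            "States.TaskFailed"
          ],
          "IntervalSeconds": 2,
          "MaxAttempts": 3,
          "BackoffRate": 2
        }
      ],
      "Catch": [
        {
          "ErrorEquals": ["States.ALL"],
          "ResultPath": "$.error",
          "Next": "NotifyFailure"
        }
      ],
      "Next": "StoreResults"
    },
    "StoreResults": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:store-results",
      "End": true
    },
    "NotifyFailure": {
      "Type": "Task",
      "Resource": "arn:aws:states:::sns:publish",
      "Parameters": {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:workflow-failures",
        "Subject": "ProcessData failed after retries",
        "Message.$": "$.error.Cause"
      },
      "Next": "WorkflowFailed"
    },
    "WorkflowFailed": {
      "Type": "Fail",
      "Error": "ProcessDataFailed",
      "Cause": "ProcessData exhausted its retries"
    }
  }
}
```

With IntervalSeconds 2 and BackoffRate 2 the three retries wait 2, 4 and 8 seconds. Retrying on the listed transient Lambda errors rather than on States.ALL avoids re-running a step that failed for a deterministic reason, and ResultPath "$.error" keeps the original input alongside the error object so the notification state can read $.error.Cause. The sns:publish integration is what needs sns:Publish in the state machine's execution role, which is the only accurate part of option B.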

121
Multi-Selectmedium

A developer is creating an IAM policy to allow access to an Amazon DynamoDB table. The policy must allow the user to read and write items, but not to delete the table or modify its schema. Which TWO DynamoDB actions should be included in the policy?

Select 2 answers
A.UpdateTable
B.Scan
C.GetItem
D.DeleteTable
E.PutItem
AnswersC, E

GetItem reads a single item from the table.

Why this answer

GetItem and PutItem are the actions for reading and writing individual items. DeleteTable and UpdateTable are administrative actions that should not be allowed.

122
MCQhard

A company has a production environment using AWS Elastic Beanstalk with a multi-container Docker platform. The application consists of a PHP web server and a Redis cache, each running in separate containers. The deployment uses a rolling update policy with a batch size of 1. Recently, during deployments, some users experience intermittent 502 Bad Gateway errors for about 30 seconds. The errors occur when the old containers are terminated and new containers are not yet ready to serve traffic. The development team wants to eliminate this downtime without increasing the deployment time significantly. The team has access to modify the Elastic Beanstalk environment configuration and the Dockerrun.aws.json file. Which action should the team take to resolve the issue?

A.Increase the batch size to 2 to reduce the number of deployment cycles.
B.Configure a health check grace period in the Elastic Beanstalk environment to delay load balancer registration until the containers are healthy.
C.Change the deployment policy to 'All at once' to complete the deployment faster.
D.Reduce the health check interval on the load balancer to detect healthy instances faster.
AnswerB

Grace period prevents routing traffic to instances that are not yet healthy.

Why this answer

Option B is correct because adding a health check grace period allows the new instances to stabilize before being registered with the load balancer, preventing 502 errors. Option A is incorrect because increasing the batch size would cause more downtime. Option C is incorrect because switching to all-at-once would cause full downtime.

Option D is incorrect because reducing the health check interval makes the load balancer check more frequently, potentially routing traffic prematurely to unhealthy instances.

123
MCQmedium

A developer is debugging an AWS Lambda function that processes messages from an Amazon SQS queue. The function is failing with an error when processing certain messages. The developer wants to isolate the failed messages for later analysis without losing them. What should the developer do?

A.Publish the failed messages to an SNS topic for later processing.
B.Log the error and delete the message from the queue.
C.Increase the visibility timeout of the SQS queue.
D.Configure a dead-letter queue (DLQ) for the SQS queue.
AnswerD

DLQ captures failed messages after retries.

Why this answer

Option D is correct because a dead-letter queue (DLQ) on the SQS queue captures messages that cannot be processed, allowing the function to continue processing other messages. Option C (increase visibility timeout) does not isolate failed messages. Option B (log and delete) loses the messages.

Option A (publish to SNS) is not a standard pattern for this issue.

124
Multi-Selectmedium

A developer is building a serverless application using AWS Lambda to process images uploaded to an S3 bucket. The Lambda function needs to resize each image and store the result in another S3 bucket. Which TWO actions should the developer take to ensure the function can access the S3 buckets securely?

Select 2 answers
A.Create an IAM execution role for the Lambda function with permissions to read from the source bucket and write to the destination bucket.
B.Configure a bucket policy on the destination S3 bucket that grants the Lambda execution role s3:PutObject permission.
C.Store the AWS access key and secret key in the Lambda environment variables.
D.Assign an IAM user to the Lambda function and embed the user's access key in the function code.
E.Attach an IAM instance profile to the Lambda function.
AnswersA, B

Lambda functions require an execution role to access AWS resources.

Why this answer

Option A is correct because Lambda functions need an execution role with permissions. Option B is correct because S3 bucket policies can grant access to the Lambda function's execution role. Option D is incorrect because Lambda functions do not use IAM users.

Option E is incorrect because instance profiles are for EC2, not Lambda. Option C is incorrect because Lambda does not use long-term access keys directly.

125
MCQhard

A developer is deploying a Node.js application on AWS Lambda. The function uses the 'axios' library to call an external API. After deployment, the function times out after 3 seconds. The external API response time is normally under 500 ms. What should the developer do to resolve this issue?

A.Increase the Lambda function timeout to 10 seconds.
B.Increase the Lambda function reserved concurrency.
C.Remove the Lambda function from the VPC.
D.Increase the Lambda function memory to 1024 MB.
AnswerA

Default timeout is 3 seconds; external API may occasionally take longer.

Why this answer

Option A is correct because Lambda's default timeout is 3 seconds; increasing it allows the function to wait for the API response. Option B is wrong because reserved concurrency affects concurrency, not the timeout. Option C is wrong because VPC placement does not change the timeout; removing the function from the VPC does not fix it.

Option D is wrong because increasing memory does not affect timeout.

126
MCQeasy

A developer needs to grant least-privilege access to a Lambda function to write logs to CloudWatch Logs. Which IAM policy effect should be used?

A.Always allow
B.Allow
C.Deny
D.Revoke
AnswerB

Allow grants the specified permissions.

Why this answer

Option B is correct because the policy should explicitly allow the necessary actions. Option A is wrong because 'Always allow' is not an IAM policy effect; Allow is the correct effect. Option C is wrong because Deny is used to explicitly deny access.

Option D is wrong because Revoke is not an IAM policy effect.

127
MCQmedium

A company is using AWS CodeCommit for source control. Developers need to access the repository from their local machines. Which authentication method is recommended for secure access?

A.Use IAM user name and password for Git credentials.
B.Use IAM access key and secret key for authentication.
C.Use Amazon Cognito user pools for authentication.
D.Generate and use SSH keys paired with an IAM user.
AnswerD

SSH keys are secure and recommended for CodeCommit.

Why this answer

Option D is correct because SSH keys provide secure access without storing credentials on the machine. Option A is wrong because the IAM user password is for console access, not Git. Option B is wrong because access keys are long-term credentials and less secure.

Option C is wrong because Cognito is for end-user authentication, not developers.

128
MCQeasy

A developer notices that an S3 bucket configured for static website hosting returns 403 Forbidden errors when accessed from a browser. The bucket policy allows s3:GetObject for principal "*" but only over HTTPS. What is the MOST likely reason for the error?

A.The requester is not authenticated with AWS IAM.
B.The bucket policy denies s3:GetObject for anonymous principals.
C.The request was sent over HTTP instead of HTTPS.
D.The S3 bucket website endpoint does not support HTTPS.
AnswerC

The bucket policy condition requires HTTPS; HTTP requests are denied.

Why this answer

Option C is correct because the bucket policy condition requires HTTPS, but the browser may have used HTTP. Option A is wrong because the bucket policy does not require authentication. Option B is wrong because the bucket policy explicitly allows GetObject.

Option D is wrong because the website endpoint does not support HTTPS by default.

129
MCQeasy

A developer deployed a web application using AWS Elastic Beanstalk. The application uses an RDS MySQL database. After a recent deployment, the application's health status turned from 'Ok' to 'Severe'. The developer checks the environment events and sees that the database connection is failing. The RDS instance is in the same VPC and security group. The developer confirms that the database endpoint and credentials are correct. What is the MOST likely cause of the connection failure?

A.The security group for the Elastic Beanstalk environment no longer allows outbound traffic to the RDS database port.
B.The RDS database endpoint changed after the deployment.
C.The RDS instance is not publicly accessible.
D.The application code is failing to start due to a bug.
AnswerA

A deployment can modify security group rules, blocking the connection.

Why this answer

Option A is correct because a recent deployment may have changed the environment's security group configuration, removing or modifying the security group rule for the database port. Option B is wrong because the database endpoint is correct. Option C is wrong because the RDS instance is in the same VPC, so it is not an internet routing issue.

Option D is wrong because the application is failing to connect, not failing to start.

130
MCQeasy

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a source stage that uses Amazon S3. The developer updates a file in the S3 bucket, but the pipeline does not start automatically. What is the MOST likely cause?

A.The IAM role for CodePipeline does not have s3:GetObject permission.
B.The pipeline is configured to use polling instead of event-based triggers.
C.Amazon S3 versioning is not enabled on the bucket.
D.AWS CloudTrail is not enabled.
AnswerC

CodePipeline uses S3 event notifications which require versioning.

Why this answer

Option C is correct because S3 source actions require versioning to be enabled to detect changes. Option A is wrong because IAM permissions are separate from the detection mechanism. Option B is wrong because polling is not the default method.

Option D is wrong because CloudTrail is not required.

131
MCQeasy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application needs to store and retrieve session data. The session data has a TTL of 30 minutes. Which DynamoDB feature should the developer use to automatically delete expired items?

A.Use DynamoDB Streams to capture expired items and trigger a Lambda function for deletion.
B.Use DynamoDB Time to Live (TTL) to set an expiry time attribute that DynamoDB automatically deletes when the TTL is reached.
C.Use DynamoDB Global Tables to replicate data to another region and then set a TTL on the replica.
D.Use DynamoDB Accelerator (DAX) to cache the data and expire it based on a cache TTL.
AnswerB

DynamoDB TTL automatically deletes items after the specified expiry timestamp without any additional cost or custom code. This is the best option for automatic expiration of session data.

Why this answer

DynamoDB Time to Live (TTL) is the correct feature because it allows you to define a per-item timestamp attribute. When that timestamp is reached, DynamoDB automatically deletes the item without any additional cost or custom code. This directly meets the requirement to automatically delete expired session data after 30 minutes.

Exam trap

The trap here is that candidates may think DynamoDB Streams can be used to detect expired items, but TTL deletions do not generate stream events, so a custom deletion mechanism would require a separate scan or query, which is inefficient and not automatic.

How to eliminate wrong answers

Option A is wrong because DynamoDB Streams capture item changes but do not trigger on TTL expirations; using a Lambda function to scan and delete expired items would be inefficient and incur unnecessary costs. Option C is wrong because Global Tables replicate data across regions for high availability and disaster recovery, not for automatic deletion based on TTL. Option D is wrong because DAX is an in-memory cache that improves read performance but does not provide automatic deletion of expired items in the underlying DynamoDB table.

132
MCQmedium

A developer is designing a system where an S3 bucket receives uploads, and each upload triggers a Lambda function to process the file. The processed output is stored in another S3 bucket. The developer notices that sometimes the same file is processed multiple times. How can this be prevented?

A.Make the Lambda function idempotent by checking if the object has already been processed using a DynamoDB table.
B.Use an SQS FIFO queue as the event destination and enable content-based deduplication.
C.Enable S3 bucket replication to another bucket and trigger Lambda from the replica.
D.Enable S3 bucket versioning and use 's3:ObjectCreated:Put' events.
AnswerA

Idempotency ensures that duplicate events do not cause duplicate processing.

Why this answer

Option A is correct because enabling S3 event notifications with the 's3:ObjectCreated:*' event type and ensuring the Lambda function is idempotent (e.g., using the object key as a unique identifier) prevents duplicate processing. Option B is wrong because SQS FIFO queues can deduplicate messages, but S3 event notifications do not support FIFO queues. Option C is wrong because S3 does not have a deduplication feature for events; replicating to another bucket does not remove duplicates.

Option D is wrong because versioning does not prevent duplicate events.
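An added Python example, not code from the question bank, showing the idempotency guard this question describes together with the TTL attribute from question 131: the handler claims a per-upload marker with a conditional write (DynamoDB's `attribute_not_exists(pk)` semantics) before doing any work, stamps it with an `expires_at` epoch so a DynamoDB TTL setting can expire it, and releases the claim if processing fails so a retry can redo the work. `InMemoryTable`, `resize_image` and the sample event are constructed stand-ins so the code runs offline; the record field names (`eventName`, `s3.bucket.name`, `s3.object.key`, `eTag`, `versionId`) follow the S3 notification format.

```python
"""Idempotent handling of S3 ObjectCreated notifications delivered to Lambda.

Added example, not the question bank's code. InMemoryTable stands in for a
DynamoDB table (constructed); the conditional write mirrors
PutItem + ConditionExpression="attribute_not_exists(pk)".
"""
import time


class InMemoryTable:
    """Stand-in for a DynamoDB table exposing only the two calls the handler needs."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, item):
        # PutItem with ConditionExpression="attribute_not_exists(pk)": False means the
        # condition failed (boto3 raises ConditionalCheckFailedException there).
        if item["pk"] in self.items:
            return False
        self.items[item["pk"]] = item
        return True

    def delete(self, pk):
        self.items.pop(pk, None)


def dedup_key(record):
    """One key per distinct upload, not per object key.

    A re-upload of the same key is new work and carries a new eTag/versionId; a
    redelivered notification for the same upload repeats the same values.
    """
    s3 = record["s3"]
    obj = s3["object"]
    return f"{s3['bucket']['name']}/{obj['key']}#{obj.get('versionId') or obj['eTag']}"


def resize_image(bucket, key):
    # Constructed stand-in for the real work; returns the destination key it would write.
    return f"resized/{key}"


def handler(event, table, ttl_seconds=30 * 60, now=None):
    """Process each ObjectCreated record at most once; return what was produced."""
    now = int(time.time() if now is None else now)
    produced = []
    for record in event["Records"]:
        if not record["eventName"].startswith("ObjectCreated:"):
            continue
        # expires_at is the attribute a DynamoDB TTL setting would be pointed at (Q131)
        marker = {"pk": dedup_key(record), "expires_at": now + ttl_seconds}
        if not table.put_if_absent(marker):
            continue  # duplicate delivery: this upload has already been claimed
        try:
            produced.append(resize_image(record["s3"]["bucket"]["name"],
                                         record["s3"]["object"]["key"]))
        except Exception:
            table.delete(marker["pk"])  # release the claim so a retry can redo the work
            raise
    return produced


def sample_event():
    """Constructed notification in the shape S3 sends, delivered twice."""
    record = {
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "uploads-bucket"},
               "object": {"key": "uploads/cat.jpg", "eTag": "etag-0001"}},
    }
    return {"Records": [record, dict(record)]}


if __name__ == "__main__":
    table = InMemoryTable()
    print(handler(sample_event(), table))  # ['resized/uploads/cat.jpg']
    print(handler(sample_event(), table))  # []  (both records already claimed)
```

The marker is claimed before the work rather than after so that two concurrent invocations for the same delivery cannot both pass the check; the `delete` on failure is what keeps a crashed first attempt from permanently suppressing the retry.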

133
Multi-Selecthard

A developer is using AWS CodeDeploy to deploy an application to an Amazon EC2 Auto Scaling group. The deployment fails because the CodeDeploy agent on the instances is not running. Which TWO steps should the developer take to resolve this issue? (Choose TWO.)

Select 2 answers
A.Attach an IAM role to the instances that allows CodeDeploy actions.
B.Install the CodeDeploy agent on the instances.
C.Start the CodeDeploy agent service on the instances.
D.Reboot the instances.
E.Add a script in the Auto Scaling group's launch configuration user data to install the agent.
AnswersB, C

Agent must be installed to run.

Why this answer

Options B and C are correct. B: Installing the agent ensures it's present. C: Starting the agent makes it operational.

Option A is wrong because IAM roles are necessary but don't start the agent. Option D is wrong because restarting the instance may not start the agent if it's not installed. Option E is wrong because user data runs at launch, not on existing instances.

134
MCQmedium

A company uses CodePipeline to deploy a web application to Elastic Beanstalk. The deployment fails at the Build stage with an error 'BUILD FAILED'. Which step should the developer take first to troubleshoot?

A.Review the buildspec.yml file for syntax errors
B.Verify the CodeDeploy application revision
C.Examine the Elastic Beanstalk environment logs
D.Check AWS CloudTrail for API calls
AnswerA

The buildspec.yml defines build commands; errors there cause build failure.

Why this answer

The error 'BUILD FAILED' indicates an issue during the build phase. The buildspec.yml file defines the build commands. Checking it is the first logical step.

Option A is correct because the buildspec.yml is the configuration for CodeBuild. Option B (CodeDeploy) is for deployment, not build. Option C (Elastic Beanstalk logs) is for runtime, not build.

Option D (CloudTrail) is for API auditing, not build errors.

135
Multi-Selectmedium

A developer is using AWS CodePipeline to automate the deployment of a microservices application. The pipeline consists of a source stage (GitHub), a build stage (AWS CodeBuild), and a deploy stage (Amazon ECS). The developer wants to ensure that only approved changes are deployed to production. Which THREE actions should the developer take? (Choose THREE.)

Select 3 answers
A.Configure the pipeline to automatically deploy every commit to production.
B.Deploy all feature branches directly to production.
C.Add a manual approval step before the deploy stage.
D.Use separate pipelines for different environments (e.g., dev, staging, prod).
E.Implement integration tests in the build stage to catch errors early.
AnswersC, D, E

Manual approval ensures human review.

Why this answer

Options C, D, and E are correct. Manual approval gates, separate pipelines, and integration testing are best practices. Option A is wrong because automatic deployment bypasses approval.

Option B is wrong because deploying all branches to production is risky.

136
Drag & Dropmedium

Drag and drop the steps to set up a CI/CD pipeline using AWS CodePipeline in the correct order.

Why this order

First set up artifact storage, then source repository, build project, deployment target, and finally the pipeline.

137
Multi-Selectmedium

A developer is building a RESTful API using AWS Lambda and Amazon API Gateway. The API will be accessed by external customers. The developer needs to implement authentication and authorization. Which THREE steps should the developer take to secure the API? (Choose three.)

Select 3 answers
A.Use Amazon Cognito user pools for user authentication and to generate JWT tokens.
B.Configure the API to use AWS IAM roles for authentication by passing the role ARN in the request.
C.Create a Lambda authorizer that validates a JWT token from a third-party identity provider.
D.Enable Amazon Cognito as an authorizer in the API Gateway method request settings.
E.Attach a resource policy to the API Gateway that allows only specific IAM users.
AnswersA, C, D

Correct: Cognito user pools handle authentication.

Why this answer

Option A is correct because Amazon Cognito can manage user sign-up/sign-in and issue JWT tokens. Option C is correct because API Gateway can use a Lambda authorizer to validate custom tokens. Option D is correct because API Gateway can integrate with Cognito to validate tokens.

Option B is incorrect because IAM roles are for internal AWS services, not external users. Option E is incorrect because resource policies are for cross-account access, not user authentication.

138
MCQhard

A company has a legacy application that runs on an Amazon EC2 instance. The developer is tasked with containerizing the application and deploying it on Amazon ECS with Fargate. The application writes logs to a local file. What should the developer do to ensure logs are available in Amazon CloudWatch Logs?

A.Modify the application to write logs to stdout, as ECS automatically captures stdout to CloudWatch Logs.
B.Install the CloudWatch Agent inside the container and configure it to tail the log file.
C.Configure the ECS task definition to use the 'awslogs' log driver and specify the log group.
D.Mount an Amazon S3 bucket and write logs to S3, then use a Lambda function to send them to CloudWatch.
AnswerC

The awslogs log driver sends container stdout/stderr to CloudWatch Logs.

Why this answer

Option C is correct because using the awslogs log driver sends container logs to CloudWatch Logs. Option A is wrong because ECS does not send logs automatically. Option B is wrong because running the CloudWatch Agent inside the container is less efficient.

Option D is wrong because S3 is not a direct log destination.

139
Multi-Selecteasy

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The application processes user uploads stored in an S3 bucket. The developer needs to ensure that the Lambda function can read objects from the S3 bucket. Which TWO steps should the developer take to meet this requirement? (Choose two.)

Select 2 answers
A.Set the S3 bucket's object-level permissions to allow the Lambda function.
B.Use AWS Key Management Service (KMS) to grant the Lambda function access to the S3 bucket.
C.Add a bucket policy on the S3 bucket that grants access to the Lambda function's execution role.
D.Attach an IAM policy to the Lambda execution role with permissions for s3:GetObject.
E.Create an IAM user with S3 read permissions and configure the Lambda function to assume that user.
AnswersC, D

Correct: The bucket policy must allow the Lambda role.

Why this answer

Option C is correct because the S3 bucket policy must explicitly allow the Lambda function's execution role to access the objects. Option D is correct because the Lambda execution role must have an IAM policy granting s3:GetObject permission. Option A is incorrect because S3 bucket policies are evaluated at the bucket level, not the object level.

Option B is incorrect because KMS is not required for S3 access unless encryption is involved. Option E is incorrect because Lambda functions use an execution role, not an IAM user.

140
MCQhard

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout error after 30 seconds. The developer checked the Lambda logs and saw that the function is making network calls to the database but never receives a response. What is the MOST likely cause?

A.The Lambda function memory is insufficient; increase memory to 1024 MB.
B.The Lambda function timeout is set too low; increase it to 5 minutes.
C.The Lambda function is not attached to a VPC with a NAT gateway or VPC endpoints for Secrets Manager.
D.The database credentials are incorrect; the rotation function cannot authenticate.
AnswerC

Lambda needs network connectivity to both the database and Secrets Manager; without a NAT gateway or VPC endpoints, it cannot reach Secrets Manager.

Why this answer

Option C is correct because Lambda functions in a VPC require a NAT gateway or VPC interface endpoints to access the internet or AWS services outside the VPC. The database is likely in a private subnet without internet access, and the Secrets Manager endpoint might be unreachable, causing the timeout. Options A, B, and D are incorrect because increasing memory or the timeout would not solve a network connectivity issue, and incorrect credentials would produce an authentication error rather than a request that never receives a response.

141
Multi-Selecthard

Which THREE are best practices for managing IAM users and roles? (Choose three.)

Select 3 answers
A.Rotate IAM user access keys periodically.
B.Grant least privilege permissions.
C.Use IAM roles for EC2 instances instead of storing access keys.
D.Use the root account for daily administrative tasks.
E.Assign full administrator access to all users.
AnswersA, B, C

Limits exposure of compromised keys.

Why this answer

Options A, B, and C are correct. Option A: Rotating access keys regularly reduces risk. Option B: Granting least privilege limits permissions. Option C: Using roles for EC2 instances is more secure than storing credentials.

Option D is wrong because using the root account for daily tasks should be avoided. Option E is wrong because IAM users should have only the permissions they need, not full administrator access.

142
MCQhard

A developer is deploying a microservices architecture on Amazon ECS with Fargate. The services need to communicate with each other using service discovery. The developer wants to use AWS Cloud Map for service discovery. Which configuration is required for the services to register and discover each other?

A.Create an Application Load Balancer and register each service as a target group.
B.Create a VPC endpoint for each service.
C.Configure Security Groups to allow traffic between services.
D.Create a Cloud Map namespace and service; then configure ECS tasks to register with the service.
AnswerD

Cloud Map provides service discovery via DNS or API.

Why this answer

Option D is correct because Cloud Map requires a namespace (either HTTP or DNS) and service resources. The ECS tasks use the Cloud Map API or DNS queries to discover services. Option A is wrong because an ALB is for load balancing, not service discovery.

Option B is wrong because VPC endpoints are for private connectivity to AWS services. Option C is wrong because Security Groups are for firewall rules, not discovery.

143
MCQhard

A developer uses CodePipeline to deploy a new task definition to an ECS service. The pipeline fails with an access denied error when updating the service. Which missing permission is the most likely cause?

A.Missing iam:PassRole permission for the task execution role used by the new task definition
B.Missing ecs:UpdateService permission for the service resource
C.Missing ecs:DescribeServices permission
D.Missing ecs:RegisterTaskDefinition permission for the new task definition
AnswerA

When updating a service, ECS needs to pass the task execution role, which requires iam:PassRole on that role.

Why this answer

The error occurs when updating the ECS service with a new task definition. The ecs:UpdateService action requires the iam:PassRole permission for the task execution role that the new task definition uses. The policy only allows iam:PassRole for a specific role, but the new task definition might reference a different role.

Option A is correct because the policy does not allow passing the specific role referenced in the new task definition. Option B is incorrect because ecs:UpdateService is allowed. Option C is incorrect because describe is allowed.

Option D is incorrect because the policy places no condition on that action.

144
MCQeasy

A developer is writing an AWS Lambda function that processes files uploaded to an S3 bucket. The function should only be triggered when a new object is created in a specific subfolder (e.g., /uploads/). Which S3 event notification configuration should the developer use?

A.Configure the event notification with a prefix filter set to 'uploads/' and event type 's3:ObjectCreated:*'.
B.Configure a single event notification for all objects and filter on the prefix inside the Lambda function.
C.Configure the event notification using object tags to filter events.
D.Use AWS CloudTrail to detect S3 PutObject events and trigger Lambda.
AnswerA

This ensures only objects created under the 'uploads/' prefix trigger the Lambda function, minimizing unnecessary invocations.

Why this answer

Option A is correct because S3 event notifications support prefix filtering, which allows you to specify a key prefix (e.g., 'uploads/') so that only object creation events in that subfolder trigger the Lambda function. By setting the event type to 's3:ObjectCreated:*', the function responds to all object creation operations (PUT, POST, Copy, etc.) within the filtered path, meeting the requirement precisely without unnecessary invocations.

Exam trap

The trap here is that candidates might think filtering inside the Lambda function is acceptable (Option B), but AWS best practice and the exam emphasize configuring filtering at the event source to minimize invocations and follow the principle of least privilege for triggers.

How to eliminate wrong answers

Option B is wrong because filtering on the prefix inside the Lambda function would still cause the function to be invoked for every object created in the bucket, leading to unnecessary executions and increased costs; S3 event notifications support prefix filtering natively, so this should be configured at the event source level. Option C is wrong because S3 event notifications do not support filtering by object tags; tag-based filtering is not a feature of S3 event notifications, and tags are not evaluated during event generation. Option D is wrong because AWS CloudTrail is not designed for real-time event-driven triggers; it logs API calls with a delay and is intended for auditing, not for invoking Lambda functions in response to S3 object creation events.

145
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application includes an AWS Lambda function that is triggered by an S3 bucket event when an object is created. The developer wants to ensure that the Lambda function has the correct permissions to be invoked by S3. Which resource should the developer define in the SAM template?

A.AWS::Lambda::Permission
B.AWS::S3::BucketPolicy
C.AWS::Lambda::EventSourceMapping
D.AWS::IAM::Role
AnswerA

Correct. This resource explicitly grants the S3 service principal permission to invoke the Lambda function.

Why this answer

AWS::Lambda::Permission is the correct resource because it explicitly grants the S3 service principal permission to invoke the Lambda function when an object is created. In AWS SAM, this resource is automatically generated when you define an S3 event source on a Lambda function, but if you need to declare it manually or override permissions, you use AWS::Lambda::Permission with a SourceArn pointing to the S3 bucket and a SourceAccount to prevent confused deputy attacks.

Exam trap

The trap here is that candidates confuse the Lambda execution role (IAM::Role) with the invocation permission (Lambda::Permission), or mistakenly think S3 uses a bucket policy or event source mapping to trigger Lambda, when in fact S3 uses a push-based notification that requires a resource-based policy on the Lambda function.

How to eliminate wrong answers

Option B is wrong because AWS::S3::BucketPolicy controls access to the S3 bucket itself (e.g., who can read/write objects), not who can invoke a Lambda function; S3 uses a Lambda resource-based policy, not a bucket policy, to trigger invocations. Option C is wrong because AWS::Lambda::EventSourceMapping is used for poll-based event sources like DynamoDB Streams, Kinesis, or SQS, not for S3 event notifications, which are push-based and do not require an event source mapping. Option D is wrong because AWS::IAM::Role defines the execution role for the Lambda function (what the function can do), not the permissions for S3 to invoke the function; invocation permissions are handled via a resource-based policy on the Lambda function itself.

146
MCQhard

A company uses AWS Organizations with multiple accounts. A developer needs to grant an IAM user in Account A (111111111111) read-only access to an S3 bucket in Account B (222222222222). The bucket is encrypted with SSE-S3. Which combination of policies is required for cross-account access?

A.Bucket policy in Account B granting s3:GetObject to the IAM user ARN, and an IAM policy in Account A allowing s3:GetObject.
B.Bucket policy in Account B granting s3:GetObject to Account A's root user ARN, and an IAM policy in Account A allowing s3:GetObject.
C.Bucket policy in Account B granting s3:GetObject to the IAM user ARN, and no IAM policy in Account A is needed.
D.IAM policy in Account A allowing s3:GetObject, and an S3 Access Point in Account B configured for cross-account access.
AnswerA

This combination satisfies the cross-account access requirement: the bucket policy allows the specific user, and the IAM policy permits the user to use the permission.

Why this answer

Option A is correct because cross-account S3 access requires both a bucket policy in the resource account (Account B) that explicitly grants the IAM user ARN from Account A the s3:GetObject permission, and an IAM policy in the user's account (Account A) that allows the same action. The bucket policy acts as a resource-based policy that authorizes the cross-account principal, while the IAM policy is necessary to authorize the user to make the request. SSE-S3 encryption does not require additional configuration because S3 handles decryption automatically for authorized users.

Exam trap

The trap here is that candidates often think only a bucket policy is needed for cross-account access, forgetting that the IAM user must also have an explicit allow in their own account's IAM policy to actually invoke the S3 API call.

How to eliminate wrong answers

Option B is wrong because granting access to Account A's root user ARN would allow any principal in Account A to assume root-level permissions, which is overly broad and not a best practice; the correct approach is to grant access to the specific IAM user ARN. Option C is wrong because without an IAM policy in Account A allowing s3:GetObject, the IAM user lacks the necessary permissions to initiate the request, even if the bucket policy grants access; both policies are required for cross-account access. Option D is wrong because an S3 Access Point in Account B can simplify cross-account access but still requires a bucket policy that grants access to the Access Point, and the IAM user in Account A still needs an IAM policy allowing s3:GetObject; the Access Point alone does not eliminate the need for both policies.

147
MCQmedium

A developer attaches the IAM policy shown to a user. The user attempts to upload an object to example-bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://example-bucket/`. The upload fails. What is the MOST likely reason?

A.The user does not have permission to perform s3:PutObject on the bucket.
B.The bucket policy overrides the IAM policy and denies the request.
C.The resource ARN does not include the bucket itself.
D.The user did not specify server-side encryption in the request.
AnswerD

The condition requires SSE with AES256.

Why this answer

Option D is correct because the policy requires the `x-amz-server-side-encryption` header to be set to AES256, but the CLI command does not specify SSE. Option A is wrong because the action is allowed. Option C is wrong because the resource allows all objects.

Option B is wrong because the bucket policy is not shown.
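An added Python model of IAM policy evaluation, not code from the question bank, that reproduces the outcomes behind questions 128, 143, 146 and 147: an explicit Deny wins, an applicable Allow is required, a condition whose key is absent from the request does not match, and cross-account access needs an Allow from both the caller's identity policy and the bucket policy. The evaluator, the policies, the ARNs, the bucket names and the account IDs are constructed assumptions; the question 147 policy is reconstructed from the explanation's statement that the condition requires AES256, since the page does not reproduce the policy itself.

```python
"""Minimal model of IAM policy evaluation (added example, not the question bank's
code). Only the operators the questions rely on are modelled; every policy,
ARN and account ID below is a constructed sample value.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource wildcards ('*', '?'); fnmatch lets '*' span '/' as IAM does
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """StringEquals and Bool only; a key missing from the request context fails both."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            wanted = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and str(actual) in wanted
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, context):
    return (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(action, resource, context, identity_policy=None, resource_policy=None,
             same_account=True):
    """Return 'ALLOW' or 'DENY'. Principal matching is not modelled: a resource policy
    passed in is assumed to be the statements that name the caller (or '*')."""
    allowed = {"identity": False, "resource": False}
    for side, policy in (("identity", identity_policy), ("resource", resource_policy)):
        for stmt in (policy or {}).get("Statement", []):
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"  # explicit Deny always wins
            allowed[side] = True
    if same_account:  # within one account either policy can grant access
        return "ALLOW" if allowed["identity"] or allowed["resource"] else "DENY"
    return "ALLOW" if allowed["identity"] and allowed["resource"] else "DENY"


# Q147: identity policy allowing PutObject only with SSE-S3 (reconstructed; the
# policy itself is not reproduced on the page)
SSE_REQUIRED = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}

def cli_upload(sse_header=None):
    # `aws s3 cp file.txt s3://example-bucket/` sends no SSE header unless --sse is given
    ctx = {"s3:x-amz-server-side-encryption": sse_header} if sse_header else {}
    return evaluate("s3:PutObject", "arn:aws:s3:::example-bucket/file.txt", ctx,
                    identity_policy=SSE_REQUIRED)

# Q128: public website bucket policy that allows GetObject only over HTTPS
HTTPS_ONLY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

def anonymous_website_get(over_https):
    ctx = {"aws:SecureTransport": "true" if over_https else "false"}
    return evaluate("s3:GetObject", "arn:aws:s3:::example-site/index.html", ctx,
                    resource_policy=HTTPS_ONLY)  # anonymous caller: no identity policy

# Q146: cross-account read needs the identity policy in A AND the bucket policy in B
ACCOUNT_A_USER = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                 "Resource": "arn:aws:s3:::shared-bucket/*"}]}
ACCOUNT_B_BUCKET = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                   "Principal": {"AWS": "arn:aws:iam::111111111111:user/dev"},
                                   "Resource": "arn:aws:s3:::shared-bucket/*"}]}

def cross_account_get(has_identity_policy, has_bucket_policy):
    return evaluate("s3:GetObject", "arn:aws:s3:::shared-bucket/report.csv", {},
                    identity_policy=ACCOUNT_A_USER if has_identity_policy else None,
                    resource_policy=ACCOUNT_B_BUCKET if has_bucket_policy else None,
                    same_account=False)

# Q143: UpdateService is allowed, but iam:PassRole is scoped to one execution role
PIPELINE_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole"}]}

def update_service_passing(execution_role_arn):
    # Both the service update and passing the task's role must be allowed
    for action, resource in (("ecs:UpdateService", "arn:aws:ecs:us-east-1:111111111111:service/app"),
                             ("iam:PassRole", execution_role_arn)):
        if evaluate(action, resource, {}, identity_policy=PIPELINE_ROLE) == "DENY":
            return "DENY"
    return "ALLOW"
```

`cli_upload()` returns 'DENY' because the plain `aws s3 cp` request carries no `x-amz-server-side-encryption` header, so the StringEquals condition has nothing to match and the Allow never applies; `cli_upload("AES256")` returns 'ALLOW'. `update_service_passing` with a role ARN other than the one named in the policy returns 'DENY' even though `ecs:UpdateService` itself is allowed, which is the access-denied pattern question 143 describes.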

148
MCQhard

A company has a DynamoDB table with a global secondary index (GSI) for querying. The write capacity is provisioned at 1000 WCU, and the GSI has 500 WCU. During a traffic spike, writes to the table are throttled, but the GSI is not throttled. What is the MOST likely cause?

A.DynamoDB adaptive capacity is reducing the table's write capacity.
B.A hot partition in the table is exceeding its partition-level write limits.
C.The total write traffic to the table exceeds 1000 WCU.
D.The GSI is throttling writes because its write capacity is insufficient.
AnswerC

If the write traffic exceeds the provisioned 1000 WCU, the table will throttle writes regardless of the GSI capacity.

Why this answer

Option C is correct because throttling occurs when writes exceed the provisioned WCU on the table, not the GSI. Option A is wrong because adaptive capacity would mitigate throttling, not cause it. Option B is wrong because a hot partition would cause throttling on specific partitions, but the scenario describes general throttling.

Option D is wrong because GSI throttling would affect writes to the GSI, not the table.

149
MCQmedium

A web application running on EC2 instances behind an Application Load Balancer (ALB) is experiencing intermittent 503 errors. The ALB target group health checks are succeeding. Which step should the developer take FIRST to diagnose the issue?

A.Increase the number of EC2 instances in the target group.
B.Examine the ALB access logs for 503 responses.
C.Check the Route 53 record for the ALB.
D.Verify that the EC2 instances are in a running state.
AnswerB

Access logs provide details on each request and can identify patterns causing 503s.

Why this answer

Option B is correct because examining ALB access logs can reveal the response status codes and request details. Option A is wrong because increasing instances may not address the root cause. Option C is wrong because the issue is with the ALB, not DNS.

Option D is wrong because health checks succeed.

150
MCQeasy

A developer is deploying a serverless application using AWS SAM. The deployment fails with the error 'Resource creation cancelled'. What is the most likely cause?

A.The SAM template is malformed.
B.A resource in the stack failed to create.
C.The Lambda function code has a timeout.
D.The IAM role does not have sufficient permissions.
AnswerB

AWS CloudFormation cancels the creation of subsequent resources after a failure.

Why this answer

Option B is correct because 'Resource creation cancelled' typically indicates a stack failure due to a previous resource creation failure. Option A is wrong because invalid YAML causes a parse error. Option C is wrong because a timeout would cause a different error.

Option D is wrong because missing permissions cause access denied errors.
