AWS Certified Developer Associate (DVA-C02) — Questions 1426–1500

1616 questions total · 22 pages · All types, answers revealed

Page 20 of 22
1426
MCQ · hard

The developer tries to deploy this stack but receives an error: 'CREATE_FAILED: LambdaExecutionRole - Resource creation cancelled'. The Lambda function is not created. What is the most likely cause?

A. The S3 bucket is in a different region
B. The Lambda function handler name is incorrect
C. The Lambda function code is missing from the S3 bucket
D. The IAM user does not have permission to create IAM roles
Answer: D

Creation cancelled typically indicates a permissions issue.

Why this answer

'Resource creation cancelled' means CloudFormation stopped creating the resource before it completed. In this template the Lambda function depends on the role (via !GetAtt), so once the role fails the function is never created. The role itself has no dependencies, so its cancellation points to a permissions problem rather than a dependency problem.

Option D is correct because the role creation fails for lack of the iam:CreateRole permission. Option B (incorrect handler name) would produce a different error, and on the function rather than the role. Options A and C (bucket in a different region, code missing from the bucket) would affect the Lambda function, not the role.

1427
Multi-Select · hard

Which THREE AWS services are commonly used together to build a serverless event-driven architecture that processes real-time streaming data? (Choose three.)

Select 3 answers
A. Amazon Kinesis Data Streams
B. AWS Lambda
C. Amazon DynamoDB
D. Amazon SQS
E. Amazon Redshift
Answers: A, B, C

Kinesis ingests real-time streaming data.

Why this answer

Amazon Kinesis Data Streams ingests real-time data. AWS Lambda processes the data. Amazon DynamoDB stores the processed data.

Amazon SQS provides message queues, not real-time streaming. Amazon Redshift is a data warehouse, not a streaming service. AWS Step Functions orchestrates workflows but is not typically part of a basic streaming pipeline.

1428
MCQ · hard

A developer is using AWS CodeDeploy with a blue/green deployment on an Amazon ECS service running on Fargate. The developer wants to ensure that the new (green) task set is fully healthy and serving traffic before the old (blue) task set is terminated. The deployment should automatically roll back to the blue task set if the green task set fails health checks. Which configuration should the developer set in the CodeDeploy deployment group?

A. Deployment type: blue/green, with rollback configuration enabled to trigger automatic rollback and reroute traffic to the original task set
B. Deployment type: blue/green, Deployment configuration: CodeDeployDefault.ECSAllAtOnce
C. Deployment type: blue/green, Deployment configuration: CodeDeployDefault.ECSLinear10PercentEvery1Minutes
D. Deployment type: blue/green, with an Application Load Balancer
Answer: A

Correct. This configuration ensures that if the new task set fails, CodeDeploy rolls back to the previous version.

Why this answer

Option A is correct because the developer needs to configure the CodeDeploy deployment group with a blue/green deployment type and enable automatic rollback. This ensures that if the green task set fails health checks, CodeDeploy automatically terminates the green deployment and reroutes traffic back to the original blue task set, meeting the requirement for a fully healthy green task set before termination.

Exam trap

The trap here is that candidates often confuse deployment configurations (like AllAtOnce or Linear) with rollback settings, assuming that a traffic shifting strategy alone ensures health checks and automatic rollback, but rollback must be explicitly configured in the deployment group.

How to eliminate wrong answers

Option B is wrong because CodeDeployDefault.ECSAllAtOnce is a deployment configuration that shifts all traffic to the green task set immediately, which does not ensure the green task set is fully healthy before the blue task set is terminated; it also lacks automatic rollback on health check failure. Option C is wrong because CodeDeployDefault.ECSLinear10PercentEvery1Minutes is a linear traffic shifting configuration that gradually moves traffic in 10% increments every minute, but it does not automatically roll back to the blue task set if the green task set fails health checks; it only controls the traffic shift rate. Option D is wrong because while an Application Load Balancer is required for blue/green deployments on ECS, it alone does not provide the automatic rollback behavior needed; the rollback configuration must be explicitly enabled in the deployment group.

1429
MCQ · medium

A developer is troubleshooting a CloudFormation stack that fails to create. The stack includes an Auto Scaling group with a launch template. The error message says 'Value (null) for parameter groupId is invalid.' What is the MOST likely cause?

A. The launch template references a SecurityGroupId parameter that is not provided or is misspelled.
B. The Auto Scaling group does not specify a VPC subnet.
C. The Auto Scaling group's user data script contains a syntax error.
D. The launch template specifies an invalid key pair name.
Answer: A

The error indicates a null value for groupId, meaning the security group parameter is missing or not resolved.

Why this answer

The error 'Value (null) for parameter groupId is invalid' indicates that a SecurityGroupId parameter referenced in the launch template is either not provided or misspelled. CloudFormation resolves parameters at stack creation; if the parameter is missing or has a typo, it evaluates to null, causing the launch template to fail validation because a security group ID is required for the network interface.

Exam trap

The trap here is that candidates confuse a missing subnet or user data error with a parameter null value, but the specific 'groupId' error points directly to a security group parameter issue, not infrastructure or script problems.

How to eliminate wrong answers

Option B is wrong because a missing VPC subnet would cause a different error, such as 'VPCIdNotSpecified' or 'SubnetIDNotSpecified', not a null groupId parameter. Option C is wrong because a syntax error in user data would result in a script execution failure, not a parameter validation error during stack creation. Option D is wrong because an invalid key pair name would produce an error like 'InvalidKeyPair.NotFound', not a null parameter value for groupId.

1430
MCQ · easy

A developer needs to store application configuration data, such as database connection strings and API keys, for a microservices application running on Amazon ECS. The configuration must be encrypted at rest and easily auditable. Which AWS service should the developer use?

A. AWS Secrets Manager.
B. Amazon S3 with server-side encryption.
C. AWS Systems Manager Parameter Store.
D. Amazon DynamoDB with encryption at rest.
Answer: C

Parameter Store is designed for configuration management, supports encryption, and integrates with CloudTrail for auditing.

Why this answer

Option C is correct because AWS Systems Manager Parameter Store stores configuration data securely, with encryption using KMS, and provides an audit trail via CloudTrail. Option B is incorrect because S3 is not designed for parameter storage and would require additional setup for encryption and access control. Option D is incorrect because DynamoDB is a database, not a configuration store, and would add overhead.

Option A is incorrect because Secrets Manager is more expensive and is intended specifically for secrets, not general application configuration.

1431
Multi-Select · medium

A developer is configuring a Lambda function to access a DynamoDB table in a VPC. Which TWO steps are required to ensure the Lambda function can securely access DynamoDB? (Select TWO.)

Select 2 answers
A. Configure a NAT gateway in the VPC.
B. Attach the Lambda function to a VPC.
C. Create a VPC endpoint for DynamoDB in the VPC.
D. Add a route to the DynamoDB service in the subnet's route table.
E. Assign a security group to the Lambda function that allows outbound traffic to DynamoDB.
Answers: B, C

The Lambda function must be attached to the VPC to use a VPC endpoint.

Why this answer

Option B is correct because attaching the Lambda function to a VPC allows it to access resources within the VPC, such as a DynamoDB table accessed via a VPC endpoint. Without VPC attachment, the Lambda function runs outside the VPC and cannot use VPC endpoints or security groups. Option C is correct because a VPC endpoint for DynamoDB (using AWS PrivateLink) enables private connectivity between the VPC and DynamoDB without traversing the public internet, which is required for secure access from a Lambda function in the VPC.

Exam trap

The trap here is that candidates often think a NAT gateway is required for any outbound traffic from a VPC, but for AWS services like DynamoDB, a VPC endpoint provides a more secure and direct path without internet exposure.

1432
MCQ · medium

A developer is creating an IAM policy to allow a Lambda function to write logs to CloudWatch. Which policy should be attached to the Lambda execution role?

A. AWSLambdaBasicExecutionRole
B. AdministratorAccess
C. AmazonDynamoDBFullAccess
D. AmazonS3FullAccess
Answer: A

This managed policy grants the necessary CloudWatch Logs permissions.

Why this answer

The AWSLambdaBasicExecutionRole managed policy grants permissions for Lambda to write logs to CloudWatch Logs, specifically allowing the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents actions. This is the minimal set of permissions required for a Lambda function to send execution logs to CloudWatch, making it the correct choice for this use case.

Exam trap

The trap here is that candidates may mistakenly choose a broad policy like AdministratorAccess or a service-specific policy like AmazonDynamoDBFullAccess, thinking they need to grant 'full' permissions or that the Lambda function might need access to other services, when the question specifically asks only for CloudWatch logging permissions.

How to eliminate wrong answers

Option B (AdministratorAccess) is wrong because it grants full administrative permissions to all AWS services, which violates the principle of least privilege and is overly permissive for a Lambda function that only needs to write logs. Option C (AmazonDynamoDBFullAccess) is wrong because it provides full access to DynamoDB operations but does not include any CloudWatch Logs permissions, so the Lambda function would fail to write logs. Option D (AmazonS3FullAccess) is wrong because it grants full access to S3 buckets and objects but lacks the necessary CloudWatch Logs actions, making it irrelevant for logging purposes.

1433
MCQ · medium

A company is using AWS CodeCommit and wants to ensure that all commits are signed with a GPG key. What must the developer configure?

A. Ask developers to sign commits using git commit -S.
B. Configure an SSH key in the IAM user.
C. Use HTTPS with a password.
D. Create a repository policy that requires commits to be signed.
Answer: D

You can use IAM conditions or pre-receive hooks to enforce signed commits.

Why this answer

Option D is correct because AWS CodeCommit supports repository policies that can enforce commit signing using the 'refs/heads/' condition key with 'git:Signer' or 'git:CommitSigningRequired' to require that all commits pushed to the repository are signed with a valid GPG key. This policy is evaluated at push time, and if a commit is not signed, the push is rejected, ensuring compliance without relying on developer discipline.

Exam trap

The trap here is that candidates confuse client-side signing (git commit -S) with server-side enforcement, assuming that asking developers to sign commits is sufficient, when in fact only a repository policy can enforce the requirement at the AWS side.

How to eliminate wrong answers

Option A is wrong because 'git commit -S' is a client-side command that signs a commit locally, but it does not enforce signing across the repository; developers could omit the flag, and the push would still succeed. Option B is wrong because configuring an SSH key in the IAM user is used for authentication to CodeCommit (via SSH protocol), not for commit signing; GPG keys are managed separately in IAM for signing verification. Option C is wrong because using HTTPS with a password (or Git credentials) handles authentication only, not commit signing; it does not enforce or verify GPG signatures on commits.

1434
MCQ · easy

A company wants to give a third-party auditor read-only access to their AWS account for compliance purposes. What is the most appropriate way to grant this access?

A. Attach the AdministratorAccess managed policy to an IAM user.
B. Create an IAM role with the SecurityAudit managed policy and allow the auditor to assume it.
C. Create an IAM user with a custom policy that allows all actions.
D. Share the root account credentials with the auditor.
Answer: B

Least privilege and secure access.

Why this answer

Option B is correct because an IAM role with the SecurityAudit policy provides read-only access to security services and follows least privilege. Option C is wrong because creating an IAM user is less secure than a role. Option D is wrong because root account credentials should never be shared.

Option A is wrong because the AdministratorAccess policy is not read-only.

1435
MCQ · hard

A team is using AWS CodePipeline to deploy a critical application to Amazon ECS. The pipeline has a deployment stage that uses Amazon ECS (Blue/Green) action with CodeDeploy. Recently, the deployment failed because the new task set did not become healthy within the specified timeout. The team wants to ensure that future deployments automatically roll back if the health check fails. What should the team do?

A. Create a CloudWatch alarm that triggers when the healthy task count of the ECS service falls below a threshold. Configure the CodeDeploy deployment group to automatically roll back when this alarm is in ALARM state.
B. Modify the CodeDeploy deployment group to enable automatic rollback when a deployment fails. The deployment will automatically revert to the last successful deployment.
C. Increase the deployment timeout in the CodeDeploy deployment configuration to allow more time for the new task set to become healthy.
D. Configure the ECS service to automatically roll back to the previous task definition if the deployment fails. Use the ECS service's deployment circuit breaker.
Answer: A

This allows automatic rollback based on health check failure, as the healthy task count will drop.

Why this answer

Option A is correct because it leverages CloudWatch alarms to monitor the health of the ECS service's new task set. When the alarm triggers due to insufficient healthy tasks, CodeDeploy can automatically initiate a rollback to the previous revision. This approach provides a proactive, health-based rollback mechanism that directly addresses the failure condition described (new task set not becoming healthy within timeout).

Exam trap

The trap here is that candidates confuse 'automatic rollback on deployment failure' (Option B) with 'health-based rollback via CloudWatch alarms' (Option A), not realizing that the former only triggers after the deployment times out, while the latter proactively rolls back during the health check phase.

How to eliminate wrong answers

Option B is wrong because enabling automatic rollback on deployment failure only triggers after the deployment has already failed (e.g., timeout exceeded), not when health checks fail during the deployment's lifecycle. Option C is wrong because increasing the timeout merely delays the failure detection; it does not implement a rollback mechanism. Option D is wrong because the ECS service's deployment circuit breaker rolls back the ECS service itself, but it does not integrate with CodeDeploy's Blue/Green deployment lifecycle or trigger a rollback of the CodePipeline pipeline stage.

1436
MCQ · hard

A developer is building a data processing pipeline that uses Amazon Kinesis Data Streams. The developer wants to ensure that records are processed in order within each shard. The consumer application runs on Amazon EC2 instances in an Auto Scaling group. What should the developer do to maintain ordering?

A. Use Amazon DynamoDB Streams to capture the order.
B. Use AWS Lambda as the consumer and set the batch size to 1.
C. Ensure that one consumer processes each shard exclusively.
D. Use the Kinesis Client Library (KCL) with multiple workers in the same consumer group.
Answer: C

Exclusive processing per shard ensures ordering within that shard.

Why this answer

Option C is correct because each shard's records carry a sequence number, and a single consumer can process them in order. Option D is wrong because multiple workers in a group can process different shards, but ordering within a shard is maintained only if one consumer handles that shard. Option A is wrong because DynamoDB Streams are for DynamoDB tables, not Kinesis.

Option B is wrong because Lambda consumes records in batches; ordering is preserved within a shard as long as there is only one concurrent invocation per shard, but the best practice is to have one consumer per shard.

1437
MCQ · hard

A developer is deploying a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party OIDC provider. The developer wants to minimize latency and avoid managing sessions. What is the BEST approach to achieve this?

A. Use Amazon Cognito User Pools with the OIDC identity provider and integrate with API Gateway.
B. Use Lambda@Edge to validate tokens at CloudFront edge locations.
C. Use Amazon Cognito Identity Pools with the OIDC provider.
D. Implement a custom Lambda authorizer in API Gateway to validate tokens.
Answer: A

User Pools can validate tokens and integrate with API Gateway.

Why this answer

Option A is correct because Cognito User Pools with an OIDC identity provider handle token-based authentication and integrate with API Gateway. Option B is wrong because Lambda@Edge is for CloudFront. Option C is wrong because Cognito Identity Pools issue AWS credentials; they do not perform OIDC user authentication.

Option D is wrong because a custom authorizer adds latency and management overhead.

1438
Multi-Select · hard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The application must authenticate users using a third-party OAuth 2.0 provider. Which THREE options can the developer use to integrate with the OAuth provider?

Select 3 answers
A. Use an API Gateway resource policy to allow only authenticated users.
B. Use a Lambda authorizer in API Gateway to validate the OAuth token.
C. Configure Amazon Cognito User Pools as an OAuth 2.0 provider and use its integration with API Gateway.
D. Use IAM authorization with a custom token service.
E. Implement token validation in a custom Lambda function that is invoked before processing the request.
Answers: B, C, E

A Lambda authorizer can call the OAuth provider.

Why this answer

An API Gateway Lambda authorizer can call the OAuth provider to validate tokens. Cognito User Pools can be configured as an OAuth 2.0 provider and integrated with API Gateway. A custom Lambda function can validate tokens directly.

An API Gateway resource policy is for IP whitelisting, not authentication. IAM authorization is for AWS credentials.

1439
Matching · medium

Match each AWS service to its category.


Pub/sub messaging

Queue-based messaging

Real-time streaming data

Event bus service

Managed message broker

Why these pairings

Messaging services are crucial for decoupling applications.

1440
Multi-Select · medium

A developer is building a serverless application using AWS Lambda functions that need to access an Amazon RDS database. Which of the following are best practices for managing database credentials? (Choose TWO.)

Select 2 answers
A. Use AWS Systems Manager Parameter Store to store encrypted credentials.
B. Use AWS Secrets Manager to store and rotate credentials.
C. Store the credentials as Lambda environment variables.
D. Hardcode the credentials in the Lambda function code.
E. Store the credentials in a file in the Lambda deployment package.
Answers: A, B

Parameter Store can store encrypted parameters securely.

Why this answer

Options A and B are correct because they provide secure storage and rotation of credentials. Option C is wrong because storing credentials in Lambda environment variables is not secure if the variables are visible in the console. Option D is wrong because hardcoding is never a best practice.

Option E is wrong because storing credentials in a file in the deployment package is insecure.

1441
MCQ · medium

The exhibit shows the output of invoking a Lambda function from the AWS CLI. The function returned a status code of 200 but included a FunctionError field set to 'Unhandled'. What does this indicate?

A. The function executed but threw an unhandled exception.
B. The function returned an error in the LogResult field.
C. The function timed out during execution.
D. The function was invoked but there was a network error.
Answer: A

Unhandled indicates an exception that was not caught.

Why this answer

Option A is correct because FunctionError: 'Unhandled' means the function threw an exception that was not caught by the code. Option C is wrong because the status code 200 indicates the invocation itself succeeded. Option B is wrong because LogResult contains base64-encoded logs, not an error.

Option D is wrong because the function ran but threw an error.

1442
MCQ · medium

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an Amazon API Gateway HTTP API and several AWS Lambda functions. The developer wants to implement a canary deployment for the API Gateway stage so that 10% of traffic is shifted to the new version for 30 minutes before the remaining 90% is shifted. Which SAM resource attribute should the developer configure on the API Gateway resource?

A. AutoPublishAlias
B. DeploymentPreference
C. ProvisionedConcurrencyConfig
D. EventInvokeConfig
Answer: B

DeploymentPreference with a Canary setting enables gradual traffic shifting for the API Gateway stage.

Why this answer

The `DeploymentPreference` attribute on an AWS::Serverless::Api resource in SAM enables canary deployments by allowing you to specify traffic-shifting patterns, such as `Canary10Percent30Minutes`. This shifts 10% of traffic to the new API Gateway stage for 30 minutes before rolling out the remaining 90%, exactly matching the requirement.

Exam trap

The trap here is that candidates confuse `AutoPublishAlias` (which manages Lambda versioning) with `DeploymentPreference` (which manages API Gateway stage traffic shifting), leading them to pick A when the question explicitly asks about API Gateway canary deployments.

How to eliminate wrong answers

Option A is wrong because `AutoPublishAlias` is used for Lambda functions to automatically publish a new version and update an alias, but it does not control API Gateway stage traffic shifting. Option C is wrong because `ProvisionedConcurrencyConfig` is for Lambda functions to pre-warm execution environments, not for API Gateway deployment strategies. Option D is wrong because `EventInvokeConfig` configures Lambda function invocation settings like retries and DLQ, not API Gateway canary deployments.

1443
MCQ · easy

A company has a DynamoDB table that stores personally identifiable information (PII). A developer needs to allow a Lambda function to read and write to this table. What is the MOST secure way to grant the Lambda function access?

A. Create an IAM role with a policy that allows DynamoDB read/write access and attach it to the Lambda function.
B. Use a resource-based policy on the DynamoDB table to allow the Lambda function's IAM role.
C. Create an IAM user with programmatic access and embed the credentials in the Lambda environment variables.
D. Have the Lambda function assume a role using AWS STS each time it runs.
Answer: A

IAM roles are the correct way to grant permissions to Lambda.

Why this answer

Option A is correct because an IAM role with an attached policy granting only the necessary permissions is the most secure approach and the recommended practice. Option C is wrong because IAM users and long-lived credentials should not be used for applications. Option B is wrong because resource-based policies on DynamoDB tables are not supported.

Option D is wrong because explicitly assuming a role via STS is unnecessary when the Lambda execution role already provides temporary credentials.

1444
MCQ · medium

Refer to the exhibit. A developer attempted to update a CloudFormation stack that includes an EC2 instance. The update failed and the stack is rolling back. The event shows that the EC2 instance update failed with reason 'Resource update cancelled: stack update cancelled'. What is the most likely cause of this failure?

A. A stack policy is preventing updates to the EC2 instance resource.
B. The IAM user does not have permission to update EC2 instances.
C. The template has a missing required parameter for the EC2 instance.
D. The EC2 instance is in a stopped state and cannot be updated.
Answer: A

Stack policies can prevent updates to specific resources, causing the update to be cancelled.

Why this answer

Option A is correct because the error 'Resource update cancelled: stack update cancelled' indicates that the stack update was cancelled, most likely because a stack policy denies updates to the EC2 instance. Option B is wrong because insufficient permissions would produce a different error. Option D is wrong because an instance in a stopped state would produce a different error.

Option C is wrong because a missing parameter would cause a validation error before the update starts.

1445
MCQ · hard

A company runs a data processing pipeline using AWS Step Functions. The pipeline starts with a task that reads a CSV file from Amazon S3 and then fans out to multiple parallel Lambda functions for data transformation. The final step aggregates the results and writes to an Amazon DynamoDB table. Recently, the pipeline has been failing intermittently with 'StateMachineExecutionLimitExceeded' errors. The development team has already increased the execution history limit to the maximum. The pipeline runs about 500 executions per day. Meanwhile, the operations team reports that some executions are timing out after 5 minutes, even though each Lambda function completes within 30 seconds. The Step Function definition uses a Map state with a max concurrency of 20. The developer needs to fix both issues. Which combination of actions should the developer take? (Choose the BEST option.)

A. Reduce the max concurrency of the Map state and increase the task execution timeout in the Step Function definition.
B. Split the pipeline into multiple smaller Step Functions and chain them together.
C. Increase the max concurrency of the Map state and add a retry policy.
D. Set a Lambda reserved concurrency for the transformation functions to 100.
Answer: A

Lower concurrency reduces parallel executions, preventing limit errors; increasing timeout prevents timeout errors.

Why this answer

Option A is correct because reducing max concurrency and increasing the task timeout addresses both the state machine execution limits and the timeouts. Option C is wrong because increasing Map concurrency would worsen throttling. Option B is wrong because splitting the pipeline into multiple state machines does not address the task timeouts.

Option D is wrong because Lambda reserved concurrency does not prevent state machine throttling.

1446
Multi-Select · hard

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is set to use a 'OneAtATime' deployment configuration. The developer wants to ensure that the deployment does not cause downtime. Which TWO configurations are necessary?

Select 2 answers
A. Set the 'IgnoreApplicationStopFailures' flag to true.
B. Configure a load balancer for the Auto Scaling group.
C. Use an 'AllAtOnce' deployment configuration.
D. Configure health checks on the load balancer.
E. Install the CodeDeploy agent on each instance.
Answers: B, D

A load balancer can drain connections and reroute traffic.

Why this answer

Options B and D are correct. A load balancer is necessary to route traffic away from instances while they are being updated. Health checks ensure that an instance is healthy before traffic is routed back to it.

Option C is wrong because 'AllAtOnce' would cause downtime. Option A is wrong because 'IgnoreApplicationStopFailures' ignores failures in the ApplicationStop lifecycle event, potentially causing issues. Option E is wrong because the CodeDeploy agent is required for any deployment to the instances; it does not by itself provide zero downtime.

1447
MCQ · hard

A developer is deploying a microservices architecture on Amazon ECS with Fargate. Each service needs to store sensitive configuration data such as database passwords. The developer wants to avoid hardcoding secrets in the application code. Which approach should the developer use?

A. Store the secrets in an Amazon S3 bucket and use a pre-signed URL to download them at startup.
B. Define the secrets as environment variables in the ECS task definition.
C. Encrypt the secrets using AWS KMS and store the encrypted blob in a configuration file within the Docker image.
D. Store the secrets in AWS Systems Manager Parameter Store or AWS Secrets Manager and reference them in the ECS task definition using the 'secrets' parameter.
Answer: D

This securely injects secrets at runtime.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store and AWS Secrets Manager store secrets securely and can be referenced from the ECS task definition, so the values are injected at runtime. Option B is wrong because plain environment variables in the task definition are visible in plaintext. Option A is wrong because S3 is not designed for secrets.

Option C is wrong because shipping the encrypted blob inside the image increases the attack surface.

1448
Matching · medium

Match each AWS CLI command to its function.


Copy objects to/from S3

Invoke a Lambda function

Insert an item into DynamoDB

Deploy a CloudFormation stack

List EC2 instances

Why these pairings

CLI commands are frequently used in development and deployment.

1449
MCQ · medium

A developer is troubleshooting an issue where an IAM user is unable to upload a file to an S3 bucket that uses server-side encryption with AWS KMS (SSE-KMS). The IAM policy shown in the exhibit is attached to the user. What is the likely cause of the failure?

A. The KMS key ARN in the resource statement is incorrect.
B. The user does not have s3:PutObject permission on the bucket.
C. The user does not have kms:Encrypt permission on the KMS key.
D. The user does not have access to the KMS key at all.
Answer: C

With SSE-KMS, s3:PutObject also requires kms:Encrypt on the key used for the upload. The policy in the exhibit grants only kms:Decrypt and kms:GenerateDataKey, which cover download and read, so the missing kms:Encrypt permission causes the failure.

Why this answer

The correct answer is C. The policy allows s3:PutObject but does not include kms:Encrypt, which is required for uploading objects with SSE-KMS. Option B is wrong because the policy does allow s3:PutObject.

Option A is wrong because the KMS key ARN is specified. Option D is wrong because the user does have some KMS permissions; the missing action is kms:Encrypt.

1450
MCQ · easy

An IAM policy is attached to an IAM user. The user attempts to upload an object to s3://my-bucket/confidential/report.pdf from an IP address 192.168.1.100. What will happen?

A.The upload succeeds because the Allow statement grants s3:PutObject on all objects in the bucket.
B.The upload fails because the Deny statement blocks the request.
C.The upload succeeds because the IP address 192.168.1.100 matches the condition.
D.The upload fails because the Deny statement does not have a condition.
AnswerB

The Deny statement explicitly denies access when the source IP is not in the specified range.

Why this answer

Option B is correct because the Deny statement explicitly denies s3:* actions on the confidential prefix when the source IP is not in 10.0.0.0/8. Since the user's IP (192.168.1.100) is not in that range, the Deny applies. Even though the Allow statement grants s3:PutObject, the explicit Deny overrides it.

Option A is wrong because the Allow statement is overridden by the explicit Deny. Option C is wrong because 192.168.1.100 is outside 10.0.0.0/8, so the condition causes the Deny to apply rather than to be skipped. Option D is wrong because the Deny statement does have an IP condition, and that condition is what is evaluated.

1451
MCQeasy

A developer is writing code to upload an object to an Amazon S3 bucket. The object is 200 MB in size. Which AWS SDK method should the developer use to perform this upload?

A.Enable S3 Transfer Acceleration and use the PutObject API.
B.Use the PutObject API operation.
C.Use the multipart upload API.
D.Use a pre-signed URL and upload using HTTP PUT.
AnswerC

Multipart upload is recommended for objects larger than 100 MB.

Why this answer

Option C is correct because the multipart upload API is designed for objects over 100 MB. Option B is wrong because a single PutObject call can handle objects up to 5 GB but is recommended only for smaller objects. Option D is wrong because pre-signed URLs are for granting temporary access, not for uploading large objects efficiently.

Option A is wrong because S3 Transfer Acceleration speeds up uploads over long distances but does not change the API method needed.

1452
MCQmedium

A company has an S3 bucket that stores sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. Additionally, they want to enforce that objects are not uploaded without encryption. Which bucket policy should be used?

A.Deny s3:PutObject if the request includes x-amz-server-side-encryption
B.Deny s3:PutObject unless the request includes x-amz-server-side-encryption with value aws:kms
C.Allow s3:PutObject only if the request uses a specific KMS key
D.Deny s3:PutObject unless the request includes x-amz-server-side-encryption with value AES256
AnswerB

This enforces SSE-KMS for all uploads.

Why this answer

Option B is correct because it uses a Deny effect with a condition that checks for the presence and value of the `x-amz-server-side-encryption` header. This policy explicitly denies any `s3:PutObject` request that does NOT include `x-amz-server-side-encryption` with the value `aws:kms`, thereby enforcing server-side encryption with AWS KMS (SSE-KMS) on all uploads.

Exam trap

The trap here is that candidates often confuse the encryption header values (`aws:kms` vs `AES256`) or mistakenly think that an Allow statement alone can enforce encryption, when in fact a Deny statement with a condition is required to block non-compliant requests.

How to eliminate wrong answers

Option A is wrong because it denies `s3:PutObject` if the request includes the `x-amz-server-side-encryption` header, which would block all encrypted uploads, not enforce them. Option C is wrong because it only allows `s3:PutObject` if a specific KMS key is used, but it does not enforce that encryption is present at all; a request without encryption could still be allowed if no explicit Deny is present. Option D is wrong because it enforces SSE-S3 (AES256) rather than SSE-KMS (aws:kms), which does not meet the requirement for server-side encryption with AWS KMS.
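As an added illustration of the evaluation logic behind questions 1450 and 1452 (this is example code, not part of the question bank or its exhibits), the following Python implements a small subset of IAM policy evaluation: an explicit Deny overrides any Allow, and negated operators such as StringNotEquals also match when the header is absent, which is why a single Deny statement blocks both unencrypted and SSE-S3 uploads. The policies, bucket name, object keys and IP addresses are constructed samples.

```python
"""Minimal IAM-style policy evaluator (constructed example, not an AWS library)."""
import fnmatch
import ipaddress

# Constructed identity policy for question 1450: Allow PutObject anywhere in the
# bucket, but Deny everything under confidential/ unless the caller is in 10.0.0.0/8.
IP_RESTRICTED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/confidential/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    ],
}

# Constructed bucket policy for question 1452 (option B): Deny PutObject unless the
# request carries x-amz-server-side-encryption: aws:kms.
SSE_KMS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' matches any run of characters (including '/'), '?' one."""
    if fold_case:  # action names are case-insensitive; ARNs are not
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _in_any_network(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, context):
    """Every (operator, key) pair must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            values = _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in values
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is missing, so an
                # upload with no encryption header is also caught by the Deny.
                ok = actual is None or actual not in values
            elif operator == "IpAddress":
                ok = actual is not None and _in_any_network(actual, values)
            elif operator == "NotIpAddress":
                ok = actual is None or not _in_any_network(actual, values)
            elif operator == "Null":
                ok = (actual is None) == (str(values[0]).lower() == "true")
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Core algorithm: implicit deny by default, any matching explicit Deny wins,
    otherwise a matching Allow grants access. Returns 'Allow' or 'Deny'."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"


def upload_decision(source_ip, key):
    """Question 1450: does the identity policy let this caller upload this key?"""
    return evaluate([IP_RESTRICTED_USER_POLICY], "s3:PutObject",
                    f"arn:aws:s3:::my-bucket/{key}", {"aws:SourceIp": source_ip})


def sse_decision(sse_header):
    """Question 1452: identity policy plus bucket policy, varying the encryption header."""
    context = {"aws:SourceIp": "10.1.2.3"}
    if sse_header is not None:
        context["s3:x-amz-server-side-encryption"] = sse_header
    return evaluate([IP_RESTRICTED_USER_POLICY, SSE_KMS_BUCKET_POLICY], "s3:PutObject",
                    "arn:aws:s3:::my-bucket/public/file.txt", context)
```

The value seen as aws:SourceIp is whatever address the service observes for the request, which is the point made again in question 1469.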

1453
Multi-Selectmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application is experiencing high latency. Which TWO steps should the developer take to troubleshoot and optimize the application?

Select 2 answers
A.Configure an Amazon RDS read replica.
B.Enable AWS X-Ray integration and analyze service maps.
C.Enable enhanced health reporting and review the environment health metrics.
D.Increase the instance type to a larger size.
E.Deploy the application to a different AWS region.
AnswersB, C

Identifies bottlenecks in the application.

Why this answer

Option C is correct because enabling enhanced health reporting provides detailed environment health metrics. Option B is correct because enabling X-Ray integration provides tracing that identifies bottlenecks. Option E is wrong because deploying to a different region might not help latency for existing users.

Option D is wrong because increasing the instance size could help but is not a troubleshooting step. Option A is wrong because RDS is not involved.

1454
MCQhard

A company uses AWS CloudFormation to deploy resources. The templates are stored in an S3 bucket. A developer wants to ensure that only authorized users can create stacks from these templates. What should be implemented?

A.Use IAM policies to control who can call CreateStack and add S3 bucket policies to restrict template access.
B.Use a stack policy to restrict updates.
C.Enable CloudTrail to log template access.
D.Set the S3 bucket to private and rely on bucket policies.
AnswerA

Combines IAM and S3 policies for defense in depth.

Why this answer

Option A is correct because it combines two layers of access control: IAM policies restrict the ability to call the CreateStack API action, and S3 bucket policies restrict access to the template objects stored in S3. This ensures that even if a user has IAM permissions to create stacks, they cannot retrieve or use the template unless the S3 bucket policy also grants them access. Without both controls, an unauthorized user could bypass IAM by directly accessing the template URL or using a different AWS account.

Exam trap

The trap here is that candidates often assume S3 bucket policies alone are sufficient for access control, forgetting that IAM policies are required to authorize the CreateStack API call itself.

How to eliminate wrong answers

Option B is wrong because stack policies control updates to stack resources after creation, not who can create stacks from templates. Option C is wrong because CloudTrail logs API calls for auditing but does not enforce any access control or authorization. Option D is wrong because setting the S3 bucket to private and relying solely on bucket policies does not prevent an authorized S3 user from creating a stack with the template; it also fails to control the CreateStack API call itself, which is governed by IAM.

1455
MCQmedium

A developer is troubleshooting an AWS Lambda function that processes records from an Amazon Kinesis Data Stream. The function is configured with a batch size of 100 and a parallelization factor of 1. The iterator age metric is increasing, and CloudWatch Logs show the function execution time is around 4 minutes (timeout is 5 minutes). The stream has 10 shards. What is the most cost-effective way to increase processing throughput?

A.Increase the batch size to 500
B.Increase the number of shards
C.Increase the timeout to 10 minutes
D.Increase the parallelization factor per shard
AnswerD

Increasing the parallelization factor allows the function to process multiple batches from the same shard concurrently, improving throughput without additional cost from more shards.

Why this answer

Increasing the parallelization factor per shard (option D) allows each shard to be processed by multiple Lambda instances concurrently, which directly increases throughput without requiring additional shards or changes to the stream. Since the function is not hitting the 5-minute timeout but is taking ~4 minutes per batch, the bottleneck is processing concurrency per shard, not batch size or execution duration. This is the most cost-effective solution because it uses existing shards and avoids the cost of additional shards or unnecessary timeout increases.

Exam trap

The trap here is that candidates often assume increasing batch size (option A) is the natural fix for slow processing, but they overlook that the function is already near its timeout limit, making a larger batch size impractical without also increasing the timeout.

How to eliminate wrong answers

Option A is wrong because increasing the batch size to 500 would likely cause the function to exceed the 5-minute timeout (since it already takes ~4 minutes for 100 records), leading to throttling and failed processing. Option B is wrong because increasing the number of shards incurs additional costs and is not the most cost-effective approach; the current 10 shards are underutilized due to the parallelization factor of 1. Option C is wrong because the function is not timing out (it completes in ~4 minutes with a 5-minute timeout), so increasing the timeout does not address the throughput bottleneck and only delays potential failures.

1456
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The development team wants to update a stack that includes an Amazon RDS database. The update requires changing the DB instance class, which will cause a brief downtime. The team wants to minimize downtime by creating a new database instance before deleting the old one. Which CloudFormation stack update policy should be used?

A.Use a 'DeletionPolicy' attribute set to 'Delete' for the RDS instance.
B.Use a 'DeletionPolicy' attribute set to 'Snapshot' for the RDS instance.
C.Use an 'UpdatePolicy' attribute with 'UseOnlineResharding' set to true.
D.Use an 'UpdatePolicy' attribute with 'AutoScalingReplacingUpdate' set to true.
AnswerD

For resources that support replacement updates, this policy creates a new resource before deleting the old one, minimizing downtime.

Why this answer

Option D is correct because the 'AutoScalingReplacingUpdate' update policy directs CloudFormation to create a new resource (in this case, an RDS DB instance) before deleting the old one, enabling a rolling replacement that minimizes downtime. This policy is specifically designed for resources that support replacement updates, allowing the new instance to be provisioned and traffic shifted before the old instance is terminated.

Exam trap

The trap here is that candidates confuse 'DeletionPolicy' (which only governs deletion behavior) with update policies, or mistakenly apply ElastiCache-specific policies like 'UseOnlineResharding' to RDS, not realizing that 'AutoScalingReplacingUpdate' is the correct mechanism for replacing resources during a CloudFormation stack update.

How to eliminate wrong answers

Option A is wrong because 'DeletionPolicy' with 'Delete' only controls what happens when a resource is deleted (e.g., during stack deletion), not how updates are performed; it does not create a new instance before deleting the old one. Option B is wrong because 'DeletionPolicy' with 'Snapshot' takes a final snapshot before deletion but still does not orchestrate a rolling replacement to minimize downtime during an update. Option C is wrong because 'UseOnlineResharding' is a policy for Amazon ElastiCache (Redis) clusters to reshard without downtime, not for RDS DB instance class changes.

1457
Multi-Selectmedium

A developer is troubleshooting an AWS Lambda function that is timing out. The function has a timeout of 5 seconds and is configured with 128 MB of memory. Which TWO of the following are effective ways to resolve the timeout?

Select 2 answers
A.Increase the memory allocation to 512 MB.
B.Decrease the memory allocation to 64 MB.
C.Deploy the function inside a VPC.
D.Optimize the function code to reduce execution time.
E.Increase the function timeout to 10 seconds.
AnswersA, D

More memory can improve performance and reduce execution time.

Why this answer

Option A is correct because increasing memory also increases the CPU allocated to the function, which can improve performance. Option D is correct because optimizing the code can reduce execution time. Option E is wrong because increasing the timeout alone may not solve the root cause.

Option B is wrong because decreasing memory also reduces CPU, which makes the function slower rather than faster. Option C is wrong because deploying in a VPC adds latency due to ENI creation.

1458
MCQhard

A company is migrating a monolithic application to microservices on AWS. They want to use a blue/green deployment strategy for a new version of a service running on Amazon ECS with Fargate. The service is behind an Application Load Balancer. Which combination of actions should be taken to implement blue/green deployment with minimal downtime? (Choose the correct answer.)

A.Create a second ALB pointing to the new service, then update DNS to switch traffic.
B.Use AWS CodeDeploy to orchestrate a blue/green deployment by creating a new task set and shifting traffic.
C.Update the existing ECS service with the new task definition and allow rolling update.
D.Manually create a new target group with the new service and update the ALB listener rule.
AnswerB

CodeDeploy automates blue/green deployments on ECS with minimal downtime.

Why this answer

Option B is correct because AWS CodeDeploy supports blue/green deployments on ECS, creating a new task set and shifting traffic. Option C is wrong because updating the existing service directly causes downtime. Option A is wrong because a second ALB is unnecessary and adds complexity.

Option D is wrong because manually updating target groups is error-prone and not automated.

1459
MCQhard

A developer is using AWS X-Ray to trace requests through a microservices application. The application consists of several AWS Lambda functions that call each other and Amazon DynamoDB. The developer notices that some traces are incomplete and missing segments for downstream calls. What is the MOST likely cause?

A.The downstream DynamoDB table does not have X-Ray tracing enabled.
B.The Lambda functions do not have the X-Ray SDK imported.
C.The X-Ray daemon is not running on the Lambda execution environment.
D.The X-Ray sampling rate is set too low.
AnswerA

X-Ray tracing must be enabled on DynamoDB to capture segments.

Why this answer

Option A is correct because X-Ray tracing must be enabled on downstream resources to record their segments. Option D is wrong because the sampling rate affects the number of traces, not the completeness of each trace. Option B is wrong because the X-Ray SDK is required on Lambda.

Option C is wrong because the X-Ray daemon is needed on EC2, but Lambda uses the X-Ray SDK.

1460
MCQmedium

A developer is using Amazon API Gateway with a Lambda authorizer to control access to an API. The authorizer function needs to decode a JWT token from the request header and return an IAM policy. Which type of Lambda authorizer should be used?

A.TOKEN authorizer with the token passed in the Authorization header.
B.REQUEST authorizer with the token in a custom header.
C.Use Amazon Cognito User Pools as the authorizer.
D.Use a resource policy to allow or deny access based on the JWT token.
AnswerA

A TOKEN authorizer is the simplest and most appropriate choice for JWT token validation. It receives the token as a string and returns a policy. This matches the requirement.

Why this answer

A TOKEN authorizer is designed to receive a JWT or OAuth token in the Authorization header and pass it directly to the Lambda function for validation. The Lambda function then decodes the token and returns an IAM policy document to allow or deny the API request. This is the correct choice because the question explicitly states the token is in the request header and needs to be decoded, which matches the TOKEN authorizer's behavior of forwarding the raw token value.

Exam trap

The trap here is that candidates confuse the TOKEN authorizer (which passes only the token) with the REQUEST authorizer (which passes the full request), assuming that decoding a JWT requires access to other request parameters, when in fact the token alone is sufficient for validation.

How to eliminate wrong answers

Option B is wrong because a REQUEST authorizer passes the entire request context (headers, query parameters, path parameters) to the Lambda function, which is unnecessary overhead when only the JWT token from a header is needed; it also requires more complex parsing logic. Option C is wrong because Amazon Cognito User Pools are a managed identity service that handles JWT verification natively, not a Lambda authorizer; using them would bypass the requirement for a custom Lambda function to decode the token. Option D is wrong because resource policies control access based on IP addresses, VPCs, or AWS accounts, not on the contents of a JWT token; they cannot decode or validate token claims.
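As an added example (not code from the question bank), the following Python shows what a TOKEN authorizer handler does for the scenario in question 1460: it takes the raw token from `authorizationToken`, verifies the JWT signature and expiry, and returns an IAM policy document scoped to the API stage in `methodArn`. The HS256 shared secret, claims and ARN are constructed placeholders; a real deployment would fetch the secret from a secrets store and usually verify RS256 tokens against the issuer's public keys.

```python
"""TOKEN Lambda authorizer for API Gateway (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret for HS256 verification; never hard-code a real one.
SHARED_SECRET = b"constructed-demo-secret"


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims, secret):
    """Build an HS256 JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token, secret, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # reject alg=none and algorithm-confusion attempts
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None):
    """Allow or Deny every method in the stage named by the methodArn
    (arn:aws:execute-api:region:account:api-id/stage/VERB/path)."""
    api_part, stage = method_arn.split("/")[:2]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": f"{api_part}/{stage}/*"}],
        },
        "context": context or {},
    }


def authorize(authorization_header, method_arn, secret=SHARED_SECRET, now=None):
    """Core decision: strip the Bearer prefix, verify, and return a policy or None."""
    token = authorization_header.split(" ", 1)[1] if " " in authorization_header else authorization_header
    claims = verify_hs256(token, secret, now)
    if claims is None or "sub" not in claims:
        return None
    # Only pass string-valued claims downstream; API Gateway context values must be scalars.
    ctx = {k: str(v) for k, v in claims.items() if k != "exp"}
    return build_policy(claims["sub"], "Allow", method_arn, ctx)


def handler(event, _context):
    """Lambda entry point for a TOKEN authorizer event."""
    policy = authorize(event.get("authorizationToken", ""), event["methodArn"])
    if policy is None:
        # API Gateway maps this exact message to an HTTP 401 response.
        raise Exception("Unauthorized")
    return policy
```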

1461
MCQhard

A company uses AWS Secrets Manager to store database credentials. The credentials must be automatically rotated every 30 days. The developer needs to configure rotation without exposing the secret to any IAM user directly. Which configuration steps should the developer take?

A.Enable automatic rotation and choose a rotation interval of 30 days. Secrets Manager will automatically rotate the secret using a built-in Lambda function.
B.Create a Lambda function with rotation logic, attach an IAM role with permissions to read and update the secret, and configure Secrets Manager to invoke the function every 30 days.
C.Use AWS Certificate Manager (ACM) to rotate the secret automatically every 30 days.
D.Store the secret in AWS Systems Manager Parameter Store and set a schedule to rotate it using a CloudWatch Events rule.
AnswerB

This is the correct approach. The Lambda function handles the rotation, and the execution role must have 'secretsmanager:GetSecretValue' and 'secretsmanager:PutSecretValue' permissions for the specific secret.

Why this answer

Option B is correct because AWS Secrets Manager does not provide a built-in Lambda function for rotating database credentials; you must create your own Lambda function that contains the rotation logic (e.g., querying the database, creating a new credential, and updating the secret). The Lambda function must be attached to an IAM role with permissions to read and update the secret, and Secrets Manager invokes this function based on the rotation schedule (every 30 days). This ensures the secret is never exposed directly to any IAM user, as only the Lambda function interacts with the secret programmatically.

Exam trap

The trap here is that candidates assume Secrets Manager provides a built-in Lambda function for all secret types, but in reality, you must create your own Lambda function for database credentials, while only AWS-managed secrets (like RDS) have pre-built rotation templates.

How to eliminate wrong answers

Option A is wrong because Secrets Manager does not include a built-in Lambda function for rotating secrets; you must provide your own custom Lambda function with the rotation logic. Option C is wrong because AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates, not for rotating database credentials stored in Secrets Manager. Option D is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it is a simple key-value store without built-in rotation capabilities, and using a CloudWatch Events rule would require custom scripting and does not integrate with Secrets Manager's native rotation features.

1462
MCQhard

A company is deploying a containerized application on Amazon ECS using Fargate launch type. The application consists of multiple microservices, each deployed as a separate ECS service. The company uses AWS CodePipeline to automate deployments. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (ECS). Recently, a deployment failed because the new task definition referenced an environment variable that was not available in the Parameter Store. The developer wants to prevent such failures in the future by validating the task definition before deployment. The developer has access to the AWS CLI and the AWS SDKs. The pipeline is configured to use CodeBuild for the build stage. What is the MOST efficient way to validate the task definition before deployment?

A.Add a step in the CodeBuild buildspec that runs 'aws ecs register-task-definition --cli-input-json file://taskdef.json --no-cli-pager --dry-run' to validate the task definition.
B.Add a step in the CodeBuild buildspec that runs 'aws ecs update-service --service my-service --task-definition <task-def-arn>' to see if the service accepts the task definition.
C.Add a step in the CodeBuild buildspec that runs 'aws ecs run-task --task-definition <task-def-arn> --count 1' to test the task definition.
D.Add a step in the CodeBuild buildspec that runs 'aws ecs describe-task-definition --task-definition <task-def-arn>' to check if the task definition exists.
AnswerA

The --dry-run flag validates the input without actually registering the task definition.

Why this answer

Option A is correct because using the 'aws ecs register-task-definition --cli-input-json' command with the '--no-cli-pager' and '--dry-run' flags will validate the task definition without actually registering it. This command checks for syntax errors and missing references, including Parameter Store parameters. Option D is incorrect because the 'aws ecs describe-task-definition' command only retrieves existing task definitions; it does not validate new ones.

Option C is incorrect because the 'aws ecs run-task' command will actually try to run the task, which could incur costs and may fail at runtime. Option B is incorrect because the 'aws ecs update-service' command updates a service; it does not validate a task definition.

1463
MCQhard

A developer is running an AWS Lambda function that is triggered by Amazon S3 events. The function writes processed data to an Amazon DynamoDB table. Over time, the function's execution time has increased significantly. CloudWatch Logs show many DynamoDBProvisionedThroughputExceededException errors. The table is configured with 5 read capacity units (RCUs) and 5 write capacity units (WCUs). The function performs both reads and writes. Which optimization will MOST effectively reduce throttling errors while maintaining performance?

A.Increase the RCUs and WCUs of the table to 50 each
B.Switch the DynamoDB table to on-demand capacity mode
C.Implement a DynamoDB Accelerator (DAX) cluster for caching reads
D.Increase Lambda function memory to 1024 MB
AnswerB

On-demand mode automatically scales read and write capacity based on traffic. This eliminates throttling caused by insufficient provisioned capacity and requires no capacity planning.

Why this answer

The DynamoDBProvisionedThroughputExceededException errors indicate that the Lambda function is exceeding the provisioned write capacity of 5 WCUs. Switching to on-demand capacity mode eliminates the need to manage throughput, automatically scaling to handle the workload without throttling. This directly resolves the root cause—capacity exhaustion—without requiring manual adjustments or architectural changes.

Exam trap

The trap here is that candidates often confuse read throttling with write throttling and reach for DAX (a read cache) or assume that increasing Lambda resources will solve database-level throughput issues, when the real fix is to match the database capacity mode to the workload pattern.

How to eliminate wrong answers

Option A is wrong because simply increasing RCUs and WCUs to 50 is a manual, reactive fix that does not address the root cause of unpredictable traffic patterns; it may still lead to throttling if the workload spikes beyond the new limit, and it incurs unnecessary cost if the average usage is lower. Option C is wrong because DAX caches reads only, but the errors are DynamoDBProvisionedThroughputExceededException, which primarily affects writes (the function writes processed data); caching reads does not reduce write throttling. Option D is wrong because increasing Lambda memory only increases CPU and network throughput, not DynamoDB capacity; it does not resolve the throttling errors caused by exceeding the table's write capacity.

1464
MCQeasy

A developer is building a serverless application using AWS Lambda. The function needs to access a DynamoDB table and write logs to Amazon CloudWatch. What is the minimum set of IAM permissions the Lambda execution role must have?

A.dynamodb:PutItem, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents
B.logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents
C.dynamodb:*, logs:PutLogEvents
D.dynamodb:GetItem, dynamodb:PutItem, logs:PutLogEvents
AnswerA

Provides exactly the needed permissions.

Why this answer

Option A is correct because the Lambda execution role must allow logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents for CloudWatch, and dynamodb:PutItem for DynamoDB. Option D is wrong because it includes an unnecessary DynamoDB read permission. Option C is wrong because it includes dynamodb:*, which is too broad.

Option B is wrong because it lacks DynamoDB write permission.

1465
Multi-Selectmedium

A developer is designing a serverless application that uses Amazon API Gateway and AWS Lambda. The API receives a high volume of requests, and the developer needs to cache responses to reduce latency and cost. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A.Use DynamoDB Accelerator (DAX) to cache Lambda responses.
B.Use ElastiCache for Redis to store frequently accessed responses.
C.Use Amazon CloudFront in front of API Gateway to cache responses.
D.Enable API Gateway caching and set a TTL for the cache.
E.Configure the Lambda function to return cache-control headers in the response.
AnswersD, E

API Gateway caching stores responses and reduces Lambda invocations.

Why this answer

Option D is correct because enabling caching in API Gateway will cache responses for a specified TTL. Option E is correct because Lambda can return cache-control headers to instruct API Gateway to cache the response. Option C is wrong because CloudFront caches content at the edge, whereas API Gateway caching is separate and more direct.

Option A is wrong because DynamoDB Accelerator is for database caching, not API responses. Option B is wrong because ElastiCache is not integrated with API Gateway for response caching.

1466
MCQeasy

A developer is using Amazon S3 to host a static website. The website returns 403 Forbidden errors. The bucket policy allows public read access. What is the most likely cause?

A.The bucket's 'Block public access' settings are enabled.
B.The bucket has an ACL that denies read access.
C.The bucket policy does not include the 's3:GetObject' action.
D.The bucket policy is not correctly attached to the bucket.
AnswerA

Block public access settings override bucket policies.

Why this answer

The most likely cause is that the bucket's 'Block public access' settings are enabled. Even if the bucket policy explicitly grants public read access, S3's Block Public Access settings act as an overarching security override that denies all public requests, resulting in a 403 Forbidden error. These settings are enabled by default for new buckets and can be applied at the account or bucket level, making them a common pitfall.

Exam trap

The trap here is that candidates often focus on the bucket policy syntax or ACLs, overlooking the fact that S3's Block Public Access settings can silently override all public permissions, even when the policy is perfectly written.

How to eliminate wrong answers

Option B is wrong because if an ACL denies read access, it would conflict with the bucket policy, but the question states the bucket policy allows public read access, and S3 evaluates both ACLs and policies; however, Block Public Access settings are a more common and immediate cause. Option C is wrong because the bucket policy is stated to allow public read access, which implicitly includes the 's3:GetObject' action; if it were missing, the error would be Access Denied, but the policy is correctly configured per the question. Option D is wrong because if the bucket policy were not correctly attached, the bucket would not have any policy to evaluate, leading to default private access (403), but the question explicitly says the policy allows public read access, implying it is attached; the issue is the Block Public Access override.

1467
Multi-Selectmedium

Which THREE steps should a developer include in a CI/CD pipeline to deploy a serverless application using AWS SAM? (Choose three.)

Select 3 answers
A.Run 'sam build' to prepare the application
B.Manually configure API Gateway stages
C.Run 'sam deploy' to create or update the CloudFormation stack
D.Run 'aws lambda update-alias' to shift traffic
E.Run 'sam package' to upload artifacts to S3
AnswersA, C, E

sam build compiles and prepares artifacts.

Why this answer

A typical SAM CI/CD pipeline includes building the app (A), packaging and uploading artifacts to S3 (E), and deploying the CloudFormation stack (C). Option D (update alias) is not a standard step. Option B (manually configure API Gateway stages) is handled as part of the deployment, not as a separate manual step.

1468
MCQmedium

Refer to the exhibit. A developer runs the AWS CLI command for an EC2 instance. The instance is in the 'running' state, but the application hosted on it is not reachable. What should the developer check first?

A.Check the security group rules for inbound traffic.
B.Check the ELB health check settings.
C.Check the instance status checks in the EC2 console.
D.Verify the instance ID is correct.
AnswerA

Security groups control inbound traffic; missing rules can block access.

Why this answer

The application is unreachable despite the EC2 instance being in the 'running' state, which indicates the OS and instance services are operational. The most common cause for this scenario is that the security group's inbound rules are not allowing traffic on the application's port (e.g., HTTP/HTTPS on port 80/443). Security groups act as a virtual firewall at the instance level, and unless an inbound rule explicitly permits the traffic, it will be silently dropped, making the application unreachable.

Exam trap

The trap here is that candidates assume a 'running' instance means the application should be reachable, overlooking that security groups control network access independently of the instance's operational state.

How to eliminate wrong answers

Option B is wrong because ELB health check settings are only relevant if the instance is behind an Elastic Load Balancer, and the question does not mention an ELB; even if it were, the health check would fail due to the same security group issue, making it a secondary check. Option C is wrong because instance status checks verify the OS and hypervisor health (e.g., system reachability), and since the instance is 'running' and the application is unreachable, the issue is likely at the network layer, not the instance's operational status. Option D is wrong because verifying the instance ID is a basic validation step that would have been done before running the CLI command; if the ID were incorrect, the CLI command would have failed with an error, not left the instance running but unreachable.

1469
MCQmedium

A developer attached the IAM policy above to an IAM role used by an EC2 instance. The instance is in a VPC with CIDR 10.0.0.0/16, but it cannot access objects in the S3 bucket 'example-bucket'. What is the MOST likely reason?

A.The condition should use 'aws:VpcSourceIp' instead of 'aws:SourceIp'.
B.The policy does not allow 's3:ListBucket' action.
C.The IAM role does not have a trust policy.
D.The S3 bucket is in a different region than the EC2 instance.
AnswerA

For requests from a VPC endpoint, use VpcSourceIp. For direct requests, the source IP is the public IP, not private.

Why this answer

The condition uses 'aws:SourceIp', but EC2 instances in a VPC have private IPs. For S3, the source IP that AWS sees is the public IP (if traffic goes through internet gateway) or the VPC endpoint's private IP. If the bucket policy uses 'aws:SourceIp', it compares against the source IP of the request, which for EC2 instances without a VPC endpoint is the instance's public IP (if any) or the NAT gateway's IP, not the private IP.

The condition should use 'aws:VpcSourceIp' if using a VPC endpoint, or the policy should not rely on source IP from private ranges.

1470
MCQmedium

A developer attached the IAM policy above to an IAM user. What is the effect when the user tries to download an object from the 'confidential' folder in 'example-bucket'?

A.The policy is invalid because Deny cannot be used with s3:*
B.The user can download only if the object is encrypted
C.The user is denied access because of the explicit Deny statement
D.The user can download the object because of the Allow statement
AnswerC

The Deny statement covers s3:* on the confidential folder, blocking the GetObject request.

Why this answer

The policy has an explicit Deny for all s3 actions on the confidential folder. Explicit Deny overrides any Allow. Therefore, the user will be denied access even though the first statement allows GetObject on all objects.

1471
MCQeasy

A developer wants to store application logs in Amazon S3 with automatic transition to Glacier after 30 days and deletion after 365 days. Which S3 feature should be used?

A.S3 Lifecycle configuration
B.S3 Object Lock
C.S3 Replication
D.S3 Event Notifications
AnswerA

Lifecycle policies manage transitions and expirations.

Why this answer

S3 Lifecycle policies automate transitioning objects between storage classes and expiring them. Option A is correct.

1472
MCQhard

An organization uses AWS CodeBuild to run tests for a Node.js application. The build environment is Linux. The buildspec.yml includes a pre_build phase that runs 'npm install'. Occasionally, the build fails with an error 'npm ERR! code EINTEGRITY'. The developer wants to resolve this issue without compromising security. Which action should be taken?

A.Create a separate CodeBuild project to run npm install.
B.Add 'npm cache verify' to the pre_build phase before 'npm install'.
C.Add 'npm config set registry http://registry.npmjs.org/' to use HTTP.
D.Use 'npm install --prefer-offline' to avoid fetching from registry.
AnswerB

This verifies and cleans the cache, resolving integrity issues.

Why this answer

Option B is correct because adding 'npm cache verify' before 'npm install' can fix integrity errors by verifying and cleaning the cache. Option C is wrong because switching the registry to plain HTTP weakens the integrity guarantees and reduces security. Option D is wrong because 'npm install --prefer-offline' still uses the cache and may still hit integrity issues.

Option A is wrong because using a separate CodeBuild project does not solve the integrity problem.

1473
Multi-Selectmedium

An application running on Amazon ECS with Fargate is experiencing intermittent failures when connecting to an Amazon RDS database. The security group for the RDS instance allows inbound traffic from the security group attached to the ECS tasks. Which TWO additional checks should the developer perform to troubleshoot the connectivity issue?

Select 2 answers
A.Enable VPC Flow Logs to capture dropped packets.
B.Check that the database credentials are correctly stored in AWS Secrets Manager.
C.Verify that the security group for the RDS instance has an inbound rule allowing traffic from the security group used by the ECS tasks.
D.Check the network ACLs for the subnets to ensure they allow inbound and outbound traffic on ephemeral ports.
E.Ensure that the ECS tasks have a route to the internet through an Internet Gateway.
AnswersC, D

The security group rule must reference the correct source security group.

Why this answer

Options C and D are correct. Option C: The RDS security group must allow inbound traffic from the ECS task security group; this is already stated, but verifying the exact configuration (the correct source security group is referenced) is important. Option D: The network ACLs for the subnets must allow ephemeral ports for the response traffic, since NACLs are stateless.

Option E is wrong because the ECS tasks are in a private subnet, so an Internet Gateway is not used for RDS connectivity. Option B is wrong because the database credentials are not related to network connectivity. Option A is wrong because VPC Flow Logs are useful for analyzing traffic but are not a first check; the question asks for additional checks after the security group.

1474
MCQhard

A company runs a serverless application using AWS Lambda and Amazon API Gateway. The application experiences intermittent 502 Bad Gateway errors. The Lambda function logs show no errors. What is the most likely cause?

A.The Lambda function execution time exceeds API Gateway's 29-second timeout.
B.The API Gateway account-level throttling limit is exceeded.
C.The Lambda function is throwing unhandled exceptions.
D.The API Gateway request payload exceeds 10 MB.
AnswerA

API Gateway has a 29-second integration timeout; exceeding it causes 502 errors.

Why this answer

The most likely cause is that the Lambda function execution time exceeds API Gateway's 29-second timeout. API Gateway has a hard limit of 29 seconds for integration responses, and if the Lambda function takes longer, API Gateway returns a 502 Bad Gateway error. Since the Lambda logs show no errors, the function is running successfully but timing out at the API Gateway level, not failing within Lambda itself.

Exam trap

The trap here is that candidates assume 502 errors always indicate Lambda function failures, but API Gateway's 29-second timeout is a separate, often overlooked limit that causes 502 errors even when the Lambda function runs successfully.

How to eliminate wrong answers

Option B is wrong because exceeding API Gateway account-level throttling limits results in 429 Too Many Requests errors, not 502 Bad Gateway errors. Option C is wrong because unhandled exceptions in Lambda would produce error logs in CloudWatch and typically result in 500 Internal Server Error or 502 errors with logged exceptions, but the question states logs show no errors. Option D is wrong because API Gateway has a 10 MB payload limit, but exceeding it would return a 413 Request Entity Too Large error, not a 502 Bad Gateway error.

1475
MCQmedium

A team uses AWS Elastic Beanstalk to deploy a web application. The application experiences intermittent high latency. The team notices that the environment's Auto Scaling group is not scaling out quickly enough. Which configuration change should the team make to improve scaling responsiveness?

A.Modify the Elastic Load Balancer health check path to a lighter endpoint
B.Enable detailed CloudWatch metrics for the Auto Scaling group
C.Increase the instance type to a larger size
D.Decrease the Auto Scaling group's cooldown period
AnswerD

Lower cooldown allows faster scaling.

Why this answer

Option D is correct because lowering the Auto Scaling cooldown period allows the group to start new instances sooner after a scaling activity. Option A is incorrect because adjusting the health check path affects routing, not scaling speed. Option C is incorrect because increasing instance size does not improve scaling responsiveness.

Option B is incorrect because pushing metrics more frequently to CloudWatch can help but does not directly reduce the cooldown.

1476
MCQmedium

A developer is creating a Lambda function that requires access to a DynamoDB table. The function will be invoked by an Amazon API Gateway REST API. What is the BEST way to secure this architecture?

A.Create an IAM role for the Lambda function with a policy granting access to the DynamoDB table.
B.Attach a resource-based policy to the DynamoDB table allowing Lambda access.
C.Use API Gateway to pass a shared secret to Lambda for DynamoDB access.
D.Store the DynamoDB access keys in the Lambda environment variables.
AnswerA

This is the secure and recommended approach.

Why this answer

Option A is correct because the Lambda function needs an execution role—an IAM role that Lambda assumes at runtime—with a policy that grants the specific DynamoDB actions (e.g., GetItem, PutItem) on the target table. This follows the principle of least privilege and is the standard AWS pattern for granting Lambda access to AWS resources. API Gateway invokes the Lambda function via a resource-based policy on the function itself, but that does not affect DynamoDB access; the Lambda execution role handles all downstream permissions.

Exam trap

The trap here is that candidates confuse resource-based policies (used for granting invocation permissions to other AWS accounts or services) with execution roles (used for granting the Lambda function permissions to access other AWS resources), leading them to incorrectly choose Option B or think Option C is a valid authentication method.

How to eliminate wrong answers

Option B is wrong because resource-based policies on DynamoDB tables are not supported; DynamoDB uses IAM policies attached to users, roles, or the table's own resource policy (only for cross-account access via VPC endpoints or AWS Organizations), not for granting access to a Lambda function in the same account. Option C is wrong because passing a shared secret via API Gateway to Lambda for DynamoDB access is insecure and unnecessary; secrets should never be passed through API Gateway payloads, and AWS recommends using IAM roles for service-to-service authentication. Option D is wrong because storing DynamoDB access keys (long-term credentials) in Lambda environment variables violates security best practices—they can be exposed in logs, console, or version history—and AWS strongly recommends using IAM roles with temporary credentials instead.

1477
MCQmedium

A company uses AWS OpsWorks for configuration management. They have a stack with multiple layers. They want to deploy a new application version to the application layer using rolling updates. What is the correct way to achieve this?

A.Update the custom cookbook and run the 'setup' command on the layer.
B.Clone the stack and then delete the old stack.
C.Update the app with the new version and run the 'deploy' command on the stack.
D.Modify the Auto Scaling group to launch new instances with the updated app.
AnswerC

The deploy command updates the app on all instances according to the deployment strategy.

Why this answer

Option C is correct because in AWS OpsWorks, deploying a new application version to a layer is done by updating the app configuration with the new version and then running the 'deploy' command on the stack. This command triggers the built-in Chef deploy recipes on the layer's instances, performing a rolling update that installs the new application version while minimizing downtime. The 'deploy' lifecycle event is specifically designed for application deployment, unlike 'setup' which configures the instance's initial state.

Exam trap

The trap here is confusing the 'setup' lifecycle event (used for initial configuration) with the 'deploy' lifecycle event (used for application deployment), leading candidates to incorrectly choose Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the 'setup' command runs the setup lifecycle event, which configures the instance's packages, dependencies, and custom cookbooks, but it does not deploy application code; deploying a new app version requires the 'deploy' command. Option B is wrong because cloning the stack and deleting the old stack is an unnecessarily disruptive and manual process that does not achieve a rolling update; OpsWorks supports in-place rolling updates via the 'deploy' command without stack recreation. Option D is wrong because modifying the Auto Scaling group to launch new instances with an updated app bypasses OpsWorks's deployment lifecycle and does not perform a controlled rolling update; it would replace instances without the orchestrated 'deploy' recipes that handle application-specific tasks like database migrations or cache clearing.

1478
MCQeasy

A developer is creating an AWS Lambda function that needs to access files from an Amazon EFS file system. The Lambda function must be configured to access the VPC. Which of the following is required to allow the Lambda function to mount the EFS file system?

A.The Lambda function must have the AWSLambdaVPCAccessExecutionRole managed policy attached.
B.The Lambda function must be in the same Availability Zone as the EFS mount target.
C.The Lambda function must have the AmazonElasticFileSystemClientReadWriteAccess managed policy attached.
D.The Lambda function must have the efs:MountFileSystem permission in its execution role.
AnswerA

This policy provides permissions to create and manage ENIs, which is essential for Lambda to connect to a VPC and access EFS.

Why this answer

The AWSLambdaVPCAccessExecutionRole managed policy provides the necessary permissions for Lambda to manage elastic network interfaces (ENIs) in a VPC, which is required for Lambda to connect to an EFS file system via mount targets. Without this policy, the Lambda function cannot create or manage the ENI needed to route traffic to the EFS mount target within the VPC.

Exam trap

The trap here is that candidates confuse the VPC networking permissions required for Lambda to mount EFS (AWSLambdaVPCAccessExecutionRole) with EFS-specific API permissions (AmazonElasticFileSystemClientReadWriteAccess) or a nonexistent efs:MountFileSystem action, leading them to select the wrong policy or permission.

How to eliminate wrong answers

Option B is wrong because Lambda can access EFS mount targets in any Availability Zone within the same VPC; it does not need to be in the same AZ as the mount target, as Lambda uses ENIs in the VPC subnets to reach the mount target across AZs. Option C is wrong because the AmazonElasticFileSystemClientReadWriteAccess policy grants permissions to EFS API operations (e.g., CreateFileSystem, DescribeMountTargets) but does not include the specific efs:MountFileSystem permission or the VPC networking permissions required for Lambda to mount the file system. Option D is wrong because the efs:MountFileSystem permission is not a valid IAM action; EFS mounting is controlled by network connectivity (VPC configuration) and the execution role must include permissions for EC2 ENI management (ec2:CreateNetworkInterface, etc.), not a direct EFS mount action.

1479
MCQmedium

A developer is configuring an S3 bucket to host a static website. The bucket policy allows public read access. However, users receive a 403 Forbidden error when accessing the website. What is the most likely cause?

A.The bucket is located in a different AWS region than the website endpoint.
B.The bucket name does not match the domain name.
C.The bucket has 'Block all public access' settings enabled.
D.The bucket is not configured with CloudFront as a content delivery network.
AnswerC

Block public access settings override bucket policies and deny public access.

Why this answer

Option C is correct because the 'Block all public access' settings in the S3 bucket's Permissions tab override any bucket policy that grants public read access. Even if the bucket policy explicitly allows s3:GetObject for Principal "*", enabling any of the four block public access settings (especially 'Block public access to buckets and objects granted through new public bucket policies' or 'Block public and cross-account access to buckets and objects through any public bucket policies') will cause S3 to reject all anonymous requests, resulting in a 403 Forbidden error when accessing the static website endpoint.

Exam trap

The trap here is that candidates assume a bucket policy granting public read access is sufficient for static website hosting, overlooking that S3's Block Public Access settings act as a separate, overriding permission layer that can silently deny all public access even when the bucket policy is correctly configured.

How to eliminate wrong answers

Option A is wrong because S3 static website hosting endpoints are region-specific (e.g., http://bucket-name.s3-website-us-east-1.amazonaws.com), but the bucket's region does not affect access permissions; a 403 Forbidden error is an authorization issue, not a routing issue. Option B is wrong because while a bucket name must match the domain name for custom domain mapping (e.g., via Route 53), the 403 Forbidden error occurs regardless of domain name mismatch; a mismatch would cause a DNS resolution failure or a different error (e.g., 404 NoSuchBucket), not a 403. Option D is wrong because CloudFront is not required for S3 static website hosting; S3 can serve content directly via its website endpoint, and the absence of CloudFront does not cause a 403 Forbidden error—it would only affect performance, caching, or HTTPS support if not configured.

1480
MCQeasy

A company stores sensitive user data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The bucket already has default encryption configured with SSE-S3. What is the MINIMUM change needed to meet the requirement?

A.Change the default encryption of the bucket to SSE-KMS with the desired KMS key.
B.Add an object-level encryption setting to each object after upload.
C.Enable S3 Bucket Keys on the bucket.
D.Attach a bucket policy that denies uploads without the required KMS key.
AnswerA

This ensures all objects uploaded are encrypted with the specified KMS key.

Why this answer

SSE-S3 uses Amazon S3-managed keys, not customer-managed keys. To use a customer-managed KMS key, you must change the default encryption to SSE-KMS with that key. S3 Bucket Keys reduce KMS request costs but are not required.

Object-level encryption settings are not needed if default encryption is set. Policy change is not sufficient.

1481
MCQhard

A company is using Amazon API Gateway to expose a set of RESTful APIs. Each API call is processed by an AWS Lambda function. The company wants to enforce throttling limits to prevent abuse. Specifically, the company wants to allow 100 requests per second per API key. What is the SIMPLEST way to achieve this?

A.Use AWS WAF to block requests after 100 per second.
B.Set a reserved concurrency on the Lambda function to 100.
C.Configure a CloudWatch alarm to disable the API key after exceeding the limit.
D.Create a usage plan in API Gateway with a rate limit of 100 requests per second per API key.
AnswerD

Correct: Usage plans allow per-key throttling.

Why this answer

Option D is correct because API Gateway provides built-in usage plans with the ability to set rate limits per API key. Option B is wrong because Lambda reserved concurrency limits the function's overall concurrency, not per-key throttling. Option A is wrong because WAF is a web application firewall, not a per-key throttling mechanism.

Option C is wrong because CloudWatch alarms only alert; they don't throttle.

1482
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a Node.js application. The application requires an environment variable that contains a secret (e.g., a database password). The developer wants to store the secret securely and make it available to the application instances. Which Elastic Beanstalk feature should be used?

A.Store the secret in an environment property with the value set in plaintext.
B.Use the AWS Secrets Manager integration in Elastic Beanstalk.
C.Use an .ebextensions configuration file to set the environment variable.
D.Use Elastic Beanstalk platform hooks to retrieve the secret at startup.
AnswerB

This securely retrieves the secret from Secrets Manager and injects it as an environment variable.

Why this answer

AWS Elastic Beanstalk has a native integration with AWS Secrets Manager that allows you to retrieve secrets and inject them as environment variables into your application instances without exposing the secret in plaintext. This integration handles the secure retrieval and rotation of secrets automatically, making it the correct choice for securely storing and accessing a database password.

Exam trap

The trap here is that candidates may think platform hooks (Option D) are the correct approach because they can run scripts at startup, but they overlook the fact that Elastic Beanstalk's native Secrets Manager integration provides a simpler, more secure, and fully managed solution without requiring custom code to handle API calls and permissions.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment property with the value set in plaintext exposes the secret in the Elastic Beanstalk environment configuration and logs, violating security best practices. Option C is wrong because .ebextensions configuration files are processed during environment creation and updates, but they still require the secret value to be specified in plaintext or referenced from a source that does not inherently provide secure secret management. Option D is wrong because platform hooks are used to run custom scripts at specific lifecycle events (e.g., deployment, startup) but do not provide a built-in, managed mechanism for securely retrieving and injecting secrets; you would have to manually call the AWS Secrets Manager API and handle permissions, which is less secure and more complex than using the native integration.

1483
MCQhard

A developer is using AWS CodeDeploy with a blue/green deployment strategy to update an application running on Amazon ECS with the Fargate launch type. After the new (green) task set is created and traffic is shifted to it, users immediately report errors when trying to write data. The developer discovers that the green task set is connecting to a different database than the blue task set. The database endpoints are configured in the ECS task definition. What is the simplest way to prevent this issue in future deployments?

A.Modify the blue/green deployment configuration to use the same database endpoint for both task sets by updating the environment variables in the task definition before deployment.
B.Create two separate Amazon RDS databases and use an Amazon Route 53 weighted routing policy to distribute traffic.
C.Use an Application Load Balancer (ALB) with stickiness to route each user to the correct task set.
D.Use AWS CloudFormation to create a new database stack for each deployment and update the task definition dynamically.
AnswerA

Environment variables in the task definition can be changed without modifying the container image. Set the database endpoint to the same value for both blue and green task sets. This is the simplest solution.

Why this answer

Option A is correct because the issue stems from the green task set using a different database endpoint than the blue task set, which is configured via environment variables in the ECS task definition. By updating the task definition to use the same database endpoint before deployment, both task sets will connect to the same database, ensuring consistency during the traffic shift. This is the simplest fix as it requires no additional infrastructure or complex routing changes.

Exam trap

The trap here is that candidates may think the issue is about traffic routing or session persistence (options B or C), rather than recognizing that the root cause is a configuration mismatch in the task definition environment variables, which is a common oversight in blue/green deployments.

How to eliminate wrong answers

Option B is wrong because creating two separate RDS databases and using Route 53 weighted routing would introduce data inconsistency and complexity, as users would write to different databases, defeating the purpose of a single application state. Option C is wrong because using an ALB with stickiness would route users to either the blue or green task set based on session affinity, but it does not address the root cause of different database endpoints; the task sets would still connect to different databases, causing data fragmentation. Option D is wrong because using CloudFormation to create a new database stack for each deployment is overly complex and unnecessary; it would require managing multiple databases and updating the task definition dynamically, which is not the simplest solution and could lead to data loss or inconsistency.

1484
MCQhard

A developer is deploying a Lambda function that needs to write logs to CloudWatch Logs. The function's execution role has the AWSLambdaBasicExecutionRole managed policy attached. However, logs are not being written. What is the MOST likely reason?

A.The Lambda function is using a customer-managed KMS key for log encryption.
B.The CloudWatch Logs agent is not installed on the Lambda execution environment.
C.The log group does not exist and the Lambda function cannot create it due to a resource-based policy.
D.The Lambda function's execution role does not have sufficient permissions.
AnswerC

The basic policy allows creation, but if a resource-based policy is blocking, it could fail.

Why this answer

The AWSLambdaBasicExecutionRole managed policy grants permissions to create log streams and write logs to CloudWatch Logs, but it does not grant the `logs:CreateLogGroup` permission. If the log group does not already exist, the Lambda function will fail to write logs because it cannot create the log group. A resource-based policy on the log group can further restrict creation, but the primary issue is the missing `logs:CreateLogGroup` permission in the execution role.

Exam trap

The trap here is that candidates assume the AWSLambdaBasicExecutionRole includes all necessary CloudWatch Logs permissions, but it deliberately excludes `logs:CreateLogGroup`, so the log group must exist beforehand.

How to eliminate wrong answers

Option A is wrong because using a customer-managed KMS key for log encryption would not prevent log writing; it would only require additional `kms:Decrypt` and `kms:Encrypt` permissions on the key, which are not part of the AWSLambdaBasicExecutionRole but would cause a different error (access denied) rather than silent failure. Option B is wrong because the CloudWatch Logs agent is not used in Lambda; Lambda uses the AWS SDK or the Lambda runtime to send logs directly to CloudWatch Logs via the `PutLogEvents` API. Option D is wrong because the AWSLambdaBasicExecutionRole does include the necessary `logs:CreateLogStream` and `logs:PutLogEvents` permissions; the missing permission is `logs:CreateLogGroup`, which is not in that policy, so the role has sufficient permissions for writing but not for creating the log group.

1485
MCQmedium

A company wants to build a RESTful API that handles file uploads. The API needs to support multipart/form-data content type. The developer is using Amazon API Gateway and AWS Lambda. Which approach should the developer use to handle file uploads efficiently?

A.Configure API Gateway to pass the entire request body to Lambda, and process the file within the Lambda function.
B.Create a Lambda function that accepts the file and uploads it to S3 using the AWS SDK.
C.Use API Gateway to generate a presigned S3 URL, and have the client upload directly to S3. The Lambda function can then process the file asynchronously.
D.Use an EC2 instance to host a custom web server that accepts file uploads and writes to S3.
AnswerC

This approach uses presigned URLs to allow direct upload to S3, avoiding API Gateway and Lambda payload limits. The Lambda function can be triggered by S3 events to process the uploaded file.

Why this answer

Option C is correct because it offloads the file upload to Amazon S3 directly via a presigned URL, which avoids the 10 MB payload limit and 29-second timeout of API Gateway and Lambda for large files. The client uploads the file to S3, and a separate Lambda function processes the file asynchronously, making the solution efficient and scalable for multipart/form-data uploads.

Exam trap

The trap here is that candidates assume Lambda can handle file uploads directly via API Gateway, overlooking the 10 MB payload limit and 29-second timeout, and fail to recognize the presigned URL pattern as the efficient serverless solution for large multipart/form-data uploads.

How to eliminate wrong answers

Option A is wrong because API Gateway has a 10 MB payload limit and a 29-second integration timeout, making it unsuitable for large file uploads; passing the entire request body to Lambda also forces the function to handle raw multipart parsing, which is inefficient and error-prone. Option B is wrong because it still requires the client to send the file through API Gateway and Lambda, hitting the same size and timeout constraints; the Lambda function would need to receive the entire file payload before uploading to S3, defeating the purpose of direct upload. Option D is wrong because it introduces unnecessary infrastructure management (EC2) and does not leverage serverless benefits; it also does not address the requirement to use API Gateway and Lambda, and a custom web server on EC2 adds operational overhead without improving efficiency.

1486
MCQmedium

A developer is building a microservices application composed of multiple AWS Lambda functions and an Amazon API Gateway. The developer needs to trace requests as they travel through different services to identify performance bottlenecks. Which AWS service should the developer integrate?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS X-Ray
D.Amazon Inspector
AnswerC

X-Ray is designed for tracing requests across distributed applications, allowing developers to pinpoint performance issues.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end tracing of requests as they travel through distributed applications, including AWS Lambda functions and API Gateway. It generates a service map that shows the flow of requests, latency breakdowns, and identifies performance bottlenecks across microservices. X-Ray integrates directly with Lambda and API Gateway via the X-Ray SDK and tracing headers, enabling trace propagation without code changes.

Exam trap

The trap here is that candidates confuse CloudWatch Logs (which shows logs) with distributed tracing (which correlates requests across services), leading them to pick CloudWatch Logs instead of X-Ray for end-to-end performance analysis.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls for auditing and governance, not for tracing individual request paths or performance bottlenecks across microservices. Option B is wrong because Amazon CloudWatch Logs aggregates log data but does not provide distributed tracing or service maps to correlate requests across multiple Lambda functions and API Gateway. Option D is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposure, not for tracing application requests or performance analysis.

1487
MCQmedium

A company uses Amazon API Gateway to expose a REST API. The API uses a Lambda authorizer to validate JWT tokens. Recently, the API has been returning 401 Unauthorized errors for valid tokens. The developer notices that the tokens are signed with a new key but the authorizer still uses the old key. What is the MOST efficient way to update the authorizer with the new key?

A.Modify the Lambda authorizer to fetch the public key from a well-known URL at runtime.
B.Update the API Gateway stage deployment to redeploy the API.
C.Delete and recreate the API Gateway authorizer with the new key.
D.Update the Lambda authorizer's environment variable with the new key and publish a new version.
AnswerA

This allows the authorizer to always use the latest key without manual updates.

Why this answer

Option A is correct because the Lambda authorizer can retrieve the public key from an external URL (e.g., a JWKS endpoint) at runtime, avoiding hardcoded keys. Option C is wrong because recreating the authorizer would cause downtime. Option B is wrong because redeploying the stage does not update the authorizer logic.

Option D is wrong because manually updating environment variables requires a function update and is less flexible than fetching keys dynamically.

1488
MCQhard

A developer ran the above CLI command to describe an EC2 instance. The instance is running but the developer cannot connect to it via SSH. Which additional step should the developer take to troubleshoot the connectivity issue?

A.Check the AMI ID to ensure it is a valid Linux AMI
B.Check the instance's network interfaces for a public IP
C.Check the instance status checks in the EC2 console
D.Check the security group rules associated with the instance
AnswerD

Security groups control inbound traffic; if port 22 is not allowed, SSH will fail.

Why this answer

Option D is correct because checking the security group rules is essential to verify that inbound SSH traffic (port 22) is allowed. The describe-instances output does not include security group information. Option C is wrong because the instance is already running.

Option B is wrong because the instance type is t2.micro, which has a default ENI limit. Option A is wrong because the AMI ID is present.

1489
MCQeasy

A developer is using AWS CodePipeline to automate a build and deploy process. The pipeline has a build stage that uses AWS CodeBuild and a deploy stage that uses AWS CodeDeploy. The build stage produces a build artifact that is stored in Amazon S3. The deploy stage fails with 'NoSuchKey' error. What is the MOST likely cause?

A.The CodeDeploy application does not have the correct service role.
B.The CodeBuild project does not have permissions to upload to the S3 bucket.
C.The pipeline does not have an OutputArtifact configured for the build stage, so the artifact is not passed to the deploy stage.
D.The S3 bucket policy does not allow CodePipeline to access the artifact.
AnswerC

Correct: Artifacts must be defined in the pipeline configuration.

Why this answer

Option C is correct because the artifact must be passed explicitly between stages via the OutputArtifacts and InputArtifacts configuration. Option D is wrong because the S3 bucket policy is not typically the issue in a same-account pipeline. Option B is wrong because CodeBuild upload permissions are a separate concern.

Option A is wrong because the CodeDeploy service role governs deployment, not artifact access.

1490
Multi-Selecteasy

A developer is deploying a serverless application using AWS SAM. The application includes multiple Lambda functions and an API Gateway. Which THREE AWS CLI commands are part of the typical SAM deployment workflow? (Choose THREE.)

Select 3 answers
A.sam deploy
B.sam init
C.sam package
D.sam build
E.aws s3 cp
AnswersA, C, D

Deploys the application.

Why this answer

Option A is correct because `sam deploy` is the AWS SAM CLI command that deploys the packaged application to AWS, creating or updating the CloudFormation stack with the Lambda functions and API Gateway resources. It reads the `template.yaml` and the packaged artifacts (from `sam package`) to provision the infrastructure. This command is the final step in the standard SAM deployment workflow.

Exam trap

The trap here is that candidates confuse `sam init` (a project scaffolding command) with a deployment step, or mistakenly think `aws s3 cp` is part of the SAM workflow when in fact SAM provides its own `sam package` command to handle S3 uploads and template transformation.

1491
Multi-Selectmedium

Which TWO actions are recommended to secure an S3 bucket? (Choose 2)

Select 2 answers
A.Block public access at the bucket level
B.Disable versioning to reduce complexity
C.Use HTTP instead of HTTPS for faster access
D.Enable default encryption
E.Grant public read access via ACLs
AnswersA, D

Prevents unintended public access.

Why this answer

Options A and D are correct. A: Block public access is a key security measure. D: Enable default encryption ensures data at rest is encrypted.

B: Disabling versioning reduces data protection. C: Using HTTP is insecure. E: Granting public read access via ACLs is insecure.

1492
Multi-Selectmedium

A company is using AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS MySQL database. The development team wants to ensure that database credentials are not exposed in the application code. Which THREE actions should the team take to securely manage and retrieve database credentials? (Choose three.)

Select 3 answers
A.Store the credentials in an S3 bucket with a bucket policy that restricts access to the application.
B.Configure Elastic Beanstalk to pass the secret ARN to the application as an environment property.
C.Modify the application code to retrieve the credentials from Secrets Manager at startup.
D.Hardcode the credentials in the application code and use environment variables to override them.
E.Store the database credentials in AWS Secrets Manager.
AnswersB, C, E

Correct: Elastic Beanstalk can pass the secret ARN securely.

Why this answer

Option E is correct because AWS Secrets Manager can store and automatically rotate database credentials. Option B is correct because Elastic Beanstalk can pass environment properties (e.g., the secret ARN) to the application. Option C is correct because the application can query Secrets Manager at runtime to get the current credentials.

Option D is incorrect because hardcoding credentials in the application code is insecure, whether or not environment variables can override them. Option A is incorrect because storing credentials in S3 with a bucket policy is less secure and not best practice.

1493
MCQmedium

A company runs a Node.js application on AWS Elastic Beanstalk. The application experiences high latency during peak hours. The developer suspects that the environment's EC2 instances are under-provisioned. Which configuration change would MOST effectively address the latency issue with minimal cost increase?

A.Place the environment behind an Application Load Balancer.
B.Enable Auto Scaling and configure scaling triggers based on CPU utilization.
C.Change the instance type to a larger size in the environment configuration.
D.Decrease the minimum number of instances in the Auto Scaling group.
AnswerB

Auto Scaling adds instances during high CPU usage and removes them when idle, optimizing cost and performance.

Why this answer

Option B is correct because enabling Auto Scaling with scaling triggers allows the environment to add instances during peak hours and remove them during low traffic, balancing performance and cost. Option C is wrong because increasing the instance size may be more expensive and is less elastic. Option D is wrong because reducing the number of instances would worsen latency.

Option A is wrong because a load balancer alone does not change instance provisioning.

1494
MCQhard

A developer is deploying a serverless application using AWS SAM. The application consists of multiple Lambda functions and an API Gateway REST API. The developer needs to ensure that the API Gateway endpoint is created before the Lambda functions are deployed, because the functions need the endpoint URL as an environment variable. How should the developer configure the SAM template?

A.Separate the deployment into two stacks: first deploy API Gateway, then deploy Lambda functions
B.Add a DependsOn clause to each Lambda function resource to wait for the API Gateway resource
C.Define the Lambda functions to use the ServerlessRestApi implicit API and reference the API's output in the function's environment variables
D.Use a custom resource in CloudFormation to create the API Gateway endpoint before Lambda functions
AnswerC

SAM creates dependencies automatically.

Why this answer

Option C is correct because AWS SAM automatically creates an implicit API Gateway REST API (logical ID `ServerlessRestApi`) when you define an `AWS::Serverless::Api` or use the `Events` property on a function. You can reference its endpoint URL using the `Fn::Sub` intrinsic function with the `ServerlessRestApi` logical ID, such as `!Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/${Stage}'`. This ensures the API Gateway resource is created before the Lambda functions that reference it, as CloudFormation resolves dependencies through intrinsic function references.

Exam trap

The trap here is that candidates may think `DependsOn` is sufficient to pass the endpoint URL, but it only orders creation and does not inject the URL into environment variables, which requires an intrinsic function reference like `Fn::Sub` or `Fn::GetAtt`.

How to eliminate wrong answers

Option A is wrong because separating into two stacks introduces unnecessary complexity and cross-stack output references, which is not required when SAM can handle the dependency within a single stack. Option B is wrong because `DependsOn` only ensures resource creation order but does not provide the endpoint URL as an environment variable; the developer still needs to reference the API Gateway output, and `DependsOn` alone does not pass the URL. Option D is wrong because using a custom resource to create the API Gateway endpoint is over-engineered and redundant; SAM already provides a built-in implicit API resource that handles creation and dependency resolution automatically.

1495
MCQeasy

Refer to the exhibit. A developer attached this bucket policy to an S3 bucket. Users from the 192.0.2.0/24 network can access objects, but users from a different network (203.0.113.0/24) get access denied. What change should be made to allow both networks?

A.Add a new statement with a different Principal.
B.Change the Condition to aws:SourceIp: "203.0.113.0/24".
C.Remove the Condition block entirely.
D.Change the Condition to use a list of IP ranges: ["192.0.2.0/24", "203.0.113.0/24"].
AnswerD

A list allows multiple IP ranges.

Why this answer

Option D is correct because the `aws:SourceIp` condition key accepts a list of IP ranges in an array format. By specifying both `192.0.2.0/24` and `203.0.113.0/24` in the condition, the bucket policy will grant access to requests originating from either network, resolving the access denied error for the second network.

Exam trap

The trap here is that candidates mistakenly think the `aws:SourceIp` condition key can only hold a single value, leading them to choose Option B, when in fact it accepts a list of IP ranges to allow multiple networks.

How to eliminate wrong answers

Option A is wrong because the `Principal` element in an S3 bucket policy specifies the AWS account or IAM entity allowed to access the bucket, not the network IP range; adding a different Principal would not fix the IP-based restriction. Option B is wrong because changing the condition to only `203.0.113.0/24` would deny access to the original `192.0.2.0/24` network, simply swapping which network is blocked. Option C is wrong because removing the `Condition` block entirely would allow all IP addresses to access the bucket, which is overly permissive and violates the principle of least privilege.
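
The policy from option D and a small evaluator of its `aws:SourceIp` condition, as an added example that is not part of the question bank: it shows that `IpAddress` accepts a single CIDR or a list, that a list is satisfied when any entry matches, and that the original single-network form still denies the second network. The bucket name, the request addresses and the function names are constructed for the example; the evaluator covers only the `IpAddress`/`NotIpAddress` operators and Allow/Deny statement effects, not the rest of IAM policy evaluation.

```python
"""Bucket policy with a list of source networks, and how its condition evaluates."""
import ipaddress
import json
from typing import List, Union


def build_policy(source_ips: Union[str, List[str]]) -> dict:
    """S3 bucket policy restricting s3:GetObject to the given network(s).

    `source_ips` may be one CIDR string (the exhibit's original form) or a
    list of CIDRs (option D). The bucket name is a constructed placeholder.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromApprovedNetworks",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-bucket/*",
                "Condition": {"IpAddress": {"aws:SourceIp": source_ips}},
            }
        ],
    }


ORIGINAL_POLICY = build_policy("192.0.2.0/24")                       # before the fix
FIXED_POLICY = build_policy(["192.0.2.0/24", "203.0.113.0/24"])      # option D


def _as_list(value):
    return value if isinstance(value, list) else [value]


def source_ip_matches(condition: dict, source_ip: str) -> bool:
    """Evaluate the IpAddress / NotIpAddress operators of a Condition block.

    Within one key the listed CIDRs are OR'ed; separate operators are AND'ed.
    An IPv4 address never matches an IPv6 range and vice versa.
    """
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            continue  # other operators are out of scope for this example
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in _as_list(keys.get("aws:SourceIp", []))]
        in_any = any(addr in net for net in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def get_object_allowed(policy: dict, source_ip: str, action: str = "s3:GetObject") -> bool:
    """Allow only if some Allow statement matches and no matching Deny exists."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not source_ip_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(FIXED_POLICY, indent=2))
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.4"):
        print(ip, "original:", get_object_allowed(ORIGINAL_POLICY, ip),
              "fixed:", get_object_allowed(FIXED_POLICY, ip))
```

Note that a `Principal` of `*` with an IP condition is only as strong as the condition: an address outside both ranges must evaluate to no Allow at all, which is what the third constructed address checks.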

1496
MCQmedium

A company is using an Application Load Balancer (ALB) to route traffic to a set of EC2 instances. The security team wants to ensure that only traffic from the ALB can reach the instances. Which security group configuration should be used?

A.Configure the EC2 instance security group to allow traffic from the ALB's private IP address range.
B.Configure the network ACL for the EC2 instance subnet to allow traffic from the ALB security group.
C.Configure the EC2 instance security group to allow traffic from the ALB security group.
D.Configure the EC2 instance security group to allow HTTP traffic from 0.0.0.0/0.
AnswerC

Referencing the ALB security group as source ensures only ALB traffic reaches instances.

Why this answer

Option C is correct because referencing the ALB security group as the source in the EC2 instance security group ensures that only traffic originating from the ALB is allowed. Option A is wrong because the ALB's private IP addresses can change as the ALB scales. Option B is wrong because a network ACL does not support security group IDs as sources.

Option D is wrong because allowing all HTTP traffic would defeat the purpose of restricting traffic to the ALB only.

1497
MCQmedium

A developer is using Amazon API Gateway to expose a REST API. The API needs to validate request parameters and payload before invoking the backend Lambda function. What is the MOST efficient way to perform this validation?

A.Use API Gateway request validation with a model schema.
B.Validate the request in the Lambda function and return errors if validation fails.
C.Use Amazon CloudFront to validate the request at the edge.
D.Use API Gateway request parameters to enforce required headers.
AnswerA

API Gateway can validate requests before invoking Lambda, saving costs.

Why this answer

Option A is correct because API Gateway can validate requests against a model schema before invoking the backend, reducing Lambda invocations. Option B is wrong because validation in Lambda still incurs invocation cost and latency. Option D is wrong because request parameter validation alone does not validate the payload.

Option C is wrong because CloudFront is a CDN, not an API validation layer.

1498
Multi-Selecthard

A developer is configuring an Amazon API Gateway REST API with a Lambda function as the backend. The Lambda function returns a JSON response. The developer wants to enable caching to reduce the number of calls to the Lambda function. Which TWO steps are required to enable caching for a specific stage?

Select 2 answers
A.Configure cache key parameters in the method request.
B.Enable API caching in the stage settings.
C.Attach a custom domain name to the API.
D.Create an API key and usage plan.
E.Deploy the API to an edge-optimized endpoint.
AnswersA, B

Cache keys determine how responses are cached; they must be defined.

Why this answer

Options A and B are correct. Enabling caching requires enabling the cache in the API Gateway stage settings and also configuring cache key parameters (usually by enabling caching on the method request). Option D is for API keys and usage plans, not caching.

Option E concerns edge-optimized endpoints, not caching. Option C is not directly related to enabling caching; it concerns custom domain names.

1499
MCQeasy

A developer is building a serverless application using AWS Lambda. The application needs to process messages from an Amazon SQS queue and store results in an Amazon DynamoDB table. Which AWS service should the developer use to trigger the Lambda function when new messages arrive in the SQS queue?

A.Set up an Amazon EventBridge rule to capture SQS events and invoke Lambda.
B.Use Amazon SNS to subscribe to the SQS queue and trigger Lambda.
C.Use AWS Step Functions to poll the SQS queue and invoke Lambda.
D.Configure an SQS event source mapping on the Lambda function.
AnswerD

Lambda can poll SQS and invoke the function automatically.

Why this answer

Amazon SQS can directly invoke AWS Lambda via event source mappings. Option D is correct because Lambda polls SQS and processes the messages. Option B is incorrect because SNS is a pub/sub service, not a consumer of SQS queues.

Option A is incorrect because EventBridge is for event buses, not direct SQS triggers. Option C is incorrect because Step Functions orchestrate workflows; they are not a polling trigger.
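
A Lambda handler behind an SQS event source mapping (option D), as an added example that is not part of the question bank: Lambda delivers a batch of records, and the handler returns `batchItemFailures` so only the messages that failed are retried rather than the whole batch. The event, the order schema and the in-memory stand-in for the DynamoDB write are constructed; the real function would call `put_item` on a boto3 table, and the event source mapping must list `ReportBatchItemFailures` in its `FunctionResponseTypes` for the partial response to take effect.

```python
"""SQS-triggered Lambda handler with partial batch failure reporting."""
import json
from typing import Callable, Dict, List

# Constructed sink standing in for DynamoDB. In the deployed function replace
# store_item with boto3.resource("dynamodb").Table(TABLE_NAME).put_item(Item=item).
PROCESSED_ITEMS: Dict[str, dict] = {}


def store_item(item: dict) -> None:
    PROCESSED_ITEMS[item["pk"]] = item


def process_record(body: str) -> dict:
    """Turn one SQS message body into a DynamoDB item; raise on bad input."""
    msg = json.loads(body)
    order_id = msg["orderId"]
    amount = msg["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount < 0:
        raise ValueError(f"invalid amount for order {order_id}")
    return {"pk": f"ORDER#{order_id}", "amount": str(amount), "status": "PROCESSED"}


def handle_batch(event: dict, put_item: Callable[[dict], None]) -> dict:
    """Process every record; report failures individually instead of raising.

    Raising out of the handler returns the entire batch to the queue, so the
    records that already succeeded would be delivered (and written) again.
    """
    failures: List[dict] = []
    for record in event.get("Records", []):
        message_id = record["messageId"]
        try:
            put_item(process_record(record["body"]))
        except Exception as exc:  # one poison message must not fail the batch
            print(f"message {message_id} failed: {exc}")
            failures.append({"itemIdentifier": message_id})
    return {"batchItemFailures": failures}


def lambda_handler(event, context):
    """Lambda entry point: the event source mapping invokes this with a batch."""
    return handle_batch(event, store_item)


# Constructed batch: two valid orders, one non-JSON body, one negative amount.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "m-1", "body": json.dumps({"orderId": "A100", "amount": 25.5})},
        {"messageId": "m-2", "body": "not json"},
        {"messageId": "m-3", "body": json.dumps({"orderId": "A101", "amount": -4})},
        {"messageId": "m-4", "body": json.dumps({"orderId": "A102", "amount": 10})},
    ]
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
    print(sorted(PROCESSED_ITEMS))
```

A message that keeps failing will be retried until the queue's `maxReceiveCount` moves it to the dead-letter queue, so the redrive policy, not the handler, is where poison messages finally stop; the handler's job is to keep them from taking healthy messages down with them.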

1500
Multi-Selecthard

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which THREE steps should the developer take to ensure that only approved changes are deployed to production?

Select 3 answers
A.Use AWS CloudFormation change sets to review changes
B.Enable versioning on the S3 bucket
C.Configure cross-account access for the pipeline
D.Add a manual approval step before the production deployment
E.Encrypt the S3 bucket with AWS KMS
AnswersA, B, D

Change sets allow you to preview changes before applying them.

Why this answer

Option D is correct because manual approval gates allow review. Option B is correct because S3 versioning enables rollback. Option A is correct because CloudFormation change sets allow a preview of the changes.

Option E is wrong because AWS KMS encryption is not needed for approval control. Option C is wrong because cross-account access is not mentioned in the scenario.
