AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 1501-1575

1616 questions total · 22 pages · All types, answers revealed

Page 21 of 22
1501 (MCQ, easy)

A developer is using AWS CloudFormation to deploy a stack. The stack creation fails with a 'CREATE_FAILED' status for an EC2 instance resource. The event message says 'The requested configuration is currently not supported. Please check the documentation for supported configurations.' What should the developer do to resolve this issue?

A. Update the stack with a new parameter value.
B. Add an IAM role to the EC2 instance.
C. Change the instance type or specify a different Availability Zone in the template.
D. Use a different Amazon Machine Image (AMI).
Answer: C

The instance type is not supported in the selected AZ.

Why this answer

The error indicates that the instance type is not available in the specified Availability Zone. Option C is correct: changing the instance type or the AZ resolves it. Option B is wrong because the error is not about permissions.

Option A is wrong because the stack creation failed, so updating the stack is not possible. Option D is wrong because the error is not about the AMI.

1502 (Multi-Select, medium)

A developer is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other securely. Which THREE methods can be used to enable service-to-service authentication?

Select 3 answers
A. Use AWS App Mesh with mutual TLS (mTLS) authentication.
B. Configure Amazon ECS Service Connect for service-to-service communication.
C. Use Amazon API Gateway as a proxy for inter-service communication.
D. Use security group rules to allow traffic only between services.
E. Use IAM roles for tasks and the AWS SDK to sign requests.
Answers: A, B, E

App Mesh can enforce mTLS between services.

Why this answer

IAM roles for tasks can be used to authenticate to other AWS services via SDK. Service Connect can handle service discovery and encryption. App Mesh provides mTLS for authentication between services.

Security groups control network access, not authentication. API Gateway is for external APIs.

1503 (MCQ, hard)

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API must support CORS to allow requests from a web application hosted on a different domain. The developer has enabled CORS on the API Gateway resource and configured the Lambda function to return the appropriate headers. However, the web application is still receiving CORS errors. What is the most likely cause?

A. The API Gateway stage is not redeployed after enabling CORS.
B. The API Gateway CORS configuration is incorrect; the allowed origin should be set to '*'.
C. The web application is not sending the preflight OPTIONS request.
D. The Lambda function is not returning the CORS headers in the response.
Answer: D

For non-proxy integrations, the Lambda must include CORS headers in its response.

Why this answer

Option D is correct: when the Lambda function is a custom (non-proxy) integration, the Lambda function must return the CORS headers in its response. For proxy integrations, API Gateway automatically handles CORS headers. If the developer enabled CORS on API Gateway but the Lambda is a custom integration, the headers from API Gateway may not be passed through; the Lambda must return them.

Option D is the correct answer because the Lambda function must return the CORS headers: the API Gateway CORS configuration only applies to the mock response, not to the Lambda response.

1504 (MCQ, medium)

A company uses AWS OpsWorks to manage a stack of EC2 instances. The operations team needs to deploy a new configuration file to all instances in a layer. Which approach should the team use to automate this deployment?

A. Use AWS Systems Manager Run Command to execute a script that deploys the file
B. Add a Chef recipe to the layer's custom cookbooks that copies the configuration file to the instances
C. Create a new AWS CloudFormation stack to update the instances
D. Use AWS CodeDeploy to deploy the configuration file
Answer: B

Chef recipes manage configuration.

Why this answer

Option B is correct because OpsWorks uses Chef recipes to automate configuration management. Option C is incorrect because CloudFormation is for infrastructure provisioning, not configuration. Option D is incorrect because CodeDeploy is for application deployment, not system configuration.

Option A is incorrect because Systems Manager Run Command can be used but is not native to OpsWorks.

1505 (MCQ, hard)

A company has an S3 bucket with versioning enabled. A developer accidentally deleted an object. What must be done to recover it?

A. Copy the object from another bucket
B. Restore the object from Glacier Deep Archive
C. Delete the delete marker
D. Enable versioning on the bucket
Answer: C

Removing the delete marker restores the object.

Why this answer

With versioning enabled, deleting an object adds a delete marker. To recover the object, the delete marker must be removed. Option B (restore from Glacier) is not relevant.

Option D (enable versioning) is already in effect. Option A (copy from another bucket) is unnecessary.

1506 (Multi-Select, easy)

Which TWO approaches can be used to optimize costs for an Amazon DynamoDB table with predictable read/write patterns? (Select TWO.)

Select 2 answers
A. Increase the read capacity units to avoid throttling.
B. Use provisioned capacity with auto scaling.
C. Use DynamoDB global tables for multi-region replication.
D. Use DynamoDB Accelerator (DAX) to cache read results.
E. Use on-demand capacity mode.
Answers: B, D

Auto scaling adjusts capacity to actual usage, optimizing cost.

Why this answer

Using provisioned capacity with auto scaling adjusts capacity based on usage, avoiding over-provisioning. DynamoDB Accelerator (DAX) reduces read costs by caching reads. Option E is wrong because on-demand is more expensive for predictable workloads.

Option C is wrong because global tables increase costs. Option A is wrong because increasing read capacity units costs more.

1507 (MCQ, medium)

A developer has deployed an AWS Lambda function that is triggered by an Amazon S3 event. The function processes image files and stores metadata in an Amazon DynamoDB table. CloudWatch metrics show that the function's error count has increased. The developer checks CloudWatch Logs and sees errors related to insufficient memory. The function is configured with 128 MB of memory. What should the developer do to resolve the errors?

A. Increase the function's memory to 256 MB or higher.
B. Increase the function's timeout to 30 seconds.
C. Reduce the size of the images being uploaded to S3.
D. Move the DynamoDB write operation to an asynchronous invocation.
Answer: A

Increasing memory alleviates the out-of-memory error and also increases CPU power, which will help process images faster.

Why this answer

The error is caused by insufficient memory, which directly impacts the CPU and execution resources allocated to the Lambda function. Increasing the memory allocation to 256 MB or higher provides more CPU throughput and memory, resolving the out-of-memory errors without requiring code changes.

Exam trap

The trap here is that candidates confuse memory errors with timeout errors and incorrectly choose to increase the timeout, but the logs explicitly state insufficient memory, not duration limits.

How to eliminate wrong answers

Option B is wrong because increasing the timeout does not address memory exhaustion; timeout errors occur when execution duration exceeds the limit, not when memory is insufficient. Option C is wrong because reducing image sizes is a workaround that may not be feasible or controlled by the developer, and it does not fix the underlying resource allocation issue. Option D is wrong because moving the DynamoDB write to an asynchronous invocation does not reduce memory consumption during image processing; the function still needs enough memory to process the image in memory before any write occurs.

1508 (MCQ, medium)

An application running on EC2 needs to access an S3 bucket. The security team wants to avoid using long-term access keys. What is the most secure approach?

A. Generate an access key and secret key for an IAM user and store them on the instance.
B. Create a new IAM user and store the credentials in S3 with bucket policies.
C. Use AWS Systems Manager Parameter Store to store the credentials and retrieve them at runtime.
D. Launch the EC2 instance with an IAM role that grants S3 access.
Answer: D

Temporary credentials are automatically rotated.

Why this answer

Option D is correct because assigning an IAM role to an EC2 instance allows the instance to obtain temporary security credentials from the AWS Security Token Service (STS) automatically via the instance metadata service. This eliminates the need to store, rotate, or manage long-term access keys, adhering to the security team's requirement for a credential-less approach. The IAM role's permissions policy grants the EC2 instance access to the S3 bucket, and the credentials are automatically rotated by AWS before they expire.

Exam trap

The trap here is that candidates often confuse 'secure storage' (like Parameter Store or Secrets Manager) with 'no long-term credentials at all,' failing to recognize that an IAM role provides temporary credentials that are inherently more secure and require no key management on the instance.

How to eliminate wrong answers

Option A is wrong because storing an access key and secret key on the EC2 instance introduces long-term static credentials that can be compromised if the instance is breached, violating the security team's requirement to avoid long-term access keys. Option B is wrong because storing IAM user credentials in S3 with bucket policies still relies on long-term access keys and adds unnecessary complexity; bucket policies cannot securely protect the credentials themselves from unauthorized access. Option C is wrong because while Systems Manager Parameter Store can securely store secrets, the EC2 instance still needs a mechanism (such as an IAM role) to retrieve them at runtime, and using Parameter Store with long-term credentials stored as parameters does not eliminate the underlying risk of managing static keys.

1509 (MCQ, easy)

A developer invoked a Lambda function and saw the above output. What is the root cause of the error?

A. The Lambda function lacks permission to access the event payload.
B. The function code expects a property that is missing from the event payload.
C. The Lambda function's handler name is incorrect.
D. The Lambda function timed out.
Answer: B

The code tries to access 'length' on undefined, meaning an expected property is not present in the event.

Why this answer

Option B is correct because the error message "Cannot read property 'length' of undefined" indicates that the code expects a property that does not exist in the event object. Option D is wrong because there is no timeout error. Option C is wrong because the log shows the function started and ran.

Option A is wrong because there is no mention of missing permissions.

1510 (MCQ, hard)

A developer needs to deploy a serverless application using AWS CloudFormation. The application includes an AWS Lambda function, an Amazon API Gateway REST API, and an Amazon DynamoDB table. The developer wants to create a stack that can be updated without downtime. Which CloudFormation feature should be used?

A. Drift detection
B. StackSets
C. Nested stacks
D. Change Sets
Answer: D

Change Sets allow you to review and apply changes safely.

Why this answer

Option D is correct because Change Sets allow you to preview how changes will affect running resources before applying them, enabling you to plan for zero downtime. Option C is wrong because Nested Stacks are for modularity, not specifically for zero-downtime updates. Option B is wrong because StackSets are for multi-account/region deployments.

Option A is wrong because Drift Detection identifies changes but does not prevent downtime.

1511 (MCQ, medium)

A development team is using AWS CodeCommit as a source repository and CodeBuild for build automation. They want to trigger a build automatically whenever a pull request is created or updated in the repository. Which configuration should they use?

A. Configure an S3 event notification on the repository
B. Configure a webhook in CodeCommit to trigger CodeBuild
C. Use Amazon EventBridge to capture CodeCommit events and trigger CodeBuild
D. Create a CodePipeline that polls CodeCommit for changes
Answer: C

EventBridge can detect pull request events from CodeCommit and invoke CodeBuild.

Why this answer

Option C is correct because CodeCommit can send events via CloudWatch Events (Amazon EventBridge) to trigger CodeBuild. Option B is wrong because webhooks are used with GitHub/Bitbucket, not CodeCommit. Option D is wrong because CodePipeline is a higher-level orchestration service and is not necessary for simple build triggers.

Option A is wrong because S3 events are not applicable to CodeCommit.

1512 (Multi-Select, hard)

A developer is designing a system that stores sensitive user data in DynamoDB. The data must be encrypted at rest and in transit. Which THREE actions should the developer take?

Select 3 answers
A. Enable DynamoDB encryption at rest using an AWS KMS managed key (SSE-KMS).
B. Enable DynamoDB encryption at rest using an AWS KMS customer managed key.
C. Use HTTPS for all API calls to DynamoDB.
D. Use TLS 1.2 for all connections.
E. Implement client-side encryption before writing items to DynamoDB.
Answers: A, B, C

Another valid option for encryption at rest.

Why this answer

Options A, B, and C are correct because DynamoDB automatically encrypts at rest with AWS owned keys by default, but using a KMS key gives more control, and HTTPS protects the data in transit. Option E is wrong because client-side encryption is not necessary if using HTTPS and server-side encryption. Option D is wrong because TLS is already used by default.

1513 (MCQ, medium)

A developer is building a serverless application using AWS Lambda. The application needs to access a DynamoDB table and an S3 bucket. What is the MOST secure way to provide the necessary permissions?

A. Create an IAM role with appropriate policies and attach it to the Lambda function.
B. Use a resource-based policy on the DynamoDB table and S3 bucket to grant access to the Lambda function.
C. Attach an inline policy directly to the Lambda function resource.
D. Store AWS access keys in environment variables of the Lambda function.
Answer: A

Lambda assumes the role to get temporary credentials.

Why this answer

Option A is correct because IAM roles for Lambda functions are the secure way to grant permissions without hardcoding credentials. Option D is wrong because environment variables holding keys are insecure. Option C is wrong because Lambda does not support inline policies directly.

Option B is wrong because resource-based policies are for cross-account access, not Lambda.

1514 (MCQ, hard)

A developer is configuring cross-account access to an S3 bucket. The bucket in Account A has a bucket policy granting access to an IAM role in Account B. The IAM role's trust policy allows the developer's IAM user in Account B to assume the role. When the developer tries to access the bucket from Account B using the assumed role, they receive an Access Denied error. Which additional step is required to resolve this?

A. Add the developer's IAM user ARN to the bucket policy in Account A.
B. Configure a VPC endpoint for S3 in Account A and attach it to the bucket policy.
C. Ensure the bucket policy grants the necessary permissions to the IAM role ARN from Account B.
D. Create an IAM user in Account A and grant it S3 access, then share the credentials with the developer.
Answer: C

Cross-account access requires the bucket policy to specify the principal as the IAM role ARN.

Why this answer

Option C is correct because the S3 bucket policy must grant access to the role ARN in Account B, and the role's trust policy must allow the developer's user to assume it. Option D is wrong because resource-based policies (the bucket policy) can grant cross-account access without needing an IAM user in Account A. Option A is wrong because the bucket policy already grants access to the role.

Option B is wrong because S3 does not require VPC endpoints for cross-account access.

1515 (MCQ, hard)

A company runs a microservices application on Amazon ECS with Fargate. The application consists of three services: frontend, orders, and payments. The frontend service is behind an Application Load Balancer (ALB). The orders service processes requests from frontend and sends messages to the payments service via an Amazon SQS queue. The payments service polls the queue. Recently, during peak hours, the orders service experiences high latency and the SQS queue depth increases significantly. The monitoring shows that the payments service is not keeping up. The company wants to scale the payments service based on the queue depth. The developer has configured an ECS Service Auto Scaling target tracking policy using the SQS queue's ApproximateNumberOfMessagesVisible metric. However, the payments service is not scaling up as expected. What is the most likely cause?

A. The target tracking policy is not configured correctly because ECS Service Auto Scaling requires a custom metric, and the metric may not have been published yet.
B. The SQS queue is not sending the ApproximateNumberOfMessagesVisible metric to CloudWatch.
C. The payments service has reached the maximum number of tasks allowed by the service quota.
D. The payments service is not configured to poll the SQS queue frequently enough.
Answer: A

ECS Service Auto Scaling can use predefined SQS metrics, but it requires the metric to be available in CloudWatch, which may have a delay. Also, the policy might be misconfigured.

Why this answer

Option A is correct because ECS Service Auto Scaling requires a custom metric to be published to CloudWatch, and it may take a few minutes for the metric to appear. Option C is wrong because Fargate tasks do not have a maximum task limit by default; the limit is per region and can be increased. Option B is wrong because the SQS ApproximateNumberOfMessagesVisible metric is available as a standard CloudWatch metric.

Option D is wrong because the payments service polls the queue; the scaling policy should work regardless of polling frequency.

1516 (MCQ, hard)

A developer is troubleshooting access to an S3 bucket from an EC2 instance. The instance has an IAM role with an attached policy that allows s3:GetObject on the bucket. However, the application is receiving Access Denied errors. What is a likely cause?

A. The IAM role does not have s3:ListBucket permission.
B. The EC2 instance is not associated with an instance profile.
C. The bucket policy has an explicit deny that overrides the IAM allow.
D. The bucket has S3 Block Public Access enabled.
Answer: C

Explicit deny in bucket policy takes precedence.

Why this answer

Option C is correct because if the bucket policy explicitly denies access, the deny overrides any allow from IAM. Option D is wrong because S3 Block Public Access does not affect access through an IAM role. Option B is wrong because the instance profile needs an IAM role, not an IAM user.

Option A is wrong because S3 does not require the s3:ListBucket permission to get an object if you know the key.

1517 (MCQ, hard)

A developer is building a serverless application using AWS Lambda and Amazon API Gateway REST API. The API Gateway is configured to use a Lambda proxy integration. The developer wants to return a custom error message with a specific HTTP status code (e.g., 404) when a resource is not found. How should the developer implement this?

A. Return a JSON object with 'status_code' and 'message' keys.
B. Throw an exception with a message that includes the HTTP status code.
C. Return a JSON object with 'errorMessage' and 'errorType' keys.
D. Return a JSON object with keys 'statusCode', 'headers', and 'body' where 'statusCode' is 404 and 'body' contains the error message.
Answer: D

For Lambda proxy integration, the Lambda function must return a response in the format { 'statusCode': ..., 'headers': ..., 'body': ... } to control the HTTP response.

Why this answer

Option D is correct because with proxy integration, Lambda must return a response in the specific format: statusCode, headers, and body. Option B is wrong because throwing an exception results in a 502 Bad Gateway. Option C is wrong because the format does not include 'errorMessage' as a top-level key.

Option A is wrong because the correct format uses 'statusCode', not 'status_code'.

1518 (MCQ, hard)

A developer is optimizing an API Gateway REST API that uses Lambda integration. The response times are high, and CloudWatch logs show that the Lambda function has cold starts frequently. The function is written in Java and uses a large library. What is the MOST effective optimization?

A. Rewrite the function in Node.js to reduce cold start time.
B. Increase the Lambda function's memory allocation to 3008 MB.
C. Enable provisioned concurrency on the Lambda function.
D. Use the AWS SDK for Java 2.x to reduce initialization time.
Answer: C

Provisioned concurrency keeps a number of execution environments initialized and ready to respond immediately, eliminating cold starts.

Why this answer

Option C is correct because using provisioned concurrency keeps the function initialized and warm, eliminating cold starts. Option B is wrong because increasing memory does not directly reduce cold start time. Option D is wrong because using the AWS SDK alone does not reduce cold starts.

Option A is wrong because a Node.js function would reduce cold starts but would require rewriting the code, which is not as effective as provisioned concurrency.

1519 (MCQ, medium)

Given the IAM policy above, what is the effective permission for an IAM user?

A. No access to the bucket.
B. Full access to the bucket including delete.
C. Read-only access to the bucket.
D. Full access to the bucket except delete.
Answer: D

Explicit Deny overrides Allow.

Why this answer

The IAM policy grants the user s3:GetObject and s3:ListBucket permissions, which allow reading objects and listing the bucket, but explicitly denies s3:DeleteObject. Since an explicit deny overrides any allow, the effective permission is full access except delete. Option D is correct because the user can perform all actions except deleting objects.

Exam trap

The trap here is that candidates often overlook the explicit deny statement and assume that because the policy grants read and list permissions, the user has full read access, missing that the deny on delete restricts the effective permissions to full access except delete.

How to eliminate wrong answers

Option A is wrong because the policy grants read access (s3:GetObject and s3:ListBucket), so the user does have access to the bucket. Option B is wrong because the policy includes an explicit deny for s3:DeleteObject, which prevents full access including delete. Option C is wrong because, although the policy does not grant write permissions (e.g., s3:PutObject), the user has read access plus the ability to list, which is not strictly read-only (though close); more importantly, the explicit deny on delete does not make the policy read-only, since it still allows read and list actions. The key point is that the correct answer is D, not C.

1520 (MCQ, medium)

A company runs an application on Amazon EC2 that needs to securely store database credentials. The security team requires that credentials be automatically rotated every 30 days to reduce the risk of compromise. The application must be able to retrieve the credentials at startup without storing them in code or configuration files. Which AWS service should the developer use?

A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store (SecureString)
C. AWS Key Management Service (KMS)
D. AWS Identity and Access Management (IAM) roles
Answer: A

Secrets Manager stores secrets securely and can automatically rotate them on a schedule, meeting the requirement.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, retrieve, and automatically rotate database credentials on a schedule (e.g., every 30 days) without requiring custom code. The application can retrieve credentials at startup via the Secrets Manager API using IAM permissions, eliminating the need to store secrets in code or configuration files. Secrets Manager natively supports automatic rotation for Amazon RDS, Redshift, and DocumentDB, and can be extended to other services via custom Lambda functions.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (SecureString) with Secrets Manager, overlooking that Parameter Store lacks native automatic rotation, which is a key requirement in the question.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store (SecureString) can store encrypted secrets but does not natively support automatic rotation of credentials; rotation would require custom automation via AWS Lambda or other services. Option C is wrong because AWS Key Management Service (KMS) is a key management and encryption service that does not store or rotate secrets; it only provides encryption keys for protecting data. Option D is wrong because AWS Identity and Access Management (IAM) roles provide temporary credentials for AWS service access, not for storing or rotating database credentials; they cannot be used to retrieve static secrets like database passwords.

1521 (MCQ, easy)

A developer wants to share an Amazon Machine Image (AMI) from one AWS account to another. The AMI is backed by Amazon EBS snapshots. What must the developer do to ensure the target account can launch an EC2 instance from the AMI?

A. Copy the AMI to the target account's region and share the AMI.
B. Make the AMI public and share the EBS snapshots.
C. Share the KMS key used to encrypt the EBS snapshots with the target account.
D. Modify the AMI permissions to allow the target account and share the underlying EBS snapshots.
Answer: D

Both AMI and snapshots must be shared.

Why this answer

Option D is correct because the AMI must be shared with the target account, and the EBS snapshots must be shared as well. Option A (copy to the target account) is not necessary. Option B (making the AMI public) is not required.

Option C (sharing the encryption key) is only needed if the snapshots are encrypted.

1522 (MCQ, hard)

A company has multiple AWS accounts managed under AWS Organizations. The security team requires that all Amazon S3 buckets with bucket names containing 'logs' must be encrypted with a specific KMS key (key ID: alias/logs-key) at rest. A developer must enforce this using an SCP (Service Control Policy). Which SCP effect and condition key should be used to deny any PutObject request that does not use the required KMS key?

A. Deny effect with a Condition: StringNotEquals on s3:x-amz-server-side-encryption-aws-kms-key-id
B. Deny effect with a Condition: StringEquals on s3:x-amz-server-side-encryption
C. Allow effect with a Condition: StringEquals on kms:RequestTag/key-id
D. Deny effect with a Condition: IpAddress on aws:SourceIp
Answer: A

This SCP will deny any PutObject request that specifies a KMS key that is not the required key. The StringNotEquals condition ensures that if the request does not use the specific key ID, the request is denied. This is the standard way to enforce encryption with a specific KMS key using SCPs.

Why this answer

Option A is correct because SCPs use a Deny effect to block non-compliant requests. The condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` with `StringNotEquals` ensures that any PutObject request that does not specify the exact KMS key alias/logs-key is denied. This enforces encryption with the required key for all S3 buckets containing 'logs' in their name.

Exam trap

The trap here is that candidates confuse `s3:x-amz-server-side-encryption` (which only checks encryption type) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which checks the specific KMS key), leading them to choose Option B instead of A.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption` only checks whether server-side encryption is enabled (e.g., AES256 or aws:kms), but does not verify the specific KMS key ID, so it cannot enforce the required key. Option C is wrong because Allow effects in SCPs are permissive and cannot deny non-compliant requests; also `kms:RequestTag/key-id` is not a valid condition key for S3 PutObject operations. Option D is wrong because `aws:SourceIp` restricts requests based on IP address, which is unrelated to encryption key enforcement.

1523 (MCQ, hard)

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application uses WebSockets for real-time communication. The company wants to use AWS CodeDeploy to deploy updates with minimal downtime. Which deployment configuration should the developer use?

A. Canary deployment.
B. In-place deployment.
C. Blue/green deployment.
D. Immutable deployment.
Answer: C

Blue/green deployment creates a new environment, allowing traffic to be switched after verification, minimizing downtime for stateful apps.

Why this answer

Option C is correct because a blue/green deployment allows the company to create a new set of instances (green) and switch traffic after testing, minimizing downtime. Option B is incorrect because an in-place deployment would update instances one by one, and stateful applications may lose session data. Option D is incorrect because immutable deployments are not supported by CodeDeploy for EC2; they are used with Elastic Beanstalk.

Option A is incorrect because canary deployments are for Lambda, not EC2.

1524 (MCQ, hard)

A developer is deploying a microservices architecture on Amazon ECS. The services need to communicate with each other securely. The developer wants to use service discovery and ensure that traffic between services is encrypted. Which combination of services should the developer use?

A. Use AWS Cloud Map for service discovery and AWS App Mesh with mutual TLS
B. Use Amazon API Gateway and AWS Lambda
C. Use Amazon Route 53 private hosted zones and enable DNSSEC
D. Use an Application Load Balancer for each service and enable TLS termination
Answer: A

Cloud Map provides DNS, App Mesh provides mTLS.

Why this answer

Option A is correct because ECS service discovery with AWS Cloud Map provides DNS-based service discovery, and mTLS via App Mesh or a service mesh provides encryption. Option D is incorrect because ELB is for external traffic. Option B is incorrect because API Gateway is for APIs.

Option C is incorrect because Route 53 alone is not suitable for service discovery in ECS.

1525 (MCQ, medium)

A development team uses AWS CodeCommit for source control and AWS CodePipeline for CI/CD. The team wants to automatically deploy changes to a staging environment when a pull request is merged into the main branch. Which CodePipeline trigger configuration should be used?

A. Set up a periodic polling schedule in CodePipeline to check for changes.
B. Configure a webhook in CodeCommit to trigger the pipeline on push events.
C. Create an Amazon CloudWatch Events rule that triggers the pipeline on a 'Reference Created' event for the main branch.
D. Use the 'Start pipeline execution' API in CodePipeline on pull request creation.
Answer: C

When a pull request is merged, a reference is created for the merge commit, triggering the rule.

Why this answer

Option C is correct because a CloudWatch Events rule on the pull request merge event can trigger the pipeline. Option B is wrong because a webhook on push events would trigger on every push, not specifically on a pull request merge. Option D is wrong because CodePipeline does not have a built-in pull request trigger; it uses CloudWatch Events.

Option A is wrong because polling is not recommended and is less efficient.

1526
MCQmedium

A company uses AWS CodePipeline to deploy a Node.js application to AWS Elastic Beanstalk. The build stage runs successfully, but the deploy stage fails with an error: 'The deployment failed because no instances were found for the environment.' What is the most likely cause?

A.The CodeDeploy application is not configured correctly.
B.The IAM role for CodePipeline lacks permissions to describe EC2 instances.
C.The build artifact is not named correctly for Elastic Beanstalk.
D.The Elastic Beanstalk environment has no running instances due to a failed health check.
AnswerD

If no instances exist, the deployment cannot proceed.

Why this answer

Option D is correct because the Elastic Beanstalk deploy action updates the application version on the environment's EC2 instances; if health checks have terminated them, or the Auto Scaling group has scaled to zero, there is nothing to deploy to and the action fails with exactly this message. Check the environment's health page and its Auto Scaling group first. Option B is wrong because a missing IAM permission produces an access-denied error at the API call, not a 'no instances' message. Option A is wrong because the Elastic Beanstalk deploy action does not go through a CodeDeploy application that the developer configures.

Option C is wrong because an artifact naming or packaging problem surfaces as an artifact-not-found or invalid-bundle error, not as a missing-instance error.

1527
MCQhard

A developer is building a serverless application with AWS Lambda that needs to read from an Amazon DynamoDB table. The Lambda function is in a VPC. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Attach an IAM role to the Lambda function that allows the necessary DynamoDB actions.
B.Create a VPC endpoint for DynamoDB and associate a security group.
C.Store DynamoDB credentials in AWS Secrets Manager and retrieve them in the Lambda code.
D.Use an EC2 instance profile attached to the Lambda function's execution environment.
AnswerA

IAM roles provide temporary credentials and follow least privilege; this is the secure standard.

Why this answer

The best practice is to attach an execution role to the Lambda function with a policy that grants only the required DynamoDB actions (for example dynamodb:GetItem and dynamodb:Query) on that table's ARN; Lambda obtains short-lived credentials for the role automatically, so nothing is stored in code or configuration. A VPC-attached function reaches DynamoDB through a NAT gateway or, better, a gateway VPC endpoint for DynamoDB, but that is connectivity: option B is wrong because an endpoint and its security group decide where packets can go, not what the caller is authorised to do (an endpoint policy can narrow access further, but it does not replace the role).

Option C is wrong because DynamoDB has no per-table passwords; the 'credentials' would be long-lived IAM access keys, which are exactly what roles exist to avoid. Option D is wrong because instance profiles are an EC2 construct; Lambda uses its execution role.

1528
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The application stores user-uploaded images in an S3 bucket. The developer needs to ensure that the application can read and write to the S3 bucket. What should the developer do?

A.Use Amazon CloudFront to proxy requests to the S3 bucket.
B.Hardcode the AWS access keys in the application code.
C.Apply an S3 bucket policy that allows access from the Elastic Beanstalk environment's security group.
D.Configure the Elastic Beanstalk environment to use an IAM instance profile that grants S3 access.
AnswerD

The instance profile provides permissions to the EC2 instances running the application.

Why this answer

Option D is correct because the AWS SDK on the environment's EC2 instances takes its credentials from the instance profile's role (by default aws-elasticbeanstalk-ec2-role). Attach a policy to that role allowing s3:GetObject and s3:PutObject on the bucket's object ARN (arn:aws:s3:::BUCKET/*), plus s3:ListBucket on the bucket ARN if the application lists uploads; Elastic Beanstalk does not add application-bucket permissions for you. Option C is wrong because bucket policies cannot reference a security group (they identify callers by principal or by condition keys such as aws:SourceVpc) and a bucket policy on its own gives instances no credentials to present. Option B is wrong because access keys in code are long-lived secrets that end up in version control and cannot be rotated without a redeploy.

Option A is wrong because CloudFront delivers content to clients; it does not give the application permission to read or write the bucket.

1529
MCQeasy

A developer wants to ensure that an S3 bucket only allows HTTPS requests. What S3 bucket policy condition should be used?

A.aws:CurrentTime
B.aws:MultiFactorAuthPresent
C.aws:SourceIp
D.aws:SecureTransport
AnswerD

This condition evaluates to true if the request uses HTTPS.

Why this answer

Option D is correct because aws:SecureTransport is 'true' when the request arrived over TLS and 'false' when it arrived over plain HTTP. The usual form is a Deny statement for s3:* on both the bucket ARN and its object ARN with the condition Bool aws:SecureTransport false, which blocks every HTTP request regardless of what other statements allow. Option C is wrong because aws:SourceIp restricts by the caller's IP address. Option A is wrong because aws:CurrentTime restricts by date and time.

Option B is wrong because aws:MultiFactorAuthPresent checks whether the caller authenticated with MFA, not how the request was transported.

1530
MCQmedium

A company uses AWS CodePipeline to deploy a web application. The deployment fails intermittently during the 'Deploy' stage. The pipeline includes a step that runs a shell script on an EC2 instance. The pipeline uses a CodeBuild project for the build stage. What is the MOST likely cause of the intermittent failure?

A.The CodeBuild project is using an outdated build image.
B.The EC2 instance used for deployment does not have the CodeDeploy agent installed.
C.The pipeline is not configured to use a VPC.
D.The IAM role for CodePipeline does not have permissions to deploy.
AnswerB

Missing agent causes intermittent failures if instance is replaced.

Why this answer

Option B is correct because the deploy step runs through the CodeDeploy agent on the instances. When the Auto Scaling group launches replacement instances from an image or user data without the agent, a deployment that lands on one of them fails while deployments that land only on older instances succeed, which looks intermittent. Bake the agent into the AMI, install it from user data, or use the AWS-managed Systems Manager install so every instance has it. Option A is wrong because a stale build image would affect the build stage, and consistently. Option C is wrong because CodePipeline itself does not run in a VPC.

Option D is wrong because a missing IAM permission fails every deployment the same way, not intermittently.

1531
Matchingmedium

Match each AWS deployment strategy to its description.

Descriptions (the concept labels did not survive on this page)

Switch between two environments

Gradual traffic shifting

Update instances incrementally

Immediate full deployment

Equal percentage increments

Why these pairings

Expected pairings, using the standard AWS names for each description (the page's own concept labels were not preserved): blue/green switches between two environments; canary shifts a small share of traffic first and then the rest; rolling updates instances incrementally, batch by batch; all at once is the immediate full deployment; linear shifts traffic in equal percentage increments at fixed intervals. Deployment strategies are tested in the exam.

1532
MCQmedium

Refer to the exhibit. A developer deploys this CloudFormation template. The Lambda function needs to write objects to an S3 bucket named 'my-app-bucket'. What must the developer add to the template?

A.Add an S3 bucket policy allowing the Lambda function's ARN to write objects.
B.Add a policy statement to LambdaExecutionRole allowing 's3:*' on 'arn:aws:s3:::my-app-bucket'.
C.Add a KMS key policy to allow the Lambda function to use a customer managed key.
D.Add a new policy statement to LambdaExecutionRole allowing 's3:PutObject' on 'arn:aws:s3:::my-app-bucket/*'.
AnswerD

This grants the necessary S3 write permission to the Lambda function.

Why this answer

Option D is correct because the Lambda function requires an IAM policy attached to its execution role to grant permissions for specific S3 actions. The `s3:PutObject` action on the `arn:aws:s3:::my-app-bucket/*` resource ARN precisely allows writing objects to the bucket, following the principle of least privilege. Without this policy statement, the Lambda function will receive an access denied error when trying to write to S3.

Exam trap

The trap here is that candidates often confuse bucket-level ARNs with object-level ARNs, selecting overly permissive options like `s3:*` on the bucket ARN instead of scoping the exact action and resource, or incorrectly assuming an S3 bucket policy is needed for same-account Lambda access.

How to eliminate wrong answers

Option A is wrong because an S3 bucket policy is used to grant cross-account access or public access, not to grant permissions to a Lambda function within the same account; the Lambda function's execution role is the correct mechanism. Option B is wrong because it uses a wildcard `s3:*` action and the bucket-level ARN `arn:aws:s3:::my-app-bucket` instead of the object-level ARN `arn:aws:s3:::my-app-bucket/*`, which is overly permissive and does not correctly scope the `s3:PutObject` permission to objects within the bucket. Option C is wrong because there is no indication that the S3 bucket uses a customer managed KMS key; the question only states the Lambda function needs to write objects, and KMS key policy is only relevant if server-side encryption with KMS is enabled, which is not mentioned.

1533
MCQmedium

A company is developing a microservices architecture using Amazon ECS with Fargate launch type. Each microservice needs to store sensitive configuration data such as database passwords. The company wants to avoid storing secrets in the application code or environment variables. What is the MOST secure and recommended approach?

A.Pass secrets as environment variables in the task definition.
B.Store secrets in an encrypted S3 bucket and have the application download them at startup.
C.Use AWS Systems Manager Parameter Store or AWS Secrets Manager to store and retrieve secrets.
D.Use an AWS Lambda function to generate secrets and store them in DynamoDB.
AnswerC

Correct: These services are built for secure secret management.

Why this answer

Option C is correct because Parameter Store (SecureString) and Secrets Manager encrypt secrets with KMS, control retrieval with IAM, and audit access through CloudTrail. With ECS, reference the secret in the container definition's `secrets` field (`valueFrom` set to the parameter or secret ARN) rather than in `environment`: ECS resolves it at task start using the task execution role, so the value never appears in the task definition or the console. The container still receives it as an environment variable, so keep it out of logs and crash dumps, and restrict the execution role to the specific secret ARNs. Option A is wrong because plaintext environment values are visible to anyone with ecs:DescribeTaskDefinition. Option B is wrong because S3 is object storage with none of the rotation, versioning or secret-specific audit a secrets service provides, and a startup-time download is one more place to leak.

Option D is wrong because DynamoDB is a database, not a secrets store, and a Lambda that generates secrets is another component that itself needs protecting.

1534
MCQmedium

A developer is using CloudFront to serve content from an S3 bucket. The bucket contains sensitive data and should only be accessible through CloudFront. How can the developer enforce this?

A.Set the bucket policy to allow access only from CloudFront IP addresses.
B.Set the bucket policy to allow access only from AWS services.
C.Set the bucket policy to allow public read access and use CloudFront signed URLs.
D.Create an origin access identity (OAI) and grant it read access in the bucket policy.
AnswerD

Best practice for private content.

Why this answer

Option D is correct because an Origin Access Identity (OAI) is a special CloudFront principal that you associate with the distribution. By configuring the S3 bucket policy to grant s3:GetObject only to that OAI (and leaving Block Public Access on), content can only be retrieved through CloudFront, never from the S3 endpoint directly. OAI is what this question tests, but for new distributions AWS now recommends Origin Access Control (OAC), which works the same way from the bucket's point of view (the bucket policy grants s3:GetObject to the cloudfront.amazonaws.com service principal with a condition on the distribution ARN) and additionally supports SSE-KMS objects and all Regions.

Exam trap

The trap here is that candidates reach for CloudFront's published IP ranges (Option A); the ranges change over time, and an IP-based bucket policy would also admit any other account's distribution that fronts your bucket, so it is neither reliable nor a real access control.

How to eliminate wrong answers

Option A is wrong because CloudFront IP addresses are not static and can change over time; using them in a bucket policy would require constant updates and is not a supported or reliable method for restricting access. Option B is wrong because there is no generic 'AWS services' principal in S3 bucket policies; you must specify a specific service principal or user, and this approach would not restrict access to CloudFront only. Option C is wrong because allowing public read access defeats the purpose of restricting access to CloudFront; signed URLs can control who accesses content via CloudFront, but the bucket itself would remain publicly accessible, violating the requirement.

1535
Multi-Selectmedium

A developer is implementing S3 multipart upload for large files. Which two actions are required to complete the upload?

Select 2 answers
A.Enable S3 static website hosting
B.Upload all parts and keep their ETags/part numbers
C.Disable bucket encryption
D.Call CompleteMultipartUpload with the uploaded part list
AnswersB, D

Correct for the stated requirement.

Why this answer

Option B is correct because during an S3 multipart upload, each part must be uploaded individually, and the response includes an ETag (a hash of the part) and a part number. These must be recorded and provided in the final request to assemble the object. Option D is correct because the CompleteMultipartUpload API call is required to signal S3 to combine all uploaded parts into the final object, using the list of ETags and part numbers.

Exam trap

The trap here is that candidates may think uploading all parts is sufficient without calling CompleteMultipartUpload, or they may confuse the multipart upload process with unrelated S3 features such as static hosting or encryption settings. Also remember that the parts of an upload that is never completed or aborted keep accruing storage charges; call AbortMultipartUpload on failure, and add a lifecycle rule with AbortIncompleteMultipartUpload as a safety net.

1536
MCQmedium

A developer deployed a new version of a Lambda function that processes S3 events. After deployment, some S3 events are not being processed. The CloudWatch Logs show no errors. What is the most likely cause?

A.The Lambda function has a syntax error.
B.The S3 bucket's event notification still points to the old Lambda function.
C.The Lambda function alias is not pointing to the new version.
D.The S3 events are being throttled by Lambda.
AnswerB

S3 event notification must be updated to invoke the new function.

Why this answer

Option B is correct because an S3 event notification targets one specific Lambda ARN. If that ARN is qualified with a version number or an alias that still resolves to the previous version, or if the new code was deployed as a separate function, S3 keeps invoking the old target; the new function is never called, so it produces no log streams and therefore no errors, which is exactly the symptom described. An unqualified function ARN invokes $LATEST and would have picked up an in-place code update, so the first things to check are the Lambda ARN in the bucket's notification configuration and the function's resource-based policy, which must allow s3.amazonaws.com to invoke that exact ARN (permissions are granted per version or alias).

Exam trap

The trap here is that candidates assume publishing a new version automatically moves every event source to it, but S3 notifications are static ARN references. Point the notification at an alias, move the alias on each release, and grant the invoke permission to that alias, so the target follows the deployment.

How to eliminate wrong answers

Option A is wrong because a syntax error fails every invocation and writes an error to the function's log stream, but the question says there are none. Option C is wrong on its own because aliases are optional; if the notification uses the unqualified function ARN, which alias points where is irrelevant (and if it does use an alias, this is the same misconfiguration as option B). Option D is wrong because throttled invocations increment the function's Throttles metric and, for asynchronous sources such as S3, Lambda retries the event rather than dropping it, so the events would eventually be processed instead of disappearing without a trace.

1537
MCQhard

A Lambda function needs to write logs to CloudWatch Logs. The developer attaches an IAM role with a policy that allows logs:CreateLogGroup and logs:PutLogEvents. However, logs are not appearing. What is the most likely cause?

A.The Lambda function is not configured to use a VPC.
B.The IAM role does not have a trust policy that allows Lambda to assume it.
C.The IAM policy does not include logs:CreateLogStream.
D.The CloudWatch Logs log group does not exist.
AnswerC

Lambda needs CreateLogStream to create a log stream before writing log events.

Why this answer

Lambda creates a log stream for each execution environment before it writes events, so it needs `logs:CreateLogStream` in addition to `logs:CreateLogGroup` and `logs:PutLogEvents`. Without it the group may exist but no stream is ever created, and the function runs normally while its output is silently lost. The AWS managed policy AWSLambdaBasicExecutionRole grants all three; if you write the policy yourself, scope the stream and event actions to the function's own log group ARN (the one ending in log-group:/aws/lambda/FUNCTION-NAME:*) rather than a wildcard.

Exam trap

The trap here is that candidates assume `logs:CreateLogGroup` and `logs:PutLogEvents` are sufficient, overlooking the mandatory `logs:CreateLogStream` permission required for the log stream creation step between group creation and event writing.

How to eliminate wrong answers

Option A is wrong because Lambda functions can write logs to CloudWatch Logs without being in a VPC; VPC configuration affects network access but not log delivery. Option B is wrong because the Lambda function already has an IAM role attached, meaning the trust policy (which allows Lambda to assume the role) was already validated when the role was assigned to the function. Option D is wrong because CloudWatch Logs automatically creates the log group if it does not exist when the Lambda function first invokes, provided the IAM policy includes `logs:CreateLogGroup`.

1538
Multi-Selectmedium

A developer is troubleshooting a slow-running application that uses ElastiCache for Redis as a caching layer. The application frequently reads and writes data to the cache. Which TWO actions should the developer take to improve cache performance?

Select 2 answers
A.Use optimized data structures like hashes instead of strings for complex data.
B.Configure the cache to use LRU eviction policy.
C.Disable persistence by setting appendonly to no.
D.Increase the number of shards to distribute data.
E.Enable ElastiCache auto scaling to adjust the number of nodes.
AnswersA, E

Hashes can reduce memory usage and improve performance.

Why this answer

Option A is correct because Redis hashes store the fields of one object under a single key, which uses less memory (small hashes get a compact encoding) and lets the application read or update a single field with HGET/HSET instead of round-tripping and re-serialising a whole string. Option E is correct because ElastiCache for Redis auto scaling (cluster mode enabled) adds shards or replicas when CPU or memory utilisation rises, so capacity follows demand without manual resizing. Option B is wrong because the maxmemory eviction policy only decides what to drop when memory is full; LRU does not make hot reads or writes faster.

Option D is wrong on its own: adding shards re-distributes keys and can relieve a write-bound cluster, but it is a manual change, and if the bottleneck is a few hot keys or large values the extra shards do not help. Option C is wrong because persistence settings are rarely the cause of slow cache access and ElastiCache manages persistence for you; data-model and capacity fixes come first.

1539
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of Amazon EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The developer needs to identify the root cause. Which AWS service should the developer use to view detailed error logs from the failed deployment?

A.Amazon CloudWatch Logs (if configured) or the CodeDeploy agent log files on the EC2 instances
B.AWS X-Ray
C.AWS CloudTrail
D.AWS CodeDeploy console
AnswerA

The CodeDeploy agent logs provide detailed error information for troubleshooting.

Why this answer

Option A is correct because when a CodeDeploy deployment fails at the instance level, the root cause is in the logs the agent writes on each instance: the deployment log at /opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log (lifecycle hook script output and exit codes) and the agent's own log at /var/log/aws/codedeploy-agent/codedeploy-agent.log on Linux. If the CloudWatch agent has been configured to ship these files, the same content can be searched centrally in CloudWatch Logs. These logs show the script failures, permission problems or missing dependencies that the console only summarises.

Exam trap

The trap here is that candidates assume the CodeDeploy console holds the full story; it identifies the failed lifecycle event and shows a short excerpt of the script output, but the complete output and the agent's own diagnostics are only in the instance logs, or in CloudWatch Logs if they are shipped there.

How to eliminate wrong answers

Option B is wrong because AWS X-Ray traces requests through application code and AWS service calls; it has no view of a deployment's lifecycle scripts. Option C is wrong because CloudTrail records the API calls (who started the deployment and when), not the output of scripts running on the instances. Option D is wrong because the console identifies the failed instance and lifecycle event and shows a truncated error message, not the full per-instance script and agent output needed to pin down the cause.

1540
MCQeasy

A company wants to enforce that all IAM users use multi-factor authentication (MFA) when accessing the AWS Management Console. Which IAM policy condition key should be used in a policy attached to each user or group to deny access if MFA is not present?

A.aws:RequestedRegion
B.aws:MultiFactorAuthPresent
C.aws:SourceIp
D.aws:SecureTransport
AnswerB

This condition key checks whether the user authenticated with MFA. It can be used to deny access if MFA is not present.

Why this answer

The correct condition key is `aws:MultiFactorAuthPresent`, a Boolean that is `true` when the caller's temporary credentials were obtained with a valid MFA code. The standard pattern is a Deny statement for all actions with the condition `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}`, which blocks both console sessions without MFA and API calls made with long-term access keys, where the key is absent. With the plain `Bool` operator an absent key evaluates to false and access-key callers slip through the Deny. Also carve out the iam:*MFADevice and password-change actions on the user's own ARN, otherwise a new user cannot enroll a device to satisfy the policy.

Exam trap

The trap here is that candidates often confuse `aws:MultiFactorAuthPresent` with `aws:MultiFactorAuthAge` (which checks how long ago MFA was used) or assume that `aws:SecureTransport` (HTTPS) is equivalent to MFA enforcement.

How to eliminate wrong answers

Option A is wrong because `aws:RequestedRegion` restricts access based on the AWS region the request is made to, not authentication factors. Option C is wrong because `aws:SourceIp` restricts access based on the IP address of the requester, not MFA status. Option D is wrong because `aws:SecureTransport` checks whether the request uses SSL/TLS (HTTPS), not whether MFA was used.

1541
MCQeasy

A developer is building an application that needs to send email notifications to users. Which AWS service is designed for sending transactional emails?

A.AWS Lambda
B.Amazon Simple Email Service (SES)
C.Amazon Simple Notification Service (SNS)
D.Amazon Simple Queue Service (SQS)
AnswerB

SES is a scalable email service designed for sending transactional emails.

Why this answer

Option B is correct because Amazon SES is a managed SMTP and API service for sending transactional and bulk email, with domain verification, DKIM signing and bounce and complaint handling. Option C is wrong because SNS can deliver a plain notification to an email-subscribed topic, but it gives no control over sender identity, templates or deliverability. Option D is wrong because SQS is a message queue between application components.

Option A is wrong because Lambda is compute; it could call SES, but it sends no mail by itself.

1542
Multi-Selectmedium

A developer is troubleshooting a slow Amazon DynamoDB table. The table has a read capacity of 1000 RCU and a write capacity of 500 WCU. The application frequently reads the same item. Which TWO actions can improve read performance?

Select 2 answers
A.Increase the read capacity units (RCU) to 2000.
B.Add a Global Secondary Index (GSI) on the frequently read attribute.
C.Decrease the write capacity units (WCU) to 250.
D.Implement DynamoDB Accelerator (DAX) for caching.
E.Use eventually consistent reads instead of strongly consistent reads.
AnswersD, E

DAX caches reads, reducing latency.

Why this answer

Option D is correct because DynamoDB Accelerator (DAX) is an in-memory cache that cuts read latency for frequently accessed items from milliseconds to microseconds and offloads repeated reads from the table, improving performance without a capacity increase. Option E is correct because eventually consistent reads consume half the RCU of strongly consistent reads (0.5 RCU versus 1 RCU per 4 KB) and can be served by any replica, which suits an application that can tolerate slightly stale data for the same item. The two go together: DAX only serves eventually consistent reads, and a strongly consistent GetItem or Query is passed straight through to the table.

Exam trap

The trap here is that candidates often choose to increase RCU (Option A) as a knee-jerk reaction to slow reads, overlooking that caching (DAX) and consistency model changes are more cost-effective and targeted solutions for repeated reads of the same item.

1543
MCQeasy

A developer needs to grant an IAM user access to an S3 bucket owned by another AWS account. Which method should be used?

A.Create an IAM role in the bucket owner account and allow the user to assume it.
B.Create a new IAM user in the bucket owner account for the developer.
C.Attach a bucket policy to the bucket that allows the user's IAM user ARN.
D.Add the user to a bucket ACL granting access.
AnswerC

Bucket policy can grant cross-account access.

Why this answer

Cross-account access to S3 needs permission on both sides: the bucket owner attaches a bucket policy that names the user's ARN (arn:aws:iam::OTHER-ACCOUNT-ID:user/NAME) as Principal and grants the needed s3 actions on the bucket and object ARNs, and the user's own account must also allow those actions in an identity-based policy, because neither policy alone is sufficient across an account boundary. Option A is a valid and often preferable pattern (a role with temporary credentials), but the bucket policy is what directly answers 'grant this IAM user access'. Option B creates a second identity to manage. Option D is wrong because ACLs are legacy, cannot name an IAM user (only canonical account IDs), and AWS recommends disabling them with the bucket's Object Ownership setting.

1544
Multi-Selecteasy

Which of the following are valid ways to secure access to an Amazon S3 bucket? (Choose TWO.)

Select 2 answers
A.Bucket policies
B.CloudFront distribution
C.IAM policies
D.Network ACLs
E.Security groups
AnswersA, C

Bucket policies define access permissions for the bucket.

Why this answer

Bucket policies are a form of resource-based policy that you attach directly to an S3 bucket. They grant or deny access to the bucket and its objects for principals (users, roles or AWS accounts) using the AWS JSON policy language, which makes option A correct. Option C is correct because identity-based IAM policies attached to users, groups or roles grant or deny S3 actions on the bucket and object ARNs; within one account either policy type can grant access, and across accounts both must allow it.

Exam trap

The trap here is that candidates confuse network-level controls (NACLs and security groups, which apply to subnets and ENIs inside a VPC) with resource-level access control. S3 is not deployed inside your VPC, so neither applies to it; the network-side lever for S3 is a gateway VPC endpoint with an endpoint policy, combined with aws:SourceVpce conditions in the bucket policy. CloudFront (Option B) can front a bucket but is a delivery service, not an access control on its own.

1545
Multi-Selectmedium

A developer is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. The build fails with a 'no basic auth credentials' error when trying to push the image. Which TWO actions should the developer take to resolve this issue? (Choose two.)

Select 2 answers
A.Add a pre-build command to run 'aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com'.
B.Install the AWS CLI in the buildspec.yml file.
C.Install Docker in the buildspec.yml file.
D.Add an IAM policy to the CodeBuild service role that allows ecr:GetAuthorizationToken and ecr:Push.
E.Configure SSH key-based authentication for ECR.
AnswersA, D

This authenticates Docker to ECR.

Why this answer

Options A and D are correct. The build project's service role needs ecr:GetAuthorizationToken (on resource "*") to obtain the registry password, plus the push actions on the repository ARN: ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload and ecr:PutImage (option D's 'ecr:Push' is shorthand; no action by that name exists). The pre_build phase then runs get-login-password piped into docker login so the Docker client holds the short-lived token, which is what the 'no basic auth credentials' error is complaining about. Option B is wrong because the managed CodeBuild images already contain the AWS CLI. Option C is wrong because Docker is already present; what the project does need is privileged mode enabled, otherwise the Docker daemon cannot start inside the build container.

Option E is wrong because ECR access is via IAM, not SSH keys.

1546
Multi-Selecteasy

A developer is using Amazon ElastiCache to improve the performance of a read-heavy web application. After implementing caching, some users see stale data. Which TWO strategies can the developer use to ensure cache coherence?

Select 2 answers
A.Set a suitable TTL for cached data.
B.Use write-through caching.
C.Invalidate the cache entry when the underlying data is updated.
D.Use read replicas of the database to serve read traffic.
E.Implement lazy loading with a short TTL.
AnswersA, C

TTL ensures data is refreshed periodically.

Why this answer

Option A is correct because setting a suitable Time-To-Live (TTL) on cached data bounds how long a stale entry can survive: when it expires the next read misses and the application fetches fresh data from the primary database. In ElastiCache (Redis or Memcached) the TTL is set per key, for example with SETEX or EXPIRE, and it is the simplest coherence strategy for read-heavy workloads where eventual consistency is acceptable. Option C is correct because deleting (or overwriting) the cached entry in the same code path that writes to the database closes the window entirely for that key: the next read misses and loads the new value. The two complement each other; invalidation covers the latency-sensitive keys, and the TTL catches the writes that forgot to invalidate.

Exam trap

The trap here is twofold. Candidates may pick Option E as a separate strategy when lazy loading with a short TTL is the same mechanism as Option A: lazy loading is how entries enter the cache on a miss, and the TTL is what bounds their staleness. And write-through (Option B) is a valid coherence strategy, keeping the cache updated on every write at the cost of caching data that may never be read; the question expects the two most common, lowest-effort answers, a TTL plus explicit invalidation on update.
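The three write strategies the question contrasts, as an added example that is not part of the original page: an in-memory store with SETEX/DEL semantics stands in for ElastiCache, a fake clock replaces time.time() so expiry is deterministic, and a repository lazy-loads reads while applying TTL-only, invalidate-on-write or write-through on updates. The user record is constructed sample data; the measured quantity is how many seconds a reader can still observe the old value after an update.

```python
"""Cache coherence strategies from the ElastiCache question, as an added
example with no server: an in-memory store with SETEX/DEL semantics, a fake
clock for determinism, and a repository that lazy-loads reads and applies one
of three write strategies. Sample users are constructed data.
"""


class FakeClock:
    """Stands in for time.time() so expiry can be stepped deterministically."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class TtlCache:
    """Minimal Redis-like store: SETEX (value with TTL), GET with lazy expiry, DEL."""
    def __init__(self, clock):
        self._clock = clock
        self._items = {}   # key -> (value, expires_at)

    def get(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock.now >= expires_at:   # expired: evict on access, like Redis
            del self._items[key]
            return None
        return value

    def setex(self, key, ttl_seconds, value):
        self._items[key] = (value, self._clock.now + ttl_seconds)

    def delete(self, key):
        self._items.pop(key, None)


class UserRepository:
    """Read path: lazy loading (cache miss -> read DB -> SETEX).
    Write path: 'invalidate' (option C), 'write_through' (option B) or
    'ttl_only' (rely on option A alone)."""
    STRATEGIES = ("invalidate", "write_through", "ttl_only")

    def __init__(self, cache, ttl_seconds=60, strategy="invalidate"):
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy {strategy}")
        self.cache, self.ttl, self.strategy = cache, ttl_seconds, strategy
        self.db = {"user:42": {"name": "alice", "plan": "free"}}  # constructed 'database'
        self.db_reads = 0

    def get_user(self, user_id):
        key = f"user:{user_id}"
        cached = self.cache.get(key)
        if cached is not None:
            return cached                     # hit
        self.db_reads += 1                    # miss: lazy load
        value = dict(self.db[key])
        self.cache.setex(key, self.ttl, value)
        return value

    def update_plan(self, user_id, plan):
        key = f"user:{user_id}"
        self.db[key] = {**self.db[key], "plan": plan}
        if self.strategy == "invalidate":
            self.cache.delete(key)            # next read misses and reloads fresh data
        elif self.strategy == "write_through":
            self.cache.setex(key, self.ttl, dict(self.db[key]))   # cache updated with the DB
        # 'ttl_only': readers keep the old value until the TTL expires


def staleness_window(strategy, ttl=60):
    """(seconds a reader can still see the old plan after an update, DB reads made)."""
    clock = FakeClock()
    repo = UserRepository(TtlCache(clock), ttl_seconds=ttl, strategy=strategy)
    repo.get_user(42)                         # warm the cache with plan=free
    repo.update_plan(42, "pro")
    stale_for = 0
    while repo.get_user(42)["plan"] != "pro":
        clock.advance(1)
        stale_for += 1
    return stale_for, repo.db_reads


if __name__ == "__main__":
    for strategy in UserRepository.STRATEGIES:
        print(strategy, staleness_window(strategy))
```

With a 60-second TTL and no invalidation the stale window is the full 60 seconds; invalidation brings it to zero at the cost of one extra database read on the next access, and write-through brings it to zero with no extra read but an extra cache write per update, which is the trade-off the question's options describe.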

1547
MCQeasy

Refer to the exhibit. A developer creates this CloudFormation template and tries to deploy it. The deployment fails with 'CREATE_FAILED' for the S3 bucket resource. What is the most likely cause?

A.The template does not enable versioning on the bucket.
B.The bucket name must be in all lowercase letters.
C.The bucket name is already taken by another AWS account.
D.The template does not specify a bucket policy.
AnswerC

Bucket names must be globally unique.

Why this answer

Option C is correct because S3 bucket names are global across all AWS accounts and Regions; if 'my-app-data-12345' already exists anywhere, CreateBucket fails with BucketAlreadyExists (or BucketAlreadyOwnedByYou in a different Region) and CloudFormation reports CREATE_FAILED. Omit BucketName so CloudFormation generates a unique name, or derive one from the account ID and Region. Option D is wrong because a bucket policy is optional. Option A is wrong because versioning is optional as well.

Option B is wrong because the name in the template is already lowercase; the lowercase rule is real (uppercase letters are rejected), but it is not what fails here.

1548
MCQmedium

A company uses AWS OpsWorks for configuration management. They want to migrate to AWS Systems Manager for patching and automation. They have a fleet of EC2 instances running Amazon Linux 2. Which Systems Manager capability should they use to automate patching?

A.Patch Manager
B.State Manager
C.Run Command
D.Maintenance Windows
AnswerA

Patch Manager automates the process of patching managed instances with security updates.

Why this answer

Option A is correct: Patch Manager applies a patch baseline (the default or a custom one) to managed instances through the AWS-RunPatchBaseline document, with Scan or Install operations and compliance reporting, which is the OpsWorks-style patching expressed in Systems Manager terms. Option C (Run Command) executes a document once on demand; you can run AWS-RunPatchBaseline with it, but it is the execution mechanism, not the patching capability. Option B (State Manager) keeps instances in a desired state and is one way to schedule the patch association, again on top of Patch Manager.

Option D (Maintenance Windows) only defines when tasks run; it is commonly used to schedule Patch Manager but does no patching itself. In every case the instances need the SSM Agent (pre-installed on Amazon Linux 2) and an instance profile that allows Systems Manager.

1549
MCQmedium

A company runs a Node.js application on AWS Elastic Beanstalk. The application is experiencing high latency. The developer suspects the database queries are slow. Which step should the developer take first to diagnose the issue?

A.Migrate the database to Amazon DynamoDB for better performance.
B.Enable enhanced health reporting and monitor CloudWatch metrics for database connection time.
C.Add database indexing to improve query performance.
D.Increase the instance size to improve performance.
AnswerB

Enhanced health reporting provides detailed metrics to diagnose latency issues.

Why this answer

The first step is to measure before changing anything: enhanced health reporting exposes per-instance and per-request health and latency metrics in the Elastic Beanstalk console and CloudWatch, which shows whether the latency sits in the application tier or its dependencies. To attribute it to specific queries, instrument the Node.js application with the AWS X-Ray SDK, which records database calls as subsegments with their timing. Option D is wrong because a bigger instance is a remedy applied before the cause is known. Option C is wrong because you cannot index sensibly until you know which queries are slow.

Option A is wrong because moving to DynamoDB is a re-architecture, not a diagnosis, and may not address the slowness at all.

1550
MCQeasy

A developer attaches the above bucket policy to an S3 bucket. An anonymous user tries to access https://my-bucket.s3.amazonaws.com/secret/key.txt. What is the result?

A.Access is denied because the explicit Deny overrides the Allow.
B.Access is allowed because the Allow statement covers all objects.
C.Access is allowed because anonymous requests are not affected by Deny statements.
D.Access is denied because the policy is invalid (two statements conflict).
AnswerA

Explicit Deny takes precedence.

Why this answer

Option A is correct because IAM evaluation checks for an explicit Deny first: if any applicable statement denies the action on the resource, the request is refused no matter how many statements allow it. The Allow on every object in the bucket matches, but so does the Deny on the secret/ prefix, and the Deny wins. Option B is incorrect for that reason: the breadth of the Allow does not matter once a Deny matches.

Option D is incorrect because overlapping Allow and Deny statements are a normal, valid pattern, not a conflict that invalidates the policy. Option C is incorrect because a bucket policy with Principal '*' applies to anonymous requests exactly as it does to authenticated ones; the Deny covers both.
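The evaluation rules cited in this question (1550) and in questions 1529, 1532 and 1540, as an added example that is not part of the original page: a small evaluator for the subset of the IAM policy language those questions rely on, so the decisions can be exercised offline. It implements explicit Deny over Allow over implicit deny, IAM wildcard matching for Action and Resource, and the Bool and BoolIfExists operators with the aws:SecureTransport and aws:MultiFactorAuthPresent keys. The policies and request contexts are constructed for the example ('my-bucket' and 'my-app-bucket' are the questions' placeholder names); principals, NotAction/NotResource, other condition operators, SCPs and permission boundaries are deliberately not modelled, and a real decision also combines identity and resource policies.

```python
"""Minimal IAM policy evaluator (added example, offline, constructed policies).

Models only what these questions need: Effect/Action/Resource matching with
IAM wildcards, the Bool and BoolIfExists operators, and the decision order
explicit Deny > Allow > implicit deny. Principals, NotAction/NotResource,
other condition operators, SCPs and permission boundaries are not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Bool requires the key to be present and equal; BoolIfExists treats an
    absent key as a match. That difference is why MFA-enforcing Deny statements
    use BoolIfExists: long-term access keys carry no aws:MultiFactorAuthPresent."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive; ARNs are not. '*' and '?' are IAM wildcards.
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _conditions_hold(stmt.get("Condition"), context)


def evaluate(policy, action, resource, context=None):
    """Decision for one request: 'explicit_deny', 'allow' or 'implicit_deny'."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"   # any matching Deny ends the evaluation
        allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed bucket policy combining this question's shape (public read except
# secret/) with the HTTPS-only Deny of question 1529.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/secret/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def mfa_policy(operator="BoolIfExists"):
    """Question 1540's deny-unless-MFA identity policy, parameterised so the
    Bool and BoolIfExists operators can be compared."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


# Question 1532: the same s3:PutObject grant on an object-level versus a bucket-level ARN.
ROLE_OBJECT_ARN = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                  "Resource": "arn:aws:s3:::my-app-bucket/*"}]}
ROLE_BUCKET_ARN = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                  "Resource": "arn:aws:s3:::my-app-bucket"}]}

if __name__ == "__main__":
    https, http = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/public/a.txt", https))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/secret/key.txt", https))
    print(evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::my-bucket/public/a.txt", http))
    print(evaluate(mfa_policy("BoolIfExists"), "s3:ListAllMyBuckets", "*", {}))
    print(evaluate(mfa_policy("Bool"), "s3:ListAllMyBuckets", "*", {}))
    print(evaluate(ROLE_BUCKET_ARN, "s3:PutObject", "arn:aws:s3:::my-app-bucket/u/x.png"))
```

Two of the results are the ones worth checking against intuition: an MFA Deny written with plain Bool returns 'allow' for a request that carries no aws:MultiFactorAuthPresent key at all (an access-key caller), while BoolIfExists denies it; and s3:PutObject granted on the bucket ARN returns 'implicit_deny' for an object key, because the object ARN never matches a pattern without the trailing /*.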

1551
MCQhard

A company runs a microservices architecture on Amazon ECS with Fargate. Each service uses an Application Load Balancer and stores data in Amazon DynamoDB. The operations team notices that during traffic spikes, some requests fail with HTTP 503 errors. CloudWatch metrics show that the ALB's TargetResponseTime is increasing, and the DynamoDB table's ConsumedWriteCapacityUnits are reaching the provisioned limit. The team wants to handle traffic spikes gracefully without manual intervention. What should they do?

A.Increase the DynamoDB table's provisioned write capacity and the ALB's target group deregistration delay.
B.Use an SQS queue to buffer write requests and process them asynchronously.
C.Add a DynamoDB Accelerator (DAX) cluster to cache frequently accessed data.
D.Enable DynamoDB Auto Scaling for write capacity and configure ECS Service Auto Scaling based on ALB request count.
AnswerD

Both services will automatically scale to meet demand.

Why this answer

Option D is correct. DynamoDB auto scaling uses target tracking on ConsumedWriteCapacityUnits to raise provisioned write capacity as utilisation climbs, and ECS Service Auto Scaling on ALBRequestCountPerTarget adds tasks as request volume per task grows, so both tiers expand without anyone on call. Two caveats a practitioner should know: DynamoDB auto scaling takes minutes to react, so a very sharp spike can still throttle briefly (on-demand capacity mode removes that lag), and ECS scale-out is bounded by the service's maximum task count.

Option A is wrong because a one-time capacity increase and a longer deregistration delay are static settings that will need manual adjustment at the next, larger spike. Option C is wrong because DAX caches reads; the throttling here is on writes. Option B is wrong for this question because a queue makes the write path asynchronous and adds a consumer to operate; it is a sound pattern for buffering writes, but it does not address the 503s caused by undersized services behind the ALB.

1552
MCQmedium

A company wants to securely store secrets for a Lambda function. Which AWS service should they use?

A.AWS Secrets Manager
B.Amazon S3 with server-side encryption
C.AWS Key Management Service (KMS)
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager is designed for secure secret storage and automatic rotation.

Why this answer

AWS Secrets Manager is designed to securely store and rotate secrets, making it the best choice for this use case. Option D (Systems Manager Parameter Store) can hold secrets as SecureString parameters, but it has no built-in rotation. Option C (KMS) manages encryption keys and does not store arbitrary secrets.

Option B (S3 with encryption) is not a dedicated secrets service and offers no rotation.

1553
MCQhard

A company runs a web application on EC2 instances in an Auto Scaling group. The application uses an IAM role to access an S3 bucket that stores user uploads. Recently, the security team discovered that some uploaded files contain malicious content. The team wants to implement a solution that automatically scans new objects for malware and blocks access if threats are detected. The solution must be cost-effective and minimize latency for legitimate uploads. The developer is tasked with designing this solution. Which approach should the developer take?

A.Use S3 Batch Operations to run a scanning script on all existing objects and then schedule periodic scans.
B.Use S3 Object Lambda to transform objects upon retrieval and check for malware.
C.Enable Amazon Macie on the S3 bucket to automatically detect malicious content.
D.Enable Amazon GuardDuty with S3 protection, configure an S3 event notification to trigger a Lambda function that scans new objects using a third-party malware engine, and update the bucket policy to deny access to objects that fail the scan.
AnswerD

Provides real-time scanning and access control.

Why this answer

Option D is correct because it combines detection and response: an S3 event notification invokes a Lambda function for every new object, the function hands the object to a malware engine, and the bucket policy denies access to anything that failed the scan (in practice the function tags each object with its verdict and the policy denies GetObject unless the tag says clean). GuardDuty's S3 protection adds monitoring of suspicious access to the bucket; note that it does not itself inspect object content, which is the Lambda scanner's job (GuardDuty Malware Protection for S3, added in 2024, can take over that part). Option B is wrong because S3 Object Lambda transforms objects as they are read, which adds latency to every retrieval and does not block access. Option C is wrong because Macie discovers sensitive data such as PII, not malware.

Option A is wrong because S3 Batch Operations runs large batch jobs over existing objects; periodic scans leave a window in which a newly uploaded malicious file is readable.
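Worked example of the scan-and-tag pattern the answer describes (added here; it is not code from the question bank or from AWS). It assumes an S3 event notification invoking a Lambda handler, an object-tag convention ScanStatus=CLEAN or INFECTED, and a bucket policy keyed on that tag. boto3 is deliberately not imported so the block runs offline against a small in-memory stand-in for the S3 client, and the "engine" only recognises the EICAR test string where a real third-party scanner would be called. The bucket name, role ARN and sample objects are constructed.

```python
"""Scan-and-quarantine handler for the pattern in question 1553: an S3 event
notification invokes this function for each new object, the object is
scanned, and the verdict is written back as an object tag so a bucket policy
can deny reads of anything not tagged CLEAN. Added example, not AWS or
question-bank code. Assumptions: the handler accepts any client exposing
get_object/put_object_tagging (a real boto3 S3 client or the in-memory fake
below), and the scanner is a stand-in that only knows the EICAR test string,
where a third-party malware engine would be called."""
import io
import urllib.parse

# EICAR test string: every AV engine flags it, so it is safe for a demo.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CHUNK = 1024 * 1024

# Constructed bucket policy: deny GetObject unless the object is tagged CLEAN,
# except to the scanner role, which must read new uploads before they are
# tagged. Both StringNotEquals keys must hold for the Deny to apply.
DENY_UNSCANNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::user-uploads/*",
        "Condition": {"StringNotEquals": {
            "s3:ExistingObjectTag/ScanStatus": "CLEAN",
            "aws:PrincipalArn": "arn:aws:iam::123456789012:role/s3-scanner-role"}}}]}


def scan_stream(body, chunk=CHUNK):
    """Scan a streaming body chunk by chunk, keeping len(EICAR)-1 bytes of
    overlap so a signature split across a chunk boundary is still found."""
    window = b""
    while True:
        piece = body.read(chunk)
        if not piece:
            return "CLEAN"
        window += piece
        if EICAR in window:
            return "INFECTED"
        window = window[-(len(EICAR) - 1):]


def scan_bytes(data, chunk=CHUNK):
    return scan_stream(io.BytesIO(data), chunk)


def handler(event, s3):
    """Lambda entry point (s3 is injected so the code is testable offline).
    Returns [(key, verdict), ...] for the records processed."""
    results = []
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        # S3 URL-encodes keys in event notifications ('+' for spaces).
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        # Tag the exact version that was scanned so an overwrite between
        # scan and tag cannot inherit the verdict (versioned buckets only).
        version = record["s3"]["object"].get("versionId")
        extra = {"VersionId": version} if version else {}
        obj = s3.get_object(Bucket=bucket, Key=key, **extra)
        verdict = scan_stream(obj["Body"])
        s3.put_object_tagging(
            Bucket=bucket, Key=key,
            Tagging={"TagSet": [{"Key": "ScanStatus", "Value": verdict}]}, **extra)
        results.append((key, verdict))
    return results


class FakeS3:
    """In-memory stand-in for the two boto3 S3 client calls the handler uses."""
    def __init__(self, objects):
        self.objects, self.tags = dict(objects), {}

    def get_object(self, Bucket, Key, VersionId=None):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object_tagging(self, Bucket, Key, Tagging, VersionId=None):
        self.tags[(Bucket, Key)] = {t["Key"]: t["Value"] for t in Tagging["TagSet"]}


def sample_event(bucket, keys):
    """Constructed S3 ObjectCreated notification with the fields used above."""
    return {"Records": [{"s3": {"bucket": {"name": bucket},
                                "object": {"key": urllib.parse.quote_plus(k)}}}
                        for k in keys]}


def demo():
    """Run the handler over one harmless upload and one EICAR-carrying file."""
    s3 = FakeS3({("user-uploads", "reports/q1 2024.pdf"): b"%PDF-1.4 harmless report",
                 ("user-uploads", "drop.exe"): b"MZ" + EICAR + b"\x00" * 16})
    handler(sample_event("user-uploads", ["reports/q1 2024.pdf", "drop.exe"]), s3)
    return s3.tags
```

Two details matter in production: the scanner role must be the only principal allowed s3:PutObjectTagging on the bucket, or an uploader could mark their own object clean, and on a versioned bucket the handler should tag the exact versionId it scanned (as above) so an overwrite between scan and tag cannot slip through.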

1554
MCQmedium

A developer is using AWS CodePipeline to deploy a web application. The pipeline has a source stage that pulls from CodeCommit and a deploy stage that uses AWS Elastic Beanstalk. The developer wants to run unit tests automatically before deploying to Elastic Beanstalk. Which action should the developer add to the pipeline?

A.Add a test stage that uses an AWS CodeBuild project configured to run unit tests
B.Add a manual approval step before the deploy stage
C.Configure Elastic Beanstalk health checks to run tests
D.Replace Elastic Beanstalk with AWS CodeDeploy
AnswerA

Correct. CodeBuild can execute tests as part of the pipeline before deployment.

Why this answer

Option A is correct because AWS CodeBuild can be integrated as a test stage in CodePipeline to run unit tests automatically. By adding a CodeBuild project configured with a buildspec.yml file that executes unit tests, the pipeline will run tests after the source stage and before the deploy stage, ensuring only code that passes tests is deployed to Elastic Beanstalk.

Exam trap

The trap here is that candidates may confuse health checks (which monitor runtime health) with unit tests (which validate code logic), or think a manual approval step can substitute for automated testing, but AWS specifically tests the understanding that CodeBuild is the service designed for running custom build and test commands in a pipeline.

How to eliminate wrong answers

Option B is wrong because a manual approval step pauses the pipeline for human review, but does not execute unit tests automatically; it only gates deployment. Option C is wrong because Elastic Beanstalk health checks monitor the environment's operational status (e.g., HTTP response codes), not run unit tests on the application code. Option D is wrong because replacing Elastic Beanstalk with CodeDeploy does not add automated testing; CodeDeploy is a deployment service, not a test runner.

1555
MCQmedium

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that the encryption keys be rotated every 90 days and that access to the keys be auditable. Which solution meets these requirements with the LEAST operational overhead?

A.Use SSE-S3 with default encryption enabled.
B.Use client-side encryption with the AWS Encryption SDK.
C.Use SSE-C with keys stored in AWS Secrets Manager.
D.Use SSE-KMS with a customer managed key and enable automatic key rotation.
AnswerD

KMS automatic rotation meets the 90-day requirement and provides auditing.

Why this answer

Option D is correct because SSE-KMS with a customer managed key meets both requirements with little overhead: automatic key rotation runs yearly by default and the rotation period can be set as short as 90 days, and every use of the key is recorded in CloudTrail, which makes key access auditable. Option A is wrong because SSE-S3 uses keys that S3 manages; you cannot set a rotation schedule or audit individual key usage. Option C is wrong because SSE-C makes you supply the key on every request and manage rotation yourself; keeping the key in Secrets Manager does not change that.

Option B is wrong because client-side encryption moves key management and rotation into the application, which is the opposite of least operational overhead.

1556
MCQmedium

A company stores application logs in an Amazon S3 bucket. The security team requires that all objects uploaded to the bucket must be encrypted at rest using an AWS KMS key. The developer needs to enforce this by denying any PutObject request that does not use the required encryption. Which bucket policy condition should be used?

A."s3:x-amz-server-side-encryption": "aws:kms"
B."s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc"
C."s3:x-amz-server-side-encryption": "AES256"
D."kms:EncryptionContext": "service:s3"
AnswerB

This condition enforces that the exact KMS key with the specified ARN is used for server-side encryption. Denying requests that do not match this condition ensures all objects use the required key.

Why this answer

Option B is correct because the condition key `s3:x-amz-server-side-encryption-aws-kms-key-id` lets you enforce that a specific KMS key is used for server-side encryption. A Deny statement with `StringNotEquals` on this key and the required ARN rejects any PutObject whose `x-amz-server-side-encryption-aws-kms-key-id` header names a different key, so every object stored is encrypted with the mandated key. To also reject uploads that omit the header entirely, add a second Deny using the `Null` condition operator on the same key, and set the bucket's default encryption to the same key so that clients which forget the header still land on it.

Exam trap

The trap here is that candidates often confuse `s3:x-amz-server-side-encryption` (which only checks the encryption type, not the specific key) with `s3:x-amz-server-side-encryption-aws-kms-key-id` (which enforces the exact KMS key ARN), leading them to pick Option A instead of B.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` with value `aws:kms` only enforces that KMS encryption is used, but does not restrict which KMS key is used, so a different KMS key could be employed, failing the security requirement. Option C is wrong because `AES256` specifies SSE-S3 encryption, not SSE-KMS, which does not meet the requirement to use an AWS KMS key. Option D is wrong because `kms:EncryptionContext` is a condition key for KMS actions (like Decrypt), not for S3 PutObject, and it does not enforce encryption on the S3 side.

1557
MCQeasy

A developer is using AWS CodePipeline to deploy a web application. The pipeline has stages: Source, Build, Staging Deploy, Staging Test, and Prod Deploy. The developer wants to ensure that if the Staging Test stage fails, the pipeline automatically stops and does not proceed to Prod Deploy. Which action should the developer take?

A.No action is needed; CodePipeline automatically stops on stage failure
B.Add a manual approval step before Prod Deploy
C.Disable the transition from Staging Test to Prod Deploy
D.Configure the pipeline execution mode to 'Superseded'
AnswerA

CodePipeline halts execution when a stage fails and does not proceed to the next stage unless manually retried.

Why this answer

Option A is correct because AWS CodePipeline's default behavior is to stop execution when a stage fails, preventing the pipeline from proceeding to subsequent stages. When the Staging Test stage fails, the pipeline transitions to a 'Failed' status and does not automatically continue to Prod Deploy. No additional configuration is required for this behavior.

Exam trap

The trap here is that candidates may overthink the solution and assume additional configuration is needed, when in fact CodePipeline's default behavior already stops on stage failure, making options like manual approval or disabling transitions unnecessary.

How to eliminate wrong answers

Option B is wrong because adding a manual approval step before Prod Deploy would require human intervention to proceed, but it does not automatically stop the pipeline on Staging Test failure; the pipeline would still wait for approval even if the test failed, which is not the desired behavior. Option C is wrong because disabling the transition from Staging Test to Prod Deploy would prevent any execution to Prod Deploy, even if the Staging Test stage succeeds, which is overly restrictive and not conditional on failure. Option D is wrong because configuring the pipeline execution mode to 'Superseded' controls how multiple pipeline executions are handled (e.g., canceling a running execution when a new one starts), not how the pipeline responds to stage failures.

1558
MCQmedium

A company is using Amazon Cognito for user authentication. The developers need to add multi-factor authentication (MFA) for security. Which Cognito feature should be enabled?

A.Cognito Sync
B.Cognito User Pools with MFA configuration
C.Cognito Developer Authenticated Identities
D.Cognito Identity Pools
AnswerB

User pools support MFA directly.

Why this answer

Option B is correct because Cognito user pools support MFA natively, either SMS codes or time-based one-time passwords (TOTP) from an authenticator app, configured as optional or required for the pool. Option D is wrong because Cognito identity pools hand out AWS credentials for federated identities; they do not authenticate users. Option A is wrong because Cognito Sync synchronized app data across devices.

Option C is wrong because developer authenticated identities are an identity pool feature for custom authentication backends, not an MFA mechanism.

1559
MCQeasy

A development team wants to automatically deploy a web application to Amazon EC2 instances when new code is pushed to the master branch of an AWS CodeCommit repository. Which AWS service should the team use to orchestrate the build, test, and deployment phases?

A.AWS CloudFormation
B.AWS CodeBuild
C.AWS CodePipeline
D.AWS CodeDeploy
AnswerC

CodePipeline orchestrates the entire CI/CD workflow.

Why this answer

Option C is correct because AWS CodePipeline is a fully managed continuous delivery service that orchestrates build, test, and deploy phases. Option B is wrong because AWS CodeBuild only performs build and test, not deployment. Option D is wrong because AWS CodeDeploy only handles deployment, not build and test.

Option A is wrong because AWS CloudFormation is for infrastructure as code, not CI/CD orchestration.

1560
MCQhard

A developer is deploying an application on EC2 instances behind an Application Load Balancer. The application must support mutual TLS (mTLS) authentication between clients and the load balancer. Which configuration is required?

A.Use a Network Load Balancer (NLB) with TLS listeners.
B.Configure listener rules on the ALB to require client certificates.
C.Create a trust store in AWS Certificate Manager Private CA and associate it with the ALB.
D.Use Amazon CloudFront with a custom origin and require client certificates.
AnswerC

Trust store enables mTLS on ALB.

Why this answer

Option C is correct because mutual TLS on an Application Load Balancer is configured by attaching a trust store to the HTTPS listener. The trust store is an Elastic Load Balancing resource holding the CA certificate bundle (and optional certificate revocation lists) used to validate client certificates; the bundle is uploaded from S3 and the CA can be AWS Private CA, which is what the option refers to, or any CA of your own. With the listener in verify mode the ALB checks the client certificate against the trust store during the TLS handshake, rejects connections that do not chain to it, and passes certificate details to targets in X-Amzn-Mtls-Clientcert-* headers.

Exam trap

The trap here is that candidates often confuse 'requiring client certificates' with a listener rule, not realizing that mTLS on an ALB needs a trust store attached to the listener itself; a listener can also be set to passthrough mode, which forwards the client certificate to targets without validating it, so verification at the load balancer specifically requires the trust store.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer TLS listener terminates server-side TLS only; it cannot validate client certificates (an NLB in TCP passthrough mode could hand the whole handshake to the targets, but then the load balancer is not doing mTLS). Option B is wrong because listener rules route on request attributes such as host header and path; client certificate verification is a property of the HTTPS listener's mTLS configuration and its trust store, not of a rule. Option D is wrong because CloudFront does not perform mTLS with viewers and does not accept a viewer client certificate; a client certificate requirement would have to be enforced at the origin, not at the edge.

1561
Multi-Selecthard

A company is using AWS CodePipeline to automate its deployment pipeline. The pipeline has a source stage that pulls code from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer wants to add a manual approval step before deployment to production. Which of the following are correct steps to implement this? (Choose THREE.)

Select 3 answers
A.Add a second pipeline for the approval step.
B.Configure the approval action to use an SNS topic for notifications.
C.Use AWS CodeBuild to run a script that waits for manual approval.
D.Create an IAM role that allows the pipeline to publish to the SNS topic.
E.Add an approval action to the pipeline before the deploy stage.
AnswersB, D, E

SNS sends emails to approvers when approval is needed.

Why this answer

Options B, D, and E are correct. Option E is correct because the manual approval is itself a pipeline action (category Approval, provider Manual) placed in a stage ahead of the deploy stage; the pipeline pauses there until someone approves or rejects. Option B is correct because the approval action can be given an SNS topic ARN so that approvers are notified, together with a review URL and comments for context. Option D is correct because the pipeline's service role must be allowed to publish to that topic (sns:Publish), or the notification fails.

Option A is wrong because a second pipeline is unnecessary and cannot gate the first one. Option C is wrong because a CodeBuild script that polls for approval is a workaround that ties up a build container and records no approver identity; CodePipeline's approval action records who approved and when.

1562
MCQmedium

A developer is deploying an application on Amazon ECS using the Fargate launch type. The application needs to communicate with a DynamoDB table. The developer creates a VPC with private subnets and configures the ECS service to use those subnets. However, the tasks cannot reach DynamoDB. What is the MOST likely cause?

A.The task IAM role does not have permissions to access DynamoDB.
B.The security group of the tasks does not allow outbound traffic to DynamoDB.
C.The VPC does not have a VPC endpoint for DynamoDB, and there is no NAT gateway.
D.The task definition does not have a network mode that supports DynamoDB.
AnswerC

Correct: Private subnets cannot reach DynamoDB without a VPC endpoint or NAT.

Why this answer

Option C is correct because a task in a private subnet has no route to DynamoDB's public endpoint unless the VPC has a gateway VPC endpoint for DynamoDB (the cheaper, preferred choice) or a NAT gateway; without either, API calls hang and time out. Option B is wrong because the default security group permits all outbound traffic, so egress would only be a problem if someone had restricted it. Option A is wrong because a missing IAM permission produces an immediate AccessDeniedException, not an unreachable endpoint; the error type distinguishes the two.

Option D is wrong because Fargate tasks always use awsvpc network mode, which supports any AWS API; the task definition has no setting that enables or disables DynamoDB access.

1563
Multi-Selectmedium

A developer is troubleshooting an issue where an IAM user cannot perform 's3:ListBucket' on a bucket. Which TWO factors could cause this denial?

Select 2 answers
A.The bucket is in a different region than the user's default region.
B.An explicit deny statement in the bucket policy.
C.The bucket is encrypted with AWS KMS.
D.The user has a permissions boundary that does not include s3:ListBucket.
E.The user's IAM policy does not include s3:ListBucket.
AnswersB, E

Explicit denies override any allows.

Why this answer

Option B is correct because an explicit deny statement in a bucket policy overrides any allow that might exist from an IAM policy or other sources. AWS IAM evaluates all policies (identity-based and resource-based) and an explicit deny always takes precedence, effectively blocking the s3:ListBucket action regardless of other permissions.

Exam trap

The trap here is the difference between an explicit Deny and an implicit one. Option B is an explicit Deny in the bucket policy, which overrides every Allow. Option E is an implicit Deny: with no Allow for s3:ListBucket anywhere, the request is refused by default. Note that Option D would also block the request in practice, because a permissions boundary caps what the identity's policies can grant, so an action missing from the boundary is implicitly denied even when the user's policy allows it; the exam's key counts B and E, so read the two chosen answers as 'explicit Deny' and 'no applicable Allow', with D being a boundary-induced implicit Deny. Option A is wrong because S3 bucket permissions do not depend on the caller's default region, and Option C is wrong because KMS encryption affects reading object data, not listing the bucket.

1564
MCQeasy

A developer has written an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5. The SQS queue has 10,000 messages waiting to be processed. What will happen when the Lambda function is invoked?

A.Lambda will automatically increase reserved concurrency to handle the load.
B.Lambda will reject the invocation because reserved concurrency is too low.
C.Lambda will scale up to 20 concurrent executions to process all messages quickly.
D.Lambda will process messages with a maximum of 5 concurrent executions, each processing a batch of messages.
AnswerD

Reserved concurrency limits to 5 concurrent executions.

Why this answer

Reserved concurrency caps the function at 5 concurrent invocations, and Lambda's SQS poller hands each invocation a batch of messages; with a batch size of 10, up to 50 messages are in flight at once while the rest wait in the queue. Lambda never exceeds the reserved value.

One caveat for low reserved concurrency: the SQS poller can fetch more batches than the function is allowed to run, and the throttled batches return to the queue after their visibility timeout, which shows up as Throttles and redelivery. Setting maximum concurrency on the SQS event source mapping (available since 2023) limits polling to what the function can actually process.

1565
Multi-Selecthard

A company is deploying a microservices architecture using AWS Lambda and Amazon API Gateway. The developer wants to implement a canary release deployment for the API. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A.Configure stage variables to point the canary stage to a different Lambda function alias.
B.Enable canary by setting the traffic percentage in the API Gateway stage.
C.Use API Gateway canary release settings to create a canary stage.
D.Use Amazon CloudFront to distribute traffic between two API Gateway stages.
E.Use Lambda canary releases to gradually shift traffic.
AnswersA, B, C

Stage variables can route traffic to different aliases.

Why this answer

Option A is correct because API Gateway canary settings on a stage include stage variable overrides, so the canary can point the Lambda integration at a different function alias while the base stage keeps using the stable alias. Option B is correct because the canary is activated by setting the percentage of the stage's traffic routed to the canary deployment. Option C is correct because API Gateway's canary release settings are what create the canary, configured on the existing stage rather than as a separately deployed stage. Together these let a slice of traffic exercise the new version before the canary is promoted to the whole stage or deleted.

Exam trap

The trap here is that candidates may confuse Lambda alias weighted routing (Option E) with API Gateway canary releases, but the question explicitly asks for API-level canary deployment, which requires API Gateway's native canary settings, not just Lambda-level traffic shifting.

1566
MCQeasy

A developer is deploying a Docker container to Amazon ECS using the Fargate launch type. The developer wants to ensure the container has access to an Amazon RDS database. What is the best way to securely pass the database credentials to the container?

A.Pass the credentials as plain text environment variables in the task definition.
B.Store the credentials in an Amazon S3 bucket and download them at container startup.
C.Store the credentials in the container image as environment variables.
D.Use AWS Systems Manager Parameter Store or AWS Secrets Manager to store the credentials and reference them in the task definition.
AnswerD

This is the secure way to manage secrets.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store and AWS Secrets Manager are designed to securely store and manage sensitive information like database credentials. In Amazon ECS with Fargate, you reference them in the container definition's 'secrets' list, each entry naming a parameter or secret ARN in 'valueFrom', and the ECS agent injects the values as environment variables when the container starts, without putting them in plain text in the task definition or requiring application code to fetch them. The task execution role (not the task role) retrieves the values, so it needs ssm:GetParameters or secretsmanager:GetSecretValue, plus kms:Decrypt if the values are encrypted with a customer managed key. Because the values are read at container start, a rotated secret reaches the container only when the task is replaced or the application re-reads it.

Exam trap

The trap here is that candidates may think environment variables are inherently secure or that storing credentials in S3 is a safe alternative, overlooking the native integration and security guarantees of AWS Secrets Manager and Parameter Store for ECS tasks.

How to eliminate wrong answers

Option A is wrong because passing credentials as plain text environment variables in the task definition exposes them in the ECS console, API responses, and logs, violating security best practices. Option B is wrong because downloading credentials from an S3 bucket at container startup requires storing AWS access keys in the container or granting broad S3 permissions, and the credentials could be exposed in transit or logs; it also adds unnecessary complexity and latency. Option C is wrong because embedding credentials in the container image as environment variables makes them accessible to anyone with access to the image registry and prevents rotation without rebuilding the image, violating immutable infrastructure principles.

1567
MCQmedium

A team uses AWS CodeCommit for source control and wants to automatically trigger a build and deployment when code is pushed to the master branch. Which AWS service should be used to create this automation?

A.AWS CodeBuild
B.AWS CodePipeline
C.AWS Lambda
D.AWS CodeDeploy
AnswerB

CodePipeline integrates with CodeCommit as source.

Why this answer

AWS CodePipeline is the correct service because it is a fully managed continuous delivery service that can be configured to automatically start a pipeline execution when a change is pushed to a specific branch in AWS CodeCommit. By setting the source stage to the CodeCommit repository and master branch, CodePipeline triggers subsequent build and deploy actions without manual intervention, enabling a complete CI/CD workflow.

Exam trap

The trap here is that candidates confuse individual services (CodeBuild for building, CodeDeploy for deploying) with the orchestration service (CodePipeline) needed to chain them together in response to a source code event.

How to eliminate wrong answers

Option A is wrong because AWS CodeBuild is a build service that compiles source code and runs tests, but it has no native trigger that starts a build on a CodeCommit push; it needs an external trigger such as CodePipeline or an EventBridge rule. Option C is wrong because AWS Lambda can react to CodeCommit events via EventBridge (formerly CloudWatch Events) or SNS, but it is not a purpose-built CI/CD service and would require custom code to orchestrate build and deployment steps, making it less suitable than CodePipeline. Option D is wrong because AWS CodeDeploy is a deployment service that automates application deployments to compute services like EC2 or Lambda, but it cannot listen to CodeCommit push events or orchestrate a build step; it relies on a pipeline or other trigger to initiate deployments.

1568
MCQmedium

A developer is building a REST API using Amazon API Gateway and wants to transform the request data before sending it to the backend Lambda function. The transformation includes mapping query string parameters to a JSON body. Which API Gateway feature should be used?

A.Velocity Template Language (VTL) mapping templates
B.Lambda authorizer
C.Request validator
D.CORS configuration
AnswerA

Mapping templates in API Gateway use VTL to transform request data, such as converting query string parameters into a JSON body before passing to Lambda.

Why this answer

Option A is correct because API Gateway REST APIs use Velocity Template Language (VTL) mapping templates in the integration request to transform incoming request data, such as mapping query string parameters into a JSON body before passing it to the backend Lambda function. The template extracts values from the request (for example `$input.params('paramName')`) and constructs a new JSON payload, so the client request stays unchanged. Note that HTTP APIs do not support mapping templates; they offer only parameter mapping, so this transformation needs a REST API.

Exam trap

The trap here is that candidates often confuse request validation (Option C) with data transformation, assuming that validating the request structure also implies the ability to reshape the data, but validation only checks for presence and format, not mapping or transformation.

How to eliminate wrong answers

Option B is wrong because a Lambda authorizer is used for custom authentication and authorization of API requests, not for transforming request data or mapping parameters to a JSON body. Option C is wrong because a request validator only validates that the request adheres to the API's defined schema (e.g., required parameters, types), but it does not perform any data transformation or mapping. Option D is wrong because CORS configuration manages cross-origin resource sharing headers (e.g., Access-Control-Allow-Origin) to allow browser-based clients from different domains, and it has no role in transforming request payloads or mapping query string parameters.

1569
MCQmedium

A developer is troubleshooting an issue where an AWS Lambda function cannot write logs to Amazon CloudWatch Logs. The Lambda function has an execution role with a policy that allows logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Which additional configuration is likely missing?

A.The CloudWatch Logs log group is encrypted with a customer-managed KMS key.
B.The log group name must start with '/aws/lambda/'.
C.The Lambda function is in a VPC without a VPC endpoint for CloudWatch Logs.
D.The Lambda function is not configured with a log group name.
AnswerC

If the function is in a VPC, it needs either a NAT gateway or a VPC endpoint to reach CloudWatch Logs.

Why this answer

Option C is correct because when a Lambda function is attached to a VPC, it loses default internet connectivity, including the ability to reach the CloudWatch Logs API endpoints. Even if the execution role grants the necessary permissions, the function cannot send logs unless a VPC endpoint for CloudWatch Logs (com.amazonaws.region.logs) is created in the VPC, or the function has a NAT gateway to route traffic to the public endpoint.

Exam trap

The trap here is that candidates often assume IAM permissions are the only requirement for CloudWatch Logs integration, overlooking the network connectivity constraints introduced by VPC attachment.

How to eliminate wrong answers

Option A is wrong because if the log group is encrypted with a customer-managed KMS key, the Lambda execution role would need additional kms:Decrypt and kms:GenerateDataKey permissions, but the question states the role already has the necessary CloudWatch Logs actions, and the issue is about missing configuration, not missing permissions. Option B is wrong because log group names do not have to start with '/aws/lambda/'; Lambda can write to any log group it has permissions for, though the default log group name pattern is '/aws/lambda/<function-name>'. Option D is wrong because Lambda automatically creates a log group named '/aws/lambda/<function-name>' if it does not exist, and the function does not require explicit configuration of a log group name.

1570
MCQhard

A company has a production application running on AWS Lambda that processes real-time streaming data from Amazon Kinesis Data Streams. The Lambda function is configured with a batch size of 100 and a maximum concurrency of 5. Recently, the application has been experiencing failures with a high number of invocation errors. The errors indicate that the function is timing out. The developer checks the CloudWatch metrics and notices that the IteratorAge metric for the Kinesis stream is increasing rapidly, and there are many Throttles events for the Lambda function. The average execution duration of the function is 30 seconds, and the function timeout is set to 1 minute. The Kinesis stream has 10 shards. The company expects the data volume to double in the next month. Which combination of actions should the developer take to resolve the issue and prepare for future growth?

A.Increase the number of shards in the Kinesis stream to 20 and increase Lambda concurrency to 10.
B.Increase Lambda concurrency to at least 20 and reduce the batch size to 10.
C.Disable the reserved concurrency limit on the Lambda function and decrease the batch size to 5.
D.Increase the Lambda function timeout to 5 minutes and increase the batch size to 500.
AnswerB

More concurrency reduces throttling; smaller batch size reduces processing time per invocation.

Why this answer

Option B is correct. A Kinesis event source runs at most one concurrent invocation per shard by default (up to ten per shard with a parallelization factor), so 10 shards need at least 10 concurrent executions; a maximum concurrency of 5 starves half the shards, which is why Throttles rise and IteratorAge grows. Concurrency of at least 20 also leaves headroom for the expected doubling to 20 shards. Reducing the batch size from 100 to 10 cuts the work per invocation, so the average duration drops well below the one-minute timeout.

Option D is wrong because a longer timeout and larger batches make each invocation slower and do nothing about throttling. Option A is wrong because 20 shards with a concurrency of 10 is still only half of what the shards can drive. Option C is wrong because removing the limit gives up control over scaling and downstream load, and a batch size of 5 multiplies invocations unnecessarily.

1571
MCQmedium

An IAM policy is attached to a user. The user tries to delete an object in 'example-bucket' from IP address 198.51.100.5. What happens?

A.The user is denied from deleting the object.
B.The user can delete the object because the Allow statement grants all actions on the bucket.
C.The user can delete the object because there is no explicit Deny for their IP.
D.The user can delete the object because the Deny condition is met.
AnswerA

The Deny statement blocks DeleteObject from IPs outside 203.0.113.0/24.

Why this answer

The IAM policy includes an explicit Deny for s3:DeleteObject with a source IP condition that 198.51.100.5 satisfies, since it lies outside the permitted 203.0.113.0/24 range. An explicit Deny overrides any Allow, so the deletion is refused no matter what the Allow statement grants.

Exam trap

The trap here is that candidates often assume an Allow statement alone grants access, forgetting that an explicit Deny with a matching condition takes precedence and blocks the action.

How to eliminate wrong answers

Option B is wrong because the Allow statement is overridden by the explicit Deny for the specific IP address; AWS IAM evaluates Deny statements before Allow statements. Option C is wrong because an explicit Deny does not require the condition to be unmet—it applies when the condition is met, and here the condition (IP address match) is satisfied. Option D is wrong because the Deny condition is met (the request comes from 198.51.100.5), which triggers the Deny, not an Allow; the user cannot delete the object.
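Worked example covering the policy evaluation rules used by questions 1550, 1556, 1563 and 1571 (added here; it is not code from the question bank or from an AWS library). Because the page does not reproduce the actual policy documents, the policies, bucket names and the key ARN from question 1556 are constructed to match each scenario, and the evaluator implements only the parts of IAM evaluation those scenarios exercise: Action/Resource wildcards, the String, Null and IP condition operators, explicit Deny first, then a same-account resource-policy Allow, then the permissions boundary as a ceiling on identity-based Allows.

```python
"""Simulator of the IAM evaluation rules behind questions 1550, 1556, 1563 and
1571. Added example, not AWS code: the page does not show the real policy
documents, so the policies, bucket names and key ARN below are constructed to
mirror each scenario, and only the operators those scenarios need exist."""
import ipaddress
import re

def glob_match(pattern, value):
    """IAM wildcard match for Action/Resource: '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _in_cidrs(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def condition_holds(cond, ctx):
    """Evaluate a Condition block; ctx omits keys the request did not carry."""
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if operator == "Null":  # "true" means the key is absent
                ok = (actual is None) == (str(wanted[0]).lower() == "true")
            elif operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":  # an absent key equals nothing
                ok = actual not in wanted
            elif operator == "IpAddress":
                ok = actual is not None and _in_cidrs(actual, wanted)
            elif operator == "NotIpAddress":
                ok = actual is None or not _in_cidrs(actual, wanted)
            else:
                raise ValueError("unsupported operator " + operator)
            if not ok:
                return False
    return True

def _effects(policy, action, resource, ctx):
    """Effects of the statements in policy that match this request."""
    out = []
    for s in (policy or {}).get("Statement", []):
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        ress = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if (any(glob_match(a, action) for a in acts) and any(glob_match(r, resource) for r in ress)
                and condition_holds(s.get("Condition", {}), ctx)):
            out.append(s["Effect"])
    return out

def evaluate(action, resource, ctx, identity=(), resource_policy=None, boundary=None):
    """(effect, reason) in IAM's order for a same-account principal: explicit
    Deny anywhere, resource-based Allow, boundary ceiling, identity Allow."""
    fx = lambda p: _effects(p, action, resource, ctx)
    for p in list(identity) + [resource_policy, boundary]:
        if p and "Deny" in fx(p):
            return "Deny", "explicit deny in " + p.get("Id", "policy")
    if resource_policy and "Allow" in fx(resource_policy):
        return "Allow", "resource-based policy"
    if boundary is not None and "Allow" not in fx(boundary):
        return "Deny", "implicit deny: permissions boundary lacks the action"
    if any("Allow" in fx(p) for p in identity):
        return "Allow", "identity-based policy"
    return "Deny", "implicit deny: no matching Allow"

# Q1550: anonymous GET; Allow covers every object, Deny covers the secret/ prefix.
BUCKET_1550 = {"Id": "bucket-policy", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/secret/*"}]}

def anonymous_get(key):
    return evaluate("s3:GetObject", "arn:aws:s3:::my-bucket/" + key, {}, resource_policy=BUCKET_1550)

# Q1556: Deny PutObject unless the exact key is named; "app-logs" is an assumed bucket name.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abc"
KEY_HDR = "s3:x-amz-server-side-encryption-aws-kms-key-id"
LOGS_BUCKET = {"Id": "require-cmk", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*",
     "Condition": {"StringNotEquals": {KEY_HDR: KEY_ARN}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*",
     "Condition": {"Null": {KEY_HDR: "true"}}}]}
WRITER = {"Id": "log-writer", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*"}]}

def put_log(headers):
    return evaluate("s3:PutObject", "arn:aws:s3:::app-logs/app.log", headers,
                    identity=[WRITER], resource_policy=LOGS_BUCKET)

# Q1563: the user's policy allows ListBucket, but a boundary without it still blocks.
USER = {"Id": "user-policy", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket*"}]}
BOUNDARY = {"Id": "boundary", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

def list_bucket(boundary=None):
    return evaluate("s3:ListBucket", "arn:aws:s3:::example-bucket", {}, identity=[USER], boundary=boundary)

# Q1571: Deny DeleteObject from any source address outside 203.0.113.0/24.
USER_1571 = {"Id": "user-policy-1571", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

def delete_from(ip):
    return evaluate("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv",
                    {"aws:SourceIp": ip}, identity=[USER_1571])
```

Calling anonymous_get('secret/key.txt') returns ('Deny', 'explicit deny in bucket-policy') while anonymous_get('public/readme.txt') is allowed; put_log({}) shows an upload with no SSE header being rejected and put_log with a different key ARN likewise; list_bucket(BOUNDARY) returns an implicit deny even though the user's own policy allows s3:ListBucket; and delete_from('198.51.100.5') is denied while delete_from('203.0.113.7') succeeds. The real IAM engine has more operators, cross-account rules and session policies, but the ordering shown here is the one the exam tests.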

1572
MCQmedium

Refer to the exhibit. A developer invokes an AWS Lambda function and receives this error. The function is configured with a 3-second timeout. The developer needs to process data that sometimes takes up to 10 seconds. What should the developer do?

A.Change the invocation type to Event (async).
B.Increase the Lambda function timeout to 10 seconds.
C.Increase the memory allocation for the Lambda function.
D.Set reserved concurrency to 1.
AnswerB

Increasing timeout allows longer execution.

Why this answer

Option B is correct because raising the timeout to at least 10 seconds lets the function finish; the 3-second timeout is what produces the 'Task timed out' error. Option C is incorrect because more memory (and the CPU share that comes with it) may shorten the run but does not change the limit at which Lambda kills the invocation. Option A is incorrect because asynchronous invocation changes who waits for the result, not the timeout.

Option D is incorrect because reserved concurrency controls how many invocations may run at once and has no effect on how long one may run.

1573
Multi-Select · hard

A developer is building a real-time chat application using WebSocket APIs in API Gateway and Lambda. The application must handle thousands of concurrent connections. Which TWO actions should the developer take to ensure the application scales properly?

Select 2 answers
A. Use CloudFront to distribute the WebSocket endpoints.
B. Place the Lambda function in a VPC to improve security.
C. Enable API Gateway caching to reduce Lambda invocations.
D. Set the Lambda function's reserved concurrency to a high enough value.
E. Use a DynamoDB table to store connection IDs and handle connection state.
Answers: D, E

Reserved concurrency ensures the function can handle peak load.

Why this answer

Options D and E are correct. Using a DynamoDB table to store connection IDs (E) is a common pattern for managing WebSocket connections. Setting the Lambda function's reserved concurrency high enough (D) ensures the function has capacity at peak load and prevents it from throttling other functions.

Option B is wrong because Lambda functions in a VPC have limited elastic network interfaces. Option C is wrong because API Gateway handles scaling automatically. Option A is wrong because CloudFront does not support WebSocket APIs.

1574
MCQ · easy

A developer wants to deploy a containerized application to Amazon ECS using Fargate. The application requires persistent storage that can be shared across multiple containers in the same task. Which storage option should the developer use?

A. Amazon EC2 instance store
B. Amazon EFS file system
C. Amazon S3 bucket
D. Amazon EBS volume
Answer: B

EFS can be used as a shared volume in Fargate.

Why this answer

Option B is correct because EFS can be mounted as a volume in Fargate tasks and shared among the containers in a task. Option D (EBS) is not supported in Fargate. Option C (S3) is object storage, not a file system.

Option A (instance store) is ephemeral and not available in Fargate.

1575
MCQ · hard

A developer is using AWS CodeBuild to compile a Java application. The build project is configured with a 'buildspec.yml' file. The developer notices that the build succeeds on the local machine but fails in CodeBuild with the error: 'Error: Could not find or load main class com.example.App'. What is the most likely cause?

A. The 'build' phase command is incorrect, causing compilation to fail.
B. The build environment does not have Java installed.
C. The buildspec.yml file does not include an 'install' phase to download dependencies.
D. The 'artifacts' section in buildspec.yml is misconfigured.
Answer: C

The local machine may have dependencies pre-installed, but CodeBuild needs explicit installation.

Why this answer

Option C is correct because CodeBuild runs in a clean environment; if the buildspec does not include an 'install' phase to download dependencies, the application fails to run. Option B is wrong because Java is pre-installed in the CodeBuild images. Option A is wrong because the error indicates a missing class at run time, not a compile error.

Option D is wrong because the 'artifacts' section only affects build output, not execution.
