AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 1576-1616

1616 questions total · 22 pages · All types, answers revealed

Page 22 of 22

1576 · MCQ · easy

A developer needs to allow an IAM user to stop and start EC2 instances but not terminate them. Which IAM policy effect and action combination should be used?

A. Allow ec2:StopInstances and ec2:StartInstances
B. Allow ec2:StopInstances, ec2:StartInstances, and ec2:TerminateInstances
C. Deny ec2:TerminateInstances
D. Allow ec2:StartInstances and ec2:TerminateInstances
Answer: A

Allows stop and start without termination.

Why this answer

Option A is correct because the policy should allow ec2:StopInstances and ec2:StartInstances but not ec2:TerminateInstances. Option B is wrong because it includes ec2:TerminateInstances. Option C is wrong because a Deny on its own grants nothing; the user would still be unable to stop or start instances.

Option D is wrong because it also includes termination.

1577 · MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application needs to store session state. Which configuration is MOST cost-effective and scalable?

A. Use S3 to store session state
B. Use an ElastiCache Memcached cluster
C. Use an RDS database to store session state
D. Store session state in the local file system of each EC2 instance
Answer: B

Memcached is designed for session storage and is cost-effective.

Why this answer

ElastiCache with Memcached is a common choice for distributed session state. Option B is correct.

1578 · Multi-Select · medium

A company is using AWS CodeCommit as a source repository for a CI/CD pipeline. The developer has set up AWS CodePipeline with a source stage that uses CodeCommit. The pipeline triggers automatically on changes to the repository. The developer wants to ensure that only changes to the 'main' branch trigger the pipeline. Which THREE configurations should the developer set in the CodePipeline source stage? (Choose THREE.)

Select 3 answers
A. Set 'Output artifact format' to 'CodeCommit'.
B. Disable 'Poll for source changes'.
C. Set 'Change detection' to 'Amazon CloudWatch Events'.
D. Set 'Repository name' to 'main'.
E. Set the 'Branch name' to 'main'.
Answers: B, C, E

When using CloudWatch Events, polling should be disabled to avoid duplicate triggers.

Why this answer

Option B is correct because disabling 'Poll for source changes' is necessary when using event-based change detection (CloudWatch Events) to trigger the pipeline. When you set 'Change detection' to 'Amazon CloudWatch Events' (option C), you must disable polling to avoid duplicate triggers and ensure the pipeline only responds to CloudWatch Events triggered by commits to the specified branch. This configuration ensures that only changes to the 'main' branch (set in option E) initiate the pipeline.

Exam trap

The trap here is that candidates mistakenly think 'Repository name' can be used to specify the branch, or that 'Output artifact format' influences trigger behavior, when in fact only the 'Branch name' field and the combination of CloudWatch Events with polling disabled enforce branch-specific triggering.

1579 · Multi-Select · hard

A company uses Amazon API Gateway to expose a REST API backed by AWS Lambda. The API has a resource /items with GET and POST methods. The GET method returns items from a DynamoDB table. The POST method adds an item to the table. Currently, all methods are open to the public. Security requirements mandate that only authenticated users can access the POST method, while the GET method remains public. Which THREE steps should the developer take to meet these requirements?

Select 3 answers
A. Configure the Lambda authorizer only on the POST method in the API Gateway.
B. Create a Lambda function as an authorizer that validates a JWT token from the Authorization header.
C. In the Lambda authorizer, return an IAM policy that allows execute-api:Invoke on the POST method.
D. Use an Amazon Cognito User Pools authorizer for the entire API.
E. Add a resource policy that denies public access to the POST method.
Answers: A, B, C

Authorizers can be applied per method.

Why this answer

Option B is correct because a Lambda authorizer can validate the JWT token. Option A is correct because the authorizer can be attached only to the POST method. Option C is correct because the Lambda authorizer returns an IAM policy that allows or denies access.

Option D is incorrect because a Cognito User Pools authorizer would apply to the entire API. Option E is incorrect because resource policies are global, not method-specific.

1580 · Multi-Select · hard

A Lambda function processes messages from an SQS standard queue and writes results to DynamoDB. Duplicate writes occasionally occur after retries. Which two changes best make the processing idempotent?

Select 2 answers
A. Use a deterministic idempotency key stored with a conditional write in DynamoDB
B. Increase the Lambda timeout to 15 minutes
C. Treat the SQS message ID or business transaction ID as a processed-record key
D. Disable SQS visibility timeout
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because using a deterministic idempotency key (e.g., a business transaction ID) combined with a conditional write in DynamoDB ensures that if the same message is processed more than once, the second write attempt will fail because the item already exists. This prevents duplicate records even when Lambda retries after a failure or timeout, making the processing idempotent at the database level.

Exam trap

The trap here is that candidates often confuse idempotency with simply increasing timeouts or disabling visibility timeouts, not realizing that idempotency requires a deterministic key and a conditional check at the storage layer.

1581 · MCQ · easy

A developer wants to store session state for a web application that runs on multiple EC2 instances behind an Application Load Balancer. Which AWS service should the developer use to store the session state in a centralized, highly available location?

A. Amazon RDS
B. Amazon S3
C. Amazon ElastiCache
D. AWS Lambda
Answer: C

ElastiCache provides a managed Redis or Memcached cluster, ideal for session state.

Why this answer

ElastiCache (Redis or Memcached) is a managed in-memory cache that is commonly used for session state storage across multiple EC2 instances. DynamoDB is also an option but is not listed. S3 is not suitable for session state.

RDS is a relational database, not ideal for session state. Lambda is compute, not storage.

1582 · MCQ · hard

A developer is deploying an application using AWS CloudFormation. The template includes an AWS::Lambda::Function resource. The developer wants to ensure that the Lambda function's code is automatically updated when the source code in S3 changes. Which approach should the developer use?

A. Specify the S3 object version in the template and update the version number in the template when code changes.
B. Use the AWS::Lambda::Version resource to create a new version.
C. Include the S3 bucket and key as template parameters and update the stack with a new key when code changes.
D. Use a custom resource backed by a Lambda function that polls S3 for changes.
Answer: A

Changing the version ID causes CloudFormation to detect a modification and update the function.

Why this answer

CloudFormation does not automatically detect changes in S3. Using the same S3 key with a version ID ensures that CloudFormation sees a change and updates the function. Using a parameter for the bucket does not trigger updates.

Custom Resource or CodePipeline is overkill for simple updates.

1583 · MCQ · easy

A company is using AWS CloudFormation to deploy infrastructure. The developer wants to update a stack and needs to know what changes will be made before executing the update. Which AWS CLI command should the developer use?

A. aws cloudformation deploy
B. aws cloudformation create-change-set
C. aws cloudformation validate-template
D. aws cloudformation update-stack
Answer: B

Correct: Change sets allow you to preview changes.

Why this answer

Option B is correct because 'aws cloudformation create-change-set' creates a change set that previews the changes. Option A is wrong because 'deploy' creates and executes a change set in one step, with no preview. Option D is wrong because 'update-stack' applies the update directly without a preview.

Option C is wrong because 'validate-template' only checks template syntax.

1584 · Multi-Select · hard

A developer is troubleshooting a Lambda function that is failing with a 'Task timed out' error. The function is configured with a 3-second timeout. The function makes an HTTP request to an external API that sometimes takes more than 3 seconds to respond. Which THREE actions should the developer take to resolve this issue?

Select 3 answers
A. Use an asynchronous invocation pattern with a queue to decouple the HTTP request.
B. Place the Lambda function in a VPC to improve network latency.
C. Increase the Lambda function timeout to 10 seconds.
D. Reduce the batch size in the event source mapping.
E. Implement retry logic with exponential backoff in the function code.
Answers: A, C, E

Asynchronous processing prevents timeouts by returning immediately.

Why this answer

Options A, C, and E are correct. Increasing the Lambda timeout (C) allows the function to wait longer for the API response. Implementing retry logic with exponential backoff (E) helps handle transient delays.

Using an asynchronous invocation pattern (A) decouples the request from the response, allowing the function to return quickly and process the response later. Option B is incorrect because VPC configuration does not affect the timeout. Option D is incorrect because reducing the batch size is not relevant to the timeout.

1585 · MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails during the 'BeforeInstall' lifecycle event. Which file should the developer check to debug the failure?

A. index.js
B. appspec.yml
C. taskdef.json
D. buildspec.yml
Answer: B

appspec.yml defines lifecycle events and scripts for CodeDeploy.

Why this answer

Option B is correct because appspec.yml defines lifecycle hooks such as BeforeInstall, and the scripts referenced in those hooks are executed. If the hook fails, the developer should check the scripts specified in appspec.yml. Option D is incorrect because buildspec.yml is for CodeBuild.

Option C is incorrect because taskdef.json is for ECS. Option A is incorrect because the application code is not the direct cause.

1586 · MCQ · medium

A developer is troubleshooting a CloudFront distribution that serves static content from an S3 bucket. Users in some geographic locations report slow load times. The developer checks the CloudFront metrics and sees a high number of cache misses. What is the MOST likely cause?

A. The CloudFront distribution is configured with Price Class 100, which uses only the US and Europe edge locations.
B. The S3 bucket is configured with signed URLs for access.
C. The CloudFront distribution is not configured to compress objects.
D. The object TTL is set to a very low value (e.g., 0 seconds).
Answer: D

A TTL of 0 means each request must go to the origin, resulting in high cache misses and slower performance for users.

Why this answer

Option D is correct because a short TTL causes objects to expire from edge caches quickly, leading to frequent cache misses and requests going back to the origin. Option A (price class) affects which edge locations are used, not the cache hit rate. Option C (compression) does not affect cache hits.

Option B (signed URLs) would cause access failures if the URLs were not constructed correctly, not a high cache miss rate.

1587 · MCQ · medium

A development team uses AWS CodeDeploy to deploy a serverless application. The deployment fails with the error: 'The deployment failed because the deployment group did not contain any instances.' The deployment group is configured with an Amazon ECS service and uses the Blue/Green deployment type. What is the MOST likely cause?

A. The AppSpec file is incorrectly formatted and does not specify the task definition.
B. The deployment group's traffic routing configuration is set to 'AllAtOnce' causing immediate failure.
C. The CodeDeploy service role does not have permissions to describe ECS clusters.
D. The deployment group does not have a configured ECS service to deploy to.
Answer: D

CodeDeploy requires an ECS service to be specified in the deployment group; missing this results in no target instances.

Why this answer

The error 'The deployment failed because the deployment group did not contain any instances' indicates that CodeDeploy cannot find a target resource to deploy to. Since the deployment group is configured for an Amazon ECS service with Blue/Green deployment, the most likely cause is that the deployment group does not have an ECS service specified. Without a configured ECS service, CodeDeploy has no target to route traffic to or replace during the deployment, resulting in this error.

Exam trap

The trap here is that candidates may confuse the 'no instances' error with missing EC2 instances, but in ECS deployments, 'instances' refers to the ECS service itself as the deployment target, not individual container instances.

How to eliminate wrong answers

Option A is wrong because an incorrectly formatted AppSpec file would cause a different error, such as 'Invalid AppSpec file' or 'Missing required property', not a missing instances error. Option B is wrong because 'AllAtOnce' traffic routing configuration controls how traffic is shifted to the replacement task set, not whether instances exist; it would not cause an immediate failure due to missing instances. Option C is wrong because insufficient permissions for the CodeDeploy service role would result in an access denied or authorization error, not a 'deployment group did not contain any instances' error.

1588 · Multi-Select · hard

A company is using CloudFront with an S3 origin to serve static content. Users in some geographic regions experience high latency. The developer wants to optimize performance. Which THREE actions should the developer take?

Select 3 answers
A. Increase the TTL for the cache behavior to reduce requests to the origin.
B. Enable S3 Transfer Acceleration for the origin bucket.
C. Enable CloudFront Origin Shield to reduce the number of requests to the origin.
D. Configure multiple origins and set up origin failover.
E. Add additional CloudFront edge locations in the affected regions.
Answers: A, C, D

Higher TTL improves cache hit ratio, reducing origin requests and latency.

Why this answer

Option A is correct: a higher TTL improves the cache hit ratio, so fewer requests travel back to the origin. Option C is correct: Origin Shield adds a central caching layer in front of the origin and reduces the load on it.

Option D is correct: multiple origins with failover improve availability. Option B is wrong: S3 Transfer Acceleration speeds up uploads to S3 and does not affect CloudFront delivery. Option E is wrong: edge locations are operated by AWS and cannot be added by the customer.

1589 · MCQ · hard

An S3 bucket policy allows GetObject from another account, but objects encrypted with SSE-KMS still return AccessDenied. Which additional authorization is required?

A. The caller must be allowed to use the KMS key for decrypt operations
B. The caller must own the destination VPC
C. The bucket must enable static website hosting
D. The object key must end with .kms
Answer: A

Correct for the stated requirement.

Why this answer

When an S3 object is encrypted with SSE-KMS, the S3 bucket policy granting GetObject access is not sufficient because S3 must also decrypt the object before returning it. The AWS KMS key policy must grant the caller kms:Decrypt permission, and the caller's IAM policy must also allow kms:Decrypt on the specific KMS key. Without this additional KMS authorization, S3 returns AccessDenied even if the bucket policy allows GetObject.

Exam trap

The trap here is that candidates assume a bucket policy granting s3:GetObject is sufficient for all objects, forgetting that SSE-KMS adds a separate authorization layer via KMS key policies that must explicitly allow the decrypt operation.

How to eliminate wrong answers

Option B is wrong because VPC ownership is irrelevant to S3 object access; S3 bucket policies and KMS permissions control cross-account access, not network ownership. Option C is wrong because static website hosting is a feature for serving public content and has no bearing on KMS-encrypted object access or cross-account authorization. Option D is wrong because the object key suffix has no effect on KMS authorization; SSE-KMS encryption is determined by the object's encryption settings, not its filename.

1590 · Multi-Select · easy

Which TWO are features of AWS Identity and Access Management (IAM)? (Choose 2)

Select 2 answers
A. Encrypt S3 objects automatically
B. Monitor network traffic
C. Define fine-grained permissions with policies
D. Manage EC2 instance lifecycle
E. Create and manage IAM users and groups
Answers: C, E

Policies are central to IAM.

Why this answer

Options C and E are correct. E: IAM allows creating and managing users and groups. C: IAM policies define fine-grained permissions.

D: Managing the EC2 instance lifecycle is not an IAM function. A: Encrypting S3 objects is not an IAM function. B: Monitoring network traffic is not an IAM function.

1591 · MCQ · easy

A developer is building a serverless API using Amazon API Gateway and AWS Lambda. The API accepts JSON payloads in the request body. The developer wants to ensure that incoming requests have a valid structure before being passed to the Lambda function to reduce unnecessary invocations. Which API Gateway feature should the developer use?

A. Request validation using models and request validators
B. Usage plans with API keys
C. WAF (AWS WAF) integration
D. Custom authorizer (Lambda authorizer)
Answer: A

API Gateway request validation checks the request against a model (JSON schema). It rejects invalid requests before reaching the integration, reducing Lambda invocations.

Why this answer

Option A is correct because API Gateway's request validation feature allows you to define a JSON Schema model for the request body and attach a request validator to the method. This validates the payload structure before the request reaches the Lambda function, preventing invalid payloads from triggering unnecessary invocations and reducing costs.

Exam trap

The trap here is that candidates confuse request validation (payload structure checking) with authorization (who can call the API) or security filtering (WAF), leading them to pick a wrong option like custom authorizer or WAF integration.

How to eliminate wrong answers

Option B is wrong because usage plans with API keys control rate limiting and quota management for API consumers, not payload structure validation. Option C is wrong because AWS WAF integration protects against web exploits like SQL injection or cross-site scripting at the HTTP layer, not JSON schema validation. Option D is wrong because a custom authorizer (Lambda authorizer) authenticates and authorizes the caller (e.g., via OAuth or JWT), but does not validate the request body's structure or content.

1592 · MCQ · easy

The exhibit shows the output of a command. What does this output indicate about the bucket?

A. Versioning is enabled, and MFA delete is required
B. Versioning is suspended
C. Versioning is disabled
D. Versioning is enabled, and MFA delete is not required
Answer: D

MFADelete is Disabled.

Why this answer

Versioning is enabled, but MFA delete is not required. Option D is correct.

1593 · MCQ · medium

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing increased latency. The developer suspects the ALB is the bottleneck. How can the developer confirm this using CloudWatch metrics?

A. Monitor the HealthyHostCount metric and ensure it is equal to the number of instances.
B. Monitor the SurgeQueueLength metric and look for sustained high values.
C. Monitor the TargetResponseTime metric and compare it to the client's perspective.
D. Monitor the RequestCount metric and check if it exceeds the ALB's limit.
Answer: B

High SurgeQueueLength means requests are queued, causing latency.

Why this answer

The SurgeQueueLength metric tracks the number of requests that are queued by the ALB because it cannot route them to a healthy target. A sustained high value indicates that the ALB is overwhelmed and requests are waiting, which directly confirms the ALB as the bottleneck causing increased latency.

Exam trap

The trap here is that candidates often confuse SurgeQueueLength with backend metrics like TargetResponseTime, assuming latency must come from the targets rather than the load balancer's internal queuing.

How to eliminate wrong answers

Option A is wrong because HealthyHostCount only indicates the number of registered instances that pass health checks; it does not measure ALB load or queuing, so it cannot confirm the ALB as the bottleneck. Option C is wrong because TargetResponseTime measures the time taken by the backend targets to respond, not the ALB's internal processing or queuing delay; comparing it to client-perceived latency would highlight backend issues, not ALB overload. Option D is wrong because RequestCount alone does not have a fixed 'limit' that triggers latency; ALBs scale automatically based on request load, and exceeding a limit would cause errors, not necessarily increased latency.

1594 · Multi-Select · medium

Which THREE components are required to enable encryption in transit for an Application Load Balancer? (Choose THREE.)

Select 3 answers
A. A security group rule allowing inbound traffic on port 443
B. An SSL/TLS certificate from ACM or uploaded to IAM
C. A listener configured on port 443 with the certificate
D. Server Name Indication (SNI) support
E. An HTTP to HTTPS redirect rule
Answers: A, B, C

The security group must allow HTTPS traffic.

Why this answer

A security group rule allowing inbound traffic on port 443 is required because the Application Load Balancer (ALB) must accept HTTPS traffic from clients. Without this rule, the ALB's network interface will drop encrypted connections, preventing any TLS handshake from completing. This ensures that traffic between clients and the ALB is encrypted in transit.

Exam trap

The trap here is that candidates often confuse optional features like SNI or redirect rules as mandatory requirements, when in fact only the security group rule, the certificate, and the listener on port 443 are strictly necessary for encryption in transit.

1595 · MCQ · hard

A developer is optimizing an S3 bucket for static website hosting. The site has a main page (index.html) and an error page (error.html). Users report seeing a generic 403 error instead of the error page when accessing a missing object. What is the likely cause?

A. The bucket policy denies access to the error.html object.
B. The Error document field in the static website hosting configuration is not set to error.html.
C. The index.html is missing from the bucket.
D. The error.html object has incorrect permissions.
Answer: B

The configuration must specify the error document for custom error pages.

Why this answer

Option B is correct because S3 static website hosting uses the Index document and Error document settings; if the error document is not configured correctly, S3 returns a generic 403. Option D is wrong because the error page is not tied to object permissions. Option C is wrong because the error page is different from the index page.

Option A is wrong because the bucket policy does not affect error page routing.

1596 · MCQ · medium

A developer is using Amazon CloudFront to serve static content from an S3 bucket. Users are reporting that they see outdated content. The CloudFront distribution has a default TTL of 24 hours. What is the MOST efficient way to serve updated content immediately?

A. Create a CloudFront invalidation for the updated objects.
B. Disable and re-enable the CloudFront distribution.
C. Update the object key in the S3 bucket.
D. Change the default TTL to 0.
Answer: A

Invalidations remove objects from edge caches, ensuring users get the latest version.

Why this answer

Option A is correct because creating an invalidation removes the cached objects from edge locations, forcing CloudFront to fetch the updated content from the origin. Option D is wrong because changing the TTL would affect future cache behavior but would not immediately purge existing cached objects. Option C is wrong because updating the object key would require users to use a new URL.

Option B is wrong because disabling and re-enabling the distribution would cause downtime.

1597 · MCQ · easy

A developer wants to store application configuration securely and retrieve it programmatically from EC2 instances. The configuration includes database passwords and API keys. Which AWS service should be used?

A. EC2 user data
B. Amazon S3 with server-side encryption
C. AWS CloudFormation template parameters
D. AWS Systems Manager Parameter Store with SecureString
Answer: D

Provides encrypted storage for secrets and integration with EC2.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store with SecureString provides encrypted storage for secrets. Option B is wrong because S3 is not designed for secret management. Option A is wrong because EC2 user data is not encrypted.

Option C is wrong because CloudFormation is for infrastructure, not runtime secret retrieval.

1598 · Multi-Select · medium

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway, Lambda functions, and a DynamoDB table. The developer wants to define and deploy this infrastructure as code. Which files and tools are required? (Choose THREE.)

Select 3 answers
A. Terraform configuration files
B. aws cloudformation deploy command
C. AWS SAM template file (template.yaml)
D. aws cloudformation package command
E. AWS CLI with aws lambda update-function-code command
Answers: B, C, D

This command deploys the packaged application.

Why this answer

The correct answers are B, C, and D. SAM uses a template.yaml file, and the aws cloudformation package and deploy commands are used to deploy. Option A is wrong because Terraform is a separate tool.

Option E is wrong because the AWS CLI alone cannot handle SAM packaging and deployment.

1599 · MCQ · hard

A developer is using AWS Elastic Beanstalk to deploy a Node.js application. The developer wants to run a custom script to set environment variables before the application starts. Which configuration file and location should the developer use?

A. Add a configuration file in the .ebextensions directory that uses container_commands.
B. Add a Procfile to the application root.
C. Place a shell script in the .ebextensions/scripts directory.
D. Add a cron.yaml file to the .ebextensions directory.
Answer: A

container_commands in .ebextensions run custom commands during deployment.

Why this answer

Option A is correct because `.ebextensions` configuration files with `container_commands` allow you to run custom commands before the application starts. `container_commands` execute after the application and web server have been set up but before the application is deployed, making them ideal for setting environment variables or running setup scripts. The files must be in YAML or JSON format and placed in the `.ebextensions` directory at the root of your source bundle.

Exam trap

The trap here is that candidates confuse `container_commands` with `commands` (which run before the application setup) or assume a Procfile is used in Elastic Beanstalk, when in fact Elastic Beanstalk uses platform-specific hooks like `.platform/hooks/prebuild` or `.ebextensions` for custom scripts.

How to eliminate wrong answers

Option B is wrong because a Procfile is used by Heroku, not AWS Elastic Beanstalk; Elastic Beanstalk uses its own platform hooks and configuration files. Option C is wrong because placing a shell script in `.ebextensions/scripts` is not a recognized configuration method; Elastic Beanstalk does not automatically execute scripts from that path. Option D is wrong because `cron.yaml` is used for periodic tasks (cron jobs) in Elastic Beanstalk worker environments, not for running pre-deployment setup scripts.

1600 · MCQ · medium

A developer is building a serverless application that uses Amazon S3 event notifications to trigger an AWS Lambda function for thumbnail generation. The developer wants to ensure that duplicate S3 events do not cause the same image to be processed multiple times. Which approach should the developer implement to ensure idempotent processing?

A. Store the object key and event ID in a DynamoDB table and check for duplicates before processing
B. Set the Lambda function's concurrency to 1 to prevent concurrent executions
C. Use an Amazon SQS FIFO queue as the event destination
D. Enable S3 event notification filtering based on object size
Answer: A

By recording processed object keys in DynamoDB and checking for existing records, the function can skip duplicate events, ensuring each object is processed only once.

Why this answer

Option A is correct because storing the S3 object key and event ID in a DynamoDB table with a TTL attribute allows the Lambda function to perform a conditional write (or check for an existing item) before processing. This ensures that even if duplicate S3 events are delivered (e.g., due to S3's at-least-once delivery guarantee), the same image is only processed once, achieving idempotency.

Exam trap

The trap here is that candidates often assume S3 event notifications are exactly-once, but the exam tests that they are at-least-once, requiring explicit idempotency handling via an external store like DynamoDB.

How to eliminate wrong answers

Option B is wrong because setting concurrency to 1 only prevents concurrent executions but does not prevent duplicate events from being processed sequentially; the same image could still be processed multiple times if duplicate events arrive one after another. Option C is wrong because SQS FIFO queues provide exactly-once processing within the queue, but S3 event notifications cannot directly send to a FIFO queue (S3 only supports standard SQS queues as event destinations), and even if you manually route through a FIFO queue, the deduplication ID would need to be based on the event ID, which is not automatically handled. Option D is wrong because filtering based on object size only reduces the number of events triggered (e.g., for small or large objects) but does not address duplicate events for the same object; duplicates can still occur regardless of size.

1601 · MCQ · hard

A developer performed a CodeDeploy deployment to an Auto Scaling group. The deployment status is Failed with code HEALTH_CONSTRAINTS. Based on the exhibit, what is the most likely cause?

A. The CodeDeploy agent on the instances is not running
B. The minimum number of healthy instances required for the deployment was not met
C. The application revision contains invalid scripts
D. The IAM role for CodeDeploy does not have sufficient permissions
Answer: B

HEALTH_CONSTRAINTS indicates that the deployment could not maintain the required healthy instance count.

Why this answer

The error 'HEALTH_CONSTRAINTS' means that too many instances failed health checks. The deployment overview shows 2 failed instances and 3 succeeded. The minimum healthy instances setting likely required more than 3 healthy instances.

Option B is correct. Option C (invalid scripts in the application revision) would cause a different error. Option A (CodeDeploy agent not running) would show agent issues.

Option D (permissions) would cause access denied errors.

1602 · MCQ · easy

A developer is using AWS SAM to define a serverless application. The application includes an AWS Lambda function that needs to access an Amazon DynamoDB table. The developer wants to grant the Lambda function the minimum required permissions to read and write items in the table. Which resource should the developer use to define the IAM permissions?

A.AWS::DynamoDB::Table
B.AWS::IAM::Role
C.AWS::Serverless::Function Policies property
D.AWS::Lambda::Permission
AnswerC

The Policies property allows attaching IAM policies to the function's execution role.

Why this answer

In AWS SAM, the AWS::Serverless::Function resource has a Policies property that can be used to attach IAM policies. The developer can use a managed policy like 'AmazonDynamoDBFullAccess' or a custom policy. However, the recommended approach is to use the 'Policies' property with a statement that grants specific DynamoDB actions.

AWS::IAM::Role can be used but is not necessary when using SAM. AWS::Lambda::Permission defines resource-based policies, not the permissions of the Lambda execution role. AWS::DynamoDB::Table defines the table, not permissions.

1603
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The deployment must follow a rolling update, deploying to exactly 50% of the instances at a time. Which built-in deployment configuration should the developer use?

A.CodeDeployDefault.OneAtATime
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.AllAtOnce
D.CodeDeployDefault.LambdaAllAtOnce
AnswerB

This is the built-in configuration that deploys to half of the instances at a time during a rolling update.

Why this answer

Option B, CodeDeployDefault.HalfAtATime, is correct because it instructs CodeDeploy to deploy to exactly 50% of the instances in the Auto Scaling group at a time during a rolling update. This built-in configuration ensures that half the instances are updated before the other half, matching the requirement for a 50% rolling deployment.

Exam trap

The trap here is that candidates may confuse CodeDeployDefault.HalfAtATime with CodeDeployDefault.OneAtATime or CodeDeployDefault.AllAtOnce, or incorrectly apply Lambda-specific configurations like CodeDeployDefault.LambdaAllAtOnce to EC2 deployments.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.OneAtATime deploys to only one instance at a time, not 50% of the instances. Option C is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which is not a rolling update and does not limit to 50%. Option D is wrong because CodeDeployDefault.LambdaAllAtOnce is a deployment configuration for AWS Lambda functions, not for EC2 Auto Scaling groups, and it deploys to all traffic at once.

1604
Multi-Selecthard

A company has a web application running on Amazon ECS with Fargate launch type. The application needs to store and retrieve user session data. The sessions are small and require very low latency access. The development team wants a fully managed solution. Which storage options meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon DynamoDB
B.Amazon S3
C.Amazon EFS
D.Amazon ElastiCache for Redis
E.Amazon RDS for PostgreSQL
AnswersA, D

DynamoDB offers single-digit millisecond latency and is fully managed.

Why this answer

The correct answers are A and D. Amazon ElastiCache for Redis provides in-memory caching with low latency, and Amazon DynamoDB provides fast NoSQL storage. Option C is wrong because EFS is a file system, not optimized for key-value session data.

Option E is wrong because RDS is relational and adds latency. Option B is wrong because S3 is object storage with higher latency.

1605
MCQeasy

A developer uses the CloudFormation template in the exhibit to create an S3 bucket. The stack creation fails with the error 'Bucket already exists'. What is the MOST likely reason?

A.The CloudFormation template has invalid JSON syntax.
B.The bucket name is already taken by another AWS account.
C.The IAM user does not have permission to create S3 buckets.
D.The bucket name is not available in the specified region.
AnswerB

S3 bucket names must be unique across all AWS accounts.

Why this answer

Option B is correct because S3 bucket names must be globally unique. If the bucket name 'my-unique-bucket-name' already exists in another AWS account, the creation will fail. Option D (region) is not true; bucket names are global.

Option C (permissions) would cause a different error. Option A (template format) is wrong because the template is valid JSON.

1606
MCQeasy

A developer needs to grant an IAM user access to an S3 bucket for read-only operations. Which IAM policy action should be used?

A.s3:PutObject
B.s3:DeleteObject
C.s3:ListBucket
D.s3:GetObject
AnswerD

Allows reading objects, which is read-only.

Why this answer

Option D is correct because s3:GetObject allows reading objects from S3. Option A is wrong because s3:PutObject allows writing. Option C is wrong because s3:ListBucket allows listing but not reading object content.

Option B is wrong because s3:DeleteObject allows deletion.

1607
MCQmedium

A developer attached the above IAM policy to an AWS Lambda function that writes encrypted objects to an S3 bucket. The function fails with an 'AccessDenied' error when putting objects. What is the most likely reason?

A.The policy does not include s3:PutObjectAcl permission.
B.The policy is missing a statement for the S3 bucket itself (not the objects).
C.The policy allows s3:GetObject, which is unnecessary and conflicts with PutObject.
D.The KMS key policy does not allow the Lambda function to decrypt.
AnswerA

If the bucket requires object ACLs, the function needs s3:PutObjectAcl.

Why this answer

Option A is correct because the policy allows s3:PutObject but does not include s3:PutObjectAcl or other permissions that may be needed by the Lambda function or the encryption context. Option B is wrong because the bucket-level statement is not what is missing; it is there. Option D is wrong because KMS permissions are granted.

Option C is wrong because s3:GetObject is not needed for writing but does not conflict with PutObject; a missing s3:PutObjectAcl is the common cause when bucket policies enforce specific ACLs.

1608
MCQeasy

The exhibit shows the output of the describe-instances command. An Elastic Beanstalk environment is configured to use this EC2 instance as a web server. The application is not accessible. What is the most likely cause?

A.The instance has been terminated.
B.The security group does not allow HTTP traffic.
C.The instance does not have the correct Name tag.
D.The instance does not exist.
AnswerA

The state shows 'terminated', so the instance is not running.

Why this answer

Option A is correct because the instance state is 'terminated', meaning it is no longer running. Option D is wrong because the instance exists but is terminated. Option C is wrong because the tag is present.

Option B is wrong because there is no indication of a security group issue.

1609
MCQmedium

A developer wants to update an AWS CloudFormation stack that includes an Amazon SQS queue. The queue is currently processing messages. The developer needs to change the queue's default visibility timeout without losing any messages. Which approach should the developer take?

A.Delete the stack and recreate it with the updated visibility timeout.
B.Update the stack directly; CloudFormation will automatically handle in-flight messages.
C.Change the visibility timeout using the UpdateStack API; messages will be unaffected as long as the new timeout is longer than the current one.
D.Stop the queue, update the visibility timeout, then resume the queue.
AnswerC

The update modifies the queue's configuration without impacting existing messages. A longer timeout ensures messages don't become visible while being processed.

Why this answer

Option C is correct because the UpdateStack API allows you to modify the visibility timeout of an SQS queue without disrupting in-flight messages, as long as the new timeout is longer than the current one. This ensures that messages already being processed have sufficient time to complete before becoming visible again, preventing any message loss. CloudFormation handles the update by applying the change to the queue resource definition and triggering a stack update that modifies the queue's configuration without deleting or recreating it.

Exam trap

The trap here is that candidates may think CloudFormation automatically handles in-flight messages during an update, but in reality, the developer must choose a new visibility timeout that is longer than the current one to prevent message loss.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the stack would destroy the existing queue and all its messages, including in-flight ones, causing message loss. Option B is wrong because while CloudFormation can update the stack directly, it does not automatically handle in-flight messages; the developer must ensure the new visibility timeout is longer than the current one to avoid premature message redelivery. Option D is wrong because SQS queues cannot be 'stopped' or 'paused'; they are always active, and attempting to stop the queue is not a valid operation in AWS.

1610
Multi-Selecteasy

A developer is using AWS Elastic Beanstalk to deploy a web application. The environment uses an Application Load Balancer (ALB). The developer wants to perform a blue/green deployment to minimize downtime. Which TWO steps should the developer take? (Choose two.)

Select 2 answers
A.Terminate the old environment after the new environment is deployed.
B.Add more EC2 instances to the existing environment.
C.Deploy the new version to a separate Elastic Beanstalk environment.
D.Update the existing environment with the new version.
E.Swap the CNAME records of the two environments.
AnswersC, E

This creates the green environment.

Why this answer

Option C is correct because blue/green deployment requires a separate, isolated environment running the new version. Elastic Beanstalk supports this by allowing you to create a second environment (green) alongside the existing one (blue), ensuring zero overlap and no risk to the live application during deployment.

Exam trap

The trap here is that candidates often confuse blue/green deployment with in-place updates (Option D) or scaling (Option B), failing to recognize that a separate environment and a CNAME swap are the defining steps for a true blue/green deployment on Elastic Beanstalk.

1611
Multi-Selecthard

A company is using AWS CloudFormation to deploy infrastructure. The developer needs to update a stack but wants to avoid downtime for a critical database. Which THREE strategies should the developer consider?

Select 3 answers
A.Set the DeletionPolicy attribute to Retain on the database resource.
B.Use the Parameters section to set a conditional update flag.
C.Use the UpdateReplace policy to create a new resource before deleting the old one.
D.Apply a stack policy that prevents updates to the database resource.
E.Use change sets to review the impact of changes before executing them.
AnswersC, D, E

This minimizes downtime during replacement.

Why this answer

Option E (change sets) is correct because they allow previewing changes. Option D (stack policy) is correct because it can protect specific resources during updates. Option C (UpdateReplace policy) is correct because it can create a replacement before deletion.

Option A is wrong because DeletionPolicy is about stack deletion, not updates. Option B is wrong because it is a parameter, not a strategy.

1612
MCQeasy

A developer is using the AWS CLI to upload a file to an S3 bucket with server-side encryption. The bucket is configured with default encryption (SSE-S3). The developer wants to ensure the object is encrypted with SSE-KMS instead. What should the developer do?

A.Use the --kms-key-id parameter with a KMS key ARN
B.Use the --sse aws:kms parameter when uploading
C.No action needed; the bucket default encryption will apply
D.Change the bucket policy to require SSE-KMS
AnswerB

Explicitly requesting SSE-KMS overrides the bucket default.

Why this answer

Option B is correct because the developer must explicitly specify the server-side encryption method at the time of upload using the `--sse aws:kms` parameter in the AWS CLI. This overrides the bucket's default SSE-S3 encryption, ensuring the object is encrypted with SSE-KMS. Without this parameter, the object inherits the bucket's default encryption (SSE-S3), regardless of any other settings.

Exam trap

The trap here is that candidates assume bucket default encryption always applies to all objects, but in reality, request-level encryption parameters take precedence over bucket defaults, and the developer must explicitly specify SSE-KMS to override SSE-S3.

How to eliminate wrong answers

Option A is wrong because the `--kms-key-id` parameter is used to specify a specific KMS key ARN when SSE-KMS is already selected, but it does not enable SSE-KMS by itself; the `--sse aws:kms` parameter must also be provided. Option C is wrong because the bucket's default encryption (SSE-S3) will apply automatically, which does not meet the developer's requirement for SSE-KMS; the default is not overridden without explicit request-level parameters. Option D is wrong because changing the bucket policy to require SSE-KMS only enforces that objects must be encrypted with SSE-KMS at the bucket level, but the developer still needs to specify `--sse aws:kms` in the upload command to comply with that policy and achieve the desired encryption.

1613
MCQhard

A developer is writing a Lambda function that processes events from an Amazon Kinesis stream. The function must ensure that records are processed in the order they were received and that each shard is processed by only one instance of the function at a time. How should the developer configure the Lambda function?

A.Set the function's concurrency to the number of shards and enable parallelization factor.
B.Set the batch size to 1 and configure the function's reserved concurrency to 1.
C.Set the batch size to 100 and enable parallelization factor per shard.
D.Use a DynamoDB table to track sequence numbers and enforce ordering.
AnswerB

Batch size 1 ensures records are processed one at a time, and reserved concurrency 1 ensures only one instance processes all shards sequentially.

Why this answer

Option B is correct because setting the batch size to 1 and the concurrency to the number of shards (or reserved concurrency of 1) ensures per-shard ordering and single-threaded processing per shard. Option A is wrong because parallelization factor processes batches in parallel, breaking ordering. Option C is wrong because Lambda processes multiple shards concurrently by default, but reserving concurrency per shard is not possible; instead, set concurrency to 1.

Option D is wrong because Kinesis ordering is per-shard, not across the stream.

1614
MCQeasy

An application running on EC2 instances needs to access an S3 bucket securely. Which of the following is the BEST practice for managing credentials?

A.Store the AWS access key and secret key in a configuration file on the EC2 instance.
B.Use an IAM user with programmatic access and attach a policy allowing S3 access.
C.Launch the EC2 instance with an IAM role that grants S3 access.
D.Use a shared secret key stored in AWS Secrets Manager and retrieve it at runtime.
AnswerC

Best practice, temporary credentials.

Why this answer

Option C is correct because assigning an IAM role to an EC2 instance is the AWS-recommended best practice for securely granting permissions to AWS services. The instance automatically obtains temporary security credentials from the instance metadata service (IMDS), eliminating the need to hardcode or manage long-term access keys. This approach follows the principle of least privilege and avoids the security risks of storing credentials on disk.

Exam trap

The trap here is that candidates often confuse IAM users with IAM roles, mistakenly thinking that creating a dedicated IAM user with programmatic access is a secure practice, when in fact IAM roles are the correct and secure method for EC2-to-S3 access because they eliminate the need to manage long-term credentials.

How to eliminate wrong answers

Option A is wrong because storing AWS access keys and secret keys in a configuration file on the EC2 instance is a security risk; if the instance is compromised, the credentials are exposed and can be used indefinitely. Option B is wrong because using an IAM user with programmatic access requires distributing and managing long-term access keys, which violates the AWS security best practice of using IAM roles for EC2 workloads. Option D is wrong because while AWS Secrets Manager securely stores secrets, retrieving a shared secret key at runtime still introduces a long-term credential that must be managed and rotated, whereas an IAM role provides temporary, automatically rotated credentials without any secret management overhead.

1615
MCQeasy

Refer to the exhibit. The IAM policy is attached to an IAM role that is assumed by an AWS Lambda function. The Lambda function needs to read and write objects in the 'my-bucket' S3 bucket, but it should never delete objects. What will happen when the function attempts to delete an object?

A.The delete will fail because the Deny statement explicitly denies the delete action.
B.The delete will succeed because there is no explicit deny for the specific object.
C.The delete will succeed because the Allow statement gives full access.
D.The delete will fail because the Allow statement only includes GetObject and PutObject.
AnswerA

Explicit deny prevents the delete.

Why this answer

The policy explicitly denies s3:DeleteObject. IAM policies are evaluated with an explicit deny override. Even if another policy allows delete, the explicit deny will take effect, and the request will be denied.

1616
MCQmedium

A company is using AWS CodePipeline to automate deployments of a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The deploy stage fails intermittently with the error 'Rate exceeded' when creating or updating stacks. What should the developer do to resolve this issue?

A.Use the AWS CLI to deploy the CloudFormation stack instead of CodePipeline.
B.Increase the timeout for the CloudFormation deployment action in the pipeline.
C.Request a service limit increase for CloudFormation API calls.
D.Add a retry configuration with exponential backoff to the CloudFormation deployment action.
AnswerD

Retries with backoff can handle transient rate limiting.

Why this answer

Option D is correct. CloudFormation has API rate limits; adding a retry with backoff in the pipeline configuration will handle transient throttling. Option B is wrong because increasing the timeout does not address rate limits.

Option A is wrong because using a different deployment method may not avoid CloudFormation API calls. Option C is wrong because the throttling is transient, so a permanent service limit increase is not the appropriate remedy.
