AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 151–225

1616 questions total · 22 pages · All types, answers revealed

Page 3 of 22
151
Multi-Select · medium

Which TWO AWS services can be used to store and retrieve application configuration data in a serverless application? (Choose two.)

Select 2 answers
A. Amazon S3
B. AWS CloudFormation
C. AWS AppConfig
D. AWS Secrets Manager
E. Amazon DynamoDB
Answers: C, E

AppConfig is a service for managing application configuration.

Why this answer

AWS AppConfig is designed for application configuration. Amazon DynamoDB is a NoSQL database that can store configuration data. AWS Systems Manager Parameter Store also stores configuration, but it is not among the options.

AWS CloudFormation is for infrastructure provisioning. Amazon S3 is object storage, not optimized for configuration. AWS Secrets Manager is for secrets, not general configuration.

152
MCQ · easy

A company uses Amazon S3 to store sensitive data. A developer needs to ensure that all objects uploaded to a specific S3 bucket are encrypted at rest. Which approach should the developer take?

A. Add a bucket policy that denies PutObject if the object is not encrypted.
B. Use pre-signed URLs with server-side encryption parameters.
C. Attach an IAM policy to all users requiring them to include the x-amz-server-side-encryption header.
D. Enable default encryption on the bucket using SSE-S3.
Answer: A

A bucket policy with the condition key s3:x-amz-server-side-encryption can deny uploads that do not specify encryption.

Why this answer

Option A is correct because a bucket policy that denies PutObject unless the object is encrypted with SSE-S3, SSE-KMS, or SSE-C enforces encryption on every upload. Option D (default encryption) encrypts objects that do not have encryption specified, but it does not prevent unencrypted uploads if the client overrides. Option C (IAM policy) is cumbersome and not bucket-specific.

Option B (pre-signed URLs) does not enforce encryption.

153
MCQ · hard

The above command invokes a Lambda function. The response includes 'FunctionError': 'Handled'. What does this indicate?

A. The function threw an exception that was caught and returned as an error.
B. The function had a permission error.
C. The function executed successfully.
D. The function timed out.
Answer: A

Correct: 'Handled' means the error was handled by the function code.

Why this answer

Option A is correct because 'Handled' means the function threw an exception that was caught by the code (e.g., in a try-catch block) and returned as an error response. Option C is wrong because 'Handled' does not mean the function succeeded. Option D is wrong because a timeout would be reported as 'Unhandled'.

Option B is wrong because a permission error would result in a 403 response rather than a FunctionError.

154
MCQ · hard

A developer is debugging a Lambda function that is triggered by an S3 event. The function is supposed to process images and store metadata in DynamoDB. However, the function times out after 3 seconds for large images. The function's timeout is currently set to 5 seconds. What should the developer do to resolve the issue without increasing the timeout?

A. Increase the Lambda function's memory allocation to improve performance.
B. Increase the Lambda function's timeout to 15 minutes.
C. Use multipart upload or stream processing to handle the image in chunks.
D. Offload the processing to an Amazon SQS queue and process asynchronously.
Answer: C

Streaming or chunking can reduce memory usage and processing time.

Why this answer

Correct: C. The function times out because it processes the whole image synchronously. By using S3 multipart upload or processing the image in chunks, the function can handle large images within the timeout.

Option A is wrong because increasing memory may help but does not directly address the timeout. Option B is wrong because increasing the timeout is ruled out by the question. Option D is wrong because SQS does not speed up the processing itself.

155
MCQ · hard

A company has an S3 bucket configured with server-side encryption using AWS KMS (SSE-KMS). An application running on EC2 with an appropriate IAM role is unable to write objects to the bucket. The error message indicates an access denied error. Which additional permission is most likely required?

A. kms:GenerateDataKey
B. kms:Decrypt
C. kms:Encrypt
D. kms:ReEncrypt
Answer: A

Required by S3 to generate the data key that encrypts the object under SSE-KMS.

Why this answer

Option A is correct because with SSE-KMS, the IAM role must have the kms:GenerateDataKey permission for S3 to encrypt the object. Option B is wrong because kms:Decrypt is needed for reading, not writing. Option C is wrong because kms:Encrypt is used for client-side encryption; for SSE-KMS, the S3 service calls GenerateDataKey.

Option D is wrong because kms:ReEncrypt is for re-encrypting ciphertext under a different key.

156
MCQ · easy

A developer is using the AWS CLI to deploy a new version of a Lambda function. The developer runs the following command:

aws lambda update-function-code --function-name my-function --zip-file fileb://my-code.zip

After the command completes, the developer checks the function and sees that the code has been updated but the version number is still $LATEST. The developer wants to create a new version so that the previous version is preserved. What should the developer do next?

A. Run the update-function-code command again with the --publish flag.
B. Run the delete-function command and then create-function with the updated code.
C. Run the publish-version command to create a new version from the updated $LATEST.
D. Run the update-function-configuration command to set the version number.
Answer: C

This command creates a new version from the current $LATEST code.

Why this answer

Option C is correct because the `update-function-code` command without the `--publish` flag only updates the `$LATEST` version of the Lambda function. To create an immutable, numbered version that preserves the previous code, the developer must explicitly run the `publish-version` command, which takes the current `$LATEST` code and publishes it as a new version (e.g., version 2). This ensures the previous version (version 1) remains unchanged and can be referenced via its version ARN.

Exam trap

The trap here is that candidates assume the `update-function-code` command automatically creates a new version, but it only updates `$LATEST` unless the `--publish` flag is explicitly used, leading them to incorrectly choose Option A or D.

How to eliminate wrong answers

Option A is wrong because the `--publish` flag is used with `update-function-code` to publish a new version in a single step, but running the command again without it will not retroactively publish the already-updated `$LATEST`; it would simply re-upload the same code. Option B is wrong because deleting and recreating the function is unnecessary and destructive: it removes all existing versions, aliases, and event source mappings, which is not required to simply create a new version from the updated code. Option D is wrong because `update-function-configuration` modifies settings like memory, timeout, or environment variables, not the version number; version numbers are immutable and can only be created via `publish-version` or the `--publish` flag during a code update.

157
Multi-Select · hard

A Lambda function reading from Kinesis is falling behind. Which two metrics/settings should be reviewed first?

Select 2 answers
A. IteratorAge for the event source mapping
B. S3 bucket public access settings
C. Route 53 hosted zone count
D. Batch size, parallelization factor, and shard count
Answers: A, D

Correct for the stated requirement.

Why this answer

The IteratorAge metric measures how far behind the Lambda function is in processing records from the Kinesis stream. A high IteratorAge indicates the function is falling behind, making it the primary metric to review. The batch size, parallelization factor, and shard count directly control the concurrency and throughput of the event source mapping, so adjusting these settings can help the function catch up.

Exam trap

The trap here is that candidates may overlook the direct performance-tuning metrics (IteratorAge, batch size, parallelization factor) and instead focus on unrelated AWS services like S3 or Route 53, which are red herrings in this troubleshooting context.

158
MCQ · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to update the DB instance to a larger instance type without causing downtime. The current template has DeletionPolicy set to 'Delete'. What should the developer do?

A. Take a snapshot of the DB instance and restore it to a larger instance type.
B. Use a blue/green deployment by creating a new stack with the larger instance type and updating the application to point to the new database.
C. Change the DeletionPolicy to 'Retain' and update the stack.
D. Create a read replica with the larger instance type and promote it.
Answer: B

Blue/green deployment minimizes downtime by switching to a new stack.

Why this answer

Option B is correct because a blue/green deployment allows you to create a new stack with the larger DB instance type in a separate environment (green), then switch the application traffic to the new database with minimal downtime. This approach avoids the downtime associated with in-place modifications, as CloudFormation updates to RDS instance types typically require a reboot, which causes an outage. By using a blue/green deployment, the developer can validate the new instance and cut over seamlessly.

Exam trap

The trap here is that candidates assume CloudFormation stack updates can resize RDS instances without downtime, but in reality, modifying the DBInstanceClass requires a reboot, making blue/green deployment the only zero-downtime option among the choices.

How to eliminate wrong answers

Option A is wrong because taking a snapshot and restoring to a larger instance type involves significant downtime during the restore process and does not provide a zero-downtime update path. Option C is wrong because changing the DeletionPolicy to 'Retain' only affects stack deletion behavior, not updates; updating the stack with a larger instance type still triggers a reboot and downtime. Option D is wrong because promoting a read replica requires breaking replication and incurs downtime during the promotion process, and read replicas are not designed for zero-downtime instance type changes.

159
MCQ · hard

A company runs a microservices application on Amazon ECS with Fargate. Each service has its own task definition and uses service discovery via AWS Cloud Map. Recently, one service is failing to connect to another service using the service discovery endpoint. The developer verified that both services are running and the security groups allow traffic. What is the most likely cause of the connectivity issue?

A. The service discovery namespace is of type private but the DNS records are not being created.
B. The task definitions are not using the awsvpc network mode.
C. The service discovery namespace is of type public and the services are in a private subnet.
D. The VPC does not have an internet gateway attached.
Answer: A

If DNS records are missing, service discovery fails.

Why this answer

ECS tasks resolve service names through a private DNS namespace; if the DNS records for the services are not being created in that namespace, name resolution fails, which is what Option A describes. Option B is incorrect because Fargate tasks use the awsvpc network mode by default.

Option C is incorrect because ECS service discovery works within the VPC. Option D is incorrect because Cloud Map does not require an internet gateway for private namespaces.

160
MCQ · easy

Which AWS service provides a managed, rotating secret store for database credentials?

A. AWS Secrets Manager
B. AWS KMS
C. AWS IAM Roles
D. AWS Systems Manager Parameter Store
Answer: A

Secrets Manager provides automatic rotation for supported databases.

Why this answer

AWS Secrets Manager is the correct service because it is specifically designed to manage the entire lifecycle of secrets, including automatic rotation of database credentials on a configurable schedule (e.g., every 30 days). It natively integrates with Amazon RDS, Aurora, Redshift, and DocumentDB to rotate credentials without application downtime, using a built-in Lambda rotation function. This makes it the only fully managed, rotating secret store among the options.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets) with Secrets Manager, but Parameter Store lacks native automatic rotation, making Secrets Manager the only correct answer for a managed rotating secret store.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys, not a secret store; it does not store or rotate database credentials. Option C (AWS IAM Roles) is wrong because IAM roles provide temporary credentials for AWS service access via AWS STS, but they are not a secret store and cannot store or rotate static database passwords. Option D (AWS Systems Manager Parameter Store) is wrong because while it can store secrets as SecureString parameters, it does not provide native automatic rotation of database credentials; rotation must be implemented manually or via custom automation.

161
MCQ · easy

A developer is building a RESTful API that allows clients to query a database and retrieve results. The backend logic is implemented in AWS Lambda, which queries an Amazon DynamoDB table. The developer wants to expose the API over HTTPS and manage authentication and throttling. Which AWS service should the developer use to create and manage the API endpoints?

A. Application Load Balancer
B. Amazon API Gateway
C. AWS CloudFront
D. Amazon S3
Answer: B

API Gateway provides a fully managed API frontend with HTTPS, authentication, throttling, and integration with Lambda and DynamoDB.

Why this answer

Amazon API Gateway is the correct choice because it is a fully managed service that enables developers to create, publish, maintain, monitor, and secure RESTful APIs at any scale. It directly supports HTTPS endpoints, integrates natively with AWS Lambda for backend logic, and provides built-in features for authentication (e.g., IAM, Cognito, Lambda authorizers) and throttling (usage plans and rate limits). This makes it the ideal service for exposing a Lambda-backed DynamoDB query as a secure, managed API.

Exam trap

The trap here is that candidates may confuse an Application Load Balancer with API Gateway because both can invoke Lambda functions, but ALB lacks API management features like authentication, throttling, and API key validation, which are explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer operates at Layer 7 of the OSI model and distributes traffic to targets like Lambda functions, but it does not provide API management features such as authentication, throttling, or API key validation; it is designed for load balancing, not for creating and managing RESTful API endpoints. Option C is wrong because AWS CloudFront is a content delivery network (CDN) that caches and accelerates content delivery, but it does not natively create API endpoints or manage authentication and throttling for a RESTful API; it can be placed in front of API Gateway but is not a substitute for it. Option D is wrong because Amazon S3 is an object storage service that can host static websites and serve content over HTTPS, but it cannot execute backend logic like querying a DynamoDB table, nor does it provide authentication or throttling for API requests; it is not designed for dynamic API endpoints.

162
MCQ · hard

An Elastic Beanstalk deployment must avoid downtime and create a full new set of instances before swapping traffic, accepting higher temporary cost. Which policy fits?

A. All at once
B. Rolling
C. Immutable
D. Traffic splitting disabled
Answer: C

Correct for the stated requirement.

Why this answer

Immutable deployment is correct because it creates a fully new set of instances in a separate Auto Scaling group, then swaps the Elastic Load Balancer (ELB) traffic to the new environment in a single atomic action. This ensures zero downtime and a complete rollback capability by simply reverting to the old environment, at the cost of running double the instances temporarily.

Exam trap

The trap here is that candidates confuse 'Rolling' with 'Immutable' because both avoid downtime, but Rolling modifies existing instances in batches and does not create a full parallel environment, whereas Immutable creates a completely separate fleet before the traffic switch.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all existing instances simultaneously, causing downtime during the deployment and not creating a full new set of instances before the traffic swap. Option B is wrong because 'Rolling' updates instances in batches, which avoids downtime but does not create a full new set of instances; it modifies existing instances, so rollback is slower and not atomic. Option D is wrong because 'Traffic splitting disabled' is not a valid Elastic Beanstalk deployment policy; traffic splitting is a feature for canary testing, and disabling it does not define a deployment method that creates a new instance set before swapping.

163
MCQ · easy

An organization uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. The build process needs to run integration tests that require a MySQL database. The team wants to ensure the database is provisioned only during the build and cleaned up afterward to minimize costs. What is the most efficient solution?

A. Provision a small RDS MySQL instance and keep it running for the build process.
B. Use AWS CloudFormation to create an RDS instance at the start of the build and delete it at the end.
C. Use a Docker container running MySQL within the CodeBuild environment.
D. Use Amazon DynamoDB as a substitute for MySQL for the integration tests.
Answer: C

This provides an ephemeral database that is created and destroyed with the build.

Why this answer

Option C is correct. Using AWS CodeBuild's local custom image with Docker Compose allows running a MySQL container as part of the build, which is ephemeral and cost-effective. Option A is wrong because a provisioned RDS instance incurs costs even when not in use.

Option D is wrong because DynamoDB is not a relational database and may not support the same SQL queries. Option B is wrong because creating and destroying RDS instances in every build is slow and may hit API rate limits.

164
MCQ · medium

A company uses Amazon API Gateway to expose a REST API backed by AWS Lambda. The API is experiencing high latency. The developer suspects cold starts are contributing to the latency. Which action would be MOST effective in reducing cold start latency?

A. Increase the memory allocation of the Lambda function.
B. Place the Lambda function in a VPC to improve network latency.
C. Enable Lambda@Edge to cache responses.
D. Increase the function timeout to 15 minutes.
Answer: A

More memory reduces cold start time.

Why this answer

Option A is correct because a larger memory configuration reduces cold start time by providing proportionally more CPU resources. Option C is wrong because provisioned concurrency, not Lambda@Edge, is the feature that reduces cold starts; Lambda@Edge runs code at CloudFront edge locations. Option B is wrong because placing a function in a VPC can increase cold start time.

Option D is wrong because increasing the timeout does not affect cold start performance.

165
Multi-Select · hard

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that only specific IAM roles can decrypt the data. Which THREE steps should be taken?

Select 3 answers
A. Add a condition in the key policy that allows decrypt only when the principal matches the desired IAM roles.
B. Grant all IAM users decrypt permission and rely on S3 bucket policies.
C. Create an IAM policy that grants kms:Decrypt only to the specific roles.
D. Create a customer-managed customer master key (CMK) in KMS.
E. Use separate CMKs for each IAM role to isolate access.
Answers: A, C, D

Conditions can restrict decryption to specific roles.

Why this answer

Option A is correct because key policies in AWS KMS are resource-based policies that directly control access to the CMK. By adding a condition that restricts the `kms:Decrypt` action to only specific IAM roles (using the `aws:PrincipalArn` or `kms:CallerPrincipal` condition key), the security team can ensure that only those roles can decrypt data encrypted with that key. This approach is more secure than relying solely on IAM policies, as key policies are evaluated first and can explicitly deny access even if an IAM policy grants it.

Exam trap

The trap here is that candidates often think IAM policies alone are sufficient for KMS access control, but they forget that KMS key policies are the primary mechanism and must explicitly allow IAM policies to take effect; otherwise, even if an IAM policy grants `kms:Decrypt`, the key policy will deny the request.

166
MCQ · easy

A developer is deploying a CloudFormation stack and sees the event above. What should the developer do to fix the error?

A. Update the Lambda function code to use a different programming language.
B. Increase the Lambda function timeout in the template.
C. Change the runtime to a supported version like nodejs18.x.
D. Add permissions to the Lambda function's execution role.
Answer: C

Updating the runtime to a supported version resolves the error.

Why this answer

The error indicates that the Node.js 12.x runtime is deprecated. The developer should update the runtime to a supported version, such as nodejs18.x, in the CloudFormation template and redeploy. Option B is wrong because the timeout is not the issue.

Option A is wrong because the Lambda function code may be fine; the runtime is the problem. Option D is wrong because adding permissions won't fix an unsupported runtime.

167
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a Python web application. After a successful deployment, the environment's health turns 'Severe' and the application returns HTTP 502 errors. What is the most likely cause?

A. The EC2 instances have insufficient storage for the deployment.
B. The application's requirements.txt file is missing a required dependency.
C. The load balancer's health check path is incorrectly configured.
D. The RDS database connection string is incorrect.
Answer: B

A missing dependency causes the application to fail to start, resulting in a 502 Bad Gateway from the proxy.

Why this answer

Option B is correct because if the application's dependencies (e.g., Python packages) are not included or installed, the application fails to start, causing a 502 error. Option C is incorrect because an incorrectly configured load balancer would cause 503 or 504 errors. Option A is incorrect because exceeding instance storage would cause disk-full errors, not 502.

Option D is incorrect because an RDS connection string misconfiguration would cause application errors but not necessarily 502; the web server would still respond.

168
MCQ · easy

An application running on Amazon ECS with Fargate is unable to pull an image from Amazon ECR. The task definition uses the 'default' task execution role. What is the most likely cause?

A. The task role does not have permissions to access ECR.
B. The ECS cluster does not have permissions to access ECR.
C. The ECS service role does not have permissions to access ECR.
D. The task execution role does not have permissions to pull from ECR.
Answer: D

The execution role needs ecr:GetDownloadUrlForLayer and ecr:BatchGetImage permissions.

Why this answer

Option D is correct because when using Amazon ECS with Fargate, the task execution role (not the task role) is responsible for pulling container images from Amazon ECR. The 'default' task execution role is created automatically but lacks the necessary permissions (e.g., ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:BatchCheckLayerAvailability) unless explicitly attached via an IAM policy. Since the question states the task definition uses the 'default' task execution role, the most likely cause is that this role does not have the required ECR permissions.

Exam trap

The trap here is that candidates often confuse the task execution role with the task role, assuming the task role handles all permissions including image pulling, when in fact the task execution role is a separate IAM role specifically required for ECR image pulls and CloudWatch Logs.

How to eliminate wrong answers

Option A is wrong because the task role is used by the application code running inside the container to interact with AWS services (e.g., DynamoDB, S3), not for pulling images from ECR; image pulling is handled by the ECS agent using the task execution role. Option B is wrong because an ECS cluster itself does not have an IAM role or permissions; permissions are assigned to the task execution role or the ECS service role, not to the cluster resource. Option C is wrong because the ECS service role (formerly ecsServiceRole) is used for actions like registering/deregistering targets with a load balancer, not for pulling container images from ECR; image pulling is exclusively the responsibility of the task execution role.

169
Multi-Select · medium

A developer is designing a system that must meet the following security requirements: (1) Encrypt data at rest in S3, (2) Automatically rotate encryption keys annually, (3) Use an encryption key that is managed by AWS. Which services or features should the developer use? (Choose TWO.)

Select 2 answers
A. SSE-C
B. SSE-KMS
C. SSE-S3
D. AWS CloudHSM
E. Client-side encryption with AWS KMS
Answers: B, C

AWS-managed keys that support rotation.

Why this answer

Option C (SSE-S3) and Option B (SSE-KMS) are correct because both provide encryption at rest with AWS-managed keys. SSE-KMS supports automatic annual rotation (if KMS key rotation is enabled). SSE-S3 uses S3-managed keys, which rotate automatically.

Option A (SSE-C) uses customer-provided keys, not AWS-managed keys. Option D (CloudHSM) is customer-managed. Option E (client-side encryption) is not AWS-managed.

170
Multi-Select · medium

A developer wants separate dev and prod CloudFormation deployments from the same template. Which two practices help?

Select 2 answers
A. Use parameters or mappings for environment-specific values
B. Hardcode production ARNs throughout the template
C. Use separate stacks or stack names per environment
D. Use the root account for deployments
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because CloudFormation parameters and mappings allow you to inject environment-specific values (e.g., instance types, AMI IDs, security group IDs) into a single template without modifying the template itself. Parameters prompt for input at stack creation, while mappings provide a static lookup table keyed by environment (e.g., using the `AWS::Region` pseudo-parameter or a user-defined key). This keeps the template reusable and avoids hardcoding values that differ between dev and prod.

Exam trap

The trap here is that candidates might think hardcoding ARNs is acceptable for production stability, but the exam tests the principle of parameterizing environment-specific values to maintain a single, reusable template across multiple environments.

171
MCQ · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to ensure that the DB instance is not accidentally deleted when the stack is updated. Which property should be set on the DB instance resource?

A. UpdateReplacePolicy: Retain
B. DeletionPolicy: Delete
C. DeletionPolicy: Retain
D. DependsOn: SomeOtherResource
Answer: C

Retains the resource even if the stack is deleted.

Why this answer

Option C is correct because DeletionPolicy: Retain prevents the DB instance from being deleted when the stack is deleted or the resource is removed from the stack. Option A is wrong because UpdateReplacePolicy handles replacement during updates, not deletion. Option D is wrong because DependsOn only orders resource creation and does not prevent deletion.

Option B is wrong because DeletionPolicy: Delete is the default and does not prevent deletion.

172
MCQ · easy

A company is using AWS CodePipeline to automate deployments. The pipeline has a source stage that retrieves code from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The build stage is failing intermittently with errors related to missing dependencies. What should a developer do to ensure the build environment has all required dependencies?

A. Configure environment variables in CodePipeline to set dependency paths.
B. Manually install dependencies on the CodeBuild build server each time.
C. Use AWS CodeCommit as the source repository instead of S3.
D. Create a custom buildspec.yml file in the source code that installs the dependencies in the install phase.
Answer: D

Automates dependency installation.

Why this answer

Option D is correct because a custom buildspec.yml can install the dependencies in the install phase on every build. Option A is wrong because CodePipeline does not manage environment variables for CodeBuild. Option B is wrong because installing dependencies manually is not efficient or repeatable.

Option C is wrong because changing the source repository to CodeCommit does not affect dependency installation.

173
MCQ · hard

A developer is running a Lambda function that uses the 'requests' library. The error shown in the exhibit occurs when invoking the function. Which step should the developer take to fix this?

A. Change the Lambda runtime to Python 3.9 which includes requests
B. Package the 'requests' library with the Lambda deployment package
C. Use the 'urllib' library instead of 'requests'
D. Install the 'requests' library using pip in the Lambda console
Answer: B

Include dependencies in the .zip file or use Lambda layers.

Why this answer

The requests library is not included in the Lambda runtime; it must be packaged with the deployment package. Option B is correct.

174
MCQ · hard

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to s3://my-bucket/confidential/report.pdf. What is the outcome?

A. The upload succeeds because the Allow statement grants s3:PutObject on the bucket.
B. The upload fails because there is no Allow statement for the confidential prefix.
C. The upload fails because the Deny statement explicitly denies access to the confidential prefix.
D. The upload fails because the policy is malformed.
Answer: C

An explicit Deny always overrides any Allow.

Why this answer

Option C is correct because the Deny statement explicitly denies all s3 actions on the confidential prefix, and an explicit Deny overrides any Allow. Option A is wrong because the Deny overrides the Allow. Option B is wrong because the upload is blocked by the explicit Deny, not by a missing Allow for that prefix.

Option D is wrong because the policy is valid and is evaluated normally.

175
MCQ · medium

A developer is deploying an application using AWS Elastic Beanstalk with a Docker platform. The developer wants to minimize downtime during deployments and ensure that the new version is fully tested before routing traffic to it. Which deployment policy should the developer choose?

A. All at once.
B. Rolling with additional batch.
C. Immutable.
D. Traffic splitting.
Answer: D

Correct. Traffic splitting allows incremental traffic shifting, enabling canary testing. The developer can start with a small percentage, verify, and then increase to 100% with minimal risk.

Why this answer

Traffic splitting (option D) is correct because it allows the developer to gradually shift a percentage of traffic from the old application version to the new version, enabling canary testing. This minimizes downtime by ensuring the new version is fully validated before receiving full traffic, and it aligns with the requirement to test the new version before routing all traffic to it.

Exam trap

The trap here is that candidates often confuse 'Immutable' (blue/green) with canary deployments, but immutable swaps all traffic at once after the new instances are healthy, whereas traffic splitting allows gradual traffic shifting and testing before full cutover.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing full downtime during the deployment and no gradual testing. Option B is wrong because 'Rolling with additional batch' updates instances in batches but does not provide a mechanism to test the new version with a subset of traffic before completing the deployment; it still replaces instances without a canary phase. Option C is wrong because 'Immutable' deploys a completely new set of instances and then swaps traffic, which minimizes downtime but does not allow testing the new version with a controlled traffic percentage before the full swap; it is a blue/green approach, not a canary.

176
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session state in an S3 bucket. Users report that after logging in, they are sometimes redirected to the login page again on subsequent requests. What is the MOST likely cause?

A.S3 is not a suitable store for session state due to its eventual consistency and higher latency.
B.The EC2 instances do not have internet access to reach S3.
C.The ALB does not have sticky sessions enabled.
D.The application is not scaling properly, causing session loss.
AnswerA

Correct: S3 is not designed for high-frequency session reads/writes.

Why this answer

Option A is correct because S3 is not designed for low-latency session state access and is eventually consistent, leading to lost writes. A managed service like ElastiCache or DynamoDB is better. Option C is wrong because ALB sticky sessions are not required when session state is kept in a shared external store.

Option B is wrong because S3 can be accessed from EC2. Option D is wrong because scaling alone does not cause session loss if storage is properly configured.

177
MCQmedium

A company uses Amazon API Gateway with a Lambda authorizer to secure its APIs. The authorizer must verify a JWT token from a third-party identity provider. The team notices that the authorizer is called on every API request, causing additional latency. How can the team reduce the number of authorizer invocations?

A.Use Amazon CloudFront to cache the API responses.
B.Configure the Lambda authorizer to return a cached policy using the 'methodArn' and 'principalId' combination.
C.Enable API Gateway caching and set a TTL of 300 seconds.
D.Remove the Lambda authorizer and use IAM roles for authorization.
AnswerB

Lambda authorizer supports caching based on the token.

Why this answer

Option B is correct because enabling token caching in the Lambda authorizer reduces invocations. Option C is wrong because the TTL in API Gateway caching is for response caching, not authorizer caching. Option A is wrong because caching in CloudFront is for content, not authorization.

Option D is wrong because the Lambda authorizer is the intended mechanism; removing it would bypass security.

178
MCQmedium

A company stores sensitive data in Amazon S3. The security team requires that all objects are encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). The developer needs to enforce that any PutObject request that does not specify the 'x-amz-server-side-encryption' header with value 'aws:kms' is denied. Which S3 bucket policy condition should be used?

A.s3:x-amz-server-side-encryption equals 'aws:kms'
B.s3:x-amz-server-side-encryption-aws-kms-key-id equals the KMS key ARN
C.s3:x-amz-acl equals 'bucket-owner-full-control'
D.s3:signatureversion equals 'AWS4-HMAC-SHA256'
AnswerA

Correct. This condition ensures that the request includes the required encryption header with value aws:kms.

Why this answer

Option A is correct because the condition key `s3:x-amz-server-side-encryption` in an S3 bucket policy can be used to require that the `x-amz-server-side-encryption` header is set to `aws:kms` on every PutObject request. This enforces server-side encryption with AWS KMS (SSE-KMS) at the bucket policy level, denying any request that omits or uses a different encryption header value.

Exam trap

The trap here is that candidates often confuse the condition key for the encryption header (`s3:x-amz-server-side-encryption`) with the condition key for the KMS key ID (`s3:x-amz-server-side-encryption-aws-kms-key-id`), mistakenly choosing Option B to enforce SSE-KMS instead of the correct header-based condition.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` checks for a specific KMS key ARN, not the encryption header value; it would allow requests with any SSE-KMS key but does not enforce the header itself. Option C is wrong because `s3:x-amz-acl` controls access control lists (ACLs), not encryption requirements; it is unrelated to server-side encryption enforcement. Option D is wrong because `s3:signatureversion` checks the signature version used in the request (e.g., AWS Signature Version 4), which is about request authentication, not encryption headers.

179
MCQhard

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The application is deployed to a t2.micro instance with 1 GB of RAM. The deployment uses an in-place update with a deployment configuration that has a minimum of 1 healthy host. What is the most likely cause of the failure?

A.The application uses too much memory, causing the instance to become unhealthy during deployment.
B.The instance does not have enough disk space to download the application revision.
C.The CodeDeploy agent timed out because the deployment took longer than 30 minutes.
D.The IAM role for the CodeDeploy agent does not have sufficient permissions to deploy the application.
AnswerA

t2.micro has only 1 GB RAM; high memory usage can cause health checks to fail.

Why this answer

Option A is correct because the t2.micro instance has limited memory, and the application may cause out-of-memory errors during deployment. Option C is wrong because the CodeDeploy agent timeout is typically 30 minutes, but the error mentions 'too few healthy instances', not a timeout. Option D is wrong because IAM role permission problems would cause a different error.

Option B is wrong because insufficient disk space is less likely given the instance's 8 GB EBS root volume.

180
MCQmedium

A company runs a microservices architecture on Amazon ECS with Fargate. The application experiences intermittent high latency. The operations team wants to trace requests across services and identify bottlenecks. Which AWS service should be used?

A.VPC Flow Logs
B.Amazon CloudWatch Logs
C.AWS X-Ray
D.Amazon CloudWatch Metrics
AnswerC

Designed for tracing and analyzing distributed applications.

Why this answer

Option C is correct because AWS X-Ray provides end-to-end tracing for distributed applications. Option B is wrong because CloudWatch Logs only collects logs, not traces. Option D is wrong because CloudWatch Metrics provides aggregated metrics but not request-level traces.

Option A is wrong because VPC Flow Logs capture network metadata but not application-level tracing.

181
MCQmedium

A developer is troubleshooting an AWS Lambda function that is triggered by an Amazon SQS queue. The function processes messages but occasionally fails. The failed messages are not being sent to the dead-letter queue (DLQ). What is the most likely reason?

A.The Lambda function's execution role does not have permission to send messages to the DLQ.
B.The SQS queue's redrive policy is not configured.
C.The Lambda function's reserved concurrency is set to 0.
D.The Lambda function does not have a dead-letter queue configured.
AnswerD

Lambda's DLQ must be explicitly configured to capture failed events.

Why this answer

For Lambda with SQS, a DLQ can be configured on the Lambda function or on the SQS source. If the Lambda function's DLQ is not configured, messages that fail after the maximum retries are discarded. The SQS queue's own DLQ (redrive policy) applies only if the message is not processed after the maxReceiveCount.

But Lambda's DLQ is separate. Option B is wrong because the SQS queue's DLQ is for messages that are not deleted after processing; Lambda deletes messages on success. Option A is wrong because the Lambda function's failure handling does not automatically send to a DLQ unless one is configured, so the execution role's permissions are not the cause.

Option C is wrong because the Lambda function's reserved concurrency does not affect DLQ. Option D is correct: the Lambda function's DLQ must be explicitly configured.

182
MCQeasy

A developer receives an alert that an EC2 instance's status check fails. The instance is running, but the developer cannot SSH into it. What is the most likely cause?

A.The security group inbound rules are incorrect.
B.The instance has been terminated.
C.There is a problem with the underlying host.
D.The key pair is missing.
AnswerC

Instance status check failure indicates host issues.

Why this answer

A status check failure on a running EC2 instance means that one of the two EC2 health probes is failing: the system status check, which covers the underlying host, or the instance status check, which tests network connectivity, OS responsiveness, and file system integrity. Since the instance is running but SSH is unavailable, the most likely cause is a problem with the underlying physical host (e.g., hardware degradation, network connectivity loss at the hypervisor level) that prevents the instance from responding to network traffic, even though the instance state shows as 'running'.

Exam trap

The trap here is that candidates confuse a status check failure with a network configuration issue (security group) or authentication problem (key pair), but status checks are internal health probes that do not depend on security group rules or SSH keys.

How to eliminate wrong answers

Option A is wrong because incorrect security group inbound rules would block SSH traffic at the network level, but the instance would still pass its status checks (status checks test the instance's internal health, not external network access). Option B is wrong because if the instance were terminated, it would not appear as 'running' in the console and the status check would show 'insufficient data' or 'not applicable', not a failure. Option D is wrong because a missing key pair would prevent SSH authentication, but the instance would still be reachable and pass status checks; the key pair is only used for authentication, not for instance health or network connectivity.

183
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails with a 'ScriptMissing' error. What is the most likely cause?

A.The deployment group is not configured for an Auto Scaling group.
B.The buildspec.yml file is missing from the application root.
C.The application revision is not stored in an S3 bucket.
D.The lifecycle event hook script referenced in appspec.yml is not present.
AnswerD

Missing script causes ScriptMissing error.

Why this answer

The correct answer is D. CodeDeploy requires a scripts directory with lifecycle event hooks. If the appspec.yml references a script that is missing, the deployment fails with ScriptMissing.

Option B is incorrect because CodeDeploy does not require a buildspec.yml. Option A is incorrect because the deployment group can target an ASG. Option C is incorrect because where the revision is stored does not produce a ScriptMissing error.

184
Multi-Selectmedium

Which TWO actions should a developer take to improve the security of an AWS Lambda function that processes sensitive data?

Select 2 answers
A.Use a dead-letter queue (DLQ) for failed invocations
B.Encrypt environment variables using AWS KMS
C.Grant the Lambda function full access to all S3 buckets
D.Run the Lambda function inside a VPC
E.Store secrets in the Lambda function code
AnswersB, D

Protects sensitive data at rest.

Why this answer

Encrypt environment variables with KMS and use a VPC to isolate the function. Options B and D are correct.

185
MCQmedium

A developer monitors an AWS Lambda function that processes messages from an Amazon SQS queue. CloudWatch logs show that the function's execution time has increased significantly over the past week. The function's code has not been changed recently. The function makes calls to an Amazon DynamoDB table. CloudWatch metrics show a high rate of DynamoDBProvisionedThroughputExceededException errors. The DynamoDB table has 5 read and 5 write capacity units (RCU/WCU). What is the most effective action to reduce the function's execution time?

A.Increase the Lambda function's memory allocation.
B.Increase the Lambda function's reserved concurrency.
C.Increase the DynamoDB table's read and write capacity units.
D.Increase the Lambda function's timeout.
AnswerC

Raising the provisioned capacity reduces the frequency of throttling exceptions. With fewer throttles, the function's retries decrease, leading to faster execution and lower overall latency.

Why this answer

Option C is correct because the high rate of DynamoDBProvisionedThroughputExceededException errors indicates that the Lambda function is being throttled by DynamoDB due to insufficient read and write capacity units. This throttling causes the function to retry operations, significantly increasing execution time. Increasing the RCU/WCU from 5 to a higher value directly addresses the bottleneck, allowing operations to complete without retries and reducing overall execution time.

Exam trap

The trap here is that candidates often confuse performance issues caused by Lambda resource limits (memory, concurrency, timeout) with downstream service throttling, leading them to adjust Lambda settings instead of addressing the root cause in DynamoDB capacity.

How to eliminate wrong answers

Option A is wrong because increasing memory allocation improves CPU performance and execution speed for compute-bound tasks, but the issue here is a DynamoDB throughput limitation, not a lack of compute resources. Option B is wrong because reserved concurrency controls how many concurrent Lambda invocations are allowed, which does not affect the per-invocation execution time or resolve DynamoDB throttling errors. Option D is wrong because increasing the timeout only allows the function to run longer before being terminated, but it does not reduce the actual time taken to process each message; the function will still be delayed by DynamoDB retries.

186
MCQhard

A company wants to audit all API calls made to AWS. Which service should be used to collect and store these logs?

A.VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records API calls for auditing.

Why this answer

AWS CloudTrail records all API calls and can store logs in S3. Option D (CloudWatch Logs) can store logs but is not the primary service for API auditing. Option A (VPC Flow Logs) captures network traffic, not API calls.

Option B (Config) records resource configuration changes, not API calls.

187
MCQmedium

A company uses AWS CodeDeploy to deploy applications to an Auto Scaling group. The deployment is failing with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment configuration is CodeDeployDefault.OneAtATime. The Auto Scaling group has 4 instances. What is the most likely cause?

A.The first instance in the deployment fails, and the deployment stops because only one instance is deployed at a time.
B.The CodeDeploy agent on the instances is not running.
C.The target group health checks are misconfigured.
D.The Auto Scaling group is scaling down during deployment.
AnswerA

OneAtATime deploys to one instance; if it fails, deployment fails immediately.

Why this answer

Option A is correct because with OneAtATime, if the first instance fails, the deployment stops and fails. Option D is wrong because the error indicates a deployment failure, not an Auto Scaling issue. Option B is wrong because a problem with the CodeDeploy agent would not by itself produce a healthy-host error.

Option C is wrong because the error mentions too few healthy instances, not misconfigured target groups.

188
MCQhard

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway HTTP API and multiple Lambda functions. The developer wants to implement a gradual deployment strategy where 10% of traffic is shifted to the new version, and if no errors occur, the remaining traffic is shifted after 5 minutes. The developer has defined the deployment preference in the SAM template. However, after deploying, the developer notices that the traffic shift happens immediately and not gradually. The SAM template includes the following configuration for one of the Lambda functions: DeploymentPreference: Type: Linear10PercentEvery5Minutes The developer has confirmed that the Lambda function version is being updated. What is the MOST likely reason the gradual deployment is not working?

A.The developer did not create a Lambda alias for the function.
B.The API Gateway integration is pointing to the Lambda function without specifying a version or alias.
C.The developer did not enable canary deployment in the API Gateway stage.
D.The Lambda function is using the default version, which cannot be used with gradual deployments.
AnswerB

Without a version or alias, API Gateway uses $LATEST, ignoring traffic shifting.

Why this answer

Option B is correct because for gradual deployments to work with API Gateway HTTP API, the Lambda function must be integrated using the function's ARN with the version number (e.g., my-function:1), not the function name alone. If the integration uses the function name (without version), API Gateway always invokes the $LATEST version, bypassing the traffic shifting. Option C is incorrect because CodeDeploy, not an API Gateway stage canary setting, is automatically used when DeploymentPreference is set in SAM.

Option A is incorrect because the Lambda alias is created by SAM for traffic shifting; if the alias were not created, the deployment would fail. Option D is incorrect because the default version is $LATEST, but the issue is with how API Gateway invokes the function.

189
MCQmedium

A developer has set up an AWS CodePipeline pipeline that automatically deploys a web application through a series of stages: Source, Build, Staging, and Production. The developer wants to require a manual approval before the pipeline proceeds to the Production stage. How should the developer implement this?

A.Add a manual approval action in the Staging stage
B.Add a manual approval action between the Staging and Production stages
C.Configure the Production stage to use a CloudFormation change set with execution role
D.Use an SNS topic to notify developers of the deployment
AnswerB

Correct. A manual approval action placed as a separate stage or as an action in the transition between stages pauses the pipeline until approval is granted.

Why this answer

Option B is correct because AWS CodePipeline supports manual approval actions that can be added as a stage or between stages to pause the pipeline and require explicit approval before proceeding. By placing the manual approval action between the Staging and Production stages, the pipeline will halt after the Staging stage completes and wait for an approver to manually approve the transition to the Production stage, ensuring no automatic deployment to production occurs without human oversight.

Exam trap

The trap here is that candidates may think a manual approval action must be placed inside a stage (like Staging) rather than as a separate stage between stages, but CodePipeline allows stages to be ordered sequentially, and the approval action must be in its own stage or at the end of a stage to block the transition to the next stage.

How to eliminate wrong answers

Option A is wrong because adding a manual approval action in the Staging stage would pause the pipeline during the Staging stage itself, not between Staging and Production, so the deployment would proceed to Production automatically after the Staging stage completes, defeating the requirement. Option C is wrong because configuring the Production stage to use a CloudFormation change set with execution role does not introduce a manual approval step; it only controls how CloudFormation executes changes, not a human approval gate. Option D is wrong because using an SNS topic to notify developers of the deployment does not block the pipeline; it only sends notifications, so the pipeline would continue to Production without any manual approval.

190
MCQeasy

A developer reports that an AWS Lambda function is timing out after 3 seconds. The function reads from an Amazon SQS queue. What is the most likely cause?

A.The Lambda function memory is set too low, causing slow execution.
B.The Lambda function timeout is set to 3 seconds, which is too low.
C.The Lambda execution role lacks permissions to poll SQS.
D.The SQS queue is empty, causing the function to wait indefinitely.
AnswerB

The default timeout is 3 seconds; increasing it resolves the timeout.

Why this answer

The Lambda function is timing out after exactly 3 seconds because its configured timeout is set to 3 seconds, which is too low for the workload. Lambda has a maximum execution timeout of 15 minutes (900 seconds), but the default timeout is 3 seconds. Since the function reads from an SQS queue, it likely needs more time to process messages, and increasing the timeout value will resolve the issue.

Exam trap

The trap here is that candidates often confuse timeout with memory or permissions issues, but the exact 3-second timeout is a direct indicator of the default Lambda timeout being too low, not a resource or authorization problem.

How to eliminate wrong answers

Option A is wrong because low memory can cause slower execution, but it would not cause a hard timeout at exactly 3 seconds; memory affects performance, not the timeout limit. Option C is wrong because if the execution role lacked permissions to poll SQS, the function would fail with an access denied error (e.g., 403 or 500), not a timeout. Option D is wrong because an empty SQS queue does not cause a Lambda function to wait indefinitely; Lambda polls the queue and returns immediately if no messages are available, and the function would complete quickly without timing out.

191
MCQeasy

A developer is using Amazon DynamoDB as the database for a web application. The application experiences occasional spikes in traffic, and some write requests fail with a ProvisionedThroughputExceededException. What is the MOST cost-effective way to handle these spikes without manual intervention?

A.Switch to on-demand mode for the table.
B.Enable DynamoDB auto scaling for the table.
C.Increase the provisioned write capacity to the peak expected value.
D.Use DynamoDB Accelerator (DAX) to cache writes.
AnswerB

Auto scaling adjusts capacity dynamically.

Why this answer

Option B is correct because DynamoDB auto scaling automatically adjusts capacity based on traffic, handling spikes without manual intervention. Option A is wrong because on-demand mode increases cost continuously. Option C is wrong because it requires manual changes.

Option D is wrong because it does not help with write throughput.

192
MCQmedium

Refer to the exhibit. A developer invoked a Lambda function and received the response shown. What does the response indicate?

A.The function was not invoked due to a permissions error.
B.The function executed successfully but did not return any logs.
C.The invocation timed out.
D.The function was invoked but returned an error.
AnswerD

FunctionError indicates an unhandled error in the function.

Why this answer

Option D is correct because the FunctionError field is 'Unhandled' and the response contains an error object, indicating a function error. Option A is wrong because the StatusCode is 200, not 4xx or 5xx. Option C is wrong because the invocation completed but the function failed.

Option B is wrong because an empty LogResult does not indicate success; the FunctionError field shows that the function failed.

193
MCQhard

A team uses AWS CodePipeline to deploy a microservices application to Amazon ECS. The pipeline has a Source stage (GitHub), a Build stage (CodeBuild), and a Deploy stage (ECS). During a deployment, the pipeline fails at the Deploy stage with the error: 'Action execution failed: Deployment failed. The service my-service has reached the maximum number of tasks.' The service is configured with a desired count of 2 and a maximum percent of 200%. What is the most likely cause of this failure?

A.The task definition references a memory value that exceeds the available container instance memory.
B.There are already 4 tasks running for the service, which is the maximum allowed by the deployment configuration.
C.The service's minimum healthy percent is set too high, preventing new tasks from starting.
D.The pipeline is trying to deploy to an ECS cluster that has reached its Amazon EC2 instance limit.
AnswerB

The maximum percent of 200% allows up to 4 tasks (2 * 200%). If 4 tasks are already running, the new deployment cannot start more.

Why this answer

Option B is correct because the error indicates the service has reached the maximum number of tasks. With a desired count of 2 and maximum percent of 200%, ECS allows up to 4 tasks during deployment (2 * 200% = 4). If there are already 4 tasks running (e.g., due to a previous deployment that did not complete), the new deployment cannot start additional tasks.

Option A is incorrect because insufficient memory would cause a different error (task failure). Option C is incorrect because the maximum percent is already set to 200%, which allows for rolling updates. Option D is incorrect because the pipeline is not related to EC2 instance limits; it uses the Fargate or EC2 launch type, but the error is about task count.

194
MCQeasy

A company wants to deploy a serverless application using AWS Lambda and API Gateway. The deployment process must support automatic rollbacks if the new version fails CloudWatch alarms. Which AWS service should be used to orchestrate this deployment?

A.AWS Elastic Beanstalk
B.AWS CodeDeploy
C.AWS CloudFormation with a change set
D.AWS CodePipeline
AnswerB

CodeDeploy supports Lambda canary/linear deployments and automatic rollback based on CloudWatch alarms.

Why this answer

Option B is correct. AWS CodeDeploy can be used with Lambda to perform canary or linear deployments and automatically roll back based on CloudWatch alarms. Option C is wrong because CloudFormation does not natively support canary deployments or automatic rollback based on alarms for Lambda.

Option A is wrong because AWS Elastic Beanstalk is for web applications, not serverless. Option D is wrong because AWS CodePipeline orchestrates build/test/deploy but does not handle canary deployments and rollback itself.

195
Multi-Selecthard

Which TWO security best practices should be applied when using AWS Lambda? (Choose TWO.)

Select 2 answers
A.Attach an IAM execution role with least privilege permissions.
B.Enable CloudWatch Logs for the Lambda function.
C.Hardcode database credentials in the function code.
D.Store sensitive data in Lambda environment variables.
E.Use AWS Secrets Manager to retrieve secrets at runtime.
AnswersA, E

Execution roles grant necessary permissions; least privilege minimizes risk.

Why this answer

Option A is correct because AWS Lambda requires an IAM execution role that defines the permissions the function has when interacting with other AWS services. The principle of least privilege dictates that this role should grant only the specific actions and resources needed for the function's intended purpose, minimizing the potential blast radius if the function is compromised.

Exam trap

The trap here is that candidates often confuse operational best practices (like enabling CloudWatch Logs) with security best practices, or they mistakenly believe that environment variables are a safe place to store secrets because they are not visible in the function code itself.

196
Multi-Selectmedium

A developer is troubleshooting a slow web application. The application uses an Application Load Balancer, EC2 instances, and an RDS database. The developer suspects the database is the bottleneck. Which TWO CloudWatch metrics should the developer examine to confirm this? (Select TWO.)

Select 2 answers
A.DatabaseConnections
B.RequestCount
C.NetworkIn
D.ReadIOPS and WriteIOPS
E.CPUUtilization
AnswersA, D

High connection count can indicate the database is overwhelmed.

Why this answer

Options A and D are correct. DatabaseConnections shows current connections; ReadIOPS and WriteIOPS show disk I/O, which can cause slowness. Option E (CPUUtilization) is a general metric, but for a database bottleneck, I/O and connections are more indicative.

Option C (NetworkIn) is more about network load. Option B (RequestCount) is for the ALB, not the database.

197
Multi-Selecthard

Which TWO of the following are required to enable cross-origin resource sharing (CORS) for an API hosted on Amazon API Gateway? (Choose two.)

Select 2 answers
A.Modify the Lambda function to return CORS headers in the response
B.Configure Amazon CloudFront to add CORS headers
C.Add an OPTIONS method to the API Gateway resource and configure it to return the required CORS headers
D.Configure an S3 bucket CORS policy
E.Enable CORS on the API Gateway resource and deploy the API
AnswersC, E

The OPTIONS method handles preflight requests.

Why this answer

Correct: C and E. To enable CORS, you must enable CORS on the API Gateway resource (which adds the required headers) and configure the OPTIONS method to respond to preflight requests. Option A is wrong because Lambda functions do not need to return CORS headers if API Gateway handles it.

Option B is wrong because CloudFront does not enable CORS for API Gateway. Option D is wrong because S3 CORS configuration is for S3, not API Gateway.

198
Multi-Selectmedium

A company uses AWS Lambda functions that are invoked by an Amazon S3 bucket notification. The function sometimes fails with a 'ResourceNotFoundException' for the S3 bucket. Which THREE steps should the developer take to resolve the issue?

Select 3 answers
A.Ensure the S3 bucket has versioning enabled.
B.Check the S3 bucket notification configuration for the correct Lambda function ARN.
C.Verify that the Lambda execution role has permissions to read from the S3 bucket.
D.Increase the Lambda function timeout.
E.Confirm that the S3 bucket exists and is in the same region as the Lambda function.
AnswersB, C, E

Incorrect ARN can cause the function not to be invoked.

Why this answer

Option B is correct because the 'ResourceNotFoundException' indicates that the Lambda function ARN specified in the S3 bucket notification configuration is incorrect or does not match the actual function ARN. S3 uses the notification configuration to invoke the Lambda function, and if the ARN is malformed, outdated, or points to a deleted function, S3 will throw this error. Verifying and correcting the ARN in the S3 event notification ensures S3 can successfully invoke the Lambda function.

Exam trap

The trap here is that candidates often confuse 'ResourceNotFoundException' with a permissions issue (Option C) or a timeout issue (Option D), but the error specifically indicates the target resource (the Lambda function) is not found, not that access is denied or execution is slow.

199
MCQ (hard)

A developer is deploying a microservice to Amazon ECS using Fargate. The service needs to be accessible from the internet via an Application Load Balancer. The developer creates the ECS service with a network load balancer by mistake. What is the minimal change required to fix the deployment?

A. Create a new target group for the ALB and update the ECS service to use it.
B. Update the ECS service to point to the ALB listener.
C. Change the existing target group to use ALB protocol.
D. Delete the ECS service and recreate it with an ALB.
Answer: A

Updating the service to use a new target group is a minimal change.

Why this answer

The minimal change is to create a new target group configured for the Application Load Balancer (ALB) and update the ECS service to use it. An ECS service with Fargate must be associated with a target group that matches the load balancer type; since the service was created with a Network Load Balancer (NLB), its existing target group uses TCP/TLS protocols. Creating an ALB-compatible target group (HTTP/HTTPS) and reassigning it to the service corrects the mismatch without deleting the service.

Exam trap

The trap here is that candidates assume you can modify the existing target group's protocol or simply point the service to the ALB listener, but AWS requires a target group of the correct type to be explicitly associated with the ECS service.

How to eliminate wrong answers

Option B is wrong because updating the ECS service to point to the ALB listener does not change the underlying target group; the service still references an NLB target group, causing a protocol mismatch. Option C is wrong because you cannot change an existing target group's protocol from TCP/TLS (NLB) to HTTP/HTTPS (ALB); target groups are immutable after creation and tied to the load balancer type. Option D is wrong because deleting and recreating the ECS service is not minimal; the service can be updated in place by specifying a new target group.

200
MCQ (easy)

A company uses AWS CloudFormation to manage infrastructure. The development team wants to deploy a new version of a Lambda function without downtime. The function is part of a stack. Which action should the team take?

A. Create a change set and execute it after the current stack is deleted.
B. Update the CloudFormation stack with the new function code and deploy the stack update.
C. Manually update the Lambda function code in the console and then update the stack.
D. Create a new CloudFormation stack for the new function and delete the old stack.
Answer: B

CloudFormation updates handle resource replacement; using Lambda aliases can ensure zero downtime.

Why this answer

Option B is correct: CloudFormation supports stack updates, so updating the Lambda function resource in the template and performing a stack update replaces the function with zero downtime if the function is behind an alias. Option D (create a new stack) leaves the old stack in place. Option A (change set) is just a review step.

Option C (manual update) bypasses CloudFormation.

201
Multi-Select (medium)

A company is using AWS CodePipeline to automate deployments. The pipeline has a source stage that retrieves code from an S3 bucket, a build stage using CodeBuild, and a deploy stage using CodeDeploy. The build stage sometimes fails due to intermittent network issues. Which TWO actions would make the pipeline more resilient to such failures?

Select 1 answer
A. Enable retry on the build stage to automatically attempt the build again on failure.
B. Store build artifacts in a different S3 bucket.
C. Add a manual approval stage before the build stage.
D. Configure the build stage to run multiple build actions in parallel.
E. Use a different source repository, such as CodeCommit.
Answers: A

Retry can handle transient failures.

Why this answer

Enabling retry on the build stage allows the pipeline to automatically retry the build after a transient failure. Adding a manual approval stage does not help with automated retries. Using a different source repository does not address build failures.

Splitting the build into multiple parallel actions adds complexity, not resilience. Storing artifacts in a different bucket is not relevant.

202
MCQ (hard)

A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). During peak hours, users report receiving HTTP 503 (Service Unavailable) errors. The developer checks Amazon CloudWatch metrics and finds that the ALB's request count is high but below the limit, and the target group's healthy host count drops to zero intermittently. The Auto Scaling group for the instances is configured with a minimum of 2, maximum of 10, and a simple scaling policy to add 2 instances when CPU utilization exceeds 70% for 5 consecutive minutes. What is the most likely cause of the 503 errors?

A. The Auto Scaling group's cooldown period prevents new instances from being added quickly enough during rapid traffic spikes
B. The ALB's idle timeout is set too low, causing dropped connections
C. The Auto Scaling group's maximum capacity of 10 is insufficient
D. The health check grace period is preventing instances from being marked healthy
Answer: A

After a scaling activity, the cooldown period (300s by default) pauses further scaling, causing delays that can result in all instances becoming unhealthy and returning 503 errors.

Why this answer

The 503 errors occur because the simple scaling policy has a cooldown period (default 300 seconds) that prevents the Auto Scaling group from launching new instances during rapid traffic spikes. When CPU exceeds 70% for 5 minutes, the policy adds 2 instances, but the cooldown blocks further scaling actions until it expires, even if the newly launched instances are still initializing and the healthy host count drops to zero. This mismatch between traffic demand and scaling responsiveness causes the ALB to have no healthy targets, resulting in 503 errors.

Exam trap

The trap here is that candidates often assume 503 errors are always due to capacity limits (Option C) or misconfigured health checks (Option D), but the real issue is the cooldown period's impact on scaling responsiveness during rapid traffic spikes.

How to eliminate wrong answers

Option B is wrong because the ALB's idle timeout (default 60 seconds) controls how long the ALB keeps a connection open without data transfer; it does not cause 503 errors or affect target health status. Option C is wrong because the maximum capacity of 10 is not the issue—the healthy host count drops to zero intermittently, indicating a scaling responsiveness problem, not a capacity ceiling. Option D is wrong because the health check grace period (default 300 seconds) delays the start of health checks for newly launched instances, but it does not cause healthy hosts to drop to zero; it only postpones marking them healthy, which would not explain intermittent drops in an already-running group.

203
Multi-Select (medium)

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The function is currently active and handling traffic. The developer wants to gradually shift traffic to the new version and rollback if errors increase. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Configure the alias to route a percentage of traffic to the new version and the rest to the current version.
B. Create a new version of the Lambda function.
C. Invoke the Lambda function with the new version using the AWS SDK.
D. Update the alias to route 100% of traffic to the new version.
E. Use AWS CodeDeploy to create a deployment group for the Lambda function.
Answers: A, B

This enables canary deployments.

Why this answer

Lambda aliases can route traffic between versions. Options A and B are correct. Option D is wrong because alias weights sum to 100, so routing 100% of traffic to the new version is not a gradual shift.

Option E is wrong because CodeDeploy can manage traffic shifting, but not directly via the CLI. Option C is wrong because the SDK is not needed.

204
MCQ (medium)

A developer is deploying a Lambda function that processes messages from an SQS queue. The queue has a batch size of 10. To optimize cost and performance, the developer wants to minimize the number of Lambda invocations while ensuring that all messages are processed within the SQS visibility timeout. Which configuration should the developer use?

A. Set the Lambda function timeout to less than the SQS visibility timeout.
B. Increase the SQS visibility timeout to 5 minutes and set Lambda timeout to 5 minutes.
C. Configure the Lambda function to process messages asynchronously.
D. Set the Lambda reserved concurrency to 1 to limit concurrent executions.
Answer: A

This ensures messages are processed before becoming visible again, reducing duplicate invocations.

Why this answer

Option A is correct because setting the Lambda function timeout to be less than the SQS visibility timeout ensures that the function can process messages and delete them before they become visible again, preventing duplicate processing. A batch size of 10 already allows up to 10 messages per invocation.

205
MCQ (hard)

A developer is using AWS CodePipeline to automate CI/CD. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The Build stage runs tests and packages the application. The developer notices that the Deploy stage is triggered even when the Build stage fails. How can the developer prevent deployment on build failure?

A. Set a transition between Build and Deploy stages that only allows successful builds.
B. Add a manual approval action before Deploy stage.
C. Add a CloudWatch Events rule to trigger a Lambda function that stops the pipeline on build failure.
D. Configure the Build stage with 'On failure: Abort' in the pipeline settings.
Answer: D

Aborting the pipeline on failure stops further stages.

Why this answer

CodePipeline transitions to the next stage automatically unless a stage fails. Option D is correct because setting 'On failure: Abort' stops the pipeline. Option C is incorrect because notifications do not prevent the transition.

Option A is incorrect because transitions are between stages, not within them. Option B is incorrect because manual approval is not automatic.

206
MCQ (easy)

A company needs to grant another AWS account read-only access to an S3 bucket. The developer wants to use a bucket policy without requiring IAM users in the trusted account. Which resource-based policy statement should the developer add to the bucket?

A. A principal of the root user of the other account with s3:GetObject.
B. A principal of any user with a condition for the account ID.
C. A principal of the other account's root ARN with s3:ListBucket and s3:GetObject.
D. A principal of 'arn:aws:iam::OTHER-ACCOUNT-ID:root' with s3:GetObject and s3:ListBucket.
Answer: D

Correct. This grants the entire account read-only access to the bucket.

Why this answer

Option D is correct because it uses the root user ARN of the trusted account as the principal, which effectively grants permissions to all IAM users and roles in that account. The s3:GetObject and s3:ListBucket actions provide the required read-only access. This approach allows cross-account access without needing to create IAM users in the trusted account, as the bucket policy is a resource-based policy that directly authorizes the principal.

Exam trap

The trap here is that candidates often confuse the principal format for cross-account access, mistakenly using an IAM user ARN or a full root ARN with 'root' as the resource, when the correct approach is to use the account ID or the root user ARN as the principal to grant access to all identities in the trusted account.

How to eliminate wrong answers

Option A is wrong because specifying the root user as a principal with only s3:GetObject grants read access to individual objects but not the ability to list the bucket contents, which is typically required for read-only access. Option B is wrong because using 'any user' as a principal is overly permissive and insecure; a condition on the account ID does not scope the principal correctly to the trusted account. Option C is wrong because, although granting s3:ListBucket and s3:GetObject to the other account's root is functionally correct, the principal element must be written as the account ID or the explicit root user ARN 'arn:aws:iam::OTHER-ACCOUNT-ID:root', which is what Option D states.

207
Multi-Select (easy)

A developer wants to ensure that an S3 bucket is not publicly accessible. Which TWO measures should the developer implement?

Select 2 answers
A. Enable S3 server access logging.
B. Enable versioning on the bucket.
C. Enable default encryption on the bucket.
D. Review the bucket policy to ensure it does not allow public access.
E. Enable S3 Block Public Access settings on the bucket.
Answers: D, E

A bucket policy could grant public access even if Block Public Access is off; removing public grants is essential.

Why this answer

Blocking public access at the account or bucket level (E) and ensuring no bucket policy grants public access (D) are both necessary. (C) is about encryption at rest, not access. (B) is about versioning. (A) is about logging.

208
MCQ (medium)

A developer needs to securely store database credentials for a Lambda function that accesses an Amazon RDS instance. The credentials must be automatically rotated every 30 days. Which AWS service should be used?

A. AWS IAM Roles for Lambda
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. AWS Systems Manager Parameter Store
Answer: B

Secrets Manager provides automatic rotation and fine-grained access control.

Why this answer

AWS Secrets Manager supports automatic rotation of secrets and integrates with Lambda and RDS. Option B is correct.

209
MCQ (hard)

A developer is building a serverless application that processes images uploaded to an S3 bucket. The bucket triggers a Lambda function that creates a thumbnail and stores it in another S3 bucket. The developer notices that the Lambda function is invoked multiple times for the same object, causing duplicate thumbnails. What is the MOST likely cause?

A. S3 event notifications are eventually consistent and may deliver duplicates.
B. The Lambda function is configured with a DLQ that causes retries.
C. The Lambda function is idempotent and should handle duplicates.
D. The S3 bucket has multiple event notifications that trigger the same Lambda function.
Answer: D

Multiple notifications (e.g., for different event types) can cause the same function to be invoked for the same object.

Why this answer

Option D is correct because if S3 event notifications are misconfigured (e.g., both PutObject and PutObjectAcl events trigger the same function), the function runs multiple times for the same object. Option B is wrong because Lambda provides at-least-once execution, but duplicates are not typical unless the function is triggered multiple times. Option A is wrong because S3 does not send duplicate events; the issue is multiple triggers.

Option C is wrong because an idempotent function is a way to handle duplicates, not a cause of them; each invocation still processes a unique event.

210
Multi-Select (easy)

Which THREE practices help protect data at rest in Amazon S3?

Select 3 answers
A. Enable versioning.
B. Enable MFA Delete.
C. Enable server-side encryption for the bucket.
D. Enable cross-region replication.
E. Use bucket policies to deny uploads without encryption headers.
Answers: B, C, E

MFA Delete requires multi-factor authentication to delete objects, adding a layer of protection.

Why this answer

B is correct because enabling MFA Delete on an S3 bucket requires multi-factor authentication for permanent deletion of object versions, adding an extra layer of security to protect data at rest from accidental or malicious deletion. This directly safeguards the durability and integrity of stored data.

Exam trap

The trap here is that candidates often confuse versioning (which provides data protection through object recovery) with data-at-rest security (which requires encryption or access controls like MFA Delete), leading them to select versioning as a valid practice for protecting data at rest.

211
MCQ (hard)

A developer is using an S3 bucket to store sensitive files. The bucket policy includes a condition that requires TLS for all requests. A user reports that they can access the bucket via the AWS Management Console but not via an application using HTTP. What is the likely issue?

A. The application is using an expired IAM access key.
B. The bucket policy denies HTTP requests via aws:SecureTransport condition.
C. The S3 bucket is in a different region.
D. The application is not signing requests with Signature Version 4.
Answer: B

Console uses HTTPS, application uses HTTP.

Why this answer

The condition aws:SecureTransport requires HTTPS; the application uses HTTP, which violates the policy.

212
MCQ (medium)

An IAM user has the above policy attached. The user tries to stop an EC2 instance. What happens?

A. The stop operation fails because ec2:StopInstances is not allowed explicitly.
B. The stop operation fails because of the Deny statement.
C. The stop operation fails because the policy is invalid (conflict).
D. The stop operation succeeds.
Answer: D

Allow for StopInstances, no Deny.

Why this answer

Option D is correct because the Allow statement explicitly allows StopInstances for all resources. The Deny only applies to TerminateInstances, not StopInstances. Option B is incorrect because there is no Deny for StopInstances.

Option A is incorrect because StopInstances is allowed. Option C is incorrect because the policy is valid.

213
MCQ (hard)

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to test a new feature by routing a small percentage of traffic to a separate environment before fully rolling out. Which Elastic Beanstalk deployment strategy should the developer use?

A. Rolling deployment
B. Blue/green deployment
C. Immutable deployment
D. All at once deployment
Answer: B

Blue/green deployment creates a separate environment (green) where the new version runs. Then you can perform a CNAME swap to route all traffic at once, or use Route 53 weighted routing to split traffic gradually.

Why this answer

Blue/green deployment is the correct strategy because it allows you to route a small percentage of traffic to a separate environment (the 'green' environment) by swapping the CNAME record or using Elastic Beanstalk's environment URL swap feature. This enables testing the new feature with a subset of users before fully rolling out to the 'blue' environment, minimizing risk and enabling quick rollback if issues arise.

Exam trap

The trap here is that candidates confuse rolling deployment with blue/green deployment, mistakenly thinking rolling deployment can route traffic to a separate environment, when in fact rolling deployment updates instances within the same environment and does not provide a separate testing environment for traffic routing.

How to eliminate wrong answers

Option A is wrong because rolling deployment updates instances in batches within the same environment, which does not provide a separate environment for testing a new feature with a small percentage of traffic; it gradually replaces the existing version across all instances. Option C is wrong because immutable deployment launches a new set of instances with the new version in a separate Auto Scaling group, but it does not support routing a small percentage of traffic to the new version; it either fully replaces the old environment or fails. Option D is wrong because all at once deployment updates all instances simultaneously in the same environment, causing downtime and no ability to test with a subset of traffic.

214
Multi-Select (medium)

A company is deploying a new web application on Amazon EC2 instances behind an Application Load Balancer. The application must be deployed with no downtime. The deployment uses AWS CodeDeploy with a Blue/Green deployment configuration. Which TWO actions should be taken to achieve zero-downtime deployment? (Choose TWO.)

Select 2 answers
A. Create a new load balancer for the new environment.
B. Create a new Auto Scaling group with the new application version and register it with the ALB.
C. Update the existing Auto Scaling group with the new application version.
D. Terminate the old EC2 instances immediately after deploying the new ones.
E. Gradually shift traffic from the old environment to the new environment using the ALB.
Answers: B, E

This creates the new environment for testing.

Why this answer

Options B and E are correct. B: The new environment must be created and fully tested before traffic is shifted. E: If the new environment passes tests, traffic is shifted to it.

Option D is wrong because terminating old instances immediately would cause downtime if the new environment fails. Option C is wrong because the new environment should be created first, not updated in-place. Option A is wrong because the load balancer is already in place; you should register the new instances with the existing ALB.

215
Multi-Select (medium)

Which THREE actions can be performed using AWS Lambda and Amazon S3 event notifications? (Choose three.)

Select 3 answers
A. Resize an image when a new image is uploaded to an S3 bucket.
B. Generate a pre-signed URL for an object.
C. Scan an uploaded file for viruses.
D. Enable versioning on the S3 bucket.
E. Transcode a video when a new video file is created.
Answers: A, C, E

Lambda can process image on upload.

Why this answer

Options A, C, and E are correct. S3 event notifications can trigger Lambda on PUT, POST, DELETE, etc. Option B (pre-signed URL generation) is not an event; it's a client action.

Option D (versioning) is a bucket property, not triggered by events.

216
MCQ (medium)

A company's S3 bucket contains sensitive data. The security team requires that all data be encrypted at rest. Which combination of actions will enforce encryption for all objects written to the bucket?

A. Enable default encryption on the bucket and apply a bucket policy that denies PutObject if the x-amz-server-side-encryption header is missing or set to None.
B. Use bucket ACLs to grant write access only to users who use encryption.
C. Enable default encryption on the bucket and use bucket ACLs to restrict access.
D. Create an AWS KMS key and attach a key policy that requires encryption.
Answer: A

This enforces encryption on all writes.

Why this answer

Option A is correct because enabling default encryption and using a bucket policy to deny writes without encryption headers ensures all objects are encrypted. Option C is wrong because default encryption alone does not prevent unencrypted uploads. Option D is wrong because KMS key policies do not enforce encryption.

Option B is wrong because bucket ACLs do not enforce encryption.

217
Multi-Select (medium)

A company is implementing a CI/CD pipeline using AWS CodePipeline and CodeBuild. The pipeline deploys a serverless application. Which TWO actions should be taken to securely manage the database credentials used by the application?

Select 2 answers
A. Embed the credentials in the Lambda function code.
B. Store the credentials in the buildspec.yml file in the CodeCommit repository.
C. Pass the credentials as CloudFormation parameters during deployment.
D. Use AWS Lambda environment variables with encryption using a KMS key.
E. Use AWS Secrets Manager to store the credentials and retrieve them in CodeBuild using an IAM role.
Answers: D, E

Lambda can encrypt environment variables with KMS and decrypt at runtime.

Why this answer

Option D is correct because AWS Lambda environment variables can be encrypted at rest using a KMS key, providing a secure way to store sensitive data like database credentials without hardcoding them in the function code. This approach ensures that the credentials are decrypted only when the Lambda function executes, and access to the KMS key can be controlled via IAM policies. Option E is also correct because AWS Secrets Manager is a dedicated service for managing secrets throughout their lifecycle, and CodeBuild can retrieve them securely using an IAM role with appropriate permissions, eliminating the need to store secrets in code or configuration files.

Exam trap

The trap here is that candidates may think CloudFormation parameters (Option C) are secure because they are not hardcoded, but they overlook that parameters can be exposed in plaintext in stack outputs, events, and parameter store, and they lack built-in encryption and rotation capabilities compared to Secrets Manager.

218
MCQ (medium)

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they can access objects in the S3 bucket from their office IP address (192.0.2.15) but cannot access from home (203.0.113.5). What is the most likely reason?

A. The policy requires requests to originate from a VPC.
B. The bucket policy does not allow the user.
C. The policy restricts access based on source IP address.
D. The policy denies all s3:GetObject actions.
Answer: C

The condition limits access to the specified IP range.

Why this answer

Option C is correct because the policy includes an IP address condition that restricts access to the 192.0.2.0/24 range. Option D is wrong because the policy allows GetObject. Option B is wrong because the bucket name is correct.

Option A is wrong because the condition is on source IP, not VPC.

219
MCQ (easy)

A developer wants to deploy a containerized application on AWS. The application requires persistent storage that can be accessed by multiple containers running on different EC2 instances. Which AWS service should the developer use?

A. Amazon Elastic File System (EFS)
B. Amazon Elastic Block Store (EBS)
C. Amazon Simple Storage Service (S3)
D. Amazon DynamoDB
Answer: A

EFS is a scalable file system that can be mounted on multiple EC2 instances concurrently.

Why this answer

Option A is correct because Amazon EFS provides shared file storage for multiple EC2 instances. Option B is wrong because EBS volumes can only be attached to one instance. Option C is wrong because S3 is object storage.

Option D is wrong because DynamoDB is a NoSQL database.

220
MCQ (hard)

An application running on EC2 instances behind an Application Load Balancer (ALB) occasionally returns HTTP 503 errors. The instances are in an Auto Scaling group. Which action should be taken to resolve this issue?

A. Enable cross-zone load balancing on the ALB.
B. Review the ALB access logs to identify the target response codes.
C. Increase the ALB idle timeout setting.
D. Increase the size of the EC2 instances.
Answer: B

Access logs show whether the 503 is from targets or the ALB, guiding further action.

Why this answer

HTTP 503 errors from an ALB indicate that the targets (EC2 instances) are not responding successfully. Reviewing ALB access logs reveals the specific target response codes (e.g., 503 from the target itself or connection timeouts), which helps pinpoint whether the issue is due to overloaded instances, application errors, or health check failures. This diagnostic step is essential before making any configuration changes.

Exam trap

The trap here is that candidates often jump to scaling or instance size changes (Option D) without first using access logs to diagnose whether the 503s originate from the ALB or the targets, leading to ineffective fixes.

How to eliminate wrong answers

Option A is wrong because cross-zone load balancing is enabled by default on ALBs and affects traffic distribution across Availability Zones, not the root cause of 503 errors from unresponsive targets. Option C is wrong because the ALB idle timeout setting controls how long the ALB keeps a connection open without data transfer; increasing it does not resolve 503 errors caused by target failures or overload. Option D is wrong because simply increasing EC2 instance size may mask the problem but does not address the underlying cause (e.g., application bugs, scaling policies, or health check misconfigurations) and could lead to unnecessary cost.

221
MCQ (hard)

A company has a monolithic application running on an EC2 instance that needs to be migrated to a microservices architecture on AWS. The development team wants to use AWS services to handle service discovery, configuration management, and secrets management. Which combination of AWS services should the team use?

A. Use Amazon ECS Service Discovery for service discovery, AWS Config for configuration, and AWS Systems Manager Parameter Store for secrets.
B. Use AWS Cloud Map for service discovery, AWS AppConfig for configuration, and AWS Secrets Manager for secrets.
C. Use AWS Cloud Map for service discovery, AWS Systems Manager Parameter Store for configuration, and AWS Secrets Manager for secrets.
D. Use AWS Service Discovery for service discovery, EC2 Image Builder for configuration, and AWS Key Management Service (KMS) for secrets.
Answer: B

Cloud Map for service discovery, AppConfig for config, Secrets Manager for secrets.

Why this answer

Option B is correct because AWS Cloud Map provides service discovery, AWS AppConfig manages application configuration, and AWS Secrets Manager securely stores secrets. Option C uses Systems Manager Parameter Store for configuration, but AppConfig is more feature-rich for configuration management. Option D uses Service Discovery (AWS Cloud Map), but EC2 Image Builder is for creating AMIs, not configuration.

Option A uses ECS Service Discovery (part of Cloud Map), but AWS Config is for resource compliance, not configuration management.

222
MCQ (hard)

The exhibit shows an IAM policy attached to a user who needs to deploy applications using AWS CodeDeploy. The user reports that they cannot create a deployment for the MyApplication/MyDeploymentGroup. What is the most likely reason?

A. The policy restricts the user to a different deployment group.
B. The user does not have permission to call the codedeploy:CreateDeployment action.
C. The user does not have permission to call codedeploy:GetDeployment and codedeploy:GetDeploymentGroup.
D. The policy does not include permission on the application resource.
Answer: D

CreateDeployment requires access to the application resource as well.

Why this answer

Option D is correct because the CreateDeployment action requires permission on the deployment group resource, but also requires permission on the application resource (arn:aws:codedeploy:region:account:application:MyApplication). The policy only grants permission on the deployment group, not the application. Option B is wrong because the actions are allowed.

Option C is wrong because GetDeployment and GetDeploymentGroup are allowed. Option A is wrong because the policy does not restrict the deployment group; it grants permission on the specific group.

223
MCQ (medium)

A developer is using AWS CodeDeploy to perform a canary deployment for an AWS Lambda function. The deployment should first shift 10% of traffic to the new version, and then shift the remaining 90% after 5 minutes. Which deployment configuration should be used?

A. AllAtOnce
B. Canary10Percent5Minutes
C. Linear10PercentEvery10Minutes
D. BlueGreen
Answer: B

This configuration shifts 10% instantly and then the remainder after 5 minutes. It is the correct choice for the described canary deployment.

Why this answer

Option B is correct because the Canary10Percent5Minutes deployment configuration is specifically designed for canary deployments with AWS Lambda, shifting 10% of traffic to the new version immediately and then automatically shifting the remaining 90% after a 5-minute interval. This matches the requirement exactly, as CodeDeploy uses this predefined configuration to orchestrate the traffic shift in two steps with a built-in wait period.

Exam trap

The trap here is that candidates often confuse deployment configurations (like Canary10Percent5Minutes) with deployment types (like BlueGreen), or they misremember the exact traffic percentages and intervals, leading them to select Linear10PercentEvery10Minutes or AllAtOnce instead of the precise configuration that matches the 10% initial shift and 5-minute wait.

How to eliminate wrong answers

Option A is wrong because AllAtOnce shifts 100% of traffic to the new version immediately, with no gradual traffic shifting or canary phase, which does not meet the requirement for a 10% initial shift and a 5-minute wait. Option C is wrong because Linear10PercentEvery10Minutes shifts traffic in 10% increments every 10 minutes, which would take 90 minutes to complete the full shift and does not match the specified 5-minute wait after the initial 10% shift. Option D is wrong because BlueGreen is a deployment type, not a deployment configuration; it refers to the strategy of routing all traffic to a new environment after validation, but CodeDeploy requires a specific traffic-shifting configuration (like Canary10Percent5Minutes) to control the canary behavior within a blue/green deployment.

224
MCQ · easy

A developer is building a microservices application that processes event messages from multiple sources. The application requires at-least-once delivery, but message ordering is not important. Which Amazon SQS queue type should the developer use?

A.Standard queue
B.FIFO queue
C.Dead-letter queue
D.Delay queue
Answer: A

Standard queues offer at-least-once delivery and high throughput without ordering guarantees, fitting the requirement.

Why this answer

Amazon SQS Standard queues provide at-least-once delivery and best-effort ordering, making them ideal for microservices that can tolerate duplicate messages and do not require strict message sequencing. Since the application processes events from multiple sources and message ordering is not important, a Standard queue meets the requirements without the throughput limitations of FIFO queues.

Exam trap

The trap here is that candidates often read the 'at-least-once' delivery requirement as a need for ordering and choose FIFO queues. The question explicitly states that ordering is not important, so Standard queues are the correct and more performant choice.

How to eliminate wrong answers

Option B is wrong because FIFO queues guarantee exactly-once processing and strict message ordering, which are unnecessary here and would impose a throughput limit of 3,000 transactions per second (with batching) or 300 without, adding cost and complexity. Option C is wrong because a dead-letter queue is not a primary queue type for receiving messages; it is a secondary queue used to capture messages that fail processing after a specified number of receive attempts. Option D is wrong because a delay queue is not a distinct queue type but a feature of Standard or FIFO queues that introduces an initial message delay (up to 15 minutes), which does not address the core requirement of at-least-once delivery.

225
MCQ · medium

Refer to the exhibit. A developer invoked a Lambda function and received this response. What does the FunctionError field indicate?

A.The function executed successfully.
B.The function threw an unhandled exception.
C.The function was throttled.
D.The function timed out.
Answer: B

A FunctionError value of Unhandled means the error was not caught by the function code.

Why this answer

Option B is correct because FunctionError: Unhandled indicates that the function threw an exception that was not caught by the function code. Option A is wrong because StatusCode 200 only means the invocation request itself succeeded, not that the function ran without error. Option C is wrong because throttling would return a 429 status code.

Option D is wrong because configuration errors would return 400.
