AWS Certified Developer Associate (DVA-C02) — Questions 226–300

1616 questions total · 22 pages · All types, answers revealed


Page 4 of 22

226
MCQhard

A developer is using AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The developer wants to automatically roll back the deployment if the CloudFormation stack update fails. Which configuration should be used?

A.Add a stack policy to the CloudFormation stack to prevent updates.
B.Set the deployment to use AWS CodeDeploy and enable rollback.
C.Configure a manual approval action in the pipeline to trigger a rollback.
D.Configure the CloudFormation stack to roll back on failure using the RollbackConfiguration.
AnswerD

CloudFormation can automatically roll back a failed update.

Why this answer

Correct: D. CloudFormation rolls back a failed stack update on its own (the stack ends in UPDATE_ROLLBACK_COMPLETE), and the stack's RollbackConfiguration extends that by naming CloudWatch alarms to watch during the update and for a monitoring period afterwards: if any alarm goes to ALARM, the update is rolled back even though every resource operation succeeded. CodePipeline itself rolls nothing back; a failed CloudFormation action simply fails the stage.

Option A is wrong because a stack policy restricts which resources an update may touch; it does not control rollback. Option B is wrong because CodeDeploy deploys to EC2/on-premises instances, Lambda aliases and ECS services, not to CloudFormation stack updates, and the template change is the deployment here. Option C is wrong because a manual approval action only pauses the pipeline until a human acts; it cannot trigger a rollback.

227
MCQmedium

A developer notices that an AWS Lambda function configured with a VPC is timing out when trying to access an Amazon S3 bucket. The function has the necessary IAM permissions. What is the most likely cause?

A.Lambda functions cannot be configured inside a VPC.
B.The Lambda function's execution role lacks S3 permissions.
C.The Lambda function does not have a route to the internet or a VPC endpoint for S3.
D.The security group attached to the Lambda function does not allow outbound traffic to S3.
AnswerC

Without a NAT gateway/instance or VPC endpoint, the function cannot reach S3 over the internet.

Why this answer

A VPC-enabled Lambda function has no internet access unless configured with a NAT Gateway/Instance or VPC Endpoint. To access S3, the function either needs a VPC endpoint for S3 or a route to the internet via a NAT device. The IAM permissions are not the issue.

Option A is wrong because a Lambda function can be attached to a VPC; the symptom is a routing problem, not an unsupported configuration. Option B is wrong because the question states the execution role already has the S3 permissions, and a missing permission fails fast with AccessDenied rather than timing out. Option D is less likely because a security group allows all outbound traffic by default; if the outbound rules had been tightened the symptom would be the same, so check the subnet's route table and endpoints first and the security group second.

One detail to remember: a VPC-attached function's ENIs never get public IPs, so a route to an internet gateway does not help. The subnet needs a route to a NAT device or a gateway endpoint for S3; the endpoint also keeps the traffic off the public internet and lets you restrict the endpoint policy to specific buckets.
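As an added example (not from the question bank), the Python below takes route tables in the shape EC2 DescribeRouteTables returns and classifies how a given subnet would reach S3, including the public-subnet trap where an internet gateway route exists but does nothing for Lambda ENIs. The subnet IDs, route table data and prefix-list ID are constructed; in practice you would feed it the real describe-route-tables output.

```python
"""Classify a Lambda subnet's path to S3 from DescribeRouteTables-shaped data.

Added example, not part of the question bank. The route tables below are
constructed by hand in the shape EC2 returns; all IDs are made up.
"""
from typing import List, Optional


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """Return the table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def s3_path(route_tables: List[dict], subnet_id: str) -> str:
    """Classify how a function in this subnet would reach S3.

    'gateway-endpoint': an S3 gateway endpoint route (prefix list -> vpce-) exists.
    'nat':              a default route to a NAT gateway or NAT instance exists.
    'igw-only':         the default route goes to an internet gateway; Lambda ENIs have
                        no public IP, so this still does NOT reach S3 (the classic trap).
    'none':             no usable route at all.
    """
    table = route_table_for_subnet(route_tables, subnet_id)
    if table is None:
        return "none"
    has_nat = has_igw = False
    for route in table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackholed routes (for example a deleted NAT gateway) do not count
        if route.get("GatewayId", "").startswith("vpce-"):
            return "gateway-endpoint"
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("NatGatewayId") or route.get("InstanceId"):
                has_nat = True
            elif route.get("GatewayId", "").startswith("igw-"):
                has_igw = True
    if has_nat:
        return "nat"
    if has_igw:
        return "igw-only"
    return "none"


# Constructed sample: three subnets with different route tables (IDs are made up).
ROUTE_TABLES = [
    {   # main table: local route only, so an unassociated subnet has no egress at all
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
    {   # private subnet with an S3 gateway endpoint and a blackholed NAT route
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0dead", "State": "blackhole"},
            {"DestinationPrefixListId": "pl-0s3", "GatewayId": "vpce-0s3", "State": "active"},
        ],
    },
]


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private", "subnet-orphan"):
        print(subnet, "->", s3_path(ROUTE_TABLES, subnet))
```

Run it against the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` for the VPC the function is attached to; "igw-only" is the answer that surprises people, because the subnet is "public" yet the function still times out.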

228
MCQhard

A developer creates the CloudFormation stack with the template above. After the stack is created, messages that are not processed after 5 receives are moved to the DLQ. However, the developer notices that the RedrivePolicy references a queue ARN that is hardcoded. What is the best practice to avoid this hardcoded ARN?

A.Use Ref to reference the DLQ's QueueName and construct the ARN.
B.Use Fn::Sub to substitute the queue name into a hardcoded ARN template.
C.Use Fn::ImportValue to import the DLQ ARN from another stack.
D.Use Fn::GetAtt with "Arn" attribute on the DLQ resource.
AnswerD

Fn::GetAtt can retrieve the Arn attribute of a queue resource.

Why this answer

Option D is correct because Fn::GetAtt on the DLQ's logical ID with the Arn attribute returns the ARN of the queue CloudFormation actually created, so the value follows the stack into any account, region or partition. Option A is wrong because Ref on an AWS::SQS::Queue returns the queue URL, not the name, and assembling the ARN by hand still hardcodes the partition, region and account ID. Option B is wrong because Fn::Sub with a literal ARN template has the same problem; the correct Fn::Sub form, ${LogicalId.Arn}, is just Fn::GetAtt in another syntax.

Option C is wrong because Fn::ImportValue is for values exported by another stack; the DLQ is defined in this template, so a cross-stack import adds a dependency for no benefit.
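As an added example (not from the question bank, and not the exhibit's template), the Python below is a small template check that flags literal ARNs with a concrete account ID anywhere under Resources, then shows the same queue pair written with Fn::GetAtt so the check comes back clean. The logical IDs OrdersQueue/OrdersDLQ and the account ID are constructed; in real use you would load the template with a YAML or JSON parser rather than build a dict.

```python
"""Flag hardcoded ARNs in a CloudFormation template and show the Fn::GetAtt fix.

Added example, not part of the question bank. The templates are constructed
(logical IDs OrdersQueue/OrdersDLQ and the account ID are made up).
"""
import re
from typing import Any, Iterator, List, Tuple

# A literal ARN carrying a concrete 12-digit account ID is what we never want in
# a template's Resources: it silently breaks when the stack is deployed elsewhere.
ARN_RE = re.compile(r"\barn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:")


def _strings(node: Any, path: Tuple = ()) -> Iterator[Tuple[str, str]]:
    """Yield (slash-joined path, string) for every string inside a nested structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, path + (index,))
    elif isinstance(node, str):
        yield "/".join(map(str, path)), node


def find_hardcoded_arns(template: dict) -> List[Tuple[str, str]]:
    """Return (path, value) for each property string under Resources that embeds a literal ARN."""
    return [(path, value)
            for path, value in _strings(template.get("Resources", {}))
            if ARN_RE.search(value)]


def _queue_pair(redrive_target: Any) -> dict:
    """Queue plus DLQ; only the deadLetterTargetArn expression differs between the two versions."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "OrdersDLQ": {"Type": "AWS::SQS::Queue", "Properties": {"QueueName": "orders-dlq"}},
            "OrdersQueue": {
                "Type": "AWS::SQS::Queue",
                "Properties": {
                    "QueueName": "orders",
                    "RedrivePolicy": {
                        "deadLetterTargetArn": redrive_target,
                        "maxReceiveCount": 5,
                    },
                },
            },
        },
    }


# The shape the question describes: the DLQ's ARN pasted in as a string.
HARDCODED_TEMPLATE = _queue_pair("arn:aws:sqs:us-east-1:123456789012:orders-dlq")

# The fix: ask CloudFormation for the ARN of the resource it created. Ref on an
# AWS::SQS::Queue would return the queue URL, which is why GetAtt Arn is needed.
FIXED_TEMPLATE = _queue_pair({"Fn::GetAtt": ["OrdersDLQ", "Arn"]})


if __name__ == "__main__":
    for name, template in (("hardcoded", HARDCODED_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, find_hardcoded_arns(template) or "clean")
```

The regex deliberately requires a literal account ID, so an Fn::Sub string built from ${AWS::AccountId} and ${AWS::Region} passes; a pre-commit hook that runs this over every template catches the copy-paste ARN before it reaches a second account.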

229
MCQmedium

A developer runs the query shown in the exhibit on a DynamoDB table named 'Orders' and gets an error. What is the MOST likely cause?

A.The expression attribute values are incorrectly formatted
B.The table's partition key is not named 'OrderID'
C.The table does not exist
D.The query needs to use a sort key
AnswerB

The key condition expression must use the partition key attribute.

Why this answer

A Query requires an equality condition on the table's partition key in KeyConditionExpression; an error saying the expression does not match the key schema means OrderID is not the partition key of Orders. Option B is correct. Option A would surface as a ValidationException about the expression values themselves, Option C as a ResourceNotFoundException, and a sort key condition (Option D) is optional in a Query.

230
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS MySQL database. Recently, the application started experiencing frequent database connection timeouts. The development team discovered that the application is not closing database connections properly, leading to exhausted database connections. The team wants a solution that does not require code changes. Which option should they choose?

A.Configure Amazon RDS Proxy in front of the RDS instance and update the application to connect through the proxy.
B.Enable Multi-AZ on the RDS instance to handle failover and reduce connection timeouts.
C.Migrate the database to Amazon Aurora and enable Auto Scaling for read replicas.
D.Increase the max_connections parameter in the RDS parameter group to allow more concurrent connections.
AnswerA

RDS Proxy maintains a pool of connections to the database, reducing the number of open connections and preventing exhaustion.

Why this answer

Option A is correct. RDS Proxy sits between the application and the database, keeps a warm pool of connections to MySQL and multiplexes many application connections onto it, so leaked client connections no longer map one-for-one onto database connections. Pointing the application at the proxy endpoint is a connection-string change (configuration), not a code change; the proxy also needs an IAM role and a Secrets Manager secret holding the database credentials. Option B is wrong because Multi-AZ is for availability; the standby takes no application connections, so it does nothing about exhaustion.

Option C is wrong because migrating to Aurora and scaling read replicas does not fix a connection leak on the writer and is far more effort. Option D is wrong because raising max_connections only postpones the moment the leaked connections exhaust the new limit, and each extra connection costs memory on the instance.

231
MCQeasy

A developer needs to store a database password for an AWS Lambda function. The password must be encrypted at rest with a customer-managed key that can be rotated manually. Which solution meets these requirements with minimal operational overhead?

A.Store the password in an encrypted Lambda environment variable using a customer-managed AWS KMS key
B.Store the password in AWS Systems Manager Parameter Store as a SecureString parameter
C.Store the password in AWS Secrets Manager and configure automatic rotation
D.Store the password in an Amazon S3 configuration file encrypted with server-side encryption
AnswerA

Lambda can encrypt environment variables at rest with a customer-managed KMS key; manual rotation means creating a new key, pointing the function's configuration at it and re-saving the variables so they are re-encrypted.

Why this answer

Option A is correct because an encrypted Lambda environment variable under a customer-managed AWS KMS key meets the encryption-at-rest requirement with the least machinery: Lambda integrates natively with KMS, no second service has to be called at runtime, and you rotate by creating a new key, updating the function's KMS key setting and re-saving the variables. Be clear about what the setting protects: Lambda decrypts the variables into the execution environment, and anyone allowed lambda:GetFunctionConfiguration plus kms:Decrypt on the key can read them in the console or API. If that is not acceptable, use the console's encryption helpers (client-side encryption, with the function calling kms:Decrypt itself) or move the secret to Secrets Manager.

Exam trap

The trap here is that candidates often assume AWS Secrets Manager is always the best choice for secrets, but the question explicitly requires minimal operational overhead and manual rotation, making the simpler Lambda environment variable with KMS the correct answer.

How to eliminate wrong answers

Option B is wrong in the exam's framing because a SecureString parameter, although it can also use a customer-managed key, introduces a second service the function must call (and be allowed to call) at runtime, with caching logic to avoid an API call per invocation; nothing about it is more "manually rotatable" than the environment variable. Option C is wrong because Secrets Manager with automatic rotation goes past the stated requirement (manual rotation, minimal overhead) and adds a rotation Lambda, a per-secret charge and runtime retrieval code. Option D is wrong because a configuration file in S3 means the function must fetch and parse it on every cold start, the bucket policy and object permissions become part of the secret's trust boundary, and server-side encryption on its own says nothing about who can read the object.

232
MCQmedium

A company is using Amazon API Gateway to expose a REST API. The API must authenticate requests using an external OAuth 2.0 provider. Which API Gateway feature should be used?

A.IAM authorization
B.Resource policy
C.Lambda authorizer
D.Amazon Cognito User Pools
AnswerC

A Lambda authorizer can validate OAuth tokens from any provider.

Why this answer

Option C is correct because a Lambda authorizer runs your own code per request (results can be cached by token), so it can fetch the provider's JWKS, verify the token's signature, and check issuer, audience and expiry before API Gateway invokes the backend. Option A is wrong because IAM authorization expects requests signed with AWS SigV4 credentials, not bearer tokens. Option B is wrong because a resource policy restricts who may call the API by principal, source IP or VPC; it does not validate tokens.

Option D is wrong because a Cognito user pool authorizer accepts only tokens issued by that user pool (Cognito can federate an external OAuth provider, but the API then sees Cognito-issued tokens). Note the distinction by API type: an HTTP API has a built-in JWT authorizer that works with any OIDC/OAuth 2.0 issuer, while a REST API, as in this question, offers only IAM, Cognito user pool and Lambda authorizers.

233
MCQhard

A developer is deploying a multi-container Docker application on Amazon ECS using the Fargate launch type. The application consists of a web server and a background worker. The web server must be scaled independently and must be accessible from the internet via an Application Load Balancer. The worker should not be accessible from the internet. Which ECS configuration should the developer use?

A.Create one ECS service with both containers in the same task definition, but only expose the web server port.
B.Create two separate ECS services, each with its own task definition, and place the web server in a public subnet with the worker in a private subnet.
C.Create one ECS service with two tasks, each containing one container.
D.Create one ECS service with two containers in the same task, and use a service discovery to expose the worker.
AnswerB

Correct. Separate services allow independent scaling. Placing the web server in a public subnet with an ALB provides internet access, while the worker in a private subnet remains isolated.

Why this answer

Option B is correct because two ECS services, each with its own task definition, can be scaled independently; the web service registers with the Application Load Balancer's target group and the worker never does. Placing the worker in a private subnet with a security group that admits no inbound traffic isolates it from the internet. In practice only the ALB itself needs public subnets: the web tasks can also run in private subnets behind it, which is tighter still, but B is the only option that both separates the services and isolates the worker.

Exam trap

The trap here is that candidates assume containers in the same task definition can be independently scaled or that service discovery alone provides network isolation, but in ECS, containers in the same task share the same resources and scaling lifecycle, and service discovery does not restrict internet access.

How to eliminate wrong answers

Option A is wrong because placing both containers in the same task definition forces them to be scaled together as a unit, preventing independent scaling of the web server, and exposing only the web server port does not isolate the worker from the internet since both containers share the same network namespace. Option C is wrong because creating one ECS service with two tasks, each containing one container, does not allow independent scaling of the web server and worker; the service scales all tasks together, and the worker task would still be in the same subnet as the web server unless explicitly placed in a private subnet, which is not specified. Option D is wrong because placing both containers in the same task (same task definition) again couples their scaling and lifecycle, and using service discovery (AWS Cloud Map) does not prevent the worker from being internet-accessible; service discovery only provides DNS-based service resolution within a VPC, not network isolation.

234
MCQhard

A company has a microservices architecture running on Amazon ECS with Fargate. Each service exposes an API through an Application Load Balancer (ALB). The development team needs to implement canary deployments for one of the services. What is the MOST efficient way to achieve this?

A.Create two ECS services behind the same ALB, each with a different task definition, and use sticky sessions.
B.Use Amazon Route 53 weighted routing policies to distribute traffic between two ALBs.
C.Configure the ALB to use weighted target groups, each pointing to a different task set of the same ECS service.
D.Use AWS CodeDeploy with an ECS blue/green deployment configuration that supports canary traffic shifting.
AnswerC

ALB weighted target groups allow precise traffic splitting between task sets, enabling canary deployments easily.

Why this answer

Option C is correct because an ALB listener rule can forward to several target groups with weights, and each task set of an ECS service (using the EXTERNAL deployment controller) registers with its own target group, so sending 5% or 10% of traffic to the new task set is a single listener change with no extra infrastructure. Option A is wrong because sticky sessions pin users to targets; they give no control over what share of traffic the new version receives, and two separate services complicate scaling and rollback. Option B is wrong because Route 53 weighting needs a second ALB, and DNS caching and TTLs make the split imprecise and slow to undo.

Option D is wrong only in the sense the question intends: CodeDeploy can run canary deployments for ECS (it drives the same weighted target groups underneath) but requires a CodeDeploy application, deployment group and AppSpec, so it is not the most direct route when the service is managed directly.

235
Multi-Selecthard

Which THREE actions should a developer take to secure an AWS Lambda function that processes sensitive data? (Choose 3.)

Select 3 answers
A.Store configuration values in Lambda environment variables.
B.Attach an IAM role with least privilege permissions.
C.Enable encryption of environment variables using AWS KMS.
D.Run the Lambda function inside a VPC.
E.Enable AWS CloudTrail for the Lambda function.
AnswersA, C, D

Environment variables avoid hardcoding secrets in code.

Why this answer

A, C and D are the keyed answers. Configuration in environment variables (A) keeps values out of the deployment package and source control; encrypting those variables with a customer-managed KMS key (C) protects them at rest; attaching the function to a VPC (D) lets it reach private data stores without traversing the public internet.

The key treats a least-privilege execution role (B) as a baseline every function already needs rather than an additional step; in practice it is the single most important control, so do not skip it because of this question. CloudTrail (E) records who invoked and reconfigured the function, which is auditing rather than protection. Also remember that environment variables are readable by anyone allowed lambda:GetFunctionConfiguration, so actual secrets belong in Secrets Manager or Parameter Store, or at least in client-side-encrypted variables.

236
MCQmedium

A developer is designing a serverless application using API Gateway, Lambda, and DynamoDB. The API must authenticate users using a JWT token. Which API Gateway feature should the developer use to validate the JWT before invoking the Lambda function?

A.Use an IAM authorizer with a resource policy.
B.Use an Amazon Cognito user pool authorizer.
C.Use a Lambda authorizer (custom authorizer).
D.Use an API Gateway resource policy to allow only authenticated IPs.
AnswerC

Lambda authorizer can validate any JWT.

Why this answer

Option C is correct because a Lambda authorizer (custom authorizer) lets the developer implement the JWT checks in code: verify the signature against the issuer's key (a JWKS document or a shared secret), reject unexpected alg values, and check exp, iss and aud before the request reaches the backend function. It returns an IAM policy allowing or denying execute-api:Invoke on the method ARN and can pass claims to the backend through the authorizer context, so authorization decisions can be made on the token's content. A REST API has no built-in JWT authorizer; its native options are IAM, a Cognito user pool authorizer, or Lambda. (The built-in JWT authorizer that validates tokens from any OIDC/OAuth 2.0 issuer exists only for HTTP APIs.)

Exam trap

The trap here is that candidates often confuse the managed Cognito user pool authorizer (Option B) with the ability to validate any JWT, but the exam tests that the Cognito authorizer only works with Cognito-issued tokens, while a Lambda authorizer is required for custom or third-party JWT validation.

How to eliminate wrong answers

Option A is wrong because IAM authorization authenticates SigV4-signed requests from AWS principals, not bearer JWTs. Option B is wrong because a Cognito user pool authorizer validates only tokens issued by that user pool, and the question does not say the tokens come from Cognito; if they did, B would be the lower-effort choice. Option D is wrong because a resource policy controls access by source IP, VPC or AWS principal; it does not inspect or validate a JWT and cannot authenticate individual users.
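As an added example (not from the question bank), the Python below is a REST API TOKEN authorizer that validates an HS256 JWT with the standard library only: it pins the algorithm, checks the signature with a constant-time compare before trusting any claim, then checks exp, iss, aud and sub and returns the policy document API Gateway expects. It also covers question 232's external-provider case. The shared secret, issuer, audience and method ARN are constructed; a real deployment would load the key from Secrets Manager (or verify RS256 against the issuer's JWKS) and cache the result per token.

```python
"""REST API Lambda (TOKEN) authorizer that validates an HS256 JWT with the standard library only.

Added example, not part of the question bank. SHARED_SECRET, EXPECTED_ISSUER and
EXPECTED_AUDIENCE are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SHARED_SECRET = b"example-shared-secret-do-not-ship"  # constructed for the example
EXPECTED_ISSUER = "https://idp.example.com/"           # constructed
EXPECTED_AUDIENCE = "orders-api"                        # constructed


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: Dict[str, Any], key: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; present only so the example can exercise verify_token offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if alg, signature, exp, iss, aud and sub all check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: never honour alg=none or a swap to another family
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")  # verified before any claim is trusted
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud")
    if EXPECTED_AUDIENCE not in (audience if isinstance(audience, list) else [audience]):
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def is_valid(token: str, now: Optional[float] = None) -> bool:
    """True if verify_token accepts the token (base64/JSON decode errors are ValueError subclasses)."""
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


def authorize(event: Dict[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """Turn a TOKEN-authorizer event into the policy document API Gateway expects."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer HTTP 401
    try:
        claims = verify_token(token, now)
    except ValueError:
        raise Exception("Unauthorized")
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": event["methodArn"]}],
        },
        # Surfaced to the integration as $context.authorizer.sub / .scope (string values only).
        "context": {"sub": claims["sub"], "scope": str(claims.get("scope", ""))},
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point."""
    return authorize(event)
```

Two design points: the policy's Resource is the exact methodArn, which is the safe default; if you enable authorizer caching and want one cached decision to cover several methods, widen the Resource deliberately rather than returning "*". And the "Unauthorized" exception yields a 401 for a missing or invalid token, whereas returning an Effect of Deny yields a 403 for a valid token that lacks the right scope.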

237
MCQeasy

A developer is deploying a new version of an application to Amazon ECS using AWS CodeDeploy. The application uses a blue/green deployment strategy. After the deployment, traffic is automatically shifted to the new task set. However, the developer wants to test the new version with a small percentage of users before shifting all traffic. What should the developer do?

A.Create a new ECS task definition with a different CPU/memory allocation.
B.Use CodeDeploy to perform a canary deployment that shifts 10% of traffic initially.
C.Configure the target group to route traffic to a specific task set.
D.Use ECS service auto scaling to gradually increase the number of tasks.
AnswerB

CodeDeploy supports canary deployments for ECS, allowing gradual traffic shifting.

Why this answer

CodeDeploy supports canary deployments for ECS, which allow you to shift a specified percentage of traffic to the new task set initially (e.g., 10%) and then, after a configured interval, shift the remaining traffic. This matches the requirement to test with a small percentage of users before shifting all traffic. Option B directly implements this canary strategy.

Exam trap

The trap here is that candidates confuse 'canary deployment' (traffic shifting) with 'auto scaling' (task count scaling) or think that modifying the task definition or target group alone can achieve gradual traffic routing.

How to eliminate wrong answers

Option A is wrong because CPU/memory in the task definition affects resource provisioning, not which version receives traffic. Option C is wrong because in a CodeDeploy blue/green deployment each task set already has its own target group; the percentage split is made by the weighted forward action on the ALB listener, which CodeDeploy manages for you when you pick a canary configuration such as CodeDeployDefault.ECSCanary10Percent5Minutes. Option D is wrong because service auto scaling changes the number of tasks in response to load, not the share of traffic sent to a new version.

238
MCQmedium

A developer deploys an application on EC2 instances behind an Application Load Balancer (ALB). The application uses sticky sessions (session affinity) based on a cookie. Users report that they are intermittently logged out during their session. What is the MOST likely cause?

A.The deregistration delay value is too low, causing connections to be dropped during scaling events.
B.The ALB health check interval is too short, causing healthy instances to be marked unhealthy frequently.
C.Cross-zone load balancing is disabled, causing uneven traffic distribution.
D.The stickiness cookie expiration duration is set too low, causing the cookie to expire before the user's session ends.
AnswerD

Short cookie duration causes loss of stickiness.

Why this answer

Option D is correct: with duration-based stickiness the ALB issues a cookie (AWSALB, or AWSALBAPP for application-based stickiness) whose lifetime is the configured duration; once it expires the next request is load balanced afresh and may land on an instance holding no copy of the session, so the user appears logged out. Option A is wrong because deregistration delay affects draining of in-flight requests during scale-in, not cookie-based routing. Option B is wrong because health checks mark targets healthy or unhealthy; they do not expire cookies.

Option C is wrong because cross-zone load balancing changes how evenly traffic is spread across Availability Zones, not whether a sticky client keeps its target. The robust fix is to store session state outside the instance (ElastiCache or DynamoDB) rather than tuning the cookie.

239
Multi-Selectmedium

A company is using AWS Lambda functions that access an RDS database. Which THREE practices should be followed to secure the database credentials?

Select 3 answers
A.Use AWS Secrets Manager to store and automatically rotate the credentials.
B.Use a security group to decrypt the credentials.
C.Encrypt the credentials using AWS KMS and pass them as encrypted environment variables to Lambda.
D.Store the credentials in the Lambda function code.
E.Place the Lambda function inside a VPC and use a security group to allow access to RDS.
AnswersA, C, E

Secrets Manager provides secure storage and rotation.

Why this answer

Option A is correct because Secrets Manager stores the credentials encrypted with KMS, serves them over an authenticated and logged API, and can rotate RDS credentials on a schedule with its managed rotation function, so no long-lived password sits in code or configuration. Option C is correct as the lighter-weight alternative: encrypt the password with a KMS key before storing it as an environment variable and call kms:Decrypt at cold start, so the value is ciphertext everywhere except inside the running function. Option E is correct because it closes the network path: with the function in the VPC, the database's security group can allow inbound MySQL or PostgreSQL only from the function's security group instead of from anywhere.

Option B is wrong because a security group is a stateful packet filter; it has nothing to do with decryption. Option D is wrong because credentials in code are visible to anyone with access to the repository, the deployment package or lambda:GetFunction, and cannot be rotated without a redeploy.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with cryptographic operations, or assume that encrypting environment variables with KMS is sufficient, overlooking that Secrets Manager provides rotation and centralized audit capabilities that KMS alone does not.

240
MCQeasy

A developer is deploying a web application using AWS Elastic Beanstalk. The application experiences high traffic during peak hours. The developer wants to ensure that the environment can scale out quickly without manual intervention. Which Elastic Beanstalk configuration should be used?

A.Use a scheduled scaling action to increase capacity during peak hours.
B.Manually add EC2 instances during peak hours.
C.Set the environment to use a fixed number of EC2 instances.
D.Configure Auto Scaling triggers based on CloudWatch alarms.
AnswerD

Auto Scaling triggers allow the environment to scale out based on metrics like CPU.

Why this answer

Option D is correct. Elastic Beanstalk's Auto Scaling triggers create CloudWatch alarms on a metric such as CPUUtilization or request count and add instances when the upper threshold is breached, with no human involved. Option A is wrong because scheduled scaling changes capacity at fixed times; it does not react to traffic that arrives outside the schedule.

Option B is wrong because manual intervention is exactly what the question rules out. Option C is wrong because a fixed instance count never scales.

241
Multi-Selectmedium

Which THREE statements are true about AWS Lambda concurrency and scaling?

Select 3 answers
A.Provisioned concurrency can be used to reduce cold start latency.
B.Lambda automatically scales concurrency based on the number of incoming requests.
C.Lambda has a burst concurrency limit of 500-3000 per region.
D.Reserved concurrency guarantees a minimum number of concurrent executions.
E.Lambda's concurrency limit is per function and cannot be increased.
AnswersA, B, C

Provisioned concurrency pre-initializes environments to handle requests immediately.

Why this answer

Options A, B and C are keyed correct. Provisioned concurrency (A) keeps a configured number of execution environments initialized, so those invocations skip the cold start. Lambda (B) scales by creating execution environments as requests arrive, up to the account's concurrency quota in the region (or the function's reserved concurrency, if set). The burst limit (C) of 500 to 3,000 per region is the figure the exam uses for initial burst scaling; AWS has since changed scaling to a per-function rate of 1,000 concurrent executions every 10 seconds, so treat the range as exam knowledge.

Option D is wrong in the exam's framing because reserved concurrency sets the maximum concurrency for the function; that capacity is carved out of the account pool, but it is a cap, not a floor of warm environments (that is provisioned concurrency). Option E is wrong because the concurrency quota is account-level per region and can be raised through a Service Quotas request.

242
MCQmedium

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group of EC2 instances. The deployment must automatically roll back if the new application version causes health check failures for more than 20% of the instances within the first 5 minutes after deployment. Which configuration should the developer set in the deployment group?

A.Create a CloudWatch alarm that monitors the DeploymentFailure metric and configure it as a rollback trigger in the deployment group.
B.Define a lifecycle hook in the Auto Scaling group that terminates instances with failing health checks.
C.Set the deployment configuration to use a minimum healthy host percentage of 80% and a timeout of 5 minutes.
D.Configure the AppSpec file with a rollback section that specifies the health check failure threshold.
AnswerA

This is the correct method. CodeDeploy can use CloudWatch alarms as rollback triggers. When the alarm enters the ALARM state, the deployment is automatically rolled back.

Why this answer

Option A is correct because CodeDeploy deployment groups accept CloudWatch alarms as rollback triggers. Create an alarm on a metric that reflects instance health during the rollout (the ALB target group's UnHealthyHostCount with a threshold equivalent to 20% of the group, or a custom metric the application publishes), with a period that covers the first 5 minutes, attach it to the deployment group and enable "Roll back when alarm thresholds are met". While the deployment is in progress and the alarm enters ALARM, CodeDeploy stops and redeploys the last known good revision.

Exam trap

The trap here is that candidates often confuse deployment configuration settings (like minimum healthy hosts) with rollback triggers, not realizing that rollback triggers require explicit CloudWatch alarm integration rather than just threshold-based deployment settings.

How to eliminate wrong answers

Option B is wrong because an Auto Scaling lifecycle hook pauses instances at launch or termination so you can run custom actions; it can replace an unhealthy instance but never reverts the CodeDeploy revision. Option C is wrong because a minimum healthy hosts value of 80% makes the deployment fail if fewer than 80% of instances are healthy while it runs; combined with "roll back when a deployment fails" that would revert a rollout that breaks instances immediately, but it does not watch health checks for a period after the deployment finishes, which is what the question asks for. Option D is wrong because the AppSpec file has no rollback section; it lists files, permissions and lifecycle hook scripts, and rollback behaviour lives in the deployment group settings.

243
Multi-Selectmedium

A company is deploying a new microservice using AWS Lambda and Amazon API Gateway. Which THREE steps should be included in the deployment pipeline? (Choose three.)

Select 3 answers
A.Deploy the API Gateway API to a stage.
B.Create or update the API Gateway REST API resources and methods.
C.Invalidate the Amazon CloudFront cache.
D.Update the Route 53 DNS record to point to the new API.
E.Build the Lambda function code and create a deployment package.
AnswersA, B, E

Deploying to a stage makes the API available.

Why this answer

Options A, B and E are correct, in build-then-deploy order: build the Lambda code and create the deployment package (E), create or update the REST API's resources, methods and integrations (B), then deploy the API to a stage (A), because changes to a REST API are not live until deployed. Option C is wrong because CloudFront is not part of the described stack (an edge-optimized API endpoint manages its own distribution).

Option D is wrong because a stage's invoke URL does not change between deployments, so no DNS update is needed; a custom domain mapping is set up once, not per release.

244
MCQhard

A developer is using AWS KMS to encrypt data in an S3 bucket. The developer wants to ensure that the S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) by default. Which configuration should be applied?

A.Add a bucket policy that denies PutObject without the 'x-amz-server-side-encryption' header set to 'aws:kms'.
B.Configure the bucket to use SSE-C with a customer-provided key.
C.Set the bucket's default encryption to SSE-S3.
D.Set the bucket's default encryption to SSE-KMS with a KMS key.
AnswerD

This ensures default encryption uses KMS.

Why this answer

Option D is correct because setting the bucket's default encryption to SSE-KMS with a KMS key means every object uploaded without an explicit encryption header is encrypted under that key, with no change to clients. Two caveats: since January 2023 S3 applies SSE-S3 to every new object by default, so the point of this setting is to switch that default to your KMS key; and a default is only a fallback, because a client can still request SSE-S3 or a different key per object. When the requirement is enforcement rather than defaulting, pair it with a bucket policy that denies PutObject unless x-amz-server-side-encryption is aws:kms (and x-amz-server-side-encryption-aws-kms-key-id is your key). Enabling S3 Bucket Keys alongside cuts KMS request costs.

Exam trap

The trap here is that candidates often confuse enforcing encryption via a bucket policy (Option A) with setting a default encryption configuration, but the policy only denies non-compliant requests without establishing a default, whereas the default encryption setting automatically applies encryption to all objects regardless of request headers.

How to eliminate wrong answers

Option A is wrong because a bucket policy that denies PutObject without the 'x-amz-server-side-encryption' header set to 'aws:kms' enforces encryption on a per-request basis but does not set a default encryption configuration for the bucket; it only rejects requests that lack the header, leaving the bucket without a default encryption setting. Option B is wrong because SSE-C uses a customer-provided key, not an AWS KMS managed key, and is not the SSE-KMS method specified in the requirement. Option C is wrong because SSE-S3 uses Amazon S3 managed keys, not AWS KMS managed keys, and thus does not fulfill the requirement for SSE-KMS.

245
MCQeasy

A developer needs to store a large number of binary files (e.g., images) that are accessed infrequently but must be retrievable within minutes. The storage solution should be cost-effective. Which Amazon S3 storage class is MOST suitable?

A.S3 Intelligent-Tiering
B.S3 One Zone-Infrequent Access
C.S3 Glacier Instant Retrieval
D.S3 Standard
AnswerC

Low-cost storage for infrequently accessed data with instant retrieval.

Why this answer

Option C is correct because S3 Glacier Instant Retrieval is priced for data accessed about once a quarter yet still returns objects in milliseconds, well inside the "within minutes" requirement, with a per-GB retrieval charge and a 90-day minimum storage duration. Option A is wrong because Intelligent-Tiering is for unknown or changing access patterns and adds a monitoring fee. Option B is wrong because One Zone-IA keeps data in a single Availability Zone, so it is less resilient, which is a poor fit for originals that cannot be regenerated.

Option D is wrong because S3 Standard is priced for frequent access. Glacier Flexible Retrieval (expedited retrievals in 1 to 5 minutes) would be cheaper still and also satisfies the stated latency, but it is not among the options.

246
MCQmedium

A developer is deploying a web application on Amazon ECS with a Fargate launch type. The application needs to securely access an Amazon DynamoDB table. How should the developer grant permissions?

A.Store AWS credentials in the container image
B.Define a task role for the ECS task with DynamoDB permissions
C.Assign an IAM role to the ECS service and use it from the container
D.Use an EC2 instance profile and mount it to the container
AnswerB

The task role is assumed by the container and provides temporary credentials.

Why this answer

For ECS tasks on Fargate you define two roles. The task execution role is used by the ECS agent to pull the image and write logs; the task role is what the application's SDK calls use, with temporary credentials delivered through the container credentials endpoint, the same mechanism an instance profile provides on EC2. Scope the task role to the one table (dynamodb:GetItem, PutItem and Query on the table ARN) rather than dynamodb:*. Option A is wrong because credentials baked into an image are long-lived and exposed to anyone who can pull it. Option C is wrong because the role attached to an ECS service exists for load balancer registration, not for application calls. Option D is wrong because under Fargate there are no EC2 instances to carry an instance profile.

247
MCQmedium

A company has an S3 bucket containing confidential data. The security team wants to ensure that the bucket is never publicly accessible, even if a bucket policy or ACL is incorrectly set to allow public access. Which S3 feature should the developer enable?

A.Enable S3 Transfer Acceleration to ensure faster uploads.
B.Enable S3 Block Public Access (bucket-level).
C.Enable S3 Server Access Logging to monitor access.
D.Enable S3 Object Lock to prevent objects from being deleted.
AnswerB

S3 Block Public Access provides an additional layer of security that prevents any public access, even if a bucket policy or ACL inadvertently allows it. It is the recommended way to ensure a bucket is never public.

Why this answer

Option B is correct because S3 Block Public Access overrides any bucket policy or ACL that would grant public access: with BlockPublicPolicy and RestrictPublicBuckets on, S3 rejects a new policy that grants public access and ignores one that already does, and with BlockPublicAcls and IgnorePublicAcls on, public ACLs are refused or ignored. It is applied on top of the normal authorization decision, so a misconfigured policy cannot reopen the bucket. Enable it at the account level as well, so that a newly created bucket cannot be made public either.

Exam trap

The trap here is that candidates often confuse monitoring features (like logging) or object protection features (like Object Lock) with access control mechanisms, failing to recognize that S3 Block Public Access is the only feature specifically designed to enforce a hard block on public access regardless of other configurations.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances using AWS edge locations, and it has no impact on access control or public accessibility. Option C is wrong because S3 Server Access Logging only records access requests for auditing purposes; it does not prevent public access or enforce any security restrictions. Option D is wrong because S3 Object Lock is designed to prevent objects from being deleted or overwritten for a specified retention period, but it does not control or block public read access to the bucket.

248
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user tries to upload an object to s3://example-bucket/secret/file.txt?

A.The upload fails because the Deny statement explicitly denies access to the secret/ prefix.
B.The upload fails only if the user is not the bucket owner.
C.The upload succeeds because the Deny statement does not match the specific action.
D.The upload succeeds because the Allow statement grants s3:PutObject on the bucket.
AnswerA

Explicit Deny always overrides Allow.

Why this answer

Correct: A. The Deny statement explicitly denies all S3 actions on the secret/ prefix. Even though the Allow statement grants s3:PutObject on the bucket, the explicit Deny overrides it.

Option D is wrong because an explicit Deny takes precedence over an Allow. Option B is wrong because the request is denied regardless of whether the user is the bucket owner. Option C is wrong because the Deny is not conditional; it covers every S3 action on the prefix.

249
Multi-Selectmedium

A developer wants to encrypt data in an S3 bucket using server-side encryption with AWS KMS (SSE-KMS). Which TWO steps are required?

Select 2 answers
A.Set the default encryption on the bucket to SSE-KMS.
B.Enable MFA Delete on the bucket.
C.Create a bucket policy that denies unencrypted requests.
D.Grant the IAM role kms:GenerateDataKey and kms:Decrypt permissions.
E.Enable versioning on the bucket.
AnswersA, D

Required to enforce SSE-KMS.

Why this answer

The bucket must be configured for SSE-KMS, and the IAM role must have kms:GenerateDataKey and kms:Decrypt permissions.

250
MCQmedium

A company runs a web application on AWS Elastic Beanstalk. The application currently runs in a single environment. The developer wants to deploy a new version with zero downtime and be able to test the new version thoroughly before it receives any production traffic. Which deployment strategy should the developer use?

A.Perform a rolling deployment with a batch size of one instance at a time.
B.Use an immutable deployment to launch a new set of instances and then swap the Auto Scaling group.
C.Create a new environment (green) with the new version, run tests against it, and then swap the environment URLs so that production points to the green environment.
D.Use a rolling deployment with additional batch to launch new instances before terminating old ones.
AnswerC

This is the blue/green deployment strategy. The green environment is isolated for testing. Swapping the CNAME from the blue environment to the green environment provides zero downtime and full testing.

Why this answer

Option C is correct because it describes a blue/green deployment strategy, which creates a separate 'green' environment with the new application version, allowing thorough testing before swapping the environment URLs (CNAME records) in Elastic Beanstalk. This ensures zero downtime because the swap is instantaneous and the original 'blue' environment remains untouched until the swap occurs.

Exam trap

The trap here is that candidates confuse immutable deployments (which replace instances but not the environment) with blue/green deployments (which replace the entire environment), leading them to choose Option B because both involve launching new instances, but only blue/green allows pre-production testing without traffic exposure.

How to eliminate wrong answers

Option A is wrong because a rolling deployment with a batch size of one instance at a time updates instances in-place, which still causes a brief period where old and new versions coexist and does not allow testing the new version before it receives production traffic. Option B is wrong because an immutable deployment launches a new set of instances and then swaps the Auto Scaling group, but it does not provide a separate environment for pre-production testing; the new instances immediately serve traffic after the swap. Option D is wrong because a rolling deployment with an additional batch launches new instances before terminating old ones, which reduces downtime but still updates the existing environment in-place and does not allow isolated testing of the new version before it receives traffic.

251
MCQhard

A company runs a production web application on EC2 instances behind an Application Load Balancer. Users report intermittent 502 errors. The developers find that the ALB access logs show 'target_response_code' of 502 for some requests. What is the MOST likely cause?

A.The EC2 instances are unable to resolve DNS for the ALB.
B.The security group for the EC2 instances is blocking traffic from the ALB.
C.The EC2 instances are closing idle connections prematurely due to a short keep-alive timeout.
D.The ALB health checks are failing and the target group has unhealthy instances.
AnswerC

If the EC2 instance closes the connection before the ALB finishes sending the request, the ALB returns a 502.

Why this answer

Option C is correct because a 502 from the ALB indicates that the target (EC2 instance) closed the connection before the ALB could finish writing the request or reading the response. Option B is wrong because a security group blocking traffic from the ALB would result in a 503 or a timeout. Option D is wrong because failing ALB health checks would cause 503 errors. Option A is wrong because DNS resolution is not involved in ALB-to-target communication.

252
MCQeasy

A developer needs to store application configuration data (key-value pairs) that can be accessed by multiple microservices running on EC2 instances. The configuration data changes infrequently but must be retrievable with low latency. Which AWS service should the developer use?

A.AWS Systems Manager Parameter Store
B.AWS AppConfig
C.Amazon S3
D.Amazon DynamoDB
AnswerB

AppConfig is purpose-built for application configuration, providing validation, deployment, and low-latency retrieval.

Why this answer

The correct answer is B. AWS AppConfig is designed to manage application configuration data and supports feature flags and dynamic configuration. Option A is wrong because, although Systems Manager Parameter Store can also hold configuration, AppConfig is the more specialized service for this use case and is the recommended service for application configuration. Option D is wrong because DynamoDB is a database, not a configuration store. Option C is wrong because S3 is object storage with higher latency.

253
Multi-Selecthard

Which TWO actions should a developer take to securely manage database credentials in a serverless application?

Select 2 answers
A.Store credentials in AWS Secrets Manager and enable automatic rotation.
B.Use IAM database authentication for Amazon RDS.
C.Store credentials in a text file within the Lambda deployment package.
D.Hardcode credentials in environment variables.
E.Use security groups to allow only the Lambda function to access the database.
AnswersA, B

Secrets Manager securely stores and rotates credentials.

Why this answer

AWS Secrets Manager securely stores database credentials and supports automatic rotation, which reduces the risk of credential exposure and eliminates the need for manual updates. By integrating with Lambda via the AWS SDK, the application can retrieve credentials at runtime without embedding them in code or configuration files.

Exam trap

AWS often tests the distinction between network-level controls (security groups) and credential management, leading candidates to mistakenly select security groups as a method for securing credentials rather than managing them.

254
MCQhard

A developer is using AWS CodePipeline to automate a multi-stage pipeline. The pipeline includes a manual approval step before deploying to production. The developer wants to receive an email notification when the pipeline reaches the approval step. Which service should the developer use?

A.Configure CodePipeline to send an email using the 'Email' action
B.Use Amazon CloudWatch Logs to monitor the pipeline logs and trigger an alarm
C.Use Amazon Simple Email Service (SES) to send an email from the pipeline
D.Use Amazon CloudWatch Events to detect the pipeline state change and trigger an SNS notification
AnswerD

CloudWatch Events can monitor pipeline stage transitions and publish to an SNS topic.

Why this answer

Option D is correct because CloudWatch Events (EventBridge) can detect the pipeline state change (e.g., a stage execution state changing to 'waiting' at the approval step) and trigger an SNS topic that sends the email. Option A is wrong because CodePipeline does not directly send email notifications. Option B is wrong because CloudWatch Logs is for logging, not notifications. Option C is wrong because SES sends email directly but is not integrated with pipeline state changes; CloudWatch Events with SNS is the standard approach.

255
MCQhard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The developer wants to identify the specific error on a failed instance. Which AWS CLI command should the developer use?

A.aws deploy get-deployment
B.aws deploy get-deployment-instance
C.aws deploy list-deployments
D.aws deploy list-deployment-instances
AnswerB

Correct: Provides detailed status and error for a specific instance.

Why this answer

Option B is correct because 'aws deploy get-deployment-instance' provides detailed information about a specific instance deployment, including its status and error details. Option D is wrong because 'list-deployment-instances' only lists instance IDs. Option A is wrong because 'get-deployment' gives overall deployment information, not instance-level detail. Option C is wrong because 'list-deployments' only lists deployments.

256
MCQeasy

A developer is writing an AWS Lambda function in Python that needs to download a file from Amazon S3, process it, and upload the result to a different S3 bucket. The function currently runs within the default 3-second timeout, but the developer expects the file size to increase. What is the MOST cost-effective way to handle the increase in processing time?

A.Increase the Lambda function's timeout to a value higher than the expected processing time.
B.Increase the Lambda function's timeout to 15 minutes.
C.Use Lambda provisioned concurrency to keep the function warm.
D.Refactor the code to use AWS Step Functions to orchestrate the processing.
AnswerA

Increasing the timeout is simple and cost-effective.

Why this answer

Option A is correct because increasing the Lambda timeout is the simplest and most cost-effective way to handle longer processing times. Option D is wrong because Step Functions add cost and complexity. Option B is wrong because 15 minutes is the Lambda maximum; the timeout should be set just above the expected processing time rather than to the maximum. Option C is wrong because provisioned concurrency reduces cold starts; it does not extend the timeout.

257
MCQmedium

A company has a Node.js application running on an EC2 instance. The application needs to store session state. The developer wants to ensure high availability and scalability by storing session data externally. Which AWS service is BEST suited for this purpose?

A.Amazon DynamoDB
B.Amazon S3
C.Amazon ElastiCache for Redis
D.Amazon RDS for MySQL
AnswerC

Redis is commonly used for session caching due to its speed and support for data expiration.

Why this answer

Option C is correct because ElastiCache for Redis provides an in-memory data store that is ideal for session management, offering low latency and high throughput. Option B is wrong because S3 is for object storage, not low-latency session storage. Option D is wrong because RDS is a relational database, which is slower for session data. Option A is wrong because DynamoDB is a NoSQL database but is not as fast as an in-memory cache for session state.

258
MCQhard

A developer is using Amazon S3 Transfer Acceleration to upload a large file. The upload is slower than expected. Which metric should the developer check to determine if Transfer Acceleration is providing a benefit?

A.CloudWatch metric 'Requests' for the S3 bucket.
B.CloudWatch metric 'BytesDownloaded' for the S3 bucket.
C.CloudWatch metric 'TotalRequestLatency' for the S3 bucket.
D.CloudWatch metric 'FirstByteLatency' for the S3 bucket.
AnswerC

This metric shows the time for a complete upload, indicating acceleration benefit.

Why this answer

TotalRequestLatency measures the time taken for a complete S3 request, including the time to send the request to the S3 endpoint and receive the response. For S3 Transfer Acceleration, this metric reflects the end-to-end latency improvement achieved by routing traffic through AWS edge locations and the optimized network path. A lower TotalRequestLatency compared to a non-accelerated upload indicates that Transfer Acceleration is providing a benefit.

Exam trap

The trap here is confusing 'FirstByteLatency' (which measures initial response time for reads) with 'TotalRequestLatency' (which captures the full upload duration), leading candidates to incorrectly select D when they should focus on the end-to-end time for uploads.

How to eliminate wrong answers

Option A is wrong because the 'Requests' metric simply counts the number of requests made to the bucket, which does not indicate whether Transfer Acceleration is improving upload speed. Option B is wrong because 'BytesDownloaded' tracks data downloaded from the bucket, not uploaded, and is irrelevant to upload acceleration. Option D is wrong because 'FirstByteLatency' measures the time to receive the first byte of a response, which is more relevant to read operations and does not capture the total upload duration that Transfer Acceleration optimizes.

259
MCQmedium

Refer to the exhibit. A developer ran this CLI command and received the output shown. The application is retrieving the secret but getting an authentication error from the database. What is the MOST likely issue?

A.The secret is not marked as AWSCURRENT.
B.The application is not correctly parsing the JSON SecretString.
C.The CLI command should have used the --secret-string parameter.
D.The secret ID is incorrect.
AnswerB

The password contains special characters that may need escaping.

Why this answer

The CLI command successfully retrieved the secret, as shown by the output containing the secret value. The application, however, is failing with an authentication error from the database. This indicates that the secret was retrieved but the application is likely misinterpreting the JSON structure of the SecretString.

If the secret is stored as a JSON object (e.g., containing username and password fields), the application must parse the JSON and extract the correct field (e.g., 'password'). If it treats the entire JSON string as the password, it will pass an invalid credential to the database, causing an authentication error.

Exam trap

The trap here is that candidates assume any retrieval error is due to an incorrect secret ID or missing label, but the question explicitly states the secret was retrieved successfully, shifting the issue to how the application processes the retrieved value.

How to eliminate wrong answers

Option A is wrong because the secret is successfully retrieved, and the AWSCURRENT label is automatically applied to the latest version of a secret; if it were missing, the retrieval would fail entirely, not cause a parsing issue. Option C is wrong because the CLI command used 'get-secret-value' which is the correct command to retrieve a secret; the '--secret-string' parameter is used when creating or updating a secret, not when retrieving it. Option D is wrong because the secret ID is correct—the command returned a valid secret value without an error, proving the ID was accurate.

260
MCQmedium

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5. Recently, the SQS queue has experienced a high volume of messages, and the developer notices that many invocations are being throttled, leading to increased processing time. What is the most likely cause of the throttling?

A.The function's execution role lacks permissions to invoke the function.
B.The reserved concurrency is too low, causing SQS to throttle Lambda invocations.
C.The SQS queue visibility timeout is set too high.
D.The Lambda function has a VPC configuration that causes cold starts.
AnswerB

Reserved concurrency caps the number of concurrent executions. When the queue has many messages, SQS tries to invoke Lambda concurrently, but if the reserved limit is reached, invocations are throttled, delaying processing.

Why this answer

The correct answer is B because reserved concurrency limits the maximum number of concurrent executions for a Lambda function. When the SQS queue has a high volume of messages, Lambda attempts to scale up to process them, but with a reserved concurrency of 5, it can only run 5 concurrent invocations. Any additional invocation requests are throttled with a 429 error, causing messages to remain in the queue and increasing processing time.

Exam trap

The trap here is that candidates often confuse throttling (due to concurrency limits) with cold starts (due to VPC or initialization delays), or they mistakenly think that SQS itself throttles Lambda invocations rather than understanding that Lambda's reserved concurrency is the bottleneck.

How to eliminate wrong answers

Option A is wrong because the execution role's permissions affect whether the function can access other AWS services (like SQS or CloudWatch), not whether Lambda itself can invoke the function; invocation permissions are controlled by the resource-based policy or the SQS trigger configuration. Option C is wrong because a high visibility timeout would cause messages to become invisible for longer after being polled, potentially leading to duplicate processing or delays, but it does not cause throttling of Lambda invocations. Option D is wrong because VPC configuration can cause cold starts due to ENI creation delays, but cold starts affect latency on the first invocation, not throttling due to concurrency limits.

261
MCQhard

A company uses Amazon API Gateway with a Lambda authorizer to control access to its APIs. The Lambda authorizer returns an IAM policy that grants access to the API. Recently, the company noticed that some API calls are being throttled due to high latency from the authorizer. What is the MOST effective way to reduce latency?

A.Enable caching for the Lambda authorizer responses.
B.Use a custom authorizer instead of a Lambda authorizer.
C.Reduce the TTL of the authorizer cache.
D.Increase the memory allocated to the Lambda authorizer function.
AnswerA

Caching avoids invoking the authorizer for every request.

Why this answer

Option A is correct because enabling caching for the authorizer allows API Gateway to reuse the returned policy for subsequent requests within the TTL, so the Lambda authorizer is not invoked on every request. Option D is wrong because increasing Lambda memory may reduce latency, but not as effectively as caching. Option B is wrong because a custom authorizer is the same mechanism as a Lambda authorizer and does not address latency. Option C is wrong because reducing the TTL would increase calls to the authorizer, increasing latency.

262
MCQeasy

An organization wants to deploy a microservices architecture using AWS Lambda functions. They need to manage environment variables for each function across different stages (dev, test, prod). Which approach is the MOST secure and maintainable?

A.Use AWS Systems Manager Parameter Store with separate paths for each stage.
B.Use AWS CloudFormation parameters to pass values at deployment.
C.Hardcode the environment variables in each Lambda function code.
D.Store environment variables in the Lambda function configuration.
AnswerA

Secure, centralized, and stage-aware.

Why this answer

Option A is correct because AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data, with separate paths per stage. Option C is wrong because hardcoding is insecure. Option D is wrong because environment variables in the function configuration are not centrally managed and are not environment-specific. Option B is wrong because CloudFormation parameters are for infrastructure, not runtime configuration.

263
MCQeasy

A team uses AWS CodePipeline to automate deployments. They notice that a deployment to Amazon ECS fails because the task definition is not updated. The pipeline includes a source stage from CodeCommit, a build stage using AWS CodeBuild, and a deploy stage to Amazon ECS. What is the most likely missing step?

A.The pipeline has a manual approval step before deployment.
B.The deploy stage action is set to 'Create a new ECS service'.
C.The task definition is not registered in the Amazon ECS console.
D.The build stage does not output the updated task definition as an artifact.
AnswerD

Without the artifact, the deploy stage uses the old task definition.

Why this answer

Option D is correct because in a CodePipeline that deploys to Amazon ECS, the build stage must output the updated task definition file (typically `imagedefinitions.json` or a task definition JSON) as an artifact. Without this artifact, the deploy stage cannot reference the new task definition revision, so it continues using the old one, causing the deployment to fail.

Exam trap

The trap here is that candidates assume the task definition is automatically updated by the deploy action or that manual registration in the ECS console is required, when in fact the build stage must explicitly output the updated definition as an artifact for the pipeline to use.

How to eliminate wrong answers

Option A is wrong because a manual approval step would pause the pipeline but not affect whether the task definition is updated; it does not cause the deployment to fail due to an outdated task definition. Option B is wrong because setting the deploy stage action to 'Create a new ECS service' would create a new service instead of updating the existing one, which is not the missing step for updating the task definition. Option C is wrong because the task definition does not need to be manually registered in the ECS console; the pipeline should register it automatically via the deploy action, and the issue is that the updated definition is not passed as an artifact.

264
MCQmedium

A company wants to enforce multi-factor authentication (MFA) for all users accessing the AWS Management Console. The company has an existing IAM setup with users and groups. Which approach should the developer recommend to enforce MFA?

A.Enable MFA at the account level using the AWS Account settings.
B.Attach an IAM policy to each user that denies all actions unless the user has MFA present.
C.Enable MFA on the root user and require all users to use the root user credentials with MFA.
D.Create a new IAM group for MFA users and add users to that group.
AnswerB

This uses a condition in the policy to require MFA for any API action, effectively enforcing MFA for all users.

Why this answer

Option B is correct because it uses an IAM policy with a condition key (`aws:MultiFactorAuthPresent`) to deny all actions when MFA is not present. This is the standard AWS-recommended approach to enforce MFA for IAM users accessing the Management Console, as it applies a deny-all-except-MFA effect at the user level without requiring account-level changes.

Exam trap

The trap here is that candidates assume MFA can be enforced at the account level (Option A) or by simply adding users to a group (Option D), but AWS requires an explicit IAM policy with a condition key to deny actions performed without MFA.

How to eliminate wrong answers

Option A is wrong because AWS does not support enabling MFA at the account level for all users; MFA must be configured per IAM user or via a policy. Option C is wrong because sharing root user credentials violates security best practices and AWS prohibits using root user for everyday tasks; MFA on root does not enforce MFA for other IAM users. Option D is wrong because simply creating a group and adding users does not enforce MFA; a policy with a condition key must be attached to the group to deny actions without MFA.

265
MCQeasy

A company uses AWS CodeCommit and wants to automatically trigger a build in AWS CodePipeline when code is pushed to the master branch. Which action should be taken?

A.Configure a CloudWatch Events rule to start the pipeline on repository changes
B.Add a webhook in CodeCommit to directly invoke CodePipeline
C.Set up a scheduled pipeline that polls CodeCommit every minute
D.Use an S3 trigger to start the pipeline when code is uploaded
AnswerA

CloudWatch Events triggers the pipeline on push events.

Why this answer

CodePipeline can use a CloudWatch Events rule to detect changes in CodeCommit and start the pipeline. Option A is correct.

266
MCQmedium

A developer is building a serverless application using AWS SAM that includes an API Gateway REST API and a Lambda function. The developer wants to pass environment variables to the Lambda function based on the deployment stage (dev/prod). The stage name is provided as a SAM parameter. How should the developer define this in the SAM template?

A.Define a SAM Parameter for the stage name, and reference it in the Lambda function's Environment property
B.Use the Globals section of the SAM template to set environment variables
C.Hard-code the environment variables with different values in the template
D.Use an AWS Systems Manager Parameter Store parameter and reference it in the function
AnswerA

SAM Parameters are the standard way to inject deployment-time values. You can reference the parameter directly in the Environment.Variables section to set variables like STAGE.

Why this answer

Option A is correct because AWS SAM allows you to define parameters (e.g., StageName) and reference them directly in the Lambda function's Environment property using CloudFormation intrinsic functions like !Ref. This enables dynamic injection of environment variables based on the deployment stage without modifying the template structure, aligning with Infrastructure as Code best practices for multi-environment deployments.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Parameter Store (Option D) for dynamic values, missing that SAM parameters are the simplest native mechanism for stage-specific environment variables without external service dependencies.

How to eliminate wrong answers

Option B is wrong because the Globals section sets default values for all functions in the template, but it cannot dynamically vary environment variables per deployment stage without additional logic like conditions or parameters, making it unsuitable for stage-specific values. Option C is wrong because hard-coding environment variables for each stage would require maintaining separate templates or manual edits, violating the principle of reusable, parameterized templates and increasing error risk. Option D is wrong because while AWS Systems Manager Parameter Store can store values, referencing it directly in the function does not inherently tie the value to the SAM deployment stage; you would still need a parameter or mapping to select the correct Parameter Store path per stage, making Option A more straightforward.

267
MCQmedium

A company is using AWS Lambda functions behind an Amazon API Gateway REST API. Users report intermittent 503 errors. The Lambda function code appears correct. Which action is MOST likely to resolve the issue?

A.Increase the Lambda function memory allocation.
B.Increase the Lambda function timeout.
C.Request a service quota increase for Lambda concurrent executions.
D.Increase the API Gateway throttling limits.
AnswerC

Lambda concurrent execution limits cause 503 errors when exceeded.

Why this answer

Option C is correct because Lambda concurrent execution limits can cause throttling, leading to 503 errors; increasing the quota provides more capacity. Option B is wrong because Lambda timeout errors cause 504, not 503. Option D is wrong because API Gateway throttling (default 10,000 rps) is usually not the cause at low request rates. Option A is wrong because a memory increase helps performance but does not raise concurrency limits.

268
Multi-Selectmedium

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application experiences occasional throttling on DynamoDB writes. The developer wants to implement a retry mechanism with exponential backoff. Which THREE steps should the developer take?

Select 3 answers
A.Use Amazon SQS to buffer write requests to DynamoDB.
B.Configure a dead-letter queue (DLQ) for the Lambda function to capture failed events.
C.Increase the DynamoDB table's provisioned write capacity.
D.Use the AWS SDK's built-in retry behavior which includes exponential backoff.
E.Implement custom retry logic in the Lambda function with exponential backoff.
AnswersB, D, E

DLQ stores events that failed after retries.

Why this answer

Options B, D, and E are correct. The AWS SDK automatically retries with exponential backoff (D). The developer can also implement custom retry logic in the function (E). A DLQ captures events that still fail after the retries are exhausted (B). Option C (increasing provisioned write capacity) does not implement a retry. Option A (SQS) is not needed for this scenario.

269
MCQmedium

A company is using AWS CodePipeline to automate the deployment of a microservices application to Amazon ECS. The pipeline has the following stages: Source (GitHub), Build (CodeBuild), Deploy (ECS). The Deploy stage uses an ECS task definition and updates the service. Recently, the pipeline failed at the Deploy stage with the error: 'The task definition family is inactive.' The developer checks the ECS console and sees that the task definition family exists but is inactive. The developer also notices that the pipeline uses a parameter 'TASK_DEFINITION_FAMILY' with the value 'my-app'. What is the most likely cause?

A.The task definition family 'my-app' does not exist in the ECS cluster.
B.The environment variables in the task definition are not correctly set.
C.The IAM role for ECS does not have permission to register new task definitions.
D.The pipeline is referencing the task definition family name without a specific revision number, and the latest revision is inactive.
AnswerD

The pipeline should specify an active revision.

Why this answer

Option D is correct because CodePipeline expects a specific revision number, not just the family name. When the family is inactive, it may be because the latest revision is inactive, so the pipeline should reference an active revision.

Option A is wrong because the family exists. Option C is wrong because the IAM role is not related to this error. Option B is wrong because the environment variables are likely correct.

270
MCQeasy

A developer needs to enforce encryption in transit for all traffic between an application and an RDS database. Which configuration should be used?

A.Configure the security group to only allow traffic on port 443.
B.Create a VPC peering connection between the application and database subnets.
C.Enable encryption at rest using AWS KMS.
D.Set the 'require_secure_transport' parameter to 'ON' in the DB parameter group.
AnswerD

This forces clients to use SSL/TLS for connections.

Why this answer

Option D is correct because setting the 'require_secure_transport' parameter to 'ON' in the DB parameter group enforces TLS/SSL encryption for all connections to the RDS database. This ensures that data in transit between the application and the database is encrypted, meeting the requirement for encryption in transit.

Exam trap

The trap here is that candidates often confuse encryption at rest (Option C) with encryption in transit, or assume that network-level controls like security groups (Option A) or VPC peering (Option B) inherently encrypt traffic, when they do not.

How to eliminate wrong answers

Option A is wrong because port 443 is used for HTTPS traffic, not for native database connections (e.g., MySQL uses port 3306, PostgreSQL uses 5432), and security groups do not enforce encryption—they only control network access. Option B is wrong because VPC peering connects networks but does not provide encryption for traffic; it only facilitates routing between VPCs without encrypting the data in transit. Option C is wrong because encryption at rest using AWS KMS protects data stored on disk, not data transmitted between the application and the database; it addresses a different security concern.

271
MCQ · easy

A company wants to enforce that all uploads to an Amazon S3 bucket must be encrypted using server-side encryption with a specific AWS KMS customer managed key (CMK). The developer needs to write an IAM policy condition that denies any s3:PutObject request that does not use the specified KMS key. Which IAM condition key should be used?

A.s3:x-amz-server-side-encryption
B.kms:EncryptionContext
C.s3:x-amz-server-side-encryption-aws-kms-key-id
D.kms:KeyArn
Answer: C

Correct. This condition key evaluates the KMS key ID in the request header, allowing you to deny requests that do not specify the required CMK.

Why this answer

Option C is correct because the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key allows you to enforce that a specific AWS KMS customer managed key (CMK) ARN is used for server-side encryption on S3 PutObject requests. By using this condition key in a Deny statement, you can reject any upload that does not specify the required KMS key ID, ensuring encryption compliance.

Exam trap

The trap here is that candidates confuse the condition key for enforcing encryption type (Option A) with the condition key for enforcing a specific KMS key ID (Option C), or mistakenly think that a KMS-specific condition key like `kms:KeyArn` can be used in an S3 policy, when in fact it only applies to KMS API calls.

How to eliminate wrong answers

Option A is wrong because `s3:x-amz-server-side-encryption` only checks whether the `x-amz-server-side-encryption` header is set to `AES256` or `aws:kms`, but it cannot enforce a specific KMS key ID. Option B is wrong because `kms:EncryptionContext` is used to control access based on encryption context in KMS operations, not to enforce which KMS key is used for S3 server-side encryption. Option D is wrong because `kms:KeyArn` is a condition key for KMS API actions (like `kms:Decrypt` or `kms:GenerateDataKey`), not for S3 PutObject requests, and it cannot be used directly in an S3 bucket policy to enforce encryption key selection.

272
Multi-Select · hard

Which THREE steps are required to set up cross-account access for an Amazon S3 bucket? (Choose THREE.)

Select 3 answers
A.Configure the bucket ACL to allow the other account
B.Create an IAM role in the source account that the other account can assume
C.Set up a VPC endpoint for S3
D.Add a bucket policy that allows the other account to access the bucket
E.Grant the IAM user in the other account the necessary S3 permissions
Answers: B, D, E

Cross-account role allows temporary access.

Why this answer

Options B, D, and E are correct. The bucket policy (D) must grant access to the other account's user or role, and the user in the other account (E) must be granted the necessary S3 permissions through IAM.

The IAM role in the source account (B) can be assumed by the other account for cross-account access. Option A is wrong because ACLs are legacy and not recommended. Option C is wrong because a VPC endpoint is for network connectivity, not cross-account access.

273
MCQ · hard

A developer is using AWS X-Ray to trace a serverless application. The application uses an AWS Lambda function to query a DynamoDB table. The trace shows that the DynamoDB subsegment takes a significant portion of the total response time. The developer wants to reduce the DynamoDB query latency. Which service should the developer integrate with the Lambda function to achieve the lowest latency for repeated read queries?

A.DynamoDB Accelerator (DAX)
B.Amazon ElastiCache for Redis
C.DynamoDB Global Tables
D.DynamoDB Streams
Answer: A

Correct. DAX is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x read performance improvement by caching frequently accessed data.

Why this answer

DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x read performance improvement by reducing response times from milliseconds to microseconds for repeated read queries. By integrating DAX with the Lambda function, the developer can cache the results of frequent DynamoDB queries directly in memory, bypassing the read capacity units and the underlying storage engine, which directly addresses the latency bottleneck shown in the X-Ray trace.

Exam trap

The trap here is that candidates often choose ElastiCache for Redis because it is a well-known caching solution, but they overlook that DAX is purpose-built for DynamoDB and provides lower latency with zero application-level cache management, making it the correct choice for reducing DynamoDB query latency in a serverless application.

How to eliminate wrong answers

Option B (Amazon ElastiCache for Redis) is wrong because it is a general-purpose caching solution that requires the developer to manually manage cache invalidation, data synchronization, and application-level logic to keep the cache consistent with DynamoDB, adding complexity and potential latency overhead compared to DAX's native DynamoDB integration. Option C (DynamoDB Global Tables) is wrong because it is designed for multi-region replication and disaster recovery, not for reducing read latency within a single region; it actually increases write latency due to cross-region replication and does not cache repeated read queries. Option D (DynamoDB Streams) is wrong because it captures a time-ordered sequence of item-level changes in a DynamoDB table for event-driven processing (e.g., triggering Lambda functions), but it does not provide any caching or read acceleration functionality.

274
Multi-Select · hard

Which THREE are valid methods to authenticate to AWS APIs? (Choose 3)

Select 3 answers
A.Temporary security credentials from AWS STS
B.Database password stored in Secrets Manager
C.Credentials from an EC2 instance profile
D.CloudFront key pair
E.IAM user access key ID and secret access key
Answers: A, C, E

Temporary STS credentials are used for federated users or cross-account access.

Why this answer

Options A, C, and E are correct. E: IAM user access key ID and secret access key are a standard method. A: Temporary credentials from STS are used for roles.

C: EC2 instance profile credentials are used by applications on EC2. B: Database passwords are not for API authentication. D: CloudFront key pairs are for signed URLs, not general API auth.

275
MCQ · medium

A developer is building a serverless application using AWS Lambda to process events from an Amazon SQS queue. The Lambda function is CPU-bound and currently experiences timeouts. What is the MOST cost-effective way to reduce execution time?

A.Increase the SQS batch window size
B.Switch the Lambda runtime from Python to Node.js
C.Increase the Lambda function's memory allocation
D.Enable Provisioned Concurrency for the function
Answer: C

More memory provides more CPU, speeding up CPU-bound tasks.

Why this answer

Option C is correct because increasing the Lambda memory allocation also increases the allocated CPU, which directly helps CPU-bound functions. Option A is wrong because increasing the batch window does not help CPU-bound tasks. Option D is wrong because Provisioned Concurrency reduces cold-start latency but does not reduce execution time.

Option B is wrong because changing to a different runtime may not address the CPU limitation.

276
Multi-Select · easy

Which THREE factors should a developer consider when choosing between a blue/green deployment and a rolling deployment for an Amazon ECS service?

Select 3 answers
A.Rolling deployments require manual intervention to rollback
B.Rolling deployments update a subset of tasks at a time, which may cause slower rollback
C.Blue/green deployments are always cheaper than rolling deployments
D.Blue/green deployments require running two versions of the application simultaneously
E.Blue/green deployments provide instant rollback by switching traffic back to the old environment
Answers: B, D, E

Rolling deployments update gradually; rollback is slower.

Why this answer

Option D is correct because blue/green deployments run two versions of the application simultaneously and therefore require additional resources. Option E is correct because traffic can be switched back to the old environment, giving instant rollback. Option B is correct because rolling deployments replace a subset of tasks at a time, so a rollback is also gradual and slower. Option C is wrong because the extra resources make blue/green deployments more costly, not always cheaper. Option A is wrong because rolling deployments do not inherently require manual intervention to roll back.

277
MCQ · medium

A development team is using AWS CodeBuild to compile and test their code. They want to store build artifacts in an Amazon S3 bucket. The buildspec.yml file includes an artifacts section. Which configuration correctly specifies the output artifacts?

A.artifacts: files: - '**/*' discard-paths: no
B.artifacts: base-directory: 'build' files: '**/*'
C.artifacts: file: '**/*' discard-paths: no
D.artifacts: path: '**/*' discard-paths: false
Answer: A

This is the correct syntax for specifying build artifacts in buildspec.yml.

Why this answer

Option A is correct because the artifacts section in buildspec.yml uses the 'files' key (not 'file') with a list of patterns to specify which files are build artifacts. Option C is wrong because 'file' is not a valid key. Option D is wrong because 'path' is not a key in the artifacts section; paths are given as entries in the 'files' list.

Option B is wrong because its structure is incorrect: 'files' must be a list of patterns, not a single string.

278
MCQ · hard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to enable caching for API responses to reduce latency and cost. Which step is REQUIRED to enable caching?

A.Enable caching in the Lambda function code
B.Set the TTL in the API Gateway method request integration
C.Create a cache cluster in API Gateway for the stage
D.Use Amazon ElastiCache and modify the Lambda function to check cache
Answer: C

You must enable caching at the API Gateway stage level and specify cache size.

Why this answer

To enable API Gateway caching, you must create a cache cluster at the stage level, which incurs additional cost. Option C is correct.

279
MCQ · easy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function needs to read and write items to a DynamoDB table. What is the BEST way to securely provide the Lambda function with the necessary AWS credentials?

A.Store the AWS access key and secret key in the Lambda environment variables.
B.Create an IAM role with DynamoDB permissions and attach it to the Lambda function.
C.Create an IAM user with programmatic access and store the credentials in the Lambda code.
D.Use the Lambda function's default full admin access provided by AWS.
Answer: B

Lambda assumes the IAM role to obtain temporary credentials; this is secure and follows least privilege.

Why this answer

Option B is correct because the best practice is to attach an IAM role to the Lambda function with the required permissions. This avoids hardcoding credentials. Option A is incorrect because storing credentials in environment variables is not secure.

Option C is incorrect because Lambda does not use IAM user access keys, and hardcoding them in the function code is insecure; it uses roles. Option D is incorrect because the Lambda function should have least privilege, not full admin access.

280
MCQ · hard

A developer is building a real-time chat application using Amazon API Gateway WebSockets and AWS Lambda. The developer notices that messages are sometimes delivered out of order. What should the developer do to ensure ordered message delivery?

A.Increase the Lambda function's memory allocation
B.Use API Gateway's built-in message ordering feature
C.Set the 'sequenceNumber' property in the WebSocket message
D.Use an Amazon SQS FIFO queue to buffer messages before processing
Answer: D

FIFO queues preserve order.

Why this answer

WebSocket connections are stateful; buffering messages through a FIFO queue ensures ordering. Option D is correct.

281
MCQ · medium

A developer is using AWS SAM to deploy a serverless application. The SAM template defines an API Gateway REST API and several Lambda functions. During deployment, the developer receives an error: 'Resource creation cancelled' for the API Gateway resource. The developer has sufficient IAM permissions. What is the MOST likely cause?

A.The AWS account has reached the limit of API Gateway REST APIs.
B.The SAM template has a syntax error in the YAML file.
C.The SAM template does not include an AWS::Serverless::Api resource.
D.A stack policy is preventing the creation of the API Gateway resource.
Answer: D

Stack policies can explicitly deny creation of specific resources, causing cancellation.

Why this answer

Option D is correct. AWS SAM uses AWS CloudFormation to deploy resources. If a resource creation is cancelled, it often indicates a stack policy that prevents creation or modification of certain resources.

Option C is wrong because a missing AWS::Serverless::Api would cause a different error. Option B is wrong because invalid YAML would cause a template validation error. Option A is wrong because reaching the REST API limit would cause a different error.

282
MCQ · medium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The application must remain fully available; only one instance should be taken offline at a time. The developer wants to configure the deployment to update instances one by one, ensuring that the deployment fails fast if any instance fails to deploy. Which deployment configuration should the developer choose?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.OneAtATime
D.CodeDeployDefault.BlueGreen
Answer: C

This deploys to one instance at a time, minimizing impact and providing fast failure detection.

Why this answer

Option C, CodeDeployDefault.OneAtATime, is correct because it deploys the application to one instance at a time, ensuring that only one instance is taken offline during the deployment. This satisfies the requirement for the application to remain fully available. Additionally, this configuration fails fast: if any instance fails to deploy, the deployment stops immediately, preventing further instances from being updated.

Exam trap

The trap here is that candidates may confuse deployment configurations (like OneAtATime) with deployment types (like BlueGreen), or incorrectly assume that HalfAtATime updates instances one by one when it actually updates half the fleet at a time.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, which would take all instances offline at once and violate the requirement for only one instance to be offline at a time. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to half the instances at a time, which would take more than one instance offline simultaneously, not meeting the one-at-a-time requirement. Option D is wrong because CodeDeployDefault.BlueGreen is a deployment type that shifts traffic between two environments (blue and green), not a deployment configuration that controls the number of instances updated at a time within a single Auto Scaling group; it also does not inherently provide a one-at-a-time update pattern.

283
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The developer needs to pass a list of security group IDs to an EC2 instance launch configuration. The security groups are created in another stack. How should the developer obtain the security group IDs?

A.Use Fn::GetAtt to retrieve the IDs from the other stack's resources.
B.Use Fn::ImportValue to import the exported outputs from the other stack.
C.Use a nested stack to include the security group resources in the same template.
D.Use Fn::Ref to reference the security group IDs directly.
Answer: B

ImportValue is designed for cross-stack references.

Why this answer

Option B is correct because Fn::ImportValue imports exported outputs from another stack. Option A is wrong because Fn::GetAtt only works within the same stack. Option D is wrong because Ref only resolves resources in the same template and returns a single value.

Option C is wrong because nested stacks are more complex than needed for a cross-stack reference.

284
MCQ · medium

A developer is setting up a CI/CD pipeline using AWS CodePipeline to deploy an application to Amazon ECS. The pipeline has a source stage that pulls code from an AWS CodeCommit repository. The developer wants the pipeline to execute only when commits are pushed to the 'main' branch. How should the developer configure this?

A.Create an Amazon CloudWatch Events rule that triggers the pipeline only when the branch is 'main'.
B.Configure the pipeline's source stage to include the branch name in the CodeCommit action configuration.
C.Use an AWS Lambda function in the source stage to filter the branch.
D.Set a branch filter pattern in the pipeline trigger settings.
Answer: B

The CodeCommit source action in CodePipeline allows you to specify the branch name. The pipeline will automatically start on pushes to that branch.

Why this answer

Option B is correct because AWS CodePipeline allows you to specify a branch name directly in the source action configuration for CodeCommit. When you configure the source stage, you can set the 'BranchName' parameter to 'main', which ensures the pipeline only triggers on commits pushed to that specific branch. This is the simplest and most direct method to filter by branch without additional services or custom logic.

Exam trap

The trap here is that candidates might overthink the solution by considering external services like CloudWatch Events or Lambda, when the correct answer is a simple configuration option already built into the CodePipeline source stage.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Events rules can trigger a pipeline on various events, but they do not natively filter by branch name; you would need to add a custom event pattern or use a Lambda function to inspect the branch, which is unnecessary and more complex than the built-in branch filter. Option C is wrong because using an AWS Lambda function in the source stage to filter the branch adds unnecessary complexity and cost; CodePipeline already supports branch filtering natively in the source action configuration. Option D is wrong because CodePipeline does not have a 'pipeline trigger settings' feature with a branch filter pattern; branch filtering is configured within the source stage action, not as a separate trigger setting.

285
Multi-Select · easy

A developer needs to implement a serverless API using Amazon API Gateway and AWS Lambda. The API should support CORS (Cross-Origin Resource Sharing) to allow requests from a web application hosted on a different domain. Which TWO configurations are required? (Choose TWO.)

Select 2 answers
A.Create a custom domain name for the API Gateway and configure the web application to use it.
B.Enable CORS on the API Gateway resource and methods.
C.Disable CORS on the API Gateway and set the Access-Control-Allow-Origin header in the Lambda function.
D.Configure an OPTIONS method in API Gateway and return appropriate CORS headers from the Lambda function.
E.Modify the Lambda function to include the Access-Control-Allow-Origin header in all responses.
Answers: B, D

API Gateway can be configured to return the required CORS headers automatically.

Why this answer

Options B and D are correct. Option B: API Gateway must be configured to return the CORS headers. Option D: an OPTIONS (preflight) method must exist and return the appropriate CORS headers.

Option C is wrong because CORS is not disabled by default; it must be explicitly enabled. Option E is wrong because the Lambda function does not need to add CORS headers to every response; API Gateway adds them. Option A is wrong because a custom domain is not related to CORS.

286
MCQ · medium

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role's trust policy allows the EC2 service, and the permissions policy grants s3:GetObject on the bucket. The application on the instance receives 'Access Denied' errors when trying to read objects. What is the most likely cause?

A.The IAM role's trust policy does not allow the EC2 service.
B.The S3 bucket has default encryption enabled.
C.The EC2 instance does not have an instance profile associated with the IAM role.
D.The S3 bucket policy explicitly denies s3:GetObject.
Answer: C

Without an instance profile, the instance cannot assume the role and retrieve temporary credentials.

Why this answer

The most likely cause is that the EC2 instance does not have an instance profile associated with the IAM role. An IAM role must be attached to an EC2 instance via an instance profile, which acts as a container for the role. Without this association, the instance cannot obtain temporary credentials from the AWS Security Token Service (STS) to sign API requests, resulting in 'Access Denied' errors even if the role's trust and permissions policies are correctly configured.

Exam trap

The trap here is that candidates often assume the IAM role's trust and permissions policies are sufficient, overlooking the mandatory instance profile association required for EC2 to use the role.

How to eliminate wrong answers

Option A is wrong because the trust policy allowing the EC2 service is correctly configured, as stated in the question; if it were not, the role could not be assumed at all, but the error occurs at the S3 access level, not at the role assumption level. Option B is wrong because default encryption on an S3 bucket does not affect IAM permissions for reading objects; it only encrypts objects at rest, and the application would still be able to read objects if it has the correct IAM permissions. Option D is wrong because the question states the permissions policy grants s3:GetObject, and there is no indication of a bucket policy; an explicit deny in a bucket policy would override the IAM role's allow, but the scenario does not mention any bucket policy, making this an unlikely primary cause.

287
MCQ · hard

A company deploys a containerized application on Amazon ECS with Fargate launch type. The application needs to read sensitive configuration data at startup. The company requires that the data be encrypted at rest and in transit, and that the application use least-privilege permissions. Which solution meets these requirements?

A.Store the configuration data in AWS Secrets Manager and retrieve it at startup using the Secrets Manager API
B.Store the configuration data in an Amazon S3 bucket and use a pre-signed URL to download it at startup
C.Store the configuration data in environment variables within the ECS task definition
D.Store the configuration data in AWS Systems Manager Parameter Store with a SecureString parameter and retrieve it using the task IAM role
Answer: D

Parameter Store supports encryption and least-privilege access.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store supports encryption via KMS and can be accessed from ECS tasks using the task IAM role. Option C is incorrect because environment variables in the task definition may be visible in plaintext. Option A is incorrect because Secrets Manager is overkill for configuration data and more expensive.

Option B is incorrect because S3 does not enforce transit encryption by default and requires additional setup.

288
MCQ · medium

A developer needs to package and deploy a serverless application with Lambda functions, API Gateway, and DynamoDB using concise syntax. Which framework is AWS-native for this purpose?

A.AWS Serverless Application Model
B.AWS Control Tower
C.Amazon Macie
D.AWS Backup
Answer: A

Correct for the stated requirement.

Why this answer

The AWS Serverless Application Model (SAM) is an AWS-native framework that uses a simplified YAML or JSON syntax to define and deploy serverless resources such as Lambda functions, API Gateway, and DynamoDB. It extends AWS CloudFormation, allowing developers to package and deploy with concise syntax using the `sam build` and `sam deploy` commands, making it the correct choice for this purpose.

Exam trap

The trap here is that candidates may confuse AWS SAM with general-purpose infrastructure-as-code tools like Terraform or AWS CloudFormation, but the question specifically asks for a framework with concise, AWS-native syntax for serverless applications, which SAM uniquely provides.

How to eliminate wrong answers

Option B is wrong because AWS Control Tower is a governance and multi-account management service, not a framework for packaging and deploying serverless applications. Option C is wrong because Amazon Macie is a data security and privacy service that uses machine learning to discover and protect sensitive data, not a deployment framework. Option D is wrong because AWS Backup is a centralized backup service for managing backups across AWS services, not a framework for defining or deploying serverless resources.

289
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. The application requires a database connection string that is different for each environment (development, staging, production). The developer wants to set these values without hardcoding them in the application code. Which configuration method should the developer use?

A.Use the .ebextensions configuration files with environment-specific snippet files
B.Use environment properties in the Elastic Beanstalk console
C.Use Amazon RDS within Elastic Beanstalk
D.Use AWS Systems Manager Parameter Store with an IAM instance profile
Answer: B

Correct. Environment properties are defined per environment and injected as environment variables into the instances, enabling different configurations across environments.

Why this answer

Option B is correct because Elastic Beanstalk environment properties allow you to inject configuration values (like database connection strings) into your application at deployment time without hardcoding them. These properties are set per environment in the Elastic Beanstalk console or via CLI, and the application retrieves them as environment variables, making them environment-specific and secure.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing AWS Systems Manager Parameter Store (Option D) for secret management, but the question specifically asks for a configuration method within Elastic Beanstalk's native features, where environment properties are the simplest and most direct approach for non-sensitive, environment-specific values.

How to eliminate wrong answers

Option A is wrong because .ebextensions configuration files are used for customizing the Elastic Beanstalk environment (e.g., installing packages, creating files) but not for setting environment-specific database connection strings; they are static per application version, not dynamic per environment. Option C is wrong because Amazon RDS within Elastic Beanstalk is a feature that provisions a database tied to the environment, but it does not solve the problem of setting a connection string that differs per environment—the connection string is automatically generated and managed by Elastic Beanstalk, not manually configured. Option D is wrong because AWS Systems Manager Parameter Store can store secrets, but using it requires additional IAM configuration and code changes to fetch the parameter, which is more complex than the built-in environment properties; the question asks for the simplest method within Elastic Beanstalk's native capabilities.

290
MCQ · medium

A developer is creating a REST API using Amazon API Gateway and multiple AWS Lambda functions for different endpoints. The API must support CORS for a web application hosted on a different domain. The developer is using Lambda proxy integration. Which configuration is required to enable CORS?

A.Enable CORS in API Gateway and configure the Lambda functions to return the required CORS headers.
B.Configure API Gateway to return CORS headers and Lambda functions can ignore CORS.
C.Configure Lambda functions to return CORS headers and API Gateway will pass them through automatically.
D.Use a Lambda@Edge function at Amazon CloudFront to add CORS headers.
Answer: A

Enabling CORS in API Gateway generates an OPTIONS method and configures headers for non-proxy integrations, but for proxy integrations, the Lambda must also return the headers. Both steps are needed to ensure full CORS support.

Why this answer

With Lambda proxy integration in API Gateway, the entire request and response are passed through to the Lambda function, which must return the HTTP response including status code, headers, and body. To enable CORS, the Lambda function must include the required CORS headers (e.g., Access-Control-Allow-Origin) in its response. While API Gateway can be configured to add CORS headers for non-proxy integrations, with proxy integration the Lambda function is solely responsible for returning all headers.

Exam trap

The trap here is that candidates assume API Gateway's CORS configuration works universally, but with Lambda proxy integration, the Lambda function has full control over the response headers, making API Gateway's CORS settings ineffective.

How to eliminate wrong answers

Option B is wrong because with Lambda proxy integration, API Gateway cannot independently add CORS headers; the Lambda function controls the entire response. Option C is wrong because API Gateway does not automatically pass through headers from the Lambda function; the Lambda function must explicitly return them in the response object. Option D is wrong because Lambda@Edge is used with CloudFront for edge processing, not for API Gateway CORS configuration, and it would add unnecessary complexity and latency.

291
Multi-Select · hard

A developer is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to send messages to all connected clients. Which THREE actions are required to implement this functionality? (Choose THREE.)

Select 3 answers
A.Store the WebSocket URL in the Lambda function environment variables.
B.Use the API Gateway callback URL to post messages to a specific connection.
C.Grant the Lambda function IAM permission to execute the execute-api:ManageConnections action.
D.Store the connection IDs in an Amazon DynamoDB table for later retrieval.
E.Extract the connection ID from the event object when a client connects.
Answers: B, C, E

The callback URL is in the format https://api-id.execute-api.region.amazonaws.com/@connections/{connectionId}.

Why this answer

Options B, C, and E are correct. Option C: the Lambda function needs the execute-api:ManageConnections permission to post to connections. Option B: the callback URL is used to send messages to clients.

Option E: the connection ID is obtained from the event object. Option A is wrong because the WebSocket URL is not needed for posting; the callback URL is derived from the API endpoint. Option D is wrong because DynamoDB is not required for sending messages; it's optional for persistence.

292
MCQ · medium

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon S3 bucket and an AWS Lambda function. The Lambda function needs to be granted permission to read objects from the S3 bucket. Which resource should the developer define in the CloudFormation template to provide these permissions?

A.AWS::IAM::Role
B.AWS::Lambda::Permission
C.AWS::S3::BucketPolicy
D.AWS::IAM::ManagedPolicy
Answer: A

Correct. An IAM role with an appropriate policy (e.g., allowing s3:GetObject) is the correct way to grant the Lambda function permissions to read from the S3 bucket.

Why this answer

Option A is correct because the Lambda function requires an IAM role (AWS::IAM::Role) with a policy that grants s3:GetObject permissions on the S3 bucket. This role is assumed by the Lambda service at runtime, allowing the function to read objects from the bucket. The role must include a trust policy that allows lambda.amazonaws.com to assume it.

Exam trap

The trap here is that candidates often confuse resource-based policies (like S3 bucket policies or Lambda permission statements) with identity-based policies (like IAM roles), thinking a bucket policy alone can grant the Lambda function access, when in fact the Lambda function needs an IAM role with the appropriate permissions to assume and use.

How to eliminate wrong answers

Option B (AWS::Lambda::Permission) is wrong because it grants a resource-based policy to allow another AWS service or account to invoke the Lambda function, not to grant the Lambda function permissions to access S3. Option C (AWS::S3::BucketPolicy) is wrong because a bucket policy controls access to the S3 bucket from external principals, but it does not grant the Lambda function's execution role the necessary IAM permissions; while a bucket policy could be used to allow the Lambda role, the standard and recommended approach is to attach permissions to the Lambda execution role. Option D (AWS::IAM::ManagedPolicy) is wrong because it defines a reusable policy document but does not create a role; the Lambda function needs an IAM role to assume, not just a managed policy.

293
MCQeasy

A developer is building a serverless web application using AWS Lambda and Amazon DynamoDB. The application needs to perform complex aggregations on data stored in DynamoDB. Which AWS service should the developer use to perform these aggregations efficiently without reading all the data into Lambda?

A.AWS Glue
B.Amazon EMR
C.DynamoDB Streams with AWS Lambda
D.Amazon Redshift
AnswerC

DynamoDB Streams capture changes and can trigger Lambda to update aggregated results in near real-time without scanning the full table.

Why this answer

Option C is correct because DynamoDB Streams captures item-level changes in near real-time and can trigger a Lambda function to perform incremental aggregations without scanning the entire table. This pattern avoids reading all data into Lambda, making it efficient for continuous aggregation workloads.

Exam trap

The trap here is that candidates may choose AWS Glue or Amazon EMR because they associate 'complex aggregations' with big data tools, overlooking that DynamoDB Streams with Lambda provides a serverless, incremental aggregation pattern that avoids full table scans.

How to eliminate wrong answers

Option A is wrong because AWS Glue is a serverless ETL service designed for batch data processing and cataloging, not for real-time aggregations triggered by DynamoDB changes. Option B is wrong because Amazon EMR is a big data platform for running Apache Spark, Hadoop, or Hive clusters, which is overkill and not serverless for simple aggregations on DynamoDB data. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse for SQL analytics, not a service for performing aggregations directly on DynamoDB data without moving it first.

294
MCQhard

A company uses AWS CodeDeploy to deploy a web application to an Auto Scaling group. The deployment fails during the 'Install' lifecycle event. The developer checks the logs and finds that the scripts in the 'appspec.yml' file are not being executed because the instances are not in a healthy state. What could be the reason for the instances being unhealthy?

A.The health check grace period on the Auto Scaling group is too short.
B.The Elastic Load Balancer is not configured to route traffic to the Auto Scaling group.
C.The CodeDeploy agent on the instances is outdated.
D.The IAM instance profile does not have permissions to access the S3 bucket where the artifacts are stored.
AnswerA

Instances may be marked unhealthy before the deployment completes.

Why this answer

Option A is correct because if the health check grace period is too short, instances may be marked unhealthy before the deployment scripts complete. Option D is wrong because insufficient IAM permissions would cause a different error (e.g., access denied). Option B is wrong because incorrect ELB configuration would cause load balancer issues, not instance health. Option C is wrong because the CodeDeploy agent version is unrelated to instance health checks.

295
MCQeasy

A developer needs to grant a Lambda function read-only access to an S3 bucket. Which IAM entity should be used to attach the permissions?

A.Create an IAM user and provide the credentials to the Lambda function.
B.Attach a resource-based policy to the S3 bucket.
C.Attach a policy to an IAM group and add the Lambda function to the group.
D.Create an IAM role with the necessary permissions and assign it to the Lambda function as the execution role.
AnswerD

Lambda execution roles are IAM roles that grant permissions to the function.

Why this answer

Option D is correct because Lambda functions require an IAM role (execution role) to obtain temporary AWS credentials via the AWS Security Token Service (STS). This role must have a trust policy allowing Lambda to assume it, and an attached permissions policy granting read-only access to the S3 bucket. This is the standard and secure method for granting permissions to an AWS service like Lambda.

Exam trap

The trap here is that candidates confuse resource-based policies (which grant access to the principal specified in the policy) with identity-based policies (which grant permissions to the principal the policy is attached to), and incorrectly think a bucket policy alone can grant permissions to a Lambda function without an execution role.

How to eliminate wrong answers

Option A is wrong because IAM users are intended for human or application access with long-term credentials, not for AWS services; embedding user credentials in a Lambda function is insecure and violates best practices. Option B is wrong because a resource-based policy on the S3 bucket can grant cross-account access or access to other AWS services, but it cannot directly grant permissions to a Lambda function's execution role; the Lambda function still needs an execution role with the appropriate permissions. Option C is wrong because IAM groups are used to manage permissions for IAM users, not for AWS services; Lambda functions cannot be added to an IAM group.

296
MCQmedium

A developer is designing an application that will process credit card payments and store them temporarily in an Amazon DynamoDB table. The developer must ensure that the payment data is encrypted at rest and that the encryption key is managed by the company's security team using AWS KMS. Which type of encryption should the developer enable on the DynamoDB table?

A.Server-side encryption with a customer-managed KMS key
B.Server-side encryption with an AWS managed KMS key
C.Client-side encryption
D.Static key encryption
AnswerA

This allows the security team to manage the KMS key, providing control over encryption and key rotation.

Why this answer

Option A is correct because the requirement specifies that the encryption key must be managed by the company's security team. Server-side encryption (SSE) with a customer-managed KMS key allows the company to create, rotate, and control access to the KMS key used to encrypt the DynamoDB table at rest. This gives the security team full control over the encryption key lifecycle, meeting the stated requirement.

Exam trap

The trap here is that candidates often confuse 'customer-managed KMS key' with 'AWS managed KMS key,' assuming any KMS encryption meets the requirement, but the exam specifically tests the distinction between who manages the key (customer vs. AWS) to enforce security control requirements.

How to eliminate wrong answers

Option B is wrong because server-side encryption with an AWS managed KMS key means AWS owns and manages the key, not the company's security team, so it does not satisfy the requirement for key management by the security team. Option C is wrong because client-side encryption encrypts data before it is sent to DynamoDB, which would require the developer to implement encryption logic in the application and manage keys separately, not using AWS KMS for server-side encryption at rest. Option D is wrong because 'static key encryption' is not a valid encryption type for DynamoDB; DynamoDB supports server-side encryption with AWS KMS keys (AWS managed or customer managed) and not a static key approach.

297
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application consists of an API Gateway endpoint that triggers an AWS Lambda function. The developer wants to enable canary deployments to gradually shift traffic to a new Lambda version. Which SAM resource attribute should the developer configure?

A.ReservedConcurrentExecutions
B.Timeout
C.AutoPublishAlias and DeploymentPreference
D.ProvisionedConcurrency
AnswerC

These enable canary deployments with traffic shifting.

Why this answer

Option C is correct because SAM's AutoPublishAlias property combined with DeploymentPreference enables canary deployments. Option D is wrong because ProvisionedConcurrency is for pre-provisioned capacity. Option A is wrong because ReservedConcurrentExecutions limits concurrency. Option B is wrong because Timeout is for function execution time.

298
MCQhard

Refer to the exhibit. A developer is trying to query a DynamoDB table from a Lambda function that uses an execution role named MyRole. The Lambda function is failing with the error shown. Which step should the developer take to resolve this?

A.Enable DynamoDB encryption at rest.
B.Add a resource-based policy to the DynamoDB table allowing the Lambda role.
C.Attach a policy to the Lambda execution role that allows dynamodb:Query on the table.
D.Grant the Lambda role kms:Decrypt permission on the KMS key.
AnswerC

The role needs identity-based permission.

Why this answer

Option C is correct because the error indicates the role lacks dynamodb:Query permission. Option B is wrong because the error is about a missing identity-based permission, not a resource policy. Option A is wrong because the error is not about encryption. Option D is wrong because the error is not about KMS.

299
MCQeasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users using a third-party identity provider that supports SAML 2.0. The company wants to use AWS Identity and Access Management (IAM) to manage user permissions. Which solution should the developer implement?

A.Use AWS Security Token Service (STS) to generate temporary credentials for the users.
B.Create an IAM identity provider for the SAML IdP and set up a role with a trust policy that allows federated users to assume it.
C.Store the SAML metadata document in AWS Certificate Manager.
D.Use Amazon Cognito user pools with a SAML identity provider.
AnswerB

Standard SAML federation with IAM.

Why this answer

Option B is correct because it describes the standard AWS pattern for SAML 2.0 federation: creating an IAM identity provider for the external SAML IdP, then configuring an IAM role with a trust policy that allows users authenticated by that IdP to assume the role. This enables the application to use IAM to manage permissions for federated users without creating IAM users in the AWS account.

Exam trap

The trap here is that candidates may confuse Amazon Cognito (which also supports SAML) as the only way to federate with a third-party IdP, but the question explicitly requires IAM to manage permissions, making direct IAM SAML federation the correct choice.

How to eliminate wrong answers

Option A is wrong because AWS STS generates temporary credentials, but it does not directly handle SAML authentication; STS is used after federation is established to issue credentials for an assumed role. Option C is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates, not SAML metadata documents; SAML metadata is uploaded to IAM when creating the identity provider. Option D is wrong because Amazon Cognito user pools with a SAML IdP is a valid approach for user authentication, but the question specifically requires using IAM to manage user permissions, and Cognito does not integrate with IAM for permission management in the same way as direct IAM SAML federation.

300
MCQmedium

A developer is building a serverless application using AWS Lambda to process files uploaded to an S3 bucket. The files are encrypted with S3 server-side encryption using AWS KMS (SSE-KMS). The Lambda function needs to read the files and store metadata in DynamoDB. Which IAM policy statement should be attached to the Lambda execution role to allow it to decrypt the objects?

A.{"Effect":"Allow","Action":["kms:Encrypt"],"Resource":"*"}
B.{"Effect":"Allow","Action":["kms:Decrypt"],"Resource":"arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
C.{"Effect":"Allow","Action":["kms:GenerateDataKey"],"Resource":"*"}
D.{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::my-bucket/*"}
AnswerB

Decrypt is required to decrypt objects encrypted with SSE-KMS.

Why this answer

Option B is correct because the Lambda function needs kms:Decrypt permission for the specific KMS key used for S3 SSE-KMS encryption. Option D is wrong because s3:GetObject without kms:Decrypt would fail if the object is encrypted with SSE-KMS. Option C is wrong because kms:GenerateDataKey is used for client-side encryption, not decryption. Option A is wrong because kms:Encrypt is for encryption, not decryption.
