AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 301-375

1616 questions total · 22 pages · All types, answers revealed

Page 5 of 22
301
MCQ · hard

A developer attached the above IAM policy to an IAM user. The user tries to download an object from example-bucket using the AWS CLI without specifying server-side encryption. What will happen?

A. The download succeeds because the policy allows s3:GetObject
B. The download fails with an AccessDenied error
C. The download succeeds because the object is encrypted with SSE-S3
D. The download fails with a 500 Internal Server Error
Answer: B

The condition is not satisfied, so access is denied.

Why this answer

The policy grants s3:GetObject only if the request uses server-side encryption with AES256. If the user does not specify encryption, the condition is not met, and the request is denied. Option A is incorrect because the policy does not require SSE-KMS.

Option C is incorrect because the policy explicitly allows GetObject. Option D is incorrect because the condition is evaluated.

302
MCQ · medium

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function. The output shows StatusCode 200 and no FunctionError. However, the application that depends on this function's output is not working correctly. What should the developer check next?

A. Check the Lambda function's CloudWatch Logs for any errors or unexpected output.
B. Check the IAM role attached to the Lambda function for insufficient permissions.
C. Check the payload format against the function's expected input.
D. Check the Lambda function's memory and timeout configuration.
Answer: A

CloudWatch Logs contain the function's output and any debug information.

Why this answer

A StatusCode 200 indicates that Lambda accepted the invocation and ran the function without a runtime error. However, the function might have a logical error, incorrect business logic, or might be returning unexpected data. The developer should check the function's logs in CloudWatch Logs to see the actual output and any debug messages.

The payload format might also be incorrect, but the invocation succeeded technically. The function's memory or timeout settings might cause issues but would typically result in an error. The IAM role might be insufficient but would show an error in logs.

303
Multi-Select · easy

Which TWO actions are valid ways to encrypt data at rest in Amazon S3? (Choose TWO.)

Select 2 answers
A. Use S3-managed keys (SSE-S3)
B. Use client-side encryption with a KMS key
C. Use SSL/TLS for all data transfers
D. Use AWS CloudHSM to store encryption keys
E. Use AWS KMS keys (SSE-KMS)
Answers: A, E

SSE-S3 encrypts data at rest with S3-managed keys.

Why this answer

SSE-S3 is a valid server-side encryption option where Amazon S3 manages the encryption keys on your behalf. When you upload an object, S3 encrypts the data using AES-256 before writing it to disk and decrypts it when you access it, all without requiring any additional configuration or key management from you.

Exam trap

The trap here is that candidates often confuse encryption at rest with encryption in transit, leading them to select SSL/TLS (Option C) as a valid answer, or they mistakenly think client-side encryption with KMS (Option B) is a server-side encryption method for S3.

304
MCQ · hard

A developer optimized an Amazon S3 bucket for high request rates. The bucket receives over 5,000 PUT requests per second. Recently, some requests are failing with a 503 Slow Down error. What is the most likely cause and how should the developer fix it?

A. Use multipart upload for all objects to improve throughput.
B. The request rate exceeds the account-level PUT quota; request a quota increase.
C. The bucket policy is too permissive; restrict access to prevent abuse.
D. Add a random prefix to the object keys to distribute across partitions.
Answer: D

Random prefixes increase partition count, reducing 503 errors.

Why this answer

Option D is correct because S3 returns 503 Slow Down when the request rate exceeds the limits of a partition. Randomizing prefixes spreads requests across partitions. Option C is wrong because a 503 is not caused by permissions.

Option B is wrong because 503 is not a quota limit exceeded error (that would be 400). Option A is wrong because multipart upload is for large objects, not rate limits.

305
Multi-Select · medium

A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?

Select 2 answers
A. kms:Decrypt on the key
B. iam:CreateUser on the account
C. s3:PutBucketAcl on every bucket
D. Permission for the Lambda execution role to use the KMS key
Answers: A, D

Both the key policy and the execution role's IAM policy must allow kms:Decrypt.

Why this answer

Option A is correct because the Lambda function must have permission to call the kms:Decrypt action on the specific customer managed KMS key to decrypt the data. This permission is granted via a key policy or a grant on the KMS key itself, allowing the Lambda execution role to use the key for decryption operations.

Exam trap

The trap here is that candidates often confuse IAM actions (like iam:CreateUser or s3:PutBucketAcl) with KMS-specific permissions, or they forget that the Lambda execution role needs both the IAM policy and the key policy to allow kms:Decrypt.

306
Multi-Select · easy

Which TWO AWS services can be used to decouple microservices in a distributed application? (Choose TWO.)

Select 2 answers
A. Amazon CloudWatch
B. Elastic Load Balancer (ELB)
C. Amazon Simple Notification Service (SNS)
D. Amazon Simple Queue Service (SQS)
E. Amazon Route 53
Answers: C, D

SQS queues and SNS pub/sub topics decouple producers from consumers.

Why this answer

Options C and D are correct. Amazon SQS provides message queuing for decoupling, and Amazon SNS enables pub/sub messaging.

Option B is wrong because ELB balances traffic to a single service. Option A is wrong because CloudWatch is for monitoring. Option E is wrong because Route 53 is DNS.

307
MCQ · hard

A developer is using Amazon CloudFront to distribute content from an S3 bucket. The bucket is configured as an origin with Origin Access Control (OAC). Recently, some users have reported that they receive 403 Forbidden errors when accessing certain objects. The developer checks the CloudFront distribution and confirms that the OAC is set up correctly. The S3 bucket policy allows the CloudFront service principal to get objects. The developer also notes that the objects in question have been updated recently. What is the MOST likely cause of the 403 errors?

A. The objects are encrypted with SSE-C (server-side encryption with customer-provided keys).
B. The OAC configuration is not correctly associated with the CloudFront distribution.
C. The S3 bucket policy denies access to the CloudFront service principal.
D. The CloudFront distribution is configured to use the S3 website endpoint instead of the REST endpoint.
Answer: A

CloudFront cannot decrypt objects encrypted with SSE-C, resulting in 403 errors.

Why this answer

Option A is correct because CloudFront cannot serve objects encrypted with SSE-C: the customer-provided key is never available to CloudFront, so S3 rejects the request and the viewer receives 403 Forbidden. Only the recently updated objects fail, which points to a change in how those objects were encrypted rather than to the distribution or bucket configuration, both of which the developer has already verified. A stale cache would show old content, not 403 errors.

Option B is wrong because the developer confirmed the OAC is set up correctly. Option C is wrong because the bucket policy allows the CloudFront service principal to get objects. Option D is wrong because the origin is not a website endpoint, and a wrong endpoint type would affect all objects, not just the updated ones.

308
MCQ · hard

A company uses AWS CodePipeline with CodeBuild to deploy a Node.js application. The build fails intermittently with 'npm ERR! network' errors. What is the most likely cause and solution?

A. A unit test is failing; fix the test code.
B. The npm cache is corrupted; clear the cache in CodeBuild.
C. The build environment lacks outbound internet access; configure a NAT gateway or use a VPC endpoint for npm.
D. The npm token has expired; regenerate the token.
Answer: C

Network errors indicate connectivity issues.

Why this answer

Option C is correct because CodeBuild may have limited outbound internet access; a NAT gateway or a VPC endpoint for the npm registry resolves this. Option A is incorrect because a failing test does not cause network errors. Option B is incorrect because CodeBuild does not have an npm cache.

Option D is incorrect because npm token expiry returns 401, not network errors.

309
MCQ · hard

A company uses AWS OpsWorks for configuration management and deployment of applications on EC2 instances. The company wants to migrate to AWS Systems Manager for automation and patching. Which Systems Manager capability should be used to execute scripts and commands on EC2 instances as part of a deployment?

A. AWS Systems Manager Patch Manager
B. AWS Systems Manager State Manager
C. AWS Systems Manager Automation
D. AWS Systems Manager Run Command
Answer: B

State Manager can run scripts on a schedule or on demand as part of a deployment.

Why this answer

AWS Systems Manager State Manager is the correct capability because it is designed to define and maintain consistent configuration of EC2 instances, including executing scripts and commands as part of a deployment. State Manager uses associations to enforce a desired state, such as running a custom script during instance boot or on a schedule, making it ideal for deployment automation. This aligns with the migration from OpsWorks, which also manages configuration state.

Exam trap

The trap here is that candidates often confuse Run Command (on-demand execution) with State Manager (stateful, scheduled execution), but the question's emphasis on 'as part of a deployment' implies a need for ongoing configuration enforcement, not just a one-time command.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Patch Manager is specifically for automating the patching of operating systems and applications, not for executing arbitrary scripts or commands as part of a deployment. Option C is wrong because AWS Systems Manager Automation is used for automating complex, multi-step operational tasks (e.g., AMI creation or instance recovery) and requires an Automation document, not for simple script execution on individual instances. Option D is wrong because AWS Systems Manager Run Command executes scripts or commands on demand, but it does not enforce a persistent desired state or schedule; State Manager is the correct choice for ongoing deployment and configuration management.

310
MCQ · hard

A company is using AWS KMS to encrypt data in S3. They want to ensure that only specific IAM roles can decrypt the data, even if the IAM role has full S3 access. What should they do?

A. Use an IAM policy to deny KMS Decrypt for all users except the role.
B. Add a bucket policy that denies Decrypt for all principals except the role.
C. Enable S3 Block Public Access on the bucket.
D. Modify the KMS key policy to grant decrypt permission only to the specific IAM role.
Answer: D

Key policy controls who can use the key.

Why this answer

Option D is correct because a KMS key policy can grant decrypt permission to specific IAM roles. Option B is wrong because bucket policies only control S3 access, not KMS decrypt. Option A is wrong because IAM policies alone cannot restrict decrypt if the role already has access through the key policy.

Option C is wrong because S3 Block Public Access does not affect KMS.

311
MCQ · hard

A developer is troubleshooting an issue where an S3 bucket policy is not granting cross-account access to a user in another AWS account. The bucket policy uses a Principal element with the AWS account ID. What is the most likely reason for the failure?

A. The bucket is encrypted with SSE-S3, which blocks cross-account access.
B. The bucket policy must use the user's ARN instead of the account ID.
C. The bucket policy cannot grant access to users in another account.
D. The IAM user in the other account does not have an IAM policy that allows the S3 action.
Answer: D

Both bucket policy and user policy must allow the action.

Why this answer

Option D is correct because cross-account access requires both sides to allow it: the bucket policy grants the other account access, and an IAM policy in that account must also allow the S3 action for the user. Option C is wrong because bucket policies can grant access to other accounts. Option A is wrong because encryption does not block access if permissions are correct.

Option B is wrong because bucket policies accept an account ID as the principal and also support granting access to specific IAM users in other accounts.

312
MCQ · easy

A developer is building a RESTful API using Amazon API Gateway. The API experiences high traffic spikes, and many requests are for the same data (e.g., a product catalog). The developer wants to reduce the load on the backend Lambda functions and improve response times for repeated requests. Which feature should the developer enable?

A. Enable API Gateway caching and set a TTL.
B. Use CloudFront with the API Gateway as an origin.
C. Enable throttling on the API Gateway usage plan.
D. Use a DynamoDB Accelerator (DAX) cluster for the backend database.
Answer: A

API Gateway caching stores responses for a specified TTL. Repeated requests for the same resource and parameters are served from the cache, reducing backend load and improving response times.

Why this answer

API Gateway caching stores responses from backend Lambda functions for a configurable time-to-live (TTL). When a request for the same data (e.g., a product catalog) arrives within the TTL period, API Gateway serves the cached response directly, reducing the number of invocations to the Lambda function and improving response latency. This directly addresses the need to reduce load on the backend and improve response times for repeated requests.

Exam trap

The trap here is that candidates often confuse API Gateway caching with CloudFront caching, thinking that CloudFront alone reduces backend load, but CloudFront caches at the edge and still forwards cache misses to API Gateway, which then invokes Lambda; only API Gateway caching directly reduces Lambda invocations for repeated requests.

How to eliminate wrong answers

Option B is wrong because CloudFront with API Gateway as an origin adds a CDN layer that caches responses at edge locations, but it does not reduce the load on the backend Lambda functions for repeated requests to the same API endpoint; it primarily improves latency for geographically distributed users and can still forward requests to API Gateway, which then invokes Lambda. Option C is wrong because enabling throttling on the API Gateway usage plan limits the rate of requests to protect the backend from being overwhelmed, but it does not cache responses or improve response times for repeated requests; it may actually reject or delay requests. Option D is wrong because using a DynamoDB Accelerator (DAX) cluster caches database queries at the data layer, but the problem is about reducing load on Lambda functions and improving response times for API requests, not about optimizing database access; DAX does not cache API responses or reduce Lambda invocations.

313
MCQ · medium

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a build stage that uses AWS CodeBuild. The developer wants to run unit tests and only proceed to the deploy stage if the tests pass. Which configuration should the developer use to achieve this?

A. Configure a manual approval step before the deploy stage.
B. Configure Amazon CloudWatch alarms to stop the pipeline if tests fail.
C. Configure the build stage to run tests and fail the build if tests fail; CodePipeline will automatically stop.
D. Configure AWS Lambda to invoke a function that checks test results and manually stops the pipeline.
Answer: C

Tests in the build stage can fail the build, preventing deployment.

Why this answer

CodeBuild can be configured with a buildspec file that defines phases, including a 'post_build' phase for running tests. If the tests fail, CodeBuild returns a non-zero exit code, causing the build to fail. CodePipeline will then stop and not proceed to the deploy stage.

The developer can also use a 'test' action in CodePipeline with a test provider like CodeBuild. The other options either don't stop the pipeline or are not automated.

314
MCQ · medium

The exhibit shows the output of the describe-stack-events command for a CloudFormation stack that failed to create. What is the most likely cause of the failure?

A. The Lambda function handler 'index.handler' does not exist in the deployment package.
B. The S3 bucket 'my-bucket' does not contain the object 'my-function.zip'.
C. The Lambda function code exceeds the maximum allowed size.
D. The IAM role associated with the Lambda function lacks necessary permissions.
Answer: A

A common cause of CREATE_FAILED for Lambda is an incorrect handler.

Why this answer

Option A is correct because the stack event shows CREATE_FAILED for the Lambda function resource, and an incorrect handler name is a common cause. Option B is wrong because the S3 bucket and key are provided and nothing indicates the object is missing. Option D is wrong because there is no indication of a permissions issue; the event does not show an error message.

Option C is wrong because the event gives no indication that the package exceeded the size limit.

315
MCQ · hard

A company has a legacy application running on an EC2 instance that stores database credentials in a plain text configuration file. The security team requires that credentials be stored securely and rotated every 90 days. The developer must minimize changes to the application code. The application currently reads the configuration file from the file system. Which solution meets these requirements?

A. Encrypt the configuration file using AWS KMS and store the encrypted file on S3.
B. Use AWS Secrets Manager to store the credentials and configure automatic rotation with a Lambda function. Modify the application to retrieve the secret from Secrets Manager.
C. Store the credentials in environment variables on the EC2 instance.
D. Store the credentials in AWS Systems Manager Parameter Store as a SecureString and retrieve them at application startup.
Answer: B

Supports rotation; minimal code change required.

Why this answer

Option B is correct because AWS Secrets Manager provides built-in support for automatic credential rotation using a Lambda function, meeting the 90-day rotation requirement without manual intervention. By modifying the application to retrieve the secret via the Secrets Manager API, the credentials are no longer stored in plain text, satisfying the security team's mandate. This approach minimizes code changes because the application only needs to replace the file read with an API call, preserving the existing logic structure.

Exam trap

The trap here is that candidates often confuse AWS Secrets Manager with Systems Manager Parameter Store, assuming both support automatic rotation, but Parameter Store does not provide built-in rotation capabilities, making Secrets Manager the only correct choice for automated rotation requirements.

How to eliminate wrong answers

Option A is wrong because encrypting the configuration file and storing it on S3 does not address rotation; the encrypted file would still need to be manually updated every 90 days, and the application would require code changes to decrypt the file. Option C is wrong because environment variables on the EC2 instance are not encrypted at rest by default and do not support automatic rotation; they also expose credentials in process listings or logs. Option D is wrong because AWS Systems Manager Parameter Store as a SecureString does not support automatic rotation natively; while it can store encrypted parameters, rotation would require custom automation, and the application would still need code changes to retrieve the parameter via the AWS SDK.

316
MCQ · medium

A company uses AWS CloudFormation to manage infrastructure. The development team wants to make a change to a stack that involves replacing a critical resource. The team wants to minimize downtime and ensure that the replacement is successful before removing the old resource. Which CloudFormation feature should the team use?

A. Use AWS CodeDeploy blue/green deployment.
B. Use a change set to review the changes before executing.
C. Use a CreationPolicy on the resource to ensure it is fully created before the old one is deleted.
D. Use nested stacks to isolate the resource.
Answer: C

CreationPolicy with 'create before destroy' ensures the new resource is up before deleting the old.

Why this answer

Option C is correct because, when a stack update replaces a resource, CloudFormation creates the replacement before deleting the old one, and a CreationPolicy makes the update wait until the new resource signals that it is fully created before the old one is removed. Option B is wrong because change sets are for previewing changes, not for controlling replacement order.

Option A is wrong because CodeDeploy blue/green is not a CloudFormation feature. Option D is wrong because nested stacks do not control replacement order.

317
MCQ · medium

The developer runs a scan on the DynamoDB table 'orders' with a filter expression to find items with order_status equal to 'SHIPPED'. The output shows ScannedCount of 10000 but Count of 0. Which statement is correct?

A. The scan retrieved 10,000 items from the table, but none matched the filter condition.
B. The scan only returned items that matched the filter, so there are no items with status SHIPPED.
C. The filter expression syntax is incorrect, causing the scan to return zero items.
D. The scan applied the filter before reading items, so only matching items were scanned.
Answer: A

Filter expressions are applied after the scan, so all items were scanned but filtered out.

Why this answer

Option A is correct because filter expressions are applied after the scan retrieves the items, so all 10,000 items were scanned but none matched the filter. Option B is wrong because the scan returns up to 1 MB of data, not a fixed number of items, and the filter is applied after. Option C is wrong because the filter expression is syntactically correct.

Option D is wrong because the filter expression is applied after scanning, not before.

318
MCQ · hard

A developer is deploying a microservices application on Amazon ECS using Fargate. The developer wants to implement a blue/green deployment strategy using AWS CodeDeploy. The current production environment uses an Application Load Balancer (ALB). What is the minimum configuration required to enable blue/green deployments?

A. An ALB with two target groups, one for blue and one for green.
B. An ALB with a single target group and an Amazon CloudFront distribution.
C. An ECS service discovery namespace.
D. A Network Load Balancer (NLB) with a single target group.
Answer: A

CodeDeploy uses two target groups to shift traffic between blue and green environments.

Why this answer

Option A is correct because CodeDeploy blue/green on ECS requires a load balancer with a target group for each environment. Option D is wrong because an NLB also works but requires additional configuration. Option B is wrong because CloudFront is not required.

Option C is wrong because ECS service discovery is not necessary.

319
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with SSE-S3. What is the MOST effective way to enforce this?

A. Create an IAM policy that denies non-SSE-S3 encryption and attach it to all users.
B. Use AWS Config rules to detect buckets without SSE-S3 and send alerts.
C. Use an SCP in AWS Organizations to deny s3:PutBucketEncryption unless the encryption algorithm is AES256.
D. Use S3 bucket policies to deny PutObject if encryption is not SSE-S3.
Answer: C

SCPs enforce across all accounts in the organization.

Why this answer

Option C is correct because service control policies (SCPs) apply at the organization level and can deny actions that do not meet a condition; an SCP can deny s3:PutBucketEncryption unless the algorithm is AES256 (SSE-S3). Option A is not possible because you cannot directly apply one IAM policy to all accounts.

Option B is per account and not centralized. Option D is per bucket and not enforced across accounts.

320
Multi-Select · hard

Which THREE are valid deployment strategies in AWS CodeDeploy? (Choose three.)

Select 3 answers
A. AllAtOnce
B. Rolling
C. Immutable
D. Canary
E. Blue/Green
Answers: A, B, E

AllAtOnce deploys to all instances simultaneously.

Why this answer

Options A, B, and E are correct: CodeDeploy supports AllAtOnce, Rolling, and Blue/Green. Option D is wrong because Canary is not a CodeDeploy strategy.

Option C is wrong because Immutable is an Elastic Beanstalk strategy, not CodeDeploy.

321
MCQ · medium

A developer is deploying an application using AWS Elastic Beanstalk. The application reads and writes data to an Amazon RDS database. The developer wants to ensure that database credentials are not stored in the application code or configuration files. What should the developer do?

A. Store the credentials as environment properties in the Elastic Beanstalk environment configuration.
B. Encrypt the credentials and store them in an Amazon S3 bucket. Have the application download them at startup.
C. Use AWS Secrets Manager to store the credentials and retrieve them in the application code.
D. Store the credentials in a separate configuration file and include it in the application source bundle.
Answer: A

Elastic Beanstalk supports storing environment properties that are injected into the application at runtime.

Why this answer

Option A is correct because Elastic Beanstalk stores environment properties in the environment configuration and injects them into the application at runtime, keeping the credentials out of the application code and configuration files. Option D is wrong because a configuration file in the source bundle still stores the credentials in a configuration file, which the question forbids. Option B is wrong because storing credentials in S3 and downloading them adds complexity and potential exposure.

Option C is wrong because Secrets Manager is a good practice, but Elastic Beanstalk can inject secrets as environment properties without custom code.

322
MCQ · easy

A developer wants to store session state data for a web application running on multiple EC2 instances behind an Application Load Balancer. The data is ephemeral and should not persist if an instance is terminated. Which storage option should the developer use?

A. Amazon ElastiCache
B. Amazon RDS
C. Amazon S3
D. Amazon EFS
Answer: A

Correct. ElastiCache provides an in-memory cache that is ephemeral (by default) and can be shared across all EC2 instances, making it ideal for session state in a distributed environment.

Why this answer

Amazon ElastiCache is the correct choice because it provides an in-memory caching service (e.g., Redis or Memcached) that is ideal for storing ephemeral session state data. The data is stored in memory, not on disk, so it is automatically lost when an EC2 instance is terminated, matching the requirement that session data should not persist. Additionally, ElastiCache is designed for low-latency access, making it suitable for session state that must be quickly read and written by multiple instances behind an Application Load Balancer.

Exam trap

The trap here is that candidates often choose Amazon EFS because it is shared storage accessible by multiple EC2 instances, but they overlook the explicit requirement that data must be ephemeral and not persist after instance termination, which EFS violates by design.

How to eliminate wrong answers

Option B (Amazon RDS) is wrong because RDS is a relational database service that stores data persistently on disk, which contradicts the requirement that session data should be ephemeral and not survive instance termination; it also introduces unnecessary overhead and latency for transient session state. Option C (Amazon S3) is wrong because S3 is an object storage service designed for durable, persistent storage of unstructured data, not for low-latency, ephemeral session state; its eventual consistency model and higher latency make it unsuitable for real-time session management. Option D (Amazon EFS) is wrong because EFS is a shared file system that provides persistent, durable storage across multiple EC2 instances, meaning data would survive instance termination, which directly violates the requirement that session data should not persist.

323
Multi-Select · easy

A developer is troubleshooting a slow Amazon RDS for MySQL database. The application experiences high latency on write operations. Which TWO actions can improve write performance?

Select 2 answers
A. Add a read replica to offload read traffic.
B. Increase the allocated storage size to get better I/O performance.
C. Enable deletion protection.
D. Increase the DB instance class to a larger size.
E. Enable Multi-AZ deployment for high availability.
Answers: B, D

More storage can provide better I/O throughput due to burst credits.

Why this answer

Option B is correct because increasing the allocated storage size for an Amazon RDS for MySQL instance can improve I/O performance by providing a higher baseline IOPS rate. Larger volumes in RDS, especially those using General Purpose SSD (gp2/gp3), have higher throughput and IOPS limits, which directly reduces write latency under heavy load.

Exam trap

The trap here is that candidates often confuse high availability (Multi-AZ) or read scaling (read replicas) with performance improvements for write operations, but neither addresses the underlying I/O or compute bottleneck causing write latency.

324
MCQ · hard

A company is deploying a containerized application on Amazon ECS with Fargate launch type. The application needs to store sensitive configuration data such as database passwords. The developer must ensure that the secrets are encrypted at rest and in transit, and that they are rotated automatically. Which solution should the developer use?

A. Store secrets in AWS Secrets Manager and enable automatic rotation.
B. Store secrets in AWS Systems Manager Parameter Store with a secure string parameter encrypted using AWS KMS.
C. Store secrets in an encrypted S3 bucket and retrieve them in the task definition.
D. Store secrets in AWS Secrets Manager and use a Lambda function to rotate the secrets.
Answer: D

Secrets Manager supports automatic rotation with built-in or custom Lambda rotation.

Why this answer

Option D is correct because AWS Secrets Manager provides automatic rotation, encryption at rest, and integration with ECS for secure retrieval. Option A (Parameter Store with KMS) does not support automatic rotation. Option B (Secrets Manager with Lambda rotation) is essentially correct but the Lambda function is needed for custom rotation; however, Secrets Manager can manage rotation automatically with built-in rotation for AWS services.

Option C (EC2 Systems Manager) is not for secrets management.

325
MCQmedium

A company has an S3 bucket that stores sensitive data. The data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to ensure that only a specific IAM role in the same account can decrypt the objects. Which configuration should the developer implement?

A.Add a bucket policy that denies s3:GetObject unless the request uses a specific IAM role.
B.Add a key policy that allows the IAM role to perform kms:Decrypt and denies all other principals.
C.Configure the S3 bucket with default encryption using the KMS key.
D.Create an IAM policy that grants kms:Decrypt only to the specific role.
AnswerB

KMS access is controlled via key policies; this grants decryption only to the specified role.

Why this answer

Option B is correct because KMS key policies directly control who can use the key for cryptographic operations like kms:Decrypt. By explicitly allowing only the specific IAM role and denying all other principals (including the root account), the key policy ensures that only that role can decrypt the S3 objects, regardless of any other IAM or bucket policies. This is the most secure and direct way to restrict decryption at the key level.

Exam trap

The trap here is that candidates often assume IAM policies alone can grant decryption access, but KMS key policies are the authoritative gatekeeper for key usage, and without an explicit Allow in the key policy, even an IAM policy with kms:Decrypt will fail.

How to eliminate wrong answers

Option A is wrong because a bucket policy denying s3:GetObject based on the IAM role does not control decryption; it controls read access to the object metadata and data, but if the object is encrypted with KMS, the request must also have kms:Decrypt permission, which the bucket policy cannot grant or deny. Option C is wrong because configuring default encryption with the KMS key only ensures new objects are encrypted at rest, but does not restrict which principals can decrypt them; any principal with kms:Decrypt on the key can still decrypt. Option D is wrong because an IAM policy granting kms:Decrypt to the role is insufficient if the key policy does not also allow the role; KMS key policies are the primary access control mechanism, and if the key policy denies all principals except the role, an IAM policy alone cannot override that denial.

326
MCQmedium

A developer runs the AWS CLI command shown in the exhibit. The output includes 'FunctionError': 'Unhandled'. What does this indicate?

A.The function threw an error that was caught by the code.
B.The function timed out.
C.The function threw an unhandled exception.
D.The function was not invoked successfully.
AnswerC

Unhandled means an uncaught error occurred.

Why this answer

Option C is correct because 'Unhandled' means the function returned an error that was not caught by the code. Option D is wrong because StatusCode 200 indicates a successful invocation, not a failure to invoke. Option A is wrong because a handled error would show 'Handled'.

Option B is wrong because a timeout would be a different error.

327
MCQeasy

Refer to the exhibit. A developer invokes a Lambda function using the AWS CLI. The response shows StatusCode 200 and FunctionError: Unhandled. What does this indicate?

A.The Lambda function threw an exception that was not caught by the code.
B.The Lambda function timed out before completing.
C.The Lambda function executed successfully without errors.
D.The AWS CLI failed to invoke the function due to permissions.
AnswerA

Unhandled error means an exception was thrown.

Why this answer

FunctionError: Unhandled means the function threw an exception. Option A is correct. Option C is wrong because StatusCode 200 indicates that the invocation succeeded but the function failed.

Option B is wrong because the function did execute. Option D is wrong because the response is not an error from the CLI.

328
MCQhard

A developer is building a REST API using Amazon API Gateway with a Lambda integration. The API must validate that the 'Authorization' header contains a valid JWT token before invoking the backend. Which approach provides the LOWEST latency for token validation?

A.Use a VPC Link to connect to a private server for validation.
B.Validate the token inside the Lambda function integrated with the API.
C.Use API Gateway request validation to check the header format.
D.Use a Lambda authorizer (formerly custom authorizer) on the API Gateway.
AnswerD

Lambda authorizer caches the policy, minimizing latency for subsequent requests.

Why this answer

Option D is correct because using a Lambda authorizer caches the policy and reduces latency for subsequent requests. Option C is wrong because request validation only checks format, not token validity. Option B is wrong because it adds a separate validation step in the integration.

Option A is wrong because VPC Link is for private integrations, not token validation.

329
MCQeasy

A developer needs to access a DynamoDB table from a Lambda function. The Lambda function is in the same AWS account as the DynamoDB table. What is the most secure way to grant the Lambda function access to the DynamoDB table?

A.Use the AWS account root user credentials.
B.Store the AWS access key and secret access key in the Lambda environment variables.
C.Create an IAM role with a policy that grants DynamoDB access and assign it as the Lambda execution role.
D.Use a resource-based policy on the DynamoDB table to allow the Lambda function.
AnswerC

This is the secure and standard way to grant permissions.

Why this answer

Option C is correct because the Lambda execution role is an IAM role that the Lambda function assumes at runtime. Attaching an IAM policy to this role with the necessary DynamoDB permissions is the best practice for granting permissions.

330
MCQhard

Refer to the exhibit. The developer runs the AWS CLI command to invoke a Lambda function. The output shows 'FunctionError': 'Unhandled'. What should the developer do to get more details about the error?

A.Re-invoke the function with a valid payload because the error is due to invalid input.
B.Enable AWS X-Ray tracing on the function.
C.Decode the base64-encoded 'LogResult' field to view the log output.
D.Check the CloudWatch Logs for the function's log group.
AnswerC

The 'LogResult' contains the base64-encoded log; decoding it shows the error.

Why this answer

The 'LogResult' field contains a base64-encoded log. Decoding it provides the error details. Option C is correct.

Option A is wrong because 'FunctionError' indicates an error, not success. Option D is wrong because CloudWatch Logs is another option but is not available directly from the CLI output. Option B is wrong because X-Ray traces requests but not errors.
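The triage that questions 326, 327 and 330 describe, as an added Python example that is not part of the original question bank: it parses the JSON that `aws lambda invoke --log-type Tail` prints, reads StatusCode and FunctionError the way those explanations do, and decodes the base64 LogResult to expose the error lines. The invoke output, log text and request id are constructed samples, not a real capture.

```python
import base64
import json

# Constructed sample of the log tail a failing Python function would emit.
# Not a real capture; the request id is a placeholder.
SAMPLE_LOG = (
    "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST\n"
    "[ERROR] KeyError: 'orderId'\n"
    "Traceback (most recent call last):\n"
    "  File \"/var/task/handler.py\", line 7, in handler\n"
    "    order = event['orderId']\n"
    "END RequestId: 00000000-0000-0000-0000-000000000000\n"
    "REPORT RequestId: 00000000-0000-0000-0000-000000000000 Duration: 12.34 ms "
    "Billed Duration: 13 ms Memory Size: 128 MB Max Memory Used: 40 MB\n"
)

# Constructed sample of what `aws lambda invoke --log-type Tail` prints on
# stdout: StatusCode 200 (Lambda ran the function) together with
# FunctionError "Unhandled" (the code raised an uncaught exception).
SAMPLE_INVOKE_OUTPUT = json.dumps({
    "StatusCode": 200,
    "FunctionError": "Unhandled",
    "ExecutedVersion": "$LATEST",
    "LogResult": base64.b64encode(SAMPLE_LOG.encode("utf-8")).decode("ascii"),
})


def decode_log_result(log_result: str) -> str:
    """Turn the base64 LogResult field into the readable log tail."""
    return base64.b64decode(log_result).decode("utf-8", errors="replace")


def triage_invoke_output(raw: str) -> dict:
    """Classify an `aws lambda invoke` response without leaving the CLI output.

    A 2xx StatusCode only says the invoke call was accepted and the function
    ran; FunctionError ("Handled" or "Unhandled") is what says the code failed.
    """
    resp = json.loads(raw)
    function_error = resp.get("FunctionError")
    result = {
        "invoked": 200 <= int(resp.get("StatusCode", 0)) < 300,
        "function_failed": function_error is not None,
        "error_kind": function_error,  # None, "Handled" or "Unhandled"
        "log_lines": [],
        "error_lines": [],
    }
    if "LogResult" in resp:
        lines = decode_log_result(resp["LogResult"]).splitlines()
        result["log_lines"] = lines
        # The exception message and traceback are what the CLI summary hides.
        result["error_lines"] = [
            line for line in lines if "[ERROR]" in line or "Traceback" in line
        ]
    return result


if __name__ == "__main__":
    summary = triage_invoke_output(SAMPLE_INVOKE_OUTPUT)
    print("invoked:", summary["invoked"], "| function error:", summary["error_kind"])
    print("\n".join(summary["log_lines"]))
```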

331
MCQhard

A developer is using Amazon API Gateway with a Lambda authorizer to control access to APIs. The authorizer is failing with a 500 error. The Lambda function logs show 'User: arn:aws:iam::123456789012:role/MyLambdaRole is not authorized to perform: sts:AssumeRole'. What is the most likely cause?

A.The Lambda authorizer is not returning a valid policy.
B.The Lambda function's resource-based policy is missing.
C.The API Gateway does not have permission to invoke the Lambda function.
D.The Lambda function's execution role does not have sts:AssumeRole permission for the target role.
AnswerD

The error shows the Lambda function's role is trying to assume another role but lacks permission.

Why this answer

The error message shows that the Lambda function's execution role (MyLambdaRole) attempted sts:AssumeRole on another role and was not allowed to. API Gateway invokes a Lambda authorizer directly, so the function does not need to assume any role unless its own code does so, for example to call another service. The failure therefore comes from code inside the Lambda function trying to assume a role that its execution role is not permitted to assume.

Option C is wrong because invoke permission is for API Gateway to invoke Lambda, not for Lambda to assume a role. Option A is wrong because the Lambda authorizer does not need to assume a role by default. Option D is correct: the Lambda function's code is attempting to assume an IAM role (perhaps to call another service), but the function's execution role lacks sts:AssumeRole permission for that role.

Option B is wrong because the Lambda function's resource-based policy is for cross-account access, not for assuming roles.

332
MCQhard

A developer is building a serverless application using AWS Lambda and API Gateway. The API should be accessible only from a specific VPC. What is the MOST secure way to achieve this?

A.Attach a security group to the API Gateway that only allows traffic from the VPC.
B.Create a private API Gateway endpoint and associate it with the VPC.
C.Set up VPC Peering between the VPC and the API Gateway's VPC.
D.Create a VPC endpoint for API Gateway and attach a resource policy to the API that allows access only from the VPC endpoint.
AnswerD

This restricts access to the VPC using aws:SourceVpce condition.

Why this answer

Option D is correct because using a resource policy on API Gateway with an aws:SourceVpce condition restricts access to requests originating from the VPC endpoint. Option B is wrong because private API Gateway endpoints are accessible from within a VPC without a resource policy. Option C is wrong because VPC Peering does not restrict access to API Gateway.

Option A is wrong because security groups apply to network interfaces, not to API Gateway.

333
MCQmedium

A company runs a containerized web application on Amazon ECS using Fargate. The application needs to store files in Amazon S3. The developer wants to follow the principle of least privilege for the ECS task IAM role. Which IAM policy should be attached to the task role?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::example-bucket/*"}]}
AnswerC

Only PutObject is needed to upload files; minimal permissions.

Why this answer

Option C is correct because the policy grants only the necessary S3 action (PutObject) on the specific bucket. Option A is wrong because it grants all S3 actions. Option B is wrong because it grants s3:*, which is too broad.

Option D is wrong because it grants read-only access, not write.

334
Multi-Selecthard

A developer needs to securely expose an API running on an EC2 instance behind an Application Load Balancer. The API should only be accessible to authenticated users via a custom authorization header. Which steps should be taken? (Choose TWO.)

Select 2 answers
A.Create a Lambda authorizer that validates the custom header
B.Enable AWS WAF on the ALB to inspect the header
C.Use Amazon Cognito User Pools to validate the header
D.Use Amazon API Gateway instead of ALB
E.Configure the ALB to use the Lambda authorizer
AnswersA, E

Lambda authorizer can verify the token and return IAM policy.

Why this answer

Option A is correct because a Lambda authorizer can validate a custom authorization header by inspecting the header value and returning an IAM policy that either allows or denies access to the API. This approach is commonly used with API Gateway, but the question specifies an ALB, so the Lambda authorizer must be integrated with the ALB via a Lambda function that acts as an authenticator. The ALB can invoke a Lambda function as a target group, and the function can validate the custom header and return a response that the ALB uses to determine whether to forward the request.

Exam trap

The trap here is that candidates often assume API Gateway is required for Lambda authorizers, but the ALB can also invoke a Lambda function for authentication, and the question specifically asks for steps to secure the ALB, not to replace it.

335
MCQmedium

A developer is building a system that reads messages from an Amazon SQS queue, processes them, and stores results in an Amazon DynamoDB table. The developer wants to use a managed service to coordinate the processing steps, including error handling and retry logic, without provisioning any servers. Which AWS service should the developer use?

A.AWS Step Functions
B.Amazon Simple Workflow Service (SWF)
C.AWS Glue
D.Amazon MQ
AnswerA

Step Functions can orchestrate multiple services, integrate with SQS and DynamoDB, and provide built-in error handling and retry policies.

Why this answer

AWS Step Functions is a serverless orchestration service that lets you coordinate multiple AWS services into a workflow. It directly supports error handling, retry logic, and conditional branching, making it ideal for managing the processing steps of messages from SQS through to DynamoDB without provisioning any servers.

Exam trap

The trap here is that candidates confuse Amazon MQ (a message broker) with a workflow orchestrator, or mistakenly think SWF is the correct choice because it was historically used for workflow coordination, but Step Functions is the modern, serverless, and fully managed alternative that directly integrates with SQS and DynamoDB.

How to eliminate wrong answers

Option B is wrong because Amazon Simple Workflow Service (SWF) is a legacy workflow service that requires you to manage workers (deciders and activity workers) and does not natively integrate with SQS or DynamoDB as seamlessly as Step Functions; it also lacks the built-in retry and error-handling patterns of Step Functions. Option C is wrong because AWS Glue is a serverless ETL service designed for data preparation and transformation, not for orchestrating message processing workflows with SQS and DynamoDB. Option D is wrong because Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ, not a workflow orchestration service; it provides message queuing but does not handle coordination, error handling, or retry logic across processing steps.

336
MCQmedium

A developer ran the AWS CLI command shown in the exhibit. What is the most likely cause of the error?

A.The --origin parameter is misspelled.
B.The --key-spec parameter is invalid for custom key stores.
C.The IAM user does not have permission to create KMS keys.
D.The AWS Region does not support CloudHSM custom key stores.
AnswerD

Custom key stores are not available in all regions; the error confirms this.

Why this answer

Creating a KMS key in a custom key store (CloudHSM) requires a CloudHSM cluster and a custom key store to be set up first. The error indicates that custom key stores are not supported in the region, meaning the developer is in a region that does not support CloudHSM-based custom key stores. Option A is wrong because the CLI syntax is correct.

Option C is wrong because the error specifically says that custom key stores are not supported in this region. Option B is wrong because the key spec is valid.

337
Multi-Selecteasy

A web application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing intermittent 503 errors. Which TWO steps should be taken to diagnose the issue?

Select 2 answers
A.Check the Route 53 health checks for the domain.
B.Check the CPU utilization of the EC2 instances.
C.Check the target group health check settings and instance health status.
D.Check the security group rules for the ALB.
E.Check the EBS volume type of the EC2 instances.
AnswersB, C

High CPU can cause instances to fail health checks and return 503.

Why this answer

Option B is correct because high CPU utilization on EC2 instances can cause them to become unresponsive or fail to respond to health checks within the ALB's configured timeout, leading to 503 errors. The ALB routes traffic only to healthy targets; if instances are overwhelmed, they may fail health checks or drop requests, resulting in a 503 response to clients.

Exam trap

The trap here is that candidates may confuse Route 53 health checks (DNS-level) with ALB target group health checks (application-level), or assume that security groups or EBS volumes are the root cause of HTTP 503 errors when they are not directly related to load balancer routing failures.

338
Multi-Selecteasy

A developer is troubleshooting a slow RDS MySQL instance. Which TWO metrics in Amazon CloudWatch should the developer examine first?

Select 2 answers
A.NetworkReceiveThroughput
B.SwapUsage
C.CPUUtilization
D.FreeStorageSpace
E.ReadLatency
AnswersC, E

High CPU indicates a problem.

Why this answer

Options C and E are correct because high CPU and high ReadLatency are common indicators of database performance issues. Option D is wrong because FreeStorageSpace measures storage capacity, not performance. Option A is wrong because NetworkReceiveThroughput measures network traffic.

Option B is wrong because SwapUsage is a less common indicator for RDS.

339
Multi-Selecteasy

A developer is using Amazon API Gateway to expose a Lambda function as a REST API. The API should only be accessible from a specific VPC. Which TWO steps are required to achieve this? (Choose TWO.)

Select 2 answers
A.Create a VPC endpoint for API Gateway.
B.Attach a resource policy to the API Gateway API that denies access unless the request originates from the VPC.
C.Use an API key that is only known within the VPC.
D.Configure the Lambda function to be VPC-enabled.
E.Create a VPC endpoint for Lambda.
AnswersA, B

A VPC endpoint allows API Gateway to be accessed privately from within the VPC.

Why this answer

Option B is correct because a resource policy on API Gateway can restrict access to a VPC. Option A is correct because a VPC endpoint for API Gateway allows API Gateway to receive traffic from the VPC privately. Option D is wrong because Lambda VPC configuration is for the function's access to VPC resources, not for API Gateway.

Option E is wrong because a VPC endpoint for Lambda is not needed for API Gateway access. Option C is wrong because an API key is for authentication, not network restriction.

340
MCQmedium

An application running on Amazon ECS with Fargate is experiencing high latency. The application writes logs to Amazon CloudWatch Logs. Which AWS service can be used to analyze the logs to pinpoint the cause of the latency?

A.Amazon CloudWatch Logs
B.Amazon CloudWatch Logs Insights
C.AWS X-Ray
D.Amazon S3
AnswerB

Logs Insights allows querying and analyzing logs to identify latency causes.

Why this answer

Amazon CloudWatch Logs Insights is the correct choice because it is purpose-built for interactively querying and analyzing log data stored in CloudWatch Logs. It allows you to run SQL-like queries (using a query language) to filter, aggregate, and visualize log events, which is essential for pinpointing latency patterns, such as slow API calls or database queries, without needing to export logs to another service.

Exam trap

The trap here is that candidates confuse CloudWatch Logs (storage/monitoring) with CloudWatch Logs Insights (query/analysis), assuming the former can perform deep log analysis, when in fact it only supports basic metric filters and real-time monitoring.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs itself is a log storage and monitoring service, not a query engine; it can only view raw log streams or set metric filters, not perform ad-hoc analytical queries to diagnose latency. Option C is wrong because AWS X-Ray is a distributed tracing service that traces requests through microservices, but it does not analyze CloudWatch Logs; it uses its own trace data and segments, not log files. Option D is wrong because Amazon S3 is an object storage service; while logs can be exported to S3, it provides no built-in querying capability for log analysis without additional services like Athena.

341
MCQeasy

A developer needs to store session state for a web application running on multiple EC2 instances behind an Application Load Balancer. Which AWS service should the developer use for a fully managed, highly available session store?

A.Amazon RDS
B.Amazon S3
C.Amazon DynamoDB
D.Amazon ElastiCache
AnswerD

ElastiCache provides low-latency, managed caching for session state.

Why this answer

Option D is correct because ElastiCache (Memcached or Redis) is a managed in-memory cache suitable for session state. Option B is wrong because S3 is not designed for low-latency session storage. Option C is wrong because DynamoDB can be used but is not as fast for session state.

Option A is wrong because RDS adds latency and cost for session data.

342
MCQeasy

A developer is writing an AWS Lambda function that needs to read a secret from AWS Secrets Manager. The function is written in Python. What is the BEST practice for retrieving the secret?

A.Use AWS Systems Manager Parameter Store to store the secret.
B.Retrieve the secret inside the handler function every time it is invoked.
C.Store the secret in an environment variable.
D.Retrieve the secret outside the handler function and cache it in a global variable.
AnswerD

Caching outside the handler reduces latency and cost.

Why this answer

Option D is correct because caching the secret outside the handler reduces latency and cost. Option B is wrong because it does not cache. Option C is wrong because environment variables are not secure for secrets.

Option A is wrong because SSM Parameter Store is not the best practice for secrets; Secrets Manager is preferred.
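The caching pattern from option D, as an added Python example that is not part of the original question bank. It keeps the secret in a module-level cache that survives across warm invocations and, going one step beyond the answer, adds a TTL so a rotated secret is picked up without redeploying the function; the secret name `prod/db/password`, the TTL value and the injectable `fetch`/`now` parameters are assumptions made for illustration and offline testing.

```python
import time
from typing import Callable, Dict, Tuple

# Assumptions for illustration: the secret name and the refresh interval.
SECRET_ID = "prod/db/password"
CACHE_TTL_SECONDS = 300.0

# Module scope runs once per container (cold start) and persists across warm
# invocations, so anything stored here is reused instead of refetched.
_cache: Dict[str, Tuple[str, float]] = {}  # secret_id -> (value, fetched_at)


def _fetch_from_secrets_manager(secret_id: str) -> str:
    """Real fetch through boto3; imported lazily so the module loads without it."""
    import boto3  # present in the Lambda Python runtime

    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def get_secret(
    secret_id: str,
    fetch: Callable[[str], str] = _fetch_from_secrets_manager,
    now: Callable[[], float] = time.time,
) -> str:
    """Return the secret, calling Secrets Manager only on a cold start or once
    the cached copy is older than CACHE_TTL_SECONDS, so a rotated secret is
    picked up without redeploying the function."""
    entry = _cache.get(secret_id)
    if entry is not None:
        value, fetched_at = entry
        if now() - fetched_at < CACHE_TTL_SECONDS:
            return value  # warm path: no network call, no extra API cost
    value = fetch(secret_id)  # cold start or expired cache
    _cache[secret_id] = (value, now())
    return value


def handler(event, context, fetch: Callable[[str], str] = _fetch_from_secrets_manager):
    """Lambda entry point; `fetch` is injectable only so the code can run offline."""
    db_password = get_secret(SECRET_ID, fetch=fetch)
    # Use the credential to open the connection here; never echo it in the
    # response or in logs.
    assert db_password  # placeholder for the real use of the credential
    return {"statusCode": 200, "body": "ok"}
```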

343
MCQhard

A company uses AWS CodePipeline with CodeBuild and CodeDeploy. The pipeline deploys a web application to an Auto Scaling group. Recently, a deployment failed because the build output exceeded the CodeDeploy deployment limit for the number of files. The developer needs to prevent this issue in the future. What should the developer do?

A.Use AWS CodeStar to manage the pipeline.
B.Increase the instance size in the Auto Scaling group to handle more files.
C.Store the build output in an S3 bucket and modify the CodeDeploy deployment to pull the archive from S3.
D.Modify the buildspec.yml to compress the build output.
AnswerC

Using S3 reduces the number of files in the deployment package to one.

Why this answer

Option C is correct because CodeDeploy has a hard limit on the number of files in a deployment archive (currently 10,000 files for in-place deployments). By storing the build output in an S3 bucket and configuring CodeDeploy to pull the archive from S3, the developer bypasses the file count limit entirely. S3 has no such file count restriction, and CodeDeploy can retrieve the archive directly, allowing deployments with a large number of files to succeed.

Exam trap

The trap here is that candidates often confuse the file count limit with archive size limits or instance resource constraints, leading them to choose compression or instance scaling instead of addressing the actual CodeDeploy limitation.

How to eliminate wrong answers

Option A is wrong because AWS CodeStar is a project management and orchestration service that does not change the underlying CodeDeploy file count limit; it simply provides a unified interface for CI/CD pipelines. Option B is wrong because increasing the instance size in the Auto Scaling group does not affect the CodeDeploy deployment limit on the number of files; the limit is imposed by CodeDeploy itself, not by instance resources. Option D is wrong because compressing the build output in buildspec.yml does not reduce the number of files; it only reduces the archive size, and CodeDeploy still counts the individual files within the archive against its limit.

344
MCQmedium

A company uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. They have a CodePipeline that deploys the built artifacts to an Auto Scaling group using CodeDeploy. Recently, the build stage started failing with the error: 'BUILD FAILED: Could not resolve dependencies for project'. The developer checks the buildspec.yml and sees that it uses Maven to download dependencies from a private repository. The developer also notices that the build environment is a managed Docker image. What is the most likely cause?

A.The CodeBuild project does not have the necessary IAM permissions to access the private Maven repository.
B.The build environment does not have network access to the private Maven repository because it is not configured with a VPC.
C.The buildspec.yml has a syntax error in the 'phases' section.
D.The Java compiler version is incompatible with the project.
AnswerB

Managed images in CodeBuild have internet access, but private repos may require VPC.

Why this answer

Option B is correct because a managed Docker image may not have network access to a private repository if it's not configured with a VPC or NAT gateway. Option A is wrong because CodeBuild supports private repositories with proper network configuration. Option C is wrong because the buildspec is correct.

Option D is wrong because the error is about dependency resolution, not compilation.

345
MCQmedium

A developer is building a serverless application that uses an Amazon SQS FIFO queue to process orders. The orders must be processed exactly once and in the order they are received. The developer uses an AWS Lambda function as the consumer. Despite using a FIFO queue, the developer notices that some orders are being processed more than once. What is the most likely cause of this behavior?

A.The Lambda function is not deleting messages from the queue after successful processing, so they become visible again after the visibility timeout.
B.The Lambda function is configured with a batch size greater than 1, causing multiple messages to be processed at once and some to be duplicated.
C.The SQS queue has a message retention period set too low, causing messages to be deleted automatically and re-queued.
D.The Lambda function's execution role does not have permission to delete messages from the queue.
AnswerA

If the function does not delete the message from the queue, the message reappears after the visibility timeout expires, causing duplicate processing. FIFO queues do not automatically remove messages; the consumer must explicitly delete them.

Why this answer

The most likely cause is that the Lambda function is not deleting messages from the SQS FIFO queue after successful processing. By default, Lambda does not automatically delete messages; it relies on the function code to call the `DeleteMessage` API. If the function fails to delete a message, it remains in the queue and becomes visible again after the visibility timeout expires, leading to duplicate processing even though the queue is FIFO.

Exam trap

The trap here is that candidates assume FIFO queues guarantee exactly-once processing automatically, but they actually guarantee exactly-once delivery to the consumer, not exactly-once processing—the consumer must still delete the message to prevent reprocessing.

How to eliminate wrong answers

Option B is wrong because increasing the batch size in a FIFO queue does not cause message duplication; Lambda processes messages in batches but still deletes them individually after successful processing, and FIFO ordering is preserved within each batch. Option C is wrong because a low message retention period causes messages to be deleted permanently, not re-queued; it does not cause duplicate processing. Option D is wrong because if the Lambda execution role lacked permission to delete messages, the function would fail to delete them, but this would result in repeated processing after the visibility timeout—however, the question asks for the most likely cause, and the absence of delete logic in the code is a more common oversight than missing IAM permissions, which would typically raise an error.

346
MCQmedium

Refer to the exhibit. An IAM policy is attached to an IAM role used by an EC2 instance in a CodeDeploy deployment group. The deployment fails with 'Access Denied' when the CodeDeploy agent tries to register the application revision. What is the most likely cause?

A.The resource is set to '*' which is not allowed for CodeDeploy actions.
B.The role is not associated with the CodeDeploy service.
C.The policy does not include the 'codedeploy:PutApplicationRevision' action.
D.The policy is missing an explicit deny for other actions.
AnswerC

RegisterApplicationRevision is not a valid action.

Why this answer

Option C is correct because the policy is missing the 'codedeploy:PutApplicationRevision' permission. The 'RegisterApplicationRevision' action is not a valid CodeDeploy API call; the correct action is 'PutApplicationRevision'. Option D is wrong because the actions are allowed, not denied.

Option A is wrong because the policy uses the '*' resource. Option B is wrong because the instance profile role is for EC2, not CodeDeploy.

347
MCQeasy

A developer is deploying a serverless application using AWS SAM. The developer wants to define a Lambda function that is invoked by an Amazon API Gateway REST API. Which SAM resource type should the developer use to define the API?

A.AWS::Serverless::SimpleTable
B.AWS::Serverless::Api
C.AWS::ApiGateway::RestApi
D.AWS::Serverless::Function
AnswerB

This defines an API Gateway REST API.

Why this answer

Option B is correct because AWS::Serverless::Api defines an API Gateway REST API in SAM. Option D is wrong because AWS::Serverless::Function defines a Lambda function. Option C is wrong because AWS::ApiGateway::RestApi is a raw CloudFormation resource, not a SAM shorthand.

Option A is wrong because AWS::Serverless::SimpleTable defines a DynamoDB table.

348
MCQhard

A large enterprise is deploying a critical application across multiple AWS regions using AWS CodePipeline and AWS CodeDeploy. The application runs on EC2 instances in an Auto Scaling group. The deployment uses a blue/green strategy. During a cross-region deployment, the pipeline fails in the secondary region with the error 'The deployment group does not exist.' The developer confirms that the deployment group exists in the primary region and has been replicated via AWS CloudFormation StackSets. The developer also checks that the StackSet is successfully deployed in the secondary region. What is the most likely cause?

A.The CodePipeline in the secondary region references the deployment group ARN from the primary region instead of the secondary region.
B.The deployment group name is case-sensitive and differs between regions.
C.The CodePipeline in the secondary region is not configured with the correct source stage.
D.The IAM role for CodeDeploy in the secondary region does not have cross-region permissions.
AnswerA

Pipeline must reference local resources.

Why this answer

Option A is correct because CodePipeline is region-specific, and the pipeline in the secondary region must be configured to use the deployment group in that same region. The StackSet may have created the resources, but the pipeline definition still points to the primary region. Option B is wrong because the deployment group does exist.

Option B is wrong because the pipeline exists. Option C is wrong because permissions are global.

349
MCQhard

A developer attached the above IAM policy to an IAM user. The user reports being denied access to objects in the S3 bucket 'my-bucket' from an IP address in the 10.0.0.0/24 range. What is the MOST likely cause?

A.The Resource ARN is missing the bucket name.
B.The bucket policy also denies access.
C.The IP address range 10.0.0.0/24 is a private range not seen by S3.
D.The condition should use 'aws:VpcSourceIp' instead.
AnswerC

S3 sees the public IP of the client or the VPC endpoint IP, not the private IP.

Why this answer

Option C is correct. The policy syntax itself is not the problem: 'IpAddress' is a valid condition operator and 'aws:SourceIp' is the correct condition key for source-IP restrictions, and IAM user policies support this condition just as S3 bucket policies do.

The problem is that 10.0.0.0/24 is a private IP range. When the client accesses S3 from within a VPC, S3 does not see the client's private IP; it sees the public IP or the VPC endpoint IP. The condition therefore never matches, and the request is denied.

350
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The developer wants to run database migration scripts as part of the deployment process before the new application version starts serving traffic. Which Elastic Beanstalk configuration file should the developer use to define the migration commands?

A..ebextensions/<filename>.config with container_commands
B..ebextensions/<filename>.config with commands
C.Procfile
D.buildspec.yml
AnswerA

container_commands are executed after the application and web server are ready but before the new version starts serving traffic. This makes them suitable for database migrations.

Why this answer

Option A is correct because `container_commands` in `.ebextensions/<filename>.config` runs commands after the application and web server have been set up but before the new application version starts serving traffic. This makes it the ideal place to execute database migration scripts that must complete before the environment accepts requests, ensuring data consistency.

Exam trap

The trap here is confusing `commands` with `container_commands`; candidates often pick `commands` because they sound similar, but they run at different lifecycle stages, and only `container_commands` guarantees execution after the application stack is ready but before traffic is routed.

How to eliminate wrong answers

Option B is wrong because `commands` in `.ebextensions/<filename>.config` runs before the application and web server are set up, so the database migration scripts would execute too early, potentially before the application dependencies or environment variables are ready. Option C is wrong because a `Procfile` is used to specify the processes that run your application (e.g., web server, worker), not to define deployment lifecycle commands like database migrations. Option D is wrong because `buildspec.yml` is a configuration file for AWS CodeBuild, not for Elastic Beanstalk; it defines build phases and commands for a CI/CD pipeline, not deployment hooks within Elastic Beanstalk.

351
MCQhard

An application running on Amazon ECS (Fargate) uses an Application Load Balancer (ALB) with connection draining enabled. The application is experiencing intermittent 502 (Bad Gateway) errors during rolling updates of the ECS service. The developer notices that the ALB is routing requests to tasks that are in the 'Draining' state. The ECS service is configured with a deployment circuit breaker that automatically rolls back a failed deployment. What is the most likely cause of the 502 errors?

A.The ALB's idle timeout is too short, causing connections to be dropped before the application responds.
B.The ALB's connection draining timeout is set to 0 seconds, causing connections to be dropped immediately when deregistering targets.
C.The ECS deployment circuit breaker is incorrectly configured to roll back on health check failures.
D.The application is not handling the SIGTERM signal from ECS, causing it to terminate abruptly while the ALB still routes traffic to it.
AnswerD

When ECS stops a task, it sends a SIGTERM signal to allow the application to gracefully shut down. If the application does not catch this signal and stop accepting new connections or complete in-flight requests before exiting, the ALB may still send traffic to the task after it stops, resulting in 502 errors. This is a common issue during rolling updates.

Why this answer

Option D is correct because when ECS sends a SIGTERM signal to a Fargate task during a rolling update, the task is expected to gracefully shut down. If the application does not handle SIGTERM, it terminates immediately, but the ALB may still have the task registered as a target and continue routing requests to it. Since the task is already dead or unresponsive, the ALB receives no valid HTTP response and returns a 502 Bad Gateway error.

Connection draining is enabled, but it only works if the task signals the ALB that it is deregistering; without proper SIGTERM handling, the task dies before the draining process completes.

Exam trap

The trap here is that candidates often assume connection draining is a silver bullet that prevents all errors during rolling updates, but they overlook that the application must handle SIGTERM to allow the draining process to work as intended.

How to eliminate wrong answers

Option A is wrong because the ALB's idle timeout (default 60 seconds) controls how long the ALB keeps a connection open without data transfer; it does not cause 502 errors during rolling updates, as 502s stem from the target not responding, not from idle timeouts. Option B is wrong because setting connection draining timeout to 0 seconds would cause immediate deregistration, which would prevent routing to draining tasks, not cause 502 errors; the problem here is that tasks are still receiving traffic while draining, which is the opposite scenario. Option C is wrong because the deployment circuit breaker rolls back the entire deployment on health check failures, but it does not cause 502 errors during the update; it is a recovery mechanism, not a root cause of the errors.

352
Multi-Selectmedium

A company wants to encrypt data at rest in Amazon RDS for MySQL. Which TWO actions should be taken?

Select 2 answers
A.Enable encryption at rest when creating the DB instance.
B.Encrypt individual tables using MySQL native encryption.
C.Enable encryption at rest after the DB instance is created.
D.Use AWS KMS to manage the encryption keys.
E.Use client-side encryption to encrypt data before sending to RDS.
AnswersA, D

RDS encryption at rest must be enabled at creation time.

Why this answer

Option A is correct because Amazon RDS for MySQL supports encryption at rest only at the time of DB instance creation. You must enable the encryption option in the console or specify the --storage-encrypted flag in the AWS CLI when launching the instance. Once enabled, RDS automatically encrypts the underlying storage, automated backups, read replicas, and snapshots using AES-256 encryption, with keys managed through AWS KMS.

Exam trap

The trap here is that candidates often assume encryption at rest can be enabled after instance creation (like modifying a DB parameter group) or that MySQL native encryption is available in RDS, but AWS restricts encryption to instance creation time and does not support MySQL's native table encryption within the managed service.

353
MCQeasy

A developer receives an AccessDeniedException when trying to invoke a Lambda function from an Amazon API Gateway REST API. The Lambda resource-based policy allows API Gateway. What is the most likely issue?

A.The Lambda function is in a VPC without a NAT gateway.
B.The Lambda function concurrency limit is exceeded.
C.The API Gateway execution role lacks lambda:InvokeFunction permission.
D.API Gateway caching is enabled, returning stale responses.
AnswerC

Execution role needs invoke permission.

Why this answer

Option C is correct because when API Gateway invokes a Lambda function, it must have the `lambda:InvokeFunction` permission. Even if the Lambda resource-based policy grants API Gateway access, the API Gateway execution role must also explicitly allow the `lambda:InvokeFunction` action. Without this permission, API Gateway cannot invoke the function, resulting in an AccessDeniedException.

Exam trap

The trap here is that candidates often assume the Lambda resource-based policy alone is sufficient, overlooking that API Gateway's execution role must also grant the `lambda:InvokeFunction` permission, which is a separate IAM authorization layer.

How to eliminate wrong answers

Option A is wrong because a Lambda function in a VPC without a NAT gateway would cause network timeout errors (e.g., inability to reach the internet), not an AccessDeniedException, which is an IAM permissions error. Option B is wrong because exceeding the Lambda concurrency limit results in a `TooManyRequestsException` (HTTP 429) or `ResourceConflictException`, not an AccessDeniedException. Option D is wrong because API Gateway caching returns stale responses only when caching is enabled and a cached response exists; it does not cause an AccessDeniedException, which is a permissions issue unrelated to caching.

354
MCQhard

A company uses AWS KMS to encrypt data in S3. The security team wants to ensure that all KMS keys are rotated every year. Which action should be taken?

A.Manually rotate the KMS key every year
B.Create a new KMS key and update all applications to use it
C.Enable automatic key rotation
D.Use AWS CloudWatch Events to trigger a Lambda function that rotates the key
AnswerC

KMS supports automatic annual rotation for symmetric keys.

Why this answer

AWS KMS supports automatic key rotation for customer-managed KMS keys. When enabled, KMS rotates the key material annually without requiring any manual intervention or application changes. This satisfies the security team's requirement for yearly rotation while maintaining the same key ID and existing encrypted data accessibility.

Exam trap

The trap here is that candidates may think manual rotation or creating a new key is required because they confuse KMS key rotation with S3 bucket key rotation or assume that automatic rotation changes the key ID, which would break references to the key.

How to eliminate wrong answers

Option A is wrong because manual rotation requires creating a new key and updating applications, which is error-prone and does not automatically re-encrypt existing data. Option B is wrong because creating a new KMS key and updating applications introduces operational overhead and does not rotate the existing key; it replaces it, potentially breaking access to previously encrypted data. Option D is wrong because AWS CloudWatch Events triggering a Lambda function is unnecessary and overly complex; KMS already provides a built-in, fully managed automatic rotation feature that does not require custom scripting or event-driven orchestration.

355
MCQeasy

A developer needs to generate temporary credentials for a user to access an S3 bucket for 30 minutes. Which AWS service should be used?

A.IAM role
B.Amazon Cognito
C.AWS Key Management Service (KMS)
D.AWS Security Token Service (STS)
AnswerD

STS issues temporary credentials that can be configured to expire in 30 minutes.

Why this answer

AWS Security Token Service (STS) is the correct service for generating temporary, limited-privilege credentials to access AWS resources. It can issue credentials with a configurable expiration period, such as 30 minutes, via the AssumeRole API call. This directly meets the requirement for time-bound access to an S3 bucket.

Exam trap

The trap here is that candidates confuse IAM roles (a permission container) with the service that actually issues temporary credentials (STS), leading them to select Option A instead of D.

How to eliminate wrong answers

Option A is wrong because an IAM role is a set of permissions, not a mechanism to generate temporary credentials; you must use STS (e.g., AssumeRole) to obtain temporary credentials for a role. Option B is wrong because Amazon Cognito is designed for user identity and authentication in web/mobile apps, not for directly generating temporary AWS credentials for a single S3 bucket access scenario; it uses identity pools which rely on STS under the hood but adds unnecessary complexity. Option C is wrong because AWS Key Management Service (KMS) manages encryption keys and cannot generate any type of credentials, temporary or otherwise.

356
MCQmedium

A developer is running a web application on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The application needs to store user session state that must be available across all instances. The session data is small and temporary but must survive individual instance failures. Which AWS service should the developer use to store this session state?

A.Store session state in an Amazon ElastiCache cluster
B.Store session state in the /tmp directory of each EC2 instance
C.Use an Amazon SQS queue to persist session data
D.Store session state in an Amazon S3 bucket
AnswerA

ElastiCache provides a managed in-memory cache that is shared across instances. It is ideal for session state because it is fast and can replicate data for high availability.

Why this answer

Amazon ElastiCache (e.g., using Redis or Memcached) provides a centralized, in-memory data store that is external to the EC2 instances. This allows all instances behind the ALB to read and write the same session state, ensuring consistency across the fleet. Because the data is stored in a managed cluster, it survives individual instance failures and is ideal for small, temporary session data that requires low-latency access.

Exam trap

The trap here is that candidates often confuse 'survive instance failures' with 'persistent storage' and choose S3 or SQS, overlooking that session state requires low-latency, in-memory access with automatic expiry, which only ElastiCache provides among the options.

How to eliminate wrong answers

Option B is wrong because storing session state in the /tmp directory of each EC2 instance is ephemeral—data is lost if the instance terminates or fails, and it is not shared across instances, breaking the requirement for cross-instance availability. Option C is wrong because Amazon SQS is a message queue service designed for decoupling and asynchronous communication, not for storing session state; it lacks the low-latency, key-value lookup capabilities needed for session management. Option D is wrong because Amazon S3 is an object storage service with higher latency and no built-in support for fast, atomic read/write operations on small session data, making it unsuitable for real-time session state storage.

357
MCQeasy

A developer needs to securely store database credentials for a Lambda function. The credentials should be automatically rotated every 30 days. Which AWS service should the developer use?

A.AWS Key Management Service (KMS) to encrypt the credentials.
B.Store the credentials in an IAM role's trust policy.
C.AWS Secrets Manager.
D.AWS Systems Manager Parameter Store with a SecureString parameter.
AnswerC

Supports automatic rotation.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, manage, and automatically rotate database credentials and other secrets. It supports native rotation of credentials for Amazon RDS, Redshift, and DocumentDB with built-in Lambda rotation functions, and can be configured to rotate on a schedule (e.g., every 30 days) without custom code. The service also integrates directly with Lambda via the AWS SDK to retrieve secrets at runtime, ensuring credentials are never hardcoded.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets with SecureString) with AWS Secrets Manager, but the key differentiator is that Secrets Manager provides built-in automatic rotation, which is explicitly required by the question.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encrypting data at rest, but it does not store credentials or provide automatic rotation; it only provides the encryption key, not the secret management lifecycle. Option B is wrong because IAM role trust policies define which principals can assume the role, not where to store credentials; storing credentials in a trust policy is not supported and would be a security risk. Option D is wrong because while Systems Manager Parameter Store with SecureString can store encrypted parameters, it does not natively support automatic rotation of credentials; you would need to build a custom rotation solution, whereas Secrets Manager provides built-in rotation capabilities.

358
Matchingmedium

Match each AWS security feature to its function.

Matches

Temporary permissions for services

Stateful firewall for EC2

Web application firewall

DDoS protection

SSL/TLS certificate management

Why these pairings

Security is a key domain in the DVA-C02 exam.

359
Multi-Selecthard

A company uses AWS CloudFormation to manage infrastructure. The development team wants to implement a CI/CD pipeline that automatically updates a CloudFormation stack when code is pushed to a CodeCommit repository. The pipeline should also run tests before deploying. Which THREE services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A.AWS CodeBuild
B.Amazon CloudWatch Events
C.AWS CodeDeploy
D.AWS CodePipeline
E.AWS CodeCommit
AnswersA, D, E

CodeBuild runs tests and builds the project.

Why this answer

AWS CodeBuild is correct because it can compile source code, run tests, and produce artifacts that are ready for deployment. In this CI/CD pipeline, CodeBuild executes the test suite after code is pushed to CodeCommit, ensuring that only validated code proceeds to update the CloudFormation stack.

Exam trap

The trap here is that candidates may confuse AWS CodeDeploy with CloudFormation stack updates, but CodeDeploy handles application-level deployments (e.g., code to instances) while CloudFormation manages infrastructure provisioning and updates, so CodeDeploy is not used for stack updates in this context.

360
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. The application experiences intermittent 503 errors. The health checks are configured correctly and the instances pass health checks consistently. What is the most likely cause?

A.The application response time exceeds the ALB idle timeout
B.The health check path is incorrect
C.The target group is deregistering instances prematurely
D.A security group is blocking traffic from the ALB to the instances
AnswerA

ALB idle timeout is 60 seconds by default; if the app takes longer, ALB returns 503.

Why this answer

Option A is correct because if the application takes longer than the idle timeout to respond, the ALB returns a 503. Option C is wrong because the target group might be deregistering instances that are terminating, but this would show as unhealthy. Option D is wrong because security groups denying traffic would cause connection timeouts, not 503.

Option B is wrong because an incorrect health check path would cause health check failures, not intermittent 503s.

361
MCQmedium

A company runs a production web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic across multiple EC2 instances in an Auto Scaling group. The application uses an Amazon Aurora MySQL database. The operations team reports that the application is experiencing intermittent latency spikes, especially during peak hours. Investigation reveals that the database CPU utilization is consistently above 80% and there are many slow queries. The developer is asked to improve database performance without changing the application code. Which solution should the developer implement?

A.Implement an Amazon RDS Proxy in front of the Aurora cluster to manage database connections efficiently.
B.Use Amazon ElastiCache to cache frequently accessed data.
C.Increase the desired capacity of the Auto Scaling group to add more EC2 instances.
D.Upgrade the Aurora instance to a larger instance type.
AnswerA

RDS Proxy reduces connection overhead and improves performance.

Why this answer

Option A is correct because adding an RDS Proxy reduces connection management overhead and can improve latency. Option C is wrong because scaling EC2 instances does not help database performance. Option B is wrong because ElastiCache requires application changes.

Option D is wrong because increasing the instance size helps but may be costly and does not address connection pooling.

362
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses a PostgreSQL database on RDS. The security team requires that database credentials never be stored in application code or configuration files. Which solution meets this requirement?

A.Store the credentials in a Systems Manager Parameter Store parameter and retrieve them at application startup.
B.Store the credentials in an encrypted S3 bucket and have the application read the config file at startup.
C.Hardcode the credentials in a Lambda function that is called to get the credentials.
D.Use AWS Secrets Manager to store the credentials and retrieve them at runtime with automatic rotation.
AnswerD

Secrets Manager provides secure storage and automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed specifically for securely storing and automatically rotating database credentials. It integrates natively with RDS for PostgreSQL, enabling automatic rotation without code changes. The application retrieves credentials at runtime via the AWS SDK, ensuring they are never stored in code or configuration files.

Exam trap

The trap here is that candidates confuse Systems Manager Parameter Store (which can store secrets but lacks automatic rotation) with Secrets Manager, leading them to choose Option A despite the rotation requirement.

How to eliminate wrong answers

Option A is wrong because Systems Manager Parameter Store does not natively support automatic rotation of RDS credentials; it is a parameter store, not a secrets manager with built-in rotation. Option B is wrong because storing credentials in an S3 bucket, even encrypted, still requires the application to read a configuration file at startup, which violates the requirement that credentials never be stored in configuration files. Option C is wrong because hardcoding credentials in a Lambda function still stores them in code, which is explicitly prohibited by the security requirement.

363
Multi-Selectmedium

Which TWO actions can improve the performance of an Amazon DynamoDB table that experiences frequent throttling due to hot partitions? (Choose TWO.)

Select 2 answers
A.Disable auto scaling to provision fixed capacity
B.Enable DynamoDB Accelerator (DAX) for caching
C.Increase the read capacity units (RCUs) of the table
D.Add a random suffix to the partition key values
E.Use a global secondary index (GSI) with a different partition key
AnswersB, D

Reduces read load on the table, mitigating throttling.

Why this answer

Options B and D are correct. Adding a random suffix to the partition key values distributes writes across partitions. Using DynamoDB Accelerator (DAX) reduces read load on the table.

Option C is wrong because increasing read capacity does not solve the hot partition issue. Option E is wrong because a global secondary index does not reduce throttling on the base table. Option A is wrong because disabling auto scaling may worsen throttling.

364
MCQhard

A developer is using IAM roles for Amazon EC2 to grant permissions to an application. The application makes API calls to DynamoDB and S3. After deploying, the application fails to access DynamoDB. The developer verifies the IAM role has the correct DynamoDB permissions. What is the most likely cause?

A.The IAM role does not have a trust policy for EC2.
B.The IAM role is not attached to the EC2 instance profile.
C.The DynamoDB table is in a different region than the EC2 instance.
D.The application is using the wrong AWS SDK.
AnswerB

The instance profile must be associated with the EC2 instance for the application to use the role.

Why this answer

For an EC2 instance to use an IAM role, the role must be attached to an EC2 instance profile, which is the container that passes the role's credentials to the instance via the instance metadata service. Even if the IAM role has the correct DynamoDB permissions, if it is not associated with the instance profile, the application will not receive temporary credentials and will fail to access DynamoDB.

Exam trap

The trap here is that candidates assume simply having the correct IAM role with proper permissions is sufficient, overlooking the mandatory step of attaching the role to an EC2 instance profile for credential delivery.

How to eliminate wrong answers

Option A is wrong because the IAM role does have a trust policy for EC2 (it must, otherwise the role could not be assumed by EC2 at all); the issue is the lack of attachment to the instance profile. Option C is wrong because DynamoDB is a global service that can be accessed across regions via its global endpoints, and region mismatch does not cause access failures when permissions are correct. Option D is wrong because the AWS SDK automatically handles credential retrieval from the instance metadata service; using a different SDK version or language does not prevent credential resolution if the role is properly attached.

365
Multi-Selecthard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an API Gateway REST API and a Lambda function. The developer wants to enable access logging for the API Gateway. Which THREE resources or configurations are required? (Choose THREE.)

Select 3 answers
A.A stage with access logging enabled in the API Gateway.
B.A Lambda function that processes the access logs.
C.An IAM role that grants API Gateway permission to write to CloudWatch Logs.
D.An Amazon CloudWatch Logs log group.
E.An IAM role for the Lambda function with logs:PutLogEvents permission.
AnswersA, C, D

Access logging is configured per stage.

Why this answer

Options A, C, and D are correct. Option D sets up the log group. Option C configures the IAM role that allows API Gateway to write to CloudWatch Logs.

Option A enables access logging on the stage. Option B is not required because API Gateway writes access logs itself; a Lambda function to process them is a separate concern. Option E is not required because the Lambda execution role is for the Lambda function, not for API Gateway logging.

366
MCQhard

A developer is configuring cross-account access for an S3 bucket. The source account (111111111111) wants to allow the target account (222222222222) to write objects to the bucket. The developer attaches the following bucket policy. However, the write operation fails with AccessDenied. What is the most likely cause?

A.The target account has not attached an IAM policy granting the user or role s3:PutObject
B.The bucket has an S3 ACL that denies the target account
C.The bucket policy does not allow s3:PutObject for the target account
D.The bucket is encrypted with SSE-KMS and the target account lacks KMS permissions
AnswerA

Cross-account access requires both the resource-based policy (bucket policy) and an IAM policy in the target account.

Why this answer

Option A is correct because cross-account S3 access requires both a bucket policy that grants the target account principal (or a resource-based policy) AND an IAM policy in the target account that explicitly allows the user or role to perform the s3:PutObject action. Without the target account's IAM policy, the request is denied even if the bucket policy permits it, as the target account's principal lacks the necessary permissions to make the call.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, overlooking the requirement for an IAM policy in the target account to authorize the principal making the request.

How to eliminate wrong answers

Option B is wrong because S3 ACLs are legacy and, while they can grant cross-account permissions, the bucket policy is the primary mechanism here; an ACL denying the target account would cause a different error (e.g., AccessDenied with a different message) but is not the most likely cause given the bucket policy is already in place. Option C is wrong because the question states the developer attaches the bucket policy to allow the target account to write objects, so the bucket policy presumably includes s3:PutObject; if it didn't, the error would be expected, but the most likely cause is the missing IAM policy in the target account. Option D is wrong because SSE-KMS requires additional KMS key permissions (kms:GenerateDataKey, kms:Decrypt) for the target account, but the error would be a KMS-related AccessDenied, not a generic s3:PutObject failure; the question does not mention KMS, so this is less likely than the missing IAM policy.

367
MCQmedium

A developer is writing a Lambda function that processes events from an Amazon S3 bucket. The function needs to access a DynamoDB table to store metadata about the S3 objects. Which of the following is the MOST efficient way to initialize the DynamoDB client in the Lambda function?

A.Store the DynamoDB table name as a global variable and create the client inside the handler.
B.Use a static variable inside the handler to cache the DynamoDB client.
C.Create the DynamoDB client inside the Lambda handler function every invocation.
D.Create the DynamoDB client outside the Lambda handler function, in the global scope.
AnswerD

This allows the client to be reused across invocations, reducing cold start latency.

Why this answer

Option D is correct because initializing the DynamoDB client outside the handler allows it to be reused across invocations, improving performance. Option C is incorrect because creating a new client for each invocation adds overhead. Option A is incorrect because using a global variable for the table name is fine, but the client itself should also be initialized outside the handler.

Option B is incorrect because, although a static variable in Java achieves the same effect as initializing outside the handler, it is a language-specific variant of Option D rather than the general answer.

368
MCQmedium

A developer monitors an AWS Lambda function that processes messages from an Amazon SQS queue. CloudWatch logs show that the function's execution time has increased significantly over the past week, and it now frequently times out at the 5-minute timeout. The function's code has not been changed recently. The function makes calls to an Amazon DynamoDB table. What is the most likely cause of the increased execution time?

A.The DynamoDB table's read capacity units are underprovisioned, causing throttling.
B.The SQS queue's visibility timeout is too short, causing duplicate processing.
C.The Lambda function's memory is too low, causing CPU throttling.
D.The DynamoDB table's indexes are missing, causing full table scans.
AnswerA

Underprovisioned capacity throttles read/write requests, causing Lambda to retry, increasing execution time and potentially causing timeouts.

Why this answer

The most likely cause is that the DynamoDB table's read capacity units are underprovisioned, leading to throttling (ProvisionedThroughputExceededException). When DynamoDB throttles requests, the Lambda function must retry them, which adds latency and can cause the function to exceed its 5-minute timeout. Since the code hasn't changed, this points to a scaling or capacity issue on the DynamoDB side.

Exam trap

The trap here is that candidates may confuse DynamoDB throttling with Lambda timeout configuration, overlooking that gradual performance degradation often points to downstream resource contention rather than function configuration.

How to eliminate wrong answers

Option B is wrong because a short SQS visibility timeout would cause duplicate processing, not increased execution time; duplicates would result in more invocations, not slower individual runs. Option C is wrong because low memory in Lambda causes CPU throttling only if the function is CPU-bound; memory allocation affects CPU proportionally, but the described symptom (increased execution time without code changes) is not typically caused by memory alone. Option D is wrong because missing indexes would cause full table scans, which would increase execution time from the start, not gradually over a week; this would be a code or schema issue, not a gradual degradation.

369
MCQmedium

A company is using AWS CloudFormation to manage infrastructure. The developer wants to update a stack that includes an RDS database. The update requires replacing the database with a new one. Which stack update policy should the developer use to minimize downtime?

A.Use a 'Rolling update' update policy.
B.Use a 'Replacement with snapshot' update policy.
C.Use a 'Delete and recreate' update policy.
D.Use an 'Update with snapshot' update policy.
AnswerB

This creates a snapshot before replacing, allowing data preservation.

Why this answer

Option B is correct because 'Replacement with snapshot' creates a new DB instance from a snapshot of the old one, minimizing data loss and downtime. Option D is wrong because 'Update with snapshot' does not exist. Option C is wrong because 'Delete and recreate' would cause data loss.

Option A is wrong because 'Rolling update' is not applicable to RDS.

370
MCQhard

A developer deployed a new version of an AWS Lambda function that is part of a serverless application. The function uses an Amazon DynamoDB table as a data store. After deployment, the developer notices that the function's latency has increased significantly for some requests. CloudWatch traces show that the increase is due to DynamoDB throttle events. The function is configured with a reserved concurrency of 100 and the DynamoDB table has 5 read capacity units (RCUs) and 5 write capacity units (WCUs). What is the most effective way to reduce the throttling while maintaining application performance?

A.Decrease the reserved concurrency of the Lambda function to 10
B.Increase the read and write capacity units on the DynamoDB table
C.Enable DynamoDB Accelerator (DAX) for caching reads
D.Enable auto scaling on the DynamoDB table
AnswerB

Increasing RCU and WCU directly increases the number of operations the table can handle, reducing throttling.

Why this answer

The primary cause of the throttling is insufficient DynamoDB capacity to handle the request volume from the Lambda function. Increasing the read and write capacity units (RCUs/WCUs) directly addresses the throttle events by providing more throughput to match the function's concurrency of 100. This is the most effective solution because it resolves the bottleneck at the data store level without reducing the application's ability to process requests concurrently.

Exam trap

The trap here is that candidates may choose auto scaling (Option D) thinking it dynamically handles spikes, but they overlook that auto scaling has a significant lag and cannot prevent immediate throttling, whereas increasing the base capacity is the immediate and effective solution.

How to eliminate wrong answers

Option A is wrong because decreasing reserved concurrency to 10 would reduce the number of concurrent Lambda invocations, which would lower the request rate to DynamoDB and potentially reduce throttling, but it would also severely degrade application performance by limiting throughput and increasing latency for legitimate traffic. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that only accelerates read operations (GetItem, Query, Scan) and does not help with write throttling or reduce write capacity consumption; the question does not specify that the throttling is read-only, and DAX cannot mitigate write capacity throttling. Option D is wrong because enabling auto scaling on the DynamoDB table would adjust capacity over time based on traffic patterns, but it cannot react instantly to sudden spikes in demand; auto scaling has a lag of several minutes, so it would not prevent the immediate throttle events that are already occurring, and it does not address the need for a higher baseline capacity to match the Lambda's concurrency.

371
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent 503 errors. The ALB health checks are failing for a few instances, but the instances themselves are running and have healthy application processes. What is the MOST likely cause?

A.The ALB is not scaled to handle the traffic.
B.The security group for the EC2 instances is not allowing traffic from the ALB.
C.The DNS resolution via Route53 is misconfigured.
D.Sticky sessions are not enabled on the ALB.
AnswerB

Health checks fail if the security group blocks ALB traffic.

Why this answer

The ALB health checks are failing despite the instances and application processes being healthy, which indicates a network-level issue. The most likely cause is that the EC2 instances' security group is not allowing inbound traffic from the ALB's security group on the health check port (e.g., HTTP/HTTPS). Without this rule, the ALB cannot reach the health check endpoint, marking the instances as unhealthy and causing intermittent 503 errors when traffic is routed to those instances.

Exam trap

The trap here is that candidates often assume health check failures are always due to application issues (e.g., process crashes) rather than network-layer misconfigurations like security group rules, especially when the instance appears healthy from within the OS.

How to eliminate wrong answers

Option A is wrong because the ALB scales automatically based on traffic patterns and does not require manual scaling; 503 errors from insufficient capacity would be persistent, not intermittent, and would affect all instances. Option C is wrong because DNS misconfiguration via Route53 would cause resolution failures (e.g., NXDOMAIN) or routing to the wrong endpoint, not intermittent 503 errors from healthy instances behind an ALB. Option D is wrong because sticky sessions (session affinity) do not affect health checks or 503 errors; they only control how requests are distributed to the same target, and their absence would not cause health check failures.

372
MCQmedium

A company uses AWS KMS to encrypt data at rest in S3. The security team requires that all encryption keys be rotated every 90 days. Which key type should the company use to meet this requirement with minimal operational overhead?

A.Customer managed KMS key with manual rotation
B.Customer managed KMS key with automatic rotation enabled
C.AWS managed KMS key
D.AWS owned KMS key
AnswerB

Customer managed keys allow you to set a custom rotation period (e.g., 90 days) and enable automatic rotation.

Why this answer

Customer managed KMS keys support automatic rotation, which can be enabled to rotate the key material every 365 days (or every 90 days if using a custom key store with imported key material). However, the requirement is for 90-day rotation with minimal operational overhead. Automatic rotation for customer managed KMS keys meets this by handling rotation without manual intervention, though note that the default automatic rotation period is 365 days; to achieve exactly 90 days, you would need to use a custom key store and import key material with a 90-day rotation schedule, or manually rotate more frequently.

Given the options, B is the best choice because it provides automatic rotation with less overhead than manual rotation.

Exam trap

The trap here is that candidates assume automatic rotation can be configured to any custom period (like 90 days) for standard customer managed keys, but KMS automatic rotation is fixed at 365 days for AWS KMS keys, and only imported key material in a custom key store allows custom rotation intervals.

How to eliminate wrong answers

Option A is wrong because manual rotation requires the company to create new keys, update applications, and delete old keys every 90 days, which introduces significant operational overhead and risk of errors. Option C is wrong because AWS managed KMS keys cannot be rotated by the customer; AWS rotates them automatically on a schedule that is not configurable (typically every 3 years for AWS managed keys), and the rotation policy is not under customer control. Option D is wrong because AWS owned KMS keys are used by AWS services on behalf of the customer, are not visible or manageable by the customer, and cannot be rotated on a custom schedule.

373
MCQeasy

A developer needs to store application logs in a highly available and durable storage service. The logs must be retained for 7 years for compliance purposes. The logs are accessed infrequently after the first 30 days. Which storage solution is MOST cost-effective?

A.Amazon S3 Intelligent-Tiering
B.Amazon S3 Glacier Deep Archive
C.Amazon S3 One Zone-Infrequent Access
D.Amazon S3 Standard
AnswerB

Lowest cost for archival storage with infrequent access.

Why this answer

S3 Glacier Deep Archive is the lowest cost for long-term archival with retrieval times of 12 hours. S3 Standard is expensive for long retention. S3 Intelligent-Tiering automatically moves to lower cost tiers, but still incurs monitoring fees.

S3 One Zone-Infrequent Access is not highly available across AZs.

374
MCQhard

A developer receives an Access Denied error when trying to download an object from an S3 bucket. The developer's IAM policy is shown in the exhibit. The bucket policy also grants access. What is the MOST likely cause?

A.The S3 bucket has block public access enabled.
B.The S3 bucket uses SSE-KMS and the user lacks kms:Decrypt permission.
C.The IAM policy does not allow s3:GetObject.
D.The bucket policy denies access to the user.
AnswerB

KMS permissions are required to decrypt objects.

Why this answer

Option B is correct because if the object is encrypted with a KMS key, the user must also have kms:Decrypt permission on that key. Option C is wrong because the policy explicitly allows s3:GetObject. Option D is wrong because the bucket policy also grants access, so it is not a bucket policy issue.

Option A is wrong because public access is not required if IAM policies allow access; block public access does not affect authenticated, policy-permitted requests.

375
Multi-Selecteasy

A developer is designing a serverless application using AWS Lambda. The function needs to process messages from an Amazon SQS queue. The developer wants to configure the Lambda function to be triggered by the SQS queue. Which TWO actions are required? (Choose TWO.)

Select 2 answers
A.Attach an IAM execution role to Lambda with permission to receive messages from SQS.
B.Configure a resource-based policy on the SQS queue to allow Lambda invocation.
C.Create an event source mapping in Lambda to poll the SQS queue.
D.Set up a dead-letter queue for failed messages.
E.Place the Lambda function in a VPC to access the SQS queue.
AnswersA, C

Correct: Lambda needs permission to poll the queue.

Why this answer

A and C are correct. The Lambda function needs an event source mapping (C), and the execution role needs permission to poll the queue (A). Option B is wrong because SQS does not need a resource-based policy when the queue and the function are in the same account.

Option D is wrong because a DLQ is optional. Option E is wrong because a VPC is not required.
