AWS Certified Developer Associate DVA-C02 (DVA-C02) - Questions 376-450

1616 questions total · 22 pages · All types, answers revealed

Page 6 of 22
376. Multi-Select (hard)

A developer is using AWS Secrets Manager to rotate database credentials. The rotation Lambda function fails with an error. Which THREE steps should the developer take to troubleshoot? (Choose THREE.)

Select 3 answers
A. Check VPC Flow Logs for the Lambda function's ENI.
B. Verify that the Lambda function has network access to the database.
C. Ensure the KMS key used to encrypt the secret is rotated.
D. Verify that the Lambda function's IAM role has permission to update the secret.
E. Check the CloudWatch Logs for the Lambda function.
Answers: B, D, E

If the database is in a VPC, Lambda needs VPC access.

Why this answer

Options B, D, and E are correct. CloudWatch Logs shows the error details; missing IAM permissions are a frequent cause; and network connectivity is required for Lambda to reach the database. Option C is wrong because KMS key rotation is unrelated to a rotation function failing.

Option A is wrong because VPC Flow Logs show network traffic but not Lambda errors.

377. MCQ (hard)

A developer is designing a serverless application that processes images uploaded to an S3 bucket. Each image must be resized and then stored in a different S3 bucket. The process must be asynchronous and fault-tolerant. Which AWS service should trigger the Lambda function?

A. Amazon S3 Event Notifications
B. Amazon SQS
C. Amazon API Gateway
D. AWS Step Functions
Answer: A

S3 can directly invoke Lambda asynchronously on object creation.

Why this answer

Option A is correct because S3 Event Notifications can invoke Lambda asynchronously and support retries. Option C is wrong because API Gateway is for synchronous requests. Option D is wrong because Step Functions is an orchestrator, not a trigger.

Option B is wrong because SQS requires a Lambda function to poll the queue, and S3 does not send directly to SQS.

378. MCQ (hard)

A developer is troubleshooting an AWS Lambda function that experiences high latency for the first few invocations after being idle. The function is written in Python and uses a large library (e.g., Pandas). The function connects to an RDS database in a VPC. What is the most effective way to reduce the latency for the first invocation after idle?

A. Increase the function's memory allocation to 3008 MB.
B. Enable provisioned concurrency on the function.
C. Move the large library to a Lambda layer.
D. Replace the RDS database with Amazon DynamoDB.
Answer: B

Provisioned concurrency keeps the function initialized and ready, eliminating cold starts.

Why this answer

Provisioned concurrency keeps a specified number of execution environments initialized and ready to respond immediately, eliminating the cold start latency that occurs after a period of idle time. This is the most direct solution for reducing latency on the first invocation after idle, especially for functions with large libraries like Pandas that take significant time to load.

Exam trap

The trap here is that candidates often confuse cold start mitigation strategies like increasing memory or using layers with the only AWS feature that truly eliminates cold starts for idle functions: provisioned concurrency.

How to eliminate wrong answers

Option A is wrong because increasing memory allocation can improve CPU performance and reduce cold start time slightly, but it does not eliminate the cold start itself; the function still needs to load the large library and establish the VPC connection from scratch after idle. Option C is wrong because moving the library to a Lambda layer does not reduce cold start latency; layers are simply a packaging mechanism and the library still must be loaded into memory during initialization. Option D is wrong because replacing RDS with DynamoDB addresses database connection latency, not the cold start latency caused by loading the large Python library and initializing the function runtime.

379. Multi-Select (medium)

A company is using AWS KMS to encrypt data in S3. Which TWO actions are required to allow an IAM user to decrypt objects in a specific S3 bucket?

Select 2 answers
A. Attach a policy to the user allowing s3:GetObject on the bucket.
B. Attach a policy to the user allowing kms:Encrypt.
C. Attach a policy to the user allowing s3:PutObject.
D. Attach a policy to the user allowing kms:GenerateDataKey.
E. Attach a policy to the user allowing kms:Decrypt on the KMS key.
Answers: A, E

Required to retrieve the object.

Why this answer

Option A is correct because to decrypt an object stored in S3 using server-side encryption with AWS KMS (SSE-KMS), the IAM user must have the s3:GetObject permission to retrieve the encrypted object from the bucket. Without this permission, the user cannot even initiate the GetObject request, regardless of KMS permissions. Option E is correct because S3 calls KMS on the user's behalf to decrypt the object's data key, so the user also needs kms:Decrypt on that key.

Exam trap

The trap here is that candidates often forget that decrypting an SSE-KMS encrypted object requires both S3 read permissions and KMS decrypt permissions, leading them to select only one of the two required actions.

380. MCQ (easy)

A developer is using AWS CloudFormation to create a stack. They want to update the stack but need to ensure that if the update fails, the stack is automatically rolled back to the previous state. Which stack option should they configure?

A. Configure SNS notification topics for the stack.
B. Set the 'Rollback on failure' option to 'Yes'.
C. Set the 'Disable rollback' option to 'No'.
D. Define a stack policy that protects critical resources.
Answer: B

This is the default behavior but can be explicitly set.

Why this answer

Option B is correct because the 'Rollback on failure' option, when set to 'Yes', instructs AWS CloudFormation to automatically revert the stack to its previous working state if the stack update fails. This ensures that any changes that cause errors are undone, maintaining stack stability without manual intervention.

Exam trap

The trap here is that candidates confuse 'Disable rollback' with 'Rollback on failure' or think that SNS notifications or stack policies can control rollback behavior, but only the 'Rollback on failure' option directly enables automatic rollback on update failures.

How to eliminate wrong answers

Option A is wrong because configuring SNS notification topics only sends alerts about stack events (e.g., update success or failure); it does not trigger or control automatic rollback behavior. Option C is wrong because setting 'Disable rollback' to 'No' is not a valid configuration; the actual parameter is 'Disable rollback', which prevents rollback when set to 'True', while 'False' (the default) allows rollback. The question asks for explicitly configuring rollback, which is done via 'Rollback on failure'. Option D is wrong because a stack policy defines which stack resources can be updated or replaced during an update, but it does not control rollback behavior on failure.

381. MCQ (medium)

A developer notices that an AWS Lambda function processing S3 events is being retried frequently due to throttling errors from Amazon DynamoDB. The function writes records to a DynamoDB table and has reserved concurrency set to 100. The DynamoDB table uses on-demand capacity mode. What should the developer do to reduce retries and improve overall throughput?

A. Increase the Lambda function's reserved concurrency to 500.
B. Implement exponential backoff and retry in the Lambda function code for DynamoDB API calls.
C. Disable the Lambda function's S3 event source mapping and use Amazon SQS to buffer events.
D. Switch the DynamoDB table to provisioned capacity with a high write capacity unit setting.
Answer: B

Exponential backoff and retry automatically handle throttling errors by retrying with increasing delays, reducing the chance of repeated failures.

Why this answer

Option B is correct because implementing exponential backoff and retry in the Lambda function code for DynamoDB API calls directly addresses the throttling errors. Even with on-demand capacity, DynamoDB can throttle requests if they exceed the table's burst capacity or if there are hot partitions. Exponential backoff reduces the retry rate, allowing DynamoDB to recover and improving overall throughput without changing the Lambda concurrency or capacity mode.

Exam trap

The trap here is that candidates assume increasing Lambda concurrency or switching to provisioned capacity will solve throttling, but the real issue is the retry strategy at the application layer, not the infrastructure scaling.

How to eliminate wrong answers

Option A is wrong because increasing reserved concurrency to 500 would only increase the number of concurrent Lambda invocations, which would exacerbate DynamoDB throttling by sending more requests simultaneously. Option C is wrong because disabling the S3 event source mapping and using SQS to buffer events would add latency and complexity but does not address the root cause of DynamoDB throttling; it only decouples the invocation, not the write errors. Option D is wrong because switching to provisioned capacity with a high write capacity unit setting does not guarantee elimination of throttling; on-demand mode already scales automatically, and the issue is likely due to request patterns or hot partitions, not capacity mode.

382. MCQ (medium)

A developer is deploying a web application using AWS Elastic Beanstalk. The application needs to store session state. The developer wants to ensure that session data is not lost if an EC2 instance is terminated. Which solution should the developer implement?

A. Store session data in an Amazon EBS volume.
B. Store session data in an Amazon S3 bucket.
C. Store session data in the instance store.
D. Store session data in an Amazon ElastiCache cluster.
Answer: D

ElastiCache provides persistent, low-latency session storage.

Why this answer

Option D is correct because ElastiCache provides a managed, external cache for session state that persists independently of EC2 instances. Option C is wrong because the instance store is ephemeral. Option A is wrong because an EBS volume is tied to the instance and is lost on termination if not configured for persistence.

Option B is wrong because S3 is not optimized for low-latency session storage.

383. MCQ (hard)

A company runs a containerized application on Amazon ECS using Fargate. The application needs to access an S3 bucket to read configuration files and a DynamoDB table to store session state. The ECS task role is configured with the following IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "dynamodb:PutItem",
            "dynamodb:GetItem"
          ],
          "Resource": "*"
        }
      ]
    }

The application fails to read from the S3 bucket and write to DynamoDB. The error messages indicate AccessDenied. The S3 bucket has a bucket policy that denies all access unless the request includes a specific aws:SourceIp condition. The DynamoDB table has a resource-based policy that allows access only from the VPC endpoint. The ECS tasks are running in a private subnet with a VPC endpoint for DynamoDB but no VPC endpoint for S3. Which action should be taken to resolve the errors?

A. Add s3:ListBucket to the task role policy and ensure the S3 bucket policy allows the task role ARN
B. Attach a NAT gateway to the private subnet and update the S3 bucket policy to allow the NAT gateway's public IP
C. Modify the task role policy to restrict resource ARNs to the specific S3 bucket and DynamoDB table
D. Create a VPC endpoint for S3 and modify the S3 bucket policy to allow access from the VPC endpoint
Answer: D

A VPC endpoint for S3 removes the need for a public IP; the bucket policy can then use an aws:sourceVpce condition instead.

Why this answer

The application fails because the S3 bucket policy denies access unless the request includes a specific `aws:SourceIp` condition, but the ECS tasks in a private subnet have no public IP and no VPC endpoint for S3. Without a VPC endpoint, traffic to S3 traverses the internet via a NAT gateway, but the bucket policy explicitly requires a specific source IP, which the NAT gateway's public IP does not match (or is not allowed). Option D resolves this by creating a VPC endpoint for S3 and modifying the bucket policy to allow access from the VPC endpoint, bypassing the IP condition and enabling private connectivity.

Exam trap

The trap here is that candidates may focus on the task role policy (Option C) or NAT gateway (Option B) without recognizing that the S3 bucket policy's `aws:SourceIp` condition explicitly blocks traffic from private subnets without a VPC endpoint, and that the DynamoDB table policy already requires a VPC endpoint, which is present for DynamoDB but missing for S3.

How to eliminate wrong answers

Option A is wrong because adding `s3:ListBucket` to the task role policy does not address the S3 bucket policy's `aws:SourceIp` condition that denies access; the bucket policy overrides the task role's permissions. Option B is wrong because attaching a NAT gateway gives the tasks a public IP, but the bucket policy requires a specific source IP that the NAT gateway's IP may not match, and updating the bucket policy to allow the NAT gateway's IP is not a scalable or secure solution; also, the DynamoDB access issue remains unresolved as the DynamoDB table policy requires VPC endpoint access. Option C is wrong because restricting resource ARNs in the task role policy does not resolve the S3 bucket policy's IP condition or the DynamoDB table policy's VPC endpoint requirement; the task role already allows the necessary actions on all resources, so the issue is with the resource-based policies, not the task role's scope.

384. Multi-Select (medium)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets are encrypted with AES-256 (SSE-S3) and that no public access is allowed. Which TWO methods can be used to enforce these requirements across all accounts? (Choose TWO.)

Select 2 answers
A. Use AWS Config rules with automatic remediation to detect and fix non-compliant buckets.
B. Attach an IAM policy to all IAM users in each account that denies unencrypted operations.
C. Use an SCP in the root organizational unit to deny 's3:PutBucketPublicAccessBlock' and enforce encryption settings.
D. Enable AWS CloudTrail to log all S3 API calls and send alerts.
E. Use AWS Trusted Advisor to check for unencrypted buckets.
Answers: A, C

Config rules can evaluate and remediate.

Why this answer

Option A is correct because AWS Config rules can evaluate S3 bucket configurations against desired settings (e.g., encryption enabled, public access blocked) and trigger automatic remediation via AWS Systems Manager Automation documents to fix non-compliant buckets. This provides continuous enforcement across all accounts in the organization without manual intervention.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can grant permissions (they only deny), or they assume CloudTrail or Trusted Advisor can enforce security requirements when they are only detective or advisory tools.

385. Multi-Select (medium)

A company is implementing a CI/CD pipeline using AWS CodeCommit, CodeBuild, and CodeDeploy. The developer wants to ensure that the pipeline automatically deploys to production only after a manual approval step. Which TWO actions should the developer take?

Select 2 answers
A. Create a CloudWatch Events rule to trigger a Lambda function that waits for approval.
B. Add a manual approval action in the CodePipeline pipeline.
C. Configure the approval action to require a specified IAM user or group to approve.
D. Use a CodeDeploy lifecycle hook to pause the deployment.
E. Configure an SNS topic to send an email to the approver.
Answers: B, C

CodePipeline supports manual approval actions that pause the pipeline.

Why this answer

Options B and C are correct. Adding a manual approval action in CodePipeline pauses the pipeline until the approval is granted; CodePipeline natively supports manual approval actions, and the action can be restricted so that only a specified IAM user or group may approve it.

Option E is wrong because SNS is used for notifications, not approval. Option D is wrong because CodeDeploy does not have a built-in manual approval step; it offers lifecycle hooks but not manual approval. Option A is wrong because CloudWatch Events can trigger pipelines but cannot provide manual approval.

386. MCQ (hard)

A developer is using Amazon DynamoDB to store session data for a web application. The application reads and writes a single item per user session. The traffic pattern shows occasional spikes. The developer wants to minimize read and write costs. Which DynamoDB capacity mode should the developer choose?

A. Reserved capacity
B. On-demand capacity
C. Provisioned capacity with manual scaling
D. Provisioned capacity with auto scaling
Answer: B

Pay-per-request, handles spikes without throttling.

Why this answer

Option B is correct because on-demand capacity handles spikes automatically and is cost-effective for unpredictable traffic. Option C is wrong because provisioned capacity with manual scaling may throttle during spikes. Option A is wrong because reserved capacity is for predictable workloads.

Option D is wrong because auto scaling adds latency and cost while it scales.

387. Multi-Select (medium)

A developer is using AWS CodePipeline to deploy a web application. The pipeline has a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer notices that the deploy stage fails intermittently due to EC2 instances not being available. Which TWO actions should the developer take to improve the reliability of the deployment? (Choose two.)

Select 2 answers
A. Increase the number of EC2 instances in the Auto Scaling group to ensure availability.
B. Configure the CodeDeploy deployment group to have a minimum healthy hosts threshold.
C. Reduce the deployment timeout to fail faster.
D. Use a different deployment type, such as blue/green, instead of in-place.
E. Add a manual approval step in the pipeline before the deploy stage to verify instance health.
Answers: B, E

This ensures that deployments proceed only when enough healthy hosts are available.

Why this answer

Option B is correct because configuring a minimum healthy hosts threshold in the CodeDeploy deployment group ensures that a certain percentage or number of EC2 instances remain healthy during the deployment. This prevents the deployment from proceeding if too many instances are unavailable, reducing the risk of failure due to insufficient capacity. Option E is correct because adding a manual approval step before the deploy stage allows the developer to verify instance health (e.g., via AWS Systems Manager or custom scripts) before triggering the deployment, catching availability issues early.

Exam trap

The trap here is that candidates often confuse increasing instance count (Option A) with improving deployment reliability, but the question specifically targets intermittent unavailability during the deploy stage, which is better addressed by health checks and approval gates rather than raw capacity.

388. MCQ (easy)

A developer is troubleshooting an AWS Lambda function that is failing with an 'AccessDenied' error when trying to write to an S3 bucket. The function's execution role has the following policy. What is the most likely cause of the failure?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }

A. The resource ARN does not include the bucket itself; it only includes objects
B. The policy is missing a 'Principal' element
C. The action 's3:PutObject' is not allowed for Lambda execution roles
D. The action 's3:PutObject' is not sufficient; need 's3:*'
Answer: A

For s3:PutObject, the resource must be 'arn:aws:s3:::my-bucket/*'. The bucket policy may also need to grant access, but the error is more likely due to missing bucket-level permissions for other actions such as 's3:ListBucket', or to the function writing to the bucket root without the proper permissions.

Why this answer

Option A is correct because the resource ARN 'arn:aws:s3:::my-bucket/*' only covers objects inside the bucket, while the bucket itself is 'arn:aws:s3:::my-bucket'. The policy needs to include both the bucket and its contents for operations like 's3:PutObject'. Option D is wrong because the action 's3:PutObject' is the correct one.

Option B is wrong because the policy is in the correct format for an identity-based policy. Option C is wrong because the action is allowed for execution roles.

389. Multi-Select (hard)

A company is deploying a web application on EC2 instances behind an ALB. The application needs to authenticate users using a corporate identity provider that supports SAML 2.0. Which of the following are required to configure this? (Choose THREE.)

Select 3 answers
A. Obtain the IdP's metadata document to configure the trust.
B. Register the corporate IdP as a SAML identity provider in IAM.
C. Configure Amazon Cognito as an intermediary.
D. Register the corporate IdP in Amazon Route 53.
E. Create an ALB rule that uses the SAML provider for authentication.
Answers: A, B, E

Metadata contains endpoints and certificates.

Why this answer

Options A, B, and E are correct. The ALB can authenticate users via SAML by creating a rule that uses an IdP. The IdP must be registered in IAM as a SAML provider, which requires its metadata document.

The ALB must then be configured with a listener rule that uses that provider. Option C is incorrect because Cognito is not required. Option D is incorrect because the IdP is not registered in Route 53.

390. MCQ (hard)

The exhibit shows an IAM policy attached to a Lambda function's execution role. The function writes objects to an S3 bucket that is encrypted with a KMS key (the key specified in the policy). When the function tries to write an object, it receives an access denied error. What is the MOST likely missing permission?

A. kms:GenerateDataKey is missing.
B. The KMS key policy does not allow the Lambda function role.
C. s3:GetObject is missing for the bucket.
D. kms:ReEncrypt is missing.
Answer: A

S3 uses GenerateDataKey for server-side encryption with KMS.

Why this answer

Option A is correct because to write an encrypted object, the function needs kms:GenerateDataKey or kms:Encrypt permission. Option C is wrong because the function is writing, and s3:PutObject is already allowed. Option B is wrong because the KMS key policy might be restrictive, but the most direct missing permission is kms:GenerateDataKey.

Option D is wrong because kms:ReEncrypt is not needed.

391. MCQ (medium)

A developer is using Amazon DynamoDB as the data store for a web application. The application experiences frequent throttling errors. Which action can reduce throttling without changing the application code?

A. Add a secondary index
B. Decrease the provisioned write capacity
C. Enable DynamoDB Auto Scaling
D. Increase the provisioned read capacity only
Answer: C

Auto scaling adjusts capacity automatically based on traffic patterns.

Why this answer

Option C is correct because enabling auto scaling adjusts capacity based on traffic. Option A is wrong because indexes don't affect throttling. Option B is wrong because decreasing capacity would worsen throttling.

Option D is wrong because increasing read capacity only partially helps.

392. MCQ (medium)

A developer is running a Docker container on Amazon ECS with Fargate. The container logs are not appearing in CloudWatch Logs even though the task definition has a logConfiguration specifying the awslogs driver and a log group. What is the MOST likely missing configuration?

A. The container image does not have the awslogs log driver installed.
B. The task execution role lacks the necessary IAM permissions to write to CloudWatch Logs.
C. The CloudWatch Logs log group does not exist.
D. The EC2 instance profile does not have CloudWatch Logs permissions.
Answer: B

The execution role needs logs:CreateLogStream and logs:PutLogEvents.

Why this answer

Option B is correct because the task execution role must have permissions to write to CloudWatch Logs. Option D is wrong because the container is running on Fargate, so there is no EC2 instance profile. Option A is wrong because the log driver is specified in the task definition, not in the container image.

Option C is wrong because the log group already exists in the configuration.

393. Multi-Select (medium)

A developer is designing a system that must meet PCI DSS compliance. Which THREE AWS services can help with logging and monitoring security events?

Select 3 answers
A. Amazon CloudWatch Logs
B. Amazon VPC Flow Logs
C. AWS CloudTrail
D. AWS Key Management Service (KMS)
E. AWS Config
Answers: A, C, E

CloudWatch Logs collects and stores log files from various sources.

Why this answer

Amazon CloudWatch Logs is correct because it provides a centralized service for collecting, monitoring, and storing log data from various AWS resources and applications. For PCI DSS compliance, CloudWatch Logs can ingest security-related logs (e.g., from EC2, Lambda, or on-premises servers) and enable real-time monitoring, metric filters, and alarms to detect and respond to security events. It also supports log retention policies and encryption at rest using AWS KMS, which are required for audit trails under PCI DSS Requirement 10.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (network metadata) with security event logging, or mistakenly think KMS is a logging service because it is used for encryption, but neither generates or monitors security events as required by PCI DSS.

394. MCQ (hard)

A Step Functions workflow calls three independent Lambda functions and should continue only after all results are available. Which state pattern should be used?

A. Choice state
B. Wait state
C. Parallel state
D. Fail state
Answer: C

Correct for the stated requirement.

Why this answer

The Parallel state in AWS Step Functions is designed to execute multiple branches of work concurrently and then aggregate their outputs into a single array. This is exactly what is needed when three independent Lambda functions must all complete before the workflow continues, as the Parallel state waits for all branches to finish before proceeding to the next state.

Exam trap

The trap here is that candidates may confuse the Parallel state with the Map state, but the Map state is for processing items in an array with the same logic, not for running distinct independent tasks.

How to eliminate wrong answers

Option A is wrong because a Choice state is used for conditional branching based on input data, not for executing multiple tasks concurrently. Option B is wrong because a Wait state only introduces a delay in the workflow and does not execute or coordinate multiple Lambda functions. Option D is wrong because a Fail state is used to stop the execution and mark it as failed, not to run parallel tasks.

395. MCQ (hard)

A developer notices that an AWS Lambda function, which processes messages from an SQS queue, is taking longer than expected. The function has a reserved concurrency of 5 and a batch size of 10. The SQS queue has a large backlog. CloudWatch metrics show that the function's throttles are high. The function is idempotent and can process up to 100 messages per invocation. What is the most effective way to increase throughput without increasing reserved concurrency?

A. Increase the batch size to 100.
B. Increase reserved concurrency to 10.
C. Change the function timeout to 15 minutes.
D. Enable SQS short polling to reduce latency.
Answer: A

Since the function can handle more messages per invocation, increasing the batch size reduces the number of invocations, which reduces throttling and increases throughput without changing reserved concurrency.

Why this answer

Increasing the batch size to 100 allows each invocation to process up to 100 messages instead of 10, directly increasing throughput per invocation without changing the reserved concurrency of 5. Since the function is idempotent and can handle up to 100 messages per invocation, this change maximizes the number of messages processed per Lambda execution, reducing the backlog more efficiently.

Exam trap

The trap here is that candidates may assume increasing batch size is always beneficial, but in reality, AWS Lambda's maximum batch size for SQS is 10, so the option to increase to 100 is unrealistic and tests whether you recognize the constraint or focus on the conceptual improvement.

How to eliminate wrong answers

Option B is wrong because increasing reserved concurrency would increase the number of concurrent executions, which directly contradicts the requirement to not increase reserved concurrency. Option C is wrong because increasing the function timeout does not increase throughput; it only allows longer processing time per invocation, but the bottleneck is throttling due to concurrency limits, not execution duration. Option D is wrong because enabling SQS short polling reduces latency for message retrieval but does not increase the number of messages processed per invocation or reduce throttling; it may even increase the number of empty responses.

396. MCQ (hard)

An application running on Amazon ECS Fargate is experiencing intermittent high latency and timeout errors. The application makes API calls to an external third-party service. The ECS service is configured with a target group using HTTP health checks. The ALB health check logs show occasional 503 responses. What is the MOST likely cause?

A. The security group for the ECS tasks is blocking inbound traffic from the ALB.
B. The ECS tasks are running out of CPU credits, causing slow response times.
C. The ECS service is configured with a task placement strategy that is causing tasks to be stopped and restarted frequently.
D. The application is not properly handling timeouts to the third-party service, causing the health check endpoint to hang.
Answer: D

If the health check endpoint is blocked by a long-running call to the external service, the ALB health check may time out and return 503, leaving the tasks marked unhealthy.

Why this answer

Option D is correct because if the application is waiting for a response from the third-party service, it may not respond to health checks in time, causing the ALB to mark it unhealthy and stop routing traffic, which exacerbates the issue. Option B (insufficient CPU) could cause latency but not specifically 503s. Option A (security group) would cause consistent failures, not intermittent ones.

Option C (task placement) would cause new tasks to be created, but not 503s.

397. MCQ (medium)

A company wants to encrypt data in transit between an on-premises application and an Amazon RDS instance. Which of the following should be implemented?

A. Use an AWS Site-to-Site VPN connection
B. Use SSL/TLS for the database connection
C. Place the RDS instance in a private subnet and use a bastion host
D. Enable encryption at rest on the RDS instance
Answer: B

SSL/TLS encrypts data in transit between client and RDS.

Why this answer

Encryption in transit is achieved by using SSL/TLS for the connection. RDS supports SSL/TLS connections to encrypt data moving between the client and the database.

398. MCQ (medium)

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API must support request validation, request throttling, and API keys. Which API Gateway feature should the developer use to enforce a daily request limit for each API key?

A. Usage plans
B. API keys
C. Throttling settings at the method level
D. AWS WAF
Answer: A

Correct. Usage plans let you define quotas and throttling limits for each API key.

Why this answer

Usage plans in API Gateway allow you to set throttling and quota limits per API key, enabling daily request limits for each key. This feature is specifically designed to control usage by associating API keys with a plan that defines rate limits and quotas, such as a daily request cap. Option A is correct because it directly addresses the requirement to enforce a daily request limit per API key.

Exam trap

The trap here is that candidates often confuse API keys with usage plans, thinking that simply enabling API keys automatically enforces throttling or quotas, but API keys alone provide no rate limiting without a usage plan.

How to eliminate wrong answers

Option B is wrong because API keys alone are just identifiers used to authenticate requests; they do not enforce any throttling or quota limits. Option C is wrong because throttling settings at the method level apply globally to all requests for that method, not per API key, and cannot enforce a daily limit per key. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a feature for managing API usage quotas or throttling per API key.

399
Multi-Selecteasy

A developer is storing secrets such as database passwords. Which TWO AWS services can be used to securely store and retrieve secrets?

Select 2 answers
A.AWS CloudHSM
B.AWS Systems Manager Parameter Store
C.AWS Identity and Access Management (IAM)
D.AWS Secrets Manager
E.Amazon S3
AnswersB, D

Parameter Store can store encrypted parameters.

Why this answer

Options B and D are correct. AWS Secrets Manager is designed for secrets with automatic rotation. AWS Systems Manager Parameter Store can store secrets in the Advanced tier with encryption.

IAM is for identities. S3 is object storage. CloudHSM is a hardware security module.

400
MCQmedium

A developer is managing an application that uses Amazon S3 to store user-uploaded images. The application generates thumbnails using AWS Lambda and stores them in a separate S3 bucket. The security team requires that all objects in both buckets be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). The developer has configured the Lambda function to use an IAM role with permissions to call KMS Encrypt and Decrypt. However, when a user uploads an image, the Lambda function fails to write the thumbnail with an 'Access Denied' error. The upload bucket has default encryption set to SSE-KMS. What is the MOST likely cause of the failure?

A.The Lambda function is not in a VPC that has access to the KMS key.
B.The output bucket does not have a bucket policy allowing the Lambda function to write.
C.The upload bucket's default encryption is not applied to objects uploaded by Lambda.
D.The Lambda execution role lacks kms:GenerateDataKey permission for the KMS key.
AnswerD

SSE-KMS requires GenerateDataKey to encrypt objects.

Why this answer

Option D is correct because the Lambda function's IAM role needs kms:GenerateDataKey permission to encrypt the thumbnail. Option B is wrong because the error is Access Denied, not a missing bucket policy. Option C is wrong because the upload bucket's default encryption does not affect the output bucket.

Option A is wrong because VPC endpoints are not required for S3 access.

401
MCQmedium

A developer needs to encrypt secrets (database passwords) that are used by an application running on EC2. The application retrieves the secrets at startup. Which combination of services provides the MOST secure and manageable solution?

A.Store the secrets in AWS Secrets Manager and use an IAM role to access them.
B.Encrypt the secrets with AWS KMS and store them in an S3 bucket with a bucket policy.
C.Store the secrets in AWS Systems Manager Parameter Store with a SecureString parameter.
D.Hardcode the secrets in the application code and encrypt the code.
AnswerA

Secrets Manager provides automatic rotation and fine-grained access control.

Why this answer

Option A is correct because AWS Secrets Manager is designed for rotating secrets and integrates with IAM. Option C is wrong because SSM Parameter Store does not have native rotation. Option B is wrong because S3 with KMS lacks automatic rotation.

Option D is wrong because hardcoding secrets in the application code is not secure.

402
MCQmedium

A developer is troubleshooting an AWS Lambda function that processes records from an Amazon Kinesis Data Stream. The function is configured with a batch size of 100 and a parallelization factor of 1. The developer notices that the iterator age is increasing, indicating that the function is not keeping up with the stream. CloudWatch Logs show that the function is not experiencing errors or throttling, but the execution time per invocation is close to the 5-minute timeout. The stream has 10 shards. Which action will most likely increase processing throughput?

A.Increase the batch size to 500.
B.Increase the parallelization factor to 10.
C.Increase the Lambda function memory and CPU allocation.
D.Split the stream into more shards.
AnswerC

Increasing memory increases CPU allocation proportionally, which can make each invocation faster. This reduces the per-batch processing time, allowing the function to keep up with the stream and decrease the iterator age.

Why this answer

Option C is correct because the function's execution time is already near the 5-minute timeout, indicating a CPU-bound or memory-bound operation. Increasing memory proportionally increases CPU allocation in Lambda, which directly reduces execution time per invocation, allowing each batch to be processed faster and thus increasing overall throughput without changing the batch size or shard count.

Exam trap

The trap here is that candidates assume increasing parallelism (via shards or parallelization factor) always improves throughput, but when the bottleneck is per-invocation execution time (not concurrency), only reducing that time—by increasing memory/CPU—will help.

How to eliminate wrong answers

Option A is wrong because increasing the batch size to 500 would cause the function to process more records per invocation, but since the function is already near the timeout, it would likely exceed the 5-minute limit, leading to timeouts and failed processing. Option B is wrong because the parallelization factor controls the number of concurrent Lambda instances per shard; with 10 shards and a factor of 1, there are already 10 concurrent instances, and increasing the factor to 10 would create 100 concurrent instances, which could cause throttling or out-of-memory errors without addressing the per-invocation execution time bottleneck. Option D is wrong because splitting the stream into more shards increases the number of parallel Lambda invocations, but each invocation still suffers from the same high execution time, so the overall processing rate would not improve; additionally, the function is not throttled, so shard count is not the limiting factor.

403
Multi-Selectmedium

A company is using Amazon S3 to store sensitive documents. They must encrypt all objects at rest. Which TWO methods can be used to enforce server-side encryption? (Choose TWO.)

Select 2 answers
A.Set a bucket policy that denies PutObject if x-amz-server-side-encryption header is not present.
B.Enable default encryption on the S3 bucket.
C.Attach an IAM policy that denies all S3 actions unless encryption is specified.
D.Configure an SQS queue policy to require encryption.
E.Use client-side encryption before uploading objects.
AnswersA, B

Bucket policies can enforce encryption headers.

Why this answer

Option A is correct because S3 bucket policies can deny uploads that do not carry an encryption header. Option B is correct because S3 default encryption can be configured to automatically encrypt objects. Option E is wrong because client-side encryption is different from server-side encryption.

Option D is wrong because SQS queue policies have no bearing on S3 encryption. Option C is wrong because IAM policies can control permissions but cannot enforce encryption on uploads.
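The bucket-policy approach from Option A, worked through as an added example (not code from the question bank): the policy carries two Deny statements, and a small local evaluator shows which upload headers each one catches. The bucket name is a constructed placeholder, and the evaluator models only the two condition operators the policy uses.

```python
"""Generate an S3 bucket policy that denies PutObject unless SSE-KMS is
requested, and check it locally against sample upload headers. Added
illustration, not code from the question bank; the bucket name is a
constructed placeholder and the evaluator covers only the Null and
StringNotEquals operators that the policy uses."""
import json

BUCKET = "example-sensitive-docs"  # constructed placeholder bucket name
SSE_KEY = "s3:x-amz-server-side-encryption"  # condition key mirroring the header


def sse_kms_enforcing_policy(bucket):
    """Two explicit Deny statements (an explicit Deny beats any Allow):
    one for uploads with no x-amz-server-side-encryption header at all,
    one for uploads that request anything other than aws:kms."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}},
            },
        ],
    }


def _condition_matches(condition, ctx):
    """Evaluate the Null and StringNotEquals operators used above. A missing
    key is treated as not matching StringNotEquals; the Null statement is
    what catches the missing-header case."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" means: match when the key is absent from the request
                if present == (wanted == "true"):
                    return False
            elif operator == "StringNotEquals":
                if not present or ctx[key] == wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def put_object_denied(policy, headers):
    """True when a PutObject carrying these request headers hits a Deny
    statement. Only the SSE header feeds the condition context."""
    ctx = {}
    if "x-amz-server-side-encryption" in headers:
        ctx[SSE_KEY] = headers["x-amz-server-side-encryption"]
    return any(
        stmt["Effect"] == "Deny"
        and stmt["Action"] == "s3:PutObject"
        and _condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    policy = sse_kms_enforcing_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", "DENIED" if put_object_denied(policy, hdrs) else "allowed")
```

Because the policy is evaluated on the request as sent, clients must include the x-amz-server-side-encryption: aws:kms header themselves; bucket default encryption (Option B) does not fill it in before the Deny is evaluated, so the two methods are best combined rather than treated as interchangeable.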

404
Multi-Selecteasy

A developer wants to deploy a static website to AWS. The website content is stored in an S3 bucket. Which combination of actions is required to host the website? (Choose TWO.)

Select 2 answers
A.Enable server access logging.
B.Enable static website hosting on the S3 bucket.
C.Set a bucket policy that restricts access to a specific IP.
D.Configure Amazon CloudFront as a CDN.
E.Set the bucket objects to publicly readable.
AnswersB, E

Both are required for S3 website hosting.

Why this answer

Options B and E are correct because enabling static website hosting and making objects publicly readable are required. Option D is wrong because CloudFront is optional. Option C is wrong because a bucket policy is not required if ACLs are used.

Option A is wrong because logging is optional.

405
MCQeasy

A developer is creating a new IAM policy to allow users to list objects in a specific S3 bucket. The policy must follow the principle of least privilege. Which policy statement should the developer use?

A.{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"}
B.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}
C.{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::example-bucket/*"}
D.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}
AnswerB

Correctly grants list on the specific bucket.

Why this answer

Option B is correct because it grants s3:ListBucket on the specific bucket. Option A is wrong because it grants s3:ListAllMyBuckets, which lists all buckets, not just the specific one. Option D is wrong because s3:GetObject is for reading objects, not listing.

Option C is wrong because s3:PutObject is for writing.

406
MCQhard

A developer is using Amazon API Gateway with a Lambda authorizer to protect a REST API. The authorizer is configured with a TTL of 300 seconds. After updating the IAM policy attached to the authorizer's execution role, some users still receive 403 Forbidden errors for requests that should be allowed. What is the MOST likely cause?

A.The Lambda authorizer function has a timeout that prevents it from evaluating the new policy.
B.The authorizer's cached results are still valid, so the old policy is being applied.
C.The IAM policy update has not propagated to all regions.
D.The API Gateway endpoint was not redeployed after the policy change.
AnswerB

Caching causes the authorizer to return previous decisions until the TTL expires.

Why this answer

Option B is correct because the Lambda authorizer result is cached for 300 seconds, so old permissions are enforced until the cache expires. Option A is wrong because the authorizer function itself does not have an execution timeout issue. Option C is wrong because the IAM policy update is immediate for the role, but the authorizer result is cached.

Option D is wrong because redeploying the API does not affect authorizer caching.

407
Multi-Selectmedium

A developer is designing a CI/CD pipeline for a serverless application using AWS CodePipeline. The pipeline must automatically build and deploy the application when changes are pushed to a CodeCommit repository. The application uses AWS CloudFormation for infrastructure provisioning. Which TWO actions should the developer include in the pipeline?

Select 2 answers
A.Use AWS CodeDeploy to deploy the application to EC2 instances.
B.Use AWS CodeCommit as a deployment action.
C.Use AWS CodeBuild to run unit tests and package the application.
D.Use AWS Lambda to run integration tests.
E.Use AWS CloudFormation to create or update the stack.
AnswersC, E

CodeBuild is ideal for build and test.

Why this answer

Options C and E are correct because CodeBuild can run unit tests, and CloudFormation can deploy and update stacks. Option A is wrong because CodeDeploy is not used for CloudFormation deployments. Option D is wrong because Lambda can be invoked but is not the primary deployment mechanism.

Option B is wrong because CodeCommit is the source, not a deployment action in the pipeline.

408
MCQeasy

A developer is creating a CloudFormation template to deploy an Amazon S3 bucket. The developer wants the bucket to be deleted automatically when the CloudFormation stack is deleted. What should the developer specify in the template?

A.Set the DeletionPolicy attribute to Delete.
B.Specify a unique bucket name to avoid conflicts.
C.Use the DependsOn attribute to specify the bucket depends on the stack.
D.Set the DeletionPolicy attribute to Retain.
AnswerA

Delete causes the bucket to be deleted when the stack is deleted.

Why this answer

Option A is correct because setting the DeletionPolicy attribute to Delete ensures the bucket is deleted when the stack is deleted. Option D is wrong because Retain keeps the bucket when the stack is deleted. Option C is wrong because DependsOn does not affect deletion.

Option B is wrong because the bucket name is not related to deletion behavior.

409
MCQeasy

A developer notices that an S3 bucket used for static website hosting returns 403 Forbidden for anonymous requests. The bucket policy allows s3:GetObject for Principal "*". What is the most likely issue?

A.The bucket does not have server access logging enabled.
B.The bucket ACL does not allow public read.
C.The bucket policy is not attached to the correct bucket.
D.The S3 Block Public Access settings are enabled.
AnswerD

Block Public Access overrides bucket policies.

Why this answer

D is correct because S3 Block Public Access settings, when enabled at the account or bucket level, override any bucket policy or ACL that grants public access. Even though the bucket policy allows s3:GetObject for Principal "*", the Block Public Access settings explicitly deny all public requests, resulting in a 403 Forbidden error for anonymous users.

Exam trap

The trap here is that candidates often assume a bucket policy granting public access is sufficient, overlooking the S3 Block Public Access settings which silently override such policies and cause 403 errors.

How to eliminate wrong answers

Option A is wrong because server access logging is a feature for logging requests to the bucket, not a permission control; it does not affect whether requests are allowed or denied. Option B is wrong because the bucket policy already grants public read access via Principal "*", and while ACLs can also grant public read, the bucket policy takes precedence; the issue is not the ACL but an overriding deny. Option C is wrong because the question states the bucket policy is attached and allows s3:GetObject, so the policy is correctly associated; the problem lies with a separate security mechanism.

410
MCQhard

A company runs a monolithic application on EC2 behind an Application Load Balancer. They want to migrate to a microservices architecture using ECS Fargate. What is the most important optimization to ensure minimal downtime during the migration?

A.Use a blue/green deployment strategy with weighted target groups.
B.Increase the EC2 instance size to handle the microservices load.
C.Deploy all microservices in a single ECS service for simplicity.
D.Scale horizontally by adding more EC2 instances.
AnswerA

Blue/green allows controlled traffic shift.

Why this answer

Option A is correct because a blue/green deployment strategy with weighted target groups allows you to gradually shift traffic from the existing monolithic EC2 application (blue) to the new microservices on ECS Fargate (green) while monitoring for errors. This minimizes downtime by enabling instant rollback if issues arise, and it leverages Application Load Balancer (ALB) features like stickiness and health checks to ensure a seamless transition without disrupting active connections.

Exam trap

The trap here is that candidates confuse scaling strategies (horizontal/vertical) with deployment strategies, assuming that adding more capacity or consolidating services will inherently reduce downtime, when in fact only a controlled traffic-shifting method like blue/green with weighted routing ensures minimal disruption during a live migration.

How to eliminate wrong answers

Option B is wrong because increasing EC2 instance size does not address the migration to microservices or ECS Fargate; it only scales the monolithic application vertically, which contradicts the goal of moving to a serverless container architecture and does not reduce downtime during migration. Option C is wrong because deploying all microservices in a single ECS service defeats the purpose of microservices isolation, scaling, and independent deployment; it introduces tight coupling and increases the blast radius of failures, leading to higher downtime risk. Option D is wrong because scaling horizontally by adding more EC2 instances only scales the monolithic application, not the microservices on Fargate, and does not provide a controlled traffic-shifting mechanism to minimize downtime during migration.

411
MCQmedium

A developer configured an S3 bucket to trigger a Lambda function on object creation. The Lambda function processes the object and then deletes it. Some objects are not being processed. What should the developer do to ensure all objects are processed?

A.Assign a new IAM role to the Lambda function with S3 permissions.
B.Enable S3 versioning on the bucket.
C.Send S3 events to an SQS queue and configure the Lambda function to poll the queue.
D.Increase the Lambda function timeout.
AnswerC

SQS provides reliable message delivery with retries.

Why this answer

Option C is correct because sending S3 events to an SQS queue decouples event delivery from Lambda invocation. If the Lambda function fails or throttles, the event remains in the queue and can be retried, ensuring no objects are missed. Without a queue, S3 events that fail to invoke Lambda (e.g., due to concurrency limits) are lost, leading to unprocessed objects.

Exam trap

The trap here is that candidates assume the issue is a permission or timeout problem, when in fact the root cause is the loss of S3 event notifications due to Lambda throttling or transient failures, which a queue-based architecture resolves.

How to eliminate wrong answers

Option A is wrong because the Lambda function already processes and deletes objects, so it must already have S3 permissions; assigning a new IAM role would not fix lost events. Option B is wrong because enabling S3 versioning preserves object versions but does not affect event delivery reliability or retry behavior. Option D is wrong because increasing the Lambda function timeout addresses execution duration, not the loss of events due to throttling or invocation failures.

412
Multi-Selecteasy

A developer is setting up a CI/CD pipeline for a Python application using AWS CodeCommit, CodeBuild, and CodeDeploy. The developer wants to trigger the pipeline automatically when code is pushed to the master branch. Which TWO actions are required? (Choose two.)

Select 2 answers
A.Configure CodeDeploy to run after the build stage.
B.Set the source stage in the pipeline to use AWS CodeCommit as the source provider.
C.Create a CloudWatch Events rule to trigger the pipeline on a schedule.
D.Configure a webhook in CodeCommit to trigger the pipeline.
E.Enable AWS CloudTrail to log API calls.
AnswersB, D

The source stage must be configured to pull from CodeCommit.

Why this answer

Options B and D are correct because a webhook (or event) from CodeCommit triggers the pipeline, and the source stage must use CodeCommit as the provider. Option A is wrong because CodeDeploy does not trigger the pipeline. Option C is wrong because a schedule is not needed.

Option E is wrong because AWS CloudTrail is not required for pipeline triggers.

413
MCQhard

A company uses AWS CodePipeline to deploy a critical web application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CodeDeploy). During a recent deployment, the CodeDeploy stage failed because the target EC2 instances were not in a healthy state. The developer needs to ensure that the pipeline automatically rolls back the deployment to the last successful version if the deployment fails. What should the developer do?

A.In the CodeDeploy deployment group, enable automatic rollback when a deployment fails.
B.Use AWS CloudFormation to manage the deployment and enable rollback on failure.
C.Configure a CloudWatch alarm to trigger a rollback in CodePipeline.
D.Modify the CodePipeline stage to include a manual approval step that checks health before proceeding.
AnswerA

CodeDeploy supports automatic rollback on failure, which will revert to the last successful deployment.

Why this answer

Option A is correct because CodeDeploy deployment groups have a built-in automatic rollback configuration that can be enabled to revert to the last successful deployment revision when a deployment fails. This feature directly addresses the requirement without requiring additional services or manual steps, as it operates within the CodeDeploy service itself.

Exam trap

The trap here is that candidates may confuse CodePipeline's built-in rollback capabilities with CodeDeploy's automatic rollback, or incorrectly assume that CloudWatch alarms or manual approvals can directly perform rollbacks without custom logic.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation is an infrastructure-as-code service for managing resources, not a deployment service for CodePipeline; enabling rollback on failure in CloudFormation would roll back the stack, not the CodeDeploy deployment. Option C is wrong because CloudWatch alarms can trigger actions like SNS notifications or Auto Scaling, but they cannot directly trigger a rollback in CodePipeline or CodeDeploy without custom Lambda functions or additional configuration. Option D is wrong because a manual approval step only pauses the pipeline for human review before proceeding; it does not automatically roll back a failed deployment to the last successful version.

414
MCQeasy

A developer wants to grant a user in a different AWS account access to an S3 bucket. The developer has written a bucket policy that allows the user's IAM user ARN. However, the access is still denied. What is the most likely reason?

A.The user's IAM user policy does not explicitly allow the required S3 action
B.The bucket policy does not have a principal of '*' to allow external accounts
C.The bucket is in a different region than the user's account
D.The user is using the wrong S3 endpoint (e.g., path-style vs virtual-hosted)
AnswerA

In cross-account access, both the bucket policy and the user's IAM policy must grant permission. The user's policy must include an Allow for the action (e.g., s3:GetObject).

Why this answer

When granting cross-account access to an S3 bucket, both the bucket policy (resource-based policy) and the user's IAM policy (identity-based policy) must explicitly allow the action. The bucket policy alone is insufficient if the user's IAM policy does not include an explicit Allow for the S3 action, because IAM denies by default. Even though the bucket policy grants access, the user's own IAM policy must also permit the operation for the request to succeed.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, forgetting that the external user's IAM policy must also explicitly allow the action, as IAM denies all actions by default.

How to eliminate wrong answers

Option B is wrong because a bucket policy does not require a principal of '*' to allow external accounts; you can specify the exact IAM user ARN as the principal, which is more secure and correct. Option C is wrong because S3 is a global service and bucket policies work across regions; the region of the bucket and the user's account does not affect access control. Option D is wrong because the S3 endpoint type (path-style vs virtual-hosted) affects URL format but does not impact authorization; access is denied due to IAM permissions, not endpoint choice.

415
MCQhard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to update the stack to change the DB instance class. The update fails because CloudFormation cannot modify the DB instance class without replacement. The developer needs to complete the update with minimal downtime. What should the developer do?

A.Delete the stack and create a new stack with the new DB instance class.
B.Use a custom resource with an AWS Lambda function to perform the modification, ensuring data is backed up and downtime is minimized.
C.Update the stack and disable rollback on failure.
D.Update the stack using a change set, then execute it.
AnswerB

A custom resource can orchestrate the change with minimal downtime, e.g., by creating a read replica and promoting it.

Why this answer

Option B is correct because a custom resource backed by an AWS Lambda function allows you to perform the RDS DB instance class modification outside of CloudFormation's direct lifecycle, enabling you to use the 'ApplyImmediately' parameter to minimize downtime. CloudFormation's native update for RDS DB instance class requires replacement (i.e., a new physical resource), which causes downtime; a custom resource can orchestrate a 'modify-db-instance' API call with '--apply-immediately' to change the class in-place with only a brief reboot.

Exam trap

The trap here is that candidates assume a change set (Option D) can bypass CloudFormation's replacement requirement, but change sets only preview and execute the same update logic—they do not change the underlying resource behavior.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the stack would cause full downtime (the DB instance is destroyed and re-provisioned), which is not minimal. Option C is wrong because disabling rollback on failure does not resolve the underlying issue—CloudFormation still cannot modify the DB instance class without replacement, so the update will still fail and leave the stack in a failed state. Option D is wrong because a change set only previews changes and executes them; it does not alter CloudFormation's inability to perform an in-place modification of the DB instance class—the update would still fail with the same 'requires replacement' error.

416
MCQeasy

A developer is using AWS Lambda to process events from an Amazon Kinesis stream. The function has been failing with 'ProvisionedThroughputExceededException' errors when writing to a DynamoDB table. What should the developer do to resolve this issue?

A.Decrease the batch size of the Kinesis event source mapping.
B.Implement retry logic with exponential backoff in the Lambda function.
C.Increase the number of shards in the Kinesis stream.
D.Increase the memory allocated to the Lambda function.
AnswerB

Exponential backoff is the standard way to handle ProvisionedThroughputExceededException.

Why this answer

Option B is correct because implementing a retry mechanism with exponential backoff is the recommended approach to handle throttling errors from DynamoDB. Option D is wrong because increasing Lambda memory does not affect DynamoDB throughput. Option A is wrong because decreasing the batch size may reduce the number of writes per invocation but does not handle throttling directly; exponential backoff is more effective.

Option C is wrong because changing the Kinesis stream's shard count does not affect DynamoDB throughput.
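The retry logic from Option B, as an added example rather than code from the question bank: capped exponential backoff with full jitter that retries only DynamoDB throttling errors and re-raises everything else. The fake client and error class are constructed so it runs offline; they mirror the `.response["Error"]["Code"]` shape of botocore's ClientError.

```python
"""Retry DynamoDB writes on ProvisionedThroughputExceededException with
capped exponential backoff and full jitter. Added illustration, not code
from the question bank; the fake client and error below are constructed
stand-ins that copy the shape of botocore's ClientError."""
import random
import time

# DynamoDB error codes that mean "slow down and try again".
RETRYABLE_CODES = {"ProvisionedThroughputExceededException", "ThrottlingException"}


def is_throttling_error(exc):
    """botocore's ClientError exposes the service error code under
    exc.response['Error']['Code']; this reads that same shape."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return code in RETRYABLE_CODES


def backoff_delay(attempt, base=0.05, cap=2.0, rng=random):
    """Full-jitter backoff: uniform in [0, min(cap, base * 2**attempt)] so
    many throttled writers do not retry in lockstep."""
    return rng.uniform(0, min(cap, base * (2 ** attempt)))


def put_with_backoff(client, table, item, max_attempts=5, sleep=time.sleep, rng=random):
    """Call client.put_item, retrying only throttling errors. Returns the
    number of attempts used; re-raises on any non-throttling error or once
    max_attempts is exhausted (so the Lambda batch fails and is retried)."""
    for attempt in range(max_attempts):
        try:
            client.put_item(TableName=table, Item=item)
            return attempt + 1
        except Exception as exc:
            if not is_throttling_error(exc) or attempt == max_attempts - 1:
                raise
            sleep(backoff_delay(attempt, rng=rng))
    raise ValueError("max_attempts must be at least 1")


class FakeClientError(Exception):
    """Constructed stand-in with the same .response shape as botocore's ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code, "Message": code}}


class FakeDynamoDB:
    """Constructed client that throttles the first `fail_first` put_item calls."""

    def __init__(self, fail_first, code="ProvisionedThroughputExceededException"):
        self.fail_first = fail_first
        self.code = code
        self.calls = 0

    def put_item(self, TableName, Item):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise FakeClientError(self.code)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    client = FakeDynamoDB(fail_first=2)
    attempts = put_with_backoff(client, "orders", {"pk": {"S": "1"}}, sleep=lambda s: None)
    print(f"succeeded after {attempts} attempts")  # 3
```

Keep the total backoff budget well inside the function timeout: for a Kinesis event source, an exception that escapes after the last attempt fails the whole batch, which Lambda then retries from the same position.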

417
MCQhard

Refer to the exhibit. A developer deploys this CloudFormation stack. The Lambda function is triggered by SQS messages. However, the function fails to process messages. What is the MOST likely cause?

A.The SQS queue event source mapping is not configured correctly.
B.The batch size of 10 exceeds the maximum allowed batch size.
C.The Lambda function code has a syntax error.
D.The Lambda function's execution role does not have permissions to poll from SQS.
AnswerD

The role lacks SQS permissions like ReceiveMessage and DeleteMessage.

Why this answer

Option D is correct. The Lambda execution role only has the AWSLambdaBasicExecutionRole policy, which grants permissions to write logs to CloudWatch. However, the Lambda function needs permission to poll and delete messages from SQS.

The missing policy is AWSLambdaSQSQueueExecutionRole or a custom policy with sqs:ReceiveMessage, sqs:DeleteMessage, and sqs:GetQueueAttributes. Option A is wrong because the SQS event source mapping is correctly defined. Option C is wrong because the function code is valid.

Option B is wrong because a batch size of 10 is valid.
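A way to catch this role gap before deploying, as an added example (not the question's exhibit): a checker that reads an AWS::IAM::Role Properties block and reports which of the three poller actions no Allow covers. The role documents and queue ARN are constructed, and the managed-policy action lists are reduced to the actions relevant here.

```python
"""Check whether a Lambda execution role (CloudFormation AWS::IAM::Role
Properties shape) grants the SQS actions an SQS event source mapping needs.
Added illustration, not the question's exhibit; the role documents and the
queue ARN below are constructed, and the managed-policy action lists are
reduced to the actions relevant here."""
import fnmatch

# What the Lambda poller must be allowed to do on the queue.
SQS_POLLER_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")

# Allow actions granted by the two AWS managed policies named in the question.
MANAGED_POLICY_ACTIONS = {
    "AWSLambdaBasicExecutionRole": [
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    ],
    "AWSLambdaSQSQueueExecutionRole": [
        "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    ],
}


def allowed_actions(role_properties):
    """Union of Allow actions from ManagedPolicyArns and inline Policies."""
    actions = set()
    for arn in role_properties.get("ManagedPolicyArns", []):
        name = arn.rsplit("/", 1)[-1]  # .../service-role/<PolicyName>
        actions.update(MANAGED_POLICY_ACTIONS.get(name, []))
    for policy in role_properties.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def missing_sqs_permissions(role_properties):
    """Poller actions not covered by any Allow action; wildcards such as
    'sqs:*' or 'sqs:Receive*' count as coverage."""
    granted = allowed_actions(role_properties)
    return [
        action for action in SQS_POLLER_ACTIONS
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted)
    ]


SERVICE_ROLE = "arn:aws:iam::aws:policy/service-role/"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders-queue"  # constructed

# Constructed: the shape the question describes (logs only, no SQS actions).
BROKEN_ROLE = {"ManagedPolicyArns": [SERVICE_ROLE + "AWSLambdaBasicExecutionRole"]}

# Fix 1: the managed policy built for SQS-triggered functions.
MANAGED_FIX = {"ManagedPolicyArns": [SERVICE_ROLE + "AWSLambdaSQSQueueExecutionRole"]}

# Fix 2: least privilege, the three actions scoped to the one queue.
SCOPED_FIX = {
    "ManagedPolicyArns": [SERVICE_ROLE + "AWSLambdaBasicExecutionRole"],
    "Policies": [{
        "PolicyName": "PollOrdersQueue",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": list(SQS_POLLER_ACTIONS),
                "Resource": QUEUE_ARN,
            }],
        },
    }],
}

if __name__ == "__main__":
    for label, role in (("broken", BROKEN_ROLE), ("managed", MANAGED_FIX), ("scoped", SCOPED_FIX)):
        print(f"{label}: missing {missing_sqs_permissions(role) or 'nothing'}")
```

The checker looks only at Allow coverage: an explicit Deny in the role, or a queue policy that does not permit the function's role, would still stop polling and has to be checked separately.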

418
MCQhard

A developer is building a serverless application using API Gateway and Lambda. The API must be accessed only by authenticated users from a specific AWS Cognito User Pool. Which method should be used?

A.Create a Lambda authorizer that checks the token against Cognito.
B.Use an IAM authorizer with a policy that allows only Cognito roles.
C.Use a resource policy on API Gateway to restrict by source IP.
D.Configure a Cognito Authorizer on the API Gateway method.
AnswerD

Directly integrates with Cognito User Pools.

Why this answer

API Gateway can use a Cognito Authorizer to validate tokens from a specific user pool.

419
MCQhard

A Lambda function processes messages from an SQS queue. The function occasionally fails due to network timeouts when calling an external API. The developer wants to retry failed messages automatically. What should the developer do?

A.Enable SQS redrive policy to automatically retry after a failure.
B.Configure a dead-letter queue on the Lambda function to capture failed events.
C.Configure a dead-letter queue for the SQS queue and set the Lambda function's maximum retries to 2.
D.Increase the Lambda function's timeout to 15 minutes.
AnswerC

SQS DLQ stores messages that fail after retries, and Lambda retries can be configured.

Why this answer

Option C is correct because configuring a dead-letter queue (DLQ) for the SQS queue allows messages that exceed the maximum retries to be stored for later analysis, while the Lambda function's retry behavior handles transient failures. Option D is wrong because increasing the Lambda timeout may help but does not provide automatic retries. Option A is wrong because SQS does not have a built-in retry mechanism; Lambda retries are separate.

Option B is wrong because a DLQ on the Lambda function captures only events that Lambda cannot process; the best practice is to use an SQS DLQ.

420
MCQeasy

A developer is deploying a web application using AWS Elastic Beanstalk. The application requires a relational database. The developer wants the database to be automatically created and configured as part of the Elastic Beanstalk environment. Which approach should they use?

A.Use Amazon DynamoDB as the database and configure it in the Elastic Beanstalk environment.
B.Create an RDS database manually and configure the application to connect to it using environment properties.
C.Embed a SQLite database file in the application deployment package.
D.Configure the Elastic Beanstalk environment to include an RDS database instance.
AnswerD

Elastic Beanstalk supports creating an RDS instance as a linked resource within the environment.

Why this answer

Option D is correct. Elastic Beanstalk can provision an RDS database as part of the environment using the AWS::ElasticBeanstalk::Environment resource with a linked RDS instance. Option B is wrong because manually creating an RDS instance outside of Elastic Beanstalk does not integrate with environment management.

Option A is wrong because DynamoDB is NoSQL, not relational. Option C is wrong because embedding a file-based database like SQLite in the application is not suitable for production and does not scale.

421
Multi-Selecteasy

A developer is building a serverless application using AWS Lambda. The Lambda function needs to access a VPC to connect to an RDS database. Which TWO resources must the developer configure to allow the Lambda function to access the VPC?

Select 2 answers
A.A NAT gateway in the VPC.
B.A security group that allows inbound/outbound traffic to the RDS database.
C.VPC subnet IDs for the Lambda function.
D.An IAM role with permissions to access RDS.
E.An internet gateway attached to the VPC.
AnswersB, C

The security group attached to the function's network interfaces acts as a firewall for traffic between Lambda and RDS; the RDS instance's security group must allow inbound traffic on the database port from it.

Why this answer

Options B and C are correct. Option C: the function must be given subnet IDs so that Lambda can create its elastic network interfaces inside the VPC; use private subnets. Option B: a security group must be attached to the function to control its traffic, and the RDS instance's security group must allow inbound traffic on the database port from that group.

Option A is incorrect because a NAT gateway provides outbound internet access, which is not needed to reach RDS inside the VPC. Option E is incorrect because an internet gateway is not needed for private VPC access either. Option D is incorrect because an IAM role grants API permissions, not network connectivity; note, though, that the execution role does need the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface permissions (the AWSLambdaVPCAccessExecutionRole managed policy) for Lambda to create the interfaces at all.

422
MCQhard

An EC2 instance is running with an IAM instance profile. The application on the instance is trying to access an S3 bucket, but receives 'Access Denied'. The instance profile has a role with a policy that allows s3:GetObject on the bucket. What is a likely cause?

A.The instance profile is not attached to the instance.
B.The IAM role does not have the correct permissions.
C.The trust policy of the IAM role does not allow the EC2 service.
D.The instance is in a private subnet without a VPC endpoint for S3.
AnswerD

Without a VPC endpoint or NAT gateway the instance cannot reach S3 at all; with a path that bypasses the endpoint, a bucket policy conditioned on the endpoint produces 'Access Denied' even though the role allows the call.

Why this answer

Option D is correct by elimination, and the reasoning matters. When an EC2 instance sits in a private subnet with no gateway endpoint for S3 and no NAT, requests never reach the service and the SDK reports a connection timeout, not 'Access Denied'. The way a missing endpoint produces a genuine 'Access Denied' is common in practice: the bucket policy restricts access with a condition such as aws:SourceVpce or aws:SourceVpc, so requests that leave through a NAT gateway arrive from a public IP address, fail the condition and are denied even though the instance role allows s3:GetObject. Checking the bucket policy's Condition block together with the subnet's route table resolves it.

Exam trap

The trap here is that candidates assume every 'Access Denied' is an identity-policy problem. The S3 authorization decision also takes in the bucket policy, S3 Block Public Access, the KMS key policy for encrypted objects and any VPC endpoint policy; a request whose identity is allowed but which arrives over an unexpected network path (no VPC endpoint) can still be denied.

How to eliminate wrong answers

Option A is wrong because without an instance profile the SDK finds no credentials at all and fails with a credentials error (for example 'Unable to locate credentials'), not 'Access Denied'; the question also states the profile is present. Option B is wrong because the policy explicitly allows s3:GetObject on the bucket. Option C is wrong because the role's trust policy must allow the ec2.amazonaws.com service principal to assume it; if it did not, the instance would never obtain temporary credentials from the instance metadata service and every API call would fail, not only S3.

423
MCQeasy

A company is using AWS CodeBuild to compile a Java application. The build takes a long time because Maven dependencies are downloaded each time. How can the developer reduce build time?

A.Use a higher compute type for the build project.
B.Use a custom AMI with pre-installed dependencies.
C.Increase the timeout value for the build.
D.Configure a cache in Amazon S3 for the Maven repository.
AnswerD

Caching dependencies avoids re-downloading them.

Why this answer

Option D is correct because CodeBuild can cache the local Maven repository (for example ~/.m2) in Amazon S3 between builds, so dependencies are downloaded only when they change. Option A is incorrect because more compute shortens compilation, not the download. Option B is incorrect because CodeBuild runs builds in containers from a build image, not from an AMI; pre-baking dependencies into a custom Docker image does work, but then that image has to be maintained. Option C is incorrect because a longer timeout lets a slow build finish; it does not make it faster.

424
Multi-Selectmedium

A company wants to securely store database credentials for a Lambda function. The credentials must be automatically rotated. Which TWO services should be used together?

Select 2 answers
A.AWS KMS
B.AWS Secrets Manager
C.AWS CloudHSM
D.AWS Lambda
E.AWS Systems Manager Parameter Store
AnswersB, D

Stores and rotates secrets.

Why this answer

AWS Secrets Manager is the first service because it is purpose-built for storing, retrieving and automatically rotating database credentials and other secrets. AWS Lambda is the second because rotation is carried out by a rotation function that Secrets Manager invokes on the configured schedule: AWS supplies the function for the supported database engines (RDS, Redshift, DocumentDB) and you write your own for anything else. AWS KMS only encrypts the secret value at rest, CloudHSM manages cryptographic keys, and neither of them changes a database password.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store with Secrets Manager because both can store secrets, but Parameter Store lacks automatic rotation, which is explicitly required in the question.

425
MCQeasy

A developer is building an AWS Lambda function that needs to retrieve a database password securely. The password is stored in AWS Secrets Manager and is rotated every 30 days. The function must minimize the number of API calls to Secrets Manager. Which approach should the developer use?

A.Store the database password as an encrypted environment variable in the Lambda function.
B.Call Secrets Manager on every invocation to get the latest secret.
C.Retrieve the secret from Secrets Manager once outside the handler function, cache it in a global variable, and refresh the cache if the secret fails.
D.Use AWS Systems Manager Parameter Store SecureString instead of Secrets Manager.
AnswerC

Caching the secret in the global scope allows reuse across invocations within the same execution environment. If the secret is rotated, the cache can be refreshed when the cached secret fails to authenticate.

Why this answer

Option C is correct because it retrieves the secret once during the Lambda cold start (outside the handler), caches it in a global variable, and only refreshes the cache if the secret fails (e.g., due to rotation). This minimizes API calls to Secrets Manager while still handling secret rotation gracefully, as the cached secret remains valid until a failure occurs.

Exam trap

The trap here is that candidates assume 'minimize API calls' means never calling Secrets Manager again, but the correct approach allows a single call per cold start with a fallback refresh on failure, not zero calls forever.

How to eliminate wrong answers

Option A is wrong because storing the password as an encrypted environment variable does not support automatic rotation—the value is static until the function is redeployed, violating the requirement that the password is rotated every 30 days. Option B is wrong because calling Secrets Manager on every invocation maximizes API calls, incurring unnecessary cost and latency, and contradicts the requirement to minimize API calls. Option D is wrong because switching to Systems Manager Parameter Store does not inherently reduce API calls; the same caching strategy would still be needed, and the question specifically asks about Secrets Manager, not an alternative service.
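The caching pattern from option C, written out as an added example (not code from the question bank or from AWS). The Secrets Manager client is injected so the module runs offline: FakeSecretsManager is a constructed stand-in for boto3.client("secretsmanager"), AuthError stands in for the database driver's authentication error, and the secret name and refresh interval are assumed values.

```python
"""Cache a Secrets Manager secret across warm invocations and refresh it
only when the cached value stops working, for example after rotation.

Added example; not from the question bank or from AWS. The client is
injected so the module runs offline: FakeSecretsManager is a constructed
stand-in for boto3.client("secretsmanager"), AuthError stands in for the
database driver's authentication error, SECRET_ID and REFRESH_INTERVAL_S
are assumed values.
"""
import json
import time

SECRET_ID = "prod/app/db"        # assumed secret name
REFRESH_INTERVAL_S = 15 * 60     # assumed: re-read at most every 15 minutes


class AuthError(Exception):
    """Stand-in for the database driver's authentication failure."""


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client; counts API calls."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self.secret_string}


# Module scope is initialised once per execution environment (cold start) and
# survives across invocations, so this dict is the per-environment cache.
_cache = {"value": None, "fetched_at": 0.0}


def reset_cache():
    """Drop the cached secret (tests use this; a cold start does it for free)."""
    _cache["value"] = None
    _cache["fetched_at"] = 0.0


def get_credentials(client, force=False, now=None):
    """Return the cached secret, calling Secrets Manager only on a cold start,
    on an explicit refresh, or when the cached copy is older than the interval."""
    now = time.monotonic() if now is None else now
    stale = (now - _cache["fetched_at"]) > REFRESH_INTERVAL_S
    if force or _cache["value"] is None or stale:
        resp = client.get_secret_value(SecretId=SECRET_ID)
        _cache["value"] = json.loads(resp["SecretString"])   # never log this
        _cache["fetched_at"] = now
    return _cache["value"]


def connect_with_refresh(client, connect):
    """Open a database connection with the cached credentials; if the database
    rejects them (rotation happened since they were cached), refresh the secret
    once and retry. connect(user, password) stands in for the driver call and
    raises AuthError on bad credentials."""
    creds = get_credentials(client)
    try:
        return connect(creds["username"], creds["password"])
    except AuthError:
        creds = get_credentials(client, force=True)
        return connect(creds["username"], creds["password"])
```

The refresh-on-failure path is what keeps a 30-day rotation from breaking warm environments that cached the old password; the time-based refresh is a belt-and-braces addition so a stale copy is not kept indefinitely in an environment that never fails. The same caching belongs in a long-running EC2 process. If you would rather not write this yourself, the AWS Parameters and Secrets Lambda Extension provides an in-environment cache with a TTL over a local HTTP endpoint.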

426
MCQmedium

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The developer wants to monitor the deployment and automatically roll back if a specified Amazon CloudWatch alarm is triggered during the deployment. Which CodeDeploy feature should the developer configure?

A.Deployment group alarm configuration
B.Deployment configuration with alarm
C.Revision rollback
D.EC2 instance health check
AnswerA

Correct. You add a CloudWatch alarm to the deployment group, and set the rollback behavior to trigger when the alarm enters the ALARM state.

Why this answer

The Deployment group alarm configuration in AWS CodeDeploy allows you to specify Amazon CloudWatch alarms that, when triggered during a deployment, automatically initiate a rollback. This feature is configured at the deployment group level and ensures that if a predefined alarm (e.g., high error rate or latency) enters the ALARM state, CodeDeploy stops the deployment and reverts to the last known good revision. This provides automated, policy-driven rollback without manual intervention.

Exam trap

The trap here is that candidates confuse the deployment group alarm configuration (which monitors CloudWatch alarms during deployment) with a deployment configuration (which controls traffic shifting and failure thresholds), leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because 'Deployment configuration with alarm' is not a valid CodeDeploy feature; CodeDeploy deployment configurations define traffic routing and failure thresholds, not alarm-based rollback triggers. Option C is wrong because 'Revision rollback' is a manual or automated action that can be initiated by the deployment group alarm configuration, but it is not a feature you configure to monitor alarms—it is the outcome of the alarm trigger. Option D is wrong because 'EC2 instance health check' refers to the health checks performed by Auto Scaling or Elastic Load Balancing to determine instance health, not to CloudWatch alarm-based rollback logic in CodeDeploy.

427
MCQhard

A company wants to allow cross-account access to a DynamoDB table. They set up an IAM role in Account A (table owner) and allow Account B's users to assume the role. Which additional step is required?

A.Add a policy to the DynamoDB table allowing Account B
B.Create a bucket policy in Account A
C.Attach a policy to the IAM role that allows DynamoDB actions
D.Configure the trust policy of the IAM role in Account A to allow Account B to assume it
AnswerD

The trust policy defines which principals can assume the role.

Why this answer

Option D is correct because the role's trust policy is what names the principals permitted to call sts:AssumeRole; without an entry for Account B (its account root, or a specific role or user in it) nobody outside Account A can assume the role, whatever its permissions policy says. Option A is not the step this design needs: a resource-based policy on the table is the other way to grant cross-account access (DynamoDB has supported resource-based policies since 2024), and it is paired with an identity policy in Account B rather than with an assumed role. Option B is wrong because bucket policies belong to S3.

Option C is not the missing cross-account step: the role does need a permissions policy allowing the DynamoDB actions, but that policy alone grants nothing to Account B. Trust decides who may assume the role, permissions decide what the assumed role may do, and both must be present.

428
MCQmedium

A developer is troubleshooting an AWS Lambda function that returns timeout errors when calling an external HTTPS API. The function is configured with a 30-second timeout and runs in a VPC with a public subnet and NAT Gateway. The developer checks CloudWatch logs and sees that the function is timing out at exactly 30 seconds. What is the most likely cause?

A.The NAT Gateway is not configured with a route to the internet.
B.The Lambda function's security group does not allow outbound traffic.
C.The external API's response time exceeds 30 seconds.
D.The Lambda function's VPC does not have an internet gateway.
AnswerB

Correct. If the function's security group egress rules do not permit HTTPS (TCP 443) to the API, the outbound SYN is dropped silently; nothing comes back, so the function hangs until its 30-second timeout expires.

Why this answer

Option B is correct because Lambda functions attached to a VPC have no internet access of their own: their network interfaces need a route to a NAT gateway, and the function's security group must allow the outbound traffic (HTTPS on TCP 443 here). Without the egress rule the packets are dropped and the function hangs until the configured 30-second timeout expires. Note that a Lambda network interface placed in a public subnet cannot use the internet gateway because it has no public IP address; the interfaces belong in private subnets whose route table points at the NAT gateway.

Exam trap

The trap here is that candidates assume a NAT Gateway alone provides internet access to Lambda, overlooking that security group egress rules must explicitly allow outbound traffic to the destination.

How to eliminate wrong answers

Option A is wrong only because the stem tells us the NAT gateway is in place; a missing route from the function's subnet to the NAT gateway, or from the NAT gateway's subnet to the internet gateway, produces exactly the same silent hang to the 30-second timeout and cannot be ruled out from the logs alone. Option C also cannot be ruled out by the timestamp, since a slow upstream hits the same 30-second limit; the question expects the VPC cause because the scenario is about network configuration. In practice, give the HTTP client a short connect timeout and log the connect and response phases separately: a connect timeout points at the security group or routing, a response timeout points at the API. Option D is wrong because the function's interfaces do not use the internet gateway directly; the NAT gateway sits in a public subnet and uses the internet gateway on the function's behalf.
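A diagnostic probe for the distinction drawn above, as an added example (not from the question bank or from AWS). One 30-second function timeout hides which phase hung, so the TCP connect gets its own short timeout: a connect timeout means the SYN was dropped (security group egress, missing route to the NAT gateway, interfaces in a public subnet), a response timeout means the connection was made and the upstream is slow. The connector is injectable and FakeSocket plus the four constructed connectors stand in for real network conditions so the probe runs offline; the two timeout values are assumed.

```python
"""Tell 'the API is unreachable' apart from 'the API is slow' inside a
VPC-attached Lambda function.

Added example, not from the question bank. The connector is injectable and
FakeSocket is a constructed stand-in for a connected socket, so the probe
runs offline; CONNECT_TIMEOUT_S and RESPONSE_TIMEOUT_S are assumed values.
"""
import socket

CONNECT_TIMEOUT_S = 3.0     # assumed: well under the function's 30 s timeout
RESPONSE_TIMEOUT_S = 10.0   # assumed


def probe(host, port=443, connector=socket.create_connection):
    """Return ("ok", first_bytes) or (reason, None), with reason one of
    "connect_timeout", "unreachable", "response_timeout"."""
    try:
        sock = connector((host, port), timeout=CONNECT_TIMEOUT_S)
    except (socket.timeout, TimeoutError):
        return ("connect_timeout", None)   # no SYN-ACK: egress rule or route
    except OSError:
        return ("unreachable", None)       # e.g. no route, DNS failure
    try:
        sock.settimeout(RESPONSE_TIMEOUT_S)
        # A real client wraps the socket in TLS first; the probe sends a plain
        # request only to separate the connect phase from the wait for data.
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = sock.recv(4096)
    except (socket.timeout, TimeoutError):
        return ("response_timeout", None)  # connected, upstream did not answer
    finally:
        sock.close()
    return ("ok", data)


class FakeSocket:
    """Constructed stand-in for a connected socket."""

    def __init__(self, data=b"", recv_exc=None):
        self.data, self.recv_exc = data, recv_exc

    def settimeout(self, seconds):
        pass

    def sendall(self, payload):
        pass

    def recv(self, size):
        if self.recv_exc:
            raise self.recv_exc
        return self.data[:size]

    def close(self):
        pass


def dropped_syn(address, timeout):
    """Constructed connector that behaves like a blocked egress rule."""
    raise socket.timeout("connect timed out")


def no_route(address, timeout):
    """Constructed connector that behaves like a missing route."""
    raise OSError("Network is unreachable")


def slow_upstream(address, timeout):
    """Constructed connector: the connection succeeds, then nothing comes back."""
    return FakeSocket(recv_exc=socket.timeout("read timed out"))


def healthy(address, timeout):
    """Constructed connector for a responsive upstream."""
    return FakeSocket(data=b"HTTP/1.0 200 OK\r\n")
```

Call probe("api.example.com") once at the start of a diagnostic deployment and log the reason; the same split of connect and read timeouts belongs in the production HTTP client so a hung dependency fails fast instead of consuming the whole function timeout. When the cause is the security group, fix it with an egress rule limited to TCP 443 towards the destination rather than opening all ports to 0.0.0.0/0.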

429
MCQhard

A developer is building a REST API using API Gateway and AWS Lambda. The API must support long-running operations that can take up to 30 minutes. The current implementation uses synchronous Lambda invocation, causing API Gateway to timeout after 29 seconds. What solution should the developer implement?

A.Increase the Lambda function timeout to 30 minutes.
B.Use an SQS queue to decouple the request and have the client poll for results.
C.Use Lambda function URL directly and bypass API Gateway.
D.Change the API Gateway integration to HTTP_PROXY type.
AnswerB

This pattern allows the API to return immediately and the client to poll for the result asynchronously.

Why this answer

Option B is correct because API Gateway's default integration timeout is 29 seconds, far below a 30-minute operation, so the request must be decoupled: the API enqueues a job in SQS and returns a job ID immediately, a worker processes the job, and the client polls a status endpoint for the result (Step Functions can orchestrate the same pattern). Option D is wrong because an HTTP_PROXY integration is subject to the same integration timeout.

Option A is wrong because a Lambda function timeout cannot exceed 15 minutes in any case, and it does not change API Gateway's integration timeout. Option C is wrong because a function URL is still a synchronous invocation bounded by the function's 15-minute maximum. Note that the 29-second integration timeout of Regional and private REST APIs can now be raised by a quota request, but that does not make a 30-minute synchronous HTTP call a sound design.

430
MCQmedium

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' Which of the following is the MOST likely cause?

A.The new application version fails the configured health checks on the instances.
B.The deployment group does not exist.
C.The IAM role for CodeDeploy does not have sufficient permissions.
D.The CodeDeploy agent is not installed on the instances.
AnswerA

Health check failures cause the deployment to roll back.

Why this answer

The error message says that individual instances failed. The most common cause is the new revision failing the checks that run after it is installed: a lifecycle hook script such as ValidateService exits non-zero, or, when the deployment group is attached to a load balancer, the instance never passes the load balancer's health check. CodeDeploy marks such instances as failed, and when fewer healthy instances remain than the deployment configuration's minimum, it aborts the deployment and, if automatic rollback is enabled, redeploys the previous revision.

Exam trap

The trap here is that candidates often confuse deployment failures caused by health check failures with infrastructure issues like missing IAM roles or agents, but the specific error message about 'too many individual instances failed deployment' directly points to application-level health check failures, not permission or agent problems.

How to eliminate wrong answers

Option B is wrong because a missing deployment group is rejected when the deployment is created (DeploymentGroupDoesNotExistException), before any instance is touched. Option C is wrong because insufficient permissions on the CodeDeploy service role fail with an access error when CodeDeploy calls EC2 or Auto Scaling, not with a per-instance deployment failure. Option D is the one to treat with care: an instance without a running agent never picks up the deployment and fails with a timeout, and in practice that can surface as this same overall error. What distinguishes the health-check case is the per-instance event view, where the failing lifecycle event is ValidateService or another application hook rather than a timeout before the first event; the question intends the application-level cause as the most likely one.

431
MCQeasy

A developer needs to grant a Lambda function permission to write logs to CloudWatch Logs. Which IAM entity should be used?

A.Attach an inline policy to the Lambda function.
B.Create an IAM execution role with the necessary permissions and associate it with the function.
C.Use a service control policy (SCP) to allow logging.
D.Add a resource-based policy to the Lambda function.
AnswerB

Execution roles are the standard way to grant permissions.

Why this answer

Lambda functions require an IAM execution role to obtain temporary credentials for accessing other AWS services. This role must include a trust policy allowing Lambda to assume it and a permissions policy granting the specific actions (e.g., logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) on CloudWatch Logs. Associating this role with the function is the standard and secure way to grant permissions.

Exam trap

The trap here is confusing the entity that receives permissions (the Lambda function) with the mechanism that grants them (an execution role), leading candidates to incorrectly select attaching a policy directly to the function or using a resource-based policy.

How to eliminate wrong answers

Option A is wrong because an inline policy is attached to an IAM user, group, or role, not directly to a Lambda function; Lambda functions do not have IAM policies attached to them. Option C is wrong because Service Control Policies (SCPs) are used to set permission boundaries across an entire AWS organization or organizational unit, not to grant permissions to individual Lambda functions. Option D is wrong because resource-based policies are used to grant other AWS services or accounts access to the Lambda function itself (e.g., allowing an S3 bucket to invoke the function), not to grant the function permissions to other services like CloudWatch Logs.

432
MCQhard

A company runs a containerized application on Amazon ECS with Fargate. The application writes logs to stdout. The operations team wants to send these logs to a centralized log management tool that requires logs in JSON format. What is the BEST way to achieve this without modifying application code?

A.Use the FireLens log driver to route logs to Fluent Bit and then to the tool
B.Use the awslogs log driver and configure a JSON output format
C.Install the CloudWatch Logs agent on the container
D.Modify the application to output logs in JSON format
AnswerA

FireLens allows log routing and transformation without code changes.

Why this answer

Option A is correct because FireLens adds a Fluent Bit (or Fluentd) log router container to the task definition and routes the application's stdout to it with the awsfirelens log driver; Fluent Bit can parse and reformat the lines as JSON and forward them to any supported destination. Option C is wrong because there is no host on Fargate to install the CloudWatch Logs agent on, and it would not run inside an unmodified application container. Option B is wrong because the awslogs driver ships lines unchanged to CloudWatch Logs and has no output format option.

Option D is wrong because the question rules out modifying application code.

433
MCQmedium

A CloudFormation template defines a Lambda function and a version resource. After updating the function code in the S3 bucket, the developer updates the stack. The Lambda function is updated, but the version resource remains unchanged. What is the most likely reason?

A.The template should use AutoPublishAlias to create versions.
B.The function code changed, but CloudFormation does not detect the change because the S3 key is the same.
C.The version resource is created before the function update completes.
D.The version resource has a DependsOn clause that prevents it from updating.
AnswerB

CloudFormation compares the template's property values, not the content of the S3 object; if S3Bucket and S3Key are unchanged it sees no change to the function, and an AWS::Lambda::Version resource publishes a version only when it is created or replaced.

Why this answer

Option B is correct. A stack update compares template properties, not the bytes in S3: when the Code property still names the same S3Bucket and S3Key, the function resource has no property change, so nothing propagates to the AWS::Lambda::Version resource. Even when the function's properties do change, an AWS::Lambda::Version is immutable: it publishes a version once, when it is created, and a later update does not publish another. The usual fixes are to reference the object's S3ObjectVersion (or a key that embeds a hash of the artifact) so the function is updated, and to give the Version resource a new logical ID for each release so a new version is published, or to let AWS SAM's AutoPublishAlias do both.

Option A is incorrect because AutoPublishAlias is an AWS SAM property, not plain CloudFormation; it is a valid fix in a SAM template but does not explain the observed behaviour. Option C is incorrect because CloudFormation resolves the reference to the function before creating the version, so the version is created after the function. Option D is incorrect because DependsOn only orders operations; it never prevents an update.

434
Multi-Selectmedium

A developer is building a web application that uses Amazon Cognito for user authentication. Which TWO actions should be taken to secure the application?

Select 2 answers
A.Enable multi-factor authentication (MFA) for users.
B.Disable token expiration to avoid frequent re-authentication.
C.Use HTTPS for all communication between the client and the application.
D.Use IAM users for authentication instead of Cognito.
E.Store user tokens in local storage for persistence.
AnswersA, C

MFA provides additional security.

Why this answer

Option A is correct because enabling multi-factor authentication (MFA) adds a second factor beyond the password (a one-time code from an authenticator app or SMS), which sharply reduces the impact of a compromised credential. Amazon Cognito user pools support MFA natively and can require it. Option C is correct because every exchange with Cognito and with the application carries tokens or credentials; HTTPS protects them from interception and tampering in transit. Option B is wrong because a non-expiring token is a permanent credential if stolen; keep access and ID tokens short-lived and use refresh tokens. Option D is wrong because IAM users are for operators and programmatic access, not application end users. Option E is wrong because localStorage is readable by any script running in the page, so a cross-site scripting bug hands the attacker the tokens; keep them in memory or in an HttpOnly cookie set by a backend.

Exam trap

The trap here is that candidates often think disabling token expiration improves user experience, but they overlook the critical security risk of token theft and the need for short-lived tokens (e.g., 1 hour for access tokens) combined with refresh tokens to balance security and usability.

435
Multi-Selecthard

A company is using Amazon ElastiCache for Redis to improve the performance of a high-traffic web application. Recently, the application has been experiencing increased latency. The developer suspects that cache misses are causing the application to read from the database more frequently. Which THREE metrics should the developer examine in Amazon CloudWatch to troubleshoot this issue? (Choose THREE.)

Select 3 answers
A.CacheMisses
B.Evictions
C.SwapUsage
D.CurrConnections
E.CPUUtilization
AnswersA, B, D

High cache misses indicate that the cache is not being used effectively, leading to database reads.

Why this answer

Options A, B and D are correct. Option A: CacheMisses counts requests that did not find the key in the cache; compare it with CacheHits to get the hit ratio. Option B: Evictions counts keys removed because memory is full; a rising count means the working set no longer fits, and misses follow.

Option D: CurrConnections shows whether the node is saturated with client connections, which adds latency independently of the hit ratio. Option E (CPUUtilization) is not a direct measure of cache effectiveness. Option C (SwapUsage) does indicate memory pressure and is worth a look, but Evictions already tells you the cache is too small for the working set.

The three to examine first are CacheMisses, Evictions and CurrConnections.

436
MCQhard

A developer is troubleshooting performance issues in an application that uses Amazon DynamoDB as the primary data store. The application reads a large set of items using a Query operation on a Global Secondary Index (GSI). The developer notices high read latency and throttled requests on the GSI. The base table has sufficient read capacity. The GSI is projected with KEYS_ONLY. Which action would most likely reduce the latency and throttling?

A.Increase the read capacity units (RCU) of the base table.
B.Change the GSI projection to ALL.
C.Increase the read capacity units (RCU) of the GSI.
D.Create a Local Secondary Index instead.
AnswerC

Correct. Throttling on a GSI indicates that the provisioned read capacity of that index is exhausted. Increasing its RCU alleviates throttling and reduces latency.

Why this answer

The correct answer is C because a Global Secondary Index (GSI) has its own provisioned read capacity, separate from the base table. When a Query operation reads from a GSI, it consumes RCUs from the GSI's capacity, not the base table's. Since the base table has sufficient read capacity but the GSI is experiencing throttling and high latency, increasing the GSI's RCU directly addresses the bottleneck by allowing more read requests per second against the index.

Exam trap

The trap here is that candidates often assume increasing the base table's capacity will resolve all read performance issues, failing to recognize that GSIs have independent capacity allocations and that throttling on a GSI requires adjusting the index's RCU, not the base table's.

How to eliminate wrong answers

Option A is wrong because increasing the base table's RCU does not affect the GSI's throughput; the GSI has its own independent capacity settings, and throttling on the GSI is caused by insufficient RCU on the index itself. Option B is wrong because changing the GSI projection to ALL would increase the size of each item returned, consuming more RCUs per query and potentially worsening latency and throttling, not reducing it. Option D is wrong because a Local Secondary Index (LSI) shares the base table's partition key and RCU/WCU, but it does not solve the issue of insufficient read capacity on the index; additionally, LSIs cannot be created after table creation if not initially defined, and they have different partition key constraints that do not address the GSI-specific throttling.

437
MCQmedium

A developer is using AWS Secrets Manager to store database credentials. The application runs on EC2 and needs to retrieve the secret. Which approach is the most secure?

A.Store the secret in an environment variable in the user data script.
B.Use an IAM role attached to the EC2 instance with permissions to access the secret, and call the AWS SDK to retrieve it at runtime.
C.Retrieve the secret at application startup and store it in a configuration file.
D.Download the secret from an S3 bucket using pre-signed URLs.
AnswerB

This follows best practices: no hardcoded secrets, automatic credential rotation.

Why this answer

Option B is correct because it follows the principle of least privilege and avoids hardcoding or storing secrets in insecure locations. By attaching an IAM role to the EC2 instance, the application can securely retrieve the secret from AWS Secrets Manager at runtime using the AWS SDK, without ever exposing the secret in code, configuration files, or environment variables. This approach leverages IAM's temporary credentials from the instance metadata service (IMDS) to authenticate the SDK call, ensuring the secret is never persisted locally.

Exam trap

The trap here is that candidates often think storing secrets in environment variables or configuration files is acceptable because it's 'runtime only,' but the exam emphasizes that any persistent or accessible storage of secrets violates security best practices, and only IAM roles with SDK retrieval provide the necessary isolation and rotation support.

How to eliminate wrong answers

Option A is wrong because storing the secret in an environment variable via user data script exposes it in the EC2 instance's metadata and process list, making it accessible to any user or process on the instance and violating security best practices. Option C is wrong because storing the secret in a configuration file after retrieval persists it on disk, increasing the risk of exposure through file system access, backups, or logs, and defeats the purpose of using Secrets Manager for dynamic rotation. Option D is wrong because downloading the secret from an S3 bucket using pre-signed URLs requires storing the secret in S3 first, which introduces additional management overhead and potential exposure, and pre-signed URLs can be intercepted or leaked, whereas Secrets Manager provides native encryption and access control.

438
MCQhard

An AWS Lambda function that processes messages from an SQS queue is experiencing throttling (TooManyRequestsException). The function has reserved concurrency set to 100. The SQS queue has a redrive policy configured with maxReceiveCount of 5. CloudWatch metrics show that the function's concurrent executions occasionally spike to 100, and throttling occurs. The function execution time averages 2 seconds. What is the most effective way to reduce throttling?

A.Increase the batch size of the SQS event source mapping
B.Increase the reserved concurrency of the Lambda function
C.Decrease the batch window of the event source mapping
D.Add a dead-letter queue (DLQ) for the Lambda function
AnswerA

A larger batch size means fewer invocations for the same number of messages, reducing the peak concurrent executions and thus throttling.

Why this answer

Increasing the batch size allows the Lambda function to process more messages per invocation, reducing the number of concurrent executions needed to handle the same message volume. Since the function already spikes to its reserved concurrency of 100, processing more messages per batch lowers the invocation rate and thus reduces throttling without requiring additional concurrency.

Exam trap

The trap here is that candidates often assume throttling is always solved by increasing reserved concurrency, but the question explicitly states the function already spikes to its limit, so the correct approach is to reduce the number of invocations by increasing the batch size.

How to eliminate wrong answers

Option B is wrong because the function already reaches its reserved concurrency of 100 during spikes; raising the reservation takes concurrency away from the other functions in the account and only moves the ceiling, whereas the question asks how to reduce throttling with the existing capacity. A practitioner would also set maximum concurrency on the SQS event source mapping itself, so the poller stops scaling at the function's limit instead of producing throttled invocations that return messages to the queue and count against maxReceiveCount. Option C is wrong because a shorter batch window yields smaller batches and therefore more invocations, which worsens throttling. Option D is wrong because a dead-letter queue only receives messages that have failed maxReceiveCount times; it does not change the invocation rate.

439
Multi-Selecthard

Which TWO steps are required to enable cross-account access to a DynamoDB table from a Lambda function in another AWS account?

Select 2 answers
A.Create a resource-based policy on the DynamoDB table that allows access from the Lambda execution role.
B.Configure the Lambda function to assume an IAM role in the DynamoDB account.
C.Add a trust policy to the Lambda execution role allowing the DynamoDB account to access it.
D.Add a bucket policy to the DynamoDB table to allow cross-account access.
E.In the Lambda account, attach an IAM policy to the Lambda execution role that allows access to the DynamoDB table.
AnswersA, E

DynamoDB supports resource-based policies; for cross-account access both the table's policy and the caller's identity policy must allow the action.

Why this answer

Options A and E are correct. Cross-account access with a resource-based policy requires both sides to allow it: the table's resource-based policy in the DynamoDB account must name the Lambda execution role as principal (A), and the execution role in the Lambda account must carry an identity-based policy allowing the DynamoDB actions on the table's ARN (E). The function then calls DynamoDB with its own credentials, addressing the table by its full ARN.

Option B is the alternative design (assume a role in the table's account), not a requirement when a resource-based policy is used. Option C is wrong because the execution role's trust policy only needs to allow lambda.amazonaws.com; the DynamoDB account never assumes it. Option D is wrong because bucket policies are an S3 construct; DynamoDB uses table resource-based policies.
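A reduced model of the IAM evaluation behind this question and question 427, as an added example (not code from the question bank or from AWS). It keeps only the rules that matter here: an explicit Deny anywhere wins; inside one account the identity policy or the resource policy may allow; across accounts both must allow. Conditions, permission boundaries, SCPs and session policies are left out. The account IDs, region, table name and role names are assumed placeholders, and the three policy documents are written the way you would attach them in practice.

```python
"""Why cross-account DynamoDB access needs two policies: a reduced model of
IAM's evaluation for the resource-policy and assume-role designs.

Added example, not from the question bank or from AWS. Account IDs, region,
table and role names are assumed placeholders. evaluate() ignores
conditions, permission boundaries, SCPs and session policies.
"""
from fnmatch import fnmatchcase

TABLE_ACCOUNT = "111111111111"
LAMBDA_ACCOUNT = "222222222222"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{TABLE_ACCOUNT}:table/Orders"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{LAMBDA_ACCOUNT}:role/order-reader"
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query"]

# Identity-based policy on the Lambda execution role in the Lambda account.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": TABLE_ARN}]}

# Resource-based policy on the table in the table's account.
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
     "Action": READ_ACTIONS, "Resource": TABLE_ARN}]}

# The other design: a role in the table's account whose trust policy lets
# the Lambda account assume it; the function then calls sts:AssumeRole.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{LAMBDA_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:          # identity policies name no principal
        return True
    for p in _as_list(stmt["Principal"].get("AWS", [])):
        # An account root principal delegates to that account's IAM policies,
        # so it matches any principal of that account.
        if p == principal_arn or (p.endswith(":root") and
                                  _account_of(p) == _account_of(principal_arn)):
            return True
    return False


def _statement_matches(stmt, principal_arn, action, resource):
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r)
                    for r in _as_list(stmt.get("Resource", "*"))))


def _decision(policy, principal_arn, action, resource):
    """'Deny', 'Allow', or None when no statement matches."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal_arn, action, resource)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None


def evaluate(principal_arn, action, resource, identity_policy, resource_policy):
    """True when the request is allowed under the reduced model."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    res = _decision(resource_policy, principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    if _account_of(principal_arn) == _account_of(resource):
        return "Allow" in (ident, res)          # same account: either side
    return ident == "Allow" and res == "Allow"  # cross-account: both sides


def can_assume(trust_policy, principal_arn):
    """Trust-policy check for the assume-role design of question 427."""
    return _decision(trust_policy, principal_arn, "sts:AssumeRole", "*") == "Allow"
```

The model makes the two exam points visible: dropping either IDENTITY_POLICY or RESOURCE_POLICY denies the cross-account read while a same-account caller needs only its identity policy, and the trust policy alone decides who may assume the role in the other design. Naming the account root in a resource or trust policy delegates the fine-grained decision to that account's IAM administrators; naming the specific role ARN keeps the decision in the owning account and is the tighter choice.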

440
MCQeasy

A developer is using AWS CodeCommit as a source repository. They want to automatically build and test code whenever a new branch is created. Which AWS service should they use to trigger the pipeline?

A.Amazon CloudWatch Events
B.Amazon S3 event notification
C.Amazon Simple Notification Service (SNS)
D.AWS Lambda
AnswerA

CloudWatch Events can capture CodeCommit repository events.

Why this answer

Option A is correct because CloudWatch Events (now Amazon EventBridge) receives CodeCommit repository state change events, including referenceCreated for a new branch, and a rule on that event can start the pipeline or build. Option B is incorrect because S3 event notifications cover object operations in buckets. Option C is incorrect because SNS delivers notifications; it does not observe the repository.

Option D is incorrect because Lambda could be the target of such a rule, but something must detect the branch creation first, and that is the event rule.

441
MCQhard

A developer is monitoring an AWS Lambda function that processes events from an Amazon Kinesis stream. The function's CloudWatch metrics show high IteratorAge and the function is often throttled. The function's batch size is 100, maximum record age is 60s, and reserved concurrency is 100. The Kinesis stream has 10 shards, each with 5000 records/sec. Which action is most effective to reduce the IteratorAge and throttle rate?

A. Increase the batch size to 1000
B. Increase the number of shards
C. Decrease the maximum record age
D. Increase the function's memory and CPU allocation
Answer: B

Correct. More shards increase the concurrency of Lambda invocations (each shard processed independently), directly reducing the IteratorAge and throttle rate by providing more parallel processing capacity.

Why this answer

The high IteratorAge indicates that the Lambda function is falling behind in processing records from the Kinesis stream. Throttling occurs because the function's reserved concurrency of 100 is insufficient to handle the total throughput of 10 shards × 5000 records/sec = 50,000 records/sec. Increasing the number of shards (option B) directly increases the parallelism of the stream, allowing more Lambda invocations to run concurrently (up to the reserved concurrency limit) and reducing the backlog, thereby decreasing IteratorAge and throttle rate.

Exam trap

The trap here is that candidates often assume increasing batch size or memory will solve throughput issues, but the real bottleneck is concurrency limits and shard-level parallelism, not per-invocation processing capacity.

How to eliminate wrong answers

Option A is wrong because increasing the batch size to 1000 would cause each invocation to process more records, but it does not increase concurrency; the function is already throttled due to reserved concurrency limits, and larger batches may increase processing time per invocation, worsening IteratorAge. Option C is wrong because decreasing the maximum record age (from 60s to a lower value) would cause records to be discarded sooner, which does not address the root cause of throttling or backlog; it only changes the retention policy for unprocessed records. Option D is wrong because increasing memory and CPU allocation improves per-invocation performance but does not increase the number of concurrent executions; the throttling is due to concurrency limits, not individual invocation speed.

442
Multi-Select (medium)

A developer is using AWS KMS to encrypt data. Which of the following are true about customer master keys (CMKs)? (Choose TWO.)

Select 2 answers
A. You can disable and re-enable AWS managed keys.
B. You cannot create customer managed keys; only AWS can create them.
C. AWS managed keys are free with no usage charges.
D. Customer managed keys can be rotated automatically every year.
E. You can create and manage customer managed keys.
Answers: D, E

You can enable automatic rotation for customer managed keys.

Why this answer

Options D and E are correct. Customer managed keys are created and managed by the customer and can be rotated automatically (if enabled). AWS managed keys cannot be rotated by the customer.

Option B is incorrect because you can create customer managed keys. Option C is incorrect because AWS managed keys have no monthly charge but API requests incur a per-request cost. Option A is incorrect because you can disable and re-enable customer managed keys, not AWS managed keys.

443
MCQ (easy)

A developer is deploying a web application using AWS Elastic Beanstalk. The application runs on multiple Amazon EC2 instances behind an Application Load Balancer. The developer wants to deploy a new version with zero downtime and the ability to quickly roll back if issues are discovered. Which deployment policy should the developer choose?

A. All at once
B. Rolling
C. Rolling with additional batch
D. Immutable
Answer: D

Correct. Immutable deployment creates a completely new environment, swaps the load balancer target group, and provides zero downtime with easy rollback by terminating the new environment.

Why this answer

Immutable deployment is the correct choice because it launches a completely new set of EC2 instances in a new Auto Scaling group with the updated application version, then swaps the load balancer target group to point to the new instances. This ensures zero downtime during deployment and provides an instant rollback by simply reverting the target group to the old instances if issues are detected.

Exam trap

The trap here is that candidates often confuse 'Rolling with additional batch' with zero-downtime because it adds capacity, but it still terminates old instances before new ones are fully healthy, causing brief downtime, whereas immutable deployment guarantees zero downtime by keeping the old environment fully intact until the swap is complete.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime during the deployment and no ability to roll back without redeploying the old version. Option B is wrong because 'Rolling' updates instances in batches, which reduces but does not eliminate downtime (the old instances are terminated before new ones are fully in service) and rollback requires a reverse rolling update. Option C is wrong because 'Rolling with additional batch' adds a temporary batch of instances to maintain capacity during the update, but still terminates old instances before new ones are fully healthy, risking brief downtime and making rollback slower than immutable.

444
MCQ (easy)

A developer is deploying a new version of a microservice that runs on AWS Fargate. The service is part of an Amazon ECS cluster and has an associated Application Load Balancer (ALB). The developer wants to perform a rolling update without downtime and ensure that at least 50% of the service's desired count remains available during the deployment. The current desired count is 4. The developer updates the task definition and triggers a new service deployment using the AWS CLI. After the update, the developer notices that the service briefly goes to 0 running tasks during the deployment, causing downtime. The ECS service deployment configuration has: minimumHealthyPercent=50 and maximumPercent=200. What is the most likely cause of this downtime?

A. The ALB health check is misconfigured, causing healthy tasks to be marked as unhealthy and replaced.
B. The service is using the CODE_DEPLOY deployment controller instead of the default ECS rolling update controller.
C. The minimumHealthyPercent value of 50% is too low, allowing the service to scale down to 0 tasks.
D. The ALB deregistration delay is set to 0, causing tasks to be removed immediately.
Answer: B

Correct: with the CODE_DEPLOY controller, ECS does not manage the rollout; it stops tasks and waits for an external deployment.

Why this answer

Option B is correct because the default deployment controller is ECS, not CODE_DEPLOY. An ECS rolling update with the given min/max settings should work, but if the deployment controller is set to CODE_DEPLOY, the service does not manage the rollout itself; it expects an external deployment. Here the developer triggered a new deployment with the updated task definition, but the service might have been configured with the CODE_DEPLOY controller, causing it to stop all tasks.

Option C is incorrect because a 50% minimum healthy percent should keep at least 2 tasks running. Option D is incorrect because the deregistration delay affects connection draining, not an immediate drop to 0 tasks. Option A is incorrect because the ALB health check does not by itself cause tasks to stop.

445
MCQ (hard)

An application running on an EC2 instance needs to access a DynamoDB table. The instance is in a private subnet. What is the most secure way to grant access without using long-lived credentials?

A. Create a VPC endpoint for DynamoDB and attach a security group to allow access.
B. Store IAM user access keys in the application configuration file.
C. Create an IAM role with DynamoDB access and attach it to the EC2 instance profile.
D. Use a security group to allow the EC2 instance to communicate with DynamoDB.
Answer: C

Instance profiles provide temporary credentials via the instance metadata service. This is the best practice.

Why this answer

Option C is correct because it uses an IAM role attached to the EC2 instance profile, which allows the instance to obtain temporary security credentials from the AWS Security Token Service (STS). This eliminates the need for long-lived credentials and follows the principle of least privilege. The instance can securely access DynamoDB without storing any secrets on the instance.

Exam trap

The trap here is that candidates often confuse network-level controls (VPC endpoints or security groups) with identity-based access control, mistakenly thinking that enabling private connectivity alone grants API access to DynamoDB.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for DynamoDB enables private network connectivity but does not grant IAM permissions; without an IAM role or credentials, the EC2 instance cannot authenticate to DynamoDB. Option B is wrong because storing IAM user access keys in the application configuration file introduces long-lived credentials that can be compromised, violating the security best practice of using temporary credentials. Option D is wrong because security groups control network traffic at the instance level and cannot authenticate or authorize API calls to DynamoDB; DynamoDB access requires IAM permissions, not network rules.

446
MCQ (medium)

A developer needs to grant an IAM user in the same AWS account access to a specific object in an S3 bucket. The bucket policy currently grants access only to the bucket owner (the root account). Which identity-based policy statement should the developer add to the IAM user's permissions?

A. A bucket policy that allows s3:GetObject for the user.
B. An IAM policy that allows s3:GetObject for the specific object ARN.
C. An S3 access point policy.
D. An IAM policy that allows s3:ListBucket for the bucket.
Answer: B

Correct. An IAM policy attached to the user can grant access to the specific object. The bucket policy does not deny, so this will work.

Why this answer

Option B is correct because an IAM policy attached directly to the user can grant s3:GetObject permission for a specific object ARN (e.g., arn:aws:s3:::bucket-name/object-key). This identity-based policy overrides the bucket policy's default deny for the root-only access, as long as there is no explicit deny in the bucket policy. The bucket policy restricts access to the root account, but an explicit allow in an IAM policy can still grant access to the user since IAM policies and bucket policies are evaluated together, and an explicit allow in either can permit the action unless an explicit deny exists.

Exam trap

The trap here is that candidates confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and assume that a bucket policy is the only way to grant S3 access, overlooking that IAM policies can grant access to specific objects even when the bucket policy restricts access to the root account.

How to eliminate wrong answers

Option A is wrong because a bucket policy is a resource-based policy, not an identity-based policy; the question specifically asks for an identity-based policy statement to add to the IAM user's permissions. Option C is wrong because an S3 access point policy is a separate resource-based policy attached to an access point, not an identity-based policy attached to the IAM user; it does not directly grant permissions to the user's identity. Option D is wrong because s3:ListBucket is a bucket-level action that lists objects in the bucket, not a specific object-level action; it does not grant access to a specific object and is irrelevant for granting GetObject on a particular object ARN.

447
MCQ (easy)

A company wants to store sensitive data in S3. The data must be encrypted at rest using server-side encryption with a key that is automatically rotated annually. Which S3 encryption option should be used?

A. Client-side encryption
B. SSE-S3
C. SSE-KMS with a customer managed key
D. SSE-C
Answer: B

SSE-S3 uses AWS managed keys that rotate automatically.

Why this answer

Option B is correct because SSE-S3 uses AWS managed keys that are automatically rotated. Option C (SSE-KMS) requires managing key rotation. Option D (SSE-C) does not manage rotation.

Option A (client-side encryption) is not server-side encryption.

448
MCQ (easy)

A developer is troubleshooting an EC2 instance that cannot connect to the internet. The instance has a public IP address and is in a public subnet with a route to an internet gateway. The security group allows all outbound traffic. What is the most likely cause?

A. The subnet's route table does not have a route to an internet gateway.
B. The security group's outbound rules are too restrictive.
C. The network ACL's outbound rules are blocking traffic.
D. The instance does not have a public IP address.
Answer: C

Network ACLs are stateless and must allow both inbound and outbound.

Why this answer

Option C is correct because a misconfigured network ACL can block traffic even if the security group allows it. Option D is wrong because the instance has a public IP. Option A is wrong because the route table has a route to an internet gateway.

Option B is wrong because the security group already allows all outbound traffic.

449
MCQ (easy)

A company is using AWS CodeBuild to compile and test code before deploying to Amazon S3. The build process must be triggered automatically whenever a developer pushes code to the 'main' branch of an AWS CodeCommit repository. Which resource should be used to trigger the build?

A. Use AWS CodePipeline with a source stage that connects to the CodeCommit repository and a build stage that invokes the CodeBuild project.
B. Set up an AWS CodeDeploy trigger to start the build when a deployment is created.
C. Configure an Amazon S3 event notification to invoke the CodeBuild project when a new object is created.
D. Create an Amazon CloudWatch Events rule that triggers the CodeBuild project when a repository event occurs.
Answer: A

CodePipeline automatically starts the build when changes are pushed to the repository.

Why this answer

Option A is correct because CodePipeline can automatically start a build in CodeBuild when a code change is pushed to CodeCommit. Option D is wrong because CloudWatch Events can trigger builds but requires setting up a rule; CodePipeline is the recommended service for CI/CD. Option C is wrong because S3 events are for S3 buckets, not CodeCommit.

Option B is wrong because CodeDeploy is for deployment, not for triggering builds.

450
MCQ (medium)

A company uses AWS CloudFormation to deploy infrastructure. The developer has created a stack that includes an Amazon RDS DB instance. The stack creation fails with a rollback, and the error message indicates that the DB instance could not be created because the DB instance identifier already exists. The developer has verified that there is no existing DB instance with that identifier in the account. The stack uses a custom resource to generate the DB instance identifier. The custom resource is a Lambda function that returns a unique identifier. The developer suspects that the custom resource is returning a stale value. What is the MOST likely cause of this issue?

A. The custom resource Lambda function has not been updated with the new code; the stack is using a previous version of the function.
B. The stack is using the same stack name, and CloudFormation is reusing the previous custom resource output.
C. The custom resource Lambda function is returning the same value because it uses a random number generator without a seed.
D. The custom resource Lambda function is not being invoked during stack creation because the service token is incorrect.
Answer: A

If the Lambda function code is changed but the stack uses the old version, it will return the same identifier.

Why this answer

Option A is correct because custom resources in CloudFormation can return stale data if the Lambda function is not updated correctly. The developer may have updated the Lambda function code while the stack is still using the old function version. Option C is incorrect because the custom resource is invoked each time the stack is created, so it should generate a new value.

Option D is incorrect because if the custom resource were not invoked, the stack would fail with a different error (missing property). Option B is incorrect because the DB instance identifier is generated by the custom resource, not by the stack name.
