AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 451-525

1616 questions total · 22 pages · All types, answers revealed

Page 7 of 22
451
Multi-Selectmedium

A developer is investigating why an Amazon API Gateway REST API is returning 504 errors during peak traffic. The API integrates with a Lambda function. Which TWO factors are MOST likely causing the 504 errors? (Choose TWO.)

Select 2 answers
A.The Lambda function is hitting its reserved concurrency limit and being throttled.
B.The API Gateway cache is full and cannot store responses.
C.The AWS WAF is blocking the request.
D.The Lambda function's configured timeout is too short.
E.The API Gateway account-level throttling limits are exceeded.
AnswersA, D

When Lambda throttles, it returns a 429 error, which API Gateway converts to a 504 because it cannot complete the request.

Why this answer

Options A and D are correct. Option D: if the Lambda function's configured timeout is shorter than the work it has to do under peak load, the invocation is cut off before a response is produced and API Gateway reports a gateway timeout (the REST API integration timeout is 29 seconds by default). Option A: if the function has hit its reserved concurrency limit, Lambda throttles the invocation with a 429 and API Gateway cannot complete the request.

Option E (account-level API Gateway throttling) returns 429 to the client, not 504. Option B (cache) does not cause a 504; a cache that cannot store a response simply forwards the request to the backend. Option C (AWS WAF) returns 403.

452
MCQeasy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function reads from a DynamoDB table. The function fails with a timeout error when processing large items. What is the MOST efficient solution?

A.Increase the Lambda function memory.
B.Increase the Lambda function timeout.
C.Enable Lambda provisioned concurrency.
D.Increase the DynamoDB read capacity units.
AnswerB

A longer timeout allows processing of large items without timing out.

Why this answer

Option B is correct because increasing the Lambda timeout gives the function more time to process large items. Option C is wrong because provisioned concurrency reduces cold starts, not execution time. Option A is wrong because more memory also brings more CPU, which may help, but the constraint described is the timeout limit.

Option D is wrong because increasing DynamoDB RCUs addresses throttling, not Lambda timeouts.

453
MCQhard

A developer applied the above bucket policy to an S3 bucket. What is the outcome?

A.Anonymous users are allowed to read objects.
B.Only write requests are denied if not using HTTPS.
C.All requests to the bucket must use HTTPS; otherwise, they are denied.
D.The policy has no effect because it uses Deny.
AnswerC

The condition denies access when SecureTransport is false.

Why this answer

Option C is correct because the policy denies every S3 action when the request is not made over HTTPS (the aws:SecureTransport condition key is false); requests made over HTTPS are untouched by this Deny and are governed by whatever other policies apply. Option B is wrong because the Deny covers all actions, not just writes.

Option A is wrong because the policy contains no Allow statement, so it grants nothing to anonymous users. Option D is wrong because an explicit Deny is always evaluated and overrides any Allow.

454
MCQhard

A developer is troubleshooting an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a batch size of 10 and a maximum concurrency of 5. The function frequently reports errors related to message processing timeouts. The function code is idempotent. Which combination of actions will reduce the number of timeouts and improve processing efficiency?

A.Increase the function timeout to 30 seconds and set the SQS visibility timeout to 6 minutes.
B.Increase the batch size to 20 and increase the function timeout to 30 seconds.
C.Reduce the batch size to 5 and increase the maximum concurrency to 10.
D.Increase the maximum concurrency to 10 and set the SQS visibility timeout to 30 seconds.
AnswerC

Smaller batches reduce processing time per invocation; more concurrency increases throughput.

Why this answer

Option C is correct because reducing the batch size lowers the work per invocation, and raising the maximum concurrency lets more invocations run in parallel. Option B is wrong because a larger batch increases the processing time per invocation. Option A is wrong because a longer timeout does not address the root cause if each batch is too heavy for one invocation.

Option D is wrong because increasing concurrency alone helps less than reducing the batch size, and a short visibility timeout raises the chance that a message is redelivered while it is still being processed.
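The combination the key recommends (smaller batches, more concurrency) pairs well with partial batch responses, so that one slow or malformed message does not force the whole batch back onto the queue. What follows is an added example, not code from the question bank: an idempotent SQS handler that reports per-message failures. The sample event, the orderId message attribute, the in-memory PROCESSED dict and the 5-second work budget are constructed stand-ins (a real function would record idempotency keys in a durable store such as DynamoDB), and the event source mapping must be created with FunctionResponseTypes set to ReportBatchItemFailures for the return value to have any effect.

```python
import hashlib
import json
import time

# Constructed stand-in for a durable idempotency store (in production a
# DynamoDB conditional PutItem keyed on the dedup key). key -> "done"
PROCESSED = {}

# Assumed per-invocation work budget, kept well below the function timeout so
# unfinished records are handed back to SQS instead of the whole batch timing out.
WORK_BUDGET_SECONDS = 5.0


def dedup_key(record):
    """Key under which a message's side effect is recorded exactly once.
    Prefers a producer-supplied business id; falls back to a body hash so a
    redelivered copy of the same message collides with the original."""
    attrs = record.get("messageAttributes") or {}
    business_id = attrs.get("orderId", {}).get("stringValue")
    if business_id:
        return "order:" + business_id
    return "sha256:" + hashlib.sha256(record["body"].encode("utf-8")).hexdigest()


def process_one(body):
    """Domain work. Raises on malformed input so the record is reported failed."""
    payload = json.loads(body)
    if "amount" not in payload:
        raise ValueError("missing amount")
    return payload


def handler(event, context=None, clock=time.monotonic):
    """Lambda entry point for an SQS event source using ReportBatchItemFailures.
    `clock` is injectable only so the budget path can be exercised offline."""
    started = clock()
    failures = []
    for record in event["Records"]:
        key = dedup_key(record)
        if PROCESSED.get(key) == "done":
            continue  # duplicate delivery: acknowledge, do not repeat the side effect
        if clock() - started > WORK_BUDGET_SECONDS:
            # Out of budget: give this and the remaining records back to SQS
            # (they become visible again after the visibility timeout) rather
            # than letting the invocation time out and retry already-done items.
            failures.append({"itemIdentifier": record["messageId"]})
            continue
        try:
            process_one(record["body"])
            PROCESSED[key] = "done"
        except Exception:
            # Any per-record error is reported for that record only; the rest
            # of the batch is still deleted from the queue.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# Constructed sample event: m3 is a redelivery of m1, m2 is malformed.
SAMPLE_EVENT = {"Records": [
    {"messageId": "m1", "body": json.dumps({"amount": 10}),
     "messageAttributes": {"orderId": {"stringValue": "A1", "dataType": "String"}}},
    {"messageId": "m2", "body": "not json", "messageAttributes": {}},
    {"messageId": "m3", "body": json.dumps({"amount": 10}),
     "messageAttributes": {"orderId": {"stringValue": "A1", "dataType": "String"}}},
]}

# Constructed second batch (fresh ids) used to show the budget path.
SAMPLE_EVENT_2 = {"Records": [
    {"messageId": "n1", "body": json.dumps({"amount": 1}), "messageAttributes": {}},
    {"messageId": "n2", "body": json.dumps({"amount": 2}), "messageAttributes": {}},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

With this shape a redelivered batch costs only the failed records, and the idempotency check makes the "function code is idempotent" premise of the question concrete: the side effect for a given key happens once even when SQS delivers the same message twice. The visibility timeout still has to exceed the function timeout, or records in flight will be redelivered to a second invocation before the first finishes.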

455
MCQhard

A developer is using Amazon API Gateway with a Lambda integration. The API returns a 502 Bad Gateway error. The developer checks the Lambda function logs and finds no invocations. What is the most likely cause?

A.The Lambda function is returning a non-JSON response.
B.The API Gateway does not have permission to invoke the Lambda function.
C.The Lambda function is timing out due to a long-running operation.
D.The Lambda function's memory is insufficient, causing it to crash.
AnswerB

Without a resource-based policy, API Gateway cannot invoke Lambda, leading to a 502.

Why this answer

A 502 Bad Gateway error from API Gateway with Lambda integration typically indicates that the Lambda function either returned an invalid response or was not invoked at all. Since the Lambda logs show no invocations, the most likely cause is that API Gateway lacks the necessary resource-based policy permission to invoke the Lambda function. Without this permission, API Gateway cannot trigger the function, resulting in a 502 error without any invocation record.

Exam trap

The trap here is that candidates often assume a 502 error always means the Lambda function returned malformed data (Option A), but the absence of invocation logs points to a permissions issue, not a response formatting problem.

How to eliminate wrong answers

Option A is wrong because a non-JSON response from Lambda would still result in an invocation (and thus appear in logs), and the 502 would occur after invocation due to response formatting issues. Option C is wrong because a Lambda timeout would still generate an invocation log entry and a 502 error would occur after the timeout, not before any invocation. Option D is wrong because insufficient memory would cause the function to crash during execution, which would still produce an invocation log entry before the crash.

456
MCQmedium

Refer to the exhibit. A developer ran the above commands to inspect a KMS key. What can be determined about this key?

A.The key is disabled.
B.The key can be used in multiple AWS regions.
C.The key is an AWS managed key.
D.The key is a customer managed key.
AnswerD

KeyManager: CUSTOMER indicates customer managed.

Why this answer

Option D is correct because KeyManager is CUSTOMER, meaning the key is a customer managed key. Option C is incorrect because an AWS managed key would show KeyManager: AWS. Option B is incorrect because MultiRegion is false.

Option A is incorrect because the key is enabled, not disabled.

457
MCQmedium

A developer is using AWS CodeBuild to build a Java application. The build fails with the error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE'. What is the most likely cause?

A.The build environment does not have enough memory.
B.The Docker image specified in the build environment does not exist or the repository is not accessible.
C.The build command has a syntax error.
D.The buildspec.yml file does not define artifacts.
AnswerB

This error indicates the image could not be pulled.

Why this answer

The error 'BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE' in AWS CodeBuild indicates that the service cannot pull the specified Docker image from the repository. This occurs when the image name/tag is incorrect, the image does not exist in the specified registry (e.g., Amazon ECR or Docker Hub), or the CodeBuild service role lacks the necessary permissions (e.g., ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) to access the repository. Option B correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates often confuse build-phase errors (like syntax errors in commands) with environment setup errors (like image pull failures), leading them to select options related to build commands or artifacts instead of recognizing the error message's specific reference to container image retrieval.

How to eliminate wrong answers

Option A is wrong because insufficient memory would cause a different error, such as 'BUILD_CONTAINER_MEMORY_LIMIT_EXCEEDED' or a container OOM kill, not an image pull failure. Option C is wrong because a syntax error in the build command would result in a build phase failure (e.g., 'Error: command not found' or a non-zero exit code), not a container image pull error. Option D is wrong because the absence of artifacts in buildspec.yml would cause a build success but no output, or a warning, not a container image pull failure.

458
Multi-Selecthard

A developer is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a source stage that uses an Amazon S3 bucket, a build stage that uses AWS CodeBuild, and a deploy stage that uses AWS CodeDeploy. The developer wants to ensure that the pipeline automatically triggers when a new file is uploaded to the S3 source bucket. Which TWO steps should the developer take to configure this? (Choose two.)

Select 2 answers
A.Create a webhook in CodePipeline and configure S3 to send HTTP requests to the webhook URL.
B.Enable S3 event notifications on the bucket to publish events to Amazon CloudWatch Events.
C.Configure AWS CloudTrail to log S3 PutObject events and trigger the pipeline.
D.Create an AWS Lambda function that is invoked on S3 object creation and starts the pipeline.
E.In the CodePipeline source action, specify the S3 bucket and enable 'S3 source change detection'.
AnswersB, E

Correct: S3 event notifications can trigger CloudWatch Events, which can trigger the pipeline.

Why this answer

Option B is correct because S3 event notifications can publish object-created events to CloudWatch Events (EventBridge), which can start the pipeline. Option E is correct because the source action must point at the bucket with change detection enabled so that those events are tied to the pipeline. Option C is incorrect because CloudTrail records API activity for auditing; it does not start a pipeline by itself.

Option D is incorrect because a Lambda function is not required; the event can start CodePipeline directly. Option A is incorrect because webhooks are for third-party sources such as GitHub.

459
MCQmedium

A company is using AWS Secrets Manager to rotate database credentials automatically. The rotation Lambda function fails with a timeout. Which action should be taken to resolve this issue?

A.Reduce the rotation schedule interval.
B.Increase the Lambda function timeout.
C.Place the Lambda function in a VPC with a NAT gateway.
D.Store the rotation schedule in EC2 user data.
AnswerB

Increasing timeout allows the rotation to complete.

Why this answer

The Lambda function is timing out during the rotation process, which indicates that the default 3-second timeout is insufficient for the rotation logic. Increasing the Lambda function timeout (Option B) directly addresses this by allowing the function more time to complete the rotation, such as calling the Secrets Manager API, updating the database, and verifying the new credentials.

Exam trap

The trap here is that candidates may confuse a timeout with a network issue and incorrectly choose to place the Lambda in a VPC with a NAT gateway, when the real problem is simply that the default execution duration is too short for the rotation logic.

How to eliminate wrong answers

Option A is wrong because reducing the rotation schedule interval does not fix a timeout during execution; it only makes the rotation happen more frequently, potentially exacerbating the issue. Option C is wrong because placing the Lambda function in a VPC with a NAT gateway is unrelated to a timeout; it is used to enable internet access for Lambda functions in a VPC, but rotation timeouts are typically due to insufficient execution time, not network connectivity. Option D is wrong because storing the rotation schedule in EC2 user data is irrelevant; Secrets Manager rotation is managed by Lambda, not EC2, and user data is used for instance bootstrapping, not for scheduling rotation.

460
MCQhard

A developer is building a multi-region application using Amazon DynamoDB global tables. The application needs to read data from a replica table in a different region shortly after a write in the primary region. The developer notices that reads sometimes return stale data. Which of the following explains this behavior?

A.Global tables use asynchronous replication, introducing unavoidable replication lag.
B.The developer must use DynamoDB Streams to capture changes and replicate them separately.
C.The developer must enable strong consistency reads on the replica table.
D.The global table must be configured with write forwarding.
AnswerA

Replication between regions is eventually consistent, meaning there can be a delay before data appears in other regions.

Why this answer

Amazon DynamoDB global tables use asynchronous replication to propagate writes from one region to all other replica tables. This means that after a write in the primary region, there is an inherent replication lag (typically sub-second but can be higher under load or network issues) before the change is visible in other regions. The developer observes stale reads because the read is hitting a replica that has not yet received the update, which is expected behavior for eventually consistent reads on global tables.

Exam trap

The trap here is that candidates often assume DynamoDB global tables provide immediate consistency across regions (like synchronous replication) or that they can simply switch to strong consistency reads on replicas, but the exam tests the understanding that global tables are eventually consistent and that strong consistency is not available on replica tables.

How to eliminate wrong answers

Option B is wrong because DynamoDB Streams are used to capture item-level changes for custom processing (e.g., triggering Lambda functions), but they are not required for replication in global tables—global tables handle replication internally using the DynamoDB replication protocol. Option C is wrong because strong consistency reads are not supported on replica tables in a global table setup; only eventually consistent reads are available on replicas, so enabling strong consistency reads is not an option. Option D is wrong because write forwarding is a feature that allows a write request to a replica to be forwarded to the primary region for execution, but it does not affect the read consistency or replication lag when reading from a replica after a write in the primary region.

461
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application uses an in-environment Amazon RDS database instance. The developer needs to update the application code without risking data loss. The database must not be affected by environment operations such as termination or updates. What is the recommended approach?

A.Create a standalone Amazon RDS instance and reconfigure the application to use it instead of the in-environment database.
B.Take a snapshot of the database before each deployment and restore it after the deployment completes.
C.Use the Elastic Beanstalk environment's 'Swap environment URLs' feature to perform a blue/green deployment.
D.Create a new Elastic Beanstalk environment with a new RDS instance and migrate data manually.
AnswerA

Decoupling the database from the Elastic Beanstalk environment ensures that data persists even if the environment is terminated. This is the recommended approach.

Why this answer

Option A is correct because decoupling the RDS database from the Elastic Beanstalk environment by creating a standalone RDS instance ensures that the database is not tied to the environment's lifecycle. In-environment databases are automatically deleted when the environment is terminated or updated, risking data loss. By reconfiguring the application to point to an external RDS instance, the database persists independently of environment operations, meeting the requirement to avoid data loss during code updates or environment changes.

Exam trap

The trap here is that candidates may assume the 'Swap environment URLs' blue/green deployment (Option C) inherently protects the database, but they overlook that in-environment databases are still tied to the environment lifecycle, so the original database can be lost when the old environment is terminated.

How to eliminate wrong answers

Option B is wrong because taking a snapshot before each deployment and restoring it after does not prevent data loss during the deployment window; any writes between the snapshot and restore would be lost, and it introduces unnecessary complexity and downtime. Option C is wrong because the 'Swap environment URLs' feature for blue/green deployment swaps traffic between two environments, but if both environments use in-environment databases, the database in the original environment is still at risk of deletion or data loss during termination or updates. Option D is wrong because creating a new environment with a new RDS instance and manually migrating data does not guarantee zero data loss during the migration process, and it duplicates effort without addressing the core issue of decoupling the database from the environment lifecycle.

462
MCQeasy

A developer is deploying a Node.js application to AWS Elastic Beanstalk. The application uses environment variables for database credentials. What is the BEST way to securely provide these credentials to the application?

A.Store the credentials in a file in the source code repository.
B.Store the credentials in the application's configuration file within the deployment package.
C.Hardcode the credentials in the application code.
D.Set environment properties in the Elastic Beanstalk environment configuration.
AnswerD

Environment properties are secure and easily managed.

Why this answer

Option D is correct because Elastic Beanstalk allows you to set environment properties in the environment configuration, which are injected as environment variables into the application's runtime. This keeps the credentials out of the source code and the deployment artifact. For a Node.js application, these values are read via `process.env`, so rotation requires only a configuration update, not a new build. Note that environment properties are still readable by anyone who can describe the environment's configuration, so for production credentials a runtime lookup from AWS Secrets Manager (see question 465) is the stronger pattern.

Exam trap

The trap here is that candidates may think storing credentials in a configuration file (Option B) is acceptable because it separates code from configuration, but they overlook that the configuration file is still part of the deployment package and can be accessed by anyone with access to the artifact or the running environment.

How to eliminate wrong answers

Option A is wrong because storing credentials in a file in the source code repository exposes them to anyone with access to the repository, violating security best practices and potentially leading to credential leakage in version control history. Option B is wrong because including credentials in the application's configuration file within the deployment package embeds them in the deployable artifact, making them accessible to anyone who can access the deployment package or the running environment's filesystem. Option C is wrong because hardcoding credentials in the application code is a severe security risk, as it exposes secrets in the codebase, makes rotation difficult, and violates the principle of separating configuration from code.

463
MCQeasy

A developer is creating an IAM policy for an Amazon S3 bucket that must allow read access to a specific object only. Which policy element should be used to restrict access to the object?

A.Action
B.Condition
C.Principal
D.Resource
AnswerD

Resource specifies the S3 object ARN to restrict access to that object only.

Why this answer

The Resource element in an IAM policy specifies the ARN of the resource. For S3, the ARN format is arn:aws:s3:::bucket-name/key. Using a specific object ARN restricts access to that object only.

464
MCQeasy

A developer is deploying a Python application to AWS Lambda. The application has several dependencies. The developer wants to ensure that the deployment package is as small as possible to reduce cold start times. What should the developer do?

A.Use Lambda Layers to manage dependencies separately from the function code.
B.Use an S3 bucket to store the deployment package.
C.Use AWS CodeBuild to optimize the package.
D.Include all dependencies in the deployment package.
AnswerA

Layers reduce the function code size and are reused across functions.

Why this answer

Lambda Layers allow you to package and manage dependencies (like Python libraries) separately from your function code. By moving dependencies to a layer, the function code deployment package becomes smaller, which reduces the time Lambda spends downloading and extracting the package during cold starts. Layers are cached across executions, further improving performance.

Exam trap

The trap here is that candidates may think including all dependencies in the package is simpler or more reliable, but they overlook that Lambda Layers are the designed AWS mechanism to reduce deployment package size and improve cold start performance.

How to eliminate wrong answers

Option B is wrong because storing the deployment package in an S3 bucket is a standard way to upload large packages to Lambda, but it does not reduce the package size or cold start times. Option C is wrong because AWS CodeBuild is a continuous integration service that builds and tests code, but it does not inherently optimize the deployment package for size or cold start performance. Option D is wrong because including all dependencies in the deployment package directly increases its size, which worsens cold start latency, contradicting the goal of minimizing the package.

465
MCQeasy

A developer needs to securely store database credentials for a serverless application. Which service should be used?

A.Amazon S3 with server-side encryption.
B.AWS Identity and Access Management (IAM).
C.AWS Systems Manager Parameter Store.
D.AWS Secrets Manager.
AnswerD

Designed for secret storage and rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed to store, encrypt and rotate secrets such as database credentials. Option A is wrong because S3, even with server-side encryption, is object storage and provides no secret lifecycle management. Option B is wrong because IAM manages identities and permissions, not secrets.

Option C is wrong because Systems Manager Parameter Store can hold secure strings but does not provide built-in automatic rotation the way Secrets Manager does.

466
MCQmedium

A developer is deploying a web application using AWS Elastic Beanstalk. The application uses a MySQL database. During deployment, the developer needs to apply database schema migrations. Which approach should the developer use to run database migrations as part of the Elastic Beanstalk deployment?

A.Use an .ebextensions configuration file to run a migration script during deployment.
B.Configure an RDS event subscription to trigger a Lambda function that runs migrations.
C.Run the migration script as a scheduled task using CloudWatch Events.
D.Use AWS CodeDeploy's AppSpec file to run the migration script.
AnswerA

.ebextensions allows custom commands.

Why this answer

Option A is correct because .ebextensions config files can run custom commands during deployment, such as a migration script (container_commands run after the new application version is extracted, and leader_only: true limits the migration to a single instance). Option B is wrong because RDS event subscriptions report database lifecycle events, not application deployments. Option C is wrong because a scheduled task is not tied to the deployment.

Option D is wrong because the AppSpec file belongs to CodeDeploy, a separate service; Elastic Beanstalk does not use it.

467
Multi-Selectmedium

A company is using Amazon S3 to store large objects. Users report that uploads are slow. Which THREE actions should the developer take to optimize upload performance?

Select 3 answers
A.Use multipart upload for objects over 100 MB.
B.Use S3 Select to upload only specific parts of the object.
C.Enable S3 Transfer Acceleration.
D.Transition objects to S3 Glacier after upload.
E.Use multiple S3 prefixes to increase request rate.
AnswersA, C, E

Multipart upload improves throughput by parallelizing uploads.

Why this answer

Option A is correct because multipart upload splits a large object into parts that are uploaded in parallel. Option C is correct because S3 Transfer Acceleration routes uploads through CloudFront edge locations, reducing latency over long distances. Option E is correct because S3 request-rate limits apply per prefix, so spreading objects across prefixes raises the achievable request rate.

Option B is wrong because S3 Select retrieves a subset of an object's data; it has no role in uploads. Option D is wrong because Glacier is for archival, not for active uploads.

468
MCQeasy

A developer notices that an EC2 instance running a web application is unreachable via its public IP. The instance passes status checks but security group rules appear correct. What should the developer check NEXT?

A.Verify that the instance has an Elastic IP associated.
B.Check the network ACL associated with the subnet for rules that may block traffic.
C.Review the route table for a route to an internet gateway.
D.Inspect the IAM role attached to the instance for network permissions.
AnswerB

NACLs are stateless and can block traffic even if security groups allow it.

Why this answer

The instance passes status checks and security group rules appear correct, which rules out OS-level and security group issues. Since the instance is unreachable via its public IP, the next logical step is to check the network ACL (NACL) associated with the subnet, because NACLs are stateless and can block inbound or outbound traffic even if security groups allow it. NACLs evaluate rules in order by rule number, and a deny rule (or missing allow rule) for the required ephemeral ports (e.g., 1024-65535 for return traffic) could silently drop packets.

Exam trap

The trap here is that candidates often assume security group rules are the only network filter and overlook the stateless nature of network ACLs, which can block traffic even when security groups are correctly configured.

How to eliminate wrong answers

Option A is wrong because an Elastic IP is not required for reachability; an auto-assigned public IP from the subnet's setting works just as well, so this is not the next check. Option C is a reasonable later check, but the question asks for the next filter to inspect once security groups have been ruled out; verify the route to the internet gateway if the NACL turns out to be clean. Option D is wrong because IAM roles govern AWS API permissions (for example S3 or DynamoDB calls), not network traffic to or from the instance; that is the job of security groups and NACLs.

469
Multi-Selectmedium

A developer is using IAM roles to grant permissions to an EC2 instance. Which TWO statements are true about IAM roles for EC2?

Select 2 answers
A.An EC2 instance can have multiple IAM roles attached simultaneously.
B.Temporary security credentials are obtained from the instance metadata service.
C.The temporary credentials expire after 6 hours and must be manually refreshed.
D.An IAM role can only be attached to one EC2 instance at a time.
E.An IAM role can be attached to a running EC2 instance without stopping it.
AnswersB, E

EC2 instances use Instance Metadata Service to get role credentials.

Why this answer

Options B and E are correct: the instance obtains temporary credentials for its role from the instance metadata service (use IMDSv2, which requires a session token, to limit SSRF-style credential theft), and a role can be attached to or replaced on a running instance without stopping it. Option A is wrong because an instance has exactly one instance profile, and a profile holds one role. Option C is wrong because the credentials are rotated automatically by AWS before they expire; the SDKs refresh them without manual intervention.

Option D is wrong because the same role, through its instance profile, can be used by any number of instances at once.

470
MCQmedium

A developer needs an S3 upload workflow where clients upload large files directly to S3 without exposing AWS credentials through the browser. What should the backend generate?

A.Pre-signed URLs with appropriate expiration and object restrictions
B.Long-lived IAM access keys for each client
C.A public-read bucket policy
D.An S3 Inventory report
AnswerA

Pre-signed URLs give the client temporary, narrowly scoped access without shipping any credentials to the browser.

Why this answer

Pre-signed URLs allow the backend to generate time-limited, permission-restricted URLs that clients can use to upload objects directly to S3 without exposing AWS credentials. The backend signs the URL with IAM credentials, and the client uses the URL to perform the PUT operation, ensuring secure, credential-free uploads.

Exam trap

The trap here is that candidates may confuse pre-signed URLs with public bucket policies or long-lived keys, thinking that any form of direct access requires exposing credentials, when in fact pre-signed URLs provide temporary, scoped access without credential leakage.

How to eliminate wrong answers

Option B is wrong because long-lived IAM access keys would expose permanent credentials in the browser, violating the requirement to avoid credential exposure and creating a severe security risk. Option C is wrong because a public-read bucket policy allows anyone to read objects but does not provide a secure, controlled upload mechanism; it would also expose the bucket to unauthorized writes if not carefully restricted. Option D is wrong because an S3 Inventory report is a listing of objects for auditing or lifecycle management, not a mechanism for uploading files.
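To show what the backend actually produces, here is an added example, not code from the question bank, that implements SigV4 query-string pre-signing for an S3 PUT using only the standard library (boto3's generate_presigned_url does the same in production). The bucket, region, timestamp and the AKIAIOSFODNN7EXAMPLE key pair are AWS's documentation placeholders; nothing here contacts S3, so the output can be inspected offline.

```python
import datetime as dt
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, datestamp, region, service="s3"):
    # SigV4 key derivation: the secret never appears in the URL, only an HMAC
    # produced from a date/region/service-scoped chain derived from it.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign(bucket, key, access_key, secret_key, region,
            method="PUT", expires=300, now=None):
    """Mint a pre-signed URL honoured for `expires` seconds for exactly one HTTP
    method, bucket and object key. `now` is a Unix timestamp (default: current
    time); fixing it makes the output reproducible."""
    ts = time.time() if now is None else now
    when = dt.datetime.fromtimestamp(ts, dt.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    datestamp = when.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, every value RFC 3986-encoded
    # (so the '/' inside the credential scope becomes %2F).
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method,
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",    # canonical headers, each line newline-terminated
        "host",              # signed headers: only Host is bound by the signature
        "UNSIGNED-PAYLOAD",  # S3 pre-signed URLs do not bind the body hash
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, datestamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def signature_of(url):
    """The 64-hex-character signature carried by a pre-signed URL."""
    return parse_qs(urlsplit(url).query)["X-Amz-Signature"][0]


def seconds_remaining(url, now):
    """Seconds until S3 stops honouring the URL (negative once expired), from
    its X-Amz-Date and X-Amz-Expires parameters. `now` is a Unix timestamp."""
    qs = parse_qs(urlsplit(url).query)
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc).timestamp()
    return int(qs["X-Amz-Expires"][0]) - (now - issued)


# Constructed placeholders (AWS's documentation example key pair); never put
# real keys in sample code.
DEMO_BUCKET, DEMO_REGION = "my-app-data", "us-east-1"
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_TIME = 1704164645  # 2024-01-02T03:04:05Z
DEMO_URL = presign(DEMO_BUCKET, "uploads/a b.bin", DEMO_ACCESS_KEY,
                   DEMO_SECRET_KEY, DEMO_REGION, now=DEMO_TIME)

if __name__ == "__main__":
    print(DEMO_URL)
```

The URL binds the method, bucket, key, expiry and signing identity; changing any of them invalidates the signature, which is why a client cannot widen what it was given. It does not bind the body or its size, so if an upload size cap matters, use a pre-signed POST with a content-length-range policy condition instead, and keep the expiry as short as the upload realistically needs.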

471
MCQeasy

A developer is creating an IAM policy to allow an EC2 instance to read objects from a specific S3 bucket named 'my-app-data'. The policy should be attached to an IAM role that will be assumed by the EC2 instance. Which policy statement meets this requirement?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-app-data/*" } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*" } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::my-app-data/*" } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-app-data/*" } ] }
AnswerD

This allows only GetObject on the specific bucket.

Why this answer

Option D is correct because it grants only the s3:GetObject permission on the specific S3 bucket 'my-app-data' and its objects, which is the minimum required to allow an EC2 instance to read objects from that bucket. The policy is designed to be attached to an IAM role that the EC2 instance assumes, following the principle of least privilege.

Exam trap

The trap here is that candidates often choose overly permissive policies (like s3:* or including s3:PutObject) or forget to scope the resource to the specific bucket, leading to security misconfigurations that fail the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because it allows all S3 actions (s3:*) on the bucket objects, which is overly permissive and violates the requirement to only allow read access. Option B is wrong because it allows s3:GetObject on all S3 resources (*), which grants read access to any S3 bucket, not just 'my-app-data', and is a security risk. Option C is wrong because it includes s3:PutObject in addition to s3:GetObject, which allows write access to the bucket, exceeding the requirement of read-only access.

472
Multi-Select (easy)

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which THREE actions are required?

Select 3 answers
A.Instruct users to use their MFA device when logging in
B.Configure a password policy that requires MFA
C.Create a service control policy (SCP) to enforce MFA
D.Enable MFA for each IAM user
E.Create an IAM policy that denies access unless MFA is present
Answers: A, D, E

Users must present MFA code during authentication.

Why this answer

Option A is correct because instructing users to use their MFA device when logging in is a necessary step to ensure that users know how to properly authenticate with their assigned MFA device (e.g., virtual TOTP token or hardware key fob) during the AWS Management Console login process. Without this instruction, users may not complete the MFA challenge, leaving the policy enforcement ineffective. This action complements the technical enforcement by providing user guidance.

Exam trap

The trap here is that candidates often think a password policy or SCP can enforce MFA, but password policies only control password rules and SCPs operate at the organizational level, not on individual IAM user login sessions.

473
MCQ (easy)

A developer is using Amazon DynamoDB to store session data for a web application. The application experiences read-heavy traffic and the developer wants to reduce latency. Which feature should be used to improve read performance?

A.DynamoDB Global Tables
B.DynamoDB Streams
C.DynamoDB Accelerator (DAX)
D.DynamoDB Time to Live (TTL)
Answer: C

DAX is an in-memory cache for DynamoDB, improving read performance.

Why this answer

Correct: A. DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency. Option B is wrong because DynamoDB Streams is for change data capture, not caching.

Option C is wrong because Global Tables are for multi-region replication, not read performance within a region. Option D is wrong because TTL is for automatic item expiration, not caching.

474
MCQ (medium)

A developer is using AWS CodeDeploy to deploy an application to an EC2 Auto Scaling group. The deployment must be rolled back automatically if any instance in the deployment fails a health check within 10 minutes after the deployment. Which configuration should the developer set in the CodeDeploy deployment group?

A.Set the deployment style to in-place and enable automatic rollback with event triggers.
B.Configure a deployment configuration with a minimum healthy hosts of 90% and enable CloudWatch alarm-based rollback.
C.Set the deployment style to blue/green and enable automatic rollback for deployment failure.
D.Configure a deployment group with automatic rollback enabled and set the rollback trigger to instance failure.
Answer: D

This directly configures automatic rollback based on instance failure events, which include health check failures during the deployment lifecycle. CodeDeploy will then automatically revert to the previous deployment revision.

Why this answer

Option D is correct because the developer needs to configure the CodeDeploy deployment group with automatic rollback enabled and set the rollback trigger to 'instance failure'. This configuration ensures that if any instance fails a health check within the specified monitoring period (10 minutes after deployment), CodeDeploy automatically rolls back the deployment to the last known good revision. The 'instance failure' trigger specifically monitors the health of each instance and initiates a rollback when a health check fails, meeting the requirement exactly.

Exam trap

The trap here is that candidates often confuse 'deployment failure' (which triggers rollback only when the entire deployment process fails) with 'instance failure' (which triggers rollback when any individual instance fails a health check after deployment), leading them to choose options that only handle deployment-level failures.

How to eliminate wrong answers

Option A is wrong because setting the deployment style to in-place with automatic rollback and event triggers does not provide the specific health check monitoring within a 10-minute window; event triggers are for lifecycle events, not for health check failures. Option B is wrong because configuring a minimum healthy hosts of 90% and enabling CloudWatch alarm-based rollback only triggers a rollback when a CloudWatch alarm fires, not directly when an instance fails a health check within 10 minutes; this approach is for broader metric-based rollbacks, not per-instance health monitoring. Option C is wrong because blue/green deployment style with automatic rollback for deployment failure only rolls back if the entire deployment fails, not if a single instance fails a health check after deployment; it does not provide the granular per-instance health check monitoring required.

475
MCQ (medium)

A company is building a serverless application using AWS Lambda functions that write results to an Amazon DynamoDB table. The Lambda functions are invoked by an Amazon API Gateway REST API. During testing, some requests fail with a 503 status code. The Lambda function code is correct. What is the MOST likely cause of the 503 errors?

A.The DynamoDB table has insufficient write capacity.
B.The Lambda function execution time exceeds the configured timeout.
C.The Lambda function's IAM role does not have permission to write to DynamoDB.
D.The API Gateway stage has throttling limits configured.
Answer: B

Lambda timeout causes API Gateway to return a 503.

Why this answer

Option B is correct because 503 errors from API Gateway typically indicate that the Lambda function is not returning a response within the timeout. Option A is wrong because DynamoDB writes are asynchronous from API Gateway's perspective. Option C is wrong because missing IAM role would cause 500 or 403, not 503.

Option D is wrong because throttling would cause 429, not 503.

476
MCQ (easy)

Refer to the exhibit. A developer created this CloudFormation template. After deployment, the stack creation fails with 'Bucket name already exists'. What should the developer do to fix the issue?

A.Change the BucketName to include a random suffix.
B.Remove the MyQueue resource.
C.Remove the VersioningConfiguration from the bucket.
D.Set SqsManagedSseEnabled to false.
Answer: A

A random suffix ensures a globally unique bucket name.

Why this answer

Option B is correct because the bucket name is derived from the stack name, which might be already used. Changing the bucket name to include a unique suffix will avoid conflicts. Option A is wrong because removing versioning does not affect bucket name uniqueness.

Option C is wrong because the queue is not the issue. Option D is wrong because disabling SSE does not affect naming.

477
MCQ (easy)

A company wants to encrypt data at rest in Amazon S3. Which AWS service can be used to manage the encryption keys?

A.AWS Certificate Manager (ACM)
B.AWS CloudHSM
C.AWS Identity and Access Management (IAM)
D.AWS Key Management Service (KMS)
Answer: D

KMS is used for creating and managing encryption keys.

Why this answer

Option C is correct because AWS KMS manages encryption keys for S3 SSE-KMS. Option A is wrong because CloudHSM is for hardware-based key management but not directly integrated with S3. Option B is wrong because IAM is for access control, not key management.

Option D is wrong because ACM is for SSL/TLS certificates.

478
MCQ (easy)

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to deploy a new version of the application to a separate environment for testing before switching production traffic. Which deployment strategy should be used?

A.Immutable deployment.
B.All at once deployment.
C.Blue/green deployment.
D.Rolling deployment.
Answer: C

This creates a separate environment for testing and swaps URLs.

Why this answer

Option D is correct because blue/green deployment creates a separate environment (green) for testing and then swaps URLs to switch traffic. Option A is wrong because all-at-once updates the current environment. Option B is wrong because rolling updates update instances in batches in the same environment.

Option C is wrong because immutable updates create a new Auto Scaling group in the same environment.

479
MCQ (hard)

An application running on EC2 instances behind an Application Load Balancer is experiencing high error rates. The ALB target group health checks are failing. The instances are in an Auto Scaling group with a minimum of 2 and maximum of 10. What should a developer do to troubleshoot?

A.Check the EC2 instance system log and screenshot.
B.Review the ALB access logs.
C.Modify the Auto Scaling group's scaling policy.
D.Increase the maximum size of the Auto Scaling group.
Answer: A

The system log and instance screenshot can reveal OS boot issues or application crashes.

Why this answer

Option A is correct because checking the instance system log and screenshot helps diagnose OS-level issues. Option B is wrong because that only shows traffic. Option C is wrong because scaling policies don't affect health check failures.

Option D is wrong because increasing max size doesn't fix existing instances.

480
MCQ (medium)

Why is the Lambda function not being invoked?

A.The Lambda execution role does not have permission to be invoked by S3.
B.The Lambda permission does not specify the correct source account.
C.The Lambda function has a runtime that is not supported.
D.The S3 bucket does not have a notification configuration for the Lambda function.
Answer: D

The bucket resource is missing the NotificationConfiguration property.

Why this answer

The S3 bucket has no notification configuration to trigger the Lambda function. The Lambda permission allows S3 to invoke, but the bucket must have a NotificationConfiguration event. Option D is correct.

Option A is wrong because runtime is supported. Option B is wrong because permission is correct. Option C is wrong because the role is for Lambda execution, not S3 invocation.

481
MCQ (easy)

A developer is deploying a new version of a Lambda function using the AWS CLI. The function is part of a serverless application that processes S3 events. The developer wants to ensure that the new version is production-ready and that the old version is still available for rollback. Which CLI command should the developer use to create a new version of the Lambda function?

A.aws lambda publish-version --function-name my-function
B.aws lambda update-function-configuration --function-name my-function --handler new-handler
C.aws lambda update-function-code --function-name my-function --zip-file fileb://my-code.zip
D.aws lambda create-function --function-name my-function --zip-file fileb://my-code.zip
Answer: A

This command publishes a new version of the Lambda function.

Why this answer

Option A is correct because the `aws lambda publish-version` command creates an immutable, versioned snapshot of the Lambda function's code and configuration, which is required for production-ready deployments. This ensures the old version remains available for rollback while the new version is published with a unique version number (e.g., $LATEST, 1, 2). The command explicitly publishes the current $LATEST version as a new numbered version, making it production-ready without affecting existing versions.

Exam trap

The trap here is that candidates confuse deploying code with `update-function-code` (which only updates $LATEST) with publishing a new version, assuming that any code update automatically creates a version; in reality, you must explicitly run `publish-version` to create an immutable, numbered version for production use and rollback.

How to eliminate wrong answers

Option B is wrong because `update-function-configuration` only modifies the function's configuration settings (e.g., handler, runtime, environment variables) and does not create a new version; it updates the $LATEST version in place, leaving no immutable snapshot for rollback. Option C is wrong because `update-function-code` only deploys new code to the $LATEST version, overwriting the existing code without creating a new numbered version; the old code is lost unless a version was previously published. Option D is wrong because `create-function` is used to create a new Lambda function from scratch, not to deploy a new version of an existing function; it would fail if the function already exists or create a separate function, which does not preserve the old version for rollback.

482
MCQ (easy)

A developer needs to allow an EC2 instance to read items from a DynamoDB table. Which is the best practice for granting permissions?

A.Store IAM user access keys on the instance
B.Use root user credentials
C.Attach an IAM role with the required permissions to the EC2 instance
D.Apply a service control policy (SCP) to the instance
Answer: C

IAM roles are the secure way to grant permissions to AWS services.

Why this answer

Attaching an IAM role to the EC2 instance is the best practice because it avoids embedding credentials. Option B (IAM user keys) is less secure. Option C (root credentials) is insecure.

Option D (service control policy) is for organizational boundaries, not EC2 permissions.

483
Multi-Select (medium)

A company wants to audit access to their S3 buckets. Which TWO services can be used to log and monitor S3 API calls?

Select 2 answers
A.AWS Config
B.S3 server access logs
C.AWS CloudTrail
D.AWS KMS
E.Amazon CloudWatch Logs
Answers: B, C

These logs record object-level requests.

Why this answer

Option A is correct because CloudTrail logs S3 management events. Option C is correct because S3 server access logs record object-level requests. Option B is wrong because CloudWatch Logs does not directly capture S3 API calls; it can be used with CloudTrail logs.

Option D is wrong because KMS is for encryption keys. Option E is wrong because Config records resource configuration changes, not API calls.

484
Multi-Select (easy)

Which TWO AWS services can be used to protect an application running on EC2 from common web exploits like SQL injection and cross-site scripting?

Select 2 answers
A.Amazon CloudWatch
B.Security Groups
C.AWS WAF
D.AWS Shield Advanced
E.AWS Identity and Access Management (IAM)
Answers: C, D

WAF can block SQL injection and XSS attacks.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It allows you to create rules that filter and monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, URI strings, and SQL injection or cross-site scripting patterns, making it the correct choice for protecting against these specific threats.

Exam trap

The trap here is that candidates often confuse Security Groups (Layer 3/4 network filtering) with application-layer protection, mistakenly believing they can block web exploits, when in fact they only control traffic based on IP/port rules and have no awareness of HTTP payload content.

485
MCQ (medium)

A developer has an AWS Lambda function that processes messages from an Amazon SQS standard queue. The function is idempotent and currently has a batch size of 10. The developer wants to increase throughput and increases the batch size to 100. After the change, CloudWatch metrics show a significant increase in throttles and the queue backlog is growing. The function's reserved concurrency is set to 10. What is the most effective action to resolve the throttling and improve throughput?

A.Increase the reserved concurrency of the Lambda function
B.Increase the memory allocation of the Lambda function
C.Switch the SQS queue to a FIFO queue
D.Decrease the batch size back to 10
Answer: A

Higher concurrency allows more invocations to run simultaneously, reducing throttling and enabling the function to consume the larger batch size effectively.

Why this answer

Increasing the reserved concurrency from 10 to a higher value directly addresses the root cause of throttling. With a batch size of 100, each invocation processes more messages, but the function's reserved concurrency of 10 limits the maximum number of concurrent executions to 10. This means the Lambda service can only invoke the function 10 times at once, regardless of how many messages are in the queue.

By raising reserved concurrency, you allow more concurrent invocations to handle the larger batches, reducing throttling and improving throughput.

Exam trap

The trap here is that candidates often assume throttling is due to function performance (memory or CPU) and choose to increase memory, when in fact the issue is a concurrency limit that prevents the function from scaling to handle the larger batch size.

How to eliminate wrong answers

Option B is wrong because increasing memory allocation improves CPU and network performance per invocation but does not increase the number of concurrent executions allowed, so it cannot resolve throttling caused by hitting the reserved concurrency limit. Option C is wrong because switching to a FIFO queue would reduce throughput due to its strict message ordering and limited concurrency (FIFO queues support a maximum of 300 transactions per second with batching), which is counterproductive when trying to increase throughput. Option D is wrong because decreasing the batch size back to 10 would reduce the number of messages processed per invocation, lowering throughput and failing to address the underlying concurrency bottleneck.

486
MCQ (medium)

A developer is troubleshooting an AWS Lambda function that is triggered by an S3 event. The function occasionally fails with a timeout error. CloudWatch logs show that the timeout occurs during the processing of large files. The function has a memory setting of 128 MB and a timeout of 3 seconds. The developer wants to process large files without modifying the code. Which parameter should the developer adjust first?

A.Increase the function's memory
B.Increase the function's timeout
C.Increase the function's reserved concurrency
D.Increase the S3 event notification batch size
Answer: A

More memory provides more CPU, which can speed up processing and reduce the chance of timeout without code changes.

Why this answer

Increasing the function's memory is the correct first step because Lambda allocates CPU proportionally to memory, and more CPU reduces processing time for CPU-bound tasks like decompressing or parsing large files. This directly addresses the timeout by making the function complete faster, without requiring code changes. The current 128 MB setting is the minimum, which provides the least CPU, so even a modest increase can significantly reduce execution time.

Exam trap

The trap here is that candidates often assume a timeout error must be fixed by increasing the timeout, but the question explicitly states the timeout occurs during processing of large files, indicating a performance bottleneck that memory (and thus CPU) increase can resolve without code changes.

How to eliminate wrong answers

Option B is wrong because increasing the timeout alone does not speed up processing; it only allows the function to run longer, which may mask the underlying performance issue but does not prevent future timeouts on even larger files. Option C is wrong because reserved concurrency controls the number of concurrent executions, not the execution duration of a single invocation; it would not resolve a timeout caused by slow processing. Option D is wrong because the S3 event notification batch size controls how many events are sent per invocation, not the processing speed of a single file; increasing it would only make the function handle more files per invocation, worsening the timeout.

487
MCQ (medium)

A developer needs to trace a request across API Gateway, Lambda, and downstream AWS service calls. Which service should be enabled?

A.AWS X-Ray
B.AWS Budgets
C.AWS Artifact
D.AWS License Manager
Answer: A

Correct for the stated requirement.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end tracing for requests flowing through distributed applications, including API Gateway, Lambda functions, and downstream AWS services like DynamoDB or S3. It captures trace data as the request traverses each component, allowing developers to identify performance bottlenecks and errors across the entire request path. X-Ray integrates natively with API Gateway and Lambda via the X-Ray SDK or active tracing configuration, requiring no code changes for basic tracing.

Exam trap

The trap here is that candidates may confuse AWS X-Ray with CloudWatch Logs or CloudTrail, thinking those services provide the same distributed tracing capability, but X-Ray is the only service that correlates trace data across multiple components in a single request.

How to eliminate wrong answers

Option B (AWS Budgets) is wrong because it is a cost management service that monitors AWS spending and sends alerts when usage exceeds thresholds, not a tracing or observability tool. Option C (AWS Artifact) is wrong because it provides access to AWS compliance reports, security documentation, and agreements, such as SOC and PCI reports, not request tracing capabilities. Option D (AWS License Manager) is wrong because it manages software licenses (e.g., Microsoft, Oracle) to prevent license violations, and has no role in tracing API requests or debugging distributed applications.

488
Multi-Select (medium)

Which TWO actions should a developer take to ensure that an AWS CodeDeploy deployment is successful when deploying to an Auto Scaling group? (Choose TWO.)

Select 2 answers
A.Create an IAM service role that allows CodeDeploy to access the instances.
B.Attach an Application Load Balancer to the Auto Scaling group.
C.Enable the Application Discovery Service for the instances.
D.Configure the deployment to use a blue/green deployment type.
E.Install the CodeDeploy agent on each EC2 instance in the Auto Scaling group.
Answers: A, E

The service role is required for CodeDeploy to perform actions on the instances, and the agent must be present on each instance.

Why this answer

Option B and D are correct because the CodeDeploy agent must be installed on each instance, and the service role must have permissions to access the instances. Option A is wrong because CodeDeploy supports in-place deployments. Option C is wrong because a load balancer is optional.

Option E is wrong because CodeDeploy does not require an Application Discovery Service.

489
MCQ (easy)

A developer is using AWS X-Ray to trace requests through a microservices application. One of the services, Service B, is not appearing in the trace map. What is the MOST likely reason?

A.Service B is using HTTP/2, which is not supported by X-Ray.
B.Service B is running in a different AWS region.
C.The X-Ray sampling rate is set too low.
D.Service B is not instrumented with the X-Ray SDK.
Answer: D

Without instrumentation, X-Ray cannot receive trace data from that service.

Why this answer

For X-Ray to trace requests across services, each service must be instrumented with the X-Ray SDK. If Service B is not instrumented, it won't send trace data, and it won't appear in the trace map.

490
MCQ (easy)

A company wants to deploy an application using AWS Elastic Beanstalk. The application requires a relational database. What is the BEST practice for managing the database?

A.Create an Amazon RDS database instance separately and configure the application to connect to it.
B.Use the Elastic Beanstalk console to add an RDS database to the environment.
C.Use an S3 bucket to store data.
D.Use Amazon DynamoDB as the database.
Answer: A

This decouples the database from the environment lifecycle.

Why this answer

The best practice for managing a relational database in Elastic Beanstalk is to decouple the database from the application lifecycle by creating an Amazon RDS instance separately. This ensures the database is not deleted when the Elastic Beanstalk environment is terminated, provides better control over backups, scaling, and maintenance, and allows the application to connect via environment variables or configuration files. Using a separate RDS instance aligns with production best practices for durability and operational flexibility.

Exam trap

The trap here is that candidates assume the integrated RDS option in Elastic Beanstalk is the simplest and therefore best approach, but the exam tests the understanding that decoupling the database from the environment lifecycle is the production best practice to avoid accidental data loss.

How to eliminate wrong answers

Option B is wrong because adding an RDS database via the Elastic Beanstalk console ties the database lifecycle to the environment, meaning the database is deleted when the environment is terminated, which is risky for production workloads. Option C is wrong because Amazon S3 is an object storage service, not a relational database; it cannot support SQL queries, transactions, or relational data models required by the application. Option D is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational database; it does not support SQL joins, ACID transactions across multiple tables, or schema enforcement needed for relational workloads.

491
MCQ (easy)

A developer is using AWS CodeBuild to build and test a Java application. The buildspec.yaml file includes phases for install, pre_build, build, and post_build. The developer notices that the build fails intermittently due to network timeouts when downloading dependencies from an external repository. The developer wants to improve the reliability of the build by caching the dependencies. The build environment is Linux and the dependencies are stored in the /root/.m2 directory (Maven cache). The developer has an S3 bucket for caching. What should the developer add to the buildspec.yaml to enable caching?

A.Add a 'phases' section with install commands to manually copy dependencies to S3.
B.Add an 'artifacts' section with 'files' including '/root/.m2/**/*' and 'location' set to the S3 bucket.
C.Add a 'cache' section with 'paths' including '/root/.m2' and 'location' set to the S3 bucket ARN.
D.Add an 'env' section with 'parameter-store' variables to store the dependency paths.
Answer: C

The cache section in buildspec enables caching of specified paths to an S3 bucket.

Why this answer

Option A is correct because adding a 'cache' section with 'paths' pointing to /root/.m2 and 'location' pointing to the S3 bucket will cache the Maven dependencies. Option B is incorrect because the 'artifacts' section is for output artifacts, not caching. Option C is incorrect because the 'env' section is for environment variables.

Option D is incorrect because the 'phases' section defines build commands, not caching.

492
MCQ (medium)

A developer is using AWS CloudFormation to deploy a stack with multiple resources. To ensure that a specific EC2 instance is created only after a security group is created, the developer wants to define the dependency. How should the developer achieve this in the CloudFormation template?

A.Use the DependsOn attribute on the EC2 instance resource
B.Use the Ref function to refer to the security group in the EC2 instance properties
C.Use the AWS::NoValue intrinsic function
D.Use the Condition attribute on the EC2 instance
Answer: A

DependsOn explicitly defines that the EC2 instance depends on the security group, ensuring creation order.

Why this answer

Option A is correct because the `DependsOn` attribute explicitly tells AWS CloudFormation to create the EC2 instance only after the security group has been successfully created. Without this explicit dependency, CloudFormation may attempt to create resources in parallel, which could cause the EC2 instance launch to fail if it references a security group that does not yet exist.

Exam trap

The trap here is that candidates often assume that using `Ref` to reference a resource automatically creates a dependency, but CloudFormation only creates implicit dependencies when the reference is used in a property that directly requires the referenced resource's physical ID (e.g., `SecurityGroups`), not for all uses of `Ref`.

How to eliminate wrong answers

Option B is wrong because using the `Ref` function to refer to the security group in the EC2 instance properties does not create an explicit dependency; it only passes the security group's logical ID or physical ID as a parameter. CloudFormation may still create the EC2 instance before the security group if no explicit dependency is declared. Option C is wrong because `AWS::NoValue` is used to conditionally omit a property value or to suppress a return value, not to define resource creation order.

Option D is wrong because the `Condition` attribute controls whether a resource is created at all based on a condition, not the order in which resources are created.

493
MCQ (medium)

A developer is creating a REST API using Amazon API Gateway with Lambda proxy integration. The API needs to accept and return binary data such as images or PDF files. The developer has configured the API to use the Lambda proxy integration. What additional configuration is required to support binary data?

A.Set the Content-Type header to application/octet-stream in the Lambda response.
B.In API Gateway, add the binary media types to the API settings, e.g., image/png, application/pdf.
C.Use an API Gateway custom domain with an SSL certificate.
D.Enable API caching with binary support.
Answer: B

Correct. This tells API Gateway which responses should be treated as binary data.

Why this answer

With Lambda proxy integration, API Gateway passes the client request as-is to Lambda and returns the Lambda response as-is to the client. To handle binary data, you must explicitly declare the binary media types (e.g., image/png, application/pdf) in the API Gateway REST API settings. This tells API Gateway to base64-encode the binary payload before sending it to Lambda and to decode the base64-encoded response from Lambda back to binary for the client.

Without this configuration, API Gateway treats all payloads as text and will corrupt binary data.

Exam trap

The trap here is that candidates assume Lambda proxy integration automatically handles binary data because it passes everything through, but in reality, API Gateway requires explicit binary media type configuration to avoid corrupting binary payloads during base64 encoding/decoding.

How to eliminate wrong answers

Option A is wrong because setting the Content-Type header to application/octet-stream in the Lambda response alone does not enable API Gateway to handle binary data; API Gateway must be explicitly configured with the binary media types in the API settings, and the Lambda response must also include the correct isBase64Encoded flag set to true. Option C is wrong because using a custom domain with an SSL certificate is related to HTTPS endpoint configuration and custom domain names, not to enabling binary data support in API Gateway. Option D is wrong because API caching is a performance optimization feature that caches responses; it does not provide or enable binary data handling, and there is no 'binary support' toggle in API caching.
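The explanation above describes two halves of the binary contract for Lambda proxy integration: API Gateway base64-encodes an incoming binary body and sets isBase64Encoded on the event, and a function returning binary must set isBase64Encoded to true with a base64 body so API Gateway can decode it for the client. The handler below is an added example (not code from the question bank or from AWS) that implements both directions in Python; the PNG_HEADER bytes, the function names and the simulated API Gateway behaviour in roundtrip_demo are constructed for the example.

```python
import base64
import json

# Constructed sample payload: the 8-byte PNG signature, not a complete image.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"


def encode_body(data: bytes) -> str:
    """Base64 text form that API Gateway expects for a binary proxy body."""
    return base64.b64encode(data).decode("ascii")


def request_body_bytes(event) -> bytes:
    """Recover the raw request bytes from a proxy event.

    API Gateway base64-encodes the body (and sets isBase64Encoded) only when the
    request Content-Type matches a registered binary media type; otherwise the
    body arrives as text.
    """
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def binary_response(data: bytes, content_type: str):
    """Proxy response carrying binary data; the flag tells API Gateway to decode it."""
    return {
        "statusCode": 200,
        "headers": {"Content-Type": content_type},
        "isBase64Encoded": True,
        "body": encode_body(data),
    }


def json_response(obj, status=200):
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "isBase64Encoded": False,
        "body": json.dumps(obj),
    }


def handler(event, context=None):
    """GET returns a PNG; POST validates an uploaded PNG by its signature."""
    method = event.get("httpMethod")
    if method == "GET":
        return binary_response(PNG_HEADER, "image/png")
    if method == "POST":
        data = request_body_bytes(event)
        if not data.startswith(PNG_HEADER):
            return json_response({"error": "not a PNG"}, 400)
        return json_response({"bytes": len(data)})
    return json_response({"error": "method not allowed"}, 405)


def roundtrip_demo() -> bytes:
    """Simulate the API Gateway side for a GET when image/png is a registered
    binary media type: it decodes the body because isBase64Encoded is true."""
    resp = handler({"httpMethod": "GET"})
    if resp["isBase64Encoded"]:
        return base64.b64decode(resp["body"])
    return resp["body"].encode("utf-8")


def post_demo(body: str, encoded: bool):
    """Invoke the POST path and return (status code, parsed JSON body)."""
    resp = handler({"httpMethod": "POST", "isBase64Encoded": encoded, "body": body})
    return resp["statusCode"], json.loads(resp["body"])
```

Note that without image/png in the API's binary media types the GET response would still reach the client as base64 text, and a binary upload would be delivered to the function as mangled text rather than a base64 body; the handler cannot compensate for a missing API-level setting, which is the point of the question.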

494
MCQ (medium)

A developer is optimizing a Node.js Lambda function that processes CSV files from S3. The function reads the entire file into memory, processes it, and writes results to DynamoDB. For large files, the function runs out of memory. What is the MOST effective optimization?

A.Increase the Lambda timeout to allow more processing time.
B.Increase the Lambda function memory to 3008 MB.
C.Use the AWS SDK's S3 GetObject with a stream and process in chunks.
D.Use S3 Select to retrieve only necessary columns.
Answer: C

Streaming prevents loading the entire file into memory.

Why this answer

Option C is correct because streaming the file from S3 avoids loading the entire file into memory. Option A is wrong because increasing the Lambda timeout does not address memory. Option B is wrong because increasing memory may help but is less efficient than streaming.

Option D is wrong because S3 Select is for filtering, not streaming.

495
MCQeasy

A developer is deploying a serverless application using AWS SAM. The application consists of an API Gateway REST API and multiple AWS Lambda functions. The developer wants to deploy the application to a production environment with minimal downtime. Which deployment strategy should the developer use?

A.Create a blue/green deployment using AWS Elastic Beanstalk.
B.Delete the existing stack and deploy a new one.
C.Perform a rolling update by updating functions one by one.
D.Use SAM's built-in canary deployment with traffic shifting.
AnswerD

SAM supports canary deployments natively for gradual traffic shifting.

Why this answer

Option D is correct because AWS SAM supports canary deployments, which shift traffic gradually to new versions, minimizing downtime. Option C is wrong because rolling updates are not natively supported by SAM for Lambda. Option A is wrong because blue/green deployments on Elastic Beanstalk require manual setup and are not built into SAM.

Option B is wrong because replacing the stack causes downtime.

496
MCQmedium

A developer is building an application that needs to store session state data for a web application running on multiple EC2 instances behind an ALB. The data is ephemeral and should not persist if an instance is terminated. Which storage option should the developer use?

A.Amazon ElastiCache
B.Amazon RDS
C.Amazon DynamoDB
D.Amazon S3
AnswerA

ElastiCache is an in-memory cache that provides low-latency access and ephemeral storage, perfect for session state.

Why this answer

Amazon ElastiCache is the correct choice because it provides a managed in-memory cache (e.g., Redis or Memcached) that is ideal for storing ephemeral session state data. Session data is temporary and must be shared across multiple EC2 instances behind an ALB, and ElastiCache offers sub-millisecond latency and automatic key expiration, ensuring data is not persisted if an instance terminates. This aligns with the requirement for non-persistent, high-performance session storage that survives individual instance failures.

Exam trap

The trap here is that candidates often confuse durable storage (like DynamoDB or RDS) with ephemeral storage, failing to recognize that the requirement 'should not persist if an instance is terminated' explicitly calls for a non-persistent, in-memory solution like ElastiCache, not a database that guarantees data durability.

How to eliminate wrong answers

Option B (Amazon RDS) is wrong because RDS is a relational database designed for persistent, durable storage with ACID transactions, not for ephemeral session state; it introduces unnecessary overhead, cost, and latency for temporary data that should not survive instance termination. Option C (Amazon DynamoDB) is wrong because DynamoDB is a NoSQL database that provides durable, persistent storage with eventual consistency, which contradicts the requirement that data should not persist if an instance is terminated; it is better suited for long-lived application data rather than transient session state. Option D (Amazon S3) is wrong because S3 is an object storage service for durable, persistent data with high latency compared to in-memory solutions; it is not designed for low-latency session state access and would incur unnecessary costs and performance penalties for ephemeral data.

497
MCQhard

A company uses AWS CodePipeline with a manual approval step before deployment. The developer wants to ensure that if a pipeline execution is waiting for approval and new code is pushed, the awaiting execution is canceled and a new one starts with the latest code. Which pipeline execution mode should be configured?

A.Queued
B.Superseded
C.Parallel
D.Single
AnswerB

Superseded mode cancels the current execution and starts a new one with the latest changes.

Why this answer

The Superseded execution mode is correct because it automatically cancels any currently running or waiting pipeline execution when a new one is triggered, ensuring that only the latest code proceeds through the pipeline. This is ideal for scenarios with manual approval steps where stale executions should not block or delay the deployment of the most recent commit.

Exam trap

The trap here is that candidates may confuse Superseded with Queued, assuming that queuing is the default or safest option, but they miss that Superseded is specifically designed to replace pending executions with the latest code push.

How to eliminate wrong answers

Option A is wrong because Queued mode places executions in a queue and runs them sequentially, meaning a waiting approval would not be canceled and the new push would wait until the previous execution completes. Option C is wrong because Parallel mode allows multiple executions to run concurrently, which would not cancel the awaiting execution and could lead to conflicting deployments. Option D is wrong because Single mode is not a valid execution mode in AWS CodePipeline; the available modes are Queued, Superseded, and Parallel.

498
Multi-Selecthard

A developer is deploying an application on EC2 that must access an S3 bucket and an SQS queue. The developer wants to follow the principle of least privilege. Which THREE steps should be taken?

Select 3 answers
A.Attach the IAM role directly to the EC2 instance as a security group.
B.Configure an SQS queue policy that grants access to the IAM role.
C.Create an IAM role with permissions to access S3 and SQS.
D.Configure an S3 bucket policy that grants access to the IAM role.
E.Attach an IAM policy directly to the EC2 instance.
AnswersB, C, D

Queue policy allows the role to send/receive messages.

Why this answer

Option C is correct because an IAM role grants temporary credentials to EC2. Option D is correct because a bucket policy can allow access from the role. Option B is correct because an SQS queue policy can allow access from the role.

Option E is wrong because attaching a policy directly to an EC2 instance is not possible; policies are attached to roles. Option A is wrong because the role should be attached through the instance profile, not as a security group.

499
MCQhard

A company deploys a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application allows users to retrieve data by calling a REST API. Recently, users have reported that some requests return HTTP 500 errors. The developer investigates and finds that the Lambda function logs show occasional 'ProvisionedThroughputExceededException' errors when writing to a DynamoDB table. The table has provisioned read capacity of 5 and write capacity of 5. The Lambda function is configured with a reserved concurrency of 10. The developer wants to minimize errors without significantly increasing costs. Which action should the developer take?

A.Enable auto scaling for the DynamoDB table with a minimum write capacity of 5 and a maximum of 10.
B.Add a DynamoDB Accelerator (DAX) cluster in front of the table.
C.Increase the reserved concurrency for the Lambda function to 20.
D.Implement retry logic with exponential backoff in the Lambda function for DynamoDB write operations.
AnswerA

Auto scaling adjusts capacity based on actual traffic, reducing throttling while keeping costs low.

Why this answer

Option A is correct because enabling DynamoDB auto scaling allows the table to handle bursts beyond the current provisioned capacity, reducing throttling while controlling cost. Option C is wrong because increasing reserved concurrency would cause more Lambda invocations and more writes, potentially worsening the throttling. Option D is wrong because adding retries with exponential backoff in the Lambda function may help, but it does not address the root cause of insufficient write capacity; it only reduces the immediate error rate and could increase latency and cost due to retries.

Option B is wrong because DAX is for read-heavy workloads and does not help with write capacity.

500
MCQeasy

A developer needs to grant an IAM user the ability to create and manage CloudFormation stacks. Which IAM policy action should be allowed?

A.cloudformation:CreateStack
B.lambda:CreateFunction
C.ec2:RunInstances
D.s3:CreateBucket
AnswerA

This is the action to create CloudFormation stacks.

Why this answer

Option A is correct because cloudformation:CreateStack is the action to create stacks. Option B is for Lambda, Option C is for EC2, and Option D is for S3.

501
Multi-Selectmedium

A SAM application should gradually shift Lambda traffic and roll back on errors. Which two pieces are needed?

Select 2 answers
A.An S3 lifecycle rule
B.A Lambda alias/deployment preference
C.CloudWatch alarms tied to deployment health
D.A public S3 bucket
AnswersB, C

A Lambda alias with a deployment preference shifts traffic gradually, and CloudWatch alarms tied to deployment health trigger the rollback on errors.

Why this answer

Option B is correct because AWS SAM uses Lambda aliases with deployment preferences (e.g., Canary10Percent5Minutes or Linear10PercentEvery10Minutes) to gradually shift traffic from the old version to the new version. Option C is correct because CloudWatch alarms can be tied to the deployment preferences to automatically roll back the traffic shift if the alarm enters the ALARM state, indicating errors or degraded health.

Exam trap

The trap here is that candidates often confuse deployment-related features (like S3 lifecycle rules or public buckets) with the actual AWS services (Lambda alias and CodeDeploy) that handle traffic shifting and rollback, leading them to select irrelevant options.

502
Multi-Selecthard

Which TWO approaches can a developer use to automate the deployment of a microservices application to Amazon ECS with Fargate, ensuring that each microservice is independently deployable and can scale based on demand?

Select 2 answers
A.Define all microservices in a single task definition and run them as one service
B.Use a single ECS service with multiple containers per task definition
C.Use a single CodePipeline that builds all microservices together
D.Define each microservice as a separate ECS service with its own task definition
E.Use a separate CodePipeline for each microservice that builds and deploys independently
AnswersD, E

Separate services allow independent deployment and scaling.

Why this answer

Using separate ECS services (D) and a CI/CD pipeline per microservice (E) ensures independent deployment and scaling. Option C (a single pipeline that builds everything together) defeats independence. Option A (single task definition) couples the services.

Option B (single service) does not allow independent scaling.

503
MCQmedium

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The deployment fails with a 'ResourceConflictException' error. What is the MOST likely cause?

A.Another deployment is currently in progress for the same Lambda function.
B.The Lambda function code exceeds the maximum allowed size.
C.The Lambda function has an alias that conflicts with the version number.
D.The IAM role associated with the Lambda function does not have sufficient permissions.
AnswerA

Lambda does not allow concurrent updates to the same function.

Why this answer

Option A is correct because the error indicates that the function code or configuration is being updated while a previous update is still in progress. Option D is wrong because the error is not related to IAM permissions. Option C is wrong because publishing a new version does not conflict with an alias.

Option B is wrong because the error is not about exceeding the function code size limit.

504
MCQeasy

A developer is using Amazon API Gateway to create a REST API. The API must support CORS (Cross-Origin Resource Sharing) to allow requests from a web application hosted on a different domain. What must the developer do to enable CORS?

A.Use Amazon CloudFront to proxy the API and add CORS headers.
B.Enable CORS in the API Gateway settings and configure the required headers.
C.Nothing; API Gateway automatically handles CORS.
D.Add CORS headers in the Lambda function code.
AnswerB

API Gateway can be configured to return CORS headers.

Why this answer

Option B is correct because API Gateway can enable CORS by adding the appropriate headers. Option C is incorrect because CORS is not automatically enabled. Option D is incorrect because Lambda does not handle CORS headers for API Gateway.

Option A is incorrect because CloudFront is not required.

505
MCQmedium

A developer is deploying a new version of a Lambda function using the AWS CLI. The developer wants to shift 10% of traffic to the new version and then gradually increase to 100% over 10 minutes. Which CLI command should the developer use?

A.aws lambda publish-version --function-name my-function
B.aws lambda create-function --function-name my-function --zip-file fileb://my-code.zip
C.aws lambda update-alias --function-name my-function --name prod --function-version 2 --routing-config AdditionalVersionWeights={"1":0.9}
D.aws lambda invoke --function-name my-function --payload '{}'
AnswerC

This sets up routing to send 10% to version 2.

Why this answer

The update-function-code command deploys a new version. To shift traffic, the developer must use the update-alias command with a routing configuration. Option C is correct because it configures the alias with a routing config.

Option B (create-function) creates a new function. Option D (invoke) invokes a function. Option A (publish-version) publishes a version but does not shift traffic.

506
MCQmedium

A developer is deploying a web application on AWS Elastic Beanstalk. The application uses a relational database and requires a custom environment variable for the database connection string. The developer has created an Elastic Beanstalk environment and wants to set the environment variable securely without exposing it in the source code or configuration files. The developer also wants to ensure that the environment variable is available to the application instances at deployment time. What is the BEST way to achieve this?

A.Set the environment variable using the Elastic Beanstalk console or CLI by configuring environment properties.
B.Store the connection string in AWS Systems Manager Parameter Store and retrieve it from the application code at runtime.
C.Hardcode the connection string in the application code and commit it to the source repository.
D.Store the connection string in a file named 'env.txt' in the application source bundle and read it at application startup.
AnswerA

Elastic Beanstalk environment properties are secure and automatically available to instances.

Why this answer

Option A is correct because Elastic Beanstalk allows setting environment properties in the environment configuration, which are securely passed to the instances. Option D is incorrect because storing the connection string in a plain text file is insecure. Option C is incorrect because hardcoding the value in the application code is not secure and not a best practice.

Option B is incorrect because although AWS Systems Manager Parameter Store can store the value, the application would need to retrieve it at runtime, adding complexity; Elastic Beanstalk environment properties are simpler and automatically injected.

507
MCQhard

A company uses AWS CodeBuild for building and testing their application. They have a build project that runs on a Linux environment. They want to run a build in a custom Docker image that is stored in Amazon ECR. How should they configure the build project?

A.Add a 'Dockerfile' to the source code and specify it in the buildspec.
B.In the environment configuration, set the 'Image' field to the ECR image URI.
C.Use a managed image provided by AWS CodeBuild.
D.Configure the pipeline to pass the image URI as an environment variable.
AnswerB

CodeBuild supports custom images from ECR.

Why this answer

Option B is correct because AWS CodeBuild allows you to specify a custom Docker image from Amazon ECR by entering its URI directly in the 'Image' field under the environment configuration. This enables the build to run in a container that includes all necessary dependencies, without requiring a Dockerfile in the source code or a managed image.

Exam trap

The trap here is that candidates confuse specifying a Dockerfile to build a new image (Option A) with using an existing custom image as the build environment, leading them to overlook the direct ECR URI configuration in the environment settings.

How to eliminate wrong answers

Option A is wrong because adding a Dockerfile to the source code and specifying it in the buildspec is used for building a new Docker image, not for running the build in an existing custom image from ECR. Option C is wrong because managed images provided by AWS CodeBuild are pre-configured environments (e.g., Ubuntu, Windows) and do not include custom dependencies that the company needs. Option D is wrong because passing the image URI as an environment variable does not instruct CodeBuild to use that image as the runtime environment; the image must be specified in the environment configuration's 'Image' field.

508
MCQeasy

A developer needs to grant cross-account access to an S3 bucket for an IAM user from another AWS account. The developer has added a bucket policy that allows the user's ARN. However, the user still cannot access the bucket. What additional step is required?

A.The user must have an IAM policy allowing the required S3 actions on that bucket
B.The bucket must be made public
C.The user must use a different AWS CLI profile
D.The resource-based policy must explicitly allow the user's ARN
AnswerA

Without an identity-based policy, the user is not allowed to perform the action even if the resource policy permits it.

Why this answer

A is correct because cross-account access to an S3 bucket requires both a resource-based policy (the bucket policy) that grants access to the user's ARN and an identity-based policy (an IAM policy attached to the user) that explicitly allows the required S3 actions on that bucket. Without the IAM policy, the user's account denies the request by default, even if the bucket policy permits it. This is the principle of 'permission delegation' in AWS: the resource owner can grant access, but the user's own account must also authorize the action.

Exam trap

The trap here is that candidates assume a bucket policy alone is sufficient for cross-account access, forgetting that the requesting account must also explicitly authorize the action via an IAM policy, which is a common oversight in AWS cross-account scenarios.

How to eliminate wrong answers

Option B is wrong because making the bucket public would grant access to all anonymous users, which is overly permissive and not a secure or necessary step for cross-account access; the bucket policy already specifies the user's ARN. Option C is wrong because using a different AWS CLI profile does not resolve the underlying permission issue; the user's IAM policy must allow the S3 actions regardless of the profile used. Option D is wrong because the developer has already added a bucket policy that explicitly allows the user's ARN, so this step is already done; the missing piece is the user's own IAM policy.

509
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application writes logs to the local file system. The developer wants to ensure that logs are automatically rotated and retained for 30 days. What should the developer do?

A.Modify the application code to write logs directly to an S3 bucket with lifecycle policies.
B.Add a cron job to the EC2 instances that compresses and deletes old logs.
C.Configure the Elastic Beanstalk environment to enable log rotation and set retention period to 30 days.
D.Install the CloudWatch Logs agent on the EC2 instances and configure it to stream logs to CloudWatch Logs with a 30-day retention.
AnswerC

Elastic Beanstalk provides built-in log rotation and retention settings.

Why this answer

Option C is correct because Elastic Beanstalk can be configured to rotate and retain logs by setting the appropriate option settings in the environment configuration. Option D is wrong because the CloudWatch Logs agent without rotation configuration may not handle log rotation properly. Option B is wrong because a cron job is a manual approach and not integrated with Elastic Beanstalk.

Option A is wrong because writing logs to S3 from application code is not automatic rotation.

510
MCQeasy

A developer is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to encrypt data in transit between the client and the ALB. Which AWS service should be used to manage the SSL/TLS certificate?

A.AWS Certificate Manager (ACM)
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS Identity and Access Management (IAM)
AnswerA

ACM provisions, manages, and deploys SSL/TLS certificates for AWS services including ALB, allowing automatic renewal and easy attachment to load balancers.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it provisions, manages, and deploys public and private SSL/TLS certificates that can be associated with an Application Load Balancer (ALB) to encrypt data in transit between clients and the ALB. ACM handles certificate renewal automatically and integrates natively with ALB, removing the need for manual certificate management. This ensures HTTPS termination at the load balancer, securing the client-to-ALB communication.

Exam trap

The trap here is that candidates may confuse AWS KMS (used for encryption at rest) with ACM (used for encryption in transit), or incorrectly assume IAM can manage SSL/TLS certificates for ALBs when it only supports legacy certificate uploads for CloudFront and Elastic Load Balancers in specific cases.

How to eliminate wrong answers

Option B (AWS KMS) is wrong because KMS is a key management service for creating and controlling encryption keys used for data at rest, not for managing SSL/TLS certificates for data in transit. Option C (AWS Secrets Manager) is wrong because Secrets Manager is designed to rotate and manage secrets such as database credentials and API keys, not SSL/TLS certificates for load balancers. Option D (AWS IAM) is wrong because IAM is an identity and access management service for controlling user and resource permissions, and while IAM can support SSL certificates for legacy CloudFront distributions, it does not manage or automate SSL/TLS certificates for ALBs and is not the recommended service for this purpose.

511
MCQmedium

A company is using AWS CodeDeploy to deploy a web application to an Auto Scaling group of EC2 instances. The deployment fails with the error 'The overall deployment failed because too many individual instances failed deployment.' What is the most likely cause?

A.The application specification file (appspec) is missing required hooks.
B.The IAM role for CodeDeploy does not have sufficient permissions to call EC2 APIs.
C.The Auto Scaling group does not have enough instances to meet the minimum healthy count.
D.The number of instances that failed deployment exceeded the configured failure threshold.
AnswerD

CodeDeploy fails the deployment if too many instances fail.

Why this answer

Option D is correct because CodeDeploy has a failure threshold that, when exceeded, fails the entire deployment. Option C is wrong because insufficient capacity would cause a different error. Option B is wrong because IAM permission problems would cause access denied errors.

Option A is wrong because a missing appspec hook would cause a different error.

512
MCQhard

A developer is using AWS Lambda with a VPC configuration. The function needs to access an Amazon RDS instance in the same VPC. The function is timing out after 3 seconds. What is the MOST likely cause?

A.The Lambda function's execution role does not have rds:Connect permission.
B.The Lambda function's security group does not allow outbound traffic to the RDS instance.
C.The Lambda function does not have an RDS proxy configured.
D.The Lambda function timeout is set too low.
AnswerB

The Lambda function's security group must allow outbound traffic to the RDS security group on the database port.

Why this answer

Option B is correct. A Lambda function in a VPC needs a NAT gateway or VPC endpoints only to reach the internet; to reach an RDS instance it needs a network path to the RDS subnet. Because the RDS instance is in the same VPC, no peering or transit gateway route is involved, so the likely cause of the timeout is that the Lambda function's security group does not allow outbound traffic to the RDS security group. Option C is wrong because RDS Proxy is not required.

Option A is wrong because the function can access the database directly via its private IP. Option D is wrong because the 3-second timeout is the default; it could be increased, but the root cause is connectivity.

513
MCQmedium

A developer is troubleshooting an AWS Lambda function that writes to an S3 bucket. The function is configured with a resource-based policy that allows the S3 service to invoke the function. However, the function fails with an access denied error when trying to write to S3. What is the MOST likely cause?

A.The Lambda function is configured in a VPC without an S3 VPC endpoint.
B.The Lambda function's execution role does not have an IAM policy that allows s3:PutObject.
C.The Lambda function's trigger (S3 event notification) is misconfigured.
D.The S3 bucket policy does not grant the Lambda function write access.
AnswerB

Execution role must have S3 write permissions.

Why this answer

Option B is correct because the Lambda function needs an execution role with permissions to write to S3. The resource-based policy only allows S3 to invoke the function; it does not let the function write. Option D is wrong because a bucket policy is not needed if the execution role has permissions.

Option C is wrong because the function is being triggered correctly. Option A is wrong because a VPC configuration does not cause access denied.

514
MCQhard

Refer to the exhibit. An IAM role has the attached policy. A developer is writing an application that will upload objects to the S3 bucket using server-side encryption with AWS KMS (SSE-KMS). The application is failing with an Access Denied error when trying to upload. What is the missing permission?

A.kms:Decrypt on the KMS key
B.kms:ListKeys on the KMS key
C.kms:Encrypt on the KMS key
D.s3:PutObjectAcl on the bucket
AnswerC

Upload with SSE-KMS requires kms:Encrypt.

Why this answer

Option C is correct because s3:PutObject with SSE-KMS requires kms:Encrypt on the KMS key. The policy allows kms:Decrypt and GenerateDataKey, but not Encrypt. Option A is wrong because kms:Decrypt is not needed for upload.

Option B is wrong because kms:ListKeys is not required. Option D is wrong because the bucket name is correct.

515
MCQeasy

A developer wants to store application configuration data that can be accessed by multiple microservices. The data is sensitive and should be encrypted at rest. Which AWS service should be used to meet these requirements?

A.Amazon S3
B.AWS Identity and Access Management (IAM)
C.Amazon DynamoDB
D.AWS Systems Manager Parameter Store
AnswerD

Supports encrypted parameters and secure access.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store supports encrypted parameters using KMS. Option A is wrong because S3 is not a configuration store and requires additional IAM policies. Option C is wrong because DynamoDB can store configuration but does not natively encrypt at rest without additional setup.

Option B is wrong because IAM is for access management, not configuration storage.

516
MCQeasy

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to restrict access to the API so that only authenticated users can invoke it. Which API Gateway feature should be used?

A.API Gateway Lambda authorizer
B.AWS WAF
C.API Gateway usage plan
D.API Gateway resource policy
AnswerA

A Lambda authorizer can validate tokens and return an IAM policy to allow or deny access.

Why this answer

API Gateway supports AWS Lambda authorizers (formerly custom authorizers) that use a Lambda function to validate a bearer token, such as a JWT, from the client. This allows authentication before invoking the backend.

517
MCQhard

Refer to the exhibit. A developer created the CloudFormation template snippet. After deployment, the developer uploads a file to the bucket, but the Lambda function is not invoked. What is the MOST likely cause?

A.The bucket has a bucket policy that denies s3:PutObject for the IAM user.
B.The bucket has versioning enabled, which blocks event notifications.
C.The lifecycle rule moves objects to Glacier before the notification is sent.
D.The Lambda function returned an error, so the invocation failed silently.
AnswerA

If the upload fails due to permissions, no event is sent.

Why this answer

Option A is correct because S3 bucket policies that deny s3:PutObject would prevent the upload from triggering the event. Option B is wrong because versioning does not affect notifications. Option C is wrong because lifecycle rules do not affect immediate events.

Option D is wrong because Lambda function errors do not prevent invocation.

518
Multi-Selecthard

Which TWO are valid ways to automate deployments to Amazon ECS? (Choose TWO.)

Select 2 answers
A.Use AWS CodeDeploy with an Amazon ECS blue/green deployment.
B.Use AWS CloudFormation to create a change set and update the service.
C.Use AWS OpsWorks with a Docker layer.
D.Use AWS CodePipeline with an Amazon ECS deploy action.
E.Use AWS Elastic Beanstalk with a Docker platform.
AnswersA, D

CodeDeploy supports ECS blue/green deployments.

Why this answer

Options A and D are correct. AWS CodePipeline with an ECS deploy action and AWS CodeDeploy with an ECS blue/green deployment are valid. Option B is incorrect because CloudFormation is for infrastructure, not deployments.

Option E is incorrect because Elastic Beanstalk is not for ECS. Option C is incorrect because OpsWorks is not for ECS.

519
Multi-Selectmedium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The application writes to the database using the primary endpoint. The company wants to improve read performance and offload read traffic from the primary instance. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Create an Amazon RDS read replica in the same region.
B.Add another primary instance and configure replication.
C.Modify the application to use the read replica endpoint for SELECT queries.
D.Use the Multi-AZ secondary instance endpoint for read queries.
E.Enable Amazon RDS Proxy to distribute read queries across instances.
AnswersA, C

A read replica can handle read traffic, reducing load on the primary.

Why this answer

Option A is correct because a read replica can serve read traffic. Option C is correct because the application should use the read replica endpoint for read queries. Option D is wrong because Multi-AZ does not provide a separate read endpoint; the secondary is a standby.

Option E is wrong because RDS Proxy is for connection pooling, not read scaling. Option B is wrong because creating additional primary instances is not supported; RDS has one primary per DB instance.

520
MCQeasy

A developer wants to grant an IAM user permissions to list all S3 buckets in the account, but deny access to a specific bucket named 'confidential-data'. Which IAM policy should be attached?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"confidential-data"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Deny","Action":"s3:ListBucket","Resource":"arn:aws:s3:::confidential-data"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"*"},{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::confidential-data"}]}
Answer: C

Explicitly denies ListBucket on the confidential-data bucket, overriding the allow.

Why this answer

Option C is correct because the policy grants s3:ListAllMyBuckets and explicitly denies s3:ListBucket on the confidential-data bucket. The explicit deny overrides the allow. Option A denies all ListBucket actions, preventing listing any bucket.

Option D grants access to the confidential-data bucket instead of denying it. Option B is invalid syntax because the Resource is a bare bucket name rather than an ARN.

521
MCQ · easy

A developer needs to store session state data for a web application running on multiple EC2 instances. The data must be highly available and durable. Which AWS service should be used?

A.Amazon ElastiCache
B.Amazon S3
C.Amazon EBS
D.Amazon CloudFront
Answer: A

In-memory caching service for session state.

Why this answer

Option A is correct because ElastiCache provides a high-performance, highly available in-memory cache suitable for session state. Option B is wrong because S3 is object storage, not ideal for low-latency session state. Option C is wrong because EBS volumes are attached to a single instance.

Option D is wrong because CloudFront is a CDN, not a session store.

522
MCQ · hard

A developer is creating a CloudFormation template to deploy a microservices architecture. The template includes an Amazon ECS service with an Application Load Balancer. The developer wants to ensure that the load balancer is created before the ECS service. How should the developer achieve this?

A.Use the Ref function in the ECS service to reference the load balancer.
B.Use the DependsOn attribute in the ECS service resource to reference the load balancer.
C.Define the load balancer before the ECS service in the template.
D.Use the Fn::GetAtt function to reference the load balancer.
Answer: B

DependsOn ensures creation order.

Why this answer

Option B is correct because DependsOn explicitly specifies the creation order. Option A is wrong because Ref does not guarantee creation order. Option C is wrong because the order of resources in the template does not guarantee creation order.

Option D is wrong because Fn::GetAtt does not enforce order.

523
MCQ · easy

A developer uses AWS CodeCommit to store source code. The developer wants to automatically trigger a build in AWS CodeBuild every time a new commit is pushed to the master branch. Which AWS service should the developer use to configure this integration?

A.Amazon CloudWatch Events (or EventBridge)
B.Amazon S3 events
C.AWS CodeDeploy
D.AWS CodePipeline
Answer: D

CodePipeline integrates CodeCommit and CodeBuild for continuous integration.

Why this answer

Option D is correct because CodePipeline can be configured to trigger on CodeCommit events and start a CodeBuild project. Option A is wrong because, although CloudWatch Events can trigger CodeBuild directly, CodePipeline is the standard integration. Option C is wrong because CodeDeploy is for deployment, not builds.

Option B is wrong because S3 events are not directly related to CodeCommit.

524
Multi-Select · medium

A developer is designing a mobile application that needs to upload files to Amazon S3. The developer wants to use temporary credentials to avoid storing long-term AWS credentials on the device. Which TWO services should the developer use together?

Select 2 answers
A.AWS Security Token Service (STS)
B.Amazon Cognito
C.Amazon S3 Transfer Acceleration
D.AWS Identity and Access Management (IAM)
E.AWS Key Management Service (KMS)
Answers: A, B

STS issues temporary credentials.

Why this answer

Option B (Amazon Cognito) is correct because it provides identity pools that vend temporary AWS credentials. Option A (AWS STS) is correct because it issues the temporary credentials. Option D is wrong because IAM users carry long-term credentials.

Option E is wrong because KMS is for encryption. Option C is wrong because S3 Transfer Acceleration is for upload speed.

525
MCQ · easy

A developer configures an AWS Lambda function to process image files uploaded to an S3 bucket. The bucket receives a mix of .jpg, .png, and .pdf files. The developer wants to invoke the Lambda function only for image files to reduce costs. Which configuration should the developer use?

A.Configure an S3 event notification with a prefix filter 'images/'
B.Configure an S3 event notification with a suffix filter '.jpg' and '.png'
C.Create a Lambda resource-based policy that denies invocation from S3 for .pdf objects
D.Add an S3 bucket policy that denies PutObject for any object that is not a .jpg or .png
Answer: B

Suffix filters allow you to invoke the Lambda function only for objects with specific file extensions, e.g., '.jpg' and '.png'.

Why this answer

Option B is correct because S3 event notifications support suffix filtering, allowing you to specify object key suffixes like '.jpg' and '.png'. This ensures the Lambda function is invoked only when objects with those extensions are uploaded, filtering out .pdf files and reducing unnecessary invocations and costs.

Exam trap

The trap here is that candidates confuse S3 event notification filters (which control which objects trigger the event) with resource-based policies (which control invocation permissions), leading them to choose option C or D instead of the correct suffix filter.

How to eliminate wrong answers

Option A is wrong because a prefix filter 'images/' would only filter objects whose key starts with 'images/', not by file type; .pdf files could still be uploaded to that prefix and trigger the function. Option C is wrong because a Lambda resource-based policy controls who can invoke the function, not which S3 objects trigger it; S3 event notifications are configured separately and cannot be filtered by a resource policy. Option D is wrong because an S3 bucket policy that denies PutObject for non-image files would prevent uploads of .pdf files entirely, which is not the requirement—the developer only wants to avoid processing them, not block them.
