AWS Certified Developer Associate DVA-C02 (DVA-C02) — Questions 526–600

1616 questions total · 22 pages · All types, answers revealed


Page 8 of 22

526
MCQ · easy

A developer is creating an API with Amazon API Gateway that needs to accept binary data (e.g., images) and store them directly in an S3 bucket. The developer wants to minimize backend complexity. Which integration type should be used?

A.AWS service integration with S3
B.Lambda proxy integration
C.HTTP integration
D.Mock integration
Answer: A

This allows API Gateway to directly interact with S3 to store objects, minimizing backend complexity.

Why this answer

AWS service integration (integration type AWS) lets API Gateway call the S3 PutObject action directly, so the image bytes go to the bucket without a Lambda function or any other backend. Two settings make this work: the API must list the incoming content types (for example image/png or image/*) under its binary media types so the payload is passed through unchanged rather than treated as text, and the integration must name an IAM role that API Gateway assumes, scoped to s3:PutObject on the target bucket only. This minimizes backend complexity because there is no custom code to write, deploy or patch.

Exam trap

The trap here is that candidates often default to Lambda proxy integration for any data processing task, overlooking that direct AWS service integration can handle binary uploads to S3 without any compute layer, which is the simplest and most cost-effective approach.

How to eliminate wrong answers

Option B (Lambda proxy integration) is wrong because it introduces unnecessary backend complexity by requiring a Lambda function to receive the binary data and then upload it to S3, adding compute cost and latency. Option C (HTTP integration) is wrong because it would require a separate HTTP endpoint (e.g., on EC2 or on-premises) to receive the data and then forward it to S3, defeating the goal of minimizing backend complexity. Option D (Mock integration) is wrong because it only returns static responses from API Gateway without actually storing any data in S3, so it cannot fulfill the requirement of persisting binary data.

527
MCQ · easy

A developer wants to encrypt data in transit between an API Gateway REST API and its clients. Which configuration should be used?

A.Use a custom domain name with a certificate from ACM.
B.Implement client-side encryption using a JavaScript library.
C.Use the default HTTPS endpoint provided by API Gateway.
D.Attach an AWS WAF web ACL to the API Gateway.
Answer: C

API Gateway automatically provides HTTPS for REST APIs, encrypting data in transit.

Why this answer

Option C is correct because API Gateway REST APIs are served only over HTTPS: the default execute-api endpoint terminates TLS with an Amazon-issued certificate, and there is no plain-HTTP listener a client could downgrade to. The developer only needs to use the default HTTPS URL provided by API Gateway to satisfy the requirement. If a custom domain is added later, the minimum TLS version is chosen through the domain's security policy, which should be set to TLS 1.2.

Exam trap

The trap here is that candidates often overcomplicate the solution by assuming a custom domain or additional services like WAF are needed for encryption, when the default HTTPS endpoint already provides TLS encryption for data in transit.

How to eliminate wrong answers

Option A is wrong because using a custom domain name with a certificate from ACM is an optional feature for branding or custom DNS, not a requirement for encrypting data in transit; the default HTTPS endpoint already provides encryption. Option B is wrong because client-side encryption using a JavaScript library encrypts data before sending it over the network, but it does not address the requirement of encrypting data in transit between the client and API Gateway; the transport layer (TLS) is already encrypted by the default HTTPS endpoint, and client-side encryption adds unnecessary complexity and is not a standard approach for transport encryption. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a mechanism for encrypting data in transit; it operates at the application layer and does not provide TLS/SSL encryption.

528
MCQ · medium

A Lambda function processing SQS messages is failing with concurrency errors. The function is configured with reserved concurrency of 5. The SQS queue has a batch size of 10. What is the most effective way to prevent throttling?

A.Reduce the batch size to 1 to spread out invocations.
B.Increase the Lambda function memory to get more concurrency.
C.Increase the reserved concurrency to a higher value.
D.Set the SQS queue's concurrency limit to match the Lambda reserved concurrency.
Answer: C

More reserved concurrency prevents throttling.

Why this answer

Option C is correct because the throttles come from the reserved concurrency cap of 5: the Lambda event source mapping polls the queue with several pollers and scales invocations up as the backlog grows, so once five executions are in flight every further batch is throttled. Throttled batches are not lost; they return to the queue after the visibility timeout and are retried, but each failed receive counts against the queue's maxReceiveCount and can push messages to the dead-letter queue. Raising (or removing) the reserved concurrency lets more batches execute in parallel.

Exam trap

The trap here is that candidates often confuse batch size with concurrency, thinking reducing batch size reduces load, but it actually increases invocation count and worsens throttling.

How to eliminate wrong answers

Option A is wrong because reducing the batch size to 1 turns each message into its own invocation, increasing concurrency pressure and making the throttling worse. Option B is wrong because memory affects CPU and cost, not the concurrency limit; the two settings are independent. Option D is wrong as worded because an SQS queue has no concurrency setting. The Lambda event source mapping does have one (its maximum concurrency setting), and in practice setting that equal to or below the function's reserved concurrency is the cleanest way to stop the poller from generating throttles, but that is a Lambda setting, not a queue setting.

529
MCQ · hard

A company wants to grant a third-party vendor access to an Amazon S3 bucket in the company's AWS account. The vendor has their own AWS account. The company requires the vendor to include a unique identifier in each request to verify their identity before granting access. Which policy element should the company include in the S3 bucket policy?

A.Condition with sts:ExternalId
B.Condition with aws:SourceArn
C.Condition with aws:SourceAccount
D.Principal element with the vendor's AWS account ID
Answer: A

Correct per the answer key. The external ID is a value the vendor must pass in the AssumeRole call; the sts:ExternalId condition key is checked against it, and the bucket policy then grants the assumed role.

Why this answer

The external ID is the standard defense against the confused deputy problem for third-party access: the company creates an IAM role that the vendor's account may assume, and the role's trust policy allows `sts:AssumeRole` only when the caller supplies the agreed external ID (`Condition: {"StringEquals": {"sts:ExternalId": "..."}}`). A vendor that serves many customers then cannot be tricked by one customer into using the role meant for another, because each customer's role demands a different value. A practical detail the question glosses over: `sts:ExternalId` exists only in the AssumeRole request context, so the condition lives in the role's trust policy rather than in the S3 bucket policy itself; the bucket policy (or the role's identity policy) then grants the S3 permissions to that role. Among the options, A is the only one that describes this per-request identifier.

Exam trap

The trap here is that candidates often confuse `aws:SourceArn` or `aws:SourceAccount` with identity verification, but these are used for resource-based policies to restrict based on the source of the request, not for enforcing a unique per-request identifier from a third-party vendor.

How to eliminate wrong answers

Option B is wrong because `aws:SourceArn` is used to restrict requests based on the ARN of the resource that originated the request, typically for services like SNS or S3 events, not for verifying a third-party vendor's identity with a unique identifier. Option C is wrong because `aws:SourceAccount` is used to restrict requests based on the AWS account ID of the resource that originated the request, but it does not enforce a unique, per-request identifier that the vendor must include. Option D is wrong because the `Principal` element only specifies which AWS account or IAM entity is allowed to access the bucket, but it does not enforce a unique identifier in each request; it merely grants access based on the account ID, which does not prevent confused deputy attacks or verify the vendor's specific identity per request.

530
MCQ · easy

A developer is creating an AWS Lambda function that processes messages from an Amazon SQS queue. The function should process each message only once. Which SQS queue type should the developer use?

A.Amazon SQS does not support exactly-once processing.
B.Dead-letter queue
C.FIFO queue
D.Standard queue
Answer: C

Guarantees exactly-once processing.

Why this answer

Option C is correct because FIFO queues provide exactly-once processing: a message with a given MessageDeduplicationId (set explicitly, or derived as a SHA-256 of the body when content-based deduplication is enabled) is accepted once within the 5-minute deduplication interval, so duplicates are not introduced into the queue. A redelivery can still happen if the consumer fails to delete the message before its visibility timeout expires, so the Lambda function should still be written to be idempotent. Option D is wrong because standard queues offer at-least-once delivery and may deliver duplicates. Option B is wrong because a dead-letter queue is a redrive target for failed messages, not a queue type that changes delivery semantics. Option A is wrong because SQS does support exactly-once processing, on FIFO queues.

531
MCQ · hard

A developer is using AWS Lambda to process sensitive data. The Lambda function needs to access a DynamoDB table that is encrypted with a customer-managed CMK. The developer is using the default Lambda execution role. What must be done to allow Lambda to decrypt the DynamoDB table?

A.Add a policy to the Lambda execution role allowing dynamodb:GetItem.
B.Add a policy to the KMS key that allows the Lambda execution role to perform kms:Decrypt.
C.Configure a VPC endpoint for DynamoDB.
D.Modify the Lambda function to call KMS Decrypt API.
Answer: B

DynamoDB uses KMS to decrypt on behalf of the caller.

Why this answer

Option B is correct because DynamoDB calls KMS on the caller's behalf when it reads an item from a table encrypted with a customer-managed key, and KMS authorizes that call against the key policy. The key policy (or an IAM policy on the role, if the key policy delegates to IAM) must let the Lambda execution role use the key; the DynamoDB encryption documentation's key-policy example grants the key-usage actions (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey) with a kms:ViaService condition of dynamodb.<region>.amazonaws.com, so the role can use the key only through DynamoDB and not to decrypt arbitrary ciphertext. Option A is wrong because dynamodb:GetItem is necessary but not sufficient; without KMS access the read fails with an access-denied error originating from KMS. Option C is wrong because a VPC endpoint changes the network path, not authorization. Option D is wrong because the function never handles the data key itself; DynamoDB performs the decryption.

532
MCQ · easy

A developer needs to grant an IAM role in the same AWS account read-only access to objects in a specific S3 bucket. The bucket is configured with a bucket policy that has an explicit Deny statement denying all principals except the root user. Which approach should the developer use to grant the required access?

A.Modify the bucket policy to allow the IAM role explicitly, or remove the Deny statement
B.Attach an IAM policy to the role that allows s3:GetObject on the bucket
C.Use an S3 access point instead of the bucket directly
D.Make the bucket public to allow all access
Answer: A

Correct. The bucket policy's explicit Deny must be adjusted to permit access to the IAM role.

Why this answer

The bucket policy contains an explicit Deny that overrides any Allow, including one granted by an IAM policy attached to the role. The developer therefore has to change the Deny statement itself: either remove it, or add the role to its exception list (the NotPrincipal element, or the aws:PrincipalArn values in its condition), and then grant s3:GetObject to the role. Merely adding an Allow statement next to the existing Deny would not help, because an explicit Deny in a resource-based policy wins over every Allow regardless of where the Allow comes from. When the exception uses NotPrincipal with a role, both the role ARN and the corresponding assumed-role session ARN must be listed, or sessions of the role are still denied.

Exam trap

The trap here is that candidates assume an IAM policy attached to the role is sufficient to override a bucket policy's explicit Deny, but they forget that explicit Deny always wins regardless of the source of the allow.

How to eliminate wrong answers

Option B is wrong because attaching an IAM policy that allows s3:GetObject to the role is insufficient; the explicit Deny in the bucket policy will still block access, as explicit Deny statements take precedence over any allow. Option C is wrong because an S3 access point uses the same underlying bucket policy; the explicit Deny in the bucket policy would still apply to requests made through the access point unless the bucket policy is modified. Option D is wrong because making the bucket public would grant access to everyone, which violates the principle of least privilege and does not specifically grant read-only access to the IAM role.

533
MCQ · hard

A developer is using AWS Lambda with Amazon API Gateway to build a REST API. The Lambda function is written in Node.js and uses the 'aws-sdk' to interact with DynamoDB. When the function is invoked, it consistently takes more than 10 seconds to complete, causing API Gateway to timeout (default timeout is 29 seconds). The developer wants to reduce latency. What should the developer do FIRST?

A.Increase the Lambda function timeout in the function configuration.
B.Switch from DynamoDB to Amazon RDS for faster queries.
C.Attach an IAM role to the Lambda function to speed up DynamoDB access.
D.Enable provisioned concurrency on the Lambda function to reduce cold starts.
Answer: D

Correct: Provisioned concurrency keeps instances warm, reducing latency.

Why this answer

Option D is the answer key's choice: provisioned concurrency pre-initializes execution environments so requests do not pay the cold-start (Init) cost, which for Node.js includes loading the SDK. Before buying provisioned concurrency, confirm the diagnosis from the function's REPORT log lines: Init Duration appears only on cold starts and is usually well under a second, so if warm invocations also take 10 seconds the handler itself is the real cost (for example creating a new DynamoDB client on every call, scanning instead of querying, or awaiting many sequential requests), and the fix is to create the client once outside the handler and cut round trips. Option A is wrong because raising the Lambda timeout lets a slow function run longer; it does nothing for latency. Option B is wrong because switching databases is a redesign, not a first step, and DynamoDB single-item reads take single-digit milliseconds. Option C is wrong because the function already has an execution role; permissions decide whether calls succeed, not how fast they run.
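Before reaching for provisioned concurrency it is worth separating Init time from handler time in the REPORT lines Lambda writes to CloudWatch Logs. The parser below is an added example, not part of the original question set or any AWS library; the five REPORT lines are constructed to mimic Lambda's tab-separated format, with two cold starts and three warm invocations whose handler time is still far above a 3-second target.

```python
import re
from statistics import median

# Constructed sample REPORT lines in the format Lambda writes to CloudWatch Logs (not real invocations).
SAMPLE_REPORT_LINES = (
    "REPORT RequestId: 1a2b\tDuration: 10412.33 ms\tBilled Duration: 10413 ms\tMemory Size: 128 MB\t"
    "Max Memory Used: 90 MB\tInit Duration: 812.45 ms\n"
    "REPORT RequestId: 2b3c\tDuration: 10288.10 ms\tBilled Duration: 10289 ms\tMemory Size: 128 MB\t"
    "Max Memory Used: 91 MB\n"
    "REPORT RequestId: 3c4d\tDuration: 10501.77 ms\tBilled Duration: 10502 ms\tMemory Size: 128 MB\t"
    "Max Memory Used: 91 MB\n"
    "REPORT RequestId: 4d5e\tDuration: 10350.02 ms\tBilled Duration: 10351 ms\tMemory Size: 128 MB\t"
    "Max Memory Used: 92 MB\tInit Duration: 798.10 ms\n"
    "REPORT RequestId: 5e6f\tDuration: 10299.60 ms\tBilled Duration: 10300 ms\tMemory Size: 128 MB\t"
    "Max Memory Used: 92 MB\n"
)

REQUEST_ID_RE = re.compile(r"RequestId: (\S+)")
# The handler's own time: "Duration" that is neither "Billed Duration" nor "Init Duration".
DURATION_RE = re.compile(r"(?<!Billed )(?<!Init )\bDuration: ([\d.]+) ms")
INIT_RE = re.compile(r"Init Duration: ([\d.]+) ms")  # present only on cold starts


def parse_report(line):
    """Return {"request_id", "duration_ms", "init_ms"} for a REPORT line, or None for any other line."""
    if not line.startswith("REPORT "):
        return None
    duration = DURATION_RE.search(line)
    rid = REQUEST_ID_RE.search(line)
    if not (duration and rid):
        return None
    init = INIT_RE.search(line)
    return {"request_id": rid.group(1), "duration_ms": float(duration.group(1)),
            "init_ms": float(init.group(1)) if init else None}


def summarize(log_text):
    """Split invocations into cold (have Init Duration) and warm, and report medians for each."""
    reports = [r for r in map(parse_report, log_text.splitlines()) if r]
    cold = [r for r in reports if r["init_ms"] is not None]
    warm = [r for r in reports if r["init_ms"] is None]
    return {"invocations": len(reports), "cold_starts": len(cold),
            "median_init_ms": median(r["init_ms"] for r in cold) if cold else None,
            "median_warm_duration_ms": median(r["duration_ms"] for r in warm) if warm else None}


def provisioned_concurrency_would_fix(summary, target_ms):
    """Provisioned concurrency removes only the Init phase. It is the right first move only when
    warm invocations already meet the latency target; otherwise the handler itself needs work."""
    warm = summary["median_warm_duration_ms"]
    return warm is not None and warm <= target_ms


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT_LINES)
    print(s)
    print("provisioned concurrency alone would fix a 3 s target:", provisioned_concurrency_would_fix(s, 3000))
```

Run it against real logs with `aws logs filter-log-events --log-group-name /aws/lambda/<function> --filter-pattern REPORT`; if the warm median is close to the cold median, as in the constructed sample, the latency is in the handler, not the cold start.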

534
MCQ · hard

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group of EC2 instances. The application is critical and must have zero downtime. The Auto Scaling group currently has 4 instances spread across 2 Availability Zones. Which predefined deployment configuration minimizes the number of instances taken out of service at any given time?

A.CodeDeployDefault.AllAtOnce
B.CodeDeployDefault.HalfAtATime
C.CodeDeployDefault.OneAtATime
D.CodeDeployDefault.LambdaCanary10Percent5Minutes
Answer: C

OneAtATime deploys to a single instance at a time, minimizing the number of instances offline and best preserving availability.

Why this answer

Option C, CodeDeployDefault.OneAtATime, is correct because it deploys the application to only one instance at a time, ensuring that the remaining instances continue to serve traffic. This minimizes the number of instances taken out of service at any given moment, which is critical for achieving zero downtime in an Auto Scaling group with 4 instances across 2 Availability Zones.

Exam trap

The trap here is that candidates may confuse deployment configurations designed for EC2 instances (like OneAtATime) with those for Lambda (like LambdaCanary10Percent5Minutes), or incorrectly assume HalfAtATime is the safest option without considering that OneAtATime minimizes the number of instances out of service even further.

How to eliminate wrong answers

Option A is wrong because CodeDeployDefault.AllAtOnce deploys to all instances simultaneously, taking all 4 instances out of service at once, which violates the zero-downtime requirement. Option B is wrong because CodeDeployDefault.HalfAtATime deploys to 2 instances at a time (half of 4), which takes more instances out of service than necessary compared to OneAtATime. Option D is wrong because CodeDeployDefault.LambdaCanary10Percent5Minutes is a deployment configuration for AWS Lambda functions, not for EC2 instances in an Auto Scaling group, and is therefore inapplicable.

535
MCQ · medium

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to download an object from my-bucket that was uploaded without server-side encryption. What happens?

A.The request succeeds because the condition only applies to PutObject.
B.The request is denied because the object is not encrypted with SSE-KMS.
C.The request is denied because the bucket policy requires encryption.
D.The request succeeds because the policy allows s3:GetObject.
Answer: B

Condition requires SSE-KMS.

Why this answer

Option B is correct for the exhibit as the question frames it: the Allow for s3:GetObject carries a StringEquals condition on s3:x-amz-server-side-encryption with the value aws:kms, the request does not satisfy it, and with no matching Allow the result is an implicit deny. Option A is wrong because the condition is attached to the GetObject statement, not only to PutObject. Option C is wrong because the exhibit is an identity-based IAM policy; no bucket policy is involved. Option D is wrong because the Allow is conditional, so s3:GetObject alone does not grant the request.

A practitioner caveat: s3:x-amz-server-side-encryption reflects a request header sent on PutObject and CopyObject, and GetObject requests carry no such header, so a StringEquals condition on it denies every download regardless of how the stored object is encrypted. Enforce encryption at upload time (or with default bucket encryption) and do not condition read access on this key.

536
MCQ · medium

A company uses AWS Secrets Manager to store database credentials. The application runs on Amazon EC2 instances with an IAM role attached. How should the application retrieve the secret securely?

A.Use AWS Systems Manager Parameter Store with a secure string parameter
B.Store the secret ID in an environment variable and use the AWS SDK to retrieve it
C.Store the secret in an S3 bucket with server-side encryption
D.Hardcode the secret in the application code
Answer: B

Using the IAM role, the application can call Secrets Manager with the secret ID stored in an environment variable.

Why this answer

The best practice is to let the instance role authenticate the call: the application reads only the secret's name or ARN from configuration (an environment variable here), calls secretsmanager:GetSecretValue through the SDK at runtime, and never stores the credential itself on disk, in the AMI or in source. The role's policy should allow secretsmanager:GetSecretValue on that secret's ARN only, plus kms:Decrypt on the key if the secret is encrypted with a customer-managed key. Cache the value in process and re-fetch it when a database login fails, so rotation does not require a restart. Option A is a different service and ignores the Secrets Manager secret the company already has; Option C moves the secret to a store with no rotation and coarser access control; Option D puts the credential in source control.
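The retrieval pattern described above, as an added example that is not part of the original question set or any AWS SDK: the secret ID comes from an environment variable (DB_SECRET_ID is an assumed name), the Secrets Manager client is injected so a constructed stand-in can replace boto3 offline, and the cache is invalidated the way an application would after a failed database login so a rotated password is picked up.

```python
import json
import os
import time


def parse_secret(response):
    """GetSecretValue returns SecretString (JSON for RDS-managed secrets) or SecretBinary (bytes in boto3)."""
    if "SecretString" in response:
        try:
            return json.loads(response["SecretString"])
        except json.JSONDecodeError:
            return {"value": response["SecretString"]}
    return {"value": response["SecretBinary"]}


class SecretCache:
    """Caches secrets in memory so the app does not call GetSecretValue on every request
    (the API is rate-limited and billed per call). invalidate() after a failed DB login so
    a rotated password is fetched without restarting the process."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock, self._entries = client, ttl_seconds, clock, {}

    def get(self, secret_id):
        cached = self._entries.get(secret_id)
        if cached and self._clock() - cached[0] < self._ttl:
            return cached[1]
        value = parse_secret(self._client.get_secret_value(SecretId=secret_id))
        self._entries[secret_id] = (self._clock(), value)
        return value

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)


REQUIRED_FIELDS = {"username", "password", "host", "port"}


def db_credentials(cache, env=os.environ):
    """Only the secret's name/ARN lives in configuration; DB_SECRET_ID is an assumed variable name."""
    secret_id = env.get("DB_SECRET_ID")
    if not secret_id:
        raise RuntimeError("DB_SECRET_ID is not set; refusing to fall back to a hardcoded credential")
    creds = cache.get(secret_id)
    missing = REQUIRED_FIELDS - creds.keys()
    if missing:
        raise ValueError(f"secret {secret_id} lacks fields: {sorted(missing)}")
    return creds


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') so the example runs offline.
    Each call returns a new password, which is how a rotated secret looks to the application."""

    def __init__(self):
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(
            {"username": "app", "password": f"rotated-{self.calls}", "host": "db.internal", "port": 3306})}


def fails_closed_without_secret_id():
    """True when a missing DB_SECRET_ID raises instead of silently using a default credential."""
    try:
        db_credentials(SecretCache(FakeSecretsManager()), env={})
    except RuntimeError:
        return True
    return False


def demo():
    """Two reads hit Secrets Manager once; invalidating (as after a failed login) fetches the rotated value."""
    fake = FakeSecretsManager()
    cache = SecretCache(fake)
    env = {"DB_SECRET_ID": "prod/app/db"}
    first = db_credentials(cache, env)
    second = db_credentials(cache, env)
    cache.invalidate("prod/app/db")
    third = db_credentials(cache, env)
    return {"calls": fake.calls, "first": first["password"], "second": second["password"],
            "third": third["password"]}


if __name__ == "__main__":
    # In production: cache = SecretCache(boto3.client("secretsmanager")); the instance role signs the calls.
    print(demo(), fails_closed_without_secret_id())
```

The only change for production is the client: `SecretCache(boto3.client("secretsmanager"))`, with the role's policy limited to secretsmanager:GetSecretValue on that secret's ARN.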

537
MCQ · hard

A company uses an Amazon S3 bucket to store sensitive documents. The security team requires that all objects uploaded to the bucket must be encrypted at rest using server-side encryption with a customer-managed KMS key (SSE-KMS). A developer needs to enforce this by denying any PutObject request that does not specify the required encryption. Which bucket policy condition should be used?

A."Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
B."Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
C."Condition": {"Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}
D."Condition": {"ArnNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
Answer: A

This condition key allows you to specify the exact KMS key ARN that must be used. A StringNotEquals condition will deny requests that do not use the correct key.

Why this answer

Option A is correct because the condition `s3:x-amz-server-side-encryption-aws-kms-key-id` with `StringNotEquals` explicitly denies any PutObject request that does not specify the exact customer-managed KMS key ARN. This enforces SSE-KMS with a specific key, meeting the security team's requirement that all objects must be encrypted at rest using that key.

Exam trap

The trap here is that candidates often confuse the condition key for the encryption type (`s3:x-amz-server-side-encryption`) with the condition key for the specific KMS key ID (`s3:x-amz-server-side-encryption-aws-kms-key-id`), leading them to pick Option B which only enforces SSE-KMS but not a specific customer-managed key.

How to eliminate wrong answers

Option B is wrong because `s3:x-amz-server-side-encryption` with the value `aws:kms` only checks that SSE-KMS is requested; it would accept any KMS key, including the AWS-managed aws/s3 key. Option C is wrong because the `Null` operator only checks whether the key-id header is present; a request naming some other KMS key would pass. Option D is wrong because `s3:x-amz-server-side-encryption-aws-kms-key-id` is a string-typed condition key and is compared with the String operators; `ArnNotEquals` is a valid IAM operator, but only for ARN-typed keys, and the S3 documentation's policy for this requirement uses `StringNotEquals`. Two practical caveats: S3 evaluates the bucket policy before applying default bucket encryption, so uploads that rely on the bucket default instead of sending the header are still rejected by this Deny; and a Deny only restricts, so legitimate uploads still need a matching Allow in the bucket policy or the uploader's identity policy.

538
MCQ · easy

A developer needs to encrypt data in an S3 bucket. The company requires that the encryption key be managed by AWS but with the ability to audit key usage. Which S3 encryption option should the developer use?

A.Server-Side Encryption with AWS KMS (SSE-KMS).
B.Client-side encryption.
C.Server-Side Encryption with S3-Managed Keys (SSE-S3).
D.Server-Side Encryption with Customer-Provided Keys (SSE-C).
Answer: A

SSE-KMS allows you to audit key usage via CloudTrail and manage keys centrally.

Why this answer

SSE-KMS uses AWS KMS to manage the key and provides CloudTrail logs for key usage. SSE-S3 does not provide separate audit logs for key usage. SSE-C requires the customer to manage keys.

Client-side encryption does not use S3 server-side encryption.

539
MCQ · medium

A developer is using AWS SAM to deploy a serverless application. The template includes a Lambda function that connects to an RDS MySQL database. The function works correctly in the developer's account but fails with a timeout when deployed to a production account. What is the MOST likely cause?

A.The Lambda function timeout is set too low for the database query.
B.The Lambda function is not attached to the same VPC as the RDS instance.
C.The SAM template does not support RDS as an event source.
D.The Lambda function uses a runtime that is not compatible with the MySQL client.
Answer: B

Lambda needs to be in the same VPC to access RDS privately.

Why this answer

Option B is correct: a Lambda function reaches a private RDS instance only when it is configured with subnets and a security group in the database's VPC, and the database security group allows inbound 3306 from the function's security group. That VPC configuration is account-specific, so a template that works in the developer's account can be deployed to production with a missing or wrong VpcConfig; the TCP connection then hangs until the function times out. Option A is wrong because the timeout is set in the same template and would fail identically in both accounts. Option C is wrong because the function connects to RDS as a client; RDS is not used as an event source here. Option D is wrong because the runtime is declared in the template and is the same in both accounts.

540
MCQ · medium

The developer invokes a Lambda function using the AWS CLI and gets the output shown. What is the most likely cause of the error?

A.The Lambda function code has a syntax error.
B.The Lambda function's execution role lacks permissions.
C.The event payload does not contain the expected data.
D.The Lambda function timed out.
Answer: C

The code assumes a property exists on the event object, but it is undefined.

Why this answer

The error 'Cannot read property 'x' of undefined' is a Node.js runtime TypeError: the code reads a property of something that is undefined, almost always because the test event does not have the structure the handler expects (for example event.body.x when the CLI invocation sent no body). Option A is wrong because a syntax error fails when the runtime loads the module, before the handler runs, with a different message. Option B is wrong because a permissions problem surfaces as an access-denied error from the service the function calls, not as a TypeError. Option D is wrong because a timeout produces a 'Task timed out after N seconds' message. Note that the CLI still reports StatusCode 200 because the Invoke API call itself succeeded; the function failure is signalled by the FunctionError field and the error payload, which is what a script should check.

541
Multi-Select · medium

A developer is deploying a web application using AWS Elastic Beanstalk. Which TWO configuration files can be used to customize the software that runs on the EC2 instances? (Select TWO.)

Select 2 answers
A..platform/hooks/
B.Dockerfile
C..ebextensions/*.config
D.appspec.yml
E.buildspec.yml
Answers: A, C

Used for custom platform hooks.

Why this answer

Option A is correct because the `.platform/hooks/` directory (with prebuild, predeploy and postdeploy subdirectories) holds executable scripts that Elastic Beanstalk runs at those points of a deployment on Amazon Linux 2 and later platforms, directly customizing the software on the instances. Option C is correct because `.ebextensions/*.config` files declare packages, files, users, commands and container_commands to run on the instances, plus option_settings for the environment; they remain supported alongside platform hooks, which are the preferred place for deployment-time scripts on current platforms.

Exam trap

The trap here is that candidates often confuse Elastic Beanstalk configuration files with other AWS services' configuration files (like CodeDeploy's appspec.yml or CodeBuild's buildspec.yml) or assume a Dockerfile is universally applicable, when in fact only `.platform/hooks/` and `.ebextensions/*.config` are the two valid options for customizing software on EC2 instances in Elastic Beanstalk.

542
MCQ · easy

A developer is reviewing a CloudFormation template that creates an S3 bucket and a Lambda function. The Lambda function's code is stored in the S3 bucket. What is a potential issue with this template?

A.The Lambda function's role is referenced incorrectly; it should be 'Ref' instead of 'GetAtt'.
B.The Lambda function depends on the S3 bucket, but there is no DependsOn clause to ensure the bucket is created first.
C.The bucket name 'my-unique-bucket-12345' is not globally unique.
D.The bucket must have versioning enabled to store Lambda code.
Answer: B

CloudFormation may attempt to create the Lambda function before the bucket exists, causing failure.

Why this answer

Option B is the answer key's choice: without a dependency, CloudFormation may create the function before the bucket exists and fail to fetch the code. In practice, if the Code property references the bucket with Ref, CloudFormation infers the dependency and DependsOn is redundant; the deeper problem is that the code object must already be in the bucket when the function is created, which cannot be true for a bucket the same stack is creating. The usual pattern is to upload the code to a pre-existing artifact bucket first (aws cloudformation package or sam package) and reference that bucket. Option A is wrong because Fn::GetAtt on the role's Arn is the correct way to reference the role; Ref on an IAM role returns its name. Option C is wrong because global uniqueness cannot be judged from the template, and a name clash would fail at bucket creation, independent of the Lambda function. Option D is wrong because versioning is optional for a code bucket; it matters only if S3ObjectVersion is used to pin a specific object version.

543
MCQ · easy

A developer needs to store temporary session data for a web application running on Amazon EC2 behind an Application Load Balancer. The data must be accessible across multiple EC2 instances. Which AWS service should the developer use?

A.Amazon ElastiCache
B.Amazon EBS
C.Amazon DynamoDB
D.Amazon S3
Answer: A

ElastiCache provides a fast, in-memory cache ideal for session data that needs to be shared across instances.

Why this answer

Option A is correct because ElastiCache (Redis or Memcached) provides a low-latency, in-memory store that every instance behind the load balancer can reach, so a session does not depend on which instance served the previous request. Option D is wrong because S3 is object storage with far higher per-request latency and no expiry model suited to short-lived sessions. Option C is wrong in this question's framing: DynamoDB with TTL is a workable session store, but it is a persistent database with higher latency than an in-memory cache for data that is by definition temporary. Option B is wrong because an EBS volume is attached to a single instance; Multi-Attach exists only for io1/io2 volumes within one Availability Zone and needs a cluster-aware filesystem, which is not a session-sharing design.

544
Multi-Select · medium

An API Gateway API returns 429 errors during load testing. Which two areas should the developer investigate first?

Select 2 answers
A.Usage plan or stage throttling limits
B.S3 lifecycle expiration rules
C.CloudFormation stack drift only
D.Account-level or method-level API Gateway throttling
Answers: A, D

Both answers point at throttling settings, which are what produce 429 responses from API Gateway.

Why this answer

A is correct because API Gateway uses usage plans (per API key) and stage-level settings to limit request rates. When a client exceeds the configured steady-state rate or burst limit, or exhausts a usage plan quota, API Gateway returns a 429 Too Many Requests error, so these limits are the first thing to compare against the load test's request rate. D is correct because API Gateway also enforces an account-level default of 10,000 requests per second with a burst of 5,000 requests per Region, which can be lowered per stage or per method; a load test that exceeds those limits also produces 429 responses even when no usage plan is attached.

Exam trap

The trap here is that candidates may overlook account-level throttling (option D) as a separate investigation area, but both usage plan/stage limits and account/method-level limits are valid first checks for 429 errors.

545
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database instance that is included in the Elastic Beanstalk environment. The developer wants to update the application code without affecting the database. What is the recommended approach?

A.Update the application code directly on the EC2 instances without redeploying the environment.
B.Create a new environment configuration, update the code, and swap the CNAME of the environments.
C.Decouple the database from the Elastic Beanstalk environment by creating a separate RDS instance and connecting the application to it externally.
D.Use Elastic Beanstalk's platform updates while keeping the database attached to the environment.
Answer: C

By creating an independent RDS instance and configuring the Elastic Beanstalk environment to connect to it via environment properties, the database is unaffected by application updates or environment changes.

Why this answer

Option C is correct because when an RDS instance is included in an Elastic Beanstalk environment, it is tied to the environment's lifecycle. If the environment is terminated or rebuilt, the database is also deleted. Decoupling the database by creating a standalone RDS instance and connecting the application to it externally ensures the database persists independently of application deployments, allowing code updates without risking data loss.

Exam trap

The trap here is that candidates assume swapping CNAMEs between environments (blue/green deployment) is sufficient to protect the database, but they overlook that the database is still lifecycle-managed within each environment and will be lost if the original environment is terminated.

How to eliminate wrong answers

Option A is wrong because directly updating code on EC2 instances bypasses Elastic Beanstalk's managed deployment process, leading to configuration drift and loss of rollback capability. Option B is wrong because swapping CNAMEs between environments does not decouple the database; the new environment would still have its own lifecycle-managed RDS instance, and the original database remains tied to the old environment. Option D is wrong because platform updates only update the Elastic Beanstalk platform version, not the application code, and the database remains lifecycle-coupled, so any environment rebuild or termination would still affect the database.

546
MCQ · medium

A developer is building a chat application using WebSockets. The application runs on multiple EC2 instances and needs to broadcast messages to all connected clients. Which AWS service can handle the WebSocket connections and route messages?

A.Amazon SQS with long polling
B.Application Load Balancer with WebSocket support
C.Amazon CloudFront with WebSocket support
D.Amazon API Gateway WebSocket API
Answer: D

API Gateway WebSocket API can manage connections and broadcast messages.

Why this answer

Option D is correct: an API Gateway WebSocket API terminates the client connections, assigns each one a connection ID, and lets any backend broadcast by calling the @connections management endpoint (PostToConnection) for every stored connection ID. Option B is wrong because an ALB passes WebSocket traffic through to the instance that accepted the connection but offers no connection registry or fan-out; the instances would need their own pub/sub layer to broadcast across each other. Option C is wrong because CloudFront can proxy WebSocket connections but does not manage or route messages. Option A is wrong because SQS is a queue for decoupled producers and consumers and does not hold WebSocket connections.

547
MCQ · easy

A company is using AWS CloudFormation to deploy a stack that includes an Amazon EC2 instance with an attached Amazon EBS volume. The developer wants to ensure that the EBS volume is deleted when the EC2 instance is terminated. The developer has set the DeletionPolicy attribute on the EBS volume resource to Delete. However, after terminating the EC2 instance through the console, the EBS volume is still present. The stack still exists. What is the most likely reason the volume was not deleted?

A.The EBS volume has a DeleteOnTermination attribute set to false.
B.The DeletionPolicy attribute only takes effect when the CloudFormation stack is deleted, not when an individual resource is terminated.
C.The EBS volume is the root device of the EC2 instance.
D.The EC2 instance was terminated manually, not through a stack update.
Answer: B

DeletionPolicy applies to stack deletion, not resource termination.

Why this answer

Option B is correct because DeletionPolicy is a CloudFormation attribute that governs what happens to a resource when the stack, or that resource during a stack update, is deleted; it plays no part when someone terminates the instance in the EC2 console. The stack still exists, the volume resource is still in it, and the stack is now drifted. Option A is wrong because DeleteOnTermination is a property of a block device mapping declared inside the instance; a separate AWS::EC2::Volume attached with AWS::EC2::VolumeAttachment is never deleted by instance termination, whatever its DeletionPolicy says. Option C is wrong because a root EBS volume is deleted on termination by default, so a surviving volume is evidence that it was a separately attached data volume. Option D is wrong as stated: the manual termination explains why CloudFormation took no action, but the volume survives because DeletionPolicy applies to stack deletion, not to how the instance was terminated.

548
MCQ · easy

A developer is using Amazon DynamoDB with provisioned throughput. The application is receiving ProvisionedThroughputExceededException errors. What is the BEST way to handle this error?

A.Contact AWS Support to increase the DynamoDB service limits.
B.Reduce the read and write capacity units.
C.Implement exponential backoff and retry in the application code.
D.Switch the table to on-demand capacity mode.
Answer: C

Exponential backoff allows the application to retry after a delay, reducing the chance of further throttling.

Why this answer

Option C is correct because ProvisionedThroughputExceededException is a transient signal that the table (or an index) is consuming more read or write capacity units than it has provisioned; retrying with exponential backoff and jitter spreads the requests out and usually succeeds once the burst passes. The AWS SDKs already retry throttled DynamoDB calls this way by default, so application-level handling means keeping that behaviour, bounding the number of retries, and failing cleanly when they are exhausted. Option A is wrong because the error is not a service quota: it is the table's own provisioned throughput setting, which the developer controls. Option D is wrong because switching to on-demand is a capacity change rather than error handling; it may be the right long-term fix, but the question asks how to handle the error, and even on-demand tables can throttle on a sudden spike well above the previous peak.

Option B is wrong because reducing capacity makes the throttling worse. If retries alone do not cure it, look for a hot partition key: backoff cannot fix traffic that all lands on one partition.
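The retry logic described above, as an added example that is not code from the original page: a full-jitter exponential backoff wrapper exercised against a constructed stand-in for a DynamoDB table that throttles its first calls. The exception class and the table are stand-ins defined in the block so it runs offline; in real code you would catch boto3's client.exceptions.ProvisionedThroughputExceededException, or rely on botocore's built-in retry modes (standard or adaptive), which implement the same idea.

```python
import random
import time


class ProvisionedThroughputExceededException(Exception):
    """Stand-in for boto3's client.exceptions.ProvisionedThroughputExceededException,
    defined here so the example runs offline."""


def call_with_backoff(operation, max_attempts=5, base_delay=0.05, max_delay=1.0,
                      sleep=time.sleep, rng=random.random):
    """Run operation() and retry on throttling with full-jitter exponential backoff.

    Returns (result, attempts_used). Re-raises the throttling error once
    max_attempts is exhausted so the caller fails loudly instead of spinning forever.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), attempt
        except ProvisionedThroughputExceededException:
            if attempt == max_attempts:
                raise
            # Full jitter: sleep a random time in [0, min(max_delay, base * 2^(attempt-1))].
            # The randomness stops every retrying client from waking up at the same instant.
            cap = min(max_delay, base_delay * (2 ** (attempt - 1)))
            sleep(rng() * cap)


class ThrottlingTable:
    """Constructed stand-in for a DynamoDB table that throttles its first `failures` calls."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def get_item(self, key):
        self.calls += 1
        if self.calls <= self.failures:
            raise ProvisionedThroughputExceededException("throttled")
        return {"Item": {"pk": key, "value": "ok"}}


def fetch_with_retry(failures, max_attempts=5):
    """Drive the retry loop against the fake table; records the sleeps instead of sleeping."""
    table = ThrottlingTable(failures)
    sleeps = []
    result, attempts = call_with_backoff(
        lambda: table.get_item("user#1"),
        max_attempts=max_attempts,
        sleep=sleeps.append,
    )
    return result, attempts, sleeps


if __name__ == "__main__":
    item, used, waits = fetch_with_retry(failures=2)
    print(item, "after", used, "attempts; backoff waits:", waits)
```

The sleep and random functions are injected so the loop can be tested deterministically; with two throttled calls the third attempt succeeds and the two recorded waits stay under 0.05 s and 0.1 s respectively, which is the doubling the paragraph describes.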

549
MCQeasy

A developer needs to share an S3 bucket with a third-party AWS account. The third-party will upload files to the bucket using their own IAM users. The developer creates a bucket policy that grants s3:PutObject to the third-party account's root user. However, the third-party reports that their IAM users cannot upload files. What is the MOST likely reason?

A.The third-party's IAM users do not have an IAM policy allowing s3:PutObject.
B.The bucket policy must include a condition requiring encryption.
C.The bucket policy should grant access to the IAM user ARN instead of the root user.
D.The developer must create IAM users in their own account for the third-party.
AnswerA

Cross-account access requires permissions from both sides.

Why this answer

Option A is correct because IAM evaluates a cross-account request on both sides: the bucket policy with Principal arn:aws:iam::<third-party-account>:root delegates access to that account as a whole, but an IAM user in the third-party account still needs an identity-based policy in their own account that allows s3:PutObject on the bucket. Without it the request is denied even though the bucket policy allows it. Option B is wrong because no encryption condition is involved; adding one would only create another reason to deny. Option C is wrong because granting to the account root is the standard delegation pattern; naming individual user ARNs would also work but is not the cause of the failure.

Option D is wrong because cross-account access does not require users in the bucket owner's account; that is exactly what the bucket policy plus the partner's own IAM policies provide. A caveat for once uploads work: unless the bucket uses the bucket-owner-enforced Object Ownership setting, objects written by another account are owned by the uploader, so enable that setting (or require the bucket-owner-full-control ACL) so the bucket owner can read and manage what was uploaded.

550
Multi-Selecthard

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS with Fargate. The pipeline has a deploy stage that uses Amazon ECS Blue/Green deployment. The deployment fails intermittently with a 'Task failed to start' error. The developer needs to troubleshoot the issue. Which THREE steps should the developer take? (Choose three.)

Select 3 answers
A.Review the CodeBuild build logs for errors.
B.Check the Amazon ECS service events for the task failure reason.
C.Validate that the task definition JSON is correctly formatted and references the correct container images.
D.Check the CloudFormation stack events for the ECS service.
E.Verify that the task execution IAM role has permissions to pull the container image from ECR.
AnswersB, C, E

ECS service events provide detailed failure reasons.

Why this answer

Options B, C, and E are correct because the ECS service events carry the reason a task could not be started, the task definition must be well formed and point at image tags that actually exist in ECR, and the task execution role is what ECS uses to pull the image and write logs, so a missing ecr:GetDownloadUrlForLayer or ecr:BatchGetImage grant produces exactly this symptom. Option A is wrong because CodeBuild logs cover the build stage; the failure is in the deploy stage. Option D is wrong because the deploy action is an ECS blue/green deployment, not a CloudFormation stack, so there are no stack events to consult.

551
MCQeasy

A developer runs the AWS CLI command to invoke a Lambda function synchronously. What does the output indicate?

A.The Lambda function executed successfully and returned a response.
B.The Lambda function failed validation.
C.The Lambda function was not found.
D.The Lambda function timed out.
AnswerA

StatusCode 200 indicates success, and response.json contains the output.

Why this answer

Option A is correct. With a synchronous (RequestResponse) invocation, a StatusCode of 200 means Lambda ran the function and the file named in the command (response.json in the exhibit) holds whatever the function returned. Check the FunctionError field as well: a handler that raises still produces StatusCode 200, with FunctionError set to Handled or Unhandled and the error details in the payload, so 200 alone does not prove the code succeeded. Option B is wrong because a request that fails validation is rejected with a 4xx error such as InvalidParameterValueException before anything runs.

Option C is wrong because a missing function returns a 404 ResourceNotFoundException. Option D is wrong because a timeout surfaces as FunctionError Unhandled with a 'Task timed out' message in the payload, not as a plain 200 with a normal response.

552
MCQeasy

Refer to the exhibit. A CloudFormation template creates an S3 bucket with a 'Retain' deletion policy and an EC2 instance. If the stack is deleted, what happens to the S3 bucket?

A.The S3 bucket is deleted along with the stack.
B.The S3 bucket is moved to a different account.
C.A snapshot of the S3 bucket is taken before deletion.
D.The S3 bucket is retained and must be deleted manually.
AnswerD

The 'Retain' policy preserves the resource.

Why this answer

Option D is correct because the 'Retain' deletion policy on the S3 bucket overrides the default stack deletion behavior. When a CloudFormation stack is deleted, any resource with a 'DeletionPolicy' set to 'Retain' is preserved in the AWS account, even though the resource is removed from the stack's template. The bucket continues to exist independently and must be manually deleted by the user via the AWS Management Console, CLI, or SDK.

Exam trap

The trap here is that candidates may assume all resources are automatically deleted when a stack is deleted, overlooking the 'DeletionPolicy' attribute that can override this default behavior for specific resources like S3 buckets.

How to eliminate wrong answers

Option A is wrong because the 'Retain' deletion policy explicitly prevents the S3 bucket from being deleted when the stack is deleted; without this policy, the bucket would be deleted by default. Option B is wrong because CloudFormation does not have any mechanism to move resources to a different account during stack deletion; the bucket remains in the same AWS account. Option C is wrong because CloudFormation does not take snapshots of S3 buckets; snapshot functionality is specific to Amazon EBS volumes, not S3.

553
MCQhard

A Lambda function connects to an RDS database and causes too many database connections during traffic spikes. Which service should be introduced?

A.AWS Glue Data Catalog
B.Amazon RDS Proxy
C.Amazon Route 53 Resolver
D.AWS WAF
AnswerB

Correct for the stated requirement.

Why this answer

Amazon RDS Proxy sits between your Lambda function and the RDS database, managing a pool of established database connections. During traffic spikes, Lambda can rapidly scale up concurrent executions, each potentially opening a new database connection, which can exhaust the database's maximum connections. RDS Proxy reuses connections from the pool, reducing the number of open connections and preventing database overload, while also improving connection handling efficiency for serverless applications.

Exam trap

The trap here is that candidates might confuse AWS WAF (a web firewall) or Route 53 (DNS) with database connection management, or incorrectly think that Glue Data Catalog can somehow cache or pool database connections, when in fact only RDS Proxy directly addresses the connection scaling issue for Lambda and RDS.

How to eliminate wrong answers

Option A is wrong because AWS Glue Data Catalog is a metadata repository for data assets in AWS Glue and Athena, not a connection pooling or proxy service for RDS databases. Option C is wrong because Amazon Route 53 Resolver is a DNS service for resolving domain names within VPCs, and it does not manage database connections or connection pooling. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting, but it does not handle database connection management or pooling.

554
MCQhard

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function. The command succeeds, but the function returns an error. The developer wants to see the error message and logs from the function execution. What should the developer add to the command?

A.--client-context string
B.--qualifier alias
C.--invocation-type Event
D.--log-type Tail
AnswerD

This returns the last 4 KB of log data.

Why this answer

Option D is correct because --log-type Tail asks Lambda to return the last 4 KB of the execution log in the LogResult field of the response, base64-encoded, alongside FunctionError and the error payload written to the output file; it only works with synchronous (RequestResponse) invocations. Option A is wrong because --client-context passes application data into the function's context object and returns nothing extra.

Option B is wrong because --qualifier selects which version or alias to run. Option C is wrong because --invocation-type Event makes the call asynchronous: Lambda returns 202 immediately with no payload and no logs, the opposite of what the developer wants.
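The response handling from questions 551 and 554 together, as an added example that is not code from the original page: a parser for the Invoke response that refuses to treat StatusCode 200 as success while FunctionError is set, and that decodes the base64 LogResult returned by --log-type Tail. The two sample responses are constructed, not captured from a real account; the request IDs in them are placeholders.

```python
import base64
import json


def parse_invoke_response(response):
    """Interpret a Lambda Invoke response (boto3 dict or the CLI's JSON) without trusting StatusCode alone.

    StatusCode 200 only means Lambda ran the function synchronously; a failure inside the
    function is reported separately via FunctionError ('Handled' or 'Unhandled') with the
    error details in Payload. LogResult is base64 and only present for --log-type Tail.
    """
    payload_raw = response.get("Payload", b"")
    if hasattr(payload_raw, "read"):          # boto3 hands back a StreamingBody
        payload_raw = payload_raw.read()
    if isinstance(payload_raw, bytes):
        payload_raw = payload_raw.decode("utf-8")
    payload = json.loads(payload_raw) if payload_raw else None
    logs = base64.b64decode(response["LogResult"]).decode("utf-8") if response.get("LogResult") else ""
    function_error = response.get("FunctionError")
    result = {"ok": response.get("StatusCode") == 200 and function_error is None,
              "status": response.get("StatusCode"), "function_error": function_error,
              "error_type": None, "error_message": None, "payload": payload, "logs": logs}
    if function_error and isinstance(payload, dict):
        result["error_type"] = payload.get("errorType")
        result["error_message"] = payload.get("errorMessage")
    return result


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed responses (not captured from a real account) for a handler that raised KeyError.
SAMPLE_FAILED = {
    "StatusCode": 200,
    "FunctionError": "Unhandled",
    "ExecutedVersion": "$LATEST",
    "LogResult": _b64("START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST\n"
                      "[ERROR] KeyError: 'userId'\n"
                      "END RequestId: 00000000-0000-0000-0000-000000000000\n"),
    "Payload": json.dumps({"errorType": "KeyError", "errorMessage": "'userId'"}).encode(),
}
SAMPLE_OK = {"StatusCode": 200, "ExecutedVersion": "$LATEST",
             "Payload": json.dumps({"statusCode": 200, "body": "{}"}).encode()}


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAILED):
        parsed = parse_invoke_response(sample)
        print("ok" if parsed["ok"] else f"failed: {parsed['error_type']}: {parsed['error_message']}")
        if parsed["logs"]:
            print(parsed["logs"])
```

In a deployment script the same check is what should gate a pipeline step: exit non-zero when ok is false, and print the decoded logs so the failure reason is visible without opening CloudWatch.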

555
MCQhard

A developer is trying to update a CloudFormation stack that includes a Lambda function. The stack rolls back with the error shown. What is the most likely cause?

A.The Lambda function's execution role lacks permissions to write logs to CloudWatch.
B.The Lambda function's deployment package is not stored in Amazon S3.
C.The Lambda function's code is too large for the deployment.
D.The Lambda function's execution role does not have a trust policy that allows Lambda to assume it.
AnswerD

Lambda needs to assume the role, so the trust policy must include lambda.amazonaws.com.

Why this answer

Option D is correct because the rollback error (the exhibit's message that the role defined for the function cannot be assumed by Lambda) means the execution role's trust policy does not list lambda.amazonaws.com as a principal allowed to call sts:AssumeRole; Lambda validates this when the function is created or updated, so CloudFormation fails the resource and rolls the stack back. Option A is wrong because missing CloudWatch Logs permissions show up at run time as missing logs, not as a stack update failure. Option B is wrong because the deployment package may be inline or in S3, and neither choice produces a role error.

Option C is wrong because an oversized package fails with a size-limit error, not an assume-role error.

556
MCQmedium

A developer is using AWS CodePipeline to deploy a web application. The pipeline includes a source stage from CodeCommit, a build stage using CodeBuild, and a deploy stage using CodeDeploy to EC2 instances. The application stores sensitive data in an S3 bucket. The developer needs to ensure that the S3 bucket is only accessible from the EC2 instances and not from any other AWS service or account. The EC2 instances have an IAM role that allows s3:GetObject. What additional configuration is required?

A.Use SSE-KMS encryption on the bucket.
B.Enable S3 Block Public Access on the bucket.
C.Add a bucket policy that allows access only from the VPC endpoint or specific IP addresses of the EC2 instances.
D.Move the sensitive data to a different S3 bucket and update the application.
AnswerC

Restricts access to the instances.

Why this answer

Option C is correct because a bucket policy that restricts access to requests arriving through a specific VPC endpoint (or from the instances' addresses) ensures that only requests from those sources are honoured. This complements the IAM role's s3:GetObject permission with a network-level condition, so other services or accounts are refused even when they hold valid IAM credentials. In practice the statement is written as a Deny for every principal whose request does not carry the expected aws:SourceVpce value (StringNotEquals), which also blocks principals in other accounts regardless of their own permissions. Note that aws:SourceIp matches the public IP seen by S3; instances that reach S3 through a gateway endpoint present no public IP, so aws:SourceVpce (or aws:SourceVpc) is the condition to use in that design.

Exam trap

The trap here is that candidates often confuse encryption (SSE-KMS) or public access controls (Block Public Access) with network-level access restrictions, failing to realize that IAM permissions alone are insufficient to prevent access from other AWS services or accounts that have their own valid credentials.

How to eliminate wrong answers

Option A is wrong because SSE-KMS encryption protects data at rest but does not control access to the bucket; it only ensures data is encrypted, not who can read it. Option B is wrong because S3 Block Public Access prevents public access from the internet but does not restrict access from other AWS services or accounts that have valid IAM credentials. Option D is wrong because moving the data to a different bucket does not solve the access control issue; the same problem would persist unless additional restrictions are applied.

557
Multi-Selecteasy

Which TWO AWS services can be used to deploy and manage containerized applications? (Choose two.)

Select 2 answers
A.Amazon EC2
B.Amazon ECS
C.Amazon RDS
D.AWS Lambda
E.Amazon EKS
AnswersB, E

ECS is a container orchestration service.

Why this answer

Amazon ECS is a container orchestration service that schedules and runs containers on EC2 or Fargate. Amazon EKS is a managed Kubernetes control plane for the same purpose. AWS Lambda can run functions packaged as container images, but it is a function runtime, not a service for deploying and managing containerized applications.

Amazon EC2 provides the virtual machines that ECS and EKS can schedule onto but does not manage containers itself. Amazon RDS is a managed relational database service.

558
Multi-Selecthard

A company has an IAM policy that allows s3:GetObject for all users in the account. However, a specific user is receiving access denied errors. Which TWO possible causes should the developer investigate?

Select 2 answers
A.An SCP at the organization level denies s3:GetObject.
B.The user is using an incorrect region endpoint.
C.The user's IAM role has an attached policy that denies s3:GetObject.
D.The S3 bucket is in a different AWS account.
E.A bucket policy explicitly denies the user.
AnswersA, E

SCPs can deny even if IAM allows.

Why this answer

An explicit Deny anywhere in the evaluation overrides any Allow, so a bucket policy that denies this user (E) or a service control policy on the account or OU that denies s3:GetObject (A) both produce AccessDenied even though the identity-based policy allows the action. The other options do not fit the symptom: a wrong regional endpoint returns a redirect or a 400 error rather than AccessDenied, the question says the grant is on users rather than a role, and a bucket in another account would affect every user in the account, not one.
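The evaluation rules behind questions 549 and 558, as an added example that is not code from the original page: a simplified model of IAM's policy evaluation logic (Condition elements, permissions boundaries and session policies are left out) run against constructed policies and account IDs. It shows why the third-party user in question 549 is denied until their own identity policy allows the action, and why an explicit Deny in a bucket policy or SCP overrides the account-wide Allow in question 558.

```python
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _stmt_matches(stmt, request):
    """Action and Resource match with IAM's '*'/'?' wildcards (Condition keys are not modelled)."""
    return (any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt.get("Action")))
            and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt.get("Resource", "*"))))


def _principal_matches(stmt, request):
    """Resource-policy Principal match. 'arn:aws:iam::ACCOUNT:root' means the whole account:
    it delegates to that account, whose own IAM policies must then grant the caller."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS")):
        if p in ("*", request["principal_arn"]):
            return True
        if p.endswith(":root") and p.split(":")[4] == request["principal_account"]:
            return True
    return False


def _decide(statements):
    effects = {s["Effect"] for s in statements}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)


def evaluate(request, identity_policy, resource_policy=None, scp=None):
    """Return 'Allow' or 'Deny'. Simplified rules: an explicit Deny anywhere wins; the SCP must
    Allow; same-account access needs an Allow from the identity OR the resource policy;
    cross-account access needs an Allow from BOTH."""
    identity = _decide([s for s in identity_policy["Statement"] if _stmt_matches(s, request)])
    resource = _decide([s for s in (resource_policy or {"Statement": []})["Statement"]
                        if _stmt_matches(s, request) and _principal_matches(s, request)])
    scp_decision = "Allow" if scp is None else _decide(
        [s for s in scp["Statement"] if _stmt_matches(s, request)])
    if "Deny" in (identity, resource, scp_decision) or scp_decision != "Allow":
        return "Deny"
    if request["principal_account"] == request["resource_account"]:
        return "Allow" if "Allow" in (identity, resource) else "Deny"
    return "Allow" if identity == "Allow" and resource == "Allow" else "Deny"


# Constructed accounts, policies and requests (placeholders, not a real environment).
BUCKET_OWNER, THIRD_PARTY = "111111111111", "222222222222"
BUCKET = "arn:aws:s3:::shared-bucket"
ALICE = f"arn:aws:iam::{BUCKET_OWNER}:user/alice"

CROSS_ACCOUNT_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
    "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY}:root"}, "Resource": f"{BUCKET}/*"}]}
NO_S3_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
UPLOADER_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_GET_SCP = {"Statement": FULL_ACCESS_SCP["Statement"]
                + [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}
DENY_ALICE_BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Action": "s3:GetObject",
    "Principal": {"AWS": ALICE}, "Resource": f"{BUCKET}/*"}]}


def third_party_upload(identity_policy):
    """Question 549: an IAM user in the third-party account uploads into the bucket owner's bucket."""
    return evaluate({"principal_arn": f"arn:aws:iam::{THIRD_PARTY}:user/uploader",
                     "principal_account": THIRD_PARTY, "resource_account": BUCKET_OWNER,
                     "action": "s3:PutObject", "resource": f"{BUCKET}/report.csv"},
                    identity_policy, CROSS_ACCOUNT_BUCKET_POLICY)


def alice_read(bucket_policy=None, scp=FULL_ACCESS_SCP):
    """Question 558: a same-account user whose identity policy allows s3:GetObject on everything."""
    return evaluate({"principal_arn": ALICE, "principal_account": BUCKET_OWNER,
                     "resource_account": BUCKET_OWNER, "action": "s3:GetObject",
                     "resource": f"{BUCKET}/report.csv"},
                    {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
                    bucket_policy, scp)
```

Running third_party_upload with the partner's no-S3 policy returns Deny and with the uploader policy returns Allow; alice_read returns Allow by default, Deny with the per-user bucket Deny, and Deny under the SCP that denies s3:GetObject. The model deliberately encodes the asymmetry that trips people up: in the same account either policy type can grant, across accounts both must.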

559
MCQmedium

A company uses AWS OpsWorks to manage a stack of EC2 instances. After a deployment, the application becomes unresponsive. The engineer suspects that a configuration file was not updated correctly. What is the best way to verify the deployed configuration?

A.Use AWS Systems Manager Run Command to execute a script that outputs the configuration.
B.Check the OpsWorks stack's logs for any JSON syntax errors in the custom JSON.
C.SSH into an instance and inspect the configuration files in /var/lib/aws/opsworks.
D.Review the application logs in Amazon CloudWatch Logs for configuration errors.
AnswerC

This location contains the applied configuration, allowing verification of what was actually deployed.

Why this answer

Option C is correct because OpsWorks Stacks writes the stack configuration and deployment attributes it applied (including the custom JSON) to the instance under /var/lib/aws/opsworks, so inspecting that directory shows exactly what the agent used for the run. Option A is wrong because Run Command is a general-purpose tool that is not tied to OpsWorks and only shows whatever files you script it to read. Option B is wrong because malformed custom JSON makes the deployment fail rather than succeed with the wrong settings.

Option D is wrong because the application's own logs may show that the app misbehaves but do not reliably record which configuration was rendered.

560
MCQeasy

A developer is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment is configured with a 'OneAtATime' deployment configuration. The developer notices that the deployment is taking a long time. What is the most likely reason?

A.The deployment group is configured with an incorrect load balancer.
B.The Auto Scaling group has a large number of instances, and deploying one at a time is slow.
C.The deployment configuration is set to 'AllAtOnce', but the developer intended 'OneAtATime'.
D.The CodeDeploy agent on the instances is not running.
AnswerB

OneAtATime deploys sequentially.

Why this answer

Option B is correct because OneAtATime deploys to a single instance at a time and waits for each to succeed, so wall-clock time grows linearly with the number of instances in the Auto Scaling group. Option A is wrong because a misconfigured load balancer causes failed or stuck deployments, not merely slow ones. Option C is wrong because AllAtOnce is the fastest configuration and contradicts the stated setting.

Option D is wrong because an instance without a running CodeDeploy agent fails the deployment after the lifecycle event timeout instead of simply proceeding slowly.

561
Multi-Selecthard

A developer is optimizing an application that uses Amazon DynamoDB. The application reads items by primary key and also performs queries on a Global Secondary Index (GSI). The developer notices that some queries on the GSI are slow. Which TWO actions would improve the performance of GSI queries? (Choose TWO.)

Select 2 answers
A.Use a more distributed GSI partition key to avoid hot partitions.
B.Ensure that the GSI key attribute exists on all items that need to be queried.
C.Increase the read capacity of the GSI.
D.Use strongly consistent reads on the GSI.
E.Increase the write capacity of the DynamoDB table.
AnswersA, B

A hot partition can cause throttling; a more distributed key spreads read traffic evenly.

Why this answer

Options A and B are correct. Option A: the GSI partition key determines how index items are spread across the index's partitions; a low-cardinality or skewed key (a status flag, for example) funnels reads onto one hot partition, which is throttled even while the index as a whole has capacity to spare. Option B: a GSI is sparse, so an item that lacks the index key attribute is never written into the index and a query against the GSI cannot find it; making sure every item that must be queryable carries the attribute is what makes the index complete for that access pattern.

Option C is wrong because in provisioned mode a GSI has its own read capacity, separate from the base table, and raising it helps only when the symptom is throttling rather than slow queries; it is a capacity change, not a query optimization. Option D is wrong because a GSI supports only eventually consistent reads; a request for strongly consistent reads on a GSI is rejected. Option E is wrong because write capacity on the base table has no effect on read latency of the index.

562
MCQeasy

A developer deploys a new version of an AWS Lambda function using the AWS CLI. After deployment, the function returns stale results. What is the most likely cause?

A.The function's environment variables are cached and not updated.
B.The Lambda function alias is still pointing to the previous version.
C.The Amazon CloudFront distribution is caching the old response.
D.The Lambda function's code is cached by the Lambda service.
AnswerB

Aliases are used to point to specific versions; if not updated, the old code runs.

Why this answer

When a developer deploys a new version of a Lambda function using the AWS CLI without updating the function alias, the alias continues to point to the previous version. Invoking the function via the alias (e.g., via an API Gateway endpoint or a CloudFront origin) will execute the old code, returning stale results. The `$LATEST` version is updated, but unless the alias is repointed, it does not automatically use the new code.

Exam trap

The trap here is that candidates may assume deploying new code automatically updates the invoked version, overlooking that aliases must be explicitly repointed to the new version to change which code is executed.

How to eliminate wrong answers

Option A is wrong because environment variables are not cached; they are read from the function's configuration at invocation time and are updated immediately when the function is deployed with new environment variables. Option C is wrong because CloudFront caching is a separate concern; while it can serve stale responses, the question states the function itself returns stale results, and CloudFront would only cache the HTTP response, not the Lambda execution output directly. Option D is wrong because the Lambda service does not cache the function's code in a way that persists across deployments; the new code is immediately available when the function version is updated, and the issue is about which version is being invoked, not code caching.

563
Multi-Selecthard

A developer is designing a system to store sensitive user data in Amazon S3. The data must be encrypted at rest and the encryption keys must be rotated annually. Which services can be used to meet these requirements? (Choose THREE.)

Select 3 answers
A.Amazon S3 SSE-KMS
B.AWS Secrets Manager
C.AWS Certificate Manager (ACM)
D.AWS KMS
E.AWS CloudHSM
AnswersA, B, D

SSE-KMS uses KMS keys that can be rotated.

Why this answer

Amazon S3 SSE-KMS (server-side encryption with keys held in AWS KMS) encrypts objects at rest with a KMS key (older documentation calls it a customer master key, CMK). For a customer managed key you enable automatic rotation in KMS; the rotation period defaults to once every 365 days, which meets the annual requirement, and the AWS managed key aws/s3 is rotated yearly by AWS. Rotation generates new key material for future encryption while KMS retains the earlier material to decrypt existing objects, so previously written data does not need to be re-encrypted.

Exam trap

The trap here is that candidates often confuse AWS KMS with AWS CloudHSM, thinking both offer automatic key rotation, but CloudHSM leaves rotation to you and has no native integration with S3 server-side encryption.

564
MCQmedium

A Lambda function must share reusable validation code across several functions without packaging the same library into every deployment artifact. What should be used?

A.Lambda layer
B.API Gateway usage plan
C.S3 multipart upload
D.CloudWatch metric filter
AnswerA

Correct for the stated requirement.

Why this answer

Lambda layers allow you to centrally manage reusable code (e.g., validation libraries) and share it across multiple Lambda functions without packaging it into each deployment artifact. When you attach a layer to a function, the layer's content is extracted into the /opt directory, making it available at runtime. This avoids duplication and simplifies updates, as you only need to update the layer version rather than every function's deployment package.

Exam trap

The trap here is that candidates may confuse Lambda layers with other AWS services that handle 'sharing' (like API Gateway usage plans for sharing API access) or 'packaging' (like S3 multipart upload for large files), but only Lambda layers are designed to share code and dependencies across functions without repackaging.

How to eliminate wrong answers

Option B is wrong because API Gateway usage plans are used to throttle and quota API requests, not to share code across Lambda functions. Option C is wrong because S3 multipart upload is a mechanism for uploading large objects in parts, not for distributing reusable code to Lambda functions. Option D is wrong because CloudWatch metric filters are used to extract metric data from log streams, not to share or package code for Lambda.

565
MCQeasy

A developer is writing a Lambda function that processes images uploaded to an S3 bucket. The function needs to extract metadata from the image. Which S3 feature can be used to automatically trigger the Lambda function?

A.S3 Events
B.S3 Inventory
C.S3 Transfer Acceleration
D.S3 Batch Operations
AnswerA

S3 Events can trigger Lambda function executions on object creation events.

Why this answer

Amazon S3 Events can be configured to send a notification when an object is created (e.g., via PutObject) in an S3 bucket. This event can directly invoke an AWS Lambda function, making it the correct service to automatically trigger the function upon image upload. The developer simply needs to set up an S3 event notification with the Lambda function as the destination.

Exam trap

The trap here is that candidates may confuse S3 Batch Operations (which can invoke Lambda functions for batch processing) with real-time event triggers, but Batch Operations require a manual job initiation and do not automatically fire on each upload.

How to eliminate wrong answers

Option B (S3 Inventory) is wrong because it is used to generate a list of objects and their metadata for auditing or compliance, not to trigger real-time event-driven actions. Option C (S3 Transfer Acceleration) is wrong because it only speeds up uploads over long distances using edge locations, it has no mechanism to invoke Lambda functions. Option D (S3 Batch Operations) is wrong because it performs bulk actions (like copying or tagging) on existing objects via a job, not real-time event triggering upon object creation.

566
MCQeasy

A developer uses AWS CodePipeline with a manual approval step before deployment. The developer wants to ensure that if a new commit is pushed while a pipeline execution is waiting for approval, the waiting execution is canceled and a new one starts with the latest commit. Which pipeline execution mode should be configured?

A.Queued
B.Superseded
C.Parallel
D.Single
AnswerB

Superseded mode cancels the current execution (if it is still in progress) and starts a new one with the latest changes.

Why this answer

The Superseded execution mode is designed to automatically cancel any in-progress pipeline execution when a new commit is pushed, and start a new execution with the latest source changes. This ensures that the manual approval step does not block newer commits, as the waiting execution is replaced by the one triggered by the latest commit. In contrast, other modes either queue or run executions in parallel, which would not cancel the waiting approval step.

Exam trap

The trap here is that candidates may confuse Superseded with Queued, thinking that queuing will handle the latest commit, but Queued only delays execution without canceling the waiting approval step.

How to eliminate wrong answers

Option A is wrong because Queued mode places new executions in a queue, waiting for the current execution to complete before starting the next one, which would not cancel the waiting approval step. Option C is wrong because Parallel mode allows multiple executions to run concurrently, which would not cancel the waiting execution and could lead to multiple approvals or deployments. Option D is wrong because Single mode is not a valid execution mode in AWS CodePipeline; the valid modes are Queued, Superseded, and Parallel.

567
MCQhard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an API Gateway endpoint backed by a Lambda function. The developer wants to enable canary deployments to shift traffic gradually. Which SAM resource attribute should they configure?

A.DeploymentPreference
B.StageName
C.Events
D.AutoPublishAlias
AnswerA

DeploymentPreference enables canary, linear, or all-at-once deployments.

Why this answer

Option A is correct because DeploymentPreference on AWS::Serverless::Function configures a CodeDeploy deployment (Canary10Percent5Minutes, Linear10PercentEvery1Minute, AllAtOnce, and so on) that shifts alias traffic between the previous and new function versions, with optional pre- and post-traffic hooks and CloudWatch alarms that trigger rollback. Option D is not the answer but is required alongside it: AutoPublishAlias creates the versions and the alias that CodeDeploy shifts traffic between, yet on its own it performs no gradual shift. Option B is wrong because StageName names the API Gateway stage.

Option C is wrong because Events declares the function's event sources.

568
MCQhard

A development team wants to automate the deployment of a microservices application on Amazon ECS with Fargate. The team uses AWS CodePipeline for CI/CD. Each microservice has its own source repository and Dockerfile. The team wants to build Docker images, push them to Amazon ECR, and deploy them to ECS. Which approach minimizes manual effort and follows best practices?

A.Use AWS CodeDeploy to deploy to ECS with a blue/green deployment.
B.Use AWS CloudFormation to create the infrastructure and manually trigger updates.
C.Use AWS CodePipeline with a build stage in CodeBuild and a deploy stage that uses the ECS deploy provider.
D.Use AWS CodeBuild to build and push images, then manually update the ECS service.
AnswerC

CodePipeline natively supports ECS deployment.

Why this answer

Option C is correct because CodePipeline can run a CodeBuild stage that builds the image, pushes it to ECR and emits an imagedefinitions.json artifact, followed by a deploy stage using the Amazon ECS deploy provider that registers a new task definition revision and updates the service, with no manual step per microservice. Option B is wrong because manually triggered updates bypass the pipeline. Option D is wrong because manually updating the service after each build is exactly the manual effort the team wants to remove.

Option A is wrong because CodeDeploy blue/green on ECS is a valid deployment style but adds a CodeDeploy application, deployment group and second target group that the stated requirement does not call for.

569
MCQeasy

A developer is designing a microservices architecture where each service runs in its own Amazon ECS container. Services need to communicate with each other. The developer wants to simplify service discovery and load balancing. Which AWS service should the developer use?

A.AWS Cloud Map
B.Elastic Load Balancing
C.Amazon ECS service discovery
D.Amazon Route 53
AnswerA

AWS Cloud Map provides service discovery for resources like ECS tasks.

Why this answer

Option A is correct because AWS Cloud Map is the service discovery registry: it keeps a namespace of service names with the IPs and ports of healthy ECS tasks, queryable by DNS or API. Option D is wrong because Route 53 alone is a DNS service; Cloud Map manages the Route 53 records for the instances it discovers. Option B is wrong because Elastic Load Balancing distributes traffic but does not let services find each other by name.

Option C is not the answer because ECS service discovery is an ECS feature that registers tasks into Cloud Map on the service's behalf; the question asks for the AWS service that provides the discovery, which is Cloud Map.

570
Multi-Selecthard

Which TWO AWS services can be used to send messages between microservices in a decoupled manner? (Choose two.)

Select 2 answers
A.Amazon SQS
B.Amazon SNS
C.AWS Lambda
D.Amazon MQ
E.Amazon Kinesis Data Streams
AnswersA, B

Decouples components via message queues.

Why this answer

Options A (Amazon SQS) and B (Amazon SNS) are correct: SQS is a queue that buffers messages until a consumer pulls them, and SNS is a pub/sub topic that fans messages out to subscribers; in both cases producer and consumer need not know about each other. Option E (Amazon Kinesis Data Streams) is built for ordered, replayable streaming data rather than simple service-to-service messaging.

Option C (AWS Lambda) is a compute service, not a messaging channel. Option D (Amazon MQ) is a managed broker that also decouples services but is chosen when an application already depends on a broker protocol such as AMQP or MQTT; the native, serverless choices are SQS and SNS.

571
MCQmedium

A company is using AWS Lambda functions to process events from Amazon S3. The functions are writing logs to CloudWatch Logs. Recently, they noticed that some logs are missing and the functions are experiencing throttling errors. What is the MOST likely cause?

A.The CloudWatch Logs log group retention policy is set too low.
B.The Lambda function's reserved concurrency is set to a low value.
C.The Lambda function's IAM role lacks permissions to write to CloudWatch Logs.
D.The S3 bucket is sending too many event notifications.
AnswerB

Reserved concurrency limits the number of concurrent executions, causing throttling when exceeded.

Why this answer

Option B is correct because reserved concurrency caps how many instances of the function can run at once; when S3 delivers more events than that, the extra invocations are throttled and, since a throttled invocation never starts, it writes no log lines, which explains both symptoms. Option A is wrong because a short retention period deletes old log data but throttles nothing. Option D is wrong because a high event rate is only a problem when it exceeds the concurrency the function is allowed; S3 notifications are asynchronous and Lambda retries throttled asynchronous invocations before giving up.

Option C is wrong because a role without CloudWatch Logs permission lets the function run (and log nothing) without any throttling.

572
MCQhard

An application uses a custom KMS key to encrypt data. The application runs on an EC2 instance. To decrypt data, the application must call KMS. What is the BEST practice to securely provide the KMS key ID to the application?

A.Hardcode the key ID in the application code
B.Store the key ID in a configuration file on the instance
C.Retrieve the key ID using the instance's IAM role
D.Use an environment variable to pass the key ID to the application
AnswerD

Environment variables are a secure way to pass configuration to applications.

Why this answer

Option D is correct because an environment variable keeps the key identifier out of the code and the deployment artifact and can be changed per environment without a rebuild. Option B is wrong because a configuration file on the instance is treated here as a less controlled location than the process environment. Option A is wrong because hardcoding ties any key change or rotation to a code release.

Option C is wrong because an IAM role supplies credentials and permissions, not the key ID itself. A practitioner's caveat: a KMS key ID or ARN is an identifier, not a secret; what actually protects the data is the instance role's permission to call kms:Decrypt combined with the key policy, and referencing the key by alias lets you move to a new key without touching the application.

573
Multi-Selecteasy

A developer needs to monitor the performance of an Amazon RDS for MySQL database. Which TWO metrics should the developer monitor to detect a potential CPU bottleneck?

Select 2 answers
A.FreeStorageSpace
B.DatabaseConnections
C.CPUUtilization
D.NetworkThroughput
E.ReadLatency
AnswersB, C

High connection count can lead to CPU contention.

Why this answer

Options B and C are correct: CPUUtilization is the direct measurement, and DatabaseConnections rising in step with it points to the load that is driving the CPU. Option A is wrong because FreeStorageSpace tracks disk capacity.

Option E is wrong because ReadLatency reflects storage I/O, not CPU. Option D is wrong because NetworkThroughput measures bytes on the wire.

574
Multi-Selecteasy

A developer is using AWS CloudFormation to manage infrastructure. The developer needs to update a stack that contains a resource that requires replacement. Which TWO actions can the developer take to perform the update with minimal downtime?

Select 2 answers
A.Use a change set and execute it, allowing CloudFormation to replace the resource.
B.Use the 'Stack Policy' to prevent replacement.
C.Delete the stack and recreate it.
D.Create a new stack with the updated resource and then update the DNS to point to the new stack.
E.Use AWS CodeDeploy with a blue/green deployment to manage the replacement.
AnswersD, E

This blue/green approach minimizes downtime.

Why this answer

Options D and E are correct because both keep the old resource serving while the replacement is created and verified: a parallel stack cut over by a DNS change is blue/green at the stack level, and CodeDeploy blue/green does the same at the deployment level. Option A is wrong because executing a change set that replaces the resource still creates the new resource and then deletes the old one inside a single update; the change set previews the replacement but does not avoid the interruption. Option B is wrong because a stack policy that denies Update:Replace blocks the update outright; it protects the resource but does not perform the change.

Option C is wrong because deleting and recreating the stack takes everything down.

575
MCQeasy

A developer is building a serverless REST API using Amazon API Gateway and AWS Lambda. The API should return JSON responses to client requests. The developer is using the Lambda proxy integration. What is the simplest way to return a JSON response from the Lambda function?

A.Return a string from the Lambda handler.
B.Return a dictionary containing 'statusCode', 'headers', and 'body' with 'body' as a JSON string.
C.Use API Gateway integration response and mapping templates to transform the Lambda output.
D.Return a JSON object from Lambda and set a Content-Type header in the API Gateway method response.
AnswerB

This format satisfies the API Gateway proxy integration contract, allowing the client to receive a proper JSON response.

Why this answer

With Lambda proxy integration, API Gateway passes the entire request to the Lambda function and expects the function to return a specific response format. The simplest way to return a JSON response is to return a dictionary (or object) containing 'statusCode', 'headers', and 'body', where 'body' is a JSON string. This format is required by API Gateway to correctly interpret the Lambda output and forward it to the client.

Exam trap

The trap here is that candidates often think returning a JSON object directly from Lambda is sufficient, but they overlook the requirement that the body must be a JSON string and the response must include the exact 'statusCode', 'headers', and 'body' keys for API Gateway proxy integration to work correctly.

How to eliminate wrong answers

Option A is wrong because returning a plain string from the Lambda handler will cause API Gateway to fail or return an unexpected response, as it expects a properly formatted response object. Option C is wrong because using API Gateway integration response and mapping templates adds unnecessary complexity; with proxy integration, the Lambda function itself is responsible for formatting the response, and mapping templates are not used. Option D is wrong because simply returning a JSON object from Lambda without the required 'statusCode', 'headers', and 'body' structure will not be parsed correctly by API Gateway, and setting a Content-Type header in the method response does not address the required Lambda response format.

576
MCQhard

A developer is deploying a web application on EC2 instances behind an Application Load Balancer. The application needs to authenticate users via a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The developer wants to offload authentication to the ALB. Which configuration is required?

A.Install and configure an OIDC client on the EC2 instances.
B.Configure Amazon Cognito as an identity provider and integrate with the ALB.
C.Register the third-party IdP as an OIDC identity provider in IAM, then configure the ALB listener rule to authenticate users using that provider.
D.Create an IAM role for the EC2 instances that allows them to assume the identity of the user.
AnswerC

ALB can authenticate against any OIDC-compliant IdP registered in IAM.

Why this answer

Option C is correct because ALB can authenticate users via OIDC by configuring a listener rule that uses an OIDC IdP. The developer must register the IdP in IAM as an OIDC identity provider, then configure the ALB listener rule to use that provider. Option B is incorrect because Cognito is not required if the IdP supports OIDC directly.

Option A is incorrect because the ALB handles authentication, not the EC2 instances. Option D is incorrect because IAM roles are for AWS services, not user authentication.

577
Drag & Dropmedium

Drag and drop the steps to deploy a containerized application using AWS ECS with Fargate in the correct order.

Why this order

First define the task, then create the cluster, register the task definition, create the service, and optionally attach a load balancer.

578
MCQhard

A developer is building a real-time chat application using WebSocket APIs in Amazon API Gateway. The backend is an AWS Lambda function that stores connection IDs in an Amazon DynamoDB table. After a few days, the application stops working for new users. The developer checks CloudWatch Logs and sees that the Lambda function is returning 'AccessDeniedException' when calling DynamoDB. What is the MOST likely cause?

A.The Lambda function code was updated but the IAM role was not reattached.
B.The Lambda function uses an outdated AWS SDK version.
C.The API Gateway route was updated without redeploying the API.
D.The DynamoDB table was recreated and the Lambda function's IAM role still references the old table ARN.
AnswerD

If the table ARN changed, the IAM policy must be updated to allow access to the new table.

Why this answer

Option D is correct because the Lambda execution role must be updated when the DynamoDB table is recreated with a new ARN. Option A is wrong because Lambda function code updates don't change IAM roles. Option C is wrong because API Gateway permissions affect invocation, not DynamoDB access.

Option B is wrong because an SDK version mismatch would cause different errors.

579
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. A developer needs to allow an IAM role in the production account to read objects from an S3 bucket in the development account. The bucket is encrypted with an AWS KMS customer managed key (CMK) in the development account. Which of the following is required to enable this cross-account access?

A.Grant the production account's root user access to the KMS key and the S3 bucket.
B.Add a bucket policy allowing the production account's IAM role and a KMS key policy granting the same role.
C.Create an IAM role in the production account with permissions to access the S3 bucket and KMS key.
D.Enable S3 bucket logging to allow cross-account access.
AnswerB

The bucket policy grants access to the bucket, and the KMS key policy allows decryption of encrypted objects.

Why this answer

Option B is correct because cross-account access to an S3 bucket encrypted with a KMS customer managed key requires both a bucket policy that grants the production account's IAM role s3:GetObject permission and a KMS key policy that grants the same role kms:Decrypt permission. The bucket policy authorizes the S3 operation, while the key policy authorizes decryption of the object; both policies must explicitly allow the cross-account principal.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, forgetting that KMS-encrypted objects require a separate key policy grant for the decrypt permission.

How to eliminate wrong answers

Option A is wrong because granting the production account's root user access is overly broad and unnecessary; the principle of least privilege requires granting only the specific IAM role, not the entire root account. Option C is wrong because creating an IAM role in the production account with permissions to access the S3 bucket and KMS key does not solve the cross-account authorization; the development account's bucket policy and KMS key policy must explicitly allow the production account's role, not just the role having permissions in its own account. Option D is wrong because enabling S3 bucket logging only records access events and does not grant any cross-account permissions; it is irrelevant to authorization.

580
MCQhard

A company runs a microservices application on Amazon ECS with Fargate. The application includes a service that processes messages from an SQS queue. The service's CPU utilization is consistently above 80%, and messages are accumulating in the queue. The service is configured with a desired count of 2 tasks and auto scaling based on CPU utilization. What should a developer do to improve message processing throughput?

A.Increase the desired count of tasks to 5.
B.Increase the task size to use more CPU and memory.
C.Change the auto scaling metric to use the SQS queue's ApproximateNumberOfMessagesVisible.
D.Decrease the batch size of messages polled from SQS.
AnswerC

Queue-based scaling is more direct and responsive.

Why this answer

Option C is correct because using SQS-based metrics (e.g., ApproximateNumberOfMessagesVisible) for auto scaling is more responsive to queue depth than CPU utilization. Option B is wrong because increasing task size may help but does not address the scaling trigger. Option A is wrong because increasing the desired count without a scaling policy will not adapt to load.

Option D is wrong because reducing batch size reduces throughput.

581
MCQmedium

A developer is using AWS CodePipeline to deploy a web application to an Auto Scaling group. The pipeline includes a deploy action that uses CodeDeploy. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' Which of the following is the MOST likely cause?

A.The CodeDeploy agent is not sending logs to CloudWatch.
B.The deployment configuration has a minimum healthy instances setting that is too restrictive.
C.The application's lifecycle hooks are failing during the ApplicationStop event.
D.The instances were launched from an AMI that does not have the CodeDeploy agent installed.
AnswerB

The error indicates too few healthy instances.

Why this answer

Option B is correct because if the deployment configuration's minimum healthy instances setting is too restrictive, the deployment may fail when instances become unhealthy. Option D is wrong because CodeDeploy can deploy to any instance, regardless of how it was launched. Option C is wrong because the ApplicationStop hooks may be failing, but the error indicates a health issue.

Option A is wrong because the CodeDeploy agent sends logs to CloudWatch, but that would not cause the error.

582
MCQeasy

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the files and write results to a DynamoDB table. What is the MOST secure way to grant the necessary permissions?

A.Attach a resource-based policy to the S3 bucket and DynamoDB table allowing access from the Lambda function.
B.Create an IAM execution role for Lambda with permissions to read from S3 and write to DynamoDB.
C.Configure the S3 bucket policy to allow the Lambda function's ARN.
D.Store AWS access keys in the Lambda environment variables.
AnswerB

Execution roles are the best practice for Lambda permissions.

Why this answer

Option B is correct because Lambda execution roles are the recommended way to grant permissions to Lambda functions. Option A is wrong because resource-based policies on S3 and DynamoDB are used for cross-account access, not for granting a Lambda function its own permissions. Option D is wrong because hardcoding credentials is insecure.

Option C is wrong because S3 bucket policies do not grant Lambda permissions; they grant access to the bucket.

583
MCQhard

A developer is building a REST API using API Gateway and Lambda. The API must support multiple HTTP methods and use a custom domain name with an SSL certificate. The developer wants to enable caching for the /products GET endpoint to reduce latency. Which step is essential to enable caching for this specific endpoint?

A.Set the TTL (time-to-live) for the /products GET method to a non-zero value.
B.Enable caching on the /products GET method and specify cache key parameters.
C.Flush the API cache to start fresh.
D.Enable caching on the API stage and set the 'Cache Status' to 'AVAILABLE'.
AnswerB

This configures caching specifically for that method.

Why this answer

Caching is enabled at the stage level but can be overridden per method by enabling caching on the method and setting the cache key parameters. Enabling caching on the stage without configuring the method does not cache responses for that method unless the method inherits the stage setting. Setting the TTL is not the essential step.

Flushing the cache clears it; it does not enable caching.

584
MCQhard

A team wants CloudFormation to prevent accidental deletion of a production DynamoDB table during stack updates. What should they configure?

A.A larger write capacity setting
B.A Lambda layer
C.An API Gateway usage plan
D.DeletionPolicy or UpdateReplacePolicy Retain as appropriate
AnswerD

Correct for the stated requirement.

Why this answer

The DeletionPolicy attribute with a value of Retain instructs AWS CloudFormation to preserve the DynamoDB table when its stack resource is deleted during a stack update or stack deletion. Similarly, UpdateReplacePolicy Retain ensures that if a resource replacement is required during an update, the existing table is kept rather than deleted. This directly prevents accidental data loss by overriding CloudFormation's default behavior of deleting resources that are removed from the template or replaced.

Exam trap

The trap here is that candidates may confuse operational settings (like write capacity) or unrelated services (Lambda layers, API Gateway) with CloudFormation's resource lifecycle policies, missing the direct purpose of DeletionPolicy and UpdateReplacePolicy.

How to eliminate wrong answers

Option A is wrong because a larger write capacity setting only affects DynamoDB's throughput performance and has no impact on resource lifecycle or deletion prevention. Option B is wrong because a Lambda layer is used to package runtime dependencies for Lambda functions and does not influence CloudFormation's resource deletion behavior. Option C is wrong because an API Gateway usage plan throttles and monitors API requests for billing or rate-limiting purposes and is unrelated to CloudFormation stack resource protection.

585
Multi-Selectmedium

Which TWO actions should a developer take to optimize cost and performance for a Lambda function that processes real-time streaming data from Amazon Kinesis? (Choose 2.)

Select 2 answers
A.Enable provisioned concurrency to reduce cold starts.
B.Increase the Lambda function memory to improve processing speed.
C.Use a larger Kinesis shard count.
D.Enable the parallelization factor to process multiple batches concurrently per shard.
E.Increase the batch size to process more records per invocation.
AnswersD, E

Parallelization factor improves throughput without increasing shards.

Why this answer

Increasing batch size and enabling parallelization factor reduce the number of Lambda invocations and improve throughput. Provisioned concurrency is for latency, not cost/performance optimization for Kinesis. Increasing memory may be needed but not directly for cost optimization.

586
MCQmedium

A developer is debugging an issue where an Amazon S3 bucket policy is not allowing cross-account access for a user from another AWS account. The bucket policy grants access to the other account's root user. The IAM user in the other account has an IAM policy that allows s3:GetObject on the bucket. When the user tries to download an object, they get an Access Denied error. What is the most likely cause?

A.The bucket is encrypted with SSE-KMS and the user does not have kms:Decrypt permission
B.The bucket policy does not specify the user's ARN
C.The object's ACL is set to private
D.The IAM policy does not include s3:ListBucket
AnswerA

SSE-KMS requires explicit kms:Decrypt permission on the customer master key. Without it, even valid S3 permissions result in Access Denied.

Why this answer

The most likely cause is that the bucket is encrypted with SSE-KMS. When an S3 bucket uses AWS KMS customer master keys (CMKs) for server-side encryption, the bucket policy granting access to the root user of the other account is not sufficient. The IAM user in the other account must also have explicit kms:Decrypt permission on the KMS key, because S3 GetObject calls require decrypting the object before returning it.

Without this KMS permission, the request fails with Access Denied even though the S3 bucket policy and IAM policy appear correct.

Exam trap

The trap here is that candidates assume a valid S3 bucket policy and IAM policy are sufficient, forgetting that KMS encryption adds an independent authorization layer that requires explicit kms:Decrypt permissions, which is a common oversight in cross-account S3 access scenarios.

How to eliminate wrong answers

Option B is wrong because the bucket policy grants access to the other account's root user, which covers all IAM users and roles in that account by default; specifying the individual user's ARN is not required. Option C is wrong because object ACLs are evaluated after bucket policies, and if the bucket policy explicitly grants access, a private object ACL would be overridden (unless the bucket policy has a condition denying access). Option D is wrong because s3:ListBucket is only needed for listing objects (e.g., GET Bucket (List Objects) requests), not for downloading a specific object using s3:GetObject.

587
Multi-Selecthard

A developer is creating a CI/CD pipeline for a serverless application using AWS CodePipeline. The application includes Lambda functions and an API Gateway REST API. The pipeline should automatically deploy changes when code is pushed to a Git repository. Which THREE actions are required to set this up? (Choose THREE.)

Select 3 answers
A.Use AWS CloudFormation with a template to deploy the infrastructure.
B.Create a CodeCommit repository to store the source code.
C.Use AWS CodeStar to create a project dashboard.
D.Use CodeDeploy to deploy the application to Lambda.
E.Use AWS CodeBuild to run unit tests and package the application.
AnswersA, B, E

CloudFormation can deploy Lambda and API Gateway resources.

Why this answer

Options A, B, and E are correct. CodePipeline needs a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). Option D is wrong because CodeDeploy is for EC2/Lambda, but CloudFormation is more appropriate for serverless resources.

Option C is wrong because CodeStar is not required.

588
MCQhard

A developer is troubleshooting an AWS Lambda function that processes streaming data from Amazon Kinesis Data Streams. The function processes records in batches. The developer notices that the function often experiences high latency even though the average invocation rate is well below the account concurrency limit. Which action would MOST effectively reduce latency?

A.Increase the batch size for the Kinesis event source mapping.
B.Enable reserved concurrency for the function.
C.Increase the number of shards in the Kinesis data stream.
D.Use provisioned concurrency for the function.
AnswerD

Provisioned concurrency keeps execution environments initialized, eliminating cold starts and reducing invocation latency.

Why this answer

Provisioned concurrency pre-warms a specified number of execution environments, eliminating cold starts and ensuring that the function can handle sudden bursts of traffic without latency spikes. Since the function processes streaming data from Kinesis and experiences high latency despite low average concurrency, the issue is likely cold starts or initialization overhead, which provisioned concurrency directly mitigates.

Exam trap

The trap here is that candidates often confuse concurrency limits (reserved concurrency) with performance optimization, or assume that increasing shards or batch sizes will always reduce latency, when in fact the root cause is cold start latency that provisioned concurrency directly addresses.

How to eliminate wrong answers

Option A is wrong because increasing the batch size may reduce the number of invocations but can increase per-record processing latency and risk of timeout, especially if records are large or processing is complex. Option B is wrong because reserved concurrency only caps the maximum concurrency for the function to prevent it from competing with other functions; it does not reduce latency or address cold starts. Option C is wrong because increasing the number of shards increases parallelism and throughput but does not reduce per-invocation latency caused by cold starts or initialization; it may even exacerbate the problem by creating more concurrent invocations that each face cold starts.

589
Multi-Selectmedium

Which THREE of the following are valid use cases for AWS Lambda? (Choose three.)

Select 3 answers
A.Processing records from a DynamoDB Stream in real time
B.Running a scheduled task every hour to clean up old database records
C.Serving as a web server for a static website
D.Hosting a long-running web application with WebSockets
E.Processing objects uploaded to an S3 bucket
AnswersA, B, E

DynamoDB Streams can trigger Lambda for real-time processing.

Why this answer

Correct: A, B, and E. Lambda can process S3 events, run scheduled tasks via CloudWatch Events, and process DynamoDB Streams. Option D is wrong because Lambda is not suitable for long-running applications; the maximum execution time is 15 minutes.

Option C is wrong because Lambda cannot be used as a web server like EC2; it is event-driven and stateless.

590
MCQhard

A developer is designing a serverless application that processes large files uploaded to Amazon S3. Each file can be up to 5 GB. The processing involves extracting metadata and generating thumbnails. The developer wants to minimize processing time and cost. Which approach should the developer take?

A.Use S3 Object Lambda to process the object as it is being retrieved.
B.Use an S3 event notification to invoke a Lambda function that copies the object to an EC2 instance for processing.
C.Use AWS Fargate to run a container that polls S3 for new objects and processes them.
D.Use an S3 event notification to invoke a Lambda function that downloads the file, processes it, and uploads results.
AnswerA

S3 Object Lambda processes data in-stream, minimizing data transfer and cost.

Why this answer

Option A is correct because S3 Object Lambda allows processing data on the fly without downloading the entire object, reducing data transfer and cost. Option D is wrong because Lambda has a 15-minute timeout and may not handle large files efficiently. Option C is wrong because Fargate is overkill for metadata extraction and thumbnail generation.

Option B is wrong because transferring to EC2 adds cost and complexity.

591
Matchingmedium

Match each AWS tool or feature to its description.

Infrastructure as Code

PaaS for web apps

Automated code deployment

Distributed tracing

Key management encryption

Why these pairings

These tools are commonly used for deployment, monitoring, and security.

592
MCQeasy

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The developer runs 'sam deploy' and receives an error: 'Error: Failed to create changeset for the stack.' What is a common cause of this error?

A.The SAM template contains a syntax error.
B.The S3 bucket specified for artifacts does not exist.
C.The IAM user does not have permission to create CloudFormation stacks.
D.AWS CodeDeploy is not configured for the application.
AnswerA

A malformed template prevents CloudFormation from creating a changeset, resulting in this error.

Why this answer

Option A is correct because the SAM template must be valid JSON or YAML; malformed syntax causes the changeset creation to fail. Options B, C, and D are incorrect: a missing S3 bucket causes a different error, insufficient IAM permissions cause an authorization error, and CodeDeploy is not involved in SAM deployments.

593
MCQmedium

A company is using Amazon CloudFront to distribute static content from an S3 bucket. The content is updated frequently, but users see stale content. The developer wants to ensure that new content is served as soon as possible after an update. Which action should be taken?

A.Enable 'Origin Shield' to reduce the number of requests to S3.
B.Set the 'Minimum TTL' to 0 and 'Default TTL' to 0.
C.Set the 'Object Caching' to 0 in the CloudFront distribution.
D.Create a CloudFront invalidation for the updated files.
AnswerD

Invalidation removes objects from edge caches.

Why this answer

Option D is correct because creating a CloudFront invalidation for the updated objects ensures the edge caches are refreshed. Option C is wrong because 'Object Caching' can be set to 0, but that increases origin load. Option B is wrong because a 'Minimum TTL' of 0 allows caching but does not clear the existing cache.

Option A is wrong because 'Origin Shield' reduces origin load but does not invalidate the cache.

594
Multi-Selectmedium

A developer is designing a serverless application using AWS Lambda and Amazon S3. The application must process files immediately after they are uploaded to an S3 bucket. Which TWO services can be used to trigger the Lambda function?

Select 2 answers
A.Amazon Kinesis Data Streams
B.Amazon CloudWatch Events
C.Amazon SQS
D.Amazon SNS
E.AWS Lambda S3 event notifications
AnswersD, E

S3 can send event notifications to SNS, which can then invoke the Lambda function.

Why this answer

Options D and E are correct. S3 can publish events to SNS, and SNS can invoke Lambda via a subscription. S3 can also directly invoke Lambda via S3 event notifications.

Option C is incorrect because SQS cannot directly invoke Lambda; it requires a Lambda trigger configured with SQS as the event source. Option A is incorrect because Kinesis Data Streams is not a direct S3 event target. Option B is incorrect because CloudWatch Events can schedule Lambda but cannot trigger on S3 events directly without a custom solution.

595
MCQhard

An IAM policy attached to an IAM user. What is the effect of this policy on the user's ability to delete objects in the bucket my-bucket?

A.The user can delete objects from any IP address.
B.The user is denied the ability to delete objects regardless of source IP.
C.The user can delete objects only if the source IP is not 192.0.2.0/24.
D.The user can delete objects only if the source IP is 192.0.2.0/24.
AnswerB

No Allow statement exists for DeleteObject, so implicit deny applies.

Why this answer

Option B is correct. The Deny statement carries a condition that denies s3:DeleteObject only when the source IP is NOT in 192.0.2.0/24. For a request from an address inside that range, the condition is not met, so the Deny statement does not apply; but the policy contains no Allow statement for DeleteObject, so the default implicit deny applies. For a request from outside the range, the explicit Deny applies.

Either way the user cannot delete objects. Had there been an Allow for DeleteObject, it would have taken effect for requests from inside the range; without one, deletion is always denied.

596
Multi-Selectmedium

A DynamoDB query must support lookup by email address as well as by user ID. Which two changes may be required?

Select 2 answers
A.Create a secondary index with email as a key
B.Scan the full table for every login
C.Choose projection attributes needed by the query
D.Disable partition keys
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because a Global Secondary Index (GSI) or Local Secondary Index (LSI) on the email attribute allows DynamoDB to efficiently query by email address without scanning the entire table. Since the primary key is user ID, querying by email requires an index that uses email as the partition key or sort key. Option C is correct because specifying projection attributes limits the data returned from the index or table, reducing read capacity consumption and improving performance.

Exam trap

The trap here is that candidates may think a Scan is acceptable for low-volume logins, but the exam emphasizes that any production authentication system must use an index to avoid full table scans and meet latency requirements.

597
MCQeasy

A developer is using AWS CloudFormation to create a stack that includes an EC2 instance. The stack creation fails because the instance type is not supported in the selected Availability Zone. What should the developer do?

A.Delete the stack and start over.
B.Change the instance type to one that is supported.
C.Update the stack to specify a different subnet or not specify an Availability Zone.
D.Create the stack in a different region.
AnswerC

CloudFormation can choose an AZ automatically.

Why this answer

Option C is correct because when an EC2 instance type is not supported in a specific Availability Zone (AZ), the developer can update the CloudFormation stack to either specify a different subnet (which implicitly selects a different AZ) or omit the Availability Zone parameter entirely, allowing AWS to automatically choose an AZ where the instance type is supported. This avoids the need to delete the stack or change the instance type, preserving other stack resources and configurations.

Exam trap

The trap here is that candidates assume the only fix is to change the instance type (Option B) or restart from scratch (Option A), overlooking CloudFormation's ability to update the stack's subnet or AZ selection to match the instance type's availability.

How to eliminate wrong answers

Option A is wrong because deleting the stack and starting over is unnecessary and inefficient; the issue can be resolved by updating the stack's subnet or AZ specification without losing existing resources. Option B is wrong because changing the instance type may not be desirable if the developer specifically needs that instance type for performance or cost reasons; the problem is the AZ constraint, not the instance type itself. Option D is wrong because creating the stack in a different region is an overreaction; the instance type is likely supported in other AZs within the same region, and changing regions could introduce latency, cost, or compliance issues.

598
MCQmedium

A developer is troubleshooting an AWS Lambda function that writes items to an Amazon DynamoDB table. The function frequently fails with ProvisionedThroughputExceededException. The table has provisioned write capacity of 500 write capacity units (WCUs). The function has reserved concurrency of 10, and each invocation writes 10 items of approximately 1 KB each. There are no other writers to the table. What is the most likely cause of the throttling?

A.The function is writing to a single partition key, causing hot partition throttling
B.The function's reserved concurrency is too high, causing excessive write requests
C.The table's read capacity is insufficient, causing write throttling
D.The function is exceeding the DynamoDB item size limit of 400 KB
AnswerA

Correct. Hot partitions can cause throttling even when table-level capacity is sufficient. The function's writes are likely concentrated on one partition key, exceeding that partition's throughput limits.

Why this answer

The most likely cause is that the function is writing to a single partition key, creating a 'hot partition' that exceeds the 1,000 WCU per-partition limit (or 3,000 WCU for burst capacity) even though the table's total provisioned capacity of 500 WCU is not exhausted. DynamoDB distributes throughput across partitions based on the partition key; if all writes target the same key, they are throttled at the partition level regardless of table-level capacity.

Exam trap

The trap here is that candidates assume table-level provisioned capacity is the only throttle boundary, but DynamoDB enforces per-partition throughput limits, so a hot partition can cause throttling even when the table's total WCU is not fully consumed.

How to eliminate wrong answers

Option B is wrong because reserved concurrency of 10 limits the number of concurrent invocations, and each invocation writes 10 items (10 KB total), so at most 100 items/second (100 KB/s) are written, which is well within the 500 WCU table capacity (each 1 KB item consumes 1 WCU). Option C is wrong because read capacity is irrelevant to write throttling; ProvisionedThroughputExceededException is specific to write capacity, and the table has sufficient write capacity. Option D is wrong because the DynamoDB item size limit is 400 KB, and each item is approximately 1 KB, so size is not a factor.

599
Multi-Selecteasy

A developer is creating an IAM policy for an EC2 instance to allow it to read from an S3 bucket. Which of the following are required? (Choose TWO.)

Select 2 answers
A.Create an IAM role with s3:GetObject permissions
B.Use KMS to encrypt the S3 objects
C.Configure an S3 bucket policy allowing the role
D.Attach the IAM role to the EC2 instance
E.Create an instance profile and assign a key pair
AnswersA, D

The IAM role provides the permissions.

Why this answer

Option A is correct because an IAM role must be created with the necessary permissions (s3:GetObject). Option D is correct because that role must then be attached to the EC2 instance so the instance can use its permissions. Option C is wrong because an S3 bucket policy is optional when an IAM role already grants access; it is only needed for cross-account access. Option B is wrong because KMS encryption is not required for reading from the bucket. Option E is wrong because creating an instance profile and assigning a key pair is not the same as attaching the role to the instance.

600
MCQmedium

A developer is using AWS CodeDeploy to deploy a new version of an AWS Lambda function. The developer wants to gradually shift traffic from the old version to the new version in 10-minute increments. Which deployment configuration should the developer use?

A.Canary10Percent10Minutes
B.Canary10Percent30Minutes
C.Linear10PercentEvery10Minutes
D.AllAtOnce
AnswerC

This configuration shifts 10% of traffic every 10 minutes until 100% is shifted, meeting the requirement of gradual 10-minute increments.

Why this answer

The Linear10PercentEvery10Minutes configuration shifts traffic from the old Lambda version to the new version in 10% increments every 10 minutes, which matches the developer's requirement of gradually shifting traffic in 10-minute increments. This is a linear deployment type in AWS CodeDeploy that provides a steady, incremental traffic shift over time.

Exam trap

The trap here is confusing canary deployments (which shift a small percentage immediately and then the remainder after a wait) with linear deployments (which shift traffic in equal increments over time), leading candidates to select a canary configuration when a linear one is required.

How to eliminate wrong answers

Option A is wrong because Canary10Percent10Minutes shifts 10% of traffic to the new version immediately, then waits 10 minutes before shifting the remaining 90% all at once, which does not provide gradual 10-minute increments. Option B is wrong because Canary10Percent30Minutes shifts 10% immediately, then waits 30 minutes before shifting the remaining 90%, which does not match the 10-minute increment requirement. Option D is wrong because AllAtOnce shifts 100% of traffic to the new version immediately with no gradual traffic shifting, which contradicts the developer's requirement.
