AWS Certified Developer Associate (DVA-C02) — Questions 601–675

1616 questions total · 22 pages · All types, answers revealed

Page 9 of 22
601
MCQhard

A developer attaches this IAM policy to an IAM user. The user tries to upload an object to the S3 bucket my-bucket from an IP address of 10.0.1.5. What will happen?

A.The upload will fail because the IP address is not within the allowed range.
B.The upload will fail because the bucket policy denies access.
C.The upload will succeed because the policy allows s3:PutObject.
D.The upload will succeed because the condition is ignored for uploads.
AnswerA

The condition limits the Allow statement to 10.0.0.0/24; 10.0.1.5 is outside that range, so no statement allows the request and it is implicitly denied.

Why this answer

Option A is correct because the policy's aws:SourceIp condition limits the Allow statement to 10.0.0.0/24 (10.0.0.0 through 10.0.0.255). A request from 10.0.1.5 does not satisfy the condition, so the Allow statement does not apply; with no other statement granting s3:PutObject, IAM's default implicit deny rejects the upload. Option C is wrong because an Allow is only effective when every condition in the statement is met. Note that aws:SourceIp holds the address from which AWS sees the request arrive: for traffic leaving through a NAT gateway that is the NAT's public address, and for traffic through a VPC endpoint the key to use instead is aws:VpcSourceIp.

Option B is wrong because the scenario describes an identity-based policy attached to the user and mentions no bucket policy at all. Option D is wrong because conditions are evaluated on every request, uploads included.

602
MCQmedium

A developer is building a serverless application that processes orders. An order is placed and an event is published to an Amazon SNS topic. The SNS topic has multiple subscribers, including an SQS queue for order processing and a Lambda function for sending notifications. The developer wants to ensure that the SQS queue receives all messages reliably, even if the processing Lambda function fails temporarily. Which configuration should the developer set?

A.Enable a dead-letter queue on the SQS queue
B.Enable SNS delivery retries for HTTP endpoints
C.Set the SQS queue's visibility timeout to a value greater than the Lambda function's processing time
D.Configure the SNS topic to use server-side encryption
AnswerA

Correct. A DLQ captures messages that cannot be processed after retries, ensuring no messages are lost.

Why this answer

A dead-letter queue (DLQ) configured through a redrive policy (maxReceiveCount) on the SQS queue moves messages that have been received more than maxReceiveCount times without being deleted to a separate queue for analysis or replay. SNS keeps delivering to the SQS queue regardless of what the Lambda consumer does, so the queue receives everything; the DLQ is what keeps a message from being lost, or looping forever, when the consumer fails. Note that the DLQ belongs on the SQS queue, not on the Lambda function: a function's own dead-letter configuration applies only to asynchronous invocations, and an SQS event source mapping invokes the function synchronously.

Exam trap

The trap is confusing SNS delivery retries (the only delivery policy you can customize is the one for HTTP/S endpoints) with the consumer-side retry mechanism of SQS, which is the visibility timeout plus maxReceiveCount and a DLQ, and so picking Option B.

How to eliminate wrong answers

Option B is wrong because the configurable SNS delivery policy applies to HTTP/S subscribers; delivery to SQS uses SNS's own fixed retries and, more importantly, has nothing to do with the Lambda consumer failing after the message is already sitting in the queue. Option C is wrong because a visibility timeout longer than the function's run time is a best practice against duplicate processing, but it does not stop a message from being re-delivered and failing indefinitely; without a redrive policy a repeatedly failing message stays in the queue until the retention period expires and is then silently discarded. Option D is wrong because server-side encryption protects data at rest and has no effect on delivery reliability or failure handling.

603
Multi-Selecteasy

A developer is creating an IAM policy for a Lambda function that needs to read from an SQS queue and write to a DynamoDB table. Which THREE permissions are required? (Select THREE.)

Select 3 answers
A.sqs:DeleteMessage
B.dynamodb:PutItem
C.sqs:ReceiveMessage
D.sqs:SendMessage
E.dynamodb:GetItem
AnswersA, B, C

Required to delete messages after processing.

Why this answer

A is correct because the function must delete messages from the SQS queue after processing them so they are not processed again. The sqs:DeleteMessage permission is required to call the DeleteMessage API, which removes the message using its receipt handle. Without it, the function would receive and process the message but fail to delete it, and the message would become visible again when the visibility timeout expires. Note that when the queue is wired to the function through an event source mapping, it is the Lambda service that polls and deletes on the function's behalf using the execution role, and that role needs sqs:ReceiveMessage, sqs:DeleteMessage and also sqs:GetQueueAttributes (the last is not among the options here but the mapping requires it).

Exam trap

The trap here is that candidates often confuse the permissions needed for a Lambda function acting as a consumer (ReceiveMessage and DeleteMessage) with those needed for a producer (SendMessage), or they mistakenly think GetItem is required for writing to DynamoDB when PutItem is the correct write operation.

604
MCQmedium

A developer runs the above command and gets the output shown. What is the developer verifying?

A.Whether the object is encrypted
B.The size and ETag of an object in S3
C.The version ID of the object
D.Whether the user has permissions to access the object
AnswerB

The command get-object-attributes returns object attributes.

Why this answer

Option B is correct because get-object-attributes returns the requested attributes of an object, such as ObjectSize and ETag. Option A is wrong because the command does not report encryption status (head-object would show the server-side encryption headers). Option C is wrong because VersionId was not among the requested attributes.

Option D is wrong because the command does not test permissions; a successful response only shows that the caller could call GetObjectAttributes, which needs s3:GetObjectAttributes together with s3:GetObject (or the versioned equivalents), and says nothing about any other access.

605
MCQmedium

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The developer wants to create a new version and update the alias to point to the new version. Which sequence of CLI commands should the developer use?

A.Update alias, update function code, publish version
B.Create alias, update function code, publish version
C.Publish version, update function code, update alias
D.Update function code, publish version, update alias
AnswerD

Correct sequence to deploy new code and repoint the alias.

Why this answer

Option D is correct: update-function-code uploads the new code to $LATEST, publish-version freezes $LATEST into an immutable numbered version, and update-alias moves the alias (the ARN that clients invoke) to that version. Wait for the function's LastUpdateStatus to become Successful before publishing; publishing while the update is still in progress fails with ResourceConflictException. Option A is wrong because it updates the alias before the new version exists. Option B is wrong because the alias already exists and the sequence never repoints it, so callers stay on the old version.

Option C is wrong because it publishes before uploading the new code, so the published version still contains the old code.
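The same sequence written against the Lambda API, as an added example (not part of the original page or any AWS code). It takes a Lambda client as a parameter so the call order can be verified offline with the fake client below; pass boto3.client("lambda") for real use. The function name orders-api, the alias live and the version numbers are made up.

```python
"""Deployment sequence from Q605 expressed over an injected Lambda client.
Added example, not AWS code: pass boto3.client("lambda") for real use; the
FakeLambdaClient below records the call order so the sequence can run offline.
Function and alias names are made up."""


def deploy_new_version(lam, function_name, alias_name, zip_bytes, canary_weight=None):
    """update-function-code -> wait -> publish-version -> update-alias; returns the new version."""
    # 1. Upload the new code to $LATEST.
    lam.update_function_code(FunctionName=function_name, ZipFile=zip_bytes)
    # 2. Wait for LastUpdateStatus to leave InProgress; publishing too early
    #    fails with ResourceConflictException.
    lam.get_waiter("function_updated_v2").wait(FunctionName=function_name)
    # 3. Freeze $LATEST into an immutable numbered version.
    version = lam.publish_version(FunctionName=function_name)["Version"]
    # 4. Move the alias (the ARN callers invoke) to the new version, either
    #    outright or as a weighted canary next to the version already live.
    if canary_weight is None:
        lam.update_alias(FunctionName=function_name, Name=alias_name, FunctionVersion=version)
    else:
        current = lam.get_alias(FunctionName=function_name, Name=alias_name)["FunctionVersion"]
        lam.update_alias(FunctionName=function_name, Name=alias_name, FunctionVersion=current,
                         RoutingConfig={"AdditionalVersionWeights": {version: canary_weight}})
    return version


class FakeLambdaClient:
    """Offline stand-in for boto3.client('lambda') that records the API calls in order."""

    class _Waiter:
        def __init__(self, owner, name):
            self.owner, self.name = owner, name

        def wait(self, **kwargs):
            self.owner.calls.append(f"wait:{self.name}")

    def __init__(self, current_version="3"):
        self.calls = []
        self.latest_version = int(current_version)
        self.alias_version = current_version
        self.routing = None

    def update_function_code(self, **kwargs):
        self.calls.append("update_function_code")
        return {"LastUpdateStatus": "InProgress"}

    def get_waiter(self, name):
        return self._Waiter(self, name)

    def publish_version(self, **kwargs):
        self.calls.append("publish_version")
        self.latest_version += 1
        return {"Version": str(self.latest_version)}

    def get_alias(self, **kwargs):
        return {"FunctionVersion": self.alias_version, "Name": kwargs["Name"]}

    def update_alias(self, **kwargs):
        self.calls.append("update_alias")
        self.alias_version = kwargs["FunctionVersion"]
        self.routing = kwargs.get("RoutingConfig")
        return kwargs


if __name__ == "__main__":
    fake = FakeLambdaClient()
    print(deploy_new_version(fake, "orders-api", "live", b"<zip bytes>"), fake.calls)
```

The CLI equivalents are `aws lambda update-function-code`, `aws lambda wait function-updated-v2`, `aws lambda publish-version` and `aws lambda update-alias`. Passing `--publish` to update-function-code collapses steps 1 and 3 into one call, but the alias still has to be updated afterwards, which is the step candidates forget.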

606
MCQeasy

A developer is building a serverless application using API Gateway and Lambda. The API Gateway REST API endpoint needs to be accessible only from a specific VPC. Which configuration should be used?

A.Attach a security group to the API Gateway.
B.Create a VPC endpoint for API Gateway and associate it with the API.
C.Enable private DNS on the API Gateway API.
D.Configure a resource policy with a condition using aws:SourceVpc.
AnswerD

Resource policies with aws:SourceVpc condition allow access only from specified VPCs.

Why this answer

Option D is correct because a REST API's resource policy can allow invocations only from a given VPC with the aws:SourceVpc condition key (or from one specific endpoint with aws:SourceVpce). Option A is wrong because API Gateway is a managed service outside your VPC; security groups attach to network interfaces such as those of EC2 instances, not to an API. Option C is wrong because private DNS is a property of the interface VPC endpoint, not an access control on the API.

Option B is wrong on its own: API Gateway does support interface VPC endpoints (com.amazonaws.region.execute-api), and a private REST API needs one, but associating an endpoint with the API does not by itself restrict who can call it; the restriction is expressed in the resource policy, which a private API must have in any case.

607
MCQmedium

A developer is building a mobile application that uses Amazon Cognito for user authentication. After a user signs in, the application needs to access an Amazon DynamoDB table. The developer has set up an identity pool with an authenticated role. The IAM role attached to the authenticated identity has a policy allowing the required DynamoDB actions. However, users report that they cannot perform DynamoDB operations. What is the MOST likely cause of this issue?

A.The identity pool is not configured to use the authenticated role.
B.The app is not passing the correct identity ID.
C.The IAM role's trust policy does not allow Cognito to assume it.
D.The DynamoDB table is encrypted with a different KMS key.
AnswerC

The trust policy of the IAM role must grant the Cognito Identity service principal the sts:AssumeRole permission. Without it, Cognito cannot issue credentials, resulting in denied actions.

Why this answer

The most likely cause is that the IAM role's trust policy has no statement allowing the Amazon Cognito Identity service (the `cognito-identity.amazonaws.com` federated principal) to call `sts:AssumeRoleWithWebIdentity`. Even when the identity pool maps authenticated users to the role and the role's permissions policy grants the DynamoDB actions, Cognito still has to assume the role to mint temporary credentials; without that trust relationship no credentials are issued and every DynamoDB call fails. A correct trust statement also carries two conditions: `cognito-identity.amazonaws.com:aud` equal to the identity pool ID, so that only this pool can assume the role, and `cognito-identity.amazonaws.com:amr` containing `authenticated`, so that unauthenticated identities cannot.

Exam trap

The trap here is that candidates often focus on the permissions policy (allowing DynamoDB actions) and overlook the trust policy, which is a separate and critical requirement for Cognito to assume the role and generate credentials.

How to eliminate wrong answers

Option A is wrong because the scenario states that the identity pool has been set up with an authenticated role; if no role were mapped, users would receive no credentials at all rather than credentials that cannot reach DynamoDB. Option B is wrong because the identity ID identifies the user within the pool, and an incorrect identity ID breaks credential retrieval (GetCredentialsForIdentity) itself rather than causing DynamoDB permission failures after sign-in. Option D is wrong because a KMS key mismatch only matters if the role lacks access to the key, and that surfaces as a KMS AccessDeniedException on the DynamoDB call, a different failure mode from credentials that Cognito cannot issue because the trust relationship is missing.
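An added example (not from the original page or from AWS) that builds the trust policy the explanation describes and checks an existing one for the common mistakes; the identity pool ID is a placeholder and the two bad policies are constructed for illustration.

```python
"""Trust-policy builder and checker for a Cognito identity pool's authenticated
role. Added example, not AWS code; the identity pool ID below is a placeholder."""
import json

COGNITO = "cognito-identity.amazonaws.com"
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"   # placeholder


def authenticated_role_trust_policy(identity_pool_id):
    """Trust policy that lets Cognito Identity assume the role for authenticated users of one pool."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            # aud pins the role to this pool; without it any identity pool in any account could assume it
            "StringEquals": {f"{COGNITO}:aud": identity_pool_id},
            # amr restricts the role to authenticated identities
            "ForAnyValue:StringLike": {f"{COGNITO}:amr": "authenticated"},
        }}]}


def trust_policy_findings(policy, identity_pool_id):
    """Findings for the policy; an empty list means Cognito can issue credentials for this pool."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Federated") != COGNITO or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        findings = []
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{COGNITO}:aud") != identity_pool_id:
            findings.append("aud condition missing or wrong: role is not pinned to this identity pool")
        if cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO}:amr") != "authenticated":
            findings.append("amr condition missing: unauthenticated identities could assume the role")
        return findings
    return ["no Allow statement lets cognito-identity.amazonaws.com call sts:AssumeRoleWithWebIdentity"]


# The mistake from the question: a role whose permissions policy is fine but whose
# trust policy was copied from a Lambda service role, so Cognito cannot assume it.
SERVICE_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Works, but lets any identity pool (including someone else's) assume the role.
UNSCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": COGNITO},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}


if __name__ == "__main__":
    print(json.dumps(authenticated_role_trust_policy(POOL_ID), indent=2))
    for name, policy in [("service-role", SERVICE_ROLE_TRUST), ("unscoped", UNSCOPED_TRUST)]:
        print(name, trust_policy_findings(policy, POOL_ID))
```

Run the checker over the output of `aws iam get-role` for each role an identity pool maps to; a role that passes the check but still fails at runtime usually has the problem in its permissions policy, not its trust.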

608
MCQeasy

A developer needs to store session state for a stateless web application running on EC2 instances behind an Application Load Balancer. Which AWS service should the developer use to ensure session data is not lost if an instance fails?

A.Amazon S3
B.Amazon DynamoDB
C.Amazon ElastiCache
D.Amazon RDS
AnswerC

ElastiCache provides a managed in-memory cache, ideal for storing session state externally to maintain statelessness.

Why this answer

Option C (ElastiCache) is correct because it provides a managed in-memory cache (Redis or Memcached) that keeps session state outside the instances with sub-millisecond latency, so any instance behind the load balancer can serve a user's next request. Option A (S3) is object storage, not a low-latency key-value store for per-request session reads. Option D (RDS) is a relational database that adds latency and operational overhead for simple session storage.

Option B (DynamoDB) can also hold session state, and is a reasonable choice when durability matters more than latency, but the exam treats ElastiCache as the canonical session store.

609
MCQeasy

A developer needs to allow an IAM user to manage only their own access keys (create, list, update, delete). Which IAM policy statement achieves this?

A.{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/${aws:username}"}
B.{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::*:user/JohnDoe"}
C.{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"*"}
D.{"Effect":"Allow","Action":["iam:ListAccessKeys","iam:GetAccessKeyLastUsed"],"Resource":"*"}
AnswerA

Restricts to own user.

Why this answer

Option A is correct because the `iam:*AccessKey*` wildcard covers all access key management actions (create, list, update, delete) and the resource `arn:aws:iam::*:user/${aws:username}` restricts them to the caller's own user. The `${aws:username}` policy variable resolves at request time to the friendly name of the IAM user making the call, so each user can manage only their own keys, which is least privilege applied to the user's own resource. Because `aws:username` exists only for IAM users, this policy belongs on users or a group of users; a role session has no `aws:username`, the variable would not resolve, and the statement would never match.

Exam trap

The trap is choosing Option C on the grounds that the action wildcard is what matters, overlooking that with Resource `*` a user can create and delete other users' keys, which violates the 'only their own' requirement.

How to eliminate wrong answers

Option B is wrong because it hardcodes the username 'JohnDoe', which would only allow that specific user to manage their own access keys, not any IAM user as required by the question. Option C is wrong because the resource `*` grants access to all IAM users' access keys, violating the requirement that each user manages only their own keys. Option D is wrong because it only includes read-only actions (`iam:ListAccessKeys` and `iam:GetAccessKeyLastUsed`) and omits the create, update, and delete actions needed to fully manage access keys.

610
Matchingmedium

Match each AWS storage class to its description.


Concepts
Matches

Frequent access, low latency

Automatic cost optimization

Long-term archival

Infrequent access, single AZ

Lowest cost retrieval

Why these pairings

S3 storage classes are important for cost management.

611
MCQmedium

A company is developing a web application that runs on Amazon EC2 instances. The application needs to access an Amazon DynamoDB table to store and retrieve data. The security team requires that no long-lived credentials, such as IAM user access keys, be used; instead, the application must use temporary credentials that are automatically rotated. Which approach should the developer use to securely grant access to DynamoDB?

A.Create an IAM user with access keys and store the keys in AWS Secrets Manager. Have the application retrieve the keys at runtime.
B.Launch the EC2 instance with an instance profile that has an IAM role attached. The IAM role should have a policy granting access to the DynamoDB table. The application uses the AWS SDK to obtain temporary credentials from the instance metadata service.
C.Use an AWS Lambda function to generate a pre-signed URL that allows access to DynamoDB, and have the EC2 instance use that URL.
D.Generate a long-lived API token using AWS KMS and embed it in the application code.
AnswerB

This is the recommended approach. The IAM role provides temporary credentials that are automatically rotated by AWS. The AWS SDK obtains credentials from the EC2 instance metadata service (IMDS). No long-term credentials are stored on the instance.

Why this answer

Option B is correct because an IAM role attached to the instance through an instance profile lets the AWS SDK fetch short-lived credentials from the instance metadata service (IMDS) and refresh them before they expire; nothing long-lived is stored on the instance or in the code, which is what the security team asked for. Require IMDSv2 on the instance (HttpTokens=required) so that credential retrieval needs the session-token handshake, which blocks the classic SSRF route to the metadata endpoint, and keep the role's permissions policy scoped to the one table.

Exam trap

The trap here is that candidates may confuse pre-signed URLs (which only work for S3) with DynamoDB access, or assume that storing keys in Secrets Manager satisfies the 'temporary credentials' requirement when it still relies on long-lived IAM users.

How to eliminate wrong answers

Option A is wrong because it creates an IAM user with long-lived access keys, which violates the requirement for temporary credentials that are automatically rotated; storing keys in Secrets Manager still uses static credentials. Option C is wrong because pre-signed URLs are designed for S3 object access, not for DynamoDB operations, and DynamoDB does not support pre-signed URLs. Option D is wrong because embedding a long-lived API token in application code is insecure and does not provide automatic rotation, directly contradicting the security team's requirement.

612
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint that invokes a Lambda function. The developer wants to pass a stage name as a parameter to the Lambda function. How should the developer define the Lambda function's environment variable in the SAM template?

A.Use the parameter reference 'Ref: StageName' in the environment variable mapping.
B.Define the environment variable as 'Stage: dev' in the Lambda function configuration.
C.Use 'Fn::GetAtt: [AWS::StackName, Outputs.StageName]' to get the stage name.
D.Use 'Fn::ImportValue: StageName' to import from another stack.
AnswerA

Ref returns the value of a parameter declared in the template's Parameters section.

Why this answer

Option A is correct because a SAM template can declare StageName under Parameters and assign it to the function's environment with Ref (in YAML short form: Variables: STAGE: !Ref StageName); the value is supplied at deploy time with --parameter-overrides, so the same template serves every stage. Option B is wrong because it hardcodes 'dev'. Option C is wrong because AWS::StackName is a pseudo parameter that resolves to the stack's name, and Fn::GetAtt reads attributes of resources, not parameters or outputs of the same stack.

Option D is wrong because Fn::ImportValue reads a value exported by another stack's Outputs, not a parameter of this template.

613
MCQmedium

A company wants to store database credentials securely and rotate them automatically on a schedule. The credentials are used by an AWS Lambda function to access an Amazon RDS instance. Which AWS service should the developer use to meet these requirements?

A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS Key Management Service (KMS)
D.AWS Certificate Manager (ACM)
AnswerA

Secrets Manager automatically rotates credentials for RDS and other services, meeting the requirements.

Why this answer

AWS Secrets Manager is the correct choice because it is specifically designed to securely store, retrieve, and automatically rotate database credentials on a schedule. It natively supports automatic rotation for Amazon RDS databases (including MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB) by integrating with Lambda to update the credentials in both Secrets Manager and the RDS instance. This meets the requirement for both secure storage and scheduled rotation without custom infrastructure.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, leading them to choose Parameter Store for its lower cost, but the requirement for automatic rotation disqualifies it.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it requires custom solutions or integration with Secrets Manager for rotation. Option C is wrong because AWS KMS is a key management service for encryption keys, not for storing or rotating secrets like database credentials. Option D is wrong because AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates, not for database credentials or rotation.

614
MCQeasy

A developer in Account A has an Amazon S3 bucket that contains sensitive data. The developer wants to grant an IAM user in Account B read-only access to objects in the bucket. The developer has added a bucket policy in Account A that grants s3:GetObject access to the IAM user's ARN. However, the IAM user in Account B still receives Access Denied errors. What additional configuration is required?

A.Add an IAM policy in Account B that allows the user to perform s3:GetObject on the bucket's ARN.
B.Create an S3 access point and grant the user access through it.
C.Change the bucket policy to grant access to the entire AWS account B instead of the specific user.
D.Enable S3 object ownership and set the bucket ACL to grant read access to the user in Account B.
AnswerA

The IAM user must have explicit permission via an IAM policy to access the S3 bucket. The bucket policy alone is not sufficient; the user's account must also allow the action.

Why this answer

Option A is correct because cross-account access to S3 requires both a bucket policy in the source account (Account A) granting the necessary permissions to the target IAM user, and an IAM identity-based policy in the target account (Account B) that explicitly allows the same action (s3:GetObject) on the bucket's ARN. Without the IAM policy in Account B, the user lacks the authorization to initiate the request, even though the bucket policy permits it. This dual-permission model is a fundamental security requirement for cross-account S3 access.

Exam trap

The trap here is that candidates often assume a bucket policy alone is sufficient for cross-account access, overlooking the mandatory IAM policy in the target account that must explicitly allow the action.

How to eliminate wrong answers

Option B is wrong because an access point does not remove the need for the identity policy in Account B: cross-account access through an access point still requires the user's IAM policy to allow the action on the access point, and the bucket policy to delegate to it. Option C is wrong because granting the whole account in the bucket policy only delegates permission to Account B; individual users in Account B still need an identity policy, so the change does not fix the problem and it widens the grant beyond the one user. Option D is wrong because ACLs are a legacy mechanism, disabled for new buckets when Object Ownership is set to bucket owner enforced, and they are no substitute for the missing identity policy.

615
MCQeasy

A developer needs to securely store database credentials for a Lambda function. Which AWS service should be used?

A.AWS Secrets Manager
B.AWS CloudHSM
C.AWS KMS
D.Amazon DynamoDB
AnswerA

Secrets Manager is purpose-built for storing and rotating secrets.

Why this answer

AWS Secrets Manager is the correct service because it is purpose-built for securely storing, rotating, and managing database credentials and other secrets throughout their lifecycle. It integrates natively with Lambda via the AWS Secrets Manager API, allowing the function to retrieve credentials at runtime without hardcoding them, and supports automatic rotation using built-in or custom Lambda rotation functions. This makes it the ideal choice for securely handling database credentials in a serverless application.

Exam trap

The trap here is that candidates often confuse AWS KMS (which only manages encryption keys) with AWS Secrets Manager (which manages the full lifecycle of secrets), leading them to choose KMS because they think 'encryption' is the primary requirement, when in fact the question asks for secure storage and management of credentials, not just encryption.

How to eliminate wrong answers

Option B (AWS CloudHSM) is wrong because it provides dedicated hardware security modules (HSMs) for cryptographic key generation and storage, not for managing application secrets like database credentials; it lacks built-in secret rotation and retrieval APIs. Option C (AWS KMS) is wrong because it is a key management service for creating and controlling encryption keys used to encrypt data, not for storing or rotating secrets; while it can encrypt secrets stored elsewhere, it does not natively manage the secret lifecycle. Option D (Amazon DynamoDB) is wrong because it is a NoSQL database designed for high-performance, scalable data storage, not a secrets management service; storing credentials in DynamoDB would require manual encryption, rotation, and access control, increasing security risk and operational overhead.

616
MCQhard

An application uses an Auto Scaling group with a launch configuration that includes a user data script to configure instances. After a scaling event, new instances launch but fail to register with the target group. The existing instances continue to work. What should the developer do to resolve this issue?

A.Modify the existing launch configuration with the correct user data
B.Create a new launch configuration with corrected user data and update the Auto Scaling group
C.Update the Auto Scaling group to use the latest launch configuration version
D.Delete and recreate the Auto Scaling group
AnswerB

A launch configuration cannot be edited; create a corrected one and point the Auto Scaling group at it so that future launches use the new user data.

Why this answer

Option B is correct because launch configurations are immutable: to change the user data you create a new launch configuration and update the Auto Scaling group to use it. Instances launched afterwards run the corrected script; existing instances are unaffected (replace them with an instance refresh, or by terminating them, if they also need the change). Option A is wrong because a launch configuration cannot be modified after creation.

Option C is wrong because launch configurations have no versions; versioning is a feature of launch templates, which AWS now recommends over launch configurations. Option D is wrong because recreating the Auto Scaling group is disruptive and unnecessary.

617
Multi-Selecthard

An SQS-triggered Lambda repeatedly processes the same poison message. Which two settings help contain the issue?

Select 2 answers
A.Configure maxReceiveCount and a dead-letter queue
B.Disable CloudWatch Logs
C.Use partial batch response or failure reporting where applicable
D.Set message retention to zero
AnswersA, C

A redrive policy with a DLQ stops the message from looping, and partial batch responses keep one bad record from dragging the rest of the batch into the retries.

Why this answer

Option A is correct because setting maxReceiveCount in the queue's redrive policy limits how many times a message can be received before SQS moves it to the dead-letter queue (DLQ). The Lambda function stops re-processing the same poison message once the threshold is exceeded, and the message is isolated in the DLQ where it can be inspected and replayed. Option C is correct because enabling ReportBatchItemFailures on the event source mapping and returning batchItemFailures from the handler tells Lambda to retry only the failed records; without it the whole batch, good records included, returns to the queue and is retried (and eventually dead-lettered) together with the poison message. Option B is wrong because hiding the logs changes nothing about the loop, and Option D is wrong because a retention period of zero is not valid (the minimum is 60 seconds) and shortening retention would discard good messages along with bad ones.

Exam trap

The trap here is that candidates often confuse message retention period (how long a message stays in the queue) with receive count limits, and they may overlook that disabling CloudWatch Logs only hides the problem rather than solving it.
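An added example, not from the original page or from AWS, that simulates an SQS queue with a redrive policy feeding a Lambda consumer so the effect of Options A and C here (and of the DLQ in question 602) can be seen offline. The queue model, message bodies and order IDs are constructed for illustration; the handler follows the partial batch response contract that Lambda expects.

```python
"""Offline simulation of an SQS queue with a redrive policy feeding a Lambda
consumer. Added example, not AWS code: it shows why maxReceiveCount plus a DLQ
and ReportBatchItemFailures contain a poison message. SQS is simplified: a
message the consumer does not delete simply becomes visible again, standing in
for visibility-timeout expiry. Messages and order IDs are made up."""
import json
from collections import deque


class Queue:
    def __init__(self, name, max_receive_count=None, dlq=None):
        self.name = name
        self.max_receive_count = max_receive_count   # RedrivePolicy.maxReceiveCount
        self.dlq = dlq                               # RedrivePolicy.deadLetterTargetArn
        self.visible = deque()                       # [message_id, body, receive_count]
        self.in_flight = {}

    def send(self, message_id, body):
        self.visible.append([message_id, body, 0])

    def receive(self, max_messages=10):
        """ReceiveMessage: bump the receive count and redrive once it exceeds maxReceiveCount."""
        batch = []
        while self.visible and len(batch) < max_messages:
            msg = self.visible.popleft()
            msg[2] += 1
            if self.max_receive_count is not None and msg[2] > self.max_receive_count:
                self.dlq.send(msg[0], msg[1])          # SQS moves the message to the DLQ
                continue
            self.in_flight[msg[0]] = msg
            batch.append({"messageId": msg[0], "body": msg[1]})
        return batch

    def delete(self, message_id):
        self.in_flight.pop(message_id)

    def expire_visibility_timeout(self):
        """Whatever the consumer did not delete becomes visible again."""
        self.visible.extend(self.in_flight.values())
        self.in_flight.clear()


PROCESSED = {}   # order_id -> number of times the business logic ran (side effects count!)


def process_order(body):
    order = json.loads(body)                          # a poison message fails here
    PROCESSED[order["order_id"]] = PROCESSED.get(order["order_id"], 0) + 1


def handler(event, context=None):
    """Lambda handler using the partial batch response contract."""
    failures = []
    for record in event["Records"]:
        try:
            process_order(record["body"])
        except (ValueError, KeyError):
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def run(report_batch_item_failures, max_receive_count=3):
    """Drain a queue holding three good orders and one poison message; return (processed counts, DLQ ids)."""
    PROCESSED.clear()
    dlq = Queue("orders-dlq")
    queue = Queue("orders", max_receive_count, dlq)
    for i in range(1, 4):
        queue.send(f"m{i}", json.dumps({"order_id": f"o{i}"}))
    queue.send("m4", "not json at all")               # constructed poison message
    while batch := queue.receive():
        failed = {f["itemIdentifier"] for f in handler({"Records": batch})["batchItemFailures"]}
        if failed and not report_batch_item_failures:
            # Without ReportBatchItemFailures on the event source mapping the handler has to
            # raise to signal a failure, and then the whole batch is retried, good records included.
            failed = {r["messageId"] for r in batch}
        for record in batch:
            if record["messageId"] not in failed:
                queue.delete(record["messageId"])     # the Lambda poller deletes successes
        queue.expire_visibility_timeout()
    return dict(PROCESSED), [m[0] for m in dlq.visible]


if __name__ == "__main__":
    print("partial batch response:", run(True))
    print("whole-batch failure:   ", run(False))
```

With partial batch responses only the poison message cycles through three receives and lands in the DLQ; without them every good order is processed three times and all four messages are dead-lettered together. The opposite mistake also matters: if the handler returns batchItemFailures but the event source mapping does not have FunctionResponseTypes set to ReportBatchItemFailures, Lambda treats the return value as success and deletes the poison message silently.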

618
MCQmedium

A company is developing a serverless application using AWS Lambda and API Gateway. The application needs to process user uploads to Amazon S3. The Lambda function must be invoked asynchronously after an object is uploaded to an S3 bucket. Which configuration should the developer use to invoke the Lambda function?

A.Configure the S3 bucket to send events to Lambda by adding a Lambda trigger in the S3 bucket properties.
B.Configure the S3 bucket to send events to an Amazon SQS queue and have Lambda poll the queue.
C.Configure the S3 bucket to send events to Amazon CloudWatch Events and have CloudWatch invoke Lambda.
D.Configure the S3 bucket to send events to an Amazon API Gateway endpoint that triggers the Lambda function.
AnswerA

S3 can directly invoke Lambda asynchronously using event notifications.

Why this answer

S3 event notifications can invoke a Lambda function directly when an object is created (s3:ObjectCreated:*). The function needs a resource-based policy statement allowing the s3.amazonaws.com service principal to call lambda:InvokeFunction, scoped with aws:SourceArn to the bucket (and aws:SourceAccount) so that a bucket in another account cannot invoke it; the console adds this statement when you create the trigger. S3 invokes Lambda asynchronously, which is exactly what the question asks for.

Option B works but is not a direct asynchronous invocation: Lambda's SQS event source mapping polls the queue and invokes the function synchronously. Option C is wrong under the legacy CloudWatch Events model, where object-level S3 events only appear through CloudTrail data events (EventBridge can now receive S3 events directly, but that requires enabling EventBridge notifications on the bucket and is still an extra hop). Option D is wrong because S3 event notifications cannot target an API Gateway endpoint.

619
MCQeasy

A developer is deploying an application using AWS Elastic Beanstalk. The application needs to connect to an Amazon RDS database. What is the best practice for storing database credentials?

A.Hardcode the credentials in the application code.
B.Store credentials in Elastic Beanstalk environment properties.
C.Store credentials in an Amazon S3 bucket with public read access.
D.Store credentials in AWS Secrets Manager and retrieve them at runtime.
AnswerD

Secrets Manager provides secure storage and rotation.

Why this answer

Option D is correct because AWS Secrets Manager stores the credentials encrypted, controls access with IAM, and can rotate them; the application fetches them at runtime using the instance role's permissions. Option A is wrong because hardcoded credentials end up in source control and in every build artifact. Option B is wrong because environment properties are stored in plaintext in the environment configuration, visible to anyone who can describe the environment, and they easily end up in logs and error reports.

Option C is wrong because a publicly readable S3 bucket exposes the credentials to the entire internet.

620
MCQhard

Refer to the exhibit. A developer attached this S3 bucket policy to my-bucket. Users from IP 10.0.0.5 can access objects, but users from IP 10.0.1.5 cannot. What is the most likely reason?

A.The bucket policy does not apply to users.
B.The action should be s3:GetObjectVersion.
C.The resource ARN is incorrect.
D.The IP address condition restricts access to a specific range.
AnswerD

Only requests whose aws:SourceIp falls within 10.0.0.0/24 are allowed.

Why this answer

Option D is correct because the policy's IpAddress condition on aws:SourceIp limits access to 10.0.0.0/24; 10.0.0.5 is inside that range and 10.0.1.5 is not, so the Allow statement does not apply to the second request and it is implicitly denied. Option A is wrong because bucket policies apply to whatever principals they name, users included.

Option B is wrong because s3:GetObject is the right action for reading the current version of an object (s3:GetObjectVersion is only needed to read a specific, non-current version). Option C is wrong because the resource ARN must be correct: the same policy works for requests from 10.0.0.5.

621
MCQhard

A developer is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to send messages to connected clients. The developer notices that the 'connectionId' changes every time a client reconnects. How should the developer store the mapping between user identity and connectionId?

A.Use Amazon ElastiCache to store the mapping in memory.
B.Use Amazon DynamoDB to store the mapping, with user identity as the partition key and connectionId as an attribute.
C.Use Amazon RDS to store the mapping in a relational database.
D.Use Amazon S3 to store the mapping as a JSON file.
AnswerB

DynamoDB gives single-digit-millisecond lookups at any scale and persists the mapping across Lambda invocations and client reconnects.

Why this answer

Option B is correct because DynamoDB provides fast, durable, serverless storage for the identity-to-connectionId mapping: the $connect route handler writes the item and the $disconnect handler deletes it. Since $disconnect only supplies the connectionId, also make the item findable by connectionId (a second key or a global secondary index) so it can be removed without knowing the user. Option A is wrong because ElastiCache is an in-memory cache inside a VPC, which forces the Lambda functions into the VPC and loses the mapping on node failure. Option D is wrong because S3 is not designed for low-latency, per-connection lookups and updates.

Option C is wrong because RDS adds connection management, cost and operational overhead for a simple key-value mapping.

622
MCQmedium

A company uses an S3 bucket to store sensitive customer data. The bucket policy currently allows access to a specific IAM role used by an EC2 instance. A security audit reveals that the bucket is also accessible from an external AWS account. Which action should the security team take to restrict access to only the intended role?

A.Use S3 Object Ownership to disable ACLs.
B.Enable S3 Block Public Access on the bucket.
C.Modify the IAM role trust policy to only allow the EC2 instance.
D.Add a condition in the bucket policy to allow access only when the request includes the specific IAM role ARN.
AnswerD

This restricts access to the intended role.

Why this answer

Option D is correct because a condition on the aws:PrincipalArn condition key scopes the bucket policy to one role, for example `arn:aws:iam::123456789012:role/EC2AppRole` (for an assumed-role session, aws:PrincipalArn carries the role's ARN, not the session ARN, so the condition matches every session of that role). The condition has to be applied so that it actually closes the hole: a condition added to the existing Allow statement does not override a separate Allow statement that names the external account. Either remove that statement, or add an explicit Deny on the bucket and its objects with `ArnNotEquals` on aws:PrincipalArn set to the role ARN, so that every other principal, external accounts included, is denied regardless of what else the policy allows.

Exam trap

The trap here is that candidates often confuse IAM role trust policies with resource-based policies (like S3 bucket policies), thinking that modifying the trust policy will control access to the bucket, when in fact the bucket policy itself must explicitly restrict the principal.

How to eliminate wrong answers

Option A is wrong because disabling ACLs via Object Ownership only removes ACL-based grants; the external access here comes from the bucket policy. Option B is wrong because Block Public Access blocks grants to everyone (a Principal of "*" or the AuthenticatedUsers group); a grant to a specific external AWS account is not 'public' and passes through untouched. Option C is wrong because the role's trust policy controls who can assume the role, not who can read the bucket; the bucket policy is the resource-based control that has to change.
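A small offline model of IAM policy evaluation, added here as an example (it is not from the original page or from AWS) to show the mechanics behind questions 601, 609, 620 and 622: an Allow whose condition is unmet simply does not apply, `${aws:username}` scopes a resource to the caller, and only an explicit Deny (here with ArnNotEquals on aws:PrincipalArn) closes a grant that another statement still makes. Account IDs, role ARNs, bucket names and the external principal are made up, and only the condition operators the questions use are modelled.

```python
"""Offline model of IAM policy evaluation. Added example, not AWS code; it covers
Action/Resource globbing, ${aws:username} substitution, IpAddress / ArnEquals /
ArnNotEquals conditions, explicit deny beating allow, and the implicit deny that
applies when no statement matches. Account IDs, ARNs and bucket names are made up."""
import fnmatch
import ipaddress
import re


def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):            # IAM wildcards * and ?, case-insensitive
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _substitute(text, ctx):           # resolve ${aws:username} and similar policy variables
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), text)

def _principal_matches(stmt, ctx):    # identity-based policies carry no Principal element
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or ctx.get("aws:PrincipalArn") in allowed

def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if actual is None:        # missing key: these operators evaluate to false
                return False
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
            elif operator in ("StringEquals", "ArnEquals"):
                ok = actual in expected
            elif operator in ("StringNotEquals", "ArnNotEquals"):
                ok = actual not in expected
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request over a set of policies."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if not _principal_matches(stmt, ctx):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue                  # unmet condition: the statement simply does not apply
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"     # an explicit deny always wins
        decision = "Allow"
    return decision


# Q601/Q620: uploads allowed only from 10.0.0.0/24.
IP_RESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}}]}
# Q609: each IAM user may manage only their own access keys.
OWN_KEYS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:*AccessKey*", "Resource": "arn:aws:iam::*:user/${aws:username}"}]}
APP_ROLE = "arn:aws:iam::123456789012:role/EC2AppRole"
EXTERNAL = "arn:aws:iam::999999999999:role/Auditor"          # made-up external principal
# Q622: bucket policy that still carries a grant to an external account's principal.
LEAKY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": p}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-data/*"} for p in (APP_ROLE, EXTERNAL)]}
# The fix: an explicit Deny for every principal other than the application role.
DENY_OTHER_PRINCIPALS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::customer-data", "arn:aws:s3:::customer-data/*"],
    "Condition": {"ArnNotEquals": {"aws:PrincipalArn": APP_ROLE}}}]}


def upload_decision(source_ip):
    return evaluate([IP_RESTRICTED], "s3:PutObject", "arn:aws:s3:::my-bucket/report.csv",
                    {"aws:SourceIp": source_ip})

def access_key_decision(caller, target_user):
    return evaluate([OWN_KEYS_ONLY], "iam:CreateAccessKey",
                    f"arn:aws:iam::123456789012:user/{target_user}", {"aws:username": caller})

def bucket_decision(principal_arn, with_deny):
    policies = [LEAKY_BUCKET_POLICY] + ([DENY_OTHER_PRINCIPALS] if with_deny else [])
    return evaluate(policies, "s3:GetObject", "arn:aws:s3:::customer-data/pii.csv",
                    {"aws:PrincipalArn": principal_arn})


if __name__ == "__main__":
    print(upload_decision("10.0.0.5"), upload_decision("10.0.1.5"))
    print(access_key_decision("alice", "alice"), access_key_decision("alice", "bob"))
    print(bucket_decision(EXTERNAL, False), bucket_decision(EXTERNAL, True), bucket_decision(APP_ROLE, True))
```

The bucket case is the one to study: with only the leaky policy the external principal is allowed, adding the Deny turns that into an explicit deny while the application role keeps its access, and no amount of conditions on the role's own Allow statement would have had that effect. The real IAM engine also consults SCPs, permission boundaries and session policies, which this model leaves out.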

623
MCQhard

A company uses AWS Elastic Beanstalk to deploy a web application. The development team wants to ensure that the deployment does not cause any downtime and that new instances are fully registered with the load balancer before old instances are terminated. Which deployment policy should they use?

A.Immutable
B.Rolling with an additional batch
C.Rolling
D.All at once
AnswerB

This policy adds new instances before removing old ones, ensuring zero downtime.

Why this answer

Option B is correct because rolling with an additional batch launches new instances, registers them with the ELB, and then terminates old instances, ensuring zero downtime. Option A is incorrect because immutable deployments create a new Auto Scaling group but can be slower. Option C is incorrect because rolling deployments can cause downtime if the batch size is too large.

Option D is incorrect because all at once causes downtime.

624
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application requires a highly available environment across multiple Availability Zones. The developer wants to update the application without any downtime while minimizing the number of new instances launched. Which deployment policy should the developer use?

A.All at once
B.Rolling
C.Rolling with additional batch
D.Immutable
AnswerC

This policy launches a new batch of instances alongside the existing ones, ensuring capacity is never reduced. It achieves zero downtime with minimal additional instances compared to immutable.

Why this answer

Option C (Rolling with additional batch) is correct because it launches a new batch of instances before taking the old ones out of service, ensuring full capacity is maintained during the deployment. This provides high availability across multiple Availability Zones while minimizing the number of new instances compared to an immutable deployment, which would double the instance count. The additional batch absorbs the traffic during the rolling update, preventing any downtime.

Exam trap

The trap here is that candidates confuse 'Rolling' with 'Rolling with additional batch', assuming both provide zero downtime, but only the latter guarantees full capacity throughout the update by adding an extra batch to absorb traffic.

How to eliminate wrong answers

Option A is wrong because 'All at once' deploys the new version to all instances simultaneously, causing downtime as all instances are replaced at the same time. Option B is wrong because 'Rolling' updates instances in batches without an extra batch, which reduces capacity during the update and can lead to downtime if the application cannot handle reduced load. Option D is wrong because 'Immutable' launches a completely new set of instances in a new Auto Scaling group, then swaps the environment, which minimizes downtime but launches the maximum number of new instances (doubling the count), contradicting the requirement to minimize new instances.

625
MCQeasy

A developer is troubleshooting a slow-running query in Amazon RDS for MySQL. The query is used by a reporting dashboard. Which AWS service should the developer use to identify the bottleneck?

A.AWS X-Ray
B.AWS CloudTrail
C.Amazon RDS Performance Insights
D.Amazon CloudWatch Logs
AnswerC

Performance Insights is designed for database performance troubleshooting.

Why this answer

Amazon RDS Performance Insights provides a detailed analysis of database performance, including wait events and SQL query performance, helping identify bottlenecks.

626
MCQeasy

A developer is creating an AWS Lambda function to process events from an Amazon SQS queue. The function must process each message exactly once and in order. Which SQS queue type should the developer use?

A.Standard queue.
B.FIFO queue.
C.Dead-letter queue.
D.Delay queue.
AnswerB

Correct. FIFO queues provide first-in-first-out delivery and exactly-once processing, satisfying the requirements.

Why this answer

The correct answer is B, FIFO queue. FIFO (First-In-First-Out) queues guarantee exactly-once processing and preserve the order of messages, which is required by the use case. Standard queues offer at-least-once delivery and do not guarantee order, making them unsuitable for this requirement.

Exam trap

The trap here is that candidates often confuse the 'exactly-once' and 'in-order' requirements with Standard queues, assuming they can achieve this with idempotent processing, but Standard queues explicitly do not guarantee order and can deliver duplicates.

How to eliminate wrong answers

Option A is wrong because Standard queues provide at-least-once delivery, meaning a message can be delivered more than once, and they do not guarantee message order. Option C is wrong because a Dead-letter queue is not a primary queue type; it is a secondary queue used to store messages that failed processing, not to process events in order with exactly-once semantics. Option D is wrong because a Delay queue is a feature of both Standard and FIFO queues that introduces a message delivery delay, but it does not provide exactly-once processing or ordering guarantees.

627
MCQeasy

A developer is building a serverless application using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the uploaded file, transform it, and write the result to a DynamoDB table. Which IAM policy statement should be attached to the Lambda execution role?

A.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:PutItem"],"Resource":"*"}
B.{"Effect":"Allow","Action":["s3:PutObject","dynamodb:PutItem"],"Resource":"*"}
C.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:UpdateItem"],"Resource":"*"}
D.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:GetItem"],"Resource":"*"}
AnswerA

Correct actions for reading from S3 and writing to DynamoDB.

Why this answer

The Lambda execution role needs permissions for S3 GetObject and DynamoDB PutItem. Option A provides both. Option B lacks S3 read (it grants s3:PutObject instead of s3:GetObject).

Option C uses an incorrect DynamoDB action (UpdateItem rather than PutItem). Option D lacks DynamoDB write (it grants only GetItem).

628
MCQhard

A development team is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to maintain a connection to each user and broadcast messages to all connected clients. Which approach should the developer use to scale the application efficiently?

A.Store connection IDs in Amazon DynamoDB and use the API Gateway Management API to send messages to all connections.
B.Use Amazon ElastiCache to cache connection IDs and have Lambda send messages using the Redis pub/sub feature.
C.Use Amazon SNS to publish messages to all connected clients via the WebSocket API.
D.Use Amazon SQS to queue messages and have Lambda poll the queue to send messages to all connections.
AnswerA

DynamoDB stores connection IDs, and the Management API sends messages to each connection.

Why this answer

API Gateway WebSocket APIs maintain persistent connections. When a client sends a message, API Gateway invokes a Lambda function. To broadcast to all connected clients, the Lambda function needs to call the API Gateway Management API to send messages to each connection.

The connection IDs must be stored in a shared data store like DynamoDB. The other options are not suitable: SQS is for message queuing, not broadcasting; SNS is pub/sub but doesn't integrate directly with WebSocket connections; ElastiCache is not designed for this use case.

629
MCQmedium

A company runs a batch processing job on Amazon ECS using Fargate. The job processes files from an S3 bucket and writes results to another S3 bucket. The job runs once per day and takes about 30 minutes. The company wants to reduce costs by stopping the ECS service when not in use. Which solution should the developer implement?

A.Use an AWS Lambda function to run the job and configure a scheduled event in Amazon EventBridge.
B.Use AWS Batch with a Fargate launch type and schedule the job with Amazon EventBridge.
C.Use Amazon ECS Service Auto Scaling to scale the service down to zero tasks when not in use.
D.Use an Amazon EC2 Auto Scaling group to launch an instance, run the job, and then terminate.
AnswerB

AWS Batch runs the job and scales resources to zero when idle.

Why this answer

AWS Batch is designed for batch computing jobs. It can launch Fargate tasks, run the job, and then stop the resources automatically. The developer can define a job queue and job definition, and schedule the job with Amazon EventBridge (CloudWatch Events).

AWS Step Functions can orchestrate but is more complex. ECS Scheduled Tasks can also work, but AWS Batch is purpose-built for this and handles retries, dependencies, and cost optimization better. The other options are not appropriate: EC2 Auto Scaling scales EC2 instances, not Fargate tasks; Lambda has a 15-minute timeout; ECS Service Auto Scaling keeps desired count at least 1, not 0.

630
MCQeasy

A developer is deploying a containerized application on Amazon ECS using Fargate. The application needs to store sensitive configuration data, including database passwords, that must be rotated regularly. Which service should the developer use to manage these secrets securely?

A.Amazon S3 with server-side encryption
B.AWS Secrets Manager
C.Amazon DynamoDB with server-side encryption
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager provides automatic secret rotation and fine-grained access control.

Why this answer

Option B is correct because AWS Secrets Manager is designed to store and rotate secrets automatically. Option D is wrong because SSM Parameter Store can store secrets but does not natively rotate them. Option C is wrong because DynamoDB is not a secret management service.

Option A is wrong because S3 can store encrypted objects but requires custom rotation logic.

631
MCQhard

A company uses AWS CodeCommit for source control. A developer needs to automate the build and test process for every commit to the 'develop' branch. The developer creates a CodeBuild project and wants to trigger it automatically. What is the most efficient way to set up this automation?

A.Create a CloudWatch Events rule that triggers CodeBuild on code commit events
B.Configure a webhook in CodeCommit to call CodeBuild directly
C.Create a CodePipeline with a source stage from CodeCommit and a build stage from CodeBuild
D.Use an SQS queue to receive SNS notifications from CodeCommit and trigger CodeBuild
AnswerC

CodePipeline natively integrates and triggers on changes.

Why this answer

CodePipeline can be configured to start on changes to a CodeCommit repository and then invoke CodeBuild. Option C is correct because it uses a pipeline with a source trigger. Option A (CloudWatch Events) is less efficient as it requires a separate rule.

Option B (webhooks) is used for third-party repositories. Option D (SQS) is unnecessary overhead.

632
MCQhard

A developer runs the AWS CLI command shown. The Lambda function returns a 200 status code but the output file is null and the response includes FunctionError: Unhandled. What does this indicate?

A.The Lambda function timed out.
B.The Lambda function threw an unhandled exception.
C.The payload was too large for synchronous invocation.
D.The Lambda function was not found.
AnswerB

FunctionError: Unhandled indicates an unhandled exception.

Why this answer

Option B is correct because 'Unhandled' means the function threw an exception that was not caught, and the output is null because the function returned an error. Option A is wrong because the 200 status code indicates the invocation succeeded rather than timing out. Option C is wrong because no payload-size error was returned.

Option D is wrong because the function was invoked.

633
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway REST API and several Lambda functions. The developer runs 'sam deploy' and the deployment succeeds. However, when the developer tests the API endpoint using curl, the request times out. The CloudWatch logs for the Lambda function show that the function is not being invoked. The API Gateway logs are not enabled. The developer checks the API Gateway console and sees that the integration type is 'AWS Service' instead of 'Lambda Function'. The developer used the following SAM template snippet:

    Resources:
      MyApi:
        Type: AWS::Serverless::Api
        Properties:
          StageName: Prod
          DefinitionBody:
            swagger: 2.0
            info:
              title: My API
            paths:
              /items:
                get:
                  x-amazon-apigateway-integration:
                    type: aws_proxy
                    uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations
                  responses: {}
      MyFunction:
        Type: AWS::Serverless::Function
        Properties:
          CodeUri: ./src
          Handler: index.handler
          Runtime: nodejs14.x
          Events:
            ApiEvent:
              Type: Api
              Properties:
                RestApiId: !Ref MyApi
                Path: /items
                Method: GET

What is the most likely cause of the timeout?

A.The API Gateway endpoint is not publicly accessible due to a resource policy.
B.The Lambda function's code is throwing an unhandled exception before it can log.
C.The Lambda function has reached the concurrency limit.
D.The API Gateway integration type is misconfigured; the SAM template should use 'AWS::Serverless::Function' event source instead of manual Swagger integration.
AnswerD

The manual Swagger integration may conflict with the event source, causing incorrect integration.

Why this answer

The SAM template defines the API using both the 'AWS::Serverless::Api' resource with an inline Swagger definition and the 'AWS::Serverless::Function' with an Api event. This may cause a conflict or an incorrect configuration. Option D is correct: the 'x-amazon-apigateway-integration' type is set to 'aws_proxy' but the URI is incorrect.

The API Gateway integration type shown as 'AWS Service' indicates that the integration was not set up properly. The most likely cause is that the SAM template incorrectly defines the integration, leading to a misconfiguration. Option C is wrong because the timeout is not due to Lambda concurrency limits.

Option B is wrong because the code is never invoked, so it cannot be throwing an exception. Option A is wrong because the API is correctly set up for public access.

634
MCQmedium

A developer is using AWS SAM to define a serverless application. The application includes an AWS Lambda function and an Amazon API Gateway REST API. The developer wants to configure the API Gateway stage to enable logging and set the stage name based on the SAM parameter Stage. In the SAM template, which property of the AWS::Serverless::Api resource should the developer use to set the stage name?

A.StageName
B.DefinitionBody
C.StageDescription
D.EndpointConfiguration
AnswerA

This property sets the name of the API Gateway stage. It can reference a SAM parameter, e.g., !Ref Stage.

Why this answer

The `StageName` property of the `AWS::Serverless::Api` resource directly sets the stage name for the API Gateway REST API. By using a SAM parameter like `Stage` (e.g., `StageName: !Ref Stage`), the developer can dynamically control the stage name at deployment time. This is the intended and simplest way to configure the stage name in an AWS SAM template.

Exam trap

The trap here is that candidates confuse `StageName` with `StageDescription` (Option C) because both relate to stage configuration, but `StageDescription` only provides metadata and does not control the actual stage identifier used in the API endpoint URL.

How to eliminate wrong answers

Option B (`DefinitionBody`) is wrong because it defines the OpenAPI specification for the API, not the stage name; it can include a `stageName` field within the OpenAPI definition, but that is not the SAM-level property for setting the stage name. Option C (`StageDescription`) is wrong because it provides a description of the stage (e.g., for documentation or tagging), not the stage name itself. Option D (`EndpointConfiguration`) is wrong because it specifies the endpoint type (e.g., REGIONAL, EDGE, PRIVATE) for the API, not the stage name.

635
MCQhard

A developer deployed the above AWS SAM template. Messages are not being processed; they end up in the DeadLetterQueue after 3 receives. The Lambda function timeout is 30 seconds. What is the most likely cause?

A.The maxReceiveCount is too low; increase it to 5.
B.The batch size is too high, causing the function to timeout.
C.The Lambda function does not have permission to poll the SQS queue.
D.The SQS visibility timeout is equal to the Lambda function timeout.
AnswerD

If the function runs for the full timeout, the message becomes visible again, leading to duplicate processing and eventual DLQ.

Why this answer

Option D is correct because the VisibilityTimeout (30 seconds) equals the Lambda timeout (30 seconds). If the function takes close to 30 seconds, the message becomes visible again before processing completes, causing another receive and eventually moving the message to the DLQ. Option C is wrong because the function has the SQSPollerPolicy.

Option B is wrong because a BatchSize of 10 is fine. Option A is wrong because a higher maxReceiveCount would delay the move to the DLQ, not prevent it.

636
MCQeasy

A developer needs to allow an IAM user to temporarily access an AWS account for 12 hours. The developer must not create long-term credentials. What should the developer use?

A.Create an IAM user with a password and access keys.
B.Use AWS STS to generate temporary security credentials for a role.
C.Attach a resource-based policy to the account.
D.Use Amazon Cognito user pools to generate temporary access.
AnswerB

STS provides temporary credentials with a configurable expiration, ideal for time-limited access.

Why this answer

AWS Security Token Service (STS) can generate temporary credentials with a custom expiration. By creating a role and allowing the user to assume it with a session duration of 12 hours, the requirement is met. Option A is wrong because IAM users have long-term credentials.

Option C is wrong because resource-based policies alone don't grant cross-account access with temporary credentials. Option D is wrong because Cognito is for end users.

637
MCQmedium

A company has a DynamoDB table that stores order data. The table has a partition key of OrderID and a sort key of OrderDate. The company frequently queries orders by CustomerID, which is not a key attribute. The queries are slow and consume a lot of read capacity. Which design change would MOST improve query performance?

A.Increase the provisioned read capacity for the table.
B.Create a Global Secondary Index (GSI) with CustomerID as the partition key.
C.Change the table's primary key to use CustomerID as the partition key.
D.Use a FilterExpression on the CustomerID attribute in a Scan operation.
AnswerB

GSI allows efficient querying on CustomerID.

Why this answer

Queries by non-key attributes require a Scan, which is inefficient. Creating a Global Secondary Index with CustomerID as the partition key allows efficient querying. Changing the table's key would break existing applications.

Using FilterExpression still scans the table. Increasing read capacity only addresses throttling, not performance of scans.

638
MCQhard

A team uses AWS CloudFormation to manage infrastructure. They want to deploy a stack that includes an Amazon RDS DB instance. During deployment, the stack creation fails because the DB instance creation times out. The team wants to ensure that subsequent stack creation attempts do not recreate the DB instance from scratch but instead continue from the failed state. Which CloudFormation feature should they use?

A.Use a CloudFormation WaitCondition to pause stack creation until the DB instance is available.
B.Create the DB instance using a separate CloudFormation stack and reference it using Fn::ImportValue.
C.Apply a stack policy that prevents the DB instance from being deleted during stack updates.
D.Use a CloudFormation custom resource to check for an existing DB instance and create it only if it does not exist.
AnswerD

Custom resource can implement logic to reuse an existing DB instance or create a new one, avoiding recreation on retry.

Why this answer

Option D is correct. Creating the stack with '--on-failure DO_NOTHING' or '--disable-rollback' leaves the failed resources in place, but CloudFormation does not support resuming a failed stack creation from that state; by default it rolls back and deletes the resources it created. To avoid recreating the DB instance from scratch, a custom resource can check whether the DB instance already exists and create it only if it does not.

A separate stack for the DB instance would also avoid recreating it, but among the options only a custom resource (Option D) can implement the check-and-skip logic the question asks for. Built-in 'Conditions' can gate resource creation, but they require knowing the DB instance ID in advance; a custom resource can query for the existing DB instance and return a value that such a condition can use.

Option A (WaitCondition) is for signaling completion, not for conditional creation. Option B (separate stack with Fn::ImportValue) moves the DB instance out of the failing stack but is not a feature that continues from the failed state. Option C (stack policy) protects resources during updates but does not help with continuation.

639
MCQhard

A company has a production application running on Amazon ECS with Fargate. The application consists of a front-end service and a backend service that processes orders. The backend service consumes messages from an Amazon SQS queue and writes order records to an Amazon DynamoDB table. Recently, during a marketing campaign, traffic increased significantly, causing the backend service to fall behind processing messages. The SQS queue depth grew to over 100,000 messages, and some orders were not processed in time, leading to customer complaints. The operations team noticed that the ECS service's CPU utilization never exceeded 60%, and memory utilization was around 50%. The service is configured with a desired count of 2 tasks and a target tracking scaling policy based on average CPU utilization. The DynamoDB table has on-demand capacity mode. After analyzing the logs, the development team found that each message processing takes about 2 seconds, but the backend service has a bottleneck: it makes an HTTP call to a third-party API that sometimes takes up to 10 seconds to respond. The team wants to optimize the architecture to handle traffic spikes better without over-provisioning resources. Which solution is MOST effective?

A.Increase the batch size of messages polled from SQS to 20 to process more messages per task.
B.Refactor the backend service to send the order processing request to a separate SQS queue and have a dedicated set of tasks poll that queue to make the HTTP call. This decouples the main processing from the slow API call.
C.Increase the desired count of the ECS service to 10 tasks and set a target tracking scaling policy based on SQS queue depth.
D.Change the scaling policy to use memory utilization instead of CPU, since CPU is underutilized.
AnswerB

Offloading the slow call improves throughput.

Why this answer

Option B is correct because the bottleneck is the third-party API call. Moving the call to a separate SQS queue (or a Step Functions workflow) allows the ECS service to offload that work and process more messages concurrently. Option C is wrong because increasing tasks may not help if the bottleneck is the API latency.

Option D is wrong because changing the scaling metric to memory does not address the root cause. Option A is wrong because increasing the batch size may increase per-invocation time and exacerbate the bottleneck.

640
MCQhard

A developer is troubleshooting an AWS Lambda function that is invoked from an Amazon S3 bucket via event notifications. The function processes images and stores metadata in Amazon DynamoDB. The developer notices that some images are being processed multiple times, resulting in duplicate entries in DynamoDB. The S3 event notification is configured to send events to the Lambda function with the 's3:ObjectCreated:*' event type. The function uses the 'uuid' library to generate a unique ID for each image upon processing. What is the most likely cause of the duplicate processing?

A.S3 event notifications are delivered at least once, and the Lambda function is not idempotent.
B.The Lambda function's concurrency is set too high, causing race conditions.
C.The DynamoDB table does not have a primary key that prevents duplicates.
D.The S3 bucket is configured with versioning, causing multiple object creation events.
AnswerA

S3 can send the same event multiple times. Without idempotency checks (e.g., using the S3 object key as the DynamoDB primary key), each event creates a new item, causing duplicates.

Why this answer

Amazon S3 event notifications are delivered on an 'at least once' basis, meaning the same event can be sent to Lambda multiple times. If the Lambda function is not idempotent—i.e., processing the same event multiple times produces duplicate side effects—then duplicate DynamoDB entries will occur. The use of a 'uuid' library inside the function does not help because a new UUID is generated on each invocation, so the same image gets different IDs and is stored as a separate item each time.

Exam trap

The trap here is that candidates assume generating a unique ID inside the function solves duplication, but they miss that idempotency requires using a stable, external identifier (like the S3 object key) to detect and skip already-processed events.

How to eliminate wrong answers

Option B is wrong because high concurrency can cause race conditions, but the core issue here is duplicate event delivery, not concurrent writes; even with low concurrency, duplicate events would still be processed. Option C is wrong because the DynamoDB table's primary key design does not cause duplicate processing; it only affects whether duplicate writes are rejected or overwritten—the problem is that the function is invoked multiple times for the same image. Option D is wrong because S3 versioning generates separate object versions, each with a unique version ID, and the 's3:ObjectCreated:*' event fires once per version; versioning does not cause multiple events for the same object version.

641
MCQhard

Refer to the exhibit. A developer runs the AWS CLI command to decrypt a file using a KMS key alias 'my-key' and receives the error shown. The developer has an IAM policy that allows 'kms:Decrypt' on 'arn:aws:kms:us-east-1:123456789012:key/abcd1234-...'. Which additional step is required to resolve this error?

A.Add the user's ARN to the KMS key policy with 'kms:Decrypt' permission.
B.Attach a policy to the user that allows 'kms:DescribeKey' on the key.
C.Use the key ID instead of the alias in the command.
D.Enable IAM user permissions in the KMS key policy.
AnswerA

The key policy must explicitly grant the user permission to decrypt.

Why this answer

The error occurs because the KMS key policy does not grant the user permission to decrypt using the key. Even though the user has an IAM policy allowing 'kms:Decrypt' on the key, KMS requires that the key policy explicitly allow IAM user permissions (or grant the user direct access) for IAM policies to take effect. By adding the user's ARN to the key policy with 'kms:Decrypt', the key policy grants the necessary access, resolving the error.

Exam trap

The trap here is that candidates assume IAM policies alone are sufficient for KMS operations, but KMS requires the key policy to explicitly grant access to the user or enable IAM user permissions and then grant the action.

How to eliminate wrong answers

Option B is wrong because 'kms:DescribeKey' is not required for decryption; the error is about access denial, not missing key metadata. Option C is wrong because using the key ID instead of the alias would not resolve the access issue; the alias resolves to the same key, and the error is due to the key policy, not the identifier format. Option D is wrong because enabling IAM user permissions in the KMS key policy is a general setting that must be combined with an explicit grant of permissions to the user; simply enabling it without adding the user's ARN does not grant access.

642
MCQmedium

A company stores sensitive data in an S3 bucket that must be encrypted at rest. The security team requires that all objects uploaded to the bucket are automatically encrypted using server-side encryption with AWS KMS (SSE-KMS). A developer uploads an object without specifying any encryption header. The upload succeeds, but the object is not encrypted. What is the most likely cause?

A.The bucket policy denies uploads without the x-amz-server-side-encryption header, but the developer's IAM user has permission to override the bucket policy.
B.The KMS key policy does not allow the IAM user to encrypt with that key.
C.The S3 bucket has default encryption disabled.
D.The bucket does not have a default encryption configuration set to SSE-KMS.
AnswerD

Without default encryption, objects uploaded without encryption headers remain unencrypted.

Why this answer

Option D is correct because S3 default encryption must be explicitly configured on the bucket to apply SSE-KMS when no encryption header is provided. Option A is wrong because bucket policies cannot enforce encryption headers retroactively; they can deny PutObject without encryption, but then the upload would fail rather than succeed unencrypted, and here the bucket policy does not block the upload. Option B is wrong because the KMS key policy does not affect default encryption enforcement.

Option C is wrong because it describes the same condition less precisely: the requirement is specifically SSE-KMS, so the missing SSE-KMS default encryption configuration is the most likely cause.

643
MCQhard

An ECS blue/green deployment with CodeDeploy and an Application Load Balancer fails because the replacement task set never receives test traffic. Which configuration should be checked?

A.S3 bucket versioning
B.Lambda provisioned concurrency
C.The test listener and target group mapping in the deployment group
D.DynamoDB TTL
AnswerC

The test listener must be mapped to the replacement target group in the deployment group for test traffic to reach the new task set.

Why this answer

In an ECS blue/green deployment with CodeDeploy and an Application Load Balancer, the test listener and its associated target group are responsible for routing test traffic to the replacement task set. If the replacement task set never receives test traffic, the most likely cause is that the test listener is not correctly mapped to the target group in the CodeDeploy deployment group configuration. This mapping ensures that traffic from the test listener is directed to the replacement task set during the deployment lifecycle.

Exam trap

The trap here is that candidates may confuse the test listener with the production listener or assume the issue is with the ALB itself, rather than recognizing that the test listener-to-target-group mapping in the CodeDeploy deployment group is the specific configuration that controls test traffic routing.

How to eliminate wrong answers

Option A is wrong because S3 bucket versioning is unrelated to ECS deployment traffic routing; it is used for object version control and rollback in S3, not for CodeDeploy traffic routing. Option B is wrong because Lambda provisioned concurrency is a feature for managing concurrent execution capacity of Lambda functions, not for ECS task set traffic routing in blue/green deployments. Option D is wrong because DynamoDB TTL (Time to Live) is a feature for automatically expiring items in DynamoDB tables, and it has no role in CodeDeploy or ALB traffic routing.

644
MCQhard

Refer to the exhibit. A developer runs an AWS CLI command on an EC2 instance and receives the error shown. The instance has an IAM role attached with the necessary permissions. What is the most likely cause of this error?

A.The CLI command is not supported on EC2 instances.
B.The CLI is not configured to use the instance profile credentials; environment variables or config file might be overriding.
C.The IAM role does not have the required permissions for the CLI command.
D.The instance does not have an IAM role attached.
AnswerB

Missing credentials configuration.

Why this answer

The error indicates that the AWS CLI cannot find credentials. Even though the EC2 instance has an IAM role attached, the CLI will not automatically use instance profile credentials if environment variables (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or a config file (e.g., ~/.aws/credentials) are present with different or invalid values. The CLI's credential provider chain checks environment variables first, then the config file, and only falls back to the instance metadata service (IMDS) if no other credentials are found.

Therefore, overriding settings are the most likely cause.

Exam trap

The trap here is that candidates assume the IAM role is automatically used by the CLI, but they overlook that environment variables or a local AWS credentials file can override the instance profile credentials, causing an 'Unable to locate credentials' error even when the role is correctly attached.

How to eliminate wrong answers

Option A is wrong because the AWS CLI is fully supported on EC2 instances and can run any command the instance's IAM role permits. Option C is wrong because the error message explicitly states 'Unable to locate credentials,' not a permissions error; if the role lacked permissions, the error would be 'AccessDenied' or similar. Option D is wrong because the question states the instance has an IAM role attached, so the role exists; the issue is that the CLI is not using it.

645
MCQhard

An application running on EC2 needs to access an S3 bucket. The developer has assigned an IAM role to the EC2 instance with a policy that allows s3:GetObject on the bucket. However, the application is still getting access denied errors. What should the developer check?

A.Check that the application is using HTTPS instead of HTTP.
B.Check the S3 bucket policy for an explicit deny statement that applies to the IAM role.
C.Check that the EC2 instance has permissions to decrypt the KMS key used by S3.
D.Check that the EC2 instance is in the same VPC as the S3 bucket.
AnswerB

An explicit deny in the bucket policy overrides any allow from IAM.

Why this answer

Option B is correct because even if the IAM role attached to the EC2 instance allows s3:GetObject, an S3 bucket policy with an explicit deny statement that applies to that role will override the allow. IAM policy evaluation logic dictates that an explicit deny in any policy (resource-based or identity-based) takes precedence over any allow, resulting in access denied errors.

Exam trap

The trap here is that candidates assume an IAM role with an allow policy is sufficient, overlooking that S3 bucket policies can contain explicit deny statements that override the role's permissions.

How to eliminate wrong answers

Option A is wrong because S3 supports both HTTP and HTTPS, and using HTTP does not cause access denied errors; HTTPS is recommended for encryption in transit but not a requirement for authorization. Option C is wrong because the question does not mention S3 server-side encryption with KMS, and without a KMS key being used, KMS permissions are irrelevant to the access denied error. Option D is wrong because S3 buckets are global resources and do not reside in a VPC; EC2 instances can access S3 over the internet or via a VPC endpoint, but being in the same VPC is not a requirement for access.

646
Multi-Selectmedium

A company uses AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS database. The developer wants to ensure that the database connection string is not hard-coded in the application code. Which THREE methods can the developer use to pass the connection string securely? (Choose THREE.)

Select 3 answers
A.Read the connection string from Amazon RDS tags.
B.Use AWS Secrets Manager.
C.Use Elastic Beanstalk environment properties.
D.Store the connection string in a configuration file in the application bundle.
E.Use AWS Systems Manager Parameter Store.
AnswersB, C, E

Secrets Manager is designed for managing secrets.

Why this answer

Options B, C, and E are correct. B: AWS Secrets Manager is designed for secrets like database credentials. C: Environment properties in Elastic Beanstalk are injected into the application. E: AWS Systems Manager Parameter Store provides secure, encrypted storage.

Option A is wrong because the application code should not read from RDS tags; tags are not intended for sensitive data. Option D is wrong because putting the connection string in a file in the deployment package is not secure.

647
MCQeasy

A developer wants to upload a large file (5 GB) to an Amazon S3 bucket using the AWS SDK. Which approach is MOST efficient and resilient?

A.Generate a presigned URL and use a third-party tool to upload.
B.Invoke an AWS Lambda function to upload the file.
C.Use the Multipart Upload API to upload the file in parts.
D.Use the PutObject API call with the entire file.
AnswerC

Multipart Upload is designed for large objects.

Why this answer

Option C is correct because the S3 Multipart Upload API is designed for large objects, providing better throughput and resilience. Option D is wrong because a single PutObject call does not support objects over 5 GB. Option A is wrong because presigned URLs don't provide multipart upload benefits.

Option B is wrong because Lambda has a payload limit.

648
MCQeasy

A developer is using AWS OpsWorks for Chef Automate to manage a stack. The developer needs to deploy a new application version to existing instances. Which OpsWorks feature should the developer use?

A.Recipes
B.Custom JSON
C.Stacks
D.Layers
AnswerA

Recipes run on instances to perform tasks like deploying applications.

Why this answer

Recipes are Chef cookbook components that define the sequence of commands to execute on an instance. To deploy a new application version, the developer can run a custom recipe (e.g., via an OpsWorks lifecycle event or a manual 'Execute Recipes' action) that pulls the updated code, restarts services, or performs any necessary deployment steps. This directly maps to the requirement of deploying a new version to existing instances.

Exam trap

The trap here is confusing the static configuration elements (Stacks, Layers, Custom JSON) with the dynamic execution mechanism (Recipes) needed to actually perform a deployment action on running instances.

How to eliminate wrong answers

Option B is wrong because Custom JSON is used to pass custom configuration data (like database credentials or app settings) to OpsWorks stacks, not to execute deployment actions. Option C is wrong because a Stack is the top-level container for resources (instances, layers, apps) and does not itself perform deployment actions; it defines the environment. Option D is wrong because a Layer defines the configuration, packages, and lifecycle recipes for a group of instances, but deploying a new application version requires running a specific recipe, not just defining a layer.

649
MCQeasy

A developer has an Amazon S3 bucket containing private user documents. The application must generate a time-limited URL for users to download their own documents without requiring the users to have AWS credentials. Which solution should the developer use?

A.Use CloudFront signed URLs with an origin access identity (OAI) to restrict access to the S3 bucket.
B.Create a pre-signed URL for each object using the AWS SDK with an appropriate expiration time.
C.Set a bucket policy that allows public read access for the specific users based on their IP addresses.
D.Provide the users with IAM user credentials that have read access to the bucket.
AnswerB

Pre-signed URLs grant temporary access to a specific S3 object. The URL is generated using the developer's AWS credentials and expires after the specified duration, providing secure time-limited access.

Why this answer

Pre-signed URLs allow temporary, time-limited access to private S3 objects without requiring the user to have AWS credentials. The developer generates the URL server-side using the AWS SDK, embedding an expiration time, and the user can download the object directly via HTTP GET. This meets the requirement of granting ephemeral access to specific documents for unauthenticated users.

Exam trap

The trap here is that candidates often confuse pre-signed URLs with CloudFront signed URLs, thinking the CDN is required for time-limited access, but pre-signed URLs work directly with S3 and are simpler for single-object, time-limited downloads without needing CloudFront.

How to eliminate wrong answers

Option A is wrong because CloudFront signed URLs with OAI are used to control access at the CDN edge, but they still require the developer to manage CloudFront distributions and signing keys; the question asks for a simpler, direct S3 solution without requiring users to have AWS credentials. Option C is wrong because setting a bucket policy for public read access based on IP addresses would expose the bucket to all users from those IPs, violating the requirement for per-user, per-document private access and not providing time-limited URLs. Option D is wrong because providing IAM user credentials to end users is a security anti-pattern; it would require distributing long-term credentials, violating the principle of least privilege and the requirement that users not have AWS credentials.

650
Multi-Selecthard

A developer is troubleshooting an AWS Lambda function that is invoked by an Amazon S3 bucket notification. The function processes new objects and writes results to a DynamoDB table. Recently, some objects are not being processed. The developer checks the CloudWatch Logs for the Lambda function and sees no errors. Which TWO actions should the developer take to investigate the issue?

Select 2 answers
A.Enable DynamoDB Streams on the table and process records.
B.Increase the Lambda function's memory allocation.
C.Check the S3 bucket notification configuration to ensure it is properly set for the correct events.
D.Configure a dead-letter queue on the Lambda function to capture unprocessed events.
E.Review the Lambda function's CloudWatch Logs for timeout messages.
AnswersC, D

Misconfigured notifications can cause some events to not trigger the function.

Why this answer

Options C and D are correct. Option C: S3 event notifications can fail if the event is not configured correctly; checking the bucket notification configuration ensures the events are being sent. Option D: Lambda dead-letter queues (DLQ) capture events that failed to be processed; if configured, they can reveal unprocessed events.

Option B is wrong because the function logs show no errors, indicating the function is not invoked for those objects, so memory allocation is not the problem. Option A is wrong because a DynamoDB stream is not involved in this flow. Option E is wrong because the issue occurs before invocation, so the function's logs would not show timeout messages for the missing objects.

651
MCQeasy

The exhibit shows a CloudFormation template that creates an S3 bucket with versioning enabled. After deploying the stack, a developer uploads an object to the bucket. Later, the developer updates the object by uploading a new version. The developer wants to retrieve the original object. What is the correct way to do this?

A.Restore the original object using the S3 Object Lambda.
B.Use the S3 Batch Operations to revert to the original version.
C.The original object is overwritten and cannot be retrieved.
D.Use the S3 console or CLI to list object versions and retrieve the version ID of the original object.
AnswerD

Versioning stores all versions; you can retrieve by version ID.

Why this answer

Option D is correct because versioning preserves previous versions and lets you retrieve them by version ID; a GET without a version ID returns only the latest version by default. Option A is wrong because S3 Object Lambda transforms objects on retrieval and does not restore previous versions. Option B is wrong because there is no undo in S3; Batch Operations does not revert to a prior version.

Option C is wrong because the original is still present as a previous version.

652
Multi-Selecteasy

A developer is using AWS CodePipeline to automate deployments. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which TWO actions can the developer take to automatically start the pipeline when new code is uploaded to the S3 bucket? (Choose TWO.)

Select 2 answers
A.Configure the pipeline to use a periodic poll of the S3 bucket
B.Use Amazon CloudWatch Events to listen for S3 PutObject events and target the pipeline
C.Configure an S3 event notification to invoke an AWS Lambda function that starts the pipeline
D.Configure an S3 event notification to trigger an AWS CodeBuild build
E.Configure the S3 bucket to send events to an Amazon SQS queue, and configure the pipeline to poll the queue
AnswersB, C

CloudWatch Events can start a pipeline.

Why this answer

Options B and C are correct. S3 events can trigger Lambda, which starts the pipeline, or directly start a pipeline via CloudWatch Events. Option D is incorrect because CodeBuild is used for building, not for triggering a pipeline.

Option E is incorrect because SQS is not a direct trigger for CodePipeline. Option A is incorrect because periodic polling is not event-driven and does not start the pipeline automatically on upload.

653
MCQhard

A company uses AWS CodeDeploy to deploy an application to EC2 instances. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' The deployment group consists of 4 EC2 instances. The deployment configuration is 'CodeDeployDefault.OneAtATime'. The CodeDeploy agent logs on the failed instance show: 'Error: Script at specified location: scripts/install_dependencies.sh failed with exit code 1.' What should the developer do to resolve this issue?

A.Change the deployment configuration to 'CodeDeployDefault.AllAtOnce'.
B.Review the install_dependencies.sh script for errors and correct them.
C.Reinstall the CodeDeploy agent on the failed instance.
D.Increase the number of EC2 instances in the deployment group.
AnswerB

The script failed, causing the instance deployment to fail; fixing the script resolves the issue.

Why this answer

Option B is correct. The script failed with exit code 1, indicating a bug in the script. The developer should fix the script based on the logs.

Option A is wrong because the deployment configuration is already OneAtATime; changing to AllAtOnce would make it worse. Option D is wrong because increasing the instance count does not fix the script error. Option C is wrong because the error is in the script, not the agent.

654
MCQmedium

A team uses AWS Elastic Beanstalk with a Docker platform. They want to deploy a multi-container Docker application. What file is required to define the container configuration?

A.docker-compose.yml
B.Dockerrun.aws.json
C.Dockerfile
D.env.yaml
AnswerB

This is the required file for multi-container Docker environments.

Why this answer

AWS Elastic Beanstalk uses the `Dockerrun.aws.json` file to define the configuration for multi-container Docker environments. This JSON file specifies the images to use, port mappings, links between containers, and volumes, and it is required when deploying a multi-container Docker application on Elastic Beanstalk.

Exam trap

The trap here is that candidates familiar with Docker Compose might assume `docker-compose.yml` is the required file, but Elastic Beanstalk specifically requires `Dockerrun.aws.json` for multi-container deployments, and using the wrong file will cause the deployment to fail.

How to eliminate wrong answers

Option A is wrong because `docker-compose.yml` is used by Docker Compose for local multi-container orchestration, but Elastic Beanstalk does not natively support this file for deployment; it requires `Dockerrun.aws.json`. Option C is wrong because a `Dockerfile` defines how to build a single container image, not the orchestration of multiple containers in a multi-container environment. Option D is wrong because `env.yaml` is used in Elastic Beanstalk to define environment properties and configuration options, not container definitions.

655
MCQmedium

A developer is building a serverless application using AWS Lambda to process events from Amazon S3. The Lambda function needs to persist data to an Amazon RDS MySQL database. Which of the following is the MOST secure way to pass database credentials to the Lambda function?

A.Store the credentials in an S3 bucket with server-side encryption and read them in the Lambda function.
B.Use IAM database authentication for MySQL and assign an IAM role to the Lambda function.
C.Hardcode the credentials as environment variables in the Lambda function configuration.
D.Store the credentials in AWS Secrets Manager and retrieve them in the Lambda function code.
AnswerD

Secrets Manager provides secure storage and automatic rotation.

Why this answer

Option D is correct because using AWS Secrets Manager allows automatic rotation and secure retrieval of secrets without hardcoding. Option C is wrong because environment variables are visible in the Lambda console. Option A is wrong because storing credentials in S3 is less secure and requires additional permissions.

Option B is wrong because IAM roles are for AWS services, not database credentials.

656
Multi-Selecthard

An API backed by Lambda returns high p95 latency after deployment. Which two telemetry sources are most useful first?

Select 2 answers
A.AWS Billing console only
B.CloudWatch Lambda duration/init duration/logs
C.S3 Inventory reports
D.X-Ray traces across API Gateway and Lambda
AnswersB, D

Correct for the stated requirement.

Why this answer

CloudWatch Lambda duration and init duration metrics directly measure the time your function spends executing and initializing, which are the primary drivers of p95 latency. Logs can reveal cold starts, timeouts, or inefficient code paths that cause high latency. These are the most immediate telemetry sources to identify performance bottlenecks in the Lambda function itself.

Exam trap

The trap here is that candidates often overlook the combination of CloudWatch metrics and X-Ray traces, mistakenly thinking that only one telemetry source (like CloudWatch logs) is sufficient, or they confuse billing data with performance monitoring.

657
MCQeasy

A developer is implementing a REST API using Amazon API Gateway and AWS Lambda. The API should return a static response from an Amazon S3 bucket for a specific GET endpoint without invoking a Lambda function. Which API Gateway integration type should be used?

A.MOCK
B.HTTP_PROXY
C.AWS_PROXY
D.AWS
AnswerB

Forwards request to an HTTP endpoint like S3 website.

Why this answer

Option B is correct because the HTTP proxy integration forwards requests directly to an HTTP endpoint, such as an S3 static website. Option A is wrong because MOCK returns a static response but does not integrate with S3. Option C is wrong because AWS proxy integrates with Lambda.

Option D is wrong because it's for private integrations.

658
MCQmedium

A developer is building a serverless application using AWS Step Functions. The workflow must execute hundreds of thousands of short-lived tasks per day, each taking less than 30 seconds. The tasks need to run in parallel, and a small number of duplicate executions are acceptable. Which type of Step Functions workflow should the developer choose?

A.Standard Workflow
B.Express Workflow
C.AWS Lambda function with synchronous invocation
D.Amazon Simple Workflow Service (SWF)
AnswerB

Express Workflows are optimized for high-volume, short-duration executions (under 5 minutes) with at-least-once delivery. They can handle hundreds of thousands of executions per second at a lower cost, making them suitable for this use case.

Why this answer

Express Workflows are designed for high-volume, short-duration (under 5 minutes) event-processing workloads, executing hundreds of thousands of state transitions per second with at-least-once semantics. Since the tasks are short-lived (under 30 seconds), run in parallel, and tolerate a small number of duplicate executions, Express Workflow is the correct choice because it offers lower cost and higher throughput than Standard Workflow, which guarantees exactly-once execution and is better suited for long-running, auditable workflows.

Exam trap

The trap here is that candidates often assume Standard Workflow is always the default choice for Step Functions, overlooking the specific requirements for high throughput, short duration, and tolerance for duplicates that make Express Workflow the correct answer.

How to eliminate wrong answers

Option A is wrong because Standard Workflow is designed for long-running, durable workflows with exactly-once execution and a maximum execution duration of one year, making it over-provisioned and more expensive for high-volume, short-lived tasks where duplicate executions are acceptable. Option C is wrong because AWS Lambda synchronous invocation is not a Step Functions workflow type; it is a compute invocation pattern that lacks the orchestration, state management, and parallel execution capabilities provided by Step Functions. Option D is wrong because Amazon Simple Workflow Service (SWF) is a legacy service for long-running, human-in-the-loop workflows, not optimized for high-throughput, short-lived automated tasks, and it requires managing workers and deciders, adding operational overhead.

659
Multi-Selecteasy

Which TWO AWS services can be used to trigger an AWS Lambda function asynchronously?

Select 2 answers
A.Amazon EventBridge
B.Amazon API Gateway (REST API)
C.Amazon CloudWatch Events (scheduled events)
D.Amazon S3 (bucket notifications)
E.AWS Step Functions (synchronous)
AnswersA, D

EventBridge invokes Lambda asynchronously for events.

Why this answer

Options A and D are correct. S3 can invoke Lambda asynchronously on object create events. EventBridge can invoke Lambda asynchronously in response to events.

Option B is synchronous invocation. Option C is for scheduled events (could be considered asynchronous, but EventBridge is a more direct answer). Option E is synchronous invocation.

660
MCQhard

A developer receives the above error when trying to launch an EC2 instance. What is the most likely cause?

A.The account has reached its EC2 instance limit
B.The developer is trying to launch the instance in a restricted VPC
C.An SCP at the organizational level denies ec2:RunInstances
D.The developer's IAM policy does not allow ec2:RunInstances
AnswerC

The error explicitly states an explicit deny in a service control policy.

Why this answer

The error message explicitly mentions a service control policy (SCP) that denies the action. SCPs are applied at the organizational level. Option D is incorrect because an IAM policy denial would not mention an SCP.

Option A is incorrect because the error is about authorization, not service limits. Option B is incorrect because the error does not mention a VPC.

661
MCQeasy

A developer wants to allow an IAM user to rotate their own access keys. Which IAM policy action should be included?

A.iam:UpdateAccessKey
B.iam:GetAccessKeyLastUsed
C.iam:DeleteAccessKey
D.iam:CreateAccessKey
AnswerA

Allows updating (activating/deactivating) keys.

Why this answer

Option A is correct because iam:UpdateAccessKey allows the user to update their own access keys. Option D is wrong because iam:CreateAccessKey alone does not allow rotation without update. Option C is wrong because iam:DeleteAccessKey only deletes keys.

Option B is wrong because iam:GetAccessKeyLastUsed is read-only.

662
Multi-Selecthard

A Lambda function behind API Gateway intermittently times out only during cold starts. Which two actions can reduce cold-start impact?

Select 2 answers
A.Use provisioned concurrency for predictable low latency
B.Move all logs to S3 Glacier
C.Reduce deployment package size and initialize clients outside unnecessary hot paths
D.Disable all retries
AnswersA, C

Correct for the stated requirement.

Why this answer

Provisioned concurrency keeps a specified number of Lambda execution environments initialized and ready to respond immediately, eliminating the cold-start latency for those invocations. This is the most direct way to ensure predictable low latency for a function that intermittently times out during cold starts.

Exam trap

The trap here is that candidates may confuse reducing cold-start impact with optimizing log storage or retry behavior, but only provisioned concurrency and minimizing initialization code directly address the cold-start latency issue.

663
Multi-Selecthard

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The application must be highly available across multiple Availability Zones. The developer needs to configure the ECS service. Which THREE configuration options are required? (Choose THREE.)

Select 3 answers
A.Create an Auto Scaling group for the Fargate tasks.
B.Set the desired number of tasks to at least 2.
C.Associate an Application Load Balancer with the ECS service.
D.Configure the service to place tasks in at least two subnets in different Availability Zones.
E.Use a DynamoDB table to store task state.
AnswersB, C, D

Multiple tasks provide redundancy.

Why this answer

Option C is correct because a load balancer is needed to distribute traffic across tasks in multiple AZs. Option B is correct because setting the number of tasks to at least 2 ensures redundancy. Option D is correct because spreading tasks across multiple AZs ensures high availability.

Option A is wrong because ECS does not support Auto Scaling groups with Fargate. Option E is wrong because a DynamoDB table is not needed for ECS service configuration.

664
Multi-Selecteasy

A developer is deploying an application using AWS Elastic Beanstalk. The developer wants to ensure that the application is highly available and can recover from an AZ failure. Which TWO configurations should be applied? (Choose TWO.)

Select 2 answers
A.Configure the environment to use multiple Availability Zones.
B.Select a larger EC2 instance type.
C.Enable Multi-AZ for the application's Amazon RDS database.
D.Attach an Elastic Load Balancer to the environment.
E.Use a single EC2 instance for simplicity.
AnswersA, D

Distributes instances across AZs.

Why this answer

Options A and D are correct. A: Deploying to multiple AZs ensures that if one AZ fails, the application remains available. D: A load balancer distributes traffic across instances in multiple AZs.

Option E is wrong because a single instance is not highly available. Option B is wrong because a larger instance type does not provide AZ redundancy. Option C is wrong because an RDS Multi-AZ database is for database availability, not application availability.

665
MCQeasy

A developer needs to analyze real-time streaming data from thousands of devices. The data consists of JSON messages that must be processed and stored in Amazon S3. Which AWS service should the developer use to ingest and buffer the streaming data?

A.Amazon S3
B.AWS Lambda
C.Amazon Simple Queue Service (SQS)
D.Amazon Kinesis Data Streams
AnswerD

Designed for real-time data ingestion.

Why this answer

Option D is correct because Amazon Kinesis Data Streams is designed for real-time data ingestion and can buffer data. Option B is wrong because Lambda is for compute, not ingestion. Option C is wrong because SQS is for message queues, not high-throughput streaming.

Option A is wrong because S3 is storage, not ingestion.

666
Multi-Selecteasy

A developer is tasked with securing a legacy application that stores secrets in environment variables. Which THREE AWS services can be used to improve the security posture?

Select 3 answers
A.AWS Key Management Service (KMS)
B.AWS Certificate Manager
C.AWS CloudHSM
D.AWS Systems Manager Parameter Store
E.AWS Secrets Manager
AnswersA, D, E

Used to encrypt secrets.

Why this answer

Secrets Manager, Parameter Store, and KMS can all help manage and encrypt secrets.

667
MCQeasy

A company requires that all data in Amazon S3 be encrypted at rest using server-side encryption with a customer-managed KMS key. The developer needs to ensure that any object uploaded without the x-amz-server-side-encryption header set to aws:kms is denied. How can this be enforced?

A.Use a bucket policy that denies s3:PutObject if the encryption condition is not met.
B.Configure default encryption on the bucket with SSE-KMS.
C.Enable S3 Object Lock.
D.Use a CloudTrail trail to monitor uploads.
AnswerA

Correct. A bucket policy can deny s3:PutObject when the required encryption header is absent, enforcing encryption on all uploads.

Why this answer

Option A is correct because an S3 bucket policy with a condition that denies s3:PutObject unless the `s3:x-amz-server-side-encryption` header equals `aws:kms` enforces server-side encryption with a customer-managed KMS key at the API level. This policy explicitly rejects any upload that does not include the required encryption header, ensuring compliance even if default encryption is bypassed or misconfigured.

Exam trap

The trap here is that candidates often confuse default encryption (which silently applies encryption but does not deny non-compliant uploads) with a bucket policy that actively denies requests, leading them to choose Option B as a simpler but ineffective solution.

How to eliminate wrong answers

Option B is wrong because configuring default encryption on the bucket with SSE-KMS only applies encryption to objects uploaded without an explicit encryption header; it does not deny uploads that omit the header, so objects can still be uploaded without the required `x-amz-server-side-encryption` header. Option C is wrong because S3 Object Lock is designed to prevent object deletion or overwrites for compliance or retention purposes, not to enforce encryption requirements during upload. Option D is wrong because CloudTrail trails only log API calls for auditing and monitoring; they cannot enforce or deny S3 PutObject operations based on encryption headers.

668
MCQeasy

A developer wants to deploy a serverless application using AWS CloudFormation. The application consists of an API Gateway, Lambda functions, and DynamoDB tables. The developer wants to ensure that the stack can be updated without resource interruption when possible. Which CloudFormation feature should the developer use?

A.Use a Lambda alias with a DeploymentPreference update policy
B.Use a ChangeSet to review changes before applying them
C.Use a StackPolicy to protect critical resources
D.Use a Custom Resource to manage updates
AnswerA

This enables traffic shifting between old and new Lambda versions, ensuring zero downtime during updates.

Why this answer

Option A is correct because the `DeploymentPreference` update policy on a Lambda alias enables canary, linear, or all-at-once traffic shifting during stack updates. This allows the developer to update Lambda function versions without interrupting existing invocations, as traffic is gradually routed to the new version while the old version continues to serve requests until the transition completes.

Exam trap

The trap here is that candidates often confuse ChangeSets (which only preview changes) with the actual update mechanism, or they mistakenly think StackPolicies or Custom Resources can control update behavior, when in fact only the `DeploymentPreference` update policy on a Lambda alias provides the traffic-shifting capability needed for uninterrupted updates.

How to eliminate wrong answers

Option B is wrong because a ChangeSet only provides a preview of the changes that will be applied to the stack; it does not prevent resource interruption during the update itself. Option C is wrong because a StackPolicy is used to prevent accidental updates or deletions of specific resources by denying update/delete actions, but it does not control how updates are rolled out to avoid interruption. Option D is wrong because a Custom Resource is used to handle provisioning of resources not natively supported by CloudFormation, not to manage update strategies for Lambda functions.

669
MCQmedium

A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permissions?

A.Create an IAM role with the required permissions and attach it to the EC2 instance.
B.Generate an IAM user access key and store it in the application configuration.
C.Hardcode the AWS credentials in the application code.
D.Add the DynamoDB table ARN to the EC2 instance's security group.
AnswerA

IAM roles are the secure way to grant permissions to EC2.

Why this answer

The best practice for granting an EC2 instance permissions to access DynamoDB is to create an IAM role with the required permissions and attach it to the instance. This eliminates the need to manage long-term credentials, as the instance automatically retrieves temporary security credentials from the instance metadata service (IMDS) via the AWS Security Token Service (STS). This approach follows the principle of least privilege and ensures credentials are rotated automatically.

Exam trap

The trap here is that candidates may confuse security groups (network-level access control) with IAM policies (identity-based access control) and incorrectly think adding a DynamoDB table ARN to a security group can grant data access, when in fact security groups only control network traffic and cannot authorize API calls to DynamoDB.

How to eliminate wrong answers

Option B is wrong because storing an IAM user access key in the application configuration introduces long-term static credentials that must be manually rotated, increasing the risk of exposure and violating AWS best practices for EC2. Option C is wrong because hardcoding AWS credentials in application code is a severe security risk, as the credentials can be exposed through version control, logs, or decompilation, and it also prevents automatic rotation. Option D is wrong because security groups are stateful firewalls that control network traffic at the instance level, not IAM permissions; they cannot grant access to DynamoDB, which operates over HTTPS and requires identity-based authentication.
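The following CloudFormation template is an added example (not code from the question) of option A done properly: a role that only EC2 can assume, a read-only policy scoped to one table and its indexes, an instance profile, and a launch template that enforces IMDSv2. The table name `Orders`, the AMI ID, and the instance type are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OrdersReadRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:           # trust policy: only the EC2 service may assume the role
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: OrdersTableReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:                   # read actions only; no PutItem/UpdateItem/DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                  - dynamodb:Scan
                Resource:                 # one table plus its secondary indexes, not "*"
                  - !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders
                  - !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Orders/index/*

  OrdersReadInstanceProfile:              # the object that is actually attached to the instance
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref OrdersReadRole

  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0123456789abcdef0    # placeholder AMI ID
        InstanceType: t3.micro
        IamInstanceProfile:
          Arn: !GetAtt OrdersReadInstanceProfile.Arn
        MetadataOptions:
          HttpEndpoint: enabled
          HttpTokens: required            # IMDSv2 only: credentials need a PUT-obtained session token
          HttpPutResponseHopLimit: 1      # token cannot be fetched through one extra network hop
```

On the instance, the SDK reads credentials from `http://169.254.169.254/latest/meta-data/iam/security-credentials/OrdersReadRole` using an IMDSv2 session token; nothing is written to disk or configuration. The hop limit of 1 also blocks containers on the instance from reaching IMDS through the host's network namespace, which is desirable unless workloads in containers legitimately need the instance role.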

670
Multi-Selecteasy

A developer is using AWS CodePipeline to automate deployments. The pipeline has a Source stage using Amazon S3 and a Deploy stage using AWS Elastic Beanstalk. The developer notices that the pipeline fails at the Deploy stage with the error 'The deployment failed because the version of the application to be deployed could not be found.' Which TWO actions should the developer take to resolve this issue?

Select 2 answers
A.Ensure that the S3 bucket and the Elastic Beanstalk environment are in the same AWS region.
B.Make sure the source artifact is a valid zip file containing the application code and environment configuration.
C.Confirm that the S3 object key does not contain special characters.
D.Verify that the S3 bucket name is exactly as specified in the pipeline.
E.Check that the IAM role for CodePipeline has permissions to read from the S3 bucket and deploy to Elastic Beanstalk.
AnswersA, B

The pipeline and the Elastic Beanstalk environment must be in the same Region, and the source object must be a valid source bundle.

Why this answer

Option A is correct because a CodePipeline deploy action targets an Elastic Beanstalk application in the pipeline's own Region unless a cross-Region action is configured explicitly; an environment in a different Region cannot be located, so no application version is created for it. Option B is correct because Elastic Beanstalk deploys a source bundle (a zip or war archive containing the application code and any `.ebextensions` configuration); if the S3 object is not a valid bundle, Elastic Beanstalk cannot create an application version from it.

Option C is wrong because the object key only identifies the source object; if it were wrong, the Source stage, not the Deploy stage, would fail. Option D is wrong for the same reason: a wrong bucket name means the source object is never fetched, so the pipeline never reaches Deploy. Option E is wrong because a CodePipeline service role that lacks `s3:GetObject` on the artifact bucket or the Elastic Beanstalk permissions surfaces as an access-denied error on the action, not as an application version that cannot be found.

671
MCQmedium

A developer needs to grant temporary access to an Amazon S3 bucket for a user from a different AWS account. The developer wants to use the most secure method that does not require sharing long-term credentials. Which approach should the developer take?

A.Create an IAM user in the developer's account and share the access keys
B.Use S3 bucket policy with a condition for the external account's IAM user
C.Use cross-account IAM roles with STS AssumeRole
D.Use S3 access control lists (ACLs) with the external user's canonical user ID
AnswerC

This allows the external user to assume a role in the developer's account, obtaining temporary credentials. It does not require sharing long-term keys and provides fine-grained control.

Why this answer

Option C is correct because using cross-account IAM roles with AWS Security Token Service (STS) AssumeRole allows the external user to obtain temporary, limited-privilege credentials without sharing any long-term access keys. This approach follows the principle of least privilege and eliminates the risk of exposed static credentials, as the temporary credentials automatically expire after the requested duration (default 1 hour, up to the role's configured maximum session duration of between 1 and 12 hours; a session obtained by role chaining is capped at 1 hour). Adding an `sts:ExternalId` condition to the role's trust policy protects against the confused-deputy problem when the external party is a third-party service.

Exam trap

The trap here is that candidates often confuse S3 bucket policies with cross-account access, thinking a bucket policy alone can grant temporary credentials, when in fact bucket policies only authorize requests signed with credentials the requester already holds (long-term or temporary) and do not issue temporary tokens.

How to eliminate wrong answers

Option A is wrong because sharing IAM user access keys exposes long-term credentials that never expire, violating the requirement for temporary access and increasing the risk of credential leakage. Option B is wrong because an S3 bucket policy with a condition for an external account's IAM user still requires that external user to use their own long-term IAM credentials to sign requests, which does not grant temporary access and does not eliminate long-term credential sharing. Option D is wrong because S3 ACLs use canonical user IDs (the account's AWS-assigned identifier) and require the external user to authenticate with their own long-term credentials; ACLs also do not provide temporary credentials and are considered a legacy access control mechanism that is less secure and less flexible than IAM roles.
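The following CloudFormation template is an added example (not code from the question) of the role side of option C: a role in the developer's account that the external account can assume, protected by an external ID, with a 1-hour session limit and read access to one prefix of the bucket. The account ID and external ID parameters, the bucket name `my-reports-bucket`, the prefix `reports/`, and the role name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  PartnerAccountId:
    Type: String                   # the external AWS account allowed to assume the role
  ExternalId:
    Type: String                   # shared out of band with the partner; never a guessable value
    NoEcho: true

Resources:
  PartnerReportsAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: PartnerReportsAccess
      MaxSessionDuration: 3600     # AssumeRole may not request more than 1 hour for this role
      AssumeRolePolicyDocument:    # trust policy: who may call sts:AssumeRole on this role
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trusting the account root delegates to the partner's own IAM policies
              # the decision of which of their principals may assume the role.
              AWS: !Sub arn:${AWS::Partition}:iam::${PartnerAccountId}:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId   # confused-deputy protection
      Policies:
        - PolicyName: ReadReportsPrefix
          PolicyDocument:          # permissions policy: what the assumed session may do
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:${AWS::Partition}:s3:::my-reports-bucket
                Condition:
                  StringLike:
                    s3:prefix: reports/*       # listing limited to the shared prefix
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:${AWS::Partition}:s3:::my-reports-bucket/reports/*
```

The partner then runs `aws sts assume-role --role-arn arn:aws:iam::<developer-account>:role/PartnerReportsAccess --role-session-name partner-sync --external-id <value>` with their own credentials and uses the returned access key, secret, and session token until they expire. Their account must also grant its caller `sts:AssumeRole` on that role ARN; the trust policy alone is not sufficient. Because the bucket is in the same account as the role, no bucket policy is needed as long as none contains an explicit deny.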

672
MCQhard

A developer deploys this CloudFormation template. The Lambda function fails to access the DynamoDB table 'MyTable'. What is the most likely cause?

A.The Lambda execution role lacks DynamoDB permissions.
B.The runtime nodejs18.x is incorrect for this handler.
C.The S3 bucket 'my-bucket' does not exist.
D.The environment variable TABLE_NAME is misspelled.
AnswerA

The role ARN is provided but its policy must include DynamoDB actions.

Why this answer

Option A is correct because the execution role referenced by the function's `Role` property must carry an identity policy that allows the DynamoDB actions the code calls (for example `dynamodb:GetItem` or `dynamodb:PutItem`) on the table's ARN; a role that only has the basic logging permissions makes the function's DynamoDB call fail with `AccessDeniedException` at runtime. Option B is wrong because `nodejs18.x` is a valid runtime identifier for a Node.js handler; an unsupported runtime is rejected when the stack is deployed, it does not produce a DynamoDB access failure. Option C is wrong because the S3 bucket and key only locate the deployment package; if they were wrong, the function would fail to deploy rather than fail to reach the table.

Option D is wrong because the `TABLE_NAME` environment variable is set correctly in the template; a misspelled table name would surface as a `ResourceNotFoundException`, not an authorization error.
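The following CloudFormation template is an added example (not the template from the question) showing the fix for option A: an execution role whose inline policy grants the function the DynamoDB actions it needs on `MyTable` only, alongside the basic logging managed policy. The table key schema, the handler name, and the object key `function.zip` are assumptions; `MyTable`, `my-bucket`, `nodejs18.x`, and `TABLE_NAME` come from the question.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: MyTable
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH

  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:     # trust policy: only the Lambda service may assume this role
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only; with nothing else the function gets AccessDeniedException from DynamoDB
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: MyTableAccess   # the statement whose absence causes the failure in the question
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                Resource: !GetAtt MyTable.Arn   # this table only, not "*"

  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs18.x
      Handler: index.handler        # assumed handler
      Role: !GetAtt FunctionRole.Arn
      Environment:
        Variables:
          TABLE_NAME: !Ref MyTable  # Ref on a table returns its name
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
```

If the code also reads a secondary index, the policy needs a second resource entry of the form `<table ARN>/index/*`; `!GetAtt MyTable.Arn` alone does not cover indexes.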

673
MCQmedium

A REST API requires request validation before invoking Lambda to reduce unnecessary function executions for malformed payloads. Where should validation be configured?

A.Inside the Lambda timeout setting
B.In the IAM execution role
C.In the S3 bucket policy
D.In API Gateway request models and validators
AnswerD

Correct for the stated requirement.

Why this answer

API Gateway provides built-in request validation using models (JSON Schema) and validators. By configuring validation at the API Gateway layer, malformed payloads are rejected before they reach the Lambda function, reducing unnecessary invocations and associated costs. This is the correct approach because API Gateway acts as the entry point for REST APIs and can enforce payload structure without invoking the backend.

Exam trap

The trap here is that candidates may confuse Lambda's execution role or timeout settings with request validation, not realizing that API Gateway is the correct layer to filter malformed payloads before they trigger Lambda.

How to eliminate wrong answers

Option A is wrong because the Lambda timeout setting controls how long a function can run, not whether it is invoked; it cannot prevent invocation for malformed payloads. Option B is wrong because the IAM execution role defines permissions for the Lambda function to access other AWS services, not request validation. Option C is wrong because S3 bucket policies control access to S3 objects, not API request validation; they are unrelated to REST API payload checking.
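The following CloudFormation template is an added example (not code from the question) of option D: a JSON Schema model, a request validator that checks both body and parameters, and a `POST /orders` method that applies them before the Lambda proxy integration is invoked. The API name, the schema fields, the required header, and the backend function `CreateOrderFunction` (assumed to be defined elsewhere in the template) are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: orders-api

  OrderModel:                      # JSON Schema draft-04, which API Gateway models use
    Type: AWS::ApiGateway::Model
    Properties:
      RestApiId: !Ref Api
      Name: Order
      ContentType: application/json
      Schema:
        "$schema": "http://json-schema.org/draft-04/schema#"
        title: Order
        type: object
        required: [customerId, items]
        additionalProperties: false          # unknown fields are rejected, not passed through
        properties:
          customerId:
            type: string
            pattern: "^[a-f0-9]{32}$"
          items:
            type: array
            minItems: 1
            maxItems: 50
            items:
              type: object
              required: [sku, quantity]
              properties:
                sku: { type: string, maxLength: 64 }
                quantity: { type: integer, minimum: 1, maximum: 1000 }

  BodyAndParamsValidator:
    Type: AWS::ApiGateway::RequestValidator
    Properties:
      RestApiId: !Ref Api
      Name: validate-body-and-params
      ValidateRequestBody: true
      ValidateRequestParameters: true

  OrdersResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Api
      ParentId: !GetAtt Api.RootResourceId
      PathPart: orders

  CreateOrder:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref OrdersResource
      HttpMethod: POST
      AuthorizationType: NONE                # attach an authorizer in a real API
      RequestValidatorId: !Ref BodyAndParamsValidator
      RequestModels:
        application/json: !Ref OrderModel    # Ref on a model returns its name
      RequestParameters:
        method.request.header.X-Client-Version: true   # header must be present
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${CreateOrderFunction.Arn}/invocations
```

A body that fails the schema, or a request missing the required header, gets an HTTP 400 from API Gateway and the function is never invoked. Body validation only applies when the request's `Content-Type` matches a key in `RequestModels`, so a client that sends `text/plain` bypasses the model; the method's integration should therefore not trust that the body is well-formed without the validator having run.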

674
Multi-Selecthard

Which THREE steps are required to set up a continuous delivery pipeline using AWS CodePipeline, CodeBuild, and CodeDeploy? (Select THREE.)

Select 3 answers
A.Set up an Amazon RDS database to store deployment logs.
B.Create a deploy stage with CodeDeploy to deploy the artifacts.
C.Configure an AWS Lambda function to trigger the pipeline.
D.Create a build stage with CodeBuild to compile and test the code.
E.Create a source stage that retrieves code from a repository.
AnswersB, D, E

Required for deployment.

Why this answer

Options B, D, and E are correct because they are the three stages of a minimal continuous delivery pipeline, and artifacts flow from one to the next. The source stage (E) retrieves the code from a repository (CodeCommit, a Git provider through a CodeStar connection, or an S3 object) and produces the source artifact every later stage consumes. The build stage (D) hands that artifact to CodeBuild, which compiles the code, runs the tests defined in the buildspec, and emits a build artifact. The deploy stage (B) passes the build artifact to CodeDeploy, which automates application deployments to compute services like EC2, Lambda, ECS, or on-premises instances, ensuring a repeatable and automated release process.

Exam trap

The trap here is that candidates often think a database or a Lambda trigger is a required component, but the core pipeline only needs source, build, and deploy stages; additional services like RDS or Lambda are optional and not part of the minimal setup.
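The following CloudFormation template is an added example (not code from the question) of the three required stages wired together, with the artifact names showing how output from one stage becomes input to the next. The CodeStar connection ARN and repository ID parameters are assumptions, and `PipelineRole`, `ArtifactBucket`, `BuildProject`, `CodeDeployApp`, and `DeploymentGroup` are assumed to be defined elsewhere in the same template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SourceConnectionArn:
    Type: String                # CodeStar Connections ARN for the Git provider (assumed)
  RepositoryId:
    Type: String                # e.g. my-org/orders-service (assumed)

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt PipelineRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket    # artifacts pass between stages through this bucket
      Stages:
        - Name: Source                   # option E
          Actions:
            - Name: GitSource
              ActionTypeId: {Category: Source, Owner: AWS, Provider: CodeStarSourceConnection, Version: '1'}
              Configuration:
                ConnectionArn: !Ref SourceConnectionArn
                FullRepositoryId: !Ref RepositoryId
                BranchName: main
              OutputArtifacts:
                - Name: SourceOutput
        - Name: Build                    # option D
          Actions:
            - Name: CompileAndTest
              ActionTypeId: {Category: Build, Owner: AWS, Provider: CodeBuild, Version: '1'}
              Configuration:
                ProjectName: !Ref BuildProject   # its buildspec compiles and runs the tests
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BuildOutput
        - Name: Deploy                   # option B
          Actions:
            - Name: DeployToInstances
              ActionTypeId: {Category: Deploy, Owner: AWS, Provider: CodeDeploy, Version: '1'}
              Configuration:
                ApplicationName: !Ref CodeDeployApp
                DeploymentGroupName: !Ref DeploymentGroup
              InputArtifacts:
                - Name: BuildOutput      # the tested build output, never the raw source
```

No database or Lambda trigger appears anywhere: the connection-based source action starts the pipeline on a push, and the artifact bucket is the only storage involved. The pipeline role should be limited to the artifact bucket and to starting the named build project and deployment, since it acts with these permissions on every run.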

675
Multi-Selecthard

A developer is designing a serverless application using AWS Lambda and API Gateway. The application needs to authenticate users via a third-party identity provider (IdP). Which TWO services can be used to manage user authentication?

Select 2 answers
A.Amazon Cognito User Pools
B.AWS IAM
C.AWS Lambda custom authorizer
D.AWS Security Token Service (STS)
E.AWS Secrets Manager
AnswersA, C

Can federate with third-party IdPs.

Why this answer

Options A and C are correct. Amazon Cognito User Pools federate with third-party IdPs (SAML 2.0, OIDC, and social providers) and issue JSON Web Tokens that API Gateway's built-in Cognito authorizer verifies on every call. A Lambda authorizer (formerly called a custom authorizer) lets API Gateway run your own code to validate the IdP's token, for example by checking its signature against the IdP's published signing keys and its issuer, audience, and expiry, and return an IAM policy that allows or denies the invocation.

Option B is wrong because IAM authenticates AWS principals (users and roles), not end users of an external IdP; it is not a user directory. Option D is wrong because STS exchanges an already-validated identity for temporary AWS credentials (for example with `AssumeRoleWithWebIdentity`); it does not authenticate users against the IdP. Option E is wrong because Secrets Manager stores and rotates secrets such as the IdP client secret; it performs no authentication.
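The following CloudFormation template is an added example (not code from the question) showing both correct options side by side: a Cognito User Pool federated to an external OIDC provider with a Cognito authorizer in front of the API, and a token-type Lambda authorizer for the case where the IdP's tokens are validated by your own code. The REST API `Api`, the authorizer function `AuthorizerFunction`, and the invoke role `AuthorizerInvokeRole` are assumed to be defined elsewhere in the template; the IdP issuer, client ID, and client secret values are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Option A: Cognito User Pool that federates to a third-party OIDC IdP
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: orders-users

  CorporateIdp:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref UserPool
      ProviderName: CorporateOIDC
      ProviderType: OIDC
      ProviderDetails:
        client_id: example-client-id              # placeholder; issued by the IdP
        client_secret: example-client-secret      # placeholder; keep in Secrets Manager, not in the template
        attributes_request_method: GET
        oidc_issuer: https://idp.example.com      # placeholder issuer URL
        authorize_scopes: openid email
      AttributeMapping:
        email: email

  CognitoAuthorizer:                              # API Gateway verifies the pool's JWTs itself
    Type: AWS::ApiGateway::Authorizer
    Properties:
      RestApiId: !Ref Api
      Name: cognito-jwt
      Type: COGNITO_USER_POOLS
      IdentitySource: method.request.header.Authorization
      ProviderARNs:
        - !GetAtt UserPool.Arn

  # Option C: Lambda authorizer that validates the IdP token in your own code
  TokenAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      RestApiId: !Ref Api
      Name: custom-token-authorizer
      Type: TOKEN
      IdentitySource: method.request.header.Authorization
      IdentityValidationExpression: "^Bearer [-0-9a-zA-Z._]+$"   # junk is rejected before the function runs
      AuthorizerResultTtlInSeconds: 300                           # cache the returned policy per token
      AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunction.Arn}/invocations
      AuthorizerCredentials: !GetAtt AuthorizerInvokeRole.Arn     # role API Gateway uses to invoke it
```

A method uses one of these by setting `AuthorizationType` to `COGNITO_USER_POOLS` or `CUSTOM` and `AuthorizerId` to the matching authorizer. With the Lambda authorizer the caching TTL applies to the policy it returned, so a revoked token keeps working until the cache entry expires; shorten the TTL where prompt revocation matters.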
