CCNA Development with AWS Services Questions

68 of 518 questions · Page 7/7 · Development with AWS Services · Answers revealed

451
MCQ (easy)

A developer needs to store application configuration data, such as database connection strings and API keys, for a microservices application running on Amazon ECS. The configuration must be encrypted at rest and easily auditable. Which AWS service should the developer use?

A. AWS Secrets Manager.
B. Amazon S3 with server-side encryption.
C. AWS Systems Manager Parameter Store.
D. Amazon DynamoDB with encryption at rest.
Answer: C

Parameter Store is designed for configuration management, supports encryption, and integrates with CloudTrail for auditing.

Why this answer

Option C is correct because AWS Systems Manager Parameter Store can store configuration data securely, with encryption using KMS, and provides audit trails via CloudTrail. Option B is incorrect because S3 is not designed for parameter storage and would require additional setup for encryption and access control. Option D is incorrect because DynamoDB is a database, not a configuration store; it would require more overhead.

Option A is incorrect because Secrets Manager is more expensive and is specifically for secrets, not general application configuration.

452
MCQ (hard)

A developer is building a data processing pipeline that uses Amazon Kinesis Data Streams. The developer wants to ensure that records are processed in order within each shard. The consumer application runs on Amazon EC2 instances in an Auto Scaling group. What should the developer do to maintain ordering?

A. Use Amazon DynamoDB Streams to capture the order.
B. Use AWS Lambda as the consumer and set the batch size to 1.
C. Ensure that one consumer processes each shard exclusively.
D. Use the Kinesis Client Library (KCL) with multiple workers in the same consumer group.
Answer: C

Exclusive processing per shard ensures ordering within that shard.

Why this answer

Option C is correct because each shard's records carry a sequence number, and a single consumer can process them in order. Option D is wrong because multiple KCL workers in a group can process different shards, but ordering within a shard is maintained only if one consumer handles that shard. Option A is wrong because DynamoDB Streams are for DynamoDB tables, not Kinesis.

Option B is wrong because Lambda consumes records in batches; ordering is preserved within a shard as long as there is only one concurrent invocation per shard, but the best practice is to have one consumer per shard.

453
Multi-Select (hard)

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The application must authenticate users using a third-party OAuth 2.0 provider. Which THREE options can the developer use to integrate with the OAuth provider?

Select 3 answers
A. Use an API Gateway resource policy to allow only authenticated users.
B. Use a Lambda authorizer in API Gateway to validate the OAuth token.
C. Configure Amazon Cognito User Pools as an OAuth 2.0 provider and use its integration with API Gateway.
D. Use IAM authorization with a custom token service.
E. Implement token validation in a custom Lambda function that is invoked before processing the request.
Answers: B, C, E

Lambda authorizer can call the OAuth provider.

Why this answer

An API Gateway Lambda authorizer can call the OAuth provider to validate tokens. Cognito User Pools can be configured as an OAuth 2.0 provider and integrated with API Gateway. A custom Lambda function can validate tokens directly.

An API Gateway resource policy is for IP whitelisting, not authentication. IAM authorization is for AWS credentials.

454
Matching (medium)

Match each AWS service to its category.


Pub/sub messaging

Queue-based messaging

Real-time streaming data

Event bus service

Managed message broker

Why these pairings

Messaging services are crucial for decoupling applications.

455
Multi-Select (medium)

A developer is building a serverless application using AWS Lambda functions that need to access an Amazon RDS database. Which of the following are best practices for managing database credentials? (Choose TWO.)

Select 2 answers
A. Use AWS Systems Manager Parameter Store to store encrypted credentials.
B. Use AWS Secrets Manager to store and rotate credentials.
C. Store the credentials as Lambda environment variables.
D. Hardcode the credentials in the Lambda function code.
E. Store the credentials in a file in the Lambda deployment package.
Answers: A, B

Parameter Store can store encrypted parameters securely.

Why this answer

Options A and B are correct because they involve secure storage and rotation of credentials. Option C is wrong because storing credentials in Lambda environment variables is not secure if the variables are visible in the console. Option D is wrong because hardcoding is never a best practice.

Option E is wrong because storing credentials in a file inside the deployment package is as insecure as storing them in source code.

456
MCQ (hard)

A company runs a data processing pipeline using AWS Step Functions. The pipeline starts with a task that reads a CSV file from Amazon S3 and then fans out to multiple parallel Lambda functions for data transformation. The final step aggregates the results and writes to an Amazon DynamoDB table. Recently, the pipeline has been failing intermittently with 'StateMachineExecutionLimitExceeded' errors. The development team has already increased the execution history limit to the maximum. The pipeline runs about 500 executions per day. Meanwhile, the operations team reports that some executions are timing out after 5 minutes, even though each Lambda function completes within 30 seconds. The Step Function definition uses a Map state with a max concurrency of 20. The developer needs to fix both issues. Which combination of actions should the developer take? (Choose the BEST option.)

A. Reduce the max concurrency of the Map state and increase the task execution timeout in the Step Function definition.
B. Split the pipeline into multiple smaller Step Functions and chain them together.
C. Increase the max concurrency of the Map state and add a retry policy.
D. Set a Lambda reserved concurrency for the transformation functions to 100.
Answer: A

Lower concurrency reduces parallel executions, preventing limit errors; increasing timeout prevents timeout errors.

Why this answer

Option A is correct because reducing max concurrency and increasing the task timeout addresses both the state machine execution limits and the timeouts. Option C is wrong because increasing Map concurrency would worsen throttling. Option B is wrong because splitting into multiple state machines does not address task timeouts.

Option D is wrong because Lambda reserved concurrency does not prevent state machine throttling.

457
MCQ (hard)

A developer is deploying a microservices architecture on Amazon ECS with Fargate. Each service needs to store sensitive configuration data such as database passwords. The developer wants to avoid hardcoding secrets in the application code. Which approach should the developer use?

A. Store the secrets in an Amazon S3 bucket and use a pre-signed URL to download them at startup.
B. Define the secrets as environment variables in the ECS task definition.
C. Encrypt the secrets using AWS KMS and store the encrypted blob in a configuration file within the Docker image.
D. Store the secrets in AWS Systems Manager Parameter Store or AWS Secrets Manager and reference them in the ECS task definition using the 'secrets' parameter.
Answer: D

This securely injects secrets at runtime.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store or AWS Secrets Manager can securely store secrets, and the ECS task definition can reference them so they are injected at runtime. Option B is wrong because environment variables in the task definition are visible in plaintext. Option A is wrong because S3 is not designed for secrets.

Option C is wrong because baking an encrypted blob into the image increases the attack surface.
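
An added example, not from the page or from AWS, that applies the point above: it audits a constructed ECS container definition for credentials passed as plaintext environment variables (the weak pattern in option B) and rewrites them into the secrets block with valueFrom references, which is how option D gets them injected at runtime. The variable names, image and ARNs are constructed placeholders.

```python
import re
from typing import Dict, List

# Variable names that suggest a credential; any match inside 'environment'
# is treated as a plaintext secret in the task definition.
SECRET_NAME_RE = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|CONNECTION_STRING)", re.I
)

# Constructed container definition showing the weak pattern (option B).
WEAK_CONTAINER = {
    "name": "orders-api",
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api:1.4",
    "environment": [
        {"name": "DB_HOST", "value": "orders.cluster-xyz.us-east-1.rds.amazonaws.com"},
        {"name": "DB_PASSWORD", "value": "hunter2"},
        {"name": "PAYMENTS_API_KEY", "value": "sk_live_constructed"},
    ],
}


def find_plaintext_secrets(container: dict) -> List[str]:
    """Return the names of environment variables that look like secrets."""
    return [
        e["name"]
        for e in container.get("environment", [])
        if SECRET_NAME_RE.search(e["name"])
    ]


def harden(container: dict, secret_arns: Dict[str, str]) -> dict:
    """Move flagged variables out of 'environment' into 'secrets' (option D).

    secret_arns maps variable name -> Parameter Store or Secrets Manager ARN.
    Raises when a flagged variable has no ARN so nothing is dropped silently.
    """
    flagged = set(find_plaintext_secrets(container))
    missing = flagged - set(secret_arns)
    if missing:
        raise ValueError(f"no secret ARN for: {sorted(missing)}")
    hardened = dict(container)
    hardened["environment"] = [
        e for e in container.get("environment", []) if e["name"] not in flagged
    ]
    # ECS resolves each valueFrom at task start using the task execution role.
    hardened["secrets"] = container.get("secrets", []) + [
        {"name": n, "valueFrom": secret_arns[n]} for n in sorted(flagged)
    ]
    return hardened
```

Running find_plaintext_secrets as a CI gate over every registered task definition fails the build before a plaintext credential reaches ECS.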

458
MCQ (medium)

A developer is troubleshooting an issue where an IAM user is unable to upload a file to an S3 bucket that uses server-side encryption with AWS KMS (SSE-KMS). The IAM policy shown in the exhibit is attached to the user. What is the likely cause of the failure?

A. The KMS key ARN in the resource statement is incorrect.
B. The user does not have s3:PutObject permission on the bucket.
C. The user does not have kms:Encrypt permission on the KMS key.
D. The user does not have access to the KMS key at all.
Answer: C

When using SSE-KMS, the s3:PutObject action also requires kms:Encrypt on the key (kms:GenerateDataKey is included in the policy, but kms:Encrypt is needed for the upload). The policy grants only kms:Decrypt and kms:GenerateDataKey, which cover download/read, so the missing kms:Encrypt permission causes the failure.

Why this answer

The correct answer is C. The policy allows s3:PutObject but does not include kms:Encrypt, which is required for uploading objects with SSE-KMS. Option B is wrong because the policy allows s3:PutObject.

Option A is wrong because the KMS key ARN is specified. Option D is wrong because the user does have some KMS permissions on the key; the missing action is specifically kms:Encrypt.

459
MCQ (easy)

An IAM policy is attached to an IAM user. The user attempts to upload an object to s3://my-bucket/confidential/report.pdf from an IP address 192.168.1.100. What will happen?

A. The upload succeeds because the Allow statement grants s3:PutObject on all objects in the bucket.
B. The upload fails because the Deny statement blocks the request.
C. The upload succeeds because the IP address 192.168.1.100 matches the condition.
D. The upload fails because the Deny statement does not have a condition.
Answer: B

The Deny statement explicitly denies access when the source IP is not in the specified range.

Why this answer

Option B is correct because the Deny statement explicitly denies s3:* actions on the confidential prefix when the source IP is not in 10.0.0.0/8. Since the user's IP (192.168.1.100) is not in that range, the Deny applies. Even though the Allow statement grants s3:PutObject, the explicit Deny overrides it.

Option A is wrong because the Deny applies. Option C is wrong because the IP does not match the allowed range and the Deny is explicit. Option D is wrong because the Deny statement does carry an IP condition, and that condition is checked.
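
The evaluation described above, carried out in code as an added example that is not part of the original page: a small evaluator for a single identity policy that implements explicit-deny-wins with the IpAddress / NotIpAddress condition operators. The policy document itself is constructed from the explanation (the exhibit is not on the page), and the bucket name and IP addresses are taken from the question.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy reproducing the scenario: an Allow for s3:PutObject on
# the whole bucket plus an explicit Deny for s3:* under confidential/ whenever
# the request does not originate from 10.0.0.0/8.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/confidential/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcard matching for Action and Resource ('*' and '?').
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    """Only the IpAddress / NotIpAddress operators the scenario needs."""
    for op, kv in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(op)
        for key, ranges in kv.items():
            if key not in ctx:
                # IAM: a missing context key fails a positive operator
                # and satisfies a negated one.
                if op == "IpAddress":
                    return False
                continue
            ip = ipaddress.ip_address(ctx[key])
            in_range = any(ip in ipaddress.ip_network(r) for r in _as_list(ranges))
            if in_range != (op == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """IAM evaluation for one identity policy: a matching explicit Deny whose
    condition holds always wins, then a matching Allow, else implicit deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision
```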

460
MCQ (easy)

A developer is writing code to upload an object to an Amazon S3 bucket. The object is 200 MB in size. Which AWS SDK method should the developer use to perform this upload?

A. Enable S3 Transfer Acceleration and use the PutObject API.
B. Use the PutObject API operation.
C. Use the multipart upload API.
D. Use a pre-signed URL and upload using HTTP PUT.
Answer: C

Multipart upload is recommended for objects larger than 100 MB.

Why this answer

Option C is correct because the multipart upload API is designed for objects over 100 MB. Option B is wrong because PutObject supports objects up to 5 GB but is recommended for smaller objects. Option D is wrong because pre-signed URLs are for granting temporary access, not for uploading large objects efficiently.

Option A is wrong because S3 Transfer Acceleration speeds up uploads over long distances but does not change the API method needed.

461
MCQ (hard)

A developer is using AWS X-Ray to trace requests through a microservices application. The application consists of several AWS Lambda functions that call each other and Amazon DynamoDB. The developer notices that some traces are incomplete and missing segments for downstream calls. What is the MOST likely cause?

A. The downstream DynamoDB table does not have X-Ray tracing enabled.
B. The Lambda functions do not have the X-Ray SDK imported.
C. The X-Ray daemon is not running on the Lambda execution environment.
D. The X-Ray sampling rate is set too low.
Answer: A

X-Ray tracing must be enabled on DynamoDB to capture segments.

Why this answer

Option A is correct because X-Ray tracing must be enabled on downstream resources to record their segments. Option D is wrong because the sampling rate affects the number of traces, not their completeness. Option B is wrong because the X-Ray SDK is needed on Lambda for any tracing at all, so it does not explain partially missing segments.

Option C is wrong because the X-Ray daemon is needed on EC2, whereas Lambda uses the X-Ray SDK.

462
MCQ (medium)

A developer is using Amazon API Gateway with a Lambda authorizer to control access to an API. The authorizer function needs to decode a JWT token from the request header and return an IAM policy. Which type of Lambda authorizer should be used?

A. TOKEN authorizer with the token passed in the Authorization header.
B. REQUEST authorizer with the token in a custom header.
C. Use Amazon Cognito User Pools as the authorizer.
D. Use a resource policy to allow or deny access based on the JWT token.
Answer: A

A TOKEN authorizer is the simplest and most appropriate choice for JWT token validation. It receives the token as a string and returns a policy. This matches the requirement.

Why this answer

A TOKEN authorizer is designed to receive a JWT or OAuth token in the Authorization header and pass it directly to the Lambda function for validation. The Lambda function then decodes the token and returns an IAM policy document to allow or deny the API request. This is the correct choice because the question explicitly states the token is in the request header and needs to be decoded, which matches the TOKEN authorizer's behavior of forwarding the raw token value.

Exam trap

The trap here is that candidates confuse the TOKEN authorizer (which passes only the token) with the REQUEST authorizer (which passes the full request), assuming that decoding a JWT requires access to other request parameters, when in fact the token alone is sufficient for validation.

How to eliminate wrong answers

Option B is wrong because a REQUEST authorizer passes the entire request context (headers, query parameters, path parameters) to the Lambda function, which is unnecessary overhead when only the JWT token from a header is needed; it also requires more complex parsing logic. Option C is wrong because Amazon Cognito User Pools are a managed identity service that handles JWT verification natively, not a Lambda authorizer; using them would bypass the requirement for a custom Lambda function to decode the token. Option D is wrong because resource policies control access based on IP addresses, VPCs, or AWS accounts, not on the contents of a JWT token; they cannot decode or validate token claims.
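
The TOKEN authorizer described above, as an added example that is not part of the original page or any AWS sample: it verifies the JWT from the Authorization header against keys looked up by the token's kid header (the same lookup that the JWKS-fetching authorizer in question 472 performs at runtime, which is what lets key rotation work without a redeploy) and returns the IAM policy document API Gateway expects. The HS256 shared secrets, key IDs and method ARN are constructed so the block verifies offline; a real provider would publish asymmetric keys via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed verification keys indexed by the JWT 'kid' header. A production
# authorizer would populate this from the provider's JWKS URL at runtime so a
# newly rotated key is picked up automatically; HS256 shared secrets are used
# here only so the example verifies offline.
KEYS_BY_KID = {
    "2024-old": b"old-signing-secret-constructed",
    "2025-new": b"new-signing-secret-constructed",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, kid: str) -> str:
    """Mint an HS256 JWT for the constructed provider (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [json.dumps(p, separators=(",", ":")).encode() for p in (header, claims)]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(KEYS_BY_KID[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, key id, signature and expiry all check out, else None."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":
            return None  # reject alg=none and algorithm-confusion attempts
        key = KEYS_BY_KID.get(header.get("kid"))
        if key is None:
            return None  # unknown kid: rotated key not yet known to the authorizer
        expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None  # signature mismatch (tampered or wrongly signed token)
        claims = json.loads(_b64url_decode(c64))
        if float(claims.get("exp", 0)) <= (now if now is not None else time.time()):
            return None  # expired
        return claims
    except (ValueError, TypeError):
        return None  # malformed base64/JSON or wrong number of segments


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": {},
    }


def handler(event: dict, context=None) -> dict:
    """TOKEN authorizer entry point: the event carries only
    authorizationToken (the raw header value) and methodArn."""
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    claims = verify_token(token)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    policy = build_policy(str(claims.get("sub", "unknown")), "Allow", event["methodArn"])
    policy["context"] = {"scope": str(claims.get("scope", ""))}  # forwarded to the backend
    return policy
```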

463
MCQ (easy)

A developer is building a serverless application using AWS Lambda. The function needs to access a DynamoDB table and write logs to Amazon CloudWatch. What is the minimum set of IAM permissions the Lambda execution role must have?

A. dynamodb:PutItem, logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents
B. logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents
C. dynamodb:*, logs:PutLogEvents
D. dynamodb:GetItem, dynamodb:PutItem, logs:PutLogEvents
Answer: A

Provides exactly the needed permissions.

Why this answer

Option A is correct because the Lambda execution role must allow logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents for CloudWatch, and dynamodb:PutItem for DynamoDB. Option D is wrong because it includes an unnecessary DynamoDB read permission. Option C is wrong because it includes dynamodb:*, which is too broad.

Option B is wrong because it lacks DynamoDB write permission.

464
Multi-Select (medium)

A developer is designing a serverless application that uses Amazon API Gateway and AWS Lambda. The API receives a high volume of requests, and the developer needs to cache responses to reduce latency and cost. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Use DynamoDB Accelerator (DAX) to cache Lambda responses.
B. Use ElastiCache for Redis to store frequently accessed responses.
C. Use Amazon CloudFront in front of API Gateway to cache responses.
D. Enable API Gateway caching and set a TTL for the cache.
E. Configure the Lambda function to return cache-control headers in the response.
Answers: D, E

API Gateway caching stores responses and reduces Lambda invocations.

Why this answer

Option D is correct because enabling caching in API Gateway caches responses for a specified TTL. Option E is correct because Lambda can return cache-control headers to instruct API Gateway to cache the response. Option C is wrong because CloudFront caches content at the edge, whereas API Gateway caching is separate and more direct.

Option A is wrong because DynamoDB Accelerator is for database caching, not API responses. Option B is wrong because ElastiCache is not integrated with API Gateway for response caching.

465
MCQ (easy)

A developer wants to store application logs in Amazon S3 with automatic transition to Glacier after 30 days and deletion after 365 days. Which S3 feature should be used?

A. S3 Lifecycle configuration
B. S3 Object Lock
C. S3 Replication
D. S3 Event Notifications
Answer: A

Lifecycle policies manage transitions and expirations.

Why this answer

S3 Lifecycle policies automate transitioning objects between storage classes and expiring them. Option A is correct.

466
MCQ (hard)

An organization uses AWS CodeBuild to run tests for a Node.js application. The build environment is Linux. The buildspec.yml includes a pre_build phase that runs 'npm install'. Occasionally, the build fails with an error 'npm ERR! code EINTEGRITY'. The developer wants to resolve this issue without compromising security. Which action should be taken?

A. Create a separate CodeBuild project to run npm install.
B. Add 'npm cache verify' to the pre_build phase before 'npm install'.
C. Add 'npm config set registry http://registry.npmjs.org/' to use HTTP.
D. Use 'npm install --prefer-offline' to avoid fetching from registry.
Answer: B

This verifies and cleans the cache, resolving integrity issues.

Why this answer

Option B is correct because adding 'npm cache verify' before 'npm install' can fix integrity errors by verifying and cleaning the cache. Option C is wrong because switching the registry to plain HTTP weakens integrity protection and reduces security. Option D is wrong because 'npm install --prefer-offline' uses the cache and may still hit integrity issues.

Option A is wrong because using a separate CodeBuild project does not solve the integrity problem.

467
MCQ (easy)

A developer is creating an AWS Lambda function that needs to access files from an Amazon EFS file system. The Lambda function must be configured to access the VPC. Which of the following is required to allow the Lambda function to mount the EFS file system?

A. The Lambda function must have the AWSLambdaVPCAccessExecutionRole managed policy attached.
B. The Lambda function must be in the same Availability Zone as the EFS mount target.
C. The Lambda function must have the AmazonElasticFileSystemClientReadWriteAccess managed policy attached.
D. The Lambda function must have the efs:MountFileSystem permission in its execution role.
Answer: A

This policy provides permissions to create and manage ENIs, which is essential for Lambda to connect to a VPC and access EFS.

Why this answer

The AWSLambdaVPCAccessExecutionRole managed policy provides the necessary permissions for Lambda to manage elastic network interfaces (ENIs) in a VPC, which is required for Lambda to connect to an EFS file system via mount targets. Without this policy, the Lambda function cannot create or manage the ENI needed to route traffic to the EFS mount target within the VPC.

Exam trap

The trap here is that candidates confuse the VPC networking permissions required for Lambda to mount EFS (AWSLambdaVPCAccessExecutionRole) with EFS-specific API permissions (AmazonElasticFileSystemClientReadWriteAccess) or a nonexistent efs:MountFileSystem action, leading them to select the wrong policy or permission.

How to eliminate wrong answers

Option B is wrong because Lambda can access EFS mount targets in any Availability Zone within the same VPC; it does not need to be in the same AZ as the mount target, as Lambda uses ENIs in the VPC subnets to reach the mount target across AZs. Option C is wrong because the AmazonElasticFileSystemClientReadWriteAccess policy grants permissions to EFS API operations (e.g., CreateFileSystem, DescribeMountTargets) but does not include the specific efs:MountFileSystem permission or the VPC networking permissions required for Lambda to mount the file system. Option D is wrong because the efs:MountFileSystem permission is not a valid IAM action; EFS mounting is controlled by network connectivity (VPC configuration) and the execution role must include permissions for EC2 ENI management (ec2:CreateNetworkInterface, etc.), not a direct EFS mount action.

468
MCQ (easy)

A company stores sensitive user data in an S3 bucket. The security team requires that all data be encrypted at rest using a customer-managed KMS key. The bucket already has default encryption configured with SSE-S3. What is the MINIMUM change needed to meet the requirement?

A. Change the default encryption of the bucket to SSE-KMS with the desired KMS key.
B. Add an object-level encryption setting to each object after upload.
C. Enable S3 Bucket Keys on the bucket.
D. Attach a bucket policy that denies uploads without the required KMS key.
Answer: A

This ensures all objects uploaded are encrypted with the specified KMS key.

Why this answer

SSE-S3 uses Amazon-managed keys, not customer-managed keys. To use a customer-managed KMS key, you must change the bucket's default encryption to SSE-KMS. S3 Bucket Keys reduce KMS costs but are not required.

Object-level encryption settings are not needed once default encryption is set. A bucket policy alone is not sufficient.

469
MCQ (hard)

A company is using Amazon API Gateway to expose a set of RESTful APIs. Each API call is processed by an AWS Lambda function. The company wants to enforce throttling limits to prevent abuse. Specifically, the company wants to allow 100 requests per second per API key. What is the SIMPLEST way to achieve this?

A. Use AWS WAF to block requests after 100 per second.
B. Set a reserved concurrency on the Lambda function to 100.
C. Configure a CloudWatch alarm to disable the API key after exceeding the limit.
D. Create a usage plan in API Gateway with a rate limit of 100 requests per second per API key.
Answer: D

Correct: Usage plans allow per-key throttling.

Why this answer

Option D is correct because API Gateway provides built-in usage plans with the ability to set rate limits per API key. Option B is wrong because Lambda reserved concurrency limits overall concurrency, not per-key throttling. Option A is wrong because WAF is a web application firewall, not a per-key throttling mechanism.

Option C is wrong because CloudWatch alarms only alert; they do not throttle.

470
MCQ (medium)

A company wants to build a RESTful API that handles file uploads. The API needs to support multipart/form-data content type. The developer is using Amazon API Gateway and AWS Lambda. Which approach should the developer use to handle file uploads efficiently?

A. Configure API Gateway to pass the entire request body to Lambda, and process the file within the Lambda function.
B. Create a Lambda function that accepts the file and uploads it to S3 using the AWS SDK.
C. Use API Gateway to generate a presigned S3 URL, and have the client upload directly to S3. The Lambda function can then process the file asynchronously.
D. Use an EC2 instance to host a custom web server that accepts file uploads and writes to S3.
Answer: C

This approach uses presigned URLs to allow direct upload to S3, avoiding API Gateway and Lambda payload limits. The Lambda function can be triggered by S3 events to process the uploaded file.

Why this answer

Option C is correct because it offloads the file upload to Amazon S3 directly via a presigned URL, which avoids the 10 MB payload limit and 29-second timeout of API Gateway and Lambda for large files. The client uploads the file to S3, and a separate Lambda function processes the file asynchronously, making the solution efficient and scalable for multipart/form-data uploads.

Exam trap

The trap here is that candidates assume Lambda can handle file uploads directly via API Gateway, overlooking the 10 MB payload limit and 29-second timeout, and fail to recognize the presigned URL pattern as the efficient serverless solution for large multipart/form-data uploads.

How to eliminate wrong answers

Option A is wrong because API Gateway has a 10 MB payload limit and a 29-second integration timeout, making it unsuitable for large file uploads; passing the entire request body to Lambda also forces the function to handle raw multipart parsing, which is inefficient and error-prone. Option B is wrong because it still requires the client to send the file through API Gateway and Lambda, hitting the same size and timeout constraints; the Lambda function would need to receive the entire file payload before uploading to S3, defeating the purpose of direct upload. Option D is wrong because it introduces unnecessary infrastructure management (EC2) and does not leverage serverless benefits; it also does not address the requirement to use API Gateway and Lambda, and a custom web server on EC2 adds operational overhead without improving efficiency.

471
MCQ (medium)

A developer is building a microservices application composed of multiple AWS Lambda functions and an Amazon API Gateway. The developer needs to trace requests as they travel through different services to identify performance bottlenecks. Which AWS service should the developer integrate?

A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. AWS X-Ray
D. Amazon Inspector
Answer: C

X-Ray is designed for tracing requests across distributed applications, allowing developers to pinpoint performance issues.

Why this answer

AWS X-Ray is the correct service because it provides end-to-end tracing of requests as they travel through distributed applications, including AWS Lambda functions and API Gateway. It generates a service map that shows the flow of requests, latency breakdowns, and identifies performance bottlenecks across microservices. X-Ray integrates directly with Lambda and API Gateway via the X-Ray SDK and tracing headers, enabling trace propagation without code changes.

Exam trap

The trap here is that candidates confuse CloudWatch Logs (which shows logs) with distributed tracing (which correlates requests across services), leading them to pick CloudWatch Logs instead of X-Ray for end-to-end performance analysis.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls for auditing and governance, not for tracing individual request paths or performance bottlenecks across microservices. Option B is wrong because Amazon CloudWatch Logs aggregates log data but does not provide distributed tracing or service maps to correlate requests across multiple Lambda functions and API Gateway. Option D is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposure, not for tracing application requests or performance analysis.

472
MCQ (medium)

A company uses Amazon API Gateway to expose a REST API. The API uses a Lambda authorizer to validate JWT tokens. Recently, the API has been returning 401 Unauthorized errors for valid tokens. The developer notices that the tokens are signed with a new key but the authorizer still uses the old key. What is the MOST efficient way to update the authorizer with the new key?

A. Modify the Lambda authorizer to fetch the public key from a well-known URL at runtime.
B. Update the API Gateway stage deployment to redeploy the API.
C. Delete and recreate the API Gateway authorizer with the new key.
D. Update the Lambda authorizer's environment variable with the new key and publish a new version.
Answer: A

This allows the authorizer to always use the latest key without manual updates.

Why this answer

Option A is correct because the Lambda authorizer can retrieve the public key from an external URL (e.g., a JWKS endpoint) at runtime, avoiding hardcoded keys. Option C is wrong because recreating the authorizer would cause downtime. Option B is wrong because redeploying the stage does not update the authorizer logic.

Option D is wrong because manually updating environment variables requires a function update and is less flexible than fetching keys dynamically.

473
MCQ (easy)

A developer is using AWS CodePipeline to automate a build and deploy process. The pipeline has a build stage that uses AWS CodeBuild and a deploy stage that uses AWS CodeDeploy. The build stage produces a build artifact that is stored in Amazon S3. The deploy stage fails with 'NoSuchKey' error. What is the MOST likely cause?

A. The CodeDeploy application does not have the correct service role.
B. The CodeBuild project does not have permissions to upload to the S3 bucket.
C. The pipeline does not have an OutputArtifact configured for the build stage, so the artifact is not passed to the deploy stage.
D. The S3 bucket policy does not allow CodePipeline to access the artifact.
Answer: C

Correct: Artifacts must be defined in the pipeline configuration.

Why this answer

Option C is correct because the artifact must be passed explicitly between stages via the OutputArtifacts and InputArtifacts configuration. Option D is wrong because the S3 bucket policy is not typically the issue within the same account. Option B is wrong because CodeBuild upload permissions are a separate concern.

Option A is wrong because the CodeDeploy service role is for deployment, not artifact access.

474
Multi-Select (medium)

A company is using AWS Elastic Beanstalk to deploy a web application. The application uses an Amazon RDS MySQL database. The development team wants to ensure that database credentials are not exposed in the application code. Which THREE actions should the team take to securely manage and retrieve database credentials? (Choose three.)

Select 3 answers
A. Store the credentials in an S3 bucket with a bucket policy that restricts access to the application.
B. Configure Elastic Beanstalk to pass the secret ARN to the application as an environment property.
C. Modify the application code to retrieve the credentials from Secrets Manager at startup.
D. Hardcode the credentials in the application code and use environment variables to override them.
E. Store the database credentials in AWS Secrets Manager.
Answers: B, C, E

Correct: Elastic Beanstalk can pass the secret ARN securely.

Why this answer

Option E is correct because AWS Secrets Manager can store and automatically rotate database credentials. Option B is correct because Elastic Beanstalk can pass environment properties (e.g., the secret ARN) to the application. Option C is correct because the application can query Secrets Manager at runtime to get the current credentials.

Option D is incorrect because hardcoding credentials, even with environment-variable overrides, is insecure. Option A is incorrect because storing credentials in S3 with a bucket policy is less secure and not best practice.

475
MCQ (medium)

A company runs a Node.js application on AWS Elastic Beanstalk. The application experiences high latency during peak hours. The developer suspects that the environment's EC2 instances are under-provisioned. Which configuration change would MOST effectively address the latency issue with minimal cost increase?

A. Place the environment behind an Application Load Balancer.
B. Enable Auto Scaling and configure scaling triggers based on CPU utilization.
C. Change the instance type to a larger size in the environment configuration.
D. Decrease the minimum number of instances in the Auto Scaling group.
Answer: B

Auto Scaling adds instances during high CPU usage and removes them when idle, optimizing cost and performance.

Why this answer

Option D is correct because enabling Auto Scaling and adjusting scaling triggers allows the environment to add instances during peak hours and remove them during low traffic, balancing performance and cost. Option A is wrong because increasing instance size may be more expensive and less elastic. Option B is wrong because reducing the number of instances would worsen latency.

Option A is wrong because using a load balancer alone does not change instance provisioning.

476
MCQ · medium

A developer is using Amazon API Gateway to expose a REST API. The API needs to validate request parameters and payload before invoking the backend Lambda function. What is the MOST efficient way to perform this validation?

A.Use API Gateway request validation with a model schema.
B.Validate the request in the Lambda function and return errors if validation fails.
C.Use Amazon CloudFront to validate the request at the edge.
D.Use API Gateway request parameters to enforce required headers.
Answer: A

API Gateway can validate requests before invoking Lambda, saving costs.

Why this answer

Option A is correct because API Gateway can validate requests using a model schema, reducing Lambda invocations. Option B is wrong because validation in Lambda still incurs cost and latency. Option D is wrong because request parameters alone don't validate the payload.

Option C is wrong because CloudFront is a CDN, not for API validation.

477
Multi-Select · hard

A developer is configuring an Amazon API Gateway REST API with a Lambda function as the backend. The Lambda function returns a JSON response. The developer wants to enable caching to reduce the number of calls to the Lambda function. Which TWO steps are required to enable caching for a specific stage?

Select 2 answers
A.Configure cache key parameters in the method request.
B.Enable API caching in the stage settings.
C.Attach a custom domain name to the API.
D.Create an API key and usage plan.
E.Deploy the API to an edge-optimized endpoint.
Answers: A, B

Cache keys determine how responses are cached; they must be defined.

Why this answer

Options A and B are correct. Enabling caching requires enabling the cache in the API Gateway stage settings and also configuring cache key parameters (usually by enabling caching on the method request). Option D is for API keys, not caching.

Option E is for edge-optimized endpoints, not caching. Option C is not directly related to enabling caching; it is about custom domain names.

478
MCQ · easy

A developer is building a serverless application using AWS Lambda. The application needs to process messages from an Amazon SQS queue and store results in an Amazon DynamoDB table. Which AWS service should the developer use to trigger the Lambda function when new messages arrive in the SQS queue?

A.Set up an Amazon EventBridge rule to capture SQS events and invoke Lambda.
B.Use Amazon SNS to subscribe to the SQS queue and trigger Lambda.
C.Use AWS Step Functions to poll the SQS queue and invoke Lambda.
D.Configure an SQS event source mapping on the Lambda function.
Answer: D

Lambda can poll SQS and invoke the function automatically.

Why this answer

Amazon SQS can directly invoke AWS Lambda via event source mappings. Option D is correct because Lambda can poll SQS and process messages. Option B is incorrect because SNS is a pub/sub service, not a trigger for SQS.

Option A is incorrect because EventBridge is for event buses, not direct SQS triggers. Option C is incorrect because Step Functions orchestrates workflows; it is not a direct trigger.

479
Multi-Select · hard

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which THREE steps should the developer take to ensure that only approved changes are deployed to production?

Select 3 answers
A.Use AWS CloudFormation change sets to review changes
B.Enable versioning on the S3 bucket
C.Configure cross-account access for the pipeline
D.Add a manual approval step before the production deployment
E.Encrypt the S3 bucket with AWS KMS
Answers: A, B, D

Change sets allow you to preview changes before applying them.

Why this answer

Option D is correct because manual approval gates allow review. Option B is correct because S3 versioning enables rollback. Option A is correct because CloudFormation change sets allow preview.

Option E is wrong because AWS KMS is not needed. Option C is wrong because cross-account access is not mentioned.

480
Multi-Select · medium

A developer is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other securely. Which THREE methods can be used to enable service-to-service authentication?

Select 3 answers
A.Use AWS App Mesh with mutual TLS (mTLS) authentication.
B.Configure Amazon ECS Service Connect for service-to-service communication.
C.Use Amazon API Gateway as a proxy for inter-service communication.
D.Use security group rules to allow traffic only between services.
E.Use IAM roles for tasks and AWS SDK to sign requests.
Answers: A, B, E

App Mesh can enforce mTLS between services.

Why this answer

IAM roles for tasks can be used to authenticate to other AWS services via SDK. Service Connect can handle service discovery and encryption. App Mesh provides mTLS for authentication between services.

Security groups control network access, not authentication. API Gateway is for external APIs.

481
MCQ · hard

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API must support CORS to allow requests from a web application hosted on a different domain. The developer has enabled CORS on the API Gateway resource and configured the Lambda function to return the appropriate headers. However, the web application is still receiving CORS errors. What is the most likely cause?

A.The API Gateway stage is not redeployed after enabling CORS.
B.The API Gateway CORS configuration is incorrect; the allowed origin should be set to '*'.
C.The web application is not sending the preflight OPTIONS request.
D.The Lambda function is not returning the CORS headers in the response.
Answer: D

For non-proxy integrations, the Lambda must include CORS headers in its response.

Why this answer

Option D is correct because, when the Lambda function is a custom integration (not proxy), the Lambda function must return the CORS headers in the response. For proxy integrations, API Gateway automatically handles CORS headers. If the developer enabled CORS on API Gateway but the Lambda is a custom integration, the headers from API Gateway may not be passed through; the Lambda must return them.

Option D is therefore the correct answer: the Lambda function must return the CORS headers because the API Gateway CORS configuration only applies to the mock response, not the Lambda response.

482
MCQ · hard

A company runs a microservices application on Amazon ECS with Fargate. The application consists of three services: frontend, orders, and payments. The frontend service is behind an Application Load Balancer (ALB). The orders service processes requests from frontend and sends messages to the payments service via an Amazon SQS queue. The payments service polls the queue. Recently, during peak hours, the orders service experiences high latency and the SQS queue depth increases significantly. The monitoring shows that the payments service is not keeping up. The company wants to scale the payments service based on the queue depth. The developer has configured an ECS Service Auto Scaling target tracking policy using the SQS queue's ApproximateNumberOfMessagesVisible metric. However, the payments service is not scaling up as expected. What is the most likely cause?

A.The target tracking policy is not configured correctly because ECS Service Auto Scaling requires a custom metric, and the metric may not have been published yet.
B.The SQS queue is not sending the ApproximateNumberOfMessagesVisible metric to CloudWatch.
C.The payments service has reached the maximum number of tasks allowed by the service quota.
D.The payments service is not configured to poll the SQS queue frequently enough.
Answer: A

ECS Service Auto Scaling can use predefined SQS metrics, but it requires the metric to be available in CloudWatch, which may have a delay. Also, the policy might be misconfigured.

Why this answer

Option A is correct because ECS Service Auto Scaling requires a custom metric to be published to CloudWatch, and it may take a few minutes for the metric to appear. Option C is wrong because Fargate tasks do not have a maximum task limit by default; the limit is per region and can be increased. Option B is wrong because the SQS ApproximateNumberOfMessagesVisible metric is available as a standard CloudWatch metric.

Option D is wrong because the payments service polls the queue; the scaling policy should work regardless of polling frequency.

483
MCQ · hard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway REST API. The API Gateway is configured to use a Lambda proxy integration. The developer wants to return a custom error message with a specific HTTP status code (e.g., 404) when a resource is not found. How should the developer implement this?

A.Return a JSON object with 'status_code' and 'message' keys.
B.Throw an exception with a message that includes the HTTP status code.
C.Return a JSON object with 'errorMessage' and 'errorType' keys.
D.Return a JSON object with keys 'statusCode', 'headers', and 'body' where 'statusCode' is 404 and 'body' contains the error message.
Answer: D

For Lambda proxy integration, the Lambda function must return a response in the format { 'statusCode': ..., 'headers': ..., 'body': ... } to control the HTTP response.

Why this answer

Option D is correct because with proxy integration, Lambda must return a response in the specific format: statusCode, headers, and body. Option B is wrong because throwing an exception results in a 502 Bad Gateway. Option C is wrong because the format does not include 'errorMessage' as a top-level key.

Option A is wrong because the correct format uses 'statusCode', not 'status_code'.

484
MCQ · easy

A developer wants to share an Amazon Machine Image (AMI) from one AWS account to another. The AMI is backed by Amazon EBS snapshots. What must the developer do to ensure the target account can launch an EC2 instance from the AMI?

A.Copy the AMI to the target account's region and share the AMI.
B.Make the AMI public and share the EBS snapshots.
C.Share the KMS key used to encrypt the EBS snapshots with the target account.
D.Modify the AMI permissions to allow the target account and share the underlying EBS snapshots.
Answer: D

Both AMI and snapshots must be shared.

Why this answer

Option D is correct because the AMI must be shared with the target account, and the EBS snapshots must be shared as well. Option A (copy to target account) is not necessary. Option B (public) is not required.

Option C (encryption key) is only needed if the snapshots are encrypted.

485
MCQ · hard

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application uses WebSockets for real-time communication. The company wants to use AWS CodeDeploy to deploy updates with minimal downtime. Which deployment configuration should the developer use?

A.Canary deployment.
B.In-place deployment.
C.Blue/green deployment.
D.Immutable deployment.
Answer: C

Blue/green deployment creates a new environment, allowing traffic to be switched after verification, minimizing downtime for stateful apps.

Why this answer

Option C is correct because a blue/green deployment allows the company to create a new set of instances (green) and switch traffic after testing, minimizing downtime. Option B is incorrect because in-place deployment would update instances one by one, and stateful applications may lose session data. Option D is incorrect because immutable deployments are not supported by CodeDeploy for EC2; they are used with Elastic Beanstalk.

Option A is incorrect because canary deployments are for Lambda, not EC2.

486
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a web application. The application stores user-uploaded images in an S3 bucket. The developer needs to ensure that the application can read and write to the S3 bucket. What should the developer do?

A.Use Amazon CloudFront to proxy requests to the S3 bucket.
B.Hardcode the AWS access keys in the application code.
C.Apply an S3 bucket policy that allows access from the Elastic Beanstalk environment's security group.
D.Configure the Elastic Beanstalk environment to use an IAM instance profile that grants S3 access.
Answer: D

The instance profile provides permissions to the EC2 instances running the application.

Why this answer

Option D is correct because Elastic Beanstalk can automatically create and configure an instance profile with the necessary S3 permissions if you specify the bucket policy. Option C is wrong because S3 bucket policies are for bucket-level access, not directly for EC2 instances. Option B is wrong because access keys are insecure.

Option A is wrong because CloudFront is for content delivery, not for granting S3 access.

487
MCQ · medium

A company is developing a microservices architecture using Amazon ECS with Fargate launch type. Each microservice needs to store sensitive configuration data such as database passwords. The company wants to avoid storing secrets in the application code or environment variables. What is the MOST secure and recommended approach?

A.Pass secrets as environment variables in the task definition.
B.Store secrets in an encrypted S3 bucket and have the application download them at startup.
C.Use AWS Systems Manager Parameter Store or AWS Secrets Manager to store and retrieve secrets.
D.Use an AWS Lambda function to generate secrets and store them in DynamoDB.
Answer: C

Correct: These services are built for secure secret management.

Why this answer

Option C is correct because AWS Systems Manager Parameter Store (or Secrets Manager) is designed for secure storage of secrets and can be accessed via IAM roles. Option A is wrong because environment variables can be exposed. Option B is wrong because S3 is not designed for secrets and requires encryption management.

Option D is wrong because Lambda is a compute service, not a secret store.

488
Multi-Select · medium

A developer is implementing S3 multipart upload for large files. Which two actions are required to complete the upload?

Select 2 answers
A.Enable S3 static website hosting
B.Upload all parts and keep their ETags/part numbers
C.Disable bucket encryption
D.Call CompleteMultipartUpload with the uploaded part list
Answers: B, D

Correct for the stated requirement.

Why this answer

Option B is correct because during an S3 multipart upload, each part must be uploaded individually, and the response includes an ETag (a hash of the part) and a part number. These must be recorded and provided in the final request to assemble the object. Option D is correct because the CompleteMultipartUpload API call is required to signal S3 to combine all uploaded parts into the final object, using the list of ETags and part numbers.

Exam trap

The trap here is that candidates may think uploading all parts is sufficient without calling CompleteMultipartUpload, or they may confuse the multipart upload process with other S3 features like static hosting or encryption settings.

489
MCQ · easy

A developer is building an application that needs to send email notifications to users. Which AWS service is designed for sending transactional emails?

A.AWS Lambda
B.Amazon Simple Email Service (SES)
C.Amazon Simple Notification Service (SNS)
D.Amazon Simple Queue Service (SQS)
Answer: B

SES is a scalable email service designed for sending transactional emails.

Why this answer

Option B is correct because Amazon SES is for sending emails. Option C is wrong because SNS is for push notifications. Option D is wrong because SQS is for message queuing.

Option A is wrong because Lambda is compute.

490
MCQ · hard

A company runs a microservices architecture on Amazon ECS with Fargate. Each service uses an Application Load Balancer and stores data in Amazon DynamoDB. The operations team notices that during traffic spikes, some requests fail with HTTP 503 errors. CloudWatch metrics show that the ALB's TargetResponseTime is increasing, and the DynamoDB table's ConsumedWriteCapacityUnits are reaching the provisioned limit. The team wants to handle traffic spikes gracefully without manual intervention. What should they do?

A.Increase the DynamoDB table's provisioned write capacity and the ALB's target group deregistration delay.
B.Use an SQS queue to buffer write requests and process them asynchronously.
C.Add a DynamoDB Accelerator (DAX) cluster to cache frequently accessed data.
D.Enable DynamoDB Auto Scaling for write capacity and configure ECS Service Auto Scaling based on ALB request count.
Answer: D

Both services will automatically scale to meet demand.

Why this answer

Option D is correct. DynamoDB Auto Scaling adjusts the provisioned capacity based on traffic, preventing throttling. ECS Service Auto Scaling adds more tasks to handle increased load.

Option A is wrong because increasing the throughput limit without auto scaling would still require manual changes. Option C is wrong because DynamoDB Accelerator (DAX) is a cache for reads, not writes. Option B is wrong because buffering write requests in SQS adds complexity and may not be real-time.

491
Multi-Select · hard

A company is using AWS CodePipeline to automate its deployment pipeline. The pipeline has a source stage that pulls code from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer wants to add a manual approval step before deployment to production. Which of the following are correct steps to implement this? (Choose THREE.)

Select 3 answers
A.Add a second pipeline for the approval step.
B.Configure the approval action to use an SNS topic for notifications.
C.Use AWS CodeBuild to run a script that waits for manual approval.
D.Create an IAM role that allows the pipeline to publish to the SNS topic.
E.Add an approval action to the pipeline before the deploy stage.
Answers: B, D, E

SNS sends emails to approvers when approval is needed.

Why this answer

Options B, D, and E are correct. Option E is correct because an approval action is added to the pipeline. Option C is wrong because CodeBuild is for build, not deployment.

Option B is correct because approval requires an SNS topic to send notifications. Option D is correct because an IAM role is needed for the approval action to publish to SNS. Option A is wrong because the approval action is added to the existing pipeline, not a separate one.

492
MCQ · medium

A developer is deploying an application on Amazon ECS using the Fargate launch type. The application needs to communicate with a DynamoDB table. The developer creates a VPC with private subnets and configures the ECS service to use those subnets. However, the tasks cannot reach DynamoDB. What is the MOST likely cause?

A.The task IAM role does not have permissions to access DynamoDB.
B.The security group of the tasks does not allow outbound traffic to DynamoDB.
C.The VPC does not have a VPC endpoint for DynamoDB, and there is no NAT gateway.
D.The task definition does not have a network mode that supports DynamoDB.
Answer: C

Correct: Private subnets cannot reach DynamoDB without a VPC endpoint or NAT.

Why this answer

Option C is correct because private subnets need a VPC endpoint (or NAT gateway) to access DynamoDB. Option B is wrong because security groups control traffic at the instance level, but the issue is routing. Option A is wrong because IAM roles are for permissions, not network connectivity.

Option D is wrong because task definitions don't have network settings for VPC endpoints.

493
MCQ · easy

A developer has written an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5. The SQS queue has 10,000 messages waiting to be processed. What will happen when the Lambda function is invoked?

A.Lambda will automatically increase reserved concurrency to handle the load.
B.Lambda will reject the invocation because reserved concurrency is too low.
C.Lambda will scale up to 20 concurrent executions to process all messages quickly.
D.Lambda will process messages with a maximum of 5 concurrent executions, each processing a batch of messages.
Answer: D

Reserved concurrency limits the function to 5 concurrent executions.

Why this answer

Reserved concurrency limits the maximum number of concurrent invocations to 5. Lambda will poll the SQS queue and process messages up to the reserved concurrency. If the batch size is 10, each invocation processes up to 10 messages, so up to 50 messages can be processed concurrently.

The rest remain in the queue. Lambda does not scale beyond reserved concurrency.

494
MCQ · medium

A developer is building a REST API using Amazon API Gateway and wants to transform the request data before sending it to the backend Lambda function. The transformation includes mapping query string parameters to a JSON body. Which API Gateway feature should be used?

A.Velocity Template Language (VTL) mapping templates
B.Lambda authorizer
C.Request validator
D.CORS configuration
Answer: A

Mapping templates in API Gateway use VTL to transform request data, such as converting query string parameters into a JSON body before passing to Lambda.

Why this answer

Option A is correct because API Gateway uses Velocity Template Language (VTL) mapping templates to transform incoming request data, such as mapping query string parameters into a JSON body before passing it to the backend Lambda function. This feature allows you to define a template that extracts values from the request's query string parameters (e.g., `$input.params('paramName')`) and constructs a new JSON payload, enabling seamless integration with Lambda without modifying the client request.

Exam trap

The trap here is that candidates often confuse request validation (Option C) with data transformation, assuming that validating the request structure also implies the ability to reshape the data, but validation only checks for presence and format, not mapping or transformation.

How to eliminate wrong answers

Option B is wrong because a Lambda authorizer is used for custom authentication and authorization of API requests, not for transforming request data or mapping parameters to a JSON body. Option C is wrong because a request validator only validates that the request adheres to the API's defined schema (e.g., required parameters, types), but it does not perform any data transformation or mapping. Option D is wrong because CORS configuration manages cross-origin resource sharing headers (e.g., Access-Control-Allow-Origin) to allow browser-based clients from different domains, and it has no role in transforming request payloads or mapping query string parameters.

495
MCQ · hard

A company has a production application running on AWS Lambda that processes real-time streaming data from Amazon Kinesis Data Streams. The Lambda function is configured with a batch size of 100 and a maximum concurrency of 5. Recently, the application has been experiencing failures with a high number of invocation errors. The errors indicate that the function is timing out. The developer checks the CloudWatch metrics and notices that the IteratorAge metric for the Kinesis stream is increasing rapidly, and there are many Throttles events for the Lambda function. The average execution duration of the function is 30 seconds, and the function timeout is set to 1 minute. The Kinesis stream has 10 shards. The company expects the data volume to double in the next month. Which combination of actions should the developer take to resolve the issue and prepare for future growth?

A.Increase the number of shards in the Kinesis stream to 20 and increase Lambda concurrency to 10.
B.Increase Lambda concurrency to at least 20 and reduce the batch size to 10.
C.Disable the reserved concurrency limit on the Lambda function and decrease the batch size to 5.
D.Increase the Lambda function timeout to 5 minutes and increase the batch size to 500.
Answer: B

More concurrency reduces throttling; smaller batch size reduces processing time per invocation.

Why this answer

Option B is correct. Increasing Lambda concurrency to at least 20 (2 per shard) will reduce throttling. Reducing the batch size to 10 will lower processing time per batch, preventing timeouts.

Option D is wrong because increasing the timeout to 5 minutes doesn't address throttling. Option A is wrong because increasing shards to 20 without increasing concurrency will not help. Option C is wrong because disabling the concurrency limit could cause uncontrolled scaling.

496
MCQ · medium

Refer to the exhibit. A developer invokes an AWS Lambda function and receives this error. The function is configured with a 3-second timeout. The developer needs to process data that sometimes takes up to 10 seconds. What should the developer do?

A.Change the invocation type to Event (async).
B.Increase the Lambda function timeout to 10 seconds.
C.Increase the memory allocation for the Lambda function.
D.Set reserved concurrency to 1.
Answer: B

Increasing timeout allows longer execution.

Why this answer

Option B is correct because increasing the timeout to 10 seconds allows the function to complete. Option C is incorrect because increasing memory does not directly affect the timeout. Option A is incorrect because async invocation does not change the timeout.

Option D is incorrect because reserved concurrency does not affect the timeout.

497
Multi-Select · hard

A developer is building a real-time chat application using WebSocket APIs in API Gateway and Lambda. The application must handle thousands of concurrent connections. Which TWO actions should the developer take to ensure the application scales properly?

Select 2 answers
A.Use CloudFront to distribute the WebSocket endpoints.
B.Place the Lambda function in a VPC to improve security.
C.Enable API Gateway caching to reduce Lambda invocations.
D.Set the Lambda function's reserved concurrency to a high enough value.
E.Use a DynamoDB table to store connection IDs and handle connection state.
Answers: D, E

Reserved concurrency ensures the function can handle peak load.

Why this answer

Options D and E are correct. Using a DynamoDB table to store connection IDs (E) is a common pattern for managing WebSocket connections. Setting the Lambda function's concurrency limit (D) prevents throttling of other functions.

Option B is wrong because Lambda functions in a VPC have limited elastic network interfaces. Option C is wrong because API Gateway handles scaling automatically. Option A is wrong because CloudFront does not support WebSocket APIs.

498
MCQ · easy

A developer wants to deploy a containerized application to Amazon ECS using Fargate. The application requires persistent storage that can be shared across multiple containers in the same task. Which storage option should the developer use?

A.Amazon EC2 instance store
B.Amazon EFS file system
C.Amazon S3 bucket
D.Amazon EBS volume
Answer: B

EFS can be used as a shared volume in Fargate.

Why this answer

Option B is correct because EFS can be mounted as a volume in Fargate tasks and shared among containers. Option D (EBS) is not supported in Fargate. Option C (S3) is object storage, not a file system.

Option A (instance store) is ephemeral and not available in Fargate.

499
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application needs to store session state. Which configuration is MOST cost-effective and scalable?

A.Use S3 to store session state
B.Use an ElastiCache Memcached cluster
C.Use an RDS database to store session state
D.Store session state in the local file system of each EC2 instance
Answer: B

Memcached is designed for session storage and is cost-effective.

Why this answer

ElastiCache with Memcached is a common choice for distributed session state. Option B is correct.

500
Multi-Select · hard

A company uses Amazon API Gateway to expose a REST API backed by AWS Lambda. The API has a resource /items with GET and POST methods. The GET method returns items from a DynamoDB table. The POST method adds an item to the table. Currently, all methods are open to the public. Security requirements mandate that only authenticated users can access the POST method, while the GET method remains public. Which THREE steps should the developer take to meet these requirements?

Select 3 answers
A.Configure the Lambda authorizer only on the POST method in the API Gateway.
B.Create a Lambda function as an authorizer that validates a JWT token from the Authorization header.
C.In the Lambda authorizer, return an IAM policy that allows execute-api:Invoke on the POST method.
D.Use an Amazon Cognito User Pools authorizer for the entire API.
E.Add a resource policy that denies public access to the POST method.
Answers: A, B, C

Authorizers can be applied per method.

Why this answer

Option B is correct because a Lambda authorizer can validate tokens. Option A is correct because the authorizer can be configured only on the POST method. Option C is correct because the Lambda authorizer returns an IAM policy that allows or denies access.

Option D is incorrect because a Cognito User Pools authorizer would apply to the entire API. Option E is incorrect because resource policies are global, not method-specific.

501
Multi-Select · hard

A Lambda function processes messages from an SQS standard queue and writes results to DynamoDB. Duplicate writes occasionally occur after retries. Which two changes best make the processing idempotent?

Select 2 answers
A.Use a deterministic idempotency key stored with a conditional write in DynamoDB
B.Increase the Lambda timeout to 15 minutes
C.Treat the SQS message ID or business transaction ID as a processed-record key
D.Disable SQS visibility timeout
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because using a deterministic idempotency key (e.g., a business transaction ID) combined with a conditional write in DynamoDB ensures that if the same message is processed more than once, the second write attempt will fail because the item already exists. This prevents duplicate records even when Lambda retries after a failure or timeout, making the processing idempotent at the database level.

Exam trap

The trap here is that candidates often confuse idempotency with simply increasing timeouts or disabling visibility timeouts, not realizing that idempotency requires a deterministic key and a conditional check at the storage layer.

502
MCQ · easy

A developer wants to store session state for a web application that runs on multiple EC2 instances behind an Application Load Balancer. Which AWS service should the developer use to store the session state in a centralized, highly available location?

A.Amazon RDS
B.Amazon S3
C.Amazon ElastiCache
D.AWS Lambda
Answer: C

ElastiCache provides a managed Redis or Memcached cluster, ideal for session state.

Why this answer

ElastiCache (Redis or Memcached) is a managed in-memory cache that is commonly used for session state storage across multiple EC2 instances. DynamoDB is also an option but is not listed. S3 is not suitable for session state.

RDS is a relational database, not ideal for session state. Lambda is compute, not storage.

503
MCQ · hard

A developer is deploying an application using AWS CloudFormation. The template includes an AWS::Lambda::Function resource. The developer wants to ensure that the Lambda function's code is automatically updated when the source code in S3 changes. Which approach should the developer use?

A.Specify the S3 object version in the template and update the version number in the template when code changes.
B.Use the AWS::Lambda::Version resource to create a new version.
C.Include the S3 bucket and key as template parameters and update the stack with a new key when code changes.
D.Use a custom resource backed by a Lambda function that polls S3 for changes.
Answer: A

Changing the version ID causes CloudFormation to detect a modification and update the function.

Why this answer

CloudFormation does not automatically detect changes in S3. Using the same S3 key with a version ID ensures that CloudFormation sees a change and updates the function. Using a parameter for the bucket does not trigger updates.

Custom Resource or CodePipeline is overkill for simple updates.

504
MCQeasy

A company is using AWS CloudFormation to deploy infrastructure. The developer wants to update a stack and needs to know what changes will be made before executing the update. Which AWS CLI command should the developer use?

A.aws cloudformation deploy
B.aws cloudformation create-change-set
C.aws cloudformation validate-template
D.aws cloudformation update-stack
AnswerB

Correct: Change sets allow you to preview changes.

Why this answer

Option B is correct because 'aws cloudformation create-change-set' creates a change set that previews changes. Option D is wrong because 'update-stack' directly updates without preview. Option A is wrong because 'deploy' is for CodeDeploy.

Option C is wrong because 'validate-template' only checks syntax.

505
Multi-Selecthard

A developer is troubleshooting a Lambda function that is failing with a 'Task timed out' error. The function is configured with a 3-second timeout. The function makes an HTTP request to an external API that sometimes takes more than 3 seconds to respond. Which THREE actions should the developer take to resolve this issue?

Select 3 answers
A.Use an asynchronous invocation pattern with a queue to decouple the HTTP request.
B.Place the Lambda function in a VPC to improve network latency.
C.Increase the Lambda function timeout to 10 seconds.
D.Reduce the batch size in the event source mapping.
E.Implement retry logic with exponential backoff in the function code.
AnswersA, C, E

Asynchronous processing prevents timeouts by returning immediately.

Why this answer

Options A, C, and E are correct. Increasing the Lambda timeout (C) allows the function to wait longer for the API response. Implementing retry logic with exponential backoff (E) helps handle transient delays.

Using an asynchronous invocation pattern (A) decouples the request from the response, allowing the function to return quickly and process the response later. Option B is incorrect because VPC configuration does not affect the timeout. Option D is incorrect because reducing the batch size is not relevant to the timeout.

506
MCQeasy

A developer is building a serverless API using Amazon API Gateway and AWS Lambda. The API accepts JSON payloads in the request body. The developer wants to ensure that incoming requests have a valid structure before being passed to the Lambda function to reduce unnecessary invocations. Which API Gateway feature should the developer use?

A.Request validation using models and request validators
B.Usage plans with API keys
C.WAF (AWS WAF) integration
D.Custom authorizer (Lambda authorizer)
AnswerA

API Gateway request validation checks the request against a model (JSON schema). It rejects invalid requests before reaching the integration, reducing Lambda invocations.

Why this answer

Option A is correct because API Gateway's request validation feature allows you to define a JSON Schema model for the request body and attach a request validator to the method. This validates the payload structure before the request reaches the Lambda function, preventing invalid payloads from triggering unnecessary invocations and reducing costs.

Exam trap

The trap here is that candidates confuse request validation (payload structure checking) with authorization (who can call the API) or security filtering (WAF), leading them to pick a wrong option like custom authorizer or WAF integration.

How to eliminate wrong answers

Option B is wrong because usage plans with API keys control rate limiting and quota management for API consumers, not payload structure validation. Option C is wrong because AWS WAF integration protects against web exploits like SQL injection or cross-site scripting at the HTTP layer, not JSON schema validation. Option D is wrong because a custom authorizer (Lambda authorizer) authenticates and authorizes the caller (e.g., via OAuth or JWT), but does not validate the request body's structure or content.

507
MCQeasy

The exhibit shows the output of a command. What does this output indicate about the bucket?

A.Versioning is enabled, and MFA delete is required
B.Versioning is suspended
C.Versioning is disabled
D.Versioning is enabled, and MFA delete is not required
AnswerD

MFADelete is Disabled.

Why this answer

Versioning is enabled, but MFA delete is not required. Option D is correct.

508
MCQhard

A developer is optimizing an S3 bucket for static website hosting. The site has a main page (index.html) and an error page (error.html). Users report seeing a generic 403 error instead of the error page when accessing a missing object. What is the likely cause?

A.The bucket policy denies access to the error.html object.
B.The Error document field in the static website hosting configuration is not set to error.html.
C.The index.html is missing from the bucket.
D.The error.html object has incorrect permissions.
AnswerB

The configuration must specify the error document for custom error pages.

Why this answer

Option B is correct because S3 static website hosting uses the Index document and Error document settings; if the error document is not configured correctly, S3 returns a generic 403. Option D is wrong because the error page is not tied to object permissions. Option C is wrong because the error page is different from the index page.

Option A is wrong because the bucket policy does not affect error page routing.

509
MCQeasy

A developer wants to store application configuration securely and retrieve it programmatically from EC2 instances. The configuration includes database passwords and API keys. Which AWS service should be used?

A.EC2 user data
B.Amazon S3 with server-side encryption
C.AWS CloudFormation template parameters
D.AWS Systems Manager Parameter Store with SecureString
AnswerD

Provides encrypted storage for secrets and integration with EC2.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store with SecureString provides encrypted storage for secrets. Option B is wrong because S3 is not designed for secret management. Option A is wrong because EC2 user data is not encrypted.

Option C is wrong because CloudFormation is for infrastructure, not runtime secret retrieval.

510
Multi-Selectmedium

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application consists of an API Gateway, Lambda functions, and a DynamoDB table. The developer wants to define and deploy this infrastructure as code. Which files and tools are required? (Choose THREE.)

Select 3 answers
A.Terraform configuration files
B.aws cloudformation deploy command
C.AWS SAM template file (template.yaml)
D.aws cloudformation package command
E.AWS CLI with aws lambda update-function-code command
AnswersB, C, D

The aws cloudformation deploy command deploys the packaged application.

Why this answer

The correct answers are B, C, and D. SAM uses a template.yaml file, and the aws cloudformation package and deploy commands are used to deploy. Option A is wrong because Terraform is a separate tool.

Option E is wrong because the AWS CLI alone cannot handle SAM packaging and deployment.

511
MCQmedium

A developer is building a serverless application that uses Amazon S3 event notifications to trigger an AWS Lambda function for thumbnail generation. The developer wants to ensure that duplicate S3 events do not cause the same image to be processed multiple times. Which approach should the developer implement to ensure idempotent processing?

A.Store the object key and event ID in a DynamoDB table and check for duplicates before processing
B.Set the Lambda function's concurrency to 1 to prevent concurrent executions
C.Use an Amazon SQS FIFO queue as the event destination
D.Enable S3 event notification filtering based on object size
AnswerA

By recording processed object keys in DynamoDB and checking for existing records, the function can skip duplicate events, ensuring each object is processed only once.

Why this answer

Option A is correct because storing the S3 object key and event ID in a DynamoDB table with a TTL attribute allows the Lambda function to perform a conditional write (or check for an existing item) before processing. This ensures that even if duplicate S3 events are delivered (e.g., due to S3's at-least-once delivery guarantee), the same image is only processed once, achieving idempotency.

Exam trap

The trap here is that candidates often assume S3 event notifications are exactly-once, but the exam tests that they are at-least-once, requiring explicit idempotency handling via an external store like DynamoDB.

How to eliminate wrong answers

Option B is wrong because setting concurrency to 1 only prevents concurrent executions but does not prevent duplicate events from being processed sequentially; the same image could still be processed multiple times if duplicate events arrive one after another. Option C is wrong because SQS FIFO queues provide exactly-once processing within the queue, but S3 event notifications cannot directly send to a FIFO queue (S3 only supports standard SQS queues as event destinations), and even if you manually route through a FIFO queue, the deduplication ID would need to be based on the event ID, which is not automatically handled. Option D is wrong because filtering based on object size only reduces the number of events triggered (e.g., for small or large objects) but does not address duplicate events for the same object; duplicates can still occur regardless of size.

512
MCQeasy

A developer is using AWS SAM to define a serverless application. The application includes an AWS Lambda function that needs to access an Amazon DynamoDB table. The developer wants to grant the Lambda function the minimum required permissions to read and write items in the table. Which resource should the developer use to define the IAM permissions?

A.AWS::DynamoDB::Table
B.AWS::IAM::Role
C.AWS::Serverless::Function Policies property
D.AWS::Lambda::Permission
AnswerC

The Policies property allows attaching IAM policies to the function's execution role.

Why this answer

In AWS SAM, the AWS::Serverless::Function resource has a Policies property that can be used to attach IAM policies. The developer can use a managed policy like 'AmazonDynamoDBFullAccess' or a custom policy. However, the recommended approach is to use the 'Policies' property with a statement that grants specific DynamoDB actions.

AWS::IAM::Role can be used but is not necessary when using SAM. AWS::Lambda::Permission is for resource-based policies, not for the Lambda execution role. AWS::DynamoDB::Table defines the table, not permissions.

513
Multi-Selecthard

A company has a web application running on Amazon ECS with Fargate launch type. The application needs to store and retrieve user session data. The sessions are small and require very low latency access. The development team wants a fully managed solution. Which storage options meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon DynamoDB
B.Amazon S3
C.Amazon EFS
D.Amazon ElastiCache for Redis
E.Amazon RDS for PostgreSQL
AnswersA, D

DynamoDB offers single-digit millisecond latency and is fully managed.

Why this answer

The correct answers are A and D. Amazon ElastiCache for Redis provides in-memory caching with low latency, and Amazon DynamoDB provides fast NoSQL storage. Option C is wrong because EFS is a file system, not optimized for key-value session data.

Option E is wrong because RDS is relational and adds latency. Option B is wrong because S3 is object storage with higher latency.

514
MCQmedium

A developer wants to update an AWS CloudFormation stack that includes an Amazon SQS queue. The queue is currently processing messages. The developer needs to change the queue's default visibility timeout without losing any messages. Which approach should the developer take?

A.Delete the stack and recreate it with the updated visibility timeout.
B.Update the stack directly; CloudFormation will automatically handle in-flight messages.
C.Change the visibility timeout using the UpdateStack API; messages will be unaffected as long as the new timeout is longer than the current one.
D.Stop the queue, update the visibility timeout, then resume the queue.
AnswerC

The update modifies the queue's configuration without impacting existing messages. A longer timeout ensures messages don't become visible while being processed.

Why this answer

Option C is correct because the UpdateStack API allows you to modify the visibility timeout of an SQS queue without disrupting in-flight messages, as long as the new timeout is longer than the current one. This ensures that messages already being processed have sufficient time to complete before becoming visible again, preventing any message loss. CloudFormation handles the update by applying the change to the queue resource definition and triggering a stack update that modifies the queue's configuration without deleting or recreating it.

Exam trap

The trap here is that candidates may think CloudFormation automatically handles in-flight messages during an update, but in reality, the developer must choose a new visibility timeout that is longer than the current one to prevent message loss.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the stack would destroy the existing queue and all its messages, including in-flight ones, causing message loss. Option B is wrong because while CloudFormation can update the stack directly, it does not automatically handle in-flight messages; the developer must ensure the new visibility timeout is longer than the current one to avoid premature message redelivery. Option D is wrong because SQS queues cannot be 'stopped' or 'paused'; they are always active, and attempting to stop the queue is not a valid operation in AWS.

515
Multi-Selecthard

A company is using AWS CloudFormation to deploy infrastructure. The developer needs to update a stack but wants to avoid downtime for a critical database. Which THREE strategies should the developer consider?

Select 3 answers
A.Set the DeletionPolicy attribute to Retain on the database resource.
B.Use the Parameters section to set a conditional update flag.
C.Use the UpdateReplace policy to create a new resource before deleting the old one.
D.Apply a stack policy that prevents updates to the database resource.
E.Use change sets to review the impact of changes before executing them.
AnswersC, D, E

This minimizes downtime during replacement.

Why this answer

Option E (change sets) is correct because they allow previewing changes. Option D (stack policy) is correct because it can protect specific resources during updates. Option C (UpdateReplace policy) is correct because it can create a replacement before deletion.

Option A is wrong because the deletion policy is about stack deletion, not updates. Option B is wrong because it is a parameter, not a strategy.

516
MCQhard

A developer is writing a Lambda function that processes events from an Amazon Kinesis stream. The function must ensure that records are processed in the order they were received and that each shard is processed by only one instance of the function at a time. How should the developer configure the Lambda function?

A.Set the function's concurrency to the number of shards and enable parallelization factor.
B.Set the batch size to 1 and configure the function's reserved concurrency to 1.
C.Set the batch size to 100 and enable parallelization factor per shard.
D.Use a DynamoDB table to track sequence numbers and enforce ordering.
AnswerB

Batch size 1 ensures records are processed one at a time, and reserved concurrency 1 ensures only one instance processes all shards sequentially.

Why this answer

Option B is correct because setting the batch size to 1 and the concurrency to the number of shards (or reserved concurrency of 1) ensures per-shard ordering and single-threaded processing per shard. Option A is wrong because parallelization factor processes batches in parallel, breaking ordering. Option C is wrong because Lambda processes multiple shards concurrently by default, but reserving concurrency per shard is not possible; instead, set concurrency to 1.

Option D is wrong because Kinesis ordering is per-shard, not across the stream.

517
MCQeasy

Refer to the exhibit. The IAM policy is attached to an IAM role that is assumed by an AWS Lambda function. The Lambda function needs to read and write objects in the 'my-bucket' S3 bucket, but it should never delete objects. What will happen when the function attempts to delete an object?

A.The delete will fail because the Deny statement explicitly denies the delete action.
B.The delete will succeed because there is no explicit deny for the specific object.
C.The delete will succeed because the Allow statement gives full access.
D.The delete will fail because the Allow statement only includes GetObject and PutObject.
AnswerA

Explicit deny prevents the delete.

Why this answer

The policy explicitly denies s3:DeleteObject. IAM policies are evaluated with an explicit deny override. Even if another policy allows delete, the explicit deny will take effect, and the request will be denied.

518
MCQmedium

A company is using AWS CodePipeline to automate deployments of a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The deploy stage fails intermittently with the error 'Rate exceeded' when creating or updating stacks. What should the developer do to resolve this issue?

A.Use the AWS CLI to deploy the CloudFormation stack instead of CodePipeline.
B.Increase the timeout for the CloudFormation deployment action in the pipeline.
C.Request a service limit increase for CloudFormation API calls.
D.Add a retry configuration with exponential backoff to the CloudFormation deployment action.
AnswerD

Retries with backoff can handle transient rate limiting.

Why this answer

Option D is correct. CloudFormation has API rate limits; adding a retry with backoff in the pipeline configuration will handle transient throttling. Option B is wrong because increasing the timeout does not address rate limits.

Option A is wrong because using a different deployment method may not avoid CloudFormation API calls. Option C is wrong because the issue is not related to IAM permissions.
